2 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecureTransportPriv.h - Apple-private exported routines
28 #ifndef _SECURE_TRANSPORT_PRIV_H_
29 #define _SECURE_TRANSPORT_PRIV_H_ 1
31 #include <Security/SecureTransport.h>
32 #include <Security/SecTrust.h>
38 #include <Security/sslTypes.h>
40 /* Create an SSL Context with an external record layer - eg: kernel accelerated layer */
42 SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc
,
43 SSLProtocolSide protocolSide
,
44 SSLConnectionType connectionType
,
45 const struct SSLRecordFuncs
*recFuncs
);
47 /* Set the external record layer context */
49 SSLSetRecordContext (SSLContextRef ctx
,
50 SSLRecordContextRef recCtx
);
52 /* The size of of client- and server-generated random numbers in hello messages. */
53 #define SSL_CLIENT_SRVR_RAND_SIZE 32
55 /* The size of the pre-master and master secrets. */
56 #define SSL_RSA_PREMASTER_SECRET_SIZE 48
57 #define SSL_MASTER_SECRET_SIZE 48
60 * For the following three functions, *size is the available
61 * buffer size on entry and the actual size of the data returned
62 * on return. The above consts are for convenience.
64 OSStatus
SSLInternalMasterSecret(
65 SSLContextRef context
,
66 void *secret
, // mallocd by caller, SSL_MASTER_SECRET_SIZE
67 size_t *secretSize
); // in/out
69 OSStatus
SSLInternalServerRandom(
70 SSLContextRef context
,
71 void *randBuf
, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
72 size_t *randSize
); // in/out
74 OSStatus
SSLInternalClientRandom(
75 SSLContextRef context
,
76 void *randBuf
, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
77 size_t *randSize
); // in/out
80 * Obtain the sizes of the currently negotiated HMAC digest, session
81 * key, and session key IV.
83 OSStatus
SSLGetCipherSizes(
84 SSLContextRef context
,
86 size_t *symmetricKeySize
,
89 OSStatus
SSLInternal_PRF(
90 SSLContextRef context
,
97 void *out
, // mallocd by caller, length >= outLen
101 * Obtain a SecTrustRef representing peer certificates. Valid anytime,
102 * subsequent to a handshake attempt. The returned SecTrustRef is valid
103 * only as long as the SSLContextRef is.
106 SSLGetPeerSecTrust (SSLContextRef context
,
107 SecTrustRef
*secTrust
); /* RETURNED */
110 * Obtain resumable session info. Can be called anytime subsequent to
113 * if sessionWasResumed is True on return, the session is indeed a
114 * resumed session; the sessionID (an opaque blob generated by the
115 * server) is returned in *sessionID. The length of the sessionID
116 * is returned in *sessionIDLength. Caller must allocate the
117 * sessionID buffer; it max size is MAX_SESSION_ID_LENGTH bytes.
119 #define MAX_SESSION_ID_LENGTH 32
122 SSLGetResumableSessionInfo (
123 SSLContextRef context
,
124 Boolean
*sessionWasResumed
, // RETURNED
125 void *sessionID
, // RETURNED, mallocd by caller
126 size_t *sessionIDLength
); // IN/OUT
129 * Getters for SSLSetCertificate() and SSLSetEncryptionCertificate()
133 SSLContextRef context
,
134 CFArrayRef
*certRefs
); // RETURNED, *not* retained
137 SSLGetEncryptionCertificate (
138 SSLContextRef context
,
139 CFArrayRef
*certRefs
); // RETURNED, *not* retained
142 * Getter for SSLSetClientSideAuthenticate()
145 SSLGetClientSideAuthenticate (
146 SSLContextRef context
,
147 SSLAuthenticate
*auth
); // RETURNED
150 * Get/set array of trusted leaf certificates.
152 * If none have been set previously with SSLSetTrustedLeafCertificates(),
153 * then SSLCopyTrustedLeafCertificates() will return NULL with errSecSuccess.
156 SSLSetTrustedLeafCertificates (
157 SSLContextRef context
,
158 CFArrayRef certRefs
);
161 SSLCopyTrustedLeafCertificates (
162 SSLContextRef context
,
163 CFArrayRef
*certRefs
); // RETURNED, caller must release
166 * Get/set enable of anonymous ciphers. This is deprecated and now a no-op.
169 SSLSetAllowAnonymousCiphers(
170 SSLContextRef context
,
174 SSLGetAllowAnonymousCiphers(
175 SSLContextRef context
,
179 * Override the default session cache timeout for a cache entry created for
180 * the current session.
183 SSLSetSessionCacheTimeout(
184 SSLContextRef context
,
185 uint32_t timeoutInSeconds
);
188 * Callback function for EAP-style PAC-based session resumption.
189 * This function is called by SecureTransport to obtain the
192 typedef void (*SSLInternalMasterSecretFunction
)(
194 const void *arg
, /* opaque to SecureTransport; app-specific */
195 void *secret
, /* mallocd by caller, SSL_MASTER_SECRET_SIZE */
196 size_t *secretLength
); /* in/out */
199 * Register a callback for obtaining the master_secret when performing
200 * PAC-based session resumption. At the time the callback is called,
201 * the following are guaranteed to be valid:
203 * -- serverRandom (via SSLInternalServerRandom())
204 * -- clientRandom (via SSLInternalClientRandom())
205 * -- negotiated protocol version (via SSLGetNegotiatedProtocolVersion())
206 * -- negotiated CipherSuite (via SSLGetNegotiatedCipher())
208 * Currently, PAC-based session resumption is only implemented on
209 * the client side for Deployment builds.
211 * On the client side, this callback occurs if/when the server sends a
212 * ChangeCipherSpec message immediately following its ServerHello
213 * message (i.e., it's skipped the entire Key Exchange phase of
216 * On the server side (Development builds only) this callback occurs
217 * immediately upon receipt of the Client Hello message, before we send
221 SSLInternalSetMasterSecretFunction(
223 SSLInternalMasterSecretFunction mFunc
,
224 const void *arg
); /* opaque to SecureTransport; app-specific */
227 * Provide an opaque SessionTicket for use in PAC-based session
228 * resumption. Client side only. The provided ticket is sent in
229 * the ClientHello message as a SessionTicket extension.
230 * The maximum ticketLength is 2**16-1.
232 OSStatus
SSLInternalSetSessionTicket(
235 size_t ticketLength
);
238 * Support for specifying and obtaining ECC curves, used with the ECDH-based
243 * These are the named curves from RFC 4492
244 * section 5.1.1, with the exception of SSL_Curve_None which means
245 * "ECDSA not negotiated".
251 SSL_Curve_sect163k1
= 1,
252 SSL_Curve_sect163r1
= 2,
253 SSL_Curve_sect163r2
= 3,
254 SSL_Curve_sect193r1
= 4,
255 SSL_Curve_sect193r2
= 5,
256 SSL_Curve_sect233k1
= 6,
257 SSL_Curve_sect233r1
= 7,
258 SSL_Curve_sect239k1
= 8,
259 SSL_Curve_sect283k1
= 9,
260 SSL_Curve_sect283r1
= 10,
261 SSL_Curve_sect409k1
= 11,
262 SSL_Curve_sect409r1
= 12,
263 SSL_Curve_sect571k1
= 13,
264 SSL_Curve_sect571r1
= 14,
265 SSL_Curve_secp160k1
= 15,
266 SSL_Curve_secp160r1
= 16,
267 SSL_Curve_secp160r2
= 17,
268 SSL_Curve_secp192k1
= 18,
269 SSL_Curve_secp192r1
= 19,
270 SSL_Curve_secp224k1
= 20,
271 SSL_Curve_secp224r1
= 21,
272 SSL_Curve_secp256k1
= 22,
274 /* These are the ones we actually support */
275 SSL_Curve_secp256r1
= 23,
276 SSL_Curve_secp384r1
= 24,
277 SSL_Curve_secp521r1
= 25
278 } SSL_ECDSA_NamedCurve
;
281 * Obtain the SSL_ECDSA_NamedCurve negotiated during a handshake.
282 * Returns errSecParam if no ECDH-related ciphersuite was negotiated.
284 extern OSStatus
SSLGetNegotiatedCurve(
286 SSL_ECDSA_NamedCurve
*namedCurve
); /* RETURNED */
289 * Obtain the number of currently enabled SSL_ECDSA_NamedCurves.
291 extern OSStatus
SSLGetNumberOfECDSACurves(
293 unsigned *numCurves
); /* RETURNED */
296 * Obtain the ordered list of currently enabled SSL_ECDSA_NamedCurves.
297 * Caller allocates returned array and specifies its size (in
298 * SSL_ECDSA_NamedCurves) in *numCurves on entry; *numCurves
299 * is the actual size of the returned array on successful return.
301 extern OSStatus
SSLGetECDSACurves(
303 SSL_ECDSA_NamedCurve
*namedCurves
, /* RETURNED */
304 unsigned *numCurves
); /* IN/OUT */
307 * Specify ordered list of allowable named curves.
309 extern OSStatus
SSLSetECDSACurves(
311 const SSL_ECDSA_NamedCurve
*namedCurves
,
315 * Server-specified client authentication mechanisms.
318 /* doesn't appear on the wire */
319 SSLClientAuthNone
= -1,
321 SSLClientAuth_RSASign
= 1,
322 SSLClientAuth_DSSSign
= 2,
323 SSLClientAuth_RSAFixedDH
= 3,
324 SSLClientAuth_DSS_FixedDH
= 4,
326 SSLClientAuth_ECDSASign
= 64,
327 SSLClientAuth_RSAFixedECDH
= 65,
328 SSLClientAuth_ECDSAFixedECDH
= 66
329 } SSLClientAuthenticationType
;
331 /* TLS 1.2 Signature Algorithms extension values for hash field. */
333 SSL_HashAlgorithmNone
= 0,
334 SSL_HashAlgorithmMD5
= 1,
335 SSL_HashAlgorithmSHA1
= 2,
336 SSL_HashAlgorithmSHA224
= 3,
337 SSL_HashAlgorithmSHA256
= 4,
338 SSL_HashAlgorithmSHA384
= 5,
339 SSL_HashAlgorithmSHA512
= 6
342 /* TLS 1.2 Signature Algorithms extension values for signature field. */
344 SSL_SignatureAlgorithmAnonymous
= 0,
345 SSL_SignatureAlgorithmRSA
= 1,
346 SSL_SignatureAlgorithmDSA
= 2,
347 SSL_SignatureAlgorithmECDSA
= 3
348 } SSL_SignatureAlgorithm
;
351 SSL_HashAlgorithm hash
;
352 SSL_SignatureAlgorithm signature
;
353 } SSLSignatureAndHashAlgorithm
;
356 * Obtain the number of client authentication mechanisms specified by
357 * the server in its Certificate Request message.
358 * Returns errSecParam if server hasn't sent a Certificate Request message
359 * (i.e., client certificate state is kSSLClientCertNone).
361 extern OSStatus
SSLGetNumberOfClientAuthTypes(
366 * Obtain the client authentication mechanisms specified by
367 * the server in its Certificate Request message.
368 * Caller allocates returned array and specifies its size (in
369 * SSLClientAuthenticationTypes) in *numType on entry; *numTypes
370 * is the actual size of the returned array on successful return.
372 extern OSStatus
SSLGetClientAuthTypes(
374 SSLClientAuthenticationType
*authTypes
, /* RETURNED */
375 unsigned *numTypes
); /* IN/OUT */
378 * Obtain the SSLClientAuthenticationType actually performed.
379 * Only valid if client certificate state is kSSLClientCertSent
380 * or kSSLClientCertRejected; SSLClientAuthNone is returned as
381 * the negotiated auth type otherwise.
383 extern OSStatus
SSLGetNegotiatedClientAuthType(
385 SSLClientAuthenticationType
*authType
); /* RETURNED */
389 * Obtain the number of supported_signature_algorithms specified by
390 * the server in its Certificate Request message.
391 * Returns errSecParam if server hasn't sent a Certificate Request message
392 * (i.e., client certificate state is kSSLClientCertNone).
394 extern OSStatus
SSLGetNumberOfSignatureAlgorithms(
396 unsigned *numSigAlgs
);
399 * Obtain the supported_signature_algorithms specified by
400 * the server in its Certificate Request message.
401 * Caller allocates returned array and specifies its size (in
402 * SSLClientAuthenticationTypes) in *numType on entry; *numTypes
403 * is the actual size of the returned array on successful return.
405 extern OSStatus
SSLGetSignatureAlgorithms(
407 SSLSignatureAndHashAlgorithm
*sigAlgs
, /* RETURNED */
408 unsigned *numSigAlgs
); /* IN/OUT */
412 /* Set the Shared Secret for PSK CipherSuite.
413 This need to be set before the handshake starts. */
414 OSStatus
SSLSetPSKSharedSecret(SSLContextRef ctx
,
418 /* Set the Client identity for PSK CipherSuite.
419 This need to be set before the handshake starts.
420 Only useful for client side.*/
421 OSStatus
SSLSetPSKIdentity(SSLContextRef ctx
,
422 const void *pskIdentity
,
423 size_t pskIdentityLen
);
425 /* For client side, get the identity previously set by SSLSetPSKIdentity.
426 For server side, get the identity provided by the client during the handshake.
427 Might be NULL if not set. identity is owned by the SSLContext and is invalid once
428 the SSLContext is released.
430 OSStatus
SSLGetPSKIdentity(SSLContextRef ctx
,
431 const void **pskIdentity
,
432 size_t *pskIdentityLen
);
434 /* For client side, set the minimum allowed DH group size for DHE ciphersuites */
435 OSStatus
SSLSetMinimumDHGroupSize(SSLContextRef ctx
, unsigned nbits
);
437 OSStatus
SSLGetMinimumDHGroupSize(SSLContextRef ctx
, unsigned *nbits
);
439 OSStatus
SSLSetDHEEnabled(SSLContextRef ctx
, bool enabled
);
441 OSStatus
SSLGetDHEEnabled(SSLContextRef ctx
, bool *enabled
);
443 extern const CFStringRef kSSLSessionConfig_default
;
444 extern const CFStringRef kSSLSessionConfig_ATSv1
;
445 extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS
;
446 extern const CFStringRef kSSLSessionConfig_legacy
;
447 extern const CFStringRef kSSLSessionConfig_standard
;
448 extern const CFStringRef kSSLSessionConfig_RC4_fallback
;
449 extern const CFStringRef kSSLSessionConfig_TLSv1_fallback
;
450 extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback
;
451 extern const CFStringRef kSSLSessionConfig_legacy_DHE
;
454 SSLSetSessionConfig(SSLContextRef context
,
458 SSLGetSessionConfig(SSLContextRef context
,
459 CFStringRef
*config
);
464 /* Following are SPIs on iOS */
467 * Set allowed SSL protocol versions. Optional.
468 * Specifying kSSLProtocolAll for SSLSetProtocolVersionEnabled results in
469 * specified 'enable' boolean to be applied to all supported protocols.
470 * The default is "all supported protocols are enabled".
471 * This can only be called when no session is active.
473 * Legal values for protocol are :
479 * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin
482 _SSLSetProtocolVersionEnabled (SSLContextRef context
,
483 SSLProtocol protocol
,
487 * Obtain a value specified in SSLSetProtocolVersionEnabled.
489 * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin
492 _SSLGetProtocolVersionEnabled(SSLContextRef context
,
493 SSLProtocol protocol
,
494 Boolean
*enable
); /* RETURNED */
497 * Get/set SSL protocol version; optional. Default is kSSLProtocolUnknown,
498 * in which case the highest possible version (currently kTLSProtocol1)
499 * is attempted, but a lower version is accepted if the peer requires it.
501 * SSLSetProtocolVersion can not be called when a session is active.
503 * This is deprecated in favor of SSLSetProtocolVersionEnabled.
505 * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin
508 _SSLSetProtocolVersion (SSLContextRef context
,
509 SSLProtocol version
);
512 * Obtain the protocol version specified in SSLSetProtocolVersion.
513 * This is deprecated in favor of SSLGetProtocolVersionEnabled.
514 * If SSLSetProtocolVersionEnabled() has been called for this session,
515 * SSLGetProtocolVersion() may return errSecParam if the protocol enable
516 * state can not be represented by the SSLProtocol enums (e.g.,
517 * SSL2 and TLS1 enabled, SSL3 disabled).
519 * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin
522 _SSLGetProtocolVersion (SSLContextRef context
,
523 SSLProtocol
*protocol
); /* RETURNED */
526 The following 15 calls were used to change the behaviour of the trust
527 evaluation of the certificate chain.
528 The proper alternative is to break out of the handshake, get the
529 peer's SecTrustRef with SSLCopyPeerTrust and evaluate that.
533 * Enable/disable peer certificate chain validation. Default is enabled.
534 * If caller disables, it is the caller's responsibility to call
535 * SSLCopyPeerTrust() upon successful completion of the handshake
536 * and then to perform external validation of the peer certificate
537 * chain before proceeding with data transfer.
540 _SSLSetEnableCertVerify (SSLContextRef context
,
541 Boolean enableVerify
);
544 _SSLGetEnableCertVerify (SSLContextRef context
,
545 Boolean
*enableVerify
); /* RETURNED */
548 * Specify the option of ignoring certificates' "expired" times.
549 * This is a common failure in the real SSL world. Default for
550 * this flag is false, meaning expired certs result in a
551 * errSSLCertExpired error.
554 _SSLSetAllowsExpiredCerts (SSLContextRef context
,
555 Boolean allowsExpired
);
558 * Obtain the current value of an SSLContext's "allowExpiredCerts" flag.
561 _SSLGetAllowsExpiredCerts (SSLContextRef context
,
562 Boolean
*allowsExpired
); /* RETURNED */
565 * Similar to SSLSetAllowsExpiredCerts(), this function allows the
566 * option of ignoring "expired" status for root certificates only.
567 * Default is false, i.e., expired root certs result in an
568 * errSSLCertExpired error.
571 _SSLSetAllowsExpiredRoots (SSLContextRef context
,
572 Boolean allowsExpired
);
575 _SSLGetAllowsExpiredRoots (SSLContextRef context
,
576 Boolean
*allowsExpired
); /* RETURNED */
579 * Specify option of allowing for an unknown root cert, i.e., one which
580 * this software can not verify as one of a list of known good root certs.
581 * Default for this flag is false, in which case one of the following two
583 * -- The peer returns a cert chain with a root cert, and the chain
584 * verifies to that root, but the root is not one of our trusted
585 * roots. This results in errSSLUnknownRootCert on handshake.
586 * -- The peer returns a cert chain which does not contain a root cert,
587 * and we can't verify the chain to one of our trusted roots. This
588 * results in errSSLNoRootCert on handshake.
590 * Both of these error conditions are ignored when the AllowAnyRoot flag is true,
591 * allowing connection to a totally untrusted peer.
594 _SSLSetAllowsAnyRoot (SSLContextRef context
,
598 * Obtain the current value of an SSLContext's "allow any root" flag.
601 _SSLGetAllowsAnyRoot (SSLContextRef context
,
602 Boolean
*anyRoot
); /* RETURNED */
605 * Augment or replace the system's default trusted root certificate set
606 * for this session. If replaceExisting is true, the specified roots will
607 * be the only roots which are trusted during this session. If replaceExisting
608 * is false, the specified roots will be added to the current set of trusted
609 * root certs. If this function has never been called, the current trusted
610 * root set is the same as the system's default trusted root set.
611 * Successive calls with replaceExisting false result in accumulation
612 * of additional root certs.
614 * The trustedRoots array contains SecCertificateRefs.
617 _SSLSetTrustedRoots (SSLContextRef context
,
618 CFArrayRef trustedRoots
,
619 Boolean replaceExisting
);
622 * Obtain an array of SecCertificateRefs representing the current
623 * set of trusted roots. If SSLSetTrustedRoots() has never been called
624 * for this session, this returns the system's default root set.
626 * Caller must CFRelease the returned CFArray.
629 _SSLCopyTrustedRoots (SSLContextRef context
,
630 CFArrayRef
*trustedRoots
); /* RETURNED */
633 * Add a SecCertificateRef, or a CFArray of them, to a server's list
634 * of acceptable Certificate Authorities (CAs) to present to the client
635 * when client authentication is performed.
637 * If replaceExisting is true, the specified certificate(s) will replace
638 * a possible existing list of acceptable CAs. If replaceExisting is
639 * false, the specified certificate(s) will be appended to the existing
640 * list of acceptable CAs, if any.
642 * Returns errSecParam is this is called on an SSLContextRef which
643 * is configured as a client, or when a session is active.
646 _SSLSetCertificateAuthorities(SSLContextRef context
,
647 CFTypeRef certificateOrArray
,
648 Boolean replaceExisting
);
651 * Obtain the certificates specified in SSLSetCertificateAuthorities(),
652 * if any. Returns a NULL array if SSLSetCertificateAuthorities() has not
654 * Caller must CFRelease the returned array.
658 _SSLCopyCertificateAuthorities(SSLContextRef context
,
659 CFArrayRef
*certificates
); /* RETURNED */
662 * Request peer certificates. Valid anytime, subsequent to
663 * a handshake attempt.
665 * The certs argument is a CFArray containing SecCertificateRefs.
666 * Caller must CFRelease the returned array.
668 * The cert at index 0 of the returned array is the subject (end
669 * entity) cert; the root cert (or the closest cert to it) is at
670 * the end of the returned array.
673 This should be removed so that applications are not tempted to
674 use this to evaluate trust, they should use the SecTrustRef returned
675 by SSLCopyPeerTrust instead.
676 But this maybe useful to know which certs where returned by the server
677 vs which where pulled internally.
678 This would be a debug feature, so we deprecate this in iOS. There
679 should be an API in SecTrust to allow getting the original certificates
683 _SSLCopyPeerCertificates (SSLContextRef context
,
684 CFArrayRef
*certs
); /* RETURNED */
687 * Specify Diffie-Hellman parameters. Optional; if we are configured to allow
688 * for D-H ciphers and a D-H cipher is negotiated, and this function has not
689 * been called, a set of process-wide parameters will be calculated. However
690 * that can take a long time (30 seconds).
692 OSStatus
_SSLSetDiffieHellmanParams (SSLContextRef context
,
693 const void *dhParams
,
697 * Return parameter block specified in SSLSetDiffieHellmanParams.
698 * Returned data is not copied and belongs to the SSLContextRef.
700 OSStatus
_SSLGetDiffieHellmanParams (SSLContextRef context
,
701 const void **dhParams
,
702 size_t *dhParamsLen
);
705 * Enable/Disable RSA blinding. This feature thwarts a known timing
706 * attack to which RSA keys are vulnerable; enabling it is a tradeoff
707 * between performance and security. The default for RSA blinding is
710 OSStatus
_SSLSetRsaBlinding (SSLContextRef context
,
713 OSStatus
_SSLGetRsaBlinding (SSLContextRef context
,
717 * Create a new SSL/TLS session context.
718 * Deprecated: please use the allocator based functions, when available.
721 _SSLNewContext (Boolean isServer
,
722 SSLContextRef
*tlsContextPtr
); /* RETURNED */
725 * Dispose of an SSLContextRef. This is effectivly a CFRelease.
729 _SSLDisposeContext (SSLContextRef context
);
731 /* We redefine the names of all SPIs to avoid collision with unavailable APIs */
732 #define SSLSetProtocolVersionEnabled _SSLSetProtocolVersionEnabled
733 #define SSLGetProtocolVersionEnabled _SSLGetProtocolVersionEnabled
734 #define SSLSetProtocolVersion _SSLSetProtocolVersion
735 #define SSLGetProtocolVersion _SSLGetProtocolVersion
736 #define SSLSetEnableCertVerify _SSLSetEnableCertVerify
737 #define SSLGetEnableCertVerify _SSLGetEnableCertVerify
738 #define SSLSetAllowsExpiredCerts _SSLSetAllowsExpiredCerts
739 #define SSLGetAllowsExpiredCerts _SSLGetAllowsExpiredCerts
740 #define SSLSetAllowsExpiredRoots _SSLSetAllowsExpiredRoots
741 #define SSLGetAllowsExpiredRoots _SSLGetAllowsExpiredRoots
742 #define SSLSetAllowsAnyRoot _SSLSetAllowsAnyRoot
743 #define SSLGetAllowsAnyRoot _SSLGetAllowsAnyRoot
744 #define SSLSetTrustedRoots _SSLSetTrustedRoots
745 #define SSLCopyTrustedRoots _SSLCopyTrustedRoots
746 #define SSLSetCertificateAuthorities _SSLSetCertificateAuthorities
747 #define SSLCopyCertificateAuthorities _SSLCopyCertificateAuthorities
748 #define SSLCopyPeerCertificates _SSLCopyPeerCertificates
749 #define SSLSetDiffieHellmanParams _SSLSetDiffieHellmanParams
750 #define SSLGetDiffieHellmanParams _SSLGetDiffieHellmanParams
751 #define SSLSetRsaBlinding _SSLSetRsaBlinding
752 #define SSLGetRsaBlinding _SSLGetRsaBlinding
753 #define SSLNewContext _SSLNewContext
754 #define SSLNewDatagramContext _SSLNewDatagramContext
755 #define SSLDisposeContext _SSLDisposeContext
757 #endif /* TARGET_OS_IPHONE */
761 * Create a new Datagram TLS session context.
762 * Use in place of SSLNewContext to create a DTLS session.
763 * Deprecated: please use the allocator based functions, when available.
764 * Also note: the symbol is prefixed with underscore in iOS (historical)
767 SSLNewDatagramContext (Boolean isServer
,
768 SSLContextRef
*dtlsContextPtr
); /* RETURNED */
775 * If used, must be by client and server before SSLHandshake()
777 * Client: if set the client will announce NPN extension in the
778 * ClientHello, and the a callback will provide the server list, at
779 * that time the client needs to call SSLSetNPNData() in the callback
780 * to provide to the server the support mechanism.
782 * Server: the callback will tell the server that the client supports
783 * NPN and at that time, the server needs to set the supported NPN
784 * types with SSLSetNPNData().
787 (*SSLNPNFunc
) (SSLContextRef ctx
,
788 void *info
, /* info pointer provided by SSLSetNPNFunc */
790 size_t npnDataLength
);
794 SSLSetNPNFunc (SSLContextRef context
,
797 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
800 * For servers, this is the data that is announced.
801 * For clients, this is the picked data in the npnFunc callback.
803 * Return an error on out of memory and if buffer it too large
806 SSLSetNPNData (SSLContextRef context
,
809 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
812 * For servers, return client provided npn data if sent
815 SSLGetNPNData (SSLContextRef context
,
817 __OSX_AVAILABLE_STARTING(__MAC_10_10
, __IPHONE_8_0
);
821 (*SSLALPNFunc
) (SSLContextRef ctx
,
822 void *info
, /* info pointer provided by SSLSetALPNFunc */
823 const void *alpnData
,
824 size_t alpnDataLength
);
827 SSLSetALPNFunc (SSLContextRef context
,
828 SSLALPNFunc alpnFunc
,
830 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
834 SSLSetALPNData (SSLContextRef context
,
837 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
840 SSLGetALPNData (SSLContextRef context
,
842 __OSX_AVAILABLE_STARTING(__MAC_10_11
, __IPHONE_9_0
);
847 SSLCopyRequestedPeerName (SSLContextRef context
,
849 size_t *peerNameLen
);
852 SSLCopyRequestedPeerNameLength (SSLContextRef ctx
,
853 size_t *peerNameLen
);
861 #endif /* _SECURE_TRANSPORT_PRIV_H_ */