2 * Copyright (c) 1999-2002,2005-2019 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecureTransport.h - Public API for Apple SSL/TLS Implementation
28 #ifndef _SECURITY_SECURETRANSPORT_H_
29 #define _SECURITY_SECURETRANSPORT_H_
32 * This file describes the public API for an implementation of the
33 * Secure Socket Layer, V. 3.0, Transport Layer Security, V. 1.0 to V. 1.2
34 * and Datagram Transport Layer Security V. 1.0
36 * There are no transport layer dependencies in this library;
37 * it can be used with sockets, Open Transport, etc. Applications using
38 * this library provide callback functions which do the actual I/O
39 * on underlying network connections. Applications are also responsible
40 * for setting up raw network connections; the application passes in
41 * an opaque reference to the underlying (connected) entity at the
42 * start of an SSL session in the form of an SSLConnectionRef.
46 * A "client" is the initiator of an SSL Session. The canonical example
47 * of a client is a web browser, when it's talking to an https URL.
49 * A "server" is an entity which accepts requests for SSL sessions made
50 * by clients. E.g., a secure web server.
52 * An "SSL Session", or "session", is bounded by calls to SSLHandshake()
53 * and SSLClose(). An "Active session" is in some state between these
54 * two calls, inclusive.
56 * An SSL Session Context, or SSLContextRef, is an opaque reference in this
57 * library to the state associated with one session. A SSLContextRef cannot
58 * be reused for multiple sessions.
61 #include <CoreFoundation/CFArray.h>
62 #include <Security/SecProtocolOptions.h>
63 #include <Security/CipherSuite.h>
64 #include <Security/SecTrust.h>
65 #include <Security/SecBase.h>
66 #include <sys/types.h>
67 #include <Availability.h>
73 CF_ASSUME_NONNULL_BEGIN
74 CF_IMPLICIT_BRIDGING_ENABLED
76 #define __SECURETRANSPORT_API_DEPRECATED(...) \
77 __API_DEPRECATED("No longer supported. Use Network.framework.", __VA_ARGS__)
79 /***********************
80 *** Common typedefs ***
81 ***********************/
83 /* Opaque reference to an SSL session context */
85 typedef struct CF_BRIDGED_TYPE(id
) SSLContext
*SSLContextRef
;
87 /* Opaque reference to an I/O connection (socket, endpoint, etc.) */
88 typedef const void *SSLConnectionRef
;
90 /* SSL session options */
91 typedef CF_ENUM(int, SSLSessionOption
) {
93 * Set this option to enable returning from SSLHandshake (with a result of
94 * errSSLServerAuthCompleted) when the server authentication portion of the
95 * handshake is complete. This disable certificate verification and
96 * provides an opportunity to perform application-specific server
97 * verification before deciding to continue.
99 kSSLSessionOptionBreakOnServerAuth
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 0,
101 * Set this option to enable returning from SSLHandshake (with a result of
102 * errSSLClientCertRequested) when the server requests a client certificate.
104 kSSLSessionOptionBreakOnCertRequested
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 1,
106 * This option is the same as kSSLSessionOptionBreakOnServerAuth but applies
107 * to the case where SecureTransport is the server and the client has presented
108 * its certificates allowing the server to verify whether these should be
109 * allowed to authenticate.
111 kSSLSessionOptionBreakOnClientAuth
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 2,
113 * Enable/Disable TLS False Start
114 * When enabled, False Start will only be performed if a adequate cipher-suite is
117 kSSLSessionOptionFalseStart
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 3,
119 * Enable/Disable 1/n-1 record splitting for BEAST attack mitigation.
120 * When enabled, record splitting will only be performed for TLS 1.0 connections
121 * using a block cipher.
123 kSSLSessionOptionSendOneByteRecord
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 4,
125 * Allow/Disallow server identity change on renegotiation. Disallow by default
126 * to avoid Triple Handshake attack.
128 kSSLSessionOptionAllowServerIdentityChange
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 5,
130 * Enable fallback countermeasures. Use this option when retyring a SSL connection
131 * with a lower protocol version because of failure to connect.
133 kSSLSessionOptionFallback
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 6,
135 * Set this option to break from a client hello in order to check for SNI
137 kSSLSessionOptionBreakOnClientHello
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 7,
139 * Set this option to Allow renegotations. False by default.
141 kSSLSessionOptionAllowRenegotiation
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 8,
143 * Set this option to enable session tickets. False by default.
145 kSSLSessionOptionEnableSessionTickets
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) = 9,
148 /* State of an SSLSession */
149 typedef CF_CLOSED_ENUM(int, SSLSessionState
) {
150 kSSLIdle
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
), /* no I/O performed yet */
151 kSSLHandshake
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
), /* SSL handshake in progress */
152 kSSLConnected
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
), /* Handshake complete, ready for normal I/O */
153 kSSLClosed
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
), /* connection closed normally */
154 kSSLAborted
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
) /* connection aborted */
158 * Status of client certificate exchange (which is optional
159 * for both server and client).
161 typedef CF_ENUM(int, SSLClientCertificateState
) {
162 /* Server hasn't asked for a cert. Client hasn't sent one. */
163 kSSLClientCertNone
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
),
164 /* Server has asked for a cert, but client didn't send it. */
165 kSSLClientCertRequested
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
),
167 * Server side: We asked for a cert, client sent one, we validated
168 * it OK. App can inspect the cert via
169 * SSLCopyPeerCertificates().
170 * Client side: server asked for one, we sent it.
172 kSSLClientCertSent
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
),
174 * Client sent a cert but failed validation. Server side only.
175 * Server app can inspect the cert via SSLCopyPeerCertificates().
177 kSSLClientCertRejected
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
)
181 * R/W functions. The application using this library provides
182 * these functions via SSLSetIOFuncs().
184 * Data's memory is allocated by caller; on entry to these two functions
185 * the *length argument indicates both the size of the available data and the
186 * requested byte count. Number of bytes actually transferred is returned in
189 * The application may configure the underlying connection to operate
190 * in a non-blocking manner; in such a case, a read operation may
191 * well return errSSLWouldBlock, indicating "I transferred less data than
192 * you requested (maybe even zero bytes), nothing is wrong, except
193 * requested I/O hasn't completed". This will be returned back up to
194 * the application as a return from SSLRead(), SSLWrite(), SSLHandshake(),
198 (*SSLReadFunc
) (SSLConnectionRef connection
,
199 void *data
, /* owned by
202 size_t *dataLength
); /* IN/OUT */
204 (*SSLWriteFunc
) (SSLConnectionRef connection
,
206 size_t *dataLength
); /* IN/OUT */
208 /* DEPRECATED aliases for errSSLPeerAuthCompleted */
209 #define errSSLServerAuthCompleted errSSLPeerAuthCompleted
210 #define errSSLClientAuthCompleted errSSLPeerAuthCompleted
212 /* DEPRECATED alias for the end of the error range */
213 #define errSSLLast errSSLUnexpectedRecord
215 typedef CF_CLOSED_ENUM(int, SSLProtocolSide
)
217 kSSLServerSide
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
),
218 kSSLClientSide
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
)
221 typedef CF_ENUM(int, SSLConnectionType
)
223 kSSLStreamType
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
),
224 kSSLDatagramType
CF_ENUM_DEPRECATED(10_2
, 10_15
, 2_0
, 13_0
)
228 * Predefined TLS configuration constants
231 /* Default configuration (has 3DES, no RC4) */
232 extern const CFStringRef kSSLSessionConfig_default
233 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.13), ios(5.0, 11.0));
235 /* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
236 extern const CFStringRef kSSLSessionConfig_ATSv1
237 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
239 /* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
240 extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS
241 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
243 /* TLS v1.2 to TLS v1.0, with default ciphersuites (no 3DES, no RC4) */
244 extern const CFStringRef kSSLSessionConfig_standard
245 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
247 /* TLS v1.2 to TLS v1.0, with default ciphersuites + RC4 + 3DES */
248 extern const CFStringRef kSSLSessionConfig_RC4_fallback
249 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.13), ios(5.0, 11.0));
251 /* TLS v1.0 only, with default ciphersuites + fallback SCSV */
252 extern const CFStringRef kSSLSessionConfig_TLSv1_fallback
253 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
255 /* TLS v1.0, with default ciphersuites + RC4 + 3DES + fallback SCSV */
256 extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback
257 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.13), ios(5.0, 11.0));
259 /* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
260 extern const CFStringRef kSSLSessionConfig_legacy
261 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
263 /* TLS v1.2 to TLS v1.0, default + RC4 + DHE ciphersuites */
264 extern const CFStringRef kSSLSessionConfig_legacy_DHE
265 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
267 /* TLS v1.2, anonymous ciphersuites only */
268 extern const CFStringRef kSSLSessionConfig_anonymous
269 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
271 /* TLS v1.2 to TLS v1.0, has 3DES, no RC4 */
272 extern const CFStringRef kSSLSessionConfig_3DES_fallback
273 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.13), ios(5.0, 11.0));
275 /* TLS v1.0, with default ciphersuites + 3DES, no RC4 */
276 extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback
277 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.13), ios(5.0, 11.0));
285 * Secure Transport APIs require a SSLContextRef, which is an opaque
286 * reference to the SSL session and its parameters. On Mac OS X 10.7
287 * and earlier versions, a new context is created using SSLNewContext,
288 * and is disposed by calling SSLDisposeContext.
290 * On i0S 5.0 and later, as well as Mac OS X versions after 10.7, the
291 * SSLContextRef is a true CFType object with retain-release semantics.
292 * New code should create a new context using SSLCreateContext (instead
293 * of SSLNewContext), and dispose the context by calling CFRelease
294 * (instead of SSLDisposeContext) when finished with it.
298 * @function SSLContextGetTypeID
299 * @abstract Return the CFTypeID for SSLContext objects.
300 * @return CFTypeId for SSLContext objects.
303 SSLContextGetTypeID(void)
304 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
307 * @function SSLCreateContext
308 * @abstract Create a new instance of an SSLContextRef using the specified allocator.
309 * @param alloc Allocator to use for memory.
310 * @param protooclSide Client or server indication.
311 * @param connectionType Type of connection.
312 * @return A newly allocated SSLContextRef, or NULL on error.
316 SSLCreateContext(CFAllocatorRef __nullable alloc
, SSLProtocolSide protocolSide
, SSLConnectionType connectionType
)
317 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
322 * @function SSLNewContext
323 * @abstract Create a new session context.
326 * ==========================
327 * MAC OS X ONLY (DEPRECATED)
328 * ==========================
329 * NOTE: this function is not available on iOS, and should be considered
330 * deprecated on Mac OS X. Your code should use SSLCreateContext instead.
332 * @param isServer Flag indicating if the context is for the server (true) or client (false).
333 * @param contextPtr Pointer to SSLContextRef where result will be stored.
334 * @return errSecSuccess on success, alternative error on failure.
337 SSLNewContext (Boolean isServer
,
338 SSLContextRef
* __nonnull CF_RETURNS_RETAINED contextPtr
) /* RETURNED */
339 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
342 * @function SSLDisposeContext
343 * @abstract Dispose of a session context.
346 * ==========================
347 * MAC OS X ONLY (DEPRECATED)
348 * ==========================
349 * NOTE: this function is not available on iOS, and should be considered
350 * deprecated on Mac OS X. Your code should use CFRelease to dispose a session
351 * created with SSLCreateContext.
353 * @param context A SSLContextRef to deallocate and destroy.
354 * @result errSecSuccess on success, alternative error on failure.
357 SSLDisposeContext (SSLContextRef context
)
358 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
360 #endif /* MAC OS X */
363 * @function SSLGetSessionState
364 * @abstract Determine the state of an SSL/DTLS session.
365 * @param context A valid SSLContextRef.
366 * @param state Output pointer to store the SSLSessionState.
367 * @result errSecSuccess on success, alternative error on failure.
370 SSLGetSessionState (SSLContextRef context
,
371 SSLSessionState
*state
) /* RETURNED */
372 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
375 * @function SSLSetSessionOption
376 * @abstract Set options for an SSL session. Must be called prior to SSLHandshake();
377 * subsequently cannot be called while session is active.
378 * @param context A valid SSLContextRef.
379 * @param option An option enumeration value.
380 * @param value Value of the SSLSessionOption.
381 * @result errSecSuccess on success, alternative error on failure.
384 SSLSetSessionOption (SSLContextRef context
,
385 SSLSessionOption option
,
387 __SECURETRANSPORT_API_DEPRECATED(macos(10.6, 10.15), ios(5.0, 13.0));
390 * @function SSLGetSessionOption
391 * @abstract Determine current value for the specified option in a given SSL session.
392 * @param context A valid SSLContextRef.
393 * @param option An option enumeration value.
394 * @param value Pointer to a Boolean where the SSLSessionOption value is stored.
395 * @result errSecSuccess on success, alternative error on failure.
398 SSLGetSessionOption (SSLContextRef context
,
399 SSLSessionOption option
,
401 __SECURETRANSPORT_API_DEPRECATED(macos(10.6, 10.15), ios(5.0, 13.0));
403 /********************************************************************
404 *** Session context configuration, common to client and servers. ***
405 ********************************************************************/
408 * @function SSLSetIOFuncs
409 * @abstract Specify functions which do the network I/O. Must be called prior
410 * to SSLHandshake(); subsequently cannot be called while a session is
412 * @param context A valid SSLContextRef.
413 * @param readFunc Pointer to a SSLReadFunc.
414 * @param writeFunc Pointer to a SSLWriteFunc.
415 * @result errSecSuccess on success, alternative error on failure.
418 SSLSetIOFuncs (SSLContextRef context
,
419 SSLReadFunc readFunc
,
420 SSLWriteFunc writeFunc
)
421 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
425 * @function SSLSetSessionConfig
426 * @absttact Set a predefined configuration for the SSL Session
427 * @note This currently affect enabled protocol versions,
428 * enabled ciphersuites, and the kSSLSessionOptionFallback
430 * @param context A valid SSLContextRef.
431 * @param config String name of constant TLS handshake configuration, e.g., kSSLSessionConfig_standard.
432 * @result errSecSuccess on success, alternative error on failure.
435 SSLSetSessionConfig(SSLContextRef context
,
437 __SECURETRANSPORT_API_DEPRECATED(macos(10.12, 10.15), ios(10.0, 13.0));
440 * @function SSLSetProtocolVersionMin
441 * @abstract Set the minimum SSL protocol version allowed. Optional.
442 * The default is the lower supported protocol.
443 * @note This can only be called when no session is active.
445 * For TLS contexts, legal values for minVersion are :
451 * For DTLS contexts, legal values for minVersion are :
453 * @param context A valid SSLContextRef.
454 * @param minVersion Minimum TLS protocol version.
455 * @result errSecSuccess on success, alternative error on failure.
458 SSLSetProtocolVersionMin (SSLContextRef context
,
459 SSLProtocol minVersion
)
460 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
463 * @function SSLGetProtocolVersionMin
464 * @abstract Get minimum protocol version allowed
465 * @param context A valid SSLContextRef.
466 * @param minVersion Pointer to SSLProtocol value where the minimum protocol version is stored.
467 * @result errSecSuccess on success, alternative error on failure.
470 SSLGetProtocolVersionMin (SSLContextRef context
,
471 SSLProtocol
*minVersion
)
472 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
475 * @function SSLSetProtocolVersionMax
476 * @abstract Set the maximum SSL protocol version allowed. Optional.
477 * The default is the highest supported protocol.
479 * This can only be called when no session is active.
481 * For TLS contexts, legal values for maxVersion are :
487 * For DTLS contexts, legal values for maxVersion are :
489 * @param context A valid SSLContextRef.
490 * @param maxVersion Maximum TLS protocol version.
491 * @result errSecSuccess on success, alternative error on failure.
494 SSLSetProtocolVersionMax (SSLContextRef context
,
495 SSLProtocol maxVersion
)
496 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
499 * @function SSLGetProtocolVersionMax
500 * @abstract Get maximum protocol version allowed
501 * @param context A valid SSLContextRef.
502 * @param maxVersion Pointer to SSLProtocol value where the maximum protocol version is stored.
503 * @result errSecSuccess on success, alternative error on failure.
506 SSLGetProtocolVersionMax (SSLContextRef context
,
507 SSLProtocol
*maxVersion
)
508 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
513 * @function SSLSetProtocolVersionEnabled
514 * @abstract Set allowed SSL protocol versions. Optional.
515 * @discussion Specifying kSSLProtocolAll for SSLSetProtocolVersionEnabled results in
516 * specified 'enable' boolean to be applied to all supported protocols.
517 * The default is "all supported protocols are enabled".
518 * This can only be called when no session is active.
520 * Legal values for protocol are :
526 * ==========================
527 * MAC OS X ONLY (DEPRECATED)
528 * ==========================
529 * @note this function is not available on iOS, and should be considered
530 * deprecated on Mac OS X. You can use SSLSetProtocolVersionMin and/or
531 * SSLSetProtocolVersionMax to specify which protocols are enabled.
532 * @param context A valid SSLContextRef.
533 * @param protocol A SSLProtocol enumerated value.
534 * @param enable Boolean to enable or disable the designated protocol.
535 * @result errSecSuccess on success, alternative error on failure.
538 SSLSetProtocolVersionEnabled (SSLContextRef context
,
539 SSLProtocol protocol
,
541 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
544 * Obtain a value specified in SSLSetProtocolVersionEnabled.
546 * ==========================
547 * MAC OS X ONLY (DEPRECATED)
548 * ==========================
549 * NOTE: this function is not available on iOS, and should be considered
550 * deprecated on Mac OS X. You can use SSLGetProtocolVersionMin and/or
551 * SSLGetProtocolVersionMax to check whether a protocol is enabled.
554 SSLGetProtocolVersionEnabled(SSLContextRef context
,
555 SSLProtocol protocol
,
556 Boolean
*enable
) /* RETURNED */
557 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
560 * @function SSLSetProtocolVersion
561 * @abstract Get/set SSL protocol version; optional. Default is kSSLProtocolUnknown,
562 * in which case the highest possible version is attempted, but a lower
563 * version is accepted if the peer requires it.
564 * @discussion SSLSetProtocolVersion cannot be called when a session is active.
566 * ==========================
567 * MAC OS X ONLY (DEPRECATED)
568 * ==========================
569 * @note this function is not available on iOS, and deprecated on Mac OS X 10.8.
570 * Use SSLSetProtocolVersionMin and/or SSLSetProtocolVersionMax to specify
571 * which protocols are enabled.
572 * @param context A valid SSLContextRef.
573 * @param protocol A SSLProtocol enumerated value.
574 * @result errSecSuccess on success, alternative error on failure.
577 SSLSetProtocolVersion (SSLContextRef context
,
579 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.8));
582 * @function SSLGetProtocolVersion
583 * @abstract Obtain the protocol version specified in SSLSetProtocolVersion.
584 * @discussion If SSLSetProtocolVersionEnabled() has been called for this session,
585 * SSLGetProtocolVersion() may return errSecParam if the protocol enable
586 * state can not be represented by the SSLProtocol enums (e.g.,
587 * SSL2 and TLS1 enabled, SSL3 disabled).
589 * ==========================
590 * MAC OS X ONLY (DEPRECATED)
591 * ==========================
592 * @note this function is not available on iOS, and deprecated on Mac OS X 10.8.
593 * Use SSLGetProtocolVersionMin and/or SSLGetProtocolVersionMax to check
594 * whether a protocol is enabled.
595 * @param context A valid SSLContextRef.
596 * @param protocol A SSLProtocol enumerated value pointer to store the protocol version.
597 * @result errSecSuccess on success, alternative error on failure.
600 SSLGetProtocolVersion (SSLContextRef context
,
601 SSLProtocol
*protocol
) /* RETURNED */
602 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.8));
604 #endif /* MAC OS X */
607 * @function SSLSetCertificate
608 * @abstract Specify this connection's certificate(s).
609 * @discussion This is mandatory for server connections,and optional for
610 * clients. Specifying a certificate for a client enables SSL client-side
611 * authentication. The end-entity cert is in certRefs[0]. Specifying a root
612 * cert is optional; if it's not specified, the root cert which verifies the
613 * cert chain specified here must be present in the system-wide set of trusted
616 * The certRefs argument is a CFArray containing SecCertificateRefs,
617 * except for certRefs[0], which is a SecIdentityRef.
619 * Must be called prior to SSLHandshake(), or immediately after
620 * SSLHandshake has returned errSSLClientCertRequested (i.e. before the
621 * handshake is resumed by calling SSLHandshake again.)
623 * SecureTransport assumes the following:
625 * -- The certRef references remain valid for the lifetime of the session.
626 * -- The certificate specified in certRefs[0] is capable of signing.
627 * -- The required capabilities of the certRef[0], and of the optional cert
628 * specified in SSLSetEncryptionCertificate (see below), are highly
629 * dependent on the application. For example, to work as a server with
630 * Netscape clients, the cert specified here must be capable of both
631 * signing and encrypting.
632 * @param context A valid SSLContextRef.
633 * @param certRefs An array of SecCertificateRef instances.
634 * @result errSecSuccess on success, alternative error on failure.
637 SSLSetCertificate (SSLContextRef context
,
638 CFArrayRef _Nullable certRefs
)
639 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
642 * @function SSLSetConnection
643 * @abstract Specify I/O connection - a socket, endpoint, etc., which is
645 * @discussion On the client side, it's assumed that communication
646 * has been established with the desired server on this connection.
647 * On the server side, it's assumed that an incoming client request
648 * has been established.
650 * Must be called prior to SSLHandshake(); subsequently can only be
651 * called when no session is active.
652 * @param context A valid SSLContextRef.
653 * @param connection A SSLConnectionRef.
654 * @result errSecSuccess on success, alternative error on failure.
657 SSLSetConnection (SSLContextRef context
,
658 SSLConnectionRef __nullable connection
)
659 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
662 * @function SSLGetConnection
663 * @abstract Retrieve the I/O connection managed managed by the caller.
664 * @param context A valid SSLContextRef.
665 * @param connection A SSLConnectionRef pointer.
666 * @result errSecSuccess on success, alternative error on failure.
669 SSLGetConnection (SSLContextRef context
,
670 SSLConnectionRef
* __nonnull CF_RETURNS_NOT_RETAINED connection
)
671 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
674 * @function SSLSetPeerDomainName
675 * @abstract Specify the fully qualified doman name of the peer, e.g., "store.apple.com."
676 * @discussion Optional; used to verify the common name field in peer's certificate.
677 * Name is in the form of a C string; NULL termination optional, i.e.,
678 * peerName[peerNameLen+1] may or may not have a NULL. In any case peerNameLen
679 * is the number of bytes of the peer domain name.
680 * @param context A valid SSLContextRef.
681 * @param peerName A C string carrying the peer domain name.
682 * @param peerNameLen Length of the peer domain name string.
683 * @result errSecSuccess on success, alternative error on failure.
686 SSLSetPeerDomainName (SSLContextRef context
,
687 const char * __nullable peerName
,
689 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
692 * @function SSLGetPeerDomainNameLength
693 * @abstract Determine the buffer size needed for SSLGetPeerDomainName().
694 * @param context A valid SSLContextRef.
695 * @param peerNameLen Pointer to where the length of the peer domain name string is stored
696 * @result errSecSuccess on success, alternative error on failure.
699 SSLGetPeerDomainNameLength (SSLContextRef context
,
700 size_t *peerNameLen
) // RETURNED
701 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
704 * @function SSLGetPeerDomainName
705 * @abstract Obtain the value specified in SSLSetPeerDomainName().
706 * @param context A valid SSLContextRef.
707 * @param peerName Pointer to where the peer domain name is stored.
708 * @param peerNameLen Pointer to where the length of the peer domain name string is stored,
709 * up to the length specified by peerNameLen (on input).
710 * @result errSecSuccess on success, alternative error on failure.
713 SSLGetPeerDomainName (SSLContextRef context
,
714 char *peerName
, // returned here
715 size_t *peerNameLen
) // IN/OUT
716 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
719 * @function SSLCopyRequestedPeerNameLength
720 * @abstract [Server Only] obtain the hostname specified by the client in the ServerName extension (SNI)
721 * @param context A valid SSLContextRef.
722 * @param peerNameLen Pointer to where the length of the requested peer domain name string
723 * is stored, up to the length specified by peerNameLen (on input).
724 * @result errSecSuccess on success, alternative error on failure.
727 SSLCopyRequestedPeerNameLength (SSLContextRef ctx
,
729 __SECURETRANSPORT_API_DEPRECATED(macos(10.11, 10.15), ios(9.0, 13.0));
732 * @function SSLCopyRequestedPeerName
733 * @abstract Determine the buffer size needed for SSLCopyRequestedPeerNameLength().
734 * @param context A valid SSLContextRef.
735 * @param peerName Pointer to where the requested peer domain name is stored.
736 * @param peerNameLen Pointer to where the length of the requested peer domain name string
737 * is stored, up to the length specified by peerNameLen (on input).
738 * @result errSecSuccess on success, alternative error on failure.
741 SSLCopyRequestedPeerName (SSLContextRef context
,
744 __SECURETRANSPORT_API_DEPRECATED(macos(10.11, 10.15), ios(9.0, 13.0));
748 * @function SSLSetDatagramHelloCookie
749 * @abstract Specify the Datagram TLS Hello Cookie.
750 * @discussion This is to be called for server side only and is optional.
751 * The default is a zero len cookie. The maximum cookieLen is 32 bytes.
752 * @param context A valid SSLContextRef.
753 * @param cookie Pointer to opaque cookie data.
754 * @param cookieLen Length of cookie data.
755 * @result errSecSuccess on success, alternative error on failure.
758 SSLSetDatagramHelloCookie (SSLContextRef dtlsContext
,
759 const void * __nullable cookie
,
761 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
764 * @function SSLSetMaxDatagramRecordSize
765 * @abstract Specify the maximum record size, including all DTLS record headers.
766 * @discussion This should be set appropriately to avoid fragmentation
767 * of Datagrams during handshake, as fragmented datagrams may
768 * be dropped by some network.
769 * @note This is for Datagram TLS only
770 * @param context A valid SSLContextRef.
771 * @param maxSize Maximum size of datagram record(s).
772 * @result errSecSuccess on success, alternative error on failure.
775 SSLSetMaxDatagramRecordSize (SSLContextRef dtlsContext
,
777 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
780 * @function SSLGetMaxDatagramRecordSize
781 * @abstract Get the maximum record size, including all Datagram TLS record headers.
782 * @note This is for Datagram TLS only
783 * @param context A valid SSLContextRef.
784 * @param maxSize Pointer where maximum size of datagram record(s) is stored.
785 * @result errSecSuccess on success, alternative error on failure.
788 SSLGetMaxDatagramRecordSize (SSLContextRef dtlsContext
,
790 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
793 * @function SSLGetNegotiatedProtocolVersion
794 * @abstract Obtain the actual negotiated protocol version of the active
795 * session, which may be different that the value specified in
796 * SSLSetProtocolVersion(). Returns kSSLProtocolUnknown if no
797 * SSL session is in progress.
798 * @param context A valid SSLContextRef.
799 * @param protocol Pointer where negotiated SSLProtocol is stored.
800 * @result errSecSuccess on success, alternative error on failure.
803 SSLGetNegotiatedProtocolVersion (SSLContextRef context
,
804 SSLProtocol
*protocol
) /* RETURNED */
805 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
808 * @function SSLGetNumberSupportedCiphers
809 * @abstract Determine number and values of all of the SSLCipherSuites we support.
810 * Caller allocates output buffer for SSLGetSupportedCiphers() and passes in
811 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
813 * @param context A valid SSLContextRef.
814 * @param numCiphers Pointer where number of supported ciphers is stored.
815 * @result errSecSuccess on success, alternative error on failure.
818 SSLGetNumberSupportedCiphers (SSLContextRef context
,
820 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
823 * @function SSLGetSupportedCiphers
824 * @abstract Get the supported ciphers.
825 * @param context A valid SSLContextRef.
826 * @param ciphers Pointer to array of SSLCipherSuite values where supported ciphersuites
827 * are stored. This array size is specified by the input value of numCiphers.
828 * @param numCiphers Pointer where number of supported ciphers is stored.
829 * @result errSecSuccess on success, alternative error on failure.
832 SSLGetSupportedCiphers (SSLContextRef context
,
833 SSLCipherSuite
*ciphers
, /* RETURNED */
834 size_t *numCiphers
) /* IN/OUT */
835 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
838 * @function SSLGetNumberEnabledCiphers
839 * @abstract Determine number and values of all of the SSLCipherSuites currently enabled.
840 * Caller allocates output buffer for SSLGetEnabledCiphers() and passes in
841 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow
843 * @param context A valid SSLContextRef.
844 * @param numCiphers Pointer where number of enabled ciphers is stored.
845 * @result errSecSuccess on success, alternative error on failure.
848 SSLGetNumberEnabledCiphers (SSLContextRef context
,
850 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
853 * @function SSLSetEnabledCiphers
854 * @abstract Specify a (typically) restricted set of SSLCipherSuites to be enabled by
855 * the current SSLContext. Can only be called when no session is active. Default
856 * set of enabled SSLCipherSuites is the same as the complete set of supported
857 * SSLCipherSuites as obtained by SSLGetSupportedCiphers().
858 * @param context A valid SSLContextRef.
859 * @param ciphers Array of enabled SSLCipherSuite values. This array size is specified
860 * by the input value of numCiphers.
861 * @param numCiphers Pointer where number of enabled ciphers is stored.
862 * @result errSecSuccess on success, alternative error on failure.
865 SSLSetEnabledCiphers (SSLContextRef context
,
866 const SSLCipherSuite
*ciphers
,
868 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
871 * @function SSLGetEnabledCiphers
872 * @abstract Get the set of supported ciphersuites.
873 * @param context A valid SSLContextRef.
874 * @param ciphers Pointer to array of SSLCipherSuite values where enabled ciphersuites
875 * are stored. This array size is specified by the input value of numCiphers.
876 * @param numCiphers Pointer where number of enabled ciphers is stored.
877 * @result errSecSuccess on success, alternative error on failure.
880 SSLGetEnabledCiphers (SSLContextRef context
,
881 SSLCipherSuite
*ciphers
, /* RETURNED */
882 size_t *numCiphers
) /* IN/OUT */
883 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
886 * @function SSLSetSessionTicketsEnabled
887 * @abstract Forcibly enable or disable session ticket resumption.
888 * @note By default, session tickets are disabled.
889 * @param context A valid SSLContextRef.
890 * @param enabled Boolean indicating if ticket support is enabled (true) or not (false).
891 * @result errSecSuccess on success, alternative error on failure.
894 SSLSetSessionTicketsEnabled (SSLContextRef context
,
896 __SECURETRANSPORT_API_DEPRECATED(macos(10.13, 10.15), ios(11.0, 13.0));
901 * @function SSLSetEnableCertVerify
902 * @abstract Enable/disable peer certificate chain validation. Default is enabled.
903 * @discussion If caller disables, it is the caller's responsibility to call
904 * SSLCopyPeerCertificates() upon successful completion of the handshake
905 * and then to perform external validation of the peer certificate
906 * chain before proceeding with data transfer.
908 * ==========================
909 * MAC OS X ONLY (DEPRECATED)
910 * ==========================
911 * @note This function is not available on iOS, and should be considered
912 * deprecated on Mac OS X. To disable peer certificate chain validation, you
913 * can instead use SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth
914 * to true. This will disable verification and cause SSLHandshake to return with
915 * an errSSLServerAuthCompleted result when the peer certificates have been
916 * received; at that time, you can choose to evaluate peer trust yourself, or
917 * simply call SSLHandshake again to proceed with the handshake.
918 * @param context A valid SSLContextRef.
919 * @param enableVerify Boolean indicating if certificate verifiation is enabled (true) or disabled (false).
920 * @result errSecSuccess on success, alternative error on failure.
923 SSLSetEnableCertVerify (SSLContextRef context
,
924 Boolean enableVerify
)
925 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
928 * @function SSLGetEnableCertVerify
929 * @abstract Check whether peer certificate chain validation is enabled.
931 * ==========================
932 * MAC OS X ONLY (DEPRECATED)
933 * ==========================
934 * @note This function is not available on iOS, and should be considered
935 * deprecated on Mac OS X. To check whether peer certificate chain validation
936 * is enabled in a context, call SSLGetSessionOption to obtain the value of
937 * the kSSLSessionOptionBreakOnServerAuth session option flag. If the value
938 * of this option flag is true, then verification is disabled.
939 * @param context A valid SSLContextRef.
940 * @param enableVerify Pointer to Boolean where enable bit is stored.
941 * @result errSecSuccess on success, alternative error on failure.
944 SSLGetEnableCertVerify (SSLContextRef context
,
945 Boolean
*enableVerify
) /* RETURNED */
946 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
949 * @function SSLSetAllowsExpiredCerts
950 * @abstract Specify the option of ignoring certificates' "expired" times.
951 * @discussion This is a common failure in the real SSL world. Default setting for this
952 * flag is false, meaning expired certs result in an errSSLCertExpired error.
954 * ==========================
955 * MAC OS X ONLY (DEPRECATED)
956 * ==========================
957 * @note This function is not available on iOS, and should be considered
958 * deprecated on Mac OS X. To ignore expired certificate errors, first disable
959 * Secure Transport's automatic verification of peer certificates by calling
960 * SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth to true. When
961 * SSLHandshake subsequently returns an errSSLServerAuthCompleted result,
962 * your code should obtain the SecTrustRef for the peer's certificates and
963 * perform a custom trust evaluation with SecTrust APIs (see SecTrust.h).
964 * The SecTrustSetOptions function allows you to specify that the expiration
965 * status of certificates should be ignored for this evaluation.
969 * status = SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, true);
971 * status = SSLHandshake(ctx);
973 * if (status == errSSLServerAuthCompleted) {
974 * SecTrustRef peerTrust = NULL;
975 * status = SSLCopyPeerTrust(ctx, &peerTrust);
976 * if (status == errSecSuccess) {
977 * SecTrustResultType trustResult;
978 * // set flag to allow expired certificates
979 * SecTrustSetOptions(peerTrust, kSecTrustOptionAllowExpired);
980 * status = SecTrustEvaluate(peerTrust, &trustResult);
981 * if (status == errSecSuccess) {
982 * // A "proceed" result means the cert is explicitly trusted,
983 * // e.g. "Always Trust" was clicked;
984 * // "Unspecified" means the cert has no explicit trust settings,
985 * // but is implicitly OK since it chains back to a trusted root.
986 * // Any other result means the cert is not trusted.
988 * if (trustResult == kSecTrustResultProceed ||
989 * trustResult == kSecTrustResultUnspecified) {
990 * // certificate is trusted
991 * status = errSSLWouldBlock; // so we call SSLHandshake again
992 * } else if (trustResult == kSecTrustResultRecoverableTrustFailure) {
993 * // not trusted, for some reason other than being expired;
994 * // could ask the user whether to allow the connection here
996 * status = errSSLXCertChainInvalid;
998 * // cannot use this certificate (fatal)
999 * status = errSSLBadCert;
1003 * CFRelease(peerTrust);
1006 * } // errSSLServerAuthCompleted
1008 * } while (status == errSSLWouldBlock);
1009 * @param context A valid SSLContextRef.
1010 * @param allowsExpired Boolean indicating if expired certificates are allowed (true) or not (false).
1011 * @result errSecSuccess on success, alternative error on failure.
1014 SSLSetAllowsExpiredCerts (SSLContextRef context
,
1015 Boolean allowsExpired
)
1016 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1019 * @function SSLGetAllowsExpiredCerts
1020 * @abstract Obtain the current value of an SSLContext's "allowExpiredCerts" flag.
1022 * ==========================
1023 * MAC OS X ONLY (DEPRECATED)
1024 * ==========================
1025 * @note This function is not available on iOS, and should be considered
1026 * deprecated on Mac OS X.
1027 * @param context A valid SSLContextRef.
1028 * @param allowsExpired Pointer to Boolean where the expired certificate allowance Boolean is stored.
1029 * @result errSecSuccess on success, alternative error on failure.
1032 SSLGetAllowsExpiredCerts (SSLContextRef context
,
1033 Boolean
*allowsExpired
) /* RETURNED */
1034 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1037 * @function SSLSetAllowsExpiredRoots
1038 * @abstract Similar to SSLSetAllowsExpiredCerts, SSLSetAllowsExpiredRoots allows the
1039 * option of ignoring "expired" status for root certificates only.
1040 * @discussion Default setting is false, i.e., expired root certs result in an
1041 * errSSLCertExpired error.
1043 * ==========================
1044 * MAC OS X ONLY (DEPRECATED)
1045 * ==========================
1046 * @note This function is not available on iOS, and should be considered
1047 * deprecated on Mac OS X. To ignore expired certificate errors, first disable
1048 * Secure Transport's automatic verification of peer certificates by calling
1049 * SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth to true. When
1050 * SSLHandshake subsequently returns an errSSLServerAuthCompleted result,
1051 * your code should obtain the SecTrustRef for the peer's certificates and
1052 * perform a custom trust evaluation with SecTrust APIs (see SecTrust.h).
1053 * The SecTrustSetOptions function allows you to specify that the expiration
1054 * status of certificates should be ignored for this evaluation.
1056 * See the description of the SSLSetAllowsExpiredCerts function (above)
1057 * for a code example. The kSecTrustOptionAllowExpiredRoot option can be used
1058 * instead of kSecTrustOptionAllowExpired to allow expired roots only.
1059 * @param context A valid SSLContextRef.
1060 * @param allowsExpired Boolean indicating if expired roots are allowed.
1061 * @result errSecSuccess on success, alternative error on failure.
1064 SSLSetAllowsExpiredRoots (SSLContextRef context
,
1065 Boolean allowsExpired
)
1066 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1069 * @function SSLGetAllowsExpiredRoots
1070 * @abstract Obtain the current value of an SSLContext's "allow expired roots" flag.
1072 * ==========================
1073 * MAC OS X ONLY (DEPRECATED)
1074 * ==========================
1075 * @note This function is not available on iOS, and should be considered
1076 * deprecated on Mac OS X.
1077 * @param context A valid SSLContextRef.
1078 * @param allowsExpired Pointer to Boolean where the expired root certificate allowance
1079 * Boolean is stored.
1080 * @result errSecSuccess on success, alternative error on failure.
1083 SSLGetAllowsExpiredRoots (SSLContextRef context
,
1084 Boolean
*allowsExpired
) /* RETURNED */
1085 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1088 * @function SSLSetAllowsAnyRoot
1089 * @abstract Specify option of allowing for an unknown root cert, i.e., one which
1090 * this software can not verify as one of a list of known good root certs.
1091 * @discussion Default for this flag is false, in which case one of the following two
1093 * -- The peer returns a cert chain with a root cert, and the chain
1094 * verifies to that root, but the root is not one of our trusted
1095 * roots. This results in errSSLUnknownRootCert on handshake.
1096 * -- The peer returns a cert chain which does not contain a root cert,
1097 * and we can't verify the chain to one of our trusted roots. This
1098 * results in errSSLNoRootCert on handshake.
1100 * Both of these error conditions are ignored when the AllowAnyRoot flag is
1101 * true, allowing connection to a totally untrusted peer.
1103 * ==========================
1104 * MAC OS X ONLY (DEPRECATED)
1105 * ==========================
1106 * @note This function is not available on iOS, and should be considered
1107 * deprecated on Mac OS X. To ignore unknown root cert errors, first disable
1108 * Secure Transport's automatic verification of peer certificates by calling
1109 * SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth to true. When
1110 * SSLHandshake subsequently returns an errSSLServerAuthCompleted result,
1111 * your code should obtain the SecTrustRef for the peer's certificates and
1112 * perform a custom trust evaluation with SecTrust APIs (see SecTrust.h).
1114 * See the description of the SSLSetAllowsExpiredCerts function (above)
1115 * for a code example. Note that an unknown root certificate will cause
1116 * SecTrustEvaluate to report kSecTrustResultRecoverableTrustFailure as the
1118 * @param context A valid SSLContextRef.
1119 * @param anyRoot Boolean indicating if any root is allowed (true) or not (false).
1120 * @result errSecSuccess on success, alternative error on failure.
1123 SSLSetAllowsAnyRoot (SSLContextRef context
,
1125 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1128 * @function SSLGetAllowsAnyRoot
1129 * @abstract Obtain the current value of an SSLContext's "allow any root" flag.
1131 * ==========================
1132 * MAC OS X ONLY (DEPRECATED)
1133 * ==========================
1134 * @note This function is not available on iOS, and should be considered
1135 * deprecated on Mac OS X.
1136 * @param context A valid SSLContextRef.
1137 * @param anyRoot Pointer to Boolean to store any root allowance Boolean.
1138 * @result errSecSuccess on success, alternative error on failure.
1141 SSLGetAllowsAnyRoot (SSLContextRef context
,
1142 Boolean
*anyRoot
) /* RETURNED */
1143 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1146 * @function SSLSetTrustedRoots
1147 * @abstract Augment or replace the system's default trusted root certificate set
1149 * @discussion If replaceExisting is true, the specified roots will
1150 * be the only roots which are trusted during this session. If replaceExisting
1151 * is false, the specified roots will be added to the current set of trusted
1152 * root certs. If this function has never been called, the current trusted
1153 * root set is the same as the system's default trusted root set.
1154 * Successive calls with replaceExisting false result in accumulation
1155 * of additional root certs.
1157 * The trustedRoots array contains SecCertificateRefs.
1159 * ==========================
1160 * MAC OS X ONLY (DEPRECATED)
1161 * ==========================
1162 * @note This function is not available on iOS, and should be considered
1163 * deprecated on Mac OS X. To trust specific roots in a session, first disable
1164 * Secure Transport's automatic verification of peer certificates by calling
1165 * SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth to true. When
1166 * SSLHandshake subsequently returns an errSSLServerAuthCompleted result,
1167 * your code should obtain the SecTrustRef for the peer's certificates and
1168 * perform a custom trust evaluation with SecTrust APIs (see SecTrust.h).
1170 * See the description of the SSLSetAllowsExpiredCerts function (above)
1171 * for a code example. You can call SecTrustSetAnchorCertificates to
1172 * augment the system's trusted root set, or SecTrustSetAnchorCertificatesOnly
1173 * to make these the only trusted roots, prior to calling SecTrustEvaluate.
1174 * @param context A valid SSLContextRef.
1175 * @param trustedRoots Array of SecCertificateRef roots.
1176 * @param replaceExisting Boolean indicating if provided roots should override all others for this connection.
1177 * @result errSecSuccess on success, alternative error on failure.
1180 SSLSetTrustedRoots (SSLContextRef context
,
1181 CFArrayRef trustedRoots
,
1182 Boolean replaceExisting
)
1183 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1186 * @function SSLCopyTrustedRoots
1187 * @abstract Obtain an array of SecCertificateRefs representing the current
1188 * set of trusted roots.
1189 * @discussion If SSLSetTrustedRoots() has never been called
1190 * for this session, this returns the system's default root set.
1191 * Caller must CFRelease the returned CFArray.
1193 * ==========================
1194 * MAC OS X ONLY (DEPRECATED)
1195 * ==========================
1196 * @note This function is not available on iOS, and should be considered
1197 * deprecated on Mac OS X. To get the current set of trusted roots, call the
1198 * SSLCopyPeerTrust function to obtain the SecTrustRef for the peer certificate
1199 * chain, then SecTrustCopyCustomAnchorCertificates (see SecTrust.h).
1200 * @param context A valid SSLContextRef.
1201 * @param trustedRoots Array of SecCertificateRef roots.
1202 * @param replaceExisting Boolean indicating if provided roots should override all others for this connection.
1203 * @result errSecSuccess on success, alternative error on failure.
1206 SSLCopyTrustedRoots (SSLContextRef context
,
1207 CFArrayRef
* __nonnull CF_RETURNS_RETAINED trustedRoots
) /* RETURNED */
1208 __SECURETRANSPORT_API_DEPRECATED(macos(10.5, 10.9));
1211 * @function SSLCopyPeerCertificates
1212 * @abstract Request peer certificates. Valid anytime, subsequent to a handshake attempt.
1213 * @discussion The certs argument is a CFArray containing SecCertificateRefs.
1214 * Caller must CFRelease the returned array.
1216 * The cert at index 0 of the returned array is the subject (end
1217 * entity) cert; the root cert (or the closest cert to it) is at
1218 * the end of the returned array.
1220 * ==========================
1221 * MAC OS X ONLY (DEPRECATED)
1222 * ==========================
1223 * @note This function is not available on iOS, and should be considered
1224 * deprecated on Mac OS X. To get peer certificates, call SSLCopyPeerTrust
1225 * to obtain the SecTrustRef for the peer certificate chain, then use the
1226 * SecTrustGetCertificateCount and SecTrustGetCertificateAtIndex functions
1227 * to retrieve individual certificates in the chain (see SecTrust.h).
1228 * @param context A valid SSLContextRef.
1229 * @param certs Pointer to CFArrayRef that will store a reference to the peer's certificates.
1230 * @result errSecSuccess on success, alternative error on failure.
1233 SSLCopyPeerCertificates (SSLContextRef context
,
1234 CFArrayRef
* __nonnull CF_RETURNS_RETAINED certs
) /* RETURNED */
1235 __SECURETRANSPORT_API_DEPRECATED(macos(10.5, 10.9));
1237 #endif /* MAC OS X */
1240 * @function SSLCopyPeerTrust
1241 * @abstract Obtain a SecTrustRef representing peer certificates. Valid anytime,
1242 * subsequent to a handshake attempt. Caller must CFRelease the returned
1244 * @discussion The returned trust reference will have already been evaluated for
1245 * you, unless one of the following is true:
1246 * - Your code has disabled automatic certificate verification, by calling
1247 * SSLSetSessionOption to set kSSLSessionOptionBreakOnServerAuth to true.
1248 * - Your code has called SSLSetPeerID, and this session has been resumed
1249 * from an earlier cached session.
1251 * In these cases, your code should call SecTrustEvaluate prior to
1252 * examining the peer certificate chain or trust results (see SecTrust.h).
1254 * @note If you have not called SSLHandshake at least once prior to
1255 * calling this function, the returned trust reference will be NULL.
1256 * @param context A valid SSLContextRef.
1257 * @param trust Pointer to SecTrustRef where peer's SecTrustRef is copied (retained).
1258 * @result errSecSuccess on success, alternative error on failure.
1261 SSLCopyPeerTrust (SSLContextRef context
,
1262 SecTrustRef
* __nonnull CF_RETURNS_RETAINED trust
) /* RETURNED */
1263 __SECURETRANSPORT_API_DEPRECATED(macos(10.6, 10.15), ios(5.0, 13.0));
1266 * @function SSLSetPeerID
1267 * @discussion Specify some data, opaque to this library, which is sufficient
1268 * to uniquely identify the peer of the current session. An example
1269 * would be IP address and port, stored in some caller-private manner.
1270 * To be optionally called prior to SSLHandshake for the current
1271 * session. This is mandatory if this session is to be resumable.
1273 * SecureTransport allocates its own copy of the incoming peerID. The
1274 * data provided in *peerID, while opaque to SecureTransport, is used
1275 * in a byte-for-byte compare to other previous peerID values set by the
1276 * current application. Matching peerID blobs result in SecureTransport
1277 * attempting to resume an SSL session with the same parameters as used
1278 * in the previous session which specified the same peerID bytes.
1279 * @param context A valid SSLContextRef.
1280 * @param peerID Opaque peer ID.
1281 * @param peerIDLen Length of opaque peer ID.
1282 * @result errSecSuccess on success, alternative error on failure.
1285 SSLSetPeerID (SSLContextRef context
,
1286 const void * __nullable peerID
,
1288 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1291 * @function SSLGetPeerID
1292 * @abstract Obtain current PeerID. Returns NULL pointer, zero length if
1293 * SSLSetPeerID has not been called for this context.
1294 * @param context A valid SSLContextRef.
1295 * @param peerID Pointer to storage for the peer ID.
1296 * @param peerIDLen Pointer to storage for the peer ID length.
1297 * @result errSecSuccess on success, alternative error on failure.
1300 SSLGetPeerID (SSLContextRef context
,
1301 const void * __nullable
* __nonnull peerID
,
1303 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1306 * @function SSLGetNegotiatedCipher
1307 * @abstract Obtain the SSLCipherSuite (e.g., SSL_RSA_WITH_DES_CBC_SHA) negotiated
1308 * for this session. Only valid when a session is active.
1309 * @param context A valid SSLContextRef.
1310 * @param cipherSuite Pointer to storage for negotiated SSLCipherSuite.
1311 * @result errSecSuccess on success, alternative error on failure.
1314 SSLGetNegotiatedCipher (SSLContextRef context
,
1315 SSLCipherSuite
*cipherSuite
)
1316 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1319 * @function SSLSetALPNProtocols
1320 * @abstract Set the ALPN protocols to be passed in the ALPN negotiation.
1321 * @discussion This is the list of supported application-layer protocols supported.
1323 * The protocols parameter must be an array of CFStringRef values
1324 * with ASCII-encoded reprensetations of the supported protocols, e.g., "http/1.1".
1326 * @note See RFC 7301 for more information.
1327 * @param context A valid SSLContextRef.
1328 * @param protocols Array of CFStringRefs carrying application protocols.
1329 * @result errSecSuccess on success, alternative error on failure.
1332 SSLSetALPNProtocols (SSLContextRef context
,
1333 CFArrayRef protocols
)
1334 __SECURETRANSPORT_API_DEPRECATED(macos(10.13, 10.15), ios(11.0, 13.0));
1337 * @function SSLCopyALPNProtocols
1338 * @abstract Get the ALPN protocols associated with this SSL context.
1339 * @discussion This is the list of supported application-layer protocols supported.
1341 * The resultant protocols array will contain CFStringRef values containing
1342 * ASCII-encoded representations of the supported protocols, e.g., "http/1.1".
1344 * See RFC 7301 for more information.
1346 * @note The `protocols` pointer must be NULL, otherwise the copy will fail.
1347 * This function will allocate memory for the CFArrayRef container
1348 * if there is data to provide. Otherwise, the pointer will remain NULL.
1349 * @param context A valid SSLContextRef.
1350 * @param protocols Pointer to a CFArrayRef where peer ALPN protocols are stored.
1351 * @result errSecSuccess on success, alternative error on failure.
1354 SSLCopyALPNProtocols (SSLContextRef context
,
1355 CFArrayRef __nullable
* __nonnull protocols
) /* RETURNED */
1356 __SECURETRANSPORT_API_DEPRECATED(macos(10.13, 10.15), ios(11.0, 13.0));
1359 * @function SSLSetOCSPResponse
1360 * @abstract Set the OCSP response for the given SSL session.
1361 * @discussion The response parameter must be a non-NULL CFDataRef containing the
1362 * bytes of the OCSP response.
1363 * @param context A valid SSLContextRef.
1364 * @param response CFDataRef carrying OCSP response.
1365 * @result errSecSuccess on success, alternative error on failure.
1368 SSLSetOCSPResponse (SSLContextRef context
,
1369 CFDataRef __nonnull response
)
1370 __SECURETRANSPORT_API_DEPRECATED(macos(10.13, 10.15), ios(11.0, 13.0));
1372 /********************************************************
1373 *** Session context configuration, server side only. ***
1374 ********************************************************/
1377 * @function SSLSetEncryptionCertificate
1378 * @discussion This function is deprecated in OSX 10.11 and iOS 9.0 and
1379 * has no effect on the TLS handshake since OSX 10.10 and
1380 * iOS 8.0. Using separate RSA certificates for encryption
1381 * and signing is no longer supported.
1382 * @param context A valid SSLContextRef.
1383 * @param certRefs Array of certificates.
1384 * @result errSecSuccess on success, alternative error on failure.
1387 SSLSetEncryptionCertificate (SSLContextRef context
,
1388 CFArrayRef certRefs
)
1389 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.11), ios(5.0, 9.0));
1392 * @enum SSLAuthenticate
1393 * @discussion Optional; Default is kNeverAuthenticate.
1394 * Can only be called when no session is active.
1396 typedef CF_ENUM(int, SSLAuthenticate
) {
1397 kNeverAuthenticate
, /* skip client authentication */
1398 kAlwaysAuthenticate
, /* require it */
1399 kTryAuthenticate
/* try to authenticate, but not an error if client doesn't have a cert */
1403 * @function SSLSetClientSideAuthenticate
1404 * @abstract Specify requirements for client-side authentication.
1405 * @param context A valid SSLContextRef.
1406 * @param auth A SSLAuthenticate enumeration value.
1407 * @result errSecSuccess on success, alternative error on failure.
1410 SSLSetClientSideAuthenticate (SSLContextRef context
,
1411 SSLAuthenticate auth
)
1412 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1415 * @function SSLAddDistinguishedName
1416 * @abstract Add a DER-encoded distinguished name to list of acceptable names
1417 * to be specified in requests for client certificates.
1418 * @param context A valid SSLContextRef.
1419 * @param derDN A DER-encoded Distinguished Name blob.
1420 * @param derDNLen Length of the Distinguished Name blob.
1421 * @result errSecSuccess on success, alternative error on failure.
1424 SSLAddDistinguishedName (SSLContextRef context
,
1425 const void * __nullable derDN
,
1427 __SECURETRANSPORT_API_DEPRECATED(macos(10.4, 10.15), ios(5.0, 13.0));
1432 * @function SSLSetCertificateAuthorities
1433 * @abstract Add a SecCertificateRef, or a CFArray of them, to a server's list
1434 * of acceptable Certificate Authorities (CAs) to present to the client
1435 * when client authentication is performed.
1436 * @discussion If replaceExisting is true, the specified certificate(s) will
1437 * replace a possible existing list of acceptable CAs. If replaceExisting
1438 * is false, the specified certificate(s) will be appended to the existing
1439 * list of acceptable CAs, if any.
1441 * Returns errSecParam if this is called on a SSLContextRef which
1442 * is configured as a client, or when a session is active.
1444 * @note this function is currently not available on iOS.
1445 * @param context A valid SSLContextRef.
1446 * @param certificateOrARray Either a SecCertificateRef (or CFArrayRef of them).
1447 * @param replaceExisting Boolean indicating if existing CAs should be overruled for this connection.
1448 * @result errSecSuccess on success, alternative error on failure.
1451 SSLSetCertificateAuthorities(SSLContextRef context
,
1452 CFTypeRef certificateOrArray
,
1453 Boolean replaceExisting
)
1454 __SECURETRANSPORT_API_DEPRECATED(macos(10.5, 10.15));
1457 * @function SSLCopyCertificateAuthorities
1458 * @abstract Obtain the certificates specified in SSLSetCertificateAuthorities(),
1459 * if any. Returns a NULL array if SSLSetCertificateAuthorities() has not been called.
1460 * @discussion Caller must CFRelease the returned array.
1462 * @note This function is currently not available on iOS.
1463 * @param context A valid SSLContextRef.
1464 * @param certificates Pointer to CFArrayRef storage for retained copy of CAs for this connection.
1465 * @result errSecSuccess on success, alternative error on failure.
1468 SSLCopyCertificateAuthorities(SSLContextRef context
,
1469 CFArrayRef
* __nonnull CF_RETURNS_RETAINED certificates
) /* RETURNED */
1470 __SECURETRANSPORT_API_DEPRECATED(macos(10.5, 10.15));
1472 #endif /* MAC OS X */
1475 * @function SSLCopyDistinguishedNames
1476 * @abstract Obtain the list of acceptable distinguished names as provided by
1477 * a server (if the SSLContextRef is configured as a client), or as
1478 * specified by SSLSetCertificateAuthorities (if the SSLContextRef
1479 * is configured as a server).
1480 * @discussion The returned array contains CFDataRefs, each of which represents
1481 * one DER-encoded RDN. Caller must CFRelease the returned array.
1482 * @param context A valid SSLContextRef.
1483 * @param names Pointer to CFArrayRef storage for retained copy of Distinguished Names.
1484 * @result errSecSuccess on success, alternative error on failure.
1487 SSLCopyDistinguishedNames (SSLContextRef context
,
1488 CFArrayRef
* __nonnull CF_RETURNS_RETAINED names
)
1489 __SECURETRANSPORT_API_DEPRECATED(macos(10.5, 10.15), ios(5.0, 13.0));
1492 * @function SSLGetClientCertificateState
1493 * @abstract Obtain client certificate exchange status.
1494 * @discussion Can be called any time.
1495 * Reflects the *last* client certificate state change;
1496 * subsequent to a renegotiation attempt by either peer, the state
1497 * is reset to kSSLClientCertNone.
1498 * @param context A valid SSLContextRef.
1499 * @param clientState Pointer to SSLClientCertificateState storage.
1500 * @result errSecSuccess on success, alternative error on failure.
1503 SSLGetClientCertificateState (SSLContextRef context
,
1504 SSLClientCertificateState
*clientState
)
1505 __SECURETRANSPORT_API_DEPRECATED(macos(10.3, 10.15), ios(5.0, 13.0));
1510 * @function SSLSetDiffieHellmanParams
1511 * @abstract Specify Diffie-Hellman parameters.
1512 * @discussion Optional; if we are configured to allow
1513 * for D-H ciphers and a D-H cipher is negotiated, and this function has not
1514 * been called, a set of process-wide parameters will be calculated. However
1515 * that can take a long time (30 seconds).
1516 * @note This function is currently not available on iOS.
1517 * @param context A valid SSLContextRef.
1518 * @param clientState Pointer to SSLClientCertificateState storage.
1519 * @result errSecSuccess on success, alternative error on failure.
1522 SSLSetDiffieHellmanParams (SSLContextRef context
,
1523 const void * __nullable dhParams
,
1525 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15));
1528 * @function SSLGetDiffieHellmanParams
1529 * @abstract Return parameter block specified in SSLSetDiffieHellmanParams.
1530 * @discussion Returned data is not copied and belongs to the SSLContextRef.
1531 * @note This function is currently not available on iOS.
1532 * @param context A valid SSLContextRef.
1533 * @param dhParams Pointer to storage for DH parameters (if set), of at length most |*dhParamsLen|.
1534 * @param dhParamsLen (Input and output) length of dhParams.
1535 * @result errSecSuccess on success, alternative error on failure.
1538 SSLGetDiffieHellmanParams (SSLContextRef context
,
1539 const void * __nullable
* __nonnull dhParams
,
1540 size_t *dhParamsLen
)
1541 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15));
1544 * @function SSLSetRsaBlinding
1545 * @abstract Enable/Disable RSA blinding.
1546 * @discussion This feature thwarts a known timing
1547 * attack to which RSA keys are vulnerable; enabling it is a tradeoff
1548 * between performance and security. The default for RSA blinding is
1551 * ==========================
1552 * MAC OS X ONLY (DEPRECATED)
1553 * ==========================
1554 * @note This function is not available on iOS, and should be considered
1555 * deprecated on Mac OS X. RSA blinding is enabled unconditionally, as
1556 * it prevents a known way for an attacker to recover the private key,
1557 * and the performance gain of disabling it is negligible.
1558 * @param context A valid SSLContextRef.
1559 * @param blinding Boolean indicating if RSA blinding is enabled.
1560 * @result errSecSuccess on success, alternative error on failure.
1563 SSLSetRsaBlinding (SSLContextRef context
,
1565 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1568 * @function SSLGetRsaBlinding
1569 * @abstract Get RSA blinding state.
1570 * @discussion See SSLSetRsaBlinding().
1572 * ==========================
1573 * MAC OS X ONLY (DEPRECATED)
1574 * ==========================
1575 * @note This function is not available on iOS, and should be considered
1576 * deprecated on Mac OS X.
1577 * @param context A valid SSLContextRef.
1578 * @param blinding Pointer to Boolean storage for RSA blinding state.
1579 * @result errSecSuccess on success, alternative error on failure.
1582 SSLGetRsaBlinding (SSLContextRef context
,
1584 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.9));
1586 #endif /* MAC OS X */
1588 /*******************************
1589 ******** I/O Functions ********
1590 *******************************/
1593 * Note: depending on the configuration of the underlying I/O
1594 * connection, all SSL I/O functions can return errSSLWouldBlock,
1595 * indicating "not complete, nothing is wrong, except required
1596 * I/O hasn't completed". Caller may need to repeat I/Os as necessary
1597 * if the underlying connection has been configured to behave in
1598 * a non-blocking manner.
1602 * @function SSLHandshake
1603 * @abstract Perform the SSL handshake.
1604 * @discussion On successful return, session is ready for normal secure application
1605 * I/O via SSLWrite and SSLRead.
1607 * Interesting error returns:
1609 * errSSLUnknownRootCert: Peer had a valid cert chain, but the root of
1610 * the chain is unknown.
1612 * errSSLNoRootCert: Peer had a cert chain which did not end in a root.
1614 * errSSLCertExpired: Peer's cert chain had one or more expired certs.
1616 * errSSLXCertChainInvalid: Peer had an invalid cert chain (i.e.,
1617 * signature verification within the chain failed, or no certs
1620 * In all of the above errors, the handshake was aborted; the peer's
1621 * cert chain is available via SSLCopyPeerTrust or SSLCopyPeerCertificates.
1623 * Other interesting result codes:
1625 * errSSLPeerAuthCompleted: Peer's cert chain is valid, or was ignored if
1626 * cert verification was disabled via SSLSetEnableCertVerify. The application
1627 * may decide to continue with the handshake (by calling SSLHandshake
1628 * again), or close the connection at this point.
1630 * errSSLClientCertRequested: The server has requested a client certificate.
1631 * The client may choose to examine the server's certificate and
1632 * distinguished name list, then optionally call SSLSetCertificate prior
1633 * to resuming the handshake by calling SSLHandshake again.
1635 * A return value of errSSLWouldBlock indicates that SSLHandshake has to be
1636 * called again (and again and again until something else is returned).
1637 * @param context A valid SSLContextRef.
1638 * @result errSecSuccess on success, alternative error on failure or incomplete state.
1641 SSLHandshake (SSLContextRef context
)
1642 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1645 * @function SSLReHandshake
1646 * @abstract Server Only: Request renegotation.
1647 * @discussion This will return an error if the server is already renegotiating, or if the session is closed.
1648 * After this return without error, the application should call SSLHandshake() and/or SSLRead() as
1649 * for the original handshake.
1650 * @param context A valid SSLContextRef.
1651 * @result errSecSuccess on success, alternative error on failure.
1654 SSLReHandshake (SSLContextRef context
)
1655 __SECURETRANSPORT_API_DEPRECATED(macos(10.12, 10.15), ios(10.0, 13.0));
1659 * @function SSLWrite
1660 * @abstract Normal application-level write.
1661 * @discussion On both of these, a errSSLWouldBlock return and a partially completed
1662 * transfer - or even zero bytes transferred - are NOT mutually exclusive.
1663 * @param context A valid SSLContextRef.
1664 * @param data Pointer to data to write.
1665 * @param dataLength Length of data to write.
1666 * @param processed Pointer to storage indicating how much data was written.
1667 * @result errSecSuccess on success, alternative error on failure.
1670 SSLWrite (SSLContextRef context
,
1671 const void * __nullable data
,
1673 size_t *processed
) /* RETURNED */
1674 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1678 * @abstract * @abstract Normal application-level write.
1679 * @discussion Data is mallocd by caller; available size specified in
1680 * dataLength; actual number of bytes read returned in
1682 * @param context A valid SSLContextRef.
1683 * @param data Pointer to storage where data can be read.
1684 * @param dataLength Length of data storage.
1685 * @param processed Pointer to storage indicating how much data was read.
1686 * @result errSecSuccess on success, alternative error on failure.
1689 SSLRead (SSLContextRef context
,
1690 void * data
, /* RETURNED */
1692 size_t *processed
) /* RETURNED */
1693 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1696 * @function SSLGetBufferedReadSize
1697 * @abstract Determine how much data the client can be guaranteed to
1698 * obtain via SSLRead() without blocking or causing any low-level
1699 * read operations to occur.
1700 * @param context A valid SSLContextRef.
1701 * @param bufferSize Pointer to store the amount of buffered data to be read.
1702 * @result errSecSuccess on success, alternative error on failure.
1705 SSLGetBufferedReadSize (SSLContextRef context
,
1706 size_t *bufferSize
) /* RETURNED */
1707 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1710 * @function SSLGetDatagramWriteSize
1711 * @abstract Determine how much data the application can be guaranteed to write
1712 * with SSLWrite() without causing fragmentation. The value is based on
1713 * the maximum Datagram Record size defined by the application with
1714 * SSLSetMaxDatagramRecordSize(), minus the DTLS Record header size.
1715 * @param context A valid SSLContextRef (for DTLS).
1716 * @param bufferSize Pointer to store the amount of data that can be written.
1717 * @result errSecSuccess on success, alternative error on failure.
1720 SSLGetDatagramWriteSize (SSLContextRef dtlsContext
,
1722 __SECURETRANSPORT_API_DEPRECATED(macos(10.8, 10.15), ios(5.0, 13.0));
1725 * @function SSLClose
1726 * @abstract Terminate current SSL session.
1727 * @param context A valid SSLContextRef.
1728 * @result errSecSuccess on success, alternative error on failure.
1731 SSLClose (SSLContextRef context
)
1732 __SECURETRANSPORT_API_DEPRECATED(macos(10.2, 10.15), ios(5.0, 13.0));
1735 * @function SSLSetError
1736 * @abstract Set the status of a SSLContextRef.
1737 * @discussion This is to be done after handling steps of the SSL handshake such
1738 * as server certificate validation.
1739 * @param context A valid SSLContextRef.
1740 * @param status Error status to set internally, which will be translated to an alert.
1741 * @result errSecSuccess on success, alternative error on failure.
1744 SSLSetError (SSLContextRef context
,
1746 __SECURETRANSPORT_API_DEPRECATED(macos(10.13, 10.15), ios(11.0, 13.0));
1748 #undef __SECURETRANSPORT_API_DEPRECATED
1750 CF_IMPLICIT_BRIDGING_DISABLED
1751 CF_ASSUME_NONNULL_END
1757 #endif /* !_SECURITY_SECURETRANSPORT_H_ */
projects / apple / security.git / blob