6 #ifndef SecProtocolPriv_h
7 #define SecProtocolPriv_h
9 #include <Security/SecProtocolOptions.h>
10 #include <Security/SecProtocolMetadata.h>
11 #include <Security/SecProtocolConfiguration.h>
12 #include <Security/SecureTransportPriv.h>
13 #include <Security/SecCertificatePriv.h>
19 /* See: https://tools.ietf.org/html/rfc8446#section-4.2.7 */
20 typedef CF_ENUM(uint16_t, tls_key_exchange_group_t
) {
21 tls_key_exchange_group_Secp256r1
= 0x0017,
22 tls_key_exchange_group_Secp384r1
= 0x0018,
23 tls_key_exchange_group_Secp521r1
= 0x0019,
24 tls_key_exchange_group_X25519
= 0x001D,
25 tls_key_exchange_group_X448
= 0x001E,
26 tls_key_exchange_group_FFDHE2048
= 0x0100,
27 tls_key_exchange_group_FFDHE3072
= 0x0101,
28 tls_key_exchange_group_FFDHE4096
= 0x0102,
29 tls_key_exchange_group_FFDHE6144
= 0x0103,
30 tls_key_exchange_group_FFDHE8192
= 0x0104,
34 * Convenience key exchange groups that collate group identifiers of
35 * comparable security into a single alias.
37 typedef CF_ENUM(uint16_t, tls_key_exchange_group_set_t
) {
38 tls_key_exchange_group_set_default
,
39 tls_key_exchange_group_set_compatibility
,
40 tls_key_exchange_group_set_legacy
,
43 SEC_ASSUME_NONNULL_BEGIN
45 #ifndef SEC_OBJECT_IMPL
46 SEC_OBJECT_DECL(sec_array
);
47 #endif // !SEC_OBJECT_IMPL
49 struct sec_protocol_options_content
;
50 typedef struct sec_protocol_options_content
*sec_protocol_options_content_t
;
52 struct sec_protocol_metadata_content
;
53 typedef struct sec_protocol_metadata_content
*sec_protocol_metadata_content_t
;
55 typedef void (^sec_protocol_tls_handshake_message_handler_t
)(uint8_t type
, dispatch_data_t message
);
57 typedef dispatch_data_t
_Nullable (*sec_protocol_metadata_exporter
)(void * handle
, size_t label_len
, const char *label
,
58 size_t context_len
, const uint8_t * __nullable context
, size_t exporter_len
);
60 typedef dispatch_data_t
_Nullable (*sec_protocol_metadata_session_exporter
)(void *handle
);
62 typedef bool (^sec_access_block_t
)(void *handle
);
64 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
65 SEC_RETURNS_RETAINED sec_array_t
66 sec_array_create(void);
68 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
70 sec_array_append(sec_array_t array
, sec_object_t object
);
72 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
74 sec_array_get_count(sec_array_t array
);
76 typedef bool (^sec_array_applier_t
) (size_t index
, sec_object_t object
);
78 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
80 sec_array_apply(sec_array_t array
, sec_array_applier_t applier
);
83 * @function sec_protocol_options_access_handle
86 * Access the internal handle of a `sec_protocol_options` object.
89 * A `sec_protocol_options_t` instance.
92 * A block to invoke with access to the internal handle.
94 * @return True if the access was successful
96 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
98 sec_protocol_options_access_handle(sec_protocol_options_t options
, sec_access_block_t access_block
);
101 * @function sec_protocol_options_contents_are_equal
104 * Compare two `sec_protocol_options_content_t` structs for equality.
107 * A `sec_protocol_options_t` instance.
110 * A `sec_protocol_options_t` instance.
112 * @return True if equal, and false otherwise.
114 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
116 sec_protocol_options_contents_are_equal(sec_protocol_options_content_t contentA
, sec_protocol_options_content_t contentB
);
119 * @function sec_protocol_options_set_tls_early_data_enabled
122 * Enable or disable early (0-RTT) data for TLS.
125 * A `sec_protocol_options_t` instance.
127 * @param early_data_enabled
128 * Flag to enable or disable early (0-RTT) data.
130 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
132 sec_protocol_options_set_tls_early_data_enabled(sec_protocol_options_t options
, bool early_data_enabled
);
135 * @function sec_protocol_options_set_tls_sni_disabled
138 * Enable or disable the TLS SNI extension. This defaults to `false`.
141 * A `sec_protocol_options_t` instance.
143 * @param sni_disabled
144 * Flag to enable or disable use of the TLS SNI extension.
146 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
148 sec_protocol_options_set_tls_sni_disabled(sec_protocol_options_t options
, bool sni_disabled
);
151 * @function sec_protocol_options_set_enforce_ev
154 * Enable or disable EV enforcement.
157 * A `sec_protocol_options_t` instance.
160 * Flag to determine if EV is enforced.
162 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
164 sec_protocol_options_set_enforce_ev(sec_protocol_options_t options
, bool enforce_ev
);
167 * @block sec_protocol_session_update_t
170 * Block to be invoked when a new session is established and ready.
173 * A `sec_protocol_metadata_t` instance.
175 typedef void (^sec_protocol_session_update_t
)(sec_protocol_metadata_t metadata
);
178 * @function sec_protocol_options_set_session_update_block
181 * Set the session update block. This is fired whenever a new session is
182 * created an inserted into the cache.
185 * A `sec_protocol_options_t` instance.
187 * @param update_block
188 * A `sec_protocol_session_update_t` instance.
190 * @params update_queue
191 * A `dispatch_queue_t` on which the update block should be called.
193 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
195 sec_protocol_options_set_session_update_block(sec_protocol_options_t options
,
196 sec_protocol_session_update_t update_block
,
197 dispatch_queue_t update_queue
);
200 * @function sec_protocol_options_set_session_state
203 * Set the session state using a serialized session blob.
205 * If the session state is invalid or otherwise corrupt, the state is ignored and
206 * the connection will proceed as if no state was provided.
209 * A `sec_protocol_options_t` instance.
211 * @param session_state
212 * A `dispatch_data_t` carrying serialized session state from a previous.
214 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
216 sec_protocol_options_set_session_state(sec_protocol_options_t options
, dispatch_data_t session_state
);
219 * @function sec_protocol_options_set_quic_transport_parameters
222 * Set the opaque QUIC transport parameters to be used for this connection.
225 * A `sec_protocol_options_t` instance.
227 * @param transport_parameters
228 * A `dispatch_data_t` carrying opqaue QUIC transport parameters.
230 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
232 sec_protocol_options_set_quic_transport_parameters(sec_protocol_options_t options
, dispatch_data_t transport_parameters
);
235 * @enum sec_protocol_tls_encryption_level_t
237 * @abstract An enumeration of the different TLS encryption levels.
240 sec_protocol_tls_encryption_level_initial
= 0,
241 sec_protocol_tls_encryption_level_early_data
,
242 sec_protocol_tls_encryption_level_handshake
,
243 sec_protocol_tls_encryption_level_application
,
244 } sec_protocol_tls_encryption_level_t
;
247 * @block sec_protocol_tls_encryption_secret_update_t
250 * Block to be invoked when a new session is established and ready.
253 * The `sec_protocol_tls_encryption_level_t` for this secret.
256 * True if this secret is for writing, and false if it's for reading.
259 * Secret wrapped in a `dispatch_data_t`
261 typedef void (^sec_protocol_tls_encryption_secret_update_t
)(sec_protocol_tls_encryption_level_t level
, bool is_write
, dispatch_data_t secret
);
264 * @function sec_protocol_options_set_tls_encryption_secret_update_block
267 * Set the TLS secret update block. This is fired whenever a new TLS secret is
271 * A `sec_protocol_options_t` instance.
273 * @param update_block
274 * A `sec_protocol_tls_encryption_secret_update_t` instance.
276 * @params update_queue
277 * A `dispatch_queue_t` on which the update block should be called.
279 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
281 sec_protocol_options_set_tls_encryption_secret_update_block(sec_protocol_options_t options
,
282 sec_protocol_tls_encryption_secret_update_t update_block
,
283 dispatch_queue_t update_queue
);
286 * @block sec_protocol_private_key_complete_t
289 * Block to be invoked when a private key operation is complete.
292 * A `dispatch_data_t` object containing the private key result.
294 typedef void (^sec_protocol_private_key_complete_t
)(dispatch_data_t result
);
297 * @block sec_protocol_private_key_sign_t
300 * Block to be invoked when a private key signature operation is required.
303 * The signature algorithm to use for the signature.
306 * The input to be signed.
309 * The `sec_protocol_private_key_complete_t` block to invoke when the operation is complete.
311 typedef void (^sec_protocol_private_key_sign_t
)(uint16_t algorithm
, dispatch_data_t input
, sec_protocol_private_key_complete_t complete
);
314 * @block sec_protocol_private_key_decrypt_t
317 * Block to be invoked when a private key decryption operation is required.
320 * The input to be decrypted.
323 * The `sec_protocol_private_key_complete_t` block to invoke when the operation is complete.
325 typedef void (^sec_protocol_private_key_decrypt_t
)(dispatch_data_t input
, sec_protocol_private_key_complete_t complete
);
328 * @block sec_protocol_options_set_private_key_blocks
331 * Set the private key operation blocks for this connection.
334 * A `sec_protocol_options_t` instance.
337 * A `sec_protocol_private_key_sign_t` block.
339 * @param decrypt_block
340 * A `sec_protocol_private_key_decrypt_t` block.
342 * @param operation_queue
343 * The `dispatch_queue_t` queue on which each private key operation is invoked.
345 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
347 sec_protocol_options_set_private_key_blocks(sec_protocol_options_t options
,
348 sec_protocol_private_key_sign_t sign_block
,
349 sec_protocol_private_key_decrypt_t decrypt_block
,
350 dispatch_queue_t operation_queue
);
353 * @block sec_protocol_options_set_local_certificates
356 * Set the local certificates to be used for this protocol instance.
359 * A `sec_protocol_options_t` instance.
361 * @param certificates
362 * A `sec_array_t` instance of `sec_certifiate_t` instances.
364 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
366 sec_protocol_options_set_local_certificates(sec_protocol_options_t options
, sec_array_t certificates
);
369 * @block sec_protocol_options_set_tls_certificate_compression_enabled
372 * Enable or disable TLS 1.3 certificate compression.
374 * See: https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
377 * A `sec_protocol_options_t` instance.
379 * @param certificate_compression_enabled
380 * Flag to determine if certificate compression is enabled.
382 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
384 sec_protocol_options_set_tls_certificate_compression_enabled(sec_protocol_options_t options
, bool certificate_compression_enabled
);
387 * @block sec_protocol_options_tls_handshake_message_callback
390 * Set a callback to process each TLS handshake message. This function may be invoked at any point during
391 * the TLS handshake, if at all. Clients MUST NOT rely on any behavior aspect of this function as they
395 * A `sec_protocol_options_t` instance.
398 * A `sec_protocol_tls_handshake_message_handler_t`.
401 * The queue upon which to invoke the callback.
403 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
405 sec_protocol_options_tls_handshake_message_callback(sec_protocol_options_t options
, sec_protocol_tls_handshake_message_handler_t handler
, dispatch_queue_t queue
);
408 * @block sec_protocol_options_append_tls_key_exchange_group
411 * Append a TLS key exchange group to the set of enabled groups.
414 * A `sec_protocol_options_t` instance.
417 * A `tls_key_exchange_group_t` value.
419 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
421 sec_protocol_options_append_tls_key_exchange_group(sec_protocol_options_t options
, tls_key_exchange_group_t group
);
424 * @block sec_protocol_options_add_tls_key_exchange_group
427 * Add a TLS key exchange group to the set of enabled groups.
430 * A `sec_protocol_options_t` instance.
433 * A SSLKeyExchangeGroup value.
435 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
437 sec_protocol_options_add_tls_key_exchange_group(sec_protocol_options_t options
, SSLKeyExchangeGroup group
);
440 * @block sec_protocol_options_append_tls_key_exchange_group_set
443 * Append a TLS key exchange group set to the set of enabled groups.
446 * A `sec_protocol_options_t` instance.
449 * A `tls_key_exchange_group_set_t` value.
451 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
453 sec_protocol_options_append_tls_key_exchange_group_set(sec_protocol_options_t options
, tls_key_exchange_group_set_t set
);
456 * @block sec_protocol_options_tls_key_exchange_group_set
459 * Add a TLS key exchange group set to the set of enabled groups.
462 * A `sec_protocol_options_t` instance.
465 * A SSLKeyExchangeGroupSet value.
467 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
469 sec_protocol_options_add_tls_key_exchange_group_set(sec_protocol_options_t options
, SSLKeyExchangeGroupSet set
);
472 * @function sec_protocol_options_set_tls_SIKE503_exchange_enabled
475 * Enable SIKE using P503 for TLS 1.3 key exchange.
477 * DO NOT DEPEND ON THIS SPI. IT IS FOR EXPERIMENTAL PURPOSES AND SUBJECT TO REMOVAL WITHOUT ADVANCE NOTICE.
478 * BUILD BREAKAGE ISSUES WILL BE SENT TO THE CALLING PROJECT.
481 * A `sec_protocol_options_t` instance.
483 * @param tls_SIKE503_exchange_enabled
484 * Flag to enable SIKE with P503.
486 #define SEC_PROTOCOL_HAS_PQ_TLS_HANDLES 1
487 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
489 sec_protocol_options_set_tls_SIKE503_exchange_enabled(sec_protocol_options_t options
, bool tls_SIKE503_exchange_enabled
);
492 * @function sec_protocol_options_set_tls_HRSS_exchange_enabled
495 * Enable HRSS for TLS 1.3 key exchange.
497 * DO NOT DEPEND ON THIS SPI. IT IS FOR EXPERIMENTAL PURPOSES AND SUBJECT TO REMOVAL WITHOUT ADVANCE NOTICE.
498 * BUILD BREAKAGE ISSUES WILL BE SENT TO THE CALLING PROJECT.
501 * A `sec_protocol_options_t` instance.
503 * @param tls_HRSS_exchange_enabled
504 * Flag to enable HRSS.
506 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
508 sec_protocol_options_set_tls_HRSS_exchange_enabled(sec_protocol_options_t options
, bool tls_HRSS_exchange_enabled
);
511 * @function sec_protocol_options_set_eddsa_enabled
514 * Enable EDDSA support (for TLS 1.3).
517 * A `sec_protocol_options_t` instance.
519 * @param eddsa_enabled
520 * Flag to enable EDDSA.
522 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
524 sec_protocol_options_set_eddsa_enabled(sec_protocol_options_t options
, bool eddsa_enabled
);
527 * @function sec_protocol_options_set_tls_delegated_credentials_enabled
530 * Enable TLS delegated credentials support. See https://tools.ietf.org/html/draft-ietf-tls-subcerts-02.
532 * DO NOT DEPEND ON THIS SPI. IT IS FOR EXPERIMENTAL PURPOSES AND SUBJECT TO REMOVAL WITHOUT ADVANCE NOTICE.
533 * BUILD BREAKAGE ISSUES WILL BE SENT TO THE CALLING PROJECT.
536 * A `sec_protocol_options_t` instance.
538 * @param tls_delegated_credentials_enabled
539 * Flag to enable TLS delegated credentials.
541 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
543 sec_protocol_options_set_tls_delegated_credentials_enabled(sec_protocol_options_t options
, bool tls_delegated_credentials_enabled
);
546 * @function sec_protocol_options_set_tls_ticket_request_count
549 * Enable TLS ticket request support, and specify the count of tickets. Ticket support
550 * must also be explicitly enabled by `sec_protocol_options_set_tls_tickets_enabled`.
552 * DO NOT DEPEND ON THIS SPI. IT IS FOR EXPERIMENTAL PURPOSES AND SUBJECT TO REMOVAL WITHOUT ADVANCE NOTICE.
553 * BUILD BREAKAGE ISSUES WILL BE SENT TO THE CALLING PROJECT.
556 * A `sec_protocol_options_t` instance.
558 * @param tls_ticket_request_count
559 * Set the amount of tickets to request from the server.
561 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
563 sec_protocol_options_set_tls_ticket_request_count(sec_protocol_options_t options
, uint8_t tls_ticket_request_count
);
566 * @function sec_protocol_options_set_tls_grease_enabled
569 * Enable TLS GREASE support. See https://tools.ietf.org/html/draft-ietf-tls-grease-02.
571 * DO NOT DEPEND ON THIS SPI. IT IS FOR EXPERIMENTAL PURPOSES AND SUBJECT TO REMOVAL WITHOUT ADVANCE NOTICE.
572 * BUILD BREAKAGE ISSUES WILL BE SENT TO THE CALLING PROJECT.
575 * A `sec_protocol_options_t` instance.
577 * @param tls_grease_enabled
578 * Flag to enable TLS GREASE.
580 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
582 sec_protocol_options_set_tls_grease_enabled(sec_protocol_options_t options
, bool tls_grease_enabled
);
585 * @function sec_protocol_options_create_config
588 * Create a `xpc_object_t` instance carrying a configuration for the given `sec_protocol_options_t` instance.
591 * A `sec_protocol_options_t` instance.
593 * @return A `xpc_object_t` instance carrying a configuration, or nil on failure.
595 #define SEC_PROTOCOL_HAS_EXPERIMENT_HOOKS 1
596 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
597 SEC_RETURNS_RETAINED __nullable xpc_object_t
598 sec_protocol_options_create_config(sec_protocol_options_t options
);
601 * @function sec_protocol_options_matches_config
604 * Determine if a `sec_protocol_options_t` instance matches a given configuration.
607 * A `sec_protocol_options_t` instance.
610 * A `xpc_object_t` instance carrying a SecExperiment config.
612 * @return True if the parameters in `config` match that of `options`, and false otherwise.
614 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
616 sec_protocol_options_matches_config(sec_protocol_options_t options
, xpc_object_t config
);
619 * @function sec_protocol_options_apply_config
622 * Transform the given `sec_protocol_options_t` instance using the provided config.
625 * A `sec_protocol_options_t` instance.
628 * A `xpc_object_t` instance carrying a SecExperiment config.
630 * @return True if the options were applied successfully, and false otherwise.
633 sec_protocol_options_apply_config(sec_protocol_options_t options
, xpc_object_t config
);
636 * @function sec_protocol_metadata_get_tls_negotiated_group
639 * Get a human readable representation of the negotiated key exchange group.
642 * A `sec_protocol_metadata_t` instance.
644 * @return A string representation of the negotiated group, or NULL if it does not exist.
646 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
647 const char * __nullable
648 sec_protocol_metadata_get_tls_negotiated_group(sec_protocol_metadata_t metadata
);
651 * @function sec_protocol_metadata_get_tls_false_start_used
654 * Determine if False Start was used.
657 * A `sec_protocol_metadata_t` instance.
659 * @return True if False Start was used, and false otherwise.
661 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
663 sec_protocol_metadata_get_tls_false_start_used(sec_protocol_metadata_t metadata
);
666 * @function sec_protocol_metadata_get_ticket_offered
669 * Determine if a ticket was offered for session resumption.
672 * A `sec_protocol_metadata_t` instance.
674 * @return True if a ticket was offered for resumption, and false otherwise.
676 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
678 sec_protocol_metadata_get_ticket_offered(sec_protocol_metadata_t metadata
);
681 * @function sec_protocol_metadata_get_ticket_received
684 * Determine if a ticket was received upon completing the new connection.
687 * A `sec_protocol_metadata_t` instance.
689 * @return True if a ticket was received from the peer (server), and false otherwise.
691 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
693 sec_protocol_metadata_get_ticket_received(sec_protocol_metadata_t metadata
);
696 * @function sec_protocol_metadata_get_session_resumed
699 * Determine if this new connection was a session resumption.
702 * A `sec_protocol_metadata_t` instance.
704 * @return True if this new connection was resumed, and false otherwise.
706 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
708 sec_protocol_metadata_get_session_resumed(sec_protocol_metadata_t metadata
);
711 * @function sec_protocol_metadata_get_session_renewed
714 * Determine if this resumed connection was renewed with a new ticket.
717 * A `sec_protocol_metadata_t` instance.
719 * @return True if this resumed connection was renewed with a new ticket, and false otherwise.
721 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
723 sec_protocol_metadata_get_session_renewed(sec_protocol_metadata_t metadata
);
726 * @function sec_protocol_metadata_get_connection_strength
729 * Determine the TLS connection strength.
732 * A `sec_protocol_metadata_t` instance.
734 * @return An `SSLConnectionStrength` enum.
736 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
737 SSLConnectionStrength
738 sec_protocol_metadata_get_connection_strength(sec_protocol_metadata_t metadata
);
741 * @function sec_protocol_metadata_copy_serialized_session
744 * Copy a serialized representation of a session.
747 * A `sec_protocol_metadata_t` instance.
749 * @return A `dispatch_data_t` object containing a serialized session.
751 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
752 SEC_RETURNS_RETAINED __nullable dispatch_data_t
753 sec_protocol_metadata_copy_serialized_session(sec_protocol_metadata_t metadata
);
756 * @function sec_protocol_metadata_access_handle
759 * Access the internal handle of a `sec_protocol_metadata` object.
762 * A `sec_protocol_metadata_t` instance.
764 * @param access_block
765 * A block to invoke with access to the internal handle.
767 * @return True if the access was successful
769 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
771 sec_protocol_metadata_access_handle(sec_protocol_metadata_t metadata
, sec_access_block_t access_block
);
774 * @function sec_protocol_metadata_serialize_with_options
777 * Serialize a `sec_protocol_metadata_t` to an `xpc_object_t` dictionary using information
778 * contained in the `metadata` and `options` objects.
781 * A `sec_protocol_metadata_t` instance.
783 * @return A xpc_object_t carrying the serialized metadata.
785 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
786 SEC_RETURNS_RETAINED __nullable xpc_object_t
787 sec_protocol_metadata_serialize_with_options(sec_protocol_metadata_t metadata
, sec_protocol_options_t options
);
790 * @function sec_protocol_metadata_get_tls_certificate_compression_used
793 * Determine if certificate compression was used for a given connection.
795 * See: https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
798 * A `sec_protocol_metadata_t` instance.
800 * @return True if certificate compression was negotiated and used.
802 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
804 sec_protocol_metadata_get_tls_certificate_compression_used(sec_protocol_metadata_t metadata
);
807 * @function sec_protocol_metadata_get_tls_certificate_compression_algorithm
810 * Return the certificate compression algorithm used. This will return 0
811 * if `sec_protocol_metadata_get_tls_certificate_compression_used` is false.
813 * See: https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
816 * A `sec_protocol_metadata_t` instance.
818 * @return IANA codepoint for the certificate compression algorithm.
820 API_AVAILABLE(macos(10.14), ios(12.0), watchos(5.0), tvos(12.0))
822 sec_protocol_metadata_get_tls_certificate_compression_algorithm(sec_protocol_metadata_t metadata
);
825 * @function sec_protocol_metadata_copy_quic_transport_parameters
828 * Copy the peer's QUIC transport parameters.
831 * A `sec_protocol_metadata_t` instance.
833 * @return A dispatch_data_t carrying the connection peer's opaque QUIC tranport parameters.
835 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
836 SEC_RETURNS_RETAINED __nullable dispatch_data_t
837 sec_protocol_metadata_copy_quic_transport_parameters(sec_protocol_metadata_t metadata
);
840 * @function sec_protocol_metadata_get_handshake_time_ms
843 * Get the TLS handshake time in miliseconds. The result is undefined
844 * for connections not yet connected.
847 * A `sec_protocol_metadata_t` instance.
849 * @return A millisecond measurement of the TLS handshake time from start to finish.
851 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
852 #define SEC_PROTOCOL_HAS_METRIC_SPI_V1
854 sec_protocol_metadata_get_handshake_time_ms(sec_protocol_metadata_t metadata
);
857 * @function sec_protocol_metadata_get_handshake_rtt
860 * Get the observed TLS handshake RTT. This function must only be
861 * called after the connection is established. Calling this before
862 * the connection completes will yields an undefined result.
864 * This is computed as the average RTT across all 1-RTT exchanges.
865 * For TLS 1.3, this will be the time for the normal exchange. For prior
866 * versions, or TLS 1.3 with HRR, this will be the average RTT across
867 * multiple message flights.
870 * A `sec_protocol_metadata_t` instance.
872 * @return A millisecond measurement of the TLS handshake RTT.
874 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
876 sec_protocol_metadata_get_handshake_rtt(sec_protocol_metadata_t metadata
);
879 * @function sec_protocol_metadata_get_handshake_byte_count
882 * Get the total number of bytes sent and received for the handshake.
885 * A `sec_protocol_metadata_t` instance.
887 * @return Number of bytes sent and received for the handshake.
889 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
891 sec_protocol_metadata_get_handshake_byte_count(sec_protocol_metadata_t metadata
);
894 * @function sec_protocol_metadata_get_handshake_sent_byte_count
897 * Get the total number of bytes sent for the handshake.
900 * A `sec_protocol_metadata_t` instance.
902 * @return Number of bytes sent for the handshake.
904 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
906 sec_protocol_metadata_get_handshake_sent_byte_count(sec_protocol_metadata_t metadata
);
909 * @function sec_protocol_metadata_get_handshake_received_byte_count
912 * Get the total number of bytes received for the handshake.
915 * A `sec_protocol_metadata_t` instance.
917 * @return Number of bytes received for the handshake.
919 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
921 sec_protocol_metadata_get_handshake_received_byte_count(sec_protocol_metadata_t metadata
);
924 * @function sec_protocol_metadata_get_handshake_read_stall_count
927 * Get the total number of read stalls during the handshake.
930 * A `sec_protocol_metadata_t` instance.
932 * @return Number of read stalls.
934 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
936 sec_protocol_metadata_get_handshake_read_stall_count(sec_protocol_metadata_t metadata
);
939 * @function sec_protocol_metadata_get_handshake_write_stall_count
942 * Get the total number of write stalls during the handshake.
945 * A `sec_protocol_metadata_t` instance.
947 * @return Number of write stalls.
949 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
951 sec_protocol_metadata_get_handshake_write_stall_count(sec_protocol_metadata_t metadata
);
954 * @function sec_protocol_metadata_get_handshake_async_call_count
957 * Get the total number of asynchronous callbacks invoked during the handshake.
960 * A `sec_protocol_metadata_t` instance.
962 * @return Number of asynchronous callbacks.
964 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
966 sec_protocol_metadata_get_handshake_async_call_count(sec_protocol_metadata_t metadata
);
969 * @function sec_protocol_metadata_copy_sec_trust
972 * Copy the `sec_trust_t` associated with a connection.
975 * A `sec_protocol_metadata_t` instance.
977 * @return A `sec_trust_t` instance.
979 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
980 SEC_RETURNS_RETAINED __nullable sec_trust_t
981 sec_protocol_metadata_copy_sec_trust(sec_protocol_metadata_t metadata
);
984 * @function sec_protocol_metadata_copy_sec_identity
987 * Copy the `sec_identity_t` associated with a connection.
990 * A `sec_protocol_metadata_t` instance.
992 * @return A `sec_identity_t` instance.
994 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
995 SEC_RETURNS_RETAINED __nullable sec_identity_t
996 sec_protocol_metadata_copy_sec_identity(sec_protocol_metadata_t metadata
);
999 * @function sec_protocol_metadata_access_sent_certificates
1002 * Access the certificates which were sent to the peer on this connection.
1005 * A `sec_protocol_metadata_t` instance.
1008 * A block to invoke one or more times with `sec_certificate_t` instances.
1010 * @return Returns true if the peer certificates were accessible, false otherwise.
1012 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1014 sec_protocol_metadata_access_sent_certificates(sec_protocol_metadata_t metadata
,
1015 void (^handler
)(sec_certificate_t certificate
));
1018 * @function sec_protocol_metadata_get_tls_negotiated_group
1021 * Get a human readable representation of the negotiated key exchange group.
1024 * A `sec_protocol_metadata_t` instance.
1026 * @return A string representation of the negotiated group, or NULL if it does not exist.
1028 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1029 const char * __nullable
1030 sec_protocol_metadata_get_tls_negotiated_group(sec_protocol_metadata_t metadata
);
1033 * @function sec_protocol_configuration_copy_singleton
1036 * Copy the per-process `sec_protocol_configuration_t` object.
1038 * @return A non-nil `sec_protocol_configuration_t` instance.
1040 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1041 SEC_RETURNS_RETAINED sec_protocol_configuration_t
1042 sec_protocol_configuration_copy_singleton(void);
1044 #ifndef SEC_OBJECT_IMPL
1045 SEC_OBJECT_DECL(sec_protocol_configuration_builder
);
1046 #endif // !SEC_OBJECT_IMPL
1049 * @function sec_protocol_configuration_builder_create
1052 * This function is exposed for testing purposes only. It MUST NOT be called by clients.
1054 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1055 SEC_RETURNS_RETAINED sec_protocol_configuration_builder_t
1056 sec_protocol_configuration_builder_create(CFDictionaryRef dictionary
, bool is_apple
);
1059 * @function sec_protocol_configuration_create_with_builder
1062 * This function is exposed for testing purposes only. It MUST NOT be called by clients.
1064 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1065 SEC_RETURNS_RETAINED __nullable sec_protocol_configuration_t
1066 sec_protocol_configuration_create_with_builder(sec_protocol_configuration_builder_t builder
);
1069 * @block sec_protocol_output_handler_access_block_t
1072 * Block to be invoked to obtain the output handler for a given encryption level.
1074 typedef void *_Nullable(^sec_protocol_output_handler_access_block_t
)(sec_protocol_tls_encryption_level_t level
);
1077 * @function sec_protocol_options_set_output_handler_access_block
1080 * Set a block used to access output handler instances identified by encryption level.
1082 #define SEC_PROTOCOL_HAS_QUIC_OUTPUT_HANDLER_ACCESS_BLOCK 1
1083 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1085 sec_protocol_options_set_output_handler_access_block(sec_protocol_options_t options
,
1086 sec_protocol_output_handler_access_block_t access_block
);
1089 * @function sec_protocol_helper_ciphersuite_group_to_ciphersuite_list
1092 * Return a pointer to a statically allocated list of ciphersuites corresponding to `group`.
1095 * A `tls_ciphersuite_group_t` instance.
1098 * Pointer to storage for the ciphersuite list length.
1100 * @return Pointer to a statically allocated list, or NULL if an error occurred.
1102 API_AVAILABLE(macos(10.15), ios(13.0), watchos(6.0), tvos(13.0))
1103 const tls_ciphersuite_t
* __nullable
1104 sec_protocol_helper_ciphersuite_group_to_ciphersuite_list(tls_ciphersuite_group_t group
, size_t *list_count
);
1106 #define SEC_PROTOCOL_HAS_MULTI_PSK_SUPPORT 1
1108 struct sec_protocol_options_content
{
1109 SSLProtocol min_version
;
1110 SSLProtocol max_version
;
1112 // Reference-counted types
1114 __nullable xpc_object_t ciphersuites
;
1115 xpc_object_t application_protocols
;
1116 sec_identity_t identity
;
1117 sec_array_t certificates
;
1118 xpc_object_t pre_shared_keys
;
1119 dispatch_data_t psk_identity_hint
;
1120 sec_protocol_key_update_t key_update_block
;
1121 dispatch_queue_t key_update_queue
;
1122 sec_protocol_challenge_t challenge_block
;
1123 dispatch_queue_t challenge_queue
;
1124 sec_protocol_verify_t verify_block
;
1125 dispatch_queue_t verify_queue
;
1126 dispatch_data_t quic_transport_parameters
;
1127 sec_protocol_tls_encryption_secret_update_t tls_secret_update_block
;
1128 dispatch_queue_t tls_secret_update_queue
;
1129 sec_protocol_session_update_t session_update_block
;
1130 dispatch_queue_t session_update_queue
;
1131 dispatch_data_t session_state
;
1132 sec_protocol_private_key_sign_t private_key_sign_block
;
1133 sec_protocol_private_key_decrypt_t private_key_decrypt_block
;
1134 dispatch_queue_t private_key_queue
;
1135 dispatch_data_t dh_params
;
1136 xpc_object_t key_exchange_groups
;
1137 sec_protocol_tls_handshake_message_handler_t handshake_message_callback
;
1138 dispatch_queue_t handshake_message_callback_queue
;
1139 sec_protocol_pre_shared_key_selection_t psk_selection_block
;
1140 dispatch_queue_t psk_selection_queue
;
1143 size_t minimum_rsa_key_size
;
1144 size_t minimum_ecdsa_key_size
;
1145 SecSignatureHashAlgorithm minimum_signature_algorithm
;
1147 // Non-boolean options
1148 uint8_t tls_ticket_request_count
;
1150 // QUIC-specific access block
1151 sec_protocol_output_handler_access_block_t output_handler_access_block
;
1154 unsigned ats_required
: 1;
1155 unsigned ats_minimum_tls_version_allowed
: 1;
1156 unsigned ats_non_pfs_ciphersuite_allowed
: 1;
1157 unsigned trusted_peer_certificate
: 1;
1158 unsigned trusted_peer_certificate_override
: 1;
1159 unsigned disable_sni
: 1;
1160 unsigned disable_sni_override
: 1;
1161 unsigned enable_fallback_attempt
: 1;
1162 unsigned enable_fallback_attempt_override
: 1;
1163 unsigned enable_false_start
: 1;
1164 unsigned enable_false_start_override
: 1;
1165 unsigned enable_tickets
: 1;
1166 unsigned enable_tickets_override
: 1;
1167 unsigned enable_sct
: 1;
1168 unsigned enable_sct_override
: 1;
1169 unsigned enable_ocsp
: 1;
1170 unsigned enable_ocsp_override
: 1;
1171 unsigned enforce_ev
: 1;
1172 unsigned enforce_ev_override
: 1;
1173 unsigned enable_resumption
: 1;
1174 unsigned enable_resumption_override
: 1;
1175 unsigned enable_renegotiation
: 1;
1176 unsigned enable_renegotiation_override
: 1;
1177 unsigned enable_early_data
: 1;
1178 unsigned enable_early_data_override
: 1;
1179 unsigned peer_authentication_required
: 1;
1180 unsigned peer_authentication_override
: 1;
1181 unsigned certificate_compression_enabled
: 1;
1182 unsigned tls_SIKE503_exchange_enabled
: 1;
1183 unsigned tls_HRSS_exchange_enabled
: 1;
1184 unsigned eddsa_enabled
: 1;
1185 unsigned tls_delegated_credentials_enabled
: 1;
1186 unsigned tls_grease_enabled
: 1;
1189 struct sec_protocol_metadata_content
{
1190 void *exporter_context
; // Opaque context for the exporter function
1191 sec_protocol_metadata_exporter exporter_function
; // Exporter function pointer. This MUST be set by the metadata allocator.
1192 void *session_exporter_context
; // Opaque context for the session exporter function
1193 sec_protocol_metadata_session_exporter session_exporter_function
;
1195 SSLProtocol negotiated_protocol_version
;
1196 SSLCipherSuite negotiated_ciphersuite
;
1197 const char *negotiated_protocol
;
1198 const char *server_name
;
1200 sec_array_t sent_certificate_chain
;
1201 sec_array_t peer_certificate_chain
;
1202 xpc_object_t pre_shared_keys
;
1203 dispatch_data_t peer_public_key
;
1204 xpc_object_t supported_signature_algorithms
;
1205 dispatch_data_t request_certificate_types
;
1206 sec_array_t signed_certificate_timestamps
;
1207 sec_array_t ocsp_response
;
1208 sec_array_t distinguished_names
;
1209 dispatch_data_t quic_transport_parameters
;
1210 sec_identity_t identity
;
1211 sec_trust_t trust_ref
;
1212 const char *negotiated_curve
;
1213 const char *peer_public_key_type
;
1214 const char *certificate_request_type
;
1215 uint64_t ticket_lifetime
;
1216 uint64_t max_early_data_supported
;
1217 uint64_t alert_type
;
1218 uint64_t alert_code
;
1219 uint64_t handshake_state
;
1220 uint64_t stack_error
;
1221 uint64_t handshake_rtt
;
1222 uint16_t certificate_compression_algorithm
;
1223 uint64_t handshake_time
;
1224 uint64_t total_byte_count
;
1225 uint64_t sent_byte_count
;
1226 uint64_t received_byte_count
;
1227 size_t read_stall_count
;
1228 size_t write_stall_count
;
1229 size_t async_call_count
;
1231 unsigned failure
: 1;
1232 unsigned sct_enabled
: 1;
1233 unsigned ocsp_enabled
: 1;
1234 unsigned early_data_accepted
: 1;
1235 unsigned false_start_used
: 1;
1236 unsigned ticket_offered
: 1;
1237 unsigned ticket_received
: 1;
1238 unsigned session_resumed
: 1;
1239 unsigned session_renewed
: 1;
1240 unsigned resumption_attempted
: 1;
1241 unsigned alpn_used
: 1;
1242 unsigned npn_used
: 1;
1243 unsigned early_data_sent
: 1;
1244 unsigned certificate_compression_used
: 1;
1247 SEC_ASSUME_NONNULL_END
1251 #endif /* SecProtocolPriv_h */