/*
- * Copyright (c) 1999-2002,2005-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 1999-2002,2005-2016 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
/* SSL Protocol version */
typedef CF_ENUM(int, SSLProtocol) {
- kSSLProtocolUnknown = 0, /* no protocol negotiated/specified; use default */
- kSSLProtocol3 = 2, /* SSL 3.0 */
- kTLSProtocol1 = 4, /* TLS 1.0 */
- kTLSProtocol11 = 7, /* TLS 1.1 */
- kTLSProtocol12 = 8, /* TLS 1.2 */
- kDTLSProtocol1 = 9, /* DTLS 1.0 */
-
- /* DEPRECATED on iOS */
- kSSLProtocol2 = 1, /* SSL 2.0 */
- kSSLProtocol3Only = 3, /* SSL 3.0 Only */
- kTLSProtocol1Only = 5, /* TLS 1.0 Only */
- kSSLProtocolAll = 6, /* All TLS supported protocols */
-
+ kSSLProtocolUnknown = 0, /* no protocol negotiated/specified; use default */
+ kSSLProtocol3 = 2, /* SSL 3.0 */
+ kTLSProtocol1 = 4, /* TLS 1.0 */
+ kTLSProtocol11 = 7, /* TLS 1.1 */
+ kTLSProtocol12 = 8, /* TLS 1.2 */
+ kDTLSProtocol1 = 9, /* DTLS 1.0 */
+ kTLSProtocol13 = 10, /* TLS 1.3 */
+
+ kTLSProtocolMaxSupported = 999, /* Max system-supported version */
+
+ kSSLProtocol2 = 1, /* SSL 2.0. DEPRECATED on iOS. */
+ kSSLProtocol3Only = 3, /* SSL 3.0. DEPRECATED on iOS. */
+ kTLSProtocol1Only = 5, /* TLS 1.0 Only. DEPRECATED on iOS. */
+ kSSLProtocolAll = 6, /* All TLS supported protocols. DEPRECATED on iOS. */
};
/* SSL session options */
* Set this option to break from a client hello in order to check for SNI
*/
kSSLSessionOptionBreakOnClientHello = 7,
-
+ /*
+ * Set this option to Allow renegotations. False by default.
+ */
+ kSSLSessionOptionAllowRenegotiation = 8,
+ /*
+ * Set this option to enable session tickets. False by default.
+ */
+ kSSLSessionOptionEnableSessionTickets = 9,
};
/* State of an SSLSession */
/*
* Server side: We asked for a cert, client sent one, we validated
* it OK. App can inspect the cert via
- * SSLGetPeerCertificates().
+ * SSLCopyPeerCertificates().
* Client side: server asked for one, we sent it.
*/
kSSLClientCertSent,
/*
* Client sent a cert but failed validation. Server side only.
- * Server app can inspect the cert via SSLGetPeerCertificates().
+ * Server app can inspect the cert via SSLCopyPeerCertificates().
*/
kSSLClientCertRejected
-} ;
+};
/*
* R/W functions. The application using this library provides
kSSLDatagramType
};
-typedef CF_ENUM(int, SSLSessionStrengthPolicy)
-{
- kSSLSessionStrengthPolicyDefault,
- kSSLSessionStrengthPolicyATSv1
-};
+/*
+ * Predefined TLS configurations constants
+ */
+
+/* Default configuration (has 3DES, no RC4) */
+extern const CFStringRef kSSLSessionConfig_default
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
+/* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
+extern const CFStringRef kSSLSessionConfig_ATSv1
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
+extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.2 to TLS v1.0, with default ciphersuites (no 3DES, no RC4) */
+extern const CFStringRef kSSLSessionConfig_standard
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.2 to TLS v1.0, with default ciphersuites + RC4 + 3DES */
+extern const CFStringRef kSSLSessionConfig_RC4_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
+/* TLS v1.0 only, with default ciphersuites + fallback SCSV */
+extern const CFStringRef kSSLSessionConfig_TLSv1_fallback
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.0, with default ciphersuites + RC4 + 3DES + fallback SCSV */
+extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
+/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
+extern const CFStringRef kSSLSessionConfig_legacy
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.2 to TLS v1.0, default + RC4 + DHE ciphersuites */
+extern const CFStringRef kSSLSessionConfig_legacy_DHE
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.2, anonymous ciphersuites only */
+extern const CFStringRef kSSLSessionConfig_anonymous
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/* TLS v1.2 to TLS v1.0, has 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_3DES_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
+/* TLS v1.0, with default ciphersuites + 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
/******************
*** Public API ***
SSLWriteFunc writeFunc)
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/*
+ * Set a predefined configuration for the SSL Session
+ *
+ * This currently affect enabled protocol versions,
+ * enabled ciphersuites, and the kSSLSessionOptionFallback
+ * session option.
+ */
+OSStatus
+SSLSetSessionConfig(SSLContextRef context,
+ CFStringRef config)
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+
/*
* Set the minimum SSL protocol version allowed. Optional.
* The default is the lower supported protocol.
*
* This can only be called when no session is active.
*
- * For TLS contexts, legal values for minVersion are :
+ * For TLS contexts, legal values for maxVersion are :
* kSSLProtocol3
* kTLSProtocol1
* kTLSProtocol11
* kTLSProtocol12
*
- * For DTLS contexts, legal values for minVersion are :
+ * For DTLS contexts, legal values for maxVersion are :
* kDTLSProtocol1
*/
OSStatus
*/
OSStatus
SSLSetCertificate (SSLContextRef context,
- CFArrayRef certRefs)
+ CFArrayRef _Nullable certRefs)
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
/*
size_t *peerNameLen) // IN/OUT
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
+/*
+ * Determine the buffer size needed for SSLCopyRequestedPeerNameLength().
+ */
+OSStatus
+SSLCopyRequestedPeerName (SSLContextRef context,
+ char *peerName,
+ size_t *peerNameLen)
+ __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
+
+/*
+ * Server Only: obtain the hostname specified by the client in the ServerName extension (SNI)
+ */
+OSStatus
+SSLCopyRequestedPeerNameLength (SSLContextRef ctx,
+ size_t *peerNameLen)
+ __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
+
+
/*
* Specify the Datagram TLS Hello Cookie.
* This is to be called for server side only and is optional.
size_t *numCiphers) /* IN/OUT */
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+/*
+ * Forcibly enable or disable session ticket resumption. By default, session tickets
+ * are disabled.
+ */
+OSStatus
+SSLSetSessionTicketsEnabled (SSLContextRef context,
+ Boolean enabled)
+ __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
+
#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
/*
SSLCipherSuite *cipherSuite)
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+/*
+ * Set the ALPN protocols to be passed in the ALPN negotiation.
+ * This is the list of supported application-layer protocols supported.
+ *
+ * The protocols parameter must be an array of CFStringRef values
+ * with ASCII-encoded reprensetations of the supported protocols, e.g., "http/1.1".
+ *
+ * See RFC 7301 for more information.
+ */
+OSStatus
+SSLSetALPNProtocols (SSLContextRef context,
+ CFArrayRef protocols)
+ __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
+
+/*
+ * Get the ALPN protocols associated with this SSL context.
+ * This is the list of supported application-layer protocols supported.
+ *
+ * The resultant protocols array will contain CFStringRef values containing
+ * ASCII-encoded representations of the supported protocols, e.g., "http/1.1".
+ *
+ * See RFC 7301 for more information.
+ *
+ * Note: The `protocols` pointer must be NULL, otherwise the copy will fail.
+ * This function will allocate memory for the CFArrayRef container
+ * if there is data to provide. Otherwise, the pointer will remain NULL.
+ */
+OSStatus
+SSLCopyALPNProtocols (SSLContextRef context,
+ CFArrayRef __nullable * __nonnull protocols) /* RETURNED */
+ __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
+
+/*
+ * Set the OCSP response for the given SSL session.
+ *
+ * The response parameter must be a non-NULL CFDataRef containing the
+ * bytes of the OCSP response.
+ */
+OSStatus
+SSLSetOCSPResponse (SSLContextRef context,
+ CFDataRef __nonnull response)
+__OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
/********************************************************
*** Session context configuration, server side only. ***
SSLHandshake (SSLContextRef context)
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+/*
+ * Server Only: Request renegotation.
+ * This will return an error if the server is already renegotiating, or if the session is closed.
+ * After this return without error, the application should call SSLHandshake() and/or SSLRead() as
+ * for the original handshake.
+ */
+OSStatus
+SSLReHandshake (SSLContextRef context)
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+
+
/*
* Normal application-level read/write. On both of these, a errSSLWouldBlock
* return and a partially completed transfer - or even zero bytes transferred -
__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
/*
- * Set the minimum acceptable strength of policy to be negotiated for an
- * ATS session
+ * Set the status of a SSLContextRef. This is to be done after handling
+ * steps of the SSL handshake such as server certificate validation.
*/
OSStatus
-SSLSetSessionStrengthPolicy(SSLContextRef context,
- SSLSessionStrengthPolicy policyStrength);
+SSLSetError (SSLContextRef context,
+ OSStatus status)
+ __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
CF_IMPLICIT_BRIDGING_DISABLED
CF_ASSUME_NONNULL_END
projects / apple / security.git / blobdiff