+++ /dev/null
-/*
- * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * SecureTransportPriv.h - Apple-private exported routines
- */
-
-#ifndef _SECURE_TRANSPORT_PRIV_H_
-#define _SECURE_TRANSPORT_PRIV_H_ 1
-
-#include <Security/SecureTransport.h>
-#include <Security/SecTrust.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "sslTypes.h"
-
-/* Create an SSL Context with an external record layer - eg: kernel accelerated layer */
-SSLContextRef
-SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc,
- SSLProtocolSide protocolSide,
- SSLConnectionType connectionType,
- const struct SSLRecordFuncs *recFuncs);
-
-/* Set the external record layer context */
-OSStatus
-SSLSetRecordContext (SSLContextRef ctx,
- SSLRecordContextRef recCtx);
-
-/* The size of of client- and server-generated random numbers in hello messages. */
-#define SSL_CLIENT_SRVR_RAND_SIZE 32
-
-/* The size of the pre-master and master secrets. */
-#define SSL_RSA_PREMASTER_SECRET_SIZE 48
-#define SSL_MASTER_SECRET_SIZE 48
-
-/*
- * For the following three functions, *size is the available
- * buffer size on entry and the actual size of the data returned
- * on return. The above consts are for convenience.
- */
-OSStatus SSLInternalMasterSecret(
- SSLContextRef context,
- void *secret, // mallocd by caller, SSL_MASTER_SECRET_SIZE
- size_t *secretSize); // in/out
-
-OSStatus SSLInternalServerRandom(
- SSLContextRef context,
- void *randBuf, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
- size_t *randSize); // in/out
-
-OSStatus SSLInternalClientRandom(
- SSLContextRef context,
- void *randBuf, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE
- size_t *randSize); // in/out
-
-/*
- * Obtain the sizes of the currently negotiated HMAC digest, session
- * key, and session key IV.
- */
-OSStatus SSLGetCipherSizes(
- SSLContextRef context,
- size_t *digestSize,
- size_t *symmetricKeySize,
- size_t *ivSize);
-
-OSStatus SSLInternal_PRF(
- SSLContextRef context,
- const void *secret,
- size_t secretLen,
- const void *label,
- size_t labelLen,
- const void *seed,
- size_t seedLen,
- void *out, // mallocd by caller, length >= outLen
- size_t outLen);
-
-/*
- * Obtain a SecTrustRef representing peer certificates. Valid anytime,
- * subsequent to a handshake attempt. The returned SecTrustRef is valid
- * only as long as the SSLContextRef is.
- */
-OSStatus
-SSLGetPeerSecTrust (SSLContextRef context,
- SecTrustRef *secTrust); /* RETURNED */
-
-/*
- * Obtain resumable session info. Can be called anytime subsequent to
- * handshake attempt.
- *
- * if sessionWasResumed is True on return, the session is indeed a
- * resumed session; the sessionID (an opaque blob generated by the
- * server) is returned in *sessionID. The length of the sessionID
- * is returned in *sessionIDLength. Caller must allocate the
- * sessionID buffer; it max size is MAX_SESSION_ID_LENGTH bytes.
- */
-#define MAX_SESSION_ID_LENGTH 32
-
-OSStatus
-SSLGetResumableSessionInfo (
- SSLContextRef context,
- Boolean *sessionWasResumed, // RETURNED
- void *sessionID, // RETURNED, mallocd by caller
- size_t *sessionIDLength); // IN/OUT
-
-/*
- * Getters for SSLSetCertificate() and SSLSetEncryptionCertificate()
- */
-OSStatus
-SSLGetCertificate (
- SSLContextRef context,
- CFArrayRef *certRefs); // RETURNED, *not* retained
-
-OSStatus
-SSLGetEncryptionCertificate (
- SSLContextRef context,
- CFArrayRef *certRefs); // RETURNED, *not* retained
-
-/*
- * Getter for SSLSetClientSideAuthenticate()
- */
-OSStatus
-SSLGetClientSideAuthenticate (
- SSLContextRef context,
- SSLAuthenticate *auth); // RETURNED
-
-/*
- * Get/set array of trusted leaf certificates.
- *
- * If none have been set previously with SSLSetTrustedLeafCertificates(),
- * then SSLCopyTrustedLeafCertificates() will return NULL with errSecSuccess.
- */
-OSStatus
-SSLSetTrustedLeafCertificates (
- SSLContextRef context,
- CFArrayRef certRefs);
-
-OSStatus
-SSLCopyTrustedLeafCertificates (
- SSLContextRef context,
- CFArrayRef *certRefs); // RETURNED, caller must release
-
-/*
- * Get/set enable of anonymous ciphers. Default is enabled.
- *
- * SSLSetAllowAnonymousCiphers() returns errSecBadReq if SSLSetEnabledCiphers()
- * has already been called.
- *
- * The enable state set by SSLSetAllowAnonymousCiphers() is ignored if
- * SSLSetEnabledCiphers() is called after SSLSetAllowAnonymousCiphers() is
- * called, i.e., SSLSetEnabledCiphers() overrides SSLSetAllowAnonymousCiphers().
- *
- * NOTE: "Anonymous" ciphers include those ciphers that perform no encryption,
- * as well as ciphers that perform no authentication, since neither are secure.
- */
-OSStatus
-SSLSetAllowAnonymousCiphers(
- SSLContextRef context,
- Boolean enable);
-
-OSStatus
-SSLGetAllowAnonymousCiphers(
- SSLContextRef context,
- Boolean *enable);
-
-/*
- * Override the default session cache timeout for a cache entry created for
- * the current session.
- */
-OSStatus
-SSLSetSessionCacheTimeout(
- SSLContextRef context,
- uint32_t timeoutInSeconds);
-
-/*
- * Callback function for EAP-style PAC-based session resumption.
- * This function is called by SecureTransport to obtain the
- * master secret.
- */
-typedef void (*SSLInternalMasterSecretFunction)(
- SSLContextRef ctx,
- const void *arg, /* opaque to SecureTransport; app-specific */
- void *secret, /* mallocd by caller, SSL_MASTER_SECRET_SIZE */
- size_t *secretLength); /* in/out */
-
-/*
- * Register a callback for obtaining the master_secret when performing
- * PAC-based session resumption. At the time the callback is called,
- * the following are guaranteed to be valid:
- *
- * -- serverRandom (via SSLInternalServerRandom())
- * -- clientRandom (via SSLInternalClientRandom())
- * -- negotiated protocol version (via SSLGetNegotiatedProtocolVersion())
- * -- negotiated CipherSuite (via SSLGetNegotiatedCipher())
- *
- * Currently, PAC-based session resumption is only implemented on
- * the client side for Deployment builds.
- *
- * On the client side, this callback occurs if/when the server sends a
- * ChangeCipherSpec message immediately following its ServerHello
- * message (i.e., it's skipped the entire Key Exchange phase of
- * negotiation).
- *
- * On the server side (Development builds only) this callback occurs
- * immediately upon receipt of the Client Hello message, before we send
- * the Server Hello.
- */
-OSStatus
-SSLInternalSetMasterSecretFunction(
- SSLContextRef ctx,
- SSLInternalMasterSecretFunction mFunc,
- const void *arg); /* opaque to SecureTransport; app-specific */
-
-/*
- * Provide an opaque SessionTicket for use in PAC-based session
- * resumption. Client side only. The provided ticket is sent in
- * the ClientHello message as a SessionTicket extension.
- * The maximum ticketLength is 2**16-1.
- */
-OSStatus SSLInternalSetSessionTicket(
- SSLContextRef ctx,
- const void *ticket,
- size_t ticketLength);
-
-/*
- * Support for specifying and obtaining ECC curves, used with the ECDH-based
- * ciphersuites.
- */
-
-/*
- * These are the named curves from RFC 4492
- * section 5.1.1, with the exception of SSL_Curve_None which means
- * "ECDSA not negotiated".
- */
-typedef enum
-{
- SSL_Curve_None = -1,
-
- SSL_Curve_sect163k1 = 1,
- SSL_Curve_sect163r1 = 2,
- SSL_Curve_sect163r2 = 3,
- SSL_Curve_sect193r1 = 4,
- SSL_Curve_sect193r2 = 5,
- SSL_Curve_sect233k1 = 6,
- SSL_Curve_sect233r1 = 7,
- SSL_Curve_sect239k1 = 8,
- SSL_Curve_sect283k1 = 9,
- SSL_Curve_sect283r1 = 10,
- SSL_Curve_sect409k1 = 11,
- SSL_Curve_sect409r1 = 12,
- SSL_Curve_sect571k1 = 13,
- SSL_Curve_sect571r1 = 14,
- SSL_Curve_secp160k1 = 15,
- SSL_Curve_secp160r1 = 16,
- SSL_Curve_secp160r2 = 17,
- SSL_Curve_secp192k1 = 18,
- SSL_Curve_secp192r1 = 19,
- SSL_Curve_secp224k1 = 20,
- SSL_Curve_secp224r1 = 21,
- SSL_Curve_secp256k1 = 22,
-
- /* These are the ones we actually support */
- SSL_Curve_secp256r1 = 23,
- SSL_Curve_secp384r1 = 24,
- SSL_Curve_secp521r1 = 25
-} SSL_ECDSA_NamedCurve;
-
-/*
- * Obtain the SSL_ECDSA_NamedCurve negotiated during a handshake.
- * Returns errSecParam if no ECDH-related ciphersuite was negotiated.
- */
-extern OSStatus SSLGetNegotiatedCurve(
- SSLContextRef ctx,
- SSL_ECDSA_NamedCurve *namedCurve); /* RETURNED */
-
-/*
- * Obtain the number of currently enabled SSL_ECDSA_NamedCurves.
- */
-extern OSStatus SSLGetNumberOfECDSACurves(
- SSLContextRef ctx,
- unsigned *numCurves); /* RETURNED */
-
-/*
- * Obtain the ordered list of currently enabled SSL_ECDSA_NamedCurves.
- * Caller allocates returned array and specifies its size (in
- * SSL_ECDSA_NamedCurves) in *numCurves on entry; *numCurves
- * is the actual size of the returned array on successful return.
- */
-extern OSStatus SSLGetECDSACurves(
- SSLContextRef ctx,
- SSL_ECDSA_NamedCurve *namedCurves, /* RETURNED */
- unsigned *numCurves); /* IN/OUT */
-
-/*
- * Specify ordered list of allowable named curves.
- */
-extern OSStatus SSLSetECDSACurves(
- SSLContextRef ctx,
- const SSL_ECDSA_NamedCurve *namedCurves,
- unsigned numCurves);
-
-/*
- * Server-specified client authentication mechanisms.
- */
-typedef enum {
- /* doesn't appear on the wire */
- SSLClientAuthNone = -1,
- /* RFC 2246 7.4.6 */
- SSLClientAuth_RSASign = 1,
- SSLClientAuth_DSSSign = 2,
- SSLClientAuth_RSAFixedDH = 3,
- SSLClientAuth_DSS_FixedDH = 4,
- /* RFC 4492 5.5 */
- SSLClientAuth_ECDSASign = 64,
- SSLClientAuth_RSAFixedECDH = 65,
- SSLClientAuth_ECDSAFixedECDH = 66
-} SSLClientAuthenticationType;
-
-/* TLS 1.2 Signature Algorithms extension values for hash field. */
-typedef enum {
- SSL_HashAlgorithmNone = 0,
- SSL_HashAlgorithmMD5 = 1,
- SSL_HashAlgorithmSHA1 = 2,
- SSL_HashAlgorithmSHA224 = 3,
- SSL_HashAlgorithmSHA256 = 4,
- SSL_HashAlgorithmSHA384 = 5,
- SSL_HashAlgorithmSHA512 = 6
-} SSL_HashAlgorithm;
-
-/* TLS 1.2 Signature Algorithms extension values for signature field. */
-typedef enum {
- SSL_SignatureAlgorithmAnonymous = 0,
- SSL_SignatureAlgorithmRSA = 1,
- SSL_SignatureAlgorithmDSA = 2,
- SSL_SignatureAlgorithmECDSA = 3
-} SSL_SignatureAlgorithm;
-
-typedef struct {
- SSL_HashAlgorithm hash;
- SSL_SignatureAlgorithm signature;
-} SSLSignatureAndHashAlgorithm;
-
-/*
- * Obtain the number of client authentication mechanisms specified by
- * the server in its Certificate Request message.
- * Returns errSecParam if server hasn't sent a Certificate Request message
- * (i.e., client certificate state is kSSLClientCertNone).
- */
-extern OSStatus SSLGetNumberOfClientAuthTypes(
- SSLContextRef ctx,
- unsigned *numTypes);
-
-/*
- * Obtain the client authentication mechanisms specified by
- * the server in its Certificate Request message.
- * Caller allocates returned array and specifies its size (in
- * SSLClientAuthenticationTypes) in *numType on entry; *numTypes
- * is the actual size of the returned array on successful return.
- */
-extern OSStatus SSLGetClientAuthTypes(
- SSLContextRef ctx,
- SSLClientAuthenticationType *authTypes, /* RETURNED */
- unsigned *numTypes); /* IN/OUT */
-
-/*
- * Obtain the SSLClientAuthenticationType actually performed.
- * Only valid if client certificate state is kSSLClientCertSent
- * or kSSLClientCertRejected; SSLClientAuthNone is returned as
- * the negotiated auth type otherwise.
- */
-extern OSStatus SSLGetNegotiatedClientAuthType(
- SSLContextRef ctx,
- SSLClientAuthenticationType *authType); /* RETURNED */
-
-/*
- * Obtain the number of supported_signature_algorithms specified by
- * the server in its Certificate Request message.
- * Returns errSecParam if server hasn't sent a Certificate Request message
- * (i.e., client certificate state is kSSLClientCertNone).
- */
-extern OSStatus SSLGetNumberOfSignatureAlgorithms(
- SSLContextRef ctx,
- unsigned *numSigAlgs);
-
-/*
- * Obtain the supported_signature_algorithms specified by
- * the server in its Certificate Request message.
- * Caller allocates returned array and specifies its size (in
- * SSLClientAuthenticationTypes) in *numType on entry; *numTypes
- * is the actual size of the returned array on successful return.
- */
-extern OSStatus SSLGetSignatureAlgorithms(
- SSLContextRef ctx,
- SSLSignatureAndHashAlgorithm *sigAlgs, /* RETURNED */
- unsigned *numSigAlgs); /* IN/OUT */
-
-/* PSK SPIs */
-
-/* Set the Shared Secret for PSK CipherSuite.
- This need to be set before the handshake starts. */
-OSStatus SSLSetPSKSharedSecret(SSLContextRef ctx,
- const void *secret,
- size_t secretLen);
-
-/* Set the Client identity for PSK CipherSuite.
- This need to be set before the handshake starts.
- Only useful for client side.*/
-OSStatus SSLSetPSKIdentity(SSLContextRef ctx,
- const void *pskIdentity,
- size_t pskIdentityLen);
-
-/* For client side, get the identity previously set by SSLSetPSKIdentity.
- For server side, get the identity provided by the client during the handshake.
- Might be NULL if not set. identity is owned by the SSLContext and is invalid once
- the SSLContext is released.
- */
-OSStatus SSLGetPSKIdentity(SSLContextRef ctx,
- const void **pskIdentity,
- size_t *pskIdentityLen);
-
-#if TARGET_OS_IPHONE
-
-/* Following are SPIs on iOS */
-
-/*
- * Set allowed SSL protocol versions. Optional.
- * Specifying kSSLProtocolAll for SSLSetProtocolVersionEnabled results in
- * specified 'enable' boolean to be applied to all supported protocols.
- * The default is "all supported protocols are enabled".
- * This can only be called when no session is active.
- *
- * Legal values for protocol are :
- * kSSLProtocol2
- * kSSLProtocol3
- * kTLSProtocol1
- * kSSLProtocolAll
- *
- * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin
- */
-OSStatus
-_SSLSetProtocolVersionEnabled (SSLContextRef context,
- SSLProtocol protocol,
- Boolean enable);
-
-/*
- * Obtain a value specified in SSLSetProtocolVersionEnabled.
- *
- * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin
- */
-OSStatus
-_SSLGetProtocolVersionEnabled(SSLContextRef context,
- SSLProtocol protocol,
- Boolean *enable); /* RETURNED */
-
-/*
- * Get/set SSL protocol version; optional. Default is kSSLProtocolUnknown,
- * in which case the highest possible version (currently kTLSProtocol1)
- * is attempted, but a lower version is accepted if the peer requires it.
- *
- * SSLSetProtocolVersion can not be called when a session is active.
- *
- * This is deprecated in favor of SSLSetProtocolVersionEnabled.
- *
- * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin
- */
-OSStatus
-_SSLSetProtocolVersion (SSLContextRef context,
- SSLProtocol version);
-
-/*
- * Obtain the protocol version specified in SSLSetProtocolVersion.
- * This is deprecated in favor of SSLGetProtocolVersionEnabled.
- * If SSLSetProtocolVersionEnabled() has been called for this session,
- * SSLGetProtocolVersion() may return errSecParam if the protocol enable
- * state can not be represented by the SSLProtocol enums (e.g.,
- * SSL2 and TLS1 enabled, SSL3 disabled).
- *
- * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin
- */
-OSStatus
-_SSLGetProtocolVersion (SSLContextRef context,
- SSLProtocol *protocol); /* RETURNED */
-
-/* API REVIEW:
- The following 15 calls were used to change the behaviour of the trust
- evaluation of the certificate chain.
- The proper alternative is to break out of the handshake, get the
- peer's SecTrustRef with SSLCopyPeerTrust and evaluate that.
- */
-
-/*
- * Enable/disable peer certificate chain validation. Default is enabled.
- * If caller disables, it is the caller's responsibility to call
- * SSLCopyPeerTrust() upon successful completion of the handshake
- * and then to perform external validation of the peer certificate
- * chain before proceeding with data transfer.
- */
-OSStatus
-_SSLSetEnableCertVerify (SSLContextRef context,
- Boolean enableVerify);
-
-OSStatus
-_SSLGetEnableCertVerify (SSLContextRef context,
- Boolean *enableVerify); /* RETURNED */
-
-/*
- * Specify the option of ignoring certificates' "expired" times.
- * This is a common failure in the real SSL world. Default for
- * this flag is false, meaning expired certs result in a
- * errSSLCertExpired error.
- */
-OSStatus
-_SSLSetAllowsExpiredCerts (SSLContextRef context,
- Boolean allowsExpired);
-
-/*
- * Obtain the current value of an SSLContext's "allowExpiredCerts" flag.
- */
-OSStatus
-_SSLGetAllowsExpiredCerts (SSLContextRef context,
- Boolean *allowsExpired); /* RETURNED */
-
-/*
- * Similar to SSLSetAllowsExpiredCerts(), this function allows the
- * option of ignoring "expired" status for root certificates only.
- * Default is false, i.e., expired root certs result in an
- * errSSLCertExpired error.
- */
-OSStatus
-_SSLSetAllowsExpiredRoots (SSLContextRef context,
- Boolean allowsExpired);
-
-OSStatus
-_SSLGetAllowsExpiredRoots (SSLContextRef context,
- Boolean *allowsExpired); /* RETURNED */
-
-/*
- * Specify option of allowing for an unknown root cert, i.e., one which
- * this software can not verify as one of a list of known good root certs.
- * Default for this flag is false, in which case one of the following two
- * errors may occur:
- * -- The peer returns a cert chain with a root cert, and the chain
- * verifies to that root, but the root is not one of our trusted
- * roots. This results in errSSLUnknownRootCert on handshake.
- * -- The peer returns a cert chain which does not contain a root cert,
- * and we can't verify the chain to one of our trusted roots. This
- * results in errSSLNoRootCert on handshake.
- *
- * Both of these error conditions are ignored when the AllowAnyRoot flag is true,
- * allowing connection to a totally untrusted peer.
- */
-OSStatus
-_SSLSetAllowsAnyRoot (SSLContextRef context,
- Boolean anyRoot);
-
-/*
- * Obtain the current value of an SSLContext's "allow any root" flag.
- */
-OSStatus
-_SSLGetAllowsAnyRoot (SSLContextRef context,
- Boolean *anyRoot); /* RETURNED */
-
-/*
- * Augment or replace the system's default trusted root certificate set
- * for this session. If replaceExisting is true, the specified roots will
- * be the only roots which are trusted during this session. If replaceExisting
- * is false, the specified roots will be added to the current set of trusted
- * root certs. If this function has never been called, the current trusted
- * root set is the same as the system's default trusted root set.
- * Successive calls with replaceExisting false result in accumulation
- * of additional root certs.
- *
- * The trustedRoots array contains SecCertificateRefs.
- */
-OSStatus
-_SSLSetTrustedRoots (SSLContextRef context,
- CFArrayRef trustedRoots,
- Boolean replaceExisting);
-
-/*
- * Obtain an array of SecCertificateRefs representing the current
- * set of trusted roots. If SSLSetTrustedRoots() has never been called
- * for this session, this returns the system's default root set.
- *
- * Caller must CFRelease the returned CFArray.
- */
-OSStatus
-_SSLCopyTrustedRoots (SSLContextRef context,
- CFArrayRef *trustedRoots); /* RETURNED */
-
-/*
- * Add a SecCertificateRef, or a CFArray of them, to a server's list
- * of acceptable Certificate Authorities (CAs) to present to the client
- * when client authentication is performed.
- *
- * If replaceExisting is true, the specified certificate(s) will replace
- * a possible existing list of acceptable CAs. If replaceExisting is
- * false, the specified certificate(s) will be appended to the existing
- * list of acceptable CAs, if any.
- *
- * Returns errSecParam is this is called on an SSLContextRef which
- * is configured as a client, or when a session is active.
- */
-OSStatus
-_SSLSetCertificateAuthorities(SSLContextRef context,
- CFTypeRef certificateOrArray,
- Boolean replaceExisting);
-
-/*
- * Obtain the certificates specified in SSLSetCertificateAuthorities(),
- * if any. Returns a NULL array if SSLSetCertificateAuthorities() has not
- * been called.
- * Caller must CFRelease the returned array.
- */
-
-OSStatus
-_SSLCopyCertificateAuthorities(SSLContextRef context,
- CFArrayRef *certificates); /* RETURNED */
-
-/*
- * Request peer certificates. Valid anytime, subsequent to
- * a handshake attempt.
- *
- * The certs argument is a CFArray containing SecCertificateRefs.
- * Caller must CFRelease the returned array.
- *
- * The cert at index 0 of the returned array is the subject (end
- * entity) cert; the root cert (or the closest cert to it) is at
- * the end of the returned array.
- */
-/* API REVIEW:
- This should be removed so that applications are not tempted to
- use this to evaluate trust, they should use the SecTrustRef returned
- by SSLCopyPeerTrust instead.
- But this maybe useful to know which certs where returned by the server
- vs which where pulled internally.
- This would be a debug feature, so we deprecate this in iOS. There
- should be an API in SecTrust to allow getting the original certificates
- for debug purpose.
- */
-OSStatus
-_SSLCopyPeerCertificates (SSLContextRef context,
- CFArrayRef *certs); /* RETURNED */
-
-/*
- * Specify Diffie-Hellman parameters. Optional; if we are configured to allow
- * for D-H ciphers and a D-H cipher is negotiated, and this function has not
- * been called, a set of process-wide parameters will be calculated. However
- * that can take a long time (30 seconds).
- */
-OSStatus _SSLSetDiffieHellmanParams (SSLContextRef context,
- const void *dhParams,
- size_t dhParamsLen);
-
-/*
- * Return parameter block specified in SSLSetDiffieHellmanParams.
- * Returned data is not copied and belongs to the SSLContextRef.
- */
-OSStatus _SSLGetDiffieHellmanParams (SSLContextRef context,
- const void **dhParams,
- size_t *dhParamsLen);
-
-/*
- * Enable/Disable RSA blinding. This feature thwarts a known timing
- * attack to which RSA keys are vulnerable; enabling it is a tradeoff
- * between performance and security. The default for RSA blinding is
- * enabled.
- */
-OSStatus _SSLSetRsaBlinding (SSLContextRef context,
- Boolean blinding);
-
-OSStatus _SSLGetRsaBlinding (SSLContextRef context,
- Boolean *blinding);
-
-/*
- * Create a new SSL/TLS session context.
- * Deprecated: please use the allocator based functions, when available.
- */
-OSStatus
-_SSLNewContext (Boolean isServer,
- SSLContextRef *tlsContextPtr); /* RETURNED */
-
-/*
- * Dispose of an SSLContextRef. This is effectivly a CFRelease.
- * Deprecated.
- */
-OSStatus
-_SSLDisposeContext (SSLContextRef context);
-
-/* We redefine the names of all SPIs to avoid collision with unavailable APIs */
-#define SSLSetProtocolVersionEnabled _SSLSetProtocolVersionEnabled
-#define SSLGetProtocolVersionEnabled _SSLGetProtocolVersionEnabled
-#define SSLSetProtocolVersion _SSLSetProtocolVersion
-#define SSLGetProtocolVersion _SSLGetProtocolVersion
-#define SSLSetEnableCertVerify _SSLSetEnableCertVerify
-#define SSLGetEnableCertVerify _SSLGetEnableCertVerify
-#define SSLSetAllowsExpiredCerts _SSLSetAllowsExpiredCerts
-#define SSLGetAllowsExpiredCerts _SSLGetAllowsExpiredCerts
-#define SSLSetAllowsExpiredRoots _SSLSetAllowsExpiredRoots
-#define SSLGetAllowsExpiredRoots _SSLGetAllowsExpiredRoots
-#define SSLSetAllowsAnyRoot _SSLSetAllowsAnyRoot
-#define SSLGetAllowsAnyRoot _SSLGetAllowsAnyRoot
-#define SSLSetTrustedRoots _SSLSetTrustedRoots
-#define SSLCopyTrustedRoots _SSLCopyTrustedRoots
-#define SSLSetCertificateAuthorities _SSLSetCertificateAuthorities
-#define SSLCopyCertificateAuthorities _SSLCopyCertificateAuthorities
-#define SSLCopyPeerCertificates _SSLCopyPeerCertificates
-#define SSLSetDiffieHellmanParams _SSLSetDiffieHellmanParams
-#define SSLGetDiffieHellmanParams _SSLGetDiffieHellmanParams
-#define SSLSetRsaBlinding _SSLSetRsaBlinding
-#define SSLGetRsaBlinding _SSLGetRsaBlinding
-#define SSLNewContext _SSLNewContext
-#define SSLNewDatagramContext _SSLNewDatagramContext
-#define SSLDisposeContext _SSLDisposeContext
-
-#endif /* TARGET_OS_IPHONE */
-
-
-/*
- * Create a new Datagram TLS session context.
- * Use in place of SSLNewContext to create a DTLS session.
- * Deprecated: please use the allocator based functions, when available.
- * Also note: the symbol is prefixed with underscore in iOS (historical)
- */
-OSStatus
-SSLNewDatagramContext (Boolean isServer,
- SSLContextRef *dtlsContextPtr); /* RETURNED */
-
-
-
-#ifdef __cplusplus
-}
-#endif
-
-
-#endif /* _SECURE_TRANSPORT_PRIV_H_ */
projects / apple / security.git / blobdiff