X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/libsecurity_ssl/lib/SecureTransportPriv.h diff --git a/libsecurity_ssl/lib/SecureTransportPriv.h b/libsecurity_ssl/lib/SecureTransportPriv.h deleted file mode 100644 index 01035afc..00000000 --- a/libsecurity_ssl/lib/SecureTransportPriv.h +++ /dev/null @@ -1,758 +0,0 @@ -/* - * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * SecureTransportPriv.h - Apple-private exported routines - */ - -#ifndef _SECURE_TRANSPORT_PRIV_H_ -#define _SECURE_TRANSPORT_PRIV_H_ 1 - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#include "sslTypes.h" - -/* Create an SSL Context with an external record layer - eg: kernel accelerated layer */ -SSLContextRef -SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, - SSLProtocolSide protocolSide, - SSLConnectionType connectionType, - const struct SSLRecordFuncs *recFuncs); - -/* Set the external record layer context */ -OSStatus -SSLSetRecordContext (SSLContextRef ctx, - SSLRecordContextRef recCtx); - -/* The size of of client- and server-generated random numbers in hello messages. */ -#define SSL_CLIENT_SRVR_RAND_SIZE 32 - -/* The size of the pre-master and master secrets. */ -#define SSL_RSA_PREMASTER_SECRET_SIZE 48 -#define SSL_MASTER_SECRET_SIZE 48 - -/* - * For the following three functions, *size is the available - * buffer size on entry and the actual size of the data returned - * on return. The above consts are for convenience. - */ -OSStatus SSLInternalMasterSecret( - SSLContextRef context, - void *secret, // mallocd by caller, SSL_MASTER_SECRET_SIZE - size_t *secretSize); // in/out - -OSStatus SSLInternalServerRandom( - SSLContextRef context, - void *randBuf, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE - size_t *randSize); // in/out - -OSStatus SSLInternalClientRandom( - SSLContextRef context, - void *randBuf, // mallocd by caller, SSL_CLIENT_SRVR_RAND_SIZE - size_t *randSize); // in/out - -/* - * Obtain the sizes of the currently negotiated HMAC digest, session - * key, and session key IV. - */ -OSStatus SSLGetCipherSizes( - SSLContextRef context, - size_t *digestSize, - size_t *symmetricKeySize, - size_t *ivSize); - -OSStatus SSLInternal_PRF( - SSLContextRef context, - const void *secret, - size_t secretLen, - const void *label, - size_t labelLen, - const void *seed, - size_t seedLen, - void *out, // mallocd by caller, length >= outLen - size_t outLen); - -/* - * Obtain a SecTrustRef representing peer certificates. Valid anytime, - * subsequent to a handshake attempt. The returned SecTrustRef is valid - * only as long as the SSLContextRef is. - */ -OSStatus -SSLGetPeerSecTrust (SSLContextRef context, - SecTrustRef *secTrust); /* RETURNED */ - -/* - * Obtain resumable session info. Can be called anytime subsequent to - * handshake attempt. - * - * if sessionWasResumed is True on return, the session is indeed a - * resumed session; the sessionID (an opaque blob generated by the - * server) is returned in *sessionID. The length of the sessionID - * is returned in *sessionIDLength. Caller must allocate the - * sessionID buffer; it max size is MAX_SESSION_ID_LENGTH bytes. - */ -#define MAX_SESSION_ID_LENGTH 32 - -OSStatus -SSLGetResumableSessionInfo ( - SSLContextRef context, - Boolean *sessionWasResumed, // RETURNED - void *sessionID, // RETURNED, mallocd by caller - size_t *sessionIDLength); // IN/OUT - -/* - * Getters for SSLSetCertificate() and SSLSetEncryptionCertificate() - */ -OSStatus -SSLGetCertificate ( - SSLContextRef context, - CFArrayRef *certRefs); // RETURNED, *not* retained - -OSStatus -SSLGetEncryptionCertificate ( - SSLContextRef context, - CFArrayRef *certRefs); // RETURNED, *not* retained - -/* - * Getter for SSLSetClientSideAuthenticate() - */ -OSStatus -SSLGetClientSideAuthenticate ( - SSLContextRef context, - SSLAuthenticate *auth); // RETURNED - -/* - * Get/set array of trusted leaf certificates. - * - * If none have been set previously with SSLSetTrustedLeafCertificates(), - * then SSLCopyTrustedLeafCertificates() will return NULL with errSecSuccess. - */ -OSStatus -SSLSetTrustedLeafCertificates ( - SSLContextRef context, - CFArrayRef certRefs); - -OSStatus -SSLCopyTrustedLeafCertificates ( - SSLContextRef context, - CFArrayRef *certRefs); // RETURNED, caller must release - -/* - * Get/set enable of anonymous ciphers. Default is enabled. - * - * SSLSetAllowAnonymousCiphers() returns errSecBadReq if SSLSetEnabledCiphers() - * has already been called. - * - * The enable state set by SSLSetAllowAnonymousCiphers() is ignored if - * SSLSetEnabledCiphers() is called after SSLSetAllowAnonymousCiphers() is - * called, i.e., SSLSetEnabledCiphers() overrides SSLSetAllowAnonymousCiphers(). - * - * NOTE: "Anonymous" ciphers include those ciphers that perform no encryption, - * as well as ciphers that perform no authentication, since neither are secure. - */ -OSStatus -SSLSetAllowAnonymousCiphers( - SSLContextRef context, - Boolean enable); - -OSStatus -SSLGetAllowAnonymousCiphers( - SSLContextRef context, - Boolean *enable); - -/* - * Override the default session cache timeout for a cache entry created for - * the current session. - */ -OSStatus -SSLSetSessionCacheTimeout( - SSLContextRef context, - uint32_t timeoutInSeconds); - -/* - * Callback function for EAP-style PAC-based session resumption. - * This function is called by SecureTransport to obtain the - * master secret. - */ -typedef void (*SSLInternalMasterSecretFunction)( - SSLContextRef ctx, - const void *arg, /* opaque to SecureTransport; app-specific */ - void *secret, /* mallocd by caller, SSL_MASTER_SECRET_SIZE */ - size_t *secretLength); /* in/out */ - -/* - * Register a callback for obtaining the master_secret when performing - * PAC-based session resumption. At the time the callback is called, - * the following are guaranteed to be valid: - * - * -- serverRandom (via SSLInternalServerRandom()) - * -- clientRandom (via SSLInternalClientRandom()) - * -- negotiated protocol version (via SSLGetNegotiatedProtocolVersion()) - * -- negotiated CipherSuite (via SSLGetNegotiatedCipher()) - * - * Currently, PAC-based session resumption is only implemented on - * the client side for Deployment builds. - * - * On the client side, this callback occurs if/when the server sends a - * ChangeCipherSpec message immediately following its ServerHello - * message (i.e., it's skipped the entire Key Exchange phase of - * negotiation). - * - * On the server side (Development builds only) this callback occurs - * immediately upon receipt of the Client Hello message, before we send - * the Server Hello. - */ -OSStatus -SSLInternalSetMasterSecretFunction( - SSLContextRef ctx, - SSLInternalMasterSecretFunction mFunc, - const void *arg); /* opaque to SecureTransport; app-specific */ - -/* - * Provide an opaque SessionTicket for use in PAC-based session - * resumption. Client side only. The provided ticket is sent in - * the ClientHello message as a SessionTicket extension. - * The maximum ticketLength is 2**16-1. - */ -OSStatus SSLInternalSetSessionTicket( - SSLContextRef ctx, - const void *ticket, - size_t ticketLength); - -/* - * Support for specifying and obtaining ECC curves, used with the ECDH-based - * ciphersuites. - */ - -/* - * These are the named curves from RFC 4492 - * section 5.1.1, with the exception of SSL_Curve_None which means - * "ECDSA not negotiated". - */ -typedef enum -{ - SSL_Curve_None = -1, - - SSL_Curve_sect163k1 = 1, - SSL_Curve_sect163r1 = 2, - SSL_Curve_sect163r2 = 3, - SSL_Curve_sect193r1 = 4, - SSL_Curve_sect193r2 = 5, - SSL_Curve_sect233k1 = 6, - SSL_Curve_sect233r1 = 7, - SSL_Curve_sect239k1 = 8, - SSL_Curve_sect283k1 = 9, - SSL_Curve_sect283r1 = 10, - SSL_Curve_sect409k1 = 11, - SSL_Curve_sect409r1 = 12, - SSL_Curve_sect571k1 = 13, - SSL_Curve_sect571r1 = 14, - SSL_Curve_secp160k1 = 15, - SSL_Curve_secp160r1 = 16, - SSL_Curve_secp160r2 = 17, - SSL_Curve_secp192k1 = 18, - SSL_Curve_secp192r1 = 19, - SSL_Curve_secp224k1 = 20, - SSL_Curve_secp224r1 = 21, - SSL_Curve_secp256k1 = 22, - - /* These are the ones we actually support */ - SSL_Curve_secp256r1 = 23, - SSL_Curve_secp384r1 = 24, - SSL_Curve_secp521r1 = 25 -} SSL_ECDSA_NamedCurve; - -/* - * Obtain the SSL_ECDSA_NamedCurve negotiated during a handshake. - * Returns errSecParam if no ECDH-related ciphersuite was negotiated. - */ -extern OSStatus SSLGetNegotiatedCurve( - SSLContextRef ctx, - SSL_ECDSA_NamedCurve *namedCurve); /* RETURNED */ - -/* - * Obtain the number of currently enabled SSL_ECDSA_NamedCurves. - */ -extern OSStatus SSLGetNumberOfECDSACurves( - SSLContextRef ctx, - unsigned *numCurves); /* RETURNED */ - -/* - * Obtain the ordered list of currently enabled SSL_ECDSA_NamedCurves. - * Caller allocates returned array and specifies its size (in - * SSL_ECDSA_NamedCurves) in *numCurves on entry; *numCurves - * is the actual size of the returned array on successful return. - */ -extern OSStatus SSLGetECDSACurves( - SSLContextRef ctx, - SSL_ECDSA_NamedCurve *namedCurves, /* RETURNED */ - unsigned *numCurves); /* IN/OUT */ - -/* - * Specify ordered list of allowable named curves. - */ -extern OSStatus SSLSetECDSACurves( - SSLContextRef ctx, - const SSL_ECDSA_NamedCurve *namedCurves, - unsigned numCurves); - -/* - * Server-specified client authentication mechanisms. - */ -typedef enum { - /* doesn't appear on the wire */ - SSLClientAuthNone = -1, - /* RFC 2246 7.4.6 */ - SSLClientAuth_RSASign = 1, - SSLClientAuth_DSSSign = 2, - SSLClientAuth_RSAFixedDH = 3, - SSLClientAuth_DSS_FixedDH = 4, - /* RFC 4492 5.5 */ - SSLClientAuth_ECDSASign = 64, - SSLClientAuth_RSAFixedECDH = 65, - SSLClientAuth_ECDSAFixedECDH = 66 -} SSLClientAuthenticationType; - -/* TLS 1.2 Signature Algorithms extension values for hash field. */ -typedef enum { - SSL_HashAlgorithmNone = 0, - SSL_HashAlgorithmMD5 = 1, - SSL_HashAlgorithmSHA1 = 2, - SSL_HashAlgorithmSHA224 = 3, - SSL_HashAlgorithmSHA256 = 4, - SSL_HashAlgorithmSHA384 = 5, - SSL_HashAlgorithmSHA512 = 6 -} SSL_HashAlgorithm; - -/* TLS 1.2 Signature Algorithms extension values for signature field. */ -typedef enum { - SSL_SignatureAlgorithmAnonymous = 0, - SSL_SignatureAlgorithmRSA = 1, - SSL_SignatureAlgorithmDSA = 2, - SSL_SignatureAlgorithmECDSA = 3 -} SSL_SignatureAlgorithm; - -typedef struct { - SSL_HashAlgorithm hash; - SSL_SignatureAlgorithm signature; -} SSLSignatureAndHashAlgorithm; - -/* - * Obtain the number of client authentication mechanisms specified by - * the server in its Certificate Request message. - * Returns errSecParam if server hasn't sent a Certificate Request message - * (i.e., client certificate state is kSSLClientCertNone). - */ -extern OSStatus SSLGetNumberOfClientAuthTypes( - SSLContextRef ctx, - unsigned *numTypes); - -/* - * Obtain the client authentication mechanisms specified by - * the server in its Certificate Request message. - * Caller allocates returned array and specifies its size (in - * SSLClientAuthenticationTypes) in *numType on entry; *numTypes - * is the actual size of the returned array on successful return. - */ -extern OSStatus SSLGetClientAuthTypes( - SSLContextRef ctx, - SSLClientAuthenticationType *authTypes, /* RETURNED */ - unsigned *numTypes); /* IN/OUT */ - -/* - * Obtain the SSLClientAuthenticationType actually performed. - * Only valid if client certificate state is kSSLClientCertSent - * or kSSLClientCertRejected; SSLClientAuthNone is returned as - * the negotiated auth type otherwise. - */ -extern OSStatus SSLGetNegotiatedClientAuthType( - SSLContextRef ctx, - SSLClientAuthenticationType *authType); /* RETURNED */ - -/* - * Obtain the number of supported_signature_algorithms specified by - * the server in its Certificate Request message. - * Returns errSecParam if server hasn't sent a Certificate Request message - * (i.e., client certificate state is kSSLClientCertNone). - */ -extern OSStatus SSLGetNumberOfSignatureAlgorithms( - SSLContextRef ctx, - unsigned *numSigAlgs); - -/* - * Obtain the supported_signature_algorithms specified by - * the server in its Certificate Request message. - * Caller allocates returned array and specifies its size (in - * SSLClientAuthenticationTypes) in *numType on entry; *numTypes - * is the actual size of the returned array on successful return. - */ -extern OSStatus SSLGetSignatureAlgorithms( - SSLContextRef ctx, - SSLSignatureAndHashAlgorithm *sigAlgs, /* RETURNED */ - unsigned *numSigAlgs); /* IN/OUT */ - -/* PSK SPIs */ - -/* Set the Shared Secret for PSK CipherSuite. - This need to be set before the handshake starts. */ -OSStatus SSLSetPSKSharedSecret(SSLContextRef ctx, - const void *secret, - size_t secretLen); - -/* Set the Client identity for PSK CipherSuite. - This need to be set before the handshake starts. - Only useful for client side.*/ -OSStatus SSLSetPSKIdentity(SSLContextRef ctx, - const void *pskIdentity, - size_t pskIdentityLen); - -/* For client side, get the identity previously set by SSLSetPSKIdentity. - For server side, get the identity provided by the client during the handshake. - Might be NULL if not set. identity is owned by the SSLContext and is invalid once - the SSLContext is released. - */ -OSStatus SSLGetPSKIdentity(SSLContextRef ctx, - const void **pskIdentity, - size_t *pskIdentityLen); - -#if TARGET_OS_IPHONE - -/* Following are SPIs on iOS */ - -/* - * Set allowed SSL protocol versions. Optional. - * Specifying kSSLProtocolAll for SSLSetProtocolVersionEnabled results in - * specified 'enable' boolean to be applied to all supported protocols. - * The default is "all supported protocols are enabled". - * This can only be called when no session is active. - * - * Legal values for protocol are : - * kSSLProtocol2 - * kSSLProtocol3 - * kTLSProtocol1 - * kSSLProtocolAll - * - * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin - */ -OSStatus -_SSLSetProtocolVersionEnabled (SSLContextRef context, - SSLProtocol protocol, - Boolean enable); - -/* - * Obtain a value specified in SSLSetProtocolVersionEnabled. - * - * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin - */ -OSStatus -_SSLGetProtocolVersionEnabled(SSLContextRef context, - SSLProtocol protocol, - Boolean *enable); /* RETURNED */ - -/* - * Get/set SSL protocol version; optional. Default is kSSLProtocolUnknown, - * in which case the highest possible version (currently kTLSProtocol1) - * is attempted, but a lower version is accepted if the peer requires it. - * - * SSLSetProtocolVersion can not be called when a session is active. - * - * This is deprecated in favor of SSLSetProtocolVersionEnabled. - * - * This is deprecated in favor of SSLSetProtocolVersionMax/SSLSetProtocolVersionMin - */ -OSStatus -_SSLSetProtocolVersion (SSLContextRef context, - SSLProtocol version); - -/* - * Obtain the protocol version specified in SSLSetProtocolVersion. - * This is deprecated in favor of SSLGetProtocolVersionEnabled. - * If SSLSetProtocolVersionEnabled() has been called for this session, - * SSLGetProtocolVersion() may return errSecParam if the protocol enable - * state can not be represented by the SSLProtocol enums (e.g., - * SSL2 and TLS1 enabled, SSL3 disabled). - * - * This is deprecated in favor of SSLGetProtocolVersionMax/SSLGetProtocolVersionMin - */ -OSStatus -_SSLGetProtocolVersion (SSLContextRef context, - SSLProtocol *protocol); /* RETURNED */ - -/* API REVIEW: - The following 15 calls were used to change the behaviour of the trust - evaluation of the certificate chain. - The proper alternative is to break out of the handshake, get the - peer's SecTrustRef with SSLCopyPeerTrust and evaluate that. - */ - -/* - * Enable/disable peer certificate chain validation. Default is enabled. - * If caller disables, it is the caller's responsibility to call - * SSLCopyPeerTrust() upon successful completion of the handshake - * and then to perform external validation of the peer certificate - * chain before proceeding with data transfer. - */ -OSStatus -_SSLSetEnableCertVerify (SSLContextRef context, - Boolean enableVerify); - -OSStatus -_SSLGetEnableCertVerify (SSLContextRef context, - Boolean *enableVerify); /* RETURNED */ - -/* - * Specify the option of ignoring certificates' "expired" times. - * This is a common failure in the real SSL world. Default for - * this flag is false, meaning expired certs result in a - * errSSLCertExpired error. - */ -OSStatus -_SSLSetAllowsExpiredCerts (SSLContextRef context, - Boolean allowsExpired); - -/* - * Obtain the current value of an SSLContext's "allowExpiredCerts" flag. - */ -OSStatus -_SSLGetAllowsExpiredCerts (SSLContextRef context, - Boolean *allowsExpired); /* RETURNED */ - -/* - * Similar to SSLSetAllowsExpiredCerts(), this function allows the - * option of ignoring "expired" status for root certificates only. - * Default is false, i.e., expired root certs result in an - * errSSLCertExpired error. - */ -OSStatus -_SSLSetAllowsExpiredRoots (SSLContextRef context, - Boolean allowsExpired); - -OSStatus -_SSLGetAllowsExpiredRoots (SSLContextRef context, - Boolean *allowsExpired); /* RETURNED */ - -/* - * Specify option of allowing for an unknown root cert, i.e., one which - * this software can not verify as one of a list of known good root certs. - * Default for this flag is false, in which case one of the following two - * errors may occur: - * -- The peer returns a cert chain with a root cert, and the chain - * verifies to that root, but the root is not one of our trusted - * roots. This results in errSSLUnknownRootCert on handshake. - * -- The peer returns a cert chain which does not contain a root cert, - * and we can't verify the chain to one of our trusted roots. This - * results in errSSLNoRootCert on handshake. - * - * Both of these error conditions are ignored when the AllowAnyRoot flag is true, - * allowing connection to a totally untrusted peer. - */ -OSStatus -_SSLSetAllowsAnyRoot (SSLContextRef context, - Boolean anyRoot); - -/* - * Obtain the current value of an SSLContext's "allow any root" flag. - */ -OSStatus -_SSLGetAllowsAnyRoot (SSLContextRef context, - Boolean *anyRoot); /* RETURNED */ - -/* - * Augment or replace the system's default trusted root certificate set - * for this session. If replaceExisting is true, the specified roots will - * be the only roots which are trusted during this session. If replaceExisting - * is false, the specified roots will be added to the current set of trusted - * root certs. If this function has never been called, the current trusted - * root set is the same as the system's default trusted root set. - * Successive calls with replaceExisting false result in accumulation - * of additional root certs. - * - * The trustedRoots array contains SecCertificateRefs. - */ -OSStatus -_SSLSetTrustedRoots (SSLContextRef context, - CFArrayRef trustedRoots, - Boolean replaceExisting); - -/* - * Obtain an array of SecCertificateRefs representing the current - * set of trusted roots. If SSLSetTrustedRoots() has never been called - * for this session, this returns the system's default root set. - * - * Caller must CFRelease the returned CFArray. - */ -OSStatus -_SSLCopyTrustedRoots (SSLContextRef context, - CFArrayRef *trustedRoots); /* RETURNED */ - -/* - * Add a SecCertificateRef, or a CFArray of them, to a server's list - * of acceptable Certificate Authorities (CAs) to present to the client - * when client authentication is performed. - * - * If replaceExisting is true, the specified certificate(s) will replace - * a possible existing list of acceptable CAs. If replaceExisting is - * false, the specified certificate(s) will be appended to the existing - * list of acceptable CAs, if any. - * - * Returns errSecParam is this is called on an SSLContextRef which - * is configured as a client, or when a session is active. - */ -OSStatus -_SSLSetCertificateAuthorities(SSLContextRef context, - CFTypeRef certificateOrArray, - Boolean replaceExisting); - -/* - * Obtain the certificates specified in SSLSetCertificateAuthorities(), - * if any. Returns a NULL array if SSLSetCertificateAuthorities() has not - * been called. - * Caller must CFRelease the returned array. - */ - -OSStatus -_SSLCopyCertificateAuthorities(SSLContextRef context, - CFArrayRef *certificates); /* RETURNED */ - -/* - * Request peer certificates. Valid anytime, subsequent to - * a handshake attempt. - * - * The certs argument is a CFArray containing SecCertificateRefs. - * Caller must CFRelease the returned array. - * - * The cert at index 0 of the returned array is the subject (end - * entity) cert; the root cert (or the closest cert to it) is at - * the end of the returned array. - */ -/* API REVIEW: - This should be removed so that applications are not tempted to - use this to evaluate trust, they should use the SecTrustRef returned - by SSLCopyPeerTrust instead. - But this maybe useful to know which certs where returned by the server - vs which where pulled internally. - This would be a debug feature, so we deprecate this in iOS. There - should be an API in SecTrust to allow getting the original certificates - for debug purpose. - */ -OSStatus -_SSLCopyPeerCertificates (SSLContextRef context, - CFArrayRef *certs); /* RETURNED */ - -/* - * Specify Diffie-Hellman parameters. Optional; if we are configured to allow - * for D-H ciphers and a D-H cipher is negotiated, and this function has not - * been called, a set of process-wide parameters will be calculated. However - * that can take a long time (30 seconds). - */ -OSStatus _SSLSetDiffieHellmanParams (SSLContextRef context, - const void *dhParams, - size_t dhParamsLen); - -/* - * Return parameter block specified in SSLSetDiffieHellmanParams. - * Returned data is not copied and belongs to the SSLContextRef. - */ -OSStatus _SSLGetDiffieHellmanParams (SSLContextRef context, - const void **dhParams, - size_t *dhParamsLen); - -/* - * Enable/Disable RSA blinding. This feature thwarts a known timing - * attack to which RSA keys are vulnerable; enabling it is a tradeoff - * between performance and security. The default for RSA blinding is - * enabled. - */ -OSStatus _SSLSetRsaBlinding (SSLContextRef context, - Boolean blinding); - -OSStatus _SSLGetRsaBlinding (SSLContextRef context, - Boolean *blinding); - -/* - * Create a new SSL/TLS session context. - * Deprecated: please use the allocator based functions, when available. - */ -OSStatus -_SSLNewContext (Boolean isServer, - SSLContextRef *tlsContextPtr); /* RETURNED */ - -/* - * Dispose of an SSLContextRef. This is effectivly a CFRelease. - * Deprecated. - */ -OSStatus -_SSLDisposeContext (SSLContextRef context); - -/* We redefine the names of all SPIs to avoid collision with unavailable APIs */ -#define SSLSetProtocolVersionEnabled _SSLSetProtocolVersionEnabled -#define SSLGetProtocolVersionEnabled _SSLGetProtocolVersionEnabled -#define SSLSetProtocolVersion _SSLSetProtocolVersion -#define SSLGetProtocolVersion _SSLGetProtocolVersion -#define SSLSetEnableCertVerify _SSLSetEnableCertVerify -#define SSLGetEnableCertVerify _SSLGetEnableCertVerify -#define SSLSetAllowsExpiredCerts _SSLSetAllowsExpiredCerts -#define SSLGetAllowsExpiredCerts _SSLGetAllowsExpiredCerts -#define SSLSetAllowsExpiredRoots _SSLSetAllowsExpiredRoots -#define SSLGetAllowsExpiredRoots _SSLGetAllowsExpiredRoots -#define SSLSetAllowsAnyRoot _SSLSetAllowsAnyRoot -#define SSLGetAllowsAnyRoot _SSLGetAllowsAnyRoot -#define SSLSetTrustedRoots _SSLSetTrustedRoots -#define SSLCopyTrustedRoots _SSLCopyTrustedRoots -#define SSLSetCertificateAuthorities _SSLSetCertificateAuthorities -#define SSLCopyCertificateAuthorities _SSLCopyCertificateAuthorities -#define SSLCopyPeerCertificates _SSLCopyPeerCertificates -#define SSLSetDiffieHellmanParams _SSLSetDiffieHellmanParams -#define SSLGetDiffieHellmanParams _SSLGetDiffieHellmanParams -#define SSLSetRsaBlinding _SSLSetRsaBlinding -#define SSLGetRsaBlinding _SSLGetRsaBlinding -#define SSLNewContext _SSLNewContext -#define SSLNewDatagramContext _SSLNewDatagramContext -#define SSLDisposeContext _SSLDisposeContext - -#endif /* TARGET_OS_IPHONE */ - - -/* - * Create a new Datagram TLS session context. - * Use in place of SSLNewContext to create a DTLS session. - * Deprecated: please use the allocator based functions, when available. - * Also note: the symbol is prefixed with underscore in iOS (historical) - */ -OSStatus -SSLNewDatagramContext (Boolean isServer, - SSLContextRef *dtlsContextPtr); /* RETURNED */ - - - -#ifdef __cplusplus -} -#endif - - -#endif /* _SECURE_TRANSPORT_PRIV_H_ */