
Security tvOS xcode9 beta1

Vincent Dondain edited this page Jun 5, 2017 · 1 revision

# Security.framework

diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/CipherSuite.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/CipherSuite.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/CipherSuite.h	2016-05-03 18:21:22.000000000 -0400
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/CipherSuite.h	2017-05-20 23:23:30.000000000 -0400
@@ -222,6 +222,14 @@
     TLS_RSA_PSK_WITH_NULL_SHA256              = 0x00B8,
     TLS_RSA_PSK_WITH_NULL_SHA384              = 0x00B9,
 
+    /* TLS 1.3 standard cipher suites for ChaCha20+Poly1305.
+       Note: TLS 1.3 ciphersuites do not specify the key exchange
+       algorithm -- they only specify the symmetric ciphers. */
+    TLS_AES_128_GCM_SHA256                    = 0x1301,
+    TLS_AES_256_GCM_SHA384                    = 0x1302,
+    TLS_CHACHA20_POLY1305_SHA256              = 0x1303,
+    TLS_AES_128_CCM_SHA256                    = 0x1304,
+    TLS_AES_128_CCM_8_SHA256                  = 0x1305,
 
     /* Addenda from rfc 5289  Elliptic Curve Cipher Suites with
        HMAC SHA-256/384. */
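Review bot: The block comment above the new enumerators says "TLS 1.3 standard cipher suites for ChaCha20+Poly1305", but only `TLS_CHACHA20_POLY1305_SHA256` (0x1303) is a ChaCha20-Poly1305 suite; the other four are AES-GCM and AES-CCM suites. Suggest `/* TLS 1.3 standard cipher suites (AES-GCM, ChaCha20-Poly1305, AES-CCM).` as the first line, keeping the existing note that TLS 1.3 suite identifiers do not encode the key exchange. The enum's opening line is outside the hunk.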
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecBase.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecBase.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecBase.h	2017-02-24 00:26:29.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecBase.h	2017-05-25 03:57:50.000000000 -0400
@@ -28,6 +28,16 @@
 #include <CoreFoundation/CFBase.h>
 #include <AvailabilityMacros.h>
 
+// Truth table for following declarations:
+//
+//                            TARGET_OS_OSX  TARGET_OS_OSX    TARGET_OS_IPHONE    TARGET_OS_IPHONE
+//                                           SEC_IOS_ON_OSX                       SEC_IOS_ON_OSX
+// ===================================================================================================
+// SEC_OS_IPHONE                0             1                1                   1
+// SEC_OS_IPHONE_INCLUDES       0             0                1                   1
+// SEC_OS_OSX                   1             0                0                   0
+// SEC_OS_OSX_INCLUDES          1             1                0                   0
+
 #if TARGET_OS_OSX
   #ifdef SEC_IOS_ON_OSX
     #define SEC_OS_IPHONE 1
@@ -142,7 +152,7 @@
 {
     SecKeychainAttrType tag;
     UInt32 length;
-    void *data;
+    void * __nullable data;
 };
 typedef struct SecKeychainAttribute SecKeychainAttribute;
 
@@ -161,7 +171,7 @@
 struct SecKeychainAttributeList
 {
     UInt32 count;
-    SecKeychainAttribute *attr;
+    SecKeychainAttribute * __nullable attr;
 };
 typedef struct SecKeychainAttributeList  SecKeychainAttributeList;
 
@@ -207,7 +217,7 @@
 {
     UInt32 count;
     UInt32 *tag;
-    UInt32 *format;
+    UInt32 * __nullable format;
 };
 typedef struct SecKeychainAttributeInfo  SecKeychainAttributeInfo;
 
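Review bot: `UInt32 *tag;` on the line above the change is left without a nullability annotation while `format` gains `__nullable`; if this struct sits inside an assume-nonnull region, `tag` is now implicitly nonnull, which may or may not be intended. If `tag` can be NULL, annotate it the same way, `UInt32 * __nullable tag;`; otherwise an explicit `__nonnull` makes the asymmetry deliberate. The struct's name and opening line are outside the hunk.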
@@ -302,7 +312,7 @@
     errSecUnimplemented                      = -4,      /* Function or operation not implemented. */
     errSecDskFull                            = -34,
     errSecIO                                 = -36,     /*I/O error (bummers)*/
-    errSecOpWr                               = -49,     /*file already open with with write permission*/
+    errSecOpWr                               = -49,     /*file already open with write permission*/
     errSecParam                              = -50,     /* One or more parameters passed to a function were not valid. */
     errSecWrPerm                             = -61,     /* write permissions error*/
     errSecAllocate                           = -108,    /* Failed to allocate memory. */
@@ -312,6 +322,8 @@
     errSecInternalComponent                  = -2070,
     errSecCoreFoundationUnknown              = -4960,
 
+    errSecMissingEntitlement                 = -34018,    /* A required entitlement isn't present. */
+
     errSecNotAvailable                       = -25291,    /* No keychain is available. You may need to restart your computer. */
     errSecReadOnly                           = -25292,    /* This keychain cannot be modified. */
     errSecAuthFailed                         = -25293,    /* The user name or passphrase you entered is not correct. */
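Review bot: `errSecMissingEntitlement = -34018` is inserted between -4960 and -25291, breaking the descending numeric order the surrounding enumerators follow (-34018 is smaller than -25291). Moving it after the -25xxx block, or adding a one-line comment explaining why it is grouped here, keeps the table scannable. The enum's opening line is outside the hunk.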
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h	2017-02-24 01:36:08.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h	2017-05-25 03:57:50.000000000 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2002-2017 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -169,29 +169,40 @@
     __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA);
 #endif
 
+/*!
+ @function SecCertificateCopySerialNumberData
+ @abstract Return the certificate's serial number.
+ @param certificate The certificate from which to get values.
+ @param error An optional pointer to a CFErrorRef which will be set on return from the function if an error occurred. If not NULL, the caller is responsible for releasing the CFErrorRef.
+ @discussion Return the content of a DER-encoded integer (without the tag and length fields) for this certificate's serial number. The caller must CFRelease the value returned.
+ */
+__nullable
+CFDataRef SecCertificateCopySerialNumberData(SecCertificateRef certificate, CFErrorRef *error)
+    __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
+
 #if TARGET_OS_IPHONE
 /*!
  @function SecCertificateCopySerialNumber
  @abstract Return the certificate's serial number.
- @param certificate The certificate from which to get values
- @discussion Return the content of a DER-encoded integer (without the tag and length fields) for this certificate's serial number. The caller must CFRelease the value returned.
+ @param certificate The certificate from which to get values.
+ @discussion Return the content of a DER-encoded integer (without the tag and length fields) for this certificate's serial number. The caller must CFRelease the value returned. NOTE: Deprecated in iOS 11.0; use SecCertificateCopySerialNumberData instead for cross-platform availability.
  */
 __nullable
 CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate)
-    __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_10_3);
+    __OSX_AVAILABLE_BUT_DEPRECATED_MSG(__MAC_NA, __MAC_NA, __IPHONE_10_3, __IPHONE_11_0, "SecCertificateCopySerialNumber is deprecated. Use SecCertificateCopySerialNumberData instead.");
 #endif
 
 #if TARGET_OS_OSX
 /*!
  @function SecCertificateCopySerialNumber
  @abstract Return the certificate's serial number.
- @param certificate The certificate from which to get values
- @param error An optional pointer to a CFErrorRef. This value is set if an error occurred.  If not NULL the caller is responsible for releasing the CFErrorRef.
- @discussion Return the content of a DER-encoded integer (without the tag and length fields) for this certificate's serial number. The caller must CFRelease the value returned.
+ @param certificate The certificate from which to get values.
+ @param error An optional pointer to a CFErrorRef which will be set on return from the function if an error occurred. If not NULL, the caller is responsible for releasing the CFErrorRef.
+ @discussion Return the content of a DER-encoded integer (without the tag and length fields) for this certificate's serial number. The caller must CFRelease the value returned. NOTE: Deprecated in macOS 10.13; use SecCertificateCopySerialNumberData instead for cross-platform availability.
  */
 __nullable
 CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorRef *error)
-    __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+    __OSX_AVAILABLE_BUT_DEPRECATED_MSG(__MAC_10_7, __MAC_10_13, __IPHONE_NA, __IPHONE_NA, "SecCertificateCopySerialNumber is deprecated. Use SecCertificateCopySerialNumberData instead.");
 #endif
 
 /*
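Review bot: `SecCertificateCopySerialNumberData` is declared `__nullable` but its documentation never says when NULL is returned or what `error` holds in that case; a `@result` line such as `@result The serial number content as CFData, or NULL if it could not be obtained (in which case *error is set when error is non-NULL).` would close that gap — the NULL-on-failure behaviour is inferred from the annotation, so confirm it against the implementation. The `@param error` sentence "If not NULL, the caller is responsible for releasing the CFErrorRef" is also ambiguous about whether "NULL" refers to the `error` pointer or to the returned CFErrorRef; `If error is non-NULL and an error occurs, *error is set and the caller must release it.` reads unambiguously. The same wording is reused on the macOS `SecCertificateCopySerialNumber` block below it.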
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h	2017-02-24 02:35:02.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h	2017-05-26 22:40:28.000000000 -0400
@@ -154,7 +154,7 @@
      /* for import and export */
      uint32_t                    version;        /* SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION */
      SecKeyImportExportFlags flags;              /* SecKeyImportExportFlags bits */
-     CFTypeRef                    passphrase;    /* kSecFormatPKCS12, kSecFormatWrapped*
+     CFTypeRef __nullable           passphrase;  /* kSecFormatPKCS12, kSecFormatWrapped*
                                                   *    formats only. Legal types are
                                                   *    CFStringRef and CFDataRef. */
      CFStringRef                    alertTitle;  /* title of secure passphrase alert panel */
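Review bot: Only `passphrase` gets `__nullable` in this struct while `alertTitle` on the last context line stays unannotated, whereas the second copy of the struct in the next hunk annotates both `alertTitle` and `alertPrompt`; the two struct variants now disagree on the nullability of the alert strings. If this variant's alert fields can also be NULL, `CFStringRef __nullable alertTitle;` (and `alertPrompt`, presumably just below the hunk) keeps the two definitions in step; if the variants are under different platform `#if`s the difference may be deliberate, but it is worth confirming. The new `passphrase` line in the next hunk also uses a different comment alignment from this one (`passphrase;    /*` vs `passphrase;  /*`). Both struct definitions start and end outside their hunks.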
@@ -174,11 +174,11 @@
      /* for import and export */
      uint32_t                    version;        /* SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION */
      SecKeyImportExportFlags flags;              /* SecKeyImportExportFlags bits */
-     CFTypeRef                    passphrase;    /* kSecFormatPKCS12, kSecFormatWrapped*
+     CFTypeRef __nullable           passphrase;    /* kSecFormatPKCS12, kSecFormatWrapped*
                                                   *    formats only. Legal types are
                                                   *    CFStringRef and CFDataRef. */
-     CFStringRef                    alertTitle;  /* title of secure passphrase alert panel */
-     CFStringRef                    alertPrompt; /* prompt in secure passphrase alert panel */
+     CFStringRef __nullable         alertTitle;  /* title of secure passphrase alert panel */
+     CFStringRef __nullable         alertPrompt; /* prompt in secure passphrase alert panel */
 
      /* for import only */
      SecAccessRef __nullable     accessRef;      /* specifies the initial ACL of imported
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h	2017-02-24 00:30:51.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h	2017-05-27 00:31:24.000000000 -0400
@@ -149,9 +149,9 @@
         kSecAttrIsPermanent
         kSecAttrApplicationTag
         kSecAttrKeyType
-        kSecAttrPRF    (iOS only)
-        kSecAttrSalt   (iOS only)
-        kSecAttrRounds (iOS only)
+        kSecAttrPRF    (OS X only)
+        kSecAttrSalt   (OS X only)
+        kSecAttrRounds (OS X only)
         kSecAttrKeySizeInBits
         kSecAttrEffectiveKeySize
         kSecAttrCanEncrypt
@@ -399,12 +399,12 @@
 
     @constant kSecAttrPRF Specifies a dictionary key whose value is the PRF
         (pseudo-random function) for this key (see "kSecAttrPRF Value Constants".)
-        iOS only.
+        OS X only.
     @constant kSecAttrSalt Specifies a dictionary key whose value is a
-        CFData containing the salt to use for this key. iOS only.
+        CFData containing the salt to use for this key. OS X only.
     @constant kSecAttrRounds Specifies a dictionary key whose value is the
         number of rounds for the pseudo-random function specified by kSecAttrPRF.
-        iOS only.
+        OS X only.
     @constant kSecAttrKeySizeInBits Specifies a dictionary key whose value
         is a CFNumberRef indicating the number of bits in this key.
     @constant kSecAttrEffectiveKeySize Specifies a dictionary key whose value
@@ -550,6 +550,8 @@
     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 extern const CFStringRef kSecAttrTokenID
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0);
+extern const CFStringRef kSecAttrPersistantReference
+    __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
 
 /*!
     @enum kSecAttrAccessible Value Constants
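Review bot: The new exported symbol `kSecAttrPersistantReference` misspells "persistent"; an exported constant name is ABI once the SDK ships, so it is far cheaper to fix now than to carry the typo. If the spelling cannot change, consider a correctly spelled alias (a proposed `kSecAttrPersistentReference`) so callers are not forced to reproduce the typo. The attribute also has no `@constant` entry in this diff — the attribute documentation changed in the two earlier hunks of this file does not mention it — so unless it is documented elsewhere, a one-line description of what value it carries and which item classes accept it should accompany the declaration.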
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecKey.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecKey.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecKey.h	2017-02-23 22:56:19.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecKey.h	2017-05-20 23:23:30.000000000 -0400
@@ -924,6 +924,46 @@
     @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
     RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size.
 
+    @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA1
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-1 generated digest.
+    PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA224
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-224 generated digest.
+    PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA256
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-256 generated digest.
+    PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA384
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-384 generated digest.
+    PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA512
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-512 generated digest.
+    PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA1
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-1 digest is generated from input data of any size.
+    PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA224
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-224 digest is generated from input data of any size.
+    PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA256
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-256 digest is generated from input data of any size.
+    PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA384
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-384 digest is generated from input data of any size.
+    PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size).
+
+    @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA512
+    RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-512 digest is generated from input data of any size.
+    PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size).
+
     @constant kSecKeyAlgorithmECDSASignatureRFC4754
     ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest.
 
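Review bot: The new PSS entries document the SHA-1 variants exactly like the SHA-2 ones, with nothing steering callers away from SHA-1, which is no longer recommended for new signatures; since the whole family is being introduced here, a caveat on `kSecKeyAlgorithmRSASignatureDigestPSSSHA1` and `kSecKeyAlgorithmRSASignatureMessagePSSSHA1` such as `Provided for interoperability with existing peers; prefer the SHA-256 or larger variants in new code.` would help. The phrase "saltLength parameter is set to 20" also reads as if the salt length were caller-supplied; "the salt length is fixed at 20 bytes" states what the text seems to mean — confirm against the implementation. The enclosing comment block starts and ends outside the hunk.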
@@ -1029,75 +1069,131 @@
     as authentication data for AES-GCM encryption.
 
     @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code.
     Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code.
     Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
     @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
-    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
-    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1.  AES Key size
+    Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM in new code.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512.  AES Key size
     is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
     and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG and
     all-zero 16 byte long IV (initialization vector).
 
+    @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
+    @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM
+    ECIES encryption or decryption.  This algorithm does not limit the size of the message to be encrypted or decrypted.
+    Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512.  AES Key size
+    is 128bit for EC keys <=256bit and 256bit for bigger EC keys.  Ephemeral public key data is used as sharedInfo for KDF,
+    and static public key data is used as authenticationData for AES-GCM processing.  AES-GCM uses 16 bytes long TAG, AES key
+    is first half of KDF output and 16 byte long IV (initialization vector) is second half of KDF output.
+
     @constant kSecKeyAlgorithmECDHKeyExchangeCofactor
     Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
     This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
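Review bot: The ten legacy ECIES paragraphs now say "use ... in new code" without giving the reason, although the hunk itself shows it: the legacy variants use an all-zero 16-byte IV (the last line of each legacy paragraph) while the VariableIV variants take the IV from the second half of the KDF output. One clause in each legacy paragraph, e.g. `Legacy ECIES encryption or decryption (fixed all-zero IV); use ... in new code.`, lets a reader see why the recommendation exists without cross-reading the two blocks. Pointing the SHA1 legacy variants at the SHA256 VariableIV algorithms is consistent, since no SHA1 VariableIV variant is documented here. The enclosing comment block starts and ends outside the hunk.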
@@ -1188,6 +1284,28 @@
 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA1
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA224
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA256
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA384
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA512
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA1
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA224
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA256
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA384
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA512
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
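Review bot: The new kSecKeyAlgorithmRSASignatureDigestPSSSHA1 and kSecKeyAlgorithmRSASignatureMessagePSSSHA1 declarations carry the same availability as the SHA-2 variants, and nothing in this hunk marks them as a legacy choice. Since these are bare extern declarations, a one-line comment is the only place to steer callers, e.g. `/* SHA-1 PSS variants are for interoperability with existing peers; prefer the SHA-2 variants for new signatures. */` above the first SHA1 declaration of each group. The @constant documentation for these constants lies outside this hunk; if it does not already state the PSS salt length and MGF hash used, it should, because a signature produced with a different salt length fails verification on other implementations.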
@@ -1263,6 +1381,24 @@
 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecRandom.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecRandom.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecRandom.h	2017-02-24 01:36:08.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecRandom.h	2017-05-20 23:33:32.000000000 -0400
@@ -41,7 +41,7 @@
 
 /*!
     @typedef SecRandomRef
-    @abstract Reference to a (psuedo) random number generator.
+    @abstract Reference to a (pseudo) random number generator.
 */
 typedef const struct __SecRandom * SecRandomRef;
 
@@ -54,10 +54,9 @@
      @function SecRandomCopyBytes
      @abstract Return count random bytes in *bytes, allocated by the caller.
         It is critical to check the return value for error
-     @result Return 0 on success or -1 if something went wrong, check errno
-     to find out the real error.
+     @result Return 0 on success, any other value on failure.
 */
-int SecRandomCopyBytes(SecRandomRef __nullable rnd, size_t count, uint8_t *bytes)
+int SecRandomCopyBytes(SecRandomRef __nullable rnd, size_t count, void *bytes)
     __attribute__ ((warn_unused_result))
     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
 
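Review bot: The reworded @result on the new side says only "any other value on failure" and, with the parameter now a `void *`, no longer says what state `bytes` is left in when the call fails. A caller that ignores a non-zero return would treat an untouched or partially filled buffer as random, so the contract should be explicit: `On failure the contents of *bytes are unspecified and must not be used as random data.` The old errno guidance was removed; if errno is in fact no longer set, a sentence saying so would stop callers from reading a stale value.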
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h	2017-02-24 00:26:29.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h	2017-05-26 22:40:28.000000000 -0400
@@ -603,13 +603,16 @@
     @param keychainOrArray A reference to an array of keychains to search, a
     single keychain, or NULL to use the default keychain search list.
     @result A result code. See "Security Error Codes" (SecBase.h).
-    @discussion By default, the user's keychain search list and the system
-    anchors keychain are searched for certificates to complete the chain. You
-    can specify a zero-element array if you do not want any keychains searched.
-    Note: this function is not applicable to iOS.
+    @discussion This function is deprecated in macOS 10.13 and later. Beginning in
+    macOS 10.12, this function no longer affected the behavior of the trust
+    evaluation: the user's keychain search list and the system
+    anchors keychain are searched for certificates to complete the chain. To change
+    the keychains that are searched, callers must use SecKeychainSetSearchList to
+    change the user's keychain search list.
+    Note: this function was never applicable to iOS.
  */
 OSStatus SecTrustSetKeychains(SecTrustRef trust, CFTypeRef __nullable keychainOrArray)
-    __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA);
+    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_13, __IPHONE_NA, __IPHONE_NA);
 
 /*!
     @function SecTrustGetResult
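Review bot: The new @discussion drops the old sentence about passing a zero-element array to suppress keychain searching, but does not state outright that keychainOrArray is now ignored. A caller that used an empty array to narrow the chain-building search will, on macOS 10.12 and later, silently have the full user search list and system anchors consulted, which widens the trust-evaluation scope. Suggest adding after the first sentence: `The keychainOrArray parameter is ignored, including a zero-element array.` The phrase "Beginning in macOS 10.12, this function no longer affected" also mixes tenses; `has not affected` reads cleaner.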
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecureTransport.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecureTransport.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecureTransport.h	2016-11-29 00:35:44.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/SecureTransport.h	2017-05-20 23:23:30.000000000 -0400
@@ -84,19 +84,20 @@
 
 /* SSL Protocol version */
 typedef CF_ENUM(int, SSLProtocol) {
-	kSSLProtocolUnknown = 0,                /* no protocol negotiated/specified; use default */
-	kSSLProtocol3       = 2,				/* SSL 3.0 */
-	kTLSProtocol1       = 4,				/* TLS 1.0 */
-    kTLSProtocol11      = 7,				/* TLS 1.1 */
-    kTLSProtocol12      = 8,				/* TLS 1.2 */
-    kDTLSProtocol1      = 9,                /* DTLS 1.0 */
-
-    /* DEPRECATED on iOS */
-    kSSLProtocol2       = 1,				/* SSL 2.0 */
-    kSSLProtocol3Only   = 3,                /* SSL 3.0 Only */
-    kTLSProtocol1Only   = 5,                /* TLS 1.0 Only */
-    kSSLProtocolAll     = 6,                /* All TLS supported protocols */
-
+    kSSLProtocolUnknown = 0, /* no protocol negotiated/specified; use default */
+    kSSLProtocol3 = 2, /* SSL 3.0 */
+    kTLSProtocol1 = 4, /* TLS 1.0 */
+    kTLSProtocol11 = 7, /* TLS 1.1 */
+    kTLSProtocol12 = 8, /* TLS 1.2 */
+    kDTLSProtocol1 = 9, /* DTLS 1.0 */
+    kTLSProtocol13 = 10, /* TLS 1.3 */
+
+    kTLSProtocolMaxSupported = 999, /* Max system-supported version */
+
+    kSSLProtocol2 = 1, /* SSL 2.0. DEPRECATED on iOS. */
+    kSSLProtocol3Only = 3, /* SSL 3.0. DEPRECATED on iOS. */
+    kTLSProtocol1Only = 5, /* TLS 1.0 Only. DEPRECATED on iOS. */
+    kSSLProtocolAll = 6, /* All TLS supported protocols. DEPRECATED on iOS. */
 };
 
 /* SSL session options */
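Review bot: kTLSProtocol13 = 10 and kTLSProtocolMaxSupported = 999 are slotted into a numbering that is not ordered by version (kSSLProtocolAll = 6 sits between kTLSProtocol1 = 4 and kTLSProtocol11 = 7, and kDTLSProtocol1 = 9 between TLS 1.2 and TLS 1.3), so code that compares SSLProtocol values with `<`/`>=` to enforce a minimum version, or treats kTLSProtocolMaxSupported as a numeric upper bound, gets wrong answers. A comment on the enum would prevent that: `/* Values are opaque identifiers, not ordered by protocol version; use SSLSetProtocolVersionMin/Max to constrain versions. */` The kTLSProtocolMaxSupported comment should also say whether it is accepted only as input (e.g. to SSLSetProtocolVersionMax) or may be returned by getters, since 999 does not name a protocol.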
@@ -151,7 +152,10 @@
      * Set this option to Allow renegotations. False by default.
      */
     kSSLSessionOptionAllowRenegotiation = 8,
-
+    /*
+     * Set this option to enable session tickets. False by default.
+     */
+    kSSLSessionOptionEnableSessionTickets = 9,
 };
 
 /* State of an SSLSession */
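Review bot: kSSLSessionOptionEnableSessionTickets = 9 and the new SSLSetSessionTicketsEnabled function later in this diff (the hunk at `@@ -783,6 +810,15 @@`) expose the same switch through two APIs, and neither comment says how they interact when both are used or what SSLGetSessionOption reports afterwards. Suggest the option comment state the relationship, e.g. `Equivalent to SSLSetSessionTicketsEnabled(); the most recent call of either wins.` — assuming that is how the implementation behaves. Both comments could also note that ticket-based resumption (RFC 5077) ties the confidentiality of resumed sessions to the protection and rotation of the ticket key, which is why it is off by default.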
@@ -184,7 +188,7 @@
 	 * Server app can inspect the cert via SSLCopyPeerCertificates().
 	 */
 	kSSLClientCertRejected
-} ;
+};
 
 /*
  * R/W functions. The application using this library provides
@@ -312,29 +316,52 @@
  */
 
 /* Default configuration (has 3DES, no RC4) */
-extern const CFStringRef kSSLSessionConfig_default;
+extern const CFStringRef kSSLSessionConfig_default
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
 /* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
-extern const CFStringRef kSSLSessionConfig_ATSv1;
+extern const CFStringRef kSSLSessionConfig_ATSv1
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
-extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS;
+extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.2 to TLS v1.0, with default ciphersuites (no 3DES, no RC4) */
-extern const CFStringRef kSSLSessionConfig_standard;
+extern const CFStringRef kSSLSessionConfig_standard
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.2 to TLS v1.0, with default ciphersuites + RC4 + 3DES */
-extern const CFStringRef kSSLSessionConfig_RC4_fallback;
+extern const CFStringRef kSSLSessionConfig_RC4_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
 /* TLS v1.0 only, with default ciphersuites + fallback SCSV */
-extern const CFStringRef kSSLSessionConfig_TLSv1_fallback;
+extern const CFStringRef kSSLSessionConfig_TLSv1_fallback
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.0, with default ciphersuites + RC4 + 3DES + fallback SCSV */
-extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback;
+extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
 /* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
-extern const CFStringRef kSSLSessionConfig_legacy;
+extern const CFStringRef kSSLSessionConfig_legacy
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.2 to TLS v1.0, default + RC4 + DHE ciphersuites */
-extern const CFStringRef kSSLSessionConfig_legacy_DHE;
+extern const CFStringRef kSSLSessionConfig_legacy_DHE
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.2, anonymous ciphersuites only */
-extern const CFStringRef kSSLSessionConfig_anonymous;
+extern const CFStringRef kSSLSessionConfig_anonymous
+__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
+
 /* TLS v1.2 to TLS v1.0, has 3DES, no RC4 */
-extern const CFStringRef kSSLSessionConfig_3DES_fallback;
+extern const CFStringRef kSSLSessionConfig_3DES_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
+
 /* TLS v1.0, with default ciphersuites + 3DES, no RC4 */
-extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback;
+extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback
+__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2,__MAC_10_13,__IPHONE_5_0,__IPHONE_11_0);
 
 
 /******************
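Review bot: The deprecation pattern in this hunk is inconsistent with the comments that justify it: every config whose comment lists RC4 or 3DES is marked __OSX_AVAILABLE_BUT_DEPRECATED (default, RC4_fallback, TLSv1_RC4_fallback, 3DES_fallback, TLSv1_3DES_fallback), yet kSSLSessionConfig_legacy and kSSLSessionConfig_legacy_DHE, whose comments say "defaults + RC4 + DHE ciphersuites", stay __OSX_AVAILABLE_STARTING. Either those two should be deprecated as well, or their comments no longer describe what they enable; as written the header tells a reader that an RC4-enabling config is fully supported. kSSLSessionConfig_anonymous (no peer authentication) is likewise undeprecated and would benefit from a comment saying it is for testing only, if that is the intent. None of the deprecations names a replacement; `__OSX_AVAILABLE_BUT_DEPRECATED_MSG` with a message such as "Use kSSLSessionConfig_standard" would surface it at compile time. Style: the deprecated macros omit spaces after commas while the STARTING ones include them.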
@@ -783,6 +810,15 @@
 							 size_t					*numCiphers)	/* IN/OUT */
 	__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
 
+/*
+ * Forcibly enable or disable session ticket resumption. By default, session tickets
+ * are disabled.
+ */
+OSStatus
+SSLSetSessionTicketsEnabled     (SSLContextRef          context,
+                                 Boolean                enabled)
+    __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0);
+
 
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
 /*
@@ -1140,6 +1176,48 @@
 							 SSLCipherSuite 	*cipherSuite)
 	__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
 
+/*
+ * Set the ALPN protocols to be passed in the ALPN negotiation.
+ * This is the list of supported application-layer protocols supported.
+ *
+ * The protocols parameter must be an array of CFStringRef values
+ * with ASCII-encoded reprensetations of the supported protocols, e.g., "http/1.1".
+ *
+ * See RFC 7301 for more information.
+ */
+OSStatus
+SSLSetALPNProtocols         (SSLContextRef      context,
+                             CFArrayRef         protocols)
+    __OSX_AVAILABLE_STARTING(__MAC_10_12_4, __IPHONE_9_3);
+
+/*
+ * Get the ALPN protocols associated with this SSL context.
+ * This is the list of supported application-layer protocols supported.
+ *
+ * The resultant protocols array will contain CFStringRef values containing
+ * ASCII-encoded representations of the supported protocols, e.g., "http/1.1".
+ *
+ * See RFC 7301 for more information.
+ *
+ * Note: The `protocols` pointer must be NULL, otherwise the copy will fail.
+ * This function will allocate memory for the CFArrayRef container
+ * if there is data to provide. Otherwise, the pointer will remain NULL.
+ */
+OSStatus
+SSLCopyALPNProtocols        (SSLContextRef      context,
+                             CFArrayRef         __nullable * __nonnull protocols)           /* RETURNED */
+    __OSX_AVAILABLE_STARTING(__MAC_10_12_4, __IPHONE_9_3);
+
+/*
+ * Set the OCSP response for the given SSL session.
+ *
+ * The response parameter must be a non-NULL CFDataRef containing the 
+ * bytes of the OCSP response.
+ */
+OSStatus
+SSLSetOCSPResponse          (SSLContextRef      context,
+                             CFDataRef          __nonnull response)
+__OSX_AVAILABLE_STARTING(__MAC_10_12_4, __IPHONE_9_3);
 
 /********************************************************
  *** Session context configuration, server side only. ***
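Review bot: The SSLCopyALPNProtocols comment says "The `protocols` pointer must be NULL", which contradicts the `__nonnull` on the parameter; it is the pointed-to CFArrayRef that must be NULL on entry, so write `*protocols must be NULL on entry`. The comment should also state ownership of the returned array — by Core Foundation Copy naming the caller owns it and must CFRelease it, presumably the case here. The SSLSetOCSPResponse comment does not say which side calls it or whether the response is sent as a stapled response (server) or consumed for certificate status checking (client); a client that assumes validation happens here would skip revocation checking. Minor: "reprensetations" is misspelled and "supported … supported" is doubled in both ALPN comments.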
@@ -1413,6 +1491,15 @@
 SSLClose					(SSLContextRef		context)
 	__OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0);
 
+/*
+ * Set the status of a SSLContextRef. This is to be done after handling 
+ * steps of the SSL handshake such as server certificate validation.
+ */
+OSStatus
+SSLSetError                 (SSLContextRef      context,
+                             OSStatus           status)
+    __OSX_AVAILABLE_STARTING(__MAC_10_12_4, __IPHONE_9_3);
+
 CF_IMPLICIT_BRIDGING_DISABLED
 CF_ASSUME_NONNULL_END
 
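Review bot: The SSLSetError comment does not say what effect the status has on the connection: whether a non-zero status aborts the handshake, whether a fatal alert is sent to the peer, or whether passing errSecSuccess clears a previously set error. Since the stated use is reporting the outcome of server certificate validation, a caller that sets a failure status and then keeps calling SSLHandshake or SSLWrite needs to know the session is unusable. Suggest stating it explicitly, e.g. `Setting a non-zero status marks the session as failed; subsequent handshake or I/O calls return that status.`, if that matches the implementation.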
diff -ruN /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/Security.h /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/Security.h
--- /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/Security.h	2017-02-24 01:36:08.000000000 -0500
+++ /Applications/Xcode9-beta1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS.sdk/System/Library/Frameworks/Security.framework/Headers/Security.h	2017-05-20 23:33:32.000000000 -0400
@@ -35,7 +35,7 @@
 #include <Security/SecImportExport.h>
 #include <Security/SecTrust.h>
 
-#if SEC_OS_IPHONE
+#if SEC_OS_IPHONE_INCLUDES
 #include <Security/SecSharedCredential.h>
 #endif
 
@@ -43,7 +43,7 @@
 #include <Security/AuthSession.h>
 #endif
 
-#if SEC_OS_OSX
+#if SEC_OS_OSX_INCLUDES
 /* CDSA */
 #include <Security/cssmconfig.h>
 #include <Security/cssmapple.h>