My Project
Functions
IoT-Safe Module

Functions

int wolfSSL_CTX_iotsafe_enable (WOLFSSL_CTX *ctx)
 This function enables the IoT-Safe support on the given context. More...
 
int wolfSSL_iotsafe_on (WOLFSSL *ssl, byte privkey_id, byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot)
 This function connects the IoT-Safe TLS callbacks to the given SSL session. More...
 
int wolfSSL_iotsafe_on_ex (WOLFSSL *ssl, byte *privkey_id, byte *ecdh_keypair_slot, byte *peer_pubkey_slot, byte *peer_cert_slot, word16 id_size)
 This function connects the IoT-Safe TLS callbacks to the given SSL session. This is equivalent to wolfSSL_iotsafe_on except that the IDs for the IoT-SAFE slots can be passed by reference, and the length of the ID fields can be specified via the parameter "id_size". More...
 
void wolfIoTSafe_SetCSIM_read_cb (wolfSSL_IOTSafe_CSIM_read_cb rf)
 Associates a read callback for the AT+CSIM commands. This input function is usually associated to a read event of a UART channel communicating with the modem. The read callback associated is global and changes for all the contexts that use IoT-safe support at the same time. More...
 
void wolfIoTSafe_SetCSIM_write_cb (wolfSSL_IOTSafe_CSIM_write_cb wf)
 Associates a write callback for the AT+CSIM commands. This output function is usually associated to a write event on a UART channel communicating with the modem. The write callback associated is global and changes for all the contexts that use IoT-safe support at the same time. More...
 
int wolfIoTSafe_GetRandom (unsigned char *out, word32 sz)
 Generate a random buffer of given size, using the IoT-Safe function GetRandom. This function is automatically used by the wolfCrypt RNG object. More...
 
int wolfIoTSafe_GetCert (uint8_t id, unsigned char *output, unsigned long sz)
 Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Works with one-byte file ID field. More...
 
int wolfIoTSafe_GetCert_ex (uint8_t *id, uint16_t id_sz, unsigned char *output, unsigned long sz)
 Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Equivalent to wolfIoTSafe_GetCert, except that it can be invoked with a file ID of two or more bytes. More...
 
int wc_iotsafe_ecc_import_public (ecc_key *key, byte key_id)
 Import an ECC 256-bit public key, stored in the IoT-Safe applet, into an ecc_key object. More...
 
int wc_iotsafe_ecc_export_public (ecc_key *key, byte key_id)
 Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet. More...
 
int wc_iotsafe_ecc_import_public_ex (ecc_key *key, byte *key_id, word16 id_size)
 Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_import_public, except that it can be invoked with a key ID of two or more bytes. More...
 
int wc_iotsafe_ecc_export_private (ecc_key *key, byte key_id)
 Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet. More...
 
int wc_iotsafe_ecc_export_private_ex (ecc_key *key, byte *key_id, word16 id_size)
 Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_export_private, except that it can be invoked with a key ID of two or more bytes. More...
 
int wc_iotsafe_ecc_sign_hash (byte *in, word32 inlen, byte *out, word32 *outlen, byte key_id)
 Sign a pre-computed 256-bit HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet. More...
 
int wc_iotsafe_ecc_sign_hash_ex (byte *in, word32 inlen, byte *out, word32 *outlen, byte *key_id, word16 id_size)
 Sign a pre-computed 256-bit HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_sign_hash, except that it can be invoked with a key ID of two or more bytes. More...
 
int wc_iotsafe_ecc_verify_hash (byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte key_id)
 Verify an ECC signature against a pre-computed 256-bit HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. More...
 
int wc_iotsafe_ecc_verify_hash_ex (byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte *key_id, word16 id_size)
 Verify an ECC signature against a pre-computed 256-bit HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. Equivalent to wc_iotsafe_ecc_verify_hash, except that it can be invoked with a key ID of two or more bytes. More...
 
int wc_iotsafe_ecc_gen_k (byte key_id)
 Generate an ECC 256-bit keypair and store it in a (writable) slot into the IoT-Safe applet. More...
 

Detailed Description

IoT-Safe (IoT-SIM Applet For Secure End-2-End Communication) is a technology that leverage the SIM as robust, scalable and standardized hardware Root of Trust to protect data communication.

IoT-Safe SSL sessions use the SIM as Hardware Security Module, offloading all the crypto public key operations and reducing the attack surface by restricting access to certificate and keys to the SIM.

IoT-Safe support can be enabled on an existing WOLFSSL_CTX contex, using wolfSSL_CTX_iotsafe_enable().
Session created within the context can set the parameters for IoT-Safe key and files usage, and enable the public keys callback, with wolfSSL_iotsafe_on().

If compiled in, the module supports IoT-Safe random number generator as source of entropy for wolfCrypt.

Function Documentation

◆ wc_iotsafe_ecc_export_private()

int wc_iotsafe_ecc_export_private ( ecc_key *  key,
byte  key_id 
)

Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet.

Parameters
keythe ecc_key object containing the key to be exported
idThe key id in the IoT-Safe applet where the private key will be stored
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_export_private_ex
wc_iotsafe_ecc_import_public
wc_iotsafe_ecc_export_public

◆ wc_iotsafe_ecc_export_private_ex()

int wc_iotsafe_ecc_export_private_ex ( ecc_key *  key,
byte *  key_id,
word16  id_size 
)

Export an ECC 256-bit key, from ecc_key object to a writable private-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_export_private, except that it can be invoked with a key ID of two or more bytes.

Parameters
keythe ecc_key object containing the key to be exported
idThe pointer to the key id in the IoT-Safe applet where the private key will be stored
id_sizeThe key id size
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_export_private
wc_iotsafe_ecc_import_public
wc_iotsafe_ecc_export_public

◆ wc_iotsafe_ecc_export_public()

int wc_iotsafe_ecc_export_public ( ecc_key *  key,
byte  key_id 
)

Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet.

Parameters
keythe ecc_key object containing the key to be exported
idThe key id in the IoT-Safe applet where the public key will be stored
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_import_public_ex
wc_iotsafe_ecc_export_private

◆ wc_iotsafe_ecc_gen_k()

int wc_iotsafe_ecc_gen_k ( byte  key_id)

Generate an ECC 256-bit keypair and store it in a (writable) slot into the IoT-Safe applet.

Generate an ECC 256-bit keypair and store it in a (writable) slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_gen_k, except that it can be invoked with a key ID of two or more bytes.

Parameters
key_idThe id of the slot where the ECC key pair is stored in the IoT-Safe applet.
Returns
0 upon success
< 0 in case of failure.
See also
wc_iotsafe_ecc_gen_k_ex
wc_iotsafe_ecc_sign_hash
wc_iotsafe_ecc_verify_hash
Parameters
key_idThe id of the slot where the ECC key pair is stored in the IoT-Safe applet.
id_sizeThe key id size
Returns
0 upon success
< 0 in case of failure.
See also
wc_iotsafe_ecc_gen_k
wc_iotsafe_ecc_sign_hash_ex
wc_iotsafe_ecc_verify_hash_ex

◆ wc_iotsafe_ecc_import_public()

int wc_iotsafe_ecc_import_public ( ecc_key *  key,
byte  key_id 
)

Import an ECC 256-bit public key, stored in the IoT-Safe applet, into an ecc_key object.

Parameters
keythe ecc_key object that will contain the key imported from the IoT-Safe applet
idThe key id in the IoT-Safe applet where the public key is stored
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_export_public
wc_iotsafe_ecc_export_private

◆ wc_iotsafe_ecc_import_public_ex()

int wc_iotsafe_ecc_import_public_ex ( ecc_key *  key,
byte *  key_id,
word16  id_size 
)

Export an ECC 256-bit public key, from ecc_key object to a writable public-key slot into the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_import_public, except that it can be invoked with a key ID of two or more bytes.

Parameters
keythe ecc_key object containing the key to be exported
idThe pointer to the key id in the IoT-Safe applet where the public key will be stored
id_sizeThe key id size
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_import_public
wc_iotsafe_ecc_export_private

◆ wc_iotsafe_ecc_sign_hash()

int wc_iotsafe_ecc_sign_hash ( byte *  in,
word32  inlen,
byte *  out,
word32 *  outlen,
byte  key_id 
)

Sign a pre-computed 256-bit HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet.

Parameters
inpointer to the buffer containing the message hash to sign
inlenlength of the message hash to sign
outbuffer in which to store the generated signature
outlenmax length of the output buffer. Will store the bytes
idkey id in the IoT-Safe applet for the slot containing the private key to sign the payload written to out upon successfully generating a message signature
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_sign_hash_ex
wc_iotsafe_ecc_verify_hash
wc_iotsafe_ecc_gen_k

◆ wc_iotsafe_ecc_sign_hash_ex()

int wc_iotsafe_ecc_sign_hash_ex ( byte *  in,
word32  inlen,
byte *  out,
word32 *  outlen,
byte *  key_id,
word16  id_size 
)

Sign a pre-computed 256-bit HASH, using a private key previously stored, or pre-provisioned, in the IoT-Safe applet. Equivalent to wc_iotsafe_ecc_sign_hash, except that it can be invoked with a key ID of two or more bytes.

Parameters
inpointer to the buffer containing the message hash to sign
inlenlength of the message hash to sign
outbuffer in which to store the generated signature
outlenmax length of the output buffer. Will store the bytes
idpointer to a key id in the IoT-Safe applet for the slot containing the private key to sign the payload written to out upon successfully generating a message signature
id_sizeThe key id size
Returns
0 upon success
< 0 in case of failure
See also
wc_iotsafe_ecc_sign_hash
wc_iotsafe_ecc_verify_hash
wc_iotsafe_ecc_gen_k

◆ wc_iotsafe_ecc_verify_hash()

int wc_iotsafe_ecc_verify_hash ( byte *  sig,
word32  siglen,
byte *  hash,
word32  hashlen,
int *  res,
byte  key_id 
)

Verify an ECC signature against a pre-computed 256-bit HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res.

Returns
0 upon success (even if the signature is not valid)
< 0 in case of failure.
Parameters
sigbuffer containing the signature to verify
hashThe hash (message digest) that was signed
hashlenThe length of the hash (octets)
resResult of signature, 1==valid, 0==invalid
key_idThe id of the slot where the public ECC key is stored in the IoT-Safe applet
See also
wc_iotsafe_ecc_verify_hash_ex
wc_iotsafe_ecc_sign_hash
wc_iotsafe_ecc_gen_k

◆ wc_iotsafe_ecc_verify_hash_ex()

int wc_iotsafe_ecc_verify_hash_ex ( byte *  sig,
word32  siglen,
byte *  hash,
word32  hashlen,
int *  res,
byte *  key_id,
word16  id_size 
)

Verify an ECC signature against a pre-computed 256-bit HASH, using a public key previously stored, or pre-provisioned, in the IoT-Safe applet. Result is written to res. 1 is valid, 0 is invalid. Note: Do not use the return value to test for valid. Only use res. Equivalent to wc_iotsafe_ecc_verify_hash, except that it can be invoked with a key ID of two or more bytes.

Returns
0 upon success (even if the signature is not valid)
< 0 in case of failure.
Parameters
sigbuffer containing the signature to verify
hashThe hash (message digest) that was signed
hashlenThe length of the hash (octets)
resResult of signature, 1==valid, 0==invalid
key_idThe id of the slot where the public ECC key is stored in the IoT-Safe applet
id_sizeThe key id size
See also
wc_iotsafe_ecc_verify_hash
wc_iotsafe_ecc_sign_hash
wc_iotsafe_ecc_gen_k

◆ wolfIoTSafe_GetCert()

int wolfIoTSafe_GetCert ( uint8_t  id,
unsigned char *  output,
unsigned long  sz 
)

Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Works with one-byte file ID field.

Parameters
idThe file id in the IoT-Safe applet where the certificate is stored
outputthe buffer where the certificate will be imported
szthe maximum size available in the buffer output
Returns
the length of the certificate imported
< 0 in case of failure

Example

#define CRT_CLIENT_FILE_ID 0x03
unsigned char cert_buffer[2048];
// Get the certificate into the buffer
cert_buffer_size = wolfIoTSafe_GetCert(CRT_CLIENT_FILE_ID, cert_buffer, 2048);
if (cert_buffer_size < 1) {
printf("Bad cli cert\n");
return -1;
}
printf("Loaded Client certificate from IoT-Safe, size = %lu\n", cert_buffer_size);
// Use the certificate buffer as identity for the TLS client context
if (wolfSSL_CTX_use_certificate_buffer(cli_ctx, cert_buffer,
cert_buffer_size, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("Cannot load client cert\n");
return -1;
}
printf("Client certificate successfully imported.\n");
int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX *ctx, const unsigned char *in, long sz, int format)
This function loads a certificate buffer into the WOLFSSL Context. It behaves like the non-buffered v...
int wolfIoTSafe_GetCert(uint8_t id, unsigned char *output, unsigned long sz)
Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory....

◆ wolfIoTSafe_GetCert_ex()

int wolfIoTSafe_GetCert_ex ( uint8_t *  id,
uint16_t  id_sz,
unsigned char *  output,
unsigned long  sz 
)

Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory. Equivalent to wolfIoTSafe_GetCert, except that it can be invoked with a file ID of two or more bytes.

Parameters
idPointer to the file id in the IoT-Safe applet where the certificate is stored
id_szSize of the file id in bytes
outputthe buffer where the certificate will be imported
szthe maximum size available in the buffer output
Returns
the length of the certificate imported
< 0 in case of failure

Example

#define CRT_CLIENT_FILE_ID 0x0302
#define ID_SIZE (sizeof(word16))
unsigned char cert_buffer[2048];
word16 client_file_id = CRT_CLIENT_FILE_ID;
// Get the certificate into the buffer
cert_buffer_size = wolfIoTSafe_GetCert_ex(&client_file_id, ID_SIZE, cert_buffer, 2048);
if (cert_buffer_size < 1) {
printf("Bad cli cert\n");
return -1;
}
printf("Loaded Client certificate from IoT-Safe, size = %lu\n", cert_buffer_size);
// Use the certificate buffer as identity for the TLS client context
if (wolfSSL_CTX_use_certificate_buffer(cli_ctx, cert_buffer,
cert_buffer_size, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
printf("Cannot load client cert\n");
return -1;
}
printf("Client certificate successfully imported.\n");
int wolfIoTSafe_GetCert_ex(uint8_t *id, uint16_t id_sz, unsigned char *output, unsigned long sz)
Import a certificate stored in a file on IoT-Safe applet, and store it locally in memory....

◆ wolfIoTSafe_GetRandom()

int wolfIoTSafe_GetRandom ( unsigned char *  out,
word32  sz 
)

Generate a random buffer of given size, using the IoT-Safe function GetRandom. This function is automatically used by the wolfCrypt RNG object.

Parameters
outthe buffer where the random sequence of bytes is stored.
szthe size of the random sequence to generate, in bytes
Returns
0 upon success

◆ wolfIoTSafe_SetCSIM_read_cb()

void wolfIoTSafe_SetCSIM_read_cb ( wolfSSL_IOTSafe_CSIM_read_cb  rf)

Associates a read callback for the AT+CSIM commands. This input function is usually associated to a read event of a UART channel communicating with the modem. The read callback associated is global and changes for all the contexts that use IoT-safe support at the same time.

Parameters
rfRead callback associated to a UART read event. The callback function takes two arguments (buf, len) and return the number of characters read, up to len. When a newline is encountered, the callback should return the number of characters received so far, including the newline character.

Example

// USART read function, defined elsewhere
int usart_read(char *buf, int len);
void wolfIoTSafe_SetCSIM_read_cb(wolfSSL_IOTSafe_CSIM_read_cb rf)
Associates a read callback for the AT+CSIM commands. This input function is usually associated to a r...
See also
wolfIoTSafe_SetCSIM_write_cb

◆ wolfIoTSafe_SetCSIM_write_cb()

void wolfIoTSafe_SetCSIM_write_cb ( wolfSSL_IOTSafe_CSIM_write_cb  wf)

Associates a write callback for the AT+CSIM commands. This output function is usually associated to a write event on a UART channel communicating with the modem. The write callback associated is global and changes for all the contexts that use IoT-safe support at the same time.

Parameters
rfWrite callback associated to a UART write event. The callback function takes two arguments (buf, len) and return the number of characters written, up to len.

Example

// USART write function, defined elsewhere
int usart_write(const char *buf, int len);
void wolfIoTSafe_SetCSIM_write_cb(wolfSSL_IOTSafe_CSIM_write_cb wf)
Associates a write callback for the AT+CSIM commands. This output function is usually associated to a...
See also
wolfIoTSafe_SetCSIM_read_cb

◆ wolfSSL_CTX_iotsafe_enable()

int wolfSSL_CTX_iotsafe_enable ( WOLFSSL_CTX *  ctx)

This function enables the IoT-Safe support on the given context.

Parameters
ctxpointer to the WOLFSSL_CTX object on which the IoT-safe support must be enabled
Returns
0 on success
WC_HW_E on hardware error

Example

WOLFSSL_CTX *ctx;
if (!ctx)
return NULL;
int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx)
This function enables the IoT-Safe support on the given context.
WOLFSSL_METHOD * wolfTLSv1_2_client_method(void)
The wolfTLSv1_2_client_method() function is used to indicate that the application is a client and wil...
WOLFSSL_CTX * wolfSSL_CTX_new(WOLFSSL_METHOD *)
This function creates a new SSL context, taking a desired SSL/TLS protocol method for input.
See also
wolfSSL_iotsafe_on
wolfIoTSafe_SetCSIM_read_cb
wolfIoTSafe_SetCSIM_write_cb

◆ wolfSSL_iotsafe_on()

int wolfSSL_iotsafe_on ( WOLFSSL *  ssl,
byte  privkey_id,
byte  ecdh_keypair_slot,
byte  peer_pubkey_slot,
byte  peer_cert_slot 
)

This function connects the IoT-Safe TLS callbacks to the given SSL session.

This should be called to connect a SSL session to IoT-Safe applet when the ID of the slots are one-byte long. If IoT-SAFE slots have an ID of two or more bytes, wolfSSL_iotsafe_on_ex() should be used instead.

Parameters
sslpointer to the WOLFSSL object where the callbacks will be enabled
privkey_idid of the iot-safe applet slot containing the private key for the host
ecdh_keypair_slotid of the iot-safe applet slot to store the ECDH keypair
peer_pubkey_slotid of the iot-safe applet slot to store the other endpoint's public key for ECDH
peer_cert_slotid of the iot-safe applet slot to store the other endpoint's public key for verification
Returns
0 upon success
NOT_COMPILED_IN if HAVE_PK_CALLBACKS is disabled
BAD_FUNC_ARG if the ssl pointer is invalid

Example

// Define key ids for IoT-Safe
#define PRIVKEY_ID 0x02
#define ECDH_KEYPAIR_ID 0x03
#define PEER_PUBKEY_ID 0x04
#define PEER_CERT_ID 0x05
// Create new ssl session
WOLFSSL *ssl;
ssl = wolfSSL_new(ctx);
if (!ssl)
return NULL;
// Enable IoT-Safe and associate key slots
if (ret == 0) {
ret = wolfSSL_iotsafe_on(ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_ID);
}
int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id, byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot)
This function connects the IoT-Safe TLS callbacks to the given SSL session.
WOLFSSL * wolfSSL_new(WOLFSSL_CTX *)
This function creates a new SSL session, taking an already created SSL context as input.
See also
wolfSSL_iotsafe_on_ex
wolfSSL_CTX_iotsafe_enable

◆ wolfSSL_iotsafe_on_ex()

int wolfSSL_iotsafe_on_ex ( WOLFSSL *  ssl,
byte *  privkey_id,
byte *  ecdh_keypair_slot,
byte *  peer_pubkey_slot,
byte *  peer_cert_slot,
word16  id_size 
)

This function connects the IoT-Safe TLS callbacks to the given SSL session. This is equivalent to wolfSSL_iotsafe_on except that the IDs for the IoT-SAFE slots can be passed by reference, and the length of the ID fields can be specified via the parameter "id_size".

Parameters
sslpointer to the WOLFSSL object where the callbacks will be enabled
privkey_idpointer to the id of the iot-safe applet slot containing the private key for the host
ecdh_keypair_slotpointer to the id of the iot-safe applet slot to store the ECDH keypair
peer_pubkey_slotpointer to the of id the iot-safe applet slot to store the other endpoint's public key for ECDH
peer_cert_slotpointer to the id of the iot-safe applet slot to store the other endpoint's public key for verification
id_sizesize of each slot ID
Returns
0 upon success
NOT_COMPILED_IN if HAVE_PK_CALLBACKS is disabled
BAD_FUNC_ARG if the ssl pointer is invalid

Example

// Define key ids for IoT-Safe (16 bit, little endian)
#define PRIVKEY_ID 0x0201
#define ECDH_KEYPAIR_ID 0x0301
#define PEER_PUBKEY_ID 0x0401
#define PEER_CERT_ID 0x0501
#define ID_SIZE (sizeof(word16))
word16 privkey = PRIVKEY_ID,
ecdh_keypair = ECDH_KEYPAIR_ID,
peer_pubkey = PEER_PUBKEY_ID,
peer_cert = PEER_CERT_ID;
// Create new ssl session
WOLFSSL *ssl;
ssl = wolfSSL_new(ctx);
if (!ssl)
return NULL;
// Enable IoT-Safe and associate key slots
if (ret == 0) {
ret = wolfSSL_CTX_iotsafe_on_ex(ssl, &privkey, &ecdh_keypair, &peer_pubkey, &peer_cert, ID_SIZE);
}
See also
wolfSSL_iotsafe_on
wolfSSL_CTX_iotsafe_enable