55#define MIN_GNUTLS_VERSION "3.3.0"
60#include <gnutls/gnutls.h>
61#include <gnutls/x509.h>
62#include <gnutls/dtls.h>
63#include <gnutls/pkcs11.h>
64#include <gnutls/crypto.h>
65#include <gnutls/abstract.h>
67#if (GNUTLS_VERSION_NUMBER >= 0x030606)
68#define COAP_GNUTLS_KEY_RPK GNUTLS_KEY_DIGITAL_SIGNATURE | \
69 GNUTLS_KEY_NON_REPUDIATION | \
70 GNUTLS_KEY_KEY_ENCIPHERMENT | \
71 GNUTLS_KEY_DATA_ENCIPHERMENT | \
72 GNUTLS_KEY_KEY_AGREEMENT | \
73 GNUTLS_KEY_KEY_CERT_SIGN
77#define GNUTLS_CRT_RAW GNUTLS_CRT_RAWPK
81#define strcasecmp _stricmp
84typedef struct coap_ssl_t {
88 gnutls_datum_t cookie_key;
96typedef struct coap_gnutls_env_t {
97 gnutls_session_t g_session;
98 gnutls_psk_client_credentials_t psk_cl_credentials;
99 gnutls_psk_server_credentials_t psk_sv_credentials;
100 gnutls_certificate_credentials_t pki_credentials;
101 coap_ssl_t coap_ssl_data;
104 int doing_dtls_timeout;
109#define IS_PSK (1 << 0)
110#define IS_PKI (1 << 1)
111#define IS_CLIENT (1 << 6)
112#define IS_SERVER (1 << 7)
114typedef struct pki_sni_entry {
117 gnutls_certificate_credentials_t pki_credentials;
120typedef struct psk_sni_entry {
123 gnutls_psk_server_credentials_t psk_credentials;
126typedef struct coap_gnutls_context_t {
129 size_t pki_sni_count;
130 pki_sni_entry *pki_sni_entry_list;
131 size_t psk_sni_count;
132 psk_sni_entry *psk_sni_entry_list;
133 gnutls_datum_t alpn_proto;
136 gnutls_priority_t priority_cache;
137} coap_gnutls_context_t;
139typedef enum coap_free_bye_t {
140 COAP_FREE_BYE_AS_TCP,
141 COAP_FREE_BYE_AS_UDP,
145#define VARIANTS_3_6_6 "NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL:+SHA256"
146#define VARIANTS_3_5_5 "NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8"
147#define VARIANTS_BASE "NORMAL:+ECDHE-PSK:+PSK"
149#define VARIANTS_NO_TLS13_3_6_6 VARIANTS_3_6_6 ":-VERS-TLS1.3"
150#define VARIANTS_NO_TLS13_3_6_4 VARIANTS_3_5_5 ":-VERS-TLS1.3"
152#define G_ACTION(xx) do { \
154} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
156#define G_CHECK(xx,func) do { \
157 if ((ret = (xx)) < 0) { \
158 coap_log(LOG_WARNING, "%s: '%s'\n", func, gnutls_strerror(ret)); \
163#define G_ACTION_CHECK(xx,func) do { \
170#if COAP_SERVER_SUPPORT
171static int post_client_hello_gnutls_pki(gnutls_session_t g_session);
172static int post_client_hello_gnutls_psk(gnutls_session_t g_session);
173static int psk_server_callback(gnutls_session_t g_session,
174 const char *identity,
175 gnutls_datum_t *key);
184 if (gnutls_check_version(MIN_GNUTLS_VERSION) == NULL) {
185 coap_log(
LOG_ERR,
"GnuTLS " MIN_GNUTLS_VERSION
" or later is required\n");
198 if (gnutls_check_version(MIN_GNUTLS_VERSION) == NULL) {
199 coap_log(
LOG_ERR,
"GnuTLS " MIN_GNUTLS_VERSION
" or later is required\n");
211 const char *vers = gnutls_check_version(NULL);
217 sscanf (vers,
"%d.%d.%d", &p1, &p2, &p3);
218 version.
version = (p1 << 16) | (p2 << 8) | p3;
226coap_gnutls_audit_log_func(gnutls_session_t g_session,
const char* text)
239coap_gnutls_log_func(
int level,
const char* text)
256 coap_gnutls_context_t *g_context =
259 if (!g_context || !setup_data)
262 g_context->setup_data = *setup_data;
263 if (!g_context->setup_data.verify_peer_cert) {
265 g_context->setup_data.check_common_ca = 0;
266 if (g_context->setup_data.is_rpk_not_cert) {
268 g_context->setup_data.allow_self_signed = 0;
269 g_context->setup_data.allow_expired_certs = 0;
270 g_context->setup_data.cert_chain_validation = 0;
271 g_context->setup_data.cert_chain_verify_depth = 0;
272 g_context->setup_data.check_cert_revocation = 0;
273 g_context->setup_data.allow_no_crl = 0;
274 g_context->setup_data.allow_expired_crl = 0;
275 g_context->setup_data.allow_bad_md_hash = 0;
276 g_context->setup_data.allow_short_rsa_length = 0;
280 g_context->setup_data.allow_self_signed = 1;
281 g_context->setup_data.allow_expired_certs = 1;
282 g_context->setup_data.cert_chain_validation = 1;
283 g_context->setup_data.cert_chain_verify_depth = 10;
284 g_context->setup_data.check_cert_revocation = 1;
285 g_context->setup_data.allow_no_crl = 1;
286 g_context->setup_data.allow_expired_crl = 1;
287 g_context->setup_data.allow_bad_md_hash = 1;
288 g_context->setup_data.allow_short_rsa_length = 1;
291 g_context->psk_pki_enabled |= IS_PKI;
304 coap_gnutls_context_t *g_context =
308 "coap_context_set_pki_root_cas: (D)TLS environment "
313 if (ca_file == NULL && ca_path == NULL) {
315 "coap_context_set_pki_root_cas: ca_file and/or ca_path "
319 if (g_context->root_ca_file) {
320 gnutls_free(g_context->root_ca_file);
321 g_context->root_ca_file = NULL;
324 g_context->root_ca_file = gnutls_strdup(ca_file);
326 if (g_context->root_ca_path) {
327 gnutls_free(g_context->root_ca_path);
328 g_context->root_ca_path = NULL;
331#if (GNUTLS_VERSION_NUMBER >= 0x030306)
332 g_context->root_ca_path = gnutls_strdup(ca_path);
340#if COAP_SERVER_SUPPORT
349 coap_gnutls_context_t *g_context =
352 if (!g_context || !setup_data)
355 g_context->psk_pki_enabled |= IS_PSK;
360#if COAP_CLIENT_SUPPORT
369 coap_gnutls_context_t *g_context =
372 if (!g_context || !setup_data)
375 g_context->psk_pki_enabled |= IS_PSK;
387 coap_gnutls_context_t *g_context =
389 return g_context->psk_pki_enabled ? 1 : 0;
393 gnutls_global_set_audit_log_function(coap_gnutls_audit_log_func);
394 gnutls_global_set_log_function(coap_gnutls_log_func);
405 if (c_session && c_session->
tls) {
406 const coap_gnutls_env_t *g_env = (
const coap_gnutls_env_t *)c_session->
tls;
408 return g_env->g_session;
418 gnutls_global_set_log_level(2 + level -
LOG_DEBUG);
421 gnutls_global_set_log_level(0);
441 coap_gnutls_context_t *g_context =
442 (coap_gnutls_context_t *)
443 gnutls_malloc(
sizeof(coap_gnutls_context_t));
447 const char *priority;
449 G_CHECK(gnutls_global_init(),
"gnutls_global_init");
450 memset(g_context, 0,
sizeof(coap_gnutls_context_t));
451 g_context->alpn_proto.data = gnutls_malloc(4);
452 if (g_context->alpn_proto.data) {
453 memcpy(g_context->alpn_proto.data,
"coap", 4);
454 g_context->alpn_proto.size = 4;
457 if (tls_version->
version >= 0x030606) {
458 priority = VARIANTS_3_6_6;
460 else if (tls_version->
version >= 0x030505) {
461 priority = VARIANTS_3_5_5;
464 priority = VARIANTS_BASE;
466 ret = gnutls_priority_init(&g_context->priority_cache, priority, &err);
467 if (ret != GNUTLS_E_SUCCESS) {
468 if (ret == GNUTLS_E_INVALID_REQUEST)
470 "gnutls_priority_init: Syntax error at: %s\n", err);
473 "gnutls_priority_init: %s\n", gnutls_strerror(ret));
488 coap_gnutls_context_t *g_context = (coap_gnutls_context_t *)handle;
490 gnutls_free(g_context->alpn_proto.data);
491 gnutls_free(g_context->root_ca_file);
492 gnutls_free(g_context->root_ca_path);
493 for (i = 0; i < g_context->pki_sni_count; i++) {
494 gnutls_free(g_context->pki_sni_entry_list[i].sni);
495 gnutls_certificate_free_credentials(
496 g_context->pki_sni_entry_list[i].pki_credentials);
498 if (g_context->pki_sni_entry_list)
499 gnutls_free(g_context->pki_sni_entry_list);
501 for (i = 0; i < g_context->psk_sni_count; i++) {
502 gnutls_free(g_context->psk_sni_entry_list[i].sni);
504 gnutls_psk_free_server_credentials(
505 g_context->psk_sni_entry_list[i].psk_credentials);
507 if (g_context->psk_sni_entry_list)
508 gnutls_free(g_context->psk_sni_entry_list);
510 gnutls_priority_deinit(g_context->priority_cache);
512 gnutls_global_deinit();
513 gnutls_free(g_context);
516#if COAP_CLIENT_SUPPORT
525psk_client_callback(gnutls_session_t g_session,
526 char **username, gnutls_datum_t *key) {
529 coap_gnutls_context_t *g_context;
531 const char *hint = gnutls_psk_client_get_hint(g_session);
541 if (c_session == NULL)
545 if (g_context == NULL)
550 temp.
s = hint ? (
const uint8_t*)hint : (
const uint8_t*)
"";
551 temp.
length = strlen((
const char*)temp.
s);
555 (
const char *)temp.
s);
567 if (cpsk_info == NULL)
572 psk_identity = &cpsk_info->
identity;
573 psk_key = &cpsk_info->
key;
580 if (psk_identity == NULL || psk_key == NULL) {
585 *username = gnutls_malloc(psk_identity->
length+1);
586 if (*username == NULL)
588 memcpy(*username, psk_identity->
s, psk_identity->
length);
589 (*username)[psk_identity->
length] =
'\000';
591 key->data = gnutls_malloc(psk_key->
length);
592 if (key->data == NULL) {
593 gnutls_free(*username);
597 memcpy(key->data, psk_key->
s, psk_key->
length);
598 key->size = psk_key->
length;
604 gnutls_certificate_type_t certificate_type;
606 const gnutls_datum_t *cert_list;
607 unsigned int cert_list_size;
609} coap_gnutls_certificate_info_t;
615static gnutls_certificate_type_t get_san_or_cn(gnutls_session_t g_session,
616 coap_gnutls_certificate_info_t *cert_info)
618 gnutls_x509_crt_t cert;
625#if (GNUTLS_VERSION_NUMBER >= 0x030606)
626 cert_info->certificate_type = gnutls_certificate_type_get2(g_session,
629 cert_info->certificate_type = gnutls_certificate_type_get(g_session);
632 cert_info->san_or_cn = NULL;
634 cert_info->cert_list = gnutls_certificate_get_peers(g_session,
635 &cert_info->cert_list_size);
636 if (cert_info->cert_list_size == 0) {
637 return GNUTLS_CRT_UNKNOWN;
640 if (cert_info->certificate_type != GNUTLS_CRT_X509)
641 return cert_info->certificate_type;
643 G_CHECK(gnutls_x509_crt_init(&cert),
"gnutls_x509_crt_init");
646 G_CHECK(gnutls_x509_crt_import(cert, &cert_info->cert_list[0],
647 GNUTLS_X509_FMT_DER),
"gnutls_x509_crt_import");
649 cert_info->self_signed = gnutls_x509_crt_check_issuer(cert, cert);
651 size =
sizeof(dn) -1;
653 ret = gnutls_x509_crt_get_subject_alt_name(cert, 0, dn, &size, NULL);
656 gnutls_x509_crt_deinit(cert);
657 cert_info->san_or_cn = gnutls_strdup(dn);
658 return cert_info->certificate_type;
662 G_CHECK(gnutls_x509_crt_get_dn(cert, dn, &size),
"gnutls_x509_crt_get_dn");
664 gnutls_x509_crt_deinit(cert);
670 if (((cn[0] ==
'C') || (cn[0] ==
'c')) &&
671 ((cn[1] ==
'N') || (cn[1] ==
'n')) &&
680 char *ecn = strchr(cn,
',');
684 cert_info->san_or_cn = gnutls_strdup(cn);
685 return cert_info->certificate_type;
687 return GNUTLS_CRT_UNKNOWN;
690 return GNUTLS_CRT_UNKNOWN;
693#if (GNUTLS_VERSION_NUMBER >= 0x030606)
694#define OUTPUT_CERT_NAME (cert_type == GNUTLS_CRT_X509 ? \
695 cert_info.san_or_cn : \
696 cert_type == GNUTLS_CRT_RAW ? \
697 COAP_DTLS_RPK_CERT_CN : "?")
699#define OUTPUT_CERT_NAME (cert_type == GNUTLS_CRT_X509 ? \
700 cert_info.san_or_cn : "?")
703#if (GNUTLS_VERSION_NUMBER >= 0x030606)
705check_rpk_cert(coap_gnutls_context_t *g_context,
706 coap_gnutls_certificate_info_t *cert_info,
710 if (g_context->setup_data.validate_cn_call_back) {
711 gnutls_pcert_st pcert;
715 G_CHECK(gnutls_pcert_import_rawpk_raw(&pcert, &cert_info->cert_list[0],
716 GNUTLS_X509_FMT_DER, 0, 0),
717 "gnutls_pcert_import_rawpk_raw");
720 G_CHECK(gnutls_pubkey_export(pcert.pubkey, GNUTLS_X509_FMT_DER, der, &size),
721 "gnutls_pubkey_export");
722 gnutls_pcert_deinit(&pcert);
729 g_context->setup_data.cn_call_back_arg)) {
743static int cert_verify_gnutls(gnutls_session_t g_session)
745 unsigned int status = 0;
746 unsigned int fail = 0;
749 coap_gnutls_context_t *g_context =
751 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
752 int alert = GNUTLS_A_BAD_CERTIFICATE;
754 coap_gnutls_certificate_info_t cert_info;
755 gnutls_certificate_type_t cert_type;
757 memset(&cert_info, 0,
sizeof(cert_info));
758 cert_type = get_san_or_cn(g_session, &cert_info);
759#if (GNUTLS_VERSION_NUMBER >= 0x030606)
760 if (cert_type == GNUTLS_CRT_RAW) {
761 if (!check_rpk_cert(g_context, &cert_info, c_session)) {
762 alert = GNUTLS_A_ACCESS_DENIED;
769 if (cert_info.cert_list_size == 0 && !g_context->setup_data.verify_peer_cert)
772 G_CHECK(gnutls_certificate_verify_peers(g_session, NULL, 0, &status),
773 "gnutls_certificate_verify_peers");
776 status &= ~(GNUTLS_CERT_INVALID);
777 if (status & (GNUTLS_CERT_NOT_ACTIVATED|GNUTLS_CERT_EXPIRED)) {
778 status &= ~(GNUTLS_CERT_NOT_ACTIVATED|GNUTLS_CERT_EXPIRED);
779 if (g_context->setup_data.allow_expired_certs) {
781 " %s: %s: overridden: '%s'\n",
783 "The certificate has an invalid usage date",
791 "The certificate has an invalid usage date",
795 if (status & (GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED|
796 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)) {
797 status &= ~(GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED|
798 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE);
799 if (g_context->setup_data.allow_expired_crl) {
801 " %s: %s: overridden: '%s'\n",
803 "The certificate's CRL entry has an invalid usage date",
811 "The certificate's CRL entry has an invalid usage date",
815 if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND)) {
816 status &= ~(GNUTLS_CERT_SIGNER_NOT_FOUND);
817 if (cert_info.self_signed) {
818 if (g_context->setup_data.allow_self_signed &&
819 !g_context->setup_data.check_common_ca) {
821 " %s: %s: overridden: '%s'\n",
828 alert = GNUTLS_A_UNKNOWN_CA;
837 if (!g_context->setup_data.verify_peer_cert) {
839 " %s: %s: overridden: '%s'\n",
841 "The peer certificate's CA is unknown",
846 alert = GNUTLS_A_UNKNOWN_CA;
850 "The peer certificate's CA is unknown",
859 " %s: gnutls_certificate_verify_peers() status 0x%x: '%s'\n",
861 status, OUTPUT_CERT_NAME);
868 if (g_context->setup_data.validate_cn_call_back) {
869 gnutls_x509_crt_t cert;
874 const int cert_is_trusted = !status;
876 G_CHECK(gnutls_x509_crt_init(&cert),
"gnutls_x509_crt_init");
879 G_CHECK(gnutls_x509_crt_import(cert, &cert_info.cert_list[0],
880 GNUTLS_X509_FMT_DER),
"gnutls_x509_crt_import");
883 G_CHECK(gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, &size),
884 "gnutls_x509_crt_export");
885 gnutls_x509_crt_deinit(cert);
886 if (!g_context->setup_data.validate_cn_call_back(OUTPUT_CERT_NAME,
892 g_context->setup_data.cn_call_back_arg)) {
893 alert = GNUTLS_A_ACCESS_DENIED;
898 if (g_context->setup_data.additional_tls_setup_call_back) {
900 if (!g_context->setup_data.additional_tls_setup_call_back(g_session,
901 &g_context->setup_data)) {
907 if (cert_info.san_or_cn)
908 gnutls_free(cert_info.san_or_cn);
913 if (cert_info.san_or_cn)
914 gnutls_free(cert_info.san_or_cn);
916 if (!g_env->sent_alert) {
917 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL, alert));
918 g_env->sent_alert = 1;
931static int cert_verify_callback_gnutls(gnutls_session_t g_session)
933 if (gnutls_auth_get_type(g_session) == GNUTLS_CRD_CERTIFICATE) {
934 if (cert_verify_gnutls(g_session) == 0) {
942#define min(a,b) ((a) < (b) ? (a) : (b))
946pin_callback(
void *user_data,
int attempt,
964#if (GNUTLS_VERSION_NUMBER >= 0x030606)
966static const unsigned char cert_asn1_header1[] = {
970 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
975 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
977static const unsigned char cert_asn1_header2[] = {
982static gnutls_datum_t *
983get_asn1_spki(
const uint8_t *data,
size_t size)
987 gnutls_datum_t *spki = NULL;
989 if (pub_key && prime) {
990 size_t header_size =
sizeof(cert_asn1_header1) +
993 sizeof(cert_asn1_header2);
994 uint8_t *tmp = gnutls_malloc(
sizeof(gnutls_datum_t) +
999 spki = (gnutls_datum_t *)tmp;
1000 spki->data = &tmp[
sizeof(gnutls_datum_t)];
1001 memcpy(&spki->data[header_size], pub_key->
s, pub_key->
length);
1002 memcpy(spki->data, cert_asn1_header1,
sizeof(cert_asn1_header1));
1004 spki->data[
sizeof(cert_asn1_header1)+1] = prime->
length;
1005 memcpy(&spki->data[
sizeof(cert_asn1_header1)+2],
1007 memcpy(&spki->data[
sizeof(cert_asn1_header1)+2+prime->
length],
1008 cert_asn1_header2,
sizeof(cert_asn1_header2));
1009 spki->size = header_size + pub_key->
length;
1023setup_pki_credentials(gnutls_certificate_credentials_t *pki_credentials,
1024 gnutls_session_t g_session,
1025 coap_gnutls_context_t *g_context,
1030 G_CHECK(gnutls_certificate_allocate_credentials(pki_credentials),
1031 "gnutls_certificate_allocate_credentials");
1041 "RPK keys cannot be in COAP_PKI_KEY_PEM format\n");
1042 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1045 G_CHECK(gnutls_certificate_set_x509_key_file(*pki_credentials,
1048 GNUTLS_X509_FMT_PEM),
1049 "gnutls_certificate_set_x509_key_file");
1054 "***setup_pki: (D)TLS: No %s Certificate + Private "
1057 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1061 ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1063 GNUTLS_X509_FMT_PEM);
1066 "gnutls_certificate_set_x509_trust_file: No certificates found\n");
1070 "gnutls_certificate_set_x509_trust_file",
1071 gnutls_strerror(ret));
1082 gnutls_datum_t cert;
1084 int alloced_cert_memory = 0;
1085 int alloced_key_memory = 0;
1090 alloced_cert_memory = 1;
1091 cert.data = gnutls_malloc(cert.size + 1);
1094 return GNUTLS_E_MEMORY_ERROR;
1098 cert.data[cert.size] =
'\000';
1109 alloced_key_memory = 1;
1110 key.data = gnutls_malloc(key.size + 1);
1113 if (alloced_cert_memory) gnutls_free(cert.data);
1114 return GNUTLS_E_MEMORY_ERROR;
1117 key.data[key.size] =
'\000';
1126#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1127 int have_done_key = 0;
1128 if (strstr ((
char*)key.data,
"-----BEGIN EC PRIVATE KEY-----")) {
1129 gnutls_datum_t der_private;
1131 if (gnutls_pem_base64_decode2(
"EC PRIVATE KEY", &key,
1132 &der_private) == 0) {
1133 gnutls_datum_t *spki = get_asn1_spki(der_private.data,
1137 ret = gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1140 GNUTLS_X509_FMT_DER, NULL,
1141 COAP_GNUTLS_KEY_RPK,
1148 gnutls_free(der_private.data);
1151 if (!have_done_key) {
1152 G_CHECK(gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1155 GNUTLS_X509_FMT_PEM, NULL,
1156 COAP_GNUTLS_KEY_RPK,
1158 "gnutls_certificate_set_rawpk_key_mem");
1162 "RPK Support not available (needs gnutls 3.6.6 or later)\n");
1163 if (alloced_cert_memory) gnutls_free(cert.data);
1164 if (alloced_key_memory) gnutls_free(key.data);
1165 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1169 G_CHECK(gnutls_certificate_set_x509_key_mem(*pki_credentials,
1172 GNUTLS_X509_FMT_PEM),
1173 "gnutls_certificate_set_x509_key_mem");
1175 if (alloced_cert_memory) gnutls_free(cert.data);
1176 if (alloced_key_memory) gnutls_free(key.data);
1180 "***setup_pki: (D)TLS: No Server Certificate + Private "
1182 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1187 int alloced_ca_memory = 0;
1192 alloced_ca_memory = 1;
1193 ca.data = gnutls_malloc(ca.size + 1);
1196 return GNUTLS_E_MEMORY_ERROR;
1199 ca.data[ca.size] =
'\000';
1207 ret = gnutls_certificate_set_x509_trust_mem(*pki_credentials,
1209 GNUTLS_X509_FMT_PEM);
1212 "gnutls_certificate_set_x509_trust_mem: No certificates found\n");
1216 "gnutls_certificate_set_x509_trust_mem",
1217 gnutls_strerror(ret));
1218 if (alloced_ca_memory) gnutls_free(ca.data);
1221 if (alloced_ca_memory) gnutls_free(ca.data);
1230 gnutls_datum_t cert;
1241#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1242 int have_done_key = 0;
1245 gnutls_datum_t *spki = get_asn1_spki(key.data,
1249 ret = gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1252 GNUTLS_X509_FMT_DER, NULL,
1253 COAP_GNUTLS_KEY_RPK,
1261 if (!have_done_key) {
1262 G_CHECK(gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1265 GNUTLS_X509_FMT_DER, NULL,
1266 COAP_GNUTLS_KEY_RPK,
1268 "gnutls_certificate_set_rawpk_key_mem");
1272 "RPK Support not available (needs gnutls 3.6.6 or later)\n");
1273 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1277 G_CHECK(gnutls_certificate_set_x509_key_mem(*pki_credentials,
1280 GNUTLS_X509_FMT_DER),
1281 "gnutls_certificate_set_x509_key_mem");
1286 "***setup_pki: (D)TLS: No %s Certificate + Private "
1289 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1293 gnutls_datum_t ca_cert;
1297 sizeof(ca_cert.data));
1299 ret = gnutls_certificate_set_x509_trust_mem(*pki_credentials,
1301 GNUTLS_X509_FMT_DER);
1304 "gnutls_certificate_set_x509_trust_mem: No certificates found\n");
1308 "gnutls_certificate_set_x509_trust_mem",
1309 gnutls_strerror(ret));
1321 gnutls_pkcs11_set_pin_function(pin_callback, setup_data);
1323#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1324 G_CHECK(gnutls_certificate_set_rawpk_key_file(*pki_credentials,
1327 GNUTLS_X509_FMT_PEM, NULL,
1328 COAP_GNUTLS_KEY_RPK,
1329 NULL, 0, GNUTLS_PKCS_PLAIN, 0),
1330 "gnutls_certificate_set_rawpk_key_file");
1333 "RPK Support not available (needs gnutls 3.6.6 or later)\n");
1334 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1338 G_CHECK(gnutls_certificate_set_x509_key_file(*pki_credentials,
1341 GNUTLS_X509_FMT_DER),
1342 "gnutls_certificate_set_x509_key_file");
1347 "***setup_pki: (D)TLS: No %s Certificate + Private "
1350 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1354 ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1356 GNUTLS_X509_FMT_DER);
1359 "gnutls_certificate_set_x509_trust_file: No certificates found\n");
1363 "gnutls_certificate_set_x509_trust_file",
1364 gnutls_strerror(ret));
1372 "***setup_pki: (D)TLS: Unknown key type %d\n",
1374 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1377 if (g_context->root_ca_file) {
1378 ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1379 g_context->root_ca_file,
1380 GNUTLS_X509_FMT_PEM);
1383 "gnutls_certificate_set_x509_trust_file: Root CA: No certificates found\n");
1386 if (g_context->root_ca_path) {
1387#if (GNUTLS_VERSION_NUMBER >= 0x030306)
1388 G_CHECK(gnutls_certificate_set_x509_trust_dir(*pki_credentials,
1389 g_context->root_ca_path,
1390 GNUTLS_X509_FMT_PEM),
1391 "gnutls_certificate_set_x509_trust_dir");
1394 gnutls_certificate_send_x509_rdn_sequence(g_session,
1396 if (!(g_context->psk_pki_enabled & IS_PKI)) {
1398 G_CHECK(gnutls_certificate_set_x509_system_trust(*pki_credentials),
1399 "gnutls_certificate_set_x509_system_trust");
1403 gnutls_certificate_set_verify_function(*pki_credentials,
1404 cert_verify_callback_gnutls);
1408 gnutls_certificate_set_verify_limits(*pki_credentials,
1417 gnutls_certificate_set_verify_flags(*pki_credentials,
1419 GNUTLS_VERIFY_DISABLE_CRL_CHECKS : 0)
1422 return GNUTLS_E_SUCCESS;
1428#if COAP_SERVER_SUPPORT
1434setup_psk_credentials(gnutls_psk_server_credentials_t *psk_credentials,
1441 G_CHECK(gnutls_psk_allocate_server_credentials(psk_credentials),
1442 "gnutls_psk_allocate_server_credentials");
1443 gnutls_psk_set_server_credentials_function(*psk_credentials,
1444 psk_server_callback);
1448 G_CHECK(gnutls_psk_set_server_credentials_hint(*psk_credentials, hint),
1449 "gnutls_psk_set_server_credentials_hint");
1452 return GNUTLS_E_SUCCESS;
1463post_client_hello_gnutls_psk(gnutls_session_t g_session)
1467 coap_gnutls_context_t *g_context =
1469 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
1470 int ret = GNUTLS_E_SUCCESS;
1480 name = gnutls_malloc(len);
1482 return GNUTLS_E_MEMORY_ERROR;
1485 ret = gnutls_server_name_get(g_session, name, &len, &type, i);
1486 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
1488 new_name = gnutls_realloc(name, len);
1489 if (new_name == NULL) {
1490 ret = GNUTLS_E_MEMORY_ERROR;
1498 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1501 if (ret != GNUTLS_E_SUCCESS)
1504 if (type != GNUTLS_NAME_DNS)
1515 for (i = 0; i < g_context->psk_sni_count; i++) {
1516 if (strcasecmp(name, g_context->psk_sni_entry_list[i].sni) == 0) {
1520 if (i == g_context->psk_sni_count) {
1529 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1530 GNUTLS_A_UNRECOGNIZED_NAME));
1531 g_env->sent_alert = 1;
1532 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
1536 g_context->psk_sni_entry_list =
1537 gnutls_realloc(g_context->psk_sni_entry_list,
1538 (i+1)*
sizeof(psk_sni_entry));
1539 g_context->psk_sni_entry_list[i].sni = gnutls_strdup(name);
1540 g_context->psk_sni_entry_list[i].psk_info = *new_entry;
1542 sni_setup_data.
psk_info = *new_entry;
1543 if ((ret = setup_psk_credentials(
1544 &g_context->psk_sni_entry_list[i].psk_credentials,
1546 &sni_setup_data)) < 0) {
1548 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1549 GNUTLS_A_BAD_CERTIFICATE));
1550 g_env->sent_alert = 1;
1554 g_context->psk_sni_count++;
1556 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_PSK,
1557 g_context->psk_sni_entry_list[i].psk_credentials),
1558 "gnutls_credentials_set");
1560 &g_context->psk_sni_entry_list[i].psk_info.hint);
1562 &g_context->psk_sni_entry_list[i].psk_info.key);
1578post_client_hello_gnutls_pki(gnutls_session_t g_session)
1582 coap_gnutls_context_t *g_context =
1584 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
1585 int ret = GNUTLS_E_SUCCESS;
1588 if (g_context->setup_data.validate_sni_call_back) {
1595 name = gnutls_malloc(len);
1597 return GNUTLS_E_MEMORY_ERROR;
1600 ret = gnutls_server_name_get(g_session, name, &len, &type, i);
1601 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
1603 new_name = gnutls_realloc(name, len);
1604 if (new_name == NULL) {
1605 ret = GNUTLS_E_MEMORY_ERROR;
1613 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1616 if (ret != GNUTLS_E_SUCCESS)
1619 if (type != GNUTLS_NAME_DNS)
1630 for (i = 0; i < g_context->pki_sni_count; i++) {
1631 if (strcasecmp(name, g_context->pki_sni_entry_list[i].sni) == 0) {
1635 if (i == g_context->pki_sni_count) {
1640 g_context->setup_data.validate_sni_call_back(name,
1641 g_context->setup_data.sni_call_back_arg);
1643 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1644 GNUTLS_A_UNRECOGNIZED_NAME));
1645 g_env->sent_alert = 1;
1646 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
1650 g_context->pki_sni_entry_list = gnutls_realloc(
1651 g_context->pki_sni_entry_list,
1652 (i+1)*
sizeof(pki_sni_entry));
1653 g_context->pki_sni_entry_list[i].sni = gnutls_strdup(name);
1654 g_context->pki_sni_entry_list[i].pki_key = *new_entry;
1655 sni_setup_data = g_context->setup_data;
1656 sni_setup_data.
pki_key = *new_entry;
1657 if ((ret = setup_pki_credentials(
1658 &g_context->pki_sni_entry_list[i].pki_credentials,
1663 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1664 GNUTLS_A_BAD_CERTIFICATE));
1665 g_env->sent_alert = 1;
1669 g_context->pki_sni_count++;
1671 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
1672 g_context->pki_sni_entry_list[i].pki_credentials),
1673 "gnutls_credentials_set");
1685#if COAP_CLIENT_SUPPORT
1691setup_client_ssl_session(
coap_session_t *c_session, coap_gnutls_env_t *g_env)
1693 coap_gnutls_context_t *g_context =
1697 g_context->psk_pki_enabled |= IS_CLIENT;
1698 if (g_context->psk_pki_enabled & IS_PSK) {
1700 G_CHECK(gnutls_psk_allocate_client_credentials(&g_env->psk_cl_credentials),
1701 "gnutls_psk_allocate_client_credentials");
1702 gnutls_psk_set_client_credentials_function(g_env->psk_cl_credentials,
1703 psk_client_callback);
1704 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_PSK,
1705 g_env->psk_cl_credentials),
1706 "gnutls_credentials_set");
1709 G_CHECK(gnutls_server_name_set(g_env->g_session, GNUTLS_NAME_DNS,
1712 "gnutls_server_name_set");
1718 if (tls_version->
version >= 0x030604) {
1720 const char *priority;
1722 if (tls_version->
version >= 0x030606) {
1723 priority = VARIANTS_NO_TLS13_3_6_6;
1726 priority = VARIANTS_NO_TLS13_3_6_4;
1728 ret = gnutls_priority_set_direct(g_env->g_session,
1731 if (ret == GNUTLS_E_INVALID_REQUEST)
1733 "gnutls_priority_set_direct: Syntax error at: %s\n", err);
1736 "gnutls_priority_set_direct: %s\n", gnutls_strerror(ret));
1743 if ((g_context->psk_pki_enabled & IS_PKI) ||
1744 (g_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
1750 G_CHECK(setup_pki_credentials(&g_env->pki_credentials, g_env->g_session,
1751 g_context, setup_data,
1753 "setup_pki_credentials");
1755 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
1756 g_env->pki_credentials),
1757 "gnutls_credentials_set");
1760 G_CHECK(gnutls_alpn_set_protocols(g_env->g_session,
1761 &g_context->alpn_proto, 1, 0),
1762 "gnutls_alpn_set_protocols");
1766 G_CHECK(gnutls_server_name_set(g_env->g_session, GNUTLS_NAME_DNS,
1769 "gnutls_server_name_set");
1772 return GNUTLS_E_SUCCESS;
1779#if COAP_SERVER_SUPPORT
1788psk_server_callback(gnutls_session_t g_session,
1789 const char *identity,
1790 gnutls_datum_t *key)
1794 coap_gnutls_context_t *g_context;
1799 if (c_session == NULL)
1803 if (g_context == NULL)
1809 lidentity.
s = identity ? (
const uint8_t*)identity : (
const uint8_t*)
"";
1810 lidentity.
length = strlen((
const char*)lidentity.
s);
1814 (
int)lidentity.
length, (
const char *)lidentity.
s);
1827 if (psk_key == NULL)
1830 key->data = gnutls_malloc(psk_key->
length);
1831 if (key->data == NULL)
1833 memcpy(key->data, psk_key->
s, psk_key->
length);
1834 key->size = psk_key->
length;
1843setup_server_ssl_session(
coap_session_t *c_session, coap_gnutls_env_t *g_env)
1845 coap_gnutls_context_t *g_context =
1847 int ret = GNUTLS_E_SUCCESS;
1849 g_context->psk_pki_enabled |= IS_SERVER;
1850 if (g_context->psk_pki_enabled & IS_PSK) {
1851 G_CHECK(setup_psk_credentials(
1852 &g_env->psk_sv_credentials,
1855 "setup_psk_credentials\n");
1856 G_CHECK(gnutls_credentials_set(g_env->g_session,
1858 g_env->psk_sv_credentials),
1859 "gnutls_credentials_set\n");
1860 gnutls_handshake_set_post_client_hello_function(g_env->g_session,
1861 post_client_hello_gnutls_psk);
1864 if (g_context->psk_pki_enabled & IS_PKI) {
1866 G_CHECK(setup_pki_credentials(&g_env->pki_credentials, g_env->g_session,
1867 g_context, setup_data,
1869 "setup_pki_credentials");
1872 gnutls_certificate_server_set_request(g_env->g_session,
1873 GNUTLS_CERT_REQUIRE);
1876 gnutls_certificate_server_set_request(g_env->g_session,
1877 GNUTLS_CERT_REQUEST);
1880 gnutls_certificate_server_set_request(g_env->g_session,
1881 GNUTLS_CERT_IGNORE);
1884 gnutls_handshake_set_post_client_hello_function(g_env->g_session,
1885 post_client_hello_gnutls_pki);
1887 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
1888 g_env->pki_credentials),
1889 "gnutls_credentials_set\n");
1891 return GNUTLS_E_SUCCESS;
1904coap_dgram_read(gnutls_transport_ptr_t context,
void *out,
size_t outl)
1910 if (!c_session->
tls) {
1914 data = &((coap_gnutls_env_t *)c_session->
tls)->coap_ssl_data;
1917 if (data != NULL && data->pdu_len > 0) {
1918 if (outl < data->pdu_len) {
1919 memcpy(out, data->pdu, outl);
1921 if (!data->peekmode) {
1923 data->pdu_len -= outl;
1926 memcpy(out, data->pdu, data->pdu_len);
1927 ret = data->pdu_len;
1928 if (!data->peekmode) {
1949coap_dgram_write(gnutls_transport_ptr_t context,
const void *send_buffer,
1950 size_t send_buffer_length) {
1951 ssize_t result = -1;
1956 if (result != (
int)send_buffer_length) {
1972receive_timeout(gnutls_transport_ptr_t context,
unsigned int ms
COAP_UNUSED) {
1976 fd_set readfds, writefds, exceptfds;
1978 int nfds = c_session->
sock.
fd +1;
1979 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
1983 g_env->coap_ssl_data.pdu_len > 0) {
1989 FD_ZERO(&exceptfds);
1990 FD_SET (c_session->
sock.
fd, &readfds);
1991 if (!(g_env && g_env->doing_dtls_timeout)) {
1992 FD_SET (c_session->
sock.
fd, &writefds);
1993 FD_SET (c_session->
sock.
fd, &exceptfds);
1999 return select(nfds, &readfds, &writefds, &exceptfds, &tv);
2004static coap_gnutls_env_t *
2007 coap_gnutls_context_t *g_context =
2009 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2010#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2011 int flags = type | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2013 int flags = type | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
2020 g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2024 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2026 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2028 gnutls_transport_set_pull_function(g_env->g_session, coap_dgram_read);
2029 gnutls_transport_set_push_function(g_env->g_session, coap_dgram_write);
2030 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2032 gnutls_transport_set_ptr(g_env->g_session, c_session);
2034 G_CHECK(gnutls_priority_set(g_env->g_session, g_context->priority_cache),
2035 "gnutls_priority_set");
2037 if (type == GNUTLS_SERVER) {
2038#if COAP_SERVER_SUPPORT
2039 G_CHECK(setup_server_ssl_session(c_session, g_env),
2040 "setup_server_ssl_session");
2046#if COAP_CLIENT_SUPPORT
2047 G_CHECK(setup_client_ssl_session(c_session, g_env),
2048 "setup_client_ssl_session");
2054 gnutls_handshake_set_timeout(g_env->g_session,
2055 GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2056 gnutls_dtls_set_timeouts(g_env->g_session, COAP_DTLS_RETRANSMIT_MS,
2057 COAP_DTLS_RETRANSMIT_TOTAL_MS);
2068coap_dtls_free_gnutls_env(coap_gnutls_context_t *g_context,
2069 coap_gnutls_env_t *g_env,
2070 coap_free_bye_t free_bye)
2076 if (free_bye != COAP_FREE_BYE_NONE && !g_env->sent_alert) {
2078 gnutls_bye(g_env->g_session, free_bye == COAP_FREE_BYE_AS_UDP ?
2079 GNUTLS_SHUT_WR : GNUTLS_SHUT_RDWR);
2081 gnutls_deinit(g_env->g_session);
2082 g_env->g_session = NULL;
2083 if (g_context->psk_pki_enabled & IS_PSK) {
2084 if ((g_context->psk_pki_enabled & IS_CLIENT) &&
2085 g_env->psk_cl_credentials != NULL) {
2086 gnutls_psk_free_client_credentials(g_env->psk_cl_credentials);
2087 g_env->psk_cl_credentials = NULL;
2091 if (g_env->psk_sv_credentials != NULL)
2092 gnutls_psk_free_server_credentials(g_env->psk_sv_credentials);
2093 g_env->psk_sv_credentials = NULL;
2096 if ((g_context->psk_pki_enabled & IS_PKI) ||
2097 (g_context->psk_pki_enabled &
2098 (IS_PSK | IS_PKI | IS_CLIENT)) == IS_CLIENT) {
2099 gnutls_certificate_free_credentials(g_env->pki_credentials);
2100 g_env->pki_credentials = NULL;
2102 gnutls_free(g_env->coap_ssl_data.cookie_key.data);
2107#if COAP_SERVER_SUPPORT
2109 coap_gnutls_env_t *g_env =
2110 (coap_gnutls_env_t *)c_session->
tls;
2112 gnutls_transport_set_ptr(g_env->g_session, c_session);
2119 gnutls_session_t g_session) {
2120 int last_alert = gnutls_alert_get(g_session);
2122 if (last_alert == GNUTLS_A_CLOSE_NOTIFY)
2125 last_alert, gnutls_alert_get_name(last_alert));
2129 last_alert, gnutls_alert_get_name(last_alert));
2138do_gnutls_handshake(
coap_session_t *c_session, coap_gnutls_env_t *g_env) {
2141 ret = gnutls_handshake(g_env->g_session);
2143 case GNUTLS_E_SUCCESS:
2144 g_env->established = 1;
2149 case GNUTLS_E_INTERRUPTED:
2153 case GNUTLS_E_AGAIN:
2157 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
2159 "Insufficient credentials provided.\n");
2162 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2164 g_env->sent_alert = 1;
2165 log_last_alert(c_session, g_env->g_session);
2167 case GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET:
2168 case GNUTLS_E_UNEXPECTED_PACKET:
2172 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2173 log_last_alert(c_session, g_env->g_session);
2177 case GNUTLS_E_NO_CERTIFICATE_FOUND:
2178#if (GNUTLS_VERSION_NUMBER > 0x030606)
2179 case GNUTLS_E_CERTIFICATE_REQUIRED:
2182 "Client Certificate requested and required, but not provided\n"
2184 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2185 GNUTLS_A_BAD_CERTIFICATE));
2186 g_env->sent_alert = 1;
2190 case GNUTLS_E_DECRYPTION_FAILED:
2192 "do_gnutls_handshake: session establish "
2194 gnutls_strerror(ret));
2195 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2196 GNUTLS_A_DECRYPT_ERROR));
2197 g_env->sent_alert = 1;
2201 case GNUTLS_E_CERTIFICATE_ERROR:
2202 if (g_env->sent_alert) {
2208 case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
2209 case GNUTLS_E_NO_CIPHER_SUITES:
2210 case GNUTLS_E_INVALID_SESSION:
2212 "do_gnutls_handshake: session establish "
2214 gnutls_strerror(ret));
2215 if (!g_env->sent_alert) {
2216 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2217 GNUTLS_A_HANDSHAKE_FAILURE));
2218 g_env->sent_alert = 1;
2223 case GNUTLS_E_SESSION_EOF:
2224 case GNUTLS_E_TIMEDOUT:
2225 case GNUTLS_E_PULL_ERROR:
2226 case GNUTLS_E_PUSH_ERROR:
2232 "do_gnutls_handshake: session establish "
2233 "returned %d: '%s'\n",
2234 ret, gnutls_strerror(ret));
2241#if COAP_CLIENT_SUPPORT
2243 coap_gnutls_env_t *g_env = coap_dtls_new_gnutls_env(c_session, GNUTLS_CLIENT);
2247 ret = do_gnutls_handshake(c_session, g_env);
2252 COAP_FREE_BYE_AS_UDP : COAP_FREE_BYE_AS_TCP);
2261 if (c_session && c_session->
context && c_session->
tls) {
2265 COAP_FREE_BYE_AS_UDP : COAP_FREE_BYE_AS_TCP);
2266 c_session->
tls = NULL;
2272 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2276 G_CHECK(gnutls_dtls_set_data_mtu(g_env->g_session,
2277 (
unsigned int)c_session->
mtu),
2278 "gnutls_dtls_set_data_mtu");
2289 const uint8_t *data,
size_t data_len) {
2291 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2293 assert(g_env != NULL);
2296 if (g_env->established) {
2297 ret = gnutls_record_send(g_env->g_session, data, data_len);
2301 case GNUTLS_E_AGAIN:
2304 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2306 g_env->sent_alert = 1;
2307 log_last_alert(c_session, g_env->g_session);
2313 "coap_dtls_send: gnutls_record_send "
2314 "returned %d: '%s'\n",
2315 ret, gnutls_strerror(ret));
2325 ret = do_gnutls_handshake(c_session, g_env);
2354 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2357 if (g_env && g_env->g_session) {
2358 unsigned int rem_ms = gnutls_dtls_get_timeout(g_env->g_session);
2371 g_env->last_timeout = now;
2372 return now + rem_ms;
2384 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2387 g_env->doing_dtls_timeout = 1;
2389 (do_gnutls_handshake(c_session, g_env) < 0)) {
2391 g_env->doing_dtls_timeout = 0;
2396 g_env->doing_dtls_timeout = 0;
2408 const uint8_t *data,
2411 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2413 coap_ssl_t *ssl_data = &g_env->coap_ssl_data;
2417 assert(g_env != NULL);
2419 if (ssl_data->pdu_len)
2422 ssl_data->pdu = data;
2423 ssl_data->pdu_len = data_len;
2426 if (g_env->established) {
2430 gnutls_transport_set_ptr(g_env->g_session, c_session);
2433 ret = gnutls_record_recv(g_env->g_session, pdu, (
int)
sizeof(pdu));
2437 else if (ret == 0) {
2442 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2444 g_env->sent_alert = 1;
2445 log_last_alert(c_session, g_env->g_session);
2449 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2450 log_last_alert(c_session, g_env->g_session);
2456 "coap_dtls_receive: gnutls_record_recv returned %d\n", ret);
2463 ret = do_gnutls_handshake(c_session, g_env);
2469 if (ssl_data->pdu_len && !g_env->sent_alert) {
2471 ret = do_gnutls_handshake(c_session, g_env);
2491 if (ssl_data && ssl_data->pdu_len) {
2493 coap_log(
LOG_DEBUG,
"coap_dtls_receive: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2494 ssl_data->pdu_len = 0;
2495 ssl_data->pdu = NULL;
2500#if COAP_SERVER_SUPPORT
2508 const uint8_t *data,
2511 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2512 coap_ssl_t *ssl_data;
2516 g_env = coap_dtls_new_gnutls_env(c_session, GNUTLS_SERVER);
2518 c_session->
tls = g_env;
2519 gnutls_key_generate(&g_env->coap_ssl_data.cookie_key,
2520 GNUTLS_COOKIE_KEY_SIZE);
2528 gnutls_dtls_prestate_st prestate;
2531 memset(&prestate, 0,
sizeof(prestate));
2533 memcpy (&data_rw, &data,
sizeof(data_rw));
2534 ret = gnutls_dtls_cookie_verify(&g_env->coap_ssl_data.cookie_key,
2541 gnutls_dtls_cookie_send(&g_env->coap_ssl_data.cookie_key,
2549 gnutls_dtls_prestate_set(g_env->g_session, &prestate);
2552 ssl_data = &g_env->coap_ssl_data;
2553 ssl_data->pdu = data;
2554 ssl_data->pdu_len = data_len;
2556 ret = do_gnutls_handshake(c_session, g_env);
2562 coap_dtls_free_gnutls_env(
2564 g_env, COAP_FREE_BYE_NONE);
2565 c_session->
tls = NULL;
2574 if (ssl_data && ssl_data->pdu_len) {
2576 coap_log(
LOG_DEBUG,
"coap_dtls_hello: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2577 ssl_data->pdu_len = 0;
2578 ssl_data->pdu = NULL;
2588#if !COAP_DISABLE_TCP
2595coap_sock_read(gnutls_transport_ptr_t context,
void *out,
size_t outl) {
2601 ret = recv(c_session->
sock.
fd, (
char *)out, (
int)outl, 0);
2603 ret = recv(c_session->
sock.
fd, out, outl, 0);
2608 }
else if (ret < 0 && errno != EAGAIN) {
2614 c_session->
sock.
flags &= ~COAP_SOCKET_CAN_READ;
2617 c_session->
sock.
flags &= ~COAP_SOCKET_CAN_READ;
2618 else if (ret < (ssize_t)outl)
2619 c_session->
sock.
flags &= ~COAP_SOCKET_CAN_READ;
2631coap_sock_write(gnutls_transport_ptr_t context,
const void *in,
size_t inl) {
2639 }
else if (ret < 0) {
2642 (errno == EPIPE || errno == ECONNRESET)) {
2669#if COAP_CLIENT_SUPPORT
2671 coap_gnutls_env_t *g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2672 coap_gnutls_context_t *g_context =
2674#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2675 int flags = GNUTLS_CLIENT | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2677 int flags = GNUTLS_CLIENT | GNUTLS_NONBLOCK;
2684 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2687 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2689 gnutls_transport_set_pull_function(g_env->g_session, coap_sock_read);
2690 gnutls_transport_set_push_function(g_env->g_session, coap_sock_write);
2691 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2693 gnutls_transport_set_ptr(g_env->g_session, c_session);
2695 gnutls_priority_set(g_env->g_session, g_context->priority_cache);
2696 setup_client_ssl_session(c_session, g_env);
2698 gnutls_handshake_set_timeout(g_env->g_session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2700 c_session->
tls = g_env;
2701 ret = do_gnutls_handshake(c_session, g_env);
2716#if COAP_SERVER_SUPPORT
2718 coap_gnutls_env_t *g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2719 coap_gnutls_context_t *g_context =
2721#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2722 int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2724 int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK;
2730 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2733 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2735 gnutls_transport_set_pull_function(g_env->g_session, coap_sock_read);
2736 gnutls_transport_set_push_function(g_env->g_session, coap_sock_write);
2737 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2739 gnutls_transport_set_ptr(g_env->g_session, c_session);
2741 setup_server_ssl_session(c_session, g_env);
2743 gnutls_priority_set(g_env->g_session, g_context->priority_cache);
2744 gnutls_handshake_set_timeout(g_env->g_session,
2745 GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2747 c_session->
tls = g_env;
2748 ret = do_gnutls_handshake(c_session, g_env);
2770 const uint8_t *data,
2774 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2776 assert(g_env != NULL);
2779 if (g_env->established) {
2780 ret = gnutls_record_send(g_env->g_session, data, data_len);
2784 case GNUTLS_E_AGAIN:
2787 case GNUTLS_E_PUSH_ERROR:
2788 case GNUTLS_E_PULL_ERROR:
2789 case GNUTLS_E_PREMATURE_TERMINATION:
2793 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2795 g_env->sent_alert = 1;
2796 log_last_alert(c_session, g_env->g_session);
2802 "coap_tls_write: gnutls_record_send "
2803 "returned %d: '%s'\n",
2804 ret, gnutls_strerror(ret));
2814 ret = do_gnutls_handshake(c_session, g_env);
2848 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2855 if (!g_env->established && !g_env->sent_alert) {
2856 ret = do_gnutls_handshake(c_session, g_env);
2864 ret = gnutls_record_recv(g_env->g_session, data, (
int)data_len);
2870 case GNUTLS_E_AGAIN:
2874 case GNUTLS_E_PULL_ERROR:
2877 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2879 g_env->sent_alert = 1;
2880 log_last_alert(c_session, g_env->g_session);
2884 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2885 log_last_alert(c_session, g_env->g_session);
2891 "coap_tls_read: gnutls_record_recv "
2892 "returned %d: '%s'\n",
2893 ret, gnutls_strerror(ret));
2914#if COAP_SERVER_SUPPORT
2917 gnutls_hash_hd_t digest_ctx;
2919 if (gnutls_hash_init(&digest_ctx, GNUTLS_DIG_SHA256)) {
2927 gnutls_hash_deinit(digest_ctx, NULL);
2932 const uint8_t *data,
2934 int ret = gnutls_hash(digest_ctx, data, data_len);
2942 gnutls_hash_output(digest_ctx, (uint8_t*)digest_buffer);
2955#pragma GCC diagnostic ignored "-Wunused-function"
Pulls together all the internal only header files.
const char * coap_socket_strerror(void)
ssize_t coap_socket_write(coap_socket_t *sock, const uint8_t *data, size_t data_len)
#define COAP_RXBUFFER_SIZE
#define COAP_SOCKET_ERROR
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
int coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
static int dtls_log_level
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
coap_binary_t * get_asn1_tag(coap_asn1_tag_t ltag, const uint8_t *ptr, size_t tlen, asn1_validate validate)
Get the asn1 tag and data from the current ptr.
void coap_digest_free(coap_digest_ctx_t *digest_ctx)
Free off coap_digest_ctx_t.
int coap_digest_final(coap_digest_ctx_t *digest_ctx, coap_digest_t *digest_buffer)
Finalize the coap_digest information into the provided digest_buffer.
int coap_digest_update(coap_digest_ctx_t *digest_ctx, const uint8_t *data, size_t data_len)
Update the coap_digest information with the next chunk of data.
coap_digest_ctx_t * coap_digest_setup(void)
Initialize a coap_digest.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
int coap_handle_event(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
void * coap_dtls_new_client_session(coap_session_t *coap_session)
Create a new client-side session.
void * coap_tls_new_client_session(coap_session_t *coap_session, int *connected)
Create a new TLS client-side session.
void * coap_tls_new_server_session(coap_session_t *coap_session, int *connected)
Create a TLS new server-side session.
void * coap_dtls_new_server_session(coap_session_t *coap_session)
Create a new DTLS server-side session.
int coap_dtls_hello(coap_session_t *coap_session, const uint8_t *data, size_t data_len)
Handling client HELLO messages from a new candiate peer.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
int coap_dtls_context_set_cpsk(coap_context_t *coap_context, coap_dtls_cpsk_t *setup_data)
Set the DTLS context's default client PSK information.
int coap_dtls_context_set_spsk(coap_context_t *coap_context, coap_dtls_spsk_t *setup_data)
Set the DTLS context's default server PSK information.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
#define COAP_DTLS_HINT_LENGTH
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
int coap_tls_is_supported(void)
Check whether TLS is available.
#define COAP_DTLS_RPK_CERT_CN
int coap_dtls_is_supported(void)
Check whether DTLS is available.
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_PKCS11
The PKI key type is PKCS11 (DER)
@ COAP_PKI_KEY_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_ASN1
The PKI key type is ASN.1 (DER) buffer.
@ COAP_ASN1_PKEY_EC
EC type.
@ COAP_TLS_LIBRARY_GNUTLS
Using GnuTLS library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
void coap_dtls_set_log_level(int level)
Sets the (D)TLS logging level to the specified level.
int coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log(level,...)
Logging function.
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
void coap_session_send_csm(coap_session_t *session)
Notify session transport has just connected and CSM exchange can now start.
ssize_t coap_session_send(coap_session_t *session, const uint8_t *data, size_t datalen)
Function interface for datagram data transmission.
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
void coap_session_connected(coap_session_t *session)
Notify session that it has just connected or reconnected.
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
#define COAP_PROTO_NOT_RELIABLE(p)
void coap_session_disconnected(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
@ COAP_SESSION_STATE_HANDSHAKE
@ COAP_SESSION_STATE_NONE
void coap_delete_binary(coap_binary_t *s)
Deletes the given coap_binary_t object and releases any memory allocated.
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
size_t length
length of binary data
The CoAP stack's global state is stored in a coap_context_t object.
coap_dtls_spsk_t spsk_setup_data
Contains the initial PSK server setup data.
The structure that holds the Client PSK information.
coap_bin_const_t identity
The structure used for defining the Client PSK setup data to be used.
void * ih_call_back_arg
Passed in to the Identity Hint callback function.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
The structure that holds the PKI key information.
coap_pki_key_pem_t pem
for PEM file keys
coap_pki_key_pkcs11_t pkcs11
for PKCS11 keys
union coap_dtls_key_t::@2 key
coap_pki_key_pem_buf_t pem_buf
for PEM memory keys
coap_pki_key_t key_type
key format type
coap_pki_key_asn1_t asn1
for ASN.1 (DER) memory keys
The structure used for defining the PKI setup data to be used.
uint8_t cert_chain_validation
1 if to check cert_chain_verify_depth
uint8_t check_cert_revocation
1 if revocation checks wanted
uint8_t cert_chain_verify_depth
recommended depth is 3
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
char * client_sni
If not NULL, SNI to use in client TLS setup.
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
void * sni_call_back_arg
Passed in to the SNI callback function.
coap_dtls_spsk_info_t psk_info
Server PSK definition.
const uint8_t * private_key
ASN1 (DER) Private Key.
coap_asn1_privatekey_type_t private_key_type
Private Key Type.
size_t public_cert_len
ASN1 Public Cert length.
size_t private_key_len
ASN1 Private Key length.
const uint8_t * ca_cert
ASN1 (DER) Common CA Cert.
size_t ca_cert_len
ASN1 CA Cert length.
const uint8_t * public_cert
ASN1 (DER) Public Cert, or Public Key if RPK.
size_t ca_cert_len
PEM buffer CA Cert length.
const uint8_t * ca_cert
PEM buffer Common CA Cert.
size_t private_key_len
PEM buffer Private Key length.
const uint8_t * private_key
PEM buffer Private Key If RPK and 'EC PRIVATE KEY' this can be used for both the public_cert and priv...
size_t public_cert_len
PEM buffer Public Cert length.
const uint8_t * public_cert
PEM buffer Public Cert, or Public Key if RPK.
const char * ca_file
File location of Common CA in PEM format.
const char * public_cert
File location of Public Cert.
const char * private_key
File location of Private Key in PEM format.
const char * private_key
pkcs11: URI for Private Key
const char * ca
pkcs11: URI for Common CA Certificate
const char * user_pin
User pin to access PKCS11.
const char * public_cert
pkcs11: URI for Public Cert
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationaship with peer
coap_addr_tuple_t addr_info
key: remote/local address info
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
int dtls_event
Tracking any (D)TLS events on this sesison.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_context_t * context
session's context
coap_socket_flags_t flags
CoAP string data definition with const data.
const uint8_t * s
read-only string data
size_t length
length of string
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version
1.9.4