37#ifdef COAP_WITH_LIBMBEDTLS
53#include <mbedtls/version.h>
56#if (MBEDTLS_VERSION_NUMBER < 0x03000000)
57#define MBEDTLS_2_X_COMPAT
60#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
61#define MBEDTLS_ALLOW_PRIVATE_ACCESS
65#include <mbedtls/platform.h>
66#include <mbedtls/net_sockets.h>
67#include <mbedtls/ssl.h>
68#include <mbedtls/entropy.h>
69#include <mbedtls/ctr_drbg.h>
70#include <mbedtls/error.h>
71#include <mbedtls/timing.h>
72#include <mbedtls/ssl_cookie.h>
73#include <mbedtls/oid.h>
74#include <mbedtls/debug.h>
75#include <mbedtls/sha256.h>
76#if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
77#include <mbedtls/esp_debug.h>
79#if defined(MBEDTLS_PSA_CRYPTO_C)
80#include <psa/crypto.h>
83#define mbedtls_malloc(a) malloc(a)
84#define mbedtls_realloc(a,b) realloc(a,b)
85#define mbedtls_strdup(a) strdup(a)
86#define mbedtls_strndup(a,b) strndup(a,b)
88#ifndef MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
90#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
91#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
95#if ! COAP_SERVER_SUPPORT
96#undef MBEDTLS_SSL_SRV_C
98#if ! COAP_CLIENT_SUPPORT
99#undef MBEDTLS_SSL_CLI_C
103#define strcasecmp _stricmp
106#define IS_PSK (1 << 0)
107#define IS_PKI (1 << 1)
108#define IS_CLIENT (1 << 6)
109#define IS_SERVER (1 << 7)
111typedef struct coap_ssl_t {
122typedef struct coap_mbedtls_env_t {
123 mbedtls_ssl_context ssl;
124 mbedtls_entropy_context entropy;
125 mbedtls_ctr_drbg_context ctr_drbg;
126 mbedtls_ssl_config conf;
127 mbedtls_timing_delay_context timer;
128 mbedtls_x509_crt cacert;
129 mbedtls_x509_crt public_cert;
130 mbedtls_pk_context private_key;
131 mbedtls_ssl_cookie_ctx cookie_ctx;
135 int seen_client_hello;
137 unsigned int retry_scalar;
138 coap_ssl_t coap_ssl_data;
141typedef struct pki_sni_entry {
144 mbedtls_x509_crt cacert;
145 mbedtls_x509_crt public_cert;
146 mbedtls_pk_context private_key;
149typedef struct psk_sni_entry {
154typedef struct coap_mbedtls_context_t {
156 size_t pki_sni_count;
157 pki_sni_entry *pki_sni_entry_list;
158 size_t psk_sni_count;
159 psk_sni_entry *psk_sni_entry_list;
163} coap_mbedtls_context_t;
165typedef enum coap_enc_method_t {
170#ifndef MBEDTLS_2_X_COMPAT
175coap_rng(
void *ctx
COAP_UNUSED,
unsigned char *buf,
size_t len) {
176 return coap_prng(buf, len) ? 0 : MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
181coap_dgram_read(
void *ctx,
unsigned char *out,
size_t outl) {
186 if (!c_session->
tls) {
188 return MBEDTLS_ERR_SSL_WANT_READ;
190 data = &((coap_mbedtls_env_t *)c_session->
tls)->coap_ssl_data;
193 if (data->pdu_len > 0) {
194 if (outl < data->pdu_len) {
195 memcpy(out, data->pdu, outl);
198 data->pdu_len -= outl;
200 memcpy(out, data->pdu, data->pdu_len);
202 if (!data->peekmode) {
208 ret = MBEDTLS_ERR_SSL_WANT_READ;
222coap_dgram_write(
void *ctx,
const unsigned char *send_buffer,
223 size_t send_buffer_length) {
228 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
231#if COAP_SERVER_SUPPORT
240 send_buffer, send_buffer_length);
241 if (result != (ssize_t)send_buffer_length) {
243 result, send_buffer_length);
248 m_env->last_timeout = now;
256#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && defined(MBEDTLS_SSL_SRV_C)
261psk_server_callback(
void *p_info, mbedtls_ssl_context *ssl,
262 const unsigned char *identity,
size_t identity_len) {
265 coap_mbedtls_env_t *m_env;
269 if (c_session == NULL)
273 lidentity.
s = identity ? (
const uint8_t *)identity : (
const uint8_t *)
"";
274 lidentity.
length = identity ? identity_len : 0;
278 (
int)lidentity.
length, (
const char *)lidentity.
s);
280 m_env = (coap_mbedtls_env_t *)c_session->
tls;
295 mbedtls_ssl_set_hs_psk(ssl, psk_key->
s, psk_key->
length);
296 m_env->seen_client_hello = 1;
302get_san_or_cn_from_cert(mbedtls_x509_crt *crt) {
304 const mbedtls_asn1_named_data *cn_data;
306 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
307 mbedtls_asn1_sequence *seq = &crt->subject_alt_names;
308 while (seq && seq->buf.p == NULL) {
313 return mbedtls_strndup((
const char *)seq->buf.p,
318 cn_data = mbedtls_asn1_find_named_data(&crt->subject,
320 MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN));
323 return mbedtls_strndup((
const char *)cn_data->val.p,
330#if COAP_MAX_LOGGING_LEVEL > 0
332get_error_string(
int ret) {
333 static char buf[128] = {0};
334 mbedtls_strerror(ret, buf,
sizeof(buf)-1);
340self_signed_cert_verify_callback_mbedtls(
void *data,
345 const coap_mbedtls_context_t *m_context =
349 if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
350 if (setup_data->allow_expired_certs) {
351 *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
362cert_verify_callback_mbedtls(
void *data, mbedtls_x509_crt *crt,
363 int depth, uint32_t *flags) {
365 coap_mbedtls_context_t *m_context =
373 cn = get_san_or_cn_from_cert(crt);
375 if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
376 if (setup_data->allow_expired_certs) {
377 *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
380 "The certificate has expired", cn ? cn :
"?", depth);
383 if (*flags & MBEDTLS_X509_BADCERT_FUTURE) {
384 if (setup_data->allow_expired_certs) {
385 *flags &= ~MBEDTLS_X509_BADCERT_FUTURE;
388 "The certificate has a future date", cn ? cn :
"?", depth);
391 if (*flags & MBEDTLS_X509_BADCERT_BAD_MD) {
392 if (setup_data->allow_bad_md_hash) {
393 *flags &= ~MBEDTLS_X509_BADCERT_BAD_MD;
396 "The certificate has a bad MD hash", cn ? cn :
"?", depth);
399 if (*flags & MBEDTLS_X509_BADCERT_BAD_KEY) {
400 if (setup_data->allow_short_rsa_length) {
401 *flags &= ~MBEDTLS_X509_BADCERT_BAD_KEY;
404 "The certificate has a short RSA length", cn ? cn :
"?", depth);
407 if (*flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
409 int self_signed = !mbedtls_x509_crt_verify(crt, crt, NULL, NULL, &lflags,
410 self_signed_cert_verify_callback_mbedtls,
412 if (self_signed && depth == 0) {
413 if (setup_data->allow_self_signed &&
414 !setup_data->check_common_ca) {
415 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
419 cn ? cn :
"?", depth);
422 if (!setup_data->verify_peer_cert) {
423 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
426 "The certificate's CA does not match", cn ? cn :
"?", depth);
430 if (*flags & MBEDTLS_X509_BADCRL_EXPIRED) {
431 if (setup_data->check_cert_revocation && setup_data->allow_expired_crl) {
432 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
435 "The certificate's CRL has expired", cn ? cn :
"?", depth);
436 }
else if (!setup_data->check_cert_revocation) {
437 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
440 if (*flags & MBEDTLS_X509_BADCRL_FUTURE) {
441 if (setup_data->check_cert_revocation && setup_data->allow_expired_crl) {
442 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
445 "The certificate's CRL has a future date", cn ? cn :
"?", depth);
446 }
else if (!setup_data->check_cert_revocation) {
447 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
450 if (setup_data->cert_chain_validation &&
451 depth > (setup_data->cert_chain_verify_depth + 1)) {
452 *flags |= MBEDTLS_X509_BADCERT_OTHER;
455 "The certificate's verify depth is too long",
456 cn ? cn :
"?", depth);
459 if (*flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
460 *flags &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
462 if (setup_data->validate_cn_call_back) {
463 if (!setup_data->validate_cn_call_back(cn,
469 setup_data->cn_call_back_arg)) {
470 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
476 int ret = mbedtls_x509_crt_verify_info(buf,
sizeof(buf),
"", *flags);
479 tcp = strchr(buf,
'\n');
484 buf, *flags, cn ? cn :
"?", depth);
485 tcp = strchr(tcp+1,
'\n');
488 coap_log_err(
"mbedtls_x509_crt_verify_info returned -0x%x: '%s'\n",
489 -ret, get_error_string(ret));
500setup_pki_credentials(mbedtls_x509_crt *cacert,
501 mbedtls_x509_crt *public_cert,
502 mbedtls_pk_context *private_key,
503 coap_mbedtls_env_t *m_env,
504 coap_mbedtls_context_t *m_context,
511 coap_log_err(
"RPK Support not available in Mbed TLS\n");
516#if defined(MBEDTLS_FS_IO)
522 mbedtls_x509_crt_init(public_cert);
523 mbedtls_pk_init(private_key);
525 ret = mbedtls_x509_crt_parse_file(public_cert,
528 coap_log_err(
"mbedtls_x509_crt_parse_file returned -0x%x: '%s'\n",
529 -ret, get_error_string(ret));
533#ifdef MBEDTLS_2_X_COMPAT
534 ret = mbedtls_pk_parse_keyfile(private_key,
537 ret = mbedtls_pk_parse_keyfile(private_key,
539 NULL, coap_rng, (
void *)&m_env->ctr_drbg);
542 coap_log_err(
"mbedtls_pk_parse_keyfile returned -0x%x: '%s'\n",
543 -ret, get_error_string(ret));
547 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
549 coap_log_err(
"mbedtls_ssl_conf_own_cert returned -0x%x: '%s'\n",
550 -ret, get_error_string(ret));
554 coap_log_err(
"***setup_pki: (D)TLS: No Server Certificate + Private "
561 mbedtls_x509_crt_init(cacert);
562 ret = mbedtls_x509_crt_parse_file(cacert,
565 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
566 -ret, get_error_string(ret));
569 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
573 coap_log_err(
"mbedtls_x509_crt_parse_file: MBEDTLS_FS_IO not set, so cannot handle files\n");
584 mbedtls_x509_crt_init(public_cert);
585 mbedtls_pk_init(private_key);
590 buffer = mbedtls_malloc(length + 1);
593 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
596 buffer[length] =
'\000';
598 ret = mbedtls_x509_crt_parse(public_cert, buffer, length);
599 mbedtls_free(buffer);
601 ret = mbedtls_x509_crt_parse(public_cert,
606 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
607 -ret, get_error_string(ret));
614 buffer = mbedtls_malloc(length + 1);
617 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
620 buffer[length] =
'\000';
622#ifdef MBEDTLS_2_X_COMPAT
623 ret = mbedtls_pk_parse_key(private_key, buffer, length, NULL, 0);
625 ret = mbedtls_pk_parse_key(private_key, buffer, length,
626 NULL, 0, coap_rng, (
void *)&m_env->ctr_drbg);
628 mbedtls_free(buffer);
630#ifdef MBEDTLS_2_X_COMPAT
631 ret = mbedtls_pk_parse_key(private_key,
635 ret = mbedtls_pk_parse_key(private_key,
638 NULL, 0, coap_rng, (
void *)&m_env->ctr_drbg);
642 coap_log_err(
"mbedtls_pk_parse_key returned -0x%x: '%s'\n",
643 -ret, get_error_string(ret));
647 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
649 coap_log_err(
"mbedtls_ssl_conf_own_cert returned -0x%x: '%s'\n",
650 -ret, get_error_string(ret));
654 coap_log_err(
"***setup_pki: (D)TLS: No Server Certificate + Private "
664 mbedtls_x509_crt_init(cacert);
668 buffer = mbedtls_malloc(length + 1);
671 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
674 buffer[length] =
'\000';
676 ret = mbedtls_x509_crt_parse(cacert, buffer, length);
677 mbedtls_free(buffer);
679 ret = mbedtls_x509_crt_parse(cacert,
684 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
685 -ret, get_error_string(ret));
688 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
697 mbedtls_x509_crt_init(public_cert);
698 mbedtls_pk_init(private_key);
699 ret = mbedtls_x509_crt_parse(public_cert,
703 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
704 -ret, get_error_string(ret));
708#ifdef MBEDTLS_2_X_COMPAT
709 ret = mbedtls_pk_parse_key(private_key,
713 ret = mbedtls_pk_parse_key(private_key,
716 (
void *)&m_env->ctr_drbg);
719 coap_log_err(
"mbedtls_pk_parse_key returned -0x%x: '%s'\n",
720 -ret, get_error_string(ret));
724 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
726 coap_log_err(
"mbedtls_ssl_conf_own_cert returned -0x%x: '%s'\n",
727 -ret, get_error_string(ret));
731 coap_log_err(
"***setup_pki: (D)TLS: No Server Certificate + Private "
738 mbedtls_x509_crt_init(cacert);
739 ret = mbedtls_x509_crt_parse(cacert,
743 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
744 -ret, get_error_string(ret));
747 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
752 coap_log_err(
"***setup_pki: (D)TLS: PKCS11 not currently supported\n");
756 coap_log_err(
"***setup_pki: (D)TLS: Unknown key type %d\n",
761#if defined(MBEDTLS_FS_IO)
762 if (m_context->root_ca_file) {
763 ret = mbedtls_x509_crt_parse_file(cacert, m_context->root_ca_file);
765 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
766 -ret, get_error_string(ret));
769 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
771 if (m_context->root_ca_path) {
772 ret = mbedtls_x509_crt_parse_file(cacert, m_context->root_ca_path);
774 coap_log_err(
"mbedtls_x509_crt_parse returned -0x%x: '%s'\n",
775 -ret, get_error_string(ret));
778 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
781 coap_log_err(
"mbedtls_x509_crt_parse_file: MBEDTLS_FS_IO not set, so cannot handle files\n");
784#if defined(MBEDTLS_SSL_SRV_C)
785 mbedtls_ssl_conf_cert_req_ca_list(&m_env->conf,
787 MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED :
788 MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
791 MBEDTLS_SSL_VERIFY_REQUIRED :
792 MBEDTLS_SSL_VERIFY_NONE);
797 mbedtls_ssl_conf_verify(&m_env->conf,
798 cert_verify_callback_mbedtls, c_session);
803#if defined(MBEDTLS_SSL_SRV_C)
808pki_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
809 const unsigned char *uname,
size_t name_len) {
813 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
814 coap_mbedtls_context_t *m_context =
819 name = mbedtls_malloc(name_len+1);
823 memcpy(name, uname, name_len);
824 name[name_len] =
'\000';
827 for (i = 0; i < m_context->pki_sni_count; i++) {
828 if (strcasecmp(name, m_context->pki_sni_entry_list[i].sni) == 0) {
832 if (i == m_context->pki_sni_count) {
837 pki_sni_entry *pki_sni_entry_list;
840 m_context->setup_data.validate_sni_call_back(name,
841 m_context->setup_data.sni_call_back_arg);
847 pki_sni_entry_list = mbedtls_realloc(m_context->pki_sni_entry_list,
848 (i+1)*
sizeof(pki_sni_entry));
850 if (pki_sni_entry_list == NULL) {
854 m_context->pki_sni_entry_list = pki_sni_entry_list;
855 memset(&m_context->pki_sni_entry_list[i], 0,
856 sizeof(m_context->pki_sni_entry_list[i]));
857 m_context->pki_sni_entry_list[i].sni = name;
858 m_context->pki_sni_entry_list[i].pki_key = *new_entry;
859 sni_setup_data = m_context->setup_data;
860 sni_setup_data.
pki_key = *new_entry;
861 if ((ret = setup_pki_credentials(&m_context->pki_sni_entry_list[i].cacert,
862 &m_context->pki_sni_entry_list[i].public_cert,
863 &m_context->pki_sni_entry_list[i].private_key,
872 m_context->pki_sni_count++;
877 mbedtls_ssl_set_hs_ca_chain(ssl, &m_context->pki_sni_entry_list[i].cacert,
879 return mbedtls_ssl_set_hs_own_cert(ssl,
880 &m_context->pki_sni_entry_list[i].public_cert,
881 &m_context->pki_sni_entry_list[i].private_key);
884#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
889psk_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
890 const unsigned char *uname,
size_t name_len) {
893 coap_mbedtls_context_t *m_context =
897 name = mbedtls_malloc(name_len+1);
901 memcpy(name, uname, name_len);
902 name[name_len] =
'\000';
905 for (i = 0; i < m_context->psk_sni_count; i++) {
906 if (strcasecmp(name, m_context->psk_sni_entry_list[i].sni) == 0) {
910 if (i == m_context->psk_sni_count) {
915 psk_sni_entry *psk_sni_entry_list;
926 psk_sni_entry_list = mbedtls_realloc(m_context->psk_sni_entry_list,
927 (i+1)*
sizeof(psk_sni_entry));
929 if (psk_sni_entry_list == NULL) {
933 m_context->psk_sni_entry_list = psk_sni_entry_list;
934 m_context->psk_sni_entry_list[i].sni = name;
935 m_context->psk_sni_entry_list[i].psk_info = *new_entry;
937 m_context->psk_sni_count++;
943 &m_context->psk_sni_entry_list[i].psk_info.hint);
945 &m_context->psk_sni_entry_list[i].psk_info.key);
946 return mbedtls_ssl_set_hs_psk(ssl,
947 m_context->psk_sni_entry_list[i].psk_info.key.s,
948 m_context->psk_sni_entry_list[i].psk_info.key.length);
954 coap_mbedtls_env_t *m_env) {
955 coap_mbedtls_context_t *m_context =
958 m_context->psk_pki_enabled |= IS_SERVER;
960 mbedtls_ssl_cookie_init(&m_env->cookie_ctx);
961 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
962 MBEDTLS_SSL_IS_SERVER,
964 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
965 MBEDTLS_SSL_TRANSPORT_STREAM,
966 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
967 coap_log_err(
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
968 -ret, get_error_string(ret));
972 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
974#if defined(MBEDTLS_SSL_PROTO_DTLS)
975 mbedtls_ssl_conf_handshake_timeout(&m_env->conf, COAP_DTLS_RETRANSMIT_MS,
976 COAP_DTLS_RETRANSMIT_TOTAL_MS);
979 if (m_context->psk_pki_enabled & IS_PSK) {
980#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
981 mbedtls_ssl_conf_psk_cb(&m_env->conf, psk_server_callback, c_session);
983 mbedtls_ssl_conf_sni(&m_env->conf, psk_sni_callback, c_session);
990 if (m_context->psk_pki_enabled & IS_PKI) {
991 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
992 &m_env->private_key, m_env, m_context,
993 c_session, &m_context->setup_data,
999 if (m_context->setup_data.validate_sni_call_back) {
1000 mbedtls_ssl_conf_sni(&m_env->conf, pki_sni_callback, c_session);
1004 if ((ret = mbedtls_ssl_cookie_setup(&m_env->cookie_ctx,
1005 mbedtls_ctr_drbg_random,
1006 &m_env->ctr_drbg)) != 0) {
1007 coap_log_err(
"mbedtls_ssl_cookie_setup: returned -0x%x: '%s'\n",
1008 -ret, get_error_string(ret));
1012#if defined(MBEDTLS_SSL_PROTO_DTLS)
1013 mbedtls_ssl_conf_dtls_cookies(&m_env->conf, mbedtls_ssl_cookie_write,
1014 mbedtls_ssl_cookie_check,
1015 &m_env->cookie_ctx);
1016#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1017 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1020#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1028 mbedtls_ssl_conf_cid(&m_env->conf, COAP_DTLS_CID_LENGTH, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE);
1035#if COAP_CLIENT_SUPPORT
1036static int *psk_ciphers = NULL;
1037static int *pki_ciphers = NULL;
1038static int processed_ciphers = 0;
1041set_ciphersuites(mbedtls_ssl_config *conf, coap_enc_method_t method) {
1042 if (!processed_ciphers) {
1043 const int *list = mbedtls_ssl_list_ciphersuites();
1044 const int *base = list;
1051 const mbedtls_ssl_ciphersuite_t *cur =
1052 mbedtls_ssl_ciphersuite_from_id(*list);
1054#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1056 if (cur->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2) {
1061 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
1065#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1066 else if (mbedtls_ssl_ciphersuite_uses_psk(cur)) {
1078 psk_ciphers = mbedtls_malloc(psk_count *
sizeof(psk_ciphers[0]));
1079 if (psk_ciphers == NULL) {
1080 coap_log_err(
"set_ciphers: mbedtls_malloc with count %d failed\n", psk_count);
1083 pki_ciphers = mbedtls_malloc(pki_count *
sizeof(pki_ciphers[0]));
1084 if (pki_ciphers == NULL) {
1085 coap_log_err(
"set_ciphers: mbedtls_malloc with count %d failed\n", pki_count);
1086 mbedtls_free(psk_ciphers);
1091 psk_list = psk_ciphers;
1092 pki_list = pki_ciphers;
1095 const mbedtls_ssl_ciphersuite_t *cur =
1096 mbedtls_ssl_ciphersuite_from_id(*list);
1097#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1099 if (cur->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2) {
1104 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
1108#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1109 else if (mbedtls_ssl_ciphersuite_uses_psk(cur)) {
1124 processed_ciphers = 1;
1126 mbedtls_ssl_conf_ciphersuites(conf, method == COAP_ENC_PSK ? psk_ciphers : pki_ciphers);
1131 coap_mbedtls_env_t *m_env) {
1134 coap_mbedtls_context_t *m_context =
1137 m_context->psk_pki_enabled |= IS_CLIENT;
1139 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
1140 MBEDTLS_SSL_IS_CLIENT,
1142 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
1143 MBEDTLS_SSL_TRANSPORT_STREAM,
1144 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
1145 coap_log_err(
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
1146 -ret, get_error_string(ret));
1150#if defined(MBEDTLS_SSL_PROTO_DTLS)
1151 mbedtls_ssl_conf_handshake_timeout(&m_env->conf, COAP_DTLS_RETRANSMIT_MS,
1152 COAP_DTLS_RETRANSMIT_TOTAL_MS);
1155 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
1156 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
1158 if (m_context->psk_pki_enabled & IS_PSK) {
1159#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1167 if (psk_key == NULL || psk_identity == NULL) {
1168 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1172 if ((ret = mbedtls_ssl_conf_psk(&m_env->conf, psk_key->
s,
1173 psk_key->
length, psk_identity->
s,
1174 psk_identity->
length)) != 0) {
1175 coap_log_err(
"mbedtls_ssl_conf_psk returned -0x%x: '%s'\n",
1176 -ret, get_error_string(ret));
1180 if ((ret = mbedtls_ssl_set_hostname(&m_env->ssl,
1182 coap_log_err(
"mbedtls_ssl_set_hostname returned -0x%x: '%s'\n",
1183 -ret, get_error_string(ret));
1189 set_ciphersuites(&m_env->conf, COAP_ENC_PSK);
1193 }
else if ((m_context->psk_pki_enabled & IS_PKI) ||
1194 (m_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
1199 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
1200 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
1201 &m_env->private_key, m_env, m_context,
1202 c_session, &m_context->setup_data,
1208#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN)
1211 static const char *alpn_list[] = {
"coap", NULL };
1213 ret = mbedtls_ssl_conf_alpn_protocols(&m_env->conf, alpn_list);
1219 if (m_context->setup_data.client_sni) {
1220 mbedtls_ssl_set_hostname(&m_env->ssl, m_context->setup_data.client_sni);
1222#if defined(MBEDTLS_SSL_PROTO_DTLS)
1223#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1224 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1227 set_ciphersuites(&m_env->conf, COAP_ENC_PKI);
1237mbedtls_cleanup(coap_mbedtls_env_t *m_env) {
1242 mbedtls_x509_crt_free(&m_env->cacert);
1243 mbedtls_x509_crt_free(&m_env->public_cert);
1244 mbedtls_pk_free(&m_env->private_key);
1245 mbedtls_entropy_free(&m_env->entropy);
1246 mbedtls_ssl_config_free(&m_env->conf);
1247 mbedtls_ctr_drbg_free(&m_env->ctr_drbg);
1248 mbedtls_ssl_free(&m_env->ssl);
1249 mbedtls_ssl_cookie_free(&m_env->cookie_ctx);
1253coap_dtls_free_mbedtls_env(coap_mbedtls_env_t *m_env) {
1255 if (!m_env->sent_alert)
1256 mbedtls_ssl_close_notify(&m_env->ssl);
1257 mbedtls_cleanup(m_env);
1258 mbedtls_free(m_env);
1262#if COAP_MAX_LOGGING_LEVEL > 0
1264report_mbedtls_alert(
unsigned char alert) {
1266 case MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC:
1267 return ": Bad Record MAC";
1268 case MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE:
1269 return ": Handshake failure";
1270 case MBEDTLS_SSL_ALERT_MSG_NO_CERT:
1271 return ": No Certificate provided";
1272 case MBEDTLS_SSL_ALERT_MSG_BAD_CERT:
1273 return ": Certificate is bad";
1274 case MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN:
1275 return ": Certificate is unknown";
1276 case MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA:
1277 return ": CA is unknown";
1278 case MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED:
1279 return ": Access was denied";
1280 case MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR:
1281 return ": Decrypt error";
1295 coap_mbedtls_env_t *m_env) {
1299 ret = mbedtls_ssl_handshake(&m_env->ssl);
1302 m_env->established = 1;
1307 case MBEDTLS_ERR_SSL_WANT_READ:
1308 case MBEDTLS_ERR_SSL_WANT_WRITE:
1312 case MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED:
1315 case MBEDTLS_ERR_SSL_INVALID_MAC:
1317#ifdef MBEDTLS_2_X_COMPAT
1318 case MBEDTLS_ERR_SSL_UNKNOWN_CIPHER:
1320 case MBEDTLS_ERR_SSL_DECODE_ERROR:
1323 case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE:
1324 alert = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
1326#ifdef MBEDTLS_2_X_COMPAT
1327 case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO:
1328 case MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO:
1329 alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE;
1332 case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
1334 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1335 if (m_env->ssl.in_msg[1] != MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)
1338 report_mbedtls_alert(m_env->ssl.in_msg[1]));
1340 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
1341 case MBEDTLS_ERR_SSL_CONN_EOF:
1342 case MBEDTLS_ERR_NET_CONN_RESET:
1348 "returned -0x%x: '%s'\n",
1349 -ret, get_error_string(ret));
1356 mbedtls_ssl_send_alert_message(&m_env->ssl,
1357 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1359 m_env->sent_alert = 1;
1364 get_error_string(ret));
1366 mbedtls_ssl_session_reset(&m_env->ssl);
1371mbedtls_debug_out(
void *ctx
COAP_UNUSED,
int level,
1404#if !COAP_DISABLE_TCP
1412coap_sock_read(
void *ctx,
unsigned char *out,
size_t outl) {
1413 int ret = MBEDTLS_ERR_SSL_CONN_EOF;
1420 if (errno == ECONNRESET) {
1422 ret = MBEDTLS_ERR_SSL_CONN_EOF;
1424 ret = MBEDTLS_ERR_NET_RECV_FAILED;
1426 }
else if (ret == 0) {
1428 ret = MBEDTLS_ERR_SSL_WANT_READ;
1441coap_sock_write(
void *context,
const unsigned char *in,
size_t inl) {
1446 (
const uint8_t *)in,
1452 (errno == EPIPE || errno == ECONNRESET)) {
1467 int lasterror = WSAGetLastError();
1469 if (lasterror == WSAEWOULDBLOCK) {
1470 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1471 }
else if (lasterror == WSAECONNRESET) {
1472 ret = MBEDTLS_ERR_NET_CONN_RESET;
1475 if (errno == EAGAIN || errno == EINTR) {
1476 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1477 }
else if (errno == EPIPE || errno == ECONNRESET) {
1478 ret = MBEDTLS_ERR_NET_CONN_RESET;
1482 ret = MBEDTLS_ERR_NET_SEND_FAILED;
1491 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1497static coap_mbedtls_env_t *
1502 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1507 m_env = (coap_mbedtls_env_t *)mbedtls_malloc(
sizeof(coap_mbedtls_env_t));
1511 memset(m_env, 0,
sizeof(coap_mbedtls_env_t));
1513 mbedtls_ssl_init(&m_env->ssl);
1514 mbedtls_ctr_drbg_init(&m_env->ctr_drbg);
1515 mbedtls_ssl_config_init(&m_env->conf);
1516 mbedtls_entropy_init(&m_env->entropy);
1518#if defined(MBEDTLS_PSA_CRYPTO_C)
1522#if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
1523 mbedtls_esp_enable_debug_log(&m_env->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
1525 if ((ret = mbedtls_ctr_drbg_seed(&m_env->ctr_drbg,
1526 mbedtls_entropy_func, &m_env->entropy, NULL, 0)) != 0) {
1527 coap_log_err(
"mbedtls_ctr_drbg_seed returned -0x%x: '%s'\n",
1528 -ret, get_error_string(ret));
1533#if COAP_CLIENT_SUPPORT
1534 if (setup_client_ssl_session(c_session, m_env) != 0) {
1541#if defined(MBEDTLS_SSL_SRV_C)
1542 if (setup_server_ssl_session(c_session, m_env) != 0) {
1552#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1553 mbedtls_ssl_conf_min_tls_version(&m_env->conf, MBEDTLS_SSL_VERSION_TLS1_2);
1555 mbedtls_ssl_conf_min_version(&m_env->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
1556 MBEDTLS_SSL_MINOR_VERSION_3);
1559 if ((ret = mbedtls_ssl_setup(&m_env->ssl, &m_env->conf)) != 0) {
1563 mbedtls_ssl_set_bio(&m_env->ssl, c_session, coap_dgram_write,
1564 coap_dgram_read, NULL);
1565#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1568 u_char cid[COAP_DTLS_CID_LENGTH];
1577 mbedtls_ssl_set_cid(&m_env->ssl, MBEDTLS_SSL_CID_ENABLED, cid,
1582#if !COAP_DISABLE_TCP
1585 mbedtls_ssl_set_bio(&m_env->ssl, c_session, coap_sock_write,
1586 coap_sock_read, NULL);
1589 mbedtls_ssl_set_timer_cb(&m_env->ssl, &m_env->timer,
1590 mbedtls_timing_set_delay,
1591 mbedtls_timing_get_delay);
1593 mbedtls_ssl_conf_dbg(&m_env->conf, mbedtls_debug_out, stdout);
1598 mbedtls_free(m_env);
1605#if defined(MBEDTLS_SSL_PROTO_DTLS)
1608 static int reported = 0;
1612 " - update Mbed TLS to include DTLS\n");
1620#if !COAP_DISABLE_TCP
1665 coap_mbedtls_context_t *m_context;
1668 m_context = (coap_mbedtls_context_t *)mbedtls_malloc(
sizeof(coap_mbedtls_context_t));
1670 memset(m_context, 0,
sizeof(coap_mbedtls_context_t));
1675#if COAP_SERVER_SUPPORT
1684 coap_mbedtls_context_t *m_context =
1687#if !defined(MBEDTLS_SSL_SRV_C)
1689 " libcoap not compiled for Server Mode for Mbed TLS"
1690 " - update Mbed TLS to include Server Mode\n");
1693 if (!m_context || !setup_data)
1696 m_context->psk_pki_enabled |= IS_PSK;
1701#if COAP_CLIENT_SUPPORT
1710#if !defined(MBEDTLS_SSL_CLI_C)
1715 " libcoap not compiled for Client Mode for Mbed TLS"
1716 " - update Mbed TLS to include Client Mode\n");
1719 coap_mbedtls_context_t *m_context =
1722 if (!m_context || !setup_data)
1726 coap_log_warn(
"CoAP Client with Mbed TLS does not support Identity Hint selection\n");
1728 m_context->psk_pki_enabled |= IS_PSK;
1738 coap_mbedtls_context_t *m_context =
1741 m_context->setup_data = *setup_data;
1742 if (!m_context->setup_data.verify_peer_cert) {
1746 m_context->setup_data.allow_self_signed = 1;
1747 m_context->setup_data.allow_expired_certs = 1;
1748 m_context->setup_data.cert_chain_validation = 1;
1749 m_context->setup_data.cert_chain_verify_depth = 10;
1750 m_context->setup_data.check_cert_revocation = 1;
1751 m_context->setup_data.allow_no_crl = 1;
1752 m_context->setup_data.allow_expired_crl = 1;
1753 m_context->setup_data.allow_bad_md_hash = 1;
1754 m_context->setup_data.allow_short_rsa_length = 1;
1756 m_context->psk_pki_enabled |= IS_PKI;
1762 const char *ca_file,
1763 const char *ca_path) {
1764 coap_mbedtls_context_t *m_context =
1768 coap_log_warn(
"coap_context_set_pki_root_cas: (D)TLS environment "
1773 if (ca_file == NULL && ca_path == NULL) {
1774 coap_log_warn(
"coap_context_set_pki_root_cas: ca_file and/or ca_path "
1778 if (m_context->root_ca_file) {
1779 mbedtls_free(m_context->root_ca_file);
1780 m_context->root_ca_file = NULL;
1784 m_context->root_ca_file = mbedtls_strdup(ca_file);
1787 if (m_context->root_ca_path) {
1788 mbedtls_free(m_context->root_ca_path);
1789 m_context->root_ca_path = NULL;
1793 m_context->root_ca_path = mbedtls_strdup(ca_path);
1800 coap_mbedtls_context_t *m_context =
1802 return m_context->psk_pki_enabled ? 1 : 0;
1807 coap_mbedtls_context_t *m_context = (coap_mbedtls_context_t *)dtls_context;
1810 for (i = 0; i < m_context->pki_sni_count; i++) {
1811 mbedtls_free(m_context->pki_sni_entry_list[i].sni);
1813 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].public_cert);
1815 mbedtls_pk_free(&m_context->pki_sni_entry_list[i].private_key);
1817 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].cacert);
1819 if (m_context->pki_sni_entry_list)
1820 mbedtls_free(m_context->pki_sni_entry_list);
1822 for (i = 0; i < m_context->psk_sni_count; i++) {
1823 mbedtls_free(m_context->psk_sni_entry_list[i].sni);
1825 if (m_context->psk_sni_entry_list)
1826 mbedtls_free(m_context->psk_sni_entry_list);
1828 if (m_context->root_ca_path)
1829 mbedtls_free(m_context->root_ca_path);
1830 if (m_context->root_ca_file)
1831 mbedtls_free(m_context->root_ca_file);
1833 mbedtls_free(m_context);
1836#if COAP_CLIENT_SUPPORT
1839#if !defined(MBEDTLS_SSL_CLI_C)
1842 " libcoap not compiled for Client Mode for Mbed TLS"
1843 " - update Mbed TLS to include Client Mode\n");
1846 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
1853#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1862 mbedtls_ssl_set_cid(&m_env->ssl, MBEDTLS_SSL_CID_ENABLED, NULL, 0);
1866 m_env->last_timeout = now;
1867 ret = do_mbedtls_handshake(c_session, m_env);
1869 coap_dtls_free_mbedtls_env(m_env);
1878#if COAP_SERVER_SUPPORT
1881#if !defined(MBEDTLS_SSL_SRV_C)
1884 " libcoap not compiled for Server Mode for Mbed TLS"
1885 " - update Mbed TLS to include Server Mode\n");
1888 coap_mbedtls_env_t *m_env =
1889 (coap_mbedtls_env_t *)c_session->
tls;
1891#if defined(MBEDTLS_SSL_PROTO_DTLS)
1892#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1893 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1904 if (c_session && c_session->
context && c_session->
tls) {
1905 coap_dtls_free_mbedtls_env(c_session->
tls);
1906 c_session->
tls = NULL;
1914#if defined(MBEDTLS_SSL_PROTO_DTLS)
1915 coap_mbedtls_env_t *m_env =
1916 (coap_mbedtls_env_t *)c_session->
tls;
1918#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1919 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1929 const uint8_t *data,
size_t data_len) {
1931 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1933 assert(m_env != NULL);
1939 if (m_env->established) {
1940 ret = mbedtls_ssl_write(&m_env->ssl, (
const unsigned char *) data, data_len);
1943 case MBEDTLS_ERR_SSL_WANT_READ:
1944 case MBEDTLS_ERR_SSL_WANT_WRITE:
1947 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1953 "returned -0x%x: '%s'\n",
1954 -ret, get_error_string(ret));
1963 ret = do_mbedtls_handshake(c_session, m_env);
1982 if (ret == (ssize_t)data_len)
2004 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2005 int ret = mbedtls_timing_get_delay(&m_env->timer);
2006 unsigned int scalar = 1 << m_env->retry_scalar;
2016 m_env->last_timeout = now;
2029 m_env->last_timeout = now;
2047 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2050 m_env->retry_scalar++;
2052 (do_mbedtls_handshake(c_session, m_env) < 0)) {
2067 const uint8_t *data,
2072 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2073 coap_ssl_t *ssl_data;
2075 assert(m_env != NULL);
2077 ssl_data = &m_env->coap_ssl_data;
2078 if (ssl_data->pdu_len) {
2079 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2082 ssl_data->pdu = data;
2083 ssl_data->pdu_len = (unsigned)data_len;
2085 if (m_env->established) {
2086#if COAP_CONSTRAINED_STACK
2093#if COAP_CONSTRAINED_STACK
2103 ret = mbedtls_ssl_read(&m_env->ssl, pdu,
sizeof(pdu));
2106#if COAP_CONSTRAINED_STACK
2113 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
2114 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2117 case MBEDTLS_ERR_SSL_WANT_READ:
2121 "returned -0x%x: '%s' (length %zd)\n",
2122 -ret, get_error_string(ret), data_len);
2125#if COAP_CONSTRAINED_STACK
2130 ret = do_mbedtls_handshake(c_session, m_env);
2135 if (ssl_data->pdu_len) {
2137 ret = do_mbedtls_handshake(c_session, m_env);
2160 if (ssl_data && ssl_data->pdu_len) {
2162 coap_log_debug(
"coap_dtls_receive: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2163 ssl_data->pdu_len = 0;
2164 ssl_data->pdu = NULL;
2173#if COAP_SERVER_SUPPORT
2181 const uint8_t *data,
2183#if !defined(MBEDTLS_SSL_PROTO_DTLS) || !defined(MBEDTLS_SSL_SRV_C)
2188 " libcoap not compiled for DTLS or Server Mode for Mbed TLS"
2189 " - update Mbed TLS to include DTLS and Server Mode\n");
2192 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2193 coap_ssl_t *ssl_data;
2200 c_session->
tls = m_env;
2207 if ((ret = mbedtls_ssl_set_client_transport_id(&m_env->ssl,
2210 coap_log_err(
"mbedtls_ssl_set_client_transport_id() returned -0x%x: '%s'\n",
2211 -ret, get_error_string(ret));
2215 ssl_data = &m_env->coap_ssl_data;
2216 if (ssl_data->pdu_len) {
2217 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2220 ssl_data->pdu = data;
2221 ssl_data->pdu_len = (unsigned)data_len;
2223 ret = do_mbedtls_handshake(c_session, m_env);
2224 if (ret == 0 || m_env->seen_client_hello) {
2230 m_env->seen_client_hello = 0;
2236 if (ssl_data->pdu_len) {
2238 coap_log_debug(
"coap_dtls_hello: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2239 ssl_data->pdu_len = 0;
2240 ssl_data->pdu = NULL;
2249 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2250 int expansion = mbedtls_ssl_get_record_expansion(&m_env->ssl);
2252 if (expansion == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) {
2258#if !COAP_DISABLE_TCP
2259#if COAP_CLIENT_SUPPORT
2262#if !defined(MBEDTLS_SSL_CLI_C)
2266 " libcoap not compiled for Client Mode for Mbed TLS"
2267 " - update Mbed TLS to include Client Mode\n");
2270 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
2280 m_env->last_timeout = now;
2281 c_session->
tls = m_env;
2282 ret = do_mbedtls_handshake(c_session, m_env);
2292#if COAP_SERVER_SUPPORT
2295#if !defined(MBEDTLS_SSL_SRV_C)
2300 " libcoap not compiled for Server Mode for Mbed TLS"
2301 " - update Mbed TLS to include Server Mode\n");
2304 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
2312 c_session->
tls = m_env;
2313 ret = do_mbedtls_handshake(c_session, m_env);
2338 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2339 size_t amount_sent = 0;
2341 assert(m_env != NULL);
2348 if (m_env->established) {
2349 while (amount_sent < data_len) {
2350 ret = mbedtls_ssl_write(&m_env->ssl, &data[amount_sent],
2351 data_len - amount_sent);
2354 case MBEDTLS_ERR_SSL_WANT_READ:
2355 case MBEDTLS_ERR_SSL_WANT_WRITE:
2362 case MBEDTLS_ERR_NET_CONN_RESET:
2363 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2368 "returned -0x%x: '%s'\n",
2369 -ret, get_error_string(ret));
2381 ret = do_mbedtls_handshake(c_session, m_env);
2402 if (ret == (ssize_t)data_len)
2421 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2430 if (!m_env->established && !m_env->sent_alert) {
2431 ret = do_mbedtls_handshake(c_session, m_env);
2440 ret = mbedtls_ssl_read(&m_env->ssl, data, data_len);
2444 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
2448 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2450 m_env->sent_alert = 1;
2453 case MBEDTLS_ERR_SSL_WANT_READ:
2459 "returned -0x%x: '%s' (length %zd)\n",
2460 -ret, get_error_string(ret), data_len);
2464 }
else if (ret < (
int)data_len) {
2465 c_session->
sock.
flags &= ~COAP_SOCKET_CAN_READ;
2493#if COAP_CLIENT_SUPPORT
2494 mbedtls_free(psk_ciphers);
2495 mbedtls_free(pki_ciphers);
2498 processed_ciphers = 0;
2508 if (c_session && c_session->
tls) {
2509 coap_mbedtls_env_t *m_env;
2512 memcpy(&m_env, &c_session->
tls,
sizeof(m_env));
2514 return (
void *)&m_env->ssl;
2523#if !defined(ESPIDF_VERSION)
2533 switch ((
int)level) {
2554 mbedtls_debug_set_threshold(use_level);
2556 keep_log_level = level;
2561 return keep_log_level;
2567 version.
version = mbedtls_version_get_number();
2573#if COAP_SERVER_SUPPORT
2576 mbedtls_sha256_context *digest_ctx = mbedtls_malloc(
sizeof(mbedtls_sha256_context));
2579 mbedtls_sha256_init(digest_ctx);
2580#ifdef MBEDTLS_2_X_COMPAT
2581 if (mbedtls_sha256_starts_ret(digest_ctx, 0) != 0) {
2583 if (mbedtls_sha256_starts(digest_ctx, 0) != 0) {
2593 mbedtls_sha256_free(digest_ctx);
2594 mbedtls_free(digest_ctx);
2599 const uint8_t *data,
2601#ifdef MBEDTLS_2_X_COMPAT
2602 int ret = mbedtls_sha256_update_ret(digest_ctx, data, data_len);
2604 int ret = mbedtls_sha256_update(digest_ctx, data, data_len);
2613#ifdef MBEDTLS_2_X_COMPAT
2614 int ret = mbedtls_sha256_finish_ret(digest_ctx, (uint8_t *)digest_buffer);
2616 int ret = mbedtls_sha256_finish(digest_ctx, (uint8_t *)digest_buffer);
2624#include <mbedtls/cipher.h>
2625#include <mbedtls/md.h>
2627#ifndef MBEDTLS_CIPHER_MODE_AEAD
2628#error need MBEDTLS_CIPHER_MODE_AEAD, please enable MBEDTLS_CCM_C
2631#ifdef MBEDTLS_ERROR_C
2632#include <mbedtls/error.h>
2635#ifdef MBEDTLS_ERROR_C
2638 int c_tmp = (int)(Func); \
2640 char error_buf[64]; \
2641 mbedtls_strerror(c_tmp, error_buf, sizeof(error_buf)); \
2642 coap_log_err("mbedtls: -0x%04x: %s\n", -c_tmp, error_buf); \
2649 int c_tmp = (int)(Func); \
2651 coap_log_err("mbedtls: %d\n", tmp); \
2662static struct hash_algs {
2664 mbedtls_md_type_t hash_type;
2672static mbedtls_md_type_t
2673get_hash_alg(
cose_alg_t alg,
size_t *hash_len) {
2676 for (idx = 0; idx <
sizeof(hashs) /
sizeof(
struct hash_algs); idx++) {
2677 if (hashs[idx].alg == alg) {
2678 *hash_len = hashs[idx].hash_size;
2679 return hashs[idx].hash_type;
2682 coap_log_debug(
"get_hash_alg: COSE hash %d not supported\n", alg);
2683 return MBEDTLS_MD_NONE;
2690 mbedtls_md_context_t ctx;
2692 const mbedtls_md_info_t *md_info;
2696 mbedtls_md_type_t dig_type = get_hash_alg(alg, &hash_length);
2698 if (dig_type == MBEDTLS_MD_NONE) {
2699 coap_log_debug(
"coap_crypto_hash: algorithm %d not supported\n", alg);
2702 md_info = mbedtls_md_info_from_type(dig_type);
2704 len = mbedtls_md_get_size(md_info);
2709 mbedtls_md_init(&ctx);
2710 C(mbedtls_md_setup(&ctx, md_info, 0));
2712 C(mbedtls_md_starts(&ctx));
2713 C(mbedtls_md_update(&ctx, (
const unsigned char *)data->
s, data->
length));
2717 C(mbedtls_md_finish(&ctx,
dummy->s));
2722 mbedtls_md_free(&ctx);
2727#if COAP_OSCORE_SUPPORT
2738static struct cipher_algs {
2740 mbedtls_cipher_type_t cipher_type;
2745static mbedtls_cipher_type_t
2749 for (idx = 0; idx <
sizeof(ciphers) /
sizeof(
struct cipher_algs); idx++) {
2750 if (ciphers[idx].alg == alg)
2751 return ciphers[idx].cipher_type;
2753 coap_log_debug(
"get_cipher_alg: COSE cipher %d not supported\n", alg);
2762static struct hmac_algs {
2764 mbedtls_md_type_t hmac_type;
2771static mbedtls_md_type_t
2775 for (idx = 0; idx <
sizeof(hmacs) /
sizeof(
struct hmac_algs); idx++) {
2776 if (hmacs[idx].hmac_alg == hmac_alg)
2777 return hmacs[idx].hmac_type;
2779 coap_log_debug(
"get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
2785 return get_cipher_alg(alg) != 0;
2794 return get_hmac_alg(hmac_alg) != 0;
2802setup_cipher_context(mbedtls_cipher_context_t *ctx,
2804 const uint8_t *key_data,
2806 mbedtls_operation_t mode) {
2807 const mbedtls_cipher_info_t *cipher_info;
2808 mbedtls_cipher_type_t cipher_type;
2812 memset(key, 0,
sizeof(key));
2814 if ((cipher_type = get_cipher_alg(coap_alg)) == 0) {
2815 coap_log_debug(
"coap_crypto_encrypt: algorithm %d not supported\n",
2819 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
2821 coap_log_crit(
"coap_crypto_encrypt: cannot get cipher info\n");
2825 mbedtls_cipher_init(ctx);
2827 C(mbedtls_cipher_setup(ctx, cipher_info));
2828 klen = mbedtls_cipher_get_key_bitlen(ctx);
2829 if ((klen > (
int)(
sizeof(key) * 8)) || (key_length >
sizeof(key))) {
2833 memcpy(key, key_data, key_length);
2834 C(mbedtls_cipher_setkey(ctx, key, klen, mode));
2839 mbedtls_cipher_free(ctx);
2848 size_t *max_result_len) {
2849 mbedtls_cipher_context_t ctx;
2851#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
2852 unsigned char tag[16];
2855 size_t result_len = *max_result_len;
2861 assert(params != NULL);
2868 if (!setup_cipher_context(&ctx,
2883#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
2884 C(mbedtls_cipher_auth_encrypt(&ctx,
2897 if ((result_len + ccm->
tag_len) > *max_result_len) {
2902 memcpy(result + result_len, tag, ccm->
tag_len);
2903 *max_result_len = result_len + ccm->
tag_len;
2906 C(mbedtls_cipher_auth_encrypt_ext(&ctx,
2918 *max_result_len = result_len;
2923 mbedtls_cipher_free(&ctx);
2932 size_t *max_result_len) {
2933 mbedtls_cipher_context_t ctx;
2935#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
2936 const unsigned char *tag;
2939 size_t result_len = *max_result_len;
2945 assert(params != NULL);
2953 if (!setup_cipher_context(&ctx,
2973#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
2975 C(mbedtls_cipher_auth_decrypt(&ctx,
2988 C(mbedtls_cipher_auth_decrypt_ext(&ctx,
3003 *max_result_len = result_len;
3006 mbedtls_cipher_free(&ctx);
3015 mbedtls_md_context_t ctx;
3017 const int use_hmac = 1;
3018 const mbedtls_md_info_t *md_info;
3019 mbedtls_md_type_t mac_algo;
3027 if ((mac_algo = get_hmac_alg(hmac_alg)) == 0) {
3028 coap_log_debug(
"coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
3031 md_info = mbedtls_md_info_from_type(mac_algo);
3033 len = mbedtls_md_get_size(md_info);
3038 mbedtls_md_init(&ctx);
3039 C(mbedtls_md_setup(&ctx, md_info, use_hmac));
3041 C(mbedtls_md_hmac_starts(&ctx, key->
s, key->
length));
3042 C(mbedtls_md_hmac_update(&ctx, (
const unsigned char *)data->
s, data->
length));
3046 C(mbedtls_md_hmac_finish(&ctx,
dummy->s));
3051 mbedtls_md_free(&ctx);
3063#pragma GCC diagnostic ignored "-Wunused-function"
Pulls together all the internal only header files.
const char * coap_socket_strerror(void)
#define COAP_RXBUFFER_SIZE
#define COAP_SOCKET_WANT_WRITE
non blocking socket is waiting for writing
#define coap_mutex_unlock(a)
#define coap_mutex_lock(a)
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
ssize_t coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
void coap_digest_free(coap_digest_ctx_t *digest_ctx)
Free off coap_digest_ctx_t.
int coap_digest_final(coap_digest_ctx_t *digest_ctx, coap_digest_t *digest_buffer)
Finalize the coap_digest information into the provided digest_buffer.
int coap_digest_update(coap_digest_ctx_t *digest_ctx, const uint8_t *data, size_t data_len)
Update the coap_digest information with the next chunk of data.
coap_digest_ctx_t * coap_digest_setup(void)
Initialize a coap_digest.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_prng(void *buf, size_t len)
Fills buf with len random bytes using the default pseudo random number generator.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
int coap_handle_event(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
void coap_ticks(coap_tick_t *)
Returns the current value of an internal tick counter.
int coap_crypto_hmac(cose_hmac_alg_t hmac_alg, coap_bin_const_t *key, coap_bin_const_t *data, coap_bin_const_t **hmac)
Create a HMAC hash of the provided data.
int coap_crypto_aead_decrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Decrypt the provided encrypted data into plaintext.
int coap_crypto_aead_encrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Encrypt the provided plaintext data.
#define COAP_CRYPTO_MAX_KEY_SIZE
int coap_crypto_hash(cose_alg_t alg, const coap_bin_const_t *data, coap_bin_const_t **hash)
Create a hash of the provided data.
int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg)
Check whether the defined hkdf algorithm is supported by the underlying crypto library.
int coap_crypto_check_cipher_alg(cose_alg_t alg)
Check whether the defined cipher algorithm is supported by the underlying crypto library.
void * coap_tls_new_server_session(coap_session_t *coap_session)
Create a TLS new server-side session.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
void * coap_dtls_new_client_session(coap_session_t *coap_session)
Create a new client-side session.
void * coap_dtls_new_server_session(coap_session_t *coap_session)
Create a new DTLS server-side session.
int coap_dtls_hello(coap_session_t *coap_session, const uint8_t *data, size_t data_len)
Handling client HELLO messages from a new candiate peer.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
int coap_dtls_context_set_cpsk(coap_context_t *coap_context, coap_dtls_cpsk_t *setup_data)
Set the DTLS context's default client PSK information.
int coap_dtls_context_set_spsk(coap_context_t *coap_context, coap_dtls_spsk_t *setup_data)
Set the DTLS context's default server PSK information.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
void * coap_tls_new_client_session(coap_session_t *coap_session)
Create a new TLS client-side session.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
int coap_dtls_psk_is_supported(void)
Check whether (D)TLS PSK is available.
int coap_tls_is_supported(void)
Check whether TLS is available.
int coap_dtls_is_supported(void)
Check whether DTLS is available.
int coap_dtls_pki_is_supported(void)
Check whether (D)TLS PKI is available.
int coap_dtls_rpk_is_supported(void)
Check whether (D)TLS RPK is available.
int coap_dtls_pkcs11_is_supported(void)
Check whether (D)TLS PKCS11 is available.
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_PKCS11
The PKI key type is PKCS11 (DER)
@ COAP_PKI_KEY_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_ASN1
The PKI key type is ASN.1 (DER) buffer.
@ COAP_TLS_LIBRARY_MBEDTLS
Using Mbed TLS library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
#define coap_log_debug(...)
#define coap_log_emerg(...)
coap_log_t coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
#define coap_dtls_log(level,...)
Logging function.
void coap_dtls_set_log_level(coap_log_t level)
Sets the (D)TLS logging level to the specified level.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log_info(...)
#define coap_log_warn(...)
#define coap_log_err(...)
#define coap_log_crit(...)
int coap_netif_available(coap_session_t *session)
Function interface to check whether netif for session is still available.
int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg, cose_hmac_alg_t *hmac_alg)
@ COSE_HMAC_ALG_HMAC384_384
@ COSE_HMAC_ALG_HMAC256_256
@ COSE_HMAC_ALG_HMAC512_512
@ COSE_ALGORITHM_SHA_256_256
@ COSE_ALGORITHM_AES_CCM_16_64_128
@ COSE_ALGORITHM_AES_CCM_16_64_256
int coap_oscore_is_supported(void)
Check whether OSCORE is available.
coap_proto_t
CoAP protocol types.
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
void coap_session_connected(coap_session_t *session)
Notify session that it has just connected or reconnected.
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
#define COAP_PROTO_NOT_RELIABLE(p)
void coap_session_disconnected(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
@ COAP_SESSION_STATE_HANDSHAKE
@ COAP_SESSION_STATE_NONE
coap_binary_t * coap_new_binary(size_t size)
Returns a new binary object with at least size bytes storage allocated.
coap_address_t remote
remote address and port
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
The CoAP stack's global state is stored in a coap_context_t object.
coap_dtls_spsk_t spsk_setup_data
Contains the initial PSK server setup data.
The structure that holds the AES Crypto information.
size_t l
The number of bytes in the length field.
const uint8_t * nonce
must be exactly 15 - l bytes
coap_crypto_key_t key
The Key to use.
size_t tag_len
The size of the Tag.
The common structure that holds the Crypto information.
union coap_crypto_param_t::@2 params
coap_crypto_aes_ccm_t aes
Used if AES type encryption.
cose_alg_t alg
The COSE algorith to use.
The structure used for defining the Client PSK setup data to be used.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
The structure that holds the PKI key information.
coap_pki_key_pem_t pem
for PEM file keys
union coap_dtls_key_t::@3 key
coap_pki_key_pem_buf_t pem_buf
for PEM memory keys
coap_pki_key_t key_type
key format type
coap_pki_key_asn1_t asn1
for ASN.1 (DER) memory keys
The structure used for defining the PKI setup data to be used.
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
void * sni_call_back_arg
Passed in to the SNI callback function.
coap_layer_write_t l_write
coap_layer_establish_t l_establish
const uint8_t * private_key
ASN1 (DER) Private Key.
size_t public_cert_len
ASN1 Public Cert length.
size_t private_key_len
ASN1 Private Key length.
const uint8_t * ca_cert
ASN1 (DER) Common CA Cert.
size_t ca_cert_len
ASN1 CA Cert length.
const uint8_t * public_cert
ASN1 (DER) Public Cert, or Public Key if RPK.
size_t ca_cert_len
PEM buffer CA Cert length.
const uint8_t * ca_cert
PEM buffer Common CA Cert.
size_t private_key_len
PEM buffer Private Key length.
const uint8_t * private_key
PEM buffer Private Key If RPK and 'EC PRIVATE KEY' this can be used for both the public_cert and priv...
size_t public_cert_len
PEM buffer Public Cert length.
const uint8_t * public_cert
PEM buffer Public Cert, or Public Key if RPK.
const char * ca_file
File location of Common CA (and any intermediates) in PEM format.
const char * public_cert
File location of Public Cert.
const char * private_key
File location of Private Key in PEM format.
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_endpoint_t * endpoint
session's endpoint
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationship with peer
coap_addr_tuple_t addr_info
remote/local address info
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
int dtls_event
Tracking any (D)TLS events on this session.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_context_t * context
session's context
coap_layer_func_t lfunc[COAP_LAYER_LAST]
Layer functions to use.
coap_socket_flags_t flags
1 or more of COAP_SOCKET* flag values
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version