37#if COAP_WITH_LIBMBEDTLS
53#include <mbedtls/version.h>
56#if (MBEDTLS_VERSION_NUMBER < 0x03000000)
57#define MBEDTLS_2_X_COMPAT
60#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
61#define MBEDTLS_ALLOW_PRIVATE_ACCESS
65#include <mbedtls/platform.h>
66#include <mbedtls/net_sockets.h>
67#include <mbedtls/ssl.h>
68#include <mbedtls/entropy.h>
69#include <mbedtls/ctr_drbg.h>
70#include <mbedtls/error.h>
71#include <mbedtls/timing.h>
72#include <mbedtls/ssl_cookie.h>
73#include <mbedtls/oid.h>
74#include <mbedtls/debug.h>
75#include <mbedtls/sha256.h>
76#if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
77#include <mbedtls/esp_debug.h>
79#if defined(MBEDTLS_PSA_CRYPTO_C)
80#include <psa/crypto.h>
87strndup(
const char *s1,
size_t n) {
88 char *copy = (
char *)malloc(n + 1);
97#define mbedtls_malloc(a) malloc(a)
98#define mbedtls_realloc(a,b) realloc(a,b)
99#define mbedtls_strdup(a) strdup(a)
100#define mbedtls_strndup(a,b) strndup(a,b)
102#define mbedtls_free(a) free(a)
104#ifndef MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
106#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
107#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
111#if ! COAP_SERVER_SUPPORT
112#undef MBEDTLS_SSL_SRV_C
114#if ! COAP_CLIENT_SUPPORT
115#undef MBEDTLS_SSL_CLI_C
119#define strcasecmp _stricmp
122#define IS_PSK (1 << 0)
123#define IS_PKI (1 << 1)
124#define IS_CLIENT (1 << 6)
125#define IS_SERVER (1 << 7)
127typedef struct coap_ssl_t {
138typedef struct coap_mbedtls_env_t {
139 mbedtls_ssl_context ssl;
140 mbedtls_entropy_context entropy;
141 mbedtls_ctr_drbg_context ctr_drbg;
142 mbedtls_ssl_config conf;
143 mbedtls_timing_delay_context timer;
144 mbedtls_x509_crt cacert;
145 mbedtls_x509_crt public_cert;
146 mbedtls_pk_context private_key;
147 mbedtls_ssl_cookie_ctx cookie_ctx;
151 int seen_client_hello;
154 unsigned int retry_scalar;
155 coap_ssl_t coap_ssl_data;
156 uint32_t server_hello_cnt;
159typedef struct pki_sni_entry {
162 mbedtls_x509_crt cacert;
163 mbedtls_x509_crt public_cert;
164 mbedtls_pk_context private_key;
167typedef struct psk_sni_entry {
172typedef struct coap_mbedtls_context_t {
174 size_t pki_sni_count;
175 pki_sni_entry *pki_sni_entry_list;
176 size_t psk_sni_count;
177 psk_sni_entry *psk_sni_entry_list;
180 int trust_store_defined;
182} coap_mbedtls_context_t;
184typedef enum coap_enc_method_t {
196} zephyr_timing_delay_context;
199zephyr_timing_set_delay(
void *data, uint32_t int_ms, uint32_t fin_ms) {
200 zephyr_timing_delay_context *ctx = (zephyr_timing_delay_context *)data;
206 ctx->start_time = k_uptime_get_32();
209 ctx->int_time = ctx->start_time + int_ms;
210 ctx->fin_time = ctx->start_time + fin_ms;
218zephyr_timing_get_delay(
void *data) {
219 zephyr_timing_delay_context *ctx = (zephyr_timing_delay_context *)data;
222 if (ctx == NULL || ctx->fin_time == 0) {
226 now = k_uptime_get_32();
228 if (now >= ctx->fin_time) {
232 if (now >= ctx->int_time) {
241#ifndef MBEDTLS_2_X_COMPAT
246coap_rng(
void *ctx
COAP_UNUSED,
unsigned char *buf,
size_t len) {
247 return coap_prng_lkd(buf, len) ? 0 : MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
252coap_dgram_read(
void *ctx,
unsigned char *out,
size_t outl) {
257 if (!c_session->
tls) {
259 return MBEDTLS_ERR_SSL_WANT_READ;
261 data = &((coap_mbedtls_env_t *)c_session->
tls)->coap_ssl_data;
264 if (data->pdu_len > 0) {
265 if (outl < data->pdu_len) {
266 memcpy(out, data->pdu, outl);
269 data->pdu_len -= outl;
271 memcpy(out, data->pdu, data->pdu_len);
273 if (!data->peekmode) {
279 ret = MBEDTLS_ERR_SSL_WANT_READ;
293coap_dgram_write(
void *ctx,
const unsigned char *send_buffer,
294 size_t send_buffer_length) {
299 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
311 send_buffer, send_buffer_length);
312 if (result != (ssize_t)send_buffer_length) {
313 int keep_errno = errno;
316 result, send_buffer_length);
319 if (errno == ENOTCONN || errno == ECONNREFUSED)
328 m_env->last_timeout = now;
336#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && defined(MBEDTLS_SSL_SRV_C)
341psk_server_callback(
void *p_info, mbedtls_ssl_context *ssl,
342 const unsigned char *identity,
size_t identity_len) {
345 coap_mbedtls_env_t *m_env;
349 if (c_session == NULL)
353 lidentity.
s = identity ? (
const uint8_t *)identity : (const uint8_t *)
"";
354 lidentity.
length = identity ? identity_len : 0;
358 (
int)lidentity.
length, (
const char *)lidentity.
s);
360 m_env = (coap_mbedtls_env_t *)c_session->
tls;
375 mbedtls_ssl_set_hs_psk(ssl, psk_key->
s, psk_key->
length);
376 m_env->seen_client_hello = 1;
382get_san_or_cn_from_cert(mbedtls_x509_crt *crt) {
384 const mbedtls_asn1_named_data *cn_data;
386 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
387 mbedtls_asn1_sequence *seq = &crt->subject_alt_names;
388 while (seq && seq->buf.p == NULL) {
393 return mbedtls_strndup((
const char *)seq->buf.p,
398 cn_data = mbedtls_asn1_find_named_data(&crt->subject,
400 MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN));
403 return mbedtls_strndup((
const char *)cn_data->val.p,
410#if COAP_MAX_LOGGING_LEVEL > 0
412get_error_string(
int ret) {
413 static char buf[128] = {0};
414 mbedtls_strerror(ret, buf,
sizeof(buf)-1);
420self_signed_cert_verify_callback_mbedtls(
void *data,
425 const coap_mbedtls_context_t *m_context =
429 if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
431 *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
442cert_verify_callback_mbedtls(
void *data, mbedtls_x509_crt *crt,
443 int depth, uint32_t *flags) {
445 coap_mbedtls_context_t *m_context =
453 cn = get_san_or_cn_from_cert(crt);
455 if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
457 *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
460 "The certificate has expired", cn ? cn :
"?", depth);
463 if (*flags & MBEDTLS_X509_BADCERT_FUTURE) {
465 *flags &= ~MBEDTLS_X509_BADCERT_FUTURE;
468 "The certificate has a future date", cn ? cn :
"?", depth);
471 if (*flags & MBEDTLS_X509_BADCERT_BAD_MD) {
473 *flags &= ~MBEDTLS_X509_BADCERT_BAD_MD;
476 "The certificate has a bad MD hash", cn ? cn :
"?", depth);
479 if (*flags & MBEDTLS_X509_BADCERT_BAD_KEY) {
481 *flags &= ~MBEDTLS_X509_BADCERT_BAD_KEY;
484 "The certificate has a short RSA length", cn ? cn :
"?", depth);
487 if (*flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
489 int self_signed = !mbedtls_x509_crt_verify(crt, crt, NULL, NULL, &lflags,
490 self_signed_cert_verify_callback_mbedtls,
492 if (self_signed && depth == 0) {
495 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
499 cn ? cn :
"?", depth);
501 }
else if (self_signed) {
503 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
506 "Self-signed", cn ? cn :
"?", depth);
510 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
513 "The certificate's CA is not trusted", cn ? cn :
"?", depth);
517 if (*flags & MBEDTLS_X509_BADCRL_EXPIRED) {
519 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
522 "The certificate's CRL has expired", cn ? cn :
"?", depth);
524 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
527 if (*flags & MBEDTLS_X509_BADCRL_FUTURE) {
529 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
532 "The certificate's CRL has a future date", cn ? cn :
"?", depth);
534 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
539 *flags |= MBEDTLS_X509_BADCERT_OTHER;
542 "The certificate's verify depth is too long",
543 cn ? cn :
"?", depth);
546 if (*flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
547 *flags &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
561 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
567 int ret = mbedtls_x509_crt_verify_info(buf,
sizeof(buf),
"", *flags);
570 tcp = strchr(buf,
'\n');
575 buf, *flags, cn ? cn :
"?", depth);
576 tcp = strchr(tcp+1,
'\n');
579 coap_log_err(
"mbedtls_x509_crt_verify_info returned -0x%x: '%s'\n",
580 -ret, get_error_string(ret));
591setup_pki_credentials(mbedtls_x509_crt *cacert,
592 mbedtls_x509_crt *public_cert,
593 mbedtls_pk_context *private_key,
594 coap_mbedtls_env_t *m_env,
595 coap_mbedtls_context_t *m_context,
601 int done_private_key = 0;
602 int done_public_cert = 0;
620#if defined(MBEDTLS_FS_IO)
621 mbedtls_pk_init(private_key);
622#ifdef MBEDTLS_2_X_COMPAT
623 ret = mbedtls_pk_parse_keyfile(private_key,
626 ret = mbedtls_pk_parse_keyfile(private_key,
628 NULL, coap_rng, (
void *)&m_env->ctr_drbg);
635 done_private_key = 1;
643 mbedtls_pk_init(private_key);
647 buffer = mbedtls_malloc(length + 1);
653 buffer[length] =
'\000';
655#ifdef MBEDTLS_2_X_COMPAT
656 ret = mbedtls_pk_parse_key(private_key, buffer, length, NULL, 0);
658 ret = mbedtls_pk_parse_key(private_key, buffer, length,
659 NULL, 0, coap_rng, (
void *)&m_env->ctr_drbg);
661 mbedtls_free(buffer);
663#ifdef MBEDTLS_2_X_COMPAT
664 ret = mbedtls_pk_parse_key(private_key,
668 ret = mbedtls_pk_parse_key(private_key,
671 NULL, 0, coap_rng, (
void *)&m_env->ctr_drbg);
679 done_private_key = 1;
682 mbedtls_pk_init(private_key);
683#ifdef MBEDTLS_2_X_COMPAT
684 ret = mbedtls_pk_parse_key(private_key,
688 ret = mbedtls_pk_parse_key(private_key,
691 (
void *)&m_env->ctr_drbg);
698 done_private_key = 1;
726#if defined(MBEDTLS_FS_IO)
727 mbedtls_x509_crt_init(public_cert);
728 ret = mbedtls_x509_crt_parse_file(public_cert,
735 done_public_cert = 1;
743 mbedtls_x509_crt_init(public_cert);
748 buffer = mbedtls_malloc(length + 1);
754 buffer[length] =
'\000';
756 ret = mbedtls_x509_crt_parse(public_cert, buffer, length);
757 mbedtls_free(buffer);
759 ret = mbedtls_x509_crt_parse(public_cert,
768 done_public_cert = 1;
775 mbedtls_x509_crt_init(public_cert);
776 ret = mbedtls_x509_crt_parse(public_cert,
784 done_public_cert = 1;
802 if (done_private_key && done_public_cert) {
803 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
805 coap_log_err(
"mbedtls_ssl_conf_own_cert returned -0x%x: '%s'\n",
806 -ret, get_error_string(ret));
821#if defined(MBEDTLS_FS_IO)
822 mbedtls_x509_crt_init(cacert);
823 ret = mbedtls_x509_crt_parse_file(cacert,
830 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
838 mbedtls_x509_crt_init(cacert);
842 buffer = mbedtls_malloc(length + 1);
848 buffer[length] =
'\000';
850 ret = mbedtls_x509_crt_parse(cacert, buffer, length);
851 mbedtls_free(buffer);
853 ret = mbedtls_x509_crt_parse(cacert,
862 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
869 mbedtls_x509_crt_init(cacert);
870 ret = mbedtls_x509_crt_parse(cacert,
878 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
892#if defined(MBEDTLS_FS_IO)
893 if (m_context->root_ca_file) {
894 ret = mbedtls_x509_crt_parse_file(cacert, m_context->root_ca_file);
901 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
903 if (m_context->root_ca_path) {
904 ret = mbedtls_x509_crt_parse_path(cacert, m_context->root_ca_path);
911 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
913 if (m_context->trust_store_defined) {
915 const char *trust_list[] = {
916 "/etc/ssl/ca-bundle.pem",
917 "/etc/ssl/certs/ca-certificates.crt",
918 "/etc/pki/tls/cert.pem",
919 "/usr/local/share/certs/ca-root-nss.crt",
922 static const char *trust_file_found = NULL;
923 static int trust_file_done = 0;
926 if (trust_file_found) {
927 ret = mbedtls_x509_crt_parse_file(cacert, trust_file_found);
929 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
934 }
else if (!trust_file_done) {
936 for (i = 0; i <
sizeof(trust_list)/
sizeof(trust_list[0]); i++) {
937 ret = mbedtls_x509_crt_parse_file(cacert, trust_list[i]);
939 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
940 trust_file_found = trust_list[i];
944 if (i ==
sizeof(trust_list)/
sizeof(trust_list[0])) {
956#if defined(MBEDTLS_SSL_SRV_C)
957 mbedtls_ssl_conf_cert_req_ca_list(&m_env->conf,
959 MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED :
960 MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
963 MBEDTLS_SSL_VERIFY_REQUIRED :
964 MBEDTLS_SSL_VERIFY_NONE);
969 mbedtls_ssl_conf_verify(&m_env->conf,
970 cert_verify_callback_mbedtls, c_session);
975#if defined(MBEDTLS_SSL_SRV_C)
980pki_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
981 const unsigned char *uname,
size_t name_len) {
985 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
986 coap_mbedtls_context_t *m_context =
990 name = mbedtls_malloc(name_len+1);
994 memcpy(name, uname, name_len);
995 name[name_len] =
'\000';
998 for (i = 0; i < m_context->pki_sni_count; i++) {
999 if (strcasecmp(name, m_context->pki_sni_entry_list[i].sni) == 0) {
1003 if (i == m_context->pki_sni_count) {
1008 pki_sni_entry *pki_sni_entry_list;
1011 m_context->setup_data.validate_sni_call_back(name,
1012 m_context->setup_data.sni_call_back_arg));
1018 pki_sni_entry_list = mbedtls_realloc(m_context->pki_sni_entry_list,
1019 (i+1)*
sizeof(pki_sni_entry));
1021 if (pki_sni_entry_list == NULL) {
1025 m_context->pki_sni_entry_list = pki_sni_entry_list;
1026 memset(&m_context->pki_sni_entry_list[i], 0,
1027 sizeof(m_context->pki_sni_entry_list[i]));
1028 m_context->pki_sni_entry_list[i].sni = name;
1029 m_context->pki_sni_entry_list[i].pki_key = *new_entry;
1030 sni_setup_data = m_context->setup_data;
1031 sni_setup_data.pki_key = *new_entry;
1032 if (setup_pki_credentials(&m_context->pki_sni_entry_list[i].cacert,
1033 &m_context->pki_sni_entry_list[i].public_cert,
1034 &m_context->pki_sni_entry_list[i].private_key,
1043 m_context->pki_sni_count++;
1048 mbedtls_ssl_set_hs_ca_chain(ssl, &m_context->pki_sni_entry_list[i].cacert,
1050 return mbedtls_ssl_set_hs_own_cert(ssl,
1051 &m_context->pki_sni_entry_list[i].public_cert,
1052 &m_context->pki_sni_entry_list[i].private_key);
1055#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1060psk_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
1061 const unsigned char *uname,
size_t name_len) {
1064 coap_mbedtls_context_t *m_context =
1068 name = mbedtls_malloc(name_len+1);
1072 memcpy(name, uname, name_len);
1073 name[name_len] =
'\000';
1076 for (i = 0; i < m_context->psk_sni_count; i++) {
1077 if (strcasecmp(name, m_context->psk_sni_entry_list[i].sni) == 0) {
1081 if (i == m_context->psk_sni_count) {
1086 psk_sni_entry *psk_sni_entry_list;
1097 psk_sni_entry_list = mbedtls_realloc(m_context->psk_sni_entry_list,
1098 (i+1)*
sizeof(psk_sni_entry));
1100 if (psk_sni_entry_list == NULL) {
1104 m_context->psk_sni_entry_list = psk_sni_entry_list;
1105 m_context->psk_sni_entry_list[i].sni = name;
1106 m_context->psk_sni_entry_list[i].psk_info = *new_entry;
1108 m_context->psk_sni_count++;
1114 &m_context->psk_sni_entry_list[i].psk_info.hint);
1116 &m_context->psk_sni_entry_list[i].psk_info.key);
1117 return mbedtls_ssl_set_hs_psk(ssl,
1118 m_context->psk_sni_entry_list[i].psk_info.key.s,
1119 m_context->psk_sni_entry_list[i].psk_info.key.length);
1125 coap_mbedtls_env_t *m_env) {
1126 coap_mbedtls_context_t *m_context =
1129 m_context->psk_pki_enabled |= IS_SERVER;
1131 mbedtls_ssl_cookie_init(&m_env->cookie_ctx);
1132 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
1133 MBEDTLS_SSL_IS_SERVER,
1135 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
1136 MBEDTLS_SSL_TRANSPORT_STREAM,
1137 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
1138 coap_log_err(
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
1139 -ret, get_error_string(ret));
1143 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
1145#if defined(MBEDTLS_SSL_PROTO_DTLS)
1146 mbedtls_ssl_conf_handshake_timeout(&m_env->conf, COAP_DTLS_RETRANSMIT_MS,
1147 COAP_DTLS_RETRANSMIT_TOTAL_MS);
1150 if (m_context->psk_pki_enabled & IS_PSK) {
1151#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1152 mbedtls_ssl_conf_psk_cb(&m_env->conf, psk_server_callback, c_session);
1154 mbedtls_ssl_conf_sni(&m_env->conf, psk_sni_callback, c_session);
1156#ifdef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1164 if (m_context->psk_pki_enabled & IS_PKI) {
1165 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
1166 &m_env->private_key, m_env, m_context,
1167 c_session, &m_context->setup_data,
1173 if (m_context->setup_data.validate_sni_call_back) {
1174 mbedtls_ssl_conf_sni(&m_env->conf, pki_sni_callback, c_session);
1178 if ((ret = mbedtls_ssl_cookie_setup(&m_env->cookie_ctx,
1179 mbedtls_ctr_drbg_random,
1180 &m_env->ctr_drbg)) != 0) {
1181 coap_log_err(
"mbedtls_ssl_cookie_setup: returned -0x%x: '%s'\n",
1182 -ret, get_error_string(ret));
1186#if defined(MBEDTLS_SSL_PROTO_DTLS)
1187 mbedtls_ssl_conf_dtls_cookies(&m_env->conf, mbedtls_ssl_cookie_write,
1188 mbedtls_ssl_cookie_check,
1189 &m_env->cookie_ctx);
1190#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1191 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1194#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1202 mbedtls_ssl_conf_cid(&m_env->conf, COAP_DTLS_CID_LENGTH, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE);
1209#if COAP_CLIENT_SUPPORT
1210static int *psk_ciphers = NULL;
1211static int *pki_ciphers = NULL;
1212static int *ecjpake_ciphers = NULL;
1213static int processed_ciphers = 0;
1215#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1217coap_ssl_ciphersuite_uses_psk(
const mbedtls_ssl_ciphersuite_t *info) {
1218#if MBEDTLS_VERSION_NUMBER >= 0x03060000
1219 switch (info->key_exchange) {
1220 case MBEDTLS_KEY_EXCHANGE_PSK:
1221 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
1222 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
1223 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
1225 case MBEDTLS_KEY_EXCHANGE_NONE:
1226 case MBEDTLS_KEY_EXCHANGE_RSA:
1227 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
1228 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
1229 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
1230 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
1231 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
1232 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
1237 return mbedtls_ssl_ciphersuite_uses_psk(info);
1243set_ciphersuites(mbedtls_ssl_config *conf, coap_enc_method_t method) {
1244 if (!processed_ciphers) {
1245 const int *list = mbedtls_ssl_list_ciphersuites();
1246 const int *base = list;
1249#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1251 int ecjpake_count = 1;
1257 const mbedtls_ssl_ciphersuite_t *cur =
1258 mbedtls_ssl_ciphersuite_from_id(*list);
1261#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1262 if (cur->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2) {
1266 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
1270#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1271 else if (cur->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1275#if MBEDTLS_VERSION_NUMBER >= 0x03060000
1276 else if (cur->min_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3) {
1281#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1282 else if (coap_ssl_ciphersuite_uses_psk(cur)) {
1294 psk_ciphers = mbedtls_malloc(psk_count *
sizeof(psk_ciphers[0]));
1295 if (psk_ciphers == NULL) {
1296 coap_log_err(
"set_ciphers: mbedtls_malloc with count %d failed\n", psk_count);
1299 pki_ciphers = mbedtls_malloc(pki_count *
sizeof(pki_ciphers[0]));
1300 if (pki_ciphers == NULL) {
1301 coap_log_err(
"set_ciphers: mbedtls_malloc with count %d failed\n", pki_count);
1302 mbedtls_free(psk_ciphers);
1306#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1307 ecjpake_ciphers = mbedtls_malloc(ecjpake_count *
sizeof(ecjpake_ciphers[0]));
1308 if (ecjpake_ciphers == NULL) {
1309 coap_log_err(
"set_ciphers: mbedtls_malloc with count %d failed\n", pki_count);
1310 mbedtls_free(psk_ciphers);
1311 mbedtls_free(pki_ciphers);
1318 psk_list = psk_ciphers;
1319 pki_list = pki_ciphers;
1320#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1321 ecjpake_list = ecjpake_ciphers;
1325 const mbedtls_ssl_ciphersuite_t *cur =
1326 mbedtls_ssl_ciphersuite_from_id(*list);
1328#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1329 if (cur->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2) {
1333 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
1337#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1338 else if (cur->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1339 *ecjpake_list = *list;
1343#if MBEDTLS_VERSION_NUMBER >= 0x03060000
1344 else if (cur->min_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3) {
1351#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1352 else if (coap_ssl_ciphersuite_uses_psk(cur)) {
1367 processed_ciphers = 1;
1371 mbedtls_ssl_conf_ciphersuites(conf, psk_ciphers);
1374 mbedtls_ssl_conf_ciphersuites(conf, pki_ciphers);
1376 case COAP_ENC_ECJPAKE:
1377 mbedtls_ssl_conf_ciphersuites(conf, ecjpake_ciphers);
1387 coap_mbedtls_env_t *m_env) {
1390 coap_mbedtls_context_t *m_context =
1393 m_context->psk_pki_enabled |= IS_CLIENT;
1395 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
1396 MBEDTLS_SSL_IS_CLIENT,
1398 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
1399 MBEDTLS_SSL_TRANSPORT_STREAM,
1400 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
1401 coap_log_err(
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
1402 -ret, get_error_string(ret));
1406#if defined(MBEDTLS_SSL_PROTO_DTLS)
1407 mbedtls_ssl_conf_handshake_timeout(&m_env->conf, COAP_DTLS_RETRANSMIT_MS,
1408 COAP_DTLS_RETRANSMIT_TOTAL_MS);
1411 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
1412 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
1414 if (m_context->psk_pki_enabled & IS_PSK) {
1415#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1423 if (psk_key == NULL || psk_identity == NULL) {
1424 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1428 if ((ret = mbedtls_ssl_conf_psk(&m_env->conf, psk_key->
s,
1429 psk_key->
length, psk_identity->
s,
1430 psk_identity->
length)) != 0) {
1431 coap_log_err(
"mbedtls_ssl_conf_psk returned -0x%x: '%s'\n",
1432 -ret, get_error_string(ret));
1436 if ((ret = mbedtls_ssl_set_hostname(&m_env->ssl,
1438 coap_log_err(
"mbedtls_ssl_set_hostname returned -0x%x: '%s'\n",
1439 -ret, get_error_string(ret));
1445#ifdef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1447 m_env->ec_jpake = 1;
1448 set_ciphersuites(&m_env->conf, COAP_ENC_ECJPAKE);
1449#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1450 mbedtls_ssl_conf_max_tls_version(&m_env->conf, MBEDTLS_SSL_VERSION_TLS1_2);
1453 set_ciphersuites(&m_env->conf, COAP_ENC_PSK);
1456 set_ciphersuites(&m_env->conf, COAP_ENC_PSK);
1461 }
else if ((m_context->psk_pki_enabled & IS_PKI) ||
1462 (m_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
1469 if (!(m_context->psk_pki_enabled & IS_PKI)) {
1483 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
1484 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
1485 &m_env->private_key, m_env, m_context,
1486 c_session, setup_data,
1492#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN)
1495 static const char *alpn_list[] = {
"coap", NULL };
1497 ret = mbedtls_ssl_conf_alpn_protocols(&m_env->conf, alpn_list);
1503 mbedtls_ssl_set_hostname(&m_env->ssl, m_context->setup_data.client_sni);
1504#if defined(MBEDTLS_SSL_PROTO_DTLS)
1505#if MBEDTLS_VERSION_NUMBER >= 0x02100100
1506 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
1509 set_ciphersuites(&m_env->conf, COAP_ENC_PKI);
1519mbedtls_cleanup(coap_mbedtls_env_t *m_env) {
1524 mbedtls_x509_crt_free(&m_env->cacert);
1525 mbedtls_x509_crt_free(&m_env->public_cert);
1526 mbedtls_pk_free(&m_env->private_key);
1527 mbedtls_entropy_free(&m_env->entropy);
1528 mbedtls_ssl_config_free(&m_env->conf);
1529 mbedtls_ctr_drbg_free(&m_env->ctr_drbg);
1530 mbedtls_ssl_free(&m_env->ssl);
1531 mbedtls_ssl_cookie_free(&m_env->cookie_ctx);
1535coap_dtls_free_mbedtls_env(coap_mbedtls_env_t *m_env) {
1537 if (!m_env->sent_alert)
1538 mbedtls_ssl_close_notify(&m_env->ssl);
1539 mbedtls_cleanup(m_env);
1540 mbedtls_free(m_env);
1544#if COAP_MAX_LOGGING_LEVEL > 0
1546report_mbedtls_alert(
unsigned char alert) {
1548 case MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC:
1549 return ": Bad Record MAC";
1550 case MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE:
1551 return ": Handshake failure";
1552 case MBEDTLS_SSL_ALERT_MSG_NO_CERT:
1553 return ": No Certificate provided";
1554 case MBEDTLS_SSL_ALERT_MSG_BAD_CERT:
1555 return ": Certificate is bad";
1556 case MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN:
1557 return ": Certificate is unknown";
1558 case MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA:
1559 return ": CA is unknown";
1560 case MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED:
1561 return ": Access was denied";
1562 case MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR:
1563 return ": Decrypt error";
1577 coap_mbedtls_env_t *m_env) {
1581 ret = mbedtls_ssl_handshake(&m_env->ssl);
1584 m_env->established = 1;
1588#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1589#if COAP_CLIENT_SUPPORT
1592 coap_mbedtls_context_t *m_context;
1596 m_context->setup_data.use_cid) {
1597 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1599 size_t peer_cid_len;
1602 if (mbedtls_ssl_get_peer_cid(&m_env->ssl, &enabled, peer_cid, &peer_cid_len) == 0 &&
1603 enabled == MBEDTLS_SSL_CID_ENABLED) {
1614 case MBEDTLS_ERR_SSL_WANT_READ:
1615 case MBEDTLS_ERR_SSL_WANT_WRITE:
1616 if (m_env->ssl.state == MBEDTLS_SSL_SERVER_HELLO
1617#
if MBEDTLS_VERSION_NUMBER >= 0x03030000
1618 || m_env->ssl.state == MBEDTLS_SSL_NEW_SESSION_TICKET
1621 if (++m_env->server_hello_cnt > 10) {
1629 case MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED:
1632 case MBEDTLS_ERR_SSL_INVALID_MAC:
1634#ifdef MBEDTLS_2_X_COMPAT
1635 case MBEDTLS_ERR_SSL_UNKNOWN_CIPHER:
1637 case MBEDTLS_ERR_SSL_DECODE_ERROR:
1640 case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE:
1641 alert = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
1643#ifdef MBEDTLS_2_X_COMPAT
1644 case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO:
1645 case MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO:
1646 alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE;
1649 case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
1651 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1652 if (m_env->ssl.in_msg[1] != MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)
1655 report_mbedtls_alert(m_env->ssl.in_msg[1]));
1657 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
1658 case MBEDTLS_ERR_SSL_CONN_EOF:
1659 case MBEDTLS_ERR_NET_CONN_RESET:
1665 "returned -0x%x: '%s'\n",
1666 -ret, get_error_string(ret));
1673 mbedtls_ssl_send_alert_message(&m_env->ssl,
1674 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1676 m_env->sent_alert = 1;
1681 get_error_string(ret));
1683 mbedtls_ssl_session_reset(&m_env->ssl);
1684#ifdef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1685 if (m_env->ec_jpake) {
1688#if COAP_CLIENT_SUPPORT && COAP_SERVER_SUPPORT
1694#elif COAP_CLIENT_SUPPORT
1700 mbedtls_ssl_set_hs_ecjpake_password(&m_env->ssl, psk_key->
s, psk_key->
length);
1708mbedtls_debug_out(
void *ctx
COAP_UNUSED,
int level,
1741#if !COAP_DISABLE_TCP
1749coap_sock_read(
void *ctx,
unsigned char *out,
size_t outl) {
1750 int ret = MBEDTLS_ERR_SSL_CONN_EOF;
1757 if (errno == ECONNRESET) {
1759 ret = MBEDTLS_ERR_SSL_CONN_EOF;
1761 ret = MBEDTLS_ERR_NET_RECV_FAILED;
1763 }
else if (ret == 0) {
1765 ret = MBEDTLS_ERR_SSL_WANT_READ;
1778coap_sock_write(
void *context,
const unsigned char *in,
size_t inl) {
1783 (
const uint8_t *)in,
1789 (errno == EPIPE || errno == ECONNRESET)) {
1804 int lasterror = WSAGetLastError();
1806 if (lasterror == WSAEWOULDBLOCK) {
1807 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1808 }
else if (lasterror == WSAECONNRESET) {
1809 ret = MBEDTLS_ERR_NET_CONN_RESET;
1812 if (errno == EAGAIN || errno == EINTR) {
1813 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1814 }
else if (errno == EPIPE || errno == ECONNRESET) {
1815 ret = MBEDTLS_ERR_NET_CONN_RESET;
1819 ret = MBEDTLS_ERR_NET_SEND_FAILED;
1828 ret = MBEDTLS_ERR_SSL_WANT_WRITE;
1834static coap_mbedtls_env_t *
1839 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1844 m_env = (coap_mbedtls_env_t *)mbedtls_malloc(
sizeof(coap_mbedtls_env_t));
1848 memset(m_env, 0,
sizeof(coap_mbedtls_env_t));
1850 mbedtls_ssl_init(&m_env->ssl);
1851 mbedtls_ctr_drbg_init(&m_env->ctr_drbg);
1852 mbedtls_ssl_config_init(&m_env->conf);
1853 mbedtls_entropy_init(&m_env->entropy);
1855#if defined(MBEDTLS_PSA_CRYPTO_C)
1859#if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
1860 mbedtls_esp_enable_debug_log(&m_env->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
1862 if ((ret = mbedtls_ctr_drbg_seed(&m_env->ctr_drbg,
1863 mbedtls_entropy_func, &m_env->entropy, NULL, 0)) != 0) {
1864 if (ret != MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) {
1865 coap_log_info(
"mbedtls_ctr_drbg_seed returned -0x%x: '%s'\n",
1866 -ret, get_error_string(ret));
1869 coap_log_err(
"mbedtls_ctr_drbg_seed returned -0x%x: '%s'\n",
1870 -ret, get_error_string(ret));
1874#if COAP_CLIENT_SUPPORT
1875 if (setup_client_ssl_session(c_session, m_env) != 0) {
1882#if defined(MBEDTLS_SSL_SRV_C)
1883 if (setup_server_ssl_session(c_session, m_env) != 0) {
1893#if MBEDTLS_VERSION_NUMBER >= 0x03020000
1894 mbedtls_ssl_conf_min_tls_version(&m_env->conf, MBEDTLS_SSL_VERSION_TLS1_2);
1896 mbedtls_ssl_conf_min_version(&m_env->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
1897 MBEDTLS_SSL_MINOR_VERSION_3);
1900 if (mbedtls_ssl_setup(&m_env->ssl, &m_env->conf) != 0) {
1904 mbedtls_ssl_set_bio(&m_env->ssl, c_session, coap_dgram_write,
1905 coap_dgram_read, NULL);
1906#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
1909#if COAP_CLIENT_SUPPORT
1910 coap_mbedtls_context_t *m_context =
1914 m_context->setup_data.use_cid) {
1922 mbedtls_ssl_set_cid(&m_env->ssl, MBEDTLS_SSL_CID_ENABLED, NULL, 0);
1926#if COAP_SERVER_SUPPORT
1927 uint8_t cid[COAP_DTLS_CID_LENGTH];
1936 mbedtls_ssl_set_cid(&m_env->ssl, MBEDTLS_SSL_CID_ENABLED, cid,
1944#if !COAP_DISABLE_TCP
1947 mbedtls_ssl_set_bio(&m_env->ssl, c_session, coap_sock_write,
1948 coap_sock_read, NULL);
1951#ifdef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
1952 coap_mbedtls_context_t *m_context =
1954 if ((m_context->psk_pki_enabled & IS_PSK) &&
1958#if COAP_CLIENT_SUPPORT && COAP_SERVER_SUPPORT
1964#elif COAP_CLIENT_SUPPORT
1969 mbedtls_ssl_set_hs_ecjpake_password(&m_env->ssl, psk_key->
s, psk_key->
length);
1973 mbedtls_ssl_set_timer_cb(&m_env->ssl, &m_env->timer,
1974 zephyr_timing_set_delay,
1975 zephyr_timing_get_delay);
1977 mbedtls_ssl_set_timer_cb(&m_env->ssl, &m_env->timer,
1978 mbedtls_timing_set_delay,
1979 mbedtls_timing_get_delay);
1982 mbedtls_ssl_conf_dbg(&m_env->conf, mbedtls_debug_out, stdout);
1987 mbedtls_free(m_env);
1994#if defined(MBEDTLS_SSL_PROTO_DTLS)
1997 static int reported = 0;
2001 " - update Mbed TLS to include DTLS\n");
2009#if !COAP_DISABLE_TCP
2058#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
2065#if COAP_CLIENT_SUPPORT
2068#ifdef MBEDTLS_SSL_DTLS_CONNECTION_ID
2081 coap_mbedtls_context_t *m_context;
2084 m_context = (coap_mbedtls_context_t *)mbedtls_malloc(
sizeof(coap_mbedtls_context_t));
2086 memset(m_context, 0,
sizeof(coap_mbedtls_context_t));
2091#if COAP_SERVER_SUPPORT
2100 coap_mbedtls_context_t *m_context =
2103#if !defined(MBEDTLS_SSL_SRV_C)
2105 " libcoap not compiled for Server Mode for Mbed TLS"
2106 " - update Mbed TLS to include Server Mode\n");
2109 if (!m_context || !setup_data)
2113#ifndef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
2114 coap_log_warn(
"Mbed TLS not compiled for EC-JPAKE support\n");
2117 m_context->psk_pki_enabled |= IS_PSK;
2122#if COAP_CLIENT_SUPPORT
2131#if !defined(MBEDTLS_SSL_CLI_C)
2136 " libcoap not compiled for Client Mode for Mbed TLS"
2137 " - update Mbed TLS to include Client Mode\n");
2140 coap_mbedtls_context_t *m_context =
2143 if (!m_context || !setup_data)
2147 coap_log_warn(
"CoAP Client with Mbed TLS does not support Identity Hint selection\n");
2150#ifndef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
2151 coap_log_warn(
"Mbed TLS not compiled for EC-JPAKE support\n");
2155#ifndef MBEDTLS_SSL_DTLS_CONNECTION_ID
2156 coap_log_warn(
"Mbed TLS not compiled for Connection-ID support\n");
2159 m_context->psk_pki_enabled |= IS_PSK;
2169 coap_mbedtls_context_t *m_context =
2172 m_context->setup_data = *setup_data;
2173 if (!m_context->setup_data.verify_peer_cert) {
2175 m_context->setup_data.check_common_ca = 0;
2177 m_context->setup_data.allow_self_signed = 1;
2178 m_context->setup_data.allow_expired_certs = 1;
2179 m_context->setup_data.cert_chain_validation = 1;
2180 m_context->setup_data.cert_chain_verify_depth = 10;
2181 m_context->setup_data.check_cert_revocation = 1;
2182 m_context->setup_data.allow_no_crl = 1;
2183 m_context->setup_data.allow_expired_crl = 1;
2184 m_context->setup_data.allow_bad_md_hash = 1;
2185 m_context->setup_data.allow_short_rsa_length = 1;
2187 m_context->psk_pki_enabled |= IS_PKI;
2189#ifndef MBEDTLS_SSL_DTLS_CONNECTION_ID
2190 coap_log_warn(
"Mbed TLS not compiled for Connection-ID support\n");
2198 const char *ca_file,
2199 const char *ca_path) {
2200 coap_mbedtls_context_t *m_context =
2204 coap_log_warn(
"coap_context_set_pki_root_cas: (D)TLS environment "
2209 if (ca_file == NULL && ca_path == NULL) {
2210 coap_log_warn(
"coap_context_set_pki_root_cas: ca_file and/or ca_path "
2214 if (m_context->root_ca_file) {
2215 mbedtls_free(m_context->root_ca_file);
2216 m_context->root_ca_file = NULL;
2220 m_context->root_ca_file = mbedtls_strdup(ca_file);
2223 if (m_context->root_ca_path) {
2224 mbedtls_free(m_context->root_ca_path);
2225 m_context->root_ca_path = NULL;
2229 m_context->root_ca_path = mbedtls_strdup(ca_path);
2240 coap_mbedtls_context_t *m_context =
2244 coap_log_warn(
"coap_context_load_pki_trust_store: (D)TLS environment "
2248 m_context->trust_store_defined = 1;
2257 coap_mbedtls_context_t *m_context =
2259 return m_context->psk_pki_enabled ? 1 : 0;
2264 coap_mbedtls_context_t *m_context = (coap_mbedtls_context_t *)dtls_context;
2267 for (i = 0; i < m_context->pki_sni_count; i++) {
2268 mbedtls_free(m_context->pki_sni_entry_list[i].sni);
2270 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].public_cert);
2272 mbedtls_pk_free(&m_context->pki_sni_entry_list[i].private_key);
2274 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].cacert);
2276 if (m_context->pki_sni_entry_list)
2277 mbedtls_free(m_context->pki_sni_entry_list);
2279 for (i = 0; i < m_context->psk_sni_count; i++) {
2280 mbedtls_free(m_context->psk_sni_entry_list[i].sni);
2282 if (m_context->psk_sni_entry_list)
2283 mbedtls_free(m_context->psk_sni_entry_list);
2285 if (m_context->root_ca_path)
2286 mbedtls_free(m_context->root_ca_path);
2287 if (m_context->root_ca_file)
2288 mbedtls_free(m_context->root_ca_file);
2290 mbedtls_free(m_context);
2293#if COAP_CLIENT_SUPPORT
2296#if !defined(MBEDTLS_SSL_CLI_C)
2299 " libcoap not compiled for Client Mode for Mbed TLS"
2300 " - update Mbed TLS to include Client Mode\n");
2303 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
2312 m_env->last_timeout = now;
2313 ret = do_mbedtls_handshake(c_session, m_env);
2315 coap_dtls_free_mbedtls_env(m_env);
2324#if COAP_SERVER_SUPPORT
2327#if !defined(MBEDTLS_SSL_SRV_C)
2330 " libcoap not compiled for Server Mode for Mbed TLS"
2331 " - update Mbed TLS to include Server Mode\n");
2334 coap_mbedtls_env_t *m_env =
2335 (coap_mbedtls_env_t *)c_session->
tls;
2337#if defined(MBEDTLS_SSL_PROTO_DTLS)
2338#if MBEDTLS_VERSION_NUMBER >= 0x02100100
2339 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
2350 if (c_session && c_session->
context && c_session->
tls) {
2351 coap_dtls_free_mbedtls_env(c_session->
tls);
2352 c_session->
tls = NULL;
2360#if defined(MBEDTLS_SSL_PROTO_DTLS)
2361 coap_mbedtls_env_t *m_env =
2362 (coap_mbedtls_env_t *)c_session->
tls;
2364#if MBEDTLS_VERSION_NUMBER >= 0x02100100
2365 mbedtls_ssl_set_mtu(&m_env->ssl, (uint16_t)c_session->
mtu);
2375 const uint8_t *data,
size_t data_len) {
2377 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2379 assert(m_env != NULL);
2387 if (m_env->established) {
2388 ret = mbedtls_ssl_write(&m_env->ssl, (
const unsigned char *) data, data_len);
2391 case MBEDTLS_ERR_SSL_WANT_READ:
2392 case MBEDTLS_ERR_SSL_WANT_WRITE:
2395 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2401 "returned -0x%x: '%s'\n",
2402 -ret, get_error_string(ret));
2411 ret = do_mbedtls_handshake(c_session, m_env);
2444 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2446 int ret = zephyr_timing_get_delay(&m_env->timer);
2448 int ret = mbedtls_timing_get_delay(&m_env->timer);
2450 unsigned int scalar = 1 << m_env->retry_scalar;
2460 m_env->last_timeout = now;
2473 m_env->last_timeout = now;
2491 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2494 m_env->retry_scalar++;
2496 (do_mbedtls_handshake(c_session, m_env) < 0)) {
2511 const uint8_t *data,
2516 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2517 coap_ssl_t *ssl_data;
2519 assert(m_env != NULL);
2521 ssl_data = &m_env->coap_ssl_data;
2522 if (ssl_data->pdu_len) {
2523 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2526 ssl_data->pdu = data;
2527 ssl_data->pdu_len = (unsigned)data_len;
2529 if (m_env->established) {
2530#if COAP_CONSTRAINED_STACK
2543 ret = mbedtls_ssl_read(&m_env->ssl, pdu,
sizeof(pdu));
2552 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
2553 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2556 case MBEDTLS_ERR_SSL_WANT_READ:
2560 "returned -0x%x: '%s' (length %zd)\n",
2561 -ret, get_error_string(ret), data_len);
2566 ret = do_mbedtls_handshake(c_session, m_env);
2571 if (ssl_data->pdu_len) {
2573 ret = do_mbedtls_handshake(c_session, m_env);
2594 if (ssl_data && ssl_data->pdu_len) {
2596 coap_log_debug(
"coap_dtls_receive: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2597 ssl_data->pdu_len = 0;
2598 ssl_data->pdu = NULL;
2603#if COAP_SERVER_SUPPORT
2611 const uint8_t *data,
2613#if !defined(MBEDTLS_SSL_PROTO_DTLS) || !defined(MBEDTLS_SSL_SRV_C)
2618 " libcoap not compiled for DTLS or Server Mode for Mbed TLS"
2619 " - update Mbed TLS to include DTLS and Server Mode\n");
2622 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2623 coap_ssl_t *ssl_data;
2630 c_session->
tls = m_env;
2637 if ((ret = mbedtls_ssl_set_client_transport_id(&m_env->ssl,
2640 coap_log_err(
"mbedtls_ssl_set_client_transport_id() returned -0x%x: '%s'\n",
2641 -ret, get_error_string(ret));
2645 ssl_data = &m_env->coap_ssl_data;
2646 if (ssl_data->pdu_len) {
2647 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2650 ssl_data->pdu = data;
2651 ssl_data->pdu_len = (unsigned)data_len;
2653 ret = do_mbedtls_handshake(c_session, m_env);
2654 if (ret == 0 || m_env->seen_client_hello) {
2660 m_env->seen_client_hello = 0;
2666 if (ssl_data->pdu_len) {
2668 coap_log_debug(
"coap_dtls_hello: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2669 ssl_data->pdu_len = 0;
2670 ssl_data->pdu = NULL;
2679 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2680 int expansion = mbedtls_ssl_get_record_expansion(&m_env->ssl);
2682 if (expansion == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) {
2688#if !COAP_DISABLE_TCP
2689#if COAP_CLIENT_SUPPORT
2692#if !defined(MBEDTLS_SSL_CLI_C)
2696 " libcoap not compiled for Client Mode for Mbed TLS"
2697 " - update Mbed TLS to include Client Mode\n");
2700 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
2710 m_env->last_timeout = now;
2711 c_session->
tls = m_env;
2712 ret = do_mbedtls_handshake(c_session, m_env);
2722#if COAP_SERVER_SUPPORT
2725#if !defined(MBEDTLS_SSL_SRV_C)
2730 " libcoap not compiled for Server Mode for Mbed TLS"
2731 " - update Mbed TLS to include Server Mode\n");
2734 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
2742 c_session->
tls = m_env;
2743 ret = do_mbedtls_handshake(c_session, m_env);
2768 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2769 size_t amount_sent = 0;
2771 assert(m_env != NULL);
2778 if (m_env->established) {
2779 while (amount_sent < data_len) {
2780 ret = mbedtls_ssl_write(&m_env->ssl, &data[amount_sent],
2781 data_len - amount_sent);
2784 case MBEDTLS_ERR_SSL_WANT_READ:
2785 case MBEDTLS_ERR_SSL_WANT_WRITE:
2792 case MBEDTLS_ERR_NET_CONN_RESET:
2793 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2798 "returned -0x%x: '%s'\n",
2799 -ret, get_error_string(ret));
2811 ret = do_mbedtls_handshake(c_session, m_env);
2832 if (ret == (ssize_t)data_len)
2851 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
2860 if (!m_env->established && !m_env->sent_alert) {
2861 ret = do_mbedtls_handshake(c_session, m_env);
2870 ret = mbedtls_ssl_read(&m_env->ssl, data, data_len);
2874 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
2878 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
2880 m_env->sent_alert = 1;
2883#if MBEDTLS_VERSION_NUMBER >= 0x03060000
2884 case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
2886 case MBEDTLS_ERR_SSL_WANT_READ:
2892 "returned -0x%x: '%s' (length %zd)\n",
2893 -ret, get_error_string(ret), data_len);
2897 }
else if (ret < (
int)data_len) {
2898 c_session->
sock.
flags &= ~COAP_SOCKET_CAN_READ;
2926#if COAP_CLIENT_SUPPORT
2927 mbedtls_free(psk_ciphers);
2928 mbedtls_free(pki_ciphers);
2929 mbedtls_free(ecjpake_ciphers);
2932 ecjpake_ciphers = NULL;
2933 processed_ciphers = 0;
2943 if (c_session && c_session->
tls) {
2944 coap_mbedtls_env_t *m_env;
2947 memcpy(&m_env, &c_session->
tls,
sizeof(m_env));
2949 return (
void *)&m_env->ssl;
2958#if !defined(ESPIDF_VERSION)
2968 switch ((
int)level) {
2989 mbedtls_debug_set_threshold(use_level);
2991 keep_log_level = level;
2996 return keep_log_level;
3002 version.
version = mbedtls_version_get_number();
3008#if COAP_SERVER_SUPPORT
3011 mbedtls_sha256_context *digest_ctx = mbedtls_malloc(
sizeof(mbedtls_sha256_context));
3014 mbedtls_sha256_init(digest_ctx);
3015#ifdef MBEDTLS_2_X_COMPAT
3016 if (mbedtls_sha256_starts_ret(digest_ctx, 0) != 0) {
3018 if (mbedtls_sha256_starts(digest_ctx, 0) != 0) {
3030 mbedtls_sha256_free(digest_ctx);
3031 mbedtls_free(digest_ctx);
3037 const uint8_t *data,
3039#ifdef MBEDTLS_2_X_COMPAT
3040 int ret = mbedtls_sha256_update_ret(digest_ctx, data, data_len);
3042 int ret = mbedtls_sha256_update(digest_ctx, data, data_len);
3051#ifdef MBEDTLS_2_X_COMPAT
3052 int ret = mbedtls_sha256_finish_ret(digest_ctx, (uint8_t *)digest_buffer);
3054 int ret = mbedtls_sha256_finish(digest_ctx, (uint8_t *)digest_buffer);
3062#include <mbedtls/cipher.h>
3063#include <mbedtls/md.h>
3065#ifndef MBEDTLS_CIPHER_MODE_AEAD
3066#error need MBEDTLS_CIPHER_MODE_AEAD, please enable MBEDTLS_CCM_C
3069#ifdef MBEDTLS_ERROR_C
3070#include <mbedtls/error.h>
3073#ifdef MBEDTLS_ERROR_C
3076 int c_tmp = (int)(Func); \
3078 char error_buf[64]; \
3079 mbedtls_strerror(c_tmp, error_buf, sizeof(error_buf)); \
3080 coap_log_err("mbedtls: -0x%04x: %s\n", -c_tmp, error_buf); \
3087 int c_tmp = (int)(Func); \
3089 coap_log_err("mbedtls: %d\n", tmp); \
3100static struct hash_algs {
3102 mbedtls_md_type_t hash_type;
3110static mbedtls_md_type_t
3111get_hash_alg(
cose_alg_t alg,
size_t *hash_len) {
3114 for (idx = 0; idx <
sizeof(hashs) /
sizeof(
struct hash_algs); idx++) {
3115 if (hashs[idx].alg == alg) {
3116 *hash_len = hashs[idx].hash_size;
3117 return hashs[idx].hash_type;
3120 coap_log_debug(
"get_hash_alg: COSE hash %d not supported\n", alg);
3121 return MBEDTLS_MD_NONE;
3128 mbedtls_md_context_t ctx;
3130 const mbedtls_md_info_t *md_info;
3134 mbedtls_md_type_t dig_type = get_hash_alg(alg, &hash_length);
3136 if (dig_type == MBEDTLS_MD_NONE) {
3137 coap_log_debug(
"coap_crypto_hash: algorithm %d not supported\n", alg);
3140 md_info = mbedtls_md_info_from_type(dig_type);
3142 len = mbedtls_md_get_size(md_info);
3147 mbedtls_md_init(&ctx);
3148 C(mbedtls_md_setup(&ctx, md_info, 0));
3150 C(mbedtls_md_starts(&ctx));
3151 C(mbedtls_md_update(&ctx, (
const unsigned char *)data->
s, data->
length));
3155 C(mbedtls_md_finish(&ctx,
dummy->s));
3160 mbedtls_md_free(&ctx);
3165#if COAP_OSCORE_SUPPORT
3176static struct cipher_algs {
3178 mbedtls_cipher_type_t cipher_type;
3183static mbedtls_cipher_type_t
3187 for (idx = 0; idx <
sizeof(ciphers) /
sizeof(
struct cipher_algs); idx++) {
3188 if (ciphers[idx].alg == alg)
3189 return ciphers[idx].cipher_type;
3191 coap_log_debug(
"get_cipher_alg: COSE cipher %d not supported\n", alg);
3200static struct hmac_algs {
3202 mbedtls_md_type_t hmac_type;
3209static mbedtls_md_type_t
3213 for (idx = 0; idx <
sizeof(hmacs) /
sizeof(
struct hmac_algs); idx++) {
3214 if (hmacs[idx].hmac_alg == hmac_alg)
3215 return hmacs[idx].hmac_type;
3217 coap_log_debug(
"get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
3223 return get_cipher_alg(alg) != 0;
3232 return get_hmac_alg(hmac_alg) != 0;
3240setup_cipher_context(mbedtls_cipher_context_t *ctx,
3242 const uint8_t *key_data,
3244 mbedtls_operation_t mode) {
3245 const mbedtls_cipher_info_t *cipher_info;
3246 mbedtls_cipher_type_t cipher_type;
3250 memset(key, 0,
sizeof(key));
3252 if ((cipher_type = get_cipher_alg(coap_alg)) == 0) {
3253 coap_log_debug(
"coap_crypto_encrypt: algorithm %d not supported\n",
3257 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
3259 coap_log_crit(
"coap_crypto_encrypt: cannot get cipher info\n");
3263 mbedtls_cipher_init(ctx);
3265 C(mbedtls_cipher_setup(ctx, cipher_info));
3266 klen = mbedtls_cipher_get_key_bitlen(ctx);
3267 if ((klen > (
int)(
sizeof(key) * 8)) || (key_length >
sizeof(key))) {
3271 memcpy(key, key_data, key_length);
3272 C(mbedtls_cipher_setkey(ctx, key, klen, mode));
3277 mbedtls_cipher_free(ctx);
3286 size_t *max_result_len) {
3287 mbedtls_cipher_context_t ctx;
3289#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
3290 unsigned char tag[16];
3293 size_t result_len = *max_result_len;
3299 assert(params != NULL);
3306 if (!setup_cipher_context(&ctx,
3321#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
3322 C(mbedtls_cipher_auth_encrypt(&ctx,
3335 if ((result_len + ccm->
tag_len) > *max_result_len) {
3340 memcpy(result + result_len, tag, ccm->
tag_len);
3341 *max_result_len = result_len + ccm->
tag_len;
3344 C(mbedtls_cipher_auth_encrypt_ext(&ctx,
3356 *max_result_len = result_len;
3361 mbedtls_cipher_free(&ctx);
3370 size_t *max_result_len) {
3371 mbedtls_cipher_context_t ctx;
3373#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
3374 const unsigned char *tag;
3377 size_t result_len = *max_result_len;
3383 assert(params != NULL);
3391 if (!setup_cipher_context(&ctx,
3411#if (MBEDTLS_VERSION_NUMBER < 0x02150000)
3413 C(mbedtls_cipher_auth_decrypt(&ctx,
3426 C(mbedtls_cipher_auth_decrypt_ext(&ctx,
3441 *max_result_len = result_len;
3444 mbedtls_cipher_free(&ctx);
3453 mbedtls_md_context_t ctx;
3455 const int use_hmac = 1;
3456 const mbedtls_md_info_t *md_info;
3457 mbedtls_md_type_t mac_algo;
3465 if ((mac_algo = get_hmac_alg(hmac_alg)) == 0) {
3466 coap_log_debug(
"coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
3469 md_info = mbedtls_md_info_from_type(mac_algo);
3471 len = mbedtls_md_get_size(md_info);
3476 mbedtls_md_init(&ctx);
3477 C(mbedtls_md_setup(&ctx, md_info, use_hmac));
3479 C(mbedtls_md_hmac_starts(&ctx, key->
s, key->
length));
3480 C(mbedtls_md_hmac_update(&ctx, (
const unsigned char *)data->
s, data->
length));
3484 C(mbedtls_md_hmac_finish(&ctx,
dummy->s));
3489 mbedtls_md_free(&ctx);
3501#pragma GCC diagnostic ignored "-Wunused-function"
#define COAP_SERVER_SUPPORT
const char * coap_socket_strerror(void)
#define COAP_RXBUFFER_SIZE
#define COAP_SOCKET_WANT_WRITE
non blocking socket is waiting for writing
Library specific build wrapper for coap_internal.h.
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_load_pki_trust_store(coap_context_t *ctx COAP_UNUSED)
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
ssize_t coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
void coap_digest_free(coap_digest_ctx_t *digest_ctx)
Free off coap_digest_ctx_t.
int coap_digest_final(coap_digest_ctx_t *digest_ctx, coap_digest_t *digest_buffer)
Finalize the coap_digest information into the provided digest_buffer.
int coap_digest_update(coap_digest_ctx_t *digest_ctx, const uint8_t *data, size_t data_len)
Update the coap_digest information with the next chunk of data.
coap_digest_ctx_t * coap_digest_setup(void)
Initialize a coap_digest.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_prng_lkd(void *buf, size_t len)
Fills buf with len random bytes using the default pseudo random number generator.
int coap_handle_event_lkd(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
void coap_ticks(coap_tick_t *t)
Returns the current value of an internal tick counter.
int coap_crypto_hmac(cose_hmac_alg_t hmac_alg, coap_bin_const_t *key, coap_bin_const_t *data, coap_bin_const_t **hmac)
Create a HMAC hash of the provided data.
int coap_crypto_aead_decrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Decrypt the provided encrypted data into plaintext.
int coap_crypto_aead_encrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Encrypt the provided plaintext data.
#define COAP_CRYPTO_MAX_KEY_SIZE
int coap_crypto_hash(cose_alg_t alg, const coap_bin_const_t *data, coap_bin_const_t **hash)
Create a hash of the provided data.
int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg)
Check whether the defined hkdf algorithm is supported by the underlying crypto library.
int coap_crypto_check_cipher_alg(cose_alg_t alg)
Check whether the defined cipher algorithm is supported by the underlying crypto library.
void * coap_tls_new_server_session(coap_session_t *coap_session)
Create a TLS new server-side session.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *coap_session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
int coap_dtls_define_issue(coap_define_issue_key_t type, coap_define_issue_fail_t fail, coap_dtls_key_t *key, const coap_dtls_role_t role, int ret)
Report PKI DEFINE type issue.
void * coap_dtls_new_client_session(coap_session_t *coap_session)
Create a new client-side session.
void * coap_dtls_new_server_session(coap_session_t *coap_session)
Create a new DTLS server-side session.
int coap_dtls_hello(coap_session_t *coap_session, const uint8_t *data, size_t data_len)
Handling client HELLO messages from a new candiate peer.
int coap_dtls_set_cid_tuple_change(coap_context_t *context, uint8_t every)
Set the Connection ID client tuple frequency change for testing CIDs.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
int coap_dtls_context_set_cpsk(coap_context_t *coap_context, coap_dtls_cpsk_t *setup_data)
Set the DTLS context's default client PSK information.
int coap_dtls_context_set_spsk(coap_context_t *coap_context, coap_dtls_spsk_t *setup_data)
Set the DTLS context's default server PSK information.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
void * coap_tls_new_client_session(coap_session_t *coap_session)
Create a new TLS client-side session.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
void coap_dtls_map_key_type_to_define(const coap_dtls_pki_t *setup_data, coap_dtls_key_t *key)
Map the PKI key definitions to the new DEFINE format.
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
@ COAP_DEFINE_KEY_PRIVATE
@ COAP_DEFINE_KEY_ROOT_CA
@ COAP_DEFINE_FAIL_NOT_SUPPORTED
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
@ COAP_PKI_KEY_DEF_PKCS11
The PKI key type is PKCS11 (pkcs11:...).
@ COAP_PKI_KEY_DEF_DER_BUF
The PKI key type is DER buffer (ASN.1).
@ COAP_PKI_KEY_DEF_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_DEF_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_DEF_ENGINE
The PKI key type is to be passed to ENGINE.
@ COAP_PKI_KEY_DEF_RPK_BUF
The PKI key type is RPK in buffer.
@ COAP_PKI_KEY_DEF_DER
The PKI key type is DER file.
@ COAP_PKI_KEY_DEF_PKCS11_RPK
The PKI key type is PKCS11 w/ RPK (pkcs11:...).
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_DEFINE
The individual PKI key types are Definable.
@ COAP_TLS_LIBRARY_MBEDTLS
Using Mbed TLS library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
#define coap_lock_callback_ret(r, func)
Dummy for no thread-safe code.
#define coap_log_debug(...)
#define coap_log_emerg(...)
coap_log_t coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
#define coap_dtls_log(level,...)
Logging function.
void coap_dtls_set_log_level(coap_log_t level)
Sets the (D)TLS logging level to the specified level.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log_info(...)
#define coap_log_warn(...)
#define coap_log_err(...)
#define coap_log_crit(...)
int coap_netif_available(coap_session_t *session)
Function interface to check whether netif for session is still available.
int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg, cose_hmac_alg_t *hmac_alg)
@ COSE_HMAC_ALG_HMAC384_384
@ COSE_HMAC_ALG_HMAC256_256
@ COSE_HMAC_ALG_HMAC512_512
@ COSE_ALGORITHM_SHA_256_256
@ COSE_ALGORITHM_AES_CCM_16_64_128
@ COSE_ALGORITHM_AES_CCM_16_64_256
coap_proto_t
CoAP protocol types.
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
void coap_session_connected(coap_session_t *session)
Notify session that it has just connected or reconnected.
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
void coap_session_disconnected_lkd(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
#define COAP_PROTO_NOT_RELIABLE(p)
@ COAP_SESSION_TYPE_CLIENT
client-side
@ COAP_SESSION_STATE_HANDSHAKE
@ COAP_SESSION_STATE_NONE
coap_binary_t * coap_new_binary(size_t size)
Returns a new binary object with at least size bytes storage allocated.
coap_bin_const_t * coap_new_bin_const(const uint8_t *data, size_t size)
Take the specified byte array (text) and create a coap_bin_const_t * Returns a new const binary objec...
int coap_dtls_cid_is_supported(void)
Check whether (D)TLS CID is available.
int coap_dtls_psk_is_supported(void)
Check whether (D)TLS PSK is available.
int coap_tls_is_supported(void)
Check whether TLS is available.
int coap_oscore_is_supported(void)
Check whether OSCORE is available.
int coap_dtls_is_supported(void)
Check whether DTLS is available.
int coap_dtls_pki_is_supported(void)
Check whether (D)TLS PKI is available.
int coap_dtls_rpk_is_supported(void)
Check whether (D)TLS RPK is available.
int coap_dtls_pkcs11_is_supported(void)
Check whether (D)TLS PKCS11 is available.
coap_address_t remote
remote address and port
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
The CoAP stack's global state is stored in a coap_context_t object.
uint8_t testing_cids
Change client's source port every testing_cids.
coap_dtls_spsk_t spsk_setup_data
Contains the initial PSK server setup data.
The structure that holds the AES Crypto information.
size_t l
The number of bytes in the length field.
const uint8_t * nonce
must be exactly 15 - l bytes
coap_crypto_key_t key
The Key to use.
size_t tag_len
The size of the Tag.
The common structure that holds the Crypto information.
union coap_crypto_param_t::@2 params
coap_crypto_aes_ccm_t aes
Used if AES type encryption.
cose_alg_t alg
The COSE algorith to use.
The structure used for defining the Client PSK setup data to be used.
uint8_t use_cid
Set to 1 if DTLS Connection ID is to be used.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
uint8_t ec_jpake
Set to COAP_DTLS_CPSK_SETUP_VERSION to support this version of the struct.
The structure that holds the PKI key information.
coap_pki_key_define_t define
for definable type keys
union coap_dtls_key_t::@3 key
coap_pki_key_t key_type
key format type
The structure used for defining the PKI setup data to be used.
uint8_t allow_no_crl
1 ignore if CRL not there
void * cn_call_back_arg
Passed in to the CN callback function.
uint8_t allow_short_rsa_length
1 if small RSA keysizes are allowed
uint8_t cert_chain_validation
1 if to check cert_chain_verify_depth
uint8_t allow_bad_md_hash
1 if unsupported MD hashes are allowed
uint8_t use_cid
1 if DTLS Connection ID is to be used (Client only, server always enabled) if supported
uint8_t check_cert_revocation
1 if revocation checks wanted
uint8_t cert_chain_verify_depth
recommended depth is 3
uint8_t allow_expired_certs
1 if expired certs are allowed
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
uint8_t allow_self_signed
1 if self-signed certs are allowed.
coap_dtls_cn_callback_t validate_cn_call_back
CN check callback function.
uint8_t allow_expired_crl
1 if expired crl is allowed
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
uint8_t ec_jpake
Set to COAP_DTLS_SPSK_SETUP_VERSION to support this version of the struct.
void * sni_call_back_arg
Passed in to the SNI callback function.
coap_layer_write_t l_write
coap_layer_establish_t l_establish
coap_const_char_ptr_t public_cert
define: Public Cert
coap_const_char_ptr_t private_key
define: Private Key
coap_const_char_ptr_t ca
define: Common CA Certificate
size_t public_cert_len
define Public Cert length (if needed)
size_t ca_len
define CA Cert length (if needed)
coap_pki_define_t private_key_def
define: Private Key type definition
size_t private_key_len
define Private Key length (if needed)
coap_pki_define_t ca_def
define: Common CA type definition
coap_pki_define_t public_cert_def
define: Public Cert type definition
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_endpoint_t * endpoint
session's endpoint
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationship with peer
coap_bin_const_t * client_cid
Contains client CID or NULL.
coap_addr_tuple_t addr_info
remote/local address info
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
uint8_t negotiated_cid
Set for a client if CID negotiated.
int dtls_event
Tracking any (D)TLS events on this session.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_session_type_t type
client or server side socket
coap_context_t * context
session's context
coap_layer_func_t lfunc[COAP_LAYER_LAST]
Layer functions to use.
coap_socket_flags_t flags
1 or more of COAP_SOCKET* flag values
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version
const char * s_byte
signed char ptr
const uint8_t * u_byte
unsigned char ptr