40 #include <mbedtls/version.h>
41 #include <mbedtls/platform.h>
42 #include <mbedtls/net_sockets.h>
43 #include <mbedtls/ssl.h>
44 #include <mbedtls/entropy.h>
45 #include <mbedtls/ctr_drbg.h>
46 #include <mbedtls/error.h>
47 #include <mbedtls/certs.h>
48 #include <mbedtls/timing.h>
49 #include <mbedtls/ssl_cookie.h>
50 #include <mbedtls/oid.h>
51 #include <mbedtls/debug.h>
52 #include <mbedtls/sha256.h>
53 #if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
54 #include <mbedtls/esp_debug.h>
58 #define mbedtls_malloc(a) malloc(a)
59 #define mbedtls_realloc(a,b) realloc(a,b)
60 #define mbedtls_strdup(a) strdup(a)
61 #define mbedtls_strndup(a,b) strndup(a,b)
63 #ifndef MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
65 #ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
66 #define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
71 #define UNUSED __attribute__((unused))
77 #define strcasecmp _stricmp
80 #define IS_PSK (1 << 0)
81 #define IS_PKI (1 << 1)
82 #define IS_CLIENT (1 << 6)
83 #define IS_SERVER (1 << 7)
85 typedef struct coap_ssl_t {
96 typedef struct coap_mbedtls_env_t {
97 mbedtls_ssl_context ssl;
98 mbedtls_entropy_context entropy;
99 mbedtls_ctr_drbg_context ctr_drbg;
100 mbedtls_ssl_config conf;
101 mbedtls_timing_delay_context timer;
102 mbedtls_x509_crt cacert;
103 mbedtls_x509_crt public_cert;
104 mbedtls_pk_context private_key;
105 mbedtls_ssl_cookie_ctx cookie_ctx;
108 int seen_client_hello;
110 unsigned int retry_scalar;
111 coap_ssl_t coap_ssl_data;
112 } coap_mbedtls_env_t;
114 typedef struct pki_sni_entry {
117 mbedtls_x509_crt cacert;
118 mbedtls_x509_crt public_cert;
119 mbedtls_pk_context private_key;
122 typedef struct psk_sni_entry {
127 typedef struct coap_mbedtls_context_t {
129 size_t pki_sni_count;
130 pki_sni_entry *pki_sni_entry_list;
131 size_t psk_sni_count;
132 psk_sni_entry *psk_sni_entry_list;
136 } coap_mbedtls_context_t;
138 typedef enum coap_enc_method_t {
143 static int coap_dgram_read(
void *ctx,
unsigned char *out,
size_t outl)
149 if (!c_session->
tls) {
151 return MBEDTLS_ERR_SSL_WANT_READ;
153 data = &((coap_mbedtls_env_t *)c_session->
tls)->coap_ssl_data;
156 if (data->pdu_len > 0) {
157 if (outl < data->pdu_len) {
158 memcpy(out, data->pdu, outl);
161 data->pdu_len -= outl;
164 memcpy(out, data->pdu, data->pdu_len);
166 if (!data->peekmode) {
173 ret = MBEDTLS_ERR_SSL_WANT_READ;
187 coap_dgram_write(
void *ctx,
const unsigned char *send_buffer,
188 size_t send_buffer_length)
194 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
196 if (result != (ssize_t)send_buffer_length) {
198 result, send_buffer_length);
204 m_env->last_timeout = now;
212 #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && defined(MBEDTLS_SSL_SRV_C)
216 static int psk_server_callback(
void *p_info, mbedtls_ssl_context *ssl,
217 const unsigned char *name,
size_t name_len )
223 coap_mbedtls_env_t *m_env;
226 (
int)name_len, name);
228 if (c_session == NULL || c_session->
context == NULL ||
232 m_env = (coap_mbedtls_env_t *)c_session->
tls;
237 lidentity.
length = name_len;
248 m_env->seen_client_hello = 1;
256 m_env->seen_client_hello = 1;
257 mbedtls_ssl_set_hs_psk(ssl, buf, psk_len);
263 get_san_or_cn_from_cert(mbedtls_x509_crt *crt)
266 mbedtls_asn1_named_data * cn_data;
268 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
269 mbedtls_asn1_sequence *seq = &crt->subject_alt_names;
270 while (seq && seq->buf.p == NULL) {
275 return mbedtls_strndup((
const char *)seq->buf.p,
280 cn_data = mbedtls_asn1_find_named_data(&crt->subject,
282 MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN));
285 return mbedtls_strndup((
const char *)cn_data->val.p,
293 get_error_string(
int ret) {
294 static char buf[128] = {0};
295 mbedtls_strerror(ret, buf,
sizeof(buf)-1);
304 cert_verify_callback_mbedtls(
void *data, mbedtls_x509_crt *crt,
308 coap_mbedtls_context_t *m_context =
316 cn = get_san_or_cn_from_cert(crt);
318 if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
319 if (setup_data->allow_expired_certs) {
320 *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
322 " %s: %s: overridden: '%s' depth %d\n",
324 "The certificate has expired", cn ? cn :
"?", depth);
327 if (*flags & MBEDTLS_X509_BADCERT_FUTURE) {
328 if (setup_data->allow_expired_certs) {
329 *flags &= ~MBEDTLS_X509_BADCERT_FUTURE;
331 " %s: %s: overridden: '%s' depth %d\n",
333 "The certificate has a future date", cn ? cn :
"?", depth);
336 if (*flags & MBEDTLS_X509_BADCERT_BAD_MD) {
337 if (setup_data->allow_bad_md_hash) {
338 *flags &= ~MBEDTLS_X509_BADCERT_BAD_MD;
340 " %s: %s: overridden: '%s' depth %d\n",
342 "The certificate has a bad MD hash", cn ? cn :
"?", depth);
345 if (*flags & MBEDTLS_X509_BADCERT_BAD_KEY) {
346 if (setup_data->allow_short_rsa_length) {
347 *flags &= ~MBEDTLS_X509_BADCERT_BAD_KEY;
349 " %s: %s: overridden: '%s' depth %d\n",
351 "The certificate has a short RSA length", cn ? cn :
"?", depth);
354 if (*flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
356 int self_signed = !mbedtls_x509_crt_verify(crt, crt, NULL, NULL, &lflags,
358 if (self_signed && depth == 0) {
359 if (setup_data->allow_self_signed &&
360 !setup_data->check_common_ca) {
361 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
363 " %s: %s: overridden: '%s' depth %d\n",
366 cn ? cn :
"?", depth);
370 if (!setup_data->verify_peer_cert) {
371 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
373 " %s: %s: overridden: '%s' depth %d\n",
375 "The certificate's CA does not match", cn ? cn :
"?", depth);
379 if (*flags & MBEDTLS_X509_BADCRL_EXPIRED) {
380 if (setup_data->check_cert_revocation && setup_data->allow_expired_crl) {
381 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
383 " %s: %s: overridden: '%s' depth %d\n",
385 "The certificate's CRL has expired", cn ? cn :
"?", depth);
387 else if (!setup_data->check_cert_revocation) {
388 *flags &= ~MBEDTLS_X509_BADCRL_EXPIRED;
391 if (*flags & MBEDTLS_X509_BADCRL_FUTURE) {
392 if (setup_data->check_cert_revocation && setup_data->allow_expired_crl) {
393 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
395 " %s: %s: overridden: '%s' depth %d\n",
397 "The certificate's CRL has a future date", cn ? cn :
"?", depth);
399 else if (!setup_data->check_cert_revocation) {
400 *flags &= ~MBEDTLS_X509_BADCRL_FUTURE;
403 if (setup_data->cert_chain_validation &&
404 depth > (setup_data->cert_chain_verify_depth)) {
405 *flags |= MBEDTLS_X509_BADCERT_OTHER;
407 " %s: %s: '%s' depth %d\n",
409 "The certificate's verify depth is too long",
410 cn ? cn :
"?", depth);
413 if (*flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
414 *flags &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
416 if (setup_data->validate_cn_call_back) {
417 if (!setup_data->validate_cn_call_back(cn,
423 setup_data->cn_call_back_arg)) {
424 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
430 int ret = mbedtls_x509_crt_verify_info(buf,
sizeof(buf),
"", *flags);
433 tcp = strchr(buf,
'\n');
437 " %s: %s: issue 0x%x: '%s' depth %d\n",
439 buf, *flags, cn ? cn :
"?", depth);
440 tcp = strchr(tcp+1,
'\n');
444 coap_log(
LOG_ERR,
"mbedtls_x509_crt_verify_info returned -0x%x: '%s'\n",
445 -ret, get_error_string(ret));
456 setup_pki_credentials(mbedtls_x509_crt *cacert,
457 mbedtls_x509_crt *public_cert,
458 mbedtls_pk_context *private_key,
459 coap_mbedtls_env_t *m_env,
460 coap_mbedtls_context_t *m_context,
469 "RPK Support not available in MbedTLS\n");
479 mbedtls_x509_crt_init(public_cert);
480 mbedtls_pk_init(private_key);
482 ret = mbedtls_x509_crt_parse_file(public_cert,
485 coap_log(
LOG_ERR,
"mbedtls_x509_crt_parse_file returned -0x%x: '%s'\n",
486 -ret, get_error_string(ret));
490 ret = mbedtls_pk_parse_keyfile(private_key,
494 -ret, get_error_string(ret));
498 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
501 -ret, get_error_string(ret));
507 "***setup_pki: (D)TLS: No Server Certificate + Private "
514 mbedtls_x509_crt_init(cacert);
515 ret = mbedtls_x509_crt_parse_file(cacert,
519 -ret, get_error_string(ret));
522 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
533 mbedtls_x509_crt_init(public_cert);
534 mbedtls_pk_init(private_key);
539 buffer = mbedtls_malloc(length + 1);
542 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
545 buffer[length] =
'\000';
547 ret = mbedtls_x509_crt_parse(public_cert, buffer, length);
548 mbedtls_free(buffer);
551 ret = mbedtls_x509_crt_parse(public_cert,
557 -ret, get_error_string(ret));
564 buffer = mbedtls_malloc(length + 1);
567 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
570 buffer[length] =
'\000';
572 ret = mbedtls_pk_parse_key(private_key, buffer, length, NULL, 0);
573 mbedtls_free(buffer);
576 ret = mbedtls_pk_parse_key(private_key,
582 -ret, get_error_string(ret));
586 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
589 -ret, get_error_string(ret));
594 "***setup_pki: (D)TLS: No Server Certificate + Private "
604 mbedtls_x509_crt_init(cacert);
608 buffer = mbedtls_malloc(length + 1);
611 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
614 buffer[length] =
'\000';
616 ret = mbedtls_x509_crt_parse(cacert, buffer, length);
617 mbedtls_free(buffer);
620 ret = mbedtls_x509_crt_parse(cacert,
626 -ret, get_error_string(ret));
629 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
638 mbedtls_x509_crt_init(public_cert);
639 mbedtls_pk_init(private_key);
640 ret = mbedtls_x509_crt_parse(public_cert,
645 -ret, get_error_string(ret));
649 ret = mbedtls_pk_parse_key(private_key,
654 -ret, get_error_string(ret));
658 ret = mbedtls_ssl_conf_own_cert(&m_env->conf, public_cert, private_key);
661 -ret, get_error_string(ret));
666 "***setup_pki: (D)TLS: No Server Certificate + Private "
673 mbedtls_x509_crt_init(cacert);
674 ret = mbedtls_x509_crt_parse(cacert,
679 -ret, get_error_string(ret));
682 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
688 "***setup_pki: (D)TLS: PKCS11 not currently supported\n");
693 "***setup_pki: (D)TLS: Unknown key type %d\n",
698 if (m_context->root_ca_file) {
699 ret = mbedtls_x509_crt_parse_file(cacert, m_context->root_ca_file);
702 -ret, get_error_string(ret));
705 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
707 if (m_context->root_ca_path) {
708 ret = mbedtls_x509_crt_parse_file(cacert, m_context->root_ca_path);
711 -ret, get_error_string(ret));
714 mbedtls_ssl_conf_ca_chain(&m_env->conf, cacert, NULL);
717 mbedtls_ssl_conf_cert_req_ca_list(&m_env->conf,
719 MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED :
720 MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
722 MBEDTLS_SSL_VERIFY_REQUIRED :
723 MBEDTLS_SSL_VERIFY_NONE);
728 mbedtls_ssl_conf_verify(&m_env->conf,
729 cert_verify_callback_mbedtls, c_session);
734 #if defined(MBEDTLS_SSL_SRV_C)
739 pki_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
740 const unsigned char *uname,
size_t name_len)
745 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
746 coap_mbedtls_context_t *m_context =
751 name = mbedtls_malloc(name_len+1);
755 memcpy(name, uname, name_len);
756 name[name_len] =
'\000';
759 for (i = 0; i < m_context->pki_sni_count; i++) {
760 if (strcasecmp(name, m_context->pki_sni_entry_list[i].sni) == 0) {
764 if (i == m_context->pki_sni_count) {
771 m_context->setup_data.validate_sni_call_back(name,
772 m_context->setup_data.sni_call_back_arg);
778 m_context->pki_sni_entry_list =
779 mbedtls_realloc(m_context->pki_sni_entry_list,
780 (i+1)*
sizeof(pki_sni_entry));
781 memset(&m_context->pki_sni_entry_list[i], 0,
782 sizeof(m_context->pki_sni_entry_list[i]));
783 m_context->pki_sni_entry_list[i].sni = name;
784 m_context->pki_sni_entry_list[i].pki_key = *new_entry;
785 sni_setup_data = m_context->setup_data;
786 sni_setup_data.
pki_key = *new_entry;
787 if ((ret = setup_pki_credentials(&m_context->pki_sni_entry_list[i].cacert,
788 &m_context->pki_sni_entry_list[i].public_cert,
789 &m_context->pki_sni_entry_list[i].private_key,
798 m_context->pki_sni_count++;
804 mbedtls_ssl_set_hs_ca_chain(ssl, &m_context->pki_sni_entry_list[i].cacert,
806 return mbedtls_ssl_set_hs_own_cert(ssl,
807 &m_context->pki_sni_entry_list[i].public_cert,
808 &m_context->pki_sni_entry_list[i].private_key);
811 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
816 psk_sni_callback(
void *p_info, mbedtls_ssl_context *ssl,
817 const unsigned char *uname,
size_t name_len)
821 coap_mbedtls_context_t *m_context =
825 name = mbedtls_malloc(name_len+1);
829 memcpy(name, uname, name_len);
830 name[name_len] =
'\000';
833 for (i = 0; i < m_context->psk_sni_count; i++) {
834 if (strcasecmp(name, m_context->psk_sni_entry_list[i].sni) == 0) {
838 if (i == m_context->psk_sni_count) {
853 m_context->psk_sni_entry_list =
854 mbedtls_realloc(m_context->psk_sni_entry_list,
855 (i+1)*
sizeof(psk_sni_entry));
857 m_context->psk_sni_entry_list[i].sni = name;
858 m_context->psk_sni_entry_list[i].psk_info = *new_entry;
860 m_context->psk_sni_count++;
867 &m_context->psk_sni_entry_list[i].psk_info.hint);
869 &m_context->psk_sni_entry_list[i].psk_info.key);
870 return mbedtls_ssl_set_hs_psk(ssl,
871 m_context->psk_sni_entry_list[i].psk_info.key.s,
872 m_context->psk_sni_entry_list[i].psk_info.key.length);
877 coap_mbedtls_env_t *m_env)
879 coap_mbedtls_context_t *m_context =
882 m_context->psk_pki_enabled |= IS_SERVER;
884 mbedtls_ssl_cookie_init(&m_env->cookie_ctx);
885 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
886 MBEDTLS_SSL_IS_SERVER,
888 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
889 MBEDTLS_SSL_TRANSPORT_STREAM,
890 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
891 coap_log(
LOG_ERR,
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
892 -ret, get_error_string(ret));
896 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
898 #if defined(MBEDTLS_SSL_PROTO_DTLS)
902 if (m_context->psk_pki_enabled & IS_PSK) {
903 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
904 mbedtls_ssl_conf_psk_cb(&m_env->conf, psk_server_callback, c_session);
906 mbedtls_ssl_conf_sni(&m_env->conf, psk_sni_callback, c_session);
914 if (m_context->psk_pki_enabled & IS_PKI) {
915 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
916 &m_env->private_key, m_env, m_context,
917 c_session, &m_context->setup_data,
923 if (m_context->setup_data.validate_sni_call_back) {
924 mbedtls_ssl_conf_sni(&m_env->conf, pki_sni_callback, c_session);
928 if ((ret = mbedtls_ssl_cookie_setup(&m_env->cookie_ctx,
929 mbedtls_ctr_drbg_random,
930 &m_env->ctr_drbg)) != 0) {
932 -ret, get_error_string(ret));
936 #if defined(MBEDTLS_SSL_PROTO_DTLS)
937 mbedtls_ssl_conf_dtls_cookies(&m_env->conf, mbedtls_ssl_cookie_write,
938 mbedtls_ssl_cookie_check,
939 &m_env->cookie_ctx );
940 #if MBEDTLS_VERSION_NUMBER >= 0x02100100
941 mbedtls_ssl_set_mtu(&m_env->ssl, c_session->
mtu);
949 static int *psk_ciphers = NULL;
950 static int *pki_ciphers = NULL;
951 static int processed_ciphers = 0;
954 set_ciphersuites(mbedtls_ssl_config *conf, coap_enc_method_t method)
956 if (!processed_ciphers) {
957 const int *list = mbedtls_ssl_list_ciphersuites();
958 const int *base = list;
965 const mbedtls_ssl_ciphersuite_t *cur =
966 mbedtls_ssl_ciphersuite_from_id(*list);
969 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
972 else if (mbedtls_ssl_ciphersuite_uses_psk(cur)) {
983 psk_ciphers = mbedtls_malloc(psk_count *
sizeof(psk_ciphers[0]));
984 if (psk_ciphers == NULL) {
985 coap_log(
LOG_ERR,
"set_ciphers: mbedtls_malloc with count %d failed\n", psk_count);
988 pki_ciphers = mbedtls_malloc(pki_count *
sizeof(pki_ciphers[0]));
989 if (pki_ciphers == NULL) {
990 coap_log(
LOG_ERR,
"set_ciphers: mbedtls_malloc with count %d failed\n", pki_count);
994 psk_list = psk_ciphers;
995 pki_list = pki_ciphers;
998 const mbedtls_ssl_ciphersuite_t *cur =
999 mbedtls_ssl_ciphersuite_from_id(*list);
1001 if (cur->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
1004 else if (mbedtls_ssl_ciphersuite_uses_psk(cur)) {
1018 processed_ciphers = 1;
1020 mbedtls_ssl_conf_ciphersuites(conf, method == COAP_ENC_PSK ? psk_ciphers : pki_ciphers);
1024 coap_mbedtls_env_t *m_env)
1028 coap_mbedtls_context_t *m_context =
1031 m_context->psk_pki_enabled |= IS_CLIENT;
1033 if ((ret = mbedtls_ssl_config_defaults(&m_env->conf,
1034 MBEDTLS_SSL_IS_CLIENT,
1036 MBEDTLS_SSL_TRANSPORT_DATAGRAM :
1037 MBEDTLS_SSL_TRANSPORT_STREAM,
1038 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
1039 coap_log(
LOG_ERR,
"mbedtls_ssl_config_defaults returned -0x%x: '%s'\n",
1040 -ret, get_error_string(ret));
1044 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1049 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
1050 mbedtls_ssl_conf_rng(&m_env->conf, mbedtls_ctr_drbg_random, &m_env->ctr_drbg);
1052 if (m_context->psk_pki_enabled & IS_PSK) {
1053 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1055 size_t identity_len;
1058 size_t max_identity_len =
sizeof(identity);
1069 assert(identity_len <=
sizeof(identity));
1070 mbedtls_ssl_conf_psk(&m_env->conf, (
const unsigned char *)
psk_key,
1071 psk_len, (
const unsigned char *)identity,
1074 mbedtls_ssl_set_hostname(&m_env->ssl,
1079 set_ciphersuites(&m_env->conf, COAP_ENC_PSK);
1084 else if ((m_context->psk_pki_enabled & IS_PKI) ||
1085 (m_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
1090 mbedtls_ssl_conf_authmode(&m_env->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
1091 ret = setup_pki_credentials(&m_env->cacert, &m_env->public_cert,
1092 &m_env->private_key, m_env, m_context,
1093 c_session, &m_context->setup_data,
1099 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN)
1101 const char *alpn_list[] = {
"coap", NULL };
1103 ret = mbedtls_ssl_conf_alpn_protocols(&m_env->conf, alpn_list);
1109 if (m_context->setup_data.client_sni) {
1110 mbedtls_ssl_set_hostname(&m_env->ssl, m_context->setup_data.client_sni);
1112 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1113 #if MBEDTLS_VERSION_NUMBER >= 0x02100100
1114 mbedtls_ssl_set_mtu(&m_env->ssl, c_session->
mtu);
1117 set_ciphersuites(&m_env->conf, COAP_ENC_PKI);
1125 static void mbedtls_cleanup(coap_mbedtls_env_t *m_env)
1131 mbedtls_x509_crt_free(&m_env->cacert);
1132 mbedtls_x509_crt_free(&m_env->public_cert);
1133 mbedtls_pk_free(&m_env->private_key);
1134 mbedtls_entropy_free(&m_env->entropy);
1135 mbedtls_ssl_config_free(&m_env->conf);
1136 mbedtls_ctr_drbg_free(&m_env->ctr_drbg);
1137 mbedtls_ssl_free(&m_env->ssl);
1138 mbedtls_ssl_cookie_free(&m_env->cookie_ctx);
1142 coap_dtls_free_mbedtls_env(coap_mbedtls_env_t *m_env) {
1144 mbedtls_cleanup(m_env);
1145 mbedtls_free(m_env);
1150 report_mbedtls_alert(
unsigned char alert) {
1152 case MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC:
return ": Bad Record MAC";
1153 case MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE:
return ": Handshake failure";
1154 case MBEDTLS_SSL_ALERT_MSG_NO_CERT:
return ": No Certificate provided";
1155 case MBEDTLS_SSL_ALERT_MSG_BAD_CERT:
return ": Certificate is bad";
1156 case MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA:
return ": CA is unknown";
1157 case MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED:
return ": Access was denied";
1158 case MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR:
return ": Decrypt error";
1169 coap_mbedtls_env_t *m_env) {
1173 ret = mbedtls_ssl_handshake(&m_env->ssl);
1176 m_env->established = 1;
1181 case MBEDTLS_ERR_SSL_WANT_READ:
1182 case MBEDTLS_ERR_SSL_WANT_WRITE:
1186 case MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED:
1189 case MBEDTLS_ERR_SSL_INVALID_MAC:
1191 case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE:
1192 alert = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
1194 case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO:
1195 alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE;
1197 case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
1199 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1200 if (m_env->ssl.in_msg[1] != MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)
1203 report_mbedtls_alert(m_env->ssl.in_msg[1]));
1205 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
1211 "do_mbedtls_handshake: session establish "
1212 "returned -0x%x: '%s'\n",
1213 -ret, get_error_string(ret));
1220 mbedtls_ssl_send_alert_message(&m_env->ssl,
1221 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1226 "do_mbedtls_handshake: session establish "
1228 get_error_string(ret));
1230 mbedtls_ssl_session_reset(&m_env->ssl);
1235 mbedtls_debug_out(
void *ctx
UNUSED,
int level,
1236 const char *file,
int line,
const char *str) {
1259 coap_log(log_level,
"%s:%04d: %s", file, line, str);
1262 static coap_mbedtls_env_t *coap_dtls_new_mbedtls_env(
coap_session_t *c_session,
1266 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1271 m_env = (coap_mbedtls_env_t *)mbedtls_malloc(
sizeof(coap_mbedtls_env_t));
1275 memset(m_env, 0,
sizeof(coap_mbedtls_env_t));
1277 mbedtls_ssl_init(&m_env->ssl);
1278 mbedtls_ctr_drbg_init(&m_env->ctr_drbg);
1279 mbedtls_ssl_config_init(&m_env->conf);
1280 mbedtls_entropy_init(&m_env->entropy);
1282 #if defined(ESPIDF_VERSION) && defined(CONFIG_MBEDTLS_DEBUG)
1283 mbedtls_esp_enable_debug_log(&m_env->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
1285 if ((ret = mbedtls_ctr_drbg_seed(&m_env->ctr_drbg,
1286 mbedtls_entropy_func, &m_env->entropy, NULL, 0)) != 0) {
1288 -ret, get_error_string(ret));
1293 if (setup_client_ssl_session(c_session, m_env) != 0) {
1296 #if defined(MBEDTLS_SSL_SRV_C)
1298 if (setup_server_ssl_session(c_session, m_env) != 0) {
1306 mbedtls_ssl_conf_min_version(&m_env->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
1307 MBEDTLS_SSL_MINOR_VERSION_3);
1309 if ((ret = mbedtls_ssl_setup(&m_env->ssl, &m_env->conf)) != 0) {
1312 mbedtls_ssl_set_bio(&m_env->ssl, c_session, coap_dgram_write,
1313 coap_dgram_read, NULL);
1314 mbedtls_ssl_set_timer_cb(&m_env->ssl, &m_env->timer,
1315 mbedtls_timing_set_delay,
1316 mbedtls_timing_get_delay);
1318 mbedtls_ssl_conf_dbg(&m_env->conf, mbedtls_debug_out, stdout);
1323 mbedtls_free(m_env);
1329 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1333 "libcoap not compiled for DTLS with MbedTLS"
1334 " - update MbedTLS to include DTLS\n");
1346 coap_mbedtls_context_t *m_context;
1349 m_context = (coap_mbedtls_context_t *)mbedtls_malloc(
sizeof(coap_mbedtls_context_t));
1351 memset(m_context, 0,
sizeof(coap_mbedtls_context_t));
1364 coap_mbedtls_context_t *m_context =
1367 #if !defined(MBEDTLS_SSL_SRV_C)
1369 " libcoap not compiled for Server Mode for MbedTLS"
1370 " - update MbedTLS to include Server Mode\n");
1373 if (!m_context || !setup_data)
1376 m_context->psk_pki_enabled |= IS_PSK;
1388 #if !defined(MBEDTLS_SSL_CLI_C)
1390 " libcoap not compiled for Client Mode for MbedTLS"
1391 " - update MbedTLS to include Client Mode\n");
1394 coap_mbedtls_context_t *m_context =
1397 if (!m_context || !setup_data)
1402 "CoAP Client with MbedTLS does not support Identity Hint selection\n");
1404 m_context->psk_pki_enabled |= IS_PSK;
1412 coap_mbedtls_context_t *m_context =
1415 m_context->setup_data = *setup_data;
1416 if (!m_context->setup_data.verify_peer_cert) {
1420 m_context->setup_data.allow_self_signed = 1;
1421 m_context->setup_data.allow_expired_certs = 1;
1422 m_context->setup_data.cert_chain_validation = 1;
1423 m_context->setup_data.cert_chain_verify_depth = 10;
1424 m_context->setup_data.check_cert_revocation = 1;
1425 m_context->setup_data.allow_no_crl = 1;
1426 m_context->setup_data.allow_expired_crl = 1;
1427 m_context->setup_data.allow_bad_md_hash = 1;
1428 m_context->setup_data.allow_short_rsa_length = 1;
1430 m_context->psk_pki_enabled |= IS_PKI;
1435 const char *ca_file,
1436 const char *ca_path)
1438 coap_mbedtls_context_t *m_context =
1443 "coap_context_set_pki_root_cas: (D)TLS environment "
1448 if (ca_file == NULL && ca_path == NULL) {
1450 "coap_context_set_pki_root_cas: ca_file and/or ca_path "
1454 if (m_context->root_ca_file) {
1455 mbedtls_free(m_context->root_ca_file);
1456 m_context->root_ca_file = NULL;
1460 m_context->root_ca_file = mbedtls_strdup(ca_file);
1463 if (m_context->root_ca_path) {
1464 mbedtls_free(m_context->root_ca_path);
1465 m_context->root_ca_path = NULL;
1469 m_context->root_ca_path = mbedtls_strdup(ca_path);
1476 coap_mbedtls_context_t *m_context =
1478 return m_context->psk_pki_enabled ? 1 : 0;
1483 coap_mbedtls_context_t *m_context = (coap_mbedtls_context_t *)dtls_context;
1486 for (i = 0; i < m_context->pki_sni_count; i++) {
1487 mbedtls_free(m_context->pki_sni_entry_list[i].sni);
1489 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].public_cert);
1491 mbedtls_pk_free(&m_context->pki_sni_entry_list[i].private_key);
1493 mbedtls_x509_crt_free(&m_context->pki_sni_entry_list[i].cacert);
1495 if (m_context->pki_sni_entry_list)
1496 mbedtls_free(m_context->pki_sni_entry_list);
1498 for (i = 0; i < m_context->psk_sni_count; i++) {
1499 mbedtls_free(m_context->psk_sni_entry_list[i].sni);
1501 if (m_context->psk_sni_entry_list)
1502 mbedtls_free(m_context->psk_sni_entry_list);
1504 if (m_context->root_ca_path)
1505 mbedtls_free(m_context->root_ca_path);
1506 if (m_context->root_ca_file)
1507 mbedtls_free(m_context->root_ca_file);
1509 mbedtls_free(m_context);
1514 #if !defined(MBEDTLS_SSL_CLI_C)
1517 " libcoap not compiled for Client Mode for MbedTLS"
1518 " - update MbedTLS to include Client Mode\n");
1521 coap_mbedtls_env_t *m_env = coap_dtls_new_mbedtls_env(c_session,
1528 m_env->last_timeout = now;
1529 ret = do_mbedtls_handshake(c_session, m_env);
1531 coap_dtls_free_mbedtls_env(m_env);
1541 coap_mbedtls_env_t *m_env =
1542 (coap_mbedtls_env_t *)c_session->
tls;
1544 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1545 #if MBEDTLS_VERSION_NUMBER >= 0x02100100
1546 mbedtls_ssl_set_mtu(&m_env->ssl, c_session->
mtu);
1555 if (c_session && c_session->
context && c_session->
tls) {
1556 coap_dtls_free_mbedtls_env(c_session->
tls);
1557 c_session->
tls = NULL;
1565 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1566 coap_mbedtls_env_t *m_env =
1567 (coap_mbedtls_env_t *)c_session->
tls;
1569 #if MBEDTLS_VERSION_NUMBER >= 0x02100100
1570 mbedtls_ssl_set_mtu(&m_env->ssl, c_session->
mtu);
1581 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1583 assert(m_env != NULL);
1589 if (m_env->established) {
1590 ret = mbedtls_ssl_write(&m_env->ssl, (
const unsigned char*) data, data_len);
1593 case MBEDTLS_ERR_SSL_WANT_READ:
1594 case MBEDTLS_ERR_SSL_WANT_WRITE:
1597 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1604 "returned -0x%x: '%s'\n",
1605 -ret, get_error_string(ret));
1614 ret = do_mbedtls_handshake(c_session, m_env);
1647 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1648 int ret = mbedtls_timing_get_delay(&m_env->timer);
1649 unsigned int scalar = 1 << m_env->retry_scalar;
1659 m_env->last_timeout = now;
1672 m_env->last_timeout = now;
1686 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1689 m_env->retry_scalar++;
1691 (do_mbedtls_handshake(c_session, m_env) < 0)) {
1710 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1711 coap_ssl_t *ssl_data;
1713 assert(m_env != NULL);
1715 ssl_data = &m_env->coap_ssl_data;
1716 if (ssl_data->pdu_len) {
1720 ssl_data->pdu = data;
1721 ssl_data->pdu_len = (unsigned)data_len;
1723 if (m_env->established) {
1724 #if COAP_CONSTRAINED_STACK
1725 static coap_mutex_t b_static_mutex = COAP_MUTEX_INITIALIZER;
1731 #if COAP_CONSTRAINED_STACK
1732 coap_mutex_lock(&b_static_mutex);
1741 ret = mbedtls_ssl_read(&m_env->ssl, pdu,
sizeof(pdu));
1744 #if COAP_CONSTRAINED_STACK
1745 coap_mutex_unlock(&b_static_mutex);
1751 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
1752 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
1755 case MBEDTLS_ERR_SSL_WANT_READ:
1759 "coap_dtls_receive: "
1760 "returned -0x%x: '%s' (length %zd)\n",
1761 -ret, get_error_string(ret), data_len);
1764 #if COAP_CONSTRAINED_STACK
1765 coap_mutex_unlock(&b_static_mutex);
1770 ret = do_mbedtls_handshake(c_session, m_env);
1775 if (ssl_data->pdu_len) {
1777 ret = do_mbedtls_handshake(c_session, m_env);
1800 if (ssl_data && ssl_data->pdu_len) {
1802 coap_log(
LOG_DEBUG,
"coap_dtls_receive: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
1803 ssl_data->pdu_len = 0;
1804 ssl_data->pdu = NULL;
1818 #if !defined(MBEDTLS_SSL_PROTO_DTLS) || !defined(MBEDTLS_SSL_SRV_C)
1823 " libcoap not compiled for DTLS or Server Mode for MbedTLS"
1824 " - update MbedTLS to include DTLS and Server Mode\n");
1827 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1828 coap_ssl_t *ssl_data;
1834 c_session->
tls = m_env;
1842 if((ret = mbedtls_ssl_set_client_transport_id(&m_env->ssl,
1846 "mbedtls_ssl_set_client_transport_id() returned -0x%x: '%s'\n",
1847 -ret, get_error_string(ret));
1851 ssl_data = &m_env->coap_ssl_data;
1852 if (ssl_data->pdu_len) {
1856 ssl_data->pdu = data;
1857 ssl_data->pdu_len = (unsigned)data_len;
1859 ret = do_mbedtls_handshake(c_session, m_env);
1860 if (ret == 0 || m_env->seen_client_hello) {
1866 m_env->seen_client_hello = 0;
1873 if (ssl_data && ssl_data->pdu_len) {
1875 coap_log(
LOG_DEBUG,
"coap_dtls_hello: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
1876 ssl_data->pdu_len = 0;
1877 ssl_data->pdu = NULL;
1885 coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->
tls;
1886 int expansion = mbedtls_ssl_get_record_expansion(&m_env->ssl);
1888 if (expansion == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) {
1894 #if !COAP_DISABLE_TCP
1933 static int keep_log_level = 0;
1937 #if !defined(ESPIDF_VERSION)
1954 mbedtls_debug_set_threshold(use_level);
1956 keep_log_level = level;
1961 return keep_log_level;
1967 version.
version = mbedtls_version_get_number();
1975 mbedtls_sha256_context *digest_ctx = mbedtls_malloc(
sizeof(mbedtls_sha256_context));
1978 mbedtls_sha256_init(digest_ctx);
1979 mbedtls_sha256_starts_ret(digest_ctx, 0);
1986 mbedtls_sha256_free(digest_ctx);
1987 mbedtls_free(digest_ctx);
1994 int ret = mbedtls_sha256_update_ret(digest_ctx, data, data_len);
2002 int ret = mbedtls_sha256_finish_ret(digest_ctx, (
uint8_t*)digest_buffer);
2014 #pragma GCC diagnostic ignored "-Wunused-function"
void coap_dtls_free_context(struct coap_dtls_context_t *dtls_context)
Releases the storage allocated for dtls_context.
int coap_dtls_send(struct coap_context_t *coap_context, struct coap_dtls_session_t *session, const coap_pdu_t *pdu)
void coap_dtls_free_session(struct coap_dtls_context_t *dtls_context, struct coap_dtls_session_t *session)
Pulls together all the internal only header files.
#define COAP_RXBUFFER_SIZE
int coap_dtls_context_set_pki_root_cas(struct coap_context_t *ctx UNUSED, const char *ca_file UNUSED, const char *ca_path UNUSED)
int coap_dtls_context_set_pki(coap_context_t *ctx UNUSED, const coap_dtls_pki_t *setup_data UNUSED, const coap_dtls_role_t role UNUSED)
void * coap_dtls_new_client_session(coap_session_t *session UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context UNUSED)
void * coap_tls_new_client_session(coap_session_t *session UNUSED, int *connected UNUSED)
int coap_dtls_receive(coap_session_t *session UNUSED, const uint8_t *data UNUSED, size_t data_len UNUSED)
int coap_dtls_hello(coap_session_t *session UNUSED, const uint8_t *data UNUSED, size_t data_len UNUSED)
void * coap_tls_new_server_session(coap_session_t *session UNUSED, int *connected UNUSED)
int coap_dtls_context_set_cpsk(coap_context_t *ctx UNUSED, coap_dtls_cpsk_t *setup_data UNUSED)
void * coap_dtls_new_server_session(coap_session_t *session UNUSED)
ssize_t coap_tls_read(coap_session_t *session UNUSED, uint8_t *data UNUSED, size_t data_len UNUSED)
int coap_dtls_context_set_spsk(coap_context_t *ctx UNUSED, coap_dtls_spsk_t *setup_data UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session UNUSED, coap_tick_t now UNUSED)
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx UNUSED)
void coap_tls_free_session(coap_session_t *coap_session UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session UNUSED)
void coap_dtls_handle_timeout(coap_session_t *session UNUSED)
unsigned int coap_dtls_get_overhead(coap_session_t *session UNUSED)
ssize_t coap_tls_write(coap_session_t *session UNUSED, const uint8_t *data UNUSED, size_t data_len UNUSED)
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
ssize_t coap_session_send(coap_session_t *session, const uint8_t *data, size_t datalen)
Function interface for datagram data transmission.
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
void coap_session_connected(coap_session_t *session)
Notify session that it has just connected or reconnected.
void coap_session_disconnected(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
#define COAP_SESSION_STATE_HANDSHAKE
void coap_digest_free(coap_digest_ctx_t *digest_ctx)
Free off coap_digest_ctx_t.
coap_digest_ctx_t * coap_digest_setup(void)
Initialize a coap_digest.
int coap_digest_final(coap_digest_ctx_t *digest_ctx, coap_digest_t *digest_buffer)
Finalize the coap_digest information into the provided digest_buffer.
int coap_digest_update(coap_digest_ctx_t *digest_ctx, const uint8_t *data, size_t data_len)
Update the coap_digest information with the next chunk of data.
void coap_ticks(coap_tick_t *t)
Sets t to the internal time with COAP_TICKS_PER_SECOND resolution.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
struct coap_dtls_context_t * coap_dtls_new_context(struct coap_context_t *coap_context)
Creates a new DTLS context for the given coap_context.
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
#define COAP_DTLS_RETRANSMIT_MS
int coap_tls_is_supported(void)
Check whether TLS is available.
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
int coap_dtls_is_supported(void)
Returns 1 if support for DTLS is enabled, or 0 otherwise.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
#define COAP_DTLS_RETRANSMIT_TOTAL_MS
@ COAP_PKI_KEY_PKCS11
The PKI key type is PKCS11 (DER)
@ COAP_PKI_KEY_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_ASN1
The PKI key type is ASN.1 (DER) buffer.
@ COAP_TLS_LIBRARY_MBEDTLS
Using MbedTLS library.
#define COAP_EVENT_DTLS_ERROR
#define COAP_EVENT_DTLS_CLOSED
(D)TLS events for COAP_PROTO_DTLS and COAP_PROTO_TLS
#define COAP_EVENT_DTLS_CONNECTED
void coap_dtls_set_log_level(int level)
Sets the log level to the specified value.
const char * coap_session_str(const coap_session_t *session)
Get session description.
int coap_dtls_get_log_level(void)
Returns the current log level.
#define coap_log(level,...)
Logging function.
@ COAP_LOG_CIPHERS
CipherInfo.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
int coap_handle_event(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
coap_address_t remote
remote address and port
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
The CoAP stack's global state is stored in a coap_context_t object.
size_t(* get_server_psk)(const coap_session_t *session, const uint8_t *identity, size_t identity_len, uint8_t *psk, size_t max_psk_len)
size_t(* get_client_psk)(const coap_session_t *session, const uint8_t *hint, size_t hint_len, uint8_t *identity, size_t *identity_len, size_t max_identity_len, uint8_t *psk, size_t max_psk_len)
coap_dtls_spsk_t spsk_setup_data
Contains the initial PSK server setup data.
The structure used for defining the Client PSK setup data to be used.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
The structure that holds the PKI key information.
coap_pki_key_pem_t pem
for PEM file keys
union coap_dtls_key_t::@1 key
coap_pki_key_pem_buf_t pem_buf
for PEM memory keys
coap_pki_key_t key_type
key format type
coap_pki_key_asn1_t asn1
for ASN.1 (DER) memory keys
The structure used for defining the PKI setup data to be used.
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
void * sni_call_back_arg
Passed in to the SNI callback function.
const uint8_t * private_key
ASN1 (DER) Private Key.
size_t public_cert_len
ASN1 Public Cert length.
size_t private_key_len
ASN1 Private Key length.
const uint8_t * ca_cert
ASN1 (DER) Common CA Cert.
size_t ca_cert_len
ASN1 CA Cert length.
const uint8_t * public_cert
ASN1 (DER) Public Cert, or Public Key if RPK.
size_t ca_cert_len
PEM buffer CA Cert length.
const uint8_t * ca_cert
PEM buffer Common CA Cert.
size_t private_key_len
PEM buffer Private Key length.
const uint8_t * private_key
PEM buffer Private Key If RPK and 'EC PRIVATE KEY' this can be used for both the public_cert and priv...
size_t public_cert_len
PEM buffer Public Cert length.
const uint8_t * public_cert
PEM buffer Public Cert, or Public Key if RPK.
const char * ca_file
File location of Common CA in PEM format.
const char * public_cert
File location of Public Cert.
const char * private_key
File location of Private Key in PEM format.
unsigned int dtls_timeout_count
dtls setup retry counter
coap_bin_const_t * psk_key
If client, this field contains the current pre-shared key for server; When this field is NULL,...
unsigned int max_retransmit
maximum re-transmit count (default 4)
coap_session_state_t state
current state of relationaship with peer
coap_addr_tuple_t addr_info
key: remote/local address info
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
struct coap_context_t * context
session's context
int dtls_event
Tracking any (D)TLS events on this sesison.
void * tls
security parameters
uint64_t mtu
path or CSM mtu
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version