20#if COAP_WITH_LIBOPENSSL
75#include <openssl/ssl.h>
76#if OPENSSL_VERSION_NUMBER < 0x40000000L
77#include <openssl/engine.h>
79#include <openssl/err.h>
80#include <openssl/rand.h>
81#include <openssl/hmac.h>
82#include <openssl/x509v3.h>
84#if OPENSSL_VERSION_NUMBER >= 0x30000000L
87#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
90#if !defined(__MINGW32__)
91#pragma warning(disable : 4996)
96#ifdef COAP_EPOLL_SUPPORT
97# include <sys/epoll.h>
100#if OPENSSL_VERSION_NUMBER < 0x10100000L
101#error Must be compiled against OpenSSL 1.1.0 or later
105#define strcasecmp _stricmp
106#define strncasecmp _strnicmp
110#ifndef TLSEXT_TYPE_client_certificate_type
111#define TLSEXT_TYPE_client_certificate_type 19
113#ifndef TLSEXT_TYPE_server_certificate_type
114#define TLSEXT_TYPE_server_certificate_type 20
117#ifndef COAP_OPENSSL_CIPHERS
118#if OPENSSL_VERSION_NUMBER >= 0x10101000L
119#define COAP_OPENSSL_CIPHERS "TLSv1.3:TLSv1.2:!NULL"
121#define COAP_OPENSSL_CIPHERS "TLSv1.2:!NULL"
125#ifndef COAP_OPENSSL_PSK_CIPHERS
126#define COAP_OPENSSL_PSK_CIPHERS "PSK:!NULL"
129#ifndef COAP_OPENSSL_PKCS11_ENGINE_ID
130#define COAP_OPENSSL_PKCS11_ENGINE_ID "pkcs11"
134typedef struct coap_dtls_context_t {
137 HMAC_CTX *cookie_hmac;
140} coap_dtls_context_t;
142typedef struct coap_tls_context_t {
150typedef struct sni_entry {
152#if OPENSSL_VERSION_NUMBER < 0x10101000L
159typedef struct psk_sni_entry {
161#if OPENSSL_VERSION_NUMBER < 0x10101000L
167typedef struct coap_openssl_context_t {
168 coap_dtls_context_t dtls;
170 coap_tls_context_t tls;
175 sni_entry *sni_entry_list;
176#if OPENSSL_VERSION_NUMBER < 0x10101000L
177 size_t psk_sni_count;
178 psk_sni_entry *psk_sni_entry_list;
180} coap_openssl_context_t;
182#if COAP_SERVER_SUPPORT
183#if OPENSSL_VERSION_NUMBER < 0x10101000L
184static int psk_tls_server_name_call_back(SSL *ssl,
int *sd,
void *arg);
186static int tls_client_hello_call_back(SSL *ssl,
int *al,
void *arg);
192 if (SSLeay() < 0x10100000L) {
193 coap_log_warn(
"OpenSSL version 1.1.0 or later is required\n");
196#if OPENSSL_VERSION_NUMBER >= 0x10101000L
204 if (SSLeay() < 0x10101000L) {
205 coap_log_warn(
"OpenSSL version 1.1.1 or later is required\n");
215 if (SSLeay() < 0x10100000L) {
216 coap_log_warn(
"OpenSSL version 1.1.0 or later is required\n");
219#if OPENSSL_VERSION_NUMBER >= 0x10101000L
220 if (SSLeay() < 0x10101000L) {
221 coap_log_warn(
"OpenSSL version 1.1.1 or later is required\n");
255#if OPENSSL_VERSION_NUMBER < 0x40000000L
280#if COAP_CLIENT_SUPPORT
298#if OPENSSL_VERSION_NUMBER < 0x40000000L
299static ENGINE *pkcs11_engine =
NULL;
300static ENGINE *defined_engine =
NULL;
305 SSL_load_error_strings();
307#if OPENSSL_VERSION_NUMBER < 0x40000000L
308 ENGINE_load_dynamic();
314#if OPENSSL_VERSION_NUMBER < 0x30000000L
317 ENGINE_finish(pkcs11_engine);
318 pkcs11_engine =
NULL;
320 if (defined_engine) {
322 ENGINE_finish(defined_engine);
323 defined_engine =
NULL;
325#elif OPENSSL_VERSION_NUMBER < 0x40000000L
326 pkcs11_engine =
NULL;
327 defined_engine =
NULL;
343 return c_session->
tls;
348#if OPENSSL_VERSION_NUMBER < 0x40000000L
350get_split_conf_entry(
const uint8_t **start,
size_t size,
const char *get_keyword,
352 const uint8_t *begin = *start;
355 const uint8_t *split;
361 kend = end = memchr(begin,
'\n', size);
367 if (end > begin && end[-1] ==
'\r')
370 if (begin[0] ==
'#' || (end - begin) == 0) {
372 size -= kend - begin + 1;
378 split = memchr(begin,
':', end - begin);
382 if ((
size_t)(split - begin) != strlen(get_keyword)) {
383 size -= kend - begin + 1;
387 if (memcmp(begin, get_keyword, split - begin)) {
388 size -= kend - begin + 1;
396 if ((end - begin) == 0)
399 split = memchr(begin,
':', end - begin);
411 if ((end - split) > 0) {
446 const uint8_t *start;
451 unsigned int defaults = 0;
452 int done_engine_id = 0;
453 int done_engine_init = 0;
459 end = start + conf_mem->
length;
461 if (defined_engine) {
462 coap_log_warn(
"coap_tls_engine_configure: Freeing off previous engine definition\n");
463 ENGINE_finish(defined_engine);
464 defined_engine =
NULL;
468 if (!get_split_conf_entry(&start, end - start,
"engine", &engine_id, &p2)) {
469 coap_log_warn(
"coap_tls_engine_configure: engine not defined\n");
472 defined_engine = ENGINE_by_id((
const char *)engine_id->
s);
473 if (!defined_engine) {
474 coap_log_warn(
"coap_tls_engine_configure: engine '%s' not known\n", engine_id->
s);
484 while (get_split_conf_entry(&start, end - start,
"pre-cmd", &p1, &p2)) {
485 if (!ENGINE_ctrl_cmd_string(defined_engine, (
const char *)p1->
s, p2 ? (
const char *)p2->
s :
NULL,
487 coap_log_warn(
"coap_tls_engine_configure: engine %s pre-cmd '%s:%s' failed\n",
488 (
const char *)engine_id->
s,
489 (
const char *)p1->
s, p2 ? (
const char *)p2->
s :
"(NULL)");
493 engine_id->
s, p1->
s, p2 ? (
const char *)p2->
s :
"(NULL)");
502 if (!ENGINE_init(defined_engine)) {
503 coap_log_warn(
"coap_tls_engine_configure: %s failed initialization\n", (
const char *)engine_id->
s);
506 done_engine_init = 1;
508 (
const char *)engine_id->
s);
513 while (get_split_conf_entry(&start, end - start,
"post-cmd", &p1, &p2)) {
514 if (!ENGINE_ctrl_cmd_string(defined_engine, (
const char *)p1->
s, p2 ? (
const char *)p2->
s :
NULL,
516 coap_log_warn(
"coap_tls_engine_configure: %s post-cmd '%s:%s' failed\n", (
const char *)engine_id->
s,
517 (
const char *)p1->
s, p2 ? (
const char *)p2->
s :
"(NULL)");
521 (
const char *)engine_id->
s,
522 (
const char *)p1->
s, p2 ? (
const char *)p2->
s :
"(NULL)");
530 if (!get_split_conf_entry(&start, end - start,
"enable-methods", &p1, &p2)) {
531 coap_log_warn(
"coap_tls_engine_configure: enable-methods not found\n");
534 defaults = strtoul((
const char *)p1->
s,
NULL, 0);
535 if (!ENGINE_set_default(defined_engine, defaults)) {
536 coap_log_warn(
"coap_tls_engine_configure: enable-methods 0x%x invalid\n", defaults);
551 ENGINE_free(defined_engine);
552 if (done_engine_init)
553 ENGINE_finish(defined_engine);
554 defined_engine =
NULL;
563 if (defined_engine) {
564 ENGINE_finish(defined_engine);
565 defined_engine =
NULL;
599typedef struct coap_ssl_data {
608coap_dgram_create(BIO *a) {
609 coap_ssl_data *data =
NULL;
610 data = malloc(
sizeof(coap_ssl_data));
614 BIO_set_data(a, data);
615 memset(data, 0x00,
sizeof(coap_ssl_data));
620coap_dgram_destroy(BIO *a) {
624 data = (coap_ssl_data *)BIO_get_data(a);
625 BIO_set_data(a,
NULL);
632coap_dgram_read(BIO *a,
char *out,
int outl) {
634 coap_ssl_data *data = (coap_ssl_data *)BIO_get_data(a);
637 if (data !=
NULL && data->pdu_len > 0) {
638 if (outl < (
int)data->pdu_len) {
639 memcpy(out, data->pdu, outl);
642 memcpy(out, data->pdu, data->pdu_len);
643 ret = (int)data->pdu_len;
645 if (!data->peekmode) {
652 BIO_clear_retry_flags(a);
654 BIO_set_retry_read(a);
660coap_dgram_write(BIO *a,
const char *in,
int inl) {
662 coap_ssl_data *data = (coap_ssl_data *)BIO_get_data(a);
664 if (data && data->session) {
667 && data->session->endpoint ==
NULL
671 BIO_clear_retry_flags(a);
675 ret = (int)data->session->sock.lfunc[
COAP_LAYER_TLS].l_write(data->session,
678 BIO_clear_retry_flags(a);
680 if (ret < 0 && (errno == ENOTCONN || errno == ECONNREFUSED))
682 BIO_set_retry_write(a);
685 BIO_clear_retry_flags(a);
692coap_dgram_puts(BIO *a,
const char *pstr) {
693 return coap_dgram_write(a, pstr, (
int)strlen(pstr));
697coap_dgram_ctrl(BIO *a,
int cmd,
long num,
void *ptr) {
699 coap_ssl_data *data = BIO_get_data(a);
704 case BIO_CTRL_GET_CLOSE:
705 ret = BIO_get_shutdown(a);
707 case BIO_CTRL_SET_CLOSE:
708 BIO_set_shutdown(a, (
int)num);
710 case BIO_CTRL_DGRAM_SET_PEEK_MODE:
712 data->peekmode = (unsigned)num;
716 case BIO_CTRL_DGRAM_CONNECT:
719 case BIO_CTRL_DGRAM_SET_DONT_FRAG:
720 case BIO_CTRL_DGRAM_GET_MTU:
721 case BIO_CTRL_DGRAM_SET_MTU:
722 case BIO_CTRL_DGRAM_QUERY_MTU:
723 case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
728 case BIO_CTRL_DGRAM_MTU_DISCOVER:
729 case BIO_CTRL_DGRAM_SET_CONNECTED:
731 case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
734 ((
struct timeval *)ptr)->tv_usec);
739 case BIO_C_FILE_SEEK:
740 case BIO_C_FILE_TELL:
742 case BIO_CTRL_PENDING:
743 case BIO_CTRL_WPENDING:
744 case BIO_CTRL_DGRAM_GET_PEER:
745 case BIO_CTRL_DGRAM_SET_PEER:
746 case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
747 case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
748 case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
749 case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
750 case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
751 case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
752 case BIO_CTRL_DGRAM_MTU_EXCEEDED:
753 case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
762coap_dtls_generate_cookie(SSL *ssl,
763 unsigned char *cookie,
764 unsigned int *cookie_len) {
765 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
766 coap_dtls_context_t *dtls = ctx ? (coap_dtls_context_t *)SSL_CTX_get_app_data(ctx) :
NULL;
767 coap_ssl_data *data = (coap_ssl_data *)BIO_get_data(SSL_get_rbio(ssl));
770 int r = HMAC_Init_ex(dtls->cookie_hmac,
NULL, 0,
NULL,
NULL);
771 r &= HMAC_Update(dtls->cookie_hmac,
772 (
const uint8_t *)&data->session->addr_info.local.addr,
773 (
size_t)data->session->addr_info.local.size);
774 r &= HMAC_Update(dtls->cookie_hmac,
775 (
const uint8_t *)&data->session->addr_info.remote.addr,
776 (
size_t)data->session->addr_info.remote.size);
777 r &= HMAC_Final(dtls->cookie_hmac, cookie, cookie_len);
784coap_dtls_verify_cookie(SSL *ssl,
785 const uint8_t *cookie,
786 unsigned int cookie_len) {
789 if (coap_dtls_generate_cookie(ssl, hmac, &len) &&
790 cookie_len == len && memcmp(cookie, hmac, len) == 0)
796#if COAP_CLIENT_SUPPORT
798coap_dtls_psk_client_callback(SSL *ssl,
801 unsigned int max_identity_len,
803 unsigned int max_psk_len) {
805 coap_openssl_context_t *o_context;
816 if (o_context ==
NULL)
820 temp.
s = hint ? (
const uint8_t *)hint : (const uint8_t *)
"";
821 temp.
length = strlen((
const char *)temp.
s);
825 (
const char *)temp.
s);
837 if (cpsk_info ==
NULL)
842 psk_identity = &cpsk_info->
identity;
843 psk_key = &cpsk_info->
key;
849 if (psk_identity ==
NULL || psk_key ==
NULL) {
855 if (!max_identity_len)
858 if (psk_identity->
length > max_identity_len) {
859 coap_log_warn(
"psk_identity too large, truncated to %d bytes\n",
863 max_identity_len = (
unsigned int)psk_identity->
length;
865 memcpy(identity, psk_identity->
s, max_identity_len);
866 identity[max_identity_len] =
'\000';
868 if (psk_key->
length > max_psk_len) {
873 max_psk_len = (
unsigned int)psk_key->
length;
875 memcpy(psk, psk_key->
s, max_psk_len);
880#if COAP_SERVER_SUPPORT
882coap_dtls_psk_server_callback(
884 const char *identity,
886 unsigned int max_psk_len
897 setup_data = &c_session->
context->spsk_setup_data;
900 lidentity.
s = identity ? (
const uint8_t *)identity : (const uint8_t *)
"";
901 lidentity.
length = strlen((
const char *)lidentity.
s);
905 (
int)lidentity.
length, (
const char *)lidentity.
s);
920 if (psk_key->
length > max_psk_len) {
925 max_psk_len = (
unsigned int)psk_key->
length;
927 memcpy(psk, psk_key->
s, max_psk_len);
933ssl_function_definition(
unsigned long e) {
934#if OPENSSL_VERSION_NUMBER >= 0x30000000L
938 static char buff[80];
940 snprintf(buff,
sizeof(buff),
" at %s:%s",
941 ERR_lib_error_string(e), ERR_func_error_string(e));
947coap_dtls_info_callback(
const SSL *ssl,
int where,
int ret) {
950 int w = where &~SSL_ST_MASK;
954 "coap_dtls_info_callback: session not determined, where 0x%0x and ret 0x%0x\n", where, ret);
957 if (w & SSL_ST_CONNECT)
958 pstr =
"SSL_connect";
959 else if (w & SSL_ST_ACCEPT)
964 if (where & SSL_CB_LOOP) {
967 }
else if (where & SSL_CB_ALERT) {
969 pstr = (where & SSL_CB_READ) ?
"read" :
"write";
970 if ((where & (SSL_CB_WRITE|SSL_CB_READ)) && (ret >> 8) == SSL3_AL_FATAL) {
972 if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
976 coap_log(log_level,
"* %s: SSL3 alert %s:%s:%s\n",
979 SSL_alert_type_string_long(ret),
980 SSL_alert_desc_string_long(ret));
981 }
else if (where & SSL_CB_EXIT) {
987 while ((e = ERR_get_error()))
990 ssl_function_definition(e));
992 }
else if (ret < 0) {
994 int err = SSL_get_error(ssl, ret);
995 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE &&
996 err != SSL_ERROR_WANT_CONNECT && err != SSL_ERROR_WANT_ACCEPT &&
997 err != SSL_ERROR_WANT_X509_LOOKUP) {
1001 while ((e = ERR_get_error()))
1004 ssl_function_definition(e));
1009 while ((e = ERR_get_error())) {
1015 if (where == SSL_CB_HANDSHAKE_START && SSL_get_state(ssl) == TLS_ST_OK)
1019#if !COAP_DISABLE_TCP
1021coap_sock_create(BIO *a) {
1027coap_sock_destroy(BIO *a) {
1039coap_sock_read(BIO *a,
char *out,
int outl) {
1043 if (session && out !=
NULL) {
1048 BIO_set_retry_read(a);
1052 BIO_clear_retry_flags(a);
1065coap_sock_write(BIO *a,
const char *in,
int inl) {
1074 (
const uint8_t *)in,
1078 BIO_clear_retry_flags(a);
1080 BIO_set_retry_read(a);
1084 BIO_clear_retry_flags(a);
1088 (errno == EPIPE || errno == ECONNRESET)) {
1108coap_sock_puts(BIO *a,
const char *pstr) {
1109 return coap_sock_write(a, pstr, (
int)strlen(pstr));
1113coap_sock_ctrl(BIO *a,
int cmd,
long num,
void *ptr) {
1124 case BIO_CTRL_SET_CLOSE:
1126 case BIO_CTRL_FLUSH:
1130 case BIO_CTRL_GET_CLOSE:
1139coap_set_user_prefs(SSL_CTX *ctx) {
1140 SSL_CTX_set_cipher_list(ctx, COAP_OPENSSL_CIPHERS);
1142#ifdef COAP_OPENSSL_SIGALGS
1143 SSL_CTX_set1_sigalgs_list(ctx, COAP_OPENSSL_SIGALGS);
1144 SSL_CTX_set1_client_sigalgs_list(ctx, COAP_OPENSSL_SIGALGS);
1147#if OPENSSL_VERSION_NUMBER >= 0x10101000L && defined(COAP_OPENSSL_GROUPS)
1148 SSL_CTX_set1_groups_list(ctx, COAP_OPENSSL_GROUPS);
1152#if COAP_DTLS_RETRANSMIT_MS != 1000
1153#if OPENSSL_VERSION_NUMBER >= 0x10101000L
1155timer_cb(SSL *s,
unsigned int timer_us) {
1160 return 2 * timer_us;
1167 coap_openssl_context_t *context;
1172 uint8_t cookie_secret[32];
1174 memset(context, 0,
sizeof(coap_openssl_context_t));
1177 context->dtls.ctx = SSL_CTX_new(DTLS_method());
1178 if (!context->dtls.ctx)
1180 SSL_CTX_set_min_proto_version(context->dtls.ctx, DTLS1_2_VERSION);
1181 SSL_CTX_set_app_data(context->dtls.ctx, &context->dtls);
1182 SSL_CTX_set_read_ahead(context->dtls.ctx, 1);
1183 coap_set_user_prefs(context->dtls.ctx);
1184 memset(cookie_secret, 0,
sizeof(cookie_secret));
1185 if (!RAND_bytes(cookie_secret, (
int)
sizeof(cookie_secret))) {
1187 "Insufficient entropy for random cookie generation");
1190 context->dtls.cookie_hmac = HMAC_CTX_new();
1191 if (!context->dtls.cookie_hmac)
1193 if (!HMAC_Init_ex(context->dtls.cookie_hmac, cookie_secret, (
int)
sizeof(cookie_secret),
1194 EVP_sha256(),
NULL))
1196 SSL_CTX_set_cookie_generate_cb(context->dtls.ctx, coap_dtls_generate_cookie);
1197 SSL_CTX_set_cookie_verify_cb(context->dtls.ctx, coap_dtls_verify_cookie);
1198 SSL_CTX_set_info_callback(context->dtls.ctx, coap_dtls_info_callback);
1199 SSL_CTX_set_options(context->dtls.ctx, SSL_OP_NO_QUERY_MTU);
1200#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1201 SSL_CTX_set_options(context->dtls.ctx, SSL_OP_LEGACY_SERVER_CONNECT);
1203 context->dtls.meth = BIO_meth_new(BIO_TYPE_DGRAM,
"coapdgram");
1204 if (!context->dtls.meth)
1206 context->dtls.bio_addr = BIO_ADDR_new();
1207 if (!context->dtls.bio_addr)
1209 BIO_meth_set_write(context->dtls.meth, coap_dgram_write);
1210 BIO_meth_set_read(context->dtls.meth, coap_dgram_read);
1211 BIO_meth_set_puts(context->dtls.meth, coap_dgram_puts);
1212 BIO_meth_set_ctrl(context->dtls.meth, coap_dgram_ctrl);
1213 BIO_meth_set_create(context->dtls.meth, coap_dgram_create);
1214 BIO_meth_set_destroy(context->dtls.meth, coap_dgram_destroy);
1216#if !COAP_DISABLE_TCP
1218 context->tls.ctx = SSL_CTX_new(TLS_method());
1219 if (!context->tls.ctx)
1221 SSL_CTX_set_app_data(context->tls.ctx, &context->tls);
1222 SSL_CTX_set_min_proto_version(context->tls.ctx, TLS1_VERSION);
1223 coap_set_user_prefs(context->tls.ctx);
1224 SSL_CTX_set_info_callback(context->tls.ctx, coap_dtls_info_callback);
1225 context->tls.meth = BIO_meth_new(BIO_TYPE_SOCKET,
"coapsock");
1226 if (!context->tls.meth)
1228 BIO_meth_set_write(context->tls.meth, coap_sock_write);
1229 BIO_meth_set_read(context->tls.meth, coap_sock_read);
1230 BIO_meth_set_puts(context->tls.meth, coap_sock_puts);
1231 BIO_meth_set_ctrl(context->tls.meth, coap_sock_ctrl);
1232 BIO_meth_set_create(context->tls.meth, coap_sock_create);
1233 BIO_meth_set_destroy(context->tls.meth, coap_sock_destroy);
1244#if COAP_SERVER_SUPPORT
1249 coap_openssl_context_t *o_context =
1253 if (!setup_data || !o_context)
1256 SSL_CTX_set_psk_server_callback(o_context->dtls.ctx,
1257 coap_dtls_psk_server_callback);
1258#if !COAP_DISABLE_TCP
1259 SSL_CTX_set_psk_server_callback(o_context->tls.ctx,
1260 coap_dtls_psk_server_callback);
1266 SSL_CTX_use_psk_identity_hint(o_context->dtls.ctx, hint);
1267#if !COAP_DISABLE_TCP
1268 SSL_CTX_use_psk_identity_hint(o_context->tls.ctx, hint);
1272#if OPENSSL_VERSION_NUMBER < 0x10101000L
1273 SSL_CTX_set_tlsext_servername_arg(o_context->dtls.ctx,
1274 &c_context->spsk_setup_data);
1275 SSL_CTX_set_tlsext_servername_callback(o_context->dtls.ctx,
1276 psk_tls_server_name_call_back);
1277#if !COAP_DISABLE_TCP
1278 SSL_CTX_set_tlsext_servername_arg(o_context->tls.ctx,
1279 &c_context->spsk_setup_data);
1280 SSL_CTX_set_tlsext_servername_callback(o_context->tls.ctx,
1281 psk_tls_server_name_call_back);
1284 SSL_CTX_set_client_hello_cb(o_context->dtls.ctx,
1285 tls_client_hello_call_back,
1287#if !COAP_DISABLE_TCP
1288 SSL_CTX_set_client_hello_cb(o_context->tls.ctx,
1289 tls_client_hello_call_back,
1295 if (!o_context->dtls.ssl) {
1297 o_context->dtls.ssl = SSL_new(o_context->dtls.ctx);
1298 if (!o_context->dtls.ssl)
1300 bio = BIO_new(o_context->dtls.meth);
1302 SSL_free(o_context->dtls.ssl);
1303 o_context->dtls.ssl =
NULL;
1306 SSL_set_bio(o_context->dtls.ssl, bio, bio);
1307 SSL_set_app_data(o_context->dtls.ssl,
NULL);
1308 SSL_set_options(o_context->dtls.ssl, SSL_OP_COOKIE_EXCHANGE);
1314 o_context->psk_pki_enabled |= IS_PSK;
1319#if COAP_CLIENT_SUPPORT
1324 coap_openssl_context_t *o_context =
1328 if (!setup_data || !o_context)
1331 if (!o_context->dtls.ssl) {
1333 o_context->dtls.ssl = SSL_new(o_context->dtls.ctx);
1334 if (!o_context->dtls.ssl)
1336 bio = BIO_new(o_context->dtls.meth);
1338 SSL_free(o_context->dtls.ssl);
1339 o_context->dtls.ssl =
NULL;
1342 SSL_set_bio(o_context->dtls.ssl, bio, bio);
1343 SSL_set_app_data(o_context->dtls.ssl,
NULL);
1344 SSL_set_options(o_context->dtls.ssl, SSL_OP_COOKIE_EXCHANGE);
1353 o_context->psk_pki_enabled |= IS_PSK;
1359map_key_type(
int asn1_private_key_type
1361 switch (asn1_private_key_type) {
1363 return EVP_PKEY_NONE;
1365 return EVP_PKEY_RSA;
1367 return EVP_PKEY_RSA2;
1369 return EVP_PKEY_DSA;
1371 return EVP_PKEY_DSA1;
1373 return EVP_PKEY_DSA2;
1375 return EVP_PKEY_DSA3;
1377 return EVP_PKEY_DSA4;
1381 return EVP_PKEY_DHX;
1385 return EVP_PKEY_HMAC;
1387 return EVP_PKEY_CMAC;
1389 return EVP_PKEY_TLS1_PRF;
1391 return EVP_PKEY_HKDF;
1393 coap_log_warn(
"*** setup_pki: DTLS: Unknown Private Key type %d for ASN1\n",
1394 asn1_private_key_type);
1399#if !COAP_DISABLE_TCP
1400static uint8_t coap_alpn[] = { 4,
'c',
'o',
'a',
'p' };
1402#if COAP_SERVER_SUPPORT
1405 const unsigned char **out,
1406 unsigned char *outlen,
1407 const unsigned char *in,
1411 unsigned char *tout =
NULL;
1414 return SSL_TLSEXT_ERR_NOACK;
1415 ret = SSL_select_next_proto(&tout,
1422 return (ret != OPENSSL_NPN_NEGOTIATED) ? SSL_TLSEXT_ERR_NOACK : SSL_TLSEXT_ERR_OK;
1428add_ca_to_cert_store(X509_STORE *st, X509 *x509) {
1432 while (ERR_get_error() != 0) {
1435 if (!X509_STORE_add_cert(st, x509)) {
1436 while ((e = ERR_get_error()) != 0) {
1437 int r = ERR_GET_REASON(e);
1438 if (r != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
1441 ERR_reason_error_string(e),
1442 ssl_function_definition(e));
1448#if OPENSSL_VERSION_NUMBER < 0x40000000L
1450missing_ENGINE_load_cert(ENGINE *engine,
const char *cert_id) {
1452 const char *cert_id;
1456 params.cert_id = cert_id;
1460 if (!ENGINE_ctrl_cmd(engine,
"LOAD_CERT_CTRL", 0, ¶ms,
NULL, 1)) {
1467check_pkcs11_engine(
void) {
1468 static int already_tried = 0;
1473 if (!pkcs11_engine) {
1474 pkcs11_engine = ENGINE_by_id(COAP_OPENSSL_PKCS11_ENGINE_ID);
1475 if (!pkcs11_engine) {
1476 coap_log_err(
"*** setup_pki: (D)TLS: No PKCS11 support - need OpenSSL %s engine\n",
1477 COAP_OPENSSL_PKCS11_ENGINE_ID);
1481 if (!ENGINE_init(pkcs11_engine)) {
1483 ENGINE_free(pkcs11_engine);
1484 pkcs11_engine =
NULL;
1485 coap_log_err(
"*** setup_pki: (D)TLS: PKCS11 engine initialize failed\n");
1493 ENGINE_free(pkcs11_engine);
1499#if OPENSSL_VERSION_NUMBER < 0x10101000L && COAP_SERVER_SUPPORT
1502install_engine_public_cert_ctx(ENGINE *engine, SSL_CTX *ctx,
1503 const char *public_cert) {
1506 x509 = missing_ENGINE_load_cert(engine, public_cert);
1514 if (!SSL_CTX_use_certificate(ctx, x509)) {
1515 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1527install_engine_private_key_ctx(ENGINE *engine, SSL_CTX *ctx,
1528 const char *private_key) {
1529 EVP_PKEY *pkey = ENGINE_load_private_key(engine,
1540 if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
1541 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1545 EVP_PKEY_free(pkey);
1548 EVP_PKEY_free(pkey);
1553install_engine_ca_ctx(ENGINE *engine, SSL_CTX *ctx,
const char *ca) {
1557 x509 = missing_ENGINE_load_cert(engine,
1561 "%s CA Certificate\n",
1566 if (!SSL_CTX_add_client_CA(ctx, x509)) {
1567 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1568 "%s CA Certificate\n",
1574 st = SSL_CTX_get_cert_store(ctx);
1575 add_ca_to_cert_store(st, x509);
1581load_in_cas_ctx(SSL_CTX *ctx,
1582 const char *ca_file) {
1583 STACK_OF(X509_NAME) *cert_names;
1587 char *rw_var =
NULL;
1588 cert_names = SSL_load_client_CA_file(ca_file);
1589 if (cert_names !=
NULL)
1590 SSL_CTX_set_client_CA_list(ctx, cert_names);
1592 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1599 st = SSL_CTX_get_cert_store(ctx);
1600 in = BIO_new(BIO_s_file());
1604 memcpy(&rw_var, &ca_file,
sizeof(rw_var));
1605 if (!BIO_read_filename(in, rw_var)) {
1613 add_ca_to_cert_store(st, x);
1621setup_pki_server(SSL_CTX *ctx,
1637 if (!(SSL_CTX_use_PrivateKey_file(ctx,
1639 SSL_FILETYPE_PEM))) {
1649 EVP_PKEY *pkey = bp ? PEM_read_bio_PrivateKey(bp,
NULL, 0,
NULL) :
NULL;
1651 if (!pkey || !SSL_CTX_use_PrivateKey(ctx, pkey)) {
1655 EVP_PKEY_free(pkey);
1663 EVP_PKEY_free(pkey);
1675 if (!(SSL_CTX_use_PrivateKey_file(ctx,
1677 SSL_FILETYPE_ASN1))) {
1695 if (!check_pkcs11_engine()) {
1700 if (ENGINE_ctrl_cmd_string(pkcs11_engine,
1703 coap_log_warn(
"*** setup_pki: (D)TLS: PKCS11: %s: Unable to set pin\n",
1708 if (!install_engine_private_key_ctx(pkcs11_engine, ctx,
1716 if (!defined_engine ||
1717 !install_engine_private_key_ctx(defined_engine, ctx,
1746 if (!(SSL_CTX_use_certificate_file(ctx,
1748 SSL_FILETYPE_PEM))) {
1754 if (!SSL_CTX_use_certificate_chain_file(ctx,
1766 X509 *cert = bp ? PEM_read_bio_X509(bp,
NULL, 0,
NULL) :
NULL;
1768 if (!cert || !SSL_CTX_use_certificate(ctx, cert)) {
1792 if (!(SSL_CTX_use_certificate_file(ctx,
1794 SSL_FILETYPE_ASN1))) {
1802 !(SSL_CTX_use_certificate_ASN1(ctx,
1811 if (!check_pkcs11_engine()) {
1814 if (!install_engine_public_cert_ctx(pkcs11_engine, ctx,
1822 if (!defined_engine ||
1823 !install_engine_public_cert_ctx(defined_engine, ctx,
1861 X509_STORE *st = SSL_CTX_get_cert_store(ctx);
1867 add_ca_to_cert_store(st, x);
1868 SSL_CTX_add_client_CA(ctx, x);
1884 if (!(SSL_CTX_use_certificate_file(ctx,
1886 SSL_FILETYPE_ASN1))) {
1899 if (!x509 || !SSL_CTX_add_client_CA(ctx, x509)) {
1907 st = SSL_CTX_get_cert_store(ctx);
1908 add_ca_to_cert_store(st, x509);
1913 if (!check_pkcs11_engine()) {
1916 if (!install_engine_ca_ctx(pkcs11_engine, ctx,
1924 if (!defined_engine ||
1925 !install_engine_ca_ctx(defined_engine, ctx,
1944#if OPENSSL_VERSION_NUMBER >= 0x10101000L || COAP_CLIENT_SUPPORT
1946#if OPENSSL_VERSION_NUMBER < 0x40000000L
1948install_engine_public_cert(ENGINE *engine, SSL *ssl,
const char *public_cert,
1952 x509 = missing_ENGINE_load_cert(engine, public_cert);
1960 if (!SSL_use_certificate(ssl, x509)) {
1961 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1973install_engine_private_key(ENGINE *engine, SSL *ssl,
const char *private_key,
1975 EVP_PKEY *pkey = ENGINE_load_private_key(engine,
1986 if (!SSL_use_PrivateKey(ssl, pkey)) {
1987 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
1991 EVP_PKEY_free(pkey);
1994 EVP_PKEY_free(pkey);
1999install_engine_ca(ENGINE *engine, SSL *ssl,
const char *ca,
2002 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
2007 "%s CA Certificate (no ctx)\n",
2012 x509 = missing_ENGINE_load_cert(engine,
2016 "%s CA Certificate\n",
2021 if (!SSL_add_client_CA(ssl, x509)) {
2022 coap_log_warn(
"*** setup_pki: (D)TLS: %s: Unable to configure "
2023 "%s CA Certificate\n",
2029 st = SSL_CTX_get_cert_store(ctx);
2030 add_ca_to_cert_store(st, x509);
2037load_in_cas(SSL *ssl,
2042 char *rw_var =
NULL;
2043 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
2046 STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(ca_file);
2048 if (cert_names !=
NULL)
2049 SSL_set_client_CA_list(ssl, cert_names);
2059 in = BIO_new(BIO_s_file());
2063 memcpy(&rw_var, &ca_file,
sizeof(rw_var));
2064 if (!BIO_read_filename(in, rw_var)) {
2068 st = SSL_CTX_get_cert_store(ctx);
2072 add_ca_to_cert_store(st, x);
2080setup_pki_ssl(SSL *ssl,
2096 if (!(SSL_use_PrivateKey_file(ssl,
2098 SSL_FILETYPE_PEM))) {
2099 goto fail_bad_private;
2106 EVP_PKEY *pkey = bp ? PEM_read_bio_PrivateKey(bp,
NULL, 0,
NULL) :
NULL;
2108 if (!pkey || !SSL_use_PrivateKey(ssl, pkey)) {
2112 EVP_PKEY_free(pkey);
2113 goto fail_bad_private;
2118 EVP_PKEY_free(pkey);
2120 goto fail_none_private;
2124 goto fail_ns_private;
2126 if (!(SSL_use_PrivateKey_file(ssl,
2128 SSL_FILETYPE_ASN1))) {
2129 goto fail_bad_private;
2138 goto fail_bad_private;
2142#if OPENSSL_VERSION_NUMBER < 0x40000000L
2143 if (!check_pkcs11_engine()) {
2144 goto fail_bad_private;
2148 if (ENGINE_ctrl_cmd_string(pkcs11_engine,
2151 coap_log_warn(
"*** setup_pki: (D)TLS: PKCS11: %s: Unable to set pin\n",
2153 goto fail_bad_private;
2156 if (!install_engine_private_key(pkcs11_engine, ssl,
2159 goto fail_bad_private;
2162 goto fail_bad_private;
2166#if OPENSSL_VERSION_NUMBER < 0x40000000L
2167 if (!defined_engine ||
2168 !install_engine_private_key(defined_engine, ssl,
2171 goto fail_bad_private;
2177 goto fail_ns_private;
2182 goto fail_none_private;
2195 if (!(SSL_use_certificate_file(ssl,
2197 SSL_FILETYPE_PEM))) {
2198 goto fail_bad_public;
2201 if (!SSL_use_certificate_chain_file(ssl,
2203 goto fail_bad_public;
2211 X509 *cert = bp ? PEM_read_bio_X509(bp,
NULL, 0,
NULL) :
NULL;
2213 if (!cert || !SSL_use_certificate(ssl, cert)) {
2218 goto fail_bad_public;
2225 goto fail_bad_public;
2229 goto fail_ns_public;
2231 if (!(SSL_use_certificate_file(ssl,
2233 SSL_FILETYPE_ASN1))) {
2234 goto fail_bad_public;
2239 !(SSL_use_certificate_ASN1(ssl,
2242 goto fail_bad_public;
2246#if OPENSSL_VERSION_NUMBER < 0x40000000L
2247 if (!check_pkcs11_engine()) {
2248 goto fail_bad_public;
2250 if (!install_engine_public_cert(pkcs11_engine, ssl,
2253 goto fail_bad_public;
2256 goto fail_bad_public;
2260#if OPENSSL_VERSION_NUMBER < 0x40000000L
2261 if (!defined_engine ||
2262 !install_engine_public_cert(defined_engine, ssl,
2265 goto fail_bad_public;
2271 goto fail_ns_public;
2297 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
2299 X509_STORE *st = ctx? SSL_CTX_get_cert_store(ctx) :
NULL;
2303 if ((x = PEM_read_bio_X509(bp,
NULL, 0,
NULL)) ==
NULL)
2306 add_ca_to_cert_store(st, x);
2307 SSL_add_client_CA(ssl, x);
2319 if (!(SSL_use_certificate_file(ssl,
2321 SSL_FILETYPE_ASN1))) {
2331 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
2334 if (!x509 || !SSL_add_client_CA(ssl, x509)) {
2341 st = ctx ? SSL_CTX_get_cert_store(ctx) :
NULL;
2343 add_ca_to_cert_store(st, x509);
2348#if OPENSSL_VERSION_NUMBER < 0x40000000L
2349 if (!check_pkcs11_engine()) {
2352 if (!install_engine_ca(pkcs11_engine, ssl,
2362#if OPENSSL_VERSION_NUMBER < 0x40000000L
2363 if (!defined_engine ||
2364 !install_engine_ca(defined_engine, ssl,
2412get_san_or_cn_from_cert(
coap_session_t *session, X509 *x509,
const char *sni_match) {
2416 STACK_OF(GENERAL_NAME) *san_list;
2420 san_list = X509_get_ext_d2i(x509, NID_subject_alt_name,
NULL,
NULL);
2422 int san_count = sk_GENERAL_NAME_num(san_list);
2424 for (n = 0; n < san_count; n++) {
2425 const GENERAL_NAME *name = sk_GENERAL_NAME_value(san_list, n);
2427 if (name && name->type == GEN_DNS) {
2428 const char *dns_name = (
const char *)ASN1_STRING_get0_data(name->d.dNSName);
2431 if (ASN1_STRING_length(name->d.dNSName) != (
int)strlen(dns_name))
2434 if (strcmp(dns_name, sni_match)) {
2438 cn = OPENSSL_strdup(dns_name);
2439 sk_GENERAL_NAME_pop_free(san_list, GENERAL_NAME_free);
2443 sk_GENERAL_NAME_pop_free(san_list, GENERAL_NAME_free);
2446 X509_NAME_oneline(X509_get_subject_name(x509), buffer,
sizeof(buffer));
2449 n = (int)strlen(buffer) - 3;
2452 if (((cn[0] ==
'C') || (cn[0] ==
'c')) &&
2453 ((cn[1] ==
'N') || (cn[1] ==
'n')) &&
2462 char *ecn = strchr(cn,
'/');
2464 cn[ecn-cn] =
'\000';
2473 return OPENSSL_strdup(cn);
2479 san_list = X509_get_ext_d2i(x509, NID_subject_alt_name,
NULL,
NULL);
2481 int san_count = sk_GENERAL_NAME_num(san_list);
2483 for (n = 0; n < san_count; n++) {
2484 const GENERAL_NAME *name = sk_GENERAL_NAME_value(san_list, n);
2486 if (name && name->type == GEN_DNS) {
2487 const char *dns_name = (
const char *)ASN1_STRING_get0_data(name->d.dNSName);
2490 if (ASN1_STRING_length(name->d.dNSName) != (
int)strlen(dns_name))
2496 sk_GENERAL_NAME_pop_free(san_list, GENERAL_NAME_free);
2503tls_verify_call_back(
int preverify_ok, X509_STORE_CTX *ctx) {
2504 int index = SSL_get_ex_data_X509_STORE_CTX_idx();
2505 SSL *ssl = index >= 0 ? X509_STORE_CTX_get_ex_data(ctx, index) :
NULL;
2507 coap_openssl_context_t *context = (session && session->
context) ?
2510 int depth = X509_STORE_CTX_get_error_depth(ctx);
2511 int err = X509_STORE_CTX_get_error(ctx);
2512 X509 *x509 = X509_STORE_CTX_get_current_cert(ctx);
2515 if (!setup_data || !x509) {
2516 X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNSPECIFIED);
2521 cn = get_san_or_cn_from_cert(session, x509, setup_data->
client_sni);
2523 coap_log_info(
" %s: SNI '%s' not returned in certificate\n",
2526 X509_STORE_CTX_set_error(ctx, X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
2527 err = X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
2531 cn = get_san_or_cn_from_cert(session, x509,
NULL);
2534 depth, err, preverify_ok, cn);
2538 int length = i2d_X509(x509,
NULL);
2540 uint8_t *base_buf2 = base_buf = length > 0 ? OPENSSL_malloc(length) :
NULL;
2545 assert(i2d_X509(x509, &base_buf2) > 0);
2549 depth, preverify_ok,
2553 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
2555 X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA);
2559 OPENSSL_free(base_buf);
2561 X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNSPECIFIED);
2565 if (!preverify_ok) {
2567 case X509_V_ERR_CERT_NOT_YET_VALID:
2568 case X509_V_ERR_CERT_HAS_EXPIRED:
2572 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2576 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2580 case X509_V_ERR_UNABLE_TO_GET_CRL:
2584 case X509_V_ERR_CRL_NOT_YET_VALID:
2585 case X509_V_ERR_CRL_HAS_EXPIRED:
2589 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2590 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2591 case X509_V_ERR_AKID_SKID_MISMATCH:
2595 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
2605 err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
2606 X509_STORE_CTX_set_error(ctx, err);
2608 if (!preverify_ok) {
2609 if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
2612 "Unknown CA", cn ? cn :
"?", depth);
2616 X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
2621 X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
2625 return preverify_ok;
2628#if COAP_SERVER_SUPPORT
2629#if OPENSSL_VERSION_NUMBER < 0x10101000L
2639tls_secret_call_back(SSL *ssl,
2642 STACK_OF(SSL_CIPHER) *peer_ciphers,
2646 int psk_requested = 0;
2651 assert(session !=
NULL);
2653 if (session ==
NULL ||
2658 (session->
context->spsk_setup_data.psk_info.key.s &&
2659 session->
context->spsk_setup_data.psk_info.key.length)) {
2661 for (ii = 0; ii < sk_SSL_CIPHER_num(peer_ciphers); ii++) {
2662 const SSL_CIPHER *peer_cipher = sk_SSL_CIPHER_value(peer_ciphers, ii);
2665 SSL_CIPHER_get_name(peer_cipher));
2666 if (strstr(SSL_CIPHER_get_name(peer_cipher),
"PSK")) {
2672 if (!psk_requested) {
2679 SSL_VERIFY_CLIENT_ONCE |
2680 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2681 tls_verify_call_back);
2683 SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_call_back);
2692 X509_VERIFY_PARAM *param;
2694 param = X509_VERIFY_PARAM_new();
2696 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
2697 SSL_set1_param(ssl, param);
2698 X509_VERIFY_PARAM_free(param);
2710 }
else if (session->
context->spsk_setup_data.psk_info.key.s &&
2711 session->
context->spsk_setup_data.psk_info.key.length) {
2712 memcpy(secret, session->
context->spsk_setup_data.psk_info.key.s,
2713 session->
context->spsk_setup_data.psk_info.key.length);
2714 *secretlen = session->
context->spsk_setup_data.psk_info.key.length;
2721 SSL_set_cipher_list(ssl, COAP_OPENSSL_PSK_CIPHERS);
2722#ifdef COAP_OPENSSL_PSK_SECURITY_LEVEL
2728 SSL_set_security_level(ssl, COAP_OPENSSL_PSK_SECURITY_LEVEL);
2730 SSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
2745tls_server_name_call_back(SSL *ssl,
2751 return SSL_TLSEXT_ERR_NOACK;
2757 coap_openssl_context_t *context = (session && session->
context) ?
2759 const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
2763 return SSL_TLSEXT_ERR_NOACK;
2765 if (!sni || !sni[0]) {
2768 for (i = 0; i < context->sni_count; i++) {
2769 if (!strcasecmp(sni, context->sni_entry_list[i].sni)) {
2773 if (i == context->sni_count) {
2782 return SSL_TLSEXT_ERR_ALERT_FATAL;
2787 ctx = SSL_CTX_new(DTLS_method());
2790 SSL_CTX_set_min_proto_version(ctx, DTLS1_2_VERSION);
2791 SSL_CTX_set_app_data(ctx, &context->dtls);
2792 SSL_CTX_set_read_ahead(ctx, 1);
2793 coap_set_user_prefs(ctx);
2794 SSL_CTX_set_cookie_generate_cb(ctx, coap_dtls_generate_cookie);
2795 SSL_CTX_set_cookie_verify_cb(ctx, coap_dtls_verify_cookie);
2796 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
2797 SSL_CTX_set_options(ctx, SSL_OP_NO_QUERY_MTU);
2799#if !COAP_DISABLE_TCP
2802 ctx = SSL_CTX_new(TLS_method());
2805 SSL_CTX_set_app_data(ctx, &context->tls);
2806 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
2807 coap_set_user_prefs(ctx);
2808 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
2809 SSL_CTX_set_alpn_select_cb(ctx, server_alpn_callback,
NULL);
2812 sni_setup_data = *setup_data;
2813 sni_setup_data.
pki_key = *new_entry;
2814 setup_pki_server(ctx, &sni_setup_data);
2816 context->sni_entry_list = OPENSSL_realloc(context->sni_entry_list,
2817 (context->sni_count+1)*
sizeof(sni_entry));
2818 context->sni_entry_list[context->sni_count].sni = OPENSSL_strdup(sni);
2819 context->sni_entry_list[context->sni_count].ctx = ctx;
2820 context->sni_count++;
2822 SSL_set_SSL_CTX(ssl, context->sni_entry_list[i].ctx);
2823 SSL_clear_options(ssl, 0xFFFFFFFFL);
2824 SSL_set_options(ssl, SSL_CTX_get_options(context->sni_entry_list[i].ctx));
2831 SSL_set_session_secret_cb(ssl, tls_secret_call_back, arg);
2832 return SSL_TLSEXT_ERR_OK;
2835 return SSL_TLSEXT_ERR_ALERT_WARNING;
2847psk_tls_server_name_call_back(SSL *ssl,
2854 return SSL_TLSEXT_ERR_NOACK;
2860 coap_openssl_context_t *o_context = (c_session && c_session->
context) ?
2862 const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
2867 return SSL_TLSEXT_ERR_ALERT_FATAL;
2869 if (!sni || !sni[0]) {
2872 for (i = 0; i < o_context->psk_sni_count; i++) {
2873 if (!strcasecmp(sni, (
char *)o_context->psk_sni_entry_list[i].sni)) {
2877 if (i == o_context->psk_sni_count) {
2886 return SSL_TLSEXT_ERR_ALERT_FATAL;
2891 ctx = SSL_CTX_new(DTLS_method());
2894 SSL_CTX_set_min_proto_version(ctx, DTLS1_2_VERSION);
2895 SSL_CTX_set_app_data(ctx, &o_context->dtls);
2896 SSL_CTX_set_read_ahead(ctx, 1);
2897 SSL_CTX_set_cipher_list(ctx, COAP_OPENSSL_CIPHERS);
2898 SSL_CTX_set_cookie_generate_cb(ctx, coap_dtls_generate_cookie);
2899 SSL_CTX_set_cookie_verify_cb(ctx, coap_dtls_verify_cookie);
2900 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
2901 SSL_CTX_set_options(ctx, SSL_OP_NO_QUERY_MTU);
2903#if !COAP_DISABLE_TCP
2906 ctx = SSL_CTX_new(TLS_method());
2909 SSL_CTX_set_app_data(ctx, &o_context->tls);
2910 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
2911 SSL_CTX_set_cipher_list(ctx, COAP_OPENSSL_CIPHERS);
2912 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
2913 SSL_CTX_set_alpn_select_cb(ctx, server_alpn_callback,
NULL);
2917 o_context->psk_sni_entry_list =
2918 OPENSSL_realloc(o_context->psk_sni_entry_list,
2919 (o_context->psk_sni_count+1)*
sizeof(psk_sni_entry));
2920 o_context->psk_sni_entry_list[o_context->psk_sni_count].sni =
2921 OPENSSL_strdup(sni);
2922 o_context->psk_sni_entry_list[o_context->psk_sni_count].psk_info =
2924 o_context->psk_sni_entry_list[o_context->psk_sni_count].ctx =
2926 o_context->psk_sni_count++;
2928 SSL_set_SSL_CTX(ssl, o_context->psk_sni_entry_list[i].ctx);
2929 SSL_clear_options(ssl, 0xFFFFFFFFL);
2930 SSL_set_options(ssl,
2931 SSL_CTX_get_options(o_context->psk_sni_entry_list[i].ctx));
2933 &o_context->psk_sni_entry_list[i].psk_info.key);
2934 snprintf(lhint,
sizeof(lhint),
"%.*s",
2935 (
int)o_context->psk_sni_entry_list[i].psk_info.hint.length,
2936 o_context->psk_sni_entry_list[i].psk_info.hint.s);
2937 SSL_use_psk_identity_hint(ssl, lhint);
2944 SSL_set_session_secret_cb(ssl, tls_secret_call_back, arg);
2945 return SSL_TLSEXT_ERR_OK;
2948 return SSL_TLSEXT_ERR_ALERT_WARNING;
2961tls_client_hello_call_back(SSL *ssl,
2966 coap_openssl_context_t *dtls_context;
2968 int psk_requested = 0;
2969 const unsigned char *out;
2973 *al = SSL_AD_INTERNAL_ERROR;
2974 return SSL_CLIENT_HELLO_ERROR;
2977 assert(session !=
NULL);
2980 if (session ==
NULL ||
2983 *al = SSL_AD_INTERNAL_ERROR;
2984 return SSL_CLIENT_HELLO_ERROR;
2987 setup_data = &dtls_context->setup_data;
2993 (session->
context->spsk_setup_data.psk_info.key.s &&
2994 session->
context->spsk_setup_data.psk_info.key.length)) {
2995 size_t len = SSL_client_hello_get0_ciphers(ssl, &out);
2996 STACK_OF(SSL_CIPHER) *peer_ciphers =
NULL;
2997 STACK_OF(SSL_CIPHER) *scsvc =
NULL;
2999 if (len && SSL_bytes_to_cipher_list(ssl, out, len,
3000 SSL_client_hello_isv2(ssl),
3001 &peer_ciphers, &scsvc)) {
3003 for (ii = 0; ii < sk_SSL_CIPHER_num(peer_ciphers); ii++) {
3004 const SSL_CIPHER *peer_cipher = sk_SSL_CIPHER_value(peer_ciphers, ii);
3007 "Client cipher: %s (%04x)\n",
3008 SSL_CIPHER_get_name(peer_cipher),
3009 SSL_CIPHER_get_protocol_id(peer_cipher));
3010 if (strstr(SSL_CIPHER_get_name(peer_cipher),
"PSK")) {
3016 sk_SSL_CIPHER_free(peer_ciphers);
3017 sk_SSL_CIPHER_free(scsvc);
3020 if (psk_requested) {
3027 const char *sni =
"";
3028 char *sni_tmp =
NULL;
3032 if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name,
3035 (((out[0] << 8) + out[1] + 2) == (
int)outlen) &&
3036 out[2] == TLSEXT_NAMETYPE_host_name &&
3037 (((out[3] << 8) + out[4] + 2 + 3) == (
int)outlen)) {
3041 sni_tmp = OPENSSL_malloc(outlen + 1);
3043 sni_tmp[outlen] =
'\000';
3044 memcpy(sni_tmp, out, outlen);
3056 OPENSSL_free(sni_tmp);
3058 *al = SSL_AD_UNRECOGNIZED_NAME;
3059 return SSL_CLIENT_HELLO_ERROR;
3063 OPENSSL_free(sni_tmp);
3066 *al = SSL_AD_INTERNAL_ERROR;
3067 return SSL_CLIENT_HELLO_ERROR;
3070 *al = SSL_AD_INTERNAL_ERROR;
3071 return SSL_CLIENT_HELLO_ERROR;
3073 if (new_entry->
hint.
s) {
3074 snprintf(lhint,
sizeof(lhint),
"%.*s",
3077 SSL_use_psk_identity_hint(ssl, lhint);
3082 SSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
3088 return SSL_CLIENT_HELLO_SUCCESS;
3098 if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_client_certificate_type,
3101 for (ii = 0; ii < outlen; ii++) {
3117 *al = SSL_AD_UNSUPPORTED_EXTENSION;
3118 return SSL_CLIENT_HELLO_ERROR;
3127 coap_openssl_context_t *context =
3129 const char *sni =
"";
3130 char *sni_tmp =
NULL;
3133 if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &out, &outlen) &&
3135 (((out[0]<<8) + out[1] +2) == (
int)outlen) &&
3136 out[2] == TLSEXT_NAMETYPE_host_name &&
3137 (((out[3]<<8) + out[4] +2 +3) == (
int)outlen)) {
3141 sni_tmp = OPENSSL_malloc(outlen+1);
3142 sni_tmp[outlen] =
'\000';
3143 memcpy(sni_tmp, out, outlen);
3147 for (i = 0; i < context->sni_count; i++) {
3148 if (!strcasecmp(sni, context->sni_entry_list[i].sni)) {
3152 if (i == context->sni_count) {
3162 *al = SSL_AD_UNRECOGNIZED_NAME;
3163 return SSL_CLIENT_HELLO_ERROR;
3167 context->sni_entry_list = OPENSSL_realloc(context->sni_entry_list,
3168 (context->sni_count+1)*
sizeof(sni_entry));
3169 context->sni_entry_list[context->sni_count].sni = OPENSSL_strdup(sni);
3170 context->sni_entry_list[context->sni_count].pki_key = *new_entry;
3171 context->sni_count++;
3174 OPENSSL_free(sni_tmp);
3176 sni_setup_data = *setup_data;
3177 sni_setup_data.
pki_key = context->sni_entry_list[i].pki_key;
3189 SSL_VERIFY_CLIENT_ONCE |
3190 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3191 tls_verify_call_back);
3193 SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_call_back);
3202 X509_VERIFY_PARAM *param;
3204 param = X509_VERIFY_PARAM_new();
3206 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
3207 SSL_set1_param(ssl, param);
3208 X509_VERIFY_PARAM_free(param);
3216 return SSL_CLIENT_HELLO_SUCCESS;
3226 coap_openssl_context_t *context =
3231 context->setup_data = *setup_data;
3233#if OPENSSL_VERSION_NUMBER < 0x40000000L
3238 if (!defined_engine) {
3239 coap_log_warn(
"setup_pki: OpenSSL Engine not configured, PKI not set up\n");
3246 if (!context->setup_data.verify_peer_cert) {
3248 context->setup_data.check_common_ca = 0;
3250 context->setup_data.allow_self_signed = 1;
3251 context->setup_data.allow_expired_certs = 1;
3252 context->setup_data.cert_chain_validation = 1;
3253 context->setup_data.cert_chain_verify_depth = 10;
3254 context->setup_data.check_cert_revocation = 1;
3255 context->setup_data.allow_no_crl = 1;
3256 context->setup_data.allow_expired_crl = 1;
3257 context->setup_data.allow_bad_md_hash = 1;
3258 context->setup_data.allow_short_rsa_length = 1;
3260#if COAP_SERVER_SUPPORT
3262 if (context->dtls.ctx) {
3264#if OPENSSL_VERSION_NUMBER < 0x10101000L
3265 if (!setup_pki_server(context->dtls.ctx, setup_data))
3274#if OPENSSL_VERSION_NUMBER < 0x10101000L
3275 if (SSLeay() >= 0x10101000L) {
3276 coap_log_warn(
"OpenSSL compiled with %lux, linked with %lux, so "
3277 "no certificate checking\n",
3278 OPENSSL_VERSION_NUMBER, SSLeay());
3280 SSL_CTX_set_tlsext_servername_arg(context->dtls.ctx, &context->setup_data);
3281 SSL_CTX_set_tlsext_servername_callback(context->dtls.ctx,
3282 tls_server_name_call_back);
3284 SSL_CTX_set_client_hello_cb(context->dtls.ctx,
3285 tls_client_hello_call_back,
3289#if !COAP_DISABLE_TCP
3290 if (context->tls.ctx) {
3292#if OPENSSL_VERSION_NUMBER < 0x10101000L
3293 if (!setup_pki_server(context->tls.ctx, setup_data))
3302#if OPENSSL_VERSION_NUMBER < 0x10101000L
3303 if (SSLeay() >= 0x10101000L) {
3304 coap_log_warn(
"OpenSSL compiled with %lux, linked with %lux, so "
3305 "no certificate checking\n",
3306 OPENSSL_VERSION_NUMBER, SSLeay());
3308 SSL_CTX_set_tlsext_servername_arg(context->tls.ctx, &context->setup_data);
3309 SSL_CTX_set_tlsext_servername_callback(context->tls.ctx,
3310 tls_server_name_call_back);
3312 SSL_CTX_set_client_hello_cb(context->tls.ctx,
3313 tls_client_hello_call_back,
3317 SSL_CTX_set_alpn_select_cb(context->tls.ctx, server_alpn_callback,
NULL);
3324#if COAP_CLIENT_SUPPORT
3326 context->psk_pki_enabled &= ~IS_PSK;
3330 if (!context->dtls.ssl) {
3332 context->dtls.ssl = SSL_new(context->dtls.ctx);
3333 if (!context->dtls.ssl)
3335 bio = BIO_new(context->dtls.meth);
3337 SSL_free(context->dtls.ssl);
3338 context->dtls.ssl =
NULL;
3341 SSL_set_bio(context->dtls.ssl, bio, bio);
3342 SSL_set_app_data(context->dtls.ssl,
NULL);
3343 SSL_set_options(context->dtls.ssl, SSL_OP_COOKIE_EXCHANGE);
3346 context->psk_pki_enabled |= IS_PKI;
3355 const char *ca_file,
3358 coap_openssl_context_t *context =
3360 if (context->dtls.ctx) {
3361 if (!SSL_CTX_load_verify_locations(context->dtls.ctx, ca_file, ca_dir)) {
3363 ca_file ? ca_file :
"NULL", ca_dir ? ca_dir :
"NULL");
3367#if !COAP_DISABLE_TCP
3368 if (context->tls.ctx) {
3369 if (!SSL_CTX_load_verify_locations(context->tls.ctx, ca_file, ca_dir)) {
3371 ca_file ? ca_file :
"NULL", ca_dir ? ca_dir :
"NULL");
3381#if OPENSSL_VERSION_NUMBER >= 0x30000000L
3382 coap_openssl_context_t *context =
3384 if (context->dtls.ctx) {
3385 if (!SSL_CTX_set_default_verify_store(context->dtls.ctx)) {
3390#if !COAP_DISABLE_TCP
3391 if (context->tls.ctx) {
3392 if (!SSL_CTX_set_default_verify_store(context->tls.ctx)) {
3401 coap_log_warn(
"coap_context_set_pki_trust_store: (D)TLS environment "
3402 "not supported for OpenSSL < v3.0.0\n");
3409 coap_openssl_context_t *context =
3411 return context->psk_pki_enabled ? 1 : 0;
3418 coap_openssl_context_t *context = (coap_openssl_context_t *)handle;
3420 if (context->dtls.ssl)
3421 SSL_free(context->dtls.ssl);
3422 if (context->dtls.ctx)
3423 SSL_CTX_free(context->dtls.ctx);
3424 if (context->dtls.cookie_hmac)
3425 HMAC_CTX_free(context->dtls.cookie_hmac);
3426 if (context->dtls.meth)
3427 BIO_meth_free(context->dtls.meth);
3428 if (context->dtls.bio_addr)
3429 BIO_ADDR_free(context->dtls.bio_addr);
3430#if !COAP_DISABLE_TCP
3431 if (context->tls.ctx)
3432 SSL_CTX_free(context->tls.ctx);
3433 if (context->tls.meth)
3434 BIO_meth_free(context->tls.meth);
3436 for (i = 0; i < context->sni_count; i++) {
3437 OPENSSL_free(context->sni_entry_list[i].sni);
3438#if OPENSSL_VERSION_NUMBER < 0x10101000L
3439 SSL_CTX_free(context->sni_entry_list[i].ctx);
3442 if (context->sni_count)
3443 OPENSSL_free(context->sni_entry_list);
3444#if OPENSSL_VERSION_NUMBER < 0x10101000L
3445 for (i = 0; i < context->psk_sni_count; i++) {
3446 OPENSSL_free((
char *)context->psk_sni_entry_list[i].sni);
3447 SSL_CTX_free(context->psk_sni_entry_list[i].ctx);
3449 if (context->psk_sni_count)
3450 OPENSSL_free(context->psk_sni_entry_list);
3455#if COAP_SERVER_SUPPORT
3460 coap_ssl_data *data;
3461 coap_dtls_context_t *dtls = &((coap_openssl_context_t *)session->
context->
dtls_context)->dtls;
3466 nssl = SSL_new(dtls->ctx);
3469 nbio = BIO_new(dtls->meth);
3472 SSL_set_bio(nssl, nbio, nbio);
3473 SSL_set_app_data(nssl,
NULL);
3474 SSL_set_options(nssl, SSL_OP_COOKIE_EXCHANGE);
3475 SSL_set_mtu(nssl, (
long)session->
mtu);
3479 SSL_set_app_data(ssl, session);
3481 rbio = SSL_get_rbio(ssl);
3482 data = rbio ? (coap_ssl_data *)BIO_get_data(rbio) :
NULL;
3485 data->session = session;
3490 char *hint = OPENSSL_malloc(psk_hint->
length + 1);
3493 memcpy(hint, psk_hint->
s, psk_hint->
length);
3494 hint[psk_hint->
length] =
'\000';
3495 SSL_use_psk_identity_hint(ssl, hint);
3502 r = SSL_accept(ssl);
3504 int err = SSL_get_error(ssl, r);
3505 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
3523#if COAP_CLIENT_SUPPORT
3527 coap_openssl_context_t *context =
3530 if (context->psk_pki_enabled & IS_PSK) {
3535 SSL_set_tlsext_host_name(ssl, setup_data->
client_sni) != 1) {
3539 SSL_set_psk_client_callback(ssl, coap_dtls_psk_client_callback);
3540#if COAP_SERVER_SUPPORT
3541 SSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
3543 SSL_set_cipher_list(ssl, COAP_OPENSSL_PSK_CIPHERS);
3544#ifdef COAP_OPENSSL_PSK_SECURITY_LEVEL
3550 SSL_set_security_level(ssl, COAP_OPENSSL_PSK_SECURITY_LEVEL);
3554 SSL_set_max_proto_version(ssl, DTLS1_2_VERSION);
3556#if !COAP_DISABLE_TCP
3558 SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
3561 coap_log_debug(
"CoAP Client restricted to (D)TLS1.2 with Identity Hint callback\n");
3564 if ((context->psk_pki_enabled & IS_PKI) ||
3565 (context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
3572 if (!(context->psk_pki_enabled & IS_PKI)) {
3589#if !COAP_DISABLE_TCP
3591 SSL_set_alpn_protos(ssl, coap_alpn,
sizeof(coap_alpn));
3596 SSL_set_tlsext_host_name(ssl, setup_data->
client_sni) != 1) {
3602 X509_VERIFY_PARAM *param;
3604 param = X509_VERIFY_PARAM_new();
3606 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
3607 SSL_set1_param(ssl, param);
3608 X509_VERIFY_PARAM_free(param);
3616 SSL_VERIFY_CLIENT_ONCE |
3617 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3618 tls_verify_call_back);
3620 SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_call_back);
3627#if COAP_DTLS_RETRANSMIT_MS != 1000
3628#if OPENSSL_VERSION_NUMBER >= 0x10101000L
3630 DTLS_set_timer_cb(ssl, timer_cb);
3641 coap_ssl_data *data;
3643 coap_openssl_context_t *context = ((coap_openssl_context_t *)session->
context->
dtls_context);
3644 coap_dtls_context_t *dtls = &context->dtls;
3646 ssl = SSL_new(dtls->ctx);
3649 bio = BIO_new(dtls->meth);
3652 data = (coap_ssl_data *)BIO_get_data(bio);
3655 data->session = session;
3656 SSL_set_bio(ssl, bio, bio);
3657 SSL_set_app_data(ssl, session);
3658 SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
3659 SSL_set_mtu(ssl, (
long)session->
mtu);
3661 if (!setup_client_ssl_session(session, ssl))
3666 r = SSL_connect(ssl);
3668 int ret = SSL_get_error(ssl, r);
3669 if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE)
3687 SSL *ssl = (SSL *)session->
tls;
3689 SSL_set_mtu(ssl, (
long)session->
mtu);
3695 SSL *ssl = (SSL *)session->
tls;
3697 if (!SSL_in_init(ssl) && !(SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN)) {
3698 int r = SSL_shutdown(ssl);
3711 const uint8_t *data,
size_t data_len) {
3713 SSL *ssl = (SSL *)session->
tls;
3724 r = SSL_write(ssl, data, (
int)data_len);
3727 int err = SSL_get_error(ssl, r);
3728 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
3731 if (err == SSL_ERROR_ZERO_RETURN)
3733 else if (err == SSL_ERROR_SSL) {
3734 unsigned long e = ERR_get_error();
3736 coap_log_info(
"***%s: coap_dtls_send: cannot send PDU: %d: %s\n",
3738 ERR_GET_REASON(e), ERR_reason_error_string(e));
3741 coap_log_info(
"***%s: coap_dtls_send: cannot send PDU: %d\n",
3772 SSL *ssl = (SSL *)session->
tls;
3773 coap_ssl_data *ssl_data;
3777 rbio = ssl ? SSL_get_rbio(ssl) :
NULL;
3778 ssl_data = rbio ? (coap_ssl_data *)BIO_get_data(rbio) :
NULL;
3779 return ssl_data ? ssl_data->timeout : 1000;
3788 SSL *ssl = (SSL *)session->
tls;
3792 (DTLSv1_handle_timeout(ssl) < 0)) {
3802#if COAP_SERVER_SUPPORT
3805 const uint8_t *data,
size_t data_len) {
3806 coap_dtls_context_t *dtls = &((coap_openssl_context_t *)session->
context->
dtls_context)->dtls;
3807 coap_ssl_data *ssl_data;
3811 SSL_set_mtu(dtls->ssl, (
long)session->
mtu);
3812 rbio = dtls->ssl ? SSL_get_rbio(dtls->ssl) :
NULL;
3813 ssl_data = rbio ? (coap_ssl_data *)BIO_get_data(rbio) :
NULL;
3814 assert(ssl_data !=
NULL);
3819 if (ssl_data->pdu_len) {
3820 coap_log_err(
"** %s: Previous data not read %u bytes\n",
3823 ssl_data->session = session;
3824 ssl_data->pdu = data;
3825 ssl_data->pdu_len = (unsigned)data_len;
3826 r = DTLSv1_listen(dtls->ssl, dtls->bio_addr);
3828 int err = SSL_get_error(dtls->ssl, r);
3829 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
3849 coap_ssl_data *ssl_data;
3850 SSL *ssl = (SSL *)session->
tls;
3853#if OPENSSL_VERSION_NUMBER >= 0x30000000L
3857 assert(ssl !=
NULL);
3859 int in_init = SSL_in_init(ssl);
3861 rbio = ssl ? SSL_get_rbio(ssl) :
NULL;
3862 ssl_data = rbio ? (coap_ssl_data *)BIO_get_data(rbio) :
NULL;
3868 if (ssl_data->pdu_len) {
3869 coap_log_err(
"** %s: Previous data not read %u bytes\n",
3872 ssl_data->pdu = data;
3873 ssl_data->pdu_len = (unsigned)data_len;
3876#if OPENSSL_VERSION_NUMBER >= 0x30000000L
3880 r = SSL_read(ssl, pdu, (
int)
sizeof(pdu));
3886 ssl_data = (coap_ssl_data *)BIO_get_data(rbio);
3889 int err = SSL_get_error(ssl, r);
3890 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
3891 if (in_init && SSL_is_init_finished(ssl)) {
3899 if (err == SSL_ERROR_ZERO_RETURN)
3901 else if (err == SSL_ERROR_SSL) {
3902 unsigned long e = ERR_get_error();
3904#if OPENSSL_VERSION_NUMBER >= 0x30000000L
3905#include <openssl/proverr.h>
3906 if (ERR_GET_REASON(e) == PROV_R_SEARCH_ONLY_SUPPORTED_FOR_DIRECTORIES && !retry) {
3912 coap_log_info(
"***%s: coap_dtls_receive: cannot recv PDU: %d: %s\n",
3914 ERR_GET_REASON(e), ERR_reason_error_string(e));
3917 coap_log_info(
"***%s: coap_dtls_receive: cannot send PDU %d\n",
3935 if (ssl_data && ssl_data->pdu_len) {
3937 coap_log_debug(
"coap_dtls_receive: ret %d: remaining data %u\n", r, ssl_data->pdu_len);
3938 ssl_data->pdu_len = 0;
3939 ssl_data->pdu =
NULL;
3946 unsigned int overhead = 37;
3947 const SSL_CIPHER *s_ciph =
NULL;
3949 s_ciph = SSL_get_current_cipher(session->
tls);
3951 unsigned int ivlen, maclen, blocksize = 1, pad = 0;
3953 const EVP_CIPHER *e_ciph;
3957 e_ciph = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(s_ciph));
3959 switch (EVP_CIPHER_mode(e_ciph)) {
3960 case EVP_CIPH_GCM_MODE:
3961 ivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
3962 maclen = EVP_GCM_TLS_TAG_LEN;
3965 case EVP_CIPH_CCM_MODE:
3966 ivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
3967 SSL_CIPHER_description(s_ciph, cipher,
sizeof(cipher));
3968 if (strstr(cipher,
"CCM8"))
3974 case EVP_CIPH_CBC_MODE:
3975 e_md = EVP_get_digestbynid(SSL_CIPHER_get_digest_nid(s_ciph));
3976 blocksize = EVP_CIPHER_block_size(e_ciph);
3977 ivlen = EVP_CIPHER_iv_length(e_ciph);
3979 maclen = EVP_MD_size(e_md);
3982 case EVP_CIPH_STREAM_CIPHER:
3989 SSL_CIPHER_description(s_ciph, cipher,
sizeof(cipher));
3996 overhead = DTLS1_RT_HEADER_LENGTH + ivlen + maclen + blocksize - 1 + pad;
4001#if !COAP_DISABLE_TCP
4002#if COAP_CLIENT_SUPPORT
4008 coap_openssl_context_t *context = ((coap_openssl_context_t *)session->
context->
dtls_context);
4009 coap_tls_context_t *tls = &context->tls;
4011 ssl = SSL_new(tls->ctx);
4014 bio = BIO_new(tls->meth);
4017 BIO_set_data(bio, session);
4018 SSL_set_bio(ssl, bio, bio);
4019 SSL_set_app_data(ssl, session);
4021 if (!setup_client_ssl_session(session, ssl))
4024 r = SSL_connect(ssl);
4026 int ret = SSL_get_error(ssl, r);
4027 if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE)
4029 if (ret == SSL_ERROR_WANT_READ)
4031 if (ret == SSL_ERROR_WANT_WRITE) {
4033#ifdef COAP_EPOLL_SUPPORT
4047 if (SSL_is_init_finished(ssl)) {
4061#if COAP_SERVER_SUPPORT
4066 coap_tls_context_t *tls = &((coap_openssl_context_t *)session->
context->
dtls_context)->tls;
4070 ssl = SSL_new(tls->ctx);
4073 bio = BIO_new(tls->meth);
4076 BIO_set_data(bio, session);
4077 SSL_set_bio(ssl, bio, bio);
4078 SSL_set_app_data(ssl, session);
4082 char *hint = OPENSSL_malloc(psk_hint->
length + 1);
4085 memcpy(hint, psk_hint->
s, psk_hint->
length);
4086 hint[psk_hint->
length] =
'\000';
4087 SSL_use_psk_identity_hint(ssl, hint);
4094 r = SSL_accept(ssl);
4096 int err = SSL_get_error(ssl, r);
4097 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
4099 if (err == SSL_ERROR_WANT_READ)
4101 if (err == SSL_ERROR_WANT_WRITE) {
4103#ifdef COAP_EPOLL_SUPPORT
4117 if (SSL_is_init_finished(ssl)) {
4122#if COAP_DTLS_RETRANSMIT_MS != 1000
4123#if OPENSSL_VERSION_NUMBER >= 0x10101000L
4125 DTLS_set_timer_cb(ssl, timer_cb);
4141 SSL *ssl = (SSL *)session->
tls;
4143 if (!SSL_in_init(ssl) && !(SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN)) {
4144 int r = SSL_shutdown(ssl);
4162 SSL *ssl = (SSL *)session->
tls;
4168 in_init = !SSL_is_init_finished(ssl);
4171 r = SSL_write(ssl, data, (
int)data_len);
4174 int err = SSL_get_error(ssl, r);
4175 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
4176 if (in_init && SSL_is_init_finished(ssl)) {
4182 if (err == SSL_ERROR_WANT_READ)
4184 else if (err == SSL_ERROR_WANT_WRITE) {
4186#ifdef COAP_EPOLL_SUPPORT
4196 if (err == SSL_ERROR_ZERO_RETURN)
4198 else if (err == SSL_ERROR_SSL) {
4199 unsigned long e = ERR_get_error();
4201 coap_log_info(
"***%s: coap_tls_write: cannot send PDU: %d: %s\n",
4203 ERR_GET_REASON(e), ERR_reason_error_string(e));
4206 coap_log_info(
"***%s: coap_tls_send: cannot send PDU: %d\n",
4211 }
else if (in_init && SSL_is_init_finished(ssl)) {
4227 if (r == (ssize_t)data_len)
4244 SSL *ssl = (SSL *)session->
tls;
4252 in_init = !SSL_is_init_finished(ssl);
4255 r = SSL_read(ssl, data, (
int)data_len);
4257 int err = SSL_get_error(ssl, r);
4258 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
4259 if (in_init && SSL_is_init_finished(ssl)) {
4265 if (err == SSL_ERROR_WANT_READ)
4267 if (err == SSL_ERROR_WANT_WRITE) {
4269#ifdef COAP_EPOLL_SUPPORT
4279 if (err == SSL_ERROR_ZERO_RETURN)
4281 else if (err == SSL_ERROR_SSL) {
4282 unsigned long e = ERR_get_error();
4284 coap_log_info(
"***%s: coap_tls_read: cannot recv PDU: %d: %s\n",
4286 ERR_GET_REASON(e), ERR_reason_error_string(e));
4294 }
else if (in_init && SSL_is_init_finished(ssl)) {
4319#if COAP_SERVER_SUPPORT
4321coap_digest_setup(
void) {
4322 EVP_MD_CTX *digest_ctx = EVP_MD_CTX_new();
4325 EVP_DigestInit_ex(digest_ctx, EVP_sha256(),
NULL);
4331coap_digest_free(coap_digest_ctx_t *digest_ctx) {
4333 EVP_MD_CTX_free(digest_ctx);
4337coap_digest_update(coap_digest_ctx_t *digest_ctx,
4338 const uint8_t *data,
4340 return EVP_DigestUpdate(digest_ctx, data, data_len);
4344coap_digest_final(coap_digest_ctx_t *digest_ctx,
4345 coap_digest_t *digest_buffer) {
4346 unsigned int size =
sizeof(coap_digest_t);
4347 int ret = EVP_DigestFinal_ex(digest_ctx, (uint8_t *)digest_buffer, &size);
4349 coap_digest_free(digest_ctx);
4354#if COAP_WS_SUPPORT || COAP_OSCORE_SUPPORT
4356coap_crypto_output_errors(
const char *prefix) {
4357#if COAP_MAX_LOGGING_LEVEL < _COAP_LOG_WARN
4362 while ((e = ERR_get_error()))
4365 ERR_reason_error_string(e),
4366 ssl_function_definition(e));
4376static struct hash_algs {
4378 const EVP_MD *(*get_hash)(void);
4387static const EVP_MD *
4388get_hash_alg(
cose_alg_t alg,
size_t *length) {
4391 for (idx = 0; idx <
sizeof(hashs) /
sizeof(
struct hash_algs); idx++) {
4392 if (hashs[idx].alg == alg) {
4393 *length = hashs[idx].length;
4394 return hashs[idx].get_hash();
4397 coap_log_debug(
"get_hash_alg: COSE hash %d not supported\n", alg);
4405 unsigned int length;
4406 const EVP_MD *evp_md;
4407 EVP_MD_CTX *evp_ctx =
NULL;
4411 if ((evp_md = get_hash_alg(alg, &hash_length)) ==
NULL) {
4412 coap_log_debug(
"coap_crypto_hash: algorithm %d not supported\n", alg);
4415 evp_ctx = EVP_MD_CTX_new();
4416 if (evp_ctx ==
NULL)
4418 if (EVP_DigestInit_ex(evp_ctx, evp_md,
NULL) == 0)
4421 if (EVP_DigestUpdate(evp_ctx, data->
s, data->
length) == 0)
4427 if (EVP_DigestFinal_ex(evp_ctx,
dummy->s, &length) == 0)
4429 dummy->length = length;
4430 if (hash_length < dummy->length)
4431 dummy->length = hash_length;
4433 EVP_MD_CTX_free(evp_ctx);
4437 coap_crypto_output_errors(
"coap_crypto_hash");
4440 EVP_MD_CTX_free(evp_ctx);
4445#if COAP_OSCORE_SUPPORT
4451#include <openssl/evp.h>
4452#include <openssl/hmac.h>
4459static struct cipher_algs {
4461 const EVP_CIPHER *(*get_cipher)(void);
4466static const EVP_CIPHER *
4470 for (idx = 0; idx <
sizeof(ciphers) /
sizeof(
struct cipher_algs); idx++) {
4471 if (ciphers[idx].alg == alg)
4472 return ciphers[idx].get_cipher();
4474 coap_log_debug(
"get_cipher_alg: COSE cipher %d not supported\n", alg);
4483static struct hmac_algs {
4485 const EVP_MD *(*get_hmac)(void);
4492static const EVP_MD *
4496 for (idx = 0; idx <
sizeof(hmacs) /
sizeof(
struct hmac_algs); idx++) {
4497 if (hmacs[idx].hmac_alg == hmac_alg)
4498 return hmacs[idx].get_hmac();
4500 coap_log_debug(
"get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
4506 return get_cipher_alg(alg) !=
NULL;
4515 return get_hmac_alg(hmac_alg) !=
NULL;
4519 if (1 != (Func)) { \
4528 size_t *max_result_len) {
4529 const EVP_CIPHER *cipher;
4532 int result_len = (int)(*max_result_len & INT_MAX);
4533 EVP_CIPHER_CTX *ctx;
4538 assert(params !=
NULL);
4539 if (!params || ((cipher = get_cipher_alg(params->
alg)) ==
NULL)) {
4546 ctx = EVP_CIPHER_CTX_new();
4552 C(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, (
int)ccm->
l,
NULL));
4553 C(EVP_CIPHER_CTX_ctrl(ctx,
4554 EVP_CTRL_AEAD_SET_IVLEN,
4557 C(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (
int)ccm->
tag_len,
NULL));
4561 C(EVP_EncryptUpdate(ctx,
NULL, &result_len,
NULL, (
int)data->
length));
4562 if (aad && aad->
s && (aad->
length > 0)) {
4563 C(EVP_EncryptUpdate(ctx,
NULL, &result_len, aad->
s, (
int)aad->
length));
4565 C(EVP_EncryptUpdate(ctx, result, &result_len, data->
s, (
int)data->
length));
4568 C(EVP_EncryptFinal_ex(ctx, result + result_len, &tmp));
4572 C(EVP_CIPHER_CTX_ctrl(ctx,
4573 EVP_CTRL_CCM_GET_TAG,
4575 result + result_len));
4577 *max_result_len = result_len + ccm->
tag_len;
4578 EVP_CIPHER_CTX_free(ctx);
4582 coap_crypto_output_errors(
"coap_crypto_aead_encrypt");
4591 size_t *max_result_len) {
4592 const EVP_CIPHER *cipher;
4598 EVP_CIPHER_CTX *ctx;
4603 assert(params !=
NULL);
4604 if (!params || ((cipher = get_cipher_alg(params->
alg)) ==
NULL)) {
4616 memcpy(&rwtag, &tag,
sizeof(rwtag));
4619 ctx = EVP_CIPHER_CTX_new();
4624 C(EVP_CIPHER_CTX_ctrl(ctx,
4625 EVP_CTRL_AEAD_SET_IVLEN,
4628 C(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (
int)ccm->
tag_len, rwtag));
4629 C(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, (
int)ccm->
l,
NULL));
4634 if (aad && aad->
s && (aad->
length > 0)) {
4635 C(EVP_DecryptUpdate(ctx,
NULL, &len, aad->
s, (
int)aad->
length));
4637 tmp = EVP_DecryptUpdate(ctx, result, &len, data->
s, (
int)data->
length);
4638 EVP_CIPHER_CTX_free(ctx);
4640 *max_result_len = 0;
4643 *max_result_len = len;
4647 coap_crypto_output_errors(
"coap_crypto_aead_decrypt");
4656 unsigned int result_len;
4657 const EVP_MD *evp_md;
4664 if ((evp_md = get_hmac_alg(hmac_alg)) == 0) {
4665 coap_log_debug(
"coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
4671 result_len = (
unsigned int)
dummy->length;
4679 dummy->length = result_len;
4685 coap_crypto_output_errors(
"coap_crypto_hmac");
4697#pragma GCC diagnostic ignored "-Wunused-function"
struct coap_session_t coap_session_t
#define COAP_SERVER_SUPPORT
#define COAP_RXBUFFER_SIZE
#define COAP_SOCKET_WANT_READ
non blocking socket is waiting for reading
#define COAP_SOCKET_WANT_WRITE
non blocking socket is waiting for writing
void coap_epoll_ctl_mod(coap_socket_t *sock, uint32_t events, const char *func)
Epoll specific function to modify the state of events that epoll is tracking on the appropriate file ...
Library specific build wrapper for coap_internal.h.
void * coap_malloc_type(coap_memory_tag_t type, size_t size)
Allocates a chunk of size bytes and returns a pointer to the newly allocated memory.
void coap_free_type(coap_memory_tag_t type, void *p)
Releases the memory that was allocated by coap_malloc_type().
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_load_pki_trust_store(coap_context_t *ctx COAP_UNUSED)
static coap_log_t dtls_log_level
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
ssize_t coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
coap_tick_t coap_ticks_from_rt_us(uint64_t t)
Helper function that converts POSIX wallclock time in us to coap ticks.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_prng_lkd(void *buf, size_t len)
Fills buf with len random bytes using the default pseudo random number generator.
int coap_handle_event_lkd(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
int coap_crypto_hmac(cose_hmac_alg_t hmac_alg, coap_bin_const_t *key, coap_bin_const_t *data, coap_bin_const_t **hmac)
Create a HMAC hash of the provided data.
int coap_crypto_aead_decrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Decrypt the provided encrypted data into plaintext.
int coap_crypto_aead_encrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Encrypt the provided plaintext data.
int coap_crypto_hash(cose_alg_t alg, const coap_bin_const_t *data, coap_bin_const_t **hash)
Create a hash of the provided data.
int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg)
Check whether the defined hkdf algorithm is supported by the underlying crypto library.
int coap_crypto_check_cipher_alg(cose_alg_t alg)
Check whether the defined cipher algorithm is supported by the underlying crypto library.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *coap_session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
#define COAP_DTLS_RETRANSMIT_MS
int coap_dtls_define_issue(coap_define_issue_key_t type, coap_define_issue_fail_t fail, coap_dtls_key_t *key, const coap_dtls_role_t role, int ret)
Report PKI DEFINE type issue.
int coap_pki_name_match_sni(const char *name_entry, size_t name_length, const char *sni_match)
Check if the PKI name entry is a (wildcard) match for the requested SNI.
void coap_dtls_thread_shutdown(void)
Close down the underlying (D)TLS Library layer.
int coap_dtls_set_cid_tuple_change(coap_context_t *context, uint8_t every)
Set the Connection ID client tuple frequency change for testing CIDs.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
void coap_dtls_map_key_type_to_define(const coap_dtls_pki_t *setup_data, coap_dtls_key_t *key)
Map the PKI key definitions to the new DEFINE format.
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
const coap_bin_const_t * coap_get_session_server_psk_hint(const coap_session_t *coap_session)
Get the current server's PSK identity hint.
@ COAP_DEFINE_KEY_PRIVATE
@ COAP_DEFINE_FAIL_NOT_SUPPORTED
#define COAP_DTLS_HINT_LENGTH
int coap_tls_engine_configure(coap_str_const_t *conf_mem)
Configure an ENGINE for a TLS library.
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
struct coap_dtls_key_t coap_dtls_key_t
The structure that holds the PKI key information.
int coap_tls_engine_remove(void)
Remove a previously configured ENGINE from a TLS library.
struct coap_dtls_spsk_info_t coap_dtls_spsk_info_t
The structure that holds the Server Pre-Shared Key and Identity Hint information.
struct coap_dtls_pki_t coap_dtls_pki_t
@ COAP_PKI_KEY_DEF_PKCS11
The PKI key type is PKCS11 (pkcs11:...).
@ COAP_PKI_KEY_DEF_DER_BUF
The PKI key type is DER buffer (ASN.1).
@ COAP_PKI_KEY_DEF_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_DEF_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_DEF_ENGINE
The PKI key type is to be passed to ENGINE.
@ COAP_PKI_KEY_DEF_RPK_BUF
The PKI key type is RPK in buffer.
@ COAP_PKI_KEY_DEF_DER
The PKI key type is DER file.
@ COAP_PKI_KEY_DEF_PKCS11_RPK
The PKI key type is PKCS11 w/ RPK (pkcs11:...).
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_DEFINE
The individual PKI key types are Definable.
@ COAP_ASN1_PKEY_DH
DH type.
@ COAP_ASN1_PKEY_NONE
NONE.
@ COAP_ASN1_PKEY_TLS1_PRF
TLS1_PRF type.
@ COAP_ASN1_PKEY_RSA2
RSA2 type.
@ COAP_ASN1_PKEY_DSA
DSA type.
@ COAP_ASN1_PKEY_DHX
DHX type.
@ COAP_ASN1_PKEY_DSA4
DSA4 type.
@ COAP_ASN1_PKEY_DSA2
DSA2 type.
@ COAP_ASN1_PKEY_RSA
RSA type.
@ COAP_ASN1_PKEY_DSA1
DSA1 type.
@ COAP_ASN1_PKEY_HKDF
HKDF type.
@ COAP_ASN1_PKEY_EC
EC type.
@ COAP_ASN1_PKEY_DSA3
DSA3 type.
@ COAP_ASN1_PKEY_HMAC
HMAC type.
@ COAP_ASN1_PKEY_CMAC
CMAC type.
@ COAP_TLS_LIBRARY_OPENSSL
Using OpenSSL library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_RENEGOTIATE
Triggered when (D)TLS session renegotiated.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
#define coap_lock_callback_ret(r, func)
Dummy for no thread-safe code.
#define coap_log_debug(...)
coap_log_t coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
#define coap_dtls_log(level,...)
Logging function.
void coap_dtls_set_log_level(coap_log_t level)
Sets the (D)TLS logging level to the specified level.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log_info(...)
#define coap_log_warn(...)
#define coap_log_err(...)
#define coap_log(level,...)
Logging function.
int coap_netif_available(coap_session_t *session)
Function interface to check whether netif for session is still available.
int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg, cose_hmac_alg_t *hmac_alg)
@ COSE_HMAC_ALG_HMAC384_384
@ COSE_HMAC_ALG_HMAC256_256
@ COSE_HMAC_ALG_HMAC512_512
@ COSE_ALGORITHM_SHA_256_64
@ COSE_ALGORITHM_SHA_256_256
@ COSE_ALGORITHM_AES_CCM_16_64_128
@ COSE_ALGORITHM_AES_CCM_16_64_256
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
void coap_session_disconnected_lkd(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
@ COAP_SESSION_TYPE_CLIENT
client-side
@ COAP_SESSION_STATE_HANDSHAKE
void coap_delete_str_const(coap_str_const_t *s)
Deletes the given const string and releases any memory allocated.
coap_binary_t * coap_new_binary(size_t size)
Returns a new binary object with at least size bytes storage allocated.
void coap_delete_binary(coap_binary_t *s)
Deletes the given coap_binary_t object and releases any memory allocated.
coap_str_const_t * coap_new_str_const(const uint8_t *data, size_t size)
Returns a new const string object with at least size+1 bytes storage allocated, and the provided data...
int coap_dtls_cid_is_supported(void)
Check whether (D)TLS CID is available.
int coap_dtls_psk_is_supported(void)
Check whether (D)TLS PSK is available.
int coap_tls_is_supported(void)
Check whether TLS is available.
int coap_oscore_is_supported(void)
Check whether OSCORE is available.
int coap_dtls_is_supported(void)
Check whether DTLS is available.
int coap_dtls_pki_is_supported(void)
Check whether (D)TLS PKI is available.
int coap_dtls_rpk_is_supported(void)
Check whether (D)TLS RPK is available.
int coap_dtls_pkcs11_is_supported(void)
Check whether (D)TLS PKCS11 is available.
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
The CoAP stack's global state is stored in a coap_context_t object.
The structure that holds the AES Crypto information.
size_t l
The number of bytes in the length field.
const uint8_t * nonce
must be exactly 15 - l bytes
coap_crypto_key_t key
The Key to use.
size_t tag_len
The size of the Tag.
The common structure that holds the Crypto information.
coap_crypto_aes_ccm_t aes
Used if AES type encryption.
cose_alg_t alg
The COSE algorith to use.
union coap_crypto_param_t::@127375133034013360062164022213074075037225051156 params
The structure that holds the Client PSK information.
coap_bin_const_t identity
The structure used for defining the Client PSK setup data to be used.
uint8_t use_cid
Set to 1 if DTLS Connection ID is to be used.
void * ih_call_back_arg
Passed in to the Identity Hint callback function.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
uint8_t ec_jpake
Set to COAP_DTLS_CPSK_SETUP_VERSION to support this version of the struct.
The structure that holds the PKI key information.
coap_pki_key_define_t define
for definable type keys
union coap_dtls_key_t::@206067364111071227257047077347013260174107036042 key
coap_pki_key_t key_type
key format type
The structure used for defining the PKI setup data to be used.
uint8_t allow_no_crl
1 ignore if CRL not there
void * cn_call_back_arg
Passed in to the CN callback function.
uint8_t allow_sni_cn_mismatch
1 if SNI and returnd CN allowed to mismatch (Client only).
uint8_t cert_chain_validation
1 if to check cert_chain_verify_depth
uint8_t use_cid
1 if DTLS Connection ID is to be used (Client only, server always enabled) if supported
uint8_t check_cert_revocation
1 if revocation checks wanted
coap_dtls_pki_sni_callback_t validate_sni_call_back
SNI check callback function.
uint8_t cert_chain_verify_depth
recommended depth is 3
coap_dtls_security_setup_t additional_tls_setup_call_back
Additional Security callback handler that is invoked when libcoap has done the standard,...
uint8_t allow_expired_certs
1 if expired certs are allowed
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
char * client_sni
If not NULL, SNI to use in client TLS setup.
uint8_t allow_self_signed
1 if self-signed certs are allowed.
void * sni_call_back_arg
Passed in to the sni callback function.
coap_dtls_cn_callback_t validate_cn_call_back
CN check callback function.
uint8_t allow_expired_crl
1 if expired crl is allowed
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
uint8_t ec_jpake
Set to COAP_DTLS_SPSK_SETUP_VERSION to support this version of the struct.
void * sni_call_back_arg
Passed in to the SNI callback function.
coap_dtls_spsk_info_t psk_info
Server PSK definition.
coap_layer_write_t l_write
coap_layer_establish_t l_establish
coap_const_char_ptr_t public_cert
define: Public Cert
coap_asn1_privatekey_type_t private_key_type
define: ASN1 Private Key Type (if needed)
const char * user_pin
define: User pin to access type PKCS11.
coap_const_char_ptr_t private_key
define: Private Key
coap_const_char_ptr_t ca
define: Common CA Certificate
size_t public_cert_len
define Public Cert length (if needed)
size_t ca_len
define CA Cert length (if needed)
coap_pki_define_t private_key_def
define: Private Key type definition
size_t private_key_len
define Private Key length (if needed)
coap_pki_define_t ca_def
define: Common CA type definition
coap_pki_define_t public_cert_def
define: Public Cert type definition
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_bin_const_t * psk_key
If client, this field contains the current pre-shared key for server; When this field is NULL,...
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationship with peer
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
int dtls_event
Tracking any (D)TLS events on this session.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_session_type_t type
client or server side socket
coap_context_t * context
session's context
coap_layer_func_t lfunc[COAP_LAYER_LAST]
Layer functions to use.
coap_socket_flags_t flags
1 or more of COAP_SOCKET* flag values
CoAP string data definition with const data.
const uint8_t * s
read-only string data
size_t length
length of string
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version
const char * s_byte
signed char ptr
const uint8_t * u_byte
unsigned char ptr