53#if COAP_WITH_LIBGNUTLS
55#define MIN_GNUTLS_VERSION "3.3.0"
58#include <gnutls/gnutls.h>
59#include <gnutls/x509.h>
60#include <gnutls/dtls.h>
61#include <gnutls/pkcs11.h>
62#include <gnutls/crypto.h>
63#include <gnutls/abstract.h>
65#if (GNUTLS_VERSION_NUMBER >= 0x030606)
66#define COAP_GNUTLS_KEY_RPK GNUTLS_KEY_DIGITAL_SIGNATURE | \
67 GNUTLS_KEY_NON_REPUDIATION | \
68 GNUTLS_KEY_KEY_ENCIPHERMENT | \
69 GNUTLS_KEY_DATA_ENCIPHERMENT | \
70 GNUTLS_KEY_KEY_AGREEMENT | \
71 GNUTLS_KEY_KEY_CERT_SIGN
75#define GNUTLS_CRT_RAW GNUTLS_CRT_RAWPK
79#define strcasecmp _stricmp
82typedef struct coap_ssl_t {
86 gnutls_datum_t cookie_key;
94typedef struct coap_gnutls_env_t {
95 gnutls_session_t g_session;
96 gnutls_psk_client_credentials_t psk_cl_credentials;
97 gnutls_psk_server_credentials_t psk_sv_credentials;
98 gnutls_certificate_credentials_t pki_credentials;
99 coap_ssl_t coap_ssl_data;
102 int doing_dtls_timeout;
107#define IS_PSK (1 << 0)
108#define IS_PKI (1 << 1)
109#define IS_CLIENT (1 << 6)
110#define IS_SERVER (1 << 7)
112typedef struct pki_sni_entry {
115 gnutls_certificate_credentials_t pki_credentials;
118typedef struct psk_sni_entry {
121 gnutls_psk_server_credentials_t psk_credentials;
124typedef struct coap_gnutls_context_t {
127 size_t pki_sni_count;
128 pki_sni_entry *pki_sni_entry_list;
129 size_t psk_sni_count;
130 psk_sni_entry *psk_sni_entry_list;
131 gnutls_datum_t alpn_proto;
134 int trust_store_defined;
135 gnutls_priority_t priority_cache;
136} coap_gnutls_context_t;
138typedef enum coap_free_bye_t {
139 COAP_FREE_BYE_AS_TCP,
140 COAP_FREE_BYE_AS_UDP,
144#define VARIANTS_3_6_6 "NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL:+SHA256"
145#define VARIANTS_3_5_5 "NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8"
146#define VARIANTS_BASE "NORMAL:+ECDHE-PSK:+PSK"
148#define VARIANTS_NO_TLS13_3_6_6 VARIANTS_3_6_6 ":-VERS-TLS1.3"
149#define VARIANTS_NO_TLS13_3_6_4 VARIANTS_3_5_5 ":-VERS-TLS1.3"
151#define G_ACTION(xx) do { \
153 } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
155#define G_CHECK(xx,func) do { \
156 if ((ret = (xx)) < 0) { \
157 coap_log_warn("%s: '%s'\n", func, gnutls_strerror(ret)); \
162#define G_ACTION_CHECK(xx,func) do { \
169#if COAP_SERVER_SUPPORT
170static int post_client_hello_gnutls_pki(gnutls_session_t g_session);
171static int post_client_hello_gnutls_psk(gnutls_session_t g_session);
172static int psk_server_callback(gnutls_session_t g_session,
173 const char *identity,
174 gnutls_datum_t *key);
183 if (gnutls_check_version(MIN_GNUTLS_VERSION) ==
NULL) {
184 coap_log_err(
"GnuTLS " MIN_GNUTLS_VERSION
" or later is required\n");
197 if (gnutls_check_version(MIN_GNUTLS_VERSION) ==
NULL) {
198 coap_log_err(
"GnuTLS " MIN_GNUTLS_VERSION
" or later is required\n");
240#if (GNUTLS_VERSION_NUMBER >= 0x030606)
256#if COAP_CLIENT_SUPPORT
268 const char *vers = gnutls_check_version(
NULL);
274 sscanf(vers,
"%d.%d.%d", &p1, &p2, &p3);
275 version.
version = (p1 << 16) | (p2 << 8) | p3;
283coap_gnutls_audit_log_func(gnutls_session_t g_session,
const char *text) {
284#if COAP_MAX_LOGGING_LEVEL > 0
300coap_gnutls_log_func(
int level,
const char *text) {
318 coap_gnutls_context_t *g_context =
321 if (!g_context || !setup_data)
324 g_context->setup_data = *setup_data;
325 if (!g_context->setup_data.verify_peer_cert) {
327 g_context->setup_data.check_common_ca = 0;
328 if (g_context->setup_data.is_rpk_not_cert) {
330 g_context->setup_data.allow_self_signed = 0;
331 g_context->setup_data.allow_expired_certs = 0;
332 g_context->setup_data.cert_chain_validation = 0;
333 g_context->setup_data.cert_chain_verify_depth = 0;
334 g_context->setup_data.check_cert_revocation = 0;
335 g_context->setup_data.allow_no_crl = 0;
336 g_context->setup_data.allow_expired_crl = 0;
337 g_context->setup_data.allow_bad_md_hash = 0;
338 g_context->setup_data.allow_short_rsa_length = 0;
341 g_context->setup_data.allow_self_signed = 1;
342 g_context->setup_data.allow_expired_certs = 1;
343 g_context->setup_data.cert_chain_validation = 1;
344 g_context->setup_data.cert_chain_verify_depth = 10;
345 g_context->setup_data.check_cert_revocation = 1;
346 g_context->setup_data.allow_no_crl = 1;
347 g_context->setup_data.allow_expired_crl = 1;
348 g_context->setup_data.allow_bad_md_hash = 1;
349 g_context->setup_data.allow_short_rsa_length = 1;
354 g_context->setup_data.pki_key = key;
355 g_context->psk_pki_enabled |= IS_PKI;
369 const char *ca_path) {
370 coap_gnutls_context_t *g_context =
373 coap_log_warn(
"coap_context_set_pki_root_cas: (D)TLS environment "
378 if (ca_file ==
NULL && ca_path ==
NULL) {
379 coap_log_warn(
"coap_context_set_pki_root_cas: ca_file and/or ca_path "
383 if (g_context->root_ca_file) {
384 gnutls_free(g_context->root_ca_file);
385 g_context->root_ca_file =
NULL;
388 g_context->root_ca_file = gnutls_strdup(ca_file);
390 if (g_context->root_ca_path) {
391 gnutls_free(g_context->root_ca_path);
392 g_context->root_ca_path =
NULL;
395#if (GNUTLS_VERSION_NUMBER >= 0x030306)
396 g_context->root_ca_path = gnutls_strdup(ca_path);
398 coap_log_err(
"ca_path not supported in GnuTLS < 3.3.6\n");
410 coap_gnutls_context_t *g_context =
413 coap_log_warn(
"coap_context_set_pki_trust_store: (D)TLS environment "
418#if (GNUTLS_VERSION_NUMBER >= 0x030020)
419 g_context->trust_store_defined = 1;
422 coap_log_warn(
"coap_context_set_pki_trust_store(): (D)TLS environment "
423 "not supported for GnuTLS < v3.0.20\n");
428#if COAP_SERVER_SUPPORT
437 coap_gnutls_context_t *g_context =
440 if (!g_context || !setup_data)
446 g_context->psk_pki_enabled |= IS_PSK;
451#if COAP_CLIENT_SUPPORT
460 coap_gnutls_context_t *g_context =
463 if (!g_context || !setup_data)
472 g_context->psk_pki_enabled |= IS_PSK;
483 coap_gnutls_context_t *g_context =
485 return g_context->psk_pki_enabled ? 1 : 0;
490 gnutls_global_set_audit_log_function(coap_gnutls_audit_log_func);
491 gnutls_global_set_log_function(coap_gnutls_log_func);
508 if (c_session && c_session->
tls) {
509 const coap_gnutls_env_t *g_env = (
const coap_gnutls_env_t *)c_session->
tls;
511 return g_env->g_session;
536 const char *err =
"Unknown Error";
538 coap_gnutls_context_t *g_context =
539 (coap_gnutls_context_t *)
540 gnutls_malloc(
sizeof(coap_gnutls_context_t));
544 const char *priority;
546 memset(g_context, 0,
sizeof(coap_gnutls_context_t));
547 G_CHECK(gnutls_global_init(),
"gnutls_global_init");
548 g_context->alpn_proto.data = gnutls_malloc(4);
549 if (g_context->alpn_proto.data) {
550 memcpy(g_context->alpn_proto.data,
"coap", 4);
551 g_context->alpn_proto.size = 4;
554 if (tls_version->
version >= 0x030606) {
555 priority = VARIANTS_3_6_6;
556 }
else if (tls_version->
version >= 0x030505) {
557 priority = VARIANTS_3_5_5;
559 priority = VARIANTS_BASE;
561 ret = gnutls_priority_init(&g_context->priority_cache, priority, &err);
562 if (ret != GNUTLS_E_SUCCESS) {
563 if (ret == GNUTLS_E_INVALID_REQUEST)
564 coap_log_warn(
"gnutls_priority_init: Syntax error at: %s\n", err);
566 coap_log_warn(
"gnutls_priority_init: %s\n", gnutls_strerror(ret));
581 coap_gnutls_context_t *g_context = (coap_gnutls_context_t *)handle;
583 gnutls_free(g_context->alpn_proto.data);
584 gnutls_free(g_context->root_ca_file);
585 gnutls_free(g_context->root_ca_path);
586 for (i = 0; i < g_context->pki_sni_count; i++) {
587 gnutls_free(g_context->pki_sni_entry_list[i].sni);
588 gnutls_certificate_free_credentials(
589 g_context->pki_sni_entry_list[i].pki_credentials);
591 if (g_context->pki_sni_entry_list)
592 gnutls_free(g_context->pki_sni_entry_list);
594 for (i = 0; i < g_context->psk_sni_count; i++) {
595 gnutls_free(g_context->psk_sni_entry_list[i].sni);
597 gnutls_psk_free_server_credentials(
598 g_context->psk_sni_entry_list[i].psk_credentials);
600 if (g_context->psk_sni_entry_list)
601 gnutls_free(g_context->psk_sni_entry_list);
603 gnutls_priority_deinit(g_context->priority_cache);
605 gnutls_global_deinit();
606 gnutls_free(g_context);
609#if COAP_CLIENT_SUPPORT
618psk_client_callback(gnutls_session_t g_session,
619 char **username, gnutls_datum_t *key) {
622 coap_gnutls_context_t *g_context;
624 const char *hint = gnutls_psk_client_get_hint(g_session);
634 if (c_session ==
NULL)
638 if (g_context ==
NULL)
643 temp.
s = hint ? (
const uint8_t *)hint : (const uint8_t *)
"";
644 temp.
length = strlen((
const char *)temp.
s);
648 (
const char *)temp.
s);
660 if (cpsk_info ==
NULL)
665 psk_identity = &cpsk_info->
identity;
666 psk_key = &cpsk_info->
key;
672 if (psk_identity ==
NULL || psk_key ==
NULL) {
677 *username = gnutls_malloc(psk_identity->
length+1);
678 if (*username ==
NULL)
680 memcpy(*username, psk_identity->
s, psk_identity->
length);
681 (*username)[psk_identity->
length] =
'\000';
683 key->data = gnutls_malloc(psk_key->
length);
684 if (key->data ==
NULL) {
685 gnutls_free(*username);
689 memcpy(key->data, psk_key->
s, psk_key->
length);
690 key->size = psk_key->
length;
696 gnutls_certificate_type_t certificate_type;
698 const gnutls_datum_t *cert_list;
699 unsigned int cert_list_size;
701} coap_gnutls_certificate_info_t;
707static gnutls_certificate_type_t
708get_san_or_cn(gnutls_session_t g_session,
709 coap_gnutls_certificate_info_t *cert_info) {
710 gnutls_x509_crt_t cert;
717#if (GNUTLS_VERSION_NUMBER >= 0x030606)
718 cert_info->certificate_type = gnutls_certificate_type_get2(g_session,
721 cert_info->certificate_type = gnutls_certificate_type_get(g_session);
724 cert_info->san_or_cn =
NULL;
726 cert_info->cert_list = gnutls_certificate_get_peers(g_session,
727 &cert_info->cert_list_size);
728 if (cert_info->cert_list_size == 0) {
729 return GNUTLS_CRT_UNKNOWN;
732 if (cert_info->certificate_type != GNUTLS_CRT_X509)
733 return cert_info->certificate_type;
735 G_CHECK(gnutls_x509_crt_init(&cert),
"gnutls_x509_crt_init");
738 G_CHECK(gnutls_x509_crt_import(cert, &cert_info->cert_list[0],
739 GNUTLS_X509_FMT_DER),
"gnutls_x509_crt_import");
741 cert_info->self_signed = gnutls_x509_crt_check_issuer(cert, cert);
743 size =
sizeof(dn) -1;
745 ret = gnutls_x509_crt_get_subject_alt_name(cert, 0, dn, &size,
NULL);
748 gnutls_x509_crt_deinit(cert);
749 cert_info->san_or_cn = gnutls_strdup(dn);
750 return cert_info->certificate_type;
754 G_CHECK(gnutls_x509_crt_get_dn(cert, dn, &size),
"gnutls_x509_crt_get_dn");
756 gnutls_x509_crt_deinit(cert);
762 if (((cn[0] ==
'C') || (cn[0] ==
'c')) &&
763 ((cn[1] ==
'N') || (cn[1] ==
'n')) &&
772 char *ecn = strchr(cn,
',');
776 cert_info->san_or_cn = gnutls_strdup(cn);
777 return cert_info->certificate_type;
779 return GNUTLS_CRT_UNKNOWN;
782 return GNUTLS_CRT_UNKNOWN;
785#if (GNUTLS_VERSION_NUMBER >= 0x030606)
786#define OUTPUT_CERT_NAME (cert_type == GNUTLS_CRT_X509 ? \
787 cert_info.san_or_cn : \
788 cert_type == GNUTLS_CRT_RAW ? \
789 COAP_DTLS_RPK_CERT_CN : "?")
791#define OUTPUT_CERT_NAME (cert_type == GNUTLS_CRT_X509 ? \
792 cert_info.san_or_cn : "?")
795#if (GNUTLS_VERSION_NUMBER >= 0x030606)
797check_rpk_cert(coap_gnutls_context_t *g_context,
798 coap_gnutls_certificate_info_t *cert_info,
802 if (g_context->setup_data.validate_cn_call_back) {
803 gnutls_pcert_st pcert;
807 G_CHECK(gnutls_pcert_import_rawpk_raw(&pcert, &cert_info->cert_list[0],
808 GNUTLS_X509_FMT_DER, 0, 0),
809 "gnutls_pcert_import_rawpk_raw");
812 G_CHECK(gnutls_pubkey_export(pcert.pubkey, GNUTLS_X509_FMT_DER, der, &size),
813 "gnutls_pubkey_export");
814 gnutls_pcert_deinit(&pcert);
822 g_context->setup_data.cn_call_back_arg));
838cert_verify_gnutls(gnutls_session_t g_session) {
839 unsigned int status = 0;
840 unsigned int fail = 0;
843 coap_gnutls_context_t *g_context =
845 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
846 int alert = GNUTLS_A_BAD_CERTIFICATE;
848 coap_gnutls_certificate_info_t cert_info;
849 gnutls_certificate_type_t cert_type;
851 memset(&cert_info, 0,
sizeof(cert_info));
852 cert_type = get_san_or_cn(g_session, &cert_info);
853#if (GNUTLS_VERSION_NUMBER >= 0x030606)
854 if (cert_type == GNUTLS_CRT_RAW) {
855 if (!check_rpk_cert(g_context, &cert_info, c_session)) {
856 alert = GNUTLS_A_ACCESS_DENIED;
863 if (cert_info.cert_list_size == 0) {
864 if (!g_context->setup_data.verify_peer_cert)
871 gnutls_typed_vdata_st host;
873 host.type = GNUTLS_DT_DNS_HOSTNAME;
874 host.data = (uint8_t *)g_context->setup_data.client_sni;
875 host.size = strlen(g_context->setup_data.client_sni);
876 G_CHECK(gnutls_certificate_verify_peers(g_session, &host, 1, &status),
877 "gnutls_certificate_verify_peers");
879 G_CHECK(gnutls_certificate_verify_peers(g_session,
NULL, 0, &status),
880 "gnutls_certificate_verify_peers");
884 status, cert_info.san_or_cn);
886 if (g_context->setup_data.validate_cn_call_back) {
887 gnutls_x509_crt_t cert;
892 const int cert_is_trusted = !status;
894 G_CHECK(gnutls_x509_crt_init(&cert),
"gnutls_x509_crt_init");
897 G_CHECK(gnutls_x509_crt_import(cert, &cert_info.cert_list[0],
898 GNUTLS_X509_FMT_DER),
"gnutls_x509_crt_import");
901 G_CHECK(gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, der, &size),
902 "gnutls_x509_crt_export");
903 gnutls_x509_crt_deinit(cert);
905 g_context->setup_data.validate_cn_call_back(OUTPUT_CERT_NAME,
911 g_context->setup_data.cn_call_back_arg));
913 alert = GNUTLS_A_ACCESS_DENIED;
919 status &= ~(GNUTLS_CERT_INVALID);
920 if (status & (GNUTLS_CERT_NOT_ACTIVATED|GNUTLS_CERT_EXPIRED)) {
921 status &= ~(GNUTLS_CERT_NOT_ACTIVATED|GNUTLS_CERT_EXPIRED);
922 if (g_context->setup_data.allow_expired_certs) {
925 "The certificate has an invalid usage date",
931 "The certificate has an invalid usage date",
935 if (status & (GNUTLS_CERT_UNEXPECTED_OWNER)) {
936 status &= ~(GNUTLS_CERT_UNEXPECTED_OWNER);
937 if (g_context->setup_data.allow_sni_cn_mismatch) {
940 "The SNI does not match the returned CN",
941 g_context->setup_data.client_sni,
947 "The SNI does not match the returned CN",
948 g_context->setup_data.client_sni,
952 if (status & (GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED|
953 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)) {
954 status &= ~(GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED|
955 GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE);
956 if (g_context->setup_data.allow_expired_crl) {
959 "The certificate's CRL entry has an invalid usage date",
965 "The certificate's CRL entry has an invalid usage date",
969 if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND)) {
970 status &= ~(GNUTLS_CERT_SIGNER_NOT_FOUND);
971 if (cert_info.self_signed) {
972 if (g_context->setup_data.allow_self_signed &&
973 !g_context->setup_data.check_common_ca) {
980 alert = GNUTLS_A_UNKNOWN_CA;
987 if (!g_context->setup_data.verify_peer_cert) {
990 "The peer certificate's CA is unknown",
994 alert = GNUTLS_A_UNKNOWN_CA;
997 "The peer certificate's CA is unknown",
1002 if (status & (GNUTLS_CERT_INSECURE_ALGORITHM)) {
1003 status &= ~(GNUTLS_CERT_INSECURE_ALGORITHM);
1007 "The certificate uses an insecure algorithm",
1013 coap_log_warn(
" %s: gnutls_certificate_verify_peers() status 0x%x: '%s'\n",
1015 status, OUTPUT_CERT_NAME);
1022 if (g_context->setup_data.additional_tls_setup_call_back) {
1024 if (!g_context->setup_data.additional_tls_setup_call_back(g_session,
1025 &g_context->setup_data)) {
1031 if (cert_info.san_or_cn)
1032 gnutls_free(cert_info.san_or_cn);
1037 if (cert_info.san_or_cn)
1038 gnutls_free(cert_info.san_or_cn);
1040 if (!g_env->sent_alert) {
1041 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL, alert));
1042 g_env->sent_alert = 1;
1056cert_verify_callback_gnutls(gnutls_session_t g_session) {
1057 if (gnutls_auth_get_type(g_session) == GNUTLS_CRD_CERTIFICATE) {
1058 if (cert_verify_gnutls(g_session) == 0) {
1066#define min(a,b) ((a) < (b) ? (a) : (b))
1070pin_callback(
void *user_data,
int attempt,
1090check_null_memory(gnutls_datum_t *datum,
1091 const uint8_t *buf,
size_t len,
int *alloced) {
1094 if (buf[len-1] !=
'\000') {
1097 datum->data = gnutls_malloc(len + 1);
1100 return GNUTLS_E_MEMORY_ERROR;
1102 memcpy(datum->data, buf, len);
1103 datum->data[len] =
'\000';
1107 memcpy(&datum->data,
1108 &buf,
sizeof(datum->data));
1118setup_pki_credentials(gnutls_certificate_credentials_t *pki_credentials,
1119 gnutls_session_t g_session,
1120 coap_gnutls_context_t *g_context,
1124 gnutls_datum_t cert;
1125 gnutls_datum_t pkey;
1127 int alloced_cert_memory = 0;
1128 int alloced_pkey_memory = 0;
1129 int alloced_ca_memory = 0;
1130 int have_done_key = 0;
1137 G_CHECK(gnutls_certificate_allocate_credentials(pki_credentials),
1138 "gnutls_certificate_allocate_credentials");
1155#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1159 coap_log_err(
"RPK Support not available (needs gnutls 3.6.6 or later)\n");
1162 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1168 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1175 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1189 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1193 if ((ret = gnutls_certificate_set_x509_key_file(*pki_credentials,
1196 GNUTLS_X509_FMT_PEM)) < 0) {
1203 if ((ret = check_null_memory(&cert,
1206 &alloced_cert_memory)) < 0) {
1211 if ((ret = check_null_memory(&pkey,
1214 &alloced_pkey_memory)) < 0) {
1215 if (alloced_cert_memory)
1216 gnutls_free(cert.data);
1221 if ((ret = gnutls_certificate_set_x509_key_mem(*pki_credentials,
1224 GNUTLS_X509_FMT_PEM)) < 0) {
1225 if (alloced_cert_memory)
1226 gnutls_free(cert.data);
1227 if (alloced_pkey_memory)
1228 gnutls_free(pkey.data);
1233 if (alloced_cert_memory)
1234 gnutls_free(cert.data);
1235 if (alloced_pkey_memory)
1236 gnutls_free(pkey.data);
1239#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1240 if ((ret = check_null_memory(&cert,
1243 &alloced_cert_memory)) < 0) {
1248 if ((ret = check_null_memory(&pkey,
1251 &alloced_pkey_memory)) < 0) {
1252 if (alloced_cert_memory)
1253 gnutls_free(cert.data);
1258 if (strstr((
char *)pkey.data,
"-----BEGIN EC PRIVATE KEY-----")) {
1259 gnutls_datum_t der_private;
1261 if (gnutls_pem_base64_decode2(
"EC PRIVATE KEY", &pkey,
1262 &der_private) == 0) {
1267 gnutls_datum_t tspki;
1269 tspki.data = spki->
s;
1270 tspki.size = spki->
length;
1271 ret = gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1274 GNUTLS_X509_FMT_DER,
NULL,
1275 COAP_GNUTLS_KEY_RPK,
1282 gnutls_free(der_private.data);
1285 if (!have_done_key) {
1286 if ((ret = gnutls_certificate_set_rawpk_key_mem(*pki_credentials,
1289 GNUTLS_X509_FMT_PEM,
NULL,
1290 COAP_GNUTLS_KEY_RPK,
1292 if (alloced_cert_memory)
1293 gnutls_free(cert.data);
1294 if (alloced_pkey_memory)
1295 gnutls_free(pkey.data);
1298 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1301 if (alloced_cert_memory)
1302 gnutls_free(cert.data);
1303 if (alloced_pkey_memory)
1304 gnutls_free(pkey.data);
1307 coap_log_err(
"RPK Support not available (needs gnutls 3.6.6 or later)\n");
1310 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1313 if ((ret = gnutls_certificate_set_x509_key_file(*pki_credentials,
1316 GNUTLS_X509_FMT_DER) < 0)) {
1323 if ((ret = check_null_memory(&cert,
1326 &alloced_cert_memory)) < 0) {
1331 if ((ret = check_null_memory(&pkey,
1334 &alloced_pkey_memory)) < 0) {
1335 if (alloced_cert_memory)
1336 gnutls_free(cert.data);
1341 if ((ret = gnutls_certificate_set_x509_key_mem(*pki_credentials,
1344 GNUTLS_X509_FMT_DER)) < 0) {
1345 if (alloced_cert_memory)
1346 gnutls_free(cert.data);
1347 if (alloced_pkey_memory)
1348 gnutls_free(pkey.data);
1353 if (alloced_cert_memory)
1354 gnutls_free(cert.data);
1355 if (alloced_pkey_memory)
1356 gnutls_free(pkey.data);
1359 gnutls_pkcs11_set_pin_function(pin_callback, &setup_data->
pki_key);
1360 if ((ret = gnutls_certificate_set_x509_key_file(*pki_credentials,
1363 GNUTLS_X509_FMT_DER)) < 0) {
1370#if (GNUTLS_VERSION_NUMBER >= 0x030606)
1371 gnutls_pkcs11_set_pin_function(pin_callback, setup_data);
1372 if ((ret = gnutls_certificate_set_rawpk_key_file(*pki_credentials,
1375 GNUTLS_X509_FMT_PEM,
NULL,
1376 COAP_GNUTLS_KEY_RPK,
1377 NULL, 0, GNUTLS_PKCS_PLAIN, 0))) {
1383 coap_log_err(
"RPK Support not available (needs gnutls 3.6.6 or later)\n");
1384 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1391 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1402 if ((ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1404 GNUTLS_X509_FMT_PEM) < 0)) {
1411 if ((ret = check_null_memory(&ca,
1414 &alloced_ca_memory)) < 0) {
1419 if ((ret = gnutls_certificate_set_x509_trust_mem(*pki_credentials,
1421 GNUTLS_X509_FMT_PEM)) < 0) {
1422 if (alloced_ca_memory)
1423 gnutls_free(ca.data);
1428 if (alloced_ca_memory)
1429 gnutls_free(ca.data);
1435 if ((ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1437 GNUTLS_X509_FMT_DER) < 0)) {
1444 if ((ret = check_null_memory(&ca,
1447 &alloced_ca_memory)) < 0) {
1452 if ((ret = gnutls_certificate_set_x509_trust_mem(*pki_credentials,
1454 GNUTLS_X509_FMT_DER)) <= 0) {
1455 if (alloced_ca_memory)
1456 gnutls_free(ca.data);
1461 if (alloced_ca_memory)
1462 gnutls_free(ca.data);
1465 if ((ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1467 GNUTLS_X509_FMT_DER)) <= 0) {
1480 &key, role, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1484#if (GNUTLS_VERSION_NUMBER >= 0x030020)
1485 if (g_context->trust_store_defined) {
1486 G_CHECK(gnutls_certificate_set_x509_system_trust(*pki_credentials),
1487 "gnutls_certificate_set_x509_system_trust");
1490 if (g_context->root_ca_file) {
1491 ret = gnutls_certificate_set_x509_trust_file(*pki_credentials,
1492 g_context->root_ca_file,
1493 GNUTLS_X509_FMT_PEM);
1495 coap_log_warn(
"gnutls_certificate_set_x509_trust_file: Root CA: No certificates found\n");
1498 if (g_context->root_ca_path) {
1499#if (GNUTLS_VERSION_NUMBER >= 0x030306)
1500 G_CHECK(gnutls_certificate_set_x509_trust_dir(*pki_credentials,
1501 g_context->root_ca_path,
1502 GNUTLS_X509_FMT_PEM),
1503 "gnutls_certificate_set_x509_trust_dir");
1506 gnutls_certificate_send_x509_rdn_sequence(g_session,
1508#if (GNUTLS_VERSION_NUMBER >= 0x030020)
1509 if (!(g_context->psk_pki_enabled & IS_PKI) && !g_context->trust_store_defined) {
1511 G_CHECK(gnutls_certificate_set_x509_system_trust(*pki_credentials),
1512 "gnutls_certificate_set_x509_system_trust");
1517 gnutls_certificate_set_verify_function(*pki_credentials,
1518 cert_verify_callback_gnutls);
1522 gnutls_certificate_set_verify_limits(*pki_credentials,
1531 gnutls_certificate_set_verify_flags(*pki_credentials,
1533 GNUTLS_VERIFY_DISABLE_CRL_CHECKS : 0)
1536 return GNUTLS_E_SUCCESS;
1542#if COAP_SERVER_SUPPORT
1548setup_psk_credentials(gnutls_psk_server_credentials_t *psk_credentials,
1554 G_CHECK(gnutls_psk_allocate_server_credentials(psk_credentials),
1555 "gnutls_psk_allocate_server_credentials");
1556 gnutls_psk_set_server_credentials_function(*psk_credentials,
1557 psk_server_callback);
1561 G_CHECK(gnutls_psk_set_server_credentials_hint(*psk_credentials, hint),
1562 "gnutls_psk_set_server_credentials_hint");
1565 return GNUTLS_E_SUCCESS;
1576post_client_hello_gnutls_psk(gnutls_session_t g_session) {
1579 coap_gnutls_context_t *g_context =
1581 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
1582 int ret = GNUTLS_E_SUCCESS;
1585 if (c_session->
context->spsk_setup_data.validate_sni_call_back) {
1592 name = gnutls_malloc(len);
1594 return GNUTLS_E_MEMORY_ERROR;
1597 ret = gnutls_server_name_get(g_session, name, &len, &type, i);
1598 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
1600 new_name = gnutls_realloc(name, len);
1601 if (new_name ==
NULL) {
1602 ret = GNUTLS_E_MEMORY_ERROR;
1610 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1613 if (ret != GNUTLS_E_SUCCESS)
1616 if (type != GNUTLS_NAME_DNS)
1627 for (i = 0; i < g_context->psk_sni_count; i++) {
1628 if (strcasecmp(name, g_context->psk_sni_entry_list[i].sni) == 0) {
1632 if (i == g_context->psk_sni_count) {
1639 c_session->
context->spsk_setup_data.validate_sni_call_back(name,
1641 c_session->
context->spsk_setup_data.sni_call_back_arg));
1643 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1644 GNUTLS_A_UNRECOGNIZED_NAME));
1645 g_env->sent_alert = 1;
1646 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
1650 g_context->psk_sni_entry_list =
1651 gnutls_realloc(g_context->psk_sni_entry_list,
1652 (i+1)*
sizeof(psk_sni_entry));
1653 g_context->psk_sni_entry_list[i].sni = gnutls_strdup(name);
1654 g_context->psk_sni_entry_list[i].psk_info = *new_entry;
1655 sni_setup_data = c_session->
context->spsk_setup_data;
1656 sni_setup_data.
psk_info = *new_entry;
1657 if ((ret = setup_psk_credentials(
1658 &g_context->psk_sni_entry_list[i].psk_credentials,
1660 &sni_setup_data)) < 0) {
1662 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1663 GNUTLS_A_BAD_CERTIFICATE));
1664 g_env->sent_alert = 1;
1668 g_context->psk_sni_count++;
1670 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_PSK,
1671 g_context->psk_sni_entry_list[i].psk_credentials),
1672 "gnutls_credentials_set");
1674 &g_context->psk_sni_entry_list[i].psk_info.hint);
1676 &g_context->psk_sni_entry_list[i].psk_info.key);
1692post_client_hello_gnutls_pki(gnutls_session_t g_session) {
1695 coap_gnutls_context_t *g_context =
1697 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
1698 int ret = GNUTLS_E_SUCCESS;
1701 if (g_context->setup_data.validate_sni_call_back) {
1708 name = gnutls_malloc(len);
1710 return GNUTLS_E_MEMORY_ERROR;
1713 ret = gnutls_server_name_get(g_session, name, &len, &type, i);
1714 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
1716 new_name = gnutls_realloc(name, len);
1717 if (new_name ==
NULL) {
1718 ret = GNUTLS_E_MEMORY_ERROR;
1726 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1729 if (ret != GNUTLS_E_SUCCESS)
1732 if (type != GNUTLS_NAME_DNS)
1743 for (i = 0; i < g_context->pki_sni_count; i++) {
1744 if (strcasecmp(name, g_context->pki_sni_entry_list[i].sni) == 0) {
1748 if (i == g_context->pki_sni_count) {
1755 g_context->setup_data.validate_sni_call_back(name,
1756 g_context->setup_data.sni_call_back_arg));
1758 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1759 GNUTLS_A_UNRECOGNIZED_NAME));
1760 g_env->sent_alert = 1;
1761 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
1765 g_context->pki_sni_entry_list = gnutls_realloc(
1766 g_context->pki_sni_entry_list,
1767 (i+1)*
sizeof(pki_sni_entry));
1768 g_context->pki_sni_entry_list[i].sni = gnutls_strdup(name);
1769 g_context->pki_sni_entry_list[i].pki_key = *new_entry;
1770 sni_setup_data = g_context->setup_data;
1771 sni_setup_data.
pki_key = *new_entry;
1772 if ((ret = setup_pki_credentials(&g_context->pki_sni_entry_list[i].pki_credentials,
1777 G_ACTION(gnutls_alert_send(g_session, GNUTLS_AL_FATAL,
1778 GNUTLS_A_BAD_CERTIFICATE));
1779 g_env->sent_alert = 1;
1783 g_context->pki_sni_count++;
1785 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
1786 g_context->pki_sni_entry_list[i].pki_credentials),
1787 "gnutls_credentials_set");
1799#if COAP_CLIENT_SUPPORT
1805setup_client_ssl_session(
coap_session_t *c_session, coap_gnutls_env_t *g_env) {
1806 coap_gnutls_context_t *g_context =
1810 g_context->psk_pki_enabled |= IS_CLIENT;
1811 if (g_context->psk_pki_enabled & IS_PSK) {
1813 G_CHECK(gnutls_psk_allocate_client_credentials(&g_env->psk_cl_credentials),
1814 "gnutls_psk_allocate_client_credentials");
1815 gnutls_psk_set_client_credentials_function(g_env->psk_cl_credentials,
1816 psk_client_callback);
1817 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_PSK,
1818 g_env->psk_cl_credentials),
1819 "gnutls_credentials_set");
1822 G_CHECK(gnutls_server_name_set(g_env->g_session, GNUTLS_NAME_DNS,
1825 "gnutls_server_name_set");
1831 if (tls_version->
version >= 0x030604) {
1833 const char *priority;
1835 if (tls_version->
version >= 0x030606) {
1836 priority = VARIANTS_NO_TLS13_3_6_6;
1838 priority = VARIANTS_NO_TLS13_3_6_4;
1840 ret = gnutls_priority_set_direct(g_env->g_session,
1843 if (ret == GNUTLS_E_INVALID_REQUEST)
1844 coap_log_warn(
"gnutls_priority_set_direct: Syntax error at: %s\n", err);
1846 coap_log_warn(
"gnutls_priority_set_direct: %s\n", gnutls_strerror(ret));
1853 if ((g_context->psk_pki_enabled & IS_PKI) ||
1854 (g_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
1861 if (!(g_context->psk_pki_enabled & IS_PKI)) {
1875 G_CHECK(setup_pki_credentials(&g_env->pki_credentials, g_env->g_session,
1876 g_context, setup_data,
1878 "setup_pki_credentials");
1880 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
1881 g_env->pki_credentials),
1882 "gnutls_credentials_set");
1885 G_CHECK(gnutls_alpn_set_protocols(g_env->g_session,
1886 &g_context->alpn_proto, 1, 0),
1887 "gnutls_alpn_set_protocols");
1891 G_CHECK(gnutls_server_name_set(g_env->g_session, GNUTLS_NAME_DNS,
1894 "gnutls_server_name_set");
1897 return GNUTLS_E_SUCCESS;
1904#if COAP_SERVER_SUPPORT
1913psk_server_callback(gnutls_session_t g_session,
1914 const char *identity,
1915 gnutls_datum_t *key) {
1918 coap_gnutls_context_t *g_context;
1923 if (c_session ==
NULL)
1927 if (g_context ==
NULL)
1929 setup_data = &c_session->
context->spsk_setup_data;
1933 lidentity.
s = identity ? (
const uint8_t *)identity : (const uint8_t *)
"";
1934 lidentity.
length = strlen((
const char *)lidentity.
s);
1938 (
int)lidentity.
length, (
const char *)lidentity.
s);
1950 if (psk_key ==
NULL)
1953 key->data = gnutls_malloc(psk_key->
length);
1954 if (key->data ==
NULL)
1956 memcpy(key->data, psk_key->
s, psk_key->
length);
1957 key->size = psk_key->
length;
1966setup_server_ssl_session(
coap_session_t *c_session, coap_gnutls_env_t *g_env) {
1967 coap_gnutls_context_t *g_context =
1969 int ret = GNUTLS_E_SUCCESS;
1971 g_context->psk_pki_enabled |= IS_SERVER;
1972 if (g_context->psk_pki_enabled & IS_PSK) {
1973 G_CHECK(setup_psk_credentials(
1974 &g_env->psk_sv_credentials,
1976 &c_session->
context->spsk_setup_data),
1977 "setup_psk_credentials\n");
1978 G_CHECK(gnutls_credentials_set(g_env->g_session,
1980 g_env->psk_sv_credentials),
1981 "gnutls_credentials_set\n");
1982 gnutls_handshake_set_post_client_hello_function(g_env->g_session,
1983 post_client_hello_gnutls_psk);
1986 if (g_context->psk_pki_enabled & IS_PKI) {
1988 G_CHECK(setup_pki_credentials(&g_env->pki_credentials, g_env->g_session,
1989 g_context, setup_data,
1991 "setup_pki_credentials");
1994 gnutls_certificate_server_set_request(g_env->g_session,
1995 GNUTLS_CERT_REQUIRE);
1997 gnutls_certificate_server_set_request(g_env->g_session,
1998 GNUTLS_CERT_REQUEST);
2000 gnutls_certificate_server_set_request(g_env->g_session,
2001 GNUTLS_CERT_IGNORE);
2004 gnutls_handshake_set_post_client_hello_function(g_env->g_session,
2005 post_client_hello_gnutls_pki);
2007 G_CHECK(gnutls_credentials_set(g_env->g_session, GNUTLS_CRD_CERTIFICATE,
2008 g_env->pki_credentials),
2009 "gnutls_credentials_set\n");
2011 return GNUTLS_E_SUCCESS;
2024coap_dgram_read(gnutls_transport_ptr_t context,
void *out,
size_t outl) {
2029 if (!c_session->
tls) {
2033 data = &((coap_gnutls_env_t *)c_session->
tls)->coap_ssl_data;
2036 if (data !=
NULL && data->pdu_len > 0) {
2037 if (outl < data->pdu_len) {
2038 memcpy(out, data->pdu, outl);
2040 if (!data->peekmode) {
2042 data->pdu_len -= outl;
2045 memcpy(out, data->pdu, data->pdu_len);
2046 ret = data->pdu_len;
2047 if (!data->peekmode) {
2067coap_dgram_write(gnutls_transport_ptr_t context,
const void *send_buffer,
2068 size_t send_buffer_length) {
2069 ssize_t result = -1;
2075 && c_session->endpoint ==
NULL
2083 send_buffer, send_buffer_length);
2084 if (result != (
int)send_buffer_length) {
2085 int keep_errno = errno;
2088 result, send_buffer_length);
2091 if (errno == ENOTCONN || errno == ECONNREFUSED)
2110receive_timeout(gnutls_transport_ptr_t context,
unsigned int ms
COAP_UNUSED) {
2114 fd_set readfds, writefds, exceptfds;
2116#if COAP_SERVER_SUPPORT
2123 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2127 g_env->coap_ssl_data.pdu_len > 0) {
2133 FD_ZERO(&exceptfds);
2134 FD_SET(fd, &readfds);
2135 if (!(g_env && g_env->doing_dtls_timeout)) {
2136 FD_SET(fd, &writefds);
2137 FD_SET(fd, &exceptfds);
2143 return select(nfds, &readfds, &writefds, &exceptfds, &tv);
2148static coap_gnutls_env_t *
2150 coap_gnutls_context_t *g_context =
2152 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2153#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2154 int flags = type | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2156 int flags = type | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
2163 g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2167 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2169 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2171 gnutls_transport_set_pull_function(g_env->g_session, coap_dgram_read);
2172 gnutls_transport_set_push_function(g_env->g_session, coap_dgram_write);
2173 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2175 gnutls_transport_set_ptr(g_env->g_session, c_session);
2177 G_CHECK(gnutls_priority_set(g_env->g_session, g_context->priority_cache),
2178 "gnutls_priority_set");
2180 if (type == GNUTLS_SERVER) {
2181#if COAP_SERVER_SUPPORT
2182 G_CHECK(setup_server_ssl_session(c_session, g_env),
2183 "setup_server_ssl_session");
2188#if COAP_CLIENT_SUPPORT
2189 G_CHECK(setup_client_ssl_session(c_session, g_env),
2190 "setup_client_ssl_session");
2196 gnutls_handshake_set_timeout(g_env->g_session,
2197 GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2210coap_dtls_free_gnutls_env(coap_gnutls_context_t *g_context,
2211 coap_gnutls_env_t *g_env,
2212 coap_free_bye_t free_bye) {
2217 if (free_bye != COAP_FREE_BYE_NONE && !g_env->sent_alert) {
2219 gnutls_bye(g_env->g_session, free_bye == COAP_FREE_BYE_AS_UDP ?
2220 GNUTLS_SHUT_WR : GNUTLS_SHUT_RDWR);
2222 gnutls_deinit(g_env->g_session);
2223 g_env->g_session =
NULL;
2224 if (g_context->psk_pki_enabled & IS_PSK) {
2225 if ((g_context->psk_pki_enabled & IS_CLIENT) &&
2226 g_env->psk_cl_credentials !=
NULL) {
2227 gnutls_psk_free_client_credentials(g_env->psk_cl_credentials);
2228 g_env->psk_cl_credentials =
NULL;
2231 if (g_env->psk_sv_credentials !=
NULL)
2232 gnutls_psk_free_server_credentials(g_env->psk_sv_credentials);
2233 g_env->psk_sv_credentials =
NULL;
2236 if ((g_context->psk_pki_enabled & IS_PKI) ||
2237 (g_context->psk_pki_enabled &
2238 (IS_PSK | IS_PKI | IS_CLIENT)) == IS_CLIENT) {
2239 gnutls_certificate_free_credentials(g_env->pki_credentials);
2240 g_env->pki_credentials =
NULL;
2242 gnutls_free(g_env->coap_ssl_data.cookie_key.data);
2247#if COAP_SERVER_SUPPORT
2250 coap_gnutls_env_t *g_env =
2251 (coap_gnutls_env_t *)c_session->
tls;
2253 gnutls_transport_set_ptr(g_env->g_session, c_session);
2261 gnutls_session_t g_session) {
2262#if COAP_MAX_LOGGING_LEVEL > 0
2263 int last_alert = gnutls_alert_get(g_session);
2265 if (last_alert == GNUTLS_A_CLOSE_NOTIFY)
2268 last_alert, gnutls_alert_get_name(last_alert));
2272 last_alert, gnutls_alert_get_name(last_alert));
2285do_gnutls_handshake(
coap_session_t *c_session, coap_gnutls_env_t *g_env) {
2288 ret = gnutls_handshake(g_env->g_session);
2290 case GNUTLS_E_SUCCESS:
2291 g_env->established = 1;
2296 gnutls_transport_set_ptr(g_env->g_session, c_session);
2300 case GNUTLS_E_INTERRUPTED:
2304 case GNUTLS_E_AGAIN:
2308 case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
2312 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2314 g_env->sent_alert = 1;
2315 log_last_alert(c_session, g_env->g_session);
2317 case GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET:
2318 case GNUTLS_E_UNEXPECTED_PACKET:
2322 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2323 log_last_alert(c_session, g_env->g_session);
2327 case GNUTLS_E_NO_CERTIFICATE_FOUND:
2328#if (GNUTLS_VERSION_NUMBER > 0x030606)
2329 case GNUTLS_E_CERTIFICATE_REQUIRED:
2331 coap_log_warn(
"Client Certificate requested and required, but not provided\n"
2333 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2334 GNUTLS_A_BAD_CERTIFICATE));
2335 g_env->sent_alert = 1;
2339 case GNUTLS_E_DECRYPTION_FAILED:
2342 gnutls_strerror(ret));
2343 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2344 GNUTLS_A_DECRYPT_ERROR));
2345 g_env->sent_alert = 1;
2349 case GNUTLS_E_CERTIFICATE_ERROR:
2350 if (g_env->sent_alert) {
2356 case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
2357 case GNUTLS_E_NO_CIPHER_SUITES:
2358 case GNUTLS_E_INVALID_SESSION:
2361 gnutls_strerror(ret));
2362 if (!g_env->sent_alert) {
2363 G_ACTION(gnutls_alert_send(g_env->g_session, GNUTLS_AL_FATAL,
2364 GNUTLS_A_HANDSHAKE_FAILURE));
2365 g_env->sent_alert = 1;
2370 case GNUTLS_E_SESSION_EOF:
2371 case GNUTLS_E_PREMATURE_TERMINATION:
2372 case GNUTLS_E_TIMEDOUT:
2373 case GNUTLS_E_PULL_ERROR:
2374 case GNUTLS_E_PUSH_ERROR:
2380 "returned %d: '%s'\n",
2381 ret, gnutls_strerror(ret));
2388#if COAP_CLIENT_SUPPORT
2391 coap_gnutls_env_t *g_env = coap_dtls_new_gnutls_env(c_session, GNUTLS_CLIENT);
2395 ret = do_gnutls_handshake(c_session, g_env);
2400 COAP_FREE_BYE_AS_UDP : COAP_FREE_BYE_AS_TCP);
2410 if (c_session && c_session->
context && c_session->
tls) {
2414 COAP_FREE_BYE_AS_UDP : COAP_FREE_BYE_AS_TCP);
2422 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2426 G_CHECK(gnutls_dtls_set_data_mtu(g_env->g_session,
2427 (
unsigned int)c_session->
mtu),
2428 "gnutls_dtls_set_data_mtu");
2440 const uint8_t *data,
size_t data_len) {
2442 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2444 if (g_env ==
NULL) {
2451 if (g_env->established) {
2452 ret = gnutls_record_send(g_env->g_session, data, data_len);
2456 case GNUTLS_E_AGAIN:
2459 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2461 g_env->sent_alert = 1;
2462 log_last_alert(c_session, g_env->g_session);
2468 "returned %d: '%s'\n",
2469 ret, gnutls_strerror(ret));
2478 ret = do_gnutls_handshake(c_session, g_env);
2509 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2512 if (g_env && g_env->g_session) {
2513 unsigned int rem_ms = gnutls_dtls_get_timeout(g_env->g_session);
2526 g_env->last_timeout = now - rem_ms;
2527 return now + rem_ms;
2539 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2542 g_env->doing_dtls_timeout = 1;
2544 (do_gnutls_handshake(c_session, g_env) < 0)) {
2546 g_env->doing_dtls_timeout = 0;
2550 g_env->doing_dtls_timeout = 0;
2563 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2565 coap_ssl_t *ssl_data = &g_env->coap_ssl_data;
2569 assert(g_env !=
NULL);
2571 if (ssl_data->pdu_len)
2572 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2574 ssl_data->pdu = data;
2575 ssl_data->pdu_len = data_len;
2578 if (g_env->established) {
2579 ret = gnutls_record_recv(g_env->g_session, pdu, (
int)
sizeof(pdu));
2584 }
else if (ret == 0) {
2588 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2590 g_env->sent_alert = 1;
2591 log_last_alert(c_session, g_env->g_session);
2595 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2596 log_last_alert(c_session, g_env->g_session);
2601 coap_log_warn(
"coap_dtls_receive: gnutls_record_recv returned %d\n", ret);
2607 ret = do_gnutls_handshake(c_session, g_env);
2612 if (ssl_data->pdu_len && !g_env->sent_alert) {
2614 ret = do_gnutls_handshake(c_session, g_env);
2632 if (ssl_data && ssl_data->pdu_len) {
2634 coap_log_debug(
"coap_dtls_receive: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2635 ssl_data->pdu_len = 0;
2636 ssl_data->pdu =
NULL;
2641#if COAP_SERVER_SUPPORT
2649 const uint8_t *data,
2652 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2653 coap_ssl_t *ssl_data;
2657 g_env = coap_dtls_new_gnutls_env(c_session, GNUTLS_SERVER);
2659 c_session->
tls = g_env;
2660 gnutls_key_generate(&g_env->coap_ssl_data.cookie_key,
2661 GNUTLS_COOKIE_KEY_SIZE);
2668 gnutls_dtls_prestate_st prestate;
2671 memset(&prestate, 0,
sizeof(prestate));
2673 memcpy(&data_rw, &data,
sizeof(data_rw));
2674 ret = gnutls_dtls_cookie_verify(&g_env->coap_ssl_data.cookie_key,
2681 gnutls_dtls_cookie_send(&g_env->coap_ssl_data.cookie_key,
2689 gnutls_dtls_prestate_set(g_env->g_session, &prestate);
2692 ssl_data = &g_env->coap_ssl_data;
2693 ssl_data->pdu = data;
2694 ssl_data->pdu_len = data_len;
2696 ret = do_gnutls_handshake(c_session, g_env);
2703 g_env, COAP_FREE_BYE_NONE);
2712 if (ssl_data && ssl_data->pdu_len) {
2714 coap_log_debug(
"coap_dtls_hello: ret %d: remaining data %u\n", ret, ssl_data->pdu_len);
2715 ssl_data->pdu_len = 0;
2716 ssl_data->pdu =
NULL;
2727#if !COAP_DISABLE_TCP
2735coap_sock_read(gnutls_transport_ptr_t context,
void *out,
size_t outl) {
2757coap_sock_write(gnutls_transport_ptr_t context,
const void *in,
size_t inl) {
2766 (errno == EPIPE || errno == ECONNRESET)) {
2792#if COAP_CLIENT_SUPPORT
2795 coap_gnutls_env_t *g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2796 coap_gnutls_context_t *g_context =
2798#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2799 int flags = GNUTLS_CLIENT | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2801 int flags = GNUTLS_CLIENT | GNUTLS_NONBLOCK;
2808 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2810 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2812 gnutls_transport_set_pull_function(g_env->g_session, coap_sock_read);
2813 gnutls_transport_set_push_function(g_env->g_session, coap_sock_write);
2814 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2816 gnutls_transport_set_ptr(g_env->g_session, c_session);
2818 gnutls_priority_set(g_env->g_session, g_context->priority_cache);
2819 setup_client_ssl_session(c_session, g_env);
2821 gnutls_handshake_set_timeout(g_env->g_session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2823 c_session->
tls = g_env;
2824 do_gnutls_handshake(c_session, g_env);
2834#if COAP_SERVER_SUPPORT
2837 coap_gnutls_env_t *g_env = gnutls_malloc(
sizeof(coap_gnutls_env_t));
2838 coap_gnutls_context_t *g_context =
2840#if (GNUTLS_VERSION_NUMBER >= 0x030606)
2841 int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK | GNUTLS_ENABLE_RAWPK;
2843 int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK;
2849 memset(g_env, 0,
sizeof(coap_gnutls_env_t));
2851 G_CHECK(gnutls_init(&g_env->g_session, flags),
"gnutls_init");
2853 gnutls_transport_set_pull_function(g_env->g_session, coap_sock_read);
2854 gnutls_transport_set_push_function(g_env->g_session, coap_sock_write);
2855 gnutls_transport_set_pull_timeout_function(g_env->g_session, receive_timeout);
2857 gnutls_transport_set_ptr(g_env->g_session, c_session);
2859 setup_server_ssl_session(c_session, g_env);
2861 gnutls_priority_set(g_env->g_session, g_context->priority_cache);
2862 gnutls_handshake_set_timeout(g_env->g_session,
2863 GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
2865 c_session->
tls = g_env;
2866 do_gnutls_handshake(c_session, g_env);
2889 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2891 assert(g_env !=
NULL);
2894 if (g_env->established) {
2895 ret = gnutls_record_send(g_env->g_session, data, data_len);
2899 case GNUTLS_E_AGAIN:
2902 case GNUTLS_E_PUSH_ERROR:
2903 case GNUTLS_E_PULL_ERROR:
2904 case GNUTLS_E_PREMATURE_TERMINATION:
2907 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2909 g_env->sent_alert = 1;
2910 log_last_alert(c_session, g_env->g_session);
2915 "returned %d: '%s'\n",
2916 ret, gnutls_strerror(ret));
2925 ret = do_gnutls_handshake(c_session, g_env);
2942 if (ret == (ssize_t)data_len)
2959 coap_gnutls_env_t *g_env = (coap_gnutls_env_t *)c_session->
tls;
2968 if (!g_env->established && !g_env->sent_alert) {
2969 ret = do_gnutls_handshake(c_session, g_env);
2975 ret = gnutls_record_recv(g_env->g_session, data, (
int)data_len);
2981 case GNUTLS_E_AGAIN:
2985 case GNUTLS_E_PULL_ERROR:
2988 case GNUTLS_E_FATAL_ALERT_RECEIVED:
2990 g_env->sent_alert = 1;
2991 log_last_alert(c_session, g_env->g_session);
2994 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2995 log_last_alert(c_session, g_env->g_session);
3000 "returned %d: '%s'\n",
3001 ret, gnutls_strerror(ret));
3024#if COAP_SERVER_SUPPORT
3026coap_digest_setup(
void) {
3027 gnutls_hash_hd_t digest_ctx;
3029 if (gnutls_hash_init(&digest_ctx, GNUTLS_DIG_SHA256)) {
3036coap_digest_free(coap_digest_ctx_t *digest_ctx) {
3038 gnutls_hash_deinit(digest_ctx,
NULL);
3042coap_digest_update(coap_digest_ctx_t *digest_ctx,
3043 const uint8_t *data,
3045 int ret = gnutls_hash(digest_ctx, data, data_len);
3051coap_digest_final(coap_digest_ctx_t *digest_ctx,
3052 coap_digest_t *digest_buffer) {
3053 gnutls_hash_output(digest_ctx, (uint8_t *)digest_buffer);
3055 coap_digest_free(digest_ctx);
3065static struct hash_algs {
3067 gnutls_digest_algorithm_t dig_type;
3075static gnutls_digest_algorithm_t
3076get_hash_alg(
cose_alg_t alg,
size_t *hash_len) {
3079 for (idx = 0; idx <
sizeof(hashs) /
sizeof(
struct hash_algs); idx++) {
3080 if (hashs[idx].alg == alg) {
3081 *hash_len = hashs[idx].dig_size;
3082 return hashs[idx].dig_type;
3085 coap_log_debug(
"get_hash_alg: COSE hash %d not supported\n", alg);
3086 return GNUTLS_DIG_UNKNOWN;
3094 gnutls_digest_algorithm_t dig_type = get_hash_alg(alg, &hash_length);
3095 gnutls_hash_hd_t digest_ctx;
3099 if (dig_type == GNUTLS_DIG_UNKNOWN) {
3100 coap_log_debug(
"coap_crypto_hash: algorithm %d not supported\n", alg);
3104 if (gnutls_hash_init(&digest_ctx, dig_type)) {
3107 ret = gnutls_hash(digest_ctx, data->
s, data->
length);
3114 gnutls_hash_output(digest_ctx,
dummy->s);
3117 gnutls_hash_deinit(digest_ctx,
NULL);
3122 gnutls_hash_deinit(digest_ctx,
NULL);
3127#if COAP_OSCORE_SUPPORT
3138static struct cipher_algs {
3140 gnutls_cipher_algorithm_t cipher_type;
3145static gnutls_cipher_algorithm_t
3149 for (idx = 0; idx <
sizeof(ciphers) /
sizeof(
struct cipher_algs); idx++) {
3150 if (ciphers[idx].alg == alg)
3151 return ciphers[idx].cipher_type;
3153 coap_log_debug(
"get_cipher_alg: COSE cipher %d not supported\n", alg);
3162static struct hmac_algs {
3164 gnutls_mac_algorithm_t hmac_type;
3170static gnutls_mac_algorithm_t
3174 for (idx = 0; idx <
sizeof(hmacs) /
sizeof(
struct hmac_algs); idx++) {
3175 if (hmacs[idx].hmac_alg == hmac_alg)
3176 return hmacs[idx].hmac_type;
3178 coap_log_debug(
"get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
3184 return get_cipher_alg(alg);
3193 return get_hmac_alg(hmac_alg);
3201 size_t *max_result_len) {
3202 gnutls_aead_cipher_hd_t ctx;
3206 size_t result_len = *max_result_len;
3207 gnutls_cipher_algorithm_t algo;
3209 uint8_t *key_data_rw;
3215 assert(params !=
NULL);
3219 if ((algo = get_cipher_alg(params->
alg)) == 0) {
3220 coap_log_debug(
"coap_crypto_encrypt: algorithm %d not supported\n",
3224 tag_size = gnutls_cipher_get_tag_size(algo);
3228 memcpy(&key_data_rw, &ccm->
key.
s,
sizeof(key_data_rw));
3229 key.data = key_data_rw;
3239 G_CHECK(gnutls_aead_cipher_init(&ctx, algo, &key),
"gnutls_aead_cipher_init");
3241 G_CHECK(gnutls_aead_cipher_encrypt(ctx,
3251 "gnutls_aead_cipher_encrypt");
3252 *max_result_len = result_len;
3255 gnutls_aead_cipher_deinit(ctx);
3256 return ret == 1 ? 1 : 0;
3264 size_t *max_result_len) {
3265 gnutls_aead_cipher_hd_t ctx;
3269 size_t result_len = *max_result_len;
3270 gnutls_cipher_algorithm_t algo;
3272 uint8_t *key_data_rw;
3278 assert(params !=
NULL);
3283 if ((algo = get_cipher_alg(params->
alg)) == 0) {
3284 coap_log_debug(
"coap_crypto_decrypt: algorithm %d not supported\n",
3288 tag_size = gnutls_cipher_get_tag_size(algo);
3292 memcpy(&key_data_rw, &ccm->
key.
s,
sizeof(key_data_rw));
3293 key.data = key_data_rw;
3303 G_CHECK(gnutls_aead_cipher_init(&ctx, algo, &key),
"gnutls_aead_cipher_init");
3305 G_CHECK(gnutls_aead_cipher_decrypt(ctx,
3315 "gnutls_aead_cipher_decrypt");
3316 *max_result_len = result_len;
3319 gnutls_aead_cipher_deinit(ctx);
3320 return ret == 1 ? 1 : 0;
3328 gnutls_hmac_hd_t ctx;
3331 gnutls_mac_algorithm_t mac_algo;
3337 if ((mac_algo = get_hmac_alg(hmac_alg)) == 0) {
3338 coap_log_debug(
"coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
3341 len = gnutls_hmac_get_len(mac_algo);
3348 G_CHECK(gnutls_hmac_init(&ctx, mac_algo, key->
s, key->
length),
3349 "gnutls_hmac_init");
3350 G_CHECK(gnutls_hmac(ctx, data->
s, data->
length),
"gnutls_hmac");
3351 gnutls_hmac_output(ctx,
dummy->s);
3357 gnutls_hmac_deinit(ctx,
NULL);
3358 return ret == 1 ? 1 : 0;
3369#pragma GCC diagnostic ignored "-Wunused-function"
#define COAP_SERVER_SUPPORT
const char * coap_socket_strerror(void)
#define COAP_RXBUFFER_SIZE
Library specific build wrapper for coap_internal.h.
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_load_pki_trust_store(coap_context_t *ctx COAP_UNUSED)
static coap_log_t dtls_log_level
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
ssize_t coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
coap_binary_t * get_asn1_spki(const uint8_t *data, size_t size)
Abstract SPKI public key from the ASN1.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_handle_event_lkd(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
int coap_crypto_hmac(cose_hmac_alg_t hmac_alg, coap_bin_const_t *key, coap_bin_const_t *data, coap_bin_const_t **hmac)
Create a HMAC hash of the provided data.
int coap_crypto_aead_decrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Decrypt the provided encrypted data into plaintext.
int coap_crypto_aead_encrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Encrypt the provided plaintext data.
int coap_crypto_hash(cose_alg_t alg, const coap_bin_const_t *data, coap_bin_const_t **hash)
Create a hash of the provided data.
int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg)
Check whether the defined hkdf algorithm is supported by the underlying crypto library.
int coap_crypto_check_cipher_alg(cose_alg_t alg)
Check whether the defined cipher algorithm is supported by the underlying crypto library.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *coap_session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
#define COAP_DTLS_RETRANSMIT_MS
int coap_dtls_define_issue(coap_define_issue_key_t type, coap_define_issue_fail_t fail, coap_dtls_key_t *key, const coap_dtls_role_t role, int ret)
Report PKI DEFINE type issue.
void coap_dtls_thread_shutdown(void)
Close down the underlying (D)TLS Library layer.
int coap_dtls_set_cid_tuple_change(coap_context_t *context, uint8_t every)
Set the Connection ID client tuple frequency change for testing CIDs.
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
void coap_dtls_map_key_type_to_define(const coap_dtls_pki_t *setup_data, coap_dtls_key_t *key)
Map the PKI key definitions to the new DEFINE format.
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
#define COAP_DTLS_RETRANSMIT_TOTAL_MS
@ COAP_DEFINE_KEY_PRIVATE
@ COAP_DEFINE_FAIL_NOT_SUPPORTED
#define COAP_DTLS_HINT_LENGTH
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
struct coap_dtls_key_t coap_dtls_key_t
The structure that holds the PKI key information.
#define COAP_DTLS_RPK_CERT_CN
struct coap_dtls_spsk_info_t coap_dtls_spsk_info_t
The structure that holds the Server Pre-Shared Key and Identity Hint information.
struct coap_dtls_pki_t coap_dtls_pki_t
@ COAP_PKI_KEY_DEF_PKCS11
The PKI key type is PKCS11 (pkcs11:...).
@ COAP_PKI_KEY_DEF_DER_BUF
The PKI key type is DER buffer (ASN.1).
@ COAP_PKI_KEY_DEF_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_DEF_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_DEF_ENGINE
The PKI key type is to be passed to ENGINE.
@ COAP_PKI_KEY_DEF_RPK_BUF
The PKI key type is RPK in buffer.
@ COAP_PKI_KEY_DEF_DER
The PKI key type is DER file.
@ COAP_PKI_KEY_DEF_PKCS11_RPK
The PKI key type is PKCS11 w/ RPK (pkcs11:...).
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_DEFINE
The individual PKI key types are Definable.
@ COAP_TLS_LIBRARY_GNUTLS
Using GnuTLS library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
#define coap_lock_callback_ret(r, func)
Dummy for no thread-safe code.
#define coap_log_debug(...)
coap_log_t coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
#define coap_dtls_log(level,...)
Logging function.
void coap_dtls_set_log_level(coap_log_t level)
Sets the (D)TLS logging level to the specified level.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log_info(...)
#define coap_log_warn(...)
#define coap_log_err(...)
int coap_netif_available(coap_session_t *session)
Function interface to check whether netif for session is still available.
int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg, cose_hmac_alg_t *hmac_alg)
@ COSE_HMAC_ALG_HMAC256_256
@ COSE_HMAC_ALG_HMAC512_512
@ COSE_ALGORITHM_SHA_256_256
@ COSE_ALGORITHM_AES_CCM_16_64_128
@ COSE_ALGORITHM_AES_CCM_16_64_256
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
void coap_session_connected(coap_session_t *session)
Notify session that it has just connected or reconnected.
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
void coap_session_disconnected_lkd(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
#define COAP_PROTO_NOT_RELIABLE(p)
@ COAP_SESSION_TYPE_CLIENT
client-side
@ COAP_SESSION_STATE_HANDSHAKE
@ COAP_SESSION_STATE_NONE
coap_binary_t * coap_new_binary(size_t size)
Returns a new binary object with at least size bytes storage allocated.
void coap_delete_binary(coap_binary_t *s)
Deletes the given coap_binary_t object and releases any memory allocated.
int coap_dtls_cid_is_supported(void)
Check whether (D)TLS CID is available.
int coap_dtls_psk_is_supported(void)
Check whether (D)TLS PSK is available.
int coap_tls_is_supported(void)
Check whether TLS is available.
int coap_oscore_is_supported(void)
Check whether OSCORE is available.
int coap_dtls_is_supported(void)
Check whether DTLS is available.
int coap_dtls_pki_is_supported(void)
Check whether (D)TLS PKI is available.
int coap_dtls_rpk_is_supported(void)
Check whether (D)TLS RPK is available.
int coap_dtls_pkcs11_is_supported(void)
Check whether (D)TLS PKCS11 is available.
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
size_t length
length of binary data
The CoAP stack's global state is stored in a coap_context_t object.
The structure that holds the AES Crypto information.
size_t l
The number of bytes in the length field.
const uint8_t * nonce
must be exactly 15 - l bytes
coap_crypto_key_t key
The Key to use.
The common structure that holds the Crypto information.
union coap_crypto_param_t::@376202006114157036213053136012210003017006234156 params
coap_crypto_aes_ccm_t aes
Used if AES type encryption.
cose_alg_t alg
The COSE algorith to use.
The structure that holds the Client PSK information.
coap_bin_const_t identity
The structure used for defining the Client PSK setup data to be used.
uint8_t use_cid
Set to 1 if DTLS Connection ID is to be used.
void * ih_call_back_arg
Passed in to the Identity Hint callback function.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
uint8_t ec_jpake
Set to COAP_DTLS_CPSK_SETUP_VERSION to support this version of the struct.
The structure that holds the PKI key information.
coap_pki_key_define_t define
for definable type keys
coap_pki_key_t key_type
key format type
union coap_dtls_key_t::@003017313271040156213200302176016051164315363211 key
The structure used for defining the PKI setup data to be used.
uint8_t allow_no_crl
1 ignore if CRL not there
uint8_t cert_chain_validation
1 if to check cert_chain_verify_depth
uint8_t use_cid
1 if DTLS Connection ID is to be used (Client only, server always enabled) if supported
uint8_t check_cert_revocation
1 if revocation checks wanted
uint8_t cert_chain_verify_depth
recommended depth is 3
uint8_t allow_expired_certs
1 if expired certs are allowed
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
char * client_sni
If not NULL, SNI to use in client TLS setup.
uint8_t allow_self_signed
1 if self-signed certs are allowed.
uint8_t allow_expired_crl
1 if expired crl is allowed
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
uint8_t ec_jpake
Set to COAP_DTLS_SPSK_SETUP_VERSION to support this version of the struct.
coap_dtls_spsk_info_t psk_info
Server PSK definition.
coap_layer_write_t l_write
coap_layer_establish_t l_establish
coap_const_char_ptr_t public_cert
define: Public Cert
const char * user_pin
define: User pin to access type PKCS11.
coap_const_char_ptr_t private_key
define: Private Key
coap_const_char_ptr_t ca
define: Common CA Certificate
size_t public_cert_len
define Public Cert length (if needed)
size_t ca_len
define CA Cert length (if needed)
coap_pki_define_t private_key_def
define: Private Key type definition
size_t private_key_len
define Private Key length (if needed)
coap_pki_define_t ca_def
define: Common CA type definition
coap_pki_define_t public_cert_def
define: Public Cert type definition
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationship with peer
coap_addr_tuple_t addr_info
remote/local address info
coap_proto_t proto
protocol used
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
int dtls_event
Tracking any (D)TLS events on this session.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_session_type_t type
client or server side socket
coap_context_t * context
session's context
coap_layer_func_t lfunc[COAP_LAYER_LAST]
Layer functions to use.
CoAP string data definition with const data.
const uint8_t * s
read-only string data
size_t length
length of string
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version
const char * s_byte
signed char ptr
const uint8_t * u_byte
unsigned char ptr