21#if COAP_WITH_LIBWOLFSSL
78#include <wolfssl/options.h>
79#include <wolfssl/ssl.h>
80#include <wolfssl/wolfcrypt/settings.h>
81#include <wolfssl/openssl/ssl.h>
82#include <wolfssl/openssl/x509v3.h>
84#ifdef COAP_EPOLL_SUPPORT
85# include <sys/epoll.h>
88#if LIBWOLFSSL_VERSION_HEX < 0x05002000
89#error Must be compiled against wolfSSL 5.2.0 or later
93#define strcasecmp _stricmp
94#define strncasecmp _strnicmp
98#define WOLFSSL3_AL_FATAL 2
99#define WOLFSSL_TLSEXT_ERR_OK 0
102typedef struct coap_dtls_context_t {
104 WOLFSSL_HMAC_CTX *cookie_hmac;
105} coap_dtls_context_t;
107typedef struct coap_tls_context_t {
114typedef struct coap_wolfssl_context_t {
115 coap_dtls_context_t dtls;
117 coap_tls_context_t tls;
123 int trust_store_defined;
124} coap_wolfssl_context_t;
126typedef struct coap_ssl_data_t {
133typedef struct coap_wolfssl_env_t {
136 unsigned int retry_scalar;
137 coap_ssl_data_t data;
142typedef enum coap_enc_method_t {
148wolfssl_malloc(
size_t size) {
149 void *ret = XMALLOC(size,
NULL, DYNAMIC_TYPE_TMP_BUFFER);
155wolfssl_free(
void *ptr) {
157 XFREE(ptr,
NULL, DYNAMIC_TYPE_TMP_BUFFER);
161wolfssl_strdup(
const char *str) {
162 char *ret = (
char *)wolfssl_malloc(strlen(str) + 1);
171wolfssl_strndup(
const char *str,
size_t n) {
173 char *ret = (
char *)wolfssl_malloc(len + 1);
176 strncpy(ret, str, len);
182static coap_wolfssl_env_t *
184 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)c_session->
tls;
189 w_env = (coap_wolfssl_env_t *)wolfssl_malloc(
sizeof(coap_wolfssl_env_t));
193 memset(w_env, 0,
sizeof(coap_wolfssl_env_t));
199coap_dtls_free_wolfssl_env(coap_wolfssl_env_t *w_env) {
205#if COAP_CLIENT_SUPPORT
206#ifndef WOLFSSL_CIPHER_LIST_MAX_SIZE
207#define WOLFSSL_CIPHER_LIST_MAX_SIZE 4096
210#ifdef COAP_WOLFSSL_PSK_CIPHERS
211static char psk_ciphers[] = COAP_WOLFSSL_PSK_CIPHERS;
213static char psk_ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
216#ifdef COAP_WOLFSSL_PKI_CIPHERS
217static char pki_ciphers[] = COAP_WOLFSSL_PKI_CIPHERS;
219static char pki_ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
223set_ciphersuites(WOLFSSL *ssl, coap_enc_method_t method) {
224#if ! defined(COAP_WOLFSSL_PSK_CIPHERS) || ! defined(COAP_WOLFSSL_PKI_CIPHERS)
225 static int processed_ciphers = 0;
227 if (!processed_ciphers) {
228 static char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
229 char *ciphers_ofs = ciphers;
231#if ! defined(COAP_WOLFSSL_PSK_CIPHERS)
232 char *psk_ofs = psk_ciphers;
234#if ! defined(COAP_WOLFSSL_PKI_CIPHERS)
235 char *pki_ofs = pki_ciphers;
238 if (wolfSSL_get_ciphers(ciphers, (
int)
sizeof(ciphers)) != WOLFSSL_SUCCESS) {
243 while (ciphers_ofs) {
244 cp = strchr(ciphers_ofs,
':');
247 if (strstr(ciphers_ofs,
"NULL")) {
251 if (strcmp(ciphers_ofs,
"RENEGOTIATION-INFO") == 0) {
254 }
else if (strstr(ciphers_ofs,
"PSK")) {
255#if ! defined(COAP_WOLFSSL_PSK_CIPHERS)
256 if (psk_ofs != psk_ciphers) {
260 strcpy(psk_ofs, ciphers_ofs);
261 psk_ofs += strlen(ciphers_ofs);
265#if ! defined(COAP_WOLFSSL_PKI_CIPHERS)
266 if (pki_ofs != pki_ciphers) {
270 strcpy(pki_ofs, ciphers_ofs);
271 pki_ofs += strlen(ciphers_ofs);
277 ciphers_ofs = cp + 1;
281#ifndef HAVE_SECURE_RENEGOTIATION
287#if ! defined(COAP_WOLFSSL_PSK_CIPHERS)
288 if (psk_ofs != psk_ciphers) {
292 strcpy(psk_ofs,
"RENEGOTIATION-INFO");
293 psk_ofs += strlen(
"RENEGOTIATION-INFO");
296#if ! defined(COAP_WOLFSSL_PKI_CIPHERS)
297 if (pki_ofs != pki_ciphers) {
301 strcpy(pki_ofs,
"RENEGOTIATION-INFO");
302 pki_ofs += strlen(
"RENEGOTIATION-INFO");
307 processed_ciphers = 1;
311 if (method == COAP_ENC_PSK) {
312 wolfSSL_set_cipher_list(ssl, psk_ciphers);
314 wolfSSL_set_cipher_list(ssl, pki_ciphers);
319#if COAP_SERVER_SUPPORT
320static int psk_tls_server_name_call_back(WOLFSSL *ssl,
int *sd,
void *arg);
322static int tls_verify_call_back(
int preverify_ok, WOLFSSL_X509_STORE_CTX *ctx);
326 if (wolfSSL_lib_version_hex() < 0x05002000) {
327 coap_log_warn(
"wolfSSL version 5.2.0 or later is required\n");
336 if (wolfSSL_lib_version_hex() < 0x05002000) {
337 coap_log_warn(
"wolfSSL version 5.2.0 or later is required\n");
388#if defined(WOLFSSL_DTLS_CID)
395#if COAP_CLIENT_SUPPORT
398#if defined(WOLFSSL_DTLS_CID)
399 c_context->testing_cids = every;
412 version.
version = wolfSSL_lib_version_hex();
420coap_wolfssl_log_func(
int level,
const char *text) {
423 switch ((
int)level) {
448 if (wolfSSL_library_init() != WOLFSSL_SUCCESS) {
452 wolfSSL_load_error_strings();
453 wolfSSL_SetLoggingCb(coap_wolfssl_log_func);
454 wolfSSL_Debugging_ON();
459 wolfSSL_ERR_free_strings();
461 wolfSSL_Debugging_OFF();
482 coap_wolfssl_env_t *w_env;
485 memcpy(&w_env, &c_session->
tls,
sizeof(w_env));
487 return (
void *)&w_env->ssl;
508coap_dgram_read(WOLFSSL *ssl,
char *out,
int outl,
void *ctx) {
510 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)ctx;
511 coap_ssl_data_t *data = w_env ? &w_env->data :
NULL;
515 if (w_env && !w_env->done_psk_check && w_env->ssl) {
516 if (wolfSSL_SSL_in_init(w_env->ssl)) {
517 const char *name = wolfSSL_get_cipher_name(w_env->ssl);
523 wolfSSL_set_verify(w_env->ssl, WOLFSSL_VERIFY_NONE, tls_verify_call_back);
524 w_env->done_psk_check = 1;
530 if (data !=
NULL && data->pdu_len > 0) {
531 if (outl < (
int)data->pdu_len) {
532 memcpy(out, data->pdu, outl);
535 memcpy(out, data->pdu, data->pdu_len);
536 ret = (int)data->pdu_len;
538 if (!data->peekmode) {
543 w_env->last_timeout = now;
552coap_dgram_write(WOLFSSL *ssl,
char *in,
int inl,
void *ctx) {
554 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)ctx;
555 coap_ssl_data_t *data = w_env ? &w_env->data :
NULL;
559 if (data && data->session) {
562 && data->session->endpoint ==
NULL
569 ret = (int)data->session->sock.lfunc[
COAP_LAYER_TLS].l_write(data->session,
574 w_env->last_timeout = now;
575 }
else if (ret < 0) {
576 if (errno == ENOTCONN || errno == ECONNREFUSED)
585#if COAP_CLIENT_SUPPORT
587coap_dtls_psk_client_callback(WOLFSSL *ssl,
590 unsigned int max_identity_len,
592 unsigned int max_psk_len) {
594 coap_wolfssl_context_t *w_context;
604 if (w_context ==
NULL)
612 temp.
s = hint ? (
const uint8_t *)hint : (const uint8_t *)
"";
613 temp.
length = strlen((
const char *)temp.
s);
617 (
const char *)temp.
s);
627 if (cpsk_info ==
NULL)
632 psk_identity = &cpsk_info->
identity;
633 psk_key = &cpsk_info->
key;
639 if (psk_identity ==
NULL || psk_key ==
NULL) {
645 if (!max_identity_len)
648 if (psk_identity->
length > max_identity_len) {
649 coap_log_warn(
"psk_identity too large, truncated to %d bytes\n",
653 max_identity_len = (
unsigned int)psk_identity->
length;
655 memcpy(identity, psk_identity->
s, max_identity_len);
656 identity[max_identity_len] =
'\000';
658 if (psk_key->
length > max_psk_len) {
663 max_psk_len = (
unsigned int)psk_key->
length;
665 memcpy(psk, psk_key->
s, max_psk_len);
672coap_dtls_psk_client_cs_callback(WOLFSSL *ssl,
const char *hint,
673 char *identity,
unsigned int max_identity_len,
674 unsigned char *psk,
unsigned int max_psk_len,
675 const char *ciphersuite) {
676 int key_len = coap_dtls_psk_client_callback(ssl,
688coap_tls_psk_client_cs_callback(WOLFSSL *ssl,
const char *hint,
689 char *identity,
unsigned int max_identity_len,
690 unsigned char *psk,
unsigned int max_psk_len,
691 const char **ciphersuite) {
692 int key_len = coap_dtls_psk_client_callback(ssl,
699 *ciphersuite =
"TLS13-AES128-GCM-SHA256";
706#if COAP_SERVER_SUPPORT
708coap_dtls_psk_server_callback(
710 const char *identity,
712 unsigned int max_psk_len) {
722 setup_data = &c_session->
context->spsk_setup_data;
725 lidentity.
s = identity ? (
const uint8_t *)identity : (const uint8_t *)
"";
726 lidentity.
length = strlen((
const char *)lidentity.
s);
730 (
int)lidentity.
length, (
const char *)lidentity.
s);
745 if (psk_key->
length > max_psk_len) {
750 max_psk_len = (
unsigned int)psk_key->
length;
752 memcpy(psk, psk_key->
s, max_psk_len);
758ssl_function_definition(
unsigned long e) {
759 static char buff[80];
761 snprintf(buff,
sizeof(buff),
" at %s:%s",
762 wolfSSL_ERR_lib_error_string(e), wolfSSL_ERR_func_error_string(e));
767coap_dtls_info_callback(
const WOLFSSL *ssl,
int where,
int ret) {
770 int w = where &~SSL_ST_MASK;
774 "coap_dtls_info_callback: session not determined, where 0x%0x and ret 0x%0x\n", where, ret);
778 if (w & SSL_ST_CONNECT)
779 pstr =
"wolfSSL_connect";
780 else if (w & SSL_ST_ACCEPT)
781 pstr =
"wolfSSL_accept";
785 if (where & SSL_CB_LOOP) {
788 }
else if (where & SSL_CB_ALERT) {
790 pstr = (where & SSL_CB_READ) ?
"read" :
"write";
791 if ((where & (SSL_CB_WRITE|SSL_CB_READ)) && (ret >> 8) == WOLFSSL3_AL_FATAL) {
793 if ((ret & 0xff) != close_notify)
798 coap_log(log_level,
"* %s: SSL3 alert %s:%s:%s\n",
801 wolfSSL_alert_type_string_long(ret),
802 wolfSSL_alert_desc_string_long(ret));
803 }
else if (where & SSL_CB_EXIT) {
809 while ((e = wolfSSL_ERR_get_error()))
812 ssl_function_definition(e));
814 }
else if (ret < 0) {
819 memcpy(&rw_ssl, &ssl,
sizeof(rw_ssl));
820 int err = wolfSSL_get_error(rw_ssl, ret);
821 if (err != WOLFSSL_ERROR_WANT_READ && err != WOLFSSL_ERROR_WANT_WRITE &&
822 err != WOLFSSL_ERROR_WANT_CONNECT && err != WOLFSSL_ERROR_WANT_ACCEPT &&
823 err != WOLFSSL_ERROR_WANT_X509_LOOKUP) {
827 while ((e = wolfSSL_ERR_get_error()))
830 ssl_function_definition(e));
836 if (where == SSL_CB_HANDSHAKE_START) {
840 memcpy(&rw_ssl, &ssl,
sizeof(rw_ssl));
841 if (wolfSSL_is_init_finished(rw_ssl))
854coap_sock_read(WOLFSSL *ssl,
char *out,
int outl,
void *ctx) {
855 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)ctx;
860 if (w_env && !w_env->done_psk_check && w_env->ssl &&
862 if (wolfSSL_SSL_in_init(w_env->ssl)) {
863 const char *name = wolfSSL_get_cipher_name(w_env->ssl);
868 if (strstr(name,
"PSK")) {
869 wolfSSL_set_verify(w_env->ssl, WOLFSSL_VERIFY_NONE, tls_verify_call_back);
870 w_env->done_psk_check = 1;
875 if (session && out !=
NULL) {
892coap_sock_write(WOLFSSL *ssl,
char *in,
int inl,
void *ctx) {
893 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)ctx;
913 (errno == EPIPE || errno == ECONNRESET)) {
934coap_set_user_prefs(WOLFSSL_CTX *ctx) {
937#ifdef COAP_WOLFSSL_SIGALGS
938 wolfSSL_CTX_set1_sigalgs_list(ctx, COAP_WOLFSSL_SIGALGS);
940#ifdef COAP_WOLFSSL_GROUPS
942 ret = wolfSSL_CTX_set1_groups_list(ctx,
943 (
char *) COAP_WOLFSSL_GROUPS);
944 if (ret != WOLFSSL_SUCCESS) {
952setup_dtls_context(coap_wolfssl_context_t *w_context) {
953 if (!w_context->dtls.ctx) {
954 uint8_t cookie_secret[32];
957 w_context->dtls.ctx = wolfSSL_CTX_new(wolfDTLS_method());
958 if (!w_context->dtls.ctx)
960 wolfSSL_CTX_set_min_proto_version(w_context->dtls.ctx,
962 wolfSSL_CTX_set_ex_data(w_context->dtls.ctx, 0, &w_context->dtls);
963 coap_set_user_prefs(w_context->dtls.ctx);
964 memset(cookie_secret, 0,
sizeof(cookie_secret));
965 if (!wolfSSL_RAND_bytes(cookie_secret, (
int)
sizeof(cookie_secret))) {
967 "Insufficient entropy for random cookie generation");
970 w_context->dtls.cookie_hmac = wolfSSL_HMAC_CTX_new();
971 if (!wolfSSL_HMAC_Init_ex(w_context->dtls.cookie_hmac, cookie_secret, (
int)
sizeof(cookie_secret),
972 wolfSSL_EVP_sha256(),
NULL))
975 wolfSSL_CTX_set_info_callback(w_context->dtls.ctx, coap_dtls_info_callback);
976 wolfSSL_CTX_set_options(w_context->dtls.ctx, SSL_OP_NO_QUERY_MTU);
977 wolfSSL_SetIORecv(w_context->dtls.ctx, coap_dgram_read);
978 wolfSSL_SetIOSend(w_context->dtls.ctx, coap_dgram_write);
979#ifdef WOLFSSL_DTLS_MTU
982#ifdef WOLFSSL_SYS_CA_CERTS
983 if (w_context->trust_store_defined) {
984 if (!wolfSSL_CTX_load_system_CA_certs(w_context->dtls.ctx)) {
990 if (w_context->root_ca_file || w_context->root_ca_dir) {
991 if (!wolfSSL_CTX_load_verify_locations_ex(w_context->dtls.ctx,
992 w_context->root_ca_file,
993 w_context->root_ca_dir,
994 w_context->setup_data.allow_expired_certs ?
995 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
997 w_context->root_ca_file ? w_context->root_ca_file :
"NULL",
998 w_context->root_ca_dir ? w_context->root_ca_dir :
"NULL");
1003 if (w_context->setup_data.verify_peer_cert)
1004 wolfSSL_CTX_set_verify(w_context->dtls.ctx,
1005 WOLFSSL_VERIFY_PEER |
1006 WOLFSSL_VERIFY_CLIENT_ONCE |
1007 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1008 tls_verify_call_back);
1010 wolfSSL_CTX_set_verify(w_context->dtls.ctx, WOLFSSL_VERIFY_NONE, tls_verify_call_back);
1019#if !COAP_DISABLE_TCP
1023setup_tls_context(coap_wolfssl_context_t *w_context) {
1024 if (!w_context->tls.ctx) {
1026 w_context->tls.ctx = wolfSSL_CTX_new(wolfSSLv23_method());
1027 if (!w_context->tls.ctx)
1029 wolfSSL_CTX_set_ex_data(w_context->tls.ctx, 0, &w_context->tls);
1030 wolfSSL_CTX_set_min_proto_version(w_context->tls.ctx, TLS1_VERSION);
1031 coap_set_user_prefs(w_context->tls.ctx);
1032 wolfSSL_CTX_set_info_callback(w_context->tls.ctx, coap_dtls_info_callback);
1033 wolfSSL_SetIORecv(w_context->tls.ctx, coap_sock_read);
1034 wolfSSL_SetIOSend(w_context->tls.ctx, coap_sock_write);
1035#if COAP_CLIENT_SUPPORT
1036 if (w_context->psk_pki_enabled & IS_PSK) {
1038 wolfSSL_CTX_set_psk_client_tls13_callback(w_context->tls.ctx,
1039 coap_tls_psk_client_cs_callback);
1041 wolfSSL_CTX_set_psk_client_cs_callback(w_context->tls.ctx,
1042 coap_dtls_psk_client_cs_callback);
1046 if (w_context->root_ca_file || w_context->root_ca_dir) {
1047 if (!wolfSSL_CTX_load_verify_locations_ex(w_context->tls.ctx,
1048 w_context->root_ca_file,
1049 w_context->root_ca_dir,
1050 w_context->setup_data.allow_expired_certs ?
1051 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
1053 w_context->root_ca_file ? w_context->root_ca_file :
"NULL",
1054 w_context->root_ca_dir ? w_context->root_ca_dir :
"NULL");
1059#ifdef WOLFSSL_SYS_CA_CERTS
1060 if (w_context->trust_store_defined) {
1061 if (!wolfSSL_CTX_load_system_CA_certs(w_context->tls.ctx)) {
1067 if (w_context->setup_data.verify_peer_cert)
1068 wolfSSL_CTX_set_verify(w_context->tls.ctx,
1069 WOLFSSL_VERIFY_PEER |
1070 WOLFSSL_VERIFY_CLIENT_ONCE |
1071 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1072 tls_verify_call_back);
1074 wolfSSL_CTX_set_verify(w_context->tls.ctx, WOLFSSL_VERIFY_NONE, tls_verify_call_back);
1086 coap_wolfssl_context_t *w_context;
1089 w_context = (coap_wolfssl_context_t *)wolfssl_malloc(
sizeof(coap_wolfssl_context_t));
1091 memset(w_context, 0,
sizeof(coap_wolfssl_context_t));
1097#if COAP_SERVER_SUPPORT
1102 coap_wolfssl_context_t *w_context =
1105 if (!setup_data || !w_context)
1108 if (!setup_dtls_context(w_context))
1110#if !COAP_DISABLE_TCP
1111 if (!setup_tls_context(w_context))
1115 wolfSSL_CTX_set_psk_server_callback(w_context->dtls.ctx,
1116 coap_dtls_psk_server_callback);
1118#if !COAP_DISABLE_TCP
1119 wolfSSL_CTX_set_psk_server_callback(w_context->tls.ctx,
1120 coap_dtls_psk_server_callback);
1126 wolfSSL_CTX_use_psk_identity_hint(w_context->dtls.ctx, hint);
1127 wolfSSL_CTX_set_max_proto_version(w_context->dtls.ctx,
1129#if !COAP_DISABLE_TCP
1130 wolfSSL_CTX_use_psk_identity_hint(w_context->tls.ctx, hint);
1131 wolfSSL_CTX_set_max_proto_version(w_context->tls.ctx,
1136 wolfSSL_CTX_set_servername_arg(w_context->dtls.ctx,
1137 &c_context->spsk_setup_data);
1138 wolfSSL_CTX_set_tlsext_servername_callback(w_context->dtls.ctx,
1139 psk_tls_server_name_call_back);
1140#if !COAP_DISABLE_TCP
1141 wolfSSL_CTX_set_servername_arg(w_context->tls.ctx,
1142 &c_context->spsk_setup_data);
1143 wolfSSL_CTX_set_tlsext_servername_callback(w_context->tls.ctx,
1144 psk_tls_server_name_call_back);
1150 w_context->psk_pki_enabled |= IS_PSK;
1155#if COAP_CLIENT_SUPPORT
1160 coap_wolfssl_context_t *w_context =
1163 if (!setup_data || !w_context)
1170#if ! defined(WOLFSSL_DTLS_CID)
1174 w_context->psk_pki_enabled |= IS_PSK;
1179#if !COAP_DISABLE_TCP
1180static uint8_t coap_alpn[] = { 4,
'c',
'o',
'a',
'p' };
1182#if COAP_SERVER_SUPPORT
1185 const unsigned char **out,
1186 unsigned char *outlen,
1187 const unsigned char *in,
1191 unsigned char *tout =
NULL;
1194 return SSL_TLSEXT_ERR_NOACK;
1195 ret = wolfSSL_select_next_proto(&tout,
1202 return (ret != OPENSSL_NPN_NEGOTIATED) ? noack_return : WOLFSSL_TLSEXT_ERR_OK;
1208setup_pki_ssl(WOLFSSL *ssl,
1211 WOLFSSL_CTX *ctx = wolfSSL_get_SSL_CTX(ssl);
1225 if (!(wolfSSL_use_PrivateKey_file(ssl,
1227 WOLFSSL_FILETYPE_PEM))) {
1234 if (!(wolfSSL_use_PrivateKey_buffer(ssl,
1237 WOLFSSL_FILETYPE_PEM))) {
1244#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
1245 if (!(wolfSSL_use_PrivateKey_buffer(ssl,
1248 WOLFSSL_FILETYPE_PEM))) {
1260 if (!(wolfSSL_use_PrivateKey_file(ssl,
1262 WOLFSSL_FILETYPE_ASN1))) {
1269 if (!(wolfSSL_use_PrivateKey_buffer(ssl,
1272 WOLFSSL_FILETYPE_ASN1))) {
1301 if (!(wolfSSL_use_certificate_chain_file(ssl,
1309 if (!(wolfSSL_use_certificate_chain_buffer(ssl,
1318#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
1320 unsigned char der_buff[512];
1322 char ctype[] = {WOLFSSL_CERT_TYPE_RPK};
1323 char stype[] = {WOLFSSL_CERT_TYPE_RPK};
1325 wolfSSL_set_client_cert_type(ssl, ctype,
sizeof(ctype)/
sizeof(ctype[0]));
1326 wolfSSL_set_server_cert_type(ssl, stype,
sizeof(stype)/
sizeof(stype[0]));
1330 der_buff, (
int)
sizeof(der_buff));
1334 der_buff, (
int)
sizeof(der_buff),
NULL);
1343 if (!wolfSSL_use_PrivateKey_buffer(ssl, der_buff, ret, WOLFSSL_FILETYPE_ASN1)) {
1348 if (!wolfSSL_use_certificate_buffer(ssl, spki->
s, spki->
length, WOLFSSL_FILETYPE_ASN1)) {
1363 if (!wolfSSL_use_certificate_buffer(ssl, der_buff, ret, WOLFSSL_FILETYPE_ASN1)) {
1376 if (!(wolfSSL_use_certificate_file(ssl,
1378 WOLFSSL_FILETYPE_ASN1))) {
1385 if (!(wolfSSL_use_certificate_buffer(ssl,
1388 WOLFSSL_FILETYPE_ASN1))) {
1409#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
1411 char stype[] = {WOLFSSL_CERT_TYPE_X509, WOLFSSL_CERT_TYPE_RPK};
1412 wolfSSL_set_server_cert_type(ssl, stype,
sizeof(stype)/
sizeof(stype[0]));
1423 if (!wolfSSL_CTX_load_verify_locations_ex(ctx,
1427 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
1434 if (!wolfSSL_CTX_load_verify_buffer_ex(ctx,
1440 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
1450 if (!wolfSSL_CTX_load_verify_locations_ex(ctx,
1454 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
1461 if (!wolfSSL_CTX_load_verify_buffer_ex(ctx,
1467 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY : 0)) {
1486get_san_or_cn_from_cert(WOLFSSL_X509 *x509) {
1490 WOLF_STACK_OF(WOLFSSL_GENERAL_NAME) *san_list;
1494 san_list = wolfSSL_X509_get_ext_d2i(x509, NID_subject_alt_name,
NULL,
NULL);
1496 int san_count = wolfSSL_sk_GENERAL_NAME_num(san_list);
1498 for (n = 0; n < san_count; n++) {
1499 const WOLFSSL_GENERAL_NAME *name = wolfSSL_sk_GENERAL_NAME_value(san_list, n);
1501 if (name && name->type == GEN_DNS) {
1502 const char *dns_name = (
const char *)wolfSSL_ASN1_STRING_get0_data(name->d.dNSName);
1505 if (wolfSSL_ASN1_STRING_length(name->d.dNSName) != (
int)strlen(dns_name))
1507 cn = wolfssl_strdup(dns_name);
1508 wolfSSL_sk_GENERAL_NAME_pop_free(san_list, wolfSSL_GENERAL_NAME_free);
1512 wolfSSL_sk_GENERAL_NAME_pop_free(san_list, wolfSSL_GENERAL_NAME_free);
1515 wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name((WOLFSSL_X509 *)(x509)), buffer,
1519 n = (int)strlen(buffer) - 3;
1522 if (((cn[0] ==
'C') || (cn[0] ==
'c')) &&
1523 ((cn[1] ==
'N') || (cn[1] ==
'n')) &&
1532 char *ecn = strchr(cn,
'/');
1534 return wolfssl_strndup(cn, ecn-cn);
1536 return wolfssl_strdup(cn);
1544tls_verify_call_back(
int preverify_ok, WOLFSSL_X509_STORE_CTX *ctx) {
1545 int index = wolfSSL_get_ex_data_X509_STORE_CTX_idx();
1546 WOLFSSL *ssl = index >= 0 ? wolfSSL_X509_STORE_CTX_get_ex_data(ctx, index) :
NULL;
1548 coap_wolfssl_context_t *w_context = (session && session->
context) ?
1551 int depth = wolfSSL_X509_STORE_CTX_get_error_depth(ctx);
1552 int err = wolfSSL_X509_STORE_CTX_get_error(ctx);
1553 WOLFSSL_X509 *x509 = wolfSSL_X509_STORE_CTX_get_current_cert(ctx);
1557 wolfSSL_X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNSPECIFIED);
1562 cn = wolfssl_strdup(
"RPK");
1564 cn = x509 ? get_san_or_cn_from_cert(x509) :
NULL;
1567 depth, err, preverify_ok, cn ? cn :
"");
1571 X509_STORE_CTX_set_error(ctx, X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
1572 err = X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
1574 if (!preverify_ok) {
1576 case X509_V_ERR_CERT_NOT_YET_VALID:
1577 case X509_V_ERR_CERT_HAS_EXPIRED:
1578 case ASN_NO_SIGNER_E:
1579 case ASN_AFTER_DATE_E:
1583 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1587 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
1591 case X509_V_ERR_UNABLE_TO_GET_CRL:
1595 case X509_V_ERR_CRL_NOT_YET_VALID:
1596 case X509_V_ERR_CRL_HAS_EXPIRED:
1600 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
1601 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
1602 case X509_V_ERR_AKID_SKID_MISMATCH:
1606 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
1616 err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1617 wolfSSL_X509_STORE_CTX_set_error(ctx, err);
1619 if (!preverify_ok) {
1620 if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
1623 "Unknown CA", cn ? cn :
"?", depth);
1627 wolfSSL_X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
1632 wolfSSL_X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
1637 int length = wolfSSL_i2d_X509(x509,
NULL);
1641 uint8_t *base_buf2 = base_buf = wolfssl_malloc(length);
1646 wolfSSL_i2d_X509(x509, &base_buf2);
1649 depth, preverify_ok,
1653 wolfSSL_X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
1655 wolfSSL_X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA);
1659 wolfssl_free(base_buf);
1661 wolfSSL_X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNSPECIFIED);
1667 return preverify_ok;
1670#if COAP_SERVER_SUPPORT
1681tls_server_name_call_back(WOLFSSL *ssl,
1686 coap_wolfssl_context_t *w_context = (session && session->
context) ?
1690 return noack_return;
1695 const char *sni = wolfSSL_get_servername(ssl, WOLFSSL_SNI_HOST_NAME);
1699 if (!sni || !sni[0]) {
1706 return fatal_return;
1708 sni_setup_data = *setup_data;
1709 sni_setup_data.
pki_key = *new_entry;
1713 if (w_context->psk_pki_enabled & IS_PSK) {
1714 wolfSSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
1716 return SSL_TLSEXT_ERR_OK;
1727psk_tls_server_name_call_back(WOLFSSL *ssl,
1733 coap_wolfssl_context_t *w_context = (c_session && c_session->
context) ?
1737 return noack_return;
1742 const char *sni = wolfSSL_get_servername(ssl, WOLFSSL_SNI_HOST_NAME);
1746 if (!sni || !sni[0]) {
1755 snprintf(lhint,
sizeof(lhint),
"%.*s",
1758 wolfSSL_use_psk_identity_hint(ssl, lhint);
1762 if (w_context->psk_pki_enabled & IS_PSK) {
1763 wolfSSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
1765 return SSL_TLSEXT_ERR_OK;
1773 coap_wolfssl_context_t *w_context =
1779 w_context->setup_data = *setup_data;
1780 if (!w_context->setup_data.verify_peer_cert) {
1782 w_context->setup_data.check_common_ca = 0;
1783 if (w_context->setup_data.is_rpk_not_cert) {
1785 w_context->setup_data.allow_self_signed = 0;
1786 w_context->setup_data.allow_expired_certs = 0;
1787 w_context->setup_data.cert_chain_validation = 0;
1788 w_context->setup_data.cert_chain_verify_depth = 0;
1789 w_context->setup_data.check_cert_revocation = 0;
1790 w_context->setup_data.allow_no_crl = 0;
1791 w_context->setup_data.allow_expired_crl = 0;
1792 w_context->setup_data.allow_bad_md_hash = 0;
1793 w_context->setup_data.allow_short_rsa_length = 0;
1796 w_context->setup_data.allow_self_signed = 1;
1797 w_context->setup_data.allow_expired_certs = 1;
1798 w_context->setup_data.cert_chain_validation = 1;
1799 w_context->setup_data.cert_chain_verify_depth = 10;
1800 w_context->setup_data.check_cert_revocation = 1;
1801 w_context->setup_data.allow_no_crl = 1;
1802 w_context->setup_data.allow_expired_crl = 1;
1803 w_context->setup_data.allow_bad_md_hash = 1;
1804 w_context->setup_data.allow_short_rsa_length = 1;
1807#if COAP_SERVER_SUPPORT
1809 if (!setup_dtls_context(w_context))
1811 if (w_context->dtls.ctx) {
1812#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
1813 char ctype[] = {WOLFSSL_CERT_TYPE_RPK};
1814 char stype[] = {WOLFSSL_CERT_TYPE_RPK};
1817 wolfSSL_CTX_set_servername_arg(w_context->dtls.ctx,
1818 &w_context->setup_data);
1819 wolfSSL_CTX_set_tlsext_servername_callback(w_context->dtls.ctx,
1820 tls_server_name_call_back);
1822#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
1823 if (w_context->setup_data.is_rpk_not_cert) {
1824 wolfSSL_CTX_set_client_cert_type(w_context->dtls.ctx, ctype,
sizeof(ctype)/
sizeof(ctype[0]));
1825 wolfSSL_CTX_set_server_cert_type(w_context->dtls.ctx, stype,
sizeof(stype)/
sizeof(stype[0]));
1829#if !COAP_DISABLE_TCP
1830 if (!setup_tls_context(w_context))
1832 if (w_context->tls.ctx) {
1833 wolfSSL_CTX_set_servername_arg(w_context->tls.ctx,
1834 &w_context->setup_data);
1835 wolfSSL_CTX_set_tlsext_servername_callback(w_context->tls.ctx,
1836 tls_server_name_call_back);
1839 wolfSSL_CTX_set_alpn_select_cb(w_context->tls.ctx,
1840 server_alpn_callback,
NULL);
1844 if (w_context->setup_data.check_cert_revocation) {
1845 WOLFSSL_X509_VERIFY_PARAM *param;
1847 param = wolfSSL_X509_VERIFY_PARAM_new();
1848 wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECK);
1849 wolfSSL_CTX_set1_param(w_context->dtls.ctx, param);
1850#if !COAP_DISABLE_TCP
1851 wolfSSL_CTX_set1_param(w_context->tls.ctx, param);
1853 wolfSSL_X509_VERIFY_PARAM_free(param);
1856 if (w_context->setup_data.verify_peer_cert) {
1857 wolfSSL_CTX_set_verify(w_context->dtls.ctx,
1858 WOLFSSL_VERIFY_PEER |
1859 WOLFSSL_VERIFY_CLIENT_ONCE |
1860 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1861 tls_verify_call_back);
1862#if !COAP_DISABLE_TCP
1863 wolfSSL_CTX_set_verify(w_context->tls.ctx,
1864 WOLFSSL_VERIFY_PEER |
1865 WOLFSSL_VERIFY_CLIENT_ONCE |
1866 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1867 tls_verify_call_back);
1870 wolfSSL_CTX_set_verify(w_context->dtls.ctx,
1871 WOLFSSL_VERIFY_NONE, tls_verify_call_back);
1872#if !COAP_DISABLE_TCP
1873 wolfSSL_CTX_set_verify(w_context->tls.ctx,
1874 WOLFSSL_VERIFY_NONE, tls_verify_call_back);
1879 if (w_context->setup_data.cert_chain_validation) {
1880 wolfSSL_CTX_set_verify_depth(w_context->dtls.ctx,
1882#if !COAP_DISABLE_TCP
1883 wolfSSL_CTX_set_verify_depth(w_context->tls.ctx,
1892 w_context->psk_pki_enabled |= IS_PKI;
1894#if ! defined(WOLFSSL_DTLS_CID)
1903 const char *ca_file,
1904 const char *ca_dir) {
1905 coap_wolfssl_context_t *w_context =
1909 coap_log_warn(
"coap_context_set_pki_root_cas: (D)TLS environment "
1913 if (ca_file ==
NULL && ca_dir ==
NULL) {
1914 coap_log_warn(
"coap_context_set_pki_root_cas: ca_file and/or ca_dir "
1918 if (w_context->root_ca_file) {
1919 wolfssl_free(w_context->root_ca_file);
1920 w_context->root_ca_file =
NULL;
1923 w_context->root_ca_file = wolfssl_strdup(ca_file);
1925 if (w_context->root_ca_dir) {
1926 wolfssl_free(w_context->root_ca_dir);
1927 w_context->root_ca_dir =
NULL;
1930 w_context->root_ca_dir = wolfssl_strdup(ca_dir);
1937 coap_wolfssl_context_t *w_context =
1941 coap_log_warn(
"coap_context_set_pki_trust_store: (D)TLS environment "
1945#ifdef WOLFSSL_SYS_CA_CERTS
1946 w_context->trust_store_defined = 1;
1949 coap_log_warn(
"coap_context_set_pki_trust_store: (D)TLS environment "
1950 "not supported for wolfSSL < v5.5.2 or –enable-sys-ca-certs not defined\n");
1957 coap_wolfssl_context_t *w_context =
1959 return w_context->psk_pki_enabled ? 1 : 0;
1964 coap_wolfssl_context_t *w_context = (coap_wolfssl_context_t *)handle;
1968 wolfssl_free(w_context->root_ca_file);
1969 wolfssl_free(w_context->root_ca_dir);
1971 if (w_context->dtls.ctx)
1972 wolfSSL_CTX_free(w_context->dtls.ctx);
1973 if (w_context->dtls.cookie_hmac)
1974 wolfSSL_HMAC_CTX_free(w_context->dtls.cookie_hmac);
1976#if !COAP_DISABLE_TCP
1977 if (w_context->tls.ctx)
1978 wolfSSL_CTX_free(w_context->tls.ctx);
1980 wolfssl_free(w_context);
1983#if COAP_SERVER_SUPPORT
1986 coap_wolfssl_context_t *w_context = session && session->
context ?
1988 coap_dtls_context_t *dtls;
1989 WOLFSSL *ssl =
NULL;
1992 coap_wolfssl_env_t *w_env = session ? (coap_wolfssl_env_t *)session->
tls :
NULL;
1995 if (!w_env || !w_context)
1998 if (!setup_dtls_context(w_context))
2000 dtls = &w_context->dtls;
2002 ssl = wolfSSL_new(dtls->ctx);
2006 wolfSSL_set_app_data(ssl,
NULL);
2007 wolfSSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
2008#ifdef WOLFSSL_DTLS_MTU
2009 wolfSSL_dtls_set_mtu(ssl, (
long)session->
mtu);
2012 wolfSSL_SetIOWriteCtx(ssl, w_env);
2013 wolfSSL_SetIOReadCtx(ssl, w_env);
2014 wolfSSL_set_app_data(ssl, session);
2015 w_env->data.session = session;
2017#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
2018 if (wolfSSL_send_hrr_cookie(ssl,
NULL, 0) != WOLFSSL_SUCCESS)
2019 coap_log_debug(
"Error: Unable to set cookie with Hello Retry Request\n");
2022#ifdef HAVE_SERVER_RENEGOTIATION_INFO
2023 if (wolfSSL_UseSecureRenegotiation(ssl) != WOLFSSL_SUCCESS) {
2024 coap_log_debug(
"Error: wolfSSL_UseSecureRenegotiation failed\n");
2028 if (w_context->psk_pki_enabled & IS_PSK) {
2032 char *hint = wolfssl_malloc(psk_hint->
length + 1);
2035 memcpy(hint, psk_hint->
s, psk_hint->
length);
2036 hint[psk_hint->
length] =
'\000';
2037 wolfSSL_use_psk_identity_hint(ssl, hint);
2044 if (w_context->psk_pki_enabled & IS_PKI) {
2049#if defined(WOLFSSL_DTLS_CH_FRAG) && defined(WOLFSSL_DTLS13)
2050 if (wolfSSL_dtls13_allow_ch_frag(ssl, 1) != WOLFSSL_SUCCESS) {
2055#if defined(WOLFSSL_DTLS_CID) && defined(WOLFSSL_DTLS13)
2057#if COAP_DTLS_CID_LENGTH > DTLS_CID_MAX_SIZE
2058#bad COAP_DTLS_CID_LENGTH > DTLS_CID_MAX_SIZE
2061 if (wolfSSL_dtls_cid_use(ssl) != WOLFSSL_SUCCESS)
2068 if (wolfSSL_dtls_cid_set(ssl, cid,
sizeof(cid)) != WOLFSSL_SUCCESS)
2074 w_env->last_timeout = now;
2077 r = wolfSSL_accept(ssl);
2079 int err = wolfSSL_get_error(ssl, r);
2080 if (err != WOLFSSL_ERROR_WANT_READ && err != WOLFSSL_ERROR_WANT_WRITE)
2093 coap_dtls_free_wolfssl_env(w_env);
2099#if COAP_CLIENT_SUPPORT
2102 coap_wolfssl_context_t *w_context =
2105 if (w_context->psk_pki_enabled & IS_PSK) {
2110 wolfSSL_set_max_proto_version(ssl,
2113#if !COAP_DISABLE_TCP
2115 wolfSSL_set_max_proto_version(ssl,
2117 wolfSSL_set_options(ssl, WOLFSSL_OP_NO_TLSv1_3);
2120 coap_log_debug(
"CoAP Client restricted to (D)TLS1.2 with Identity Hint callback\n");
2123 set_ciphersuites(ssl, COAP_ENC_PSK);
2128 wolfSSL_set_tlsext_host_name(ssl, setup_data->
client_sni) != 1) {
2129 coap_log_warn(
"wolfSSL_set_tlsext_host_name: set '%s' failed",
2132 wolfSSL_set_psk_client_callback(ssl, coap_dtls_psk_client_callback);
2134#if defined(WOLFSSL_DTLS_CID) && defined(WOLFSSL_DTLS13)
2136 if (wolfSSL_dtls_cid_use(ssl) != WOLFSSL_SUCCESS)
2141 if (wolfSSL_dtls_cid_set(ssl,
NULL, 0) != WOLFSSL_SUCCESS)
2146 if ((w_context->psk_pki_enabled & IS_PKI) ||
2147 (w_context->psk_pki_enabled & (IS_PSK | IS_PKI)) == 0) {
2154 if (!(w_context->psk_pki_enabled & IS_PKI)) {
2168 set_ciphersuites(ssl, COAP_ENC_PKI);
2172#if !COAP_DISABLE_TCP
2174 wolfSSL_set_alpn_protos(ssl, coap_alpn,
sizeof(coap_alpn));
2179 wolfSSL_set_tlsext_host_name(ssl, setup_data->
client_sni) != 1) {
2180 coap_log_warn(
"wolfSSL_set_tlsext_host_name: set '%s' failed",
2185 WOLFSSL_X509_VERIFY_PARAM *param;
2187 param = wolfSSL_X509_VERIFY_PARAM_new();
2188 wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECK);
2189 WOLFSSL_CTX *ctx = wolfSSL_get_SSL_CTX(ssl);
2191 wolfSSL_CTX_set1_param(ctx, param);
2192 wolfSSL_X509_VERIFY_PARAM_free(param);
2196 wolfSSL_set_verify(ssl,
2197 WOLFSSL_VERIFY_PEER |
2198 WOLFSSL_VERIFY_CLIENT_ONCE |
2199 WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2200 tls_verify_call_back);
2202 wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_NONE, tls_verify_call_back);
2208#if defined(WOLFSSL_DTLS_CID) && defined(WOLFSSL_DTLS13)
2210 if (wolfSSL_dtls_cid_use(ssl) != WOLFSSL_SUCCESS)
2215 if (wolfSSL_dtls_cid_set(ssl,
NULL, 0) != WOLFSSL_SUCCESS)
2226 WOLFSSL *ssl =
NULL;
2228 coap_wolfssl_context_t *w_context = session && session->
context ?
2230 coap_dtls_context_t *dtls;
2231 coap_wolfssl_env_t *w_env = session ?
2235 if (!w_env || !w_context)
2238 if (!setup_dtls_context(w_context))
2240 dtls = &w_context->dtls;
2242 ssl = wolfSSL_new(dtls->ctx);
2247 w_env->data.session = session;
2248 wolfSSL_set_app_data(ssl, session);
2249 wolfSSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
2250 wolfSSL_SetIOWriteCtx(ssl, w_env);
2251 wolfSSL_SetIOReadCtx(ssl, w_env);
2252#ifdef WOLFSSL_DTLS_MTU
2253 wolfSSL_dtls_set_mtu(ssl, (
long)session->
mtu);
2256 if (!setup_client_ssl_session(session, ssl))
2258#ifdef HAVE_SERVER_RENEGOTIATION_INFO
2259 if (wolfSSL_UseSecureRenegotiation(ssl) != WOLFSSL_SUCCESS) {
2260 coap_log_debug(
"Error: wolfSSL_UseSecureRenegotiation failed\n");
2266#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
2267 wolfSSL_NoKeyShares(ssl);
2269 r = wolfSSL_connect(ssl);
2271 int ret = wolfSSL_get_error(ssl, r);
2272 if (ret != WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_ERROR_WANT_WRITE)
2280 w_env->last_timeout = now;
2287 coap_dtls_free_wolfssl_env(w_env);
2294#ifdef WOLFSSL_DTLS_MTU
2295 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2296 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2299 wolfSSL_dtls_set_mtu(ssl, (
long)session->
mtu);
2308 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2309 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2312 if (!wolfSSL_SSL_in_init(ssl) && !(wolfSSL_get_shutdown(ssl) & WOLFSSL_SENT_SHUTDOWN)) {
2313 int r = wolfSSL_shutdown(ssl);
2315 wolfSSL_shutdown(ssl);
2322 coap_dtls_free_wolfssl_env(w_env);
2328 const uint8_t *data,
size_t data_len) {
2329 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2330 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2341 r = wolfSSL_write(ssl, data, (
int)data_len);
2344 int err = wolfSSL_get_error(ssl, r);
2345 if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) {
2349 if (err == WOLFSSL_ERROR_ZERO_RETURN)
2351 else if (err == WOLFSSL_ERROR_SSL)
2381 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2382 unsigned int scalar;
2389 scalar = 1 << w_env->retry_scalar;
2403 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2404 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2407 w_env->retry_scalar++;
2413 wolfSSL_dtls_got_timeout(ssl);
2417#if COAP_SERVER_SUPPORT
2421 const uint8_t *data,
size_t data_len) {
2422 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2423 coap_ssl_data_t *ssl_data;
2428 session->
tls = w_env;
2435 ssl_data = w_env ? &w_env->data :
NULL;
2436 assert(ssl_data !=
NULL);
2441 if (ssl_data->pdu_len) {
2442 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2446 ssl_data->session = session;
2447 ssl_data->pdu = data;
2448 ssl_data->pdu_len = (unsigned)data_len;
2457 coap_ssl_data_t *ssl_data;
2458 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2459 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2461 int in_init = wolfSSL_SSL_in_init(ssl);
2464 assert(ssl !=
NULL);
2466 ssl_data = &w_env->data;
2468 if (ssl_data->pdu_len) {
2469 coap_log_err(
"** %s: Previous data not read %u bytes\n",
2472 ssl_data->pdu = data;
2473 ssl_data->pdu_len = (unsigned)data_len;
2476 r = wolfSSL_read(ssl, pdu, (
int)
sizeof(pdu));
2483 int err = wolfSSL_get_error(ssl, r);
2484 if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) {
2485 if (in_init && wolfSSL_is_init_finished(ssl)) {
2488#if defined(WOLFSSL_DTLS_CID) && defined(WOLFSSL_DTLS13) && COAP_CLIENT_SUPPORT
2491 if (wolfSSL_dtls_cid_is_enabled(ssl)) {
2492 session->negotiated_cid = 1;
2495 session->negotiated_cid = 0;
2499 if (!strcmp(wolfSSL_get_version(ssl),
"DTLSv1.3")) {
2508 }
else if (err == APP_DATA_READY) {
2509 r = wolfSSL_read(ssl, pdu, (
int)
sizeof(pdu));
2517 if (err == WOLFSSL_ERROR_ZERO_RETURN) {
2522 if (err == FATAL_ERROR) {
2523 WOLFSSL_ALERT_HISTORY h;
2525 if (wolfSSL_get_alert_history(ssl, &h) == WOLFSSL_SUCCESS) {
2526 if (h.last_rx.code != close_notify && h.last_rx.code != -1) {
2529 wolfSSL_alert_desc_string_long(h.last_rx.code));
2548 if (ssl_data && ssl_data->pdu_len) {
2550 coap_log_debug(
"coap_dtls_receive: ret %d: remaining data %u\n", r, ssl_data->pdu_len);
2551 ssl_data->pdu_len = 0;
2552 ssl_data->pdu =
NULL;
2559 unsigned int overhead = 37;
2560 const WOLFSSL_CIPHER *s_ciph =
NULL;
2561 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2562 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2565 s_ciph = wolfSSL_get_current_cipher(ssl);
2567 unsigned int ivlen, maclen, blocksize = 1, pad = 0;
2569 const WOLFSSL_EVP_CIPHER *e_ciph;
2570 const WOLFSSL_EVP_MD *e_md;
2573 e_ciph = wolfSSL_EVP_get_cipherbynid(wolfSSL_CIPHER_get_cipher_nid(s_ciph));
2575 switch (WOLFSSL_EVP_CIPHER_mode(e_ciph)) {
2577 case WOLFSSL_EVP_CIPH_GCM_MODE:
2578#ifndef WOLFSSL_EVP_GCM_TLS_EXPLICIT_IV_LEN
2579#define WOLFSSL_EVP_GCM_TLS_EXPLICIT_IV_LEN 8
2581#ifndef WOLFSSL_EVP_GCM_TLS_TAG_LEN
2582#define WOLFSSL_EVP_GCM_TLS_TAG_LEN 16
2584 ivlen = WOLFSSL_EVP_GCM_TLS_EXPLICIT_IV_LEN;
2585 maclen = WOLFSSL_EVP_GCM_TLS_TAG_LEN;
2588 case WOLFSSL_EVP_CIPH_CCM_MODE:
2589#ifndef WOLFSSL_EVP_CCM_TLS_EXPLICIT_IV_LEN
2590#define WOLFSSL_EVP_CCM_TLS_EXPLICIT_IV_LEN 8
2592 ivlen = WOLFSSL_EVP_CCM_TLS_EXPLICIT_IV_LEN;
2593 wolfSSL_CIPHER_description(s_ciph, cipher,
sizeof(cipher));
2594 if (strstr(cipher,
"CCM8"))
2600 case WOLFSSL_EVP_CIPH_CBC_MODE:
2601 e_md = wolfSSL_EVP_get_digestbynid(wolfSSL_CIPHER_get_digest_nid(s_ciph));
2602 blocksize = wolfSSL_EVP_CIPHER_block_size(e_ciph);
2603 ivlen = wolfSSL_EVP_CIPHER_iv_length(e_ciph);
2605 maclen = wolfSSL_EVP_MD_size(e_md);
2608 case WOLFSSL_EVP_CIPH_STREAM_CIPHER:
2615 wolfSSL_CIPHER_description(s_ciph, cipher,
sizeof(cipher));
2622#ifndef WOLFSSL_DTLS13_RT_HEADER_LENGTH
2623#define WOLFSSL_DTLS13_RT_HEADER_LENGTH 13
2625 overhead = WOLFSSL_DTLS13_RT_HEADER_LENGTH + ivlen + maclen + blocksize - 1 +
2631#if !COAP_DISABLE_TCP
2632#if COAP_CLIENT_SUPPORT
2635 WOLFSSL *ssl =
NULL;
2637 coap_wolfssl_context_t *w_context =
2639 coap_tls_context_t *tls;
2640 coap_wolfssl_env_t *w_env =
2644 if (!w_env || !w_context)
2647 if (!setup_tls_context(w_context))
2649 tls = &w_context->tls;
2651 ssl = wolfSSL_new(tls->ctx);
2654 wolfSSL_SetIOWriteCtx(ssl, w_env);
2655 wolfSSL_SetIOReadCtx(ssl, w_env);
2656 wolfSSL_set_app_data(ssl, session);
2657 w_env->data.session = session;
2659 if (!setup_client_ssl_session(session, ssl))
2662 session->
tls = w_env;
2664 r = wolfSSL_connect(ssl);
2666 int ret = wolfSSL_get_error(ssl, r);
2667 if (ret != WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_ERROR_WANT_WRITE)
2669 if (ret == WOLFSSL_ERROR_WANT_READ)
2671 if (ret == WOLFSSL_ERROR_WANT_WRITE) {
2673#ifdef COAP_EPOLL_SUPPORT
2687 w_env->last_timeout = now;
2688 if (wolfSSL_is_init_finished(ssl)) {
2696 coap_dtls_free_wolfssl_env(w_env);
2703#if COAP_SERVER_SUPPORT
2706 WOLFSSL *ssl =
NULL;
2707 coap_wolfssl_context_t *w_context =
2709 coap_tls_context_t *tls;
2712 coap_wolfssl_env_t *w_env =
2719 if (!setup_tls_context(w_context))
2721 tls = &w_context->tls;
2723 ssl = wolfSSL_new(tls->ctx);
2726 wolfSSL_SetIOWriteCtx(ssl, w_env);
2727 wolfSSL_SetIOReadCtx(ssl, w_env);
2728 wolfSSL_set_app_data(ssl, session);
2730 wolfSSL_set_cipher_list(ssl,
"ALL");
2732 if (w_context->psk_pki_enabled & IS_PSK) {
2735 char *hint = wolfssl_malloc(psk_hint->
length + 1);
2738 memcpy(hint, psk_hint->
s, psk_hint->
length);
2739 hint[psk_hint->
length] =
'\000';
2740 wolfSSL_use_psk_identity_hint(ssl, hint);
2747 if (w_context->psk_pki_enabled & IS_PKI) {
2751#if defined(HAVE_RPK) && LIBWOLFSSL_VERSION_HEX >= 0x05006004
2752 if (w_context->setup_data.is_rpk_not_cert) {
2753 char stype[] = {WOLFSSL_CERT_TYPE_RPK};
2755 wolfSSL_set_server_cert_type(ssl, stype,
sizeof(stype)/
sizeof(stype[0]));
2760 w_env->last_timeout = now;
2762 w_env->data.session = session;
2764 r = wolfSSL_accept(ssl);
2766 int err = wolfSSL_get_error(ssl, r);
2767 if (err != WOLFSSL_ERROR_WANT_READ && err != WOLFSSL_ERROR_WANT_WRITE) {
2770 if (err == WOLFSSL_ERROR_WANT_READ) {
2773 if (err == WOLFSSL_ERROR_WANT_WRITE) {
2775#ifdef COAP_EPOLL_SUPPORT
2788 session->
tls = w_env;
2789 if (wolfSSL_is_init_finished(ssl)) {
2799 coap_dtls_free_wolfssl_env(w_env);
2807 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2808 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2811 if (!wolfSSL_SSL_in_init(ssl) && !(wolfSSL_get_shutdown(ssl) & WOLFSSL_SENT_SHUTDOWN)) {
2812 int r = wolfSSL_shutdown(ssl);
2814 wolfSSL_shutdown(ssl);
2821 coap_dtls_free_wolfssl_env(w_env);
2832 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2833 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2839 in_init = !wolfSSL_is_init_finished(ssl);
2841 r = wolfSSL_write(ssl, data, (
int)data_len);
2844 int err = wolfSSL_get_error(ssl, r);
2845 if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) {
2846 if (in_init && wolfSSL_is_init_finished(ssl)) {
2852 if (err == WOLFSSL_ERROR_WANT_READ)
2854 else if (err == WOLFSSL_ERROR_WANT_WRITE) {
2856#ifdef COAP_EPOLL_SUPPORT
2868 if (err == WOLFSSL_ERROR_ZERO_RETURN)
2870 else if (err == WOLFSSL_ERROR_SSL)
2874 }
else if (in_init && wolfSSL_is_init_finished(ssl)) {
2890 if (r == (ssize_t)data_len)
2907 coap_wolfssl_env_t *w_env = (coap_wolfssl_env_t *)session->
tls;
2908 WOLFSSL *ssl = w_env ? w_env->ssl :
NULL;
2916 in_init = !wolfSSL_is_init_finished(ssl);
2918 r = wolfSSL_read(ssl, data, (
int)data_len);
2920 int err = wolfSSL_get_error(ssl, r);
2921 if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) {
2922 if (in_init && wolfSSL_is_init_finished(ssl)) {
2928 if (err == WOLFSSL_ERROR_WANT_READ)
2930 if (err == WOLFSSL_ERROR_WANT_WRITE) {
2932#ifdef COAP_EPOLL_SUPPORT
2942 if (err == WOLFSSL_ERROR_ZERO_RETURN) {
2945 }
else if (err == WOLFSSL_ERROR_SSL) {
2947 }
else if (err == FATAL_ERROR) {
2948 WOLFSSL_ALERT_HISTORY h;
2951 if (wolfSSL_get_alert_history(ssl, &h) == WOLFSSL_SUCCESS) {
2952 if (h.last_rx.code != close_notify && h.last_rx.code != -1) {
2955 wolfSSL_alert_desc_string_long(h.last_rx.code));
2961 }
else if (in_init && wolfSSL_is_init_finished(ssl)) {
2985#if COAP_SERVER_SUPPORT
2987coap_digest_setup(
void) {
2988 WOLFSSL_EVP_MD_CTX *digest_ctx = wolfSSL_EVP_MD_CTX_new();
2991 wolfSSL_EVP_DigestInit_ex(digest_ctx, wolfSSL_EVP_sha256(),
NULL);
2997coap_digest_free(coap_digest_ctx_t *digest_ctx) {
2999 wolfSSL_EVP_MD_CTX_free(digest_ctx);
3003coap_digest_update(coap_digest_ctx_t *digest_ctx,
3004 const uint8_t *data,
3006 return wolfSSL_EVP_DigestUpdate(digest_ctx, data, data_len);
3010coap_digest_final(coap_digest_ctx_t *digest_ctx,
3011 coap_digest_t *digest_buffer) {
3012 unsigned int size =
sizeof(coap_digest_t);
3013 int ret = wolfSSL_EVP_DigestFinal_ex(digest_ctx, (uint8_t *)digest_buffer, &size);
3015 coap_digest_free(digest_ctx);
3020#if COAP_WS_SUPPORT || COAP_OSCORE_SUPPORT
3022coap_crypto_output_errors(
const char *prefix) {
3023#if COAP_MAX_LOGGING_LEVEL < _COAP_LOG_WARN
3028 while ((e = wolfSSL_ERR_get_error()))
3031 wolfSSL_ERR_reason_error_string(e),
3032 ssl_function_definition(e));
3042static struct hash_algs {
3044 const WOLFSSL_EVP_MD *(*get_hash)(void);
3053static const WOLFSSL_EVP_MD *
3054get_hash_alg(
cose_alg_t alg,
size_t *length) {
3057 for (idx = 0; idx <
sizeof(hashs) /
sizeof(
struct hash_algs); idx++) {
3058 if (hashs[idx].alg == alg) {
3059 *length = hashs[idx].length;
3060 return hashs[idx].get_hash();
3063 coap_log_debug(
"get_hash_alg: COSE hash %d not supported\n", alg);
3071 unsigned int length;
3072 const WOLFSSL_EVP_MD *evp_md;
3073 WOLFSSL_EVP_MD_CTX *evp_ctx =
NULL;
3077 if ((evp_md = get_hash_alg(alg, &hash_length)) ==
NULL) {
3078 coap_log_debug(
"coap_crypto_hash: algorithm %d not supported\n", alg);
3081 evp_ctx = wolfSSL_EVP_MD_CTX_new();
3082 if (evp_ctx ==
NULL)
3084 if (wolfSSL_EVP_DigestInit_ex(evp_ctx, evp_md,
NULL) == 0)
3087 if (wolfSSL_EVP_DigestUpdate(evp_ctx, data->
s, data->
length) == 0)
3093 if (wolfSSL_EVP_DigestFinal_ex(evp_ctx,
dummy->s, &length) == 0)
3095 dummy->length = length;
3096 if (hash_length < dummy->length)
3097 dummy->length = hash_length;
3099 wolfSSL_EVP_MD_CTX_free(evp_ctx);
3103 coap_crypto_output_errors(
"coap_crypto_hash");
3106 wolfSSL_EVP_MD_CTX_free(evp_ctx);
3111#if COAP_OSCORE_SUPPORT
3112#if LIBWOLFSSL_VERSION_HEX < 0x05006000
3113static const WOLFSSL_EVP_CIPHER *
3114EVP_aes_128_ccm(
void) {
3115 return "AES-128-CCM";
3118static const WOLFSSL_EVP_CIPHER *
3119EVP_aes_256_ccm(
void) {
3120 return "AES-256-CCM";
3134static struct cipher_algs {
3136 const WOLFSSL_EVP_CIPHER *(*get_cipher)(void);
3141static const WOLFSSL_EVP_CIPHER *
3145 for (idx = 0; idx <
sizeof(ciphers) /
sizeof(
struct cipher_algs); idx++) {
3146 if (ciphers[idx].alg == alg)
3147 return ciphers[idx].get_cipher();
3149 coap_log_debug(
"get_cipher_alg: COSE cipher %d not supported\n", alg);
3158static struct hmac_algs {
3160 const WOLFSSL_EVP_MD *(*get_hmac)(void);
3167static const WOLFSSL_EVP_MD *
3171 for (idx = 0; idx <
sizeof(hmacs) /
sizeof(
struct hmac_algs); idx++) {
3172 if (hmacs[idx].hmac_alg == hmac_alg)
3173 return hmacs[idx].get_hmac();
3175 coap_log_debug(
"get_hmac_alg: COSE HMAC %d not supported\n", hmac_alg);
3181 return get_cipher_alg(alg) !=
NULL;
3190 return get_hmac_alg(hmac_alg) !=
NULL;
3194 if (1 != (Func)) { \
3203 size_t *max_result_len) {
3209 byte *authTag =
NULL;
3215 assert(params !=
NULL);
3224 result_len = data->
length;
3225 nonce_length = 15 - ccm->
l;
3227 memset(&aes, 0,
sizeof(aes));
3232 authTag = (
byte *)wolfssl_malloc(ccm->
tag_len);
3236 ret = wc_AesCcmEncrypt(&aes, result, data->
s, data->
length, ccm->
nonce,
3237 nonce_length, authTag, ccm->
tag_len,
3244 memcpy(result + result_len, authTag, ccm->
tag_len);
3246 *max_result_len = result_len;
3247 wolfssl_free(authTag);
3251 coap_crypto_output_errors(
"coap_crypto_aead_encrypt");
3252 wolfssl_free(authTag);
3262 size_t *max_result_len) {
3267 byte *authTag =
NULL;
3276 assert(params !=
NULL);
3284 authTag = (
byte *)wolfssl_malloc(ccm->
tag_len);
3295 memset(&aes, 0,
sizeof(aes));
3302 ret = wc_AesCcmDecrypt(&aes, result, data->
s, len, ccm->
nonce,
3303 15 - ccm->
l, authTag, ccm->
tag_len,
3309 *max_result_len = len;
3310 wolfssl_free(authTag);
3314 coap_crypto_output_errors(
"coap_crypto_aead_decrypt");
3315 wolfssl_free(authTag);
3324 unsigned int result_len;
3325 const WOLFSSL_EVP_MD *evp_md;
3332 if ((evp_md = get_hmac_alg(hmac_alg)) == 0) {
3333 coap_log_debug(
"coap_crypto_hmac: algorithm %d not supported\n", hmac_alg);
3339 result_len = (
unsigned int)
dummy->length;
3340 if (wolfSSL_HMAC(evp_md,
3347 dummy->length = result_len;
3352 coap_crypto_output_errors(
"coap_crypto_hmac");
3364#pragma GCC diagnostic ignored "-Wunused-function"
static size_t strnlen(const char *s, size_t maxlen)
A length-safe strlen() fake.
struct coap_session_t coap_session_t
#define COAP_SERVER_SUPPORT
#define COAP_RXBUFFER_SIZE
#define COAP_SOCKET_WANT_READ
non blocking socket is waiting for reading
#define COAP_SOCKET_WANT_WRITE
non blocking socket is waiting for writing
void coap_epoll_ctl_mod(coap_socket_t *sock, uint32_t events, const char *func)
Epoll specific function to modify the state of events that epoll is tracking on the appropriate file ...
Library specific build wrapper for coap_internal.h.
int coap_dtls_context_set_pki(coap_context_t *ctx COAP_UNUSED, const coap_dtls_pki_t *setup_data COAP_UNUSED, const coap_dtls_role_t role COAP_UNUSED)
coap_tick_t coap_dtls_get_timeout(coap_session_t *session COAP_UNUSED, coap_tick_t now COAP_UNUSED)
ssize_t coap_tls_read(coap_session_t *session COAP_UNUSED, uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
coap_tick_t coap_dtls_get_context_timeout(void *dtls_context COAP_UNUSED)
int coap_dtls_receive(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void * coap_dtls_get_tls(const coap_session_t *c_session COAP_UNUSED, coap_tls_library_t *tls_lib)
unsigned int coap_dtls_get_overhead(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_load_pki_trust_store(coap_context_t *ctx COAP_UNUSED)
static coap_log_t dtls_log_level
int coap_dtls_context_check_keys_enabled(coap_context_t *ctx COAP_UNUSED)
ssize_t coap_dtls_send(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
ssize_t coap_tls_write(coap_session_t *session COAP_UNUSED, const uint8_t *data COAP_UNUSED, size_t data_len COAP_UNUSED)
void coap_dtls_session_update_mtu(coap_session_t *session COAP_UNUSED)
int coap_dtls_context_set_pki_root_cas(coap_context_t *ctx COAP_UNUSED, const char *ca_file COAP_UNUSED, const char *ca_path COAP_UNUSED)
int coap_dtls_handle_timeout(coap_session_t *session COAP_UNUSED)
void coap_dtls_free_context(void *handle COAP_UNUSED)
void coap_dtls_free_session(coap_session_t *coap_session COAP_UNUSED)
void * coap_dtls_new_context(coap_context_t *coap_context COAP_UNUSED)
void coap_tls_free_session(coap_session_t *coap_session COAP_UNUSED)
coap_binary_t * get_asn1_spki(const uint8_t *data, size_t size)
Abstract SPKI public key from the ASN1.
uint64_t coap_tick_t
This data type represents internal timer ticks with COAP_TICKS_PER_SECOND resolution.
int coap_prng_lkd(void *buf, size_t len)
Fills buf with len random bytes using the default pseudo random number generator.
int coap_handle_event_lkd(coap_context_t *context, coap_event_t event, coap_session_t *session)
Invokes the event handler of context for the given event and data.
int coap_handle_dgram(coap_context_t *ctx, coap_session_t *session, uint8_t *msg, size_t msg_len)
Parses and interprets a CoAP datagram with context ctx.
void coap_ticks(coap_tick_t *t)
Returns the current value of an internal tick counter.
int coap_crypto_hmac(cose_hmac_alg_t hmac_alg, coap_bin_const_t *key, coap_bin_const_t *data, coap_bin_const_t **hmac)
Create a HMAC hash of the provided data.
int coap_crypto_aead_decrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Decrypt the provided encrypted data into plaintext.
int coap_crypto_aead_encrypt(const coap_crypto_param_t *params, coap_bin_const_t *data, coap_bin_const_t *aad, uint8_t *result, size_t *max_result_len)
Encrypt the provided plaintext data.
int coap_crypto_hash(cose_alg_t alg, const coap_bin_const_t *data, coap_bin_const_t **hash)
Create a hash of the provided data.
int coap_crypto_check_hkdf_alg(cose_hkdf_alg_t hkdf_alg)
Check whether the defined hkdf algorithm is supported by the underlying crypto library.
int coap_crypto_check_cipher_alg(cose_alg_t alg)
Check whether the defined cipher algorithm is supported by the underlying crypto library.
const coap_bin_const_t * coap_get_session_client_psk_identity(const coap_session_t *coap_session)
Get the current client's PSK identity.
void coap_dtls_startup(void)
Initialize the underlying (D)TLS Library layer.
int coap_dtls_define_issue(coap_define_issue_key_t type, coap_define_issue_fail_t fail, coap_dtls_key_t *key, const coap_dtls_role_t role, int ret)
Report PKI DEFINE type issue.
void coap_dtls_thread_shutdown(void)
Close down the underlying (D)TLS Library layer.
int coap_dtls_set_cid_tuple_change(coap_context_t *context, uint8_t every)
Set the Connection ID client tuple frequency change for testing CIDs.
#define COAP_DTLS_CID_LENGTH
int coap_dtls_is_context_timeout(void)
Check if timeout is handled per CoAP session or per CoAP context.
void coap_dtls_shutdown(void)
Close down the underlying (D)TLS Library layer.
const coap_bin_const_t * coap_get_session_client_psk_key(const coap_session_t *coap_session)
Get the current client's PSK key.
#define COAP_DTLS_RETRANSMIT_COAP_TICKS
void coap_dtls_map_key_type_to_define(const coap_dtls_pki_t *setup_data, coap_dtls_key_t *key)
Map the PKI key definitions to the new DEFINE format.
const coap_bin_const_t * coap_get_session_server_psk_key(const coap_session_t *coap_session)
Get the current server's PSK key.
const coap_bin_const_t * coap_get_session_server_psk_hint(const coap_session_t *coap_session)
Get the current server's PSK identity hint.
@ COAP_DEFINE_KEY_PRIVATE
@ COAP_DEFINE_FAIL_NOT_SUPPORTED
#define COAP_DTLS_HINT_LENGTH
coap_tls_version_t * coap_get_tls_library_version(void)
Determine the type and version of the underlying (D)TLS library.
struct coap_dtls_pki_t coap_dtls_pki_t
@ COAP_PKI_KEY_DEF_PKCS11
The PKI key type is PKCS11 (pkcs11:...).
@ COAP_PKI_KEY_DEF_DER_BUF
The PKI key type is DER buffer (ASN.1).
@ COAP_PKI_KEY_DEF_PEM_BUF
The PKI key type is PEM buffer.
@ COAP_PKI_KEY_DEF_PEM
The PKI key type is PEM file.
@ COAP_PKI_KEY_DEF_ENGINE
The PKI key type is to be passed to ENGINE.
@ COAP_PKI_KEY_DEF_RPK_BUF
The PKI key type is RPK in buffer.
@ COAP_PKI_KEY_DEF_DER
The PKI key type is DER file.
@ COAP_PKI_KEY_DEF_PKCS11_RPK
The PKI key type is PKCS11 w/ RPK (pkcs11:...).
@ COAP_DTLS_ROLE_SERVER
Internal function invoked for server.
@ COAP_DTLS_ROLE_CLIENT
Internal function invoked for client.
@ COAP_PKI_KEY_DEFINE
The individual PKI key types are Definable.
@ COAP_TLS_LIBRARY_WOLFSSL
Using wolfSSL library.
@ COAP_EVENT_DTLS_CLOSED
Triggerred when (D)TLS session closed.
@ COAP_EVENT_DTLS_CONNECTED
Triggered when (D)TLS session connected.
@ COAP_EVENT_DTLS_RENEGOTIATE
Triggered when (D)TLS session renegotiated.
@ COAP_EVENT_DTLS_ERROR
Triggered when (D)TLS error occurs.
#define coap_lock_callback_ret(r, func)
Dummy for no thread-safe code.
#define coap_log_debug(...)
coap_log_t coap_dtls_get_log_level(void)
Get the current (D)TLS logging.
#define coap_dtls_log(level,...)
Logging function.
void coap_dtls_set_log_level(coap_log_t level)
Sets the (D)TLS logging level to the specified level.
const char * coap_session_str(const coap_session_t *session)
Get session description.
#define coap_log_info(...)
#define coap_log_warn(...)
#define coap_log_err(...)
#define coap_log(level,...)
Logging function.
int coap_netif_available(coap_session_t *session)
Function interface to check whether netif for session is still available.
int cose_get_hmac_alg_for_hkdf(cose_hkdf_alg_t hkdf_alg, cose_hmac_alg_t *hmac_alg)
@ COSE_HMAC_ALG_HMAC384_384
@ COSE_HMAC_ALG_HMAC256_256
@ COSE_HMAC_ALG_HMAC512_512
@ COSE_ALGORITHM_SHA_256_64
@ COSE_ALGORITHM_SHA_256_256
@ COSE_ALGORITHM_AES_CCM_16_64_128
@ COSE_ALGORITHM_AES_CCM_16_64_256
int coap_session_refresh_psk_hint(coap_session_t *session, const coap_bin_const_t *psk_hint)
Refresh the session's current Identity Hint (PSK).
int coap_session_refresh_psk_key(coap_session_t *session, const coap_bin_const_t *psk_key)
Refresh the session's current pre-shared key (PSK).
int coap_session_refresh_psk_identity(coap_session_t *session, const coap_bin_const_t *psk_identity)
Refresh the session's current pre-shared identity (PSK).
void coap_session_disconnected_lkd(coap_session_t *session, coap_nack_reason_t reason)
Notify session that it has failed.
#define COAP_PROTO_NOT_RELIABLE(p)
@ COAP_SESSION_TYPE_CLIENT
client-side
@ COAP_SESSION_STATE_HANDSHAKE
coap_binary_t * coap_new_binary(size_t size)
Returns a new binary object with at least size bytes storage allocated.
coap_bin_const_t * coap_new_bin_const(const uint8_t *data, size_t size)
Take the specified byte array (text) and create a coap_bin_const_t * Returns a new const binary objec...
void coap_delete_binary(coap_binary_t *s)
Deletes the given coap_binary_t object and releases any memory allocated.
int coap_dtls_cid_is_supported(void)
Check whether (D)TLS CID is available.
int coap_dtls_psk_is_supported(void)
Check whether (D)TLS PSK is available.
int coap_tls_is_supported(void)
Check whether TLS is available.
int coap_oscore_is_supported(void)
Check whether OSCORE is available.
int coap_dtls_is_supported(void)
Check whether DTLS is available.
int coap_dtls_pki_is_supported(void)
Check whether (D)TLS PKI is available.
int coap_dtls_rpk_is_supported(void)
Check whether (D)TLS RPK is available.
int coap_dtls_pkcs11_is_supported(void)
Check whether (D)TLS PKCS11 is available.
CoAP binary data definition with const data.
size_t length
length of binary data
const uint8_t * s
read-only binary data
CoAP binary data definition.
size_t length
length of binary data
The CoAP stack's global state is stored in a coap_context_t object.
The structure that holds the AES Crypto information.
size_t l
The number of bytes in the length field.
const uint8_t * nonce
must be exactly 15 - l bytes
coap_crypto_key_t key
The Key to use.
size_t tag_len
The size of the Tag.
The common structure that holds the Crypto information.
union coap_crypto_param_t::@376202006114157036213053136012210003017006234156 params
coap_crypto_aes_ccm_t aes
Used if AES type encryption.
The structure that holds the Client PSK information.
coap_bin_const_t identity
The structure used for defining the Client PSK setup data to be used.
uint8_t use_cid
Set to 1 if DTLS Connection ID is to be used.
void * ih_call_back_arg
Passed in to the Identity Hint callback function.
char * client_sni
If not NULL, SNI to use in client TLS setup.
coap_dtls_ih_callback_t validate_ih_call_back
Identity Hint check callback function.
uint8_t ec_jpake
Set to COAP_DTLS_CPSK_SETUP_VERSION to support this version of the struct.
The structure that holds the PKI key information.
coap_pki_key_define_t define
for definable type keys
coap_pki_key_t key_type
key format type
union coap_dtls_key_t::@003017313271040156213200302176016051164315363211 key
The structure used for defining the PKI setup data to be used.
uint8_t allow_no_crl
1 ignore if CRL not there
void * cn_call_back_arg
Passed in to the CN callback function.
uint8_t allow_sni_cn_mismatch
1 if SNI and returnd CN allowed to mismatch (Client only).
uint8_t cert_chain_validation
1 if to check cert_chain_verify_depth
uint8_t use_cid
1 if DTLS Connection ID is to be used (Client only, server always enabled) if supported
uint8_t check_cert_revocation
1 if revocation checks wanted
coap_dtls_pki_sni_callback_t validate_sni_call_back
SNI check callback function.
uint8_t cert_chain_verify_depth
recommended depth is 3
uint8_t allow_expired_certs
1 if expired certs are allowed
uint8_t verify_peer_cert
Set to COAP_DTLS_PKI_SETUP_VERSION to support this version of the struct.
char * client_sni
If not NULL, SNI to use in client TLS setup.
uint8_t allow_self_signed
1 if self-signed certs are allowed.
void * sni_call_back_arg
Passed in to the sni callback function.
coap_dtls_cn_callback_t validate_cn_call_back
CN check callback function.
uint8_t allow_expired_crl
1 if expired crl is allowed
uint8_t is_rpk_not_cert
1 is RPK instead of Public Certificate.
uint8_t check_common_ca
1 if peer cert is to be signed by the same CA as the local cert
coap_dtls_key_t pki_key
PKI key definition.
The structure that holds the Server Pre-Shared Key and Identity Hint information.
The structure used for defining the Server PSK setup data to be used.
coap_dtls_psk_sni_callback_t validate_sni_call_back
SNI check callback function.
coap_dtls_id_callback_t validate_id_call_back
Identity check callback function.
void * id_call_back_arg
Passed in to the Identity callback function.
uint8_t ec_jpake
Set to COAP_DTLS_SPSK_SETUP_VERSION to support this version of the struct.
void * sni_call_back_arg
Passed in to the SNI callback function.
coap_dtls_spsk_info_t psk_info
Server PSK definition.
coap_layer_write_t l_write
coap_layer_establish_t l_establish
coap_const_char_ptr_t public_cert
define: Public Cert
coap_const_char_ptr_t private_key
define: Private Key
coap_const_char_ptr_t ca
define: Common CA Certificate
size_t public_cert_len
define Public Cert length (if needed)
size_t ca_len
define CA Cert length (if needed)
coap_pki_define_t private_key_def
define: Private Key type definition
size_t private_key_len
define Private Key length (if needed)
coap_pki_define_t ca_def
define: Common CA type definition
coap_pki_define_t public_cert_def
define: Public Cert type definition
Abstraction of virtual session that can be attached to coap_context_t (client) or coap_endpoint_t (se...
unsigned int dtls_timeout_count
dtls setup retry counter
coap_socket_t sock
socket object for the session, if any
coap_session_state_t state
current state of relationship with peer
coap_proto_t proto
protocol used
uint8_t is_dtls13
Set if session is DTLS1.3.
coap_dtls_cpsk_t cpsk_setup_data
client provided PSK initial setup data
size_t mtu
path or CSM mtu (xmt)
int dtls_event
Tracking any (D)TLS events on this session.
void * tls
security parameters
uint16_t max_retransmit
maximum re-transmit count (default 4)
coap_session_type_t type
client or server side socket
coap_context_t * context
session's context
coap_layer_func_t lfunc[COAP_LAYER_LAST]
Layer functions to use.
coap_socket_flags_t flags
1 or more of COAP_SOCKET* flag values
CoAP string data definition with const data.
const uint8_t * s
read-only string data
size_t length
length of string
The structure used for returning the underlying (D)TLS library information.
uint64_t built_version
(D)TLS Built against Library Version
coap_tls_library_t type
Library type.
uint64_t version
(D)TLS runtime Library Version
const char * s_byte
signed char ptr
const uint8_t * u_byte
unsigned char ptr