2018-02-14 04:45:50 -05:00
|
|
|
// Copyright 2017-2018 Espressif Systems (Shanghai) PTE LTD
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
2018-02-02 22:31:45 -05:00
|
|
|
#ifndef _ESP_TLS_H_
|
|
|
|
#define _ESP_TLS_H_
|
|
|
|
|
|
|
|
#include <stdbool.h>
|
|
|
|
#include <sys/socket.h>
|
2018-02-14 04:45:50 -05:00
|
|
|
#include <fcntl.h>
|
2019-10-04 07:48:08 -04:00
|
|
|
#include "esp_err.h"
|
2018-02-02 22:31:45 -05:00
|
|
|
|
2018-02-28 07:39:43 -05:00
|
|
|
#include "mbedtls/platform.h"
|
|
|
|
#include "mbedtls/net_sockets.h"
|
|
|
|
#include "mbedtls/esp_debug.h"
|
|
|
|
#include "mbedtls/ssl.h"
|
|
|
|
#include "mbedtls/entropy.h"
|
|
|
|
#include "mbedtls/ctr_drbg.h"
|
|
|
|
#include "mbedtls/error.h"
|
|
|
|
#include "mbedtls/certs.h"
|
|
|
|
|
2017-11-30 01:05:34 -05:00
|
|
|
#ifdef __cplusplus
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
2019-04-09 10:08:05 -04:00
|
|
|
#define ESP_ERR_ESP_TLS_BASE 0x8000 /*!< Starting number of ESP-TLS error codes */
|
|
|
|
#define ESP_ERR_ESP_TLS_CANNOT_RESOLVE_HOSTNAME (ESP_ERR_ESP_TLS_BASE + 0x01) /*!< Error if hostname couldn't be resolved upon tls connection */
|
|
|
|
#define ESP_ERR_ESP_TLS_CANNOT_CREATE_SOCKET (ESP_ERR_ESP_TLS_BASE + 0x02) /*!< Failed to create socket */
|
|
|
|
#define ESP_ERR_ESP_TLS_UNSUPPORTED_PROTOCOL_FAMILY (ESP_ERR_ESP_TLS_BASE + 0x03) /*!< Unsupported protocol family */
|
2019-04-16 05:58:38 -04:00
|
|
|
#define ESP_ERR_ESP_TLS_FAILED_CONNECT_TO_HOST (ESP_ERR_ESP_TLS_BASE + 0x04) /*!< Failed to connect to host */
|
2019-04-09 10:08:05 -04:00
|
|
|
#define ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x05) /*!< failed to set socket option */
|
2019-04-16 05:58:38 -04:00
|
|
|
#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK (ESP_ERR_ESP_TLS_BASE + 0x06) /*!< mbedtls parse certificates was partly successful */
|
|
|
|
#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED (ESP_ERR_ESP_TLS_BASE + 0x07) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x08) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x09) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0A) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0B) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0C) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0D) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0E) /*!< mbedtls api returned error */
|
|
|
|
#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0F) /*!< mbedtls api returned failed */
|
|
|
|
#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls api returned failed */
|
2020-01-13 10:20:50 -05:00
|
|
|
#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned failed */
|
|
|
|
#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT (ESP_ERR_ESP_TLS_BASE + 0x12) /*!< new connection in esp_tls_low_level_conn connection timeouted */
|
2019-04-16 05:58:38 -04:00
|
|
|
|
|
|
|
typedef struct esp_tls_last_error* esp_tls_error_handle_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Error structure containing relevant errors in case tls error occurred
|
|
|
|
*/
|
|
|
|
typedef struct esp_tls_last_error {
|
|
|
|
esp_err_t last_error; /*!< error code (based on ESP_ERR_ESP_TLS_BASE) of the last occurred error */
|
|
|
|
int mbedtls_error_code; /*!< mbedtls error code from last mbedtls failed api */
|
|
|
|
int mbedtls_flags; /*!< last certification verification flags */
|
|
|
|
} esp_tls_last_error_t;
|
2019-04-09 10:08:05 -04:00
|
|
|
|
2018-08-07 13:54:57 -04:00
|
|
|
/**
|
|
|
|
* @brief ESP-TLS Connection State
|
|
|
|
*/
|
|
|
|
typedef enum esp_tls_conn_state {
|
|
|
|
ESP_TLS_INIT = 0,
|
|
|
|
ESP_TLS_CONNECTING,
|
|
|
|
ESP_TLS_HANDSHAKE,
|
|
|
|
ESP_TLS_FAIL,
|
|
|
|
ESP_TLS_DONE,
|
|
|
|
} esp_tls_conn_state_t;
|
|
|
|
|
2019-05-28 01:49:02 -04:00
|
|
|
typedef enum esp_tls_role {
|
|
|
|
ESP_TLS_CLIENT = 0,
|
|
|
|
ESP_TLS_SERVER,
|
|
|
|
} esp_tls_role_t;
|
|
|
|
|
2021-01-06 03:58:39 -05:00
|
|
|
/**
|
|
|
|
* @brief Keep alive parameters structure
|
|
|
|
*/
|
|
|
|
typedef struct tls_keep_alive_cfg {
|
|
|
|
bool keep_alive_enable; /*!< Enable keep-alive timeout */
|
|
|
|
int keep_alive_idle; /*!< Keep-alive idle time (second) */
|
|
|
|
int keep_alive_interval; /*!< Keep-alive interval time (second) */
|
|
|
|
int keep_alive_count; /*!< Keep-alive packet retry send count */
|
|
|
|
} tls_keep_alive_cfg_t;
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
|
|
|
* @brief ESP-TLS configuration parameters
|
|
|
|
*/
|
|
|
|
typedef struct esp_tls_cfg {
|
2018-04-20 01:20:38 -04:00
|
|
|
const char **alpn_protos; /*!< Application protocols required for HTTP2.
|
2018-02-14 04:45:50 -05:00
|
|
|
If HTTP2/ALPN support is required, a list
|
|
|
|
of protocols that should be negotiated.
|
|
|
|
The format is length followed by protocol
|
|
|
|
name.
|
|
|
|
For the most common cases the following is ok:
|
2019-05-28 01:49:02 -04:00
|
|
|
const char **alpn_protos = { "h2", NULL };
|
|
|
|
- where 'h2' is the protocol name */
|
2018-02-28 07:39:43 -05:00
|
|
|
|
2019-05-03 10:02:54 -04:00
|
|
|
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
|
|
|
|
This buffer should be NULL terminated */
|
2018-02-28 07:39:43 -05:00
|
|
|
|
2018-07-27 08:45:55 -04:00
|
|
|
unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate
|
2018-02-14 04:45:50 -05:00
|
|
|
pointed to by cacert_pem_buf */
|
2018-09-28 12:45:11 -04:00
|
|
|
|
2019-05-03 10:02:54 -04:00
|
|
|
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
|
|
|
|
This buffer should be NULL terminated */
|
2019-05-28 01:49:02 -04:00
|
|
|
|
2018-09-28 12:45:11 -04:00
|
|
|
unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by
|
|
|
|
clientcert_pem_buf */
|
|
|
|
|
2019-05-03 10:02:54 -04:00
|
|
|
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
|
|
|
|
This buffer should be NULL terminated */
|
2018-09-28 12:45:11 -04:00
|
|
|
|
|
|
|
unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by
|
|
|
|
clientkey_pem_buf */
|
|
|
|
|
|
|
|
const unsigned char *clientkey_password;/*!< Client key decryption password string */
|
|
|
|
|
|
|
|
unsigned int clientkey_password_len; /*!< String length of the password pointed to by
|
|
|
|
clientkey_password */
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
bool non_block; /*!< Configure non-blocking mode. If set to true the
|
|
|
|
underneath socket will be configured in non
|
|
|
|
blocking mode after tls session is established */
|
2018-07-27 08:45:55 -04:00
|
|
|
|
|
|
|
int timeout_ms; /*!< Network timeout in milliseconds */
|
2018-10-04 06:35:02 -04:00
|
|
|
|
|
|
|
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
|
|
|
|
this bool is set. */
|
2019-05-03 10:02:54 -04:00
|
|
|
|
|
|
|
const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
|
|
|
|
If NULL, server certificate CN must match hostname. */
|
|
|
|
|
|
|
|
bool skip_common_name; /*!< Skip any validation of server certificate CN field */
|
2021-01-06 03:58:39 -05:00
|
|
|
|
|
|
|
tls_keep_alive_cfg_t *keep_alive_cfg; /*!< Enable TCP keep-alive timeout for SSL connection */
|
2018-02-14 04:45:50 -05:00
|
|
|
} esp_tls_cfg_t;
|
|
|
|
|
2019-05-28 01:49:02 -04:00
|
|
|
#ifdef CONFIG_ESP_TLS_SERVER
|
|
|
|
typedef struct esp_tls_cfg_server {
|
|
|
|
const char **alpn_protos; /*!< Application protocols required for HTTP2.
|
|
|
|
If HTTP2/ALPN support is required, a list
|
|
|
|
of protocols that should be negotiated.
|
|
|
|
The format is length followed by protocol
|
|
|
|
name.
|
|
|
|
For the most common cases the following is ok:
|
|
|
|
const char **alpn_protos = { "h2", NULL };
|
|
|
|
- where 'h2' is the protocol name */
|
|
|
|
|
|
|
|
const unsigned char *cacert_pem_buf; /*!< Client CA certificate in a buffer.
|
|
|
|
This buffer should be NULL terminated */
|
|
|
|
|
|
|
|
unsigned int cacert_pem_bytes; /*!< Size of client CA certificate
|
|
|
|
pointed to by cacert_pem_buf */
|
|
|
|
|
|
|
|
const unsigned char *servercert_pem_buf; /*!< Server certificate in a buffer
|
|
|
|
This buffer should be NULL terminated */
|
|
|
|
|
|
|
|
unsigned int servercert_pem_bytes; /*!< Size of server certificate pointed to by
|
|
|
|
servercert_pem_buf */
|
|
|
|
|
|
|
|
const unsigned char *serverkey_pem_buf; /*!< Server key in a buffer
|
|
|
|
This buffer should be NULL terminated */
|
|
|
|
|
|
|
|
unsigned int serverkey_pem_bytes; /*!< Size of server key pointed to by
|
|
|
|
serverkey_pem_buf */
|
|
|
|
|
|
|
|
const unsigned char *serverkey_password; /*!< Server key decryption password string */
|
|
|
|
|
|
|
|
unsigned int serverkey_password_len; /*!< String length of the password pointed to by
|
|
|
|
serverkey_password */
|
|
|
|
|
|
|
|
} esp_tls_cfg_server_t;
|
|
|
|
#endif /* ! CONFIG_ESP_TLS_SERVER */
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
|
|
|
* @brief ESP-TLS Connection Handle
|
|
|
|
*/
|
|
|
|
typedef struct esp_tls {
|
2018-02-28 07:39:43 -05:00
|
|
|
mbedtls_ssl_context ssl; /*!< TLS/SSL context */
|
|
|
|
|
|
|
|
mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
|
|
|
|
|
|
|
|
mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure.
|
|
|
|
CTR_DRBG is deterministic random
|
|
|
|
bit generation based on AES-256 */
|
|
|
|
|
|
|
|
mbedtls_ssl_config conf; /*!< TLS/SSL configuration to be shared
|
|
|
|
between mbedtls_ssl_context
|
|
|
|
structures */
|
|
|
|
|
|
|
|
mbedtls_net_context server_fd; /*!< mbedTLS wrapper type for sockets */
|
|
|
|
|
2018-09-28 12:45:11 -04:00
|
|
|
mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */
|
|
|
|
|
2018-10-11 11:34:09 -04:00
|
|
|
mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */
|
|
|
|
|
2018-09-28 12:45:11 -04:00
|
|
|
mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */
|
|
|
|
|
|
|
|
mbedtls_pk_context clientkey; /*!< Container for the private key of the client
|
|
|
|
certificate */
|
2019-05-28 01:49:02 -04:00
|
|
|
#ifdef CONFIG_ESP_TLS_SERVER
|
|
|
|
mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */
|
2018-10-04 06:35:02 -04:00
|
|
|
|
2019-05-28 01:49:02 -04:00
|
|
|
mbedtls_pk_context serverkey; /*!< Container for the private key of the server
|
|
|
|
certificate */
|
|
|
|
#endif
|
2018-02-28 07:39:43 -05:00
|
|
|
int sockfd; /*!< Underlying socket file descriptor. */
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
ssize_t (*read)(struct esp_tls *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL
|
|
|
|
connection. */
|
2018-02-28 07:39:43 -05:00
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
ssize_t (*write)(struct esp_tls *tls, const char *data, size_t datalen); /*!< Callback function for writing data to TLS/SSL
|
|
|
|
connection. */
|
2018-08-07 13:54:57 -04:00
|
|
|
|
|
|
|
esp_tls_conn_state_t conn_state; /*!< ESP-TLS Connection state */
|
|
|
|
|
|
|
|
fd_set rset; /*!< read file descriptors */
|
|
|
|
|
|
|
|
fd_set wset; /*!< write file descriptors */
|
2019-04-08 06:49:16 -04:00
|
|
|
|
|
|
|
bool is_tls; /*!< indicates connection type (TLS or NON-TLS) */
|
2019-05-28 01:49:02 -04:00
|
|
|
|
|
|
|
esp_tls_role_t role; /*!< esp-tls role
|
|
|
|
- ESP_TLS_CLIENT
|
|
|
|
- ESP_TLS_SERVER */
|
2019-04-09 10:08:05 -04:00
|
|
|
|
2019-04-16 05:58:38 -04:00
|
|
|
esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */
|
2019-04-09 10:08:05 -04:00
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
} esp_tls_t;
|
|
|
|
|
2019-04-09 10:08:05 -04:00
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Create TLS connection
|
|
|
|
*
|
|
|
|
* This function allocates and initializes esp-tls structure handle.
|
|
|
|
*
|
|
|
|
* @return tls Pointer to esp-tls as esp-tls handle if successfully initialized,
|
|
|
|
* NULL if allocation error
|
|
|
|
*/
|
|
|
|
esp_tls_t *esp_tls_init();
|
|
|
|
|
2019-04-16 05:58:38 -04:00
|
|
|
|
|
|
|
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
2018-08-07 13:54:57 -04:00
|
|
|
* @brief Create a new blocking TLS/SSL connection
|
2017-11-30 01:05:34 -05:00
|
|
|
*
|
2018-08-07 13:54:57 -04:00
|
|
|
* This function establishes a TLS/SSL connection with the specified host in blocking manner.
|
2019-04-16 05:58:38 -04:00
|
|
|
*
|
|
|
|
* Note: This API is present for backward compatibility reasons. Alternative function
|
|
|
|
* with the same functionality is `esp_tls_conn_new_sync` (and its asynchronous version
|
|
|
|
* `esp_tls_conn_new_async`)
|
|
|
|
*
|
|
|
|
* @param[in] hostname Hostname of the host.
|
|
|
|
* @param[in] hostlen Length of hostname.
|
|
|
|
* @param[in] port Port number of the host.
|
|
|
|
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
|
|
|
|
* non-TLS connection, keep this NULL. For TLS connection,
|
|
|
|
* a pass pointer to esp_tls_cfg_t. At a minimum, this
|
|
|
|
* structure should be zero-initialized.
|
|
|
|
*
|
|
|
|
* @return pointer to esp_tls_t, or NULL if connection couldn't be opened.
|
|
|
|
*/
|
|
|
|
esp_tls_t *esp_tls_conn_new(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg) __attribute__ ((deprecated));
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Create a new blocking TLS/SSL connection
|
|
|
|
*
|
|
|
|
* This function establishes a TLS/SSL connection with the specified host in blocking manner.
|
|
|
|
*
|
2018-02-14 04:45:50 -05:00
|
|
|
* @param[in] hostname Hostname of the host.
|
|
|
|
* @param[in] hostlen Length of hostname.
|
|
|
|
* @param[in] port Port number of the host.
|
2019-04-16 05:58:38 -04:00
|
|
|
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
|
2018-02-14 04:45:50 -05:00
|
|
|
* non-TLS connection, keep this NULL. For TLS connection,
|
|
|
|
* a pass pointer to esp_tls_cfg_t. At a minimum, this
|
|
|
|
* structure should be zero-initialized.
|
2019-04-09 10:08:05 -04:00
|
|
|
* @param[in] tls Pointer to esp-tls as esp-tls handle.
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - -1 If connection establishment fails.
|
|
|
|
* - 1 If connection establishment is successful.
|
2020-01-13 10:20:50 -05:00
|
|
|
* - 0 If connection state is in progress.
|
2017-11-30 01:05:34 -05:00
|
|
|
*/
|
2019-04-16 05:58:38 -04:00
|
|
|
int esp_tls_conn_new_sync(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
|
2018-02-02 22:31:45 -05:00
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
2018-08-07 13:54:57 -04:00
|
|
|
* @brief Create a new blocking TLS/SSL connection with a given "HTTP" url
|
2018-02-14 04:45:50 -05:00
|
|
|
*
|
|
|
|
* The behaviour is same as esp_tls_conn_new() API. However this API accepts host's url.
|
|
|
|
*
|
|
|
|
* @param[in] url url of host.
|
|
|
|
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
|
|
|
|
* non-TLS connection, keep this NULL. For TLS connection,
|
|
|
|
* a pass pointer to 'esp_tls_cfg_t'. At a minimum, this
|
|
|
|
* structure should be zero-initialized.
|
|
|
|
* @return pointer to esp_tls_t, or NULL if connection couldn't be opened.
|
|
|
|
*/
|
|
|
|
esp_tls_t *esp_tls_conn_http_new(const char *url, const esp_tls_cfg_t *cfg);
|
|
|
|
|
2018-10-23 03:41:03 -04:00
|
|
|
/**
|
2018-08-07 13:54:57 -04:00
|
|
|
* @brief Create a new non-blocking TLS/SSL connection
|
|
|
|
*
|
|
|
|
* This function initiates a non-blocking TLS/SSL connection with the specified host, but due to
|
|
|
|
* its non-blocking nature, it doesn't wait for the connection to get established.
|
|
|
|
*
|
|
|
|
* @param[in] hostname Hostname of the host.
|
|
|
|
* @param[in] hostlen Length of hostname.
|
|
|
|
* @param[in] port Port number of the host.
|
|
|
|
* @param[in] cfg TLS configuration as esp_tls_cfg_t. `non_block` member of
|
|
|
|
* this structure should be set to be true.
|
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
|
|
|
*
|
2018-10-23 03:41:03 -04:00
|
|
|
* @return
|
|
|
|
* - -1 If connection establishment fails.
|
|
|
|
* - 0 If connection establishment is in progress.
|
|
|
|
* - 1 If connection establishment is successful.
|
2018-08-07 13:54:57 -04:00
|
|
|
*/
|
|
|
|
int esp_tls_conn_new_async(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Create a new non-blocking TLS/SSL connection with a given "HTTP" url
|
|
|
|
*
|
|
|
|
* The behaviour is same as esp_tls_conn_new() API. However this API accepts host's url.
|
|
|
|
*
|
|
|
|
* @param[in] url url of host.
|
|
|
|
* @param[in] cfg TLS configuration as esp_tls_cfg_t.
|
2018-10-23 03:41:03 -04:00
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
2018-08-07 13:54:57 -04:00
|
|
|
*
|
2018-10-23 03:41:03 -04:00
|
|
|
* @return
|
|
|
|
* - -1 If connection establishment fails.
|
|
|
|
* - 0 If connection establishment is in progress.
|
|
|
|
* - 1 If connection establishment is successful.
|
2018-08-07 13:54:57 -04:00
|
|
|
*/
|
|
|
|
int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
|
|
|
* @brief Write from buffer 'data' into specified tls connection.
|
|
|
|
*
|
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
|
|
|
* @param[in] data Buffer from which data will be written.
|
|
|
|
* @param[in] datalen Length of data buffer.
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - >0 if write operation was successful, the return value is the number
|
|
|
|
* of bytes actually written to the TLS/SSL connection.
|
|
|
|
* - 0 if write operation was not successful. The underlying
|
|
|
|
* connection was closed.
|
|
|
|
* - <0 if write operation was not successful, because either an
|
|
|
|
* error occured or an action must be taken by the calling process.
|
|
|
|
*/
|
|
|
|
static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen)
|
2018-02-02 22:31:45 -05:00
|
|
|
{
|
2018-02-14 04:45:50 -05:00
|
|
|
return tls->write(tls, (char *)data, datalen);
|
2018-02-02 22:31:45 -05:00
|
|
|
}
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
|
|
|
* @brief Read from specified tls connection into the buffer 'data'.
|
|
|
|
*
|
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
|
|
|
* @param[in] data Buffer to hold read data.
|
|
|
|
* @param[in] datalen Length of data buffer.
|
|
|
|
*
|
|
|
|
* @return
|
2018-08-07 13:54:57 -04:00
|
|
|
* - >0 if read operation was successful, the return value is the number
|
|
|
|
* of bytes actually read from the TLS/SSL connection.
|
|
|
|
* - 0 if read operation was not successful. The underlying
|
|
|
|
* connection was closed.
|
|
|
|
* - <0 if read operation was not successful, because either an
|
|
|
|
* error occured or an action must be taken by the calling process.
|
|
|
|
*/
|
2018-02-14 04:45:50 -05:00
|
|
|
static inline ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen)
|
2018-02-02 22:31:45 -05:00
|
|
|
{
|
2018-02-14 04:45:50 -05:00
|
|
|
return tls->read(tls, (char *)data, datalen);
|
2018-02-02 22:31:45 -05:00
|
|
|
}
|
|
|
|
|
2018-02-14 04:45:50 -05:00
|
|
|
/**
|
|
|
|
* @brief Close the TLS/SSL connection and free any allocated resources.
|
|
|
|
*
|
|
|
|
* This function should be called to close each tls connection opened with esp_tls_conn_new() or
|
|
|
|
* esp_tls_conn_http_new() APIs.
|
|
|
|
*
|
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
|
|
|
*/
|
|
|
|
void esp_tls_conn_delete(esp_tls_t *tls);
|
2018-02-02 22:31:45 -05:00
|
|
|
|
2018-07-27 08:45:55 -04:00
|
|
|
/**
|
|
|
|
* @brief Return the number of application data bytes remaining to be
|
|
|
|
* read from the current record
|
|
|
|
*
|
|
|
|
* This API is a wrapper over mbedtls's mbedtls_ssl_get_bytes_avail() API.
|
|
|
|
*
|
|
|
|
* @param[in] tls pointer to esp-tls as esp-tls handle.
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - -1 in case of invalid arg
|
|
|
|
* - bytes available in the application data
|
|
|
|
* record read buffer
|
|
|
|
*/
|
2019-04-09 10:08:05 -04:00
|
|
|
ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls);
|
2018-07-27 08:45:55 -04:00
|
|
|
|
2018-10-04 06:35:02 -04:00
|
|
|
/**
|
2018-11-01 14:11:16 -04:00
|
|
|
* @brief Create a global CA store, initially empty.
|
2018-10-04 06:35:02 -04:00
|
|
|
*
|
2018-11-01 14:11:16 -04:00
|
|
|
* This function should be called if the application wants to use the same CA store for multiple connections.
|
|
|
|
* This function initialises the global CA store which can be then set by calling esp_tls_set_global_ca_store().
|
|
|
|
* To be effective, this function must be called before any call to esp_tls_set_global_ca_store().
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - ESP_OK if creating global CA store was successful.
|
|
|
|
* - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources.
|
|
|
|
*/
|
|
|
|
esp_err_t esp_tls_init_global_ca_store();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Set the global CA store with the buffer provided in pem format.
|
|
|
|
*
|
|
|
|
* This function should be called if the application wants to set the global CA store for
|
|
|
|
* multiple connections i.e. to add the certificates in the provided buffer to the certificate chain.
|
|
|
|
* This function implicitly calls esp_tls_init_global_ca_store() if it has not already been called.
|
|
|
|
* The application must call this function before calling esp_tls_conn_new().
|
2018-10-04 06:35:02 -04:00
|
|
|
*
|
|
|
|
* @param[in] cacert_pem_buf Buffer which has certificates in pem format. This buffer
|
|
|
|
* is used for creating a global CA store, which can be used
|
|
|
|
* by other tls connections.
|
|
|
|
* @param[in] cacert_pem_bytes Length of the buffer.
|
|
|
|
*
|
|
|
|
* @return
|
2018-11-01 14:11:16 -04:00
|
|
|
* - ESP_OK if adding certificates was successful.
|
2018-10-04 06:35:02 -04:00
|
|
|
* - Other if an error occured or an action must be taken by the calling process.
|
|
|
|
*/
|
|
|
|
esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Get the pointer to the global CA store currently being used.
|
|
|
|
*
|
|
|
|
* The application must first call esp_tls_set_global_ca_store(). Then the same
|
|
|
|
* CA store could be used by the application for APIs other than esp_tls.
|
|
|
|
*
|
|
|
|
* @note Modifying the pointer might cause a failure in verifying the certificates.
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - Pointer to the global CA store currently being used if successful.
|
|
|
|
* - NULL if there is no global CA store set.
|
|
|
|
*/
|
|
|
|
mbedtls_x509_crt *esp_tls_get_global_ca_store();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Free the global CA store currently being used.
|
|
|
|
*
|
|
|
|
* The memory being used by the global CA store to store all the parsed certificates is
|
|
|
|
* freed up. The application can call this API if it no longer needs the global CA store.
|
|
|
|
*/
|
|
|
|
void esp_tls_free_global_ca_store();
|
|
|
|
|
2019-04-09 10:08:05 -04:00
|
|
|
/**
|
2019-04-16 05:58:38 -04:00
|
|
|
* @brief Returns last error in esp_tls with detailed mbedtls related error codes.
|
|
|
|
* The error information is cleared internally upon return
|
2019-04-09 10:08:05 -04:00
|
|
|
*
|
2019-04-16 05:58:38 -04:00
|
|
|
* @param[in] h esp-tls error handle.
|
|
|
|
* @param[out] mbedtls_code last error code returned from mbedtls api (set to zero if none)
|
|
|
|
* This pointer could be NULL if caller does not care about mbedtls_code
|
|
|
|
* @param[out] mbedtls_flags last certification verification flags (set to zero if none)
|
|
|
|
* This pointer could be NULL if caller does not care about mbedtls_flags
|
2019-04-09 10:08:05 -04:00
|
|
|
*
|
|
|
|
* @return
|
2019-04-16 05:58:38 -04:00
|
|
|
* - ESP_ERR_INVALID_STATE if invalid parameters
|
|
|
|
* - ESP_OK (0) if no error occurred
|
2019-04-09 10:08:05 -04:00
|
|
|
* - specific error code (based on ESP_ERR_ESP_TLS_BASE) otherwise
|
|
|
|
*/
|
2019-04-16 05:58:38 -04:00
|
|
|
esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *mbedtls_code, int *mbedtls_flags);
|
2019-04-09 10:08:05 -04:00
|
|
|
|
2019-05-28 01:49:02 -04:00
|
|
|
#ifdef CONFIG_ESP_TLS_SERVER
|
|
|
|
/**
|
|
|
|
* @brief Create TLS/SSL server session
|
|
|
|
*
|
|
|
|
* This function creates a TLS/SSL server context for already accepted client connection
|
|
|
|
* and performs TLS/SSL handshake with the client
|
|
|
|
*
|
|
|
|
* @param[in] cfg Pointer to esp_tls_cfg_server_t
|
|
|
|
* @param[in] sockfd FD of accepted connection
|
|
|
|
* @param[out] tls Pointer to allocated esp_tls_t
|
|
|
|
*
|
|
|
|
* @return
|
|
|
|
* - 0 if successful
|
|
|
|
* - <0 in case of error
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls_t *tls);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Close the server side TLS/SSL connection and free any allocated resources.
|
|
|
|
*
|
|
|
|
* This function should be called to close each tls connection opened with esp_tls_server_session_create()
|
|
|
|
*
|
|
|
|
* @param[in] tls pointer to esp_tls_t
|
|
|
|
*/
|
|
|
|
void esp_tls_server_session_delete(esp_tls_t *tls);
|
|
|
|
#endif /* ! CONFIG_ESP_TLS_SERVER */
|
2018-08-07 13:54:57 -04:00
|
|
|
|
2017-11-30 01:05:34 -05:00
|
|
|
#ifdef __cplusplus
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2018-02-02 22:31:45 -05:00
|
|
|
#endif /* ! _ESP_TLS_H_ */
|