TLS (Transport Layer Security) More...
#include "tls.h"#include "tls_cipher_suites.h"#include "tls_handshake.h"#include "tls_common.h"#include "tls_certificate.h"#include "tls_transcript_hash.h"#include "tls_record.h"#include "tls_misc.h"#include "tls13_client_misc.h"#include "tls13_ticket.h"#include "dtls_record.h"#include "pkix/pem_import.h"#include "pkix/x509_cert_parse.h"#include "debug.h"Go to the source code of this file.
Macros | |
| #define | TRACE_LEVEL TLS_TRACE_LEVEL |
Functions | |
| TlsContext * | tlsInit (void) |
| TLS context initialization. More... | |
| TlsState | tlsGetState (TlsContext *context) |
| Retrieve current TLS state. More... | |
| error_t | tlsSetStateChangeCallback (TlsContext *context, TlsStateChangeCallback stateChangeCallback) |
| Register TLS state change callback. More... | |
| error_t | tlsSetSocketCallbacks (TlsContext *context, TlsSocketSendCallback socketSendCallback, TlsSocketReceiveCallback socketReceiveCallback, TlsSocketHandle handle) |
| Set socket send and receive callbacks. More... | |
| error_t | tlsSetVersion (TlsContext *context, uint16_t versionMin, uint16_t versionMax) |
| Set minimum and maximum versions permitted. More... | |
| error_t | tlsSetTransportProtocol (TlsContext *context, TlsTransportProtocol transportProtocol) |
| Set the transport protocol to be used. More... | |
| error_t | tlsSetConnectionEnd (TlsContext *context, TlsConnectionEnd entity) |
| Set operation mode (client or server) More... | |
| error_t | tlsSetPrng (TlsContext *context, const PrngAlgo *prngAlgo, void *prngContext) |
| Set the pseudo-random number generator to be used. More... | |
| error_t | tlsSetServerName (TlsContext *context, const char_t *serverName) |
| Set the server name. More... | |
| const char_t * | tlsGetServerName (TlsContext *context) |
| Get the server name. More... | |
| error_t | tlsSetCache (TlsContext *context, TlsCache *cache) |
| Set session cache. More... | |
| error_t | tlsSetClientAuthMode (TlsContext *context, TlsClientAuthMode mode) |
| Set client authentication mode (for servers only) More... | |
| error_t | tlsSetBufferSize (TlsContext *context, size_t txBufferSize, size_t rxBufferSize) |
| Set TLS buffer size. More... | |
| error_t | tlsSetMaxFragmentLength (TlsContext *context, size_t maxFragLen) |
| Set maximum fragment length. More... | |
| error_t | tlsSetCipherSuites (TlsContext *context, const uint16_t *cipherSuites, uint_t length) |
| Specify the list of allowed cipher suites. More... | |
| error_t | tlsSetSupportedGroups (TlsContext *context, const uint16_t *groups, uint_t length) |
| Specify the list of allowed ECDHE and FFDHE groups. More... | |
| error_t | tlsSetPreferredGroup (TlsContext *context, uint16_t group) |
| Specify the preferred ECDHE or FFDHE group. More... | |
| error_t | tlsSetSupportedSignAlgos (TlsContext *context, const uint16_t *signAlgos, uint_t length) |
| Specify the list of allowed signature algorithms. More... | |
| error_t | tlsSetDhParameters (TlsContext *context, const char_t *params, size_t length) |
| Import Diffie-Hellman parameters. More... | |
| error_t | tlsSetEcdhCallback (TlsContext *context, TlsEcdhCallback ecdhCallback) |
| Register ECDH key agreement callback function. More... | |
| error_t | tlsSetEcdsaSignCallback (TlsContext *context, TlsEcdsaSignCallback ecdsaSignCallback) |
| Register ECDSA signature generation callback function. More... | |
| error_t | tlsSetEcdsaVerifyCallback (TlsContext *context, TlsEcdsaVerifyCallback ecdsaVerifyCallback) |
| Register ECDSA signature verification callback function. More... | |
| error_t | tlsSetKeyLogCallback (TlsContext *context, TlsKeyLogCallback keyLogCallback) |
| Register key logging callback function (for debugging purpose only) More... | |
| error_t | tlsAllowUnknownAlpnProtocols (TlsContext *context, bool_t allowed) |
| Allow unknown ALPN protocols. More... | |
| error_t | tlsSetAlpnProtocolList (TlsContext *context, const char_t *protocolList) |
| Set the list of supported ALPN protocols. More... | |
| error_t | tlsSetAlpnCallback (TlsContext *context, TlsAlpnCallback alpnCallback) |
| Register ALPN callback function. More... | |
| const char_t * | tlsGetAlpnProtocol (TlsContext *context) |
| Get the name of the selected ALPN protocol. More... | |
| error_t | tlsSetPsk (TlsContext *context, const uint8_t *psk, size_t length) |
| Set the pre-shared key to be used. More... | |
| error_t | tlsSetPskIdentity (TlsContext *context, const char_t *pskIdentity) |
| Set the PSK identity to be used by the client. More... | |
| error_t | tlsSetPskIdentityHint (TlsContext *context, const char_t *pskIdentityHint) |
| Set the PSK identity hint to be used by the server. More... | |
| error_t | tlsSetPskCallback (TlsContext *context, TlsPskCallback pskCallback) |
| Register PSK callback function. More... | |
| error_t | tlsSetRpkVerifyCallback (TlsContext *context, TlsRpkVerifyCallback rpkVerifyCallback) |
| Register the raw public key verification callback function. More... | |
| error_t | tlsSetTrustedCaList (TlsContext *context, const char_t *trustedCaList, size_t length) |
| Import a trusted CA list. More... | |
| error_t | tlsAddCertificate (TlsContext *context, const char_t *certChain, size_t certChainLen, const char_t *privateKey, size_t privateKeyLen) |
| Add a certificate and the corresponding private key (deprecated) More... | |
| error_t | tlsLoadCertificate (TlsContext *context, uint_t index, const char_t *certChain, size_t certChainLen, const char_t *privateKey, size_t privateKeyLen, const char_t *password) |
| Load entity's certificate. More... | |
| error_t | tlsSetCertificateVerifyCallback (TlsContext *context, TlsCertVerifyCallback certVerifyCallback, void *param) |
| Register certificate verification callback function. More... | |
| error_t | tlsEnableSessionTickets (TlsContext *context, bool_t enabled) |
| Enable session ticket mechanism. More... | |
| error_t | tlsEnableSecureRenegotiation (TlsContext *context, bool_t enabled) |
| Enable secure renegotiation. More... | |
| error_t | tlsEnableFallbackScsv (TlsContext *context, bool_t enabled) |
| Perform fallback retry (for clients only) More... | |
| error_t | tlsSetTicketCallbacks (TlsContext *context, TlsTicketEncryptCallback ticketEncryptCallback, TlsTicketDecryptCallback ticketDecryptCallback, void *param) |
| Set ticket encryption/decryption callbacks. More... | |
| error_t | tlsSetPmtu (TlsContext *context, size_t pmtu) |
| Set PMTU value (for DTLS only) More... | |
| error_t | tlsSetTimeout (TlsContext *context, systime_t timeout) |
| Set timeout for blocking calls (for DTLS only) More... | |
| error_t | tlsSetCookieCallbacks (TlsContext *context, DtlsCookieGenerateCallback cookieGenerateCallback, DtlsCookieVerifyCallback cookieVerifyCallback, void *param) |
| Set cookie generation/verification callbacks (for DTLS only) More... | |
| error_t | tlsEnableReplayDetection (TlsContext *context, bool_t enabled) |
| Enable anti-replay mechanism (for DTLS only) More... | |
| error_t | tlsSetMaxEarlyDataSize (TlsContext *context, size_t maxEarlyDataSize) |
| Send the maximum amount of 0-RTT data the server can accept. More... | |
| error_t | tlsWriteEarlyData (TlsContext *context, const void *data, size_t length, size_t *written, uint_t flags) |
| Send early data to the remote TLS server. More... | |
| error_t | tlsConnect (TlsContext *context) |
| Initiate the TLS handshake. More... | |
| TlsEarlyDataStatus | tlsGetEarlyDataStatus (TlsContext *context) |
| Check whether the server has accepted or rejected the early data. More... | |
| error_t | tlsWrite (TlsContext *context, const void *data, size_t length, size_t *written, uint_t flags) |
| Send application data to the remote host using TLS. More... | |
| error_t | tlsRead (TlsContext *context, void *data, size_t size, size_t *received, uint_t flags) |
| Receive application data from a the remote host using TLS. More... | |
| bool_t | tlsIsTxReady (TlsContext *context) |
| Check whether some data is ready for transmission. More... | |
| bool_t | tlsIsRxReady (TlsContext *context) |
| Check whether some data is available in the receive buffer. More... | |
| error_t | tlsShutdown (TlsContext *context) |
| Gracefully close TLS session. More... | |
| error_t | tlsShutdownEx (TlsContext *context, bool_t waitForCloseNotify) |
| Gracefully close TLS session. More... | |
| void | tlsFree (TlsContext *context) |
| Release TLS context. More... | |
| error_t | tlsInitSessionState (TlsSessionState *session) |
| Initialize session state. More... | |
| error_t | tlsSaveSessionState (const TlsContext *context, TlsSessionState *session) |
| Save TLS session. More... | |
| error_t | tlsRestoreSessionState (TlsContext *context, const TlsSessionState *session) |
| Restore TLS session. More... | |
| void | tlsFreeSessionState (TlsSessionState *session) |
| Properly dispose a session state. More... | |
Detailed Description
TLS (Transport Layer Security)
License
SPDX-License-Identifier: GPL-2.0-or-later
Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
This file is part of CycloneSSL Open.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Description
The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery
- Version
- 2.4.4
Definition in file tls.c.
Macro Definition Documentation
◆ TRACE_LEVEL
Function Documentation
◆ tlsAddCertificate()
| error_t tlsAddCertificate | ( | TlsContext * | context, |
| const char_t * | certChain, | ||
| size_t | certChainLen, | ||
| const char_t * | privateKey, | ||
| size_t | privateKeyLen | ||
| ) |
Add a certificate and the corresponding private key (deprecated)
- Parameters
-
[in] context Pointer to the TLS context [in] certChain Certificate chain (PEM format). This parameter is taken as reference [in] certChainLen Total length of the certificate chain [in] privateKey Private key (PEM format). This parameter is taken as reference [in] privateKeyLen Total length of the private key
- Returns
- Error code
◆ tlsAllowUnknownAlpnProtocols()
| error_t tlsAllowUnknownAlpnProtocols | ( | TlsContext * | context, |
| bool_t | allowed | ||
| ) |
◆ tlsConnect()
| error_t tlsConnect | ( | TlsContext * | context | ) |
◆ tlsEnableFallbackScsv()
| error_t tlsEnableFallbackScsv | ( | TlsContext * | context, |
| bool_t | enabled | ||
| ) |
◆ tlsEnableReplayDetection()
| error_t tlsEnableReplayDetection | ( | TlsContext * | context, |
| bool_t | enabled | ||
| ) |
◆ tlsEnableSecureRenegotiation()
| error_t tlsEnableSecureRenegotiation | ( | TlsContext * | context, |
| bool_t | enabled | ||
| ) |
◆ tlsEnableSessionTickets()
| error_t tlsEnableSessionTickets | ( | TlsContext * | context, |
| bool_t | enabled | ||
| ) |
◆ tlsFree()
| void tlsFree | ( | TlsContext * | context | ) |
◆ tlsFreeSessionState()
| void tlsFreeSessionState | ( | TlsSessionState * | session | ) |
◆ tlsGetAlpnProtocol()
| const char_t* tlsGetAlpnProtocol | ( | TlsContext * | context | ) |
◆ tlsGetEarlyDataStatus()
| TlsEarlyDataStatus tlsGetEarlyDataStatus | ( | TlsContext * | context | ) |
◆ tlsGetServerName()
| const char_t* tlsGetServerName | ( | TlsContext * | context | ) |
◆ tlsGetState()
| TlsState tlsGetState | ( | TlsContext * | context | ) |
◆ tlsInit()
| TlsContext* tlsInit | ( | void | ) |
◆ tlsInitSessionState()
| error_t tlsInitSessionState | ( | TlsSessionState * | session | ) |
◆ tlsIsRxReady()
| bool_t tlsIsRxReady | ( | TlsContext * | context | ) |
◆ tlsIsTxReady()
| bool_t tlsIsTxReady | ( | TlsContext * | context | ) |
◆ tlsLoadCertificate()
| error_t tlsLoadCertificate | ( | TlsContext * | context, |
| uint_t | index, | ||
| const char_t * | certChain, | ||
| size_t | certChainLen, | ||
| const char_t * | privateKey, | ||
| size_t | privateKeyLen, | ||
| const char_t * | password | ||
| ) |
Load entity's certificate.
- Parameters
-
[in] context Pointer to the TLS context [in] index Zero-based index identifying a slot [in] certChain Certificate chain (PEM format). This parameter is taken as reference [in] certChainLen Length of the certificate chain [in] privateKey Private key (PEM format). This parameter is taken as reference [in] privateKeyLen Length of the private key [in] password NULL-terminated string containing the password. This parameter is required if the private key is encrypted
- Returns
- Error code
◆ tlsRead()
| error_t tlsRead | ( | TlsContext * | context, |
| void * | data, | ||
| size_t | size, | ||
| size_t * | received, | ||
| uint_t | flags | ||
| ) |
Receive application data from a the remote host using TLS.
- Parameters
-
[in] context Pointer to the TLS context [out] data Buffer into which received data will be placed [in] size Maximum number of bytes that can be received [out] received Number of bytes that have been received [in] flags Set of flags that influences the behavior of this function
- Returns
- Error code
◆ tlsRestoreSessionState()
| error_t tlsRestoreSessionState | ( | TlsContext * | context, |
| const TlsSessionState * | session | ||
| ) |
◆ tlsSaveSessionState()
| error_t tlsSaveSessionState | ( | const TlsContext * | context, |
| TlsSessionState * | session | ||
| ) |
◆ tlsSetAlpnCallback()
| error_t tlsSetAlpnCallback | ( | TlsContext * | context, |
| TlsAlpnCallback | alpnCallback | ||
| ) |
◆ tlsSetAlpnProtocolList()
| error_t tlsSetAlpnProtocolList | ( | TlsContext * | context, |
| const char_t * | protocolList | ||
| ) |
◆ tlsSetBufferSize()
| error_t tlsSetBufferSize | ( | TlsContext * | context, |
| size_t | txBufferSize, | ||
| size_t | rxBufferSize | ||
| ) |
◆ tlsSetCache()
| error_t tlsSetCache | ( | TlsContext * | context, |
| TlsCache * | cache | ||
| ) |
◆ tlsSetCertificateVerifyCallback()
| error_t tlsSetCertificateVerifyCallback | ( | TlsContext * | context, |
| TlsCertVerifyCallback | certVerifyCallback, | ||
| void * | param | ||
| ) |
◆ tlsSetCipherSuites()
| error_t tlsSetCipherSuites | ( | TlsContext * | context, |
| const uint16_t * | cipherSuites, | ||
| uint_t | length | ||
| ) |
Specify the list of allowed cipher suites.
- Parameters
-
[in] context Pointer to the TLS context [in] cipherSuites List of allowed cipher suites (most preferred first). This parameter is taken as reference [in] length Number of cipher suites in the list
- Returns
- Error code
◆ tlsSetClientAuthMode()
| error_t tlsSetClientAuthMode | ( | TlsContext * | context, |
| TlsClientAuthMode | mode | ||
| ) |
◆ tlsSetConnectionEnd()
| error_t tlsSetConnectionEnd | ( | TlsContext * | context, |
| TlsConnectionEnd | entity | ||
| ) |
◆ tlsSetCookieCallbacks()
| error_t tlsSetCookieCallbacks | ( | TlsContext * | context, |
| DtlsCookieGenerateCallback | cookieGenerateCallback, | ||
| DtlsCookieVerifyCallback | cookieVerifyCallback, | ||
| void * | param | ||
| ) |
Set cookie generation/verification callbacks (for DTLS only)
- Parameters
-
[in] context Pointer to the TLS context [in] cookieGenerateCallback Cookie generation callback function [in] cookieVerifyCallback Cookie verification callback function [in] param An opaque pointer passed to the callback functions
- Returns
- Error code
◆ tlsSetDhParameters()
| error_t tlsSetDhParameters | ( | TlsContext * | context, |
| const char_t * | params, | ||
| size_t | length | ||
| ) |
◆ tlsSetEcdhCallback()
| error_t tlsSetEcdhCallback | ( | TlsContext * | context, |
| TlsEcdhCallback | ecdhCallback | ||
| ) |
◆ tlsSetEcdsaSignCallback()
| error_t tlsSetEcdsaSignCallback | ( | TlsContext * | context, |
| TlsEcdsaSignCallback | ecdsaSignCallback | ||
| ) |
◆ tlsSetEcdsaVerifyCallback()
| error_t tlsSetEcdsaVerifyCallback | ( | TlsContext * | context, |
| TlsEcdsaVerifyCallback | ecdsaVerifyCallback | ||
| ) |
◆ tlsSetKeyLogCallback()
| error_t tlsSetKeyLogCallback | ( | TlsContext * | context, |
| TlsKeyLogCallback | keyLogCallback | ||
| ) |
◆ tlsSetMaxEarlyDataSize()
| error_t tlsSetMaxEarlyDataSize | ( | TlsContext * | context, |
| size_t | maxEarlyDataSize | ||
| ) |
◆ tlsSetMaxFragmentLength()
| error_t tlsSetMaxFragmentLength | ( | TlsContext * | context, |
| size_t | maxFragLen | ||
| ) |
◆ tlsSetPmtu()
| error_t tlsSetPmtu | ( | TlsContext * | context, |
| size_t | pmtu | ||
| ) |
◆ tlsSetPreferredGroup()
| error_t tlsSetPreferredGroup | ( | TlsContext * | context, |
| uint16_t | group | ||
| ) |
◆ tlsSetPrng()
| error_t tlsSetPrng | ( | TlsContext * | context, |
| const PrngAlgo * | prngAlgo, | ||
| void * | prngContext | ||
| ) |
◆ tlsSetPsk()
| error_t tlsSetPsk | ( | TlsContext * | context, |
| const uint8_t * | psk, | ||
| size_t | length | ||
| ) |
◆ tlsSetPskCallback()
| error_t tlsSetPskCallback | ( | TlsContext * | context, |
| TlsPskCallback | pskCallback | ||
| ) |
◆ tlsSetPskIdentity()
| error_t tlsSetPskIdentity | ( | TlsContext * | context, |
| const char_t * | pskIdentity | ||
| ) |
◆ tlsSetPskIdentityHint()
| error_t tlsSetPskIdentityHint | ( | TlsContext * | context, |
| const char_t * | pskIdentityHint | ||
| ) |
◆ tlsSetRpkVerifyCallback()
| error_t tlsSetRpkVerifyCallback | ( | TlsContext * | context, |
| TlsRpkVerifyCallback | rpkVerifyCallback | ||
| ) |
◆ tlsSetServerName()
| error_t tlsSetServerName | ( | TlsContext * | context, |
| const char_t * | serverName | ||
| ) |
◆ tlsSetSocketCallbacks()
| error_t tlsSetSocketCallbacks | ( | TlsContext * | context, |
| TlsSocketSendCallback | socketSendCallback, | ||
| TlsSocketReceiveCallback | socketReceiveCallback, | ||
| TlsSocketHandle | handle | ||
| ) |
◆ tlsSetStateChangeCallback()
| error_t tlsSetStateChangeCallback | ( | TlsContext * | context, |
| TlsStateChangeCallback | stateChangeCallback | ||
| ) |
◆ tlsSetSupportedGroups()
| error_t tlsSetSupportedGroups | ( | TlsContext * | context, |
| const uint16_t * | groups, | ||
| uint_t | length | ||
| ) |
◆ tlsSetSupportedSignAlgos()
| error_t tlsSetSupportedSignAlgos | ( | TlsContext * | context, |
| const uint16_t * | signAlgos, | ||
| uint_t | length | ||
| ) |
Specify the list of allowed signature algorithms.
- Parameters
-
[in] context Pointer to the TLS context [in] signAlgos List of signature algorithms (most preferred first). This parameter is taken as reference [in] length Number of signature algorithms in the list
- Returns
- Error code
◆ tlsSetTicketCallbacks()
| error_t tlsSetTicketCallbacks | ( | TlsContext * | context, |
| TlsTicketEncryptCallback | ticketEncryptCallback, | ||
| TlsTicketDecryptCallback | ticketDecryptCallback, | ||
| void * | param | ||
| ) |
Set ticket encryption/decryption callbacks.
- Parameters
-
[in] context Pointer to the TLS context [in] ticketEncryptCallback Ticket encryption callback function [in] ticketDecryptCallback Ticket decryption callback function [in] param An opaque pointer passed to the callback functions
- Returns
- Error code
◆ tlsSetTimeout()
| error_t tlsSetTimeout | ( | TlsContext * | context, |
| systime_t | timeout | ||
| ) |
◆ tlsSetTransportProtocol()
| error_t tlsSetTransportProtocol | ( | TlsContext * | context, |
| TlsTransportProtocol | transportProtocol | ||
| ) |
◆ tlsSetTrustedCaList()
| error_t tlsSetTrustedCaList | ( | TlsContext * | context, |
| const char_t * | trustedCaList, | ||
| size_t | length | ||
| ) |
◆ tlsSetVersion()
| error_t tlsSetVersion | ( | TlsContext * | context, |
| uint16_t | versionMin, | ||
| uint16_t | versionMax | ||
| ) |
◆ tlsShutdown()
| error_t tlsShutdown | ( | TlsContext * | context | ) |
◆ tlsShutdownEx()
| error_t tlsShutdownEx | ( | TlsContext * | context, |
| bool_t | waitForCloseNotify | ||
| ) |
◆ tlsWrite()
| error_t tlsWrite | ( | TlsContext * | context, |
| const void * | data, | ||
| size_t | length, | ||
| size_t * | written, | ||
| uint_t | flags | ||
| ) |
Send application data to the remote host using TLS.
- Parameters
-
[in] context Pointer to the TLS context [in] data Pointer to a buffer containing the data to be transmitted [in] length Number of bytes to be transmitted [out] written Actual number of bytes written (optional parameter) [in] flags Set of flags that influences the behavior of this function
- Returns
- Error code
◆ tlsWriteEarlyData()
| error_t tlsWriteEarlyData | ( | TlsContext * | context, |
| const void * | data, | ||
| size_t | length, | ||
| size_t * | written, | ||
| uint_t | flags | ||
| ) |
Send early data to the remote TLS server.
- Parameters
-
[in] context Pointer to the TLS context [in] data Pointer to a buffer containing the data to be transmitted [in] length Number of bytes to be transmitted [out] written Actual number of bytes written (optional parameter) [in] flags Set of flags that influences the behavior of this function
- Returns
- Error code