2021-05-31 20:06:09 +08:00
/*
2024-11-18 07:47:50 +01:00
* SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
2021-05-31 20:06:09 +08:00
*
* SPDX-License-Identifier: Apache-2.0
*/
2018-02-03 09:01:45 +05:30
# ifndef _ESP_TLS_H_
# define _ESP_TLS_H_
# include <stdbool.h>
2019-10-07 19:47:32 +08:00
# include "esp_err.h"
2021-01-22 21:00:22 +01:00
# include "esp_tls_errors.h"
2022-04-20 08:09:13 +05:30
# include "sdkconfig.h"
2019-09-07 16:24:54 +05:30
# ifdef CONFIG_ESP_TLS_USING_MBEDTLS
2018-02-28 18:09:43 +05:30
# include "mbedtls/ssl.h"
2023-07-03 10:28:24 +05:30
# include "mbedtls/x509_crt.h"
2021-05-19 17:16:59 +02:00
# ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
# include "mbedtls/ssl_ticket.h"
2023-02-15 10:37:09 +05:30
# include "mbedtls/entropy.h"
# include "mbedtls/ctr_drbg.h"
2021-05-19 17:16:59 +02:00
# endif
2019-09-07 16:24:54 +05:30
# elif CONFIG_ESP_TLS_USING_WOLFSSL
# include "wolfssl/wolfcrypt/settings.h"
# include "wolfssl/ssl.h"
# endif
2018-02-28 18:09:43 +05:30
2022-04-20 08:09:13 +05:30
2017-11-30 11:35:34 +05:30
# ifdef __cplusplus
extern " C " {
# endif
2018-08-07 23:24:57 +05:30
/**
* @brief ESP-TLS Connection State
*/
typedef enum esp_tls_conn_state {
ESP_TLS_INIT = 0 ,
ESP_TLS_CONNECTING ,
ESP_TLS_HANDSHAKE ,
ESP_TLS_FAIL ,
ESP_TLS_DONE ,
} esp_tls_conn_state_t ;
2019-05-28 11:19:02 +05:30
typedef enum esp_tls_role {
ESP_TLS_CLIENT = 0 ,
ESP_TLS_SERVER ,
} esp_tls_role_t ;
2019-05-23 21:48:08 +02:00
/**
* @brief ESP-TLS preshared key and hint structure
*/
typedef struct psk_key_hint {
const uint8_t * key ; /*!< key in PSK authentication mode in binary format */
const size_t key_size ; /*!< length of the key */
const char * hint ; /*!< hint in PSK authentication mode in string format */
} psk_hint_key_t ;
2021-07-23 17:00:32 +05:30
/**
* @brief esp-tls client session ticket ctx
*/
# ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
typedef struct esp_tls_client_session {
mbedtls_ssl_session saved_session ;
} esp_tls_client_session_t ;
# endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
2021-01-06 16:58:39 +08:00
/**
* @brief Keep alive parameters structure
*/
typedef struct tls_keep_alive_cfg {
bool keep_alive_enable ; /*!< Enable keep-alive timeout */
int keep_alive_idle ; /*!< Keep-alive idle time (second) */
int keep_alive_interval ; /*!< Keep-alive interval time (second) */
int keep_alive_count ; /*!< Keep-alive packet retry send count */
} tls_keep_alive_cfg_t ;
2023-03-10 21:39:02 -05:00
/*
* @brief ESP-TLS Address families
*/
typedef enum esp_tls_addr_family {
ESP_TLS_AF_UNSPEC = 0 , /**< Unspecified address family. */
ESP_TLS_AF_INET , /**< IPv4 address family. */
ESP_TLS_AF_INET6 , /**< IPv6 address family. */
} esp_tls_addr_family_t ;
2023-10-04 12:19:43 +05:30
/*
* @brief ESP-TLS TLS Protocol version
*/
typedef enum {
ESP_TLS_VER_ANY = 0 , /* No preference */
ESP_TLS_VER_TLS_1_2 = 0x1 , /* (D)TLS 1.2 */
ESP_TLS_VER_TLS_1_3 = 0x2 , /* (D)TLS 1.3 */
ESP_TLS_VER_TLS_MAX , /* to indicate max */
} esp_tls_proto_ver_t ;
2018-02-14 15:15:50 +05:30
/**
2019-09-29 18:04:34 +08:00
* @brief ESP-TLS configuration parameters
*
2019-08-02 09:20:02 +02:00
* @note Note about format of certificates:
* - This structure includes certificates of a Certificate Authority, of client or server as well
* as private keys, which may be of PEM or DER format. In case of PEM format, the buffer must be
* NULL terminated (with NULL character included in certificate size).
* - Certificate Authority's certificate may be a chain of certificates in case of PEM format,
* but could be only one certificate in case of DER format
* - Variables names of certificates and private key buffers and sizes are defined as unions providing
* backward compatibility for legacy *_pem_buf and *_pem_bytes names which suggested only PEM format
* was supported. It is encouraged to use generic names such as cacert_buf and cacert_bytes.
2019-09-29 18:04:34 +08:00
*/
2018-02-14 15:15:50 +05:30
typedef struct esp_tls_cfg {
2018-04-20 10:50:38 +05:30
const char * * alpn_protos ; /*!< Application protocols required for HTTP2.
2018-02-14 15:15:50 +05:30
If HTTP2/ALPN support is required, a list
2019-09-29 18:04:34 +08:00
of protocols that should be negotiated.
2018-02-14 15:15:50 +05:30
The format is length followed by protocol
2019-09-29 18:04:34 +08:00
name.
2018-02-14 15:15:50 +05:30
For the most common cases the following is ok:
2019-05-28 11:19:02 +05:30
const char **alpn_protos = { "h2", NULL };
- where 'h2' is the protocol name */
2019-09-29 18:04:34 +08:00
2019-08-02 09:20:02 +02:00
union {
const unsigned char * cacert_buf ; /*!< Certificate Authority's certificate in a buffer.
2019-07-15 17:51:25 +02:00
Format may be PEM or DER, depending on mbedtls-support
This buffer should be NULL terminated in case of PEM */
2019-08-02 09:20:02 +02:00
const unsigned char * cacert_pem_buf ; /*!< CA certificate buffer legacy name */
} ;
union {
unsigned int cacert_bytes ; /*!< Size of Certificate Authority certificate
pointed to by cacert_buf
2019-07-15 17:51:25 +02:00
(including NULL-terminator in case of PEM format) */
2019-08-02 09:20:02 +02:00
unsigned int cacert_pem_bytes ; /*!< Size of Certificate Authority certificate legacy name */
} ;
2018-09-28 18:45:11 +02:00
2019-08-02 09:20:02 +02:00
union {
const unsigned char * clientcert_buf ; /*!< Client certificate in a buffer
2019-07-15 17:51:25 +02:00
Format may be PEM or DER, depending on mbedtls-support
This buffer should be NULL terminated in case of PEM */
2019-08-02 09:20:02 +02:00
const unsigned char * clientcert_pem_buf ; /*!< Client certificate legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
unsigned int clientcert_bytes ; /*!< Size of client certificate pointed to by
2019-07-15 17:51:25 +02:00
clientcert_pem_buf
(including NULL-terminator in case of PEM format) */
2019-08-02 09:20:02 +02:00
unsigned int clientcert_pem_bytes ; /*!< Size of client certificate legacy name */
} ;
2018-09-28 18:45:11 +02:00
2019-08-02 09:20:02 +02:00
union {
const unsigned char * clientkey_buf ; /*!< Client key in a buffer
2019-07-15 17:51:25 +02:00
Format may be PEM or DER, depending on mbedtls-support
This buffer should be NULL terminated in case of PEM */
2019-08-02 09:20:02 +02:00
const unsigned char * clientkey_pem_buf ; /*!< Client key legacy name */
} ;
2018-09-28 18:45:11 +02:00
2019-08-02 09:20:02 +02:00
union {
unsigned int clientkey_bytes ; /*!< Size of client key pointed to by
2019-07-15 17:51:25 +02:00
clientkey_pem_buf
(including NULL-terminator in case of PEM format) */
2019-08-02 09:20:02 +02:00
unsigned int clientkey_pem_bytes ; /*!< Size of client key legacy name */
} ;
2018-09-28 18:45:11 +02:00
const unsigned char * clientkey_password ; /*!< Client key decryption password string */
unsigned int clientkey_password_len ; /*!< String length of the password pointed to by
clientkey_password */
2023-07-27 15:40:03 +05:30
bool use_ecdsa_peripheral ; /*!< Use the ECDSA peripheral for the private key operations */
uint8_t ecdsa_key_efuse_blk ; /*!< The efuse block where the ECDSA key is stored */
2019-09-29 18:04:34 +08:00
bool non_block ; /*!< Configure non-blocking mode. If set to true the
underneath socket will be configured in non
2018-02-14 15:15:50 +05:30
blocking mode after tls session is established */
2018-07-27 18:15:55 +05:30
2020-04-06 20:12:52 +05:30
bool use_secure_element ; /*!< Enable this option to use secure element or
2023-12-04 12:22:01 +05:30
atecc608a chip */
2019-02-12 17:34:15 +05:30
2022-06-21 14:38:19 +05:30
int timeout_ms ; /*!< Network timeout in milliseconds.
Note: If this value is not set, by default the timeout is
set to 10 seconds. If you wish that the session should wait
indefinitely then please use a larger value e.g., INT32_MAX */
2018-10-04 16:05:02 +05:30
bool use_global_ca_store ; /*!< Use a global ca_store for all the connections in which
this bool is set. */
2019-05-03 19:32:54 +05:30
const char * common_name ; /*!< If non-NULL, server certificate CN must match this name.
If NULL, server certificate CN must match hostname. */
bool skip_common_name ; /*!< Skip any validation of server certificate CN field */
2019-05-23 21:48:08 +02:00
2021-01-06 16:58:39 +08:00
tls_keep_alive_cfg_t * keep_alive_cfg ; /*!< Enable TCP keep-alive timeout for SSL connection */
2024-11-18 13:52:00 +01:00
# if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
2019-05-23 21:48:08 +02:00
const psk_hint_key_t * psk_hint_key ; /*!< Pointer to PSK hint and key. if not NULL (and certificates are NULL)
then PSK authentication is enabled with configured setup.
Important note: the pointer must be valid for connection */
2024-11-18 13:52:00 +01:00
# endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */
2019-05-23 21:48:08 +02:00
2020-03-11 15:48:34 +05:30
esp_err_t ( * crt_bundle_attach ) ( void * conf ) ;
2019-09-29 18:04:34 +08:00
/*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
bundle for server verification, must be enabled in menuconfig */
2020-06-16 18:10:12 +05:30
void * ds_data ; /*!< Pointer for digital signature peripheral context */
2021-01-25 09:45:38 +01:00
bool is_plain_tcp ; /*!< Use non-TLS connection: When set to true, the esp-tls uses
2021-05-19 12:58:06 +02:00
plain TCP transport rather then TLS/SSL connection.
Note, that it is possible to connect using a plain tcp transport
directly with esp_tls_plain_tcp_connect() API */
2021-01-19 17:49:42 +08:00
struct ifreq * if_name ; /*!< The name of interface for data to go through. Use the default interface without setting */
2021-07-23 17:00:32 +05:30
# ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
esp_tls_client_session_t * client_session ; /*! Pointer for the client session ticket context. */
# endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
2023-03-10 21:39:02 -05:00
esp_tls_addr_family_t addr_family ; /*!< The address family to use when connecting to a host. */
2023-04-20 17:45:25 +08:00
const int * ciphersuites_list ; /*!< Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
Please check the list validity by esp_tls_get_ciphersuites_list() API */
2023-10-04 12:19:43 +05:30
esp_tls_proto_ver_t tls_version ; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
2018-02-14 15:15:50 +05:30
} esp_tls_cfg_t ;
2021-07-23 17:00:32 +05:30
# if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
2021-05-19 17:16:59 +02:00
/**
* @brief Data structures necessary to support TLS session tickets according to RFC5077
*/
2021-07-23 17:00:32 +05:30
typedef struct esp_tls_server_session_ticket_ctx {
2021-05-19 17:16:59 +02:00
mbedtls_entropy_context entropy ; /*!< mbedTLS entropy context structure */
mbedtls_ctr_drbg_context ctr_drbg ; /*!< mbedTLS ctr drbg context structure.
CTR_DRBG is deterministic random
bit generation based on AES-256 */
mbedtls_ssl_ticket_context ticket_ctx ; /*!< Session ticket generation context */
2021-07-23 17:00:32 +05:30
} esp_tls_server_session_ticket_ctx_t ;
2021-05-19 17:16:59 +02:00
# endif
2023-09-05 14:34:04 +05:30
# if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
2022-09-26 16:14:09 +02:00
/**
* @brief tls handshake callback
* Can be used to configure per-handshake attributes for the TLS connection.
* E.g. Client certificate / Key, Authmode, Client CA verification, etc.
*
* @param ssl mbedtls_ssl_context that can be used for changing settings
* @return The reutn value of the callback must be 0 if successful,
* or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort
*/
typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback ;
2023-11-15 07:20:59 +05:30
# else
// When CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK is not defined,
// the following typedef is only kept for compatibility reasons, not to be used.
typedef void * esp_tls_handshake_callback ;
2023-09-05 14:34:04 +05:30
# endif
2022-09-26 16:14:09 +02:00
2023-09-05 14:34:04 +05:30
/**
* @brief ESP-TLS Server configuration parameters
*/
2019-05-28 11:19:02 +05:30
typedef struct esp_tls_cfg_server {
const char * * alpn_protos ; /*!< Application protocols required for HTTP2.
If HTTP2/ALPN support is required, a list
of protocols that should be negotiated.
The format is length followed by protocol
name.
For the most common cases the following is ok:
const char **alpn_protos = { "h2", NULL };
- where 'h2' is the protocol name */
2019-08-02 09:20:02 +02:00
union {
const unsigned char * cacert_buf ; /*!< Client CA certificate in a buffer.
2019-05-28 11:19:02 +05:30
This buffer should be NULL terminated */
2019-08-02 09:20:02 +02:00
const unsigned char * cacert_pem_buf ; /*!< Client CA certificate legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
unsigned int cacert_bytes ; /*!< Size of client CA certificate
2019-05-28 11:19:02 +05:30
pointed to by cacert_pem_buf */
2019-08-02 09:20:02 +02:00
unsigned int cacert_pem_bytes ; /*!< Size of client CA certificate legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
const unsigned char * servercert_buf ; /*!< Server certificate in a buffer
2019-05-28 11:19:02 +05:30
This buffer should be NULL terminated */
2019-08-02 09:20:02 +02:00
const unsigned char * servercert_pem_buf ; /*!< Server certificate legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
unsigned int servercert_bytes ; /*!< Size of server certificate pointed to by
2019-05-28 11:19:02 +05:30
servercert_pem_buf */
2019-08-02 09:20:02 +02:00
unsigned int servercert_pem_bytes ; /*!< Size of server certificate legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
const unsigned char * serverkey_buf ; /*!< Server key in a buffer
2019-05-28 11:19:02 +05:30
This buffer should be NULL terminated */
2019-08-02 09:20:02 +02:00
const unsigned char * serverkey_pem_buf ; /*!< Server key legacy name */
} ;
2019-05-28 11:19:02 +05:30
2019-08-02 09:20:02 +02:00
union {
unsigned int serverkey_bytes ; /*!< Size of server key pointed to by
2019-05-28 11:19:02 +05:30
serverkey_pem_buf */
2019-08-02 09:20:02 +02:00
unsigned int serverkey_pem_bytes ; /*!< Size of server key legacy name */
} ;
2019-05-28 11:19:02 +05:30
const unsigned char * serverkey_password ; /*!< Server key decryption password string */
unsigned int serverkey_password_len ; /*!< String length of the password pointed to by
serverkey_password */
2023-07-27 15:40:03 +05:30
bool use_ecdsa_peripheral ; /*!< Use ECDSA peripheral to use private key */
uint8_t ecdsa_key_efuse_blk ; /*!< The efuse block where ECDSA key is stored */
2022-03-27 14:31:30 +05:30
bool use_secure_element ; /*!< Enable this option to use secure element or
2023-12-04 12:22:01 +05:30
atecc608a chip */
2022-03-27 14:31:30 +05:30
2021-07-23 17:00:32 +05:30
# if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
esp_tls_server_session_ticket_ctx_t * ticket_ctx ; /*!< Session ticket generation context.
2021-05-19 17:16:59 +02:00
You have to call esp_tls_cfg_server_session_tickets_init
to use it.
Call esp_tls_cfg_server_session_tickets_free
to free the data associated with this context. */
# endif
2022-09-26 16:14:09 +02:00
2022-10-21 12:51:31 +05:30
void * userdata ; /*!< User data to be added to the ssl context.
Can be retrieved by callbacks */
2022-09-26 16:14:09 +02:00
# if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
esp_tls_handshake_callback cert_select_cb ; /*!< Certificate selection callback that gets called after ClientHello is processed.
Can be used as an SNI callback, but also has access to other
TLS extensions, such as ALPN and server_certificate_type . */
# endif
2024-11-18 07:47:50 +01:00
# if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
const psk_hint_key_t * psk_hint_key ; /*!< Pointer to PSK hint and key. if not NULL (and the certificate/key is NULL)
then PSK authentication is enabled with configured setup.
Important note: the pointer must be valid for connection */
# endif
2019-05-28 11:19:02 +05:30
} esp_tls_cfg_server_t ;
2021-05-19 17:16:59 +02:00
/**
* @brief Initialize the server side TLS session ticket context
*
* This function initializes the server side tls session ticket context
* which holds all necessary data structures to enable tls session tickets
* according to RFC5077.
* Use esp_tls_cfg_server_session_tickets_free to free the data.
*
* @param[in] cfg server configuration as esp_tls_cfg_server_t
* @return
* ESP_OK if setup succeeded
* ESP_ERR_INVALID_ARG if context is already initialized
* ESP_ERR_NO_MEM if memory allocation failed
* ESP_ERR_NOT_SUPPORTED if session tickets are not available due to build configuration
* ESP_FAIL if setup failed
*/
esp_err_t esp_tls_cfg_server_session_tickets_init ( esp_tls_cfg_server_t * cfg ) ;
/**
* @brief Free the server side TLS session ticket context
2021-07-23 17:00:32 +05:30
*
* @param cfg server configuration as esp_tls_cfg_server_t
2021-05-19 17:16:59 +02:00
*/
void esp_tls_cfg_server_session_tickets_free ( esp_tls_cfg_server_t * cfg ) ;
2019-05-28 11:19:02 +05:30
2022-04-20 08:09:13 +05:30
typedef struct esp_tls esp_tls_t ;
2018-02-14 15:15:50 +05:30
2019-04-09 16:08:05 +02:00
/**
* @brief Create TLS connection
*
* This function allocates and initializes esp-tls structure handle.
*
* @return tls Pointer to esp-tls as esp-tls handle if successfully initialized,
* NULL if allocation error
*/
2019-07-16 16:33:30 +07:00
esp_tls_t * esp_tls_init ( void ) ;
2019-04-09 16:08:05 +02:00
2018-02-14 15:15:50 +05:30
/**
2022-03-24 12:36:00 +05:30
* @brief Create a new blocking TLS/SSL connection with a given "HTTP" url
2019-04-16 11:58:38 +02:00
*
* Note: This API is present for backward compatibility reasons. Alternative function
2022-03-24 12:36:00 +05:30
* with the same functionality is `esp_tls_conn_http_new_sync` (and its asynchronous version
* `esp_tls_conn_http_new_async`)
2019-04-16 11:58:38 +02:00
*
2022-03-24 12:36:00 +05:30
* @param[in] url url of host.
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
* non-TLS connection, keep this NULL. For TLS connection,
* a pass pointer to 'esp_tls_cfg_t'. At a minimum, this
* structure should be zero-initialized.
2019-04-16 11:58:38 +02:00
* @return pointer to esp_tls_t, or NULL if connection couldn't be opened.
*/
2022-03-24 12:36:00 +05:30
esp_tls_t * esp_tls_conn_http_new ( const char * url , const esp_tls_cfg_t * cfg ) __attribute__ ( ( deprecated ( " Please use esp_tls_conn_http_new_sync (or its asynchronous version esp_tls_conn_http_new_async) instead " ) ) ) ;
2019-04-16 11:58:38 +02:00
/**
* @brief Create a new blocking TLS/SSL connection
*
* This function establishes a TLS/SSL connection with the specified host in blocking manner.
*
2018-02-14 15:15:50 +05:30
* @param[in] hostname Hostname of the host.
* @param[in] hostlen Length of hostname.
* @param[in] port Port number of the host.
2019-04-16 11:58:38 +02:00
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
2018-02-14 15:15:50 +05:30
* non-TLS connection, keep this NULL. For TLS connection,
* a pass pointer to esp_tls_cfg_t. At a minimum, this
* structure should be zero-initialized.
2019-04-09 16:08:05 +02:00
* @param[in] tls Pointer to esp-tls as esp-tls handle.
*
* @return
* - -1 If connection establishment fails.
* - 1 If connection establishment is successful.
2020-01-13 16:20:50 +01:00
* - 0 If connection state is in progress.
2017-11-30 11:35:34 +05:30
*/
2019-04-16 11:58:38 +02:00
int esp_tls_conn_new_sync ( const char * hostname , int hostlen , int port , const esp_tls_cfg_t * cfg , esp_tls_t * tls ) ;
2018-02-03 09:01:45 +05:30
2018-02-14 15:15:50 +05:30
/**
2018-08-07 23:24:57 +05:30
* @brief Create a new blocking TLS/SSL connection with a given "HTTP" url
2018-02-14 15:15:50 +05:30
*
2022-03-24 12:36:00 +05:30
* The behaviour is same as esp_tls_conn_new_sync() API. However this API accepts host's url.
2019-09-29 18:04:34 +08:00
*
2022-03-24 12:36:00 +05:30
* @param[in] url url of host.
* @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
* non-TLS connection, keep this NULL. For TLS connection,
* a pass pointer to 'esp_tls_cfg_t'. At a minimum, this
* structure should be zero-initialized.
* @param[in] tls Pointer to esp-tls as esp-tls handle.
*
* @return
* - -1 If connection establishment fails.
* - 1 If connection establishment is successful.
* - 0 If connection state is in progress.
2018-02-14 15:15:50 +05:30
*/
2022-03-24 12:36:00 +05:30
int esp_tls_conn_http_new_sync ( const char * url , const esp_tls_cfg_t * cfg , esp_tls_t * tls ) ;
2019-09-29 18:04:34 +08:00
2018-10-23 13:11:03 +05:30
/**
2018-08-07 23:24:57 +05:30
* @brief Create a new non-blocking TLS/SSL connection
*
* This function initiates a non-blocking TLS/SSL connection with the specified host, but due to
* its non-blocking nature, it doesn't wait for the connection to get established.
*
* @param[in] hostname Hostname of the host.
* @param[in] hostlen Length of hostname.
* @param[in] port Port number of the host.
* @param[in] cfg TLS configuration as esp_tls_cfg_t. `non_block` member of
* this structure should be set to be true.
* @param[in] tls pointer to esp-tls as esp-tls handle.
*
2018-10-23 13:11:03 +05:30
* @return
* - -1 If connection establishment fails.
* - 0 If connection establishment is in progress.
* - 1 If connection establishment is successful.
2018-08-07 23:24:57 +05:30
*/
int esp_tls_conn_new_async ( const char * hostname , int hostlen , int port , const esp_tls_cfg_t * cfg , esp_tls_t * tls ) ;
/**
* @brief Create a new non-blocking TLS/SSL connection with a given "HTTP" url
*
2022-03-24 12:36:00 +05:30
* The behaviour is same as esp_tls_conn_new_async() API. However this API accepts host's url.
2018-08-07 23:24:57 +05:30
*
* @param[in] url url of host.
* @param[in] cfg TLS configuration as esp_tls_cfg_t.
2018-10-23 13:11:03 +05:30
* @param[in] tls pointer to esp-tls as esp-tls handle.
2018-08-07 23:24:57 +05:30
*
2018-10-23 13:11:03 +05:30
* @return
* - -1 If connection establishment fails.
* - 0 If connection establishment is in progress.
* - 1 If connection establishment is successful.
2018-08-07 23:24:57 +05:30
*/
int esp_tls_conn_http_new_async ( const char * url , const esp_tls_cfg_t * cfg , esp_tls_t * tls ) ;
2018-02-14 15:15:50 +05:30
/**
* @brief Write from buffer 'data' into specified tls connection.
2019-09-29 18:04:34 +08:00
*
2018-02-14 15:15:50 +05:30
* @param[in] tls pointer to esp-tls as esp-tls handle.
* @param[in] data Buffer from which data will be written.
* @param[in] datalen Length of data buffer.
2019-09-29 18:04:34 +08:00
*
* @return
2020-03-17 12:35:20 +05:30
* - >=0 if write operation was successful, the return value is the number
2019-09-29 18:04:34 +08:00
* of bytes actually written to the TLS/SSL connection.
* - <0 if write operation was not successful, because either an
2024-11-18 07:47:50 +01:00
* error occurred or an action must be taken by the calling process.
2021-09-13 01:00:13 +05:30
* - ESP_TLS_ERR_SSL_WANT_READ/
* ESP_TLS_ERR_SSL_WANT_WRITE.
* if the handshake is incomplete and waiting for data to be available for reading.
* In this case this functions needs to be called again when the underlying transport is ready for operation.
2018-02-14 15:15:50 +05:30
*/
2022-04-20 08:09:13 +05:30
ssize_t esp_tls_conn_write ( esp_tls_t * tls , const void * data , size_t datalen ) ;
2018-02-03 09:01:45 +05:30
2018-02-14 15:15:50 +05:30
/**
* @brief Read from specified tls connection into the buffer 'data'.
2019-09-29 18:04:34 +08:00
*
2018-02-14 15:15:50 +05:30
* @param[in] tls pointer to esp-tls as esp-tls handle.
* @param[in] data Buffer to hold read data.
2019-09-29 18:04:34 +08:00
* @param[in] datalen Length of data buffer.
2018-02-14 15:15:50 +05:30
*
* @return
2018-08-07 23:24:57 +05:30
* - >0 if read operation was successful, the return value is the number
* of bytes actually read from the TLS/SSL connection.
* - 0 if read operation was not successful. The underlying
* connection was closed.
* - <0 if read operation was not successful, because either an
2024-11-18 07:47:50 +01:00
* error occurred or an action must be taken by the calling process.
2018-08-07 23:24:57 +05:30
*/
2022-04-20 08:09:13 +05:30
ssize_t esp_tls_conn_read ( esp_tls_t * tls , void * data , size_t datalen ) ;
2018-02-03 09:01:45 +05:30
2018-02-14 15:15:50 +05:30
/**
* @brief Close the TLS/SSL connection and free any allocated resources.
2019-09-29 18:04:34 +08:00
*
2022-03-24 12:36:00 +05:30
* This function should be called to close each tls connection opened with
* esp_tls_conn_new_sync() (or esp_tls_conn_http_new_sync()) and
* esp_tls_conn_new_async() (or esp_tls_conn_http_new_async()) APIs.
2018-02-14 15:15:50 +05:30
*
2019-09-29 18:04:34 +08:00
* @param[in] tls pointer to esp-tls as esp-tls handle.
2020-04-28 12:16:03 +02:00
*
* @return - 0 on success
* - -1 if socket error or an invalid argument
2018-02-14 15:15:50 +05:30
*/
2020-04-28 12:16:03 +02:00
int esp_tls_conn_destroy ( esp_tls_t * tls ) ;
2018-02-03 09:01:45 +05:30
2018-07-27 18:15:55 +05:30
/**
* @brief Return the number of application data bytes remaining to be
* read from the current record
*
* This API is a wrapper over mbedtls's mbedtls_ssl_get_bytes_avail() API.
*
* @param[in] tls pointer to esp-tls as esp-tls handle.
*
* @return
* - -1 in case of invalid arg
* - bytes available in the application data
* record read buffer
*/
2019-04-09 16:08:05 +02:00
ssize_t esp_tls_get_bytes_avail ( esp_tls_t * tls ) ;
2018-07-27 18:15:55 +05:30
2020-01-15 13:43:52 +05:30
/**
* @brief Returns the connection socket file descriptor from esp_tls session
*
* @param[in] tls handle to esp_tls context
*
* @param[out] sockfd int pointer to sockfd value.
*
* @return - ESP_OK on success and value of sockfd will be updated with socket file descriptor for connection
* - ESP_ERR_INVALID_ARG if (tls == NULL || sockfd == NULL)
*/
esp_err_t esp_tls_get_conn_sockfd ( esp_tls_t * tls , int * sockfd ) ;
2023-04-10 13:55:05 +05:30
/**
* @brief Sets the connection socket file descriptor for the esp_tls session
*
* @param[in] tls handle to esp_tls context
*
* @param[in] sockfd sockfd value to set.
*
2024-11-18 07:47:50 +01:00
* @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
2023-04-10 13:55:05 +05:30
* - ESP_ERR_INVALID_ARG if (tls == NULL || sockfd < 0)
*/
esp_err_t esp_tls_set_conn_sockfd ( esp_tls_t * tls , int sockfd ) ;
/**
* @brief Gets the connection state for the esp_tls session
*
* @param[in] tls handle to esp_tls context
*
* @param[out] conn_state pointer to the connection state value.
*
2024-11-18 07:47:50 +01:00
* @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
2023-04-10 13:55:05 +05:30
* - ESP_ERR_INVALID_ARG (Invalid arguments)
*/
esp_err_t esp_tls_get_conn_state ( esp_tls_t * tls , esp_tls_conn_state_t * conn_state ) ;
/**
* @brief Sets the connection state for the esp_tls session
*
* @param[in] tls handle to esp_tls context
*
* @param[in] conn_state connection state value to set.
*
2024-11-18 07:47:50 +01:00
* @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
2023-04-10 13:55:05 +05:30
* - ESP_ERR_INVALID_ARG (Invalid arguments)
*/
esp_err_t esp_tls_set_conn_state ( esp_tls_t * tls , esp_tls_conn_state_t conn_state ) ;
2022-04-20 11:30:56 +05:30
/**
* @brief Returns the ssl context
*
* @param[in] tls handle to esp_tls context
*
*
* @return - ssl_ctx pointer to ssl context of underlying TLS layer on success
* - NULL in case of error
*/
void * esp_tls_get_ssl_context ( esp_tls_t * tls ) ;
2018-10-04 16:05:02 +05:30
/**
2018-11-01 11:11:16 -07:00
* @brief Create a global CA store, initially empty.
2018-10-04 16:05:02 +05:30
*
2018-11-01 11:11:16 -07:00
* This function should be called if the application wants to use the same CA store for multiple connections.
* This function initialises the global CA store which can be then set by calling esp_tls_set_global_ca_store().
* To be effective, this function must be called before any call to esp_tls_set_global_ca_store().
*
* @return
* - ESP_OK if creating global CA store was successful.
2024-11-18 07:47:50 +01:00
* - ESP_ERR_NO_MEM if an error occurred when allocating the mbedTLS resources.
2018-11-01 11:11:16 -07:00
*/
2019-07-16 16:33:30 +07:00
esp_err_t esp_tls_init_global_ca_store ( void ) ;
2018-11-01 11:11:16 -07:00
/**
* @brief Set the global CA store with the buffer provided in pem format.
*
* This function should be called if the application wants to set the global CA store for
* multiple connections i.e. to add the certificates in the provided buffer to the certificate chain.
* This function implicitly calls esp_tls_init_global_ca_store() if it has not already been called.
* The application must call this function before calling esp_tls_conn_new().
2018-10-04 16:05:02 +05:30
*
* @param[in] cacert_pem_buf Buffer which has certificates in pem format. This buffer
* is used for creating a global CA store, which can be used
* by other tls connections.
* @param[in] cacert_pem_bytes Length of the buffer.
*
* @return
2018-11-01 11:11:16 -07:00
* - ESP_OK if adding certificates was successful.
2024-11-18 07:47:50 +01:00
* - Other if an error occurred or an action must be taken by the calling process.
2018-10-04 16:05:02 +05:30
*/
esp_err_t esp_tls_set_global_ca_store ( const unsigned char * cacert_pem_buf , const unsigned int cacert_pem_bytes ) ;
/**
* @brief Free the global CA store currently being used.
*
* The memory being used by the global CA store to store all the parsed certificates is
* freed up. The application can call this API if it no longer needs the global CA store.
*/
2019-07-16 16:33:30 +07:00
void esp_tls_free_global_ca_store ( void ) ;
2018-10-04 16:05:02 +05:30
2019-04-09 16:08:05 +02:00
/**
2019-04-16 11:58:38 +02:00
* @brief Returns last error in esp_tls with detailed mbedtls related error codes.
* The error information is cleared internally upon return
2019-04-09 16:08:05 +02:00
*
2019-04-16 11:58:38 +02:00
* @param[in] h esp-tls error handle.
2019-09-07 16:24:54 +05:30
* @param[out] esp_tls_code last error code returned from mbedtls api (set to zero if none)
* This pointer could be NULL if caller does not care about esp_tls_code
* @param[out] esp_tls_flags last certification verification flags (set to zero if none)
* This pointer could be NULL if caller does not care about esp_tls_code
2019-04-09 16:08:05 +02:00
*
* @return
2019-04-16 11:58:38 +02:00
* - ESP_ERR_INVALID_STATE if invalid parameters
* - ESP_OK (0) if no error occurred
2019-04-09 16:08:05 +02:00
* - specific error code (based on ESP_ERR_ESP_TLS_BASE) otherwise
*/
2019-09-07 16:24:54 +05:30
esp_err_t esp_tls_get_and_clear_last_error ( esp_tls_error_handle_t h , int * esp_tls_code , int * esp_tls_flags ) ;
2020-04-08 20:04:33 +02:00
/**
* @brief Returns the last error captured in esp_tls of a specific type
* The error information is cleared internally upon return
*
* @param[in] h esp-tls error handle.
* @param[in] err_type specific error type
* @param[out] error_code last error code returned from mbedtls api (set to zero if none)
* This pointer could be NULL if caller does not care about esp_tls_code
* @return
* - ESP_ERR_INVALID_STATE if invalid parameters
* - ESP_OK if a valid error returned and was cleared
*/
esp_err_t esp_tls_get_and_clear_error_type ( esp_tls_error_handle_t h , esp_tls_error_type_t err_type , int * error_code ) ;
2022-04-20 08:09:13 +05:30
/**
* @brief Returns the ESP-TLS error_handle
*
* @param[in] tls handle to esp_tls context
*
* @param[out] error_handle pointer to the error handle.
*
* @return
* - ESP_OK on success and error_handle will be updated with the ESP-TLS error handle.
*
2022-04-20 11:30:56 +05:30
* - ESP_ERR_INVALID_ARG if (tls == NULL || error_handle == NULL)
2022-04-20 08:09:13 +05:30
*/
esp_err_t esp_tls_get_error_handle ( esp_tls_t * tls , esp_tls_error_handle_t * error_handle ) ;
2019-09-07 16:24:54 +05:30
# if CONFIG_ESP_TLS_USING_MBEDTLS
/**
* @brief Get the pointer to the global CA store currently being used.
*
* The application must first call esp_tls_set_global_ca_store(). Then the same
* CA store could be used by the application for APIs other than esp_tls.
*
* @note Modifying the pointer might cause a failure in verifying the certificates.
*
* @return
* - Pointer to the global CA store currently being used if successful.
* - NULL if there is no global CA store set.
*/
mbedtls_x509_crt * esp_tls_get_global_ca_store ( void ) ;
2019-04-09 16:08:05 +02:00
2023-04-20 17:45:25 +08:00
/**
* @brief Get supported TLS ciphersuites list.
*
* See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 for the list of ciphersuites
*
* @return Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
*
*/
const int * esp_tls_get_ciphersuites_list ( void ) ;
2024-10-23 22:10:16 +05:30
/**
* @brief Initialize server side TLS/SSL connection
*
* This function should be used to initialize the server side TLS/SSL connection when the
* application wants to handle the TLS/SSL connection asynchronously with the help of
* esp_tls_server_session_continue_async() function.
*
* @param[in] cfg Pointer to esp_tls_cfg_server_t
* @param[in] sockfd FD of accepted connection
* @param[out] tls Pointer to allocated esp_tls_t
*
* @return
* - ESP_OK if successful
* - ESP_ERR_INVALID_ARG if invalid arguments
* - ESP_FAIL if server session setup failed
*/
esp_err_t esp_tls_server_session_init ( esp_tls_cfg_server_t * cfg , int sockfd , esp_tls_t * tls ) ;
/**
* @brief Asynchronous continue of esp_tls_server_session_init
*
* This function should be called in a loop by the user until it returns 0. If this functions returns
* something other than 0, ESP_TLS_ERR_SSL_WANT_READ or ESP_TLS_ERR_SSL_WANT_WRITE,
* the esp-tls context must not be used and should be freed using esp_tls_conn_destroy();
*
* @param[in] tls pointer to esp_tls_t
*
* @return
* - 0 if successful
* - <0 in case of error
* - ESP_TLS_ERR_SSL_WANT_READ/ESP_TLS_ERR_SSL_WANT_WRITE
* if the handshake is incomplete and waiting for data to be available for reading.
*/
int esp_tls_server_session_continue_async ( esp_tls_t * tls ) ;
2020-01-17 14:57:08 +05:30
# endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
2019-05-28 11:19:02 +05:30
/**
* @brief Create TLS/SSL server session
*
* This function creates a TLS/SSL server context for already accepted client connection
* and performs TLS/SSL handshake with the client
*
* @param[in] cfg Pointer to esp_tls_cfg_server_t
* @param[in] sockfd FD of accepted connection
* @param[out] tls Pointer to allocated esp_tls_t
*
* @return
* - 0 if successful
* - <0 in case of error
*
*/
int esp_tls_server_session_create ( esp_tls_cfg_server_t * cfg , int sockfd , esp_tls_t * tls ) ;
/**
* @brief Close the server side TLS/SSL connection and free any allocated resources.
*
* This function should be called to close each tls connection opened with esp_tls_server_session_create()
*
* @param[in] tls pointer to esp_tls_t
*/
void esp_tls_server_session_delete ( esp_tls_t * tls ) ;
2018-08-07 23:24:57 +05:30
2021-05-04 10:23:52 +02:00
/**
* @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle
*
* @param[in] host Hostname of the host.
* @param[in] hostlen Length of hostname.
* @param[in] port Port number of the host.
* @param[in] cfg ESP-TLS configuration as esp_tls_cfg_t.
* @param[out] error_handle ESP-TLS error handle holding potential errors occurred during connection
* @param[out] sockfd Socket descriptor if successfully connected on TCP layer
* @return ESP_OK on success
2021-05-19 12:58:06 +02:00
* ESP_ERR_INVALID_ARG if invalid output parameters
2021-05-04 10:23:52 +02:00
* ESP-TLS based error codes on failure
*/
2021-05-19 12:58:06 +02:00
esp_err_t esp_tls_plain_tcp_connect ( const char * host , int hostlen , int port , const esp_tls_cfg_t * cfg , esp_tls_error_handle_t error_handle , int * sockfd ) ;
2021-05-04 10:23:52 +02:00
2021-07-23 17:00:32 +05:30
# ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
/**
* @brief Obtain the client session ticket
*
* This function should be called when the TLS connection is already established.
2022-03-24 12:36:00 +05:30
* This can be passed again in the esp_tls_cfg_t structure, to appropriate tls session create (e.g. esp_tls_conn_http_new_sync) API for session resumption.
2021-07-23 17:00:32 +05:30
*
* @param[in] esp_tls context as esp_tls_t
* @return
* Pointer to the saved client session.
* NULL on Failure
*/
esp_tls_client_session_t * esp_tls_get_client_session ( esp_tls_t * tls ) ;
2022-05-17 17:14:57 +08:00
/**
* @brief Free the client session
*
* This function should be called after esp_tls_get_client_session().
*
* @param[in] client_session context as esp_tls_client_session_t
*
*/
void esp_tls_free_client_session ( esp_tls_client_session_t * client_session ) ;
2021-07-23 17:00:32 +05:30
# endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
2017-11-30 11:35:34 +05:30
# ifdef __cplusplus
}
# endif
2018-02-03 09:01:45 +05:30
# endif /* ! _ESP_TLS_H_ */
