1 /*
2 * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #ifndef _ESP_TLS_H_
7 #define _ESP_TLS_H_
8
9 #include <stdbool.h>
10 #include <sys/socket.h>
11 #include <fcntl.h>
12 #include "esp_err.h"
13 #include "esp_tls_errors.h"
14 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
15 #include "mbedtls/platform.h"
16 #include "mbedtls/net_sockets.h"
17 #include "mbedtls/esp_debug.h"
18 #include "mbedtls/ssl.h"
19 #include "mbedtls/entropy.h"
20 #include "mbedtls/ctr_drbg.h"
21 #include "mbedtls/error.h"
22 #include "mbedtls/certs.h"
23 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
24 #include "mbedtls/ssl_ticket.h"
25 #endif
26 #elif CONFIG_ESP_TLS_USING_WOLFSSL
27 #include "wolfssl/wolfcrypt/settings.h"
28 #include "wolfssl/ssl.h"
29 #endif
30
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34
35 /**
36 * @brief ESP-TLS Connection State
37 */
38 typedef enum esp_tls_conn_state {
39 ESP_TLS_INIT = 0,
40 ESP_TLS_CONNECTING,
41 ESP_TLS_HANDSHAKE,
42 ESP_TLS_FAIL,
43 ESP_TLS_DONE,
44 } esp_tls_conn_state_t;
45
46 typedef enum esp_tls_role {
47 ESP_TLS_CLIENT = 0,
48 ESP_TLS_SERVER,
49 } esp_tls_role_t;
50
51 /**
52 * @brief ESP-TLS preshared key and hint structure
53 */
54 typedef struct psk_key_hint {
55 const uint8_t* key; /*!< key in PSK authentication mode in binary format */
56 const size_t key_size; /*!< length of the key */
57 const char* hint; /*!< hint in PSK authentication mode in string format */
58 } psk_hint_key_t;
59
60 /**
61 * @brief esp-tls client session ticket ctx
62 */
63 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
64 typedef struct esp_tls_client_session {
65 mbedtls_ssl_session saved_session;
66 } esp_tls_client_session_t;
67 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
68
69 /**
70 * @brief Keep alive parameters structure
71 */
72 typedef struct tls_keep_alive_cfg {
73 bool keep_alive_enable; /*!< Enable keep-alive timeout */
74 int keep_alive_idle; /*!< Keep-alive idle time (second) */
75 int keep_alive_interval; /*!< Keep-alive interval time (second) */
76 int keep_alive_count; /*!< Keep-alive packet retry send count */
77 } tls_keep_alive_cfg_t;
78
79 /**
80 * @brief ESP-TLS configuration parameters
81 *
82 * @note Note about format of certificates:
83 * - This structure includes certificates of a Certificate Authority, of client or server as well
84 * as private keys, which may be of PEM or DER format. In case of PEM format, the buffer must be
85 * NULL terminated (with NULL character included in certificate size).
86 * - Certificate Authority's certificate may be a chain of certificates in case of PEM format,
87 * but could be only one certificate in case of DER format
88 * - Variables names of certificates and private key buffers and sizes are defined as unions providing
89 * backward compatibility for legacy *_pem_buf and *_pem_bytes names which suggested only PEM format
90 * was supported. It is encouraged to use generic names such as cacert_buf and cacert_bytes.
91 */
92 typedef struct esp_tls_cfg {
93 const char **alpn_protos; /*!< Application protocols required for HTTP2.
94 If HTTP2/ALPN support is required, a list
95 of protocols that should be negotiated.
96 The format is length followed by protocol
97 name.
98 For the most common cases the following is ok:
99 const char **alpn_protos = { "h2", NULL };
100 - where 'h2' is the protocol name */
101
102 union {
103 const unsigned char *cacert_buf; /*!< Certificate Authority's certificate in a buffer.
104 Format may be PEM or DER, depending on mbedtls-support
105 This buffer should be NULL terminated in case of PEM */
106 const unsigned char *cacert_pem_buf; /*!< CA certificate buffer legacy name */
107 };
108
109 union {
110 unsigned int cacert_bytes; /*!< Size of Certificate Authority certificate
111 pointed to by cacert_buf
112 (including NULL-terminator in case of PEM format) */
113 unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate legacy name */
114 };
115
116 union {
117 const unsigned char *clientcert_buf; /*!< Client certificate in a buffer
118 Format may be PEM or DER, depending on mbedtls-support
119 This buffer should be NULL terminated in case of PEM */
120 const unsigned char *clientcert_pem_buf; /*!< Client certificate legacy name */
121 };
122
123 union {
124 unsigned int clientcert_bytes; /*!< Size of client certificate pointed to by
125 clientcert_pem_buf
126 (including NULL-terminator in case of PEM format) */
127 unsigned int clientcert_pem_bytes; /*!< Size of client certificate legacy name */
128 };
129
130 union {
131 const unsigned char *clientkey_buf; /*!< Client key in a buffer
132 Format may be PEM or DER, depending on mbedtls-support
133 This buffer should be NULL terminated in case of PEM */
134 const unsigned char *clientkey_pem_buf; /*!< Client key legacy name */
135 };
136
137 union {
138 unsigned int clientkey_bytes; /*!< Size of client key pointed to by
139 clientkey_pem_buf
140 (including NULL-terminator in case of PEM format) */
141 unsigned int clientkey_pem_bytes; /*!< Size of client key legacy name */
142 };
143
144 const unsigned char *clientkey_password;/*!< Client key decryption password string */
145
146 unsigned int clientkey_password_len; /*!< String length of the password pointed to by
147 clientkey_password */
148
149 bool non_block; /*!< Configure non-blocking mode. If set to true the
150 underneath socket will be configured in non
151 blocking mode after tls session is established */
152
153 bool use_secure_element; /*!< Enable this option to use secure element or
154 atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */
155
156 int timeout_ms; /*!< Network timeout in milliseconds */
157
158 bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
159 this bool is set. */
160
161 const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
162 If NULL, server certificate CN must match hostname. */
163
164 bool skip_common_name; /*!< Skip any validation of server certificate CN field */
165
166 tls_keep_alive_cfg_t *keep_alive_cfg; /*!< Enable TCP keep-alive timeout for SSL connection */
167
168 const psk_hint_key_t* psk_hint_key; /*!< Pointer to PSK hint and key. if not NULL (and certificates are NULL)
169 then PSK authentication is enabled with configured setup.
170 Important note: the pointer must be valid for connection */
171
172 esp_err_t (*crt_bundle_attach)(void *conf);
173 /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
174 bundle for server verification, must be enabled in menuconfig */
175
176 void *ds_data; /*!< Pointer for digital signature peripheral context */
177 bool is_plain_tcp; /*!< Use non-TLS connection: When set to true, the esp-tls uses
178 plain TCP transport rather then TLS/SSL connection.
179 Note, that it is possible to connect using a plain tcp transport
180 directly with esp_tls_plain_tcp_connect() API */
181
182 struct ifreq *if_name; /*!< The name of interface for data to go through. Use the default interface without setting */
183
184 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
185 esp_tls_client_session_t *client_session; /*! Pointer for the client session ticket context. */
186 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
187 } esp_tls_cfg_t;
188
189 #ifdef CONFIG_ESP_TLS_SERVER
190 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
191 /**
192 * @brief Data structures necessary to support TLS session tickets according to RFC5077
193 */
194 typedef struct esp_tls_server_session_ticket_ctx {
195 mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
196
197 mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure.
198 CTR_DRBG is deterministic random
199 bit generation based on AES-256 */
200 mbedtls_ssl_ticket_context ticket_ctx; /*!< Session ticket generation context */
201 } esp_tls_server_session_ticket_ctx_t;
202 #endif
203
204 typedef struct esp_tls_cfg_server {
205 const char **alpn_protos; /*!< Application protocols required for HTTP2.
206 If HTTP2/ALPN support is required, a list
207 of protocols that should be negotiated.
208 The format is length followed by protocol
209 name.
210 For the most common cases the following is ok:
211 const char **alpn_protos = { "h2", NULL };
212 - where 'h2' is the protocol name */
213
214 union {
215 const unsigned char *cacert_buf; /*!< Client CA certificate in a buffer.
216 This buffer should be NULL terminated */
217 const unsigned char *cacert_pem_buf; /*!< Client CA certificate legacy name */
218 };
219
220 union {
221 unsigned int cacert_bytes; /*!< Size of client CA certificate
222 pointed to by cacert_pem_buf */
223 unsigned int cacert_pem_bytes; /*!< Size of client CA certificate legacy name */
224 };
225
226 union {
227 const unsigned char *servercert_buf; /*!< Server certificate in a buffer
228 This buffer should be NULL terminated */
229 const unsigned char *servercert_pem_buf; /*!< Server certificate legacy name */
230 };
231
232 union {
233 unsigned int servercert_bytes; /*!< Size of server certificate pointed to by
234 servercert_pem_buf */
235 unsigned int servercert_pem_bytes; /*!< Size of server certificate legacy name */
236 };
237
238 union {
239 const unsigned char *serverkey_buf; /*!< Server key in a buffer
240 This buffer should be NULL terminated */
241 const unsigned char *serverkey_pem_buf; /*!< Server key legacy name */
242 };
243
244 union {
245 unsigned int serverkey_bytes; /*!< Size of server key pointed to by
246 serverkey_pem_buf */
247 unsigned int serverkey_pem_bytes; /*!< Size of server key legacy name */
248 };
249
250 const unsigned char *serverkey_password; /*!< Server key decryption password string */
251
252 unsigned int serverkey_password_len; /*!< String length of the password pointed to by
253 serverkey_password */
254
255 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
256 esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
257 You have to call esp_tls_cfg_server_session_tickets_init
258 to use it.
259 Call esp_tls_cfg_server_session_tickets_free
260 to free the data associated with this context. */
261 #endif
262 } esp_tls_cfg_server_t;
263
264 /**
265 * @brief Initialize the server side TLS session ticket context
266 *
267 * This function initializes the server side tls session ticket context
268 * which holds all necessary data structures to enable tls session tickets
269 * according to RFC5077.
270 * Use esp_tls_cfg_server_session_tickets_free to free the data.
271 *
272 * @param[in] cfg server configuration as esp_tls_cfg_server_t
273 * @return
274 * ESP_OK if setup succeeded
275 * ESP_ERR_INVALID_ARG if context is already initialized
276 * ESP_ERR_NO_MEM if memory allocation failed
277 * ESP_ERR_NOT_SUPPORTED if session tickets are not available due to build configuration
278 * ESP_FAIL if setup failed
279 */
280 esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
281
282 /**
283 * @brief Free the server side TLS session ticket context
284 *
285 * @param cfg server configuration as esp_tls_cfg_server_t
286 */
287 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
288 #endif /* ! CONFIG_ESP_TLS_SERVER */
289
290 /**
291 * @brief ESP-TLS Connection Handle
292 */
293 typedef struct esp_tls {
294 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
295 mbedtls_ssl_context ssl; /*!< TLS/SSL context */
296
297 mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
298
299 mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure.
300 CTR_DRBG is deterministic random
301 bit generation based on AES-256 */
302
303 mbedtls_ssl_config conf; /*!< TLS/SSL configuration to be shared
304 between mbedtls_ssl_context
305 structures */
306
307 mbedtls_net_context server_fd; /*!< mbedTLS wrapper type for sockets */
308
309 mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */
310
311 mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */
312
313 mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */
314
315 mbedtls_pk_context clientkey; /*!< Container for the private key of the client
316 certificate */
317 #ifdef CONFIG_ESP_TLS_SERVER
318 mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */
319
320 mbedtls_pk_context serverkey; /*!< Container for the private key of the server
321 certificate */
322 #endif
323 #elif CONFIG_ESP_TLS_USING_WOLFSSL
324 void *priv_ctx;
325 void *priv_ssl;
326 #endif
327 int sockfd; /*!< Underlying socket file descriptor. */
328
329 ssize_t (*read)(struct esp_tls *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL
330 connection. */
331
332 ssize_t (*write)(struct esp_tls *tls, const char *data, size_t datalen); /*!< Callback function for writing data to TLS/SSL
333 connection. */
334
335 esp_tls_conn_state_t conn_state; /*!< ESP-TLS Connection state */
336
337 fd_set rset; /*!< read file descriptors */
338
339 fd_set wset; /*!< write file descriptors */
340
341 bool is_tls; /*!< indicates connection type (TLS or NON-TLS) */
342
343 esp_tls_role_t role; /*!< esp-tls role
344 - ESP_TLS_CLIENT
345 - ESP_TLS_SERVER */
346
347 esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */
348
349 } esp_tls_t;
350
351
352 /**
353 * @brief Create TLS connection
354 *
355 * This function allocates and initializes esp-tls structure handle.
356 *
357 * @return tls Pointer to esp-tls as esp-tls handle if successfully initialized,
358 * NULL if allocation error
359 */
360 esp_tls_t *esp_tls_init(void);
361
362
363
364
365 /**
366 * @brief Create a new blocking TLS/SSL connection
367 *
368 * This function establishes a TLS/SSL connection with the specified host in blocking manner.
369 *
370 * Note: This API is present for backward compatibility reasons. Alternative function
371 * with the same functionality is `esp_tls_conn_new_sync` (and its asynchronous version
372 * `esp_tls_conn_new_async`)
373 *
374 * @param[in] hostname Hostname of the host.
375 * @param[in] hostlen Length of hostname.
376 * @param[in] port Port number of the host.
377 * @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
378 * non-TLS connection, keep this NULL. For TLS connection,
379 * a pass pointer to esp_tls_cfg_t. At a minimum, this
380 * structure should be zero-initialized.
381 *
382 * @return pointer to esp_tls_t, or NULL if connection couldn't be opened.
383 */
384 esp_tls_t *esp_tls_conn_new(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg) __attribute__ ((deprecated));
385
386 /**
387 * @brief Create a new blocking TLS/SSL connection
388 *
389 * This function establishes a TLS/SSL connection with the specified host in blocking manner.
390 *
391 * @param[in] hostname Hostname of the host.
392 * @param[in] hostlen Length of hostname.
393 * @param[in] port Port number of the host.
394 * @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
395 * non-TLS connection, keep this NULL. For TLS connection,
396 * a pass pointer to esp_tls_cfg_t. At a minimum, this
397 * structure should be zero-initialized.
398 * @param[in] tls Pointer to esp-tls as esp-tls handle.
399 *
400 * @return
401 * - -1 If connection establishment fails.
402 * - 1 If connection establishment is successful.
403 * - 0 If connection state is in progress.
404 */
405 int esp_tls_conn_new_sync(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
406
407 /**
408 * @brief Create a new blocking TLS/SSL connection with a given "HTTP" url
409 *
410 * The behaviour is same as esp_tls_conn_new() API. However this API accepts host's url.
411 *
412 * @param[in] url url of host.
413 * @param[in] cfg TLS configuration as esp_tls_cfg_t. If you wish to open
414 * non-TLS connection, keep this NULL. For TLS connection,
415 * a pass pointer to 'esp_tls_cfg_t'. At a minimum, this
416 * structure should be zero-initialized.
417 * @return pointer to esp_tls_t, or NULL if connection couldn't be opened.
418 */
419 esp_tls_t *esp_tls_conn_http_new(const char *url, const esp_tls_cfg_t *cfg);
420
421 /**
422 * @brief Create a new non-blocking TLS/SSL connection
423 *
424 * This function initiates a non-blocking TLS/SSL connection with the specified host, but due to
425 * its non-blocking nature, it doesn't wait for the connection to get established.
426 *
427 * @param[in] hostname Hostname of the host.
428 * @param[in] hostlen Length of hostname.
429 * @param[in] port Port number of the host.
430 * @param[in] cfg TLS configuration as esp_tls_cfg_t. `non_block` member of
431 * this structure should be set to be true.
432 * @param[in] tls pointer to esp-tls as esp-tls handle.
433 *
434 * @return
435 * - -1 If connection establishment fails.
436 * - 0 If connection establishment is in progress.
437 * - 1 If connection establishment is successful.
438 */
439 int esp_tls_conn_new_async(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
440
441 /**
442 * @brief Create a new non-blocking TLS/SSL connection with a given "HTTP" url
443 *
444 * The behaviour is same as esp_tls_conn_new() API. However this API accepts host's url.
445 *
446 * @param[in] url url of host.
447 * @param[in] cfg TLS configuration as esp_tls_cfg_t.
448 * @param[in] tls pointer to esp-tls as esp-tls handle.
449 *
450 * @return
451 * - -1 If connection establishment fails.
452 * - 0 If connection establishment is in progress.
453 * - 1 If connection establishment is successful.
454 */
455 int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
456
457 /**
458 * @brief Write from buffer 'data' into specified tls connection.
459 *
460 * @param[in] tls pointer to esp-tls as esp-tls handle.
461 * @param[in] data Buffer from which data will be written.
462 * @param[in] datalen Length of data buffer.
463 *
464 * @return
465 * - >=0 if write operation was successful, the return value is the number
466 * of bytes actually written to the TLS/SSL connection.
467 * - <0 if write operation was not successful, because either an
468 * error occured or an action must be taken by the calling process.
469 * - ESP_TLS_ERR_SSL_WANT_READ/
470 * ESP_TLS_ERR_SSL_WANT_WRITE.
471 * if the handshake is incomplete and waiting for data to be available for reading.
472 * In this case this functions needs to be called again when the underlying transport is ready for operation.
473 */
esp_tls_conn_write(esp_tls_t * tls,const void * data,size_t datalen)474 static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen)
475 {
476 return tls->write(tls, (char *)data, datalen);
477 }
478
479 /**
480 * @brief Read from specified tls connection into the buffer 'data'.
481 *
482 * @param[in] tls pointer to esp-tls as esp-tls handle.
483 * @param[in] data Buffer to hold read data.
484 * @param[in] datalen Length of data buffer.
485 *
486 * @return
487 * - >0 if read operation was successful, the return value is the number
488 * of bytes actually read from the TLS/SSL connection.
489 * - 0 if read operation was not successful. The underlying
490 * connection was closed.
491 * - <0 if read operation was not successful, because either an
492 * error occured or an action must be taken by the calling process.
493 */
esp_tls_conn_read(esp_tls_t * tls,void * data,size_t datalen)494 static inline ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen)
495 {
496 return tls->read(tls, (char *)data, datalen);
497 }
498
499 /**
500 * @brief Compatible version of esp_tls_conn_destroy() to close the TLS/SSL connection
501 *
502 * @note This API will be removed in IDFv5.0
503 *
504 * @param[in] tls pointer to esp-tls as esp-tls handle.
505 */
506 void esp_tls_conn_delete(esp_tls_t *tls);
507
508 /**
509 * @brief Close the TLS/SSL connection and free any allocated resources.
510 *
511 * This function should be called to close each tls connection opened with esp_tls_conn_new() or
512 * esp_tls_conn_http_new() APIs.
513 *
514 * @param[in] tls pointer to esp-tls as esp-tls handle.
515 *
516 * @return - 0 on success
517 * - -1 if socket error or an invalid argument
518 */
519 int esp_tls_conn_destroy(esp_tls_t *tls);
520
521 /**
522 * @brief Return the number of application data bytes remaining to be
523 * read from the current record
524 *
525 * This API is a wrapper over mbedtls's mbedtls_ssl_get_bytes_avail() API.
526 *
527 * @param[in] tls pointer to esp-tls as esp-tls handle.
528 *
529 * @return
530 * - -1 in case of invalid arg
531 * - bytes available in the application data
532 * record read buffer
533 */
534 ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls);
535
536 /**
537 * @brief Returns the connection socket file descriptor from esp_tls session
538 *
539 * @param[in] tls handle to esp_tls context
540 *
541 * @param[out] sockfd int pointer to sockfd value.
542 *
543 * @return - ESP_OK on success and value of sockfd will be updated with socket file descriptor for connection
544 * - ESP_ERR_INVALID_ARG if (tls == NULL || sockfd == NULL)
545 */
546 esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd);
547
548 /**
549 * @brief Create a global CA store, initially empty.
550 *
551 * This function should be called if the application wants to use the same CA store for multiple connections.
552 * This function initialises the global CA store which can be then set by calling esp_tls_set_global_ca_store().
553 * To be effective, this function must be called before any call to esp_tls_set_global_ca_store().
554 *
555 * @return
556 * - ESP_OK if creating global CA store was successful.
557 * - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources.
558 */
559 esp_err_t esp_tls_init_global_ca_store(void);
560
561 /**
562 * @brief Set the global CA store with the buffer provided in pem format.
563 *
564 * This function should be called if the application wants to set the global CA store for
565 * multiple connections i.e. to add the certificates in the provided buffer to the certificate chain.
566 * This function implicitly calls esp_tls_init_global_ca_store() if it has not already been called.
567 * The application must call this function before calling esp_tls_conn_new().
568 *
569 * @param[in] cacert_pem_buf Buffer which has certificates in pem format. This buffer
570 * is used for creating a global CA store, which can be used
571 * by other tls connections.
572 * @param[in] cacert_pem_bytes Length of the buffer.
573 *
574 * @return
575 * - ESP_OK if adding certificates was successful.
576 * - Other if an error occured or an action must be taken by the calling process.
577 */
578 esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
579
580 /**
581 * @brief Free the global CA store currently being used.
582 *
583 * The memory being used by the global CA store to store all the parsed certificates is
584 * freed up. The application can call this API if it no longer needs the global CA store.
585 */
586 void esp_tls_free_global_ca_store(void);
587
588 /**
589 * @brief Returns last error in esp_tls with detailed mbedtls related error codes.
590 * The error information is cleared internally upon return
591 *
592 * @param[in] h esp-tls error handle.
593 * @param[out] esp_tls_code last error code returned from mbedtls api (set to zero if none)
594 * This pointer could be NULL if caller does not care about esp_tls_code
595 * @param[out] esp_tls_flags last certification verification flags (set to zero if none)
596 * This pointer could be NULL if caller does not care about esp_tls_code
597 *
598 * @return
599 * - ESP_ERR_INVALID_STATE if invalid parameters
600 * - ESP_OK (0) if no error occurred
601 * - specific error code (based on ESP_ERR_ESP_TLS_BASE) otherwise
602 */
603 esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tls_code, int *esp_tls_flags);
604
605 /**
606 * @brief Returns the last error captured in esp_tls of a specific type
607 * The error information is cleared internally upon return
608 *
609 * @param[in] h esp-tls error handle.
610 * @param[in] err_type specific error type
611 * @param[out] error_code last error code returned from mbedtls api (set to zero if none)
612 * This pointer could be NULL if caller does not care about esp_tls_code
613 * @return
614 * - ESP_ERR_INVALID_STATE if invalid parameters
615 * - ESP_OK if a valid error returned and was cleared
616 */
617 esp_err_t esp_tls_get_and_clear_error_type(esp_tls_error_handle_t h, esp_tls_error_type_t err_type, int *error_code);
618
619 #if CONFIG_ESP_TLS_USING_MBEDTLS
620 /**
621 * @brief Get the pointer to the global CA store currently being used.
622 *
623 * The application must first call esp_tls_set_global_ca_store(). Then the same
624 * CA store could be used by the application for APIs other than esp_tls.
625 *
626 * @note Modifying the pointer might cause a failure in verifying the certificates.
627 *
628 * @return
629 * - Pointer to the global CA store currently being used if successful.
630 * - NULL if there is no global CA store set.
631 */
632 mbedtls_x509_crt *esp_tls_get_global_ca_store(void);
633
634 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
635 #ifdef CONFIG_ESP_TLS_SERVER
636 /**
637 * @brief Create TLS/SSL server session
638 *
639 * This function creates a TLS/SSL server context for already accepted client connection
640 * and performs TLS/SSL handshake with the client
641 *
642 * @param[in] cfg Pointer to esp_tls_cfg_server_t
643 * @param[in] sockfd FD of accepted connection
644 * @param[out] tls Pointer to allocated esp_tls_t
645 *
646 * @return
647 * - 0 if successful
648 * - <0 in case of error
649 *
650 */
651 int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls_t *tls);
652
653 /**
654 * @brief Close the server side TLS/SSL connection and free any allocated resources.
655 *
656 * This function should be called to close each tls connection opened with esp_tls_server_session_create()
657 *
658 * @param[in] tls pointer to esp_tls_t
659 */
660 void esp_tls_server_session_delete(esp_tls_t *tls);
661 #endif /* ! CONFIG_ESP_TLS_SERVER */
662
663 /**
664 * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle
665 *
666 * @param[in] host Hostname of the host.
667 * @param[in] hostlen Length of hostname.
668 * @param[in] port Port number of the host.
669 * @param[in] cfg ESP-TLS configuration as esp_tls_cfg_t.
670 * @param[out] error_handle ESP-TLS error handle holding potential errors occurred during connection
671 * @param[out] sockfd Socket descriptor if successfully connected on TCP layer
672 * @return ESP_OK on success
673 * ESP_ERR_INVALID_ARG if invalid output parameters
674 * ESP-TLS based error codes on failure
675 */
676 esp_err_t esp_tls_plain_tcp_connect(const char *host, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_error_handle_t error_handle, int *sockfd);
677
678 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
679 /**
680 * @brief Obtain the client session ticket
681 *
682 * This function should be called when the TLS connection is already established.
683 * This can be passed again in the esp_tls_cfg_t structure, to appropriate tls session create (e.g. esp_tls_conn_http_new) API for session resumption.
684 *
685 * @param[in] esp_tls context as esp_tls_t
686 * @return
687 * Pointer to the saved client session.
688 * NULL on Failure
689 */
690 esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls);
691 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
692 #ifdef __cplusplus
693 }
694 #endif
695
696 #endif /* ! _ESP_TLS_H_ */
697
