This package includes the SharkSSL lite library and header files.
Dependents: WebSocket-Client-Example SharkMQ-LED-Demo
SharkSSL-Lite
Description: SharkSSL is an SSL v3.0 TLS v1.0/1.1/1.2 implementation of the TLS and SSL protocol standard. With its array of compile-time options and Raycrypto proprietary cryptographic algorithms, SharkSSL can be fine-tuned to a footprint that occupies less than 20 kB, while maintaining full x.509 authentication. The SharkSSL-Lite download includes a subset of SharkSSL and header files made for use in non-commercial and for evaluation purposes.
Features
- SSL|TLS v1.2
- Size: 21kB
- Encryption: Elliptic Curve Cryptography (ECC) | ChaCha20/Poly1305
- SharkSSL Online Documentation
- SMQ (Simple Message Queues) Client and SMQ Documentation
- Secure WebSocket Client
- Secure MQTT Client
Examples
- SharkMQ LED Demo: Secure control of LEDs on your mbed board using a browser.
- WebSocket Client: Connect to ELIZA the Psychotherapist
Limitations
SharkSSL-Lite includes a limited set of ciphers. To use SharkSSL-Lite, the peer side must support Elliptic Curve Cryptography (ECC) and you must use ECC certificates. The peer side must also support the new ChaCha20/Poly1305 cipher combination.
ChaCha20 and Poly1305 for TLS is published RFC 7905. The development of this new cipher was a response to many attacks discovered against other widely used TLS cipher suites. ChaCha20 is the cipher and Poly1305 is an authenticated encryption mode.
SharkSSL-Lite occupies less than 20kB, while maintaining full x.509 authentication. The ChaCha20/Poly1305 cipher software implementation is equally as fast as many hardware accelerated AES engines.
Creating ECC Certificates for SharkSSL-Lite
The following video shows how to create an Elliptic Curve Cryptography (ECC) certificate for a server, how to install the certificate in the server, and how to make the mbed clients connecting to the server trust this certificate. The server in this video is installed on a private/personal computer on a private network for test purposes. The video was produced for the embedded.com article How to run your own secure IoT cloud server.
Diff: inc/SharkSSL.h
- Revision:
- 0:e0adec41ad6b
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/inc/SharkSSL.h Wed Apr 06 00:46:36 2016 +0000 @@ -0,0 +1,2101 @@ +/* + * ____ _________ __ _ + * / __ \___ ____ _/ /_ __(_)___ ___ ___ / / ____ ____ _(_)____ + * / /_/ / _ \/ __ `/ / / / / / __ `__ \/ _ \/ / / __ \/ __ `/ / ___/ + * / _, _/ __/ /_/ / / / / / / / / / / / __/ /___/ /_/ / /_/ / / /__ + * /_/ |_|\___/\__,_/_/ /_/ /_/_/ /_/ /_/\___/_____/\____/\__, /_/\___/ + * /____/ + * + * SharkSSL Embedded SSL/TLS Stack + **************************************************************************** + * PROGRAM MODULE + * + * $Id: SharkSSL.h 3863 2016-03-19 02:15:11Z wini $ + * + * COPYRIGHT: Real Time Logic LLC, 2010 - 2013 + * + * This software is copyrighted by and is the sole property of Real + * Time Logic LLC. All rights, title, ownership, or other interests in + * the software remain the property of Real Time Logic LLC. This + * software may only be used in accordance with the terms and + * conditions stipulated in the corresponding license agreement under + * which the software has been supplied. Any unauthorized use, + * duplication, transmission, distribution, or disclosure of this + * software is expressly forbidden. + * + * This Copyright notice may not be removed or modified without prior + * written consent of Real Time Logic LLC. + * + * Real Time Logic LLC. reserves the right to modify this software + * without notice. + * + * http://www.realtimelogic.com + * http://www.sharkssl.com + **************************************************************************** + * + */ +#ifndef _SharkSsl_h +#define _SharkSsl_h + +#include "TargConfig.h" /* platform dependencies */ +#include "SharkSSL_cfg.h" /* SharkSSL configuration */ +#ifdef __cplusplus +#include <stddef.h> /* size_t for new, delete */ +#endif + +#ifndef SHARKSSL_API +#define SHARKSSL_API +#else /* Barracuda */ +#define SHARKSSL_BA 1 +#include <ThreadLib.h> +#include <BaServerLib.h> +#endif + +#include "SharkSslCrypto.h" /* Crypto API */ + +/** \defgroup ECDSA ECDSA sign/verify functions +\ingroup RayCryptoApi + +See [Signing and Verifying Binaries](@ref signing) for an example +of how to use the ECDSA ECDSA sign/verify functions. + +*/ + + + + +/** \addtogroup SharkSslAlert +@{ + +Alert messages are generated by SharkSSL or the peer side on errors. + +Alert messages are one of: fatal or warning. A fatal error means that +the connection must be closed. +*/ + +/** SSL/TLS warning message */ +#define SHARKSSL_ALERT_LEVEL_WARNING 1 + +/** Fatal error message. Connection must be closed. */ +#define SHARKSSL_ALERT_LEVEL_FATAL 2 + +/** \defgroup SharkSslAlertMsg SSL/TLS Alert Messages +\ingroup SharkSslAlert +@{ + +\brief Alert messages returned by function #SharkSslCon_getAlertDescription + +Alert messages are generated by SharkSSL when processing the incoming +data fails. Alert messages can also be received from the peer side, +when the peer fails to process the data. +*/ + +/** SHARKSSL_ALERT_CLOSE_NOTIFY */ +#define SHARKSSL_ALERT_CLOSE_NOTIFY 0 +/** SHARKSSL_ALERT_UNEXPECTED_MESSAGE */ +#define SHARKSSL_ALERT_UNEXPECTED_MESSAGE 10 +/** SHARKSSL_ALERT_BAD_RECORD_MAC */ +#define SHARKSSL_ALERT_BAD_RECORD_MAC 20 +/** SHARKSSL_ALERT_DECRYPTION_FAILED */ +#define SHARKSSL_ALERT_DECRYPTION_FAILED 21 +/** SHARKSSL_ALERT_RECORD_OVERFLOW */ +#define SHARKSSL_ALERT_RECORD_OVERFLOW 22 +/** SHARKSSL_ALERT_DECOMPRESSION_FAILURE */ +#define SHARKSSL_ALERT_DECOMPRESSION_FAILURE 30 +/** SHARKSSL_ALERT_HANDSHAKE_FAILURE */ +#define SHARKSSL_ALERT_HANDSHAKE_FAILURE 40 +/** SHARKSSL_ALERT_NO_CERTIFICATE */ +#define SHARKSSL_ALERT_NO_CERTIFICATE 41 /* SSL 3.0 only */ +/** SHARKSSL_ALERT_BAD_CERTIFICATE */ +#define SHARKSSL_ALERT_BAD_CERTIFICATE 42 +/** SHARKSSL_ALERT_UNSUPPORTED_CERTIFICATE */ +#define SHARKSSL_ALERT_UNSUPPORTED_CERTIFICATE 43 +/** SHARKSSL_ALERT_CERTIFICATE_REVOKED */ +#define SHARKSSL_ALERT_CERTIFICATE_REVOKED 44 +/** SHARKSSL_ALERT_CERTIFICATE_EXPIRED */ +#define SHARKSSL_ALERT_CERTIFICATE_EXPIRED 45 +/** SHARKSSL_ALERT_CERTIFICATE_UNKNOWN */ +#define SHARKSSL_ALERT_CERTIFICATE_UNKNOWN 46 +/** SHARKSSL_ALERT_ILLEGAL_PARAMETER */ +#define SHARKSSL_ALERT_ILLEGAL_PARAMETER 47 +/** SHARKSSL_ALERT_UNKNOWN_CA */ +#define SHARKSSL_ALERT_UNKNOWN_CA 48 +/** SHARKSSL_ALERT_ACCESS_DENIED */ +#define SHARKSSL_ALERT_ACCESS_DENIED 49 +/** SHARKSSL_ALERT_DECODE_ERROR */ +#define SHARKSSL_ALERT_DECODE_ERROR 50 +/** SHARKSSL_ALERT_DECRYPT_ERROR */ +#define SHARKSSL_ALERT_DECRYPT_ERROR 51 +/** SHARKSSL_ALERT_EXPORT_RESTRICTION */ +#define SHARKSSL_ALERT_EXPORT_RESTRICTION 60 +/** SHARKSSL_ALERT_PROTOCOL_VERSION */ +#define SHARKSSL_ALERT_PROTOCOL_VERSION 70 +/** SHARKSSL_ALERT_INSUFFICIENT_SECURITY */ +#define SHARKSSL_ALERT_INSUFFICIENT_SECURITY 71 +/** SHARKSSL_ALERT_INTERNAL_ERROR */ +#define SHARKSSL_ALERT_INTERNAL_ERROR 80 +/** SHARKSSL_ALERT_USER_CANCELED */ +#define SHARKSSL_ALERT_USER_CANCELED 90 +/** SHARKSSL_ALERT_NO_RENEGOTIATION */ +#define SHARKSSL_ALERT_NO_RENEGOTIATION 100 +/** SHARKSSL_ALERT_UNKNOWN_PSK_IDENTITY */ +#define SHARKSSL_ALERT_UNKNOWN_PSK_IDENTITY 115 + +/** @} */ /* end group SharkSslAlertMsg */ +/** @} */ /* end group SharkSslAlert */ + + +/** \defgroup SharkSslCiphers Supported Ciphersuites +\ingroup SharkSslInfoAndCodes +@{ + + \brief Supported Ciphersuites and values returned by +SharkSslCon_getCiphersuite. +*/ + +/** TLS_NULL_WITH_NULL_NULL */ +#define TLS_NULL_WITH_NULL_NULL 0x0000 +/** TLS_RSA_WITH_NULL_MD5 */ +#define TLS_RSA_WITH_NULL_MD5 0x0001 +/** TLS_RSA_WITH_NULL_SHA */ +#define TLS_RSA_WITH_NULL_SHA 0x0002 +/** TLS_RSA_WITH_RC4_128_MD5 */ +#define TLS_RSA_WITH_RC4_128_MD5 0x0004 +/** TLS_RSA_WITH_RC4_128_SHA */ +#define TLS_RSA_WITH_RC4_128_SHA 0x0005 +/** TLS_RSA_WITH_DES_CBC_SHA */ +#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 +/** TLS_RSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A +/** TLS_DHE_RSA_WITH_DES_CBC_SHA */ +#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 +/** TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 +/** TLS_RSA_WITH_AES_128_CBC_SHA */ +#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F +/** TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 +/** TLS_RSA_WITH_AES_256_CBC_SHA */ +#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 +/** TLS_DHE_RSA_WITH_AES_256_CBC_SHA */ +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 +/** TLS_RSA_WITH_NULL_SHA256 */ +#define TLS_RSA_WITH_NULL_SHA256 0x003B +/** TLS_RSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C +/** TLS_RSA_WITH_AES_256_CBC_SHA256 */ +#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D +/** TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 +/** TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */ +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B +/** TLS_PSK_WITH_RC4_128_SHA */ +#define TLS_PSK_WITH_RC4_128_SHA 0x008A +/** TLS_PSK_WITH_3DES_EDE_CBC_SHA */ +#define TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x008B +/** TLS_PSK_WITH_AES_128_CBC_SHA */ +#define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C +/** TLS_PSK_WITH_AES_256_CBC_SHA */ +#define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D +/** TLS_RSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C +/** TLS_RSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D +/** TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E +/** TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F +/** TLS_PSK_WITH_AES_128_GCM_SHA256 */ +#define TLS_PSK_WITH_AES_128_GCM_SHA256 0x00A8 +/** TLS_PSK_WITH_AES_256_GCM_SHA384 */ +#define TLS_PSK_WITH_AES_256_GCM_SHA384 0x00A9 +/** TLS_PSK_WITH_AES_128_CBC_SHA256 */ +#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE +/** TLS_PSK_WITH_AES_256_CBC_SHA384 */ +#define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF +/** TLS_ECDH_ECDSA_WITH_NULL_SHA */ +#define TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 +/** TLS_ECDH_ECDSA_WITH_RC4_128_SHA */ +#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 +/** TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 +/** TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */ +#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 +/** TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */ +#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 +/** TLS_ECDHE_ECDSA_WITH_NULL_SHA */ +#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 +/** TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */ +#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 +/** TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 +/** TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */ +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 +/** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */ +#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A +/** TLS_ECDH_RSA_WITH_NULL_SHA */ +#define TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B +/** TLS_ECDH_RSA_WITH_RC4_128_SHA */ +#define TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C +/** TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D +/** TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */ +#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E +/** TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */ +#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F +/** TLS_ECDHE_RSA_WITH_NULL_SHA */ +#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 +/** TLS_ECDHE_RSA_WITH_RC4_128_SHA */ +#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 +/** TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */ +#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 +/** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */ +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 +/** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ +#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 +/** TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 +/** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */ +#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 +/** TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 +/** TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */ +#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 +/** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 +/** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */ +#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 +/** TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */ +#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 +/** TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */ +#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A +/** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B +/** TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C +/** TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D +/** TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E +/** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F +/** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 +/** TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */ +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 +/** TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */ +#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 +/** TLS_RSA_WITH_AES_128_CCM */ +#define TLS_RSA_WITH_AES_128_CCM 0xC09C +/** TLS_RSA_WITH_AES_256_CCM */ +#define TLS_RSA_WITH_AES_256_CCM 0xC09D +/** TLS_DHE_RSA_WITH_AES_128_CCM */ +#define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E +/** TLS_DHE_RSA_WITH_AES_256_CCM */ +#define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F +/** TLS_RSA_WITH_AES_128_CCM_8 */ +#define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 +/** TLS_RSA_WITH_AES_256_CCM_8 */ +#define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 +/** TLS_DHE_RSA_WITH_AES_128_CCM_8 */ +#define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2 +/** TLS_DHE_RSA_WITH_AES_256_CCM_8 */ +#define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3 +/** TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCC13 +/** TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */ +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCC14 +/** TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ +#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCC15 + +/** @} */ /* end group SharkSslCiphers */ + + +/** \defgroup SharkSslProtocol SSL and TLS protocol version +\ingroup SharkSslInfoAndCodes +@{ + \brief Return values from function #SharkSslCon_getProtocol. +*/ + +/** SHARKSSL_PROTOCOL_UNKNOWN */ +#define SHARKSSL_PROTOCOL_UNKNOWN 0x00 +/** SHARKSSL_PROTOCOL_SSL_3_0 */ +#define SHARKSSL_PROTOCOL_SSL_3_0 0x30 +/** SHARKSSL_PROTOCOL_TLS_1_0 */ +#define SHARKSSL_PROTOCOL_TLS_1_0 0x31 +/** SHARKSSL_PROTOCOL_TLS_1_1 */ +#define SHARKSSL_PROTOCOL_TLS_1_1 0x32 +/** SHARKSSL_PROTOCOL_TLS_1_2 */ +#define SHARKSSL_PROTOCOL_TLS_1_2 0x33 + +/** @} */ /* end group SharkSslProtocol */ + + +#if (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA) +#ifndef BA_API /* standalone SharkSSL */ +#define BA_API SHARKSSL_API +#ifdef _SHARKSSL_C_ +#define SingleListCode 1 +#endif +#endif +#include "SingleList.h" +#endif + + +#if SHARKSSL_ENABLE_SESSION_CACHE || SHARKSSL_NOPACK + +/** @addtogroup SharkSslSessionApi +@{ +*/ + +/** SharkSslSession is an opaque handle returned by function + #SharkSslCon_acquireSession. + */ +typedef struct SharkSslSession SharkSslSession; + +/** @} */ /* end group SharkSslSessionApi */ + +#ifndef _DOXYGEN +typedef struct SharkSslSessionCache +{ + SharkSslSession *cache; + ThreadMutexBase cacheMutex; + U16 cacheSize; +} SharkSslSessionCache; +#endif +#endif + + +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + +/** Select one of client or server mode when creating a #SharkSsl + object. + + __Note:__ A SharkSsl instance in server mode requires that you + install at a minimum one certificate by calling function + #SharkSsl_addCertificate. +*/ +typedef enum +{ + SharkSsl_Unspecified, /*!< Invalid value */ + SharkSsl_Server, /*!< Select SSL server mode */ + SharkSsl_Client /*!< Select SSL client mode */ +} SharkSsl_Role; + +/** @} */ /* end group SharkSslInfoAndCodes */ + + +#if (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA) +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + +/** The SharkSSL Certificate is in a binary format optimized for speed + and size. The certificate can be created by calling #sharkssl_PEM + or by using the command line tool + [SharkSslParseCert](\ref SharkSslParseCert) + */ +typedef const U8 *SharkSslCert; + +#if SHARKSSL_ENABLE_CA_LIST +/** The SharkSSL Certificate Authority (CA) List is in a binary format + optimized for speed and size. The list can be created by calling + #SharkSslCertStore_assemble or by using the command line tool + [SharkSSLParseCAList](\ref SharkSSLParseCAList). + */ +typedef const U8 *SharkSslCAList; +#endif + +/** @} */ /* end group SharkSslInfoAndCodes */ +#endif + +#if SHARKSSL_ENABLE_PSK || SHARKSSL_NOPACK +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + +/** The SharkSSL PSK table is in an optimized binary format. + The table can be created by using the command line tool + [SharkSslParsePSKTable](\ref SharkSSLParsePSKTable). + */ +typedef const U8 *SharkSslPSKTable; + +/** @} */ /* end group SharkSslInfoAndCodes */ +#endif + +#ifndef _DOXYGEN +struct SharkSsl; +#endif + + +/* Non documented API used by SharkSslSCMgr when used indirectly by + Lua code in the Barracuda Application Server. The code manages + automatic destruction of SharkSslSCMgr. + */ +#ifndef _DOXYGEN +struct SharkSslIntf; +typedef void (*SharkSslIntf_Terminate)(struct SharkSslIntf* o, + struct SharkSsl* ssl); +typedef struct SharkSslIntf +{ + SharkSslIntf_Terminate terminate; +} SharkSslIntf; +#define SharkSslIntf_constructor(o,terminateFunc) (o)->terminate=terminateFunc +#endif + + +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + +/** SharkSslCon is an opaque handle returned by function + #SharkSsl_createCon. + + The lifetime of a SharkSslCon object is as follows: + + - Create a network connection and create a SharkSslCon object by + calling #SharkSsl_createCon + + - Use the SharkSslCon functions to encode and decode data sent + and received over the network. See #SharkSslCon_encrypt and + #SharkSslCon_decrypt for more information. + + - When you are ready to close the connection: close the network + connection and call function #SharkSsl_terminateCon + + \sa SharkSsl +*/ +typedef struct SharkSslCon SharkSslCon; + + +/** A SharkSsl object is the coordinator for managing #SharkSslCon + objects (See #SharkSsl_constructor for details). +*/ +typedef struct +SharkSsl +{ +#ifdef __cplusplus + void *operator new(size_t s) { return ::baMalloc(s); } + void operator delete(void* d) { if(d) ::baFree(d); } + void *operator new(size_t, void *place) { return place; } + void operator delete(void*, void *) { } + + SharkSsl() {}; + + SharkSsl(SharkSsl_Role role, + U16 cacheSize = 0, + U16 inBufStartSize = 4096, + U16 outBufSize = 4096 + ); + + ~SharkSsl(); + SharkSslCon *createCon(void); + U8 setCAList(SharkSslCAList caList); + U8 addCertificate(SharkSslCert cert); + void terminateCon(SharkSslCon *sslCon); +#endif + #if (SHARKSSL_SSL_SERVER_CODE && SHARKSSL_SSL_CLIENT_CODE) || SHARKSSL_NOPACK + SharkSsl_Role role; + #endif + U16 outBufSize; + U16 inBufStartSize; + U16 nCon; + #if (SHARKSSL_ENABLE_RSA || (SHARKSSL_ENABLE_ECDSA)) || SHARKSSL_NOPACK + SingleList certList; + #if SHARKSSL_ENABLE_CA_LIST || SHARKSSL_NOPACK + SharkSslCAList caList; + #endif + #endif + #if SHARKSSL_ENABLE_PSK || SHARKSSL_NOPACK + SharkSslPSKTable tablePSK; + #endif + #if SHARKSSL_ENABLE_SESSION_CACHE || SHARKSSL_NOPACK + SharkSslSessionCache sessionCache; + /* Reserved for use with one SharkSslSCMgr object */ + SharkSslIntf* intf; + #endif +} SharkSsl; + +/** @} */ /* end group SharkSslInfoAndCodes */ + +/** @addtogroup SharkSslCoreApi +@{ +*/ + +/** The #SharkSslCon_decrypt and #SharkSslCon_encrypt return values. + */ +typedef enum +{ + /** Indicates general errors, including configuration errors. + */ + SharkSslCon_Error = 1, + + /** The memory pool is too small. + */ + SharkSslCon_AllocationError, + + /** Returned when a block of received data has been successfully decrypted. + + __selib.c code snippet:__ + \dontinclude selib.c + \skipline case SharkSslCon_Decrypted: + \until return + + \sa SharkSslCon_getDecData + */ + SharkSslCon_Decrypted, + + /** Returned when an SSL/TLS handshake message has been received or + is to be sent. During this phase, one must call + #SharkSslCon_getHandshakeData and + #SharkSslCon_getHandshakeDataLen, and send the handshake data to + the peer side. + + __selib.c code snippet:__ + \dontinclude selib.c + \skipline case SharkSslCon_Handshake: + \until xprintf(("handshake complete")); + */ + SharkSslCon_Handshake, + + /** Returned when SharkSSL holds an incomplete SSL/TLS record or + when the connection is initially established and the readLen + parameter is zero. + + __selib.c code snippet:__ + \dontinclude selib.c + \skipline case SharkSslCon_NeedMoreData: + \until decrypt next record + + \sa #SharkSslCon_getBuf and #SharkSslCon_getBufLen + */ + SharkSslCon_NeedMoreData, + + /** Returned when an [SSL/TLS alert message](@ref SharkSslAlertMsg) + must be sent to the peer side. The error code, which must be + sent to the peer, indicates that SharkSSL was unable to decode + the data sent from the peer. + + __selib.c code snippet:__ + \dontinclude selib.c + \skipline case SharkSslCon_AlertSend: + \until return + + \sa #SharkSslCon_getAlertData and #SharkSslCon_getAlertDataLen + */ + SharkSslCon_AlertSend, + + /** SharkSSL received an [SSL/TLS alert message](@ref SharkSslAlertMsg) + from the peer, which means that the peer either failed to + decode the message from SharkSSL or the peer entered an + exception state. + + \sa SharkSslCon_getAlertLevel and SharkSslCon_getAlertDescription + */ + SharkSslCon_AlertRecv, + + /** SharkSSL has successfully decrypted a chunk of data. The data + is available in the SharkSSL receive buffer, which is returned + by function #SharkSslCon_getEncData. The length is returned by + function #SharkSslCon_getEncDataLen. + + __selib.c code snippet:__ + \dontinclude selib.c + \skipline case SharkSslCon_Encrypted: + \until return maxLen + */ + SharkSslCon_Encrypted, + + /** An error condition returned by function #SharkSslCon_encrypt if + the SSL handshake is not completed. You cannot send encrypted + data before completing the handshake phase. + */ + SharkSslCon_HandshakeNotComplete, + + /** Returned by function #SharkSslCon_encrypt if + #SHARKSSL_ENABLE_CLONE_CERTINFO is disabled and when a complete + certificate is received from the peer during the SSL handshake + phase. Fixme more... + */ + SharkSslCon_Certificate, + + /** Unrecognized format of a provided certificate. + */ + SharkSslCon_CertificateError + +} SharkSslCon_RetVal; + +/** @} */ /* end group SharkSslCoreApi */ + +#if (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA) + +/** \defgroup SharkSslCertInfo Peer's certificate information +\ingroup SharkSslInfoAndCodes + +\brief Certificate information returned by #SharkSslCon_getCertInfo + +@{ +*/ + +/** Certificate KeyUsage and ExtendedKeyUsage flags and relative + pseudofunctions + */ +#if SHARKSSL_ENABLE_CERT_KEYUSAGE +#define SHARKSSL_CERT_KEYUSAGE_DIGITALSIGNATURE 0x00000001 +#define SHARKSSL_CERT_KEYUSAGE_NONREPUDIATION 0x00000002 +#define SHARKSSL_CERT_KEYUSAGE_KEYENCIPHERMENT 0x00000004 +#define SHARKSSL_CERT_KEYUSAGE_DATAENCIPHERMENT 0x00000008 +#define SHARKSSL_CERT_KEYUSAGE_KEYAGREEMENT 0x00000010 +#define SHARKSSL_CERT_KEYUSAGE_KEYCERTSIGN 0x00000020 +#define SHARKSSL_CERT_KEYUSAGE_CRLSIGN 0x00000040 +#define SHARKSSL_CERT_KEYUSAGE_ENCIPHERONLY 0x00000080 +#define SHARKSSL_CERT_KEYUSAGE_DECIPHERONLY 0x00000100 +#define SHARKSSL_CERT_KEYUSAGE_PRESENT 0x00000200 +#define SHARKSSL_CERT_KEYUSAGE_CRITICAL 0x00000400 + +#define SHARKSSL_CERT_KEYPURPOSE_SERVERAUTH 0x00010000 +#define SHARKSSL_CERT_KEYPURPOSE_CLIENTAUTH 0x00020000 +#define SHARKSSL_CERT_KEYPURPOSE_CODESIGNING 0x00040000 +#define SHARKSSL_CERT_KEYPURPOSE_EMAILPROTECTION 0x00080000 +#define SHARKSSL_CERT_KEYPURPOSE_TIMESTAMPING 0x00100000 +#define SHARKSSL_CERT_KEYPURPOSE_OCSPSIGNING 0x00200000 + +#define SharkSslCertInfo_KeyFlagSet(o,f) ((o)->keyUsagePurposes & f) + +/** The following pseudo-functions return a non-zero value + if the corresponding flag is set + */ +#define SharkSslCertInfo_isKeyUsagePresent(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_PRESENT) +#define SharkSslCertInfo_isKeyUsageCritical(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_CRITICAL) +#define SharkSslCertInfo_KU_digitalSignature(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_DIGITALSIGNATURE) +#define SharkSslCertInfo_KU_nonRepudiation(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_NONREPUDIATION) +#define SharkSslCertInfo_KU_keyEncipherment(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_KEYENCIPHERMENT) +#define SharkSslCertInfo_KU_dataEncipherment(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_DATAENCIPHERMENT) +#define SharkSslCertInfo_KU_keyAgreement(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_KEYAGREEMENT) +#define SharkSslCertInfo_KU_keyCertSign(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_KEYCERTSIGN) +#define SharkSslCertInfo_KU_cRLSign(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_CRLSIGN) +#define SharkSslCertInfo_KU_encipherOnly(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_ENCIPHERONLY) +#define SharkSslCertInfo_KU_decipherOnly(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYUSAGE_DECIPHERONLY) + +#define SharkSslCertInfo_kp_serverAuth(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_SERVERAUTH) +#define SharkSslCertInfo_kp_clientAuth(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_CLIENTAUTH) +#define SharkSslCertInfo_kp_codeSigning(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_CODESIGNING) +#define SharkSslCertInfo_kp_emailProtection(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_EMAILPROTECTION) +#define SharkSslCertInfo_kp_timeStamping(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_TIMESTAMPING) +#define SharkSslCertInfo_kp_OCSPSigning(o) SharkSslCertInfo_KeyFlagSet(o, SHARKSSL_CERT_KEYPURPOSE_OCSPSIGNING) +#endif + + +/** Certificate Distinguished Name + + Example from certcheck.c: + + \dontinclude certcheck.c + \skip Begin Cert Info + \until End Cert Info + + \sa SharkSslCertInfo + + */ +typedef struct SharkSslCertDN +{ + const U8 *countryName; /**< ISO3166 country code */ + const U8 *province; /**< State or Province */ + const U8 *locality; /**< The city or town name */ + const U8 *organization; /**< Organization Name (company or department) */ + const U8 *unit; /**< Organizational Unit (OU: department or organization unit) */ + /** Common Name is the Host + Domain Name (example: + www.mycompany.com, where www is host and mycompany.com is Domain + Name) */ + const U8 *commonName; + const U8 *emailAddress; + + U8 countryNameLen; /** length in bytes of the field "country" */ + U8 provinceLen; /** length in bytes of the field "province" */ + U8 localityLen; /** length in bytes of the field "locality" */ + U8 organizationLen; /** length in bytes of the field "organization" */ + U8 unitLen; /** length in bytes of the field "unit" */ + U8 commonNameLen; /** length in bytes of the field "common name" */ + U8 emailAddressLen; /** length in bytes of the field "emailAddress" */ +} SharkSslCertDN; + +#define SharkSslCertDN_constructor(o) memset(o,0,sizeof(SharkSslCertDN)) + +#define SharkSslCertDN_setCountryName(o, countryNameMA) \ + (o)->countryName=(const U8*)countryNameMA,(o)->countryNameLen=(U8)strlen(countryNameMA) +#define SharkSslCertDN_setProvince(o, provinceMA) \ + (o)->province=(const U8*)provinceMA,(o)->provinceLen=(U8)strlen(provinceMA) +#define SharkSslCertDN_setLocality(o, localityMA) \ + (o)->locality=(const U8*)localityMA,(o)->localityLen=(U8)strlen(localityMA) +#define SharkSslCertDN_setOrganization(o, organizationMA) \ + (o)->organization=(const U8*)organizationMA,(o)->organizationLen=(U8)strlen(organizationMA) +#define SharkSslCertDN_setUnit(o, unitMA) \ + (o)->unit=(const U8*)unitMA,(o)->unitLen=(U8)strlen(unitMA) +#define SharkSslCertDN_setCommonName(o, commonNameMA) \ + (o)->commonName=(const U8*)commonNameMA,(o)->commonNameLen=(U8)strlen(commonNameMA) + + +/** The peer's certificate information returned by #SharkSslCon_getCertInfo. + \sa SharkSslCertDN + */ +typedef struct SharkSslCertInfo +{ + /** Length of 'sn' (serial number) */ + U16 snLen; + + /** Certificate version is offset at 0 so add +1 for actual + version number. + */ + U8 version; + + /** The Certificate Authority flag (CA) is set to one if the + certificate is a CA i.e. a root certificate. + */ + U8 CAflag; + + /** Binary serial number. The length is provided in 'snLen' + */ + U8 *sn; + + /** Certificate is valid from date (in UTCTime format: YYMMDDHHMMSSZ) + */ + U8 *timeFrom; + + /** Certificate expiration date (in UTCTime format: YYMMDDHHMMSSZ) + */ + U8 *timeTo; + + /** The entity who has signed and issued the certificate (<a + href="http://tools.ietf.org/html/rfc2459#section-4.1.2.4" + >RFC2459 4.1.2.4</a>) + */ + SharkSslCertDN issuer; + + /** The entity associated with the public key (<a + href="http://tools.ietf.org/html/rfc2459#section-4.1.2.6" + >RFC2459 4.1.2.6</a>). + */ + SharkSslCertDN subject; + + /** Subject Alternative DNS Names, if set, is a pointer to a list + of alternative names. Each entry in the list is prefixed with + a 1-byte length, followed by a string of 'length' bytes; + the list ends with a zero length. + The following example is from certcheck.c: + + \dontinclude certcheck.c + \skipline U8 *tp + \until xprintf(("\n")) + */ + U8 *subjectAltDNSNames; + + #if SHARKSSL_ENABLE_CERT_KEYUSAGE + /** KeyUsage & ExtendedKeyUsage (key purposes) flags. + Verify that the KeyUsage extension is present through the + SharkSslCertInfo_isKeyUsagePresent(o) pseudo-function, + then verify all the flags through the pseudo-functions: + SharkSslCertInfo_KU_digitalSignature(o) + SharkSslCertInfo_KU_nonRepudiation(o) + SharkSslCertInfo_KU_keyEncipherment(o) + SharkSslCertInfo_KU_dataEncipherment(o) + SharkSslCertInfo_KU_keyAgreement(o) + SharkSslCertInfo_KU_keyCertSign(o) + SharkSslCertInfo_KU_cRLSign(o) + SharkSslCertInfo_KU_encipherOnly(o) + SharkSslCertInfo_KU_decipherOnly(o) + + Verify the ExtendedKeyUsage purposes through the following: + SharkSslCertInfo_kp_serverAuth(o) + SharkSslCertInfo_kp_clientAuth(o) + SharkSslCertInfo_kp_codeSigning(o) + SharkSslCertInfo_kp_emailProtection(o) + SharkSslCertInfo_kp_timeStamping(o) + SharkSslCertInfo_kp_OCSPSigning(o) + */ + U32 keyUsagePurposes; + #endif + + /** Pointer to parent node when the SharkSslCertInfo object is part of + a certificate chain. You walk up the chain until you reach the root. + */ + struct SharkSslCertInfo *parent; +} SharkSslCertInfo; + +/** @} */ /* end group SharkSslCertInfo */ +#endif + +/** @addtogroup SharkSslApi +@{ +*/ + + +#ifdef __cplusplus +extern "C" { +#endif + +/** A SharkSsl object is the coordinator for managing SharkSslCon + objects. + + You must at a minimum create one SharkSsl object. A more advanced + configuration may include several SharkSsl objects. For example, a + system that includes both a client and server SSL stack must + create and initialize two SharkSsl objects. + + \param o Uninitialized data of size sizeof(SharkSsl). + + \param role Select client or server SSL mode. See #SharkSsl_Role + for details. + + \param cacheSize The session resumption cache size. Setting this + to zero disables the cache management code. See + [SSL Session Management](@ref SharkSslSessionApi) for details. + + \param inBufStartSize + \param outBufSize + + parameter must be provided if you plan on using function + #SharkSslCon_trustedCA or #SharkSslCon_trusted. See + #SharkSslCAList for details. + + \sa #SharkSsl_addCertificate, #SharkSsl_setCAList, + SharkSsl_createCon, and SharkSsl_terminateCon. + */ +SHARKSSL_API void SharkSsl_constructor( + SharkSsl *o, + SharkSsl_Role role, + U16 cacheSize, + U16 inBufStartSize, + U16 outBufSize + ); + +/** Close the SharkSsl object. Closing a SharkSsl object is not + common in embedded devices. You would normally keep the SharkSsl + object for the lifetime of the application. You must make sure + all #SharkSslCon objects are terminated by calling + #SharkSslCon_terminate for each active connection prior to calling + the SharkSsl_destructor. + */ +SHARKSSL_API void SharkSsl_destructor(SharkSsl *o); + + +/** Create a #SharkSslCon object. You must create one SharkSslCon + object for each active network connection that requires encryption. + + The following code snippet is from the + [example programs](\ref SharkExamples). + \code +int rc; +SharkSslCon* scon; +if( (rc=se_connect(&sock, "realtimelogic.com", 443)) == 0) // open socket +{ + if( (scon = SharkSsl_createCon(&sharkSsl)) != NULL) + { + // success + \endcode + + \return a SharkSslCon object or NULL if memory is exhausted. + + \sa SharkSsl_terminateCon and SharkSslCon_terminate + */ +SharkSslCon *SharkSsl_createCon(SharkSsl *o); + + +/** Terminate a SharkSslCon object created by function SharkSsl_createCon. + + \param o the SharkSsl object. Setting this parameter to NULL is + the same as calling macro #SharkSslCon_terminate. + + \param con the SharkSslCon object to reclaim. + + Code snippet from the example code: sessioncache.c + + \dontinclude sessioncache.c + \skipline Release resources + \until se_close + + */ +void SharkSsl_terminateCon(const SharkSsl *o, SharkSslCon* con); + + +#if SHARKSSL_ENABLE_SESSION_CACHE + +/** Returns the SharkSsl session cache size. + \sa SharkSsl_constructor (parameter cacheSize) and + #SHARKSSL_ENABLE_SESSION_CACHE +*/ +SHARKSSL_API U16 SharkSsl_getCacheSize(SharkSsl *o); + +#define SharkSsl_setIntf(o, sharkSslIntf) (o)->intf=sharkSslIntf +#define SharkSsl_getIntf(o) (o)->intf + +#endif + + +/** The SharkSslCon object must be reclaimed when you close the + * network connection. + + \sa #SharkSsl_createCon + \sa SharkSsl_terminateCon + */ +#define SharkSslCon_terminate(o) SharkSsl_terminateCon(0, o) + +/** @addtogroup SharkSslCoreApi +@{ +*/ + +/** Decrypt the received data copied into the SharkSslCon receive + buffer (the buffer returned by #SharkSslCon_getBuf). See + #SharkSslCon_RetVal for example code. + + The SharkSslCon_decrypt function keeps decrypt state information + in the SharkSslCon object and the function can therefore be used + in event driven systems. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + + \param readLen the length of the received network data copied into + the buffer returned by #SharkSslCon_getBuf. + + \return the decrypt state information #SharkSslCon_RetVal. + + \sa SharkSslCon_getBuf, SharkSslCon_getBufLen, SharkSslCon_encrypt + */ +SharkSslCon_RetVal SharkSslCon_decrypt(SharkSslCon *o, U16 readLen); + + +/** Encrypt the data provided by parameter 'buf' or encrypt data in + the SharkSslCon send buffer. SharkSSL provides a zero copy API and + you can optionally copy data directly to the SharkSslCon send + buffer. The send buffer is returned by calling function + #SharkSslCon_getEncBufPtr. + + The SharkSslCon_encrypt function keeps decrypt state information + in the SharkSslCon object and the function can therefore be used + in event driven systems. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + + \param buf the data to be encrypted or NULL when encrypting data + copied directly to the SharkSslCon send buffer i.e. when copying + the data to the pointer returned by function + #SharkSslCon_getEncBufPtr. + + \param maxLen is the length of 'buf' or the length of the data + data copied directly to the SharkSslCon send buffer. + + \return the decrypt state information #SharkSslCon_RetVal. + + \sa SharkSslCon_getEncBufPtr, SharkSslCon_getEncBufSize, SharkSslCon_decrypt + */ +SharkSslCon_RetVal SharkSslCon_encrypt(SharkSslCon *o, U8 *buf, U16 maxLen); + + +/** Returns TRUE if the SSL handshake phase is completed. See + state #SharkSslCon_Handshake for example code. +*/ +U8 SharkSslCon_isHandshakeComplete(SharkSslCon *o); + + +/** This function is used in conjunction with state + SharkSslCon_Encrypted returned by function + #SharkSslCon_encrypt. + + The function returns TRUE if the SharkSslCon send buffer is full + and must be flushed out. + + The maximum size of the output buffer is set with parameter + 'outBufSize' when calling the #SharkSsl_constructor. When the + unencrypted buffer is larger than what fits into the internal + output buffer, SharkSSL breaks the unencrypted data into multiple + chunks and SharkSslCon_encryptMore lets the application know when + the buffer must be flushed. + + See #SharkSslCon_Encrypted for example code. + */ +U8 SharkSslCon_encryptMore(SharkSslCon *o); + + +/** This function is used in conjunction with state + SharkSslCon_Decrypted returned by function + #SharkSslCon_decrypt. + + The function returns TRUE if a complete SSL frame has been + decrypted and is ready for consumption. See #SharkSslCon_Decrypted + for example code. + + */ +U8 SharkSslCon_decryptMore(SharkSslCon *o); + +/** Returns a pointer to the SharkSslCon input/receive buffer. The + pointer returned by SharkSslCon_getBuf is where you copy the + encrypted data you receive from the network. + + Example code: + \code + readLen = recv(mysocket, SharkSslCon_getBuf(s),SharkSslCon_getBufLen(s), 0); + \endcode + \sa SharkSslCon_getBufLen and SharkSslCon_getDecData + */ +U8 *SharkSslCon_getBuf(SharkSslCon *o); + + +/** Returns the length of the SharkSslCon input buffer. The buffer is + internally managed by SharkSSL and may dynamically grow as large + as 16Kbytes. The SharkSslCon input buffer start size is set with + parameter inBufStartSize when calling the #SharkSsl_constructor. + + Many ciphers are block based and the receiving end must read the + complete block before it can be decrypted. The SSL/TLS + specification enables blocks up to 16K in size. Note, the block + will not be larger than the size of the packet sent by the peer + side. + + \sa SharkSslCon_getBuf + */ +U16 SharkSslCon_getBufLen(SharkSslCon *o); + +/** Copy decoded data to 'buf'. Provides an alternative to using the + zero copy API and the buffer returned by #SharkSslCon_getDecData. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + \param buf a buffer provided by the caller + \param maxLen the size of parameter 'buf'. SharkSSL will copy at + most maxLen bytes to 'buf'. + + Example: + \code +for(;;) +{ + switch (SharkSslCon_decrypt(s, (U16)readLen)) + { + case SharkSslCon_Decrypted: + readLen = SharkSslCon_copyDecData(s, buf, maxLen); + // decrypted readLen bytes + if (SharkSslCon_decryptMore(s)) + { + if ((readLen == 0) && (maxLen > 0)) + { + break; // zero-length record, decrypt next one + } + } + return readLen; + + // other cases not shown here + \endcode + \sa SharkSslCon_getDecData + */ +U16 SharkSslCon_copyDecData(SharkSslCon *o, U8 *buf, U16 maxLen); + + +/** Get a pointer to the decoded data. + + See #SharkSslCon_Decrypted for example code. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + \param bufPtr is set to the beginning of the decoded data. + \returns Number of bytes decoded. + \sa SharkSslCon_copyDecData + */ +SHARKSSL_API U16 SharkSslCon_getDecData(SharkSslCon *o, U8 **bufPtr); + + +/** This function is used in conjunction with state + SharkSslCon_Handshake returned by function + #SharkSslCon_encrypt. + + The function returns the handshake data that must be sent to the + peer side, if any. + + See #SharkSslCon_Handshake for example code. + + \sa SharkSslCon_getHandshakeDataLen + */ +U8 *SharkSslCon_getHandshakeData(SharkSslCon *o); + + +/** This function is used in conjunction with state + SharkSslCon_Handshake returned by function + #SharkSslCon_decrypt. + + The function returns the length of the handshake data that must be + sent to the peer side, if any. The function returns zero if no + handshake data should be sent. + + See #SharkSslCon_Handshake for example code. + + \sa SharkSslCon_getHandshakeData + */ +U16 SharkSslCon_getHandshakeDataLen(SharkSslCon *o); + + +/** This function is used in conjunction with state + SharkSslCon_Encrypted returned by function + #SharkSslCon_encrypt. + + The function returns a pointer to the encoded data that must be + sent to the peer side. + + \sa SharkSslCon_getEncDataLen and SharkSslCon_encryptMore + */ +U8 *SharkSslCon_getEncData(SharkSslCon *o); + + +/** This function is used in conjunction with state + SharkSslCon_Encrypted returned by function + #SharkSslCon_encrypt. + + The function returns the length of the encoded data that must be + sent to the peer side. + + See #SharkSslCon_Encrypted for example code. + + \sa SharkSslCon_getEncData and SharkSslCon_encryptMore + */ +U16 SharkSslCon_getEncDataLen(SharkSslCon *o); + + +/** This function is used in conjunction with #SharkSslCon_encrypt + when using the zero copy send API. + + \return a pointer to the internal SharkSslCon send buffer. + \sa SharkSslCon_getEncBufSize. + */ +U8 *SharkSslCon_getEncBufPtr(SharkSslCon *o); + + +/** Returns the length of the buffer returned by #SharkSslCon_getEncBufPtr + */ +U16 SharkSslCon_getEncBufSize(SharkSslCon *o); + + +/** This function is used in conjunction with state + #SharkSslCon_AlertSend returned by function #SharkSslCon_encrypt or + in conjunction with state #SharkSslCon_AlertRecv returned by + function #SharkSslCon_decrypt. + + \returns #SHARKSSL_ALERT_LEVEL_WARNING or #SHARKSSL_ALERT_LEVEL_FATAL + + \sa #SharkSslCon_getAlertDescription and #SharkSslCon_getAlertData + */ +U8 SharkSslCon_getAlertLevel(SharkSslCon *o); + + +/** This function is used in conjunction with state + #SharkSslCon_AlertSend returned by function #SharkSslCon_encrypt or + in conjunction with state #SharkSslCon_AlertRecv returned by + function #SharkSslCon_decrypt. + + returns the [SSL/TLS alert message](@ref SharkSslAlertMsg) + + \sa #SharkSslCon_getAlertLevel and #SharkSslCon_getAlertData + */ +U8 SharkSslCon_getAlertDescription(SharkSslCon *o); + + +/** This function is used in conjunction with state + #SharkSslCon_AlertSend returned by function + #SharkSslCon_encrypt. + + The function returns a pointer to the alert data that must be sent + to the peer side. + + \sa #SharkSslCon_getAlertDataLen + */ +#define SharkSslCon_getAlertData(o) SharkSslCon_getEncData(o) + + +/** This function is used in conjunction with state + #SharkSslCon_AlertSend returned by function + #SharkSslCon_encrypt. + + The function returns the length of the alert data that must be + sent to the peer side. + + \sa #SharkSslCon_getAlertData + */ +#define SharkSslCon_getAlertDataLen(o) SharkSslCon_getEncDataLen(o) + +/** @} */ /* end group SharkSslCoreApi */ + +#if SHARKSSL_ENABLE_INFO_API + +/** Returns the active session's [chiper suite](@ref Ciphersuites) + */ +SHARKSSL_API U16 SharkSslCon_getCiphersuite(SharkSslCon *o); + +/** Returns the active session's [protocol version](@ref SharkSslProtocol) + */ +SHARKSSL_API U8 SharkSslCon_getProtocol(SharkSslCon *o); + +#endif + +#if SHARKSSL_ENABLE_SNI + +#if SHARKSSL_SSL_CLIENT_CODE +/** set Server Name Indication for TLS client connections + */ +SHARKSSL_API U8 SharkSslCon_setSNI(SharkSslCon *o, const char *name, U16 length); +#endif + +#endif + + +#if (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA) +#if (SHARKSSL_SSL_CLIENT_CODE && SHARKSSL_ENABLE_CLIENT_AUTH) +/** Returns TRUE if the server requested a certificate from the client + to verify that the client's identity (authentication) + */ +U8 SharkSslCon_certificateRequested(SharkSslCon *o); +#endif + +/** Returns the peer's certificate if the handshaking has + completed. The certificate is available at any time if the code is + compiled with #SHARKSSL_ENABLE_CLONE_CERTINFO enabled. The + certificate is only available when #SharkSslCon_decrypt returns the + state #SharkSslCon_Certificate if the certificate cloning code is + not enabled. + */ +SHARKSSL_API SharkSslCertInfo *SharkSslCon_getCertInfo(SharkSslCon *o); + + +/** Add a certificate to the SharkSsl object. A SharkSsl object in + [server mode](\ref #SharkSsl_Server) is required to have at least + one certificate. + + __Note:__ You must install the certificate(s) before using the + SharkSsl object -- i.e. before calling #SharkSsl_createCon. + + \returns TRUE on success or FALSE on error. The function + fails if you have existing connections in the SharkSsl object. + */ +SHARKSSL_API U8 SharkSsl_addCertificate(SharkSsl *o, SharkSslCert cert); + +#if SHARKSSL_ENABLE_CA_LIST + +/** Set a Certificate Authority (CA) list so the SharkSSL object can + permform certificate validation on the peer's certificate. + + \param o the SharkSsl object. + + \param caList list created by calling #SharkSslCertStore_assemble + or by using the command line tool + [SharkSSLParseCAList](\ref SharkSSLParseCAList) + + __Note:__ You can only set one CA list, thus the CA list must + include all root certificates required for your system. + + The example program certcheck.c includes code that shows how to + perform complete certificate validation of the connected servers. + + \return TRUE if the CA list was successfully installed or FALSE if + another CA list has previously been installed. + + \sa #SharkSslCAList and SharkSslCon_trusted. + */ +SHARKSSL_API U8 SharkSsl_setCAList(SharkSsl *o, SharkSslCAList caList); + +/** Returns TRUE if the certificate is valid and is signed with a root + certificate trusted by SharkSSL. Root certificates can optionally + be installed with parameter #SharkSslCAList when calling + #SharkSsl_constructor. + + Note, the function only validates the certificate. You must + typically also validate the domain name. Function + #SharkSslCon_trusted extends the certificate validation and also + includes domain name validation. + + \sa SharkSslCon_trusted + */ +SHARKSSL_API U8 SharkSslCon_trustedCA(SharkSslCon *o); + +U8 SharkSslCon_isCAListEmpty(SharkSslCon *o); +#endif /* SHARKSSL_ENABLE_CA_LIST */ + +#if (SHARKSSL_SSL_SERVER_CODE && SHARKSSL_ENABLE_RSA) +/** Description to be added. + */ + +/* to be used as 'flag' param */ +#define SHARKSSL_SET_FAVOR_RSA 1 +#define SHARKSSL_CLEAR_FAVOR_RSA 0 + +/** A SharkSSL server can have multiple certificates, such as RSA + certificates with various strengths, and Elliptic Curve + Certificates (ECC). A SharkSSL server connection will select the + strongest cipher combination supported by the server and the + client. In general, the ECC certificate will be preferred by the + server connection, if supported by the client. Most browsers today + support ECC, however, Certificate Authorities do not typically + support ECC. + + The purpose with function SharkSslCon_favorRSA is to favor RSA + certificates over ECC when a client such as browser supports both + ECC and RSA. An M2M device can then force the use of ECC by + calling function SharkSslCon_selectCiphersuite, or at compile time + by removing RSA support. This enables devices to use ECC, with + self signed Certificate Authority certificates and browsers to use + RSA certificates signed by well known Certificate Authorities. + */ +U8 SharkSslCon_favorRSA(SharkSslCon *o, U8 flag); +#endif /* SHARKSSL_SSL_SERVER_CODE */ +#endif /* SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA */ + +#if SHARKSSL_ENABLE_PSK +/** To be documented + */ +SHARKSSL_API U8 SharkSsl_setPSKTable(SharkSsl *o, SharkSslPSKTable tablePSK); +#endif /* SHARKSSL_ENABLE_PSK */ + +#if SHARKSSL_SSL_CLIENT_CODE +U8 SharkSslCon_selectProtocol(SharkSslCon *o, U8 protocol); +#endif + +/** @addtogroup SharkSslSessionApi +@{ +*/ + +#if SHARKSSL_ENABLE_SESSION_CACHE + +/** Release a session created by function #SharkSslCon_acquireSession. + */ +SHARKSSL_API U8 SharkSslSession_release(SharkSslSession *o, SharkSsl *s); + +#if SHARKSSL_SSL_SERVER_CODE +/** experimental + */ +SHARKSSL_API U8 SharkSslCon_releaseSession(SharkSslCon *o); +#endif + +#if SHARKSSL_SSL_CLIENT_CODE + +/** Request a SharkSslSession object from the client's session pool. + + \returns a SharkSslSession object on success or NULL if the + session cache pool is exhausted. See parameter 'cacheSize' in + function SharkSsl_constructor for more information on the cache + size. + */ +SHARKSSL_API SharkSslSession *SharkSslCon_acquireSession(SharkSslCon *o); + + +/** Resume an existing session. + \param o the SharkSslCon object. + \param s a session object created by function #SharkSslCon_acquireSession. + + \returns TRUE on success or FALSE if the session cannot be resumed. + */ +SHARKSSL_API U8 SharkSslCon_resumeSession(SharkSslCon *o, SharkSslSession *s); + +/** Returns the last time the session was accessed. Delta time can be + calculated as follows: baGetUnixTime() - + SharkSslSession_getLatestAccessTime(ss); + */ +SHARKSSL_API U32 SharkSslSession_getLatestAccessTime(SharkSslSession *o); +#endif +#endif + +/** @} */ /* end group SharkSslSessionApi */ + +#if (SHARKSSL_SSL_SERVER_CODE && SHARKSSL_ENABLE_CLIENT_AUTH && \ + (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA)) +/** This function is used by server solutions that require client SSL + certificate authentication. For example, it can be used by an + HTTPS server that requires the client to authenticate using a + certificate signed with a Certificate Authority (CA) known to the + server. The second parameter, caList specifies one or several CA + certificates the server uses when validating the client + certificate. + + The function must be called before the initial handshake has + started or just after calling SharkSslCon_renegotiate. Calling + SharkSslCon_requestClientCert after #SharkSslCon_renegotiate + enables an existing session to request client authentication at a + later stage. For example, a server may require that the client + authenticates when the user navigates to a protected web page. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + + \param caList the SharkSSL CA list is in a binary format optimized + for speed and size. The list can be created by calling + #SharkSslCertStore_assemble or by using the command line tool + [SharkSSLParseCAList](\ref SharkSSLParseCAList). The client is + then requested to provide an SSL certificate and this certificate + must be signed using one of the CA certificates provided in the + caList. The SSL handshake or rehandshake fails if the client's + certificate is not trusted or not signed with a known CA + certificate. + + \return TRUE (1) if the request is accepted. Returns FALSE (0) if + the SharkSSL connection is already going through or done with a + handshaking phase. + */ +SHARKSSL_API U8 SharkSslCon_requestClientCert( + SharkSslCon *o, const void *caList); +#endif + +#if ((SHARKSSL_SSL_SERVER_CODE || SHARKSSL_SSL_CLIENT_CODE) && \ + SHARKSSL_ENABLE_SELECT_CIPHERSUITE) +/** +This function enables you to limit the number of ciphers at +runtime. Cipher suites can be enabled/disabled at compile time, but +your application may require that you also allow only specific ciphers +at runtime. By default, all ciphers enabled at compile time can be +used by SharkSSL. Calling this function disables the use of all +ciphers except the selected cipher. You can call this function up to N +times and re-enable N ciphers. N is by default set to 8 at compile +time. You can change the N value by setting macro +#SHARKSSL_SELECT_CIPHERSUITE_LIST_DEPTH. + +The function must be called before the initial handshake has completed +or just after calling SharkSslCon_renegotiate. Calling +SharkSslCon_selectCiphersuite and then #SharkSslCon_renegotiate +enables an existing session to change cipher. + +<b>Example:</b><br> +SharkSslCon_selectCiphersuite(myCon, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + +\param o the SharkSslCon object returned by function #SharkSsl_createCon. + +\param cipherSuite is one of the [supported ciphers](\ref SharkSslCiphers) +enabled at compile time. + +\return TRUE (1) if the request is accepted. Returns FALSE (0) if the +SharkSSL connection is currently in the handshaking phase, if the +selected cipher was not enabled at compile time, or if called more +than N times. +*/ +SHARKSSL_API U8 SharkSslCon_selectCiphersuite(SharkSslCon *o, U16 cipherSuite); + +/** Clears the selection, thus enabling all ciphers. + */ +SHARKSSL_API U8 SharkSslCon_clearCiphersuiteSelection(SharkSslCon *o); +#endif + +#if (SHARKSSL_SSL_SERVER_CODE && SHARKSSL_ENABLE_SECURE_RENEGOTIATION) +/** This function enables you to renegotiate an already established + SSL/TLS connection. Renegotiation is also known as + rehandshake. The function informs the SharkSSL state machine for + the active connection that you wish to renegotiate the + connection. The actual renegotiation is initiated and performed + the next time you call #SharkSslCon_decrypt. + + The function is typically used in combination with + #SharkSslCon_requestClientCert, when requesting client SSL + certificate authentication on an existing connection. The function + can also be used in combination with + #SharkSslCon_selectCiphersuite, to force a change in the cipher + being used. + + \param o the SharkSslCon object returned by function #SharkSsl_createCon. + + \return TRUE (1) if the request is accepted. Returns FALSE (0) if + the SharkSSL connection is currently in the handshaking phase. +*/ +SHARKSSL_API U8 SharkSslCon_renegotiate(SharkSslCon *o); +#endif + +/** @} */ /* end group SharkSslApi */ + + +#if SHARKSSL_ENABLE_PEM_API +/** @addtogroup RayCryptoApi +@{ +*/ + + +/** Return values from function #sharkssl_PEM + */ +typedef enum +{ + /** OK */ + SHARKSSL_PEM_OK = 0, + + /** OK_PUBLIC */ + SHARKSSL_PEM_OK_PUBLIC = 1, + + /** ALLOCATION_ERROR */ + SHARKSSL_PEM_ALLOCATION_ERROR = - 3000, + + /** KEY_PARSE_ERROR */ + SHARKSSL_PEM_KEY_PARSE_ERROR, + + /** KEY_WRONG_IV */ + SHARKSSL_PEM_KEY_WRONG_IV, + + /** KEY_WRONG_LENGTH */ + SHARKSSL_PEM_KEY_WRONG_LENGTH, + + /** KEY_PASSPHRASE_REQUIRED */ + SHARKSSL_PEM_KEY_PASSPHRASE_REQUIRED, + + /** KEY_UNRECOGNIZED_FORMAT */ + SHARKSSL_PEM_KEY_UNRECOGNIZED_FORMAT, + + /** KEY_UNSUPPORTED_FORMAT */ + SHARKSSL_PEM_KEY_UNSUPPORTED_FORMAT, + + /** KEY_UNSUPPORTED_MODULUS_LENGTH */ + SHARKSSL_PEM_KEY_UNSUPPORTED_MODULUS_LENGTH, + + /** KEY_UNSUPPORTED_ENCRYPTION_TYPE */ + SHARKSSL_PEM_KEY_UNSUPPORTED_ENCRYPTION_TYPE, + + /** KEY_CERT_MISMATCH */ + SHARKSSL_PEM_KEY_CERT_MISMATCH, + + /** CERT_UNRECOGNIZED_FORMAT */ + SHARKSSL_PEM_CERT_UNRECOGNIZED_FORMAT, + + /** CERT_UNSUPPORTED_TYPE */ + SHARKSSL_PEM_CERT_UNSUPPORTED_TYPE, + + /** KEY_UNSUPPORTED_VERSION */ + SHARKSSL_PEM_KEY_UNSUPPORTED_VERSION, + + /** INTERNAL ERROR */ + SHARKSSL_PEM_INTERNAL_ERROR +} sharkssl_PEM_RetVal; + + +/** fixme doc + */ +SHARKSSL_API sharkssl_PEM_RetVal sharkssl_PEM( + const char *certPEM, const char *keyPEM, + const char *passphrase, SharkSslCert *sharkSslCert); + +/** @} */ /* end group RayCryptoApi */ +#endif + +#if SHARKSSL_ENABLE_RSA + +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + +/** SHARKSSL_RSA_NO_PADDING for raw RSA encryption (insecure). + */ +#define SHARKSSL_RSA_NO_PADDING 0 + + +/** SHARKSSL_RSA_PKCS1_PADDING for + [PKCS #1 v1.5](http://tools.ietf.org/html/rfc2313). +*/ +#define SHARKSSL_RSA_PKCS1_PADDING 1 + + +/** Return values from functions #sharkssl_RSA_public_encrypt, + #sharkssl_RSA_private_decrypt, #sharkssl_RSA_public_decrypt, + #sharkssl_RSA_private_encrypt + */ +typedef enum +{ + /** OK */ + SHARKSSL_RSA_OK = 0, + + /** ALLOCATION_ERROR */ + SHARKSSL_RSA_ALLOCATION_ERROR = -3000, + + /** INTERNAL_ERROR */ + SHARKSSL_RSA_INTERNAL_ERROR = -3100, + + /** WRONG_PARAMETERS */ + SHARKSSL_RSA_WRONG_PARAMETERS, + + /** WRONG_KEY_FORMAT */ + SHARKSSL_RSA_WRONG_KEY_FORMAT, + + /** WRONG_KEY_LENGTH */ + SHARKSSL_RSA_WRONG_KEY_LENGTH, + + /** INPUT_DATA_LENGTH_TOO_BIG */ + SHARKSSL_RSA_INPUT_DATA_LENGTH_TOO_BIG, + + /** INPUT_DATA_LENGTH_AND_KEY_LENGTH_MISMATCH */ + SHARKSSL_RSA_INPUT_DATA_LENGTH_AND_KEY_LENGTH_MISMATCH, + + /** PKCS1_PADDING_ERROR */ + SHARKSSL_RSA_PKCS1_PADDING_ERROR +} sharkssl_RSA_RetVal; +#endif + +/** @} */ /* end group SharkSslInfoAndCodes */ + +#if SHARKSSL_ENABLE_RSA_API + +/** \defgroup RSA RSA encrypt/decrypt functions +\ingroup RayCryptoApi + +@{ +*/ + +/** SharkSslRSAKey is an alias for the #SharkSslCert type and is a + private/public key converted by sharkssl_PEM_to_RSAKey or the + command line tool [SharkSslParseKey](\ref SharkSslParseKey). + */ +typedef U8* SharkSslRSAKey; + +#if SHARKSSL_ENABLE_PEM_API +/** Convert an RSA private or public key in PEM format to the + #SharkSslRSAKey format. + + Note: the converted value must be released by calling + SharkSslRSAKey_free, when no longer needed. + + example: + \code + { + SharkSslRSAKey RSAKey; + ... + RSAKey = sharksslPEM_to_RSAKey(key, pass); + if (RSAKey) + { + ... + void SharkSslRSAKey_free(RSAKey); + } + } + \endcode + + \return the private/public key in #SharkSslRSAKey format or NULL if + the conversion fails. + */ +SHARKSSL_API SharkSslRSAKey sharkssl_PEM_to_RSAKey( + const char *PEMKey, const char *passphrase); + +/** Extract the public key form a certificate in PEM format + + Note: the converted value must be released by calling + SharkSslRSAKey_free, when no longer needed. + + example: + \code + { + SharkSslRSAKey RSAKey; + ... + RSAKey = sharkssl_PEM_extractPublicKey(cert); + if (RSAKey) + { + ... + void SharkSslRSAKey_free(RSAKey); + } + } + \endcode + + \return the certificate's public key in #SharkSslRSAKey format + or NULL if the conversion fails. + + */ +SHARKSSL_API SharkSslRSAKey +sharkssl_PEM_extractPublicKey(const char *certPEM); + +/** Release a SharkSslRSAKey allocated by functions #sharkssl_PEM_to_RSAKey + and sharkssl_PEM_extractPublicKey. + */ +SHARKSSL_API void SharkSslRSAKey_free(SharkSslRSAKey key); +#endif + +#if SHARKSSL_ENABLE_RSA + +/** Returns the private or public key's modulus size in bytes. + */ +SHARKSSL_API U16 SharkSslRSAKey_size(SharkSslRSAKey key); + +/** Encrypt data using the public key or private key. The private key + includes the public key an can for this reason be used for + encrypting the data. + + \param in the plaintext + + \param len is the length/size of parameter 'in'. This length must be + exactly #SharkSslRSAKey_size (key) when selecting + #SHARKSSL_RSA_NO_PADDING or a value between 1 and + (#SharkSslRSAKey_size (key) - 11) when selecting + SHARKSSL_RSA_PKCS1_PADDING. + + \param out the encrypted ciphertext is copied to this buffer. The + size of this buffer must be no less than #SharkSslRSAKey_size (key) + + \param key is the public key in SharkSslRSAKey format. + + \param padding is one of #SHARKSSL_RSA_PKCS1_PADDING or + #SHARKSSL_RSA_NO_PADDING + + \return the size of the encrypted ciphertext, or -1 if any error occurs + */ +SHARKSSL_API sharkssl_RSA_RetVal sharkssl_RSA_public_encrypt( + U16 len, U8 *in, U8 *out, SharkSslRSAKey key, U8 padding); + + +/** Decrypt ciphertext using the private key. + + \param len is the length/size of parameter 'in'. This length must be + exactly #SharkSslRSAKey_size (key). + + \param in the ciphertext + + \param out the decrypted ciphertext is copied to this buffer. The + size of this buffer must be no less than #SharkSslRSAKey_size (key) + + \param privkey is the private key in SharkSslRSAKey format. + + \param padding is one of #SHARKSSL_RSA_PKCS1_PADDING or + #SHARKSSL_RSA_NO_PADDING + + \return the size of the decrypted ciphertext, or -1 if any error occurs + */ +SHARKSSL_API sharkssl_RSA_RetVal sharkssl_RSA_private_decrypt( + U16 len, U8 *in, U8 *out, SharkSslRSAKey privkey, U8 padding); + + +/** Sign a message digest using the private key. + + \param in commonly, an algorithm identifier followed by a message digest + + \param len is the length/size of parameter 'in'. This length must be + exactly #SharkSslRSAKey_size (key) when selecting + #SHARKSSL_RSA_NO_PADDING or a value between 1 and + (#SharkSslRSAKey_size (key) - 11) when selecting + SHARKSSL_RSA_PKCS1_PADDING. + + \param out the signature is copied to this buffer. The size + of this buffer must be no less than #SharkSslRSAKey_size (key) + + \param privkey is the private key in SharkSslRSAKey format. + + \param padding is one of #SHARKSSL_RSA_PKCS1_PADDING or + #SHARKSSL_RSA_NO_PADDING + + \return the size of the signature, or -1 if any error occurs + */ +SHARKSSL_API sharkssl_RSA_RetVal sharkssl_RSA_private_encrypt( + U16 len, U8 *in, U8 *out, SharkSslRSAKey privkey, U8 padding); + + +/** Bring back a message digest using the public key or private key. + The private key includes the public key an can for this reason be used for + this operation. + + \param in the RSA signature + + \param len is the length/size of parameter 'in'. This length must be + exactly #SharkSslRSAKey_size (key). + + \param out the message digest is copied to this buffer. The size + of this buffer must be no less than #SharkSslRSAKey_size (key) + + \param key is the public key in SharkSslRSAKey format. + + \param padding is one of #SHARKSSL_RSA_PKCS1_PADDING or + #SHARKSSL_RSA_NO_PADDING + + \return the size of the obtained message digest, or -1 if any error occurs + */ +SHARKSSL_API sharkssl_RSA_RetVal sharkssl_RSA_public_decrypt( + U16 len, U8 *in, U8 *out, SharkSslRSAKey key, U8 padding); + +#endif + +/** @} */ /* end group RSA */ +#endif + + +/** To be used as hashlen parameter in sharkssl_ECDSA_ functions + These are the hash lengths for the functions implemented in SharkSSL/RayCrypto + + SHARKSSL_MD5_HASH_LEN + SHARKSSL_SHA1_HASH_LEN + SHARKSSL_SHA256_HASH_LEN + SHARKSSL_SHA384_HASH_LEN + SHARKSSL_SHA512_HASH_LEN + SHARKSSL_POLY1305_HASH_LEN + */ + + +#if SHARKSSL_USE_ECC + +/* + * use as curveID parameter + */ +#define SHARKSSL_EC_CURVE_ID_SECP192R1 19 +#define SHARKSSL_EC_CURVE_ID_SECP224R1 21 +#define SHARKSSL_EC_CURVE_ID_SECP256R1 23 +#define SHARKSSL_EC_CURVE_ID_SECP384R1 24 +#define SHARKSSL_EC_CURVE_ID_SECP521R1 25 + + +/** + @ingroup ECDSA + SharkSslECCKey is an alias for the #SharkSslCert type and is a + private/public key converted by #sharkssl_PEM_to_ECCKey or the + command line tool [SharkSslParseKey](\ref SharkSslParseKey). + */ +typedef U8* SharkSslECCKey; + +#if SHARKSSL_ENABLE_PEM_API +/** + @ingroup ECDSA + Convert an ECC private or public key in PEM format to the + #SharkSslECCKey format. + + Note: the converted value must be released by calling + SharkSslECCKey_free, when no longer needed. + + example: + \code + { + SharkSslECCKey ECCKey; + ... + ECCKey = sharksslPEM_to_ECCKey(key, pass); + if (ECCKey) + { + ... + void SharkSslECCKey_free(ECCKey); + } + } + \endcode + + \return the private/public key in #SharkSslECCKey format or NULL if + the conversion fails. + */ +SHARKSSL_API SharkSslECCKey sharkssl_PEM_to_ECCKey( + const char *PEMKey, const char *passphrase); +#endif + + +#if SHARKSSL_ENABLE_ECCKEY_CREATE +int SharkSslECCKey_create(SharkSslECCKey *key, U16 curveID); +#endif + + +#if (SHARKSSL_ENABLE_PEM_API || SHARKSSL_ENABLE_ECCKEY_CREATE) +/** Release a SharkSslECCKey allocated by functions #sharkssl_PEM_to_ECCKey + or #SharkSslECCKey_create + */ +SHARKSSL_API void SharkSslECCKey_free(SharkSslECCKey key); +#endif + +/** \addtogroup SharkSslInfoAndCodes +@{ +*/ + + +#if (SHARKSSL_ENABLE_ECDSA && SHARKSSL_ENABLE_ECDSA_API) +/** Return values from functions #sharkssl_ECDSA_sign_hash, + #sharkssl_ECDSA_verify_hash + */ +typedef enum +{ + /** OK */ + SHARKSSL_ECDSA_OK = 0, + + /** ALLOCATION_ERROR */ + SHARKSSL_ECDSA_ALLOCATION_ERROR = -3200, + + /** INTERNAL_ERROR */ + SHARKSSL_ECDSA_INTERNAL_ERROR = -3300, + + /** WRONG_PARAMETERS */ + SHARKSSL_ECDSA_WRONG_PARAMETERS, + + /** WRONG_KEY_FORMAT */ + SHARKSSL_ECDSA_WRONG_KEY_FORMAT, + + /** KEY_IS_NOT_PRIVATE */ + SHARKSSL_ECDSA_KEY_NOT_PRIVATE, + + /** KEY_IS_NOT_PUBLIC */ + SHARKSSL_ECDSA_KEY_NOT_PUBLIC, + + /** SIGLEN_TOO_SMALL */ + SHARKSSL_ECDSA_SIGLEN_TOO_SMALL, + + /** VERIFICATION_FAIL */ + SHARKSSL_ECDSA_VERIFICATION_FAIL, + + /** WRONG SIGNATURE */ + SHARKSSL_ECDSA_WRONG_SIGNATURE +} sharkssl_ECDSA_RetVal; + +/** @} */ /* end group SharkSslInfoAndCodes */ + +/** @addtogroup ECDSA +@{ +*/ + + +#if (!SHARKSSL_ECDSA_ONLY_VERIFY) +/** Returns the maximum length (in bytes) of a DER-encoded ECDSA + signature generated with the private key 'privkey'. This function + is typically used in combination with #sharkssl_ECDSA_sign_hash to + compute the maximum length of the signature and to allocate a + buffer large enough to hold the signature 'sig'. + + \param privkey is the private key in SharkSslECCKey format. + */ +SHARKSSL_API U16 sharkssl_ECDSA_siglen(SharkSslECCKey privkey); + +/** Generate the signature using the ECC private key and a hash. + + \param privkey is the private key in #SharkSslECCKey format. + + \param sig is a pointer to the buffer where the DER-encoded ECDSA + signature will be generated. The size of this buffer must not be + smaller than the value returned by #sharkssl_ECDSA_siglen for + param 'privkey'. The length of this buffer, which may be larger + than required, is provided in the next parameter (siglen). + + \param siglen is parameter "sig"'s length and is provided as an + input parameter. The signature length will be returned as output + parameter. + + \param hash the message digest obtained from a hash function + e.g. SHA256. + + \param hashlen the length of the message digest (see above). + + \return SHARKSSL_ECDSA_OK if the signature generation is succesful, + or one of the #sharkssl_ECDSA_RetVal error codes. + */ +SHARKSSL_API sharkssl_ECDSA_RetVal sharkssl_ECDSA_sign_hash( + SharkSslECCKey privkey, U8 *sig, U16 *siglen, U8 *hash, U8 hashlen); +#endif + +/** Verify a message using the ECC public key and a hash algorithm. + + \param pubkey is the public key in SharkSslECCKey format. + + \param sig is a pointer to the DER-encoded ECDSA signature + that is to be verified. + + \param siglen is parameter "sig"'s length. + + \param hash the message digest obtained from a hash function + e.g. SHA256. + + \param hashlen the length of the message digest (see above). + + \return SHARKSSL_ECDSA_OK if the signature verification is succesful, + or one of the #sharkssl_ECDSA_RetVal error codes. + */ +SHARKSSL_API sharkssl_ECDSA_RetVal sharkssl_ECDSA_verify_hash( + SharkSslECCKey pubkey, U8 *sig, U16 siglen, U8 *hash, U8 hashlen); + +#endif + +/** @} */ /* end group ECC */ +#endif + + +#if (SHARKSSL_ENABLE_CA_LIST && SHARKSSL_ENABLE_CERTSTORE_API) + +/** @addtogroup SharkSslCertApi +@{ +*/ + + +#ifndef BA_API /* standalone SharkSSL */ +#define BA_API SHARKSSL_API +typedef U8 BaBool; +#endif +#include "DoubleList.h" + +/** SharkSslCertStore is a container object used when assembling a + #SharkSslCAList. See #SharkSslCertStore_assemble for details. + */ +typedef struct SharkSslCertStore +{ + DoubleList certList; + SharkSslCAList caList; + U16 elements; /* number of elements in list */ +} SharkSslCertStore; + +/** Initialize a SharkSslCertStore object. See #SharkSslCertStore for + details. The object must reside in memory as long as the produced + SharkSslCAList is used by a SharkSSL object. + + \param o Uninitialized data of size sizeof(SharkSsl). + + \sa #SharkSslCertStore_assemble. +*/ +SHARKSSL_API void SharkSslCertStore_constructor(SharkSslCertStore *o); + +/** Cleanup all memory used by the SharkSslCAList object. + */ +SHARKSSL_API void SharkSslCertStore_destructor(SharkSslCertStore* o); + +/** Alias for SharkSslCertStore_destructor */ +#define SharkSslCertStore_release(o) SharkSslCertStore_destructor(o) + +/** add a certificate in PEM or p7b format to the CA store. A + convenient way to get CA's is to export the certificates from a + browser in PEM or p7b format. The p7b format is a container format + that can contain many CA's. + + \param o the SharkSslCertStore object. + \param cert is a one PEM cert or multiple certs in p7b format. + \param certlen is the length of parameter 'cert' + \sa SharkSslCertStore_assemble. + \return the number of certificates successfully parsed and added to + the certificate store or a negative value if memory could not be allocated. + */ +SHARKSSL_API U16 SharkSslCertStore_add( + SharkSslCertStore *o, const char *cert, U32 certlen); + +/** Assemble all certificates added by calling #SharkSslCertStore_add. + The SharkSslCertStore object can be released as soon as the + #SharkSslCAList is assembled. + + \param o the SharkSslCertStore object + \param outList is the SharkSslCAList out value + \return TRUE on success or FALSE if memory could not be allocated + \sa #SharkSslCertStore_destructor and #SharkSsl_setCAList + */ +SHARKSSL_API U8 SharkSslCertStore_assemble( + SharkSslCertStore *o, SharkSslCAList *outList); + +/** @} */ /* end group SharkSslCertApi */ +#endif /* SHARKSSL_ENABLE_CA_LIST && SHARKSSL_ENABLE_CERTSTORE_API */ + + + + + +#ifdef __cplusplus +} + +inline SharkSsl::SharkSsl( + SharkSsl_Role role, U16 cacheSize, U16 inBufStartSize, U16 outBufSize) { + SharkSsl_constructor(this, role, cacheSize, inBufStartSize, outBufSize); +} +inline SharkSsl::~SharkSsl() { + SharkSsl_destructor(this); +} +inline SharkSslCon *SharkSsl::createCon(void) { + return SharkSsl_createCon(this); +} +inline void SharkSsl::terminateCon(SharkSslCon *sslCon) { + SharkSsl_terminateCon(this, sslCon); +} + +#if (SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA) +inline U8 SharkSsl::addCertificate(SharkSslCert cert) { + return SharkSsl_addCertificate(this, cert); +} +#if SHARKSSL_ENABLE_CA_LIST +inline U8 SharkSsl::setCAList(SharkSslCAList caList) { + return SharkSsl_setCAList(this, caList); +} +#endif /* SHARKSSL_ENABLE_CA_LIST */ +#endif /* SHARKSSL_ENABLE_RSA || SHARKSSL_ENABLE_ECDSA */ + +#if SHARKSSL_ENABLE_PSK +inline U8 SharkSsl::setPSKTable(SharkSslPSKTable tablePSK) { + return SharkSsl_setPSKTable(this, tablePSK); +} +#endif /* SHARKSSL_ENABLE_PSK */ + +#endif /* __cplusplus */ + + +#endif