This package includes the SharkSSL lite library and header files.

Dependents:   WebSocket-Client-Example SharkMQ-LED-Demo


Description: SharkSSL is an SSL v3.0 TLS v1.0/1.1/1.2 implementation of the TLS and SSL protocol standard. With its array of compile-time options and Raycrypto proprietary cryptographic algorithms, SharkSSL can be fine-tuned to a footprint that occupies less than 20 kB, while maintaining full x.509 authentication. The SharkSSL-Lite download includes a subset of SharkSSL and header files made for use in non-commercial and for evaluation purposes.




SharkSSL-Lite includes a limited set of ciphers. To use SharkSSL-Lite, the peer side must support Elliptic Curve Cryptography (ECC) and you must use ECC certificates. The peer side must also support the new ChaCha20/Poly1305 cipher combination.

ChaCha20 and Poly1305 for TLS is published RFC 7905. The development of this new cipher was a response to many attacks discovered against other widely used TLS cipher suites. ChaCha20 is the cipher and Poly1305 is an authenticated encryption mode.

SharkSSL-Lite occupies less than 20kB, while maintaining full x.509 authentication. The ChaCha20/Poly1305 cipher software implementation is equally as fast as many hardware accelerated AES engines.

Creating ECC Certificates for SharkSSL-Lite

The following video shows how to create an Elliptic Curve Cryptography (ECC) certificate for a server, how to install the certificate in the server, and how to make the mbed clients connecting to the server trust this certificate. The server in this video is installed on a private/personal computer on a private network for test purposes. The video was produced for the article How to run your own secure IoT cloud server.

diff -r 000000000000 -r e0adec41ad6b inc/selib.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/inc/selib.h	Wed Apr 06 00:46:36 2016 +0000
@@ -0,0 +1,267 @@
+ *     ____             _________                __                _
+ *    / __ \___  ____ _/ /_  __(_)___ ___  ___  / /   ____  ____ _(_)____
+ *   / /_/ / _ \/ __ `/ / / / / / __ `__ \/ _ \/ /   / __ \/ __ `/ / ___/
+ *  / _, _/  __/ /_/ / / / / / / / / / / /  __/ /___/ /_/ / /_/ / / /__
+ * /_/ |_|\___/\__,_/_/ /_/ /_/_/ /_/ /_/\___/_____/\____/\__, /_/\___/
+ *                                                       /____/
+ *
+ *                 SharkSSL Embedded SSL/TLS Stack
+ ****************************************************************************
+ *
+ *   $Id: selib.h 3854 2016-03-08 17:40:24Z wini $
+ *
+ *   COPYRIGHT:  Real Time Logic LLC, 2013
+ *
+ *   This software is copyrighted by and is the sole property of Real
+ *   Time Logic LLC.  All rights, title, ownership, or other interests in
+ *   the software remain the property of Real Time Logic LLC.  This
+ *   software may only be used in accordance with the terms and
+ *   conditions stipulated in the corresponding license agreement under
+ *   which the software has been supplied.  Any unauthorized use,
+ *   duplication, transmission, distribution, or disclosure of this
+ *   software is expressly forbidden.
+ *
+ *   This Copyright notice may not be removed or modified without prior
+ *   written consent of Real Time Logic LLC.
+ *
+ *   Real Time Logic LLC. reserves the right to modify this software
+ *   without notice.
+ *
+ *     
+ *     
+ ****************************************************************************
+ *
+ */
+#ifndef _selib_h
+#define _selib_h
+#include <SharkSSL.h>
+#include <SharkSslEx.h>
+/** @addtogroup SharkExamples
+ */
+/** @defgroup selib SharkSSL Socket Example Lib
+    @ingroup SharkExamples
+The SharkSSL Socket Example Lib (selib.h/selib.c) is a basic module
+that wraps the transport agnostic SharkSSL functions for encoding and
+decoding into functions that interface to TCP/IP socket calls.
+![Socket Example Lib](@ref SharkSSL-selib.jpg)
+In addition, the file selib.c includes wrappers for standard BSD
+socket calls at the end of the file. TCP/IP stacks not using the BSD
+API must define NO_BSD_SOCK and implement the following functions in a
+separate file: #se_bind, #se_accept, #se_connect, #se_close,
+#se_sockValid, #se_send, and #se_recv.
+/** Use INFINITE_TMO for standard blocking call. */
+#define INFINITE_TMO (~((U32)0))
+#include <selibplat.h>
+#ifndef XPRINTF
+#define XPRINTF 1
+#define XPRINTF 0
+#include <string.h>
+#include <stdarg.h>
+#ifndef SE_CTX
+#define SeCtx void
+/** Infinite wait time option for socket read functions.
+ */
+#ifndef NO_BSD_SOCK
+/** The SOCKET object/handle is an 'int' when using a BSD compatible
+    TCP/IP stack. Non BSD compatible TCP IP stacks must set the macro
+    NO_BSD_SOCK and define the SOCKET object. See the header file
+    selib.h for details.
+#define SOCKET int
+#ifndef SOCKET_constructor
+#define SOCKET_constructor(o, ctx) (void)ctx,memset(o,0,sizeof(SOCKET))
+#ifdef __cplusplus
+extern "C" {
+   Performs the initial SSL handshaking using an asymmetric cipher in
+   order to establish cipher settings and a shared key for the session.
+   The function also validates the server's certificate and compares
+   the commonName provided in argument 3 with the common name in the
+   certificate, if commonName is provided (not NULL). The domain name
+   comparison works with and without the clone certificate API
+   <b>Note:</b> the function only performs basic certificate domain
+   name comparison and can only be used with server certificates that
+   does not include Subject Alternative Names (SAN Certificate). Use
+   the more advanced function #SharkSslCon_trusted for certificate
+   trust management if the server uses a SAN Certificate.
+   \param s the SharkSslCon object.
+   \param sock the SOCKET object.
+   \param timeout in milliseconds. The timeout can be set to #INFINITE_TMO.
+   \param commonName is optional and is used for certificate domain
+   name verification.
+   \return
+   - A negative value on error. The negative value is an inverted
+     #SharkSslCon_RetVal value.
+   - Zero on timeout.
+   - The return value is #SharkSslConTrust for any return value
+     greater than zero.
+   int seSec_handshake(
+      SharkSslCon *s, SOCKET* sock, U32 timeout, const char* commonName);
+/** Read data from socket stream and decode the encrypted data. The
+    buffer is managed by SharkSSL and the data returned is valid until
+    the next SharkSSL call. This function blocks until data is
+    available or until 'timeout' milliseconds.
+    \param s the SharkSslCon object.
+    \param sock the SOCKET object.
+    \param buf is a pointer set to the SharkSSL receive buffer offset to
+    the WebSocket payload data.
+    \param timeout in milliseconds. The timeout can be set to #INFINITE_TMO.
+    \return The function returns the number of bytes available in
+    'buf' on success. The function returns 0 on timeout and a negative
+    value on error.
+ */
+int seSec_read(SharkSslCon *s,SOCKET* sock,U8 **buf,U32 timeout);
+/** Encrypts and sends encrypted data to the connected peer side.
+    \return Zero on success or a negative value on error.
+int seSec_write(SharkSslCon *s, SOCKET* sock, U8* buf, int maxLen);
+/** Initializes a SOCKET object connected to a remote host/address at
+ * a given port.
+ \return  Zero on success.
+   Error codes returned:
+   \li \c -1 Cannot create socket: Fatal
+   \li \c -2 Cannot resolve 'address'
+   \li \c -3 Cannot connect
+int se_connect(SOCKET* sock, const char* address, U16 port);
+/** Initializes a SOCKET object bound to a local port, ready to accept
+    client connections.
+ \return Zero on success.
+   Error codes returned:
+   \li \c -1 Cannot create socket: Fatal
+   \li \c -2 Cannot listen: Fatal
+   \li \c -3 Cannot bind: socket in use
+ */
+int se_bind(SOCKET* sock, U16 port);
+/** Waits for remote connections on the server SOCKET object
+   'listenSock', initialized by function se_bind, and initializes
+   socket object 'outSock' to represent the new connection.
+   \return
+   \li \c 1 Success
+   \li \c 0 timeout
+   \li \c -1 error
+int se_accept(SOCKET** listenSock, U32 timeout, SOCKET** outSock);
+/** Close a connected socket connection.
+ */
+void se_close(SOCKET* sock);
+/** Returns TRUE if socket is valid (connected).
+ */
+int se_sockValid(SOCKET* sock);
+/** Sends data to the connected peer.
+ */
+S32 se_send(SOCKET* sock, const void* buf, U32 len);
+/** Waits for data sent by peer.
+    \param sock the SOCKET object.
+    \param buf is the data to send.
+    \param len is the 'buf' length.
+    \param timeout in milliseconds. The timeout can be set to #INFINITE_TMO.
+    \returns the length of the data read, zero on timeout, or a
+    negative value on error.
+ */
+S32 se_recv(SOCKET* sock, void* buf, U32 len, U32 timeout);
+/* Macro function designed for IPv4
+   sock: a pointer to SOCKET
+   buf: a buf large enough to hold 4 bytes
+   status: int pointer: out value is negative on error and 4 (len) on success
+#ifndef se_getSockName
+#define se_getSockName(sock, buf, status) do {                  \
+   struct sockaddr_in in; int size=sizeof(struct sockaddr_in);      \
+   *(status) = getsockname(*(sock), (struct sockaddr *)&in, &size); \
+   memcpy((buf), &in.sin_addr.s_addr, 4);                           \
+   if(*(status) == 0) *(status) = 4;                                \
+} while(0)
+#if XPRINTF == 1
+/** The macro xprintf expands to function _xprintf if the code is
+    compiled with XPRINTF set to 1.
+    \param data is standard printf arguments enclosed in parenthesis;
+    thus you must use double parenthesis when using macro xprintf.
+#define xprintf(data) _xprintf data
+/** The example code and macro xprintf requires this function when the
+    code is compiled with macro XPRINTF set to 1.
+    \param fmt the format string.
+    \param ... variable arguments.
+#ifndef _xprintf  /* to handle #define _xprintf printf */
+void _xprintf(const char* fmt, ...);
+#ifndef xprintf
+#define xprintf(data)
+/** Main entry for all example programs */
+void mainTask(SeCtx* ctx);
+#ifdef __cplusplus
+/** @} */ /* end group selib */
+/** @} */ /* end group Examples */