#ifndef CA_SECURITY_INTERFACE_H_
#define CA_SECURITY_INTERFACE_H_
-
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+#include "mbedtls/ssl.h"
+#include "mbedtls/x509_crt.h"
+#endif //__WITH_DTLS__ or __WITH_TLS__
#include "cacommon.h"
#include "byte_array.h"
} CADtlsPskCredType_t;
/**
+ *@enum CASslEkcbRole_t
+ * type of SSL role to be used when invoking export key callback
+ */
+typedef enum
+{
+ CA_SSL_EKCB_CLIENT = 0,
+ CA_SSL_EKCB_SERVER = 1
+}CASslEkcbRole_t;
+
+/**
+ *@enum CASslEkcbProtocol_t
+ * type of SSL protocol(TLS or DTLS) to be used when invoking export key callback
+ */
+typedef enum
+{
+ CA_SSL_EKCB_TLS = 0,
+ CA_SSL_EKCB_DTLS = 1
+}CASslEkcbProtocol_t;
+
+/**
* This internal callback is used by CA layer to
* retrieve PSK credentials from SRM.
*
uint8_t *result, size_t result_length);
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
-#ifdef _ENABLE_MULTIPLE_OWNER_
+#ifdef MULTIPLE_OWNER
/**
* API to get a secure connected peer information
*
* @return secure connected peer information on success, otherwise NULL
*/
const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer);
-#endif //_ENABLE_MULTIPLE_OWNER_
+#endif //MULTIPLE_OWNER
#endif
/**
ByteArray_t crl;
} PkiInfo_t;
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+/**
+ * this callback will be invoked to utilize peer certificate information
+ */
+typedef int (*PeerCertCallback)(void *ctx, const mbedtls_x509_crt *peerCert,
+ int depth);
+
+/**
+ * API to set callback used to utilize peer certificate information
+ * @param[in] peerCertCallback callback to utilize certificate information
+ *
+ * return CA_STATUS_OK on success
+ */
+CAResult_t CAsetPeerCertCallback(void *ctx, PeerCertCallback peerCertCallback);
+#endif
+
/**
* Register callback to receive credential types.
* @param[in] credTypesCallback callback to get cerdential types
* @return ::CA_STATUS_OK
*/
-CAResult_t CAregisterGetCredentialTypesCallback(CAgetCredentialTypesHandler credTypesCallback);
+CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler credTypesCallback);
/**
* Register callback to receive the result of TLS handshake.
* @param[in] tlsHandshakeCallback callback for get tls handshake result
*/
typedef void (*CAgetPkixInfoHandler)(PkiInfo_t * inf);
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+/**
+ * @brief Callback function type for setup PK context
+ *
+ * @param pkCtx[in] mbedtls's PK context
+ *
+ * @return 0 on success
+ */
+typedef int (*CAsetupPkContextHandler)(mbedtls_pk_context * pkCtx);
+
+/**
+ * Register callback to setup PK Context
+ * @param[in] setupPkContextCallback Callback function to setup PK context.
+ * @return ::CA_STATUS_OK or appropriate error code.
+ */
+CAResult_t CAregisterSetupPkContextHandler(CAsetupPkContextHandler setupPkContextHandler);
+#endif //__WITH_DTLS__ or __WITH_TLS__
+
/**
* Register callback to get PKIX related info.
* @param[in] getPkixInfoHandler Get PKIX related info callback.
* Select the cipher suite for dtls handshake.
*
* @param[in] cipher cipher suite (Note : Make sure endianness).
- * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA
- * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8
- * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+ * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D
+ * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
+ * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
+ * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
+ * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
+ * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
+ * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
+ * @param[in] adapter transport adapter (TCP/IP/BLE)
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments.
*/
CAResult_t CAcloseSslConnection(const CAEndpoint_t *endpoint);
+/**
+ * Close the TLS session using UUID
+ *
+ * @param[in] identity UUID of target device
+ * @param[in] idLength Byte length of 'identity'
+ *
+ * @retval ::CA_STATUS_OK Successful.
+ * @retval ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CAcloseSslConnectionUsingUuid(const uint8_t *identity, size_t idLength);
/**
* Close All of DTLS sessions.
*/
-void CAcloseSslConnectionAll();
+void CAcloseSslConnectionAll(CATransportAdapter_t transportType);
+
+#if defined(__WITH_TLS__) || defined(__WITH_DTLS__)
+
+/**
+ * @brief Callback type: Export key block and master secret
+ * @note This is required for certain uses of TLS, e.g. EAP-TLS
+ * (RFC 5216) and Thread. The key pointers are ephemeral and
+ * therefore must not be stored. The master secret and keys
+ * should not be used directly except as an input to a key
+ * derivation function.
+ *
+ * @aram[in] masterSecret Pointer to master secret (fixed length: 48 bytes)
+ * @param[in] keyBlock Pointer to key block, see RFC 5246 section 6.3
+ * (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * @param[in] maclen MAC length
+ * @param[in] keylen Key length
+ * @param[in] ivlen IV length
+ */
+typedef void (*SslExportKeysCallback_t)(const unsigned char* masterSecret,
+ const unsigned char* keyBlock,
+ size_t macLen, size_t keyLen, size_t ivLen);
+
+/**
+ * API to set a export SSL(TLS/DTLS) key callback.
+ * This callback will be invoked when SSL handshake occured.
+ *
+ * @param[in] exportKeysCb implementation of SslExportKeysCallback_t
+ * @param[in] protocol CA_SSL_EKCB_TLS=TLS, CA_SSL_EKCB_DTLS=DTLS (@ref CASslEkcbProtocol_t)
+ * @param[in] role CA_SSL_EKCB_CLIENT=client, CA_SSL_EKCB_SERVER=server (@ref CASslEkcbRole_t)
+ *
+ * @return CA_STATUS_OK on success, otherwise fail.
+ */
+CAResult_t CASetSslExportKeysCallback(SslExportKeysCallback_t exportKeysCb,
+ CASslEkcbProtocol_t protocol, CASslEkcbRole_t role);
+
+#endif //__WITH_TLS__ or __WITH_DTLS__
+
#ifdef __cplusplus
} /* extern "C" */