X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=resource%2Fcsdk%2Fconnectivity%2Fapi%2Fcasecurityinterface.h;h=264bac8fee6c5e0e1fc3e1a501ef05c031fa65c3;hb=03ae7cd73e2e10a8de75da40a0e476cc955b46b2;hp=cab30a7705f1d3b35b1d6fee7fa5aa74057af416;hpb=c2b7d54fdd4c59e3422d2ff635475eca0d7dec80;p=platform%2Fupstream%2Fiotivity.git diff --git a/resource/csdk/connectivity/api/casecurityinterface.h b/resource/csdk/connectivity/api/casecurityinterface.h index cab30a7..264bac8 100644 --- a/resource/csdk/connectivity/api/casecurityinterface.h +++ b/resource/csdk/connectivity/api/casecurityinterface.h @@ -27,19 +27,19 @@ #ifndef CA_SECURITY_INTERFACE_H_ #define CA_SECURITY_INTERFACE_H_ -#ifdef __WITH_X509__ -#include "pki.h" -#endif //__WITH_X509__ - +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) +#include "mbedtls/ssl.h" +#include "mbedtls/x509_crt.h" +#endif //__WITH_DTLS__ or __WITH_TLS__ #include "cacommon.h" +#include "byte_array.h" +#include "octypes.h" #ifdef __cplusplus extern "C" { #endif - -#ifdef __WITH_DTLS__ /** * @enum CADtlsPskCredType_t * Type of PSK credential required during DTLS handshake @@ -54,6 +54,44 @@ typedef enum } CADtlsPskCredType_t; /** + *@enum CASslEkcbRole_t + * type of SSL role to be used when invoking export key callback + */ +typedef enum +{ + CA_SSL_EKCB_CLIENT = 0, + CA_SSL_EKCB_SERVER = 1 +}CASslEkcbRole_t; + +/** + *@enum CASslEkcbProtocol_t + * type of SSL protocol(TLS or DTLS) to be used when invoking export key callback + */ +typedef enum +{ + CA_SSL_EKCB_TLS = 0, + CA_SSL_EKCB_DTLS = 1 +}CASslEkcbProtocol_t; + +/** + *@enum CACertificateVerificationStatus_t + * type of certificate status info to be used when invoking + * certificate verification status info callback + */ +typedef enum +{ + CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL = 0, + CA_CERTIFICATE_VERIFY_NO_CERT, + CA_CERTIFICATE_VERIFY_FAILED +} CACertificateVerificationStatus_t; + +/** + * Callback function type for certificate verification status. + * @param[in] status Certificate verification status info. + */ +typedef void (*CertificateVerificationCallback_t)(CACertificateVerificationStatus_t status); + +/** * This internal callback is used by CA layer to * retrieve PSK credentials from SRM. * @@ -66,93 +104,154 @@ typedef enum * @return The number of bytes written to @p result or a value * less than zero on error. */ -typedef int (*CAGetDTLSPskCredentialsHandler)(CADtlsPskCredType_t type, - const uint8_t *desc, size_t desc_len, - uint8_t *result, size_t result_length); +typedef int (*CAgetPskCredentialsHandler)(CADtlsPskCredType_t type, + const uint8_t *desc, size_t desc_len, + uint8_t *result, size_t result_length); +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) +#ifdef MULTIPLE_OWNER /** - * Register callback to receive the result of DTLS handshake. - * @param[in] dtlsHandshakeCallback callback for get dtls handshake result - * @return ::CA_STATUS_OK + * API to get a secure connected peer information + * + * @param[in] peer peer information includs IP address and port. + * + * @return secure connected peer information on success, otherwise NULL */ -CAResult_t CARegisterDTLSHandshakeCallback(CAErrorCallback dtlsHandshakeCallback); +const CASecureEndpoint_t *CAGetSecureEndpointData(const CAEndpoint_t *peer); +#endif //MULTIPLE_OWNER /** - * Register callback to get DTLS PSK credentials. - * @param[in] GetDTLSCredentials GetDTLS Credetials callback. - * @return ::CA_STATUS_OK + * API to set a secure endpoint identity with uuid + * + * @param[in] peer peer information includs IP address and port + * @param[in] uuid UUID of target device + * + * @return ::CA_STATUS_OK or appropriate error code */ -CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSPskCredentialsHandler GetDTLSCredentials); - -#endif //__WITH_DTLS__ +CAResult_t CASetSecureEndpointUuid(const CAEndpoint_t *peer, const char *uuid); +#endif -#ifdef __WITH_X509__ /** - * Binary structure containing certificate chain and certificate credentials - * for this device. + * This internal callback is used by CA layer to + * retrieve all credential types from SRM + * + * @param[out] list of enabled credential types for CA handshake + * + */ +typedef void (*CAgetCredentialTypesHandler)(bool * list); +/** + * Binary structure containing PKIX related info + * own certificate chain, public key, CA's and CRL's */ typedef struct { - // certificate message for DTLS - unsigned char certificateChain[MAX_CERT_MESSAGE_LEN]; - // length of the certificate message - uint32_t certificateChainLen; - // number of certificates in certificate message - uint8_t chainLen; - // x component of EC public key - uint8_t rootPublicKeyX[PUBLIC_KEY_SIZE / 2]; - // y component of EC public key - uint8_t rootPublicKeyY[PUBLIC_KEY_SIZE / 2]; - // EC private key - uint8_t devicePrivateKey[PRIVATE_KEY_SIZE]; - -} CADtlsX509Creds_t; - -/** - * @brief Callback function type for getting certificate credentials. - * @param credInfo [OUT] Certificate credentials info. Handler has to allocate new memory for - * credInfo which is then freed by CA - * @return NONE + // own certificate chain + ByteArray_t crt; + // own public key + ByteArray_t key; + // trusted CA's + ByteArray_t ca; + // trusted CRL's + ByteArray_t crl; +} PkiInfo_t; + +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) +/** + * this callback will be invoked to utilize peer certificate information */ -typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo); +typedef int (*PeerCertCallback)(void *ctx, const mbedtls_x509_crt *peerCert, + int depth); + /** - * @brief Callback function type for getting CRL. - * @param crlInfo [OUT] Certificate credentials info. Handler has to allocate new memory for - * credInfo which is then freed by CA - * @return NONE + * API to set callback used to utilize peer certificate information + * @param[in] peerCertCallback callback to utilize certificate information + * + * return CA_STATUS_OK on success + */ +CAResult_t CAsetPeerCertCallback(void *ctx, PeerCertCallback peerCertCallback); +#endif + +/** + * Register callback to receive credential types. + * @param[in] credTypesCallback callback to get cerdential types + * @return ::CA_STATUS_OK + */ +CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler credTypesCallback); +/** + * Register callback to receive the result of TLS handshake. + * @param[in] tlsHandshakeCallback callback for get tls handshake result + * @return ::CA_STATUS_OK + */ +CAResult_t CAregisterSslHandshakeCallback(CAErrorCallback tlsHandshakeCallback); + +/** + * Register callback to get TLS PSK credentials. + * @param[in] getTLSCredentials GetDTLS Credetials callback. + * @return ::CA_STATUS_OK */ -typedef void (*CAGetDTLSCrlHandler)(ByteArray* crlInfo); +CAResult_t CAregisterPskCredentialsHandler(CAgetPskCredentialsHandler getTlsCredentials); /** - * @brief Register callback to get DTLS Cert credentials. - * @param GetCertCredentials [IN] GetCert Credetials callback - * @return #CA_STATUS_OK + * @brief Callback function type for getting PKIX info + * + * @param inf[out] PKIX related info + * + * @return NONE */ -CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials); +typedef void (*CAgetPkixInfoHandler)(PkiInfo_t * inf); + +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) /** - * @brief Register callback to get CRL. - * @param GetCrl [IN] GetCrl callback - * @return #CA_STATUS_OK + * @brief Callback function type for setup PK context + * + * @param pkCtx[in] mbedtls's PK context + * + * @return 0 on success */ -CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl); -#endif //__WITH_X509__ +typedef int (*CAsetupPkContextHandler)(mbedtls_pk_context * pkCtx); +/** + * Register callback to setup PK Context + * @param[in] setupPkContextCallback Callback function to setup PK context. + * @return ::CA_STATUS_OK or appropriate error code. + */ +CAResult_t CAregisterSetupPkContextHandler(CAsetupPkContextHandler setupPkContextHandler); +#endif //__WITH_DTLS__ or __WITH_TLS__ -#ifdef __WITH_DTLS__ +/** + * Register callback to get PKIX related info. + * @param[in] getPkixInfoHandler Get PKIX related info callback. + * @return ::CA_STATUS_OK or appropriate error code. + */ +CAResult_t CAregisterPkixInfoHandler(CAgetPkixInfoHandler getPkixInfoHandler); +/** + * Register callback to get types of TLS suites. + * @param[in] getCredTypesHandler Get types of TLS suites callback. + * @return ::CA_STATUS_OK or appropriate error code. + */ +CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler getCredTypesHandler); /** * Select the cipher suite for dtls handshake. * * @param[in] cipher cipher suite (Note : Make sure endianness). - * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA - * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8 - * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D + * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C + * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 + * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 + * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 + * @param[in] adapter transport adapter (TCP/IP/BLE) * * @retval ::CA_STATUS_OK Successful. * @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments. * @retval ::CA_STATUS_FAILED Operation failed. */ -CAResult_t CASelectCipherSuite(const uint16_t cipher); +CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapter); /** * Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls. @@ -181,7 +280,7 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable); * @param[in] provServerDeviceID label of previous owner. * @param[in] provServerDeviceIDLen byte length of provServerDeviceID. * @param[in,out] ownerPSK Output buffer for owner PSK. - * @param[in] ownerPSKSize Byte length of the ownerPSK to be generated. + * @param[in] ownerPskSize Byte length of the ownerPSK to be generated. * * @retval ::CA_STATUS_OK Successful. * @retval ::CA_STATUS_FAILED Operation failed. @@ -192,7 +291,7 @@ CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t *endpoint, const size_t rsrcServerDeviceIDLen, const uint8_t* provServerDeviceID, const size_t provServerDeviceIDLen, - uint8_t* ownerPSK, const size_t ownerPSKSize); + uint8_t* ownerPSK, const size_t ownerPskSize); /** * Initiate DTLS handshake with selected cipher suite. @@ -212,9 +311,102 @@ CAResult_t CAInitiateHandshake(const CAEndpoint_t *endpoint); * @retval ::CA_STATUS_OK Successful. * @retval ::CA_STATUS_FAILED Operation failed. */ -CAResult_t CACloseDtlsSession(const CAEndpoint_t *endpoint); +CAResult_t CAcloseSslSession(const CAEndpoint_t *endpoint); + +/** + * Initiate TLS handshake with selected cipher suite. + * + * @param[in] endpoint information of network address. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint); + +/** + * Close the DTLS session. + * + * @param[in] endpoint information of network address. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CAcloseSslConnection(const CAEndpoint_t *endpoint); + +#ifdef __TIZEN__ +/** + * Close the DTLS session and free endpoint. + * + * @param[in] endpoint information of network address; + * CAcloseSslConnectionWrapper takes ownership of endpoint + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CAcloseSslConnectionFreeEndpoint(CAEndpoint_t *endpoint); +#endif //__TIZEN__ + +/** + * Close the TLS session using UUID + * + * @param[in] identity UUID of target device + * @param[in] idLength Byte length of 'identity' + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CAcloseSslConnectionUsingUuid(const uint8_t *identity, size_t idLength); + +/** + * Close All of DTLS sessions. + */ +void CAcloseSslConnectionAll(CATransportAdapter_t transportType); + +#if defined(__WITH_TLS__) || defined(__WITH_DTLS__) + +/** + * @brief Callback type: Export key block and master secret + * @note This is required for certain uses of TLS, e.g. EAP-TLS + * (RFC 5216) and Thread. The key pointers are ephemeral and + * therefore must not be stored. The master secret and keys + * should not be used directly except as an input to a key + * derivation function. + * + * @aram[in] masterSecret Pointer to master secret (fixed length: 48 bytes) + * @param[in] keyBlock Pointer to key block, see RFC 5246 section 6.3 + * (variable length: 2 * maclen + 2 * keylen + 2 * ivlen). + * @param[in] maclen MAC length + * @param[in] keylen Key length + * @param[in] ivlen IV length + */ +typedef void (*SslExportKeysCallback_t)(const unsigned char* masterSecret, + const unsigned char* keyBlock, + size_t macLen, size_t keyLen, size_t ivLen); + +/** + * API to set a export SSL(TLS/DTLS) key callback. + * This callback will be invoked when SSL handshake occured. + * + * @param[in] exportKeysCb implementation of SslExportKeysCallback_t + * @param[in] protocol CA_SSL_EKCB_TLS=TLS, CA_SSL_EKCB_DTLS=DTLS (@ref CASslEkcbProtocol_t) + * @param[in] role CA_SSL_EKCB_CLIENT=client, CA_SSL_EKCB_SERVER=server (@ref CASslEkcbRole_t) + * + * @return CA_STATUS_OK on success, otherwise fail. + */ +CAResult_t CASetSslExportKeysCallback(SslExportKeysCallback_t exportKeysCb, + CASslEkcbProtocol_t protocol, CASslEkcbRole_t role); + +/** + * API to set certificate verification callback. + */ +void CAsetCertificateVerificationCallback(CertificateVerificationCallback_t noCertCallback); + +/** + * API to unset certificate verification callback. + */ +void CAunsetCertificateVerificationCallback(); -#endif /* __WITH_DTLS__ */ +#endif //__WITH_TLS__ or __WITH_DTLS__ #ifdef __cplusplus