ESP8266
Functions
Standard C API

The standard interface in C. More...

Functions

SSL_CTX * ssl_ctx_new (uint32_t options, int num_sessions)
 Establish a new client/server context. More...
 
void ssl_ctx_free (SSL_CTX *ssl_ctx)
 Remove a client/server context. More...
 
SSL * ssl_server_new (SSL_CTX *ssl_ctx, int client_fd)
 (server only) Establish a new SSL connection to an SSL client. More...
 
SSL * ssl_client_new (SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size)
 (client only) Establish a new SSL connection to an SSL server. More...
 
void ssl_free (SSL *ssl)
 Free any used resources on this connection. More...
 
int ssl_read (SSL *ssl, uint8_t **in_data)
 Read the SSL data stream. If the socket is non-blocking and data is blocked then SSO_OK will be returned. More...
 
int ssl_write (SSL *ssl, const uint8_t *out_data, int out_len)
 Write to the SSL data stream. if the socket is non-blocking and data is blocked then a check is made to ensure that all data is sent (i.e. blocked mode is forced). More...
 
SSL * ssl_find (SSL_CTX *ssl_ctx, int client_fd)
 Find an ssl object based on a file descriptor. More...
 
const uint8_t * ssl_get_session_id (const SSL *ssl)
 Get the session id for a handshake. More...
 
uint8_t ssl_get_session_id_size (const SSL *ssl)
 Get the session id size for a handshake. More...
 
uint8_t ssl_get_cipher_id (const SSL *ssl)
 Return the cipher id (in the SSL form). More...
 
int ssl_handshake_status (const SSL *ssl)
 Return the status of the handshake. More...
 
int ssl_get_config (int offset)
 Retrieve various parameters about the axTLS engine. More...
 
void ssl_display_error (int error_code)
 Display why the handshake failed. More...
 
int ssl_verify_cert (const SSL *ssl)
 Authenticate a received certificate. More...
 
int ssl_match_fingerprint (const SSL *ssl, const uint8_t *fp)
 Check if certificate fingerprint (SHA1) matches the one given. More...
 
const char * ssl_get_cert_dn (const SSL *ssl, int component)
 Retrieve an X.509 distinguished name component. More...
 
const char * ssl_get_cert_subject_alt_dnsname (const SSL *ssl, int dnsindex)
 Retrieve a Subject Alternative DNSName. More...
 
int ssl_renegotiate (SSL *ssl)
 Force the client to perform its handshake again. More...
 
int ssl_obj_load (SSL_CTX *ssl_ctx, int obj_type, const char *filename, const char *password)
 Process a file that is in binary DER or ASCII PEM format. More...
 
int ssl_obj_memory_load (SSL_CTX *ssl_ctx, int obj_type, const uint8_t *data, int len, const char *password)
 Process binary data. More...
 
const char * ssl_version (void)
 Return the axTLS library version as a string. More...
 

Detailed Description

The standard interface in C.

Function Documentation

SSL* ssl_client_new ( SSL_CTX *  ssl_ctx,
int  client_fd,
const uint8_t *  session_id,
uint8_t  sess_id_size 
)

(client only) Establish a new SSL connection to an SSL server.

It is up to the application to establish the initial logical connection (whether it is a socket, serial connection etc).

This is a normally a blocking call - it will finish when the handshake is complete (or has failed). To use in non-blocking mode, set SSL_CONNECT_IN_PARTS in ssl_ctx_new().

Parameters
ssl_ctx[in] The client context.
client_fd[in] The client's file descriptor.
session_id[in] A 32 byte session id for session resumption. This can be null if no session resumption is being used or required. This option is not used in skeleton mode.
sess_id_sizeThe size of the session id (max 32)
Returns
An SSL object reference. Use ssl_handshake_status() to check if a handshake succeeded.
void ssl_ctx_free ( SSL_CTX *  ssl_ctx)

Remove a client/server context.

Frees any used resources used by this context. Each connection will be sent a "Close Notify" alert (if possible).

Parameters
ssl_ctx[in] The client/server context.
SSL_CTX* ssl_ctx_new ( uint32_t  options,
int  num_sessions 
)

Establish a new client/server context.

This function is called before any client/server SSL connections are made.

Each new connection will use the this context's private key and certificate chain. If a different certificate chain is required, then a different context needs to be be used.

There are two threading models supported - a single thread with one SSL_CTX can support any number of SSL connections - and multiple threads can support one SSL_CTX object each (the default). But if a single SSL_CTX object uses many SSL objects in individual threads, then the CONFIG_SSL_CTX_MUTEXING option needs to be configured.

Parameters
options[in] Any particular options. At present the options supported are:
  • SSL_SERVER_VERIFY_LATER (client only): Don't stop a handshake if the server authentication fails. The certificate can be authenticated later with a call to ssl_verify_cert().
  • SSL_CLIENT_AUTHENTICATION (server only): Enforce client authentication i.e. each handshake will include a "certificate request" message from the server. Only available if verification has been enabled.
  • SSL_DISPLAY_BYTES (full mode build only): Display the byte sequences during the handshake.
  • SSL_DISPLAY_STATES (full mode build only): Display the state changes during the handshake.
  • SSL_DISPLAY_CERTS (full mode build only): Display the certificates that are passed during a handshake.
  • SSL_DISPLAY_RSA (full mode build only): Display the RSA key details that are passed during a handshake.
  • SSL_CONNECT_IN_PARTS (client only): To use a non-blocking version of ssl_client_new().
num_sessions[in] The number of sessions to be used for session caching. If this value is 0, then there is no session caching. This option is not used in skeleton mode.
Returns
A client/server context.
void ssl_display_error ( int  error_code)

Display why the handshake failed.

This call is only useful in a 'full mode' build. The output is to stdout.

Parameters
error_code[in] An error code.
See also
ssl.h for the error code list.
SSL* ssl_find ( SSL_CTX *  ssl_ctx,
int  client_fd 
)

Find an ssl object based on a file descriptor.

Goes through the list of SSL objects maintained in a client/server context to look for a file descriptor match.

Parameters
ssl_ctx[in] The client/server context.
client_fd[in] The file descriptor.
Returns
A reference to the SSL object. Returns null if the object could not be found.
void ssl_free ( SSL *  ssl)

Free any used resources on this connection.

A "Close Notify" message is sent on this connection (if possible). It is up to the application to close the socket or file descriptor.

Parameters
ssl[in] The ssl object reference.
const char* ssl_get_cert_dn ( const SSL *  ssl,
int  component 
)

Retrieve an X.509 distinguished name component.

When a handshake is complete and a certificate has been exchanged, then the details of the remote certificate can be retrieved.

This will usually be used by a client to check that the server's common name matches the URL.

Parameters
ssl[in] An SSL object reference.
component[in] one of:
  • SSL_X509_CERT_COMMON_NAME
  • SSL_X509_CERT_ORGANIZATION
  • SSL_X509_CERT_ORGANIZATIONAL_NAME
  • SSL_X509_CA_CERT_COMMON_NAME
  • SSL_X509_CA_CERT_ORGANIZATION
  • SSL_X509_CA_CERT_ORGANIZATIONAL_NAME
Returns
The appropriate string (or null if not defined)
Note
Verification build mode must be enabled.
const char* ssl_get_cert_subject_alt_dnsname ( const SSL *  ssl,
int  dnsindex 
)

Retrieve a Subject Alternative DNSName.

When a handshake is complete and a certificate has been exchanged, then the details of the remote certificate can be retrieved.

This will usually be used by a client to check that the server's DNS name matches the URL.

Parameters
ssl[in] An SSL object reference.
dnsindex[in] The index of the DNS name to retrieve.
Returns
The appropriate string (or null if not defined)
Note
Verification build mode must be enabled.
uint8_t ssl_get_cipher_id ( const SSL *  ssl)

Return the cipher id (in the SSL form).

Parameters
ssl[in] An SSL object reference.
Returns
The cipher id. This will be one of the following:
  • SSL_AES128_SHA (0x2f)
  • SSL_AES256_SHA (0x35)
  • SSL_RC4_128_SHA (0x05)
  • SSL_RC4_128_MD5 (0x04)
int ssl_get_config ( int  offset)

Retrieve various parameters about the axTLS engine.

Parameters
offset[in] The configuration offset. It will be one of the following:
  • SSL_BUILD_MODE The build mode. This will be one of the following:
    • SSL_BUILD_SERVER_ONLY (basic server mode)
    • SSL_BUILD_ENABLE_VERIFICATION (server can do client authentication)
    • SSL_BUILD_ENABLE_CLIENT (client/server capabilties)
    • SSL_BUILD_FULL_MODE (client/server with diagnostics)
    • SSL_BUILD_SKELETON_MODE (skeleton mode)
  • SSL_MAX_CERT_CFG_OFFSET The maximum number of certificates allowed.
  • SSL_MAX_CA_CERT_CFG_OFFSET The maximum number of CA certificates allowed.
  • SSL_HAS_PEM 1 if supported
Returns
The value of the requested parameter.
const uint8_t* ssl_get_session_id ( const SSL *  ssl)

Get the session id for a handshake.

This will be a 32 byte sequence and is available after the first handshaking messages are sent.

Parameters
ssl[in] An SSL object reference.
Returns
The session id as a 32 byte sequence.
Note
A SSLv23 handshake may have only 16 valid bytes.
uint8_t ssl_get_session_id_size ( const SSL *  ssl)

Get the session id size for a handshake.

This will normally be 32 but could be 0 (no session id) or something else.

Parameters
ssl[in] An SSL object reference.
Returns
The size of the session id.
int ssl_handshake_status ( const SSL *  ssl)

Return the status of the handshake.

Parameters
ssl[in] An SSL object reference.
Returns
SSL_OK if the handshake is complete and ok.
See also
ssl.h for the error code list.
int ssl_match_fingerprint ( const SSL *  ssl,
const uint8_t *  fp 
)

Check if certificate fingerprint (SHA1) matches the one given.

Parameters
ssl[in] An SSL object reference.
fp[in] SHA1 fingerprint to match against
Returns
SSL_OK if the certificate is verified.
int ssl_obj_load ( SSL_CTX *  ssl_ctx,
int  obj_type,
const char *  filename,
const char *  password 
)

Process a file that is in binary DER or ASCII PEM format.

These are temporary objects that are used to load private keys, certificates etc into memory.

Parameters
ssl_ctx[in] The client/server context.
obj_type[in] The format of the file. Can be one of:
  • SSL_OBJ_X509_CERT (no password required)
  • SSL_OBJ_X509_CACERT (no password required)
  • SSL_OBJ_RSA_KEY (AES128/AES256 PEM encryption supported)
  • SSL_OBJ_PKCS8 (RC4-128 encrypted data supported)
  • SSL_OBJ_PKCS12 (RC4-128 encrypted data supported)

PEM files are automatically detected (if supported). The object type is also detected, and so is not relevant for these types of files.

Parameters
filename[in] The location of a file in DER/PEM format.
password[in] The password used. Can be null if not required.
Returns
SSL_OK if all ok
Note
Not available in skeleton build mode.
int ssl_obj_memory_load ( SSL_CTX *  ssl_ctx,
int  obj_type,
const uint8_t *  data,
int  len,
const char *  password 
)

Process binary data.

These are temporary objects that are used to load private keys, certificates etc into memory.

Parameters
ssl_ctx[in] The client/server context.
obj_type[in] The format of the memory data.
data[in] The binary data to be loaded.
len[in] The amount of data to be loaded.
password[in] The password used. Can be null if not required.
Returns
SSL_OK if all ok
See also
ssl_obj_load for more details on obj_type.
int ssl_read ( SSL *  ssl,
uint8_t **  in_data 
)

Read the SSL data stream. If the socket is non-blocking and data is blocked then SSO_OK will be returned.

Parameters
ssl[in] An SSL object reference.
in_data[out] If the read was successful, a pointer to the read buffer will be here. Do NOT ever free this memory as this buffer is used in sucessive calls. If the call was unsuccessful, this value will be null.
Returns
The number of decrypted bytes:
  • if > 0, then the handshaking is complete and we are returning the number of decrypted bytes.
  • SSL_OK if the handshaking stage is successful (but not yet complete).
  • < 0 if an error.
See also
ssl.h for the error code list.
Note
Use in_data before doing any successive ssl calls.
int ssl_renegotiate ( SSL *  ssl)

Force the client to perform its handshake again.

For a client this involves sending another "client hello" message. For the server is means sending a "hello request" message.

This is a blocking call on the client (until the handshake completes).

Parameters
ssl[in] An SSL object reference.
Returns
SSL_OK if renegotiation instantiation was ok
SSL* ssl_server_new ( SSL_CTX *  ssl_ctx,
int  client_fd 
)

(server only) Establish a new SSL connection to an SSL client.

It is up to the application to establish the logical connection (whether it is a socket, serial connection etc).

Parameters
ssl_ctx[in] The server context.
client_fd[in] The client's file descriptor.
Returns
An SSL object reference.
int ssl_verify_cert ( const SSL *  ssl)

Authenticate a received certificate.

This call is usually made by a client after a handshake is complete and the context is in SSL_SERVER_VERIFY_LATER mode.

Parameters
ssl[in] An SSL object reference.
Returns
SSL_OK if the certificate is verified.
const char* ssl_version ( void  )

Return the axTLS library version as a string.

int ssl_write ( SSL *  ssl,
const uint8_t *  out_data,
int  out_len 
)

Write to the SSL data stream. if the socket is non-blocking and data is blocked then a check is made to ensure that all data is sent (i.e. blocked mode is forced).

Parameters
ssl[in] An SSL obect reference.
out_data[in] The data to be written
out_len[in] The number of bytes to be written.
Returns
The number of bytes sent, or if < 0 if an error.
See also
ssl.h for the error code list.