nrf_tls.h 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
  1. /**
  2. * Copyright (c) 2015 - 2019, Nordic Semiconductor ASA
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without modification,
  7. * are permitted provided that the following conditions are met:
  8. *
  9. * 1. Redistributions of source code must retain the above copyright notice, this
  10. * list of conditions and the following disclaimer.
  11. *
  12. * 2. Redistributions in binary form, except as embedded into a Nordic
  13. * Semiconductor ASA integrated circuit in a product or a software update for
  14. * such product, must reproduce the above copyright notice, this list of
  15. * conditions and the following disclaimer in the documentation and/or other
  16. * materials provided with the distribution.
  17. *
  18. * 3. Neither the name of Nordic Semiconductor ASA nor the names of its
  19. * contributors may be used to endorse or promote products derived from this
  20. * software without specific prior written permission.
  21. *
  22. * 4. This software, with or without modification, must only be used with a
  23. * Nordic Semiconductor ASA integrated circuit.
  24. *
  25. * 5. Any software provided in binary form under this license must not be reverse
  26. * engineered, decompiled, modified and/or disassembled.
  27. *
  28. * THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
  29. * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  30. * OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
  31. * DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
  32. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  33. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
  34. * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  35. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  36. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  37. * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38. *
  39. */
  40. /**@file nrf_tls.h
  41. *
  42. * @defgroup iot_nrf_tls TLS on nRF5x
  43. * @ingroup iot_sdk_common
  44. * @{
  45. * @brief TLS interface on nRF5x.
  46. *
  47. * @details Defines TLS interface for securing UDP/TCP transport using DTLS/TLS respectively.
  48. * The interface integrates TLS library with needed libraries/drivers on the nRF.
  49. *
  50. */
  51. #ifndef NRF_TLS_H__
  52. #define NRF_TLS_H__
  53. #include <stdint.h>
  54. #include <stdlib.h>
  55. #ifdef __cplusplus
  56. extern "C" {
  57. #endif
  58. /**@brief Maximum number of TLS instances to be supported. */
  59. #define NRF_TLS_INVALID_INSTANCE_IDENTIFIER 0xFFFFFFFF
  60. /**@brief Initializes the TLS instance. */
  61. #define NRF_TLS_INTSANCE_INIT(INSTANCE) \
  62. do \
  63. { \
  64. (INSTANCE)->transport_id = NRF_TLS_INVALID_INSTANCE_IDENTIFIER; \
  65. (INSTANCE)->instance_id = NRF_TLS_INVALID_INSTANCE_IDENTIFIER; \
  66. }while(0)
  67. /**@brief Transport type definitions. The type determines whether TLS or DTLS shall be used. */
  68. typedef enum
  69. {
  70. NRF_TLS_TYPE_STREAM, /**< TCP transport, TLS to be used for the instance. */
  71. NRF_TLS_TYPE_DATAGRAM /**< UDP transport, DTLS to be used for the instance. */
  72. } nrf_transport_type_t;
  73. /**@brief TLS/DTLS roles definition. */
  74. typedef enum
  75. {
  76. NRF_TLS_ROLE_CLIENT, /**< Client role. */
  77. NRF_TLS_ROLE_SERVER /**< Server role. */
  78. } nrf_tls_role_t;
  79. /**@brief TLS Instance identifier*/
  80. typedef struct
  81. {
  82. uint32_t transport_id; /**< Identifies the TCP/UDP transport which is being secured. */
  83. uint32_t instance_id; /**< Identifies the TLS instance. */
  84. } nrf_tls_instance_t;
  85. /**@brief Information needed when using Pre-shared key ciphers. */
  86. typedef struct
  87. {
  88. const uint8_t * p_identity; /**< Client identity. */
  89. const uint8_t * p_secret_key; /**< Secret Preshared Key. */
  90. uint16_t identity_len; /**< Length of the client identity. */
  91. uint16_t secret_key_len; /**< Length of the preshared key. */
  92. } nrf_tls_preshared_key_t;
  93. /**@brief Information provided when using Raw Public key ciphers. */
  94. typedef struct
  95. {
  96. const uint8_t * p_private_key; /**< Private key. */
  97. const uint8_t * p_public_key; /**< Raw public key. */
  98. uint16_t private_key_len; /**< Length of the private key. */
  99. uint16_t public_key_len; /**< Length of the raw public key. */
  100. } nrf_tls_raw_key_t;
  101. /**@brief Certificate to be used when using certificates for key derivation. */
  102. typedef struct
  103. {
  104. const uint8_t * p_private_key; /**< Private key. */
  105. const uint8_t * p_certificate; /**< Own certificate in PEM format. */
  106. uint16_t private_key_len; /**< Length of the private key. */
  107. uint16_t certificate_len; /**< Length of the certificate. */
  108. } nrf_tls_certificate_t;
  109. /**@brief Key settings to be used for TLS instance. */
  110. typedef struct
  111. {
  112. nrf_tls_certificate_t * p_own_certificate; /**< Own certificate to be used for the instance. Can be NULL. */
  113. uint8_t * p_ca_cert_pem; /**< CA certificate in PEM formart. */
  114. uint16_t ca_cert_pem_len; /**< Length of the CA certificate. */
  115. nrf_tls_preshared_key_t * p_psk; /**< Identitiy and shared secret in case pre-shared key is used. Can be NULL. */
  116. nrf_tls_raw_key_t * p_raw_key; /**< Public and private key in case RAW keys are used. This method is not currently supported. */
  117. } nrf_tls_key_settings_t;
  118. /**@brief Transport write function registered for the instance.
  119. *
  120. * @details Function registered with the interface to write on the transport interface.
  121. * The application shall implement the function registered here to ensure handshake
  122. * messages and encrypted data can be written by the interface/TLS library on the
  123. * transport.
  124. *
  125. * @param[in] p_instance Identifies the instance on which transport write is requested.
  126. * Shall not be NULL.
  127. * @param[in] p_data Pointer to data to be written on the instance.
  128. * Shall not be NULL.
  129. * @param[in] datalen Length of data to be written on the transport.
  130. *
  131. * @retval NRF_SUCCESS If the procedure was successful, else an error code indicating reason
  132. * for failure.
  133. */
  134. typedef uint32_t (*nrf_tls_output_t)(nrf_tls_instance_t const * p_instance,
  135. uint8_t const * p_data,
  136. uint32_t datalen);
  137. /**@brief Options when requesting an TLS instance. */
  138. typedef struct
  139. {
  140. nrf_tls_output_t output_fn; /**< Function registered to deliver output of TLS operations on a TLS interface. Shall not be NULL. */
  141. uint8_t transport_type; /**< Indicates type of transport being secured. @ref nrf_transport_type_t for possible transports. */
  142. uint8_t role; /**< Indicates role to be played, server or client. @ref nrf_tls_role_t for possible roles. */
  143. nrf_tls_key_settings_t * p_key_settings; /**< Provide key configurations/certificates here. */
  144. } nrf_tls_options_t;
  145. /**@brief Initialize TLS interface.
  146. *
  147. * @details This function initializes TLS interface. Initialization includes initializing the TLS
  148. * library, RNG driver, and any other dependencies. This API shall be called before using
  149. * any other APIs of the interface.
  150. *
  151. * @retval NRF_SUCCESS If the procedure is successful, else, an error code indicating
  152. * reason for failure. If the procedure fails, the application shall
  153. * not proceed with using other APIs of the interface.
  154. */
  155. uint32_t nrf_tls_init(void);
  156. /**@brief Allocate an TLS/DTLS instance.
  157. *
  158. * @details This function allocates an instance for TLS/DTLS. Options indicate whether DTLS/TLS will
  159. * be used and role is server or client.
  160. *
  161. * @param[inout] p_instance Instance with transport id set by the application to identify the
  162. * transport being secured. If the procedure is successful, the
  163. * instance id is allocated by the interface. The application is
  164. * expected to remember the instance information for all subsequent
  165. * procedures on the transport.
  166. * Shall not be NULL.
  167. * @param[in] p_options Pointer to options that indicate transport type, role, keys etc.
  168. * Output function registered is used write TLS/DTLS data on the
  169. * raw transport (TCP.UDP) for the instance.
  170. * Shall not be NULL.
  171. * @note
  172. *
  173. * @retval NRF_SUCCESS If the procedure is successful, else, an error code indicating
  174. * reason for failure. If the procedure succeeds, the application
  175. * shall use the instance allocated for all subsequent procedures on
  176. * the instance.
  177. */
  178. uint32_t nrf_tls_alloc(nrf_tls_instance_t * p_instance,
  179. nrf_tls_options_t const * p_options);
  180. /**@brief Free the TLS/DTLS instance.
  181. *
  182. * @details This function frees the instance allocated for TLS/DTLS. All sessions, buffered data
  183. * related to instance are freed as well by this API.
  184. *
  185. * @param[in] p_instance Identifies the instance being freed.
  186. * Shall not be NULL.
  187. *
  188. * @retval NRF_SUCCESS If the procedure is successful, else, an error code indicating
  189. * reason for failure. If the procedure succeeds, the application
  190. * shall use the instance allocated for all subsequent procedures on
  191. * the instance.
  192. */
  193. uint32_t nrf_tls_free(nrf_tls_instance_t const * p_instance);
  194. /**@brief Write data on the TLS/DTLS instance.
  195. *
  196. * @details This function writes data on the TLS/DTLS instance. The requested data is encrypted
  197. * and padded based on cipher configuration and selected cipher during handshake.
  198. * If no sessions exists already with the peer, a handshake is initiated automatically
  199. * by the interface, if the role played on the instance is a client role. Requested data to
  200. * be written is buffered until a session is established.
  201. *
  202. * @param[in] p_instance Identifies the instance on which write is requested.
  203. * Shall not be NULL.
  204. * @param[in] p_data Pointer to data to be written on the instance.
  205. * Shall not be NULL.
  206. * @param[inout] p_datalen Pointer to size of data to be written. The actual size written can
  207. * be smaller than requested and is indicated here if the procedure is
  208. * successful. The application shall check for the actual size written
  209. * and make subsequent requests in case the right was partial.
  210. * Shall not be NULL.
  211. *
  212. * @retval NRF_SUCCESS If the procedure is successful, else, an error code indicating
  213. * reason for failure. If the procedure succeeds, the application
  214. * shall check for the actual size written and make subsequent
  215. * requests in case the right was partial.
  216. */
  217. uint32_t nrf_tls_write(nrf_tls_instance_t const * p_instance,
  218. uint8_t const * p_data,
  219. uint32_t * p_datalen);
  220. /**@brief Read data from the TLS/DTLS instance.
  221. *
  222. * @details This function reads data from the TLS/DTLS interface. The read data is
  223. * decrypted based on cipher configuration and selected cipher during handshake.
  224. * If no data is available on the instance, the API indicates so with an error code.
  225. * It is possible to request size of data that can be read by passing a NULL parameter on
  226. * the data.
  227. *
  228. * @param[in] p_instance Identifies the instance on which read is requested.
  229. * Shall not be NULL.
  230. * @param[in] p_data Pointer to data where read data is to be copied.
  231. * Can be NULL. In case, this parameter is NULL, size of bytes that
  232. * are available to read is returned in the p_datalen parameter.
  233. * @param[inout] p_datalen Pointer to size of data to be read. The application shall ensure that
  234. * the memory pointed to by p_data parameter is the size indicated.
  235. * The actual size read can be smaller than requested and is indicated
  236. * here if the procedure is successful. The application should check for
  237. * the actual size read.
  238. * Shall not be NULL.
  239. *
  240. * @retval NRF_SUCCESS If the procedure is successful, else, an error code indicating
  241. * reason for failure. If the procedure succeeds, the application
  242. * should check for the actual size read.
  243. */
  244. uint32_t nrf_tls_read(nrf_tls_instance_t const * p_instance,
  245. uint8_t * p_data,
  246. uint32_t * p_datalen);
  247. /**@brief Function to input data read on the transport to the TLS library.
  248. *
  249. * @details Function to input data read on the transport to TLS library for further processing.
  250. * Further processing could include advancing the handshake or decrypting the received
  251. * data based on the state of TLS session.
  252. *
  253. * @param[in] p_instance Identifies the instance on which transport write is requested.
  254. * Shall not be NULL.
  255. * @param[in] p_data Pointer to data to be processed on the instance.
  256. * Shall not be NULL.
  257. * @param[in] datalen Length of data to be written on the transport.
  258. *
  259. * @retval NRF_SUCCESS If the procedure was successful, else an error code indicating reason
  260. * for failure.
  261. */
  262. uint32_t nrf_tls_input(nrf_tls_instance_t const * p_instance,
  263. uint8_t const * p_data,
  264. uint32_t datalen);
  265. /**@brief Function to continue TLS/DTLS operation after a busy state on transport.
  266. *
  267. * @details The transport writes requested by the TLS interface may return failure if transport
  268. * data flow was off. In order to resume and retry the operations, this function shall be
  269. * called periodically. This function shall be called in order to ensure TLS interface
  270. * and the library behaves as expected.
  271. */
  272. void nrf_tls_process(void);
  273. #ifdef __cplusplus
  274. }
  275. #endif
  276. #endif // NRF_TLS_H__
  277. /** @} */