Merge branch 'v1.6_develop_tls_cipher_suite_444' into v1.6_develop

1 year ago · f80e81abc6
parent 2866a52c88 9f93d7d035
commit f80e81abc6
4 changed files with 487 additions and 72 deletions
--- a/hal/inc/tls_ciphers.h
+++ b/hal/inc/tls_ciphers.h
@ -0,0 +1,262 @@
 #ifndef IANA_TLS_CIPHER_SUITES_H_
 #define IANA_TLS_CIPHER_SUITES_H_
 #ifdef __cplusplus
 extern "C" {
 #endif
 #define TLS_NULL_WITH_NULL_NULL 0x0000
 #define TLS_RSA_WITH_NULL_MD5 0x0001
 #define TLS_RSA_WITH_NULL_SHA 0x0002
 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
 #define TLS_RSA_WITH_RC4_128_MD5 0x0004
 #define TLS_RSA_WITH_RC4_128_SHA 0x0005
 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006
 #define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007
 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008
 #define TLS_RSA_WITH_DES_CBC_SHA 0x0009
 #define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
 #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B
 #define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C
 #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D
 #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E
 #define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F
 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011
 #define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012
 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014
 #define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015
 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017
 #define TLS_DH_anon_WITH_RC4_128_MD5 0x0018
 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019
 #define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A
 #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
 #define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
 #define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
 #define TLS_RSA_WITH_NULL_SHA256 0x003B
 #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
 #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E
 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F
 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
 #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043
 #define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044
 #define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045
 #define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046
 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068
 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069
 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
 #define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C
 #define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D
 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085
 #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086
 #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087
 #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088
 #define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089
 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
 #define TLS_DH_DSS_WITH_SEED_CBC_SHA 0x0097
 #define TLS_DH_RSA_WITH_SEED_CBC_SHA 0x0098
 #define TLS_DHE_DSS_WITH_SEED_CBC_SHA 0x0099
 #define TLS_DHE_RSA_WITH_SEED_CBC_SHA 0x009A
 #define TLS_DH_anon_WITH_SEED_CBC_SHA 0x009B
 #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
 #define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
 #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
 #define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
 #define TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0
 #define TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1
 #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
 #define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
 #define TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4
 #define TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5
 #define TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
 #define TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
 #define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C
 #define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D
 #define TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x008E
 #define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x008F
 #define TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x0090
 #define TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x0091
 #define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE
 #define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF
 #define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0x00B0
 #define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0x00B1
 #define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 0x00B2
 #define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 0x00B3
 #define TLS_PSK_WITH_NULL_SHA 0x002C
 #define TLS_DHE_PSK_WITH_NULL_SHA 0x002D
 #define TLS_RSA_PSK_WITH_NULL_SHA 0x002E
 #define TLS_PSK_WITH_NULL_SHA256 0x00B4
 #define TLS_PSK_WITH_NULL_SHA384 0x00B5
 #define TLS_DHE_PSK_WITH_NULL_SHA256 0x00B6
 #define TLS_DHE_PSK_WITH_NULL_SHA384 0x00B7
 #define TLS_RSA_PSK_WITH_NULL_SHA256 0x00B8
 #define TLS_RSA_PSK_WITH_NULL_SHA384 0x00B9
 #define TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001
 #define TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002
 #define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
 #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
 #define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
 #define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006
 #define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007
 #define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
 #define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
 #define TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B
 #define TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C
 #define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
 #define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
 #define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
 #define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010
 #define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011
 #define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
 #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
 #define TLS_ECDH_anon_WITH_NULL_SHA 0xC015
 #define TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016
 #define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017
 #define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
 #define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
 #define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
 #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
 #define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
 #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
 #define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
 #define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
 #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
 #define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
 #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
 #define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
 #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
 #define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
 #define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
 #define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
 #define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
 #define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038
 #define TLS_ECDHE_PSK_WITH_NULL_SHA 0xC039
 #define TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A
 #define TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B
 #define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072
 #define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073
 #define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074
 #define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC075
 #define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076
 #define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077
 #define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078
 #define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079
 #define TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C
 #define TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D
 #define TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 0xC03E
 #define TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 0xC03F
 #define TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 0xC040
 #define TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 0xC041
 #define TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 0xC042
 #define TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043
 #define TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044
 #define TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045
 #define TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 0xC046
 #define TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 0xC047
 #define TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048
 #define TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049
 #define TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A
 #define TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B
 #define TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C
 #define TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D
 #define TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E
 #define TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F
 #define TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050
 #define TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051
 #define TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052
 #define TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053
 #define TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 0xC054
 #define TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 0xC055
 #define TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 0xC056
 #define TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057
 #define TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058
 #define TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059
 #define TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 0xC05A
 #define TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 0xC05B
 #define TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C
 #define TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D
 #define TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E
 #define TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F
 #define TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060
 #define TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061
 #define TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062
 #define TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063
 #define TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064
 #define TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065
 #define TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066
 #define TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067
 #define TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068
 #define TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069
 #define TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A
 #define TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B
 #define TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C
 #define TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D
 #define TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E
 #define TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F
 #define TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070
 #define TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071
 #define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC076
 #define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC077
 #define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC078
 #define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC079
 #define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07A
 #define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07B
 #define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07C
 #define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07D
 #define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC07E
 #define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC07F
 #define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC080
 #define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC081
 #define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC082
 #define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC083
 #define TLS_ECDHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC084
 #define TLS_ECDHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC085
 #define TLS_RSA_WITH_AES_128_CCM 0xC09C
 #define TLS_RSA_WITH_AES_256_CCM 0xC09D
 #define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E
 #define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F
 #define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
 #define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
 #define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2
 #define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3
 #define TLS_PSK_WITH_AES_128_CCM 0xC0A4
 #define TLS_PSK_WITH_AES_256_CCM 0xC0A5
 #define TLS_DHE_PSK_WITH_AES_128_CCM 0xC0A6
 #define TLS_DHE_PSK_WITH_AES_256_CCM 0xC0A7
 #define TLS_PSK_WITH_AES_128_CCM_8 0xC0A8
 #define TLS_PSK_WITH_AES_256_CCM_8 0xC0A9
 #define TLS_PSK_DHE_WITH_AES_128_CCM_8 0xC0AA
 #define TLS_PSK_DHE_WITH_AES_256_CCM_8 0xC0AB
 #define TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
 // ... add more cipher suite codes here ...
 #ifdef __cplusplus
 }
 #endif
 #endif /* IANA_TLS_CIPHER_SUITES_H_ */
--- a/hal/inc/tls_config.h
+++ b/hal/inc/tls_config.h
@ -3,7 +3,7 @@
 *
 * TLS Configuration API for protocol stacks using TCP/IP
 *
- * Copyright 2017-2022 Michael Zillgith
+ * Copyright 2017-2024 Michael Zillgith
 *
 * Abstraction layer for configuration of different TLS implementations
 *
@ -17,6 +17,7 @@ extern "C" {
 #endif
 #include "hal_base.h"
 #include "tls_ciphers.h"
 /**
 * \file tls_config.h
@ -90,6 +91,7 @@ typedef enum {
 #define TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED 13
 #define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 14
 #define TLS_EVENT_CODE_ALM_NO_CIPHER 15
 #define TLS_EVENT_CODE_INF_SESSION_ESTABLISHED 16
 typedef struct sTLSConnection* TLSConnection;
@ -303,6 +305,23 @@ TLSConfiguration_addCRLFromFile(TLSConfiguration self, const char* filename);
 PAL_API void
 TLSConfiguration_resetCRL(TLSConfiguration self);
 /**
 * \brief Add an allowed ciphersuite to the list of allowed ciphersuites
 *
 * \param self the TLS configuration instance
 * \param ciphersuite the ciphersuite to add (IANA cipher suite ID)
 */
 PAL_API void
 TLSConfiguration_addCipherSuite(TLSConfiguration self, int ciphersuite);
 /**
 * \brief Clear the list of allowed ciphersuites
 *
 * \param self the TLS configuration instance
 */
 PAL_API void
 TLSConfiguration_clearCipherSuiteList(TLSConfiguration self);
 /**
 * Release all resource allocated by the TLSConfiguration instance
 *
--- a/hal/tls/mbedtls/mbedtls_config.h
+++ b/hal/tls/mbedtls/mbedtls_config.h
@ -17,6 +17,8 @@
 #define MBEDTLS_SSL_PROTO_TLS1_1
 #define MBEDTLS_SSL_PROTO_TLS1
 #define MBEDTLS_SSL_RENEGOTIATION
 #define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
 #define MBEDTLS_CIPHER_NULL_CIPHER
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
--- a/hal/tls/mbedtls/tls_mbedtls.c
+++ b/hal/tls/mbedtls/tls_mbedtls.c
@ -3,7 +3,7 @@
 *
 * TLS API for TCP/IP protocol stacks
 *
- * Copyright 2017-2022 Michael Zillgith
+ * Copyright 2017-2024 Michael Zillgith
 *
 * Implementation of the TLS abstraction layer for mbedtls
 *
@ -20,7 +20,6 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/certs.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/net_sockets.h"
@ -86,6 +85,9 @@ struct sTLSConfiguration {
    bool useSessionResumption;
    int sessionResumptionInterval; /* session resumption interval in seconds */
    int* ciphersuites;
    int maxCiphersuites;
 };
 struct sTLSSocket {
@ -115,9 +117,10 @@ raiseSecurityEvent(TLSConfiguration config, TLSEventLevel eventCategory, int eve
 static bool
 compareCertificates(mbedtls_x509_crt *crt1, mbedtls_x509_crt *crt2)
 {
-    if (crt1 != NULL && crt2 != NULL) {
+    if (crt1 != NULL && crt2 != NULL)
-
+    {
-        if (crt1->sig.len == crt2->sig.len) {
+        if (crt1->sig.len == crt2->sig.len)
        {
            if (memcmp(crt1->sig.p, crt2->sig.p, crt1->sig.len) == 0)
                return true;
        }
@ -142,28 +145,32 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
    DEBUG_PRINT("TLS", "%s\n", buffer);
-    if (self->tlsConfig->chainValidation == false) {
+    if (self->tlsConfig->chainValidation == false)
    {
        if (certificate_depth != 0)
            *flags = 0;
    }
-    if (certificate_depth == 0) {
+    if (certificate_depth == 0)
-        if (self->tlsConfig->allowOnlyKnownCertificates) {
+    {
-
+        if (self->tlsConfig->allowOnlyKnownCertificates)
        {
            DEBUG_PRINT("TLS", "Check against list of allowed certs\n");
            bool certMatches = false;
            LinkedList certList = LinkedList_getNext(self->tlsConfig->allowedCertificates);
-            while (certList) {
+            while (certList)
            {
                mbedtls_x509_crt* allowedCert = (mbedtls_x509_crt*) LinkedList_getData(certList);
                DEBUG_PRINT("TLS", "Compare With:\n");
                mbedtls_x509_crt_info(buffer, 1023, "     ", allowedCert);
                DEBUG_PRINT("TLS", "%s\n", buffer);
-                if (compareCertificates(allowedCert, crt)) {
+                if (compareCertificates(allowedCert, crt))
                {
                    certMatches = true;
                    break;
                }
@ -173,7 +180,8 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            if (certMatches)
                *flags = 0;
-            else {
+            else
            {
                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self);
                *flags |= MBEDTLS_X509_BADCERT_OTHER;
@ -181,20 +189,19 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            }
        }
-        if (self->storePeerCert) {
+        if (self->storePeerCert)
-
+        {
-            if (*flags == 0) {
+            if (*flags == 0)
-
+            {
                self->peerCertLength = 0;
                self->peerCert = (uint8_t*) GLOBAL_MALLOC(crt->raw.len);
-                if (self->peerCert) {
+                if (self->peerCert)
                {
                    self->peerCertLength = (int)crt->raw.len;
                    memcpy(self->peerCert, crt->raw.p, self->peerCertLength);
                }
            }
        }
    }
@ -207,10 +214,12 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
 static bool
 TLSConfiguration_setupComplete(TLSConfiguration self)
 {
-    if (self->setupComplete == false) {
+    if (self->setupComplete == false)
    {
        mbedtls_ssl_conf_ca_chain( &(self->conf), &(self->cacerts), &(self->crl) );
-        if (self->ownCertificate.version > 0) {
+        if (self->ownCertificate.version > 0)
        {
            int ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(self->ownCertificate), &(self->ownKey));
            if (ret != 0) {
@ -219,11 +228,13 @@ TLSConfiguration_setupComplete(TLSConfiguration self)
            }
        }
-        if (self->useSessionResumption) {
+        if (self->useSessionResumption)
        {
            if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) {
            }
-            else {
+            else
            {
                mbedtls_ssl_cache_init( &(self->cache) );
                self->cache.timeout = self->sessionResumptionInterval;
@ -234,18 +245,71 @@ TLSConfiguration_setupComplete(TLSConfiguration self)
            }
        }
        mbedtls_ssl_conf_ciphersuites(&(self->conf), self->ciphersuites);
        self->setupComplete = true;
    }
    return true;
 }
 void
 TLSConfiguration_addCipherSuite(TLSConfiguration self, int ciphersuite)
 {
    /* search last index */
    int nextIndex = 0;
    int i;
    for (i = 0; i < self->maxCiphersuites; i++)
    {
        if (self->ciphersuites[i] == 0)
        {
            nextIndex = i;
            break;
        }
    }
    if (nextIndex == self->maxCiphersuites)
    {
        /* reallocate space for ciphersuites list */
        int newMaxCiphersuites = self->maxCiphersuites + 10;
        int* newCiphersuites = (int*)GLOBAL_CALLOC(newMaxCiphersuites, sizeof(int));
        if (newCiphersuites)
        {
            for (i = 0; i < self->maxCiphersuites; i++)
            {
                newCiphersuites[i] = self->ciphersuites[i];
            }
            GLOBAL_FREEMEM(self->ciphersuites);
            self->ciphersuites = newCiphersuites;
            self->maxCiphersuites = newMaxCiphersuites;
            TLSConfiguration_addCipherSuite(self, ciphersuite);
        }
    }
    else
    {
        self->ciphersuites[nextIndex] = ciphersuite;
        self->ciphersuites[nextIndex + 1] = 0;
    }
 }
 void
 TLSConfiguration_clearCipherSuiteList(TLSConfiguration self)
 {
    self->ciphersuites[0] = 0;
 }
 TLSConfiguration
 TLSConfiguration_create()
 {
    TLSConfiguration self = (TLSConfiguration) GLOBAL_CALLOC(1, sizeof(struct sTLSConfiguration));
-    if (self != NULL) {
+    if (self != NULL)
    {
        mbedtls_ssl_config_init( &(self->conf) );
        mbedtls_x509_crt_init( &(self->ownCertificate) );
        mbedtls_x509_crt_init( &(self->cacerts) );
@ -267,10 +331,7 @@ TLSConfiguration_create()
        mbedtls_ssl_conf_renegotiation(&(self->conf), MBEDTLS_SSL_RENEGOTIATION_ENABLED);
-        /* static int hashes[] = {3,4,5,6,7,8,0}; */
+        self->minVersion = TLS_VERSION_TLS_1_2;
        /* mbedtls_ssl_conf_sig_hashes(&(self->conf), hashes); */
        self->minVersion = TLS_VERSION_TLS_1_0;
        self->maxVersion = TLS_VERSION_NOT_SELECTED;
        self->renegotiationTimeInMs = -1; /* no automatic renegotiation */
@ -289,6 +350,31 @@ TLSConfiguration_create()
        self->sessionResumptionInterval = 21600; /* default value: 6h */
        self->savedSession = NULL;
        self->savedSessionTime = 0;
        self->ciphersuites = (int*)GLOBAL_CALLOC(20, sizeof(int));
        if (self->ciphersuites)
        {
            self->maxCiphersuites = 20;
            /* mandatory cipher suites by IEC 62351-4:2018 */
            self->ciphersuites[0] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256;
            /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */
            self->ciphersuites[1] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
            self->ciphersuites[2] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
            /* recommended cipher suites by IEC 62351-4:2018 */
            /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/
            /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/
            self->ciphersuites[3] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
            self->ciphersuites[4] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
            self->ciphersuites[5] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
            /* additional ciphersuites */
            self->ciphersuites[6] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256;
            self->ciphersuites[7] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
        }
    }
    return self;
@ -394,11 +480,13 @@ TLSConfiguration_addAllowedCertificate(TLSConfiguration self, uint8_t* certifica
    int ret = mbedtls_x509_crt_parse(cert, certificate, certLen);
-    if (ret == 0) {
+    if (ret == 0)
    {
        LinkedList_add(self->allowedCertificates, cert);
        return true;
    }
-    else {
+    else
    {
        GLOBAL_FREEMEM(cert);
        return false;
    }
@ -411,11 +499,13 @@ TLSConfiguration_addAllowedCertificateFromFile(TLSConfiguration self, const char
    int ret = mbedtls_x509_crt_parse_file(cert, filename);
-    if (ret == 0) {
+    if (ret == 0)
    {
        LinkedList_add(self->allowedCertificates, cert);
        return true;
    }
-    else {
+    else
    {
        GLOBAL_FREEMEM(cert);
        return false;
    }
@ -426,7 +516,8 @@ TLSConfiguration_addCACertificate(TLSConfiguration self, uint8_t* certificate, i
 {
    int ret =  mbedtls_x509_crt_parse(&(self->cacerts), certificate, certLen);
-    if (ret != 0) {
+    if (ret != 0)
    {
        DEBUG_PRINT("TLS", "mbedtls_x509_crt_parse returned -0x%x\n", -ret);
        return false;
    }
@ -458,7 +549,8 @@ udpatedCRL(TLSConfiguration self)
    {
        mbedtls_ssl_cache_entry *cur = self->cache.chain;
-        while (cur) {
+        while (cur)
        {
            cur->timestamp = 0;
            cur = cur->next;
        }
@ -512,14 +604,18 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs)
 void
 TLSConfiguration_destroy(TLSConfiguration self)
 {
-    if (self->useSessionResumption) {
+    if (self->useSessionResumption)
-        if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) {
+    {
-            if (self->savedSession) {
+        if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT)
        {
            if (self->savedSession)
            {
                mbedtls_ssl_session_free(self->savedSession);
                GLOBAL_FREEMEM(self->savedSession);
            }
        }
-        else {
+        else
        {
            mbedtls_ssl_cache_free(&(self->cache));
        }
    }
@ -532,7 +628,8 @@ TLSConfiguration_destroy(TLSConfiguration self)
    LinkedList certElem = LinkedList_getNext(self->allowedCertificates);
-    while (certElem) {
+    while (certElem)
    {
        mbedtls_x509_crt* cert = (mbedtls_x509_crt*) LinkedList_getData(certElem);
        mbedtls_x509_crt_free(cert);
@ -621,7 +718,8 @@ readFunction(void* ctx, unsigned char* buf, size_t len)
 {
    int ret = Socket_read((Socket) ctx, buf, (int)len);
-    if ((ret == 0) && (len > 0)) {
+    if ((ret == 0) && (len > 0))
    {
        return MBEDTLS_ERR_SSL_WANT_READ;
    }
@ -631,7 +729,14 @@ readFunction(void* ctx, unsigned char* buf, size_t len)
 static int
 writeFunction(void* ctx, unsigned char* buf, size_t len)
 {
-    return Socket_write((Socket)ctx, buf, (int)len);
+    int ret = Socket_write((Socket)ctx, buf, (int)len);
    if ((ret == 0) && (len > 0))
    {
        return MBEDTLS_ERR_SSL_WANT_WRITE;
    }
    return ret;
 }
 static TLSConfigVersion
@ -640,7 +745,8 @@ getTLSVersion(int majorVersion, int minorVersion)
    if (majorVersion != 3) {
        return TLS_VERSION_NOT_SELECTED;
    }
-    else {
+    else
    {
        switch (minorVersion) {
        case 0:
            return TLS_VERSION_SSL_3_0;
@ -721,7 +827,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
        self->crlUpdated = configuration->crlUpdated;
-        if (configuration->minVersion != TLS_VERSION_NOT_SELECTED) {
+        if (configuration->minVersion != TLS_VERSION_NOT_SELECTED)
        {
            /* set minimum TLS version */
            int majorVer = getMajorVersion(configuration->minVersion);
@ -730,7 +837,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
            mbedtls_ssl_conf_min_version( &(self->conf), majorVer, minorVer);
        }
-        if (configuration->maxVersion != TLS_VERSION_NOT_SELECTED) {
+        if (configuration->maxVersion != TLS_VERSION_NOT_SELECTED)
        {
            /* set maximum TLS version */
            int majorVer = getMajorVersion(configuration->maxVersion);
@ -739,7 +847,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
            mbedtls_ssl_conf_max_version( &(self->conf), majorVer, minorVer);
        }
-        if (configuration->ownCertificate.version > 0) {
+        if (configuration->ownCertificate.version > 0)
        {
            ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(configuration->ownCertificate), &(configuration->ownKey));
            if (ret != 0)
@ -754,30 +863,31 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
        mbedtls_ssl_set_bio(&(self->ssl), socket, (mbedtls_ssl_send_t*) writeFunction,
                (mbedtls_ssl_recv_t*) readFunction, NULL);
-        bool reuseSession = false;
+        if (configuration->useSessionResumption)
-
+        {
-        if (configuration->useSessionResumption) {
+            if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT)
-            if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) {
+            {
-                if (configuration->savedSession && configuration->savedSessionTime > 0) {
+                if (configuration->savedSession && configuration->savedSessionTime > 0)
-
+                {
-                    if (Hal_getTimeInMs() < (configuration->savedSessionTime + configuration->sessionResumptionInterval * 1000)) {
+                    if (Hal_getTimeInMs() < (configuration->savedSessionTime + configuration->sessionResumptionInterval * 1000))
-
+                    {
                        ret = mbedtls_ssl_set_session(&(self->ssl), configuration->savedSession);
-                        if (ret != 0) {
+                        if (ret != 0)
                        {
                            DEBUG_PRINT("TLS", "mbedtls_ssl_set_session returned %d\n", ret);
                            configuration->savedSessionTime = 0;
                        }
-                        else {
+                        else
                        {
                            DEBUG_PRINT("TLS", "resume TLS session\n");
                            reuseSession = true;
                        }
                    }
-                    else {
+                    else
                    {
                        configuration->savedSessionTime = 0;
                        DEBUG_PRINT("TLS", "cached session expired\n");
                    }
                }
            }
        }
@ -804,22 +914,27 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
            }
        }
-        if (configuration->useSessionResumption) {
+        if (configuration->useSessionResumption)
-            if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) {
+        {
-
+            if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT)
-                if (configuration->savedSession == NULL) {
+            {
                if (configuration->savedSession == NULL)
                {
                    configuration->savedSession = (mbedtls_ssl_session*)GLOBAL_CALLOC(1, sizeof(mbedtls_ssl_session));
                }
-                if (configuration->savedSession) {
+                if (configuration->savedSession)
-
+                {
-                    if (configuration->savedSessionTime == 0) {
+                    if (configuration->savedSessionTime == 0)
                    {
                        ret = mbedtls_ssl_get_session(&(self->ssl), configuration->savedSession);
-                        if (ret != 0) {
+                        if (ret != 0)
                        {
                            DEBUG_PRINT("TLS", "mbedtls_ssl_get_session returned %d\n", ret);
                        }
-                        else {
+                        else
                        {
                            configuration->savedSessionTime = Hal_getTimeInMs();
                        }
                    }
@ -833,6 +948,16 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
            raiseSecurityEvent(configuration, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION,  "Warning: Insecure TLS version", self);
        }
        /* create event that TLS session is established */
        {
            char msg[256];
            const char* cipherSuite = mbedtls_ssl_get_ciphersuite(&(self->ssl));
            snprintf(msg, 255, "Info: Session established with cipher suite %s", cipherSuite);
            raiseSecurityEvent(configuration, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_ESTABLISHED, msg, self);
        }
    }
    return self;
@ -853,17 +978,18 @@ TLSSocket_performHandshake(TLSSocket self)
    int ret = mbedtls_ssl_renegotiate(&(self->ssl));
    if (ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
-        ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS || ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
+        ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS || ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS)
    {
        if (getTLSVersion(self->ssl.major_ver, self->ssl.minor_ver) < TLS_VERSION_TLS_1_2) {
            raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION, "Warning: Insecure TLS version", self);
        }
        DEBUG_PRINT("TLS", "TLSSocket_performHandshake Success -> ret=%i\n", ret);
        raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "TLS session renegotiation completed", self);
        return true;
    }
-    else {
+    else
    {
        DEBUG_PRINT("TLS", "TLSSocket_performHandshake failed -> ret=%i\n", ret);
        raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Alarm: TLS session renegotiation failed", self);
@ -904,10 +1030,17 @@ startRenegotiationIfRequired(TLSSocket self)
    if (Hal_getTimeInMs() <= self->lastRenegotiationTime + self->tlsConfig->renegotiationTimeInMs)
        return true;
    raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Info: session renegotiation started", self);
    if (TLSSocket_performHandshake(self) == false)
    {
        DEBUG_PRINT("TLS", " renegotiation failed\n");
        return false;
    }
    DEBUG_PRINT("TLS", " started renegotiation\n");
    self->lastRenegotiationTime = Hal_getTimeInMs();
    return true;
 }
@ -1024,7 +1157,6 @@ TLSSocket_close(TLSSocket self)
    if (self->peerCert)
        GLOBAL_FREEMEM(self->peerCert);
    GLOBAL_FREEMEM(self);
 }