1
0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-15 17:12:45 +01:00
RIOT/examples/dtls-sock/README.md
2021-04-01 09:47:39 +02:00

2.8 KiB

DTLS sock example

This example shows how to use DTLS sock sock_dtls_t.

Testing using RIOT native

For testing, we can use two RIOT native RIOT instances. For that first we need to prepare the network interfaces:

$ ./../../dist/tools/tapsetup/tapsetup --create 2

For the server instance:

$ PORT=tap0 make all term
[...]
> dtlss start
ifconfig

For the client:

$ PORT=tap1 make all term
[...]
> dtlsc <server ip address> "DATA to send"

Debug logs

To enable debug logs uncomment CFLAGS += -DCONFIG_DTLS_DEBUG in the Makefile. Tinydtls supports setting the log level. See Makefile for more info.

Configs and constraints

DTLS sock acts as a wrapper for the underlying DTLS stack and as such, the constraints that applies specifically to the stack are also applied here. For tinydtls, please refer to dtls-echo README.

Cipher suite

You can select between TLS_PSK_WITH_AES_128_CCM_8 (Pre-Shared Key) and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (Raw Public Key - ECC) either by setting the correspondent options in make menuconfig or via CFLAGS. See the Makefile for more information.

Credentials

Pre-Shared Key

When using Pre-Shared Key (PSK), the client registers two keys to credman and makes them available to the sock. The client registers a PSK callback function, which allows the application to specify which credential to use with a particular sock and endpoint. In this application the client will print the server's endpoint and the sent hint, if any. As per the sock DTLS documentation, if the application callback fails to determine which credential should be used, an Identity Hint (https://tools.ietf.org/html/rfc4279#section-5.2) match is attempted. credential1 is assigned an Identity Hint, defined as PSK_DEFAULT_HINT in tinydtls_keys.h. This hint is used by sock to select the credential, in case the DTLS server sends such a hint. Finally, if none of the above attempts succeed in determining which credential to use, sock DTLS will pick the first valid credential registered in the sock.

The behaviour above can be tested, for example, by removing the hint from the server (sock_dtls_set_server_psk_id_hint). As credential0 is the first registered credential in the client, it will be chosen. As the server does not have this credential, the handshake will fail.

ECC

When using ECC Raw Public Key (RPK), the server registers two keys to credman and makes them available to the sock. It also registers an RPK callback function, which allows the application to specify which credential to use with a particular sock and endpoint (the client could as well do so). In the particular case of this example the callback always returns the credential with tag SOCK_DTLS_SERVER_TAG_1.