fixup! examples/dtls-sock: cleanup credentials

RIOT-OS · Feb 1, 2024 · 01b6e77 · 01b6e77
1 parent a89e58d
commit 01b6e77
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 41 deletions.
diff --git a/examples/dtls-sock/README.md b/examples/dtls-sock/README.md
@@ -52,25 +52,25 @@ for more information.
 When using Pre-Shared Key (PSK), the client registers two keys to `credman` and
 makes them available to the sock. The client registers a PSK callback function,
 which allows the application to specify which credential to use with a
-particular sock and endpoint. In this application the client will print the
-server's endpoint and the sent hint, if any. As per the sock DTLS documentation,
-if the application callback fails to determine which credential should be used,
-an Identity Hint (https://tools.ietf.org/html/rfc4279#section-5.2) match is
-attempted. `credential1` is assigned an Identity Hint, defined as
-`PSK_DEFAULT_HINT` in `tinydtls_keys.h`. This hint is used by sock to select the
-credential, in case the DTLS server sends such a hint. Finally, if none of the
-above attempts succeed in determining which credential to use, sock DTLS will
-pick the first valid credential registered in the sock.
+particular sock and endpoint, depending on the hint sent by the server. As per
+the sock DTLS documentation, if the application callback fails to determine
+which credential should be used, an Identity Hint
+(https://tools.ietf.org/html/rfc4279#section-5.2) match is attempted.
+`credential1` is assigned an Identity Hint, defined as `PSK_DEFAULT_HINT` in
+`tinydtls_keys.h`. This hint is used by sock to select the credential, in case
+the DTLS server sends such a hint. Finally, if none of the above attempts
+succeed in determining which credential to use, sock DTLS will pick the first
+valid credential registered in the sock.
 
 The behaviour above can be tested, for example, by removing the hint from the
-server (`sock_dtls_set_server_psk_id_hint`). As `credential0` is the first
+server (`sock_dtls_set_server_psk_id_hint`). As `psk_credential_0` is the first
 registered credential in the client, it will be chosen. As the server does not
 have this credential, the handshake will fail.
 
 ### ECC
-When using ECC Raw Public Key (RPK), the server registers two keys to `credman`
-and makes them available to the sock. It also registers an RPK callback
-function, which allows the application to specify which credential to use with a
-particular sock and endpoint (the client could as well do so). In the particular
-case of this example the callback always returns the credential with tag
-`SOCK_DTLS_SERVER_TAG_1`.
+When using ECC Raw Public Key (RPK), the server registers two private keys to
+`credman` and makes them available to the sock. It also registers an RPK
+callback function, which allows the application to specify which credential to
+use. The used credential can be changed at runtime by calling `dtlss ecc <0|1>`.
+As the client also knows both public keys from the server, both options will
+work.
diff --git a/examples/dtls-sock/dtls-server.c b/examples/dtls-sock/dtls-server.c
@@ -47,14 +47,15 @@ char _dtls_server_stack[THREAD_STACKSIZE_MAIN + THREAD_EXTRA_STACKSIZE_PRINTF];
 
 static kernel_pid_t _dtls_server_pid = KERNEL_PID_UNDEF;
 
+static unsigned int _ecc_credential = 0;
+
 /*
  * Each credman_credential_t acts as a sort of keyring, containing a single
  * private / public key pair and a list of public keys of clients that are
  * known.
 */
 static const ecdsa_public_key_t known_client_pub_keys[] = {
-    { .x = known_client_public_key_0_x, .y = known_client_public_key_0_y },
-    { .x = known_client_public_key_1_x, .y = known_client_public_key_1_y },
+    { .x = known_client_public_key_0_x, .y = known_client_public_key_0_y }
 };
 
 static const credman_credential_t ecc_credential_0 = {
@@ -103,7 +104,12 @@ static credman_tag_t _rpk_cb(sock_dtls_t *sock, sock_udp_ep_t *ep, credman_tag_t
     sock_udp_ep_fmt(ep, addrstr, &port);
     printf("From [%s]:%d\n", addrstr, port);
 
-    return SOCK_DTLS_SERVER_TAG_1;
+    if (!_ecc_credential) {
+        return SOCK_DTLS_SERVER_TAG_0;
+    }
+    else {
+        return SOCK_DTLS_SERVER_TAG_1;
+    }
 }
 
 /*
@@ -267,12 +273,23 @@ static void stop_server(void)
     puts("Success: DTLS server stopped");
 }
 
+void _print_usage(const char *cmd)
+{
+    if (IS_ACTIVE(CONFIG_DTLS_ECC)) {
+        printf("usage: %s start | stop | ecc <0|1>\n", cmd);
+    }
+    else {
+        printf("usage: %s start | stop\n", cmd);
+    }
+}
+
 int dtls_server_cmd(int argc, char **argv)
 {
     if (argc < 2) {
-        printf("usage: %s start | stop\n", argv[0]);
+        _print_usage(argv[0]);
         return 1;
     }
+
     if (strcmp(argv[1], "start") == 0) {
         if (!_server_credentials_configured) {
             int res = _configure_server_credentials();
@@ -286,8 +303,25 @@ int dtls_server_cmd(int argc, char **argv)
     else if (strcmp(argv[1], "stop") == 0) {
         stop_server();
     }
+    else if (IS_ACTIVE(CONFIG_DTLS_ECC) && strcmp(argv[1], "ecc") == 0) {
+        /* if using ECC, allow choosing which key to use on handshakes at runtime */
+        if (argc < 3) {
+            _print_usage(argv[0]);
+            return 1;
+        }
+
+        int value = atoi(argv[2]);
+        if (value != 0 && value != 1) {
+            printf("Error: invalid value, should be 0 or 1, got %" PRIiSIZE "\n", value);
+            return 1;
+        }
+        else {
+            _ecc_credential = value;
+        }
+    }
     else {
-        printf("Error: invalid command. Usage: %s start | stop\n", argv[0]);
+        printf("Error: invalid command.");
+        _print_usage(argv[0]);
         return 1;
     }
     return 0;

diff --git a/examples/dtls-sock/dtls_server_credentials.h b/examples/dtls-sock/dtls_server_credentials.h
@@ -129,26 +129,6 @@ static const unsigned char known_client_public_key_0_y[] = {
     0x4F, 0xAB, 0xC3, 0x6F, 0xC7, 0x72, 0xF8, 0x29
 };
 
-/**
- * @brief The x coordinate of the public part of the key 1 of a known client.
- */
-static const unsigned char known_client_public_key_1_x[] = {
-    0xb7, 0x4e, 0xa0, 0x62, 0x96, 0xc5, 0xb9, 0x09,
-    0xad, 0x36, 0x10, 0xab, 0xb1, 0xd8, 0x54, 0x69,
-    0xef, 0x2b, 0x15, 0x5a, 0xb5, 0x28, 0x21, 0x21,
-    0x9f, 0xa3, 0x9e, 0x6a, 0x02, 0xce, 0xb8, 0xb9
-};
-
-/**
- * @brief The y coordinate of the public part of the key 1 of a known client.
- */
-static const unsigned char known_client_public_key_1_y[] = {
-    0xcc, 0x0e, 0x88, 0x88, 0x91, 0x80, 0x7a, 0xdd,
-    0xf7, 0x4e, 0x2e, 0xe6, 0x6e, 0xd4, 0x22, 0xde,
-    0xbc, 0x68, 0xcd, 0x8f, 0xd9, 0x5a, 0xa0, 0xcd,
-    0x5f, 0x4a, 0x1a, 0xb7, 0x2f, 0x95, 0xfc, 0x76
-};
-
 #ifdef __cplusplus
 }
 #endif