PSK and DTLS support #202
PSK and DTLS support #202
Conversation
mbedtls/src/ssl/context.rs
Outdated
|
|
||
| #[cfg(feature = "std")] | ||
| impl ConnectedUdpSocket { | ||
| pub fn connect<A: std::net::ToSocketAddrs>(socket: std::net::UdpSocket, addr: A) -> std::result::Result<Self, (std::io::Error, std::net::UdpSocket)> { |
There was a problem hiding this comment.
Nit:
We already use core::result::Result as StdResult in this file, and since here we have std in this block let's keep with StdResult.
Similarly, we can import std::io::Error as IoError and use that.
There was a problem hiding this comment.
Done.
What are you referring to here?
There was a problem hiding this comment.
I'm just giving evidence of the fact that std exports core.
|
Hey @DrTobe, would you mind adding some tests that you find appropriate? For instance I'd like to see mbedtls complaining when the identity is not valid UTF-8, if it makes sense. |
That specific test won't be necessary because the type of the I will have a look if I find some things to test. If you have any other specific idea, please let me know. |
…propriate tests This requires to make the handshake method public because it needs to be called again after the initial handshake attempt has failed due to the server responding with a HelloVerifyRequest.
|
I have added the whole DTLS server side (cookies and client ID) which requires some dodging around some current design decisions. On the server side, the first connection setup attempt will always fail if the cookie-based DoS protection is activated (which it should be). So it must be possible to reset the context and try the handshake again. I have considered various possibilities to achieve that, the solution I chose was the one which required, in my opinion, the most acceptable changes. I started with a separate I guess I would add another PSK test, too. I do not know yet if I prefer a separate test or merge it, too. |
|
With the recent changes, everything should be properly tested by now. Again, to avoid code duplication, I have merged the PSK-based tests into the Unfortunately, I had to add a short |
|
bors +r |
|
Did you mean "r+"? |
|
bors r+ |
|
Build succeeded: |
2 participants
I have added PSK (only the interface to
mbedtls_ssl_conf_psk(), so mainly useful for clients) and DTLS support. Because using either of those is a little different from the default, I have also added two new examples.Using DTLS strictly requires setting a timer with
ssl_set_timer_cbso I added an appropriate interface. Because it is relatively straightforward to supply one in astd-environment, I did so, too.Additionally, I needed another
IoCallbackwhich works over UDP. The previously availableimplbased on theWriteandReadtraits is clearly designed to be used withstd::net::TcpStreamwhich is a good choice for TLS connections but inappropriate for DTLS.std::net::UdpSocketdoes not implement those traits but I thought that a default implementation to use instd-environments would be good. So I ended up creating a new type which wraps a UDP socket and enforces that connect is properly called before. Please let me know what you think about that design.The more I worked on the UDP/DTLS stuff, the more I got the feeling that maybe, the current API design is insufficient for TLS and DTLS usage (although the current API design with the
mbedtls::ssl::config::Transportparameter formbedtls::ssl::Config::newsuggests that this should be possible). Some things I noticed while working on this:mbedtls_ssl_recv_timeout_tinstead ofmbedtls_ssl_recv_tto prevent getting stuck? Unfortunately, this would require constant calls toTcpStream::set_read_timeoutandUdpSocket::set_read_timeoutand would prevent theIoCallbackimplementation based on theWriteandReadtraits.Error::SslWantReadandError::SslWantWriteare handled differently) but the handshake can not be completed becauseContext::handshakeis notpub.Nevertheless, unless we can quickly agree on how to resolve any of those issues, I would like to see these changes merged soon so that we can base our future work onto them. If there is anything obvious which can be fixed, please let me know.