Topic: messages of DTLS

Hello,
I want to use DTLS with PSK. I enabled DTLS and PSK in the settings of CubeMX.
I get this cipher list:

DHE-PSK-AES128-CBC-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-PSK-AES128-CBC-SHA256

SSL session has been configured to use DTLS

and I check whether DTLS is enabled or not with wolf_dtls(ssl), and it is enabled.

I define a callback function for PSK with wolfSSL_CTX_set_psk_client_callback(...). I have a question here: is the PSK value defined here?


Re: messages of DTLS

Also, I define custom I/O callbacks, because I do not use TCP and ...
I use these functions to define the callbacks:

    wolfSSL_CTX_SetIORecv(ctx, my_IORecv);
    wolfSSL_CTX_SetIOSend(ctx, my_IOSend);

int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
int my_IORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)

After that, I call wolfSSL_connect(ssl). my_IOSend(...) is called. I check the parameters that are passed to my_IOSend, like buff and sz, but I am confused:

I get sz = 121, but the buff is "þý". The debug log is as follows:

wolfSSL Entering DTLS_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
Hello.
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
SSL session has been configured to use DTLS
DHE-PSK-AES128-CBC-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-PSK-AES128-CBC-SHA256
   
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
wolfSSL Entering DtlsMsgPoolSave()
wolfSSL Entering DtlsMsgNew()
wolfSSL Leaving DtlsMsgPoolSave(), return 0

þý
sz 121


is it correct?


Re: messages of DTLS

Hi lili,

See our wolfssl/test.h example for the PSK values:

/* identity is OpenSSL testing default for openssl s_client, keep same */
static const char* kIdentityStr = "Client_identity";

static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
        char* identity, unsigned int id_max_len, unsigned char* key,
        unsigned int key_max_len)
{
    (void)ssl;
    (void)hint;
    (void)key_max_len;

    /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
    XSTRNCPY(identity, kIdentityStr, id_max_len);

    if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
        /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
           unsigned binary */
        key[0] = 0x1a;
        key[1] = 0x2b;
        key[2] = 0x3c;
        key[3] = 0x4d;

        return 4;   /* length of key in octets or 0 for error */
    }
    else {
        int i;
        int b = 0x01;

        for (i = 0; i < 32; i++, b += 0x22) {
            if (b >= 0x100)
                b = 0x01;
            key[i] = b;
        }

        return 32;   /* length of key in octets or 0 for error */
    }
}

These values need to be agreed upon by both the server and client. You should use your own key.

I would also recommend setting your cipher suite list to just the PSK ones so the peer is forced to use PSK.

wolfSSL_CTX_set_cipher_list(ctx, "DHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA256");

The send size of 121 is a client_hello. As the client, it starts the connection and sends the "client_hello"; then it will try to read 5 bytes (the TLS header), then the remainder.

We have some good PSK and IO callback examples here:
https://github.com/wolfSSL/wolfssl-exam … callback.c
https://github.com/wolfSSL/wolfssl-exam … master/psk

Thanks,
David Garske, wolfSSL


4 (edited by lili 2022-08-06 02:13:43)

Re: messages of DTLS

Thanks for your help.

As you said, the client_hello is 121 bytes. Why, when I try to printf it, do I get "þý"?
It is not 121 bytes!
Is it correct?


Re: messages of DTLS

Hi Lili,

I believe you are trying to printf the IO buffers, which are binary (not ASCII), so printf will not work. Where did you place the printf? Perhaps you can share the code you are using?

Thanks,
David Garske, wolfSSL

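The reply above explains the symptom in one sentence; the example below, added here and not taken from the forum thread, the wolfSSL examples repository or the wolfSSL sources, shows it concretely. It is a send callback in the shape wolfSSL expects (the `WOLFSSL` type is an opaque forward declaration and `WOLFSSL_CBIO_ERR_GENERAL` is redefined with the value wolfSSL uses, so the file compiles without wolfSSL headers). The callback hex-dumps what it is asked to send, decodes the DTLS record header (13 bytes in DTLS per RFC 6347, not the 5-byte TLS record header) and the 12-byte DTLS handshake header, then hands the bytes to a hypothetical transport struct `my_transport` that stands in for the UDP or radio send routine of the firmware. The 121-byte input is constructed: its headers are a valid DTLS 1.2 ClientHello record, its body is filler. Running it shows why `printf("%s", buff)` prints only "þý": the record starts `0x16 0xfe 0xfd 0x00`, and the fourth byte (epoch high byte) is a NUL that terminates the string after the two Latin-1 characters þ (0xfe) and ý (0xfd), the DTLS 1.2 version number.

```c
/* Added example: wolfSSL-style send callback that dumps and decodes DTLS records.
 * Not from the wolfSSL sources; stand-in types let it build without wolfSSL. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct WOLFSSL WOLFSSL;        /* opaque stand-in for the real wolfSSL object */
#define WOLFSSL_CBIO_ERR_GENERAL (-1)  /* value wolfSSL uses in wolfssl/wolfio.h */

#define DTLS_RECORD_HDR_LEN 13  /* type(1) version(2) epoch(2) seq(6) length(2)           RFC 6347 4.1 */
#define DTLS_HS_HDR_LEN     12  /* type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)  RFC 6347 4.2.2 */
#define DTLS12_VERSION      0xfefd
#define CT_HANDSHAKE        22
#define HS_CLIENT_HELLO     1

struct dtls_record {
    uint8_t  content_type;
    uint16_t version, epoch, length, hs_msg_seq;
    uint64_t sequence;
    uint8_t  hs_type;                            /* handshake fields valid only for CT_HANDSHAKE */
    uint32_t hs_length, hs_frag_off, hs_frag_len;
};

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Decode the first DTLS record in buf; 0 on success, negative if the buffer is
 * short or the length fields are inconsistent (never trust them blindly). */
int parse_dtls_record(const uint8_t *buf, size_t len, struct dtls_record *r)
{
    int i;
    if (len < DTLS_RECORD_HDR_LEN) return -1;
    memset(r, 0, sizeof *r);
    r->content_type = buf[0];
    r->version = (uint16_t)be16(buf + 1);
    r->epoch   = (uint16_t)be16(buf + 3);
    for (i = 0; i < 6; i++) r->sequence = (r->sequence << 8) | buf[5 + i];
    r->length  = (uint16_t)be16(buf + 11);
    if (r->length > len - DTLS_RECORD_HDR_LEN) return -2;      /* record claims more than we hold */
    if (r->content_type == CT_HANDSHAKE) {
        const uint8_t *h = buf + DTLS_RECORD_HDR_LEN;
        if (r->length < DTLS_HS_HDR_LEN) return -3;
        r->hs_type     = h[0];
        r->hs_length   = be24(h + 1);
        r->hs_msg_seq  = (uint16_t)be16(h + 4);
        r->hs_frag_off = be24(h + 6);
        r->hs_frag_len = be24(h + 9);
        if (r->hs_frag_off + r->hs_frag_len > r->hs_length) return -4;
        if (r->hs_frag_len > r->length - DTLS_HS_HDR_LEN) return -5;
    }
    return 0;
}

/* How many bytes printf("%s", buff) would show: it stops at the first NUL byte. */
size_t bytes_printf_would_show(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    while (n < len && buf[n] != 0) n++;
    return n;
}

static void hexdump(const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        printf("%02x%s", p[i], ((i + 1) % 16 == 0 || i + 1 == n) ? "\n" : " ");
}

/* Hypothetical transport passed via wolfSSL_SetIOWriteCtx(): a capture buffer here,
 * the UDP/radio send routine in real firmware. */
struct my_transport { uint8_t out[512]; size_t out_len; };

/* Same signature as wolfSSL's CallbackIOSend: return bytes sent or a WOLFSSL_CBIO_ERR_* code. */
int my_IOSend(WOLFSSL *ssl, char *buff, int sz, void *ctx)
{
    struct my_transport *t = (struct my_transport *)ctx;
    struct dtls_record r;
    (void)ssl;
    if (sz < 0 || t == NULL || (size_t)sz > sizeof t->out) return WOLFSSL_CBIO_ERR_GENERAL;
    hexdump((const uint8_t *)buff, (size_t)sz);
    if (parse_dtls_record((const uint8_t *)buff, (size_t)sz, &r) == 0)
        printf("record type %u version 0x%04x epoch %u len %u; hs type %u len %u frag %u+%u\n",
               r.content_type, r.version, r.epoch, r.length,
               r.hs_type, r.hs_length, r.hs_frag_off, r.hs_frag_len);
    memcpy(t->out, buff, (size_t)sz);
    t->out_len = (size_t)sz;
    return sz;
}

/* Constructed 121-byte DTLS 1.2 ClientHello record: valid headers, filler body (not a real hello). */
size_t build_sample_client_hello(uint8_t *out, size_t cap)
{
    const size_t body = 96, total = DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN + body;
    uint8_t *h;
    size_t i;
    if (cap < total) return 0;
    memset(out, 0, total);                                   /* epoch 0, sequence 0 */
    out[0] = CT_HANDSHAKE; out[1] = 0xfe; out[2] = 0xfd;
    out[11] = (uint8_t)((DTLS_HS_HDR_LEN + body) >> 8); out[12] = (uint8_t)(DTLS_HS_HDR_LEN + body);
    h = out + DTLS_RECORD_HDR_LEN;
    h[0] = HS_CLIENT_HELLO; h[3] = (uint8_t)body; h[11] = (uint8_t)body;   /* unfragmented */
    h[12] = 0xfe; h[13] = 0xfd;                              /* client_version, then filler */
    for (i = 14; i < DTLS_HS_HDR_LEN + body; i++) h[i] = (uint8_t)(0xa0 + (i & 0x0f));
    return total;
}

/* Pushes the sample through the callback and parser; returns 1 if every field decodes as built. */
int self_check(void)
{
    struct my_transport t = {{0}, 0};
    struct dtls_record r;
    uint8_t pkt[160];
    size_t n = build_sample_client_hello(pkt, sizeof pkt);
    if (n != 121 || my_IOSend(NULL, (char *)pkt, (int)n, &t) != 121 || t.out_len != 121) return 0;
    if (parse_dtls_record(t.out, t.out_len, &r) != 0) return 0;
    if (r.content_type != CT_HANDSHAKE || r.version != DTLS12_VERSION || r.length != 108) return 0;
    if (r.hs_type != HS_CLIENT_HELLO || r.hs_length != 96 || r.hs_frag_len != 96) return 0;
    if (bytes_printf_would_show(pkt, n) != 3) return 0;      /* 0x16 0xfe 0xfd, then NUL */
    if (parse_dtls_record(pkt, 12, &r) != -1) return 0;      /* short buffer is rejected */
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Dumping with a hex routine rather than `%s` is the habit to keep for any TLS/DTLS I/O callback: the buffers are binary and regularly contain NUL bytes, so string functions both truncate the output and, if used for copying, corrupt the record.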