README
¶
dtls
https://github.com/qwerty-iot/dtls
Renamed from https://github.com/bocajim/dtls
This package implements a RFC-4347 compliant DTLS client and server.
Key Features
- Pure go, no CGo
- Supports both client and server via UDP
- Supports TLS_PSK_WITH_AES_128_CCM_8 cipher RFC-6655
- Supports TLS_PSK_WITH_AES_128_CBC_SHA256 cipher RFC-5487
- Supports TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher RFC-7251
- Supports pre-shared key authentication
- Supports certificate based authentication
- Supports DTLS session resumption
- Supports persisting session data for resumption later
- Designed for OMA LWM2M comliance LWM2M
- Support for Connection ID RFC-9146 (Nov/19 draft)
TODO
- Implement session renegotiation
- Implement packet retransmission for handshake
- Implement out of order handshake processing
- Implement replay detection
- Implement client hello stateless cookie handling
- Improve parallel processing of incoming packets
- Implement Connection ID for latest RFC-9146 draft
Samples
Keystore
mks := keystore.NewMemoryKeyStore()
keystore.SetKeyStores([]keystore.KeyStore{mks})
psk, _ := hex.DecodeString("00112233445566")
mks.AddKey("myIdentity", psk)
Sample Client
listener, _ = NewUdpListener(":6000", time.Second*5)
peer, err := listener.AddPeer("127.0.0.1:5684", "myIdentity")
err = peer.Write("hello world")
data, rsp := listener.Read()
Generating Certificates
The following commands can be used to generate certificates for testing:
# generate private key
openssl ecparam -out key.pem -name prime256v1 -genkey
# generate certificate
openssl req -new -key key.pem -x509 -nodes -days 3650 -out cert.pem
Documentation
http://godoc.org/github.com/qwerty-iot/dtls
License
Mozilla Public License Version 2.0
NOTE: License was changed from MIT on 11/20/2020.
Documentation
¶
Overview ¶
Package ccm implements a CCM, Counter with CBC-MAC as per RFC 3610.
Index ¶
- Constants
- Variables
- func CertificateFromDisk(keyPath string, certificatePath string) (*tls.Certificate, error)
- func DebugAll()
- func GetPskFromKeystore(identity []byte, remoteAddr string) []byte
- func SessionCacheSize() int
- func SetExportSecret(key string)
- func SetKeyStores(ks []Keystore)
- func SetLogFunc(lf LogFunc)
- func SetLogLevel(level string)
- func SetSniffPacketsCallback(callback SniffPacketsCallback)
- type CCM
- type Cipher
- type CipherCBC
- func (c CipherCBC) Decrypt(s *session, rec *record, key []byte, iv []byte, mac []byte) ([]byte, error)
- func (c CipherCBC) Encrypt(s *session, rec *record, key []byte, iv []byte, mac []byte) ([]byte, error)
- func (c CipherCBC) GenerateKeyBlock(masterSecret []byte, rawKeyBlock []byte) *KeyBlock
- func (c CipherCBC) GetPrfSize() int
- type CipherCcm
- func (c CipherCcm) Decrypt(s *session, rec *record, key []byte, iv []byte, mac []byte) ([]byte, error)
- func (c CipherCcm) Encrypt(s *session, rec *record, key []byte, iv []byte, mac []byte) ([]byte, error)
- func (c CipherCcm) GenerateKeyBlock(masterSecret []byte, rawKeyBlock []byte) *KeyBlock
- func (c CipherCcm) GetPrfSize() int
- type CipherSuite
- type CompressionMethod
- type ContentType
- type KeyBlock
- type Keystore
- type KeystoreInMemory
- type Listener
- func (l *Listener) AddCipherSuite(cipherSuite CipherSuite)
- func (l *Listener) AddCompressionMethod(compressionMethod CompressionMethod)
- func (l *Listener) AddPeer(addr string, identity []byte) (*Peer, error)
- func (l *Listener) AddPeerWithParams(params *PeerParams) (*Peer, error)
- func (l *Listener) CountPeers() int
- func (l *Listener) EachPeer(callback func(peer *Peer))
- func (l *Listener) EnableConnectionId(cidLen int)
- func (l *Listener) FindPeer(addr string) (*Peer, error)
- func (l *Listener) LocalAddr() string
- func (l *Listener) Read() ([]byte, *Peer)
- func (l *Listener) RemovePeer(peer *Peer, alertDesc uint8)
- func (l *Listener) RemovePeerByAddr(addr string, alertDesc uint8)
- func (l *Listener) SetCertificate(cert tls.Certificate) error
- func (l *Listener) SetFrameLimits(maxPacket int, maxHandshake int)
- func (l *Listener) Shutdown() error
- func (l *Listener) UpdatePeer(p *Peer, trans TransportEndpoint, lock bool)
- type LogFunc
- type Peer
- func (p *Peer) CipherSuite() string
- func (p *Peer) Close(alertDesc uint8)
- func (p *Peer) LastActivity() time.Time
- func (p *Peer) Lock()
- func (p *Peer) Read(timeout time.Duration) ([]byte, error)
- func (p *Peer) RemoteAddr() string
- func (p *Peer) SessionCertificate() *x509.Certificate
- func (p *Peer) SessionCid() []byte
- func (p *Peer) SessionExport() string
- func (p *Peer) SessionIdentity() []byte
- func (p *Peer) SessionIdentityOrPublicKeyString() string
- func (p *Peer) SessionIdentityString() string
- func (p *Peer) SessionPeerCid() []byte
- func (p *Peer) SessionPublicKey() []byte
- func (p *Peer) SetName(name string)
- func (p *Peer) Unlock()
- func (p *Peer) UseQueue(en bool)
- func (p *Peer) Write(data []byte) error
- type PeerParams
- type SessionStore
- type SniffPacketsCallback
- type Transport
- type TransportEndpoint
Constants ¶
View Source
const ( AlertType_Warning uint8 = 1 AlertType_Fatal uint8 = 2 AlertDesc_CloseNotify uint8 = 0 AlertDesc_UnexpectedMessage uint8 = 10 AlertDesc_BadRecordMac uint8 = 20 AlertDesc_DecryptionFailed uint8 = 21 AlertDesc_RecordOverflow uint8 = 22 AlertDesc_DecompressionFailure uint8 = 30 AlertDesc_HandshakeFailure uint8 = 40 AlertDesc_NoCertificate uint8 = 41 AlertDesc_BadCertificate uint8 = 42 AlertDesc_UnsupportedCertificate uint8 = 43 AlertDesc_CertificateRevoked uint8 = 44 AlertDesc_CertificateExpired uint8 = 45 AlertDesc_CertificateUnknown uint8 = 46 AlertDesc_IllegalParameter uint8 = 47 AlertDesc_UnknownCa uint8 = 48 AlertDesc_AccessDenied uint8 = 49 AlertDesc_DecodeError uint8 = 50 AlertDesc_DecryptError uint8 = 51 AlertDesc_ExportRestriction uint8 = 60 AlertDesc_ProtocolVersion uint8 = 70 AlertDesc_InsufficientSecurity uint8 = 71 AlertDesc_InternalError uint8 = 80 AlertDesc_UserCanceled uint8 = 90 AlertDesc_NoRenegotiation uint8 = 100 AlertDesc_UnsupportedExtension uint8 = 110 AlertDesc_Noop uint8 = 254 )
View Source
const ( DtlsVersion10 uint16 = 0xFEFF DtlsVersion12 uint16 = 0xFEFD )
View Source
const ( LogLevelError string = "error" LogLevelWarn string = "warn" LogLevelInfo string = "info" LogLevelDebug string = "debug" )
View Source
const ( ContentType_ChangeCipherSpec ContentType = 20 ContentType_Alert = 21 ContentType_Handshake = 22 ContentType_Appdata = 23 ContentType_Appdata_Cid = 25 )
View Source
const ( SessionType_Server string = "server" SessionType_Client string = "client" )
View Source
const ( SniffWrite = "write" SniffRead = "read" )
View Source
const (
AadAuthLen int = 13
)
View Source
const DtlsExtConnectionId = uint16(54)
View Source
const DtlsExtConnectionIdLegacy = uint16(254)
View Source
const (
EccCurve_P256 eccCurve = 0x0017
)
Variables ¶
View Source
var DebugEncryption bool = false
View Source
var DebugHandshake bool = false
View Source
var DebugHandshakeHash bool = false
This callback is invoked each time a handshake completes, if the handshake failed, the reason is stored in error
View Source
var MaxPacketSize = 16384
View Source
var SessionCacheSweepInterval = time.Minute * -5
set to the interval to look for expired sessions
View Source
var SessionCacheTtl = time.Hour * 24
set to whatever you want the cache time to live to be
View Source
var SessionExportCallback func(*Peer)
View Source
var SessionImportCallback func(*Peer) string
View Source
var SessionInactivityTimeout = time.Hour * 24
View Source
var ValidateCertificateCallback func(*Peer, *x509.Certificate) error
Functions ¶
func CertificateFromDisk ¶ added in v2.2.0
func CertificateFromDisk(keyPath string, certificatePath string) (*tls.Certificate, error)
func GetPskFromKeystore ¶
func SessionCacheSize ¶
func SessionCacheSize() int
func SetExportSecret ¶ added in v2.1.0
func SetExportSecret(key string)
func SetKeyStores ¶
func SetKeyStores(ks []Keystore)
func SetLogFunc ¶
func SetLogFunc(lf LogFunc)
func SetLogLevel ¶
func SetLogLevel(level string)
func SetSniffPacketsCallback ¶ added in v2.7.3
func SetSniffPacketsCallback(callback SniffPacketsCallback)
Types ¶
type CCM ¶
type CCM interface {
cipher.AEAD
// MaxLength returns the maxium length of plaintext in calls to Seal.
// The maximum length of ciphertext in calls to Open is MaxLength()+Overhead().
// The maximum length is related to CCM's `L` parameter (15-noncesize) and
// is 1<<(8*L) - 1 (but also limited by the maxium size of an int).
MaxLength() int
}
CCM is a block cipher in Counter with CBC-MAC mode. Providing authenticated encryption with associated data via the cipher.AEAD interface.
type CipherCBC ¶
type CipherCBC struct {
// contains filtered or unexported fields
}
func (CipherCBC) GenerateKeyBlock ¶
func (CipherCBC) GetPrfSize ¶
type CipherCcm ¶
type CipherCcm struct {
// contains filtered or unexported fields
}
func (CipherCcm) GenerateKeyBlock ¶
func (CipherCcm) GetPrfSize ¶
type CipherSuite ¶
type CipherSuite uint16
const ( CipherSuite_TLS_PSK_WITH_AES_128_CCM_8 CipherSuite = 0xC0A8 CipherSuite_TLS_PSK_WITH_AES_128_CBC_SHA256 CipherSuite = 0x00AE CipherSuite_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 CipherSuite = 0xC0AE CipherSuite_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 CipherSuite = 0xC023 )
func (CipherSuite) NeedCert ¶ added in v2.4.0
func (cs CipherSuite) NeedCert() bool
func (CipherSuite) NeedPsk ¶ added in v2.4.0
func (cs CipherSuite) NeedPsk() bool
func (CipherSuite) String ¶ added in v2.7.1
func (cs CipherSuite) String() string
type CompressionMethod ¶
type CompressionMethod uint8
const (
CompressionMethod_Null CompressionMethod = 0
)
type ContentType ¶
type ContentType uint8
type KeyBlock ¶ added in v2.1.0
type KeystoreInMemory ¶
type KeystoreInMemory struct {
// contains filtered or unexported fields
}
func NewKeystoreInMemory ¶
func NewKeystoreInMemory() *KeystoreInMemory
func (*KeystoreInMemory) AddKey ¶
func (ks *KeystoreInMemory) AddKey(identity []byte, psk []byte)
type Listener ¶
type Listener struct {
// contains filtered or unexported fields
}
func NewUdpListener ¶
func (*Listener) AddCipherSuite ¶
func (l *Listener) AddCipherSuite(cipherSuite CipherSuite)
func (*Listener) AddCompressionMethod ¶
func (l *Listener) AddCompressionMethod(compressionMethod CompressionMethod)
func (*Listener) AddPeerWithParams ¶
func (l *Listener) AddPeerWithParams(params *PeerParams) (*Peer, error)
func (*Listener) CountPeers ¶
func (*Listener) EnableConnectionId ¶ added in v2.6.0
func (*Listener) RemovePeer ¶
func (*Listener) RemovePeerByAddr ¶
func (*Listener) SetCertificate ¶ added in v2.2.0
func (l *Listener) SetCertificate(cert tls.Certificate) error
func (*Listener) SetFrameLimits ¶ added in v2.2.0
func (*Listener) UpdatePeer ¶ added in v2.6.4
func (l *Listener) UpdatePeer(p *Peer, trans TransportEndpoint, lock bool)
type Peer ¶
type Peer struct {
// contains filtered or unexported fields
}
func (*Peer) CipherSuite ¶ added in v2.7.1
func (*Peer) LastActivity ¶
func (*Peer) RemoteAddr ¶
func (*Peer) SessionCertificate ¶ added in v2.2.1
func (p *Peer) SessionCertificate() *x509.Certificate
func (*Peer) SessionCid ¶ added in v2.6.0
func (*Peer) SessionExport ¶ added in v2.1.0
func (*Peer) SessionIdentity ¶
func (*Peer) SessionIdentityOrPublicKeyString ¶ added in v2.5.11
func (*Peer) SessionIdentityString ¶
func (*Peer) SessionPeerCid ¶ added in v2.7.1
func (*Peer) SessionPublicKey ¶ added in v2.2.1
type PeerParams ¶
type SessionStore ¶ added in v2.1.0
type SessionStore struct {
Id []byte `json:"id"`
Type string `json:"type"`
RemoteAddr string `json:"remoteAddr"`
PeerIdentity []byte `json:"peerIdentity"`
Cid []byte `json:"cid"`
PeerCid []byte `json:"peerCid"`
CidVersion uint16 `json:"cidVersion"`
Epoch uint16 `json:"epoch"`
SequenceNumber0 uint64 `json:"sequenceNumber0"`
SequenceNumber1 uint64 `json:"sequenceNumber1"`
KeyBlock *KeyBlock `json:"KeyBlock"`
SelectedCipherSuite CipherSuite `json:"selectedCipherSuite"`
}
type SniffPacketsCallback ¶ added in v2.7.3
type Transport ¶
type Transport interface {
Type() string
Local() string
Shutdown() error
NewEndpoint(address string) TransportEndpoint
ReadPacket() ([]byte, TransportEndpoint, error)
}
type TransportEndpoint ¶
func NewUdpPeerFromSocket ¶
func NewUdpPeerFromSocket(socket *net.UDPConn, addr *net.UDPAddr) TransportEndpoint
Source Files
¶
- alert.go
- bytereader.go
- bytewriter.go
- cert.go
- cipher.go
- cipher_cbc.go
- cipher_ccm.go
- common.go
- crypto.go
- debug.go
- dtls.go
- ecc_curves.go
- handshake.go
- handshake_certificate.go
- handshake_certificaterequest.go
- handshake_certificateverify.go
- handshake_clienthello.go
- handshake_clientkeyexchange.go
- handshake_finished.go
- handshake_header.go
- handshake_helloverifyrequest.go
- handshake_serverhello.go
- handshake_serverhellodone.go
- handshake_serverkeyexchange.go
- handshake_unknown.go
- keystore.go
- log.go
- peer.go
- record.go
- session.go
- session_cache.go
- session_export.go
- session_handshake.go
- transport.go
- transport_sniffer.go
- transport_udp.go
Directories
Click to show internal directories.
Click to hide internal directories.