RIOT
RIOT copied to clipboard
RIOT-OS
pkg/wakaama: add DTLS support
Contribution description
This PR adds support for DTLS connections when using LwM2M. The LwM2M client implementation has been rewritten to allow both CoAP and CoAP over DTLS to be used at the same time. An own implementation of the Security Object is introduced, as it needs to handle the interaction with the Credential Manager (credman). ~For now only Pre-Shared Key mode is supported.~ Pre-Shared Key and Raw Public Key modes are supported. DTLS is supported during the communication with LwM2M server and during bootstrapping.
Update: Raw public key mode is added now as well.
The example application has been modified to use DTLS connections by default. Finally, documentation has been improved.
Testing procedure
The best way to test this is using the example/wakaama application. If you use Eclipse Leshan as your LwM2M Server implementation, you should see an indication that the connection is done over DTLS:
The example can be modified to use plain CoAP connection to the server. That should also work as usual.
diff --git a/examples/wakaama/lwm2m_cli.c b/examples/wakaama/lwm2m_cli.c
index 0cecb7b73a..8d7392746b 100644
--- a/examples/wakaama/lwm2m_cli.c
+++ b/examples/wakaama/lwm2m_cli.c
@@ -63,8 +63,8 @@ void lwm2m_cli_init(void)
lwm2m_obj_security_args_t args = {
.server_id = CONFIG_LWM2M_SERVER_SHORT_ID,
.server_uri = CONFIG_LWM2M_SERVER_URI,
- .security_mode = LWM2M_SECURITY_MODE_PRE_SHARED_KEY,
- .cred = &credential,
+ .security_mode = LWM2M_SECURITY_MODE_NONE,
+ .cred = NULL,
.is_bootstrap = false, /* set to true when using Bootstrap server */
.client_hold_off_time = 5,
.bootstrap_account_timeout = 0
Issues/PRs references
~~Depends on #16179~~ (merged) ~~Depends on #16203~~ (merged) ~~Depends on #16709~~ (merged)
Successfully tested this using the nrf52840dongle as LwM2M client connected to a border router (gnrc_border_router) running on a nrf52840dk. For some reason it did not work when I tried using the dongle as border router and the dk as LwM2M client. The /dev/ttyACM device kept disappearing in this case.
Below is a screenshot of the LwM2M server dashboard showing the device and DTLS connection info.
Additionally the console output for the lwm2m client:
2021-08-04 00:43:36,577 # lwm2m start
2021-08-04 00:43:36,579 # [lwm2m_init:64] Entering
2021-08-04 00:43:36,580 # [lwm2m_configure:277] numObject: 3
2021-08-04 00:43:36,581 # [lwm2m_configure:297] endpointName: "testRIOTDevice"
2021-08-04 00:43:36,582 # [lwm2m:client:refresh_cred] refreshing DTLS credentials
2021-08-04 00:43:36,582 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,583 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,584 # [lwm2m_data_encode_int:273] 0
2021-08-04 00:43:36,585 # [lwm2m_data_free:161] size: 1
2021-08-04 00:43:36,586 # [lwm2m:client] trying to add credential with tag 11
2021-08-04 00:43:36,586 # [lwm2m:client] added
2021-08-04 00:43:36,587 # [lwm2m_step:376] timeoutP:
2021-08-04 00:43:36,587 # [lwm2m_step:377] 1
2021-08-04 00:43:36,588 # [lwm2m_step:382] State: STATE_INITIAL
2021-08-04 00:43:36,590 # [object_getServers:741] Entering
2021-08-04 00:43:36,591 # [lwm2m_data_new:143] size: 3
2021-08-04 00:43:36,592 # [lwm2m_data_encode_bool:410] value: false
2021-08-04 00:43:36,593 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,594 # [lwm2m_data_encode_int:273] 1
2021-08-04 00:43:36,595 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,596 # [lwm2m_data_encode_int:273] 5
2021-08-04 00:43:36,598 # [lwm2m_data_decode_bool:420] Entering
2021-08-04 00:43:36,600 # [lwm2m_data_decode_bool:471] result: 1, value: false
2021-08-04 00:43:36,601 # [lwm2m_data_decode_int:283] Entering
2021-08-04 00:43:36,602 # [lwm2m_data_decode_int:338] result: 1, value:
2021-08-04 00:43:36,603 # [lwm2m_data_decode_int:339] 1
2021-08-04 00:43:36,604 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,606 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,607 # [lwm2m_data_encode_int:273] 1
2021-08-04 00:43:36,608 # [lwm2m_data_decode_int:283] Entering
2021-08-04 00:43:36,609 # [lwm2m_data_decode_int:338] result: 1, value:
2021-08-04 00:43:36,610 # [lwm2m_data_decode_int:339] 1
2021-08-04 00:43:36,611 # [lwm2m_data_free:161] size: 1
2021-08-04 00:43:36,612 # [lwm2m_data_new:143] size: 2
2021-08-04 00:43:36,614 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,615 # [lwm2m_data_encode_int:273] 300
2021-08-04 00:43:36,616 # [lwm2m_data_encode_string:195] "U"
2021-08-04 00:43:36,617 # [lwm2m_data_decode_int:283] Entering
2021-08-04 00:43:36,619 # [lwm2m_data_decode_int:338] result: 1, value:
2021-08-04 00:43:36,620 # [lwm2m_data_decode_int:339] 300
2021-08-04 00:43:36,621 # [lwm2m_data_free:161] size: 2
2021-08-04 00:43:36,622 # [lwm2m_data_free:161] size: 3
2021-08-04 00:43:36,624 # [registration_start:477] State: STATE_REGISTER_REQUIRED
2021-08-04 00:43:36,626 # [object_getRegisterPayloadBufferLength:508] Entering
2021-08-04 00:43:36,627 # [object_getRegisterPayload:579] Entering
2021-08-04 00:43:36,628 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,631 # [lwm2m_data_encode_string:195] "coaps://[2003:fa:9f08:1800:b81c:7238:d99e:6aba]:5684"
2021-08-04 00:43:36,632 # [lwm2m_data_free:161] size: 1
2021-08-04 00:43:36,633 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,634 # [lwm2m_data_encode_bool:410] value: false
2021-08-04 00:43:36,635 # [lwm2m_data_free:161] size: 1
2021-08-04 00:43:36,636 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,638 # [lwm2m_data_encode_int:272] value:
2021-08-04 00:43:36,639 # [lwm2m_data_encode_int:273] 0
2021-08-04 00:43:36,640 # [lwm2m_data_free:161] size: 1
> 2021-08-04 00:43:36,787 # [lwm2m:client:PSK] getting credential
2021-08-04 00:43:36,787 # [lwm2m_data_new:143] size: 1
2021-08-04 00:43:36,789 # [lwm2m_data_encode_string:195] "coaps://[2003:fa:9f08:1800:b81c:7238:d99e:6aba]:5684"
2021-08-04 00:43:36,790 # [lwm2m_data_free:161] size: 1
2021-08-04 00:43:36,791 # [lwm2m:client:PSK] found matching EP on instance 1
2021-08-04 00:43:36,791 # [lwm2m:client:PSK] tag: 11
2021-08-04 00:43:36,868 # [transaction_new:155] method: 2, mID: 26188, token_len: 4
2021-08-04 00:43:36,869 # [transaction_new:159] NULL
2021-08-04 00:43:36,871 # [transaction_new:237] Exiting on success. new transac=0x20007c38
2021-08-04 00:43:36,873 # [transaction_send:353] Entering: transaction=0x20007c38
2021-08-04 00:43:36,875 # [observe_step:492] Entering
2021-08-04 00:43:36,877 # [registration_step:1303] State: STATE_REGISTERING
2021-08-04 00:43:36,878 # [transaction_step:436] Entering
2021-08-04 00:43:36,879 # [lwm2m_step:485] Final timeoutP:
2021-08-04 00:43:36,880 # [lwm2m_step:486] 1
2021-08-04 00:43:36,881 # [lwm2m_step:488] Final state: STATE_REGISTERING
2021-08-04 00:43:36,882 # [lwm2m:client] state: STATE_REGISTERING
2021-08-04 00:43:36,968 # [lwm2m:client] finding connection
2021-08-04 00:43:36,968 # [lwm2m:client] handle packet (22 bytes)
2021-08-04 00:43:36,969 # [lwm2m_handle_packet:214] Entering
2021-08-04 00:43:36,972 # [lwm2m_handle_packet:218] Parsed: ver 1, type 2, tkl 4, code 2.01, mid 26188, Content type: 0
2021-08-04 00:43:36,973 # [lwm2m_handle_packet:220] Payload:
2021-08-04 00:43:36,974 # [transaction_handleResponse:276] Entering
2021-08-04 00:43:36,976 # [prv_handleRegistrationReply:212] Registration successful
2021-08-04 00:43:36,978 # [transaction_remove:262] Entering. transaction=0x20007c38
2021-08-04 00:43:36,980 # [transaction_free:248] Entering. transaction=0x20007c38
2021-08-04 00:43:37,883 # [lwm2m_step:376] timeoutP:
2021-08-04 00:43:37,884 # [lwm2m_step:377] 1
2021-08-04 00:43:37,885 # [lwm2m_step:382] State: STATE_REGISTERING
2021-08-04 00:43:37,887 # [registration_getStatus:506] State: STATE_REGISTERING
2021-08-04 00:43:37,888 # [registration_getStatus:513] targetP->status: STATE_REGISTERED
2021-08-04 00:43:37,890 # [registration_getStatus:536] reg_status: STATE_REGISTERED
2021-08-04 00:43:37,891 # [observe_step:492] Entering
2021-08-04 00:43:37,893 # [registration_step:1303] State: STATE_READY
2021-08-04 00:43:37,894 # [transaction_step:436] Entering
2021-08-04 00:43:37,895 # [lwm2m_step:485] Final timeoutP:
2021-08-04 00:43:37,895 # [lwm2m_step:486] 1
2021-08-04 00:43:37,897 # [lwm2m_step:488] Final state: STATE_READY
2021-08-04 00:43:37,897 # [lwm2m:client] state: STATE_READY
2021-08-04 00:43:38,898 # [lwm2m_step:376] timeoutP:
2021-08-04 00:43:38,899 # [lwm2m_step:377] 1
2021-08-04 00:43:38,900 # [lwm2m_step:382] State: STATE_READY
2021-08-04 00:43:38,902 # [registration_getStatus:506] State: STATE_READY
2021-08-04 00:43:38,903 # [registration_getStatus:513] targetP->status: STATE_REGISTERED
2021-08-04 00:43:38,905 # [registration_getStatus:536] reg_status: STATE_REGISTERED
2021-08-04 00:43:38,906 # [observe_step:492] Entering
2021-08-04 00:43:38,908 # [registration_step:1303] State: STATE_READY
2021-08-04 00:43:38,909 # [transaction_step:436] Entering
2021-08-04 00:43:38,910 # [lwm2m_step:485] Final timeoutP:
2021-08-04 00:43:38,910 # [lwm2m_step:486] 1
2021-08-04 00:43:38,912 # [lwm2m_step:488] Final state: STATE_READY
2021-08-04 00:43:38,912 # [lwm2m:client] state: STATE_READY
2021-08-04 00:43:39,440 # Exiting Pyterm
For some reason it did not work when I tried using the dongle as border router and the dk as LwM2M client
@Ollrogge is this related to #16411? If so, please report your outcome there.
ping @leandrolanzieri @PeterKietzmann do you still want this in for the release?
I think I addressed all comments. I also re-based to current master.
The CI is passing, it only reported some insufficient memory boards, which are now added to the Makefile.ci. I think we can go forward only with PSK support and add the RPK in a following PR, now that #16263 is in.
I think we can go forward only with PSK support and add the RPK in a following PR, now that #16263 is in.
Nevermind this, I added now RPK as well :)
CI is mostly passing now (only hitting an unrelated issue with LVGL on native).
Needs a rebase. @OlegHahm are you still interested in testing it again?
Rebased :)
While testing with the latest Leshan I see that the DTLS handshake and device registration work well, but upon trying to read any resource, a NullPointerException on the Leshan server occurs and no message is sent...
Murdock results
:heavy_check_mark: PASSED
17a3125091066589678e993d88c540e859ab046a pkg/tinydtls: allow PSK and ECC at the same time
| Success | Failures | Total | Runtime |
|---|---|---|---|
| 10083 | 0 | 10083 | 13m:59s |
Artifacts
Or you can wait until the Kconfig removal PR is in then rebase.
Sure
Now that the Kconfig removal is there you can rebase!
Done, also adapted some things to look closer to the existing object API
So far testing has not gone that well. Further investigation is needed before we can proceed. It is crashing on both the samr21-xpro and feather-nrf52840-sense.
Some documentation additions I will just throw here as well:
Running with security
In the security section click 'Add Security Information', select the security mode 'Pre-Shared Key', and enter the Client endpoint name and the security information (Identity and Key).
Then Endpoint should be what is configured in the client device, CONFIG_LWM2M_DEVICE_NAME.
For example, the default name is "testRIOTDevice".
Assuming Security Mode is psk, the Identity field should match the CONFIG_LWM2M_PSK_ID value.
By default, it is Client_Identity.
The final field, the Key field is CONFIG_LWM2M_PSK_KEY.
The default is ThisIsRIOT! but it must be converted to hex. The hex conversion can be done as you
wish but here is a quick example with bash:
echo -n "ThisIsRIOT!" | xxd -p
54686973497352494f5421
Bootstrap server (optional)
Looks like something changed in the meantime, and the stack size of the event thread was not big enough now. I updated this in the example Makefile now. Tested with the feather-nrf52840-sense board.
I just tested with a master rebase, aside from documentation updates I think this looks good, I would also like to try on the samr21-xpro maybe...