

Allow for overriding the OpenSSL security level (#203)
* feat: allow for overriding the OpenSSL security level

* chore: use lower security level for DTLS example
JKRhb authored Dec 13, 2024
1 parent 42a7f0b commit 14a7019
Showing 4 changed files with 23 additions and 0 deletions.
8 changes: 8 additions & 0 deletions example/get_resource_secure.dart
Expand Up @@ -30,6 +30,14 @@ PskCredentials pskCredentialsCallback(final String? identityHint) =>
class DtlsConfig extends DefaultCoapConfig {
@override
String? get dtlsCiphers => 'PSK-AES128-CCM8';

@override
// Since TLS_PSK_WITH_AES_128_CCM_8 (also known as PSK-AES128-CCM8 in OpenSSL)
// is considered insecure in more recent versions of OpenSSL, we reduce the
// security level here, as TLS_PSK_WITH_AES_128_CCM_8 is the mandatory cipher
// suite that CoAP implementations must support when using DTLS in PSK mode
// (see section 9.1.3.1 of RFC 7252).
int? get openSslSecurityLevel => 0;
}

FutureOr<void> main() async {
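Review bot: Security level 0 on the new `openSslSecurityLevel` override disables all of OpenSSL's strength checks, not only the one that rejects the CCM8 suite, and the comment does not say what keeps this configuration narrow. In this example that is the `dtlsCiphers` pin to `PSK-AES128-CCM8` a few lines above, so a reader who copies the override without the pin ends up with a context that accepts anything OpenSSL can still negotiate. I would extend the comment with `// Level 0 removes all of OpenSSL's strength checks, so keep it paired with the dtlsCiphers restriction above; that pin is what limits the relaxation to this single suite.`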
9 changes: 9 additions & 0 deletions lib/src/coap_config.dart
Expand Up @@ -91,4 +91,13 @@ abstract class DefaultCoapConfig {
/// Custom libcrypto instance that can be registered if OpenSSL
/// should not be available at the default locations.
DynamicLibrary? get libCryptoInstance => null;

/// Adjusts the security level that is used by OpenSSL for DTLS.
///
/// The possible security levels range from 0 to 5.
/// See the [OpenSSL Documentation] for more information on the meaning of
/// each level.
///
/// [OpenSSL Documentation]: https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/#default-callback-behaviour
int? get openSslSecurityLevel => null;
}
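Review bot: The doc comment on `openSslSecurityLevel` gives the 0 to 5 range but says neither what the default `null` means nor that nothing in this class enforces the range. Presumably `null` leaves OpenSSL's own default level in place, but the consumer is not visible here, so that should be confirmed against the network layer before documenting it. I would add after the range sentence: `/// Returning null (the default) leaves OpenSSL's default security level untouched.` and `/// Lower levels admit cipher suites and key sizes that OpenSSL otherwise rejects, so only lower it for a required suite such as the CoAP-mandated PSK-AES128-CCM8.` A note that out-of-range values are passed through unchecked would also help callers.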
1 change: 1 addition & 0 deletions lib/src/network/coap_inetwork.dart
Expand Up @@ -92,6 +92,7 @@ abstract class CoapINetwork {
libCrypto: config.libCryptoInstance,
libSsl: config.libSslInstance,
hostName: uri.host,
securityLevel: config.openSslSecurityLevel,
);
default:
throw UnsupportedProtocolException(uri.scheme);
5 changes: 5 additions & 0 deletions lib/src/network/coap_network_openssl.dart
Expand Up @@ -65,13 +65,15 @@ class CoapNetworkUDPOpenSSL extends CoapNetworkUDP {
final DynamicLibrary? libSsl,
final DynamicLibrary? libCrypto,
final String? hostName,
final int? securityLevel,
}) : _ciphers = ciphers,
_verify = verify,
_withTrustedRoots = withTrustedRoots,
_rootCertificates = rootCertificates,
_libSsl = libSsl,
_libCrypto = libCrypto,
_hostname = hostName,
_securityLevel = securityLevel,
_openSslPskCallback = _createOpenSslPskCallback(pskCredentialsCallback);

DtlsClient? _dtlsClient;
Expand All @@ -94,6 +96,8 @@ class CoapNetworkUDPOpenSSL extends CoapNetworkUDP {

final String? _hostname;

final int? _securityLevel;

@override
void send(final CoapMessage coapMessage) {
if (isClosed) {
Expand Down Expand Up @@ -132,6 +136,7 @@ class CoapNetworkUDPOpenSSL extends CoapNetworkUDP {
rootCertificates: _rootCertificates,
ciphers: _ciphers,
pskCredentialsCallback: _openSslPskCallback,
securityLevel: _securityLevel,
);

try {
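Review bot: The 0 to 5 range documented for the security level is not checked anywhere visible: `_securityLevel = securityLevel,` in the constructor stores whatever the config returns, and the later `securityLevel: _securityLevel,` hands it to the DTLS context unchanged, so an out-of-range value is left to whatever the underlying binding does with it. A cheap guard at the first point is `_securityLevel = securityLevel == null ? null : RangeError.checkValueInInterval(securityLevel, 0, 5, 'securityLevel'),`, which fails fast with an ArgumentError instead of a native-layer surprise. The constructor containing the first hunk and the method containing the second both start outside the visible lines.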
