[riot-notifications] [RIOT-OS/RIOT] sys: add credman (D)TLS credential management module (#11564)

Aiman Ismail notifications at github.com
Tue May 28 20:21:27 CEST 2019


> I think this may be over-specialized. If the user must remember a (32 bit) numerical tag and this does not copy the buffers, how is this different from just remembering a pointer to the buffer.

The main reason for this module is so that the user can supply their own credentials for libraries that uses(D)TLS (e.g. gcoap + sock_dtls [1]). With this module, users can tell the sock_dtls used in gcoap, which credential to use without having access to the sock itself. Ideally, if the user is using sock_dtls directly, they actually doesn't need this module. It is more towards other modules/libraries that uses DTLS.

> Also, why mix the storage and validation logic. If what is needed is an int->pointer mapping (thread safe and all) why not make that a module and implement the validation and retrieval on top of it.

The (tag, type) mapping is to allow use of different credentials with different sock_dtls. If this module are intended for more general usage, mixing the storage and validation logic may not be good here but for (D)TLS it is easier to check it once when added if the credential is valid than to check it later every time the credential will be used in the (D)TLS libraries. Also, I don't know if such module (int->pointer mapping) is needed currently other than here.

> The design of this does not allow for persisting the credentials in any way.

Copying the buffer into the system might use a larger amount of memory than needed e.g. credman reserves memory enough for ECDSA (longer) but the user only uses PSK (much shorter). That is why I decided to only save pointer to the buffer.

> If credentials are known at compile time, why not use constfs. And if they are dynamically added in run-time, where will they be allocated?

I'm not aware of constfs before this. Thanks for pointing that out. I'll look into it. For the dynamically added in run-time, the users have to supply their own buffer for the credentials.

[1]: sock_dtls is a wrapper around libraries that implements DTLS e.g. tinyDTLS, wolfSSL.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/pull/11564#issuecomment-496631906
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riot-os.org/pipermail/notifications/attachments/20190528/ca498a59/attachment-0001.html>


More information about the notifications mailing list