From 51a4e4c85875d25a3e35a203b23646d2b7b60f1c Mon Sep 17 00:00:00 2001 From: Pieter De Gendt Date: Mon, 28 Apr 2025 11:28:29 +0200 Subject: [PATCH] samples: net: sockets: coap_server: Add CoAP secure support Update the CoAP server sample to demonstrate using DTLS for secure sockets. Signed-off-by: Pieter De Gendt
---
.../net/sockets/coap_server/CMakeLists.txt | 29 ++++ samples/net/sockets/coap_server/Kconfig | 36 +++++ samples/net/sockets/coap_server/README.rst | 15 +- .../net/sockets/coap_server/overlay-dtls.conf | 18 +++ samples/net/sockets/coap_server/prj.conf | 5 +- samples/net/sockets/coap_server/sample.yaml | 10 ++ .../net/sockets/coap_server/src/certificate.h | 43 ++++++ .../net/sockets/coap_server/src/certs/ca.der | Bin 0 -> 783 bytes .../src/certs/coaps-server-cert.der | Bin 0 -> 767 bytes .../src/certs/coaps-server-key.der | Bin 0 -> 1218 bytes .../sockets/coap_server/src/certs/server.der | Bin 0 -> 693 bytes .../coap_server/src/certs/server_privkey.der | Bin 0 -> 1219 bytes .../net/sockets/coap_server/src/dummy_psk.h | 14 ++ samples/net/sockets/coap_server/src/main.c | 130 +++++++++++++++--- 14 files changed, 279 insertions(+), 21 deletions(-) create mode 100644 samples/net/sockets/coap_server/Kconfig create mode 100644 samples/net/sockets/coap_server/overlay-dtls.conf create mode 100644 samples/net/sockets/coap_server/src/certificate.h create mode 100644 samples/net/sockets/coap_server/src/certs/ca.der create mode 100644 samples/net/sockets/coap_server/src/certs/coaps-server-cert.der create mode 100644 samples/net/sockets/coap_server/src/certs/coaps-server-key.der create mode 100644 samples/net/sockets/coap_server/src/certs/server.der create mode 100644 samples/net/sockets/coap_server/src/certs/server_privkey.der create mode 100644 samples/net/sockets/coap_server/src/dummy_psk.h
diff --git a/samples/net/sockets/coap_server/CMakeLists.txt b/samples/net/sockets/coap_server/CMakeLists.txt
index 5b9a0beeb19..8941035a7c5 100644
--- a/samples/net/sockets/coap_server/CMakeLists.txt +++ b/samples/net/sockets/coap_server/CMakeLists.txt @@ -4,6 +4,19 @@ cmake_minimum_required(VERSION 3.20.0) find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(coap_server) +if(CONFIG_NET_SOCKETS_ENABLE_DTLS AND + CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED AND + (CONFIG_NET_SAMPLE_PSK_HEADER_FILE STREQUAL "dummy_psk.h")) + add_custom_target(development_psk + COMMAND ${CMAKE_COMMAND} -E echo "----------------------------------------------------------" + COMMAND ${CMAKE_COMMAND} -E echo "--- WARNING: Using dummy PSK! Only suitable for ---" + COMMAND ${CMAKE_COMMAND} -E echo "--- development. Set NET_SAMPLE_PSK_HEADER_FILE to use ---" + COMMAND ${CMAKE_COMMAND} -E echo "--- own pre-shared key. ---" + COMMAND ${CMAKE_COMMAND} -E echo "----------------------------------------------------------" + ) + add_dependencies(app development_psk) +endif() + FILE(GLOB app_sources src/*.c) target_sources(app PRIVATE ${app_sources}) target_include_directories(app PRIVATE ${ZEPHYR_BASE}/subsys/net/ip) @@ -18,3 +31,19 @@ zephyr_iterable_section( SUBALIGN ${CONFIG_LINKER_ITERABLE_SUBALIGN}) include(${ZEPHYR_BASE}/samples/net/common/common.cmake) + +set(gen_dir ${ZEPHYR_BINARY_DIR}/include/generated/) + +foreach(inc_file + ca.der + server.der + server_privkey.der + coaps-server-cert.der + coaps-server-key.der +) + generate_inc_file_for_target( + app + src/certs/${inc_file} + ${gen_dir}/${inc_file}.inc + ) +endforeach() diff --git a/samples/net/sockets/coap_server/Kconfig b/samples/net/sockets/coap_server/Kconfig new file mode 100644 index 00000000000..6cef67ac154 --- /dev/null +++ b/samples/net/sockets/coap_server/Kconfig 
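Review bot: The `foreach` at the end of the file turns `server_privkey.der` and `coaps-server-key.der` into include files, yet only the dummy PSK gets the `development_psk` warning target added in the first hunk. Those private keys are committed with this patch, so they are exactly as public as the dummy PSK, and a build of the unmodified sample embeds a key anyone can read. I would print the same kind of notice for the bundled certificates, or at least put a comment above the loop such as `# Test-only certificates and keys from src/certs; replace before deployment`. The loop also runs for non-DTLS builds, where nothing uses the generated files (`certificate.h` is only included under `CONFIG_NET_SAMPLE_COAPS_SERVICE`), so wrapping it in `if(CONFIG_NET_SAMPLE_COAPS_SERVICE)` would keep the key material out of plain builds.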
@@ -0,0 +1,36 @@ +# Copyright (c) 2023, Emna Rekik +# Copyright (c) 2025, Basalte bv +# SPDX-License-Identifier: Apache-2.0 + +# Config options for CoAP server sample application + +mainmenu "CoAP server sample application" + +config NET_SAMPLE_COAPS_SERVICE + bool "Enable CoAP secure service" + depends on NET_SOCKETS_ENABLE_DTLS || TLS_CREDENTIALS + +config NET_SAMPLE_COAP_SERVER_SERVICE_PORT + int "Port number for CoAP service" + default 5684 if NET_SAMPLE_COAPS_SERVICE + default 5683 + +if NET_SAMPLE_COAPS_SERVICE + +config NET_SAMPLE_PSK_HEADER_FILE + string "Header file containing PSK" + default "dummy_psk.h" + depends on MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + help + Name of a header file containing a pre-shared key. + +config NET_SAMPLE_CERTS_WITH_SC + bool "Signed Certificates" + depends on NET_SOCKETS_SOCKOPT_TLS + help + Enable this flag, if you are interested to run this + application with certificates. + +endif + +source "Kconfig.zephyr" diff --git a/samples/net/sockets/coap_server/README.rst b/samples/net/sockets/coap_server/README.rst index 64bb1a687dc..ac6e1b15cb2 100644 --- a/samples/net/sockets/coap_server/README.rst +++ b/samples/net/sockets/coap_server/README.rst @@ -17,8 +17,9 @@ service's name. A linker file is required, see ``sections-ram.ld`` for an exampl This demo assumes that the platform of choice has networking support, some adjustments to the configuration may be needed. -The sample will listen for requests in the CoAP UDP port (5683) in the -site-local IPv6 multicast address reserved for CoAP nodes. +The sample will listen for requests on the default CoAP UDP port +(5683 or 5684 for secure CoAP) in the site-local IPv6 multicast address reserved +for CoAP nodes. The sample exports the following resources: 
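Review bot: `NET_SAMPLE_COAPS_SERVICE` can be enabled with `TLS_CREDENTIALS` alone, but `setup_dtls()` in `src/main.c` only registers credentials inside `#if defined(CONFIG_NET_SOCKETS_ENABLE_DTLS)` and otherwise returns 0, after which `main()` starts the secure service with nothing stored under its security tags. Since the service is DTLS-only, `depends on NET_SOCKETS_ENABLE_DTLS` would rule that configuration out at Kconfig time. The help text of `NET_SAMPLE_PSK_HEADER_FILE` could also say that the header must define `psk` and `psk_id`, which is what `main.c` passes to `tls_credential_add()`, and that the default `dummy_psk.h` holds a published development key.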
@@ -37,6 +38,16 @@ against coap-server. Building And Running ******************** +Build the CoAP server sample application like this: + +.. zephyr-app-commands:: + :zephyr-app: samples/net/sockets/coap_server + :board: + :goals: build + :compact: + +Use :zephyr_file:`overlay-dtls.conf ` +to build the sample with CoAP secure resources instead. This project has no output in case of success, the correct functionality can be verified by using some external tool such as tcpdump diff --git a/samples/net/sockets/coap_server/overlay-dtls.conf b/samples/net/sockets/coap_server/overlay-dtls.conf new file mode 100644 index 00000000000..d0a85bad132 --- /dev/null +++ b/samples/net/sockets/coap_server/overlay-dtls.conf @@ -0,0 +1,18 @@ +CONFIG_NET_SAMPLE_COAPS_SERVICE=y + +# Secure Socket +CONFIG_NET_SOCKETS_SOCKOPT_TLS=y +CONFIG_NET_SOCKETS_ENABLE_DTLS=y +CONFIG_NET_SOCKETS_TLS_MAX_CLIENT_SESSION_COUNT=6 +CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6 +CONFIG_NET_SOCKETS_DTLS_TIMEOUT=30000 + +# TLS configuration +CONFIG_MBEDTLS_DEBUG=y +CONFIG_MBEDTLS=y +CONFIG_MBEDTLS_BUILTIN=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=60000 +CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y +CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048 +CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y diff --git a/samples/net/sockets/coap_server/prj.conf b/samples/net/sockets/coap_server/prj.conf index 9fdbcb99c20..ce12e0d895a 100644 --- a/samples/net/sockets/coap_server/prj.conf +++ b/samples/net/sockets/coap_server/prj.conf @@ -6,7 +6,7 @@ CONFIG_NET_UDP=y # Socket CONFIG_NET_SOCKETS=y CONFIG_POSIX_API=y -CONFIG_ZVFS_POLL_MAX=4 +CONFIG_ZVFS_POLL_MAX=10 # CoAP CONFIG_COAP=y @@ -48,3 +48,6 @@ CONFIG_NET_IF_MCAST_IPV6_ADDR_COUNT=5 CONFIG_NET_IPV4=n CONFIG_NET_CONFIG_NEED_IPV4=n CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.0.2.1" + +# Enable v4-mapped-on-v6 +CONFIG_NET_IPV4_MAPPING_TO_IPV6=y diff --git a/samples/net/sockets/coap_server/sample.yaml b/samples/net/sockets/coap_server/sample.yaml index d1efb969706..2be258caa50 100644 
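Review bot: `CONFIG_MBEDTLS_DEBUG=y` is set in `overlay-dtls.conf`, the one file the README tells users to apply for a secure build, so anyone copying the overlay also enables the TLS library's debug option. I would drop the line or mark it, e.g. `# Development only: remove for production builds` directly above it. The overlay also forces `CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y`, which pulls in the default `dummy_psk.h`; a one-line comment pointing at `CONFIG_NET_SAMPLE_PSK_HEADER_FILE` would make the replacement step visible where the option is turned on.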
--- a/samples/net/sockets/coap_server/sample.yaml +++ b/samples/net/sockets/coap_server/sample.yaml @@ -12,6 +12,16 @@ tests: platform_allow: - native_sim - qemu_x86 + sample.net.sockets.coaps_server: + harness: net + extra_args: EXTRA_CONF_FILE="overlay-dtls.conf" + tags: + - net + - socket + - tls + platform_allow: + - native_sim + - qemu_x86 sample.net.sockets.coap_server.wifi.nrf70dk: extra_args: - SNIPPET=wifi-ipv4 diff --git a/samples/net/sockets/coap_server/src/certificate.h b/samples/net/sockets/coap_server/src/certificate.h new file mode 100644 index 00000000000..7488d4afc5e --- /dev/null +++ b/samples/net/sockets/coap_server/src/certificate.h @@ -0,0 +1,43 @@ +/* + * Copyright (c) 2018 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef __CERTIFICATE_H__ +#define __CERTIFICATE_H__ + +#define SERVER_CERTIFICATE_TAG 1 +#define PSK_TAG 2 + +#if !defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) +static const unsigned char server_certificate[] = { +#include "coaps-server-cert.der.inc" +}; + +/* This is the private key in pkcs#8 format. */ +static const unsigned char private_key[] = { +#include "coaps-server-key.der.inc" +}; + +#else + +static const unsigned char ca_certificate[] = { +#include "ca.der.inc" +}; + +static const unsigned char server_certificate[] = { +#include "server.der.inc" +}; + +/* This is the private key in pkcs#8 format. */ +static const unsigned char private_key[] = { +#include "server_privkey.der.inc" +}; +#endif + +#if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) +#include CONFIG_NET_SAMPLE_PSK_HEADER_FILE +#endif + +#endif /* __CERTIFICATE_H__ */ 
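Review bot: Nothing in `certificate.h` says that `server_certificate` and `private_key` are built from DER files committed to the repository, so a reader copying the sample has no hint that the key is public test material; a header comment such as `/* Test credentials from src/certs; public, never deploy */` would cover it, and the same applies to `psk` in `dummy_psk.h`. `#include CONFIG_NET_SAMPLE_PSK_HEADER_FILE` relies on the chosen header defining `psk` and `psk_id`, which deserves a comment next to the include. Because the arrays are `static const` definitions in a header, every translation unit that includes it gets its own copy of the key; that is harmless while only `main.c` includes it, but worth a note. The guards `__CERTIFICATE_H__` and `__DUMMY_PSK_H__` use identifiers reserved for the implementation; `CERTIFICATE_H_` and `DUMMY_PSK_H_` would avoid that.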
diff --git a/samples/net/sockets/coap_server/src/certs/ca.der b/samples/net/sockets/coap_server/src/certs/ca.der new file mode 100644 index 0000000000000000000000000000000000000000..b1d3e097cadcea344d9b172b4a540ddd57dae71e GIT binary patch literal 783 zcmXqLV&*nzV*I>-nTe5!NkrQ5sj}%5hTSG>R`_Lq-*o88&x{EMylk9WZ60mkc^MhG zSs4sO4228?*qB3En0Yu;D-v@Ha#Ecg4HU$AjSLJ74b2TKfs|#G1iz7?p{1dbkqJ}) zhrT98C1eX2Ss9p{82K51ZsKBUVq|34wV`KTh|5~Fr}HK2;*u6Ee|T=)1e1!xi;caz z-Z<-YoAX;FSjv^Y>1nk1mK&woeDe9}%lcDyWX(QRwR~w^i;nQdPj^{11~o3t{h`P~MygMx|HOPX%tXsnEOA>fFBedeU33Yx~_59X84`-hUap=ymBqc8_=e zXJ0AHhzvS^yv$SG(`m0>x{E^8F`u&eJ(a)Lt@-kAO77R3LtU3@X0!0{EwG4T-8z42 z@`rzOzWi!tInektcgxn$j9`t&6D!)di-I|~?Tzus+tW+_OU zBOPJG^i2Jk=Y-?xkG9WkdAoLt*%`^MJMCs?Hr>7-wUvpPk%4h>utA`KEHKPv`B=nQ zL;`E>*2qT+TP*1l-lo3#WLEad32P1HLDI@B5(Z)o*cI@D6bLgi{%2t|UYw?JA%`W?xT7A$?XFl} zX+CG(vMCB{-fr{pd|lDHbz#Hxjy)3f&IdyKXSc+pI<5$Nwf$h;y-8pD0*`A~XmRRD S-t=3uW{SGEL-b8SsSE(&xI?V~ literal 0 HcmV?d00001 diff --git a/samples/net/sockets/coap_server/src/certs/coaps-server-cert.der b/samples/net/sockets/coap_server/src/certs/coaps-server-cert.der new file mode 100644 index 0000000000000000000000000000000000000000..bfcb335e31c8c37fd5c964276c42a3554abc3f4e GIT binary patch literal 767 zcmXqLV)|{+#Q1mtGZP~d6DPwv0r`WU3|LlA&)ap-DdR6;hMk(GhDiIJZH z=nO8VCPqevV+_^27sZ{kS1zxd!{1vz@zQs9)6L?K?!L`s{JC+`NsopH^5?fNiT_~s zYX3vyA1jYOyCT`$q&%G?~a`7n%!BhJR8NxJ8LeAXMj8@Z}=^MXr+0N72oA?D7SXK(^cx;@x^i)my z(tRQdLffsY{O=sUs>_nL`zz1ck4Bc)1848L{c-s}-C57(WQW}Pc-Q0S^$(^seJXV> z`k(h(@=aU)(3QD6qd7+wwtn5CeIu6c$fmF-&;}Dq9gkyFl=eiRu;X}cf0k(j@>)) zviDuwwgnHgTeUi?cV#qa|IX8EcwRM~bF02W-`hPi@~2*nwpEi<6R~VsvBJr1b>w9C z=I@pJi?_zcR{Tp^^LD$O*V@A~EolM$ literal 0 HcmV?d00001 
diff --git a/samples/net/sockets/coap_server/src/certs/coaps-server-key.der b/samples/net/sockets/coap_server/src/certs/coaps-server-key.der new file mode 100644 index 0000000000000000000000000000000000000000..5a4d67372ea41873b1c69e5e9371f6f9d2c5a4bd GIT binary patch literal 1218 zcmV;z1U>sOf&{(-0RS)!1_>&LNQUrs4#*Aqyhl|0)hbn0LB1&4bc}v zYpJJsoDYq6k<#}^HM1Au-R*4w`LUA8NPyrU&$pys@HXnd;WPND#pcu*i-IND8FX-Y z?8a!x@6H;j@V5aqk^j?mZUVXnnkuZ%BEKsi!E!hvHR{@L-DjdJ88{gZMA30Lv~4DZ z*2ccUZ#?d=lspAiPOVdci_{}AX>uo%v^uOK=n$^;p9`jL({sug5z4-C09Gk9RLt5b zTP7))O<$p=xyviE4-fzZsSzwlv6-dHd}pP;6d)3}J9YgF3t-AMV@@HKpnBz{CM^S?O`maE}K1B+DL;kFThAp!#d009Dm0RaH7 z0UN?WjiWr2jsEeC*@o6{wYkmT#(VLVd8DRNY9H7lcyumSAs^->(9OQQ2?gklP=v-L`Gx}l}Epd9hrmzrWPB^HgY2; zPe4Raxg5}uhi0bmA2T-mx#s85P@au1X1#k-Aozb#I!LTKGTvnxtemE5>_qMcl?C!j z#SDE>AF8y#xd(^;D<~3x>O7vYf$#m);|U+hoAc_SeGMv2ZJY+*hf(xP2JocW!N5Gh>(fq?+ts}+mI(T~AV*HlNM#ec4c%-zD89*-5W zoj3kXL$XrmvJT)MNZtpI|8%|ly(cPqz-9@rTLkUAoS)`Hqn^ieJ#j$+4frJ&sg!>B1V-0 zfq+K~=0jzRp|HDkq&((1 z4^sTRXxZnW?SQnSc0LySo5cU}$nFBvF(&`13#hnd=8Im5cx&cpoOA&>{Ra-O67MCI z&{4EyJ}s*>fq2TSrW{4Sogwp8<_}h%jHv>FfdJOeMWN~48AK`JI_MJJDU z8=_kU!4}(t3vFMBFF}{=yak@NV(~@!ROfCqUOUOBjX|tSjTWBzA{$rPt$=l?X&Xg< zGCkVbG5nX724gmcghG9WqLN(tyh?m2u)d#AN85K^Mn-N{1_Kd8 zAp-$6=1>-99?sN?#N2|MRA)y61#w;@0|P@ta|25QLnDJI34S9(LrX&=BNM0qioTru zik^@kDXYAcf~pQKuP)zo+30&- zdsL`W?2aE_c8Ub||GIFX(J^B};2(|hvNbb#i*={IPiDy3J$tJ&ci@?4VMWV=4&VCe zed*i}zE-9BtHZF9qVy(`sT+oy{ksJnS;amZ=bj_*v&j0}v(Aq0#9UNL&?l7Jj%zSgmElFXmI`$*a$X#J<0sy{~v`PEt_XN{9Kv4~>gL4f1N!%QHKI zrQ!?c2J27zSdg}K;<*B6sk_I_f9h;pVn08MKhh_xqvX6o-GpVLVd2xY%A(A-@$z5W zA6>qdW5xTj>8pMAgl1+(2pQNNu1#6e`Z4|)(;s_#+qPfTUHR2lm>=v4@vgY1wJ2i3 MBGv5t+z!hv0H2m3zyJUM literal 0 HcmV?d00001 
diff --git a/samples/net/sockets/coap_server/src/certs/server_privkey.der b/samples/net/sockets/coap_server/src/certs/server_privkey.der new file mode 100644 index 0000000000000000000000000000000000000000..2269293fe790f2276d24bb62e5347e2d6e5b9cdf GIT binary patch literal 1219 zcmV;!1U&mNf&{+;0RS)!1_>&LNQUrsW5^Br2+u}0)hbn0Nqb)D1e?a zp8&aImt7ZC<#fYJP1_)U~2r>KV;Sh&|uxsbgd+Wqim>*RQP17 zN+MEv!KZt7vePp6ZiiY`B3-!n^tlvMkNVKSfk9}HQT!-(cC48Vb1jwcV*qTso3%p= zQOxF6a;8$l+WAY$!e4q1-E5KRYMu^m^R8*?f@AY^R3J|xb1OnZyf)d%@7jF-n#bq{w z_V0-_an4m}EhQL0a0eyJLfgYUma~AbF4TKUx0e^de%Z>SRLcd3_W}a}009Dm0RaG! zDnpyyq31e$(;f_OH=9&LUdAGWmcg)_U4%E0mb$XCnj(|v8LAHpDTtP?vr%m06^$EJ zZpnTE;H3hyxV~h-V=#o!93n{(=c4FC>CFRKQ-|zrZ1|YaIP9Ik-N}{ zy2<3cWREtdn{P+&|LN!)p7{mIkU|!Zt`2R(;Pg#_N=yr%0Vbp2xs8}fq?+{ zc_*4}atI@kiq43z4w}weDdyNNVAbB4NkS;27(x^wl z9J%b|Zc?z3;9TOiJK1`TB(hH8#oFnIv_f(!BjM<1Tj6}HlvN;ezG8sA3fPIW5j-m0 zrtNkO#a&BWxBBTNvSLcW2Sl27{uX5dfq?+z1E4J%6tye))MkM!X;Uf?8bH~Szs0u6 z*)cirwi2tZjOy@!RH&>XpF<1p??`R2z_I*@ponczcJ58;AN9n=lmO7)}?cPxq}S7K$e| z%_M>YTZQ&9fy?JR7<=cE*V;m7sn;&-g+MhbC^OY4hZM-K;ApehPU?Alz@8rI#vgD* ziCnquP~ol5;^064q^Ud%WP58WWvLp2efKx^7FEPDLiY hlYUM(QL<8v)b323|FJ#?NUg;s4_k!y09su`yV-?yRI&g7 literal 0 HcmV?d00001 diff --git a/samples/net/sockets/coap_server/src/dummy_psk.h b/samples/net/sockets/coap_server/src/dummy_psk.h new file mode 100644 index 00000000000..e67107266fd --- /dev/null +++ b/samples/net/sockets/coap_server/src/dummy_psk.h @@ -0,0 +1,14 @@ +/* + * Copyright (c) 2019 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef __DUMMY_PSK_H__ +#define __DUMMY_PSK_H__ + +static const unsigned char psk[] = {0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, +0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}; +static const char psk_id[] = "PSK_identity"; + +#endif /* __DUMMY_PSK_H__ */ diff --git a/samples/net/sockets/coap_server/src/main.c b/samples/net/sockets/coap_server/src/main.c index 19890c1f3d3..64db9d128cd 100644 
--- a/samples/net/sockets/coap_server/src/main.c
+++ b/samples/net/sockets/coap_server/src/main.c
@@ -8,18 +8,98 @@ LOG_MODULE_REGISTER(net_coap_service_sample, LOG_LEVEL_DBG); #include -#include + +#include "net_sample_common.h" #ifdef CONFIG_NET_IPV6 +#include + #include "net_private.h" #include "ipv6.h" #endif -#include "net_sample_common.h" +static uint16_t coap_port = CONFIG_NET_SAMPLE_COAP_SERVER_SERVICE_PORT; -static const uint16_t coap_port = 5683; +#ifndef CONFIG_NET_SAMPLE_COAPS_SERVICE -#ifdef CONFIG_NET_IPV6 +COAP_SERVICE_DEFINE(coap_server, NULL, &coap_port, COAP_SERVICE_AUTOSTART); + +#else /* CONFIG_NET_SAMPLE_COAPS_SERVICE */ + +#include "certificate.h" + +static const sec_tag_t sec_tag_list_verify_none[] = { + SERVER_CERTIFICATE_TAG, +#if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + PSK_TAG, +#endif +}; + +COAPS_SERVICE_DEFINE(coap_server, NULL, &coap_port, 0, + sec_tag_list_verify_none, sizeof(sec_tag_list_verify_none)); + +#endif /* CONFIG_NET_SAMPLE_COAPS_SERVICE */ + +static int setup_dtls(void) +{ +#if defined(CONFIG_NET_SAMPLE_COAPS_SERVICE) +#if defined(CONFIG_NET_SOCKETS_ENABLE_DTLS) + int err; + +#if defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) + err = tls_credential_add(SERVER_CERTIFICATE_TAG, + TLS_CREDENTIAL_CA_CERTIFICATE, + ca_certificate, + sizeof(ca_certificate)); + if (err < 0) { + LOG_ERR("Failed to register CA certificate: %d", err); + return err; + } +#endif /* defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) */ + + err = tls_credential_add(SERVER_CERTIFICATE_TAG, + TLS_CREDENTIAL_SERVER_CERTIFICATE, + server_certificate, + sizeof(server_certificate)); + if (err < 0) { + LOG_ERR("Failed to register public certificate: %d", err); + return err; + } + + err = tls_credential_add(SERVER_CERTIFICATE_TAG, + TLS_CREDENTIAL_PRIVATE_KEY, + private_key, sizeof(private_key)); + if (err < 0) { + LOG_ERR("Failed to register private key: %d", err); + return err; + } + +#if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + err = tls_credential_add(PSK_TAG, + TLS_CREDENTIAL_PSK, + psk, + sizeof(psk)); + if (err < 0) { + LOG_ERR("Failed to 
register PSK: %d", err); + return err; + } + + err = tls_credential_add(PSK_TAG, + TLS_CREDENTIAL_PSK_ID, + psk_id, + sizeof(psk_id) - 1); + if (err < 0) { + LOG_ERR("Failed to register PSK ID: %d", err); + return err; + } + +#endif /* defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) */ +#endif /* defined(CONFIG_NET_SOCKETS_ENABLE_DTLS) */ +#endif /* defined(CONFIG_NET_SAMPLE_COAPS_SERVICE) */ + return 0; +} + +#if !defined(CONFIG_NET_SAMPLE_COAPS_SERVICE) && defined(CONFIG_NET_IPV6) #define ALL_NODES_LOCAL_COAP_MCAST \ { { { 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xfd } } } @@ -27,13 +107,13 @@ static const uint16_t coap_port = 5683; #define MY_IP6ADDR \ { { { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1 } } } -static int join_coap_multicast_group(void) +static int join_coap_multicast_group(uint16_t port) { static struct in6_addr my_addr = MY_IP6ADDR; - static struct sockaddr_in6 mcast_addr = { + struct sockaddr_in6 mcast_addr = { .sin6_family = AF_INET6, .sin6_addr = ALL_NODES_LOCAL_COAP_MCAST, - .sin6_port = htons(coap_port) }; + .sin6_port = htons(port) }; struct net_if_addr *ifaddr; struct net_if *iface; int ret; 
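Review bot: The tag list is named `sec_tag_list_verify_none`, and in the `CONFIG_NET_SAMPLE_CERTS_WITH_SC` branch `setup_dtls()` registers `ca_certificate` under `SERVER_CERTIFICATE_TAG`, but nothing in this hunk sets a peer-verification policy, so it is unclear whether client certificates are ever checked. A comment above the list should state the intended client-authentication behaviour, for example `/* Server credentials only; clients are not required to present a certificate */` if that is the case, or the name should become something neutral like `sec_tag_list`. `setup_dtls()` would also benefit from a short doc comment saying that it does nothing and returns 0 unless both `CONFIG_NET_SAMPLE_COAPS_SERVICE` and `CONFIG_NET_SOCKETS_ENABLE_DTLS` are set.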
@@ -71,22 +151,36 @@ static int join_coap_multicast_group(void) return 0; } +#endif /* CONFIG_NET_IPV6 */ + int main(void) { + int ret; + wait_for_network(); - return join_coap_multicast_group(); -} + ret = setup_dtls(); + if (ret < 0) { + LOG_ERR("Failed to setup DTLS (%d)", ret); + return ret; + } -#else /* CONFIG_NET_IPV6 */ +#if !defined(CONFIG_NET_SAMPLE_COAPS_SERVICE) && defined(CONFIG_NET_IPV6) + ret = join_coap_multicast_group(coap_port); + if (ret < 0) { + LOG_ERR("Failed to join CoAP all-nodes multicast (%d)", ret); + return ret; + } +#endif -int main(void) -{ - wait_for_network(); +#ifdef CONFIG_NET_SAMPLE_COAPS_SERVICE + /* CoAP secure server has to be started manually after DTLS setup */ + ret = coap_service_start(&coap_server); + if (ret < 0) { + LOG_ERR("Failed to start CoAP secure server (%d)", ret); + return ret; + } +#endif - return 0; + return ret; } - -#endif /* CONFIG_NET_IPV6 */ - -COAP_SERVICE_DEFINE(coap_server, NULL, &coap_port, COAP_SERVICE_AUTOSTART);
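Review bot: The secure build skips `join_coap_multicast_group()` through `#if !defined(CONFIG_NET_SAMPLE_COAPS_SERVICE) && defined(CONFIG_NET_IPV6)`, while the README change in this patch says the sample listens on "5683 or 5684 for secure CoAP" in the site-local IPv6 multicast address. Skipping the join is presumably intended, since a DTLS session is set up with a single peer, but the reason is not written down; I would add `/* The secure service is unicast only, so the multicast group is not joined */` above the guard in `main()` and adjust the README sentence. The added `#endif /* CONFIG_NET_IPV6 */` after `join_coap_multicast_group()` also no longer matches its `#if`, which now tests `CONFIG_NET_SAMPLE_COAPS_SERVICE` as well.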