application: serial_lte_modem: Support DTLS connection ID #11244
Conversation
junqingzou
requested review from
SeppoTakalo,
VTPeltoketo,
MarkusLassila and
rlubos
as code owners
github-actions
bot
added
the
changelog-entry-required
|
Under testing with mfw_1.3.5 pre-release |
Test specificationCI/Jenkins/NRF
CI/Jenkins/integration
Detailed information of selected test modules Note: This message is automatically posted and updated by the CI |
Support RFC9146 DTLS v1.2 Connection Identifier. - Requires lib_modem from NCS v2.4.0 and beyond. - Requires mfw-1.3.5 and beyond. Supported in DTLS client proxy #XUDPCLI only. Signed-off-by: Jun Qing Zou <jun.qing.zou@nordicsemi.no>
| @@ -481,7 +529,7 @@ int handle_at_udp_server(enum at_cmd_type cmd_type) | |||
| } | |||
|
|
|||
| /**@brief handle AT#XUDPCLI commands | |||
| * AT#XUDPCLI=<op>[,<url>,<port>[,<sec_tag>] | |||
| * AT#XUDPCLI=<op>[,<url>,<port>[,<sec_tag>,<connection_id>] | |||
There was a problem hiding this comment.
| * AT#XUDPCLI=<op>[,<url>,<port>[,<sec_tag>,<connection_id>] | |
| * AT#XUDPCLI=<op>[,<url>,<port>[,<sec_tag>[,<connection_id>] |
Connection ID parameter seem optional.
There was a problem hiding this comment.
You're right, it's optional.
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, | ||
| NRF_SO_SEC_DTLS_CONN_SAVE, | ||
| NULL, 0); | ||
| if (ret) { | ||
| LOG_WRN("Save DTLS connection failed: %d", ret); | ||
| } |
There was a problem hiding this comment.
Why do we blindly save the session if connection ID is enabled?
I would propose that we don't use that feature as it might run out of memory.
There was a problem hiding this comment.
I think there will be only ONE session saved on modem side, as only SAVE/LOAD defined and no DELETE, so there should be no incremental memeory usage. SAVE after confirmation of CID active would only update the session data as I assumed. Finally if APP dones not SAVE then it could not LOAD, either.
There was a problem hiding this comment.
I don't think that this SAVE/LOAD works as you expect. According to the documentation, SAVEd socket cannot be used, before it is LOADed. To me it seems like this should be used after we have transmitted the wanted data and are waiting for more data. Not sure how suitable this is for SLM.
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_modem/doc/sockets.html:
...
Once the DTLS context is saved, the socket can’t be used before the DTLS context is loaded with [NRF_SO_SEC_DTLS_CONN_LOAD]
...
The option will fail with nrf_errno NRF_ENOMEM if the amount of saved connections exceeds four.
....
edit: Noticed that @SeppoTakalo addressed this as well, leaving this up.
| uint32_t dtls_cid = (proxy.conn_id != 0) ? | ||
| NRF_SO_SEC_DTLS_CID_ENABLED : NRF_SO_SEC_DTLS_CID_DISABLED; | ||
|
|
||
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, NRF_SO_SEC_DTLS_CID, | ||
| &dtls_cid, sizeof(dtls_cid)); |
There was a problem hiding this comment.
| uint32_t dtls_cid = (proxy.conn_id != 0) ? | |
| NRF_SO_SEC_DTLS_CID_ENABLED : NRF_SO_SEC_DTLS_CID_DISABLED; | |
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, NRF_SO_SEC_DTLS_CID, | |
| &dtls_cid, sizeof(dtls_cid)); | |
| if (proxy.conn_id) { | |
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, NRF_SO_SEC_DTLS_CID, | |
| &proxy.conn_id, sizeof(proxy.conn_id)); | |
| } |
I propose that we only set the socket option if it is other than zero.
Also require that AT parameter is 0, 1 or 2, so it is already same as what our socket API can take.
There was a problem hiding this comment.
It is a bit awkward to set TLS_DTLS_CID_SUPPORTED, but will be allowed.
Then we'll need to differentiate TLS_DTLS_CID_SUPPORTED and TLS_DTLS_CID_ENABLED.
| } else if (proxy.conn_id != 0) { | ||
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, | ||
| NRF_SO_SEC_DTLS_CONN_LOAD, | ||
| NULL, 0); | ||
| if (ret) { | ||
| LOG_WRN("Load DTLS connection failed: %d", ret); | ||
| } else { | ||
| LOG_INF("DTLS connection resumed"); | ||
| } | ||
| } |
There was a problem hiding this comment.
My proposal would be not to use to storing/loading, at least not in the first phase.
Either drop it, or have it as a separate option / AT command.
There was a problem hiding this comment.
I don't think modem will automatically SAVE/LOAD CID so if APP does not do that, CID might not take effect for DTLS re-handshake.
There was a problem hiding this comment.
Same CID should not be re-used in DTLS re-handshake.
https://datatracker.ietf.org/doc/html/rfc9146:
In DTLS 1.2, CIDs are exchanged at the beginning of the DTLS session only. There is no dedicated "CID update" message that allows new CIDs to be established mid-session, because DTLS 1.2 in general does not allow TLS 1.3-style post-handshake messages that do not themselves begin other handshakes. When a DTLS session is resumed or renegotiated, the "connection_id" extension is negotiated afresh.
Also:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_modem/doc/sockets.html
NRF_SO_SEC_DTLS_CONN_SAVE
Save DTLS connection. This option is write-only. This option require a DTLS v1.2 connection with renegotiation disabled.
edit: Noticed that @SeppoTakalo addressed this as well, leaving this up.
| @@ -516,6 +564,9 @@ int handle_at_udp_client(enum at_cmd_type cmd_type) | |||
| proxy.sec_tag = INVALID_SEC_TAG; | |||
| if (at_params_valid_count_get(&at_param_list) > 4) { | |||
| at_params_unsigned_int_get(&at_param_list, 4, &proxy.sec_tag); | |||
| if (at_params_valid_count_get(&at_param_list) > 5) { | |||
| at_params_int_get(&at_param_list, 5, &proxy.conn_id); | |||
There was a problem hiding this comment.
We should verify here that conn_id is either 0, 1 or 2, so we can feed it directly to Socket API.
There was a problem hiding this comment.
Yes we can do that
Sorry to be late in replying due to local expo and tech tour. |
|
Can you verify that there is no misunderstanding of connection ID SAVE/LOAD functionality, because I believe it works differently than what this code is using. My understanding of the documentation is that:
|
I get your point. I referred to lib_modem socket test code, but it does not really reflect the correct sequence of LOAD and SAVE. |
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, | ||
| NRF_SO_SEC_DTLS_CONN_SAVE, | ||
| NULL, 0); | ||
| if (ret) { | ||
| LOG_WRN("Save DTLS connection failed: %d", ret); | ||
| } |
There was a problem hiding this comment.
I don't think that this SAVE/LOAD works as you expect. According to the documentation, SAVEd socket cannot be used, before it is LOADed. To me it seems like this should be used after we have transmitted the wanted data and are waiting for more data. Not sure how suitable this is for SLM.
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_modem/doc/sockets.html:
...
Once the DTLS context is saved, the socket can’t be used before the DTLS context is loaded with [NRF_SO_SEC_DTLS_CONN_LOAD]
...
The option will fail with nrf_errno NRF_ENOMEM if the amount of saved connections exceeds four.
....
edit: Noticed that @SeppoTakalo addressed this as well, leaving this up.
| } else if (proxy.conn_id != 0) { | ||
| ret = nrf_setsockopt(proxy.sock, NRF_SOL_SECURE, | ||
| NRF_SO_SEC_DTLS_CONN_LOAD, | ||
| NULL, 0); | ||
| if (ret) { | ||
| LOG_WRN("Load DTLS connection failed: %d", ret); | ||
| } else { | ||
| LOG_INF("DTLS connection resumed"); | ||
| } | ||
| } |
There was a problem hiding this comment.
Same CID should not be re-used in DTLS re-handshake.
https://datatracker.ietf.org/doc/html/rfc9146:
In DTLS 1.2, CIDs are exchanged at the beginning of the DTLS session only. There is no dedicated "CID update" message that allows new CIDs to be established mid-session, because DTLS 1.2 in general does not allow TLS 1.3-style post-handshake messages that do not themselves begin other handshakes. When a DTLS session is resumed or renegotiated, the "connection_id" extension is negotiated afresh.
Also:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_modem/doc/sockets.html
NRF_SO_SEC_DTLS_CONN_SAVE
Save DTLS connection. This option is write-only. This option require a DTLS v1.2 connection with renegotiation disabled.
edit: Noticed that @SeppoTakalo addressed this as well, leaving this up.
|
Thanks for the comments. |
|
@junqingzou Can you drop the SAVE/LOAD functionality. Connection Identifier itself does not require it, it should be considered as a separate thing. |
|
I can actually close this PR and keep the code as local test object. |
Support RFC9146 DTLS v1.2 Connection Identifier.
Supported in DTLS client proxy #XUDPCLI only.