net: lwm2m: Support DTLS Connection Identifier

DTLS Connection Identifier support requires DTLS stack that supports it. MbedTLS support in Zephyr is already ported in, also some offloaded sockets support it. Signed-off-by: Seppo Takalo <[email protected]>
jrhrsmit · Nov 17, 2023 · 8cfede8 · 8cfede8
1 parent 100836e
commit 8cfede8
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 0 deletions.
diff --git a/doc/connectivity/networking/api/lwm2m.rst b/doc/connectivity/networking/api/lwm2m.rst
@@ -404,6 +404,11 @@ NoSec
 In all modes, Server URI resource (ID 0) must contain the full URI for the target server.
 When DNS names are used, the DNS resolver must be enabled.
 
+When DTLS is used, following options are recommended to reduce DTLS handshake traffic when connection is re-established:
+
+* :kconfig:option:`CONFIG_LWM2M_DTLS_CID` enables DTLS Connection Identifier support. When server supports it, this completely removes the handshake when device resumes operation after long idle period. Greatly helps when NAT mappings have timed out.
+* :kconfig:option:`CONFIG_LWM2M_TLS_SESSION_CACHING` uses session cache when before falling back to full DTLS handshake. Reduces few packets from handshake, when session is still cached on server side. Most significant effect is to avoid full registration.
+
 LwM2M stack provides callbacks in the :c:struct:`lwm2m_ctx` structure.
 They are used to feed keys from the LwM2M security object into the TLS credential subsystem.
 By default, these callbacks can be left as NULL pointers, in which case default callbacks are used.

diff --git a/samples/net/lwm2m_client/overlay-dtls.conf b/samples/net/lwm2m_client/overlay-dtls.conf
@@ -1,9 +1,12 @@
+# Enable DTLS with Connection Identifier
 CONFIG_LWM2M_DTLS_SUPPORT=y
+CONFIG_LWM2M_DTLS_CID=y
 CONFIG_LWM2M_PEER_PORT=5684
 
 # Select Zephyr mbedtls
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_TLS_VERSION_1_2=y
+CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y
 
 # Special MbedTLS changes
 CONFIG_MBEDTLS_ENABLE_HEAP=y

diff --git a/subsys/net/lib/lwm2m/Kconfig b/subsys/net/lib/lwm2m/Kconfig
@@ -115,6 +115,13 @@ config LWM2M_TLS_SESSION_CACHING
 	help
 	  Enabling this only when feature is supported in TLS library.
 
+config LWM2M_DTLS_CID
+	bool "DTLS Connection Identifier support"
+	default y if MBEDTLS_SSL_DTLS_CONNECTION_ID
+	help
+	  Request TLS stack to enable DTLS Connection identifier. This requires stack that support it
+	  and actual effect depends on the target server as well.
+
 config LWM2M_RD_CLIENT_SUPPORT_BOOTSTRAP
 	bool "Bootstrap support"
 	help

diff --git a/subsys/net/lib/lwm2m/lwm2m_engine.c b/subsys/net/lib/lwm2m/lwm2m_engine.c
@@ -987,6 +987,18 @@ int lwm2m_set_default_sockopt(struct lwm2m_ctx *ctx)
 				return ret;
 			}
 		}
+		if (IS_ENABLED(CONFIG_LWM2M_DTLS_CID)) {
+			/* Enable CID */
+			int cid = TLS_DTLS_CID_ENABLED;
+
+			ret = zsock_setsockopt(ctx->sock_fd, SOL_TLS, TLS_DTLS_CID, &cid,
+					       sizeof(cid));
+			if (ret) {
+				ret = -errno;
+				LOG_ERR("Failed to enable TLS_DTLS_CID: %d", ret);
+				/* Not fatal, continue. */
+			}
+		}
 
 		if (ctx->hostname_verify && (ctx->desthostname != NULL)) {
 			/** store character at len position */