
Support ConnectionID Extension DTLS Negotiation

Open rizlik opened this issue 3 years ago • 0 comments

Description

This PR adds initial partial support for ConnectionID as described by RFC9146 and RFC9147. TL;DR: a pair of "labels" (the ConnectionIDs) is negotiated in the handshake and the labels are attached to each record. Each peer negotiates the ConnectionID for the records it will receive (the RX path). In the future, ConnectionIDs may be used to decouple the (src,dst,srcport,dstport) 4-tuple from the connection and to allow connections that survive IP address changes (so it will support long-lasting connections behind a NAT).

Caveats of this PR:

  • It adds support for DTLSv1.3 only
  • It doesn't support RequestConnectionID/NewConnectionID messages
  • No easy way to use the ConnectionIDs

Testing

I added some tests to be sure the extension doesn't break connectivity. I added a very basic test to check if the ConnectionID is negotiated correctly (scripts/dtlscid.test). I manually verified with Wireshark that the ConnectionID is inserted in the record headers. An automatic test will be provided in the future.

Checklist

  • [X] added tests
  • [X] updated/added doxygen

rizlik, Aug 10 '22 15:08
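The record-header part of what the description negotiates, as an added example that is not part of this PR or of wolfSSL: a parser for the DTLS 1.3 unified header with the CID field (RFC 9147, Section 4) that drops any record whose CID is not the one this endpoint chose for its own RX path, before any decryption is attempted. The type and function names and the sample bytes are assumptions constructed for the example.

```c
/* Added example, not wolfSSL code: parse the DTLS 1.3 unified record header
 * (RFC 9147, Section 4) and check the ConnectionID against the one this
 * endpoint negotiated for its own RX path. All sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct dtls13_hdr {
    int cid_present, seq16, len_present;   /* the C, S and L header bits */
    uint8_t epoch_bits; uint16_t seq, len; /* EE bits, seq. number, length if L set */
    size_t hdr_len;                        /* bytes consumed; ciphertext starts here */
};

/* rx_cid is the CID this endpoint advertised, so the receiver always knows the
 * expected length. Returns 0 on success, -1 if malformed, -2 on CID mismatch. */
int dtls13_parse_unified_header(const uint8_t *rec, size_t rec_len,
                                const uint8_t *rx_cid, size_t rx_cid_len,
                                struct dtls13_hdr *out)
{
    size_t pos = 1;
    if (rec_len < 1 || (rec[0] & 0xE0) != 0x20) return -1; /* 0 0 1 C S L E E */
    memset(out, 0, sizeof(*out));
    out->cid_present = (rec[0] >> 4) & 1;
    out->seq16       = (rec[0] >> 3) & 1;
    out->len_present = (rec[0] >> 2) & 1;
    out->epoch_bits  =  rec[0] & 0x03;
    if (out->cid_present) {
        /* C bit with no negotiated CID, a truncated CID, or a foreign CID: drop
         * the record before any decryption work is spent on it. */
        if (rx_cid_len == 0 || rec_len < pos + rx_cid_len) return -1;
        if (memcmp(rec + pos, rx_cid, rx_cid_len) != 0) return -2;
        pos += rx_cid_len;
    }
    if (rec_len < pos + (out->seq16 ? 2u : 1u)) return -1;
    out->seq = out->seq16 ? (uint16_t)(rec[pos] << 8 | rec[pos + 1]) : rec[pos];
    pos += out->seq16 ? 2 : 1;
    if (out->len_present) {
        if (rec_len < pos + 2) return -1;
        out->len = (uint16_t)(rec[pos] << 8 | rec[pos + 1]);
        pos += 2;
        if (out->len > rec_len - pos) return -1; /* length field exceeds datagram */
    }
    out->hdr_len = pos;
    return 0;
}
/* Constructed sample: C=1 S=1 L=1 epoch=2, 4-byte CID, seq 0x0102, length 4. */
const uint8_t kRxCid[4] = {0xAA, 0xBB, 0xCC, 0xDD};
const uint8_t kOtherCid[4] = {0xAA, 0xBB, 0xCC, 0xDE};
const uint8_t kSampleRecord[] = {0x3E, 0xAA, 0xBB, 0xCC, 0xDD, 0x01, 0x02,
                                 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF};
```

Because each side only ever checks the CID it chose itself, a mismatch is a cheap reject (return -2) and never needs key material; the length checks keep a short datagram from reading past its end.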

Thanks for the feedback. I addressed the comments and rebased.

rizlik, Aug 22 '22 12:08