net: lwm2m_client_utils: Fix supported protocols list for FOTA

FOTA object has list of supported protocols. We assumed that when CA chain is present in certain sec_tag, we can use HTTPS or CoAPS. This is OK. But AVSystem uses mutual DTLS authentication on CoAPS so the sec_tag we use, might not use CA chain at all. So when only PSK credentials are present, claim that we support CoAPS but not HTTPS. Signed-off-by: Seppo Takalo <[email protected]>
koffes · Apr 3, 2024 · 96da08b · 96da08b
1 parent 67f0270
commit 96da08b
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_firmware.c b/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_firmware.c
@@ -1010,12 +1010,12 @@ static void lwm2m_firmware_object_pull_protocol_init(int instance_id)
 #endif
 }
 
-static bool modem_has_credentials(int sec_tag)
+static bool modem_has_credentials(int sec_tag, enum modem_key_mgmt_cred_type cred_type)
 {
 	bool exist;
 	int ret;
 
-	ret = modem_key_mgmt_exists(sec_tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, &exist);
+	ret = modem_key_mgmt_exists(sec_tag, cred_type, &exist);
 	if (ret < 0) {
 		return false;
 	}
@@ -1032,12 +1032,22 @@ static void lwm2m_firware_pull_protocol_support_resource_init(int instance_id)
 		lwm2m_firmware_object_pull_protocol_init(instance_id);
 	}
 
-	if (modem_has_credentials(CONFIG_LWM2M_CLIENT_UTILS_DOWNLOADER_SEC_TAG)) {
-		/* Enable non-security &  Security protocols for download client */
-		supported_protocol_count = 4;
+	int tag = CONFIG_LWM2M_CLIENT_UTILS_DOWNLOADER_SEC_TAG;
+
+	/* Check which protocols from pull_protocol_support[] may work.
+	 * Order in that list is CoAP, HTTP, CoAPS, HTTPS.
+	 * So unsecure protocols are first, those should always work.
+	 */
+
+	if (modem_has_credentials(tag, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN)) {
+		/* CA chain means that HTTPS and CoAPS might work, support all */
+		supported_protocol_count = ARRAY_SIZE(pull_protocol_support);
+	} else if (modem_has_credentials(tag, MODEM_KEY_MGMT_CRED_TYPE_PSK)) {
+		/* PSK might work on CoAPS, not HTTPS. Drop it from the list */
+		supported_protocol_count = ARRAY_SIZE(pull_protocol_support) - 1;
 	} else {
-		/* Enable non-security protocols for download client */
-		supported_protocol_count = 2;
+		/* Drop both secure protocols from list as we don't have credentials */
+		supported_protocol_count = ARRAY_SIZE(pull_protocol_support) - 2;
 	}
 
 	for (int i = 0; i < supported_protocol_count; i++) {