Networking sockets
The Modem library offers an implementation of a subset of the POSIX networking sockets API.
This API allows you to reuse existing programming experience and port existing simple networking applications to the nRF9160.
The implementation is namespaced (nrf_
) to avoid conflicts with functions that might be part of libc or other POSIX compatibility libraries.
Following is a list of supported functions:
The library supports up to eight networking sockets.
Socket options
The following table shows all socket options supported by the Modem library.
Option level |
Option |
Type |
Operations |
Description |
---|---|---|---|---|
NRF_SOL_SOCKET |
NRF_SO_ERROR |
|
get |
Requests and clears pending error information on the socket. |
NRF_SOL_SOCKET |
NRF_SO_REUSEADDR |
|
set |
Non-zero requests reuse of local addresses in |
NRF_SOL_SOCKET |
NRF_SO_RCVTIMEO |
|
get/set |
Timeout value for a socket receive operation. |
NRF_SOL_SOCKET |
NRF_SO_SNDTIMEO |
|
get/set |
Timeout value for a socket send operation. |
NRF_SOL_SOCKET |
NRF_SO_BINDTODEVICE |
|
set |
Bind this socket to a specific PDN like |
NRF_SOL_SOCKET |
NRF_SO_POLLCB |
|
set |
Set callbacks for poll() events on sockets. |
NRF_SOL_SOCKET |
NRF_SO_RAI_LAST |
|
set |
Enter Radio Resource Control (RRC) idle immediately after the next send operation. |
NRF_SOL_SOCKET |
NRF_SO_RAI_ONE_RESP |
|
set |
Wait for one incoming packet after the next send operation, before entering RRC idle mode. |
NRF_SOL_SOCKET |
NRF_SO_RAI_ONGOING |
|
set |
Keep RRC in connected mode after the next send operation (client). |
NRF_SOL_SOCKET |
NRF_SO_RAI_WAIT_MORE |
|
set |
Keep RRC in connected mode after the next send operation (server). |
NRF_SOL_SOCKET |
NRF_SO_RAI_NO_DATA |
|
set |
Immediately release the RRC. |
NRF_SOL_SECURE |
NRF_SO_SEC_TAG_LIST |
|
get/set |
Set/get the security tag associated with a socket. |
NRF_SOL_SECURE |
NRF_SO_SEC_HOSTNAME |
|
get/set |
Set/get the hostname to check against during TLS handshakes. |
NRF_SOL_SECURE |
NRF_SO_SEC_CIPHERSUITE_LIST |
|
get/set |
Set/get allowed cipher suite list. |
NRF_SOL_SECURE |
NRF_SO_SEC_PEER_VERIFY |
|
get/set |
Set/get Peer verification level. |
NRF_SOL_SECURE |
NRF_SO_SEC_ROLE |
|
get/set |
Set/get TLS role. |
NRF_SOL_SECURE |
NRF_SO_SEC_SESSION_CACHE |
|
get/set |
Non-zero enables TLS session cache. |
NRF_SOL_SECURE |
NRF_SO_SEC_SESSION_CACHE_PURGE |
|
set |
Delete TLS session cache. |
NRF_SOL_SECURE |
NRF_SO_SEC_DTLS_HANDSHAKE_TIMEO |
|
get/set |
Set/get DTLS handshake timeout. |
NRF_SOL_SECURE |
NRF_SO_SEC_HANDSHAKE_STATUS |
|
get |
Get latest TLS/DTLS completed handshake procedure end status. |
NRF_SOL_SECURE |
NRF_SO_SEC_DTLS_CID |
|
get/set |
Set DTLS Connection ID setting. |
NRF_SOL_SECURE |
NRF_SO_SEC_DTLS_CID_STATUS |
|
get |
Get status of DTLS Connection ID. |
NRF_SOL_SECURE |
NRF_SO_SEC_DTLS_CONN_SAVE |
|
set |
Save DTLS connection. |
NRF_SOL_SECURE |
NRF_SO_SEC_DTLS_CONN_LOAD |
|
set |
Load DTLS connection. |
NRF_SOL_SECURE |
NRF_SO_SEC_CIPHERSUITE_USED |
|
get |
Get TLS cipher suite used for the handshake. |
NRF_IPPROTO_ALL |
NRF_SO_SILENCE_ALL |
|
get/set |
Non-zero disables ICMP echo replies on both IPv4 and IPv6. |
NRF_IPPROTO_IP |
NRF_SO_IP_ECHO_REPLY |
|
get/set |
Non-zero enables ICMP echo replies on IPv4. |
NRF_IPPROTO_IPV6 |
NRF_SO_IPV6_ECHO_REPLY |
|
get/set |
Non-zero enables ICMP echo replies on IPv6. |
NRF_IPPROTO_TCP |
NRF_SO_TCP_SRV_SESSTIMEO |
|
get/set |
Non-zero enables TCP server session timeout after a configurable period of inactivity. |
The details for each socket are described as follows:
- NRF_SO_ERROR
When this option is specified,
nrf_getsockopt()
returns any pending errors on the socket and clears the error status. It returns a0
value if there is no pending error.NRF_SO_ERROR
might be used to check for asynchronous errors on connected connectionless-mode sockets or for other types of asynchronous errors.NRF_SO_ERROR
has no default value.- NRF_SO_REUSEADDR
Allow for the reuse of local addresses by using the
nrf_bind()
function. The default value forNRF_SO_REUSEADDR
isoff
, that is, reuse of local addresses is not permitted.- NRF_SO_RCVTIMEO
Set a timeout value for the
nrf_recv()
andnrf_recvfrom()
operations. This option accepts annrf_timeval
structure with a number of seconds and microseconds specifying the limit on how long to wait for an input operation to complete. If a receive operation has blocked for this much time without receiving additional data, it returns with a partial count, orerrno
is set toNRF_EAGAIN
orNRF_EWOULDBLOCK
if no data were received. The default for this option is the value0
, which indicates that a receive operation will not time out.
Note
The minimum supported resolution is 1 millisecond.
- NRF_SO_SNDTIMEO
Set a timeout value for the
nrf_connect()
,nrf_send()
, andnrf_sendto()
operations. The option accepts annrf_timeval
structure with a number of seconds and microseconds specifying the limit on how long to wait for an output operation to complete. The default for this option is the value0
, which indicates that these operations will not time out.
Note
The minimum supported resolution is 1 millisecond.
- NRF_SO_BINDTODEVICE
Bind this socket to a particular packet data network like,
pdn0
, as specified in the passed interface name. The passed option is a variable-length null-terminated interface name string with a maximum size ofNRF_IFNAMSIZ
. If a socket is bound to an interface, only packets received from that particular interface are processed by the socket.- NRF_SO_POLLCB
Set a callback for events occurring on this socket such as
NRF_POLLIN
andNRF_POLLOUT
. Thenrf_modem_pollcb.callback
function is invoked every time any of the events specified by thenrf_modem_pollcb.events
bitmask field occurs. In addition, theNRF_POLLHUP
andNRF_POLLERR
events will also trigger the callback, regardless of whether they are set in thenrf_modem_pollcb.events
bitmask field. The callback receives anrf_pollfd
structure, populated in the same way as it would be populated by thenrf_poll()
function. If thenrf_modem_pollcb.oneshot
field is set totrue
, the callback will be invoked only once, and it is automatically unset afterwards.
Important
The callback is invoked in an interrupt service routine.
- NRF_SO_RAI_LAST
This is a Release assistance indication (RAI) socket option. Enter RRC idle mode after the next output operation on this socket is complete.
- NRF_SO_RAI_ONE_RESP
This is a Release assistance indication (RAI) socket option. After the next output operation is complete, wait for one more packet to be received from the network on this socket before entering RRC idle mode.
- NRF_SO_RAI_ONGOING
This is a Release assistance indication (RAI) socket option. Keep RRC in connected mode after the next output operation on this socket (client side).
- NRF_SO_RAI_WAIT_MORE
This is a Release assistance indication (RAI) socket option. Keep RRC in connected mode after the next output operation on this socket (server side).
- NRF_SO_RAI_NO_DATA
This is a Release assistance indication (RAI) socket option. Immediately enter RRC idle mode for this socket. Does not require a following output operation.
- NRF_SO_SILENCE_ALL
Disable ICMP echo replies on both IPv4 and IPv6. The option value is an integer, a
1
value disables echo replies. Default value is0
(OFF).- NRF_SO_IP_ECHO_REPLY
Enable ICMP echo replies on IPv4. The option value is an integer, a
0
value disables echo replies on IPv4. Default value is1
(ON).- NRF_SO_IPV6_ECHO_REPLY
Enable ICMP echo replies on IPv6. The option value is an integer, a
0
value disables echo replies on IPv6. Default value is1
(ON).- NRF_SO_TCP_SRV_SESSTIMEO
Configure the TCP server session inactivity timeout for a socket. The timeout value is specified in seconds. Allowed values for this option range from
0
to135
, inclusive. The default value is0
(no timeout).
Note
This option must be set on the listening socket, but it can be overridden on the accepting socket afterwards.
- NRF_SO_SEC_TAG_LIST
Set an array of security tags to use for credentials when connecting. The option length is the size in bytes of the array of security tags. Passing
NULL
as an option value and0
as an option length removes all security tags associated with a socket. By default, no security tags are associated with a socket. The maximum number of security tags are given by theNRF_SOCKET_TLS_MAX_SEC_TAG_LIST_SIZE
macro innrf_socket.h
.- NRF_SO_SEC_HOSTNAME
Set the hostname used for peer verification. The option value is a null-terminated string containing the host name to verify against. The option length is the size in bytes of the hostname. Passing
NULL
as an option value and0
as an option length disables peer hostname verification. By default, peer hostname verification is disabled.- NRF_SO_SEC_CIPHERSUITE_LIST
Select which cipher suites are allowed to be used during the TLS handshake. The cipher suites are identified by their IANA assigned values. By default, all supported cipher suites are allowed. For a complete list, see the supported cipher_suites API documentation or refer to the release notes of the modem firmware. The release notes are distributed as part of the nRF9160 modem firmware zip file.
- NRF_SO_SEC_PEER_VERIFY
Set the peer verification level. The following values are accepted:
NRF_SO_SEC_PEER_VERIFY_NONE
- No peer verificationNRF_SO_SEC_PEER_VERIFY_OPTIONAL
- Optional peer verificationNRF_SO_SEC_PEER_VERIFY_REQUIRED
- Peer verification is required
By default, peer verification is required.
- NRF_SO_SEC_ROLE
Set the role for the connection. The following values are accepted:
NRF_SO_SEC_ROLE_CLIENT
- Client roleNRF_SO_SEC_ROLE_SERVER
- Server role
The default role is client. For TLS, the choice is implicit from the usage of
listen()
,accept()
andconnect()
.- NRF_SO_SEC_SESSION_CACHE
This option controls TLS session caching. The following values are accepted:
NRF_SO_SEC_SESSION_CACHE_DISABLED
- Disable TLS session cachingNRF_SO_SEC_SESSION_CACHE_ENABLED
- Enable TLS session caching
By default, TLS session caching is disabled.
- NRF_SO_SEC_SESSION_CACHE_PURGE
Delete TLS session cache. This option is write-only.
- NRF_SO_SEC_DTLS_HANDSHAKE_TIMEO
Set the DTLS handshake timeout. The socket option is supported from modem firmware version 1.3.x. The following values are accepted:
0 - No timeout
NRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_1S
- 1 secondNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_3S
- 3 secondsNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_7S
- 7 secondsNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_15S
- 15 secondsNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_31S
- 31 secondsNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_63S
- 63 secondsNRF_SO_SEC_DTLS_HANDSHAKE_TIMEOUT_123S
- 123 seconds
The default is no timeout.
- NRF_SO_SEC_HANDSHAKE_STATUS
Get the latest TLS/DTLS completed handshake procedure end status. This option is read-only. The socket option is supported from modem firmware v2.x.x. The following values are expected:
NRF_SO_SEC_HANDSHAKE_STATUS_FULL
- TLS/DTLS attach/negotiation procedure was made with a full handshake, and session cache data was not used or it was not accepted by the server.NRF_SO_SEC_HANDSHAKE_STATUS_CACHED
- The latest TLS/DTLS attach negotiation was completed successfully with cached session data.
The default is a full handshake.
- NRF_SO_SEC_DTLS_CID
Set DTLS Connection ID setting. The socket option is supported from modem firmware v1.3.x, where x is greater than or equal to 5, and v2.x.x. The following values are accepted:
NRF_SO_SEC_DTLS_CID_DISABLED
- The DTLS connection ID is not used, and the connection ID extension is not included in the client hello.NRF_SO_SEC_DTLS_CID_SUPPORTED
- The DTLS connection ID is supported but not used, and the connection ID extension with a zero-length CID is included in the client hello.NRF_SO_SEC_DTLS_CID_ENABLED
- The DTLS connection ID is used, and the connection ID extension with a valid CID is included in the client hello.
The default is disabled.
- NRF_SO_SEC_DTLS_CID_STATUS
Get the status of DTLS connection ID. This option is read-only. The socket option is supported from modem firmware v1.3.x, where x is greater than or equal to 5, and v2.x.x. The following values are expected:
NRF_SO_SEC_DTLS_CID_STATUS_DISABLED
- The DTLS connection ID is not included in DTLS records sent to and from the modem. This status is returned before the DTLS handshake is complete.NRF_SO_SEC_DTLS_CID_STATUS_DOWNLINK
- The DTLS connection ID is included only in DTLS records sent to the modem.NRF_SO_SEC_DTLS_CID_STATUS_UPLINK
- The DTLS connection ID is included only in DTLS records sent from the modem.NRF_SO_SEC_DTLS_CID_STATUS_BIDIRECTIONAL
- The DTLS connection ID is included in DTLS records sent to and from the modem.
- NRF_SO_SEC_DTLS_CONN_SAVE
Save DTLS connection. This option is write-only. This option require a DTLS v1.2 connection with renegotiation disabled. The socket option is supported from modem firmware v1.3.x, where x is greater than or equal to 5, and v2.x.x.
Once the DTLS context is saved, the socket can’t be used before the DTLS context is loaded with
NRF_SO_SEC_DTLS_CONN_LOAD
.This option will fail with nrf_errno
NRF_EAGAIN
if an error happened during serialization of the SSL context. This can occur, for instance, when the modem cannot allocate enough memory or if the socket is busy sending or receiving data. In this case, the SSL context is still present in the socket, so data sending is still possible. The option will fail with nrf_errnoNRF_EINVAL
if the socket option is not supported with the current configuration, for instance because the DTLS handshake is not completed, the connection is not an DTLS v1.2 connection with renegotiation disabled, or the connection does not use an AEAD cipher suite (AES-CCM or AES-GCM). The option will fail with nrf_errnoNRF_ENOMEM
if the amount of saved connections exceeds four.- NRF_SO_SEC_DTLS_CONN_LOAD
Load DTLS connection. This option is write-only. The socket option is supported from modem firmware v1.3.x, where x is greater than or equal to 5, and v2.x.x.
- NRF_SO_SEC_CIPHERSUITE_USED
Get chosen TLS cipher suite. This option is read-only. The socket option is supported from modem firmware v1.3.x, where x is greater than or equal to 5, and v2.x.x.
Packet data networks
The Modem library supports selecting which Packet Data Network (PDN) to use on a network socket and for DNS queries. The configuration of Packet Data Protocol (PDP) contexts, and the activation of PDN connections are not handled by the Modem library. To configure PDP contexts and activate PDN connections, the application must use the nRF9160 modem packet domain AT commands.
When performing network operations on any PDN, the application ensures that the PDN connection is available. For more information about how to configure PDP contexts, activate PDN connections, and determine their state, see the nRF9160 modem Packet Domain AT commands documentation.
Configuring a socket to use a PDN
The application can select which PDN to use on a specific socket by using the nrf_setsockopt()
function, with the NRF_SO_BINDTODEVICE
option and specifying the PDN ID as a string, prefixed by pdn
.
For example, to select the PDN with ID 1, the application must pass pdn1
as the option value.
The following code shows how to create an IPv4 TCP stream socket and configure it to use the PDN with ID 1:
fd = nrf_socket(NRF_AF_INET, NRF_SOCK_STREAM, NRF_IPPROTO_TCP);
nrf_setsockopt(fd, NRF_SOL_SOCKET, NRF_SO_BINDTODEVICE, "pdn1", strlen("pdn1"));
Routing a DNS query on a PDN
The application can route a DNS query using the nrf_getaddrinfo()
function to a specific PDN.
This can be done by setting the NRF_AI_PDNSERV
flag in the ai_flags
field of the nrf_addrinfo
input structure, and specifying the PDN ID as a string prefixed by pdn
, in the service
argument to the nrf_getaddrinfo()
function call.
The following code shows how to route a DNS query to the PDN with ID 1:
struct nrf_addrinfo hints = {
.ai_flags = NRF_AI_PDNSERV, /* flag to specify PDN ID */
}
nrf_getaddrinfo("example.com", "pdn1", &hints, &result);
Handling PDN errors on sockets
During operation, an active PDN connection may be deactivated due to loss of connectivity or other reasons.
When a socket operation is attempted on a socket that no longer has an active PDN connection, the operation will return -1
and set errno
to NRF_ENETDOWN
.
If the socket is being polled, the nrf_poll()
function will set the POLLERR
flag and set the socket error to NRF_ENETDOWN
.
The socket error can be retrieved using the NRF_SO_ERROR
socket option.
When the NRF_ENETDOWN
error is detected, the socket is no longer usable and must be closed by the application.
The application is responsible for detecting when the PDN connection is activated again, before re-creating the socket and attempting the failed operation again.
The nRF9160 modem Packet Domain AT commands can be used to manage packet data networks. Alternatively, the PDN library in nRF Connect SDK can be used to receive events on PDN connectivity and manage packet data networks.
TLS/DTLS configuration
The IP stack in the nRF9160 modem firmware has TLS and DTLS support.
Supported cipher suites
See the nRF9160 modem TLS cipher suites summary page for a full list of TLS/DTLS cipher suites supported by the modem.
Each cipher suite is recognized by an official identification number, which is registered at IANA.
You can narrow down the set of cipher suites that is used for a specific TLS/DTLS connection with nrf_setsockopt()
.
For example, see the following code:
/* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
nrf_sec_cipher_t cipher_list[] = { 0xC014 };
err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_CIPHERSUITE_LIST, cipher_list, sizeof(cipher_list));
if (err) {
/* Failed to set up cipher suite list. */
return -1;
}
Note that as in the case of other TLS/DTLS socket options, you must do this configuration before connecting to the server.