Anjay 3.11.0

BREAKING CHANGES:
- Default value of maximal holdoff time during Bootstrap limited from 120 sec.
  to 20 sec. The limit can still be changed using ANJAY_MAX_HOLDOFF_TIME define.
- If the Server certificate is missing from the Data Model, Anjay falls back to
  PKIX verification, provided that a Trust Store is available, even when the
  certificate usage is set to DANE-TA or DANE-EE.
- avs_commons 5.5.0 that is used by Anjay 3.11.0 stoped passing the trust store
  to Mbed TLS backend for Certificate Usage 2 or 3. For details on how Anjay
  handles Certificate Usage resource refer to
  Anjay Specification -> Advanced Topics -> Certificate Usage.

Bugfixes:
- Updated avs_commons to a version without a PSK-mode vulnerability in the Mbed
  TLS backend where a client configured for PSK could connect to a server that
  did not know the PSK, due to advertising non-PSK key exchange and skipping
  certificate verification. This issue affected only TLS 1.3 connections with
  Mbed TLS versions ≥ 3.6.1.
  For details, see: https://github.com/AVSystem/avs_commons/releases/tag/5.5.0

Features:
- (commercial version only) Added support for configuring OSCORE Object for each
  Security Object in Anjay Demo.

Author: ferre111

.github/workflows/anjay-tests.yml

@@ -10,7 +10,7 @@ on: [push]
 jobs:
   ubuntu2004-compilers-test:
     runs-on: ubuntu-latest
-    container: avsystemembedded/anjay-travis:ubuntu-20.04-2.1
+    container: avsystemembedded/anjay-travis:ubuntu-20.04-2.2
     env:
       CC: ${{ matrix.CC }}
       CXX: ${{ matrix.CXX }}
@@ -41,7 +41,7 @@ jobs:
 
   ubuntu2204-compilers-test:
     runs-on: ubuntu-latest
-    container: avsystemembedded/anjay-travis:ubuntu-22.04-2.1
+    container: avsystemembedded/anjay-travis:ubuntu-22.04-2.2
     env:
       CC: ${{ matrix.CC }}
       CXX: ${{ matrix.CXX }}
@@ -83,7 +83,7 @@ jobs:
 
   rockylinux9-compilers-test:
     runs-on: ubuntu-latest
-    container: avsystemembedded/anjay-travis:rockylinux-9-2.1
+    container: avsystemembedded/anjay-travis:rockylinux-9-2.2
     env:
       CC: ${{ matrix.CC }}
       CXX: ${{ matrix.CXX }}
@@ -128,7 +128,16 @@ jobs:
       # NOTE: Some tests don't pass on mbedTLS 3.6.2 now, so we need to install an older version
       #       Homebrew only specifiers major version of mbedTLS, so let's pin the version to 3.6.0 manually
       - run: curl -f https://raw.githubusercontent.com/Homebrew/homebrew-core/219dabf6cab172fb8b62b4d8598e016e190c3c20/Formula/m/mbedtls.rb > /tmp/mbedtls.rb
-      - run: brew install --formula /tmp/mbedtls.rb
+      # HACK: New version of homebrew requires us to install a formulae from a tap, create a tap for our mbedTLS.
+      # The change in homebrew is intentional and won't be fixed, for more details see: https://github.com/orgs/Homebrew/discussions/6351
+      - run: brew tap-new embedded/mbedtls
+      - run: |
+          TAP_DIR="$(brew --repo embedded/mbedtls)"
+          mkdir -p "${TAP_DIR}/Formula"
+          cp /tmp/mbedtls.rb "${TAP_DIR}/Formula/mbedtls.rb"
+          git -C "${TAP_DIR}" add Formula/mbedtls.rb
+          git -C "${TAP_DIR}" -c user.name="CI" -c user.email="[email protected]" commit -m "Add custom mbedtls formula"
+      - run: brew install embedded/mbedtls/mbedtls
       - run: brew pin mbedtls
       # NOTE: The above command may have installed a new version of Python, that's why we launch it weirdly
       - run: /usr/bin/env python3 -m pip install -r requirements.txt --break-system-packages
@@ -139,14 +148,15 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - CC: /opt/homebrew/opt/gcc/bin/gcc-14
-            CXX: /opt/homebrew/opt/gcc/bin/g++-14
+          - CC: /opt/homebrew/opt/gcc@14/bin/gcc-14
+            CXX: /opt/homebrew/opt/gcc@14/bin/g++-14
             COMPILER_VERSION: gcc@14
             MEM_CHECK_TOOL: --without-memcheck
-          - CC: /opt/homebrew/opt/llvm/bin/clang
-            CXX: /opt/homebrew/opt/llvm/bin/clang++
-            COMPILER_VERSION: llvm
-            MEM_CHECK_TOOL: --with-asan
+            # NOTE: llvm is temporarily disabled due to problem with header search paths
+            # - CC: /opt/homebrew/opt/llvm@20/bin/clang
+            #   CXX: /opt/homebrew/opt/llvm@20/bin/clang++
+            #   COMPILER_VERSION: llvm@20
+            #   MEM_CHECK_TOOL: --with-asan
           - CC: cc
             CXX: c++
             MEM_CHECK_TOOL: --with-asan

.github/workflows/coverity.yml

@@ -12,7 +12,7 @@ on:
 jobs:
   coverity:
     runs-on: ubuntu-latest
-    container: avsystemembedded/anjay-travis:ubuntu-22.04-1.1
+    container: avsystemembedded/anjay-travis:ubuntu-22.04-2.2
     env:
       # NOTE: These need to be configured in GitHub Actions GUI
       COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}

CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 3.11.0 (September 26th, 2025)
+
+### BREAKING CHANGES
+
+- Default value of maximal holdoff time during Bootstrap limited from 120 sec.
+  to 20 sec. The limit can still be changed using ANJAY_MAX_HOLDOFF_TIME define.
+- If the Server certificate is missing from the Data Model, Anjay falls back to
+  PKIX verification, provided that a Trust Store is available, even when the
+  certificate usage is set to DANE-TA or DANE-EE.
+- avs_commons 5.5.0 that is used by Anjay 3.11.0 stoped passing the trust store
+  to Mbed TLS backend for Certificate Usage 2 or 3. For details on how Anjay
+  handles Certificate Usage resource refer to
+  Anjay Specification -> Advanced Topics -> Certificate Usage.
+
+### Bugfixes
+
+- Updated avs_commons to a version without a PSK-mode vulnerability in the Mbed
+  TLS backend where a client configured for PSK could connect to a server that
+  did not know the PSK, due to advertising non-PSK key exchange and skipping
+  certificate verification. This issue affected only TLS 1.3 connections with
+  Mbed TLS versions ≥ 3.6.1.
+  For details, see: https://github.com/AVSystem/avs_commons/releases/tag/5.5.0
+
+### Features
+- (commercial version only) Added support for configuring OSCORE Object for each
+  Security Object in Anjay Demo.
+
 ## 3.10.0 (May 28th, 2025)
 
 ### Features

CMakeLists.txt

@@ -8,7 +8,7 @@
 cmake_minimum_required(VERSION 3.16)
 
 project(anjay C)
-set(ANJAY_VERSION "3.10.0" CACHE STRING "Anjay library version")
+set(ANJAY_VERSION "3.11.0" CACHE STRING "Anjay library version")
 set(ANJAY_BINARY_VERSION 1.0.0)
 
 set(ANJAY_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
@@ -94,6 +94,9 @@ set(MAX_OBSERVATION_SERVERS_REPORTED_NUMBER 0 CACHE STRING
 set(ANJAY_DEFAULT_SEND_FORMAT AVS_COAP_FORMAT_NONE CACHE STRING
     "Default value of Content-Format used in Send messages. Value AVS_COAP_FORMAT_NONE(65535) means no default value.")
 
+set(MAX_HOLDOFF_TIME 20 CACHE STRING
+    "Upper limit for the Hold Off Time for the Bootstrap connection.")
+
 ################# FEATURES THAT REQUIRE LIBRARY CONFIGURATION ##################
 
 option(WITH_AVS_PERSISTENCE "Enable support for persisting objects data" ON)

README.md

@@ -151,14 +151,17 @@ More details about OMA LwM2M: [Brief introduction to LwM2M](https://AVSystem.git
 
 ## Embedded operating systems ports
 
-If you want to use Anjay on Zephyr OS, FreeRTOS, Azure RTOS, ESP-IDF or RPI Pico W check our demo
+If you want to use Anjay on Zephyr OS, FreeRTOS, Azure RTOS, or RPI Pico W check our demo
 applications available in other repositories:
 - [Anjay-zephyr-client](https://github.com/AVSystem/Anjay-zephyr-client) (uses [Anjay-zephyr](https://github.com/AVSystem/Anjay-zephyr) integration layer)
 - [Anjay-freertos-client](https://github.com/AVSystem/Anjay-freertos-client)
-- [Anjay-stm32-azurertos-client](https://github.com/AVSystem/Anjay-stm32-azurertos-client)
-- [Anjay-esp32-client](https://github.com/AVSystem/Anjay-esp32-client) (uses [Anjay-esp-idf](https://github.com/AVSystem/Anjay-esp-idf) integration layer)
 - [Anjay-pico-client](https://github.com/AVSystem/Anjay-pico-client) (uses FreeRTOS Kernel)
 
+There are also archived, not actively maintained Anjay demos and integrations:
+- [Anjay-esp32-client](https://github.com/AVSystem/Anjay-esp32-client) (uses [Anjay-esp-idf](https://github.com/AVSystem/Anjay-esp-idf) integration layer)
+- [Anjay-mbedos-client](https://github.com/AVSystem/Anjay-mbedos-client) (uses [Anjay-mbedos](https://github.com/AVSystem/Anjay-mbedos) integration layer)
+- [Anjay-stm32-azurertos-client](https://github.com/AVSystem/Anjay-stm32-azurertos-client)
+
 ## Quickstart guide
 
 ### Dependencies

demo/demo.c

@@ -79,6 +79,10 @@
 #    define MAX_PATH_STRING_SIZE MAX_PATH_STRING_SIZE_WO_PREFIX
 #endif // ANJAY_WITH_LWM2M_GATEWAY
 
+#ifdef AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
+#    define SSLKEYLOGFILE "/tmp/sslkey.log"
+#endif // AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
+
 static int security_object_reload(anjay_demo_t *demo) {
 #ifdef WITH_DEMO_USE_STANDALONE_OBJECTS
     standalone_security_object_purge(demo->security_obj_ptr);
@@ -154,6 +158,8 @@ static int security_object_reload(anjay_demo_t *demo) {
         instance.server_public_key_size = args->server_public_key_size;
 #ifdef ANJAY_WITH_LWM2M11
         instance.server_name_indication = server->sni;
+        instance.certificate_usage =
+                (const uint8_t *) &server->certificate_usage;
 #endif // ANJAY_WITH_LWM2M11
 
         anjay_iid_t iid = server->security_iid;
@@ -1060,7 +1066,11 @@ int main(int argc, char *argv[]) {
         close(fd);
     }
 #endif // WIN32
-
+#ifdef AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
+    avs_stream_t *ssl_key_log_file =
+            avs_stream_file_create(SSLKEYLOGFILE, AVS_STREAM_FILE_WRITE);
+    avs_mbedtls_set_sslkeylog_stream(ssl_key_log_file);
+#endif // AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
     /*
      * If, as a result of a single poll() more than a single line is read into
      * stdin buffer, we will end up handling just a single command and then
@@ -1156,5 +1166,8 @@ int main(int argc, char *argv[]) {
     demo_delete(demo);
     cmdline_args_cleanup(&cmdline_args);
     avs_log_reset();
+#ifdef AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
+    avs_stream_cleanup(&ssl_key_log_file);
+#endif // AVS_COMMONS_NET_WITH_MBEDTLS_SSLKEYLOG
     return 0;
 }

demo/demo_args.c

@@ -43,6 +43,7 @@ static const cmdline_args_t DEFAULT_CMDLINE_ARGS = {
             .retry_timer = 0,
             .sequence_retry_count = 1,
             .sequence_delay_timer = 0,
+            .certificate_usage = AVS_NET_SOCKET_DANE_DOMAIN_ISSUED_CERTIFICATE,
 #endif // ANJAY_WITH_LWM2M11
         },
 #ifdef ANJAY_WITH_BOOTSTRAP
@@ -606,8 +607,12 @@ static void print_help(const struct option *options) {
 #ifdef ANJAY_WITH_DOWNLOADER
         { 349, "RETRY COUNT", NULL, "Number of CoAP downloader retry" },
         { 350, "RETRY DELAY", NULL,
-          "Delay (in seconds) between CoAP downloader retry" }
+          "Delay (in seconds) between CoAP downloader retry" },
 #endif // ANJAY_WITH_DOWNLOADER
+#ifdef ANJAY_WITH_LWM2M11
+        { 351, "CERTIFICATE USAGE", "3",
+          "Certificate usage to set for the last configured server" },
+#endif // ANJAY_WITH_LWM2M11
     };
 
     const size_t screen_width = get_screen_width();
@@ -1016,6 +1021,9 @@ int demo_parse_argv(cmdline_args_t *parsed_args, int argc, char *argv[]) {
         {"coap-downloader-retry-count", required_argument, 0, 349},
         {"coap-downloader-retry-delay", required_argument, 0, 350},
 #endif // ANJAY_WITH_DOWNLOADER
+#ifdef ANJAY_WITH_LWM2M11
+        {"certificate-usage", required_argument, 0, 351},
+#endif // ANJAY_WITH_LWM2M11
         { 0, 0, 0, 0 }
         // clang-format on
     };
@@ -2052,6 +2060,21 @@ int demo_parse_argv(cmdline_args_t *parsed_args, int argc, char *argv[]) {
             break;
         }
 #endif // ANJAY_WITH_DOWNLOADER
+#ifdef ANJAY_WITH_LWM2M11
+        case 351: {
+            if (num_servers == 0) {
+                demo_log(ERROR, "Undefined server. Use --server-uri/-u first");
+                goto finish;
+            }
+            int idx = num_servers - 1;
+            if (parse_u16(optarg,
+                          &parsed_args->connection_args.servers[idx]
+                                   .certificate_usage)) {
+                goto finish;
+            }
+            break;
+        }
+#endif // ANJAY_WITH_LWM2M11
         case 0:
             goto process;
         }

demo/objects.h

@@ -68,6 +68,7 @@ typedef struct {
     uint32_t retry_timer;
     uint32_t sequence_retry_count;
     uint32_t sequence_delay_timer;
+    uint16_t certificate_usage;
 #endif // ANJAY_WITH_LWM2M11
 } server_entry_t;
 

deps/avs_commons

@@ -98,6 +98,7 @@ while [ $# -gt 0 ]; do
             EXTRA_FLAGS[${#EXTRA_FLAGS[@]}]="-DMAX_DOUBLE_STRING_SIZE=64"
             EXTRA_FLAGS[${#EXTRA_FLAGS[@]}]="-DMAX_URI_SEGMENT_SIZE=64"
             EXTRA_FLAGS[${#EXTRA_FLAGS[@]}]="-DMAX_URI_QUERY_SEGMENT_SIZE=64"
+            EXTRA_FLAGS[${#EXTRA_FLAGS[@]}]="-DMAX_HOLDOFF_TIME=20"
             ;;
         -DDTLS_BACKEND=*)
             DTLS_BACKEND="${1#-DDTLS_BACKEND=}"