Commit 31eb1e8d authored by Greg Zaverucha, committed by Nathan Heldt-Sheller

[IOT-2016][IOT-1623] UUID check and use MBEDTLS_MD_MAX_SIZE

Use MBEDTLS_MD_MAX_SIZE for buffer lengths in pHash.
Don't allow wildcard UUID in CSRs

Change-Id: Ifad48945250087d8dc92fb346cfc986f68888352
Signed-off-by: Greg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/18829
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
parent d3f72431
......@@ -2359,10 +2359,11 @@ static int pHash (const unsigned char *key, size_t keyLen,
const unsigned char *random2, size_t random2Len,
unsigned char *buf, size_t bufLen)
{
unsigned char A[RANDOM_LEN] = {0};
unsigned char tmp[RANDOM_LEN] = {0};
unsigned char A[MBEDTLS_MD_MAX_SIZE] = {0};
unsigned char tmp[MBEDTLS_MD_MAX_SIZE] = {0};
size_t dLen; /* digest length */
size_t len = 0; /* result length */
const mbedtls_md_type_t hashAlg = MBEDTLS_MD_SHA256;
VERIFY_TRUE_RET(bufLen <= INT_MAX, NET_SSL_TAG, "buffer too large", -1);
VERIFY_NON_NULL_RET(key, NET_SSL_TAG, "key is NULL", -1);
......@@ -2377,8 +2378,8 @@ static int pHash (const unsigned char *key, size_t keyLen,
mbedtls_md_init(&hmacA);
mbedtls_md_init(&hmacP);
CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(hashAlg), 1);
CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(hashAlg), 1);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacA, key, keyLen );
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, label, labelLen);
......@@ -2386,7 +2387,7 @@ static int pHash (const unsigned char *key, size_t keyLen,
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, random2, random2Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
dLen = RANDOM_LEN;
dLen = mbedtls_md_get_size(mbedtls_md_info_from_type(hashAlg));
CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
......@@ -2398,10 +2399,9 @@ static int pHash (const unsigned char *key, size_t keyLen,
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
len += RANDOM_LEN;
len += dLen;
memcpy(buf, tmp, dLen);
buf += dLen;
......@@ -2412,16 +2412,18 @@ static int pHash (const unsigned char *key, size_t keyLen,
CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
}
CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
if ((bufLen % dLen) != 0)
{
CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
memcpy(buf, tmp, bufLen - len);
memcpy(buf, tmp, bufLen - len);
}
mbedtls_md_free(&hmacA);
mbedtls_md_free(&hmacP);
......
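Review bot: The tail guard `if ((bufLen % dLen) != 0)` in the last pHash hunk is only correct if the block loop above it has already copied every full digest block, including the final one when bufLen is an exact multiple of dLen; that loop's condition lies outside the visible hunks, so it cannot be confirmed from this page. As rendered, the new side appears to wrap the final HMAC round and `memcpy(buf, tmp, bufLen - len)` in that guard. Testing the remaining length directly, `if (len < bufLen)`, is right for either loop condition, so the end of the derived output can never be left unwritten, and it avoids a modulo by a digest size that comes from a library lookup. Separately, `A` and `tmp` hold PRF intermediate values and no wipe of them is visible before `mbedtls_md_free`; consider clearing both on every exit path of pHash, whose body continues outside the hunks.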
......@@ -36,6 +36,7 @@
#include "payload_logging.h"
#include "pmutility.h"
#include "srmutility.h"
#include "srmresourcestrings.h"
// headers required for mbed TLS
#include "mbedtls/config.h"
......@@ -739,6 +740,13 @@ OCStackResult OCGetUuidFromCSR(const char* csr, OicUuid_t* uuid)
return OC_STACK_ERROR;
}
if (memcmp(uuid->id, &WILDCARD_SUBJECT_ID, sizeof(uuid->id)) == 0)
{
OIC_LOG(ERROR, TAG, "Invalid UUID in CSR: '*'");
mbedtls_x509_csr_free(&csrObj);
return OC_STACK_ERROR;
}
mbedtls_x509_csr_free(&csrObj);
return OC_STACK_OK;
}
......
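Review bot: The wildcard comparison passes `&WILDCARD_SUBJECT_ID` to memcmp while sizing the compare with `sizeof(uuid->id)`, which is correct only if the `id` array is the first member of that object; naming the member, `memcmp(uuid->id, WILDCARD_SUBJECT_ID.id, sizeof(uuid->id))`, states the intent and survives a layout change (this assumes WILDCARD_SUBJECT_ID is an OicUuid_t, whose declaration is not on this page). On the rejection path `*uuid` still holds the wildcard value that was just refused, so a caller that ignores the return code would carry it forward; zeroing it before returning, `memset(uuid->id, 0, sizeof(uuid->id));`, makes the failure unambiguous. The start of OCGetUuidFromCSR is outside the hunk.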