[IOT-2016][IOT-1623] UUID check and use MBEDTLS_MD_MAX_SIZE

Use MBEDTLS_MD_MAX_SIZE for buffer lengths in pHash. Don't allow wildcard UUID in CSRs Change-Id: Ifad48945250087d8dc92fb346cfc986f68888352 Signed-off-by: Greg Zaverucha <gregz@microsoft.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/18829Reviewed-by: Kevin Kane <kkane@microsoft.com> Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>

[IOT-2016][IOT-1623] UUID check and use MBEDTLS_MD_MAX_SIZE
Use MBEDTLS_MD_MAX_SIZE for buffer lengths in pHash. Don't allow wildcard UUID in CSRs Change-Id: Ifad48945250087d8dc92fb346cfc986f68888352 Signed-off-by: Greg Zaverucha <gregz@microsoft.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/18829Reviewed-by: Kevin Kane <kkane@microsoft.com> Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
31eb1e8d · Greg Zaverucha · Nathan Heldt-Sheller · d3f72431 · 31eb1e8d · 31eb1e8d
Commit 31eb1e8d authored Apr 10, 2017 by Greg Zaverucha Committed by Nathan Heldt-Sheller Apr 14, 2017
2 changed files
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
@@ -2359,10 +2359,11 @@ static int pHash (const unsigned char *key, size_t keyLen,
     const unsigned char *random2, size_t random2Len,
     unsigned char *buf, size_t bufLen)
 {
-    unsigned char A[RANDOM_LEN] = {0};
-    unsigned char tmp[RANDOM_LEN] = {0};
+    unsigned char A[MBEDTLS_MD_MAX_SIZE] = {0};
+    unsigned char tmp[MBEDTLS_MD_MAX_SIZE] = {0};
    size_t dLen;   /* digest length */
    size_t len = 0;   /* result length */
+    const mbedtls_md_type_t hashAlg = MBEDTLS_MD_SHA256;

    VERIFY_TRUE_RET(bufLen <= INT_MAX, NET_SSL_TAG, "buffer too large", -1);
    VERIFY_NON_NULL_RET(key, NET_SSL_TAG, "key is NULL", -1);
@@ -2377,8 +2378,8 @@ static int pHash (const unsigned char *key, size_t keyLen,
    mbedtls_md_init(&hmacA);
    mbedtls_md_init(&hmacP);

-    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
-    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
+    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(hashAlg), 1);
+    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(hashAlg), 1);

    CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacA, key, keyLen );
    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, label, labelLen);
@@ -2386,7 +2387,7 @@ static int pHash (const unsigned char *key, size_t keyLen,
    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, random2, random2Len);
    CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);

-    dLen = RANDOM_LEN;
+    dLen = mbedtls_md_get_size(mbedtls_md_info_from_type(hashAlg));

    CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);

@@ -2398,10 +2399,9 @@ static int pHash (const unsigned char *key, size_t keyLen,
        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
-
        CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);

-        len += RANDOM_LEN;
+        len += dLen;

        memcpy(buf, tmp, dLen);
        buf += dLen;
@@ -2412,16 +2412,18 @@ static int pHash (const unsigned char *key, size_t keyLen,
        CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
    }

-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
-
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
+    if ((bufLen % dLen) != 0)
+    {
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);

-    memcpy(buf, tmp, bufLen - len);
+        memcpy(buf, tmp, bufLen - len);
+    }

    mbedtls_md_free(&hmacA);
    mbedtls_md_free(&hmacP);

--- a/resource/csdk/security/src/occertutility.c
+++ b/resource/csdk/security/src/occertutility.c
@@ -36,6 +36,7 @@
 #include "payload_logging.h"
 #include "pmutility.h"
 #include "srmutility.h"
+#include "srmresourcestrings.h"

 // headers required for mbed TLS
 #include "mbedtls/config.h"
@@ -739,6 +740,13 @@ OCStackResult OCGetUuidFromCSR(const char* csr, OicUuid_t* uuid)
        return OC_STACK_ERROR;
    }

+    if (memcmp(uuid->id, &WILDCARD_SUBJECT_ID, sizeof(uuid->id)) == 0)
+    {
+        OIC_LOG(ERROR, TAG, "Invalid UUID in CSR: '*'");
+        mbedtls_x509_csr_free(&csrObj);
+        return OC_STACK_ERROR;
+    }
+
    mbedtls_x509_csr_free(&csrObj);
    return OC_STACK_OK;
 }