Support for multiple ciphersuites

SetupCipher() modified to support multiple ciphersuites rather than using a fixed one Patch #1: initial upload Patch #2: Rebased and SetupCipher() related changes applied Patch #3: Rebased Change-Id: I6cb57605984c273bcdb98c5130da9a9995ae50db Signed-off-by: Jongmin Choi <jminl.choi@samsung.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/16251Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Randeep Singh <randeep.s@samsung.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/16633

Support for multiple ciphersuites
SetupCipher() modified to support multiple ciphersuites rather than using a fixed one Patch #1: initial upload Patch #2: Rebased and SetupCipher() related changes applied Patch #3: Rebased Change-Id: I6cb57605984c273bcdb98c5130da9a9995ae50db Signed-off-by: Jongmin Choi <jminl.choi@samsung.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/16251Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Randeep Singh <randeep.s@samsung.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/16633
6c2f03cc · Jongmin Choi · Randeep · 26756ec1 · 6c2f03cc · 6c2f03cc
Commit 6c2f03cc authored Feb 28, 2017 by Jongmin Choi Committed by Randeep Mar 02, 2017
3 changed files
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
@@ -1323,10 +1323,21 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
 {
    int index = 0;
    OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+
    VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param");
    VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
    VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null");

+    //Resetting cipherFlag
+    g_caSslContext->cipherFlag[0] = false;
+    g_caSslContext->cipherFlag[1] = false;
+
+    if (NULL == g_getCredentialTypesCallback)
+    {
+        OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null");
+        return;
+    }
+
    g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
    // Retrieve the PSK credential from SRM
    if (0 != InitPskIdentity(config))
@@ -1345,24 +1356,42 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
    }

    memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
+
+    // Add the preferred ciphersuite first
    if (SSL_CIPHER_MAX != g_caSslContext->cipher)
    {
        g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0];
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Preferred ciphersuite added");
+        index++;
    }
-    else
+
+    // Add PSK ciphersuite
+    if (true == g_caSslContext->cipherFlag[0] &&
+                MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[g_caSslContext->cipher][0])
    {
+       g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
+       OIC_LOG(DEBUG, NET_SSL_TAG, "PSK ciphersuite added");
+       index++;
+    }
+
+    // Add all certificate ciphersuites
    if (true == g_caSslContext->cipherFlag[1])
    {
-        for (int i = 2; i < SSL_CIPHER_MAX - 2; i++)
+        for (int i = 0; i < SSL_CIPHER_MAX - 1; i++)
+        {
+            if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[i][0] &&
+                    i != g_caSslContext->cipher)
            {
                g_cipherSuitesList[index] = tlsCipher[i][0];
                index ++;
            }
        }
-        if (true == g_caSslContext->cipherFlag[0])
-        {
-           g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
-        }
+    }
+
+    OIC_LOG(DEBUG, NET_SSL_TAG, "Supported ciphersuites:");
+    for (int i = 0; i < index; i++)
+    {
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Ciphersuite %04x", g_cipherSuitesList[i]);
    }

    mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);

--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
@@ -61,6 +61,10 @@
 #include <unistd.h>
 #endif

+#if defined(__WITH_DTLS__) || defined (__WITH_TLS__)
+#include <mbedtls/ssl_ciphersuites.h>
+#endif
+
 #define TAG  "OIC_SRM_CREDL"

 #ifdef HAVE_WINDOWS_H
@@ -1935,6 +1939,19 @@ static OCEntityHandlerResult HandlePostRequest(OCEntityHandlerRequest * ehReques
                        {
                            OIC_LOG(INFO, TAG, "Anonymous cipher suite is DISABLED");
                        }
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+                        if(CA_STATUS_OK != CASelectCipherSuite(
+                                    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, CA_ADAPTER_IP))
+                        {
+                            OIC_LOG(ERROR, TAG, "Failed to enable PSK cipher suite");
+                            ret = OC_EH_ERROR;
+                        }
+                        else
+                        {
+                            OIC_LOG(INFO, TAG, "PSK cipher suite is ENABLED");
+                        }
+#endif // __WITH_DTLS__ or __WITH_TLS__
                    }

                    break;

--- a/resource/csdk/security/src/doxmresource.c
+++ b/resource/csdk/security/src/doxmresource.c
@@ -1378,6 +1378,11 @@ static OCEntityHandlerResult HandleDoxmPostRequest(OCEntityHandlerRequest * ehRe
                    VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
                    OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");

+                    //Unset pre-selected ciphersuite, if any
+                    caRes = CASelectCipherSuite(0, ehRequest->devAddr.adapter);
+                    VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
+                    OIC_LOG(DEBUG, TAG, "No ciphersuite preferred");
+
                    VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterPkixInfoHandler(GetManufacturerPkixInfo), ERROR);
                    VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(InitManufacturerCipherSuiteList), ERROR);
                }