Commit 6c2f03cc authored by Jongmin Choi's avatar Jongmin Choi Committed by Randeep

Support for multiple ciphersuites

SetupCipher() modified to support multiple ciphersuites
rather than using a fixed one

Patch #1: initial upload
Patch #2: Rebased and SetupCipher() related changes applied
Patch #3: Rebased

Change-Id: I6cb57605984c273bcdb98c5130da9a9995ae50db
Signed-off-by: default avatarJongmin Choi <jminl.choi@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/16251Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Randeep's avatarRandeep Singh <randeep.s@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/16633
parent 26756ec1
......@@ -1323,10 +1323,21 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
{
int index = 0;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param");
VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null");
//Resetting cipherFlag
g_caSslContext->cipherFlag[0] = false;
g_caSslContext->cipherFlag[1] = false;
if (NULL == g_getCredentialTypesCallback)
{
OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null");
return;
}
g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
// Retrieve the PSK credential from SRM
if (0 != InitPskIdentity(config))
......@@ -1345,24 +1356,42 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
}
memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
// Add the preferred ciphersuite first
if (SSL_CIPHER_MAX != g_caSslContext->cipher)
{
g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0];
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Preferred ciphersuite added");
index++;
}
else
// Add PSK ciphersuite
if (true == g_caSslContext->cipherFlag[0] &&
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[g_caSslContext->cipher][0])
{
g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
OIC_LOG(DEBUG, NET_SSL_TAG, "PSK ciphersuite added");
index++;
}
// Add all certificate ciphersuites
if (true == g_caSslContext->cipherFlag[1])
{
for (int i = 2; i < SSL_CIPHER_MAX - 2; i++)
for (int i = 0; i < SSL_CIPHER_MAX - 1; i++)
{
if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[i][0] &&
i != g_caSslContext->cipher)
{
g_cipherSuitesList[index] = tlsCipher[i][0];
index ++;
}
}
if (true == g_caSslContext->cipherFlag[0])
{
g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
}
}
OIC_LOG(DEBUG, NET_SSL_TAG, "Supported ciphersuites:");
for (int i = 0; i < index; i++)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Ciphersuite %04x", g_cipherSuitesList[i]);
}
mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);
......
......@@ -61,6 +61,10 @@
#include <unistd.h>
#endif
#if defined(__WITH_DTLS__) || defined (__WITH_TLS__)
#include <mbedtls/ssl_ciphersuites.h>
#endif
#define TAG "OIC_SRM_CREDL"
#ifdef HAVE_WINDOWS_H
......@@ -1935,6 +1939,19 @@ static OCEntityHandlerResult HandlePostRequest(OCEntityHandlerRequest * ehReques
{
OIC_LOG(INFO, TAG, "Anonymous cipher suite is DISABLED");
}
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
if(CA_STATUS_OK != CASelectCipherSuite(
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, CA_ADAPTER_IP))
{
OIC_LOG(ERROR, TAG, "Failed to enable PSK cipher suite");
ret = OC_EH_ERROR;
}
else
{
OIC_LOG(INFO, TAG, "PSK cipher suite is ENABLED");
}
#endif // __WITH_DTLS__ or __WITH_TLS__
}
break;
......
......@@ -1378,6 +1378,11 @@ static OCEntityHandlerResult HandleDoxmPostRequest(OCEntityHandlerRequest * ehRe
VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
//Unset pre-selected ciphersuite, if any
caRes = CASelectCipherSuite(0, ehRequest->devAddr.adapter);
VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
OIC_LOG(DEBUG, TAG, "No ciphersuite preferred");
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterPkixInfoHandler(GetManufacturerPkixInfo), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(InitManufacturerCipherSuiteList), ERROR);
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment