Commit a4e0bb27 authored by Greg Zaverucha's avatar Greg Zaverucha Committed by Dan Mihai

[IOT-1998] Set remote ID

Since "f7e8c4ba PSK check before ciphersuite selection" PSK
ciphersuites will only be negotiated if the local peer has
a credential with the remote peer's UUID. Make sure the UUID
is present in the endpoint information used when calling
OCDoRequest.

In the SSL adapter, when setting up a connection, if no
ciphersuites are usable based on the credentials available, fail.

Change-Id: I64db80379e8055e35e051dd5b90191625f1d5033
Signed-off-by: default avatarGreg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19123Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: default avatarDan Mihai <Daniel.Mihai@microsoft.com>
parent 79cd909a
...@@ -1329,15 +1329,25 @@ static int InitPskIdentity(mbedtls_ssl_config * config) ...@@ -1329,15 +1329,25 @@ static int InitPskIdentity(mbedtls_ssl_config * config)
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return 0; return 0;
} }
static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapter,
/**
* Select cipher suites for use with (D)TLS based on the credentials available.
*
* @param[in] config the (D)TLS configuration object
* @param[in] adapter the associated transport adapter
* @param[in] deviceId the device ID of the peer we will connect to
*
* @return true on success or false on error
*/
static bool SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapter,
const char* deviceId) const char* deviceId)
{ {
int index = 0; int index = 0;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__); OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param"); VERIFY_NON_NULL_RET(config, NET_SSL_TAG, "Invailid param", false);
VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL"); VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", false);
VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null"); VERIFY_NON_NULL_RET(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null", false);
//Resetting cipherFlag //Resetting cipherFlag
g_caSslContext->cipherFlag[0] = false; g_caSslContext->cipherFlag[0] = false;
...@@ -1346,7 +1356,8 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte ...@@ -1346,7 +1356,8 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
if (NULL == g_getCredentialTypesCallback) if (NULL == g_getCredentialTypesCallback)
{ {
OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null"); OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null");
return; OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return false;
} }
g_getCredentialTypesCallback(g_caSslContext->cipherFlag, deviceId); g_getCredentialTypesCallback(g_caSslContext->cipherFlag, deviceId);
...@@ -1356,6 +1367,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte ...@@ -1356,6 +1367,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
true == g_caSslContext->cipherFlag[0]) && 0 != InitPskIdentity(config)) true == g_caSslContext->cipherFlag[0]) && 0 != InitPskIdentity(config))
{ {
OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!"); OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!");
/* Don't return error, the connection may work with another cred type */
} }
// Retrieve the Cert credential from SRM // Retrieve the Cert credential from SRM
...@@ -1365,6 +1377,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte ...@@ -1365,6 +1377,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
if (0 != ret) if (0 != ret)
{ {
OIC_LOG(ERROR, NET_SSL_TAG, "Failed to init X.509"); OIC_LOG(ERROR, NET_SSL_TAG, "Failed to init X.509");
/* Don't return error, the connection may work with another cred type */
} }
} }
...@@ -1409,7 +1422,15 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte ...@@ -1409,7 +1422,15 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList); mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);
if (0 == index)
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "No ciphersuites configured, secure connections will fail");
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return false;
}
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return true;
} }
/** /**
* Initiate TLS handshake with endpoint. * Initiate TLS handshake with endpoint.
...@@ -1438,7 +1459,12 @@ static SslEndPoint_t * InitiateTlsHandshake(const CAEndpoint_t *endpoint) ...@@ -1438,7 +1459,12 @@ static SslEndPoint_t * InitiateTlsHandshake(const CAEndpoint_t *endpoint)
} }
//Load allowed SVR suites from SVR DB //Load allowed SVR suites from SVR DB
SetupCipher(config, endpoint->adapter, endpoint->remoteId); if(!SetupCipher(config, endpoint->adapter, endpoint->remoteId))
{
OIC_LOG(ERROR, NET_SSL_TAG, "Failed to set up cipher");
DeleteSslEndPoint(tep);
return NULL;
}
oc_mutex_lock(g_sslContextMutex); oc_mutex_lock(g_sslContextMutex);
ret = u_arraylist_add(g_caSslContext->peerList, (void *) tep); ret = u_arraylist_add(g_caSslContext->peerList, (void *) tep);
...@@ -2005,7 +2031,13 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat ...@@ -2005,7 +2031,13 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
return CA_STATUS_FAILED; return CA_STATUS_FAILED;
} }
//Load allowed TLS suites from SVR DB //Load allowed TLS suites from SVR DB
SetupCipher(config, sep->endpoint.adapter, NULL); if(!SetupCipher(config, sep->endpoint.adapter, NULL))
{
OIC_LOG(ERROR, NET_SSL_TAG, "Failed to set up cipher");
DeleteSslEndPoint(peer);
oc_mutex_unlock(g_sslContextMutex);
return CA_STATUS_FAILED;
}
ret = u_arraylist_add(g_caSslContext->peerList, (void *) peer); ret = u_arraylist_add(g_caSslContext->peerList, (void *) peer);
if (!ret) if (!ret)
......
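Review bot: The `if (NULL == g_getCredentialTypesCallback)` block in the second hunk (now extended with `return false;`) is unreachable, because the new `VERIFY_NON_NULL_RET(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null", false);` at the top of SetupCipher already returns on that condition; the block should be deleted rather than grown. In that first hunk the new log string `"Invailid param"` is still misspelled and should read `"Invalid param"`. In the `0 == index` hunk the check runs after `mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);` has already been applied, so an empty suite list is installed into the config before the failure is reported; moving the check above that call keeps the failure path from touching `config` at all. SetupCipher's body is split across several hunks here with elided lines between them, and both callers' cleanup paths (`DeleteSslEndPoint` in InitiateTlsHandshake and CAdecryptSsl) look consistent, with the mutex only released in the one that holds it.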
...@@ -51,6 +51,7 @@ ...@@ -51,6 +51,7 @@
#include "ocsecurity.h" #include "ocsecurity.h"
#include "ocstackinternal.h" #include "ocstackinternal.h"
#include "pmutility.h" #include "pmutility.h"
#include "ocrandom.h"
#ifdef _MSC_VER #ifdef _MSC_VER
#include <io.h> #include <io.h>
...@@ -568,9 +569,18 @@ static int doGetRequest(const char* uri, int dev_num) ...@@ -568,9 +569,18 @@ static int doGetRequest(const char* uri, int dev_num)
return -1; return -1;
} }
res = OCDoRequest(&handle, OC_REST_GET, query, NULL, NULL, /*
device->connType, OC_HIGH_QOS, &cbData, NULL, 0); * Make sure the OCDevAddr passed to OCDoRequest contains the remote peer's UUID,
* so that PSK lookup succeeds.
*/
if (!OCConvertUuidToString(device->doxm->deviceID.id, device->endpoint.remoteId))
{
OIC_LOG_V(ERROR, TAG, "%s : Failed to copy or convert UUID", __func__);
return -1;
}
res = OCDoRequest(&handle, OC_REST_GET, query, &device->endpoint, NULL,
device->connType, OC_HIGH_QOS, &cbData, NULL, 0);
if (res != OC_STACK_OK) if (res != OC_STACK_OK)
{ {
OIC_LOG_V(ERROR, TAG, "OCDoRequest returned error %d with method", res); OIC_LOG_V(ERROR, TAG, "OCDoRequest returned error %d with method", res);
......
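Review bot: The new line `OCConvertUuidToString(device->doxm->deviceID.id, device->endpoint.remoteId)` dereferences `device->doxm` without a NULL check; if a discovered device can lack a doxm resource at this point (not visible here), guard it with `if (!device || !device->doxm) { OIC_LOG_V(ERROR, TAG, "%s : no doxm for device", __func__); return -1; }` before the conversion. The new early `return -1;` must release whatever the existing `return -1;` at the top of the hunk releases (for example `query`, if it is heap-allocated earlier in doGetRequest); the start of the function is outside the hunk, so this is worth confirming. It would also help to note in the comment that passing `&device->endpoint` as the destination is what makes OCDoRequest propagate the remoteId, since the previous call passed NULL there.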
...@@ -3389,6 +3389,14 @@ OCStackResult OCDoRequest(OCDoHandle *handle, ...@@ -3389,6 +3389,14 @@ OCStackResult OCDoRequest(OCDoHandle *handle,
if (devAddr) if (devAddr)
{ {
OIC_LOG_V(DEBUG, TAG, "remoteId of devAddr : %s", devAddr->remoteId); OIC_LOG_V(DEBUG, TAG, "remoteId of devAddr : %s", devAddr->remoteId);
if ((devAddr->remoteId[0] == 0)
&& destination
&& (destination->remoteId[0] != 0))
{
OIC_LOG_V(DEBUG, TAG, "Copying remoteId from destination parameter: %s", destination->remoteId);
OICStrcpy(devAddr->remoteId, sizeof(devAddr->remoteId), destination->remoteId);
}
} }
resHandle = GenerateInvocationHandle(); resHandle = GenerateInvocationHandle();
......
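Review bot: The new block copies `destination->remoteId` into `devAddr->remoteId` only when the latter is empty, so a case where both are non-empty but disagree passes silently and the PSK lookup will run against whichever identity `devAddr` already carried; a warning for that case, `else if (destination && destination->remoteId[0] != 0 && strcmp(devAddr->remoteId, destination->remoteId) != 0) { OIC_LOG(WARNING, TAG, "remoteId of devAddr differs from destination"); }`, would make the mismatch diagnosable. The bounded `OICStrcpy(devAddr->remoteId, sizeof(devAddr->remoteId), ...)` is the right call here, assuming `remoteId` is an array member rather than a pointer, which the `sizeof` usage suggests but the hunk does not show. Where `devAddr` is allocated and whether it is the caller's object or a local copy is outside the hunk, so the mutation's visibility to the caller should be confirmed.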