[IOT-1998] Set remote ID

Since "f7e8c4ba PSK check before ciphersuite selection" PSK ciphersuites will only be negotiated if the local peer has a credential with the remote peer's UUID. Make sure the UUID is present in the endpoint information used when calling OCDoRequest. In the SSL adapter, when setting up a connection, if no ciphersuites are usable based on the credentials available, fail. Change-Id: I64db80379e8055e35e051dd5b90191625f1d5033 Signed-off-by: Greg Zaverucha <gregz@microsoft.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/19123Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Dan Mihai <Daniel.Mihai@microsoft.com>

[IOT-1998] Set remote ID
Since "f7e8c4ba PSK check before ciphersuite selection" PSK ciphersuites will only be negotiated if the local peer has a credential with the remote peer's UUID. Make sure the UUID is present in the endpoint information used when calling OCDoRequest. In the SSL adapter, when setting up a connection, if no ciphersuites are usable based on the credentials available, fail. Change-Id: I64db80379e8055e35e051dd5b90191625f1d5033 Signed-off-by: Greg Zaverucha <gregz@microsoft.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/19123Tested-by: jenkins-iotivity <jenkins@iotivity.org> Reviewed-by: Dan Mihai <Daniel.Mihai@microsoft.com>
a4e0bb27 · Greg Zaverucha · Dan Mihai · 79cd909a · a4e0bb27 · a4e0bb27
Commit a4e0bb27 authored May 11, 2017 by Greg Zaverucha Committed by Dan Mihai Jun 08, 2017
3 changed files
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
@@ -1329,15 +1329,25 @@ static int InitPskIdentity(mbedtls_ssl_config * config)
    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
    return 0;
 }
-static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapter,
+
+/**
+ * Select cipher suites for use with (D)TLS based on the credentials available.
+ *
+ * @param[in]  config     the (D)TLS configuration object
+ * @param[in]  adapter    the associated transport adapter
+ * @param[in]  deviceId   the device ID of the peer we will connect to
+ *
+ * @return  true on success or false on error
+ */
+static bool SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapter,
                        const char* deviceId)
 {
    int index = 0;
    OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);

-    VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param");
-    VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
-    VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null");
+    VERIFY_NON_NULL_RET(config, NET_SSL_TAG, "Invailid param", false);
+    VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", false);
+    VERIFY_NON_NULL_RET(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null", false);

    //Resetting cipherFlag
    g_caSslContext->cipherFlag[0] = false;
@@ -1346,7 +1356,8 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
    if (NULL == g_getCredentialTypesCallback)
    {
        OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null");
-        return;
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+        return false;
    }

    g_getCredentialTypesCallback(g_caSslContext->cipherFlag, deviceId);
@@ -1356,6 +1367,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
         true == g_caSslContext->cipherFlag[0]) && 0 != InitPskIdentity(config))
    {
        OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!");
+        /* Don't return error, the connection may work with another cred type */
    }

    // Retrieve the Cert credential from SRM
@@ -1365,6 +1377,7 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
        if (0 != ret)
        {
            OIC_LOG(ERROR, NET_SSL_TAG, "Failed to init X.509");
+            /* Don't return error, the connection may work with another cred type */
        }
    }

@@ -1409,7 +1422,15 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte

    mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);

+    if (0 == index)
+    {
+        OIC_LOG_V(ERROR, NET_SSL_TAG, "No ciphersuites configured, secure connections will fail");
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+        return false;
+    }
+
    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+    return true;
 }
 /**
 * Initiate TLS handshake with endpoint.
@@ -1438,7 +1459,12 @@ static SslEndPoint_t * InitiateTlsHandshake(const CAEndpoint_t *endpoint)
    }

    //Load allowed SVR suites from SVR DB
-    SetupCipher(config, endpoint->adapter, endpoint->remoteId);
+    if(!SetupCipher(config, endpoint->adapter, endpoint->remoteId))
+    {
+        OIC_LOG(ERROR, NET_SSL_TAG, "Failed to set up cipher");
+        DeleteSslEndPoint(tep);
+        return NULL;
+    }

    oc_mutex_lock(g_sslContextMutex);
    ret = u_arraylist_add(g_caSslContext->peerList, (void *) tep);
@@ -2005,7 +2031,13 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
            return CA_STATUS_FAILED;
        }
        //Load allowed TLS suites from SVR DB
-        SetupCipher(config, sep->endpoint.adapter, NULL);
+        if(!SetupCipher(config, sep->endpoint.adapter, NULL))
+        {
+            OIC_LOG(ERROR, NET_SSL_TAG, "Failed to set up cipher");
+            DeleteSslEndPoint(peer);
+            oc_mutex_unlock(g_sslContextMutex);
+            return CA_STATUS_FAILED;
+        }

        ret = u_arraylist_add(g_caSslContext->peerList, (void *) peer);
        if (!ret)

--- a/resource/csdk/security/provisioning/sample/autoprovisioningclient.c
+++ b/resource/csdk/security/provisioning/sample/autoprovisioningclient.c
@@ -51,6 +51,7 @@
 #include "ocsecurity.h"
 #include "ocstackinternal.h"
 #include "pmutility.h"
+#include "ocrandom.h"

 #ifdef _MSC_VER
 #include <io.h>
@@ -568,9 +569,18 @@ static int doGetRequest(const char* uri, int dev_num)
        return -1;
    }

-    res = OCDoRequest(&handle, OC_REST_GET, query, NULL, NULL,
-        device->connType, OC_HIGH_QOS, &cbData, NULL, 0);
+    /* 
+     * Make sure the OCDevAddr passed to OCDoRequest contains the remote peer's UUID, 
+     * so that PSK lookup succeeds. 
+     */
+    if (!OCConvertUuidToString(device->doxm->deviceID.id, device->endpoint.remoteId))
+    {
+        OIC_LOG_V(ERROR, TAG, "%s : Failed to copy or convert UUID", __func__);
+        return -1;
+    }

+    res = OCDoRequest(&handle, OC_REST_GET, query, &device->endpoint, NULL,
+        device->connType, OC_HIGH_QOS, &cbData, NULL, 0);
    if (res != OC_STACK_OK)
    {
        OIC_LOG_V(ERROR, TAG, "OCDoRequest returned error %d with method", res);

--- a/resource/csdk/stack/src/ocstack.c
+++ b/resource/csdk/stack/src/ocstack.c
@@ -3389,6 +3389,14 @@ OCStackResult OCDoRequest(OCDoHandle *handle,
    if (devAddr)
    {
        OIC_LOG_V(DEBUG, TAG, "remoteId of devAddr : %s", devAddr->remoteId);
+
+        if ((devAddr->remoteId[0] == 0)
+            && destination
+            && (destination->remoteId[0] != 0))
+        {
+            OIC_LOG_V(DEBUG, TAG, "Copying remoteId from destination parameter: %s", destination->remoteId);
+            OICStrcpy(devAddr->remoteId, sizeof(devAddr->remoteId), destination->remoteId);
+        }
    }

    resHandle = GenerateInvocationHandle();