Commit aa9954a4 authored by Aleksey's avatar Aleksey Committed by Nathan Heldt-Sheller

[IOT-3296] Disable CertificateRequest at MFG OTM

Signed-off-by: Aleksey's avatarAleksey Volkov <a.volkov@samsung.com>
Change-Id: Icb28ab66596890ac22e292bc4a51bf9a1bc90a6a
parent cb250969
...@@ -272,6 +272,17 @@ CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapt ...@@ -272,6 +272,17 @@ CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapt
*/ */
CAResult_t CAEnableAnonECDHCipherSuite(const bool enable); CAResult_t CAEnableAnonECDHCipherSuite(const bool enable);
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
/**
* Set the TLS certificate verification mode
*
* @param[in] enable TRUE/FALSE enables/disables peer certificate checking.
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
CAResult_t CASetCertificateRequest(const bool enable);
#endif
/** /**
* Generate ownerPSK using PRF. * Generate ownerPSK using PRF.
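Review bot: The doc comment on CASetCertificateRequest does not match the implementation shown later in this commit: CAsetTlsAuthMode returns `CA_STATUS_NOT_INITIALIZED` when the SSL context is missing and never returns `CA_STATUS_FAILED`, and it changes only the server-side TLS/DTLS configurations. I would replace the second `@retval` with `@retval ::CA_STATUS_NOT_INITIALIZED SSL context is not initialized.` and reword the summary to `Enable or disable requesting and verifying the client certificate on server-side (D)TLS sessions`. The identical comment on the CAsetTlsAuthMode declaration in the next header section needs the same correction.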
......
...@@ -58,6 +58,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint, ...@@ -58,6 +58,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint,
*/ */
CAResult_t CAsetTlsCipherSuite(const uint32_t cipher); CAResult_t CAsetTlsCipherSuite(const uint32_t cipher);
/**
* Set the TLS certificate verification mode
*
* @param[in] enable TRUE/FALSE enables/disables peer certificate checking.
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
CAResult_t CAsetTlsAuthMode(const bool enable);
/** /**
* Used set send,recv and error callbacks for different adapters(WIFI,EtherNet). * Used set send,recv and error callbacks for different adapters(WIFI,EtherNet).
* *
......
...@@ -2329,32 +2329,36 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat ...@@ -2329,32 +2329,36 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
sizeof(sep->endpoint.addr)); sizeof(sep->endpoint.addr));
ret = mbedtls_ssl_handshake_step(&peer->ssl); ret = mbedtls_ssl_handshake_step(&peer->ssl);
} }
uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
if (0 != flags) if (peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
{ {
size_t bufSize = 1024; uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
char *bufMsg = (char*)OICCalloc(1, bufSize); if (0 != flags)
if (bufMsg)
{
mbedtls_x509_crt_verify_info(bufMsg, bufSize, "", flags);
OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X): %s", __func__, flags, bufMsg);
OICFree(bufMsg);
}
else
{ {
OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X)", __func__, flags); size_t bufSize = 1024;
} char *bufMsg = (char*)OICCalloc(1, bufSize);
if (bufMsg)
{
mbedtls_x509_crt_verify_info(bufMsg, bufSize, "", flags);
OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X): %s", __func__, flags, bufMsg);
OICFree(bufMsg);
}
else
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X)", __func__, flags);
}
OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags)); OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
if (!checkSslOperation(peer, if (!checkSslOperation(peer,
(int)flags, (int)flags,
"Cert verification failed", "Cert verification failed",
GetAlertCode(flags))) GetAlertCode(flags)))
{ {
oc_mutex_unlock(g_sslContextMutex); oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_FAILED; return CA_STATUS_FAILED;
}
} }
} }
if (!checkSslOperation(peer, if (!checkSslOperation(peer,
...@@ -2421,7 +2425,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat ...@@ -2421,7 +2425,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
int selectedCipher = peer->ssl.session->ciphersuite; int selectedCipher = peer->ssl.session->ciphersuite;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher); OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher);
if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher && if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher) MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher &&
peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
{ {
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl); const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
const mbedtls_x509_name * name = NULL; const mbedtls_x509_name * name = NULL;
...@@ -2748,6 +2753,37 @@ CAResult_t CAsetTlsCipherSuite(const uint32_t cipher) ...@@ -2748,6 +2753,37 @@ CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
return CA_STATUS_OK; return CA_STATUS_OK;
} }
CAResult_t CAsetTlsAuthMode(const bool enable)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
oc_mutex_lock(g_sslContextMutex);
if (NULL == g_caSslContext)
{
OIC_LOG(ERROR, NET_SSL_TAG, "SSL context is not initialized.");
oc_mutex_unlock(g_sslContextMutex);
return CA_STATUS_NOT_INITIALIZED;
}
#ifdef __WITH_TLS__
mbedtls_ssl_conf_authmode(&g_caSslContext->serverTlsConf
, enable ? MBEDTLS_SSL_VERIFY_REQUIRED
: MBEDTLS_SSL_VERIFY_NONE);
#endif
#ifdef __WITH_DTLS__
mbedtls_ssl_conf_authmode(&g_caSslContext->serverDtlsConf
, enable ? MBEDTLS_SSL_VERIFY_REQUIRED
: MBEDTLS_SSL_VERIFY_NONE);
#endif
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Certificate check is : %s", enable ? "enabled":"disabled");
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_OK;
}
CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint) CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint)
{ {
CAResult_t res = CA_STATUS_OK; CAResult_t res = CA_STATUS_OK;
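Review bot: CAsetTlsAuthMode writes the mode into the shared `serverTlsConf`/`serverDtlsConf`, so passing false switches off client-certificate verification for every server-side session in the process. The two checks in CAdecryptSsl that this commit gates on `peer->ssl.conf->authmode` are then skipped for all of those sessions, not only for the manufacturer-OTM peer. If that scope is intended, state it in a comment above the function, and log the disabled state at a level that is not DEBUG-only, e.g. `OIC_LOG(WARNING, NET_SSL_TAG, "Peer certificate verification disabled");`. The CAdecryptSsl hunks start and end inside the function body, so whether the session is otherwise bound to the OTM peer cannot be confirmed from here.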
......
...@@ -568,6 +568,22 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable) ...@@ -568,6 +568,22 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable)
return res; return res;
} }
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
CAResult_t CASetCertificateRequest(const bool enable)
{
OIC_LOG_V(DEBUG, TAG, "IN %s", __func__);
CAResult_t res = CA_STATUS_FAILED;
res = CAsetTlsAuthMode(enable);
if (CA_STATUS_OK != res)
{
OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuiteAuthMode : %d", res);
}
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return res;
}
#endif
CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t* endpoint, CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t* endpoint,
const uint8_t* label, const size_t labelLen, const uint8_t* label, const size_t labelLen,
const uint8_t* rsrcServerDeviceID, const size_t rsrcServerDeviceIDLen, const uint8_t* rsrcServerDeviceID, const size_t rsrcServerDeviceIDLen,
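Review bot: The error message in CASetCertificateRequest names `CAsetTlsCipherSuiteAuthMode`, which is not the function being called; it should read `"Failed to CAsetTlsAuthMode : %d"` so that a log search leads to the right code. The initial `CA_STATUS_FAILED` is overwritten on the next line, so the two lines can be merged into `CAResult_t res = CAsetTlsAuthMode(enable);`.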
......
...@@ -51,6 +51,8 @@ ...@@ -51,6 +51,8 @@
#define CAsetPeerCNVerifyCallback CAsetPeerCNVerifyCallbackTest #define CAsetPeerCNVerifyCallback CAsetPeerCNVerifyCallbackTest
#define CAsetCloseSslConnectionCallback CAsetCloseSslConnectionCallbackTest #define CAsetCloseSslConnectionCallback CAsetCloseSslConnectionCallbackTest
#define CAcleanupSslAdapter CAcleanupSslAdapterTest #define CAcleanupSslAdapter CAcleanupSslAdapterTest
#define CAsetTlsAuthMode CAsetTlsAuthModeTest
#include "../src/adapter_util/ca_adapter_net_ssl.c" #include "../src/adapter_util/ca_adapter_net_ssl.c"
......
...@@ -2304,7 +2304,8 @@ static OCEntityHandlerResult HandleNewCredential(OCEntityHandlerRequest *ehReque ...@@ -2304,7 +2304,8 @@ static OCEntityHandlerResult HandleNewCredential(OCEntityHandlerRequest *ehReque
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
if(CA_STATUS_OK != CAregisterPkixInfoHandler(GetPkixInfo) if(CA_STATUS_OK != CAregisterPkixInfoHandler(GetPkixInfo)
|| CA_STATUS_OK != CAregisterIdentityHandler(GetIdentityHandler) || CA_STATUS_OK != CAregisterIdentityHandler(GetIdentityHandler)
|| CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList)) || CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList)
|| CA_STATUS_OK != CASetCertificateRequest(true))
{ {
OIC_LOG(ERROR, TAG, "Failed to revert TLS default handlers."); OIC_LOG(ERROR, TAG, "Failed to revert TLS default handlers.");
ret = OC_EH_ERROR; ret = OC_EH_ERROR;
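Review bot: Because the condition is chained with `||`, `CASetCertificateRequest(true)` is not evaluated when any of the three registrations before it fails, which leaves peer certificate verification in whatever state manufacturer OTM set it to. Re-enable it unconditionally before the `if`, e.g. `CAResult_t certRes = CASetCertificateRequest(true);`, and test `CA_STATUS_OK != certRes` in the condition. The surrounding function body lies outside the hunk, so any other restore path is not visible here.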
......
...@@ -1523,6 +1523,7 @@ OCEntityHandlerResult HandleDoxmPostRequestMfg(OicSecDoxm_t *newDoxm, ...@@ -1523,6 +1523,7 @@ OCEntityHandlerResult HandleDoxmPostRequestMfg(OicSecDoxm_t *newDoxm,
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterIdentityHandler(NULL), ERROR); VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterIdentityHandler(NULL), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler( VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(
InitManufacturerCipherSuiteList), ERROR); InitManufacturerCipherSuiteList), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CASetCertificateRequest(false), ERROR);
exit: exit:
OIC_LOG_V(DEBUG, TAG, "%s: OUT", __func__); OIC_LOG_V(DEBUG, TAG, "%s: OUT", __func__);
return ehRet; return ehRet;
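Review bot: `CASetCertificateRequest(false)` changes a process-wide setting, and the only places this commit turns it back on are HandleNewCredential and SRMInitSecureResources; nothing visible restores it if manufacturer OTM is abandoned before a credential is posted. If no reset path outside these hunks does so, the device would keep accepting server-side sessions without requesting a client certificate. I would add the restore to the OTM failure/reset handling and put a comment on this line, such as `/* MFG OTM: client cert is not requested; re-enabled in HandleNewCredential */`. The function body starts outside the hunk.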
......
...@@ -489,6 +489,10 @@ OCStackResult SRMInitSecureResources(void) ...@@ -489,6 +489,10 @@ OCStackResult SRMInitSecureResources(void)
{ {
OIC_LOG_V(WARNING, TAG, "%s : CAregisterGetCredentialTypesHandler failed!", __func__); OIC_LOG_V(WARNING, TAG, "%s : CAregisterGetCredentialTypesHandler failed!", __func__);
} }
if (CA_STATUS_OK != CASetCertificateRequest(true))
{
OIC_LOG_V(WARNING, TAG, "%s : CASetCertificateRequest failed!", __func__);
}
CAregisterSslDisconnectCallback(DeleteRolesCB); CAregisterSslDisconnectCallback(DeleteRolesCB);
#endif // __WITH_DTLS__ or __WITH_TLS__ #endif // __WITH_DTLS__ or __WITH_TLS__
return ret; return ret;
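Review bot: A failure of `CASetCertificateRequest(true)` is only logged at WARNING and initialization continues. CAsetTlsAuthMode returns `CA_STATUS_NOT_INITIALIZED` when the SSL context does not exist, so a call made before the adapter is set up would leave the mode unchanged with no more than that warning. Since this is the call that establishes verification at start-up, consider failing closed with `ret = OC_STACK_ERROR;` inside the branch, or add a comment stating why continuing is safe. The ordering against SSL adapter initialization is not visible in this hunk.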
......