Commit aa9954a4 authored by Aleksey's avatar Aleksey Committed by Nathan Heldt-Sheller

[IOT-3296] Disable CertificateRequest at MFG OTM

Signed-off-by: Aleksey's avatarAleksey Volkov <a.volkov@samsung.com>
Change-Id: Icb28ab66596890ac22e292bc4a51bf9a1bc90a6a
parent cb250969
......@@ -272,6 +272,17 @@ CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapt
*/
CAResult_t CAEnableAnonECDHCipherSuite(const bool enable);
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
/**
* Set the TLS certificate verification mode
*
* @param[in] enable TRUE/FALSE enables/disables peer certificate checking.
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
CAResult_t CASetCertificateRequest(const bool enable);
#endif
/**
* Generate ownerPSK using PRF.
......
......@@ -58,6 +58,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint,
*/
CAResult_t CAsetTlsCipherSuite(const uint32_t cipher);
/**
* Set the TLS certificate verification mode
*
* @param[in] enable TRUE/FALSE enables/disables peer certificate checking.
*
* @retval ::CA_STATUS_OK Successful.
* @retval ::CA_STATUS_FAILED Operation failed.
*/
CAResult_t CAsetTlsAuthMode(const bool enable);
/**
* Used set send,recv and error callbacks for different adapters(WIFI,EtherNet).
*
......
......@@ -2329,6 +2329,9 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
sizeof(sep->endpoint.addr));
ret = mbedtls_ssl_handshake_step(&peer->ssl);
}
if (peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
{
uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
if (0 != flags)
{
......@@ -2357,6 +2360,7 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
return CA_STATUS_FAILED;
}
}
}
if (!checkSslOperation(peer,
ret,
"Handshake error",
......@@ -2421,7 +2425,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
int selectedCipher = peer->ssl.session->ciphersuite;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher);
if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher &&
peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
{
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
const mbedtls_x509_name * name = NULL;
......@@ -2748,6 +2753,37 @@ CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
return CA_STATUS_OK;
}
CAResult_t CAsetTlsAuthMode(const bool enable)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
oc_mutex_lock(g_sslContextMutex);
if (NULL == g_caSslContext)
{
OIC_LOG(ERROR, NET_SSL_TAG, "SSL context is not initialized.");
oc_mutex_unlock(g_sslContextMutex);
return CA_STATUS_NOT_INITIALIZED;
}
#ifdef __WITH_TLS__
mbedtls_ssl_conf_authmode(&g_caSslContext->serverTlsConf
, enable ? MBEDTLS_SSL_VERIFY_REQUIRED
: MBEDTLS_SSL_VERIFY_NONE);
#endif
#ifdef __WITH_DTLS__
mbedtls_ssl_conf_authmode(&g_caSslContext->serverDtlsConf
, enable ? MBEDTLS_SSL_VERIFY_REQUIRED
: MBEDTLS_SSL_VERIFY_NONE);
#endif
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Certificate check is : %s", enable ? "enabled":"disabled");
oc_mutex_unlock(g_sslContextMutex);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return CA_STATUS_OK;
}
CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint)
{
CAResult_t res = CA_STATUS_OK;
......
......@@ -568,6 +568,22 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable)
return res;
}
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
CAResult_t CASetCertificateRequest(const bool enable)
{
OIC_LOG_V(DEBUG, TAG, "IN %s", __func__);
CAResult_t res = CA_STATUS_FAILED;
res = CAsetTlsAuthMode(enable);
if (CA_STATUS_OK != res)
{
OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuiteAuthMode : %d", res);
}
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return res;
}
#endif
CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t* endpoint,
const uint8_t* label, const size_t labelLen,
const uint8_t* rsrcServerDeviceID, const size_t rsrcServerDeviceIDLen,
......
......@@ -51,6 +51,8 @@
#define CAsetPeerCNVerifyCallback CAsetPeerCNVerifyCallbackTest
#define CAsetCloseSslConnectionCallback CAsetCloseSslConnectionCallbackTest
#define CAcleanupSslAdapter CAcleanupSslAdapterTest
#define CAsetTlsAuthMode CAsetTlsAuthModeTest
#include "../src/adapter_util/ca_adapter_net_ssl.c"
......
......@@ -2304,7 +2304,8 @@ static OCEntityHandlerResult HandleNewCredential(OCEntityHandlerRequest *ehReque
#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
if(CA_STATUS_OK != CAregisterPkixInfoHandler(GetPkixInfo)
|| CA_STATUS_OK != CAregisterIdentityHandler(GetIdentityHandler)
|| CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList))
|| CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList)
|| CA_STATUS_OK != CASetCertificateRequest(true))
{
OIC_LOG(ERROR, TAG, "Failed to revert TLS default handlers.");
ret = OC_EH_ERROR;
......
......@@ -1523,6 +1523,7 @@ OCEntityHandlerResult HandleDoxmPostRequestMfg(OicSecDoxm_t *newDoxm,
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterIdentityHandler(NULL), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(
InitManufacturerCipherSuiteList), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CASetCertificateRequest(false), ERROR);
exit:
OIC_LOG_V(DEBUG, TAG, "%s: OUT", __func__);
return ehRet;
......
......@@ -489,6 +489,10 @@ OCStackResult SRMInitSecureResources(void)
{
OIC_LOG_V(WARNING, TAG, "%s : CAregisterGetCredentialTypesHandler failed!", __func__);
}
if (CA_STATUS_OK != CASetCertificateRequest(true))
{
OIC_LOG_V(WARNING, TAG, "%s : CASetCertificateRequest failed!", __func__);
}
CAregisterSslDisconnectCallback(DeleteRolesCB);
#endif // __WITH_DTLS__ or __WITH_TLS__
return ret;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment