Commit e984a943 authored by Kishen Maloor's avatar Kishen Maloor

Merge branch 'origin/master' into fargo

Signed-off-by: Kishen Maloor's avatarKishen Maloor <kishen.maloor@intel.com>
parents bc41ba8e 207bbfde
......@@ -28,7 +28,7 @@ Android_build:
image: openjdk:8-jdk
before_script:
- apt-get --quiet update --yes
- apt-get --quiet install --yes wget tar unzip lib32stdc++6 lib32z1 make autoconf swig
- apt-get --quiet install --yes wget tar unzip lib32stdc++6 lib32z1 make autoconf swig patch
- wget --quiet --output-document=android-sdk.zip https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip
- unzip -d android-sdk-linux android-sdk.zip
- echo y | android-sdk-linux/tools/bin/sdkmanager "ndk-bundle" >/dev/null
......
......@@ -42,7 +42,7 @@ gen_idd_tag(const char *name, size_t device_index, char *idd_tag)
snprintf(idd_tag, MAX_TAG_LENGTH, "%s_%zd", name, device_index);
idd_tag_len =
(idd_tag_len < MAX_TAG_LENGTH) ? idd_tag_len + 1 : MAX_TAG_LENGTH;
idd_tag[idd_tag_len] = '\0';
idd_tag[idd_tag_len - 1] = '\0';
}
void
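Review bot: The index used by the new `idd_tag[idd_tag_len - 1] = '\0';` still derives from an unchecked snprintf() result. If idd_tag_len is a signed int holding that return value (its declaration is outside the hunk) and snprintf() reports an error, `idd_tag_len + 1` becomes 0 and the store lands at `idd_tag[-1]`. snprintf() bounded by MAX_TAG_LENGTH already NUL-terminates, so the manual store could be replaced by an error guard such as `if (idd_tag_len < 0) { idd_tag[0] = '\0'; return; }`. The format also passes a size_t to `%zd`; `%zu` is the matching specifier.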
......
-----BEGIN CERTIFICATE-----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=
AjBjBgorBgEEAYORVgEABFUwUzAJAgECAgEAAgEAMDYMGTEuMy42LjEuNC4xLjUx
NDE0LjAuMC4xLjAMGTEuMy42LjEuNC4xLjUxNDE0LjAuMC4yLjAMBExpdGUMCExp
dGUyMDIwMCoGCisGAQQBg5FWAQEEHDAaBgsrBgEEAYORVgEBAAYLKwYBBAGDkVYB
AQEwMAYKKwYBBAGDkVYBAgQiMCAMDjEuMy42LjEuNC4xLjcxDAlEaXNjb3ZlcnkM
AzEuMDAKBggqhkjOPQQDAgNIADBFAiA0bVdWYgglTyEi6+Ba9bGKNDw0DzQrH2Y+
k5Cnu9ki+wIhAOqkIo41b/mOfNwSgjSsxFZkrdaYhvM1Ce+aS23z4hAC
-----END CERTIFICATE-----
......@@ -2,7 +2,7 @@
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAeACxwKCL4K8fWzGYYe1ZKm3glUcKo+0vdB4HGR8IcyoAoGCCqGSM49
AwEHoUQDQgAEkllOtb8sGBbSTy0+zCKfCsY3gq2NB+E0Gzy5VxKFfWq41WhKiLkM
2QNR91r2PLA4jOQBrJ2jrC9ervskkzxmgg==
MHcCAQEEII8kjV/guIOeu+1e6GKjDOeIzHAgmA4MCBXIMy10uAlqoAoGCCqGSM49
AwEHoUQDQgAEBYJtQKn3zZi/tkIwqTZXDnaGEBnOxjnpUi0ATT5Dc/HY7V243o7D
hM6p5MQl89ebUccBuA6JK3Fx1MNJitbrjw==
-----END EC PRIVATE KEY-----
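Review bot: Nothing visible in this file marks the EC private key as test-only material, and once committed it is readable by anyone who can read the repository or its history. If it belongs to a test PKI, say so in an adjacent README and make sure no build or provisioning step ships it as a device credential. If either the old or the new key was ever used outside tests, treat it as disclosed and rotate it. Scoping a secret-scanner allowlist to this fixture path keeps the scanner useful for real leaks elsewhere in the tree.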
......@@ -645,6 +645,7 @@ coap_notify_observers(oc_resource_t *resource,
}
#endif /* OC_SECURITY */
bool resource_is_collection = false;
coap_observer_t *obs = NULL;
if (resource->num_observers > 0) {
#ifdef OC_BLOCK_WISE
......@@ -675,8 +676,21 @@ coap_notify_observers(oc_resource_t *resource,
request.response = &response;
request.request_payload = NULL;
oc_rep_new(response_buffer.buffer, response_buffer.buffer_size);
resource->get_handler.cb(&request, resource->default_interface,
resource->get_handler.user_data);
#ifdef OC_COLLECTIONS
if (oc_check_if_collection(resource)) {
resource_is_collection = true;
if (resource->get_handler.cb) {
resource->get_handler.cb(&request, OC_IF_BASELINE,
resource->get_handler.user_data);
} else {
response_buffer.code = OC_IGNORE;
}
} else
#endif /* OC_COLLECTIONS */
{
resource->get_handler.cb(&request, resource->default_interface,
resource->get_handler.user_data);
}
response_buf = &response_buffer;
if (response_buf->code == OC_IGNORE) {
OC_DBG("coap_notify_observers: Resource ignored request");
......@@ -692,7 +706,10 @@ coap_notify_observers(oc_resource_t *resource,
obs = obs->next;
continue;
} // obs->resource != resource || endpoint != obs->endpoint
if (resource_is_collection && obs->iface_mask != OC_IF_BASELINE) {
obs = obs->next;
continue;
}
if (response.separate_response != NULL) {
if (response_buf->code == oc_status_code(OC_STATUS_OK)) {
coap_packet_t req[1];
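Review bot: The non-collection branch added in the second hunk calls `resource->get_handler.cb(&request, resource->default_interface, ...)` without the NULL test that the collection branch just above it performs. If an observable resource can be registered without a GET handler (not visible here), a notification for it calls through a NULL function pointer. Wrapping that call in the same `if (resource->get_handler.cb) { ... } else { response_buffer.code = OC_IGNORE; }` guard keeps the two paths consistent and lets the existing OC_IGNORE handling skip the notification. coap_notify_observers begins and ends outside these hunks.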
......
......@@ -31,6 +31,7 @@
#define UUID_PREFIX "uuid:"
#define UUID_PREFIX_LEN (5)
#define MBEDTLS_ULIMITED_PATHLEN 0
int
oc_certs_generate_serial_number(mbedtls_x509write_cert *crt)
......@@ -448,29 +449,36 @@ validate_x509v1_fields(const mbedtls_x509_crt *cert)
}
int
oc_certs_validate_root_cert(const mbedtls_x509_crt *cert)
oc_certs_validate_non_end_entity_cert(const mbedtls_x509_crt *cert,
bool is_root, bool is_otm, int depth)
{
OC_DBG("attempting to validate root cert");
OC_DBG("attempting to validate %s cert", is_root ? "root" : "intermediate");
/* Validate common X.509v1 fields */
if (validate_x509v1_fields(cert) < 0) {
return -1;
}
/* Issuer SHALL match the Subject field
* Subject SHALL match the Issuer field
*/
if ((cert->issuer_raw.len != cert->subject_raw.len) ||
memcmp(cert->issuer_raw.p, cert->subject_raw.p, cert->issuer_raw.len) !=
0) {
OC_WRN("certificate is not a root CA");
/* Root certificates (and ONLY Root certificates) shall be self-issued */
bool is_self_issued =
(cert->issuer_raw.len == cert->subject_raw.len) ||
memcmp(cert->issuer_raw.p, cert->subject_raw.p, cert->issuer_raw.len) == 0;
if (is_root && !is_self_issued) {
OC_WRN("certificate is not a valid root CA");
return -1;
}
if (!is_root && is_self_issued) {
OC_WRN("certificate is not a valid intermediate CA");
return -1;
}
/* keyCertSign (5) & cRLSign (6) bits SHALL be enabled */
/* Digital Signature bit may optionally be enabled */
unsigned int optional_key_usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
unsigned int optional_key_usage =
is_otm ? MBEDTLS_X509_KU_DIGITAL_SIGNATURE
: MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_CRL_SIGN;
unsigned int key_usage =
(MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
is_otm ? MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN
: MBEDTLS_X509_KU_KEY_CERT_SIGN;
if ((cert->key_usage & key_usage) != key_usage) {
OC_WRN("key_usage constraints not met");
return -1;
......@@ -480,56 +488,24 @@ oc_certs_validate_root_cert(const mbedtls_x509_crt *cert)
return -1;
}
/* cA = TRUE and pathLenConstraint = not present (unlimited) */
if (cert->ca_istrue == 0 || cert->max_pathlen != 0) {
OC_WRN("CA=True and/or path len constraints not met");
/* cA = TRUE */
if (cert->ca_istrue == 0) {
OC_WRN("CA=True constraint is not met");
return -1;
}
return 0;
}
int
oc_certs_validate_intermediate_cert(const mbedtls_x509_crt *cert)
{
OC_DBG("attempting to validate intermediate cert");
/* Validate common X.509v1 fields */
if (validate_x509v1_fields(cert) < 0) {
return -1;
}
if (cert->max_pathlen == 0) {
OC_WRN("certificate is not an intermediate CA");
return -1;
}
/* Issuer SHALL NOT match the Subject field
* Subject SHALL NOT match the Issuer field
*/
if ((cert->issuer_raw.len == cert->subject_raw.len) ||
memcmp(cert->issuer_raw.p, cert->subject_raw.p, cert->issuer_raw.len) ==
0) {
OC_WRN("certificate is not an intermediate CA");
return -1;
}
/* keyCertSign (5) & cRLSign (6) bits SHALL be enabled */
/* Digital Signature bit may optionally be enabled */
unsigned int optional_key_usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
unsigned int key_usage =
(MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
if ((cert->key_usage & key_usage) != key_usage) {
OC_WRN("key_usage constraints not met");
return -1;
}
if ((cert->key_usage & ~(optional_key_usage | key_usage)) != 0) {
OC_WRN("key_usage sets additional bits");
/* pathLenConstraint should be at least as long as the signed chain, note that
* mbedtls max_pathlen = real pathlen + 1 */
if (cert->max_pathlen != MBEDTLS_ULIMITED_PATHLEN &&
cert->max_pathlen < depth) {
OC_WRN("certificate pathLen is not sufficient: %d < %d", cert->max_pathlen,
depth);
return -1;
}
/* cA = TRUE and pathLenConstraint = 0 (can only sign end-entity certs) */
if (cert->ca_istrue == 0 || cert->max_pathlen > 1) {
OC_WRN("CA=True and/or path len constraints not met");
/* pathLenConstraint = 0 for OTM chains (can only sign end-entity certs) */
if (is_otm && !is_root && cert->max_pathlen != 1) {
OC_WRN("only 3-tiered chains are allowed for OTM certificates");
return -1;
}
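Review bot: The `is_self_issued` expression in oc_certs_validate_non_end_entity_cert joins the length comparison and the memcmp() with `||`, so any certificate whose issuer and subject names merely have the same length counts as self-issued. When the lengths differ, memcmp() also reads issuer_raw.len bytes from a subject buffer that may be shorter. The removed root check was the negation of a conjunction, so the line should read `(cert->issuer_raw.len == cert->subject_raw.len) && memcmp(cert->issuer_raw.p, cert->subject_raw.p, cert->issuer_raw.len) == 0;`. As written, a certificate that is not self-issued can pass the root test, and a legitimate intermediate with equal-length names is rejected. Separately, `MBEDTLS_ULIMITED_PATHLEN` looks like a misspelling of UNLIMITED and would benefit from a comment on the define stating that 0 in max_pathlen means no pathLenConstraint is present; the function's tail lies outside the last hunk.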
......
......@@ -23,8 +23,7 @@
#include "security/oc_cred_internal.h"
#ifdef __cplusplus
extern "C"
{
extern "C" {
#endif
int oc_certs_parse_CN_for_UUID(const mbedtls_x509_crt *cert,
......@@ -39,9 +38,8 @@ int oc_certs_serialize_chain_to_pem(const mbedtls_x509_crt *cert_chain,
int oc_certs_extract_public_key(const mbedtls_x509_crt *cert,
oc_string_t *public_key);
int oc_certs_validate_root_cert(const mbedtls_x509_crt *root_cert);
int oc_certs_validate_intermediate_cert(const mbedtls_x509_crt *int_cert);
int oc_certs_validate_non_end_entity_cert(const mbedtls_x509_crt *cert,
bool is_root, bool is_otm, int depth);
int oc_certs_validate_end_entity_cert(const mbedtls_x509_crt *ee_cert);
......
......@@ -1023,18 +1023,21 @@ verify_certificate(void *opq, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
oc_tls_peer_t *peer = (oc_tls_peer_t *)opq;
OC_DBG("verifying certificate at depth %d", depth);
if (depth > 0) {
if (oc_certs_validate_root_cert(crt) < 0) {
if (oc_certs_validate_intermediate_cert(crt) < 0) {
/* For D2D handshakes involving identity certificates:
* Find a trusted root that matches the peer's root and store it
* as context accompanying the identity certificate. This is queried
* after validating the end-entity certificate to authorize the
* the peer per the OCF Specification. */
oc_x509_crt_t *id_cert = get_identity_cert_for_session(&peer->ssl_conf);
oc_sec_pstat_t *ps = oc_sec_get_pstat(peer->endpoint.device);
if (oc_certs_validate_non_end_entity_cert(crt, true, ps->s == OC_DOS_RFOTM,
depth) < 0) {
if (oc_certs_validate_non_end_entity_cert(
crt, false, ps->s == OC_DOS_RFOTM, depth) < 0) {
OC_ERR("failed to verify root or intermediate cert");
return -1;
}
} else {
/* For D2D handshakes involving identity certificates:
* Find a trusted root that matches the peer's root and store it
* as context accompanying the identity certificate. This is queried
* after validating the end-entity certificate to authorize the
* the peer per the OCF Specification. */
oc_x509_crt_t *id_cert = get_identity_cert_for_session(&peer->ssl_conf);
if (id_cert && id_cert->cred->credusage == OC_CREDUSAGE_IDENTITY_CERT) {
oc_x509_cacrt_t *ca_cert = (oc_x509_cacrt_t *)oc_list_head(ca_certs);
while (ca_cert) {
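Review bot: `ps->s` is dereferenced in both oc_certs_validate_non_end_entity_cert() calls without checking the pointer returned by `oc_sec_get_pstat(peer->endpoint.device)`. If that lookup can return NULL for a device (its definition is not visible here), the verify callback faults in the middle of a handshake initiated by a remote peer. A guard such as `if (!ps) { return -1; }` placed before `if (depth > 0)` makes the callback fail closed. Computing `bool is_otm = (ps->s == OC_DOS_RFOTM);` once would also make the root-then-intermediate fallback easier to read. verify_certificate continues past the end of the hunk.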
......
......@@ -45,6 +45,7 @@ function isC() {
# from this script returns failure. The diff command should return failure
# every time the output from clang-format is different than the input file.
failures=0
fail_filelist=""
trap 'failures=$((failures+1))' ERR
echo "***********************************************************************"
......@@ -62,6 +63,9 @@ for f in $filelist; do
# the '-' at the end of the diff will cause the diff command to use the
# output from clang-format as part of the diff input.
clang-format -style=file ${f} | diff -u --color=auto ${f} -
if [ $? -ne 0 ]; then
fail_filelist+="${f} "
fi
fi
done
......@@ -75,18 +79,16 @@ else
# just print all of the C/C++ files. Even if the user runs a command on a file
# that does not need to be change it will leave the file unchanged.
echo "***********************************************************************"
echo "Found $failures file(s) with BAD formating!"
echo "Found $failures file(s) with BAD formatting!"
echo ""
echo "Please update the files formating."
echo "Please update the files formatting."
echo ""
echo "This can be done automatically by running the following commands from"
echo "the top directory of iotivity-lite project"
echo ""
echo " cp tools/_clang-format _clang-format"
for f in $filelist; do
if isC $f; then
for f in $fail_filelist; do
echo " clang-format -style=file -i ${f}"
fi
done
echo ""
echo "The format tool can be added to git's pre-commit hook using the"
......