1. 01 Feb, 2019 3 commits
  2. 31 Jan, 2019 6 commits
  3. 29 Jan, 2019 1 commit
  4. 25 Jan, 2019 1 commit
  5. 24 Jan, 2019 8 commits
  6. 09 Jan, 2019 2 commits
  7. 07 Jan, 2019 8 commits
  8. 31 Dec, 2018 8 commits
    • Set encrypt flag for Zephyr port. · b475c8f7
      Jaehyun Cho authored
      For secure messages, encrypted flag in oc_message_t
      should be set.
      
      Change-Id: I32671bbc9d715db6d2d8c34408ac83441ebd9565
      Signed-off-by: Jaehyun Cho <jaehyun3.cho@samsung.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27699
      Tested-by: IoTivity Jenkins <jenkins-daemon@iotivity.org>
      Reviewed-by: Taehwa Kang <teo@vinetech.co.kr>
      Reviewed-by: Kishen Maloor <kishen.maloor@intel.com>
    • oc_obt: bug fix in owned/unowned discovery · c9024ce1
      Kishen Maloor authored
      Fix logic to refresh endpoints of known owned/unowned devices
      upon every discovery call. While owned/unowned devices are cached internally
      in oc_obt, previously their endpoints were not refreshed on subsequent
      re-discovery. As a result, a device that was momentarily offline and
      got back online during a single run of an OBT wouldn't have a
      chance to provide its new endpoints to the OBT, and hence the OBT couldn't
      access it until it was itself restarted. This has been fixed.
      
      Change-Id: Ia2973cab6cf24164cb30de28136d34d3044219f9
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27807
    • Fix oc_sp to reflect mfg defaults in sp resource · d85abe4a
      Kishen Maloor authored
      Change-Id: I6ce8b32223e1f72af4aee11e51cbc73a5a3dddc9
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27806
    • oc_pstat:free all asserted roles on server RESET · 5f2d1501
      Kishen Maloor authored
      Change-Id: I79c3fc5f8d4abff901f01b2af3ae271708a6c4af
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27805
    • Update oc_tls and other minor updates · 254a00b8
      Kishen Maloor authored
      * Added logic to free all roles bound to a (D)TLS session when
      the session is closed. This is Server-side logic for a (D)TLS
      session with a Client and applies to all roles that were asserted
      by that Client during the session.
      * Added internal API to check if an ongoing (D)TLS session was
      established using a PSK credential. When this function returns
      false, it implies that the session was authenticated using an identity
      certificate chain.
      
      Change-Id: Ic5c3640ba2547702fabfad4988a793653afba61a
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27803
    • oc_acl:role-based access control via role certs · cb964713
      Kishen Maloor authored
      This change adds logic to oc_sec_check_acl() to inspect all
      roles currently asserted by a Client while determining its
      permissions to access a resource.
      
      Each role certificate is first checked for its validity at present.
      If found to be invalid, it is immediately removed from /oic/sec/roles.
      If found to be valid, oc_acl searches the ACL for ACEs bearing a
      matching roleId and authority, and obtains its permissions to factor
      into the consolidated permissions mask. Processing continues until all
      asserted roles have been checked.
      
      Change-Id: I0d164ebcc00d6f16ab0f53464408ec9ef2386ce8
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27804
    • oc_roles:support /oic/sec/roles & role assertion · 607319ee
      Kishen Maloor authored
      This change adds support for the /oic/sec/roles resource on Servers
      for role-based access-control using role certificates, as well as Client
      hooks and APIs to assert roles provisioned to it.
      
      As /oic/sec/roles shares its schema in large part with /oic/sec/cred,
      oc_cred has been updated so its GET/POST/DELETE handlers may also be
      used to service requests to /oic/sec/roles. With an awareness of which
      of the two resources is being currently handled, some logic
      has been added to oc_cred to perform the appropriate actions for each
      resource type. This enables reuse of existing code and flows for parsing
      requests to /oic/sec/cred for /oic/sec/roles, and checking for credid
      uniqueness, while accounting for minor behavioral differences.
      
      oc_sec_cred_t objects are however recorded separately for the two
      resources and oc_roles stores all roles (in oc_sec_cred_t objects) asserted
      via requests to /oic/sec/roles. Also, the encoding function for the
      /oic/sec/roles response representation is separate from that of /oic/sec/cred.
      
      oc_roles provides internal APIs for managing role assertions
      on the Server-side and to help assert roles on the Client-side.
      
      On the Server-side, all roles asserted by various Clients are
      indexed by (D)TLS session in oc_roles. As all asserted roles must be valid
      when they're used for role-based access-control, the Server-side
      stores a parsed role certificate for each role asserted in an
      associated mbedTLS object in memory which may be directly queried for
      a validity check by the access-control flow at the time of handling a
      Client request to a resource. A new void* parameter has been added to
      oc_sec_cred_t to store a handle to this mbedtls_x509_crt object.
      oc_roles automatically frees these mbedtls_x509_crt objects
      for role certificates when the role is freed.
      
      On the Client-side, oc_roles tracks all roles provisioned to
      the Client in its /oic/sec/cred resource by the OBT/CMS for its use. It
      provides APIs for a Client to list all roles available to it, and for
      asserting a role to a Server via a request to /oic/sec/roles.
      
      Change-Id: Id25dbc767141da06f65a46fad1a740da2633d15e
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27802
    • oc_certs:parse role cert,fix cert path validation · 1cefb4bf
      Kishen Maloor authored
      * Added internal APIs to parse and validate role certificates.
      The parsing function is invoked in Servers when a Client asserts
      a role by directing a role certificate to the /oic/sec/roles resource
      in the Server.
      The validation function is invoked in Servers both from
      the parsing function and from the access-control flow when a Server is
      determining a Client's permissions by inspecting all roles currently
      asserted by that Client.
      
      * Added internal API to obtain the public key from a DER/PEM
      encoded certificate provided as input. The primary use of this API is
      to confirm that a Client is asserting a role using a certificate
      that was issued to the Client by the OBT/CMS. This is determined by
      comparing the public key of the role (end-entity) certificate and
      the public key of the identity certificate used by the Client to
      authenticate the current (D)TLS session, and checking that they match.
      
      * Updated the root/intermediate certificate validation functions to
      make the Digital Signature bit an optional key_usage.
      
      * Updated internal APIs for validating root/intermediate/end-entity/role
      certificates to accept a const (mbedtls_x509_crt *) parameter.
      
      Change-Id: I0bb5f4fa2ceca20b5c838bad9ea73eee57fc46c9
      Signed-off-by: Kishen Maloor <kishen.maloor@intel.com>
      Reviewed-on: https://gerrit.iotivity.org/gerrit/27801
  9. 14 Dec, 2018 3 commits