Merge branch 'master' into iot-1785 09/17709/3
authorKevin Kane <kkane@microsoft.com>
Mon, 6 Mar 2017 23:06:02 +0000 (15:06 -0800)
committerKevin Kane <kkane@microsoft.com>
Mon, 6 Mar 2017 23:06:02 +0000 (15:06 -0800)
Change-Id: I387fe3c1c6dace44fa25a22c999ec6498576a8d8
Signed-off-by: Kevin Kane <kkane@microsoft.com>
1  2 
resource/csdk/connectivity/api/cacommon.h
resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
resource/csdk/security/SConscript

@@@ -2014,75 -2054,62 +2050,96 @@@ CAResult_t CAdecryptSsl(const CASecureE
              if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
                  MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
              {
 -                char uuid[UUID_LENGTH * 2 + 5] = {0};
 -                void * uuidPos = NULL;
 -                void * userIdPos = NULL;
                  const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
 +                const mbedtls_x509_name * name = NULL;
                  ret = (NULL == peerCert ? -1 : 0);
-                 SSL_CHECK_FAIL(peer, ret, "Failed to retrieve cert", 1,
-                                             CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_NO_CERT);
+                 if (!checkSslOperation(peer,
+                                        ret,
+                                        "Failed to retrieve cert",
+                                        MBEDTLS_SSL_ALERT_MSG_NO_CERT))
+                 {
+                     oc_mutex_unlock(g_sslContextMutex);
+                     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+                     return CA_STATUS_FAILED;
+                 }
 -                uuidPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
 -                                                 UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
  
 -                if (NULL != uuidPos)
 +                /* Find the CN component of the subject name. */
 +                for (name = &peerCert->subject; NULL != name; name = name->next)
                  {
 -                    memcpy(uuid, (char*) uuidPos + sizeof(UUID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
 -                    OIC_LOG_V(DEBUG, NET_SSL_TAG, "certificate uuid string: %s" , uuid);
 -                    ret = (OCConvertStringToUuid(uuid, peer->sep.identity.id)) ? 0 : -1;
 -                    if (!checkSslOperation(peer,
 -                                           ret,
 -                                           "Failed to convert subject",
 -                                           MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
 +                    if (!name->oid.p)
                      {
 -                        oc_mutex_unlock(g_sslContextMutex);
 -                        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
 -                        return CA_STATUS_FAILED;
 +                        continue;
                      }
 -                }
 -                else
 -                {
 -                    OIC_LOG(WARNING, NET_SSL_TAG, "uuid not found");
 -                }
  
 -                userIdPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
 -                                             USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
 -                if (NULL != userIdPos)
 -                {
 -                    memcpy(uuid, (char*) userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
 -                    ret = (OCConvertStringToUuid(uuid, peer->sep.userId.id)) ? 0 : -1;
 -                    if (!checkSslOperation(peer,
 -                                           ret,
 -                                           "Failed to convert subject alt name",
 -                                           MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
 +                    if ((name->oid.len < MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN) ||
 +                        (0 != memcmp(MBEDTLS_OID_AT_CN, name->oid.p, name->oid.len))))
                      {
 -                        oc_mutex_unlock(g_sslContextMutex);
 -                        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
 -                        return CA_STATUS_FAILED;
 +                        continue;
                      }
                  }
 +
 +                if (NULL == name)
 +                {
 +                    OIC_LOG(WARNING, NET_SSL_TAG, "no CN RDN found in subject name");
 +                }
                  else
                  {
 -                    OIC_LOG(WARNING, NET_SSL_TAG, "Subject alternative name not found");
 +                    const size_t uuidBufLen = UUID_STRING_SIZE - 1;
 +                    char uuid[UUID_STRING_SIZE] = { 0 };
 +                    const unsigned char * uuidPos = NULL;
 +                    const unsigned char * userIdPos = NULL;
 +
 +                    uuidPos = (const unsigned char*)memmem(name->val.p, name->val.len,
 +                                                           UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
 +
 +                    /* If UUID_PREFIX is present, ensure there's enough data for the prefix plus an entire
 +                     * UUID, to make sure we don't read past the end of the buffer.
 +                     */
 +                    if ((NULL != uuidPos) && 
 +                        (name->val.len >= ((uuidPos - name->val.p) + (sizeof(UUID_PREFIX) - 1) + uuidBufLen)))
 +                    {
 +                        memcpy(uuid, uuidPos + sizeof(UUID_PREFIX) - 1, uuidBufLen);
 +                        OIC_LOG_V(DEBUG, NET_SSL_TAG, "certificate uuid string: %s", uuid);
 +                        ret = (OCConvertStringToUuid(uuid, peer->sep.identity.id)) ? 0 : -1;
-                         SSL_CHECK_FAIL(peer, ret, "Failed to convert subject", 1,
-                                        CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
++                        if (!checkSslOperation(peer,
++                                               ret,
++                                               "Failed to convert subject",
++                                               MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
++                        {
++                            oc_mutex_unlock(g_sslContextMutex);
++                            OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
++                            return CA_STATUS_FAILED;
++                        }
 +                    }
 +                    else
 +                    {
 +                        OIC_LOG(WARNING, NET_SSL_TAG, "uuid not found");
 +                    }
 +
 +                    /* If USERID_PREFIX is present, ensure there's enough data for the prefix plus an entire
 +                     * UUID, to make sure we don't read past the end of the buffer.
 +                     */
 +                    userIdPos = (const unsigned char*)memmem(name->val.p, name->val.len,
 +                                                             USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
 +                    if ((NULL != userIdPos) &&
 +                        (name->val.len >= ((userIdPos - name->val.p) + (sizeof(USERID_PREFIX) - 1) + uuidBufLen)))
 +                    {
 +                        memcpy(uuid, userIdPos + sizeof(USERID_PREFIX) - 1, uuidBufLen);
 +                        ret = (OCConvertStringToUuid(uuid, peer->sep.userId.id)) ? 0 : -1;
-                         SSL_CHECK_FAIL(peer, ret, "Failed to convert subject alt name", 1,
-                                        CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
++                        if (!checkSslOperation(peer,
++                                               ret,
++                                               "Failed to convert subject alt name",
++                                               MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
++                        {
++                            oc_mutex_unlock(g_sslContextMutex);
++                            OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
++                            return CA_STATUS_FAILED;
++                        }
 +                    }
 +                    else
 +                    {
 +                        OIC_LOG(WARNING, NET_SSL_TAG, "Subject alternative name not found");
 +                    }
                  }
              }
  
Simple merge