[IOT-3296] Disable CertificateRequest at MFG OTM 89/29689/4
authorAleksey Volkov <a.volkov@samsung.com>
Wed, 14 Aug 2019 05:59:07 +0000 (08:59 +0300)
committerNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Mon, 9 Sep 2019 17:22:58 +0000 (17:22 +0000)
Signed-off-by: Aleksey Volkov <a.volkov@samsung.com>
Change-Id: Icb28ab66596890ac22e292bc4a51bf9a1bc90a6a

resource/csdk/connectivity/api/casecurityinterface.h
resource/csdk/connectivity/inc/ca_adapter_net_ssl.h
resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
resource/csdk/connectivity/src/caconnectivitymanager.c
resource/csdk/connectivity/test/ssladapter_test.cpp
resource/csdk/security/src/credresource.c
resource/csdk/security/src/doxmresource.c
resource/csdk/security/src/secureresourcemanager.c

index 699746a..5c4be77 100644 (file)
@@ -272,6 +272,17 @@ CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapt
  */
 CAResult_t CAEnableAnonECDHCipherSuite(const bool enable);
 
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+/**
+ * Set the TLS certificate verification mode
+ *
+ * @param[in] enable  TRUE/FALSE enables/disables peer certificate checking.
+ *
+ * @retval  ::CA_STATUS_OK    Successful.
+ * @retval  ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CASetCertificateRequest(const bool enable);
+#endif
 
 /**
  * Generate ownerPSK using PRF.
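Review bot: The doc comment on `CASetCertificateRequest` does not say which side of the connection it affects, and its `@retval` list is incomplete. In this commit `CAsetTlsAuthMode` only changes `serverTlsConf` and `serverDtlsConf`, and it returns `CA_STATUS_NOT_INITIALIZED` when the SSL context is missing. I would reword the brief to `Enable or disable requesting and verifying the client certificate on server-side (D)TLS handshakes; the setting is process-wide` and add `@retval ::CA_STATUS_NOT_INITIALIZED SSL context is not initialized.` The same applies to the `CAsetTlsAuthMode` comment in ca_adapter_net_ssl.h.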
index 081e704..d0b1e99 100644 (file)
@@ -58,6 +58,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint,
  */
 CAResult_t CAsetTlsCipherSuite(const uint32_t cipher);
 
+/**
+ * Set the TLS certificate verification mode
+ *
+ * @param[in] enable  TRUE/FALSE enables/disables peer certificate checking.
+ *
+ * @retval  ::CA_STATUS_OK    Successful.
+ * @retval  ::CA_STATUS_FAILED Operation failed.
+ */
+CAResult_t CAsetTlsAuthMode(const bool enable);
+
 /**
  * Used set send,recv and error callbacks for different adapters(WIFI,EtherNet).
  *
index 80f76a9..1a20a07 100644 (file)
@@ -2329,32 +2329,36 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
                                                  sizeof(sep->endpoint.addr));
             ret = mbedtls_ssl_handshake_step(&peer->ssl);
         }
-        uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
-        if (0 != flags)
+
+        if (peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
         {
-            size_t bufSize = 1024;
-            char *bufMsg = (char*)OICCalloc(1, bufSize);
-            if (bufMsg)
-            {
-                mbedtls_x509_crt_verify_info(bufMsg, bufSize, "", flags);
-                OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X): %s", __func__, flags, bufMsg);
-                OICFree(bufMsg);
-            }
-            else
+            uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
+            if (0 != flags)
             {
-                OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X)", __func__, flags);
-            }
+                size_t bufSize = 1024;
+                char *bufMsg = (char*)OICCalloc(1, bufSize);
+                if (bufMsg)
+                {
+                    mbedtls_x509_crt_verify_info(bufMsg, bufSize, "", flags);
+                    OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X): %s", __func__, flags, bufMsg);
+                    OICFree(bufMsg);
+                }
+                else
+                {
+                    OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: session verification(%X)", __func__, flags);
+                }
 
-            OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
+                OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
 
-            if (!checkSslOperation(peer,
-                                   (int)flags,
-                                   "Cert verification failed",
-                                   GetAlertCode(flags)))
-            {
-                oc_mutex_unlock(g_sslContextMutex);
-                OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
-                return CA_STATUS_FAILED;
+                if (!checkSslOperation(peer,
+                                       (int)flags,
+                                       "Cert verification failed",
+                                       GetAlertCode(flags)))
+                {
+                    oc_mutex_unlock(g_sslContextMutex);
+                    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+                    return CA_STATUS_FAILED;
+                }
             }
         }
         if (!checkSslOperation(peer,
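Review bot: The new `peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE` guard has no comment saying why a finished handshake may skip the verify-result check, and it reads the shared live config rather than a per-peer value. `CAsetTlsAuthMode` changes that config for every server session, so a handshake that spans several `CAdecryptSsl` calls could apparently start under one mode and be checked under the other. I would add `/* authmode NONE (MFG OTM): no client certificate is requested, so the verify result is not meaningful and the peer is not certificate-authenticated */` above the `if`. Reading `ssl.conf->authmode` directly also ties the code to the mbedtls struct layout. The body of `CAdecryptSsl` starts and ends outside this hunk.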
@@ -2421,7 +2425,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, size_t dat
             int selectedCipher = peer->ssl.session->ciphersuite;
             OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher);
             if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
-                MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
+                MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher &&
+                peer->ssl.conf->authmode != MBEDTLS_SSL_VERIFY_NONE)
             {
                 const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
                 const mbedtls_x509_name * name = NULL;
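Review bot: With `authmode` set to `MBEDTLS_SSL_VERIFY_NONE` the added condition skips the whole peer-certificate branch even when a certificate ciphersuite was negotiated, so whatever that branch derives from `peerCert` is never set for the session. The rest of the branch lies outside the hunk, so what the peer identity defaults to cannot be seen here. It is worth confirming that later access decisions treat such a session as unauthenticated rather than reusing a stale or empty identity. A short comment on the added line would help, e.g. `/* client certificate was not requested: nothing to extract, peer stays unauthenticated */`.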
@@ -2748,6 +2753,37 @@ CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
     return CA_STATUS_OK;
 }
 
+CAResult_t CAsetTlsAuthMode(const bool enable)
+{
+    OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+    oc_mutex_lock(g_sslContextMutex);
+
+    if (NULL == g_caSslContext)
+    {
+        OIC_LOG(ERROR, NET_SSL_TAG, "SSL context is not initialized.");
+        oc_mutex_unlock(g_sslContextMutex);
+        return CA_STATUS_NOT_INITIALIZED;
+    }
+
+#ifdef __WITH_TLS__
+        mbedtls_ssl_conf_authmode(&g_caSslContext->serverTlsConf
+                                 , enable ? MBEDTLS_SSL_VERIFY_REQUIRED
+                                          : MBEDTLS_SSL_VERIFY_NONE);
+#endif
+#ifdef __WITH_DTLS__
+        mbedtls_ssl_conf_authmode(&g_caSslContext->serverDtlsConf
+                                 , enable ? MBEDTLS_SSL_VERIFY_REQUIRED
+                                          : MBEDTLS_SSL_VERIFY_NONE);
+
+#endif
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Certificate check is : %s", enable ? "enabled":"disabled");
+
+    oc_mutex_unlock(g_sslContextMutex);
+    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+    return CA_STATUS_OK;
+}
+
+
 CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint)
 {
     CAResult_t res = CA_STATUS_OK;
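Review bot: `CAsetTlsAuthMode` records the switch to `MBEDTLS_SSL_VERIFY_NONE` only at DEBUG level, so a build without debug logging leaves no trace that client certificate checking was turned off for all server sessions. I would log the disabling case at a higher level, e.g. `if (!enable) { OIC_LOG(WARNING, NET_SSL_TAG, "Client certificate check disabled for server (D)TLS"); }`. The function also has no doc comment at its definition, and one stating that only the server configs are touched and that the change is process-wide would save readers a trip to the header. The two `mbedtls_ssl_conf_authmode` calls and the log line are indented one level deeper than the rest of the body, which reads as if they sat inside a block.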
index de731e5..3037894 100644 (file)
@@ -568,6 +568,22 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable)
     return res;
 }
 
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+CAResult_t CASetCertificateRequest(const bool enable)
+{
+    OIC_LOG_V(DEBUG, TAG, "IN %s", __func__);
+    CAResult_t res = CA_STATUS_FAILED;
+
+    res = CAsetTlsAuthMode(enable);
+    if (CA_STATUS_OK != res)
+    {
+        OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuiteAuthMode : %d", res);
+    }
+    OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
+    return res;
+}
+#endif
+
 CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t* endpoint,
                     const uint8_t* label, const size_t labelLen,
                     const uint8_t* rsrcServerDeviceID, const size_t rsrcServerDeviceIDLen,
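Review bot: The error message in `CASetCertificateRequest` names `CAsetTlsCipherSuiteAuthMode`, a function that does not appear in this commit; the call that failed is `CAsetTlsAuthMode`. Anyone searching logs for the failing call will not find it, so I would change the line to `OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsAuthMode : %d", res);`. The initial `CA_STATUS_FAILED` assigned to `res` is overwritten on the next statement and could be folded into `CAResult_t res = CAsetTlsAuthMode(enable);`.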
index d291527..6410ac0 100644 (file)
@@ -51,6 +51,8 @@
 #define CAsetPeerCNVerifyCallback CAsetPeerCNVerifyCallbackTest
 #define CAsetCloseSslConnectionCallback CAsetCloseSslConnectionCallbackTest
 #define CAcleanupSslAdapter CAcleanupSslAdapterTest
+#define CAsetTlsAuthMode CAsetTlsAuthModeTest
+
 
 #include "../src/adapter_util/ca_adapter_net_ssl.c"
 
index fd21d05..337aab3 100644 (file)
@@ -2304,7 +2304,8 @@ static OCEntityHandlerResult HandleNewCredential(OCEntityHandlerRequest *ehReque
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
                         if(CA_STATUS_OK != CAregisterPkixInfoHandler(GetPkixInfo)
                             || CA_STATUS_OK != CAregisterIdentityHandler(GetIdentityHandler)
-                            || CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList))
+                            || CA_STATUS_OK != CAregisterGetCredentialTypesHandler(InitCipherSuiteList)
+                            || CA_STATUS_OK != CASetCertificateRequest(true))
                         {
                             OIC_LOG(ERROR, TAG, "Failed to revert TLS default handlers.");
                             ret = OC_EH_ERROR;
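Review bot: `CASetCertificateRequest(true)` is the last operand of the `||` chain, so it is not evaluated when any of the three handler registrations before it fails, and client certificate verification stays disabled on exactly the error path. Restoring verification should not depend on the other reverts succeeding. I would make the call first and test its result in the chain: `CAResult_t certRes = CASetCertificateRequest(true);` before the `if`, then `|| CA_STATUS_OK != certRes` as the final operand. `HandleNewCredential` starts and ends outside this hunk, so I can't tell whether another path also restores the mode.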
index 8efd714..a59d182 100644 (file)
@@ -1523,6 +1523,7 @@ OCEntityHandlerResult HandleDoxmPostRequestMfg(OicSecDoxm_t *newDoxm,
         VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterIdentityHandler(NULL), ERROR);
         VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(
                            InitManufacturerCipherSuiteList), ERROR);
+        VERIFY_SUCCESS(TAG, CA_STATUS_OK == CASetCertificateRequest(false), ERROR);
 exit:
     OIC_LOG_V(DEBUG, TAG, "%s: OUT", __func__);
     return ehRet;
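Review bot: `CASetCertificateRequest(false)` turns off client certificate verification for every server-side (D)TLS session, not only the MFG OTM peer. In the hunks of this commit the only places that turn it back on are the success path in `HandleNewCredential` and `SRMInitSecureResources`. If ownership transfer is abandoned, times out or fails before a credential is posted, the stack appears to keep running with verification off until it is re-initialised. I would call `CASetCertificateRequest(true)` wherever the OTM session is reset or torn down, and add a comment here such as `/* temporary: must be re-enabled on every OTM exit path */`. The surrounding function is only partly visible, so an existing reset path may already cover this.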
index 049ab3d..15b9cb6 100644 (file)
@@ -489,6 +489,10 @@ OCStackResult SRMInitSecureResources(void)
     {
         OIC_LOG_V(WARNING, TAG, "%s : CAregisterGetCredentialTypesHandler failed!", __func__);
     }
+    if (CA_STATUS_OK != CASetCertificateRequest(true))
+    {
+        OIC_LOG_V(WARNING, TAG, "%s : CASetCertificateRequest failed!", __func__);
+    }
     CAregisterSslDisconnectCallback(DeleteRolesCB);
 #endif // __WITH_DTLS__ or __WITH_TLS__
     return ret;
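Review bot: A failure of `CASetCertificateRequest(true)` is only logged at WARNING and leaves `ret` unchanged, so `SRMInitSecureResources` can report success without the verification mode having been set. That matches the sibling handler registrations above, but this call controls whether clients are authenticated by certificate, so a silent failure is harder to justify. Per `CAsetTlsAuthMode` in this commit the visible failure cause is an uninitialised SSL context; if that can happen at this point in start-up the warning will fire on every run and the mode is never explicitly set. I would at least log at ERROR and add `/* fails with CA_STATUS_NOT_INITIALIZED if the SSL adapter is not up yet */`, or move the call to after the adapter is initialised.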