1 /******************************************************************
3 * Copyright 2016 Samsung Electronics All Rights Reserved.
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 ******************************************************************/
22 #include "iotivity_config.h"
28 #include "ca_adapter_net_ssl.h"
30 #include "caipinterface.h"
31 #include "oic_malloc.h"
33 #include "byte_array.h"
37 // headers required for mbed TLS
38 #include "mbedtls/platform.h"
39 #include "mbedtls/ssl.h"
40 #include "mbedtls/entropy.h"
41 #include "mbedtls/ctr_drbg.h"
42 #include "mbedtls/pkcs12.h"
43 #include "mbedtls/ssl_internal.h"
44 #include "mbedtls/net_sockets.h"
46 #include "mbedtls/timing.h"
47 #include "mbedtls/ssl_cookie.h"
50 #if !defined(NDEBUG) || defined(TB_LOG)
51 #include "mbedtls/debug.h"
52 #include "mbedtls/version.h"
55 #ifdef HAVE_SYS_TYPES_H
56 #include <sys/types.h>
58 #ifdef HAVE_SYS_STAT_H
70 * @def MBED_TLS_VERSION_LEN
71 * @brief mbedTLS version string length
73 #define MBED_TLS_VERSION_LEN (16)
75 * @def PERSONALIZATION_STRING
76 * @brief Personalization string for the mbedtls RNG
78 #define PERSONALIZATION_STRING "IOTIVITY_RND"
81 * @brief uuid prefix in certificate subject field
83 #define UUID_PREFIX "uuid:"
86 * @brief userid prefix in certificate alternative subject name field
88 #define USERID_PREFIX "userid:"
92 * @brief Logging tag for module name
94 #define NET_SSL_TAG "OIC_CA_NET_SSL"
97 * @brief Logging tag for mbedTLS library
99 #define MBED_TLS_TAG "MBED_TLS"
101 * @def MMBED_TLS_DEBUG_LEVEL
102 * @brief Logging level for mbedTLS library
104 #define MBED_TLS_DEBUG_LEVEL (4)
107 * @def TLS_MSG_BUF_LEN
108 * @brief Buffer size for TLS record. A single TLS record may be up to 16384 octets in length
111 #define TLS_MSG_BUF_LEN (16384)
114 * @brief PSK keys max length
116 #define PSK_LENGTH (256/8)
118 * @def UUID_LENGTHPSK_LENGTH
119 * @brief Identity max length
121 #define UUID_LENGTH (128/8)
123 * @def MASTER_SECRET_LEN
124 * @brief TLS master secret length
126 #define MASTER_SECRET_LEN (48)
129 * @brief TLS client and server random bytes length
131 #define RANDOM_LEN (32)
133 * @def SHA384_MAC_KEY_LENGTH
134 * @brief MAC key length for SHA384 cipher suites
136 #define SHA384_MAC_KEY_LENGTH (48)
138 * @def SHA256_MAC_KEY_LENGTH
139 * @brief MAC key length for SHA256 cipher suites
141 #define SHA256_MAC_KEY_LENGTH (32)
143 * @def CCM_MAC_KEY_LENGTH
144 * @brief MAC key length for CCM cipher suites
146 #define CCM_MAC_KEY_LENGTH (0)
148 * @def AES256_KEY_LENGTH
149 * @brief key material length for AES256 cipher suites
151 #define AES256_KEY_LENGTH (32)
153 * @def AES128_KEY_LENGTH
154 * @brief key material length for AES128 cipher suites
156 #define AES128_KEY_LENGTH (16)
159 * @brief length of nonce for GCM cipher suites
161 #define GCM_IV_LENGTH (12)
164 * @brief length of nonce for CCM cipher suites
166 #define CCM_IV_LENGTH (4)
169 * @brief length of nonce for CBC cipher suites
171 #define CBC_IV_LENGTH (0)
174 * @var RETRANSMISSION_TIME
175 * @brief Maximum timeout value (in seconds) to start DTLS retransmission.
177 #define RETRANSMISSION_TIME 1
179 /**@def SSL_CLOSE_NOTIFY(peer, ret)
181 * Notifies of existing \a peer about closing TLS connection.
183 * @param[in] peer remote peer
184 * @param[in] ret used internaly
186 #define SSL_CLOSE_NOTIFY(peer, ret) \
189 (ret) = mbedtls_ssl_close_notify(&(peer)->ssl); \
190 } while (MBEDTLS_ERR_SSL_WANT_WRITE == (ret))
192 /**@def SSL_RES(peer, status)
194 * Sets SSL result for callback.
196 * @param[in] peer remote peer
198 #define SSL_RES(peer, status) \
201 CAErrorInfo_t errorInfo; \
202 errorInfo.result = (status); \
203 g_sslCallback(&(peer)->sep.endpoint, &errorInfo); \
205 /**@def SSL_CHECK_FAIL(peer, ret, str, mutex, error, msg)
207 * Checks handshake result and send alert if needed.
209 * @param[in] peer remote peer
210 * @param[in] ret error code
211 * @param[in] str debug string
212 * @param[in] mutex ca mutex
213 * @param[in] if code does not equal to -1 returns error code
214 * @param[in] msg allert message
216 #define SSL_CHECK_FAIL(peer, ret, str, mutex, error, msg) \
217 if (0 != (ret) && MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY != (int) (ret) && \
218 MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED != (int) (ret) && \
219 MBEDTLS_ERR_SSL_WANT_READ != (int) (ret) && \
220 MBEDTLS_ERR_SSL_WANT_WRITE != (int) (ret) && \
221 MBEDTLS_ERR_SSL_NON_FATAL != (int) (ret) && \
222 MBEDTLS_SSL_ALERT_MSG_USER_CANCELED != (int) (ret) && \
223 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION != (int) (ret) && \
224 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT != (int) (ret) && \
225 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY != (int) (ret) && \
226 MBEDTLS_SSL_ALERT_MSG_NO_CERT != (int) (ret) && \
227 MBEDTLS_SSL_ALERT_MSG_BAD_CERT != (int) (ret) && \
228 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT != (int) (ret) && \
229 MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED != (int) (ret) && \
230 MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED != (int) (ret) && \
231 MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN != (int) (ret) && \
232 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK != (int) (ret) && \
233 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME != (int) (ret) && \
234 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY != (int) (ret) && \
235 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL != (int) (ret)) \
237 OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: -0x%x", (str), -(ret)); \
238 if ((int) MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE != (int) (ret) && \
239 (int) MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO != (int) (ret)) \
241 mbedtls_ssl_send_alert_message(&(peer)->ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, (msg)); \
243 RemovePeerFromList(&(peer)->sep.endpoint); \
246 oc_mutex_unlock(g_sslContextMutex); \
248 if ((int) MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO != (int)(ret)) \
250 SSL_RES((peer), CA_DTLS_AUTHENTICATION_FAILURE); \
252 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); \
258 /**@def CONF_SSL(clientConf, serverConf, fn, ...)
260 * Calls \a fn for \a clientConf and \a serverConf.
263 #define CONF_SSL(clientConf, serverConf, fn, ...) do { \
264 fn((clientConf), __VA_ARGS__); \
265 fn((serverConf), __VA_ARGS__); \
268 /** @def CHECK_MBEDTLS_RET(f, ...)
269 * A macro that checks \a f function return code
271 * If function returns error code it goes to error processing.
273 * **IMPORTANT:** Any time CHECK_MBEDTLS_RET is used an `exit:` goto label must
274 * be present to handle error processing.
276 * @param[in] f Function to call
278 #define CHECK_MBEDTLS_RET(f, ...) do { \
279 int ret = (f)(__VA_ARGS__); \
281 OIC_LOG_V(ERROR, NET_SSL_TAG, "%s returned -0x%04x\n", __func__, -(ret)); \
287 SSL_RSA_WITH_AES_256_CBC_SHA256,
288 SSL_RSA_WITH_AES_128_GCM_SHA256,
289 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
290 SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8,
291 SSL_ECDHE_ECDSA_WITH_AES_128_CCM,
292 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
293 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
294 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
295 SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
296 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
297 SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256,
303 ADAPTER_CURVE_SECP256R1,
307 static const int tlsCipher[SSL_CIPHER_MAX][2] =
309 {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, 0},
310 {MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, 0},
311 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
312 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 0},
313 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0},
314 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0},
315 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0},
316 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0},
317 {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0},
318 {MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0},
319 {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0}
322 static int g_cipherSuitesList[SSL_CIPHER_MAX];
324 mbedtls_ecp_group_id curve[ADAPTER_CURVE_MAX][2] =
326 {MBEDTLS_ECP_DP_SECP256R1, MBEDTLS_ECP_DP_NONE}
329 static PkiInfo_t g_pkiInfo = {{NULL, 0}, {NULL, 0}, {NULL, 0}, {NULL, 0}};
336 static const CrtVerifyAlert_t crtVerifyAlerts[] = {
337 {MBEDTLS_X509_BADCERT_EXPIRED, MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED},
338 {MBEDTLS_X509_BADCERT_REVOKED, MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED},
339 {MBEDTLS_X509_BADCERT_CN_MISMATCH, MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN},
340 {MBEDTLS_X509_BADCERT_NOT_TRUSTED, MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA},
341 {MBEDTLS_X509_BADCRL_NOT_TRUSTED, MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA},
342 {MBEDTLS_X509_BADCRL_EXPIRED, MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY},
343 {MBEDTLS_X509_BADCERT_MISSING, MBEDTLS_SSL_ALERT_MSG_NO_CERT},
344 {MBEDTLS_X509_BADCERT_SKIP_VERIFY, MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY},
345 {MBEDTLS_X509_BADCERT_OTHER, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR},
346 {MBEDTLS_X509_BADCERT_FUTURE, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
347 {MBEDTLS_X509_BADCRL_FUTURE, MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY},
348 {MBEDTLS_X509_BADCERT_KEY_USAGE, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
349 {MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
350 {MBEDTLS_X509_BADCERT_NS_CERT_TYPE, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
351 {MBEDTLS_X509_BADCERT_BAD_MD, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
352 {MBEDTLS_X509_BADCERT_BAD_PK, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
353 {MBEDTLS_X509_BADCERT_BAD_KEY, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
354 {MBEDTLS_X509_BADCRL_BAD_MD, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
355 {MBEDTLS_X509_BADCRL_BAD_PK, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
356 {MBEDTLS_X509_BADCRL_BAD_KEY, MBEDTLS_SSL_ALERT_MSG_BAD_CERT},
360 static int GetAlertCode(uint32_t flags)
362 const CrtVerifyAlert_t *cur;
364 for (cur = crtVerifyAlerts; cur->alert != 0 ; cur++)
366 if (flags & cur->code)
374 #if !defined(NDEBUG) || defined(TB_LOG)
376 * Pass a message to the OIC logger.
378 * @param[in] ctx opaque context for the callback
379 * @param[in] level debug level
380 * @param[in] file file name
381 * @param[in] line line number
382 * @param[in] str message
384 static void DebugSsl(void *ctx, int level, const char *file, int line, const char *str)
391 char * temp = (char*) str;
392 size_t len = strlen(temp);
393 if (1 <= len && temp[len - 1] == '\n')
395 temp[len - 1] = '\0';
398 OIC_LOG_V(DEBUG, MBED_TLS_TAG, "%s", str);
403 * structure to holds the information of cache message and address info.
405 typedef ByteArray_t SslCacheMessage_t;
409 * Data structure for holding the send and recv callbacks.
411 typedef struct TlsCallBacks
413 CAPacketReceivedCallback recvCallback; /**< Callback used to send data to upper layer. */
414 CAPacketSendCallback sendCallback; /**< Callback used to send data to socket layer. */
418 * Data structure for holding the mbedTLS interface related info.
420 typedef struct SslContext
422 u_arraylist_t *peerList; /**< peer list which holds the mapping between
423 peer id, it's n/w address and mbedTLS context. */
424 mbedtls_entropy_context entropy;
425 mbedtls_ctr_drbg_context rnd;
427 mbedtls_x509_crt crt;
428 mbedtls_pk_context pkey;
430 mbedtls_ssl_config clientTlsConf;
431 mbedtls_ssl_config serverTlsConf;
432 mbedtls_ssl_config clientDtlsConf;
433 mbedtls_ssl_config serverDtlsConf;
436 SslCallbacks_t adapterCallbacks[MAX_SUPPORTED_ADAPTERS];
437 mbedtls_x509_crl crl;
448 * @var g_caSslContext
449 * @brief global context which holds tls context and cache list information.
451 static SslContext_t * g_caSslContext = NULL;
454 * @var g_getCredentialsCallback
455 * @brief callback to get TLS credentials (same as for DTLS)
457 static CAgetPskCredentialsHandler g_getCredentialsCallback = NULL;
459 * @var g_getCerdentilTypesCallback
460 * @brief callback to get different credential types from SRM
462 static CAgetCredentialTypesHandler g_getCredentialTypesCallback = NULL;
464 * @var g_getPkixInfoCallback
466 * @brief callback to get X.509-based Public Key Infrastructure
468 static CAgetPkixInfoHandler g_getPkixInfoCallback = NULL;
471 * @var g_dtlsContextMutex
472 * @brief Mutex to synchronize access to g_caSslContext.
474 static oc_mutex g_sslContextMutex = NULL;
478 * @brief callback to deliver the TLS handshake result
480 static CAErrorCallback g_sslCallback = NULL;
483 * Data structure for holding the data to be received.
485 typedef struct SslRecBuf
492 * Data structure for holding the data related to endpoint
495 typedef struct SslEndPoint
497 mbedtls_ssl_context ssl;
498 CASecureEndpoint_t sep;
499 u_arraylist_t * cacheList;
501 uint8_t master[MASTER_SECRET_LEN];
502 uint8_t random[2*RANDOM_LEN];
504 mbedtls_ssl_cookie_ctx cookieCtx;
505 mbedtls_timing_delay_context timer;
506 #endif // __WITH_DTLS__
509 void CAsetPskCredentialsCallback(CAgetPskCredentialsHandler credCallback)
511 // TODO Does this method needs protection of tlsContextMutex?
512 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
513 g_getCredentialsCallback = credCallback;
514 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
517 void CAsetPkixInfoCallback(CAgetPkixInfoHandler infoCallback)
519 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
520 g_getPkixInfoCallback = infoCallback;
521 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
523 void CAsetCredentialTypesCallback(CAgetCredentialTypesHandler credTypesCallback)
525 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
526 g_getCredentialTypesCallback = credTypesCallback;
527 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
530 static int GetAdapterIndex(CATransportAdapter_t adapter)
538 case CA_ADAPTER_GATT_BTLE:
541 OIC_LOG(ERROR, NET_SSL_TAG, "Unsupported adapter");
548 * @param[in] tep TLS endpoint
549 * @param[in] data message
550 * @param[in] dataLen message length
552 * @return message length or -1 on error.
554 static int SendCallBack(void * tep, const unsigned char * data, size_t dataLen)
556 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
557 VERIFY_NON_NULL_RET(tep, NET_SSL_TAG, "secure endpoint is NULL", -1);
558 VERIFY_NON_NULL_RET(data, NET_SSL_TAG, "data is NULL", -1);
559 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
560 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Data len: %zu", dataLen);
561 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Adapter: %u", ((SslEndPoint_t * )tep)->sep.endpoint.adapter);
563 int adapterIndex = GetAdapterIndex(((SslEndPoint_t * )tep)->sep.endpoint.adapter);
564 if (0 <= adapterIndex && MAX_SUPPORTED_ADAPTERS > adapterIndex)
566 CAPacketSendCallback sendCallback = g_caSslContext->adapterCallbacks[adapterIndex].sendCallback;
567 sentLen = sendCallback(&(((SslEndPoint_t * )tep)->sep.endpoint), (const void *) data, dataLen);
568 if (sentLen != dataLen)
570 OIC_LOG_V(DEBUG, NET_SSL_TAG,
571 "Packet was partially sent - total/sent/remained bytes : %d/%d/%d",
572 sentLen, dataLen, (dataLen - sentLen));
577 OIC_LOG(ERROR, NET_SSL_TAG, "Unsupported adapter");
581 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
587 * @param[in] tep TLS endpoint
588 * @param[in] data message
589 * @param[in] dataLen message length
591 * @return read length
593 static int RecvCallBack(void * tep, unsigned char * data, size_t dataLen)
595 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
596 VERIFY_NON_NULL_RET(tep, NET_SSL_TAG, "endpoint is NULL", 0);
597 VERIFY_NON_NULL_RET(data, NET_SSL_TAG, "data is NULL", 0);
599 SslRecBuf_t *recBuf = &((SslEndPoint_t *)tep)->recBuf;
600 size_t retLen = (recBuf->len > recBuf->loaded ? recBuf->len - recBuf->loaded : 0);
601 retLen = (retLen < dataLen ? retLen : dataLen);
603 if (retLen > INT_MAX)
608 memcpy(data, recBuf->buff + recBuf->loaded, retLen);
609 recBuf->loaded += retLen;
611 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
616 * Parse chain of X.509 certificates.
618 * @param[out] crt container for X.509 certificates
619 * @param[in] data buffer with X.509 certificates. Certificates may be in either in PEM
620 or DER format in a jumble, delimiting symbols does not matter.
621 * @param[in] bufLen buffer length
622 * @param[in] errNum number certificates that failed to parse
624 * @return number of successfully parsed certificates or -1 on error
626 static int ParseChain(mbedtls_x509_crt * crt, unsigned char * buf, int bufLen, int * errNum)
628 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
629 VERIFY_NON_NULL_RET(crt, NET_SSL_TAG, "Param crt is NULL" , -1);
630 VERIFY_NON_NULL_RET(buf, NET_SSL_TAG, "Param buf is NULL" , -1);
632 char pemCertHeader[] = {
633 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52,
634 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d
636 char pemCertFooter[] = {
637 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
638 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d
640 size_t pemCertHeaderLen = sizeof(pemCertHeader);
641 size_t pemCertFooterLen = sizeof(pemCertFooter);
644 unsigned char * tmp = NULL;
652 if (buf[pos] == 0x30 && buf[pos + 1] == 0x82)
654 tmp = (unsigned char *)buf + pos + 1;
655 CHECK_MBEDTLS_RET(mbedtls_asn1_get_len, &tmp, buf + bufLen, &len);
656 if (pos + len < bufLen)
658 ret = mbedtls_x509_crt_parse_der(crt, buf + pos, len + 4);
666 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse_der returned -0x%04x\n", -(ret));
671 else if ((buf + pos + pemCertHeaderLen < buf + bufLen) &&
672 (0 == memcmp(buf + pos, pemCertHeader, pemCertHeaderLen)))
674 void * endPos = NULL;
675 endPos = memmem(&(buf[pos]), bufLen - pos, pemCertFooter, pemCertFooterLen);
678 OIC_LOG(ERROR, NET_SSL_TAG, "Error: end of PEM certificate not found.");
679 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
682 len = (char*)endPos - ((char*)buf + pos) + pemCertFooterLen;
683 if (pos + len + 1 <= bufLen)
685 char con = buf[pos + len];
686 buf[pos + len] = 0x00;
687 ret = mbedtls_x509_crt_parse(crt, buf + pos, len + 1);
695 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse returned -0x%04x\n", -(ret));
697 buf[pos + len] = con;
701 unsigned char * lastCert = (unsigned char *)OICMalloc((len + 1) * sizeof(unsigned char));
702 memcpy(lastCert, buf + pos, len);
703 lastCert[len] = 0x00;
704 ret = mbedtls_x509_crt_parse(crt, lastCert, len + 1);
712 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse returned -0x%04x\n", -(ret));
723 OIC_LOG_V(DEBUG, NET_SSL_TAG, "%s successfully parsed %d certificates", __func__, count);
724 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
731 //Loads PKIX related information from SRM
732 static int InitPKIX(CATransportAdapter_t adapter)
734 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
735 VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_SSL_TAG, "PKIX info callback is NULL", -1);
736 // load pk key, cert, trust chain and crl
737 if (g_getPkixInfoCallback)
739 g_getPkixInfoCallback(&g_pkiInfo);
742 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
744 mbedtls_x509_crt_free(&g_caSslContext->ca);
745 mbedtls_x509_crt_free(&g_caSslContext->crt);
746 mbedtls_pk_free(&g_caSslContext->pkey);
747 mbedtls_x509_crl_free(&g_caSslContext->crl);
749 mbedtls_x509_crt_init(&g_caSslContext->ca);
750 mbedtls_x509_crt_init(&g_caSslContext->crt);
751 mbedtls_pk_init(&g_caSslContext->pkey);
752 mbedtls_x509_crl_init(&g_caSslContext->crl);
754 mbedtls_ssl_config * serverConf = (adapter == CA_ADAPTER_IP ||
755 adapter == CA_ADAPTER_GATT_BTLE ?
756 &g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf);
757 mbedtls_ssl_config * clientConf = (adapter == CA_ADAPTER_IP ||
758 adapter == CA_ADAPTER_GATT_BTLE ?
759 &g_caSslContext->clientDtlsConf : &g_caSslContext->clientTlsConf);
763 int count = ParseChain(&g_caSslContext->crt, g_pkiInfo.crt.data, g_pkiInfo.crt.len, &errNum);
766 OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate chain parsing error");
771 OIC_LOG_V(WARNING, NET_SSL_TAG, "Own certificate chain parsing error: %d certs failed to parse", errNum);
774 ret = mbedtls_pk_parse_key(&g_caSslContext->pkey, g_pkiInfo.key.data, g_pkiInfo.key.len,
778 OIC_LOG(WARNING, NET_SSL_TAG, "Key parsing error");
782 ret = mbedtls_ssl_conf_own_cert(serverConf, &g_caSslContext->crt, &g_caSslContext->pkey);
785 OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate parsing error");
788 ret = mbedtls_ssl_conf_own_cert(clientConf, &g_caSslContext->crt, &g_caSslContext->pkey);
791 OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate configuration error");
796 count = ParseChain(&g_caSslContext->ca, g_pkiInfo.ca.data, g_pkiInfo.ca.len, &errNum);
799 OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error");
800 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
805 OIC_LOG_V(WARNING, NET_SSL_TAG, "CA chain parsing warning: %d certs failed to parse", errNum);
808 ret = mbedtls_x509_crl_parse_der(&g_caSslContext->crl, g_pkiInfo.crl.data, g_pkiInfo.crl.len);
811 OIC_LOG(WARNING, NET_SSL_TAG, "CRL parsing error");
812 CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain, &g_caSslContext->ca, NULL);
816 CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain,
817 &g_caSslContext->ca, &g_caSslContext->crl);
820 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
827 * @param[in] notUsed opaque context
828 * @param[in] ssl mbedTLS context
829 * @param[in] desc identity
830 * @param[in] descLen identity length
832 * @return 0 on success any other return value will result in a denied PSK identity
834 static int GetPskCredentialsCallback(void * notUsed, mbedtls_ssl_context * ssl,
835 const unsigned char * desc, size_t descLen)
837 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
838 VERIFY_NON_NULL_RET(g_getCredentialsCallback, NET_SSL_TAG, "Credential callback s NULL", -1);
839 VERIFY_NON_NULL_RET(ssl, NET_SSL_TAG, "ssl pointer is NULL", -1);
840 VERIFY_NON_NULL_RET(desc, NET_SSL_TAG, "desc pointer is NULL", -1);
841 if (descLen > CA_MAX_ENDPOINT_IDENTITY_LEN)
843 OIC_LOG(ERROR, NET_SSL_TAG, "desc too long!");
847 uint8_t keyBuf[PSK_LENGTH] = {0};
849 // Retrieve the credentials blob from security module
850 int ret = g_getCredentialsCallback(CA_DTLS_PSK_KEY, desc, descLen, keyBuf, PSK_LENGTH);
853 memcpy(((SslEndPoint_t *) ssl)->sep.identity.id, desc, descLen);
854 ((SslEndPoint_t *) ssl)->sep.identity.id_length = descLen;
855 OIC_LOG(DEBUG, NET_SSL_TAG, "PSK:");
856 OIC_LOG_BUFFER(DEBUG, NET_SSL_TAG, keyBuf, ret);
858 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
859 return(mbedtls_ssl_set_hs_psk(ssl, keyBuf, ret));
861 OIC_LOG_V(WARNING, NET_SSL_TAG, "Out %s", __func__);
865 * Gets session corresponding for endpoint.
867 * @param[in] peer remote address
869 * @return TLS session or NULL
871 static SslEndPoint_t *GetSslPeer(const CAEndpoint_t *peer)
873 uint32_t listIndex = 0;
874 uint32_t listLength = 0;
875 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
876 VERIFY_NON_NULL_RET(peer, NET_SSL_TAG, "TLS peer is NULL", NULL);
877 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", NULL);
879 SslEndPoint_t *tep = NULL;
880 listLength = u_arraylist_length(g_caSslContext->peerList);
881 for (listIndex = 0; listIndex < listLength; listIndex++)
883 tep = (SslEndPoint_t *) u_arraylist_get(g_caSslContext->peerList, listIndex);
889 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Compare [%s:%d] and [%s:%d] for %d adapter",
890 peer->addr, peer->port, tep->sep.endpoint.addr, tep->sep.endpoint.port,
893 if((peer->adapter == tep->sep.endpoint.adapter)
894 && (0 == strncmp(peer->addr, tep->sep.endpoint.addr, MAX_ADDR_STR_SIZE_CA))
895 && (peer->port == tep->sep.endpoint.port || CA_ADAPTER_GATT_BTLE == peer->adapter))
897 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
901 OIC_LOG(DEBUG, NET_SSL_TAG, "Return NULL");
902 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
906 #ifdef MULTIPLE_OWNER
908 * Gets CA secure endpoint info corresponding for endpoint.
910 * @param[in] peer remote address
912 * @return CASecureEndpoint or NULL
914 const CASecureEndpoint_t *GetCASecureEndpointData(const CAEndpoint_t* peer)
916 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
918 oc_mutex_lock(g_sslContextMutex);
919 if (NULL == g_caSslContext)
921 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
922 oc_mutex_unlock(g_sslContextMutex);
926 SslEndPoint_t* sslPeer = GetSslPeer(peer);
929 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
930 oc_mutex_unlock(g_sslContextMutex);
931 return &sslPeer->sep;
934 OIC_LOG(DEBUG, NET_SSL_TAG, "Return NULL");
935 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
936 oc_mutex_unlock(g_sslContextMutex);
942 * Adds a bit to the attributes field of a secure endpoint.
944 * @param[in] peer remote address
945 * @param[in] newAttribute bit to be added to the attributes field
947 * @return true if the secure endpoint has been found, false otherwise.
949 bool SetCASecureEndpointAttribute(const CAEndpoint_t* peer, uint32_t newAttribute)
953 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s(peer = %s:%u, attribute = %#x)", __func__,
954 peer->addr, (uint32_t)peer->port, newAttribute);
956 oc_mutex_lock(g_sslContextMutex);
958 if (NULL == g_caSslContext)
960 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
964 SslEndPoint_t* sslPeer = GetSslPeer(peer);
968 OIC_LOG(ERROR, NET_SSL_TAG, "SSL peer not found");
972 sslPeer->sep.attributes |= newAttribute;
977 oc_mutex_unlock(g_sslContextMutex);
979 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s -> %s", __func__, result ? "success" : "failed");
984 * Gets the attributes field of a secure endpoint.
986 * @param[in] peer remote address
987 * @param[out] allAttributes all the attributes bits for that remote address
989 * @return true if the secure endpoint has been found, false otherwise.
991 bool GetCASecureEndpointAttributes(const CAEndpoint_t* peer, uint32_t* allAttributes)
995 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s(peer = %s:%u)", __func__,
996 peer->addr, (uint32_t)peer->port);
998 oc_mutex_lock(g_sslContextMutex);
1000 if (NULL == g_caSslContext)
1002 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
1006 SslEndPoint_t* sslPeer = GetSslPeer(peer);
1010 OIC_LOG(ERROR, NET_SSL_TAG, "SSL peer not found");
1014 *allAttributes = sslPeer->sep.attributes;
1019 oc_mutex_unlock(g_sslContextMutex);
1021 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s -> %s, attributes = %#x", __func__,
1022 result ? "success" : "failed", result ? *allAttributes : 0);
1027 * Deletes cached message.
1029 * @param[in] msg message
1031 static void DeleteCacheMessage(SslCacheMessage_t * msg)
1033 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1034 VERIFY_NON_NULL_VOID(msg, NET_SSL_TAG, "msg");
1039 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1042 * Deletes cached message list.
1044 * @param[in] cacheList list of cached messages
1046 static void DeleteCacheList(u_arraylist_t * cacheList)
1048 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1049 VERIFY_NON_NULL_VOID(cacheList, NET_SSL_TAG, "cacheList");
1050 uint32_t listIndex = 0;
1051 uint32_t listLength = 0;
1053 listLength = u_arraylist_length(cacheList);
1054 for (listIndex = 0; listIndex < listLength; listIndex++)
1056 SslCacheMessage_t * msg = (SslCacheMessage_t *) u_arraylist_get(cacheList, listIndex);
1059 DeleteCacheMessage(msg);
1062 u_arraylist_free(&cacheList);
1064 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1067 * Deletes endpoint with session.
1069 * @param[in] tep endpoint with session info
1071 static void DeleteSslEndPoint(SslEndPoint_t * tep)
1073 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1074 VERIFY_NON_NULL_VOID(tep, NET_SSL_TAG, "tep");
1076 mbedtls_ssl_free(&tep->ssl);
1077 #ifdef __WITH_DTLS__
1078 mbedtls_ssl_cookie_free(&tep->cookieCtx);
1080 DeleteCacheList(tep->cacheList);
1082 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1085 * Removes endpoint session from list.
1087 * @param[in] endpoint remote address
1089 static void RemovePeerFromList(CAEndpoint_t * endpoint)
1091 VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
1092 VERIFY_NON_NULL_VOID(endpoint, NET_SSL_TAG, "endpoint");
1093 uint32_t listLength = u_arraylist_length(g_caSslContext->peerList);
1094 for (uint32_t listIndex = 0; listIndex < listLength; listIndex++)
1096 SslEndPoint_t * tep = (SslEndPoint_t *)u_arraylist_get(g_caSslContext->peerList,listIndex);
1101 if(0 == strncmp(endpoint->addr, tep->sep.endpoint.addr, MAX_ADDR_STR_SIZE_CA)
1102 && (endpoint->port == tep->sep.endpoint.port))
1104 u_arraylist_remove(g_caSslContext->peerList, listIndex);
1105 DeleteSslEndPoint(tep);
1111 * Deletes session list.
1113 static void DeletePeerList()
1115 VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
1117 uint32_t listLength = u_arraylist_length(g_caSslContext->peerList);
1118 for (uint32_t listIndex = 0; listIndex < listLength; listIndex++)
1120 SslEndPoint_t * tep = (SslEndPoint_t *)u_arraylist_get(g_caSslContext->peerList,listIndex);
1125 if (MBEDTLS_SSL_HANDSHAKE_OVER == tep->ssl.state)
1130 ret = mbedtls_ssl_close_notify(&tep->ssl);
1132 while (MBEDTLS_ERR_SSL_WANT_WRITE == ret);
1134 DeleteSslEndPoint(tep);
1136 u_arraylist_free(&g_caSslContext->peerList);
1139 CAResult_t CAcloseSslConnection(const CAEndpoint_t *endpoint)
1141 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1142 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG, "Param endpoint is NULL" , CA_STATUS_INVALID_PARAM);
1144 oc_mutex_lock(g_sslContextMutex);
1145 if (NULL == g_caSslContext)
1147 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
1148 oc_mutex_unlock(g_sslContextMutex);
1149 return CA_STATUS_FAILED;
1151 SslEndPoint_t * tep = GetSslPeer(endpoint);
1154 OIC_LOG(ERROR, NET_SSL_TAG, "Session does not exist");
1155 oc_mutex_unlock(g_sslContextMutex);
1156 return CA_STATUS_FAILED;
1158 /* No error checking, the connection might be closed already */
1162 ret = mbedtls_ssl_close_notify(&tep->ssl);
1164 while (MBEDTLS_ERR_SSL_WANT_WRITE == ret);
1166 RemovePeerFromList(&tep->sep.endpoint);
1167 oc_mutex_unlock(g_sslContextMutex);
1169 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1170 return CA_STATUS_OK;
1173 void CAcloseSslConnectionAll(CATransportAdapter_t transportType)
1175 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1176 oc_mutex_lock(g_sslContextMutex);
1177 if (NULL == g_caSslContext)
1179 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
1180 oc_mutex_unlock(g_sslContextMutex);
1184 uint32_t listLength = u_arraylist_length(g_caSslContext->peerList);
1185 OIC_LOG_V(DEBUG, NET_SSL_TAG,
1186 "Required transport [%d], peer count [%u]", transportType, listLength);
1187 for (uint32_t i = listLength; i > 0; i--)
1189 SslEndPoint_t *tep = (SslEndPoint_t *)u_arraylist_get(g_caSslContext->peerList, i - 1);
1194 OIC_LOG_V(DEBUG, NET_SSL_TAG, "SSL Connection [%s:%d], Transport [%d]",
1195 tep->sep.endpoint.addr, tep->sep.endpoint.port, tep->sep.endpoint.adapter);
1197 // check transport matching
1198 if (0 == (tep->sep.endpoint.adapter & transportType))
1200 OIC_LOG(DEBUG, NET_SSL_TAG, "Skip the un-matched transport session");
1204 // TODO: need to check below code after socket close is ensured.
1208 ret = mbedtls_ssl_close_notify(&tep->ssl);
1210 while (MBEDTLS_ERR_SSL_WANT_WRITE == ret);*/
1213 u_arraylist_remove(g_caSslContext->peerList, i - 1);
1214 DeleteSslEndPoint(tep);
1216 oc_mutex_unlock(g_sslContextMutex);
1218 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1222 * Creates session for endpoint.
1224 * @param[in] endpoint remote address
1225 * @param[in] config mbedTLS configuration info
1227 * @return TLS endpoint or NULL
1229 static SslEndPoint_t * NewSslEndPoint(const CAEndpoint_t * endpoint, mbedtls_ssl_config * config)
1231 SslEndPoint_t * tep = NULL;
1232 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1233 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG, "endpoint", NULL);
1234 VERIFY_NON_NULL_RET(config, NET_SSL_TAG, "config", NULL);
1235 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", NULL);
1237 tep = (SslEndPoint_t *) OICCalloc(1, sizeof (SslEndPoint_t));
1240 OIC_LOG(ERROR, NET_SSL_TAG, "Malloc failed!");
1244 tep->sep.endpoint = *endpoint;
1245 tep->sep.endpoint.flags = (CATransportFlags_t)(tep->sep.endpoint.flags | CA_SECURE);
1247 if(0 != mbedtls_ssl_setup(&tep->ssl, config))
1249 OIC_LOG(ERROR, NET_SSL_TAG, "Setup failed");
1251 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1255 mbedtls_ssl_set_bio(&tep->ssl, tep, SendCallBack, RecvCallBack, NULL);
1256 if (MBEDTLS_SSL_TRANSPORT_DATAGRAM == config->transport)
1258 mbedtls_ssl_set_timer_cb(&tep->ssl, &tep->timer,
1259 mbedtls_timing_set_delay, mbedtls_timing_get_delay);
1260 if (MBEDTLS_SSL_IS_SERVER == config->endpoint)
1262 if (0 != mbedtls_ssl_cookie_setup(&tep->cookieCtx, mbedtls_ctr_drbg_random,
1263 &g_caSslContext->rnd))
1265 OIC_LOG(ERROR, NET_SSL_TAG, "Cookie setup failed!");
1267 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1270 mbedtls_ssl_conf_dtls_cookies(config, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
1272 if (0 != mbedtls_ssl_set_client_transport_id(&tep->ssl,
1273 (const unsigned char *) endpoint->addr, sizeof(endpoint->addr)))
1275 OIC_LOG(ERROR, NET_SSL_TAG, "Transport id setup failed!");
1277 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1282 tep->cacheList = u_arraylist_create();
1283 if (NULL == tep->cacheList)
1285 OIC_LOG(ERROR, NET_SSL_TAG, "cacheList initialization failed!");
1286 mbedtls_ssl_free(&tep->ssl);
1288 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1291 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1295 * Initializes PSK identity.
1297 * @param[out] config client/server config to be updated
1299 * @return 0 on success or -1 on error
1301 static int InitPskIdentity(mbedtls_ssl_config * config)
1303 uint8_t idBuf[UUID_LENGTH] = {0};
1304 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1305 VERIFY_NON_NULL_RET(config, NET_SSL_TAG, "Param config is NULL" , -1);
1307 if (0 > g_getCredentialsCallback(CA_DTLS_PSK_IDENTITY, NULL, 0, idBuf, UUID_LENGTH))
1309 OIC_LOG(ERROR, NET_SSL_TAG, "Identity not found");
1310 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1313 if (0 != mbedtls_ssl_conf_psk(config, idBuf, 0, idBuf, UUID_LENGTH))
1315 OIC_LOG(ERROR, NET_SSL_TAG, "Identity initialization failed!");
1316 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1319 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1322 static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapter)
1325 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1326 VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param");
1327 VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
1328 VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null");
1330 g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
1331 // Retrieve the PSK credential from SRM
1332 if (0 != InitPskIdentity(config))
1334 OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!");
1337 // Retrieve the Cert credential from SRM
1338 if (true == g_caSslContext->cipherFlag[1])
1340 int ret = InitPKIX(adapter);
1343 OIC_LOG(ERROR, NET_SSL_TAG, "Failed to init X.509");
1347 memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
1348 if (SSL_CIPHER_MAX != g_caSslContext->cipher)
1350 g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0];
1354 if (true == g_caSslContext->cipherFlag[1])
1356 for (int i = 2; i < SSL_CIPHER_MAX - 2; i++)
1358 g_cipherSuitesList[index] = tlsCipher[i][0];
1362 if (true == g_caSslContext->cipherFlag[0])
1364 g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
1368 mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);
1370 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1373 * Initiate TLS handshake with endpoint.
1375 * @param[in] endpoint remote address
1377 * @return TLS endpoint or NULL
1379 static SslEndPoint_t * InitiateTlsHandshake(const CAEndpoint_t *endpoint)
1382 SslEndPoint_t * tep = NULL;
1384 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1385 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG, "Param endpoint is NULL" , NULL);
1386 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", NULL);
1388 mbedtls_ssl_config * config = (endpoint->adapter == CA_ADAPTER_IP ||
1389 endpoint->adapter == CA_ADAPTER_GATT_BTLE ?
1390 &g_caSslContext->clientDtlsConf : &g_caSslContext->clientTlsConf);
1391 tep = NewSslEndPoint(endpoint, config);
1394 OIC_LOG(ERROR, NET_SSL_TAG, "Malloc failed!");
1398 //Load allowed SVR suites from SVR DB
1399 SetupCipher(config, endpoint->adapter);
1401 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Add %s:%d", tep->sep.endpoint.addr, tep->sep.endpoint.port);
1402 ret = u_arraylist_add(g_caSslContext->peerList, (void *) tep);
1405 OIC_LOG(ERROR, NET_SSL_TAG, "u_arraylist_add failed!");
1406 DeleteSslEndPoint(tep);
1410 while (MBEDTLS_SSL_HANDSHAKE_OVER > tep->ssl.state)
1412 ret = mbedtls_ssl_handshake_step(&tep->ssl);
1413 if (MBEDTLS_ERR_SSL_CONN_EOF == ret)
1419 OIC_LOG(ERROR, NET_SSL_TAG, "Handshake failed due to socket error");
1420 RemovePeerFromList(&tep->sep.endpoint);
1423 SSL_CHECK_FAIL(tep, ret, "Handshake error", 0, NULL, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1425 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1428 #ifdef __WITH_DTLS__
1430 * Stops DTLS retransmission.
1432 static void StopRetransmit()
1436 unregisterTimer(g_caSslContext->timerId);
1437 g_caSslContext->timerId= -1;
1441 void CAdeinitSslAdapter()
1443 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1445 VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "context is NULL");
1446 VERIFY_NON_NULL_VOID(g_sslContextMutex, NET_SSL_TAG, "context mutex is NULL");
1448 //Lock tlsContext mutex
1449 oc_mutex_lock(g_sslContextMutex);
1454 // De-initialize mbedTLS
1455 mbedtls_x509_crt_free(&g_caSslContext->crt);
1456 mbedtls_pk_free(&g_caSslContext->pkey);
1458 mbedtls_ssl_config_free(&g_caSslContext->clientTlsConf);
1459 mbedtls_ssl_config_free(&g_caSslContext->serverTlsConf);
1460 #endif // __WITH_TLS__
1461 #ifdef __WITH_DTLS__
1462 mbedtls_ssl_config_free(&g_caSslContext->clientDtlsConf);
1463 mbedtls_ssl_config_free(&g_caSslContext->serverDtlsConf);
1464 #endif // __WITH_DTLS__
1465 mbedtls_ctr_drbg_free(&g_caSslContext->rnd);
1466 mbedtls_entropy_free(&g_caSslContext->entropy);
1467 #ifdef __WITH_DTLS__
1470 // De-initialize tls Context
1471 OICFree(g_caSslContext);
1472 g_caSslContext = NULL;
1474 // Unlock tlsContext mutex and de-initialize it
1475 oc_mutex_unlock(g_sslContextMutex);
1476 oc_mutex_free(g_sslContextMutex);
1477 g_sslContextMutex = NULL;
1479 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s ", __func__);
1482 static int InitConfig(mbedtls_ssl_config * conf, int transport, int mode)
1484 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1485 VERIFY_NON_NULL_RET(conf, NET_SSL_TAG, "Param conf is NULL" , -1);
1486 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
1487 mbedtls_ssl_config_init(conf);
1488 if (mbedtls_ssl_config_defaults(conf, mode, transport, MBEDTLS_SSL_PRESET_DEFAULT) != 0)
1490 OIC_LOG(ERROR, NET_SSL_TAG, "Config initialization failed!");
1495 * Configure mbedTLS runtime options. Many options are configured at build
1496 * time, see extlibs/mbedtls/config-iotivity.h
1498 mbedtls_ssl_conf_psk_cb(conf, GetPskCredentialsCallback, NULL);
1499 mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &g_caSslContext->rnd);
1500 mbedtls_ssl_conf_curves(conf, curve[ADAPTER_CURVE_SECP256R1]);
1501 mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED);
1503 /* Set TLS 1.2 as the minimum allowed version. */
1504 mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
1506 #if !defined(NDEBUG) || defined(TB_LOG)
1507 mbedtls_ssl_conf_dbg(conf, DebugSsl, NULL);
1508 #if defined(MBEDTLS_DEBUG_C)
1509 mbedtls_debug_set_threshold(MBED_TLS_DEBUG_LEVEL);
1512 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1515 #ifdef __WITH_DTLS__
1517 * Starts DTLS retransmission.
1519 static int StartRetransmit()
1521 uint32_t listIndex = 0;
1522 uint32_t listLength = 0;
1523 SslEndPoint_t *tep = NULL;
1525 oc_mutex_lock(g_sslContextMutex);
1526 if (NULL == g_caSslContext)
1528 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL. Stop retransmission");
1529 oc_mutex_unlock(g_sslContextMutex);
1533 if (g_caSslContext->timerId != -1)
1535 //clear previous timer
1536 unregisterTimer(g_caSslContext->timerId);
1538 listLength = u_arraylist_length(g_caSslContext->peerList);
1539 for (listIndex = 0; listIndex < listLength; listIndex++)
1541 tep = (SslEndPoint_t *) u_arraylist_get(g_caSslContext->peerList, listIndex);
1543 || (tep->ssl.conf && MBEDTLS_SSL_TRANSPORT_STREAM == tep->ssl.conf->transport)
1544 || MBEDTLS_SSL_HANDSHAKE_OVER == tep->ssl.state)
1548 int ret = mbedtls_ssl_handshake_step(&tep->ssl);
1550 if (MBEDTLS_ERR_SSL_CONN_EOF != ret)
1553 registerTimer(RETRANSMISSION_TIME, &g_caSslContext->timerId, (void *) StartRetransmit);
1555 SSL_CHECK_FAIL(tep, ret, "Retransmission", 1, CA_STATUS_FAILED,
1556 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1561 registerTimer(RETRANSMISSION_TIME, &g_caSslContext->timerId, (void *) StartRetransmit);
1562 oc_mutex_unlock(g_sslContextMutex);
1567 CAResult_t CAinitSslAdapter()
1569 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1570 // Initialize mutex for tlsContext
1571 if (NULL == g_sslContextMutex)
1573 g_sslContextMutex = oc_mutex_new();
1574 VERIFY_NON_NULL_RET(g_sslContextMutex, NET_SSL_TAG, "malloc failed", CA_MEMORY_ALLOC_FAILED);
1578 OIC_LOG(INFO, NET_SSL_TAG, "Done already!");
1579 return CA_STATUS_OK;
1582 // Lock tlsContext mutex and create tlsContext
1583 oc_mutex_lock(g_sslContextMutex);
1584 g_caSslContext = (SslContext_t *)OICCalloc(1, sizeof(SslContext_t));
1586 if (NULL == g_caSslContext)
1588 OIC_LOG(ERROR, NET_SSL_TAG, "Context malloc failed");
1589 oc_mutex_unlock(g_sslContextMutex);
1590 oc_mutex_free(g_sslContextMutex);
1591 g_sslContextMutex = NULL;
1592 return CA_MEMORY_ALLOC_FAILED;
1596 g_caSslContext->peerList = u_arraylist_create();
1598 if(NULL == g_caSslContext->peerList)
1600 OIC_LOG(ERROR, NET_SSL_TAG, "peerList initialization failed!");
1601 OICFree(g_caSslContext);
1602 g_caSslContext = NULL;
1603 oc_mutex_unlock(g_sslContextMutex);
1604 oc_mutex_free(g_sslContextMutex);
1605 g_sslContextMutex = NULL;
1606 return CA_STATUS_FAILED;
1609 /* Initialize TLS library
1611 #if !defined(NDEBUG) || defined(TB_LOG)
1612 #ifdef MBEDTLS_VERSION_C
1613 char version[MBED_TLS_VERSION_LEN];
1614 mbedtls_version_get_string(version);
1615 OIC_LOG_V(INFO, NET_SSL_TAG, "mbed TLS version: %s", version);
1617 OIC_LOG_V(INFO, NET_SSL_TAG, "mbed TLS version: %s", MBEDTLS_VERSION_STRING);
1623 mbedtls_entropy_init(&g_caSslContext->entropy);
1624 mbedtls_ctr_drbg_init(&g_caSslContext->rnd);
1626 if(0 != mbedtls_ctr_drbg_seed(&g_caSslContext->rnd, mbedtls_entropy_func,
1627 &g_caSslContext->entropy,
1628 (const unsigned char*) PERSONALIZATION_STRING, sizeof(PERSONALIZATION_STRING)))
1630 OIC_LOG(ERROR, NET_SSL_TAG, "Seed initialization failed!");
1631 oc_mutex_unlock(g_sslContextMutex);
1632 CAdeinitSslAdapter();
1633 return CA_STATUS_FAILED;
1635 mbedtls_ctr_drbg_set_prediction_resistance(&g_caSslContext->rnd, MBEDTLS_CTR_DRBG_PR_ON);
1638 if (0 != InitConfig(&g_caSslContext->clientTlsConf,
1639 MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_IS_CLIENT))
1641 OIC_LOG(ERROR, NET_SSL_TAG, "Client config initialization failed!");
1642 oc_mutex_unlock(g_sslContextMutex);
1643 CAdeinitSslAdapter();
1644 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1645 return CA_STATUS_FAILED;
1648 if (0 != InitConfig(&g_caSslContext->serverTlsConf,
1649 MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_IS_SERVER))
1651 OIC_LOG(ERROR, NET_SSL_TAG, "Server config initialization failed!");
1652 oc_mutex_unlock(g_sslContextMutex);
1653 CAdeinitSslAdapter();
1654 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1655 return CA_STATUS_FAILED;
1657 #endif // __WITH_TLS__
1658 #ifdef __WITH_DTLS__
1659 if (0 != InitConfig(&g_caSslContext->clientDtlsConf,
1660 MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_IS_CLIENT))
1662 OIC_LOG(ERROR, NET_SSL_TAG, "Client config initialization failed!");
1663 oc_mutex_unlock(g_sslContextMutex);
1664 CAdeinitSslAdapter();
1665 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1666 return CA_STATUS_FAILED;
1669 if (0 != InitConfig(&g_caSslContext->serverDtlsConf,
1670 MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_IS_SERVER))
1672 OIC_LOG(ERROR, NET_SSL_TAG, "Server config initialization failed!");
1673 oc_mutex_unlock(g_sslContextMutex);
1674 CAdeinitSslAdapter();
1675 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1676 return CA_STATUS_FAILED;
1678 #endif // __WITH_DTLS__
1680 // set default cipher
1681 g_caSslContext->cipher = SSL_CIPHER_MAX;
1684 mbedtls_x509_crt_init(&g_caSslContext->ca);
1685 mbedtls_x509_crt_init(&g_caSslContext->crt);
1686 mbedtls_pk_init(&g_caSslContext->pkey);
1687 mbedtls_x509_crl_init(&g_caSslContext->crl);
1689 #ifdef __WITH_DTLS__
1690 g_caSslContext->timerId = -1;
1693 oc_mutex_unlock(g_sslContextMutex);
1694 #ifdef __WITH_DTLS__
1698 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1699 return CA_STATUS_OK;
1702 SslCacheMessage_t * NewCacheMessage(uint8_t * data, size_t dataLen)
1704 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1705 VERIFY_NON_NULL_RET(data, NET_SSL_TAG, "Param data is NULL" , NULL);
1708 OIC_LOG(ERROR, NET_SSL_TAG, "dataLen is equal to zero");
1709 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1712 SslCacheMessage_t * message = (SslCacheMessage_t *) OICCalloc(1, sizeof(SslCacheMessage_t));
1713 if (NULL == message)
1715 OIC_LOG(ERROR, NET_SSL_TAG, "calloc failed!");
1716 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1720 message->data = (uint8_t *)OICCalloc(dataLen, sizeof(uint8_t));
1721 if (NULL == message->data)
1723 OIC_LOG(ERROR, NET_SSL_TAG, "calloc failed!");
1725 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1728 memcpy(message->data, data, dataLen);
1729 message->len = dataLen;
1730 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1734 /* Send data via TLS connection.
1736 CAResult_t CAencryptSsl(const CAEndpoint_t *endpoint,
1737 void *data, uint32_t dataLen)
1741 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s ", __func__);
1743 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG,"Remote address is NULL", CA_STATUS_INVALID_PARAM);
1744 VERIFY_NON_NULL_RET(data, NET_SSL_TAG, "Data is NULL", CA_STATUS_INVALID_PARAM);
1745 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Port %d", endpoint->port);
1749 OIC_LOG_V(ERROR, NET_SSL_TAG, "dataLen is zero [%d]", dataLen);
1750 return CA_STATUS_FAILED;
1753 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Data to be encrypted dataLen [%d]", dataLen);
1755 oc_mutex_lock(g_sslContextMutex);
1756 if(NULL == g_caSslContext)
1758 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
1759 oc_mutex_unlock(g_sslContextMutex);
1760 return CA_STATUS_FAILED;
1763 SslEndPoint_t * tep = GetSslPeer(endpoint);
1766 tep = InitiateTlsHandshake(endpoint);
1770 OIC_LOG(ERROR, NET_SSL_TAG, "TLS handshake failed");
1771 oc_mutex_unlock(g_sslContextMutex);
1772 return CA_STATUS_FAILED;
1775 if (MBEDTLS_SSL_HANDSHAKE_OVER == tep->ssl.state)
1777 unsigned char *dataBuf = (unsigned char *)data;
1782 ret = mbedtls_ssl_write(&tep->ssl, dataBuf, dataLen - written);
1785 if (MBEDTLS_ERR_SSL_WANT_WRITE != ret)
1787 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedTLS write failed! returned 0x%x", -ret);
1788 RemovePeerFromList(&tep->sep.endpoint);
1789 oc_mutex_unlock(g_sslContextMutex);
1790 return CA_STATUS_FAILED;
1794 OIC_LOG_V(DEBUG, NET_SSL_TAG, "mbedTLS write returned with sent bytes[%d]", ret);
1798 } while (dataLen > written);
1803 SslCacheMessage_t * msg = NewCacheMessage((uint8_t*) data, dataLen);
1804 if (NULL == msg || !u_arraylist_add(tep->cacheList, (void *) msg))
1806 OIC_LOG(ERROR, NET_SSL_TAG, "u_arraylist_add failed!");
1807 oc_mutex_unlock(g_sslContextMutex);
1808 return CA_STATUS_FAILED;
1812 oc_mutex_unlock(g_sslContextMutex);
1814 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1815 return CA_STATUS_OK;
1818 * Sends cached messages via TLS connection.
1820 * @param[in] tep remote address with session info
1822 static void SendCacheMessages(SslEndPoint_t * tep)
1824 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1825 VERIFY_NON_NULL_VOID(tep, NET_SSL_TAG, "Param tep is NULL");
1827 uint32_t listIndex = 0;
1828 uint32_t listLength = 0;
1829 listLength = u_arraylist_length(tep->cacheList);
1830 for (listIndex = 0; listIndex < listLength;)
1833 SslCacheMessage_t * msg = (SslCacheMessage_t *) u_arraylist_get(tep->cacheList, listIndex);
1834 if (NULL != msg && NULL != msg->data && 0 != msg->len)
1836 unsigned char *dataBuf = (unsigned char *)msg->data;
1841 ret = mbedtls_ssl_write(&tep->ssl, dataBuf, msg->len - written);
1844 if (MBEDTLS_ERR_SSL_WANT_WRITE != ret)
1846 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedTLS write failed! returned -0x%x", -ret);
1851 OIC_LOG_V(DEBUG, NET_SSL_TAG, "mbedTLS write returned with sent bytes[%d]", ret);
1855 } while (msg->len > written);
1857 if (u_arraylist_remove(tep->cacheList, listIndex))
1859 DeleteCacheMessage(msg);
1860 // Reduce list length by 1 as we removed one element.
1865 OIC_LOG(ERROR, NET_SSL_TAG, "u_arraylist_remove failed.");
1871 // Move to the next element
1875 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
1878 void CAsetSslHandshakeCallback(CAErrorCallback tlsHandshakeCallback)
1880 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s(%p)", __func__, tlsHandshakeCallback);
1881 g_sslCallback = tlsHandshakeCallback;
1882 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s(%p)", __func__, tlsHandshakeCallback);
1885 /* Read data from TLS connection
1887 CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t dataLen)
1890 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
1891 VERIFY_NON_NULL_RET(sep, NET_SSL_TAG, "endpoint is NULL" , CA_STATUS_INVALID_PARAM);
1892 VERIFY_NON_NULL_RET(data, NET_SSL_TAG, "Param data is NULL" , CA_STATUS_INVALID_PARAM);
1894 oc_mutex_lock(g_sslContextMutex);
1895 if (NULL == g_caSslContext)
1897 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
1898 oc_mutex_unlock(g_sslContextMutex);
1899 return CA_STATUS_FAILED;
1903 SslEndPoint_t * peer = GetSslPeer(&sep->endpoint);
1906 mbedtls_ssl_config * config = (sep->endpoint.adapter == CA_ADAPTER_IP ||
1907 sep->endpoint.adapter == CA_ADAPTER_GATT_BTLE ?
1908 &g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf);
1909 peer = NewSslEndPoint(&sep->endpoint, config);
1912 OIC_LOG(ERROR, NET_SSL_TAG, "Malloc failed!");
1913 oc_mutex_unlock(g_sslContextMutex);
1914 return CA_STATUS_FAILED;
1916 //Load allowed TLS suites from SVR DB
1917 SetupCipher(config, sep->endpoint.adapter);
1919 ret = u_arraylist_add(g_caSslContext->peerList, (void *) peer);
1922 OIC_LOG(ERROR, NET_SSL_TAG, "u_arraylist_add failed!");
1924 oc_mutex_unlock(g_sslContextMutex);
1925 return CA_STATUS_FAILED;
1929 peer->recBuf.buff = data;
1930 peer->recBuf.len = dataLen;
1931 peer->recBuf.loaded = 0;
1933 while (MBEDTLS_SSL_HANDSHAKE_OVER != peer->ssl.state)
1935 ret = mbedtls_ssl_handshake_step(&peer->ssl);
1936 if (MBEDTLS_ERR_SSL_CONN_EOF == ret)
1941 if (MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED == ret)
1943 OIC_LOG(DEBUG, NET_SSL_TAG, "Hello verification requested");
1944 mbedtls_ssl_session_reset(&peer->ssl);
1945 mbedtls_ssl_set_client_transport_id(&peer->ssl,
1946 (const unsigned char *) sep->endpoint.addr,
1947 sizeof(sep->endpoint.addr));
1948 ret = mbedtls_ssl_handshake_step(&peer->ssl);
1950 uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
1953 OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
1954 SSL_CHECK_FAIL(peer, flags, "Cert verification failed", 1,
1955 CA_STATUS_FAILED, GetAlertCode(flags));
1957 SSL_CHECK_FAIL(peer, ret, "Handshake error", 1, CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1958 if (MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC == peer->ssl.state)
1960 memcpy(peer->master, peer->ssl.session_negotiate->master, sizeof(peer->master));
1961 g_caSslContext->selectedCipher = peer->ssl.session_negotiate->ciphersuite;
1963 if (MBEDTLS_SSL_CLIENT_KEY_EXCHANGE == peer->ssl.state)
1965 memcpy(peer->random, peer->ssl.handshake->randbytes, sizeof(peer->random));
1968 if (MBEDTLS_SSL_HANDSHAKE_OVER == peer->ssl.state)
1970 SSL_RES(peer, CA_STATUS_OK);
1971 if (MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint)
1973 SendCacheMessages(peer);
1976 int selectedCipher = peer->ssl.session->ciphersuite;
1977 OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher);
1978 if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
1979 MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
1981 char uuid[UUID_LENGTH * 2 + 5] = {0};
1982 void * uuidPos = NULL;
1983 void * userIdPos = NULL;
1984 const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
1985 ret = (NULL == peerCert ? -1 : 0);
1986 SSL_CHECK_FAIL(peer, ret, "Failed to retrieve cert", 1,
1987 CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_NO_CERT);
1988 uuidPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
1989 UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
1991 if (NULL != uuidPos)
1993 memcpy(uuid, (char*) uuidPos + sizeof(UUID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
1994 OIC_LOG_V(DEBUG, NET_SSL_TAG, "certificate uuid string: %s" , uuid);
1995 ret = (OCConvertStringToUuid(uuid, peer->sep.identity.id)) ? 0 : -1;
1996 SSL_CHECK_FAIL(peer, ret, "Failed to convert subject", 1,
1997 CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
2001 OIC_LOG(WARNING, NET_SSL_TAG, "uuid not found");
2004 userIdPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
2005 USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
2006 if (NULL != userIdPos)
2008 memcpy(uuid, (char*) userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
2009 ret = (OCConvertStringToUuid(uuid, peer->sep.userId.id)) ? 0 : -1;
2010 SSL_CHECK_FAIL(peer, ret, "Failed to convert subject alt name", 1,
2011 CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
2015 OIC_LOG(WARNING, NET_SSL_TAG, "Subject alternative name not found");
2019 oc_mutex_unlock(g_sslContextMutex);
2020 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2021 return CA_STATUS_OK;
2025 if (MBEDTLS_SSL_HANDSHAKE_OVER == peer->ssl.state)
2027 uint8_t decryptBuffer[TLS_MSG_BUF_LEN] = {0};
2030 ret = mbedtls_ssl_read(&peer->ssl, decryptBuffer, TLS_MSG_BUF_LEN);
2031 } while (MBEDTLS_ERR_SSL_WANT_READ == ret);
2033 if (MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY == ret ||
2034 // TinyDTLS sends fatal close_notify alert
2035 (MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE == ret &&
2036 MBEDTLS_SSL_ALERT_LEVEL_FATAL == peer->ssl.in_msg[0] &&
2037 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY == peer->ssl.in_msg[1]))
2039 OIC_LOG(INFO, NET_SSL_TAG, "Connection was closed gracefully");
2040 RemovePeerFromList(&peer->sep.endpoint);
2041 oc_mutex_unlock(g_sslContextMutex);
2042 return CA_STATUS_OK;
2047 OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_ssl_read returned -0x%x", -ret);
2048 //SSL_RES(peer, CA_STATUS_FAILED);
2049 RemovePeerFromList(&peer->sep.endpoint);
2050 oc_mutex_unlock(g_sslContextMutex);
2051 return CA_STATUS_FAILED;
2055 int adapterIndex = GetAdapterIndex(peer->sep.endpoint.adapter);
2056 if (0 <= adapterIndex && MAX_SUPPORTED_ADAPTERS > adapterIndex)
2058 g_caSslContext->adapterCallbacks[adapterIndex].recvCallback(&peer->sep, decryptBuffer, ret);
2062 OIC_LOG(ERROR, NET_SSL_TAG, "Unsuported adapter");
2063 RemovePeerFromList(&peer->sep.endpoint);
2064 oc_mutex_unlock(g_sslContextMutex);
2065 return CA_STATUS_FAILED;
2070 oc_mutex_unlock(g_sslContextMutex);
2071 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2072 return CA_STATUS_OK;
2075 void CAsetSslAdapterCallbacks(CAPacketReceivedCallback recvCallback,
2076 CAPacketSendCallback sendCallback,
2077 CATransportAdapter_t type)
2079 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
2080 VERIFY_NON_NULL_VOID(sendCallback, NET_SSL_TAG, "sendCallback is NULL");
2081 VERIFY_NON_NULL_VOID(recvCallback, NET_SSL_TAG, "recvCallback is NULL");
2082 oc_mutex_lock(g_sslContextMutex);
2083 if (NULL == g_caSslContext)
2085 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
2086 oc_mutex_unlock(g_sslContextMutex);
2093 g_caSslContext->adapterCallbacks[0].recvCallback = recvCallback;
2094 g_caSslContext->adapterCallbacks[0].sendCallback = sendCallback;
2096 case CA_ADAPTER_TCP:
2097 g_caSslContext->adapterCallbacks[1].recvCallback = recvCallback;
2098 g_caSslContext->adapterCallbacks[1].sendCallback = sendCallback;
2100 case CA_ADAPTER_GATT_BTLE:
2101 g_caSslContext->adapterCallbacks[2].recvCallback = recvCallback;
2102 g_caSslContext->adapterCallbacks[2].sendCallback = sendCallback;
2105 OIC_LOG_V(ERROR, NET_SSL_TAG, "Unsupported adapter: %d", type);
2108 oc_mutex_unlock(g_sslContextMutex);
2109 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2112 * Gets index of the TLS ciphersuite in the SslCipher_t enum.
2114 * @param[in] cipher TLS chiphersuite code
2116 * @return corresponding enum
2119 static SslCipher_t GetCipherIndex(const uint32_t cipher)
2123 case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256:
2125 return SSL_RSA_WITH_AES_256_CBC_SHA256;
2127 case MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256:
2129 return SSL_RSA_WITH_AES_128_GCM_SHA256;
2131 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
2133 return SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
2135 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2137 return SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8;
2139 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM:
2141 return SSL_ECDHE_ECDSA_WITH_AES_128_CCM;
2143 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
2145 return SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
2147 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
2149 return SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
2151 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
2153 return SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
2155 case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:
2157 return SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
2159 case MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
2161 return SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
2163 case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256:
2165 return SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256;
2169 return SSL_CIPHER_MAX;
2174 CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
2176 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
2177 VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL context is not initialized." , CA_STATUS_NOT_INITIALIZED);
2179 CAResult_t res = CA_STATUS_FAILED;
2180 SslCipher_t index = GetCipherIndex(cipher);
2181 if (SSL_CIPHER_MAX == index)
2183 OIC_LOG(WARNING, NET_SSL_TAG, "Unknown cipher");
2188 CONF_SSL(&g_caSslContext->clientTlsConf, &g_caSslContext->serverTlsConf,
2189 mbedtls_ssl_conf_ciphersuites, tlsCipher[index]);
2191 #ifdef __WITH_DTLS__
2192 CONF_SSL(&g_caSslContext->clientDtlsConf, &g_caSslContext->serverDtlsConf,
2193 mbedtls_ssl_conf_ciphersuites, tlsCipher[index]);
2195 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Selected cipher: 0x%x", cipher);
2197 g_caSslContext->cipher = index;
2199 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2200 return CA_STATUS_OK;
2203 CAResult_t CAinitiateSslHandshake(const CAEndpoint_t *endpoint)
2205 CAResult_t res = CA_STATUS_OK;
2206 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
2207 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG, "Param endpoint is NULL" , CA_STATUS_INVALID_PARAM);
2208 oc_mutex_lock(g_sslContextMutex);
2209 if (NULL == InitiateTlsHandshake(endpoint))
2211 OIC_LOG(ERROR, NET_SSL_TAG, "TLS handshake failed");
2212 res = CA_STATUS_FAILED;
2214 oc_mutex_unlock(g_sslContextMutex);
2215 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2219 * Expands the secret into blocks of data according
2220 * to the algorithm specified in section 5 of RFC 4346
2222 * This function writes upto @p bufLen bytes into the given output buffer @p buf
2224 * @param key secret key.
2225 * @param keyLen secret key length.
2226 * @param label A PRF label.
2227 * @param labelLen Actual length of @p label.
2228 * @param random1 Random seed.
2229 * @param random1Len Actual length of @p random1 (may be zero).
2230 * @param random2 Random seed.
2231 * @param random2Len Actual length of @p random2 (may be zero).
2232 * @param buf Output buffer for generated random data.
2233 * @param bufLen Maximum size of @p buf.
2235 * @return The actual number of bytes written to @p buf or @c -1 on error.
2238 static int pHash (const unsigned char *key, size_t keyLen,
2239 const unsigned char *label, size_t labelLen,
2240 const unsigned char *random1, size_t random1Len,
2241 const unsigned char *random2, size_t random2Len,
2242 unsigned char *buf, size_t bufLen)
2244 unsigned char A[RANDOM_LEN] = {0};
2245 unsigned char tmp[RANDOM_LEN] = {0};
2246 size_t dLen; /* digest length */
2247 size_t len = 0; /* result length */
2249 VERIFY_NON_NULL_RET(key, NET_SSL_TAG, "key is NULL", -1);
2250 VERIFY_NON_NULL_RET(label, NET_SSL_TAG, "label is NULL", -1);
2251 VERIFY_NON_NULL_RET(random1, NET_SSL_TAG, "random1 is NULL", -1);
2252 VERIFY_NON_NULL_RET(random2, NET_SSL_TAG, "random2 is NULL", -1);
2253 VERIFY_NON_NULL_RET(buf, NET_SSL_TAG, "buf is NULL", -1);
2255 mbedtls_md_context_t hmacA;
2256 mbedtls_md_context_t hmacP;
2258 mbedtls_md_init(&hmacA);
2259 mbedtls_md_init(&hmacP);
2261 CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
2262 CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
2264 CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacA, key, keyLen );
2265 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, label, labelLen);
2266 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, random1, random1Len);
2267 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, random2, random2Len);
2268 CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
2272 CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
2274 while (len + dLen < bufLen)
2276 CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
2277 CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
2278 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
2279 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
2280 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
2281 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
2283 CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
2287 memcpy(buf, tmp, dLen);
2290 CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacA);
2291 CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacA, key, keyLen);
2292 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, A, dLen);
2293 CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
2296 CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
2297 CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
2298 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
2300 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
2301 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
2302 CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
2303 CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
2305 memcpy(buf, tmp, bufLen - len);
2307 mbedtls_md_free(&hmacA);
2308 mbedtls_md_free(&hmacP);
2310 // exit label required for CHECK_MBEDTLS_RET macro
2312 mbedtls_md_free(&hmacA);
2313 mbedtls_md_free(&hmacP);
2317 CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint,
2318 const uint8_t* label, const size_t labelLen,
2319 const uint8_t* rsrcServerDeviceId, const size_t rsrcServerDeviceIdLen,
2320 const uint8_t* provServerDeviceId, const size_t provServerDeviceIdLen,
2321 uint8_t* ownerPsk, const size_t ownerPskSize)
2323 OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
2324 VERIFY_NON_NULL_RET(endpoint, NET_SSL_TAG, "endpoint is NULL", CA_STATUS_INVALID_PARAM);
2325 VERIFY_NON_NULL_RET(label, NET_SSL_TAG, "label is NULL", CA_STATUS_INVALID_PARAM);
2326 VERIFY_NON_NULL_RET(rsrcServerDeviceId, NET_SSL_TAG, "rsrcId is NULL", CA_STATUS_INVALID_PARAM);
2327 VERIFY_NON_NULL_RET(provServerDeviceId, NET_SSL_TAG, "provId is NULL", CA_STATUS_INVALID_PARAM);
2328 VERIFY_NON_NULL_RET(ownerPsk, NET_SSL_TAG, "ownerPSK is NULL", CA_STATUS_INVALID_PARAM);
2330 oc_mutex_lock(g_sslContextMutex);
2331 if (NULL == g_caSslContext)
2333 OIC_LOG(ERROR, NET_SSL_TAG, "Context is NULL");
2334 oc_mutex_unlock(g_sslContextMutex);
2335 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2336 return CA_STATUS_FAILED;
2338 SslEndPoint_t * tep = GetSslPeer(endpoint);
2341 OIC_LOG(ERROR, NET_SSL_TAG, "Session does not exist");
2342 oc_mutex_unlock(g_sslContextMutex);
2343 return CA_STATUS_FAILED;
2346 // keyBlockLen set up according to OIC 1.1 Security Specification Section 7.3.2
2350 int keyBlockLen = 0;
2351 if (MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
2352 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
2353 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
2354 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher)
2356 // 2 * ( 32 + 0 + 16 ) = 96
2357 macKeyLen = SHA256_MAC_KEY_LENGTH;
2358 ivSize = CBC_IV_LENGTH;
2359 keySize = AES128_KEY_LENGTH;
2361 else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM == g_caSslContext->selectedCipher ||
2362 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caSslContext->selectedCipher)
2364 // 2 * ( 0 + 4 + 16 ) = 40
2365 macKeyLen = CCM_MAC_KEY_LENGTH;
2366 ivSize = CCM_IV_LENGTH;
2367 keySize = AES128_KEY_LENGTH;
2369 else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher)
2371 // 2 * ( 32 + 12 + 16 ) = 120
2372 macKeyLen = SHA256_MAC_KEY_LENGTH;
2373 ivSize = GCM_IV_LENGTH;
2374 keySize = AES128_KEY_LENGTH;
2376 else if (MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 == g_caSslContext->selectedCipher)
2378 // 2 * ( 32 + 0 + 32 ) = 128
2379 macKeyLen = SHA256_MAC_KEY_LENGTH;
2380 ivSize = CBC_IV_LENGTH;
2381 keySize = AES256_KEY_LENGTH;
2383 else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 == g_caSslContext->selectedCipher)
2385 // 2 * ( 48 + 0 + 32 ) = 160
2386 macKeyLen = SHA384_MAC_KEY_LENGTH;
2387 ivSize = CBC_IV_LENGTH;
2388 keySize = AES256_KEY_LENGTH;
2390 else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 == g_caSslContext->selectedCipher)
2392 // 2 * ( 48 + 12 + 32 ) = 184
2393 macKeyLen = SHA384_MAC_KEY_LENGTH;
2394 ivSize = GCM_IV_LENGTH;
2395 keySize = AES256_KEY_LENGTH;
2397 else if (MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher)
2399 // 2 * ( 48 + 12 + 32 ) = 184
2400 macKeyLen = SHA256_MAC_KEY_LENGTH;
2401 ivSize = GCM_IV_LENGTH;
2402 keySize = AES128_KEY_LENGTH;
2404 keyBlockLen = 2 * (macKeyLen + keySize + ivSize);
2406 uint8_t * keyblock = (uint8_t *)OICMalloc(keyBlockLen);
2407 if (NULL == keyblock)
2409 OIC_LOG(ERROR, NET_SSL_TAG, "Failed to OICMalloc for keyblock");
2410 oc_mutex_unlock(g_sslContextMutex);
2411 return CA_STATUS_FAILED;
2415 uint8_t lab[] = {0x6b, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e};
2416 int ret = pHash(tep->master, sizeof(tep->master), lab, sizeof(lab),
2417 (tep->random) + RANDOM_LEN, RANDOM_LEN, tep->random, RANDOM_LEN,
2418 keyblock, keyBlockLen);
2421 OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated");
2423 oc_mutex_unlock(g_sslContextMutex);
2424 return CA_STATUS_FAILED;
2427 ret = pHash(keyblock, keyBlockLen, label, labelLen,
2428 rsrcServerDeviceId, rsrcServerDeviceIdLen,
2429 provServerDeviceId, provServerDeviceIdLen,
2430 ownerPsk, ownerPskSize);
2433 OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated");
2435 oc_mutex_unlock(g_sslContextMutex);
2436 return CA_STATUS_FAILED;
2440 oc_mutex_unlock(g_sslContextMutex);
2442 OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
2443 return CA_STATUS_OK;