1 /******************************************************************
3 * Copyright 2016 Samsung Electronics All Rights Reserved.
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 ******************************************************************/
24 #include "ca_adapter_net_tls.h"
26 #include "caipinterface.h"
27 #include "oic_malloc.h"
28 #include "pkix/byte_array.h"
31 // headers required for mbed TLS
32 #include "mbedtls/platform.h"
33 #include "mbedtls/ssl.h"
34 #include "mbedtls/entropy.h"
35 #include "mbedtls/ctr_drbg.h"
36 #include "mbedtls/pkcs12.h"
37 #include "mbedtls/ssl_internal.h"
40 #include "mbedtls/debug.h"
41 #include "mbedtls/version.h"
45 #include <sys/types.h>
51 #include "pkix/byte_array.h"
54 * @def MBED_TLS_VERSION_LEN
55 * @brief mbedTLS version string length
57 #define MBED_TLS_VERSION_LEN (16)
60 * @brief Seed for initialization RNG
62 #define SEED "IOTIVITY_RND"
65 * @brief uuid prefix in certificate subject field
67 #define UUID_PREFIX "uuid:"
70 * @brief userid prefix in certificate alternative subject name field
72 #define USERID_PREFIX "userid:"
76 * @brief Logging tag for module name
78 #define NET_TLS_TAG "OIC_CA_NET_TLS"
81 * @brief Logging tag for mbedTLS library
83 #define MBED_TLS_TAG "OIC_MBED_TLS"
85 * @def MMBED_TLS_DEBUG_LEVEL
86 * @brief Logging level for mbedTLS library
88 #define MBED_TLS_DEBUG_LEVEL (4) // Verbose
91 * @def TLS_MSG_BUF_LEN
92 * @brief Buffer size for TLS record. A single TLS record may be up to 16384 octets in length
95 #define TLS_MSG_BUF_LEN (16384)
98 * @brief PSK keys max length
100 #define PSK_LENGTH (256/8)
102 * @def UUID_LENGTHPSK_LENGTH
103 * @brief Identity max length
105 #define UUID_LENGTH (128/8)
107 * @def MASTER_SECRET_LEN
108 * @brief TLS master secret length
110 #define MASTER_SECRET_LEN (48)
112 #define TLS_CLOSE_NOTIFY(peer, ret) \
115 ret = mbedtls_ssl_close_notify(&peer->ssl); \
116 } while (MBEDTLS_ERR_SSL_WANT_WRITE == ret)
118 #define TLS_RET_HANDSHAKE_RES(peer) \
119 if (g_tlsHandshakeCallback) \
121 CAErrorInfo_t errorInfo = {.result = CA_STATUS_FAILED}; \
122 g_tlsHandshakeCallback(&peer->sep.endpoint, &errorInfo); \
125 #define TLS_CHECK_HANDSHAKE_FAIL(peer, ret, str, mutex, error) \
126 if (0 != ret && MBEDTLS_ERR_SSL_WANT_READ != ret && MBEDTLS_ERR_SSL_WANT_WRITE != ret) \
128 OIC_LOG_V(ERROR, NET_TLS_TAG, "%s: -0x%x", str, -ret); \
129 TLS_CLOSE_NOTIFY(peer, ret); \
130 TLS_RET_HANDSHAKE_RES(peer); \
131 removePeerFromList(&peer->sep.endpoint); \
134 ca_mutex_unlock(g_tlsContextMutex); \
141 ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA,
142 ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
143 ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256,
144 ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
150 ADAPTER_CURVE_SECP256R1,
154 int tlsCipher[ADAPTER_CIPHER_MAX][2] =
156 {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, 0},
157 {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 0},
158 {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0},
159 {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0}
162 mbedtls_ecp_group_id curve[ADAPTER_CURVE_MAX][2] =
164 {MBEDTLS_ECP_DP_SECP256R1, 0}
167 //TODO add description
168 static PkiInfo_t g_pkiInfo = {{NULL, 0}, {NULL, 0}, {NULL, 0}, {NULL, 0}};
172 * Pass a message to the OIC logger.
174 * @param[in] ctx opaque context for the callback
175 * @param[in] level debug level
176 * @param[in] file file name
177 * @param[in] line line number
178 * @param[in] str message
180 static void debugTls(void *ctx, int level, const char *file, int line, const char *str)
186 OIC_LOG_V(DEBUG, MBED_TLS_TAG, "%s", str);
187 fflush((FILE *) ctx);
192 * structure to holds the information of cache message and address info.
194 typedef ByteArray TlsCacheMessage_t;
198 * Data structure for holding the send and recv callbacks.
200 typedef struct TlsCallBacks
202 CAPacketReceivedCallback recvCallback; /**< Callback used to send data to upper layer. */
203 CAPacketSendCallback sendCallback; /**< Callback used to send data to socket layer. */
207 * Data structure for holding the mbedTLS interface related info.
209 typedef struct TlsContext
211 u_arraylist_t *peerList; /**< peer list which holds the mapping between
212 peer id, it's n/w address and mbedTLS context. */
213 mbedtls_entropy_context entropy;
214 mbedtls_ctr_drbg_context rnd;
216 mbedtls_x509_crt crt;
217 mbedtls_pk_context pkey;
218 mbedtls_ssl_config clientConf;
219 mbedtls_ssl_config serverConf;
220 AdapterCipher_t cipher;
221 TlsCallbacks_t adapterCallbacks[MAX_SUPPORTED_ADAPTERS];
222 mbedtls_x509_crl crl;
227 * @var g_caTlsContext
228 * @brief global context which holds tls context and cache list information.
230 static TlsContext_t * g_caTlsContext = NULL;
233 * @var g_getCredentialsCallback
234 * @brief callback to get TLS credentials (same as for DTLS)
236 static CAGetDTLSPskCredentialsHandler g_getCredentialsCallback = NULL;
239 * @var g_getPkixInfoCallback
241 * @brief callback to get X.509-based Public Key Infrastructure
243 static CAgetPkixInfoHandler g_getPkixInfoCallback = NULL;
246 * @var g_dtlsContextMutex
247 * @brief Mutex to synchronize access to g_caTlsContext.
249 static ca_mutex g_tlsContextMutex = NULL;
252 * @var g_tlsHandshakeCallback
253 * @brief callback to deliver the TLS handshake result
255 static CAErrorCallback g_tlsHandshakeCallback = NULL;
258 * Data structure for holding the data to be rceived.
260 typedef struct TlsRecBuf
268 * Data structure for holding the data related to endpoint
271 typedef struct TlsEndPoint
273 mbedtls_ssl_context ssl;
274 CASecureEndpoint_t sep;
275 u_arraylist_t * cacheList;
277 uint8_t master[MASTER_SECRET_LEN];
280 void CAsetTlsCredentialsCallback(CAGetDTLSPskCredentialsHandler credCallback)
282 // TODO Does this method needs protection of tlsContextMutex?
283 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
284 g_getCredentialsCallback = credCallback;
285 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
288 void CAsetPkixInfoCallback(CAgetPkixInfoHandler infoCallback)
290 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
291 g_getPkixInfoCallback = infoCallback;
292 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
297 * @param[in] tep TLS endpoint
298 * @param[in] data message
299 * @param[in] dataLen message length
301 * @return message length
303 static int sendTls(void * tep, const unsigned char * data, size_t dataLen)
305 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
306 VERIFY_NON_NULL_RET(tep, NET_TLS_TAG, "secure endpoint is NULL", 0);
307 VERIFY_NON_NULL_RET(data, NET_TLS_TAG, "data is NULL", 0);
308 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Data len: %zu", dataLen);
310 g_caTlsContext->adapterCallbacks[0].sendCallback(&(((TlsEndPoint_t * )tep)->sep.endpoint),
311 (const void *) data, (uint32_t) dataLen);
312 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
318 * @param[in] tep TLS endpoint
319 * @param[in] data message
320 * @param[in] dataLen message length
322 * @return read length
324 static int recvTls(void * tep, unsigned char * data, size_t dataLen)
326 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
327 VERIFY_NON_NULL_RET(tep, NET_TLS_TAG, "endpoint is NULL", 0);
328 VERIFY_NON_NULL_RET(data, NET_TLS_TAG, "data is NULL", 0);
330 TlsRecBuf_t *recBuf = &((TlsEndPoint_t *)tep)->recBuf;
331 size_t retLen = (recBuf->len > recBuf->loaded ? recBuf->len - recBuf->loaded : 0);
332 retLen = (retLen < dataLen ? retLen : dataLen);
334 memcpy(data, recBuf->buff + recBuf->loaded, retLen);
335 recBuf->loaded += retLen;
337 OIC_LOG_BUFFER(DEBUG, NET_TLS_TAG, data, retLen);
338 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
342 //TODO add description
343 static int parseChain(mbedtls_x509_crt * crt, const unsigned char * buf, int buflen)
345 VERIFY_NON_NULL_RET(crt, NET_TLS_TAG, "Param crt is NULL" , -1);
346 VERIFY_NON_NULL_RET(buf, NET_TLS_TAG, "Param buf is NULL" , -1);
353 if (0x30 == buf[pos] && 0x82 == buf[pos + 1] && pos + 3 < buflen)
355 len = (((int) buf[pos+2]) << 8) | buf[pos+3];
356 if (pos + len < buflen)
358 ret = mbedtls_x509_crt_parse_der(crt, buf+pos, len+4);
361 OIC_LOG_V(ERROR, NET_TLS_TAG, "mbedtls_x509_crt_parse returned -0x%x", -ret);
369 OIC_LOG_V(ERROR, NET_TLS_TAG, "mbedtls_x509_crt_parse returned -0x%x", -ret);
375 //TODO add description
376 static int loadX509()
378 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
379 VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_TLS_TAG, "PKIX info callback is NULL", -1);
381 g_getPkixInfoCallback(&g_pkiInfo);
383 int ret = parseChain(&g_caTlsContext->ca, g_pkiInfo.ca.data, g_pkiInfo.ca.len);
386 OIC_LOG(ERROR, NET_TLS_TAG, "CA chain parsing error");
387 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
390 ret = parseChain(&g_caTlsContext->crt, g_pkiInfo.crt.data, g_pkiInfo.crt.len);
393 OIC_LOG(ERROR, NET_TLS_TAG, "Own certificate chain parsing error");
394 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
398 ret = mbedtls_pk_parse_key(&g_caTlsContext->pkey, g_pkiInfo.key.data, g_pkiInfo.key.len,
402 OIC_LOG(ERROR, NET_TLS_TAG, "Key parsing error");
403 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
406 ret = mbedtls_x509_crl_parse_der(&g_caTlsContext->crl, g_pkiInfo.crl.data, g_pkiInfo.crl.len);
409 OIC_LOG(ERROR, NET_TLS_TAG, "CRL parsing error");
410 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
415 mbedtls_ssl_conf_ca_chain(&g_caTlsContext->clientConf, &g_caTlsContext->ca, NULL);
416 mbedtls_ssl_conf_ca_chain(&g_caTlsContext->serverConf, &g_caTlsContext->ca, NULL);
418 ret = mbedtls_ssl_conf_own_cert(&g_caTlsContext->serverConf, &g_caTlsContext->crt,
419 &g_caTlsContext->pkey);
422 OIC_LOG(ERROR, NET_TLS_TAG, "Certificate parsing error");
423 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
426 ret = mbedtls_ssl_conf_own_cert( &g_caTlsContext->clientConf, &g_caTlsContext->crt,
427 &g_caTlsContext->pkey);
430 OIC_LOG(ERROR, NET_TLS_TAG, "Certificate parsing error");
431 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
435 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
442 * @param[in] notUsed opaque context
443 * @param[in] ssl mbedTLS context
444 * @param[in] desc identity
445 * @param[in] descLen identity length
447 * @return 0 on success any other return value will result in a denied PSK identity
449 static int getTlsCredentialsCallback(void * notUsed, mbedtls_ssl_context * ssl,
450 const unsigned char * desc, size_t descLen)
452 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
453 VERIFY_NON_NULL_RET(g_getCredentialsCallback, NET_TLS_TAG, "Credential callback s NULL", -1);
454 VERIFY_NON_NULL_RET(ssl, NET_TLS_TAG, "ssl pointer is NULL", -1);
455 VERIFY_NON_NULL_RET(desc, NET_TLS_TAG, "desc pointer is NULL", -1);
456 if (descLen > CA_MAX_ENDPOINT_IDENTITY_LEN)
458 OIC_LOG(ERROR, NET_TLS_TAG, "desc too long!");
462 uint8_t keyBuf[PSK_LENGTH] = {0};
464 // Retrieve the credentials blob from security module
465 int ret = g_getCredentialsCallback(2, desc, descLen, keyBuf, PSK_LENGTH);
468 memcpy(((TlsEndPoint_t *) ssl)->sep.identity.id, desc, descLen);
469 ((TlsEndPoint_t *) ssl)->sep.identity.id_length = descLen;
471 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
472 return(mbedtls_ssl_set_hs_psk(ssl, keyBuf, PSK_LENGTH));
474 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
478 * Gets session corresponding for endpoint.
480 * @param[in] peer remote address
482 * @return TLS session or NULL
484 static TlsEndPoint_t *getTlsPeer(const CAEndpoint_t *peer)
486 uint32_t listIndex = 0;
487 uint32_t listLength = 0;
488 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
489 VERIFY_NON_NULL_RET(peer, NET_TLS_TAG, "TLS peer is NULL", NULL);
491 TlsEndPoint_t *tep = NULL;
492 listLength = u_arraylist_length(g_caTlsContext->peerList);
493 for (listIndex = 0; listIndex < listLength; listIndex++)
495 tep = (TlsEndPoint_t *) u_arraylist_get(g_caTlsContext->peerList, listIndex);
500 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Compare [%s] and [%s]", peer->addr, tep->sep.endpoint.addr);
501 if((0 == strncmp(peer->addr, tep->sep.endpoint.addr, MAX_ADDR_STR_SIZE_CA))
502 && (peer->port == tep->sep.endpoint.port))
504 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
508 OIC_LOG(DEBUG, NET_TLS_TAG, "Return NULL");
509 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
513 * Deletes cached message.
515 * @param[in] msg message
517 static void deleteTlsCacheMessage(TlsCacheMessage_t * msg)
519 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
520 VERIFY_NON_NULL_VOID(msg, NET_TLS_TAG, "msg");
525 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
528 * Deletes cached message list.
530 * @param[in] cacheList list of cached messages
532 static void deleteCacheList(u_arraylist_t * cacheList)
534 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
535 VERIFY_NON_NULL_VOID(cacheList, NET_TLS_TAG, "cacheList");
536 uint32_t listIndex = 0;
537 uint32_t listLength = 0;
539 listLength = u_arraylist_length(cacheList);
540 for (listIndex = 0; listIndex < listLength; listIndex++)
542 TlsCacheMessage_t * msg = (TlsCacheMessage_t *) u_arraylist_get(cacheList, listIndex);
545 deleteTlsCacheMessage(msg);
548 u_arraylist_free(&cacheList);
550 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
553 * Deletes endpoint with session.
555 * @param[in] tep endpoint with session info
557 static void deleteTlsEndPoint(TlsEndPoint_t * tep)
559 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
560 VERIFY_NON_NULL_VOID(tep, NET_TLS_TAG, "tep");
562 mbedtls_ssl_free(&tep->ssl);
563 deleteCacheList(tep->cacheList);
565 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
568 * Removes endpoint session from list.
570 * @param[in] endpoint remote address
572 static void removePeerFromList(CAEndpoint_t * endpoint)
574 uint32_t listLength = u_arraylist_length(g_caTlsContext->peerList);
575 VERIFY_NON_NULL_VOID(endpoint, NET_TLS_TAG, "endpoint");
576 for (uint32_t listIndex = 0; listIndex < listLength; listIndex++)
578 TlsEndPoint_t * tep = (TlsEndPoint_t *)u_arraylist_get(g_caTlsContext->peerList,listIndex);
583 if(0 == strncmp(endpoint->addr, tep->sep.endpoint.addr, MAX_ADDR_STR_SIZE_CA)
584 && (endpoint->port == tep->sep.endpoint.port))
586 u_arraylist_remove(g_caTlsContext->peerList, listIndex);
587 deleteTlsEndPoint(tep);
593 * Deletes session list.
595 static void deletePeerList()
597 uint32_t listLength = u_arraylist_length(g_caTlsContext->peerList);
598 for (uint32_t listIndex = 0; listIndex < listLength; listIndex++)
600 TlsEndPoint_t * tep = (TlsEndPoint_t *)u_arraylist_get(g_caTlsContext->peerList,listIndex);
605 deleteTlsEndPoint(tep);
607 u_arraylist_free(&g_caTlsContext->peerList);
610 CAResult_t CAcloseTlsConnection(const CAEndpoint_t *endpoint)
612 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
613 VERIFY_NON_NULL_RET(endpoint, NET_TLS_TAG, "Param endpoint is NULL" , CA_STATUS_INVALID_PARAM);
615 ca_mutex_lock(g_tlsContextMutex);
616 if (NULL == g_caTlsContext)
618 OIC_LOG(ERROR, NET_TLS_TAG, "Context is NULL");
619 ca_mutex_unlock(g_tlsContextMutex);
620 return CA_STATUS_FAILED;
622 TlsEndPoint_t * tep = getTlsPeer(endpoint);
625 OIC_LOG(ERROR, NET_TLS_TAG, "Session does not exist");
626 ca_mutex_unlock(g_tlsContextMutex);
627 return CA_STATUS_FAILED;
629 /* No error checking, the connection might be closed already */
633 ret = mbedtls_ssl_close_notify(&tep->ssl);
635 while (MBEDTLS_ERR_SSL_WANT_WRITE == ret);
637 removePeerFromList(&tep->sep.endpoint);
638 ca_mutex_unlock(g_tlsContextMutex);
640 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
644 * Creates session for endpoint.
646 * @param[in] endpoint remote address
647 * @param[in] config mbedTLS configuration info
649 * @return TLS endpoint or NULL
651 static TlsEndPoint_t * newTlsEndPoint(const CAEndpoint_t * endpoint, mbedtls_ssl_config * config)
653 TlsEndPoint_t * tep = NULL;
654 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
655 VERIFY_NON_NULL_RET(endpoint, NET_TLS_TAG, "endpoint", NULL);
656 VERIFY_NON_NULL_RET(config, NET_TLS_TAG, "config", NULL);
658 tep = (TlsEndPoint_t *) OICCalloc(1, sizeof (TlsEndPoint_t));
661 OIC_LOG(ERROR, NET_TLS_TAG, "Malloc failed!");
665 tep->sep.endpoint = *endpoint;
666 tep->sep.endpoint.flags |= CA_SECURE;
668 if(0 != mbedtls_ssl_setup( &tep->ssl, config))
670 OIC_LOG(ERROR, NET_TLS_TAG, "Setup failed");
672 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
676 mbedtls_ssl_set_bio(&tep->ssl, tep, sendTls, recvTls, NULL);
678 tep->cacheList = u_arraylist_create();
679 if (NULL == tep->cacheList)
681 OIC_LOG(ERROR, NET_TLS_TAG, "cacheList initialization failed!");
682 mbedtls_ssl_free(&tep->ssl);
684 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
687 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
691 * Initializes PSK identity.
693 * @param[out] config client/server config to be updated
695 * @return 0 on success or -1 on error
697 static int initPskIdentity(mbedtls_ssl_config * config)
699 uint8_t idBuf[UUID_LENGTH] = {0};
700 VERIFY_NON_NULL_RET(config, NET_TLS_TAG, "Param config is NULL" , -1);
702 if (0 > g_getCredentialsCallback(CA_DTLS_PSK_IDENTITY, NULL, 0, idBuf, UUID_LENGTH))
704 OIC_LOG(ERROR, NET_TLS_TAG, "Identity not found");
707 if (0 != mbedtls_ssl_conf_psk(config, idBuf, 0, idBuf, UUID_LENGTH))
709 OIC_LOG(ERROR, NET_TLS_TAG, "Identity initialization failed!");
715 * Initiate TLS handshake with endpoint.
717 * @param[in] endpoint remote address
719 * @return TLS endpoint or NULL
721 static TlsEndPoint_t * initiateTlsHandshake(const CAEndpoint_t *endpoint)
724 TlsEndPoint_t * tep = NULL;
726 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
727 VERIFY_NON_NULL_RET(endpoint, NET_TLS_TAG, "Param endpoint is NULL" , NULL);
729 // Retrieve the credentials blob from security module
730 if (ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caTlsContext->cipher &&
731 0 != initPskIdentity(&g_caTlsContext->clientConf))
733 OIC_LOG(ERROR, NET_TLS_TAG, "Client PSK identity initialization failed!");
737 tep = newTlsEndPoint(endpoint, &g_caTlsContext->clientConf);
740 OIC_LOG(ERROR, NET_TLS_TAG, "Malloc failed!");
744 if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caTlsContext->cipher ||
745 ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA == g_caTlsContext->cipher)
750 OIC_LOG(ERROR, NET_TLS_TAG, "Failed to init X.509");
751 deleteTlsEndPoint(tep);
756 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Add %s:%d", tep->sep.endpoint.addr, tep->sep.endpoint.port);
757 ret = u_arraylist_add(g_caTlsContext->peerList, (void *) tep);
760 OIC_LOG(ERROR, NET_TLS_TAG, "u_arraylist_add failed!");
761 deleteTlsEndPoint(tep);
765 while (MBEDTLS_SSL_HANDSHAKE_OVER > tep->ssl.state)
767 ret = mbedtls_ssl_handshake_step(&tep->ssl);
768 if (MBEDTLS_ERR_SSL_CONN_EOF == ret)
772 TLS_CHECK_HANDSHAKE_FAIL(tep, ret, "Handshake error", 0, NULL);
774 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
778 void CAdeinitTlsAdapter()
780 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
782 VERIFY_NON_NULL_VOID(g_caTlsContext, NET_TLS_TAG, "context is NULL");
783 VERIFY_NON_NULL_VOID(g_tlsContextMutex, NET_TLS_TAG, "context mutex is NULL");
785 //Lock tlsContext mutex
786 ca_mutex_lock(g_tlsContextMutex);
791 // De-initialize mbedTLS
792 mbedtls_x509_crt_free(&g_caTlsContext->crt);
793 mbedtls_pk_free(&g_caTlsContext->pkey);
794 mbedtls_ssl_config_free(&g_caTlsContext->clientConf);
795 mbedtls_ssl_config_free(&g_caTlsContext->serverConf);
796 mbedtls_ctr_drbg_free(&g_caTlsContext->rnd);
797 mbedtls_entropy_free(&g_caTlsContext->entropy);
799 // De-initialize tls Context
800 OICFree(g_caTlsContext);
801 g_caTlsContext = NULL;
803 // Unlock tlsContext mutex and de-initialize it
804 ca_mutex_unlock(g_tlsContextMutex);
805 ca_mutex_free(g_tlsContextMutex);
806 g_tlsContextMutex = NULL;
808 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s ", __func__);
811 CAResult_t CAinitTlsAdapter()
813 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
815 // Initialize mutex for tlsContext
816 if (NULL == g_tlsContextMutex)
818 g_tlsContextMutex = ca_mutex_new();
819 VERIFY_NON_NULL_RET(g_tlsContextMutex, NET_TLS_TAG, "malloc failed",
820 CA_MEMORY_ALLOC_FAILED);
824 OIC_LOG(ERROR, NET_TLS_TAG, "CAAdapterNettlsInit done already!");
828 // Lock tlsContext mutex and create tlsContext
829 ca_mutex_lock(g_tlsContextMutex);
830 g_caTlsContext = (TlsContext_t *)OICCalloc(1, sizeof(TlsContext_t));
832 if (NULL == g_caTlsContext)
834 OIC_LOG(ERROR, NET_TLS_TAG, "Context malloc failed");
835 ca_mutex_unlock(g_tlsContextMutex);
836 ca_mutex_free(g_tlsContextMutex);
837 g_tlsContextMutex = NULL;
838 return CA_MEMORY_ALLOC_FAILED;
842 g_caTlsContext->peerList = u_arraylist_create();
844 if(NULL == g_caTlsContext->peerList)
846 OIC_LOG(ERROR, NET_TLS_TAG, "peerList initialization failed!");
847 OICFree(g_caTlsContext);
848 g_caTlsContext = NULL;
849 ca_mutex_unlock(g_tlsContextMutex);
850 ca_mutex_free(g_tlsContextMutex);
851 g_tlsContextMutex = NULL;
852 return CA_STATUS_FAILED;
855 /* Initialize TLS library
858 char version[MBED_TLS_VERSION_LEN];
859 mbedtls_version_get_string(version);
860 OIC_LOG_V(INFO, NET_TLS_TAG, "mbed TLS version: %s", version);
865 mbedtls_entropy_init(&g_caTlsContext->entropy);
866 mbedtls_ctr_drbg_init(&g_caTlsContext->rnd);
869 unsigned char seed[sizeof(SEED)] = {0};
871 urandomFd = open("/dev/urandom", O_RDONLY);
874 OIC_LOG(ERROR, NET_TLS_TAG, "Fails open /dev/urandom!");
875 ca_mutex_unlock(g_tlsContextMutex);
876 CAdeinitTlsAdapter();
877 return CA_STATUS_FAILED;
879 if(0 > read(urandomFd, seed, sizeof(seed)))
881 OIC_LOG(ERROR, NET_TLS_TAG, "Fails read from /dev/urandom!");
883 ca_mutex_unlock(g_tlsContextMutex);
884 CAdeinitTlsAdapter();
885 return CA_STATUS_FAILED;
890 unsigned char * seed = (unsigned char*) SEED;
892 if(0 != mbedtls_ctr_drbg_seed(&g_caTlsContext->rnd, mbedtls_entropy_func,
893 &g_caTlsContext->entropy, seed, sizeof(SEED)))
895 OIC_LOG(ERROR, NET_TLS_TAG, "Seed initialization failed!");
896 ca_mutex_unlock(g_tlsContextMutex);
897 CAdeinitTlsAdapter();
898 return CA_STATUS_FAILED;
900 mbedtls_ctr_drbg_set_prediction_resistance(&g_caTlsContext->rnd, MBEDTLS_CTR_DRBG_PR_OFF);
902 /* Client SSL configuration
904 mbedtls_ssl_config_init(&g_caTlsContext->clientConf);
905 if (mbedtls_ssl_config_defaults(&g_caTlsContext->clientConf, MBEDTLS_SSL_IS_CLIENT,
906 MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0)
908 OIC_LOG(ERROR, NET_TLS_TAG, "Client config initialization failed!");
909 ca_mutex_unlock(g_tlsContextMutex);
910 CAdeinitTlsAdapter();
911 return CA_STATUS_FAILED;
914 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
916 mbedtls_ssl_conf_psk_cb(&g_caTlsContext->clientConf, getTlsCredentialsCallback, NULL);
917 mbedtls_ssl_conf_rng( &g_caTlsContext->clientConf, mbedtls_ctr_drbg_random,
918 &g_caTlsContext->rnd);
919 mbedtls_ssl_conf_curves(&g_caTlsContext->clientConf, curve[ADAPTER_CURVE_SECP256R1]);
920 mbedtls_ssl_conf_min_version(&g_caTlsContext->clientConf, MBEDTLS_SSL_MAJOR_VERSION_3,
921 MBEDTLS_SSL_MINOR_VERSION_1);
922 mbedtls_ssl_conf_renegotiation(&g_caTlsContext->clientConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
924 mbedtls_ssl_conf_authmode(&g_caTlsContext->clientConf, MBEDTLS_SSL_VERIFY_REQUIRED);
926 mbedtls_ssl_conf_dbg( &g_caTlsContext->clientConf, debugTls, NULL);
929 /* Server SSL configuration
931 mbedtls_ssl_config_init(&g_caTlsContext->serverConf);
932 if (mbedtls_ssl_config_defaults(&g_caTlsContext->serverConf, MBEDTLS_SSL_IS_SERVER,
933 MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0)
935 OIC_LOG(ERROR, NET_TLS_TAG, "Server config initialization failed!");
936 ca_mutex_unlock(g_tlsContextMutex);
937 CAdeinitTlsAdapter();
938 return CA_STATUS_FAILED;
941 mbedtls_ssl_conf_psk_cb(&g_caTlsContext->serverConf, getTlsCredentialsCallback, NULL);
942 mbedtls_ssl_conf_rng( &g_caTlsContext->serverConf, mbedtls_ctr_drbg_random,
943 &g_caTlsContext->rnd);
944 mbedtls_ssl_conf_curves(&g_caTlsContext->serverConf, curve[ADAPTER_CURVE_SECP256R1]);
945 mbedtls_ssl_conf_min_version(&g_caTlsContext->serverConf, MBEDTLS_SSL_MAJOR_VERSION_3,
946 MBEDTLS_SSL_MINOR_VERSION_1);
947 mbedtls_ssl_conf_renegotiation(&g_caTlsContext->serverConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
948 mbedtls_ssl_conf_authmode(&g_caTlsContext->serverConf, MBEDTLS_SSL_VERIFY_REQUIRED);
951 mbedtls_ssl_conf_dbg( &g_caTlsContext->serverConf, debugTls, NULL);
952 mbedtls_debug_set_threshold(MBED_TLS_DEBUG_LEVEL);
955 // set default cipher to PSK
956 CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
959 mbedtls_x509_crt_init(&g_caTlsContext->ca);
960 mbedtls_x509_crt_init(&g_caTlsContext->crt);
961 mbedtls_pk_init(&g_caTlsContext->pkey);
962 mbedtls_x509_crl_init(&g_caTlsContext->crl);
964 ca_mutex_unlock(g_tlsContextMutex);
966 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
970 * Creates cache message structure and fills with data.
972 * @param[in] data data array
973 * @param[in] dataLen data array length
975 * @return message or NULL
977 TlsCacheMessage_t * newTlsCacheMessage(uint8_t * data, size_t dataLen)
979 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
980 VERIFY_NON_NULL_RET(data, NET_TLS_TAG, "Param data is NULL" , NULL);
983 OIC_LOG(ERROR, NET_TLS_TAG, "dataLen is equal to zero");
984 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
987 TlsCacheMessage_t * message = (TlsCacheMessage_t *) OICCalloc(1, sizeof(TlsCacheMessage_t));
990 OIC_LOG(ERROR, NET_TLS_TAG, "calloc failed!");
991 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
995 message->data = (uint8_t *)OICCalloc(dataLen, sizeof(uint8_t));
996 if (NULL == message->data)
998 OIC_LOG(ERROR, NET_TLS_TAG, "calloc failed!");
1000 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1003 memcpy(message->data, data, dataLen);
1004 message->len = dataLen;
1005 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1009 /* Send data via TLS connection.
1011 CAResult_t CAencryptTls(const CAEndpoint_t *endpoint,
1012 void *data, uint32_t dataLen)
1016 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s ", __func__);
1018 VERIFY_NON_NULL_RET(endpoint, NET_TLS_TAG,"Remote address is NULL", CA_STATUS_INVALID_PARAM);
1019 VERIFY_NON_NULL_RET(data, NET_TLS_TAG, "Data is NULL", CA_STATUS_INVALID_PARAM);
1023 OIC_LOG_V(ERROR, NET_TLS_TAG, "dataLen is zero [%d]", dataLen);
1024 return CA_STATUS_FAILED;
1027 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Data to be encrypted dataLen [%d]", dataLen);
1029 ca_mutex_lock(g_tlsContextMutex);
1030 if(NULL == g_caTlsContext)
1032 OIC_LOG(ERROR, NET_TLS_TAG, "Context is NULL");
1033 ca_mutex_unlock(g_tlsContextMutex);
1034 return CA_STATUS_FAILED;
1037 TlsEndPoint_t * tep = getTlsPeer(endpoint);
1040 tep = initiateTlsHandshake(endpoint);
1044 OIC_LOG(ERROR, NET_TLS_TAG, "TLS handshake failed");
1045 ca_mutex_unlock(g_tlsContextMutex);
1046 return CA_STATUS_FAILED;
1049 if (MBEDTLS_SSL_HANDSHAKE_OVER == tep->ssl.state)
1051 ret = mbedtls_ssl_write(&tep->ssl, (unsigned char *) data, dataLen);
1055 OIC_LOG_V(ERROR, NET_TLS_TAG, "mbedTLS write returned %d", ret);
1056 if (g_tlsHandshakeCallback)
1058 CAErrorInfo_t errorInfo = {.result = CA_STATUS_FAILED};
1059 g_tlsHandshakeCallback(&tep->sep.endpoint, &errorInfo);
1061 removePeerFromList(&tep->sep.endpoint);
1062 ca_mutex_unlock(g_tlsContextMutex);
1063 return CA_STATUS_FAILED;
1068 TlsCacheMessage_t * msg = newTlsCacheMessage(data, dataLen);
1069 if (NULL == msg || !u_arraylist_add(tep->cacheList, (void *) msg))
1071 OIC_LOG(ERROR, NET_TLS_TAG, "u_arraylist_add failed!");
1072 ca_mutex_unlock(g_tlsContextMutex);
1073 return CA_STATUS_FAILED;
1077 ca_mutex_unlock(g_tlsContextMutex);
1079 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1080 return CA_STATUS_OK;
1083 * Sends cached messages via TLS connection.
1085 * @param[in] tep remote address with session info
1087 static void sendCacheMessages(TlsEndPoint_t * tep)
1089 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1090 VERIFY_NON_NULL_VOID(tep, NET_TLS_TAG, "Param tep is NULL");
1092 uint32_t listIndex = 0;
1093 uint32_t listLength = 0;
1094 listLength = u_arraylist_length(tep->cacheList);
1095 for (listIndex = 0; listIndex < listLength;)
1098 TlsCacheMessage_t * msg = (TlsCacheMessage_t *) u_arraylist_get(tep->cacheList, listIndex);
1099 if (NULL != msg && NULL != msg->data && 0 != msg->len)
1103 ret = mbedtls_ssl_write(&tep->ssl, (unsigned char *) msg->data, msg->len);
1105 while(MBEDTLS_ERR_SSL_WANT_WRITE == ret);
1109 OIC_LOG_V(ERROR, NET_TLS_TAG,"mbedTLS write returned %d", ret );
1111 if (u_arraylist_remove(tep->cacheList, listIndex))
1113 deleteTlsCacheMessage(msg);
1114 // Reduce list length by 1 as we removed one element.
1119 OIC_LOG(ERROR, NET_TLS_TAG, "u_arraylist_remove failed.");
1125 // Move to the next element
1129 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1132 void CAsetTlsHandshakeCallback(CAErrorCallback tlsHandshakeCallback)
1134 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1135 g_tlsHandshakeCallback = tlsHandshakeCallback;
1136 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1138 // TODO move ConvertStrToUuid function to common module
1140 * Converts string UUID to CARemoteId_t
1142 * @param strUuid Device UUID in string format
1143 * @param uuid converted UUID in CARemoteId_t format
1145 * @return 0 for success.
1147 static int ConvertStrToUuid(const char* strUuid, CARemoteId_t* uuid)
1149 if(NULL == strUuid || NULL == uuid)
1151 OIC_LOG(ERROR, NET_TLS_TAG, "ConvertStrToUuid : Invalid param");
1157 size_t strUuidLen = 0;
1158 char convertedUuid[UUID_LENGTH * 2] = {0};
1160 strUuidLen = strlen(strUuid);
1163 OIC_LOG(INFO, NET_TLS_TAG, "The empty string detected, The UUID will be converted to "\
1164 "\"00000000-0000-0000-0000-000000000000\"");
1166 else if(UUID_LENGTH * 2 + 4 == strUuidLen)
1168 for(uuidIdx=0, urnIdx=0; uuidIdx < UUID_LENGTH ; uuidIdx++, urnIdx+=2)
1170 if(*(strUuid + urnIdx) == '-')
1174 sscanf(strUuid + urnIdx, "%2hhx", &convertedUuid[uuidIdx]);
1179 OIC_LOG(ERROR, NET_TLS_TAG, "Invalid string uuid format");
1183 memcpy(uuid->id, convertedUuid, UUID_LENGTH);
1184 uuid->id_length = UUID_LENGTH;
1188 /* Read data from TLS connection
1190 CAResult_t CAdecryptTls(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t dataLen)
1193 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1194 VERIFY_NON_NULL_RET(sep, NET_TLS_TAG, "endpoint is NULL" , CA_STATUS_INVALID_PARAM);
1195 VERIFY_NON_NULL_RET(data, NET_TLS_TAG, "Param data is NULL" , CA_STATUS_INVALID_PARAM);
1197 ca_mutex_lock(g_tlsContextMutex);
1198 if (NULL == g_caTlsContext)
1200 OIC_LOG(ERROR, NET_TLS_TAG, "Context is NULL");
1201 ca_mutex_unlock(g_tlsContextMutex);
1202 return CA_STATUS_FAILED;
1205 if (ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caTlsContext->cipher &&
1206 0 != initPskIdentity(&g_caTlsContext->serverConf))
1208 ca_mutex_unlock(g_tlsContextMutex);
1209 return CA_STATUS_FAILED;
1212 TlsEndPoint_t * peer = getTlsPeer(&sep->endpoint);
1215 peer = newTlsEndPoint(&sep->endpoint, &g_caTlsContext->serverConf);
1218 OIC_LOG(ERROR, NET_TLS_TAG, "Malloc failed!");
1219 ca_mutex_unlock(g_tlsContextMutex);
1220 return CA_STATUS_FAILED;
1223 if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caTlsContext->cipher ||
1224 ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA == g_caTlsContext->cipher)
1229 OIC_LOG(ERROR, NET_TLS_TAG, "Failed to init X.509");
1230 deleteTlsEndPoint(peer);
1231 ca_mutex_unlock(g_tlsContextMutex);
1232 return CA_STATUS_FAILED;
1236 ret = u_arraylist_add(g_caTlsContext->peerList, (void *) peer);
1239 OIC_LOG(ERROR, NET_TLS_TAG, "u_arraylist_add failed!");
1241 ca_mutex_unlock(g_tlsContextMutex);
1242 return CA_STATUS_FAILED;
1245 OIC_LOG_BUFFER(DEBUG, NET_TLS_TAG, data, dataLen);
1246 peer->recBuf.buff = data;
1247 peer->recBuf.len = dataLen;
1248 peer->recBuf.loaded = 0;
1250 OIC_LOG(DEBUG, NET_TLS_TAG, "Call mbedTLS handshake steps");
1252 while (MBEDTLS_SSL_HANDSHAKE_OVER > peer->ssl.state)
1254 ret = mbedtls_ssl_handshake_step(&peer->ssl);
1255 if (MBEDTLS_ERR_SSL_CONN_EOF == ret)
1259 TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Handshake error", 1, CA_STATUS_FAILED);
1260 if (MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC == peer->ssl.state)
1262 memcpy(peer->master, peer->ssl.session_negotiate->master, sizeof(peer->master));
1265 if (MBEDTLS_SSL_HANDSHAKE_OVER == peer->ssl.state)
1267 if (MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint)
1269 sendCacheMessages(peer);
1270 if (g_tlsHandshakeCallback)
1272 CAErrorInfo_t errorInfo = {.result = CA_STATUS_OK};
1273 g_tlsHandshakeCallback(&peer->sep.endpoint, &errorInfo);
1278 if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caTlsContext->cipher)
1280 char uuid[UUID_LENGTH * 2 + 5] = {0};
1281 void * uuidPos = NULL;
1282 void * userIdPos = NULL;
1283 const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
1284 ret = (NULL == peerCert ? -1 : 0);
1285 TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to retrieve subject",
1286 1, CA_STATUS_FAILED);
1287 ret = mbedtls_ssl_get_verify_result(&peer->ssl);
1288 TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to retrieve subject",
1289 1, CA_STATUS_FAILED);
1290 uuidPos = memmem((void *) peerCert->subject_raw.p, peerCert->subject_raw.len,
1291 (void *) UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
1293 ret = (NULL == uuidPos ? -1 : 0);
1294 TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to retrieve subject",
1295 1, CA_STATUS_FAILED);
1297 memcpy(uuid, uuidPos + sizeof(UUID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
1298 ret = ConvertStrToUuid(uuid, &peer->sep.identity);
1299 TLS_CHECK_HANDSHAKE_FAIL(peer, ret, "Failed to convert subject",
1300 1, CA_STATUS_FAILED);
1302 userIdPos = memmem((void *) peerCert->subject_raw.p, peerCert->subject_raw.len,
1303 (void *) USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
1304 if (NULL != userIdPos)
1306 memcpy(uuid, userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
1307 ret = ConvertStrToUuid(uuid, &peer->sep.userId);
1308 TLS_CHECK_HANDSHAKE_FAIL(peer, ret,
1309 "Failed to convert subject alternative name", 1, CA_STATUS_FAILED);
1313 OIC_LOG(DEBUG, NET_TLS_TAG, "Subject alternative name not found");
1317 ca_mutex_unlock(g_tlsContextMutex);
1318 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1319 return CA_STATUS_OK;
1323 if (MBEDTLS_SSL_HANDSHAKE_OVER == peer->ssl.state)
1325 uint8_t decryptBuffer[TLS_MSG_BUF_LEN] = {0};
1328 ret = mbedtls_ssl_read(&peer->ssl, decryptBuffer, TLS_MSG_BUF_LEN);
1329 } while (MBEDTLS_ERR_SSL_WANT_READ == ret);
1330 if (MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY == ret)
1332 OIC_LOG(INFO, NET_TLS_TAG, "Connection was closed gracefully");
1333 removePeerFromList(&peer->sep.endpoint);
1334 ca_mutex_unlock(g_tlsContextMutex);
1335 return CA_STATUS_OK;
1340 OIC_LOG_V(ERROR, NET_TLS_TAG, "mbedtls_ssl_read returned -0x%x", -ret);
1341 if (g_tlsHandshakeCallback)
1343 CAErrorInfo_t errorInfo = {.result = CA_STATUS_FAILED};
1344 g_tlsHandshakeCallback(&peer->sep.endpoint, &errorInfo);
1346 removePeerFromList(&peer->sep.endpoint);
1347 ca_mutex_unlock(g_tlsContextMutex);
1348 return CA_STATUS_FAILED;
1351 g_caTlsContext->adapterCallbacks[0].recvCallback(&peer->sep, decryptBuffer, ret);
1354 ca_mutex_unlock(g_tlsContextMutex);
1355 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1356 return CA_STATUS_OK;
1359 void CAsetTlsAdapterCallbacks(CAPacketReceivedCallback recvCallback,
1360 CAPacketSendCallback sendCallback,
1361 CATransportAdapter_t type)
1363 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1364 VERIFY_NON_NULL_VOID(sendCallback, NET_TLS_TAG, "sendCallback is NULL");
1365 VERIFY_NON_NULL_VOID(recvCallback, NET_TLS_TAG, "recvCallback is NULL");
1366 ca_mutex_lock(g_tlsContextMutex);
1367 if (NULL == g_caTlsContext)
1369 OIC_LOG(ERROR, NET_TLS_TAG, "Context is NULL");
1370 ca_mutex_unlock(g_tlsContextMutex);
1374 if (MAX_SUPPORTED_ADAPTERS > type)
1376 // TODO: change the zeros to better values.
1377 g_caTlsContext->adapterCallbacks[0].recvCallback = recvCallback;
1378 g_caTlsContext->adapterCallbacks[0].sendCallback = sendCallback;
1381 ca_mutex_unlock(g_tlsContextMutex);
1382 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1385 CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
1387 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1390 case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA:
1392 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->clientConf,
1393 tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
1394 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->serverConf,
1395 tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
1396 g_caTlsContext->cipher = ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA;
1399 case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
1401 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->clientConf,
1402 tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
1403 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->serverConf,
1404 tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
1405 g_caTlsContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
1408 case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256:
1410 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->clientConf,
1411 tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
1412 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->serverConf,
1413 tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
1414 g_caTlsContext->cipher = ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256;
1417 case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:
1419 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->clientConf,
1420 tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
1421 mbedtls_ssl_conf_ciphersuites(&g_caTlsContext->serverConf,
1422 tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
1423 g_caTlsContext->cipher = ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
1428 OIC_LOG(ERROR, NET_TLS_TAG, "Unknown cipher");
1429 return CA_STATUS_FAILED;
1432 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Selected cipher: 0x%x", cipher);
1433 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1434 return CA_STATUS_OK;
1437 CAResult_t CAinitiateTlsHandshake(const CAEndpoint_t *endpoint)
1439 CAResult_t res = CA_STATUS_OK;
1440 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1441 VERIFY_NON_NULL_RET(endpoint, NET_TLS_TAG, "Param endpoint is NULL" , CA_STATUS_INVALID_PARAM);
1442 ca_mutex_lock(g_tlsContextMutex);
1443 if (NULL == initiateTlsHandshake(endpoint))
1445 OIC_LOG(ERROR, NET_TLS_TAG, "TLS handshake failed");
1446 res = CA_STATUS_FAILED;
1448 ca_mutex_unlock(g_tlsContextMutex);
1449 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1453 CAResult_t CAtlsGenerateOwnerPSK(const CAEndpoint_t *endpoint,
1454 uint8_t* ownerPSK, const size_t ownerPSKSize,
1455 const uint8_t* deviceID, const size_t deviceIDLen)
1457 OIC_LOG_V(DEBUG, NET_TLS_TAG, "In %s", __func__);
1459 VERIFY_NON_NULL_RET(ownerPSK, NET_TLS_TAG, "ownerPSK is NULL", CA_STATUS_INVALID_PARAM);
1460 VERIFY_NON_NULL_RET(deviceID, NET_TLS_TAG, "rsrcID is NULL", CA_STATUS_INVALID_PARAM);
1462 ca_mutex_lock(g_tlsContextMutex);
1463 if (NULL == g_caTlsContext)
1465 OIC_LOG(ERROR, NET_TLS_TAG, "Context is NULL");
1466 ca_mutex_unlock(g_tlsContextMutex);
1467 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1468 return CA_STATUS_FAILED;
1470 TlsEndPoint_t * tep = getTlsPeer(endpoint);
1473 OIC_LOG(ERROR, NET_TLS_TAG, "Session does not exist");
1474 ca_mutex_unlock(g_tlsContextMutex);
1475 return CA_STATUS_FAILED;
1478 if (0 != mbedtls_pkcs12_derivation(ownerPSK, ownerPSKSize,
1479 tep->master, sizeof(tep->master),
1480 deviceID, deviceIDLen,
1481 MBEDTLS_MD_SHA1, MBEDTLS_PKCS12_DERIVE_KEY, 1))
1483 OIC_LOG(ERROR, NET_TLS_TAG, "Failed to generate key");
1484 ca_mutex_unlock(g_tlsContextMutex);
1485 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1486 return CA_STATUS_FAILED;
1488 OIC_LOG_V(DEBUG, NET_TLS_TAG, "PSK: ");
1489 OIC_LOG_BUFFER(DEBUG, NET_TLS_TAG, tep->master, sizeof(tep->master));
1490 ca_mutex_unlock(g_tlsContextMutex);
1492 OIC_LOG_V(DEBUG, NET_TLS_TAG, "Out %s", __func__);
1493 return CA_STATUS_OK;