#include "ocrandom.h"
#include "byte_array.h"
#include "octhread.h"
+#include "octypes.h"
#include "timer.h"
static CAgetPkixInfoHandler g_getPkixInfoCallback = NULL;
/**
+ * Callback to inform in case of client's certificate absence
+ */
+static CertificateVerificationCallback_t g_CertificateVerificationCallback = NULL;
+
+/**
* @var g_setupPkContextCallback
*
* @brief callback to setup PK context handler for H/W based Public Key Infrastructure
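Review bot: The comment on the new g_CertificateVerificationCallback says it informs of a client certificate's absence, but the handshake path added later in this commit also invokes it with CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL and CA_CERTIFICATE_VERIFY_FAILED, so the comment understates the contract. It also drops the Doxygen `@var`/`@brief` layout used on the neighbouring g_setupPkContextCallback. Suggest replacing it with `/** @var g_CertificateVerificationCallback` / ` * @brief Callback notified with the peer certificate verification outcome (mutual success, missing certificate, or failure) once the handshake completes; NULL when not registered. */` in the same layout as the existing entries.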
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
}
+void CAsetCertificateVerificationCallback(CertificateVerificationCallback_t certVerifyStatusCallback)
+{
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+ g_CertificateVerificationCallback = certVerifyStatusCallback;
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+}
+
+void CAunsetCertificateVerificationCallback()
+{
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+ g_CertificateVerificationCallback = NULL;
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+}
+
static int GetAdapterIndex(CATransportAdapter_t adapter)
{
switch (adapter)
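Review bot: CAunsetCertificateVerificationCallback is declared with empty parentheses, which in C is an unprototyped declaration rather than "takes no arguments"; the rest of the file spells parameters out (`GetAdapterIndex(CATransportAdapter_t adapter)`), so it should be `void CAunsetCertificateVerificationCallback(void)`, and the matching header declaration (not in this diff) needs the same change. Both functions store to a file-scope pointer that the handshake path reads, presumably from a different thread, with no lock or atomic on either side; if the handshake path is serialized by a mutex elsewhere in this file, the assignment should take the same one, otherwise an `_Atomic` store/load pair is the minimal fix. The In/Out trace logging matches the surrounding functions, so no issue there.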
else if ((size_t)sentLen != dataLen)
{
OIC_LOG_V(DEBUG, NET_SSL_TAG,
- "Packet was partially sent - total/sent/remained bytes : %zd/%zu/%lu",
+ "Packet was partially sent - total/sent/remained bytes : %zd/%zu/%zu",
sentLen, dataLen, (dataLen - sentLen));
}
}
&& (endpoint->port == tep->sep.endpoint.port || CA_ADAPTER_GATT_BTLE == endpoint->adapter))
{
u_arraylist_remove(g_caSslContext->peerList, listIndex);
- DeleteSslEndPoint(tep);
OIC_LOG_V(INFO, NET_SSL_TAG, "Remove Peer:[%s:%d] for %d adapter",
endpoint->addr, endpoint->port, endpoint->adapter);
+ DeleteSslEndPoint(tep);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return;
}
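Review bot: Nothing in the hunk records why DeleteSslEndPoint(tep) now runs after the "Remove Peer" log; the only reason the order matters is if `endpoint` can point into the object being freed (for instance when a caller passes `&tep->sep.endpoint`), in which case the old order read freed memory in the log and a future cleanup could reintroduce it. A one-line comment would pin the intent, e.g. `// free only after logging: endpoint may alias tep->sep.endpoint` (adjust if that is not the actual reason). The enclosing function begins and ends outside the hunk.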
memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
+ if (SSL_CIPHER_MAX < g_caSslContext->cipher)
+ {
+ OIC_LOG(ERROR, NET_SSL_TAG, "Maximum ciphersuite index exceeded");
+ }
+
// Add the preferred ciphersuite first
if (SSL_CIPHER_MAX != g_caSslContext->cipher)
{
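Review bot: The new range check on g_caSslContext->cipher only logs; control falls straight through to `if (SSL_CIPHER_MAX != g_caSslContext->cipher)`, which is still true for an out-of-range value, so whatever that branch indexes with cipher is reached with the bad index anyway and the guard does not prevent the out-of-bounds access it is meant to. The cheapest effective fix is to make the second test exclusive instead of an inequality: `if (SSL_CIPHER_MAX > g_caSslContext->cipher)` (assuming cipher is an enum or unsigned index with SSL_CIPHER_MAX as the sentinel; if it can be negative a lower bound is needed as well). Alternatively return an error from the logging branch, if the enclosing function, whose start and end are outside the hunk, has a status return.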
return CA_STATUS_FAILED;
}
-
SslEndPoint_t * peer = GetSslPeer(&sep->endpoint);
if (NULL == peer)
{
sizeof(sep->endpoint.addr));
ret = mbedtls_ssl_handshake_step(&peer->ssl);
}
- if (MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint)
+ uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
+ if (0 != flags &&
+ ((MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint) ||
+ (MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint && MBEDTLS_X509_BADCERT_MISSING != flags)))
{
- uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
- if (0 != flags)
- {
- OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
- SSL_CHECK_FAIL(peer, flags, "Cert verification failed", 1,
- CA_STATUS_FAILED, GetAlertCode(flags));
- }
+ OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
+ SSL_CHECK_FAIL(peer, flags, "Cert verification failed", 1,
+ CA_STATUS_FAILED, GetAlertCode(flags));
}
SSL_CHECK_FAIL(peer, ret, "Handshake error", 1, CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
if (MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC == peer->ssl.state)
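Review bot: The new condition encodes a policy without saying so: a server now tolerates exactly MBEDTLS_X509_BADCERT_MISSING (client sent no certificate) but fails on any other verification flag, and because the comparison is `!=` rather than a bit test, MISSING combined with another flag still fails the handshake. Server handshakes previously skipped this check entirely, so this is a behaviour change for servers that the commit message should mention. Suggest a comment above the `if`: `/* Fail the handshake on any verification error; on the server side a missing client certificate alone is tolerated (optional mutual auth) and left for the verification callback to report. */`. The verify result presumably only becomes meaningful once the certificate step has run; the enclosing loop and function begin and end outside the hunk.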
void * userIdPos = NULL;
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
ret = (NULL == peerCert ? -1 : 0);
+ if (g_CertificateVerificationCallback)
+ {
+ uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
+ if (!flags)
+ {
+ g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL);
+ }
+ else if (MBEDTLS_X509_BADCERT_MISSING == flags)
+ {
+ g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_NO_CERT);
+ }
+ else
+ {
+ g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_FAILED);
+ }
+ }
//SSL_CHECK_FAIL(peer, ret, "Failed to retrieve cert", 1,
// CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_NO_CERT);
if (0 == ret)
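Review bot: The first branch reports CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL whenever the verify flags are zero, but `peerCert`, computed two lines earlier, can be NULL with zero flags (whether mbedtls leaves the verify result clear when no certificate was requested depends on the configured authmode, which is not visible here); in that case the callback claims mutual authentication that did not happen. Folding the `NULL == peerCert` test that the function already makes into the classification keeps the report honest. The global is also tested and then dereferenced as two separate reads, so CAunsetCertificateVerificationCallback running in between (if another thread can call it) would invoke a NULL pointer; snapshot it into a local first. The enclosing function starts and ends outside the hunk.
```c
    const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
    ret = (NULL == peerCert ? -1 : 0);
    CertificateVerificationCallback_t verifyCb = g_CertificateVerificationCallback;
    if (verifyCb)
    {
        uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
        if (0 == flags && NULL != peerCert)
        {
            verifyCb(CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL);
        }
        else if (NULL == peerCert || MBEDTLS_X509_BADCERT_MISSING == flags)
        {
            verifyCb(CA_CERTIFICATE_VERIFY_NO_CERT);
        }
        else
        {
            verifyCb(CA_CERTIFICATE_VERIFY_FAILED);
        }
    }
    // … unchanged: commented-out SSL_CHECK_FAIL and the ret check that follow …
```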