[IOT-2016][IOT-1623] UUID check and use MBEDTLS_MD_MAX_SIZE

Use MBEDTLS_MD_MAX_SIZE for buffer lengths in pHash.
Don't allow wildcard UUID in CSRs

Change-Id: Ifad48945250087d8dc92fb346cfc986f68888352
Signed-off-by: Greg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/18829
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>

diff --git a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
index 11089d1..040bb37 100644 (file)
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
@@ -2359,10 +2359,11 @@ static int pHash (const unsigned char *key, size_t keyLen,
      const unsigned char *random2, size_t random2Len,
      unsigned char *buf, size_t bufLen)
 {
-    unsigned char A[RANDOM_LEN] = {0};
-    unsigned char tmp[RANDOM_LEN] = {0};
+    unsigned char A[MBEDTLS_MD_MAX_SIZE] = {0};
+    unsigned char tmp[MBEDTLS_MD_MAX_SIZE] = {0};
     size_t dLen;   /* digest length */
     size_t len = 0;   /* result length */
+    const mbedtls_md_type_t hashAlg = MBEDTLS_MD_SHA256;
 
     VERIFY_TRUE_RET(bufLen <= INT_MAX, NET_SSL_TAG, "buffer too large", -1);
     VERIFY_NON_NULL_RET(key, NET_SSL_TAG, "key is NULL", -1);
@@ -2377,8 +2378,8 @@ static int pHash (const unsigned char *key, size_t keyLen,
     mbedtls_md_init(&hmacA);
     mbedtls_md_init(&hmacP);
 
-    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
-    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1);
+    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacA, mbedtls_md_info_from_type(hashAlg), 1);
+    CHECK_MBEDTLS_RET(mbedtls_md_setup, &hmacP, mbedtls_md_info_from_type(hashAlg), 1);
 
     CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacA, key, keyLen );
     CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, label, labelLen);
@@ -2386,7 +2387,7 @@ static int pHash (const unsigned char *key, size_t keyLen,
     CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacA, random2, random2Len);
     CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
 
-    dLen = RANDOM_LEN;
+    dLen = mbedtls_md_get_size(mbedtls_md_info_from_type(hashAlg));
 
     CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
 
@@ -2398,10 +2399,9 @@ static int pHash (const unsigned char *key, size_t keyLen,
         CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
         CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
         CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
-
         CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
 
-        len += RANDOM_LEN;
+        len += dLen;
 
         memcpy(buf, tmp, dLen);
         buf += dLen;
@@ -2412,16 +2412,18 @@ static int pHash (const unsigned char *key, size_t keyLen,
         CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacA, A);
     }
 
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
-
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
-    CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
+    if ((bufLen % dLen) != 0)
+    {
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_reset, &hmacP);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_starts, &hmacP, key, keyLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, A, dLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, label, labelLen);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random1, random1Len);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_update, &hmacP, random2, random2Len);
+        CHECK_MBEDTLS_RET(mbedtls_md_hmac_finish, &hmacP, tmp);
 
-    memcpy(buf, tmp, bufLen - len);
+        memcpy(buf, tmp, bufLen - len);
+    }
 
     mbedtls_md_free(&hmacA);
     mbedtls_md_free(&hmacP);

diff --git a/resource/csdk/security/src/occertutility.c b/resource/csdk/security/src/occertutility.c
index 2f8665a..f296404 100644 (file)
--- a/resource/csdk/security/src/occertutility.c
+++ b/resource/csdk/security/src/occertutility.c
@@ -36,6 +36,7 @@
 #include "payload_logging.h"
 #include "pmutility.h"
 #include "srmutility.h"
+#include "srmresourcestrings.h"
 
 // headers required for mbed TLS
 #include "mbedtls/config.h"
@@ -739,6 +740,13 @@ OCStackResult OCGetUuidFromCSR(const char* csr, OicUuid_t* uuid)
         return OC_STACK_ERROR;
     }
 
+    if (memcmp(uuid->id, &WILDCARD_SUBJECT_ID, sizeof(uuid->id)) == 0)
+    {
+        OIC_LOG(ERROR, TAG, "Invalid UUID in CSR: '*'");
+        mbedtls_x509_csr_free(&csrObj);
+        return OC_STACK_ERROR;
+    }
+
     mbedtls_x509_csr_free(&csrObj);
     return OC_STACK_OK;
 }