if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
{
- char uuid[UUID_LENGTH * 2 + 5] = {0};
- void * uuidPos = NULL;
- void * userIdPos = NULL;
const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl);
+ const mbedtls_x509_name * name = NULL;
ret = (NULL == peerCert ? -1 : 0);
- SSL_CHECK_FAIL(peer, ret, "Failed to retrieve cert", 1,
- CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_NO_CERT);
+ if (!checkSslOperation(peer,
+ ret,
+ "Failed to retrieve cert",
+ MBEDTLS_SSL_ALERT_MSG_NO_CERT))
+ {
+ oc_mutex_unlock(g_sslContextMutex);
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+ return CA_STATUS_FAILED;
+ }
- uuidPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
- UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
- if (NULL != uuidPos)
+ /* Find the CN component of the subject name. */
+ for (name = &peerCert->subject; NULL != name; name = name->next)
{
- memcpy(uuid, (char*) uuidPos + sizeof(UUID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
- OIC_LOG_V(DEBUG, NET_SSL_TAG, "certificate uuid string: %s" , uuid);
- ret = (OCConvertStringToUuid(uuid, peer->sep.identity.id)) ? 0 : -1;
- if (!checkSslOperation(peer,
- ret,
- "Failed to convert subject",
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
+ if (!name->oid.p)
{
- oc_mutex_unlock(g_sslContextMutex);
- OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
- return CA_STATUS_FAILED;
+ continue;
}
- }
- else
- {
- OIC_LOG(WARNING, NET_SSL_TAG, "uuid not found");
- }
- userIdPos = memmem(peerCert->subject_raw.p, peerCert->subject_raw.len,
- USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
- if (NULL != userIdPos)
- {
- memcpy(uuid, (char*) userIdPos + sizeof(USERID_PREFIX) - 1, UUID_LENGTH * 2 + 4);
- ret = (OCConvertStringToUuid(uuid, peer->sep.userId.id)) ? 0 : -1;
- if (!checkSslOperation(peer,
- ret,
- "Failed to convert subject alt name",
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
+ if ((name->oid.len < MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN) ||
+ (0 != memcmp(MBEDTLS_OID_AT_CN, name->oid.p, name->oid.len))))
{
- oc_mutex_unlock(g_sslContextMutex);
- OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
- return CA_STATUS_FAILED;
+ continue;
}
}
+
+ if (NULL == name)
+ {
+ OIC_LOG(WARNING, NET_SSL_TAG, "no CN RDN found in subject name");
+ }
else
{
- OIC_LOG(WARNING, NET_SSL_TAG, "Subject alternative name not found");
+ const size_t uuidBufLen = UUID_STRING_SIZE - 1;
+ char uuid[UUID_STRING_SIZE] = { 0 };
+ const unsigned char * uuidPos = NULL;
+ const unsigned char * userIdPos = NULL;
+
+ uuidPos = (const unsigned char*)memmem(name->val.p, name->val.len,
+ UUID_PREFIX, sizeof(UUID_PREFIX) - 1);
+
+ /* If UUID_PREFIX is present, ensure there's enough data for the prefix plus an entire
+ * UUID, to make sure we don't read past the end of the buffer.
+ */
+ if ((NULL != uuidPos) &&
+ (name->val.len >= ((uuidPos - name->val.p) + (sizeof(UUID_PREFIX) - 1) + uuidBufLen)))
+ {
+ memcpy(uuid, uuidPos + sizeof(UUID_PREFIX) - 1, uuidBufLen);
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "certificate uuid string: %s", uuid);
+ ret = (OCConvertStringToUuid(uuid, peer->sep.identity.id)) ? 0 : -1;
- SSL_CHECK_FAIL(peer, ret, "Failed to convert subject", 1,
- CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
++ if (!checkSslOperation(peer,
++ ret,
++ "Failed to convert subject",
++ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
++ {
++ oc_mutex_unlock(g_sslContextMutex);
++ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
++ return CA_STATUS_FAILED;
++ }
+ }
+ else
+ {
+ OIC_LOG(WARNING, NET_SSL_TAG, "uuid not found");
+ }
+
+ /* If USERID_PREFIX is present, ensure there's enough data for the prefix plus an entire
+ * UUID, to make sure we don't read past the end of the buffer.
+ */
+ userIdPos = (const unsigned char*)memmem(name->val.p, name->val.len,
+ USERID_PREFIX, sizeof(USERID_PREFIX) - 1);
+ if ((NULL != userIdPos) &&
+ (name->val.len >= ((userIdPos - name->val.p) + (sizeof(USERID_PREFIX) - 1) + uuidBufLen)))
+ {
+ memcpy(uuid, userIdPos + sizeof(USERID_PREFIX) - 1, uuidBufLen);
+ ret = (OCConvertStringToUuid(uuid, peer->sep.userId.id)) ? 0 : -1;
- SSL_CHECK_FAIL(peer, ret, "Failed to convert subject alt name", 1,
- CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
++ if (!checkSslOperation(peer,
++ ret,
++ "Failed to convert subject alt name",
++ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT))
++ {
++ oc_mutex_unlock(g_sslContextMutex);
++ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
++ return CA_STATUS_FAILED;
++ }
+ }
+ else
+ {
+ OIC_LOG(WARNING, NET_SSL_TAG, "Subject alternative name not found");
+ }
}
}
projects / contrib / iotivity.git / commitdiff