Modify the OxM callback implementation to select the appropriate cipher suite

for creating secure session

[NOTE] I will modify the tinyDTLS cipher suite selection and enable/disable mechanism
       according to comments of https://gerrit.iotivity.org/gerrit/#/c/2456/

[Patch #1] Intial upload
[Patch #2] Modify the comment according to doxygen format.
[Patch #3] Modify the oxmjustworks.c according to comment.

Change-Id: I6fb555d486f21f3851a7f2da9964381863128240
Signed-off-by: leechul <chuls.lee@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/3351
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Woochul Shim <woochul.shim@samsung.com>
Reviewed-by: Sachin Agrawal <sachin.agrawal@intel.com>

diff --git a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
index a34894d..d1150ae 100644 (file)
--- a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
+++ b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
@@ -43,6 +43,7 @@
 #include "cainterface.h"
 #include "base64.h"
 #include "cJSON.h"
+#include "global.h"
 
 #include "srmresourcestrings.h"
 #include "doxmresource.h"
@@ -513,11 +514,23 @@ static OCStackApplicationResult OwnershipInformationHandler(void *ctx, OCDoHandl
 
         CAEndpoint_t* endpoint = (CAEndpoint_t *)&otmCtx->selectedDeviceInfo->endpoint;
         endpoint->port = otmCtx->selectedDeviceInfo->securePort;
-        CAResult_t closeRes = CACloseDtlsSession(endpoint);
-        if(CA_STATUS_OK != closeRes)
+        CAResult_t caResult = CACloseDtlsSession(endpoint);
+        if(CA_STATUS_OK != caResult)
         {
             OC_LOG(ERROR, TAG, "Failed to close DTLS session");
-            SetResult(otmCtx, closeRes);
+            SetResult(otmCtx, caResult);
+            return OC_STACK_DELETE_TRANSACTION;
+        }
+
+        /**
+         * If we select NULL cipher,
+         * client will select appropriate cipher suite according to server's cipher-suite list.
+         */
+        caResult = CASelectCipherSuite(TLS_NULL_WITH_NULL_NULL);
+        if(CA_STATUS_OK != caResult)
+        {
+            OC_LOG(ERROR, TAG, "Failed to select TLS_NULL_WITH_NULL_NULL");
+            SetResult(otmCtx, caResult);
             return OC_STACK_DELETE_TRANSACTION;
         }
 

diff --git a/resource/csdk/security/provisioning/src/oxmjustworks.c b/resource/csdk/security/provisioning/src/oxmjustworks.c
index 2d1988c..7a0d561 100644 (file)
--- a/resource/csdk/security/provisioning/src/oxmjustworks.c
+++ b/resource/csdk/security/provisioning/src/oxmjustworks.c
@@ -86,6 +86,23 @@ OCStackResult CreateSecureSessionJustWorksCallback(OTMContext_t* otmCtx)
     }
     OC_LOG(INFO, TAG, "Anonymous cipher suite Enabled.");
 
+    caresult  = CASelectCipherSuite(TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256);
+    if (CA_STATUS_OK != caresult)
+    {
+        OC_LOG_V(ERROR, TAG, "Failed to select TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256");
+        caresult = CAEnableAnonECDHCipherSuite(false);
+        if (CA_STATUS_OK != caresult)
+        {
+            OC_LOG_V(ERROR, TAG, "Unable to enable anon cipher suite");
+        }
+        else
+        {
+            OC_LOG(INFO, TAG, "Anonymous cipher suite Disabled.");
+        }
+        return OC_STACK_ERROR;
+    }
+    OC_LOG(INFO, TAG, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256 cipher suite selected.");
+
     OCProvisionDev_t* selDevInfo = otmCtx->selectedDeviceInfo;
     CAEndpoint_t *endpoint = (CAEndpoint_t *)OICCalloc(1, sizeof (CAEndpoint_t));
     if(NULL == endpoint)

diff --git a/resource/csdk/security/provisioning/src/oxmrandompin.c b/resource/csdk/security/provisioning/src/oxmrandompin.c
index ec069a0..8e9ad1e 100644 (file)
--- a/resource/csdk/security/provisioning/src/oxmrandompin.c
+++ b/resource/csdk/security/provisioning/src/oxmrandompin.c
@@ -122,6 +122,23 @@ OCStackResult CreateSecureSessionRandomPinCallbak(OTMContext_t* otmCtx)
         return OC_STACK_INVALID_PARAM;
     }
 
+    CAResult_t caresult = CAEnableAnonECDHCipherSuite(false);
+    if (CA_STATUS_OK != caresult)
+    {
+        OC_LOG_V(ERROR, TAG, "Unable to disable anon cipher suite");
+        return OC_STACK_ERROR;
+    }
+    OC_LOG(INFO, TAG, "Anonymous cipher suite disabled.");
+
+    caresult  = CASelectCipherSuite(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256);
+    if (CA_STATUS_OK != caresult)
+    {
+        OC_LOG_V(ERROR, TAG, "Failed to select TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256");
+        return OC_STACK_ERROR;
+    }
+    OC_LOG(INFO, TAG, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256 cipher suite selected.");
+
+
     OCProvisionDev_t* selDevInfo = otmCtx->selectedDeviceInfo;
     CAEndpoint_t *endpoint = (CAEndpoint_t *)OICCalloc(1, sizeof (CAEndpoint_t));
     if(NULL == endpoint)
@@ -130,7 +147,7 @@ OCStackResult CreateSecureSessionRandomPinCallbak(OTMContext_t* otmCtx)
     }
     memcpy(endpoint,&selDevInfo->endpoint,sizeof(CAEndpoint_t));
     endpoint->port = selDevInfo->securePort;
-    CAResult_t caresult = CAInitiateHandshake(endpoint);
+    caresult = CAInitiateHandshake(endpoint);
     OICFree(endpoint);
     if (CA_STATUS_OK != caresult)
     {