{
int index = 0;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+
VERIFY_NON_NULL_VOID(config, NET_SSL_TAG, "Invaild param");
VERIFY_NON_NULL_VOID(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL");
VERIFY_NON_NULL_VOID(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null");
+ //Resetting cipherFlag
+ g_caSslContext->cipherFlag[0] = false;
+ g_caSslContext->cipherFlag[1] = false;
+
+ if (NULL == g_getCredentialTypesCallback)
+ {
+ OIC_LOG(ERROR, NET_SSL_TAG, "Param callback is null");
+ return;
+ }
+
g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
// Retrieve the PSK credential from SRM
if (0 != InitPskIdentity(config))
}
memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
+
+ // Add the preferred ciphersuite first
if (SSL_CIPHER_MAX != g_caSslContext->cipher)
{
g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0];
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Preferred ciphersuite added");
+ index++;
}
- else
+
+ // Add PSK ciphersuite
+ if (true == g_caSslContext->cipherFlag[0] &&
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[g_caSslContext->cipher][0])
{
+ g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
+ OIC_LOG(DEBUG, NET_SSL_TAG, "PSK ciphersuite added");
+ index++;
+ }
+
+ // Add all certificate ciphersuites
if (true == g_caSslContext->cipherFlag[1])
{
- for (int i = 2; i < SSL_CIPHER_MAX - 2; i++)
+ for (int i = 0; i < SSL_CIPHER_MAX - 1; i++)
+ {
+ if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != tlsCipher[i][0] &&
+ i != g_caSslContext->cipher)
{
g_cipherSuitesList[index] = tlsCipher[i][0];
index ++;
}
}
- if (true == g_caSslContext->cipherFlag[0])
- {
- g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
- }
+ }
+
+ OIC_LOG(DEBUG, NET_SSL_TAG, "Supported ciphersuites:");
+ for (int i = 0; i < index; i++)
+ {
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Ciphersuite %04x", g_cipherSuitesList[i]);
}
mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);
#include <unistd.h>
#endif
+#if defined(__WITH_DTLS__) || defined (__WITH_TLS__)
+#include <mbedtls/ssl_ciphersuites.h>
+#endif
+
#define TAG "OIC_SRM_CREDL"
#ifdef HAVE_WINDOWS_H
{
OIC_LOG(INFO, TAG, "Anonymous cipher suite is DISABLED");
}
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+ if(CA_STATUS_OK != CASelectCipherSuite(
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, CA_ADAPTER_IP))
+ {
+ OIC_LOG(ERROR, TAG, "Failed to enable PSK cipher suite");
+ ret = OC_EH_ERROR;
+ }
+ else
+ {
+ OIC_LOG(INFO, TAG, "PSK cipher suite is ENABLED");
+ }
+#endif // __WITH_DTLS__ or __WITH_TLS__
}
break;
VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+ //Unset pre-selected ciphersuite, if any
+ caRes = CASelectCipherSuite(0, ehRequest->devAddr.adapter);
+ VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
+ OIC_LOG(DEBUG, TAG, "No ciphersuite preferred");
+
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterPkixInfoHandler(GetManufacturerPkixInfo), ERROR);
VERIFY_SUCCESS(TAG, CA_STATUS_OK == CAregisterGetCredentialTypesHandler(InitManufacturerCipherSuiteList), ERROR);
}