tinydtls: remove certificate_list length field for raw public keys

This fixes https://jira.iotivity.org/browse/IOT-715
This patch introduces an API incompatible change, old IoTivity clients
using Raw Public key will not be able to communicate with clients
with this change.

backport of tinydtls upstream commit:
From 71d5f5c9247bbdb5ae1f43533f94c13be1153160 Mon Sep 17 00:00:00 2001
From: Olaf Bergmann <bergmann@tzi.org>
Date: Wed, 26 Aug 2015 21:35:26 +0200
Subject: [PATCH] dtls.c: remove certificate_list length field for raw public
 keys

RFC 7250 has changed the format of the Certificate structure from
RFC 5246 to the following:

opaque ASN.1Cert<1..2^24-1>;

struct {
    select(certificate_type) {

        // certificate type defined in RFC 7250
        case RawPublicKey:
           opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;

        // X.509 certificate defined in RFC 5246
        case X.509:
           ASN.1Cert certificate_list<0..2^24-1>;
    };
} Certificate;

Thus, there must be no additional length field indicating a
certificate list in case the message contains a raw public key.

Change-Id: I3887fe962548e8e9d0c5bbb9f450073b9f95d1cb
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@lantiq.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/2569
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Sachin Agrawal <sachin.agrawal@intel.com>

diff --git a/extlibs/tinydtls/dtls.c b/extlibs/tinydtls/dtls.c
index 6104a08..42d6027 100644 (file)
--- a/extlibs/tinydtls/dtls.c
+++ b/extlibs/tinydtls/dtls.c
@@ -2065,6 +2065,8 @@ dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
 }
 
 #ifdef DTLS_ECC
+#define DTLS_EC_SUBJECTPUBLICKEY_SIZE (2 * DTLS_EC_KEY_SIZE + sizeof(cert_asn1_header))
+
 static int
 dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
                            const dtls_ecc_key_t *key)
@@ -2077,12 +2079,10 @@ dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
    * Start message construction at beginning of buffer. */
   p = buf;
 
-  dtls_int_to_uint24(p, 94);   /* certificates length */
+  /* length of this certificate */
+  dtls_int_to_uint24(p, DTLS_EC_SUBJECTPUBLICKEY_SIZE);
   p += sizeof(uint24);
 
-  dtls_int_to_uint24(p, 91);   /* length of this certificate */
-  p += sizeof(uint24);
-  
   memcpy(p, &cert_asn1_header, sizeof(cert_asn1_header));
   p += sizeof(cert_asn1_header);
 
@@ -2999,14 +2999,9 @@ check_server_certificate(dtls_context_t *ctx,
 
   data += DTLS_HS_LENGTH;
 
-  if (dtls_uint24_to_int(data) != 94) {
-    dtls_alert("expect length of 94 bytes for server certificate message\n");
-    return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
-  }
-  data += sizeof(uint24);
-
-  if (dtls_uint24_to_int(data) != 91) {
-    dtls_alert("expect length of 91 bytes for certificate\n");
+  if (dtls_uint24_to_int(data) != DTLS_EC_SUBJECTPUBLICKEY_SIZE) {
+    dtls_alert("expect length of %d bytes for certificate\n",
+              DTLS_EC_SUBJECTPUBLICKEY_SIZE);
     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
   }
   data += sizeof(uint24);