TLS suites

1. Suites added:
   TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D
   TLS_RSA_WITH_AES_128_GCM_SHA256          0x009C
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_256   0xC027
2. Removed:
   TLS_RSA_WITH_AES_256_CBC_SHA             0x35
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009
3. SSL code refactored
4. Added unit tests for new cipher suites
5. CAsslGenerateOwnerPsk modified to support all suites

Change-Id: If22925d175751a08121c66b90cc2907dd27ebee5
Signed-off-by: Oleksii Beketov <ol.beketov@samsung.com>
Signed-off-by: Dmitriy Zhuravlev <d.zhuravlev@samsung.com>
Signed-off-by: Oleksii Beketov <ol.beketov@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/15443
Reviewed-by: Jongsung Lee <js126.lee@samsung.com>
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Greg Zaverucha <gregz@microsoft.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/16523
Tested-by: jenkins-iotivity <jenkins@iotivity.org>

diff --git a/java/common/src/main/java/org/iotivity/ca/OicCipher.java b/java/common/src/main/java/org/iotivity/ca/OicCipher.java
index 60f9f16..030217f 100644 (file)
--- a/java/common/src/main/java/org/iotivity/ca/OicCipher.java
+++ b/java/common/src/main/java/org/iotivity/ca/OicCipher.java
@@ -1,38 +1,45 @@
-/* ****************************************************************\r
- *\r
- * Copyright 2016 Samsung Electronics All Rights Reserved.\r
- *\r
- *\r
- *\r
- * Licensed under the Apache License, Version 2.0 (the "License");\r
- * you may not use this file except in compliance with the License.\r
- * You may obtain a copy of the License at\r
- *\r
- *      http://www.apache.org/licenses/LICENSE-2.0\r
- *\r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- *\r
- ******************************************************************/\r
-\r
-package org.iotivity.ca;\r
-\r
-public enum OicCipher {\r
-    TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xC018),\r
-    TLS_PSK_WITH_AES_128_CCM_8(0xC0A8),\r
-    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE),\r
-    TLS_RSA_WITH_AES_256_CBC_SHA(0x35);\r
-\r
-    private int cipher;\r
-\r
-    private OicCipher(int cipher) {\r
-        this.cipher = cipher;\r
-    }\r
-\r
-    public int getValue(){\r
-        return cipher;\r
-    }\r
-}\r
+/* ****************************************************************
+ *
+ * Copyright 2016 Samsung Electronics All Rights Reserved.
+ *
+ *
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ******************************************************************/
+
+package org.iotivity.ca;
+
+public enum OicCipher {
+    TLS_RSA_WITH_AES_256_CBC_SHA256(0x3D),
+    TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
+    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE),
+    TLS_ECDHE_ECDSA_WITH_AES_128_CCM(0xC0AC),
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
+    TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256(0xC037),
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xC018);
+
+    private int cipher;
+
+    private OicCipher(int cipher) {
+        this.cipher = cipher;
+    }
+
+    public int getValue(){
+        return cipher;
+    }
+}

diff --git a/resource/csdk/connectivity/api/casecurityinterface.h b/resource/csdk/connectivity/api/casecurityinterface.h
index 1b62dba..3aa7685 100644 (file)
--- a/resource/csdk/connectivity/api/casecurityinterface.h
+++ b/resource/csdk/connectivity/api/casecurityinterface.h
@@ -144,9 +144,17 @@ CAResult_t CAregisterPkixInfoHandler(CAgetPkixInfoHandler getPkixInfoHandler);
  * Select the cipher suite for dtls handshake.
  *
  * @param[in] cipher  cipher suite (Note : Make sure endianness).
- *                    0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA
- *                    0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8
- *                    0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+ *                        TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D
+ *                        TLS_RSA_WITH_AES_128_GCM_SHA256          0x009C
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8       0xC0AE
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM         0xC0AC
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023
+ *                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024
+ *                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C
+ *                        TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
+ *                        TLS_ECDH_anon_WITH_AES_128_CBC_SHA       0xC018
+ * @param[in] adapter  transport adapter (TCP/IP/BLE)
  *
  * @retval  ::CA_STATUS_OK    Successful.
  * @retval  ::CA_STATUS_INVALID_PARAM  Invalid input arguments.

diff --git a/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h b/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h
index 050c74e..cad229d 100644 (file)
--- a/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h
+++ b/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h
@@ -42,9 +42,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint,
  * Select the cipher suite for dtls handshake
  *
  * @param[in] cipher    cipher suite
- *                             0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256
- *                             0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8
- *                             0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+ *                        TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D
+ *                        TLS_RSA_WITH_AES_128_GCM_SHA256          0x009C
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8       0xC0AE
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM         0xC0AC
+ *                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023
+ *                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024
+ *                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C
+ *                        TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
+ *                        TLS_ECDH_anon_WITH_AES_128_CBC_SHA       0xC018
  *
  * @retval  ::CA_STATUS_OK for success, otherwise some error value
  */

diff --git a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
index d829bba..01f9a9d 100644 (file)
--- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
+++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c
@@ -18,7 +18,9 @@
  *
  ******************************************************************/
 
+
 #include "iotivity_config.h"
+
 #define _GNU_SOURCE
 
 #include <stddef.h>
@@ -128,18 +130,45 @@
  */
 #define RANDOM_LEN (32)
 /**
- * @def RANDOM_LEN
- * @brief PSK generated keyblock length
+ * @def SHA384_MAC_KEY_LENGTH
+ * @brief MAC key length for SHA384 cipher suites
  */
-#define KEY_BLOCK_LEN (96)
-
-/**@def SSL_CLOSE_NOTIFY(peer, ret)
- *
- * Notifies of existing \a peer about closing TLS connection.
- *
- * @param[in] peer remote peer
- * @param[in] ret used internaly
+#define SHA384_MAC_KEY_LENGTH (48)
+/**
+ * @def SHA256_MAC_KEY_LENGTH
+ * @brief MAC key length for SHA256 cipher suites
+ */
+#define SHA256_MAC_KEY_LENGTH (32)
+/**
+ * @def CCM_MAC_KEY_LENGTH
+ * @brief MAC key length for CCM cipher suites
+ */
+#define CCM_MAC_KEY_LENGTH (0)
+/**
+ * @def AES256_KEY_LENGTH
+ * @brief key material length for AES256 cipher suites
+ */
+#define AES256_KEY_LENGTH (32)
+/**
+ * @def AES128_KEY_LENGTH
+ * @brief key material length for AES128 cipher suites
+ */
+#define AES128_KEY_LENGTH (16)
+/**
+ * @def GCM_IV_LENGTH
+ * @brief length of nonce for GCM cipher suites
  */
+#define GCM_IV_LENGTH (12)
+/**
+ * @def CCM_IV_LENGTH
+ * @brief length of nonce for CCM cipher suites
+ */
+#define CCM_IV_LENGTH (4)
+/**
+ * @def CBC_IV_LENGTH
+ * @brief length of nonce for CBC cipher suites
+ */
+#define CBC_IV_LENGTH (0)
 
 /**
  * @var RETRANSMISSION_TIME
@@ -147,6 +176,13 @@
  */
 #define RETRANSMISSION_TIME 1
 
+/**@def SSL_CLOSE_NOTIFY(peer, ret)
+ *
+ * Notifies of existing \a peer about closing TLS connection.
+ *
+ * @param[in] peer remote peer
+ * @param[in] ret used internaly
+ */
 #define SSL_CLOSE_NOTIFY(peer, ret)                                                                \
 do                                                                                                 \
 {                                                                                                  \
@@ -208,6 +244,16 @@ if (0 != (ret) && MBEDTLS_ERR_SSL_WANT_READ != (int) (ret) &&
         return (error);                                                                            \
     }                                                                                              \
 }
+/**@def CONF_SSL(clientConf, serverConf, fn, ...)
+ *
+ * Calls \a fn for \a clientConf and \a serverConf.
+ *
+ */
+#define CONF_SSL(clientConf, serverConf, fn, ...) do {                                             \
+fn((clientConf), __VA_ARGS__);                                                                     \
+fn((serverConf), __VA_ARGS__);                                                                     \
+} while (0)
+
 /** @def CHECK_MBEDTLS_RET(f, ...)
  * A macro that checks \a f function return code
  *
@@ -223,18 +269,23 @@ int ret = (f)(__VA_ARGS__);
 if (0 != ret) {                                                                                    \
     OIC_LOG_V(ERROR, NET_SSL_TAG, "%s returned -0x%04x\n", __func__, -(ret));                      \
     goto exit;                                                                                     \
-} } while(0)
+} } while (0)
 
 typedef enum
 {
-    ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA,
-    ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
-    ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256,
-    ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
-    ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
-    ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-    ADAPTER_CIPHER_MAX
-} AdapterCipher_t;
+    SSL_RSA_WITH_AES_256_CBC_SHA256,
+    SSL_RSA_WITH_AES_128_GCM_SHA256,
+    SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    SSL_ECDHE_ECDSA_WITH_AES_128_CCM,
+    SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256,
+    SSL_CIPHER_MAX
+} SslCipher_t;
 
 typedef enum
 {
@@ -242,19 +293,22 @@ typedef enum
     ADAPTER_CURVE_MAX
 } AdapterCurve_t;
 
-int tlsCipher[ADAPTER_CIPHER_MAX][2] =
+static const int tlsCipher[SSL_CIPHER_MAX][2] =
 {
-    {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, 0},
+    {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, 0},
+    {MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, 0},
+    {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
     {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 0},
-#ifdef MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
-    {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0},
-#endif
-    {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0},
     {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0},
-    {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0}
+    {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0},
+    {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0},
+    {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0},
+    {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0},
+    {MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0},
+    {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0}
 };
 
-static int g_cipherSuitesList[ADAPTER_CIPHER_MAX];
+static int g_cipherSuitesList[SSL_CIPHER_MAX];
 
 mbedtls_ecp_group_id curve[ADAPTER_CURVE_MAX][2] =
 {
@@ -360,7 +414,7 @@ typedef struct SslContext
     mbedtls_ssl_config clientDtlsConf;
     mbedtls_ssl_config serverDtlsConf;
 
-    AdapterCipher_t cipher;
+    SslCipher_t cipher;
     SslCallbacks_t adapterCallbacks[MAX_SUPPORTED_ADAPTERS];
     mbedtls_x509_crl crl;
     bool cipherFlag[2];
@@ -686,13 +740,12 @@ static int InitPKIX(CATransportAdapter_t adapter)
     if(0 != ret)
     {
         OIC_LOG(WARNING, NET_SSL_TAG, "CRL parsing error");
-        mbedtls_ssl_conf_ca_chain(clientConf, &g_caSslContext->ca, NULL);
-        mbedtls_ssl_conf_ca_chain(serverConf, &g_caSslContext->ca, NULL);
+        CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain, &g_caSslContext->ca, NULL);
     }
     else
     {
-        mbedtls_ssl_conf_ca_chain(clientConf, &g_caSslContext->ca, &g_caSslContext->crl);
-        mbedtls_ssl_conf_ca_chain(serverConf, &g_caSslContext->ca, &g_caSslContext->crl);
+        CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain,
+                 &g_caSslContext->ca, &g_caSslContext->crl);
     }
 
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
@@ -1102,14 +1155,13 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
 
     g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
     // Retrieve the PSK credential from SRM
-    // PIN OTM if (true == g_caSslContext->cipherFlag[0] && 0 != InitPskIdentity(config))
     if (0 != InitPskIdentity(config))
     {
         OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!");
     }
 
-    // Retrieve the ECC credential from SRM
-    if (true == g_caSslContext->cipherFlag[1] || ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA == g_caSslContext->cipher)
+    // Retrieve the Cert credential from SRM
+    if (true == g_caSslContext->cipherFlag[1])
     {
         int ret = InitPKIX(adapter);
         if (0 != ret)
@@ -1119,19 +1171,24 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte
     }
 
     memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList));
-    if (ADAPTER_CIPHER_MAX != g_caSslContext->cipher)
+    if (SSL_CIPHER_MAX != g_caSslContext->cipher)
     {
         g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0];
-        index ++;
     }
-    if (true == g_caSslContext->cipherFlag[1])
+    else
     {
-        g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
-        index ++;
-    }
-    if (true == g_caSslContext->cipherFlag[0])
+    if (true == g_caSslContext->cipherFlag[1])
     {
-       g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
+        for (int i = 2; i < SSL_CIPHER_MAX - 2; i++)
+            {
+                g_cipherSuitesList[index] = tlsCipher[i][0];
+                index ++;
+            }
+        }
+        if (true == g_caSslContext->cipherFlag[0])
+        {
+           g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
+        }
     }
 
     mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList);
@@ -1437,7 +1494,7 @@ CAResult_t CAinitSslAdapter()
 #endif // __WITH_DTLS__
 
     // set default cipher
-    g_caSslContext->cipher = ADAPTER_CIPHER_MAX;
+    g_caSslContext->cipher = SSL_CIPHER_MAX;
 
     // init X.509
     mbedtls_x509_crt_init(&g_caSslContext->ca);
@@ -1732,8 +1789,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d
                 SendCacheMessages(peer);
             }
 
-            if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caSslContext->selectedCipher ||
-                MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA == g_caSslContext->selectedCipher)
+            if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->selectedCipher &&
+                MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != g_caSslContext->selectedCipher)
             {
                 char uuid[UUID_LENGTH * 2 + 5] = {0};
                 void * uuidPos = NULL;
@@ -1845,7 +1902,7 @@ void CAsetSslAdapterCallbacks(CAPacketReceivedCallback recvCallback,
         return;
     }
 
-//    if (MAX_SUPPORTED_ADAPTERS > type)
+    switch (type)
     {
         switch (type)
         {
@@ -1869,149 +1926,92 @@ void CAsetSslAdapterCallbacks(CAPacketReceivedCallback recvCallback,
     oc_mutex_unlock(g_sslContextMutex);
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
 }
+/**
+ * Gets index of the TLS ciphersuite in the SslCipher_t enum.
+ *
+ * @param[in]  cipher    TLS chiphersuite code
+ *
+ * @return   corresponding enum
+ */
 
-CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
+static SslCipher_t GetCipherIndex(const uint32_t cipher)
 {
-    OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
-    VERIFY_NON_NULL_RET(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null", CA_STATUS_FAILED);
-    g_getCredentialTypesCallback(g_caSslContext->cipherFlag);
     switch(cipher)
     {
-        case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA:
+        case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256:
         {
-#ifdef __WITH_TLS__
-            //todo check that Cred with RSA cert exists
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
-#endif
-#ifdef __WITH_DTLS__
-            //todo check that Cred with RSA cert exists
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA;
-            break;
+            return SSL_RSA_WITH_AES_256_CBC_SHA256;
         }
-        case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
+        case MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256:
         {
-            if (false == g_caSslContext->cipherFlag[1])
-            {
-                OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC");
-                return CA_STATUS_FAILED;
-            }
-#ifdef __WITH_TLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
-#endif
-#ifdef __WITH_DTLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
-            break;
+            return SSL_RSA_WITH_AES_128_GCM_SHA256;
         }
-#ifdef MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
-        case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256:
+        case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
         {
-#ifdef __WITH_TLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
-#endif
-#ifdef __WITH_DTLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256;
-            break;
+            return SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
         }
-#endif
-        case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:
+        case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
         {
-#if 0 // PIN OTM
-            if (false == g_caSslContext->cipherFlag[0])
-            {
-                OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for PSK");
-                return CA_STATUS_FAILED;
-            }
-#endif
-#ifdef __WITH_TLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                          tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                          tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
-#endif
-#ifdef __WITH_DTLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                          tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                          tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
-            break;
+            return SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8;
         }
         case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM:
         {
-            if (false == g_caSslContext->cipherFlag[1])
-            {
-                OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC");
-                return CA_STATUS_FAILED;
-            }
-#ifdef __WITH_TLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-#endif
-#ifdef __WITH_DTLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
-            break;
+            return SSL_ECDHE_ECDSA_WITH_AES_128_CCM;
         }
         case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
         {
-            if (false == g_caSslContext->cipherFlag[1])
-            {
-                OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC");
-                return CA_STATUS_FAILED;
-            }
-#ifdef __WITH_TLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]);
-#endif
-#ifdef __WITH_DTLS__
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]);
-            mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]);
-#endif
-            g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
-            break;
+            return SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
+        }
+        case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
+        {
+            return SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
+        }
+        case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+        {
+            return SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
+        }
+        case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:
+        {
+            return SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
+        }
+        case MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+        {
+            return SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
+        }
+        case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256:
+        {
+            return SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256;
         }
         default:
         {
-            OIC_LOG(ERROR, NET_SSL_TAG, "Unknown cipher");
-            return CA_STATUS_FAILED;
+            return SSL_CIPHER_MAX;
         }
     }
-    OIC_LOG_V(DEBUG, NET_SSL_TAG, "Selected cipher: 0x%x", cipher);
+}
+
+CAResult_t CAsetTlsCipherSuite(const uint32_t cipher)
+{
+    OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+    CAResult_t res = CA_STATUS_FAILED;
+    SslCipher_t index = GetCipherIndex(cipher);
+    if (SSL_CIPHER_MAX == index)
+    {
+        OIC_LOG(WARNING, NET_SSL_TAG, "Unknown cipher");
+    }
+    else
+    {
+#ifdef __WITH_TLS__
+        CONF_SSL(&g_caSslContext->clientTlsConf, &g_caSslContext->serverTlsConf,
+        mbedtls_ssl_conf_ciphersuites, tlsCipher[index]);
+#endif
+#ifdef __WITH_DTLS__
+        CONF_SSL(&g_caSslContext->clientDtlsConf, &g_caSslContext->serverDtlsConf,
+        mbedtls_ssl_conf_ciphersuites, tlsCipher[index]);
+#endif
+        OIC_LOG_V(DEBUG, NET_SSL_TAG, "Selected cipher: 0x%x", cipher);
+    }
+    g_caSslContext->cipher = index;
+
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
     return CA_STATUS_OK;
 }
@@ -2162,29 +2162,100 @@ CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint,
         return CA_STATUS_FAILED;
     }
 
-    uint8_t keyblock[KEY_BLOCK_LEN] = {0};
+    // keyBlockLen set up according to OIC 1.1 Security Specification Section 7.3.2
+    int macKeyLen;
+    int ivSize;
+    int keySize;
+    int keyBlockLen = 0;
+    if (MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
+        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
+        MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
+        MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 32 + 0 + 16 ) = 96
+        macKeyLen = SHA256_MAC_KEY_LENGTH;
+        ivSize = CBC_IV_LENGTH;
+        keySize = AES128_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM == g_caSslContext->selectedCipher ||
+             MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 0 + 4 + 16 ) = 40
+        macKeyLen = CCM_MAC_KEY_LENGTH;
+        ivSize = CCM_IV_LENGTH;
+        keySize = AES128_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 32 + 12 + 16 ) = 120
+        macKeyLen = SHA256_MAC_KEY_LENGTH;
+        ivSize = GCM_IV_LENGTH;
+        keySize = AES128_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 32 + 0 + 32 ) = 128
+        macKeyLen = SHA256_MAC_KEY_LENGTH;
+        ivSize = CBC_IV_LENGTH;
+        keySize = AES256_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 48 + 0 + 32 ) = 160
+        macKeyLen = SHA384_MAC_KEY_LENGTH;
+        ivSize = CBC_IV_LENGTH;
+        keySize = AES256_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 48 + 12 + 32 ) = 184
+        macKeyLen = SHA384_MAC_KEY_LENGTH;
+        ivSize = GCM_IV_LENGTH;
+        keySize = AES256_KEY_LENGTH;
+    }
+    else if (MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher)
+    {
+        // 2 * ( 48 + 12 + 32 ) = 184
+        macKeyLen = SHA256_MAC_KEY_LENGTH;
+        ivSize = GCM_IV_LENGTH;
+        keySize = AES128_KEY_LENGTH;
+    }
+    keyBlockLen = 2 * (macKeyLen + keySize + ivSize);
+
+    uint8_t * keyblock = (uint8_t *)OICMalloc(keyBlockLen);
+    if (NULL == keyblock)
+    {
+        OIC_LOG(ERROR, NET_SSL_TAG, "Failed to OICMalloc for keyblock");
+        oc_mutex_unlock(g_sslContextMutex);
+        return CA_STATUS_FAILED;
+    }
+
     // "key expansion"
     uint8_t lab[] = {0x6b, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e};
     int ret = pHash(tep->master, sizeof(tep->master), lab, sizeof(lab),
                     (tep->random) + RANDOM_LEN, RANDOM_LEN, tep->random, RANDOM_LEN,
-                    keyblock, KEY_BLOCK_LEN);
+                    keyblock, keyBlockLen);
     if (-1 == ret)
     {
         OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated");
+        OICFree(keyblock);
         oc_mutex_unlock(g_sslContextMutex);
         return CA_STATUS_FAILED;
     }
-    ret = pHash(keyblock, sizeof(keyblock), label, labelLen,
+
+    ret = pHash(keyblock, keyBlockLen, label, labelLen,
                 rsrcServerDeviceId, rsrcServerDeviceIdLen,
                 provServerDeviceId, provServerDeviceIdLen,
                 ownerPsk, ownerPskSize);
     if (-1 == ret)
     {
         OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated");
+        OICFree(keyblock);
         oc_mutex_unlock(g_sslContextMutex);
         return CA_STATUS_FAILED;
     }
 
+    OICFree(keyblock);
     oc_mutex_unlock(g_sslContextMutex);
 
     OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);

diff --git a/resource/csdk/connectivity/src/caconnectivitymanager.c b/resource/csdk/connectivity/src/caconnectivitymanager.c
index 1e469f3..a170ade 100644 (file)
--- a/resource/csdk/connectivity/src/caconnectivitymanager.c
+++ b/resource/csdk/connectivity/src/caconnectivitymanager.c
@@ -499,8 +499,7 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable)
     CAResult_t res = CA_STATUS_FAILED;
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
     // TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256    0xFF00 replaces 0xC018
-    // TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
-    res = CAsetTlsCipherSuite(enable ? 0xFF00 : 0xC037);
+    res = CAsetTlsCipherSuite(enable ? 0xFF00 : 0x00);
     if (CA_STATUS_OK != res)
     {
         OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuite : %d", res);

diff --git a/resource/csdk/connectivity/test/ssladapter_test.cpp b/resource/csdk/connectivity/test/ssladapter_test.cpp
index 1dde70f..9ebdcf4 100644 (file)
--- a/resource/csdk/connectivity/test/ssladapter_test.cpp
+++ b/resource/csdk/connectivity/test/ssladapter_test.cpp
@@ -182,7 +182,7 @@ unsigned char caCert[] = {
 };
 int caCertLen = sizeof(caCert);
 
-unsigned char control_server_message_ccm[] = {
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM[] = {
     0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
     0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
     0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
@@ -194,9 +194,9 @@ unsigned char control_server_message_ccm[] = {
     0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
     0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x43, 0x4d, 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
 };
-int control_server_message_ccm_len = sizeof(control_server_message_ccm);
+int control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM);
 
-unsigned char control_server_message_ccm8[] = {
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8[] = {
     0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
     0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
     0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
@@ -209,9 +209,9 @@ unsigned char control_server_message_ccm8[] = {
     0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x43, 0x4d, 0x2d, 0x38, 0x3c, 0x2f, 0x70, 0x3e, 0x0d,
     0x0a
 };
-int control_server_message_ccm8_len = sizeof(control_server_message_ccm8);
+int control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8);
 
-unsigned char control_server_message_cbc[] = {
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256[] = {
     0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
     0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
     0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
@@ -222,9 +222,39 @@ unsigned char control_server_message_cbc[] = {
     0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44,
     0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
     0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36,
-       0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
+    0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
 };
-int control_server_message_cbc_len = sizeof(control_server_message_cbc);
+int control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
+
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256[] = {
+    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
+    0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
+    0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
+    0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65,
+    0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20,
+    0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63,
+    0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+    0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44,
+    0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
+    0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x47, 0x43, 0x4D, 0x2d, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36,
+    0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
+};
+int control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA[] = {
+    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
+    0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
+    0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
+    0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65,
+    0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20,
+    0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63,
+    0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+    0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44,
+    0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
+    0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x3c, 0x2f, 0x70,
+    0x3e, 0x0d, 0x0a
+};
+int control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
 
 unsigned char control_client_message[] = {
     0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a,
@@ -232,6 +262,36 @@ unsigned char control_client_message[] = {
 };
 int control_client_message_len = sizeof(control_client_message);
 
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384[] = {
+    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
+    0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
+    0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
+    0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65,
+    0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20,
+    0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63,
+    0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+    0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44,
+    0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
+    0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34,
+    0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
+};
+int control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+
+unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384[] = {
+    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d,
+    0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74,
+    0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e,
+    0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65,
+    0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20,
+    0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63,
+    0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+    0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44,
+    0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45,
+    0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d, 0x47, 0x43, 0x4D, 0x2d, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34,
+    0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a
+};
+int control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+
 static void error(const char *msg)
 {
     perror(msg);
@@ -1334,10 +1394,10 @@ static void * test0CAinitiateSslHandshake(void * arg)
 
     // CAsetTlsCipherSuite
     mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
+                                         tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]);
     mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-    g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+                                         tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]);
+    g_caSslContext->cipher = SSL_ECDHE_ECDSA_WITH_AES_128_CCM;
 
     CAsetPskCredentialsCallback(GetDtlsPskCredentials);
 
@@ -1495,7 +1555,7 @@ static void * testCAencryptSsl(void * arg)
     {
         CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM);
     }
-    if (*((int*)arg) == 1)
+    else if (*((int*)arg) == 1)
     {
         CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
     }
@@ -1503,6 +1563,19 @@ static void * testCAencryptSsl(void * arg)
     {
         CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
     }
+    else if (*((int*)arg) == 3)
+    {
+        CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+    }
+    else if (*((int*)arg) == 4)
+    {
+        CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+    }
+    else if (*((int*)arg) == 5)
+    {
+        CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+    }
+
     CAsetPskCredentialsCallback(GetDtlsPskCredentials);
 
     socketConnect();
@@ -1551,7 +1624,9 @@ static void * testCAencryptSsl(void * arg)
 
     if (*((int*)arg) == 0)
     {
-        if (control_server_message_ccm_len == msglen && memcmp(msg, control_server_message_ccm, control_server_message_ccm_len) == 0)
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM,
+            control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len) == 0)
         {
             ret = 0;
         }
@@ -1562,7 +1637,9 @@ static void * testCAencryptSsl(void * arg)
     }
     if (*((int*)arg) == 1)
     {
-        if (control_server_message_ccm8_len == msglen && memcmp(msg, control_server_message_ccm8, control_server_message_ccm8_len) == 0)
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+            control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len) == 0)
         {
             ret = 0;
         }
@@ -1573,7 +1650,48 @@ static void * testCAencryptSsl(void * arg)
     }
     else if (*((int*)arg) == 2)
     {
-        if (control_server_message_cbc_len == msglen && memcmp(msg, control_server_message_cbc, control_server_message_cbc_len) == 0)
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+            control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len) == 0)
+        {
+            ret = 0;
+        }
+        else
+        {
+            ret = 1;
+        }
+    }
+    else if (*((int*)arg) == 3)
+    {
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+            control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len) == 0)
+        {
+            ret = 0;
+        }
+        else
+        {
+            ret = 1;
+        }
+    }
+    else if (*((int*)arg) == 4)
+    {
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+                   control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len) == 0)
+        {
+            ret = 0;
+        }
+        else
+        {
+            ret = 1;
+        }
+    }
+    else if (*((int*)arg) == 5)
+    {
+        if (control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                   control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len) == 0)
         {
             ret = 0;
         }
@@ -1679,6 +1797,89 @@ TEST(TLSAdaper, Test_4_2)
     EXPECT_EQ(0, arg);
 }
 
+// CAencryptSsl()
+TEST(TLSAdaper, Test_4_3)
+{
+    pthread_t thread1, thread2;
+    int ret = 0;
+    int arg = 3;
+
+    ret = pthread_create( &thread1, NULL, server, (void*) NULL);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    EXPECT_EQ(0, arg);
+}
+
+// CAencryptSsl()
+TEST(TLSAdaper, Test_4_4)
+{
+    pthread_t thread1, thread2;
+    int ret = 0;
+    int arg = 4;
+
+    ret = pthread_create( &thread1, NULL, server, (void*) NULL);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    EXPECT_EQ(0, arg);
+}
+
+TEST(TLSAdaper, Test_4_5)
+{
+    pthread_t thread1, thread2;
+    int ret = 0;
+    int arg = 5;
+
+    ret = pthread_create( &thread1, NULL, server, (void*) NULL);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg);
+    if(ret)
+    {
+        fprintf(stderr,"Error - pthread_create() return code: %d\n", ret);
+        exit(EXIT_FAILURE);
+    }
+
+    sleep(5);
+
+    EXPECT_EQ(0, arg);
+}
+
 /* **************************
  *
  *
@@ -1784,8 +1985,9 @@ static void * testCAdecryptSsl(void * arg)
 
     socketClose();
 
-    if (control_server_message_ccm_len == msglen && memcmp(msg, control_server_message_ccm,
-                                                                 control_server_message_ccm_len) == 0)
+    if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len == msglen &&
+            memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM,
+            control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len) == 0)
     {
         *((int*)arg) = 0;
         return NULL;
@@ -1880,10 +2082,10 @@ static int testCAdeinitSslAdapter()
 
     // CAsetTlsCipherSuite
     mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
+                                         tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]);
     mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf,
-                                         tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]);
-    g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+                                         tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]);
+    g_caSslContext->cipher = SSL_ECDHE_ECDSA_WITH_AES_128_CCM;
 
     CAdeinitSslAdapter();
 
@@ -2105,32 +2307,55 @@ static int testCAsetTlsCipherSuite()
     // CAsetCredentialTypesCallback
     g_getCredentialTypesCallback = clutch;
 
-    status = CAsetTlsCipherSuite(MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA);
-    if (ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA != g_caSslContext->cipher || status != CA_STATUS_OK)
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256);
+    if (SSL_RSA_WITH_AES_256_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    {
+        ret += 1;
+    }
+
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+    if (SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    {
+        ret += 1;
+    }
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+    if (SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8 != g_caSslContext->cipher || status != CA_STATUS_OK)
     {
         ret += 1;
     }
 
     status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM);
-    if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM != g_caSslContext->cipher || status != CA_STATUS_OK)
+    if (SSL_ECDHE_ECDSA_WITH_AES_128_CCM != g_caSslContext->cipher || status != CA_STATUS_OK)
     {
         ret += 1;
     }
 
     status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
-    if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    if (SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
     {
         ret += 1;
     }
 
-    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256);
-    if (ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+    if (SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    {
+        ret += 1;
+    }
+
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+    if (SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 != g_caSslContext->cipher || status != CA_STATUS_OK)
     {
         ret += 1;
     }
 
     status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
-    if (ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    if (SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
+    {
+        ret += 1;
+    }
+
+    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256);
+    if (SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
     {
         ret += 1;
     }
@@ -2238,7 +2463,7 @@ static void * testCAsslGenerateOwnerPsk(void * arg)
     // CAsetCredentialTypesCallback
     g_getCredentialTypesCallback = clutch;
 
-    CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM);
+    CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
 
     CAsetPskCredentialsCallback(GetDtlsPskCredentials);
 

diff --git a/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c b/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c
index e7050ce..c0223b2 100644 (file)
--- a/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c
+++ b/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c
@@ -542,7 +542,7 @@ static void userRequests(void *data)
         {
             int tmp = 0;
             readInteger(&tmp, "Select Cipher Suite", "0 - ECDSA, other - RSA");
-            uint16_t cipher = tmp? MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA:
+            uint16_t cipher = tmp? MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256:
                                    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
             if (CA_STATUS_OK != CASelectCipherSuite(cipher, CA_ADAPTER_TCP))
             {

diff --git a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
index 5700c74..9fa52d9 100644 (file)
--- a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
+++ b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c
@@ -1133,7 +1133,6 @@ static OCStackApplicationResult OwnerCredentialHandler(void *ctx, OCDoHandle UNU
              */
             // TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256 = 0xC037, /**< see RFC 5489 */
             caResult = CASelectCipherSuite(0xC037, endpoint->adapter);
-
             if(CA_STATUS_OK != caResult)
             {
                 OIC_LOG(ERROR, TAG, "Failed to select TLS_NULL_WITH_NULL_NULL");

diff --git a/resource/csdk/security/provisioning/src/oxmmanufacturercert.c b/resource/csdk/security/provisioning/src/oxmmanufacturercert.c
index 77d658c..b1bf0d5 100644 (file)
--- a/resource/csdk/security/provisioning/src/oxmmanufacturercert.c
+++ b/resource/csdk/security/provisioning/src/oxmmanufacturercert.c
@@ -129,14 +129,14 @@ OCStackResult CreateSecureSessionMCertificateCallback(OTMContext_t* otmCtx)
     }
     OIC_LOG(INFO, TAG, "Anonymous cipher suite disabled.");
 
-    caresult  = CASelectCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    caresult  = CASelectCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                                     otmCtx->selectedDeviceInfo->endpoint.adapter);
     if (CA_STATUS_OK != caresult)
     {
-        OIC_LOG_V(ERROR, TAG, "Failed to select TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
+        OIC_LOG_V(ERROR, TAG, "Failed to select MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8");
         return OC_STACK_ERROR;
     }
-    OIC_LOG(INFO, TAG, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite selected.");
+    OIC_LOG(INFO, TAG, "MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite selected.");
 
     OCProvisionDev_t* selDevInfo = otmCtx->selectedDeviceInfo;
     CAEndpoint_t *endpoint = (CAEndpoint_t *)OICCalloc(1, sizeof (CAEndpoint_t));

diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c
index 43f650c..7c477ac 100644 (file)
--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
@@ -1874,13 +1874,6 @@ static OCEntityHandlerResult HandlePostRequest(OCEntityHandlerRequest * ehReques
                         {
                             OIC_LOG(INFO, TAG, "Anonymous cipher suite is DISABLED");
                         }
-
-                        if(CA_STATUS_OK !=
-                           CASelectCipherSuite(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256, ehRequest->devAddr.adapter))
-                        {
-                            OIC_LOG(ERROR, TAG, "Failed to select cipher suite");
-                            ret = OC_EH_ERROR;
-                        }
                     }
 
                     break;

diff --git a/resource/include/CAManager.h b/resource/include/CAManager.h
index ae0823b..d67e96a 100644 (file)
--- a/resource/include/CAManager.h
+++ b/resource/include/CAManager.h
@@ -78,10 +78,16 @@ namespace OC
         /**
          * Select the cipher suite for TLS/DTLS handshake.
          * @param cipher  cipher suite (Note : Make sure endianness).
-         *                    0x35   : TLS_RSA_WITH_AES_256_CBC_SHA
-         *                    0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA
-         *                    0xC037 : TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
-         *                    0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+         *                        TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D
+         *                        TLS_RSA_WITH_AES_128_GCM_SHA256          0x009C
+         *                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B
+         *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8       0xC0AE
+         *                        TLS_ECDHE_ECDSA_WITH_AES_128_CCM         0xC0AC
+         *                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023
+         *                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024
+         *                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C
+         *                        TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
+         *                        TLS_ECDH_anon_WITH_AES_128_CBC_SHA       0xC018
          * @param adapter transport adapter type.
          * @return Returns ::OC_STACK_OK if success.
          */