#include "ocrandom.h"
#include "byte_array.h"
#include "octhread.h"
+#include "octypes.h"
#include "timer.h"
static CAgetPkixInfoHandler g_getPkixInfoCallback = NULL;
/**
+ * Function pointer to get user confirmation in case of client's certificate absence
+ */
+static UserConfirmNoCertCallback g_noCertConfirmCallback = NULL;
+
+/**
+ * Function pointer to get user confirmation in case of client's certificate absence
+ */
+static int g_noCertConfirmState = OC_STACK_METHOD_NOT_ALLOWED;
+
+/**
* @var g_setupPkContextCallback
*
* @brief callback to setup PK context handler for H/W based Public Key Infrastructure
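Review bot: The doc comment added for `g_noCertConfirmState` is a copy of the one above it and is wrong for this variable — it is an `int` holding the last confirmation result, not a function pointer. Suggest replacing it with `/** Result of the most recent no-certificate confirmation; OC_STACK_METHOD_NOT_ALLOWED means the user has not been asked yet. */`. Since the value comes from an `OCStackResult` callback and is compared against `OC_STACK_*` constants, declaring it as `OCStackResult` rather than `int` would also make that contract visible at the declaration.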
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
}
+void CAsetNoCertConfirmCallback(UserConfirmNoCertCallback noCertCallback)
+{
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
+ g_noCertConfirmCallback = noCertCallback;
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
+}
+
static int GetAdapterIndex(CATransportAdapter_t adapter)
{
switch (adapter)
return CA_STATUS_FAILED;
}
-
SslEndPoint_t * peer = GetSslPeer(&sep->endpoint);
if (NULL == peer)
{
ret = mbedtls_ssl_handshake_step(&peer->ssl);
}
uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl);
+ if (MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint &&
+ MBEDTLS_X509_BADCERT_MISSING == flags)
+ {
+ if (OC_STACK_METHOD_NOT_ALLOWED == g_noCertConfirmState)
+ {
+ g_noCertConfirmState = g_noCertConfirmCallback(NULL);
+ if (OC_STACK_OK == g_noCertConfirmState)
+ {
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: user confirmation received");
+ }
+ else if (OC_STACK_USER_DENIED_REQ == g_noCertConfirmState)
+ {
+ OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: user denial received");
+ SSL_CHECK_FAIL(peer, MBEDTLS_SSL_ALERT_LEVEL_FATAL, "Handshake error", 1,
+ CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ }
+ }
+ }
if (0 != flags &&
((MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint) ||
(MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint && MBEDTLS_X509_BADCERT_MISSING != flags)))
OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags));
SSL_CHECK_FAIL(peer, flags, "Cert verification failed", 1,
CA_STATUS_FAILED, GetAlertCode(flags));
+
}
SSL_CHECK_FAIL(peer, ret, "Handshake error", 1, CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
if (MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC == peer->ssl.state)
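Review bot: The new no-certificate branch fails open in two ways. First, `g_noCertConfirmCallback(NULL)` is called without a NULL check, so a server that never called `CAsetNoCertConfirmCallback` dereferences NULL as soon as a peer presents no certificate. Second, the decision is cached process-wide in `g_noCertConfirmState` and the denial path only runs when the state is still `OC_STACK_METHOD_NOT_ALLOWED`: after one denial (or any callback result other than OK/denied) the block is skipped on every later handshake, and the existing check below already exempts `MBEDTLS_X509_BADCERT_MISSING` for servers, so every subsequent cert-less peer is accepted without a prompt unless the state is reset somewhere outside this hunk. The rewrite below denies when no callback is registered, evaluates the cached state on every handshake, and treats anything other than an explicit `OC_STACK_OK` as a rejection; a per-peer decision rather than a global cache would be better still, but is a larger change. The enclosing function starts and ends outside this hunk.
```c
    if (MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint &&
        MBEDTLS_X509_BADCERT_MISSING == flags)
    {
        if (OC_STACK_METHOD_NOT_ALLOWED == g_noCertConfirmState)
        {
            // Nobody registered to approve a cert-less peer: deny rather than crash.
            g_noCertConfirmState = (NULL == g_noCertConfirmCallback)
                                   ? OC_STACK_USER_DENIED_REQ
                                   : g_noCertConfirmCallback(NULL);
        }
        if (OC_STACK_OK == g_noCertConfirmState)
        {
            OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: user confirmation received");
        }
        else
        {
            // Denial, an error code or a missing callback all fail closed, on every handshake.
            OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: not confirmed, rejecting");
            SSL_CHECK_FAIL(peer, MBEDTLS_SSL_ALERT_LEVEL_FATAL, "Handshake error", 1,
                           CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
        }
    }
    /* … unchanged: existing verify-result check and handshake error handling … */
```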
return OC_STACK_OK;
}
+OCStackResult confirmNoCertCB(void * ctx)
+{
+ OC_UNUSED(ctx);
+ for (;;)
+ {
+ int userConfirm;
+
+ printf(" > Peer has no cert!\n");
+ printf(" > Press 1 for confirmation\n");
+ printf(" > Press 0 otherwise\n");
+
+ for (int ret=0; 1!=ret; )
+ {
+ ret = scanf("%d", &userConfirm);
+ for (; 0x20<=getchar(); ); // for removing overflow garbage
+ // '0x20<=code' is character region
+ }
+ if (1 == userConfirm)
+ {
+ break;
+ }
+ else if (0 == userConfirm)
+ {
+ return OC_STACK_USER_DENIED_REQ;
+ }
+ printf(" Entered Wrong Number. Please Enter Again\n");
+ }
+ return OC_STACK_OK;
+}
+
FILE* server_fopen(const char *path, const char *mode)
{
(void)path;
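Review bot: The input loop `for (int ret=0; 1!=ret; )` never terminates when `scanf` returns `EOF` (stdin closed or redirected): `scanf` keeps returning `EOF`, the `getchar` drain exits immediately because `EOF < 0x20`, and the loop spins. Add `if (EOF == ret) { return OC_STACK_USER_DENIED_REQ; }` after the `scanf` call so an unanswerable prompt is treated as a denial rather than a hang. It is also worth a comment on the function that it blocks the calling thread — which here is the thread driving the TLS handshake — until a human answers, e.g. `/* Blocks on stdin until the operator answers; a handshake waits for this. */`.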
OCPersistentStorage ps = {server_fopen, fread, fwrite, fclose, unlink, NULL, NULL};
SetUserConfirmCB(NULL, confirmCB);
+ CAsetNoCertConfirmCallback(confirmNoCertCB);
OCRegisterPersistentStorageHandler(&ps);