From: Sachin Agrawal Date: Fri, 25 Sep 2015 18:20:29 +0000 (-0700) Subject: Refactor PSK Credential retrieval interface X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=134d702757cb17c888a6700ebd93bfc00a92f02e;p=contrib%2Fiotivity.git Refactor PSK Credential retrieval interface When CA requests PSK credentials during DTLS handshake, SRM retrieves credential for all devices and provides it to CA. This is un-necessary and is in-efficient approach. Updated code to only provide credential which has been requested by tinydtls. Change-Id: Ie9bdc0ff1236b9f1f198215d211a682df416e731 Signed-off-by: Sachin Agrawal Reviewed-on: https://gerrit.iotivity.org/gerrit/3009 Reviewed-by: Jon A. Cruz Tested-by: jenkins-iotivity --- diff --git a/resource/csdk/connectivity/api/cainterface.h b/resource/csdk/connectivity/api/cainterface.h index ca67e76..6b4d8a2 100644 --- a/resource/csdk/connectivity/api/cainterface.h +++ b/resource/csdk/connectivity/api/cainterface.h @@ -31,13 +31,7 @@ * Connectivity Abstraction Interface APIs. */ #include "cacommon.h" - -#ifdef __WITH_DTLS__ -#include "ocsecurityconfig.h" -#endif -#ifdef __WITH_X509__ -#include "pki.h" -#endif //__WITH_X509__ +#include "casecurityinterface.h" #ifdef __cplusplus extern "C" 
@@ -93,66 +87,6 @@ typedef struct #endif //RA_ADAPTER -#ifdef __WITH_DTLS__ - -/** - * Binary blob containing device identity and the credentials for all devices - * trusted by this device. - */ -typedef struct -{ - unsigned char identity[DTLS_PSK_ID_LEN]; /** identity of self. */ - uint32_t num; /** number of credentials in this blob. */ - OCDtlsPskCreds *creds; /** list of credentials. Size of this - array is determined by 'num' variable. */ -} CADtlsPskCredsBlob_t; - -/** - * Callback function type for getting DTLS credentials. - * @param[out] credInfo DTLS credentials info. Handler has to allocate new memory for. - * both credInfo and credInfo->creds which is then freed by CA. - */ -typedef void (*CAGetDTLSCredentialsHandler)(CADtlsPskCredsBlob_t **credInfo); -#endif //__WITH_DTLS__ - -#ifdef __WITH_X509__ -/** - * Binary structure containing certificate chain and certificate credentials - * for this device. - */ -typedef struct -{ - // certificate message for DTLS - unsigned char certificateChain[MAX_CERT_MESSAGE_LEN]; - // length of the certificate message - uint32_t certificateChainLen; - // number of certificates in certificate message - uint8_t chainLen; - // x component of EC public key - uint8_t rootPublicKeyX[PUBLIC_KEY_SIZE / 2]; - // y component of EC public key - uint8_t rootPublicKeyY[PUBLIC_KEY_SIZE / 2]; - // EC private key - uint8_t devicePrivateKey[PRIVATE_KEY_SIZE]; - -} CADtlsX509Creds_t; - -/** - * @brief Callback function type for getting certificate credentials. - * @param credInfo [OUT] Certificate credentials info. Handler has to allocate new memory for - * credInfo which is then freed by CA - * @return NONE - */ -typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo); -/** - * @brief Callback function type for getting CRL. - * @param crlInfo [OUT] Certificate credentials info. 
Handler has to allocate new memory for - * credInfo which is then freed by CA - * @return NONE - */ -typedef void (*CAGetDTLSCrlHandler)(ByteArray crlInfo); -#endif //__WITH_X509__ - /** * Initialize the connectivity abstraction module. * It will initialize adapters, thread pool and other modules based on the platform @@ -196,30 +130,6 @@ CAResult_t CAStartDiscoveryServer(); void CARegisterHandler(CARequestCallback ReqHandler, CAResponseCallback RespHandler, CAErrorCallback ErrorHandler); -#ifdef __WITH_DTLS__ -/** - * Register callback to get DTLS PSK credentials. - * @param[in] GetDTLSCredentials GetDTLS Credetials callback. - * @return ::CA_STATUS_OK - */ -CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSCredentialsHandler GetDTLSCredentials); -#endif //__WITH_DTLS__ - -#ifdef __WITH_X509__ -/** - * @brief Register callback to get DTLS Cert credentials. - * @param GetCertCredentials [IN] GetCert Credetials callback - * @return #CA_STATUS_OK - */ -CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials); -/** - * @brief Register callback to get CRL. - * @param GetCrl [IN] GetCrl callback - * @return #CA_STATUS_OK - */ -CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl); -#endif //__WITH_X509__ - /** * Create an endpoint description. * @param[in] flags how the adapter should be used. 
@@ -330,83 +240,6 @@ CAResult_t CASetRAInfo(const CARAInfo_t *caraInfo); #endif -#ifdef __WITH_DTLS__ - -/** - * Select the cipher suite for dtls handshake. - * - * @param[in] cipher cipher suite (Note : Make sure endianness). - * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA - * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8 - * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - * - * @retval ::CA_STATUS_OK Successful. - * @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments. - * @retval ::CA_STATUS_FAILED Operation failed. - */ -CAResult_t CASelectCipherSuite(const uint16_t cipher); - -/** - * Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls. - * - * @param[in] enable TRUE/FALSE enables/disables anonymous cipher suite. - * - * @retval ::CA_STATUS_OK Successful. - * @retval ::CA_STATUS_FAILED Operation failed. - * - * @note anonymous cipher suite should only be enabled for 'JustWorks' provisioning. - */ -CAResult_t CAEnableAnonECDHCipherSuite(const bool enable); - - -/** - * Generate ownerPSK using PRF. - * OwnerPSK = TLS-PRF('master key' , 'oic.sec.doxm.jw', - * 'ID of new device(Resource Server)', - * 'ID of owner smart-phone(Provisioning Server)') - * - * @param[in] endpoint information of network address. - * @param[in] label Ownership transfer method e.g)"oic.sec.doxm.jw". - * @param[in] labelLen Byte length of label. - * @param[in] rsrcServerDeviceID ID of new device(Resource Server). - * @param[in] rsrcServerDeviceIDLen Byte length of rsrcServerDeviceID. - * @param[in] provServerDeviceID label of previous owner. - * @param[in] provServerDeviceIDLen byte length of provServerDeviceID. - * @param[in,out] ownerPSK Output buffer for owner PSK. - * @param[in] ownerPSKSize Byte length of the ownerPSK to be generated. - * - * @retval ::CA_STATUS_OK Successful. - * @retval ::CA_STATUS_FAILED Operation failed. 
- */ -CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t *endpoint, - const uint8_t* label, const size_t labelLen, - const uint8_t* rsrcServerDeviceID, - const size_t rsrcServerDeviceIDLen, - const uint8_t* provServerDeviceID, - const size_t provServerDeviceIDLen, - uint8_t* ownerPSK, const size_t ownerPSKSize); - -/** - * Initiate DTLS handshake with selected cipher suite. - * - * @param[in] endpoint information of network address. - * - * @retval ::CA_STATUS_OK Successful. - * @retval ::CA_STATUS_FAILED Operation failed. - */ -CAResult_t CAInitiateHandshake(const CAEndpoint_t *endpoint); - -/** - * Close the DTLS session. - * - * @param[in] endpoint information of network address. - * - * @retval ::CA_STATUS_OK Successful. - * @retval ::CA_STATUS_FAILED Operation failed. - */ -CAResult_t CACloseDtlsSession(const CAEndpoint_t *endpoint); - -#endif /* __WITH_DTLS__ */ #ifdef __cplusplus } /* extern "C" */ diff --git a/resource/csdk/connectivity/api/casecurityinterface.h b/resource/csdk/connectivity/api/casecurityinterface.h new file mode 100644 index 0000000..fb8afdb --- /dev/null +++ b/resource/csdk/connectivity/api/casecurityinterface.h 
@@ -0,0 +1,218 @@ +/* ***************************************************************** + * + * Copyright 2015 Samsung Electronics All Rights Reserved. + * + * + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ******************************************************************/ + +/** + * @file + * + * This file contains the Security APIs for Resource Model to use. + */ + +#ifndef CA_SECURITY_INTERFACE_H_ +#define CA_SECURITY_INTERFACE_H_ + +#ifdef __WITH_X509__ +#include "pki.h" +#endif //__WITH_X509__ + + +#ifdef __cplusplus +extern "C" +{ +#endif + + +#ifdef __WITH_DTLS__ +/** + * @enum CADtlsPskCredType_t + * Type of PSK credential required during DTLS handshake + * It does not make much sense in bringing in all definitions from dtls.h into here. + * Therefore, redefining them here. + */ +typedef enum +{ + CA_DTLS_PSK_HINT, + CA_DTLS_PSK_IDENTITY, + CA_DTLS_PSK_KEY +} CADtlsPskCredType_t; + +/** + * This internal callback is used by CA layer to + * retrieve PSK credentials from SRM. + * + * @param[in] type type of PSK data required by CA layer during DTLS handshake set. + * @param[in] desc Additional request information. + * @param[in] desc_len The actual length of desc. + * @param[out] result Must be filled with the requested information. + * @param[in] result_length Maximum size of @p result. + * + * @return The number of bytes written to @p result or a value + * less than zero on error. 
+ */ +typedef int (*CAGetDTLSPskCredentialsHandler)( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length); + +/** + * Register callback to get DTLS PSK credentials. + * @param[in] GetDTLSCredentials GetDTLS Credetials callback. + * @return ::CA_STATUS_OK + */ +CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSPskCredentialsHandler GetDTLSCredentials); + +#endif //__WITH_DTLS__ + +#ifdef __WITH_X509__ +/** + * Binary structure containing certificate chain and certificate credentials + * for this device. + */ +typedef struct +{ + // certificate message for DTLS + unsigned char certificateChain[MAX_CERT_MESSAGE_LEN]; + // length of the certificate message + uint32_t certificateChainLen; + // number of certificates in certificate message + uint8_t chainLen; + // x component of EC public key + uint8_t rootPublicKeyX[PUBLIC_KEY_SIZE / 2]; + // y component of EC public key + uint8_t rootPublicKeyY[PUBLIC_KEY_SIZE / 2]; + // EC private key + uint8_t devicePrivateKey[PRIVATE_KEY_SIZE]; + +} CADtlsX509Creds_t; + +/** + * @brief Callback function type for getting certificate credentials. + * @param credInfo [OUT] Certificate credentials info. Handler has to allocate new memory for + * credInfo which is then freed by CA + * @return NONE + */ +typedef int (*CAGetDTLSX509CredentialsHandler)(CADtlsX509Creds_t *credInfo); +/** + * @brief Callback function type for getting CRL. + * @param crlInfo [OUT] Certificate credentials info. Handler has to allocate new memory for + * credInfo which is then freed by CA + * @return NONE + */ +typedef void (*CAGetDTLSCrlHandler)(ByteArray crlInfo); + +/** + * @brief Register callback to get DTLS Cert credentials. + * @param GetCertCredentials [IN] GetCert Credetials callback + * @return #CA_STATUS_OK + */ +CAResult_t CARegisterDTLSX509CredentialsHandler(CAGetDTLSX509CredentialsHandler GetX509Credentials); +/** + * @brief Register callback to get CRL. 
+ * @param GetCrl [IN] GetCrl callback + * @return #CA_STATUS_OK + */ +CAResult_t CARegisterDTLSCrlHandler(CAGetDTLSCrlHandler GetCrl); +#endif //__WITH_X509__ + + +#ifdef __WITH_DTLS__ + +/** + * Select the cipher suite for dtls handshake. + * + * @param[in] cipher cipher suite (Note : Make sure endianness). + * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA + * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8 + * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CASelectCipherSuite(const uint16_t cipher); + +/** + * Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls. + * + * @param[in] enable TRUE/FALSE enables/disables anonymous cipher suite. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + * + * @note anonymous cipher suite should only be enabled for 'JustWorks' provisioning. + */ +CAResult_t CAEnableAnonECDHCipherSuite(const bool enable); + + +/** + * Generate ownerPSK using PRF. + * OwnerPSK = TLS-PRF('master key' , 'oic.sec.doxm.jw', + * 'ID of new device(Resource Server)', + * 'ID of owner smart-phone(Provisioning Server)') + * + * @param[in] endpoint information of network address. + * @param[in] label Ownership transfer method e.g)"oic.sec.doxm.jw". + * @param[in] labelLen Byte length of label. + * @param[in] rsrcServerDeviceID ID of new device(Resource Server). + * @param[in] rsrcServerDeviceIDLen Byte length of rsrcServerDeviceID. + * @param[in] provServerDeviceID label of previous owner. + * @param[in] provServerDeviceIDLen byte length of provServerDeviceID. + * @param[in,out] ownerPSK Output buffer for owner PSK. + * @param[in] ownerPSKSize Byte length of the ownerPSK to be generated. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. 
+ */ +CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t *endpoint, + const uint8_t* label, const size_t labelLen, + const uint8_t* rsrcServerDeviceID, + const size_t rsrcServerDeviceIDLen, + const uint8_t* provServerDeviceID, + const size_t provServerDeviceIDLen, + uint8_t* ownerPSK, const size_t ownerPSKSize); + +/** + * Initiate DTLS handshake with selected cipher suite. + * + * @param[in] endpoint information of network address. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CAInitiateHandshake(const CAEndpoint_t *endpoint); + +/** + * Close the DTLS session. + * + * @param[in] endpoint information of network address. + * + * @retval ::CA_STATUS_OK Successful. + * @retval ::CA_STATUS_FAILED Operation failed. + */ +CAResult_t CACloseDtlsSession(const CAEndpoint_t *endpoint); + +#endif /* __WITH_DTLS__ */ + + +#ifdef __cplusplus +} /* extern "C" */ +#endif + + +#endif /* CA_SECURITY_INTERFACE_H_ */ + diff --git a/resource/csdk/connectivity/build/tizen/packaging/com.oic.ca.spec b/resource/csdk/connectivity/build/tizen/packaging/com.oic.ca.spec index 8533188..1602200 100644 --- a/resource/csdk/connectivity/build/tizen/packaging/com.oic.ca.spec +++ b/resource/csdk/connectivity/build/tizen/packaging/com.oic.ca.spec @@ -52,6 +52,7 @@ cp -rf %{ROOTDIR}/con/inc/caipadapter.h* %{DEST_INC_DIR}/ cp -rf %{ROOTDIR}/con/inc/caedradapter.h* %{DEST_INC_DIR}/ cp -rf %{ROOTDIR}/con/inc/caleadapter.h* %{DEST_INC_DIR}/ cp -rf %{ROOTDIR}/con/api/cainterface.h* %{DEST_INC_DIR}/ +cp -rf %{ROOTDIR}/con/api/casecurityinterface.h* %{DEST_INC_DIR}/ cp -rf %{ROOTDIR}/com.oic.ca.pc %{DEST_LIB_DIR}/pkgconfig/ diff --git a/resource/csdk/connectivity/external/inc/ocsecurityconfig.h b/resource/csdk/connectivity/external/inc/ocsecurityconfig.h deleted file mode 100644 index c7af532..0000000 --- a/resource/csdk/connectivity/external/inc/ocsecurityconfig.h +++ /dev/null 
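Review bot: The comment on `CAGetDTLSPskCredentialsHandler` in the new casecurityinterface.h does not say what `desc` carries for each `CADtlsPskCredType_t` value, so an implementer cannot tell which input selects the key. Judging by the sample handlers and the adapter code in this commit, `desc` is the peer identity for `CA_DTLS_PSK_KEY`; the doc should say so, and also that `result` then receives raw key material and that a handler must return a negative value without writing when `result_length` is too small. The header also uses `CAResult_t`, `CAEndpoint_t`, `size_t`, `uint8_t` and `bool` but includes only `pki.h`, so it compiles only when the includer has already pulled in `cacommon.h` (as cainterface.h does); adding `#include "cacommon.h"` after the include guard would make it self-contained, assuming those types are declared there.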
@@ -1,64 +0,0 @@ - //******************************************************************* - // - // Copyright 2014 Intel Mobile Communications GmbH All Rights Reserved. - // - // - // - // Licensed under the Apache License, Version 2.0 (the "License"); - // you may not use this file except in compliance with the License. - // You may obtain a copy of the License at - // - // http://www.apache.org/licenses/LICENSE-2.0 - // - // Unless required by applicable law or agreed to in writing, software - // distributed under the License is distributed on an "AS IS" BASIS, - // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - // See the License for the specific language governing permissions and - // limitations under the License. - // - // - //****************************************************************** -/** - * @file - * - * This file contains all the constants which can be configured/modified as - * per platform or security specific product usage scenarios. - */ - - -#ifndef OC_SECURITY_CONFIG_H -#define OC_SECURITY_CONFIG_H - -#include - -#define DTLS_PSK_ID_LEN 16 -#define DTLS_PSK_PSK_LEN 16 - -#define DtlsPskCredsBlobVer_1 1 /**< Credentials stored in plaintext */ -#define DtlsPskCredsBlobVer_CurrentVersion DtlsPskCredsBlobVer_1 - -/** - * Credentials for a device. Includes identity and the associated PSK. - */ -typedef struct -{ - unsigned char id[DTLS_PSK_ID_LEN]; - unsigned char psk[DTLS_PSK_PSK_LEN]; -} OCDtlsPskCreds; - -/** - * Binary blob containing device identity and the credentials for all devices - * trusted by this device. - */ -typedef struct -{ - unsigned char identity[DTLS_PSK_ID_LEN]; /** identity of self */ - uint32_t num; /** number of credentials in this blob */ - OCDtlsPskCreds creds[1]; /** list of credentials. Size of this - array is determined by 'num' variable. */ -} OCDtlsPskCredsBlob; - -#endif //OC_SECURITY_CONFIG_H - - - 
diff --git a/resource/csdk/connectivity/inc/caadapternetdtls.h b/resource/csdk/connectivity/inc/caadapternetdtls.h index d766451..1ef7fb6 100644 --- a/resource/csdk/connectivity/inc/caadapternetdtls.h +++ b/resource/csdk/connectivity/inc/caadapternetdtls.h @@ -24,7 +24,6 @@ #include "uarraylist.h" #include "camutex.h" #include "caadapterutils.h" -#include "ocsecurityconfig.h" #include "cainterface.h" #include "cacommon.h" @@ -33,11 +32,6 @@ */ #define MAX_SUPPORTED_ADAPTERS 2 -/** - * The implementation will be provided by OIC RI layer. - */ -extern void OCGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo); - typedef void (*CAPacketReceivedCallback)(const CASecureEndpoint_t *sep, const void *data, uint32_t dataLength); @@ -130,9 +124,9 @@ void CADTLSSetAdapterCallbacks(CAPacketReceivedCallback recvCallback, /** * Register callback to get DTLS PSK credentials. - * @param[in] credCallback callback to get DTLS credentials. + * @param[in] credCallback callback to get DTLS PSK credentials. */ -void CADTLSSetCredentialsCallback(CAGetDTLSCredentialsHandler credCallback); +void CADTLSSetCredentialsCallback(CAGetDTLSPskCredentialsHandler credCallback); /** * Select the cipher suite for dtls handshake diff --git a/resource/csdk/connectivity/samples/android/casample/sampleService/src/main/jni/ResourceModel.c b/resource/csdk/connectivity/samples/android/casample/sampleService/src/main/jni/ResourceModel.c index 0c62fff..c041f83 100644 --- a/resource/csdk/connectivity/samples/android/casample/sampleService/src/main/jni/ResourceModel.c +++ b/resource/csdk/connectivity/samples/android/casample/sampleService/src/main/jni/ResourceModel.c 
@@ -17,15 +17,11 @@
 #define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
 #define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
-/**
- * @def RS_IDENTITY
- * @brief
- */
-#define IDENTITY ("1111111111111111")
-/* @def RS_CLIENT_PSK
- * @brief
- */
-#define RS_CLIENT_PSK ("AAAAAAAAAAAAAAAA")
+// Iotivity Device Identity.
+const unsigned char IDENTITY[] = ("1111111111111111");
+
+// PSK between this device and peer device.
+const unsigned char RS_CLIENT_PSK[] = ("AAAAAAAAAAAAAAAA");
 #define PORT_LENGTH 5
 #define SECURE_DEFAULT_PORT 5684
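Review bot: `sizeof(IDENTITY)` and `sizeof(RS_CLIENT_PSK)` are 17 for these arrays, because the initializer's terminating NUL is counted, whereas the code being removed copied `DTLS_PSK_ID_LEN` / `DTLS_PSK_PSK_LEN` (16) bytes. The handler added later in this file uses those sizes as the identity and key lengths, so the sample now presents a 17-byte identity and a 17-byte key, which would not match a peer provisioned with the 16-byte values. Sizing the arrays explicitly, `static const unsigned char IDENTITY[16] = "1111111111111111";` (and likewise for `RS_CLIENT_PSK`), keeps the old lengths; `static` keeps the symbols file-local, and dropping the parentheses avoids relying on a compiler extension for the initializer. The same declarations appear in the linux sample_main.c and tizen casample.c hunks. The comment on `RS_CLIENT_PSK` should also say that the fixed key is for the sample only.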
@@ -104,80 +100,61 @@ Java_org_iotivity_ca_service_RMInterface_setNativeResponseListener(JNIEnv *env, } #ifdef __WITH_DTLS__ -static CADtlsPskCredsBlob_t *pskCredsBlob = NULL; - -void clearDtlsCredentialInfo() -{ - LOGI("clearDtlsCredentialInfo IN"); - if (pskCredsBlob) - { - // Initialize sensitive data to zeroes before freeing. - if (NULL != pskCredsBlob->creds) - { - memset(pskCredsBlob->creds, 0, sizeof(OCDtlsPskCreds)*(pskCredsBlob->num)); - free(pskCredsBlob->creds); - } - - memset(pskCredsBlob, 0, sizeof(CADtlsPskCredsBlob_t)); - free(pskCredsBlob); - pskCredsBlob = NULL; - } - LOGI("clearDtlsCredentialInfo OUT"); -} - // Internal API. Invoked by OC stack to retrieve credentials from this module -void CAGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo) +int32_t CAGetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length) { LOGI("CAGetDtlsPskCredentials IN"); - *credInfo = (CADtlsPskCredsBlob_t *) malloc(sizeof(CADtlsPskCredsBlob_t)); - if (NULL == *credInfo) + + int32_t ret = -1; + + if (NULL == result) { - LOGE("Failed to allocate credential blob."); - return; + return ret; } - int16_t credLen = sizeof(OCDtlsPskCreds) * (pskCredsBlob->num); - (*credInfo)->creds = (OCDtlsPskCreds *) malloc(credLen); - if (NULL == (*credInfo)->creds) + switch (type) { - LOGE("Failed to allocate crentials."); - free(*credInfo); - *credInfo = NULL; - return; - } + case CA_DTLS_PSK_HINT: + case CA_DTLS_PSK_IDENTITY: - memcpy((*credInfo)->identity, pskCredsBlob->identity, DTLS_PSK_ID_LEN); - (*credInfo)->num = pskCredsBlob->num; - memcpy((*credInfo)->creds, pskCredsBlob->creds, credLen); + if (result_length < sizeof(IDENTITY)) + { + LOGE("ERROR : Wrong value for result for storing IDENTITY"); + return ret; + } - LOGI("CAGetDtlsPskCredentials OUT"); -} + memcpy(result, IDENTITY, sizeof(IDENTITY)); + ret = sizeof(IDENTITY); + break; -CAResult_t SetCredentials() -{ - LOGI("SetCredentials IN"); - 
pskCredsBlob = (CADtlsPskCredsBlob_t *)malloc(sizeof(CADtlsPskCredsBlob_t)); - if (NULL == pskCredsBlob) - { - LOGE("Memory allocation failed!"); - return CA_MEMORY_ALLOC_FAILED; - } - memcpy(pskCredsBlob->identity, IDENTITY, DTLS_PSK_ID_LEN); + case CA_DTLS_PSK_KEY: - pskCredsBlob->num = 1; + if ((desc_len == sizeof(IDENTITY)) && + memcmp(desc, IDENTITY, sizeof(IDENTITY)) == 0) + { + if (result_length < sizeof(RS_CLIENT_PSK)) + { + LOGE("ERROR : Wrong value for result for storing RS_CLIENT_PSK"); + return ret; + } - pskCredsBlob->creds = (OCDtlsPskCreds *)malloc(sizeof(OCDtlsPskCreds) *(pskCredsBlob->num)); - if (NULL == pskCredsBlob->creds) - { - LOGE("Memory allocation failed!"); - return CA_MEMORY_ALLOC_FAILED; + memcpy(result, RS_CLIENT_PSK, sizeof(RS_CLIENT_PSK)); + ret = sizeof(RS_CLIENT_PSK); + } + break; + + default: + + LOGE("Wrong value passed for PSK_CRED_TYPE."); + ret = -1; } - memcpy(pskCredsBlob->creds[0].id, IDENTITY, DTLS_PSK_ID_LEN); - memcpy(pskCredsBlob->creds[0].psk, RS_CLIENT_PSK, DTLS_PSK_PSK_LEN); - LOGI("SetCredentials OUT"); - return CA_STATUS_OK; + LOGI("CAGetDtlsPskCredentials OUT\n"); + return ret; } + #endif JNIEXPORT jint JNI_OnLoad(JavaVM *jvm, void *reserved) @@ -232,12 +209,6 @@ Java_org_iotivity_ca_service_RMInterface_RMInitialize(JNIEnv *env, jobject obj, } #ifdef __WITH_DTLS__ - if (CA_STATUS_OK != SetCredentials()) - { - LOGE("SetCredentials failed"); - return; - } - res = CARegisterDTLSCredentialsHandler(CAGetDtlsPskCredentials); if(CA_STATUS_OK != res) { diff --git a/resource/csdk/connectivity/samples/linux/sample_main.c b/resource/csdk/connectivity/samples/linux/sample_main.c index 0a40dab..57063bf 100644 --- a/resource/csdk/connectivity/samples/linux/sample_main.c +++ b/resource/csdk/connectivity/samples/linux/sample_main.c @@ -28,9 +28,6 @@ #include "cacommon.h" #include "cainterface.h" #include "oic_string.h" -#ifdef __WITH_DTLS__ -#include "ocsecurityconfig.h" -#endif #define MAX_BUF_LEN 1024 #define MAX_OPT_LEN 16 
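Review bot: `CAGetDtlsPskCredentials` is declared to return `int32_t`, but the `CAGetDTLSPskCredentialsHandler` typedef in casecurityinterface.h returns `int`; on a target where `int32_t` is not `int`, `CARegisterDTLSCredentialsHandler(CAGetDtlsPskCredentials)` passes an incompatible function pointer, so the handler should be declared `int CAGetDtlsPskCredentials(...)`. In the `CA_DTLS_PSK_KEY` case `desc` reaches `memcmp` without a NULL check, and an identity that does not match falls through to `return ret` with no log line, which makes a failed handshake hard to diagnose. Widening the first guard to `if (NULL == result || (CA_DTLS_PSK_KEY == type && NULL == desc))` and adding a `LOGE` on the no-match path would cover both. The handlers added to the linux sample_main.c and tizen casample.c have the same shape.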
@@ -48,15 +45,11 @@ #define BLOCK_SIZE(arg) (1 << ((arg) + 4)) #endif -/** - * @def RS_IDENTITY - * @brief - */ -#define IDENTITY ("1111111111111111") -/* @def RS_CLIENT_PSK - * @brief - */ -#define RS_CLIENT_PSK ("AAAAAAAAAAAAAAAA") +// Iotivity Device Identity. +const unsigned char IDENTITY[] = ("1111111111111111"); + +// PSK between this device and peer device. +const unsigned char RS_CLIENT_PSK[] = ("AAAAAAAAAAAAAAAA"); int g_received; uint16_t g_local_secure_port = SECURE_DEFAULT_PORT; @@ -119,27 +112,6 @@ static const char NORMAL_INFO_DATA[] = "\"if\":[\"oic.if.baseline\"],\"obs\":1}}]}"; #ifdef __WITH_DTLS__ -static CADtlsPskCredsBlob_t *pskCredsBlob = NULL; - -void clearDtlsCredentialInfo() -{ - printf("clearDtlsCredentialInfo IN\n"); - if (pskCredsBlob) - { - // Initialize sensitive data to zeroes before freeing. - if (pskCredsBlob->creds) - { - memset(pskCredsBlob->creds, 0, sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); - free(pskCredsBlob->creds); - } - - memset(pskCredsBlob, 0, sizeof(CADtlsPskCredsBlob_t)); - free(pskCredsBlob); - pskCredsBlob = NULL; - } - printf("clearDtlsCredentialInfo OUT\n"); -} - #ifdef __WITH_X509__ int GetDtlsX509Credentials(CADtlsX509Creds_t *credInfo) { 
@@ -150,72 +122,64 @@ int * GetCRLResource() { return (int*) NULL; } -#endif +#endif //__WITH_X509__ // Internal API. Invoked by CA stack to retrieve credentials from this module -void CAGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo) +int32_t CAGetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length) { printf("CAGetDtlsPskCredentials IN\n"); - if(!credInfo) - { - printf("Invalid credential container"); - return; - } - *credInfo = (CADtlsPskCredsBlob_t *)malloc(sizeof(CADtlsPskCredsBlob_t)); - if (NULL == *credInfo) + int32_t ret = -1; + + if (NULL == result) { - printf("Failed to allocate credential blob."); - return; + return ret; } - size_t credLen = sizeof(OCDtlsPskCreds) * (pskCredsBlob->num); - (*credInfo)->creds = (OCDtlsPskCreds *)malloc(credLen); - if (NULL == (*credInfo)->creds) + switch (type) { - printf("Failed to allocate credentials."); - free(*credInfo); - *credInfo = NULL; - return; - } + case CA_DTLS_PSK_HINT: + case CA_DTLS_PSK_IDENTITY: - memcpy((*credInfo)->identity, pskCredsBlob->identity, DTLS_PSK_ID_LEN); - (*credInfo)->num = pskCredsBlob->num; - memcpy((*credInfo)->creds, pskCredsBlob->creds, credLen); + if (result_length < sizeof(IDENTITY)) + { + printf("ERROR : Wrong value for result for storing IDENTITY"); + return ret; + } - printf("CAGetDtlsPskCredentials OUT\n"); -} + memcpy(result, IDENTITY, sizeof(IDENTITY)); + ret = sizeof(IDENTITY); + break; + case CA_DTLS_PSK_KEY: -CAResult_t SetCredentials() -{ - printf("SetCredentials IN\n"); - pskCredsBlob = (CADtlsPskCredsBlob_t *)calloc(1, sizeof(CADtlsPskCredsBlob_t)); - if (NULL == pskCredsBlob) - { - printf("Memory allocation failed!\n"); - return CA_MEMORY_ALLOC_FAILED; - } - memcpy(pskCredsBlob->identity, IDENTITY, DTLS_PSK_ID_LEN); + if ((desc_len == sizeof(IDENTITY)) && + memcmp(desc, IDENTITY, sizeof(IDENTITY)) == 0) + { + if (result_length < sizeof(RS_CLIENT_PSK)) + { + printf("ERROR : Wrong 
value for result for storing RS_CLIENT_PSK"); + return ret; + } + memcpy(result, RS_CLIENT_PSK, sizeof(RS_CLIENT_PSK)); + ret = sizeof(RS_CLIENT_PSK); + } + break; - pskCredsBlob->num = 1; + default: - pskCredsBlob->creds = (OCDtlsPskCreds *)malloc(sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); - if (NULL == pskCredsBlob->creds) - { - printf("Memory allocation failed!\n"); - free(pskCredsBlob); - return CA_MEMORY_ALLOC_FAILED; + printf("Wrong value passed for PSK_CRED_TYPE."); + ret = -1; } - memcpy(pskCredsBlob->creds[0].id, IDENTITY, DTLS_PSK_ID_LEN); - memcpy(pskCredsBlob->creds[0].psk, RS_CLIENT_PSK, DTLS_PSK_PSK_LEN); - - printf("SetCredentials OUT\n"); - return CA_STATUS_OK; + printf("CAGetDtlsPskCredentials OUT\n"); + return ret; } -#endif + +#endif //__WITH_DTLS__ int main() { @@ -238,22 +202,12 @@ int main() return -1; } - /* - * Read DTLS PSK credentials from persistent storage and - * set in the OC stack. - */ + // Set the PSK Credentials callback handler. #ifdef __WITH_DTLS__ - res = SetCredentials(); - if (CA_STATUS_OK != res) - { - printf("SetCredentials failed\n"); - return -1; - } - res = CARegisterDTLSCredentialsHandler(CAGetDtlsPskCredentials); if (CA_STATUS_OK != res) { - printf("Set credential handler fail\n"); + printf("Register credential handler fail\n"); return -1; } #endif @@ -268,9 +222,6 @@ int main() g_last_request_token = NULL; CATerminate(); -#ifdef __WITH_DTLS__ - clearDtlsCredentialInfo(); -#endif return 0; } diff --git a/resource/csdk/connectivity/samples/tizen/casample.c b/resource/csdk/connectivity/samples/tizen/casample.c index 8c2651e..b86a50d 100644 --- a/resource/csdk/connectivity/samples/tizen/casample.c +++ b/resource/csdk/connectivity/samples/tizen/casample.c @@ -28,9 +28,6 @@ #include "cacommon.h" #include "cainterface.h" -#ifdef __WITH_DTLS__ -#include "ocsecurityconfig.h" -#endif /** * @def MAX_BUF_LEN * @brief maximum buffer length 
@@ -62,15 +59,11 @@
 #define COAPS_PREFIX "coaps://"
 #define COAPS_PREFIX_LEN 8
-/**
- * @def RS_IDENTITY
- * @brief
- */
-#define IDENTITY ("1111111111111111")
-/* @def RS_CLIENT_PSK
- * @brief
- */
-#define RS_CLIENT_PSK ("AAAAAAAAAAAAAAAA")
+// Iotivity Device Identity.
+const unsigned char IDENTITY[] = ("1111111111111111");
+
+// PSK between this device and peer device.
+const unsigned char RS_CLIENT_PSK[] = ("AAAAAAAAAAAAAAAA");
 /**
 * Max size for big payload.
@@ -129,88 +122,59 @@ static const char NORMAL_INFO_DATA[] = "\"if\":[\"oic.if.baseline\"],\"obs\":1}}]}"; #ifdef __WITH_DTLS__ -static CADtlsPskCredsBlob_t *pskCredsBlob = NULL; - -void clearDtlsCredentialInfo() -{ - printf("clearDtlsCredentialInfo IN\n"); - if (pskCredsBlob) - { - // Initialize sensitive data to zeroes before freeing. - if (pskCredsBlob->creds) - { - memset(pskCredsBlob->creds, 0, sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); - free(pskCredsBlob->creds); - } - - memset(pskCredsBlob, 0, sizeof(CADtlsPskCredsBlob_t)); - free(pskCredsBlob); - pskCredsBlob = NULL; - } - printf("clearDtlsCredentialInfo OUT\n"); -} - // Internal API. Invoked by CA stack to retrieve credentials from this module. -void CAGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo) +int32_t CAGetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length) { printf("CAGetDtlsPskCredentials IN\n"); - if(NULL == credInfo) - { - printf("Invalid credential container"); - return; - } + int32_t ret = -1; - *credInfo = (CADtlsPskCredsBlob_t *)malloc(sizeof(CADtlsPskCredsBlob_t)); - if (NULL == *credInfo) + if (NULL == result) { - printf("Failed to allocate credential blob."); - return; + return ret; } - int16_t credLen = sizeof(OCDtlsPskCreds) * (pskCredsBlob->num); - (*credInfo)->creds = (OCDtlsPskCreds *)malloc(credLen); - if (NULL == (*credInfo)->creds) + switch (type) { - printf("Failed to allocate credentials."); - free(*credInfo); - *credInfo = NULL; - return; - } + case CA_DTLS_PSK_HINT: + case CA_DTLS_PSK_IDENTITY: - memcpy((*credInfo)->identity, pskCredsBlob->identity, DTLS_PSK_ID_LEN); - (*credInfo)->num = pskCredsBlob->num; - memcpy((*credInfo)->creds, pskCredsBlob->creds, credLen); + if (result_length < sizeof(IDENTITY)) + { + printf("ERROR : Wrong value for result for storing IDENTITY"); + return ret; + } - printf("CAGetDtlsPskCredentials OUT\n"); -} + memcpy(result, IDENTITY, sizeof(IDENTITY)); 
+ ret = sizeof(IDENTITY); + break; -CAResult_t SetCredentials() -{ - printf("SetCredentials IN\n"); - pskCredsBlob = (CADtlsPskCredsBlob_t *)malloc(sizeof(CADtlsPskCredsBlob_t)); - if (NULL == pskCredsBlob) - { - printf("Memory allocation failed!\n"); - return CA_MEMORY_ALLOC_FAILED; - } - memcpy(pskCredsBlob->identity, IDENTITY, DTLS_PSK_ID_LEN); + case CA_DTLS_PSK_KEY: - pskCredsBlob->num = 1; + if ((desc_len == sizeof(IDENTITY)) && + memcmp(desc, IDENTITY, sizeof(IDENTITY)) == 0) + { + if (result_length < sizeof(RS_CLIENT_PSK)) + { + printf("ERROR : Wrong value for result for storing RS_CLIENT_PSK"); + return ret; + } - pskCredsBlob->creds = (OCDtlsPskCreds *)malloc(sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); - if (NULL == pskCredsBlob->creds) - { - printf("Memory allocation failed!\n"); - free(pskCredsBlob); - return CA_MEMORY_ALLOC_FAILED; - } + memcpy(result, RS_CLIENT_PSK, sizeof(RS_CLIENT_PSK)); + ret = sizeof(RS_CLIENT_PSK); + } + break; - memcpy(pskCredsBlob->creds[0].id, IDENTITY, DTLS_PSK_ID_LEN); - memcpy(pskCredsBlob->creds[0].psk, RS_CLIENT_PSK, DTLS_PSK_PSK_LEN); + default: - printf("SetCredentials OUT\n"); - return CA_STATUS_OK; + printf("Wrong value passed for PSK_CRED_TYPE."); + ret = -1; + } + + printf("CAGetDtlsPskCredentials OUT\n"); + return ret; } #endif @@ -263,18 +227,8 @@ int main() return -1; } - /* - * Read DTLS PSK credentials from persistent storage and - * set in the OC stack. - */ + // Set the PSK Credentials callback handler. #ifdef __WITH_DTLS__ - res = SetCredentials(); - if (CA_STATUS_OK != res) - { - printf("SetCredentials failed\n"); - return -1; - } - res = CARegisterDTLSCredentialsHandler(CAGetDtlsPskCredentials); if (CA_STATUS_OK != res) { @@ -291,9 +245,6 @@ int main() CADestroyToken(g_last_request_token); CATerminate(); -#ifdef __WITH_DTLS__ - clearDtlsCredentialInfo(); -#endif return 0; } 
diff --git a/resource/csdk/connectivity/src/adapter_util/caadapternetdtls.c b/resource/csdk/connectivity/src/adapter_util/caadapternetdtls.c
index 4ef1397..599423c 100644
--- a/resource/csdk/connectivity/src/adapter_util/caadapternetdtls.c
+++ b/resource/csdk/connectivity/src/adapter_util/caadapternetdtls.c
@@ -62,7 +62,7 @@ static ca_mutex g_dtlsContextMutex = NULL;
 * @var g_getCredentialsCallback
 * @brief callback to get DTLS credentials
 */
-static CAGetDTLSCredentialsHandler g_getCredentialsCallback = NULL;
+static CAGetDTLSPskCredentialsHandler g_getCredentialsCallback = NULL;
 #ifdef __WITH_X509__
 /**
@@ -540,66 +540,27 @@ static int32_t CAGetPskCredentials(dtls_context_t *ctx, } VERIFY_NON_NULL_RET(g_getCredentialsCallback, NET_DTLS_TAG, "GetCredential callback", -1); - VERIFY_NON_NULL_RET(result, NET_DTLS_TAG, "result", -1); - - CADtlsPskCredsBlob_t *credInfo = NULL; // Retrieve the credentials blob from security module - g_getCredentialsCallback(&credInfo); - - VERIFY_NON_NULL_RET(credInfo, NET_DTLS_TAG, "credInfo is NULL", -1); - if(NULL == credInfo->creds) - { - OIC_LOG(DEBUG, NET_DTLS_TAG, "credentials are NULL"); - memset(credInfo, 0, sizeof(CADtlsPskCredsBlob_t)); - OICFree(credInfo); - return -1; - } + ret = g_getCredentialsCallback(type, desc, descLen, result, resultLen); - if ((type == DTLS_PSK_HINT) || (type == DTLS_PSK_IDENTITY)) + if (ret > 0) { - if (DTLS_PSK_ID_LEN <= resultLen) - { - memcpy(result, credInfo->identity, DTLS_PSK_ID_LEN); - ret = DTLS_PSK_ID_LEN; - } - } + // TODO SRM needs identity of the remote end-point with every data packet to + // perform access control management. tinyDTLS 'frees' the handshake parameters + // data structure when handshake completes. Therefore, currently this is a + // workaround to cache remote end-point identity when tinyDTLS asks for PSK. + stCADtlsAddrInfo_t *addrInfo = (stCADtlsAddrInfo_t *)session; + char peerAddr[MAX_ADDR_STR_SIZE_CA] = { 0 }; + uint16_t port = 0; + CAConvertAddrToName(&(addrInfo->addr.st), peerAddr, &port); - if ((type == DTLS_PSK_KEY) && (desc) && (descLen == DTLS_PSK_PSK_LEN)) - { - // Check if we have the credentials for the device with which we - // are trying to perform a handshake - for (uint32_t index = 0; index < credInfo->num; index++) + if(CA_STATUS_OK != CAAddIdToPeerInfoList(peerAddr, port, desc, descLen) ) { - if (memcmp(desc, credInfo->creds[index].id, DTLS_PSK_ID_LEN) == 0) - { - // TODO SRM needs identity of the remote end-point with every data packet to - // perform access control management. 
tinyDTLS 'frees' the handshake parameters - // data structure when handshake completes. Therefore, currently this is a - // workaround to cache remote end-point identity when tinyDTLS asks for PSK. - stCADtlsAddrInfo_t *addrInfo = (stCADtlsAddrInfo_t *)session; - char peerAddr[MAX_ADDR_STR_SIZE_CA] = { 0 }; - uint16_t port = 0; - CAConvertAddrToName(&(addrInfo->addr.st), peerAddr, &port); - - if(CA_STATUS_OK != CAAddIdToPeerInfoList(peerAddr, port, desc, descLen) ) - { - OIC_LOG(ERROR, NET_DTLS_TAG, "Fail to add peer id to gDtlsPeerInfoList"); - } - memcpy(result, credInfo->creds[index].psk, DTLS_PSK_PSK_LEN); - ret = DTLS_PSK_PSK_LEN; - } + OIC_LOG(ERROR, NET_DTLS_TAG, "Fail to add peer id to gDtlsPeerInfoList"); } } - // Erase sensitive data before freeing. - memset(credInfo->creds, 0, sizeof(OCDtlsPskCreds) * (credInfo->num)); - OICFree(credInfo->creds); - - memset(credInfo, 0, sizeof(CADtlsPskCredsBlob_t)); - OICFree(credInfo); - credInfo = NULL; - return ret; } @@ -628,7 +589,7 @@ void CADTLSSetAdapterCallbacks(CAPacketReceivedCallback recvCallback, OIC_LOG(DEBUG, NET_DTLS_TAG, "OUT"); } -void CADTLSSetCredentialsCallback(CAGetDTLSCredentialsHandler credCallback) +void CADTLSSetCredentialsCallback(CAGetDTLSPskCredentialsHandler credCallback) { // TODO Does this method needs protection of DtlsContextMutex ? OIC_LOG(DEBUG, NET_DTLS_TAG, "IN"); diff --git a/resource/csdk/connectivity/src/caconnectivitymanager.c b/resource/csdk/connectivity/src/caconnectivitymanager.c index 690772b..cc54c4a 100644 --- a/resource/csdk/connectivity/src/caconnectivitymanager.c +++ b/resource/csdk/connectivity/src/caconnectivitymanager.c 
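Review bot: The `if (ret > 0)` block in CAGetPskCredentials now caches the peer identity for every credential type, while the removed code reached CAAddIdToPeerInfoList only when `type == DTLS_PSK_KEY`, `desc` was non-NULL and it matched a stored credential. For hint or identity requests `desc`/`descLen` need not be the peer's identity (they may be NULL/0), and per the TODO comment the cached value is what SRM later uses for access control, so a wrong or empty id could end up bound to the peer address. Restoring the guard, `if ((ret > 0) && (DTLS_PSK_KEY == type) && (NULL != desc))`, keeps the cache limited to handshakes where a key was actually found for `desc`. The hunk also appears to pass tinydtls's `type` straight to a callback that switches on `CA_DTLS_PSK_*` values; that relies on the two enums having the same values, which is not visible here and deserves a comment or an explicit mapping. The function starts outside the hunk.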
@@ -47,7 +47,7 @@ static bool g_isInitialized = false;
 #ifdef __WITH_DTLS__
 // CAAdapterNetDTLS will register the callback.
 // Taking callback all the way through adapters not the right approach, hence calling here.
-extern void CADTLSSetCredentialsCallback(CAGetDTLSCredentialsHandler credCallback);
+extern void CADTLSSetCredentialsCallback(CAGetDTLSPskCredentialsHandler credCallback);
 #endif
 #ifdef __WITH_X509__
@@ -126,7 +126,7 @@ void CARegisterHandler(CARequestCallback ReqHandler, CAResponseCallback RespHand
 }
 #ifdef __WITH_DTLS__
-CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSCredentialsHandler GetDTLSCredentialsHandler)
+CAResult_t CARegisterDTLSCredentialsHandler(CAGetDTLSPskCredentialsHandler GetDTLSCredentialsHandler)
 {
 OIC_LOG(DEBUG, TAG, "CARegisterDTLSCredentialsHandler");
diff --git a/resource/csdk/connectivity/test/ca_api_unittest.cpp b/resource/csdk/connectivity/test/ca_api_unittest.cpp
index 299d39a..433cf8c 100644
--- a/resource/csdk/connectivity/test/ca_api_unittest.cpp
+++ b/resource/csdk/connectivity/test/ca_api_unittest.cpp
@@ -82,66 +82,68 @@ static const char NORMAL_INFO_DATA[] = #ifdef __WITH_DTLS__ -/** - * @def RS_IDENTITY - * @brief - */ -#define IDENTITY ("1111111111111111") -/* @def RS_CLIENT_PSK - * @brief - */ -#define RS_CLIENT_PSK ("AAAAAAAAAAAAAAAA") - -static CADtlsPskCredsBlob_t *pskCredsBlob = NULL; - -void clearDtlsCredentialInfo() -{ - printf("clearDtlsCredentialInfo IN\n"); - if (pskCredsBlob) - { - // Initialize sensitive data to zeroes before freeing. - memset(pskCredsBlob->creds, 0, sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); - free(pskCredsBlob->creds); +// Iotivity Device Identity. +const unsigned char IDENTITY[] = ("1111111111111111"); - memset(pskCredsBlob, 0, sizeof(CADtlsPskCredsBlob_t)); - free(pskCredsBlob); - pskCredsBlob = NULL; - } - printf("clearDtlsCredentialInfo OUT\n"); -} +// PSK between this device and peer device. +const unsigned char RS_CLIENT_PSK[] = ("AAAAAAAAAAAAAAAA"); -// Internal API. Invoked by OC stack to retrieve credentials from this module -void CAGetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo) +// Internal API. 
Invoked by CA stack to retrieve credentials from this module +int32_t CAGetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length) { printf("CAGetDtlsPskCredentials IN\n"); - if (pskCredsBlob != NULL) + int32_t ret = -1; + + if (NULL == result) { - *credInfo = pskCredsBlob; + return ret; } - printf("CAGetDtlsPskCredentials OUT\n"); -} - -int32_t SetCredentials() -{ - printf("SetCredentials IN\n"); - pskCredsBlob = (CADtlsPskCredsBlob_t *)malloc(sizeof(CADtlsPskCredsBlob_t)); - - memset(pskCredsBlob, 0x0, sizeof(CADtlsPskCredsBlob_t)); - memcpy(pskCredsBlob->identity, IDENTITY, DTLS_PSK_ID_LEN); - - pskCredsBlob->num = 1; - - pskCredsBlob->creds = (OCDtlsPskCreds *)malloc(sizeof(OCDtlsPskCreds) * (pskCredsBlob->num)); + switch (type) + { + case CA_DTLS_PSK_HINT: + case CA_DTLS_PSK_IDENTITY: + + if (result_length < sizeof(IDENTITY)) + { + printf("ERROR : Wrong value for result for storing IDENTITY"); + return ret; + } + + memcpy(result, IDENTITY, sizeof(IDENTITY)); + ret = sizeof(IDENTITY); + break; + + case CA_DTLS_PSK_KEY: + + if ((desc_len == sizeof(IDENTITY)) && + memcmp(desc, IDENTITY, sizeof(IDENTITY)) == 0) + { + if (result_length < sizeof(RS_CLIENT_PSK)) + { + printf("ERROR : Wrong value for result for storing RS_CLIENT_PSK"); + return ret; + } + + memcpy(result, RS_CLIENT_PSK, sizeof(RS_CLIENT_PSK)); + ret = sizeof(RS_CLIENT_PSK); + } + break; + + default: + + printf("Wrong value passed for PSK_CRED_TYPE."); + ret = -1; + } - memcpy(pskCredsBlob->creds[0].id, IDENTITY, DTLS_PSK_ID_LEN); - memcpy(pskCredsBlob->creds[0].psk, RS_CLIENT_PSK, DTLS_PSK_PSK_LEN); - printf("SetCredentials OUT\n"); - return 1; + printf("CAGetDtlsPskCredentials OUT\n"); + return ret; } -#endif +#endif //__WITH_DTLS__ int main(int argc, char **argv) { 
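Review bot: `sizeof(IDENTITY)` and `sizeof(RS_CLIENT_PSK)` in CAGetDtlsPskCredentials include the string terminator, so with the new `const unsigned char IDENTITY[] = ("1111111111111111");` the callback reports and copies 17 bytes where the removed code used `DTLS_PSK_ID_LEN` / `DTLS_PSK_PSK_LEN`. If the identity and key are meant to be the 16 visible characters, the `CA_DTLS_PSK_KEY` branch only matches a peer id of 17 bytes and the returned key carries a trailing NUL. Using `sizeof(IDENTITY) - 1` and `sizeof(RS_CLIENT_PSK) - 1` (or named length constants) in the length checks, `memcmp`, `memcpy` and return values fixes that. That branch also hands `desc` to `memcmp` without a NULL check, so `(NULL != desc) &&` belongs at the front of the condition. The sample callback whose tail appears at the top of this page uses the same pattern.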
@@ -494,11 +496,6 @@ TEST_F (CATests, GetNetworkInformationTestGood) TEST_F(CATests, RegisterDTLSCredentialsHandlerTest) { #ifdef __WITH_DTLS__ - if (SetCredentials() == 0) - { - printf("SetCredentials failed\n"); - } - EXPECT_EQ(CA_STATUS_OK, CARegisterDTLSCredentialsHandler(CAGetDtlsPskCredentials)); #endif } diff --git a/resource/csdk/security/include/internal/credresource.h b/resource/csdk/security/include/internal/credresource.h index 9af4e20..ae092df 100644 --- a/resource/csdk/security/include/internal/credresource.h +++ b/resource/csdk/security/include/internal/credresource.h @@ -21,7 +21,6 @@ #ifndef IOTVT_SRM_CREDR_H #define IOTVT_SRM_CREDR_H -#include "ocsecurityconfig.h" #include "cainterface.h" #include "securevirtualresourcetypes.h" #include "octypes.h" @@ -116,15 +115,18 @@ OCStackResult RemoveCredential(const OicUuid_t* credId); * This internal callback is used by lower stack (i.e. CA layer) to * retrieve PSK credentials from RI security layer. * - * Note: When finished, caller should initialize memory to zeroes and - * invoke OCFree to delete @p credInfo. + * @param[in] type type of PSK data required by CA layer during DTLS handshake. + * @param[in] desc Additional request information. + * @param[in] desc_len The actual length of desc. + * @param[out] result Must be filled with the requested information. + * @param[in] result_length Maximum size of @p result. * - * @param credInfo - * binary blob containing PSK credentials - * - * @retval none + * @return The number of bytes written to @p result or a value + * less than zero on error. */ -void GetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo); +int32_t GetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length); /** * Add temporal PSK to PIN based OxM diff --git a/resource/csdk/security/provisioning/src/oxmrandompin.c b/resource/csdk/security/provisioning/src/oxmrandompin.c index a3c76bc..ec069a0 100644 
--- a/resource/csdk/security/provisioning/src/oxmrandompin.c
+++ b/resource/csdk/security/provisioning/src/oxmrandompin.c
@@ -21,7 +21,6 @@
 #include
 #include "ocstack.h"
-#include "ocsecurityconfig.h"
 #include "securevirtualresourcetypes.h"
 #include "doxmresource.h"
 #include "credresource.h"
diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c
index 2e5fced..79163ea 100644
--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
@@ -850,79 +850,88 @@ const OicSecCred_t* GetCredResourceData(const OicUuid_t* subject) * This internal callback is used by lower stack (i.e. CA layer) to * retrieve PSK credentials from RI security layer. * - * Note: When finished, caller should initialize memory to zeros and - * invoke OICFree to delete @p credInfo. + * @param[in] type type of PSK data required by tinyDTLS layer during DTLS handshake. + * @param[in] desc Additional request information. + * @param[in] desc_len The actual length of desc. + * @param[out] result Must be filled with the requested information. + * @param[in] result_length Maximum size of @p result. * - * @param credInfo - * binary blob containing PSK credentials - * - * @retval none + * @return The number of bytes written to @p result or a value + * less than zero on error. */ -void GetDtlsPskCredentials(CADtlsPskCredsBlob_t **credInfo) +int32_t GetDtlsPskCredentials( CADtlsPskCredType_t type, + const unsigned char *desc, size_t desc_len, + unsigned char *result, size_t result_length) { - CADtlsPskCredsBlob_t * caBlob = NULL; - if(credInfo) - { - caBlob = (CADtlsPskCredsBlob_t *)OICCalloc(sizeof(CADtlsPskCredsBlob_t), 1); - if (caBlob) - { - OicUuid_t deviceID = {.id={}}; + int32_t ret = -1; - // Retrieve Device ID from doxm resource and copy in PSK creds blob - VERIFY_SUCCESS(TAG, GetDoxmDeviceID(&deviceID) == OC_STACK_OK, ERROR); - memcpy(caBlob->identity, deviceID.id, sizeof(caBlob->identity)); + if (NULL == result) + { + return ret; + } - OicSecCred_t *cred = NULL; - size_t count = 0; - LL_FOREACH(gCred, cred) + switch (type) + { + case CA_DTLS_PSK_HINT: + case CA_DTLS_PSK_IDENTITY: { - // Currently, Iotivity supports only symmetric pair wise key credentials - if (cred->credType == SYMMETRIC_PAIR_WISE_KEY) + OicUuid_t deviceID = {.id={}}; + // Retrieve Device ID from doxm resource + if ( OC_STACK_OK != GetDoxmDeviceID(&deviceID) ) { - ++count; + OC_LOG (ERROR, TAG, "Unable to retrieve doxm Device ID"); + return ret; } + + if 
(result_length < sizeof(deviceID.id)) + { + OC_LOG (ERROR, TAG, "Wrong value for result_length"); + return ret; + } + memcpy(result, deviceID.id, sizeof(deviceID.id)); + return (sizeof(deviceID.id)); } - caBlob->num = count; - if (caBlob->num) - { - caBlob->creds = - (OCDtlsPskCreds*) OICMalloc(caBlob->num * sizeof(OCDtlsPskCreds)); - VERIFY_NON_NULL(TAG, caBlob->creds, ERROR); + break; - unsigned int i = 0; + case CA_DTLS_PSK_KEY: + { + OicSecCred_t *cred = NULL; LL_FOREACH(gCred, cred) { - if ((cred->credType == SYMMETRIC_PAIR_WISE_KEY) && - (i < count)) - + if (cred->credType != SYMMETRIC_PAIR_WISE_KEY) { - // Copy subject ID - memcpy(caBlob->creds[i].id, cred->subject.id, - sizeof(caBlob->creds[i].id)); + continue; + } - // Convert PSK from JSON to binary before copying + if ((desc_len == sizeof(cred->subject.id)) && + (memcmp(desc, cred->subject.id, sizeof(cred->subject.id)) == 0)) + { + // Convert PSK from Base64 encoding to binary before copying uint32_t outLen = 0; B64Result b64Ret = b64Decode(cred->privateData.data, - strlen(cred->privateData.data), caBlob->creds[i].psk, - sizeof(caBlob->creds[i].psk), &outLen); - VERIFY_SUCCESS(TAG, b64Ret == B64_OK, ERROR); - i++; + strlen(cred->privateData.data), result, + result_length, &outLen); + if (B64_OK != b64Ret) + { + OC_LOG (ERROR, TAG, "Base64 decoding failed."); + ret = -1; + return ret; + } + return outLen; } } } - } - *credInfo = caBlob; - // Return from here after making the credential list - return; - } + break; -exit: - if (caBlob) - { - memset(caBlob->creds, 0, caBlob->num * sizeof(OCDtlsPskCreds)); - OICFree(caBlob->creds); + default: + { + OC_LOG (ERROR, TAG, "Wrong value passed for CADtlsPskCredType_t."); + ret = -1; + } + break; } - OICFree(caBlob); + + return ret; } /**
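Review bot: In the `CA_DTLS_PSK_KEY` case of GetDtlsPskCredentials, `desc` goes to `memcmp` and `cred->privateData.data` to `strlen` with no NULL check; the removed CA-side code tested `(desc)` before comparing, and that guard is not carried over. I would start the condition with `(NULL != desc) &&` and skip entries where `cred->privateData.data` is NULL. When `b64Decode` fails, `result` may already hold part of the decoded key (whether it writes before failing is not visible here), so clearing it before `return ret;` with `memset(result, 0, result_length);` avoids leaving key bytes in the caller's buffer on the error path. `return outLen;` also yields 0 for an empty stored key, which the doc comment's contract does not cover; returning -1 when `outLen == 0` would make that case an explicit error.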