From 383bfdaa04152f6d4a0f2d3f2885bd4180c063b1 Mon Sep 17 00:00:00 2001
From: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Date: Fri, 15 Sep 2017 16:25:06 -0700
Subject: [PATCH 1/1] [IOT-2617] Enable Anon Ciphersuite after RESET

The Anon Ciphersuite should be enabled after RESET if the Device
by default has the oxmsel == JUSTWORKS, so that a Client isn't
required to re-select the JUSTWORKS OTM in order to enable the
suite.

Change-Id: I6ab06b958959b1cad5e04f0bc63e90c8c4202785
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
---
 .../csdk/security/include/internal/doxmresource.h  |  13 +++
 resource/csdk/security/src/deviceonboardingstate.c |  10 ++
 resource/csdk/security/src/doxmresource.c          | 101 ++++++++++++++++-----
 3 files changed, 100 insertions(+), 24 deletions(-)

diff --git a/resource/csdk/security/include/internal/doxmresource.h b/resource/csdk/security/include/internal/doxmresource.h
index 762e8ce..cf96385 100644
--- a/resource/csdk/security/include/internal/doxmresource.h
+++ b/resource/csdk/security/include/internal/doxmresource.h
@@ -115,6 +115,19 @@ OCStackResult CBORPayloadToDoxm(const uint8_t *cborPayload, size_t size,
 OCStackResult DoxmToCBORPayload(const OicSecDoxm_t *doxm,
 	uint8_t **payload, size_t *size);
 
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+/**
+ * Enables Anon DH ciphersuite if device unowned and Just Works OTM is selected.
+ * Otherwise, does nothing.
+ *
+ * @param[out] enabled TRUE if Anon DH ciphersuite enabled, else FALSE
+ *
+ * @retval  ::OC_STACK_OK No errors.
+ * @retval  ::OC_STACK_ERROR An error occured.
+ */
+OCStackResult EnableAnonCipherSuiteIfUnOwnedAndJustWorksSelected(bool *enabled);
+#endif // __WITH_DTLS__ or __WITH_TLS__
+
 #if defined(__WITH_DTLS__) || defined (__WITH_TLS__)
 /**
  * API to save the seed value to generate device UUID.
diff --git a/resource/csdk/security/src/deviceonboardingstate.c b/resource/csdk/security/src/deviceonboardingstate.c
index 11d6a50..17c7f36 100644
--- a/resource/csdk/security/src/deviceonboardingstate.c
+++ b/resource/csdk/security/src/deviceonboardingstate.c
@@ -413,6 +413,16 @@ static bool EnterRESET()
         EnterStateGeneric(false, true, false, false, true, DOS_RESET),
         ERROR);
 
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+    // Enable Anon DH cipher suite if appropriate
+    bool isAnonEnabled = false;
+    VERIFY_SUCCESS(TAG,
+        OC_STACK_OK == EnableAnonCipherSuiteIfUnOwnedAndJustWorksSelected(&isAnonEnabled),
+        ERROR);
+    OIC_LOG_V(INFO, TAG, "%s: Anon Ciphersuite %sENABLED.", __func__,
+        isAnonEnabled ? "" : "NOT ");
+#endif // __WITH_DTLS__ or __WITH_TLS__
+
     ret = true;
 
 exit:
diff --git a/resource/csdk/security/src/doxmresource.c b/resource/csdk/security/src/doxmresource.c
index 1fe60eb..9fc886b 100644
--- a/resource/csdk/security/src/doxmresource.c
+++ b/resource/csdk/security/src/doxmresource.c
@@ -1206,7 +1206,7 @@ void HandleDoxmPostRequestMom(OicSecDoxm_t *newDoxm, OCEntityHandlerRequest *ehR
             {
                 caRes = CAEnableAnonECDHCipherSuite(false);
                 VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
-                OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+                OIC_LOG_V(INFO, TAG, "%s: ECDH_ANON CipherSuite is DISABLED", __func__);
 
                 RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
                 caRes = CASelectCipherSuite((uint16_t)MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
@@ -1342,15 +1342,12 @@ OCEntityHandlerResult HandleDoxmPostRequestJustWork(OicSecDoxm_t *newDoxm,
     if (IsNilUuid(&newDoxm->owner))
     {
         gDoxm->oxmSel = newDoxm->oxmSel;
-        /*
-        * If current state of the device is un-owned, enable
-        * anonymous ECDH cipher in tinyDTLS so that Provisioning
-        * tool can initiate JUST_WORKS ownership transfer process.
-        */
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
-        RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
-        OIC_LOG(INFO, TAG, "Doxm EntityHandle  enabling AnonECDHCipherSuite");
-        ehRet = (CAEnableAnonECDHCipherSuite(true) == CA_STATUS_OK) ? OC_EH_OK : OC_EH_ERROR;
+        OCStackResult res = EnableAnonCipherSuiteIfUnOwnedAndJustWorksSelected(NULL);
+        if (OC_STACK_OK != res)
+        {
+            ehRet = OC_EH_ERROR;
+        }
 #endif // __WITH_DTLS__ or __WITH_TLS__
         goto exit;
     }
@@ -1368,7 +1365,7 @@ OCEntityHandlerResult HandleDoxmPostRequestJustWork(OicSecDoxm_t *newDoxm,
         CAResult_t caRes = CA_STATUS_OK;
         caRes = CAEnableAnonECDHCipherSuite(false);
         VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
-        OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+        OIC_LOG_V(INFO, TAG, "%s: ECDH_ANON CipherSuite is DISABLED", __func__);
 
         //In case of Mutual Verified Just-Works, verify mutualVerifNum
         if (OIC_MV_JUST_WORKS == newDoxm->oxmSel && false == newDoxm->owned &&
@@ -1448,7 +1445,7 @@ OCEntityHandlerResult HandleDoxmPostRequestRandomPin(OicSecDoxm_t *newDoxm,
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
         CAResult_t caRes = CAEnableAnonECDHCipherSuite(false);
         VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
-        OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+        OIC_LOG_V(INFO, TAG, "%s: ECDH_ANON CipherSuite is DISABLED", __func__);
 
         RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
         caRes = CASelectCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
@@ -1530,7 +1527,7 @@ OCEntityHandlerResult HandleDoxmPostRequestMfg(OicSecDoxm_t *newDoxm,
         RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
         CAResult_t caRes = CAEnableAnonECDHCipherSuite(false);
         VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
-        OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+        OIC_LOG_V(INFO, TAG, "%s: ECDH_ANON CipherSuite is DISABLED", __func__);
 
         //Unset pre-selected ciphersuite, if any
         caRes = CASelectCipherSuite(0,(CATransportAdapter_t)ehRequest->devAddr.adapter);
@@ -1959,7 +1956,7 @@ static void PrepareMOT(const OicSecDoxm_t* doxm)
         {
             caRes = CAEnableAnonECDHCipherSuite(false);
             VERIFY_SUCCESS(TAG, caRes == CA_STATUS_OK, ERROR);
-            OIC_LOG(INFO, TAG, "ECDH_ANON CipherSuite is DISABLED");
+            OIC_LOG_V(INFO, TAG, "%s: ECDH_ANON CipherSuite is DISABLED", __func__);
 
             RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
             caRes = CASelectCipherSuite((uint16_t)MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, CA_ADAPTER_IP);
@@ -2045,19 +2042,14 @@ OCStackResult InitDoxmResource()
     }
 #endif // defined(__WITH_DTLS__) && defined(MULTIPLE_OWNER)
 
-// If DTLS or TLS enabled, and device unowned, check if JW OTM is selected.
-// If so, register handshake callback and enable Anon Ciphersuite.
 #if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
-    if (NULL != gDoxm) {
-        if (false == gDoxm->owned) {
-            if (OIC_JUST_WORKS == gDoxm->oxmSel) {
-                RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
-                OIC_LOG_V(INFO, TAG, "%s: enabling AnonECDHCipherSuite", __func__);
-                ret = (CAEnableAnonECDHCipherSuite(true) == CA_STATUS_OK) ? OC_STACK_OK : OC_STACK_ERROR;
-            }
-            ret = OC_STACK_OK;
-        }
+    bool isAnonEnabled = false;
+    if (OC_STACK_OK != EnableAnonCipherSuiteIfUnOwnedAndJustWorksSelected(&isAnonEnabled))
+    {
+        ret = OC_STACK_ERROR;
     }
+    OIC_LOG_V(INFO, TAG, "%s: Anon Ciphersuite %sENABLED.", __func__,
+        isAnonEnabled ? "" : "NOT ");
 #endif // __WITH_DTLS__ or __WITH_TLS__
 
     return ret;
@@ -2544,3 +2536,64 @@ bool AreDoxmBinPropertyValuesEqual(OicSecDoxm_t* doxm1, OicSecDoxm_t* doxm2)
     return true;
 #endif
 }
+
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+OCStackResult EnableAnonCipherSuiteIfUnOwnedAndJustWorksSelected(bool *enabled)
+{
+    OCStackResult ret = OC_STACK_ERROR;
+
+    OIC_LOG_V(INFO, TAG, "%s: function enter.", __func__);
+
+    // If device unowned, check if JW OTM is selected.
+    // If so, register handshake callback, and enable Anon Ciphersuite.
+    if (NULL != gDoxm) {
+        if (false == gDoxm->owned) {
+            if (OIC_JUST_WORKS == gDoxm->oxmSel) {
+                RegisterOTMSslHandshakeCallback(DoxmDTLSHandshakeCB);
+                OIC_LOG_V(INFO, TAG, "%s: enabling AnonECDHCipherSuite", __func__);
+                ret = (CAEnableAnonECDHCipherSuite(true) == CA_STATUS_OK) ? OC_STACK_OK : OC_STACK_ERROR;
+                if (OC_STACK_OK == ret)
+                {
+                    OIC_LOG_V(INFO, TAG, "%s: AnonECDHCipherSuite ENABLED.", __func__);
+                    if (NULL != enabled)
+                    {
+                        *enabled = true;
+                    }
+                }
+                else
+                {
+                    OIC_LOG_V(ERROR, TAG, "%s: Error attempting to enable AnonECDHCipherSuite!", __func__);
+                }
+            }
+            else
+            {
+                OIC_LOG_V(INFO, TAG, "%s: JustWorks not selected; NOT enabling AnonECDHCipherSuite.", __func__);
+                ret = OC_STACK_OK;
+            }
+        }
+        else
+        {
+            OIC_LOG_V(INFO, TAG, "%s: Device is owned; NOT enabling AnonECDHCipherSuite.", __func__);
+            ret = OC_STACK_OK;
+        }
+    }
+    else
+    {
+        OIC_LOG_V(INFO, TAG, "%s: gDoxm is NULL; NOT enabling AnonECDHCipherSuite.", __func__);
+        ret = OC_STACK_OK;
+    }
+
+    if (NULL != enabled)
+    {
+        if (true != *enabled)
+        {
+            *enabled = false;
+        }
+    }
+
+    OIC_LOG_V(INFO, TAG, "%s: function exit, returning %s.", __func__,
+        (OC_STACK_OK == ret) ? "OC_STACK_OK" : "OC_STACK_ERROR");
+
+    return ret;
+}
+#endif // __WITH_DTLS__ or __WITH_TLS__
-- 
2.7.4