From efb16a3d282851cbb70a8de693d2a300ce6f43dd Mon Sep 17 00:00:00 2001 From: Oleksii Beketov Date: Thu, 5 Jan 2017 13:42:25 +0200 Subject: [PATCH] TLS suites 1. Suites added: TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_256 0xC027 2. Removed: TLS_RSA_WITH_AES_256_CBC_SHA 0x35 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 3. SSL code refactored 4. Added unit tests for new cipher suites 5. CAsslGenerateOwnerPsk modified to support all suites Change-Id: If22925d175751a08121c66b90cc2907dd27ebee5 Signed-off-by: Oleksii Beketov Signed-off-by: Dmitriy Zhuravlev Signed-off-by: Oleksii Beketov Reviewed-on: https://gerrit.iotivity.org/gerrit/15443 Reviewed-by: Jongsung Lee Tested-by: jenkins-iotivity Reviewed-by: Greg Zaverucha Reviewed-by: Randeep Singh Reviewed-on: https://gerrit.iotivity.org/gerrit/16523 Tested-by: jenkins-iotivity --- .../src/main/java/org/iotivity/ca/OicCipher.java | 83 +++-- .../csdk/connectivity/api/casecurityinterface.h | 14 +- .../csdk/connectivity/inc/ca_adapter_net_ssl.h | 13 +- .../src/adapter_util/ca_adapter_net_ssl.c | 413 ++++++++++++--------- .../csdk/connectivity/src/caconnectivitymanager.c | 3 +- .../csdk/connectivity/test/ssladapter_test.cpp | 279 ++++++++++++-- .../provisioning/sample/cloud/cloudCommon.c | 2 +- .../provisioning/src/ownershiptransfermanager.c | 1 - .../provisioning/src/oxmmanufacturercert.c | 6 +- resource/csdk/security/src/credresource.c | 7 - resource/include/CAManager.h | 14 +- 11 files changed, 575 insertions(+), 260 deletions(-) diff --git a/java/common/src/main/java/org/iotivity/ca/OicCipher.java b/java/common/src/main/java/org/iotivity/ca/OicCipher.java index 60f9f16..030217f 100644 --- a/java/common/src/main/java/org/iotivity/ca/OicCipher.java +++ b/java/common/src/main/java/org/iotivity/ca/OicCipher.java @@ -1,38 +1,45 @@ -/* **************************************************************** - * - * Copyright 2016 Samsung Electronics All Rights Reserved. - * - * - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -package org.iotivity.ca; - -public enum OicCipher { - TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xC018), - TLS_PSK_WITH_AES_128_CCM_8(0xC0A8), - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE), - TLS_RSA_WITH_AES_256_CBC_SHA(0x35); - - private int cipher; - - private OicCipher(int cipher) { - this.cipher = cipher; - } - - public int getValue(){ - return cipher; - } -} +/* **************************************************************** + * + * Copyright 2016 Samsung Electronics All Rights Reserved. + * + * + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ******************************************************************/ + +package org.iotivity.ca; + +public enum OicCipher { + TLS_RSA_WITH_AES_256_CBC_SHA256(0x3D), + TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE), + TLS_ECDHE_ECDSA_WITH_AES_128_CCM(0xC0AC), + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256(0xC037), + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), + TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xC018); + + private int cipher; + + private OicCipher(int cipher) { + this.cipher = cipher; + } + + public int getValue(){ + return cipher; + } +} diff --git a/resource/csdk/connectivity/api/casecurityinterface.h b/resource/csdk/connectivity/api/casecurityinterface.h index 1b62dba..3aa7685 100644 --- a/resource/csdk/connectivity/api/casecurityinterface.h +++ b/resource/csdk/connectivity/api/casecurityinterface.h @@ -144,9 +144,17 @@ CAResult_t CAregisterPkixInfoHandler(CAgetPkixInfoHandler getPkixInfoHandler); * Select the cipher suite for dtls handshake. * * @param[in] cipher cipher suite (Note : Make sure endianness). - * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA - * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8 - * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D + * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C + * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 + * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 + * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 + * @param[in] adapter transport adapter (TCP/IP/BLE) * * @retval ::CA_STATUS_OK Successful. * @retval ::CA_STATUS_INVALID_PARAM Invalid input arguments. diff --git a/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h b/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h index 050c74e..cad229d 100644 --- a/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h +++ b/resource/csdk/connectivity/inc/ca_adapter_net_ssl.h @@ -42,9 +42,16 @@ typedef ssize_t (*CAPacketSendCallback)(CAEndpoint_t *endpoint, * Select the cipher suite for dtls handshake * * @param[in] cipher cipher suite - * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256 - * 0xC0A8 : TLS_PSK_WITH_AES_128_CCM_8 - * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D + * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C + * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 + * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 + * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 * * @retval ::CA_STATUS_OK for success, otherwise some error value */ diff --git a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c index d829bba..01f9a9d 100644 --- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c +++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c @@ -18,7 +18,9 @@ * ******************************************************************/ + #include "iotivity_config.h" + #define _GNU_SOURCE #include @@ -128,18 +130,45 @@ */ #define RANDOM_LEN (32) /** - * @def RANDOM_LEN - * @brief PSK generated keyblock length + * @def SHA384_MAC_KEY_LENGTH + * @brief MAC key length for SHA384 cipher suites */ -#define KEY_BLOCK_LEN (96) - -/**@def SSL_CLOSE_NOTIFY(peer, ret) - * - * Notifies of existing \a peer about closing TLS connection. - * - * @param[in] peer remote peer - * @param[in] ret used internaly +#define SHA384_MAC_KEY_LENGTH (48) +/** + * @def SHA256_MAC_KEY_LENGTH + * @brief MAC key length for SHA256 cipher suites + */ +#define SHA256_MAC_KEY_LENGTH (32) +/** + * @def CCM_MAC_KEY_LENGTH + * @brief MAC key length for CCM cipher suites + */ +#define CCM_MAC_KEY_LENGTH (0) +/** + * @def AES256_KEY_LENGTH + * @brief key material length for AES256 cipher suites + */ +#define AES256_KEY_LENGTH (32) +/** + * @def AES128_KEY_LENGTH + * @brief key material length for AES128 cipher suites + */ +#define AES128_KEY_LENGTH (16) +/** + * @def GCM_IV_LENGTH + * @brief length of nonce for GCM cipher suites */ +#define GCM_IV_LENGTH (12) +/** + * @def CCM_IV_LENGTH + * @brief length of nonce for CCM cipher suites + */ +#define CCM_IV_LENGTH (4) +/** + * @def CBC_IV_LENGTH + * @brief length of nonce for CBC cipher suites + */ +#define CBC_IV_LENGTH (0) /** * @var RETRANSMISSION_TIME @@ -147,6 +176,13 @@ */ #define RETRANSMISSION_TIME 1 +/**@def SSL_CLOSE_NOTIFY(peer, ret) + * + * Notifies of existing \a peer about closing TLS connection. + * + * @param[in] peer remote peer + * @param[in] ret used internaly + */ #define SSL_CLOSE_NOTIFY(peer, ret) \ do \ { \ @@ -208,6 +244,16 @@ if (0 != (ret) && MBEDTLS_ERR_SSL_WANT_READ != (int) (ret) && return (error); \ } \ } +/**@def CONF_SSL(clientConf, serverConf, fn, ...) + * + * Calls \a fn for \a clientConf and \a serverConf. + * + */ +#define CONF_SSL(clientConf, serverConf, fn, ...) do { \ +fn((clientConf), __VA_ARGS__); \ +fn((serverConf), __VA_ARGS__); \ +} while (0) + /** @def CHECK_MBEDTLS_RET(f, ...) * A macro that checks \a f function return code * @@ -223,18 +269,23 @@ int ret = (f)(__VA_ARGS__); if (0 != ret) { \ OIC_LOG_V(ERROR, NET_SSL_TAG, "%s returned -0x%04x\n", __func__, -(ret)); \ goto exit; \ -} } while(0) +} } while (0) typedef enum { - ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA, - ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, - ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256, - ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, - ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, - ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - ADAPTER_CIPHER_MAX -} AdapterCipher_t; + SSL_RSA_WITH_AES_256_CBC_SHA256, + SSL_RSA_WITH_AES_128_GCM_SHA256, + SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8, + SSL_ECDHE_ECDSA_WITH_AES_128_CCM, + SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256, + SSL_CIPHER_MAX +} SslCipher_t; typedef enum { @@ -242,19 +293,22 @@ typedef enum ADAPTER_CURVE_MAX } AdapterCurve_t; -int tlsCipher[ADAPTER_CIPHER_MAX][2] = +static const int tlsCipher[SSL_CIPHER_MAX][2] = { - {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, 0}, + {MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, 0}, + {MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, 0}, + {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0}, {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 0}, -#ifdef MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 - {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0}, -#endif - {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0}, {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0}, - {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0} + {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0}, + {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0}, + {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0}, + {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0}, + {MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0}, + {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0} }; -static int g_cipherSuitesList[ADAPTER_CIPHER_MAX]; +static int g_cipherSuitesList[SSL_CIPHER_MAX]; mbedtls_ecp_group_id curve[ADAPTER_CURVE_MAX][2] = { @@ -360,7 +414,7 @@ typedef struct SslContext mbedtls_ssl_config clientDtlsConf; mbedtls_ssl_config serverDtlsConf; - AdapterCipher_t cipher; + SslCipher_t cipher; SslCallbacks_t adapterCallbacks[MAX_SUPPORTED_ADAPTERS]; mbedtls_x509_crl crl; bool cipherFlag[2]; @@ -686,13 +740,12 @@ static int InitPKIX(CATransportAdapter_t adapter) if(0 != ret) { OIC_LOG(WARNING, NET_SSL_TAG, "CRL parsing error"); - mbedtls_ssl_conf_ca_chain(clientConf, &g_caSslContext->ca, NULL); - mbedtls_ssl_conf_ca_chain(serverConf, &g_caSslContext->ca, NULL); + CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain, &g_caSslContext->ca, NULL); } else { - mbedtls_ssl_conf_ca_chain(clientConf, &g_caSslContext->ca, &g_caSslContext->crl); - mbedtls_ssl_conf_ca_chain(serverConf, &g_caSslContext->ca, &g_caSslContext->crl); + CONF_SSL(clientConf, serverConf, mbedtls_ssl_conf_ca_chain, + &g_caSslContext->ca, &g_caSslContext->crl); } OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); @@ -1102,14 +1155,13 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte g_getCredentialTypesCallback(g_caSslContext->cipherFlag); // Retrieve the PSK credential from SRM - // PIN OTM if (true == g_caSslContext->cipherFlag[0] && 0 != InitPskIdentity(config)) if (0 != InitPskIdentity(config)) { OIC_LOG(ERROR, NET_SSL_TAG, "PSK identity initialization failed!"); } - // Retrieve the ECC credential from SRM - if (true == g_caSslContext->cipherFlag[1] || ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA == g_caSslContext->cipher) + // Retrieve the Cert credential from SRM + if (true == g_caSslContext->cipherFlag[1]) { int ret = InitPKIX(adapter); if (0 != ret) @@ -1119,19 +1171,24 @@ static void SetupCipher(mbedtls_ssl_config * config, CATransportAdapter_t adapte } memset(g_cipherSuitesList, 0, sizeof(g_cipherSuitesList)); - if (ADAPTER_CIPHER_MAX != g_caSslContext->cipher) + if (SSL_CIPHER_MAX != g_caSslContext->cipher) { g_cipherSuitesList[index] = tlsCipher[g_caSslContext->cipher][0]; - index ++; } - if (true == g_caSslContext->cipherFlag[1]) + else { - g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; - index ++; - } - if (true == g_caSslContext->cipherFlag[0]) + if (true == g_caSslContext->cipherFlag[1]) { - g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; + for (int i = 2; i < SSL_CIPHER_MAX - 2; i++) + { + g_cipherSuitesList[index] = tlsCipher[i][0]; + index ++; + } + } + if (true == g_caSslContext->cipherFlag[0]) + { + g_cipherSuitesList[index] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; + } } mbedtls_ssl_conf_ciphersuites(config, g_cipherSuitesList); @@ -1437,7 +1494,7 @@ CAResult_t CAinitSslAdapter() #endif // __WITH_DTLS__ // set default cipher - g_caSslContext->cipher = ADAPTER_CIPHER_MAX; + g_caSslContext->cipher = SSL_CIPHER_MAX; // init X.509 mbedtls_x509_crt_init(&g_caSslContext->ca); @@ -1732,8 +1789,8 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d SendCacheMessages(peer); } - if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caSslContext->selectedCipher || - MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA == g_caSslContext->selectedCipher) + if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->selectedCipher && + MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != g_caSslContext->selectedCipher) { char uuid[UUID_LENGTH * 2 + 5] = {0}; void * uuidPos = NULL; @@ -1845,7 +1902,7 @@ void CAsetSslAdapterCallbacks(CAPacketReceivedCallback recvCallback, return; } -// if (MAX_SUPPORTED_ADAPTERS > type) + switch (type) { switch (type) { @@ -1869,149 +1926,92 @@ void CAsetSslAdapterCallbacks(CAPacketReceivedCallback recvCallback, oc_mutex_unlock(g_sslContextMutex); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); } +/** + * Gets index of the TLS ciphersuite in the SslCipher_t enum. + * + * @param[in] cipher TLS chiphersuite code + * + * @return corresponding enum + */ -CAResult_t CAsetTlsCipherSuite(const uint32_t cipher) +static SslCipher_t GetCipherIndex(const uint32_t cipher) { - OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__); - VERIFY_NON_NULL_RET(g_getCredentialTypesCallback, NET_SSL_TAG, "Param callback is null", CA_STATUS_FAILED); - g_getCredentialTypesCallback(g_caSslContext->cipherFlag); switch(cipher) { - case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA: + case MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256: { -#ifdef __WITH_TLS__ - //todo check that Cred with RSA cert exists - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]); -#endif -#ifdef __WITH_DTLS__ - //todo check that Cred with RSA cert exists - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA; - break; + return SSL_RSA_WITH_AES_256_CBC_SHA256; } - case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + case MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256: { - if (false == g_caSslContext->cipherFlag[1]) - { - OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC"); - return CA_STATUS_FAILED; - } -#ifdef __WITH_TLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]); -#endif -#ifdef __WITH_DTLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; - break; + return SSL_RSA_WITH_AES_128_GCM_SHA256; } -#ifdef MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 - case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256: + case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: { -#ifdef __WITH_TLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]); -#endif -#ifdef __WITH_DTLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256; - break; + return SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } -#endif - case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: + case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: { -#if 0 // PIN OTM - if (false == g_caSslContext->cipherFlag[0]) - { - OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for PSK"); - return CA_STATUS_FAILED; - } -#endif -#ifdef __WITH_TLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]); -#endif -#ifdef __WITH_DTLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; - break; + return SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8; } case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM: { - if (false == g_caSslContext->cipherFlag[1]) - { - OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC"); - return CA_STATUS_FAILED; - } -#ifdef __WITH_TLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); -#endif -#ifdef __WITH_DTLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM; - break; + return SSL_ECDHE_ECDSA_WITH_AES_128_CCM; } case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: { - if (false == g_caSslContext->cipherFlag[1]) - { - OIC_LOG(ERROR, NET_SSL_TAG, "No Credential for ECC"); - return CA_STATUS_FAILED; - } -#ifdef __WITH_TLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]); -#endif -#ifdef __WITH_DTLS__ - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]); - mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverDtlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]); -#endif - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; - break; + return SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; + } + case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + { + return SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; + } + case MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + { + return SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; + } + case MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: + { + return SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256; + } + case MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + { + return SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256; + } + case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256: + { + return SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256; } default: { - OIC_LOG(ERROR, NET_SSL_TAG, "Unknown cipher"); - return CA_STATUS_FAILED; + return SSL_CIPHER_MAX; } } - OIC_LOG_V(DEBUG, NET_SSL_TAG, "Selected cipher: 0x%x", cipher); +} + +CAResult_t CAsetTlsCipherSuite(const uint32_t cipher) +{ + OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__); + CAResult_t res = CA_STATUS_FAILED; + SslCipher_t index = GetCipherIndex(cipher); + if (SSL_CIPHER_MAX == index) + { + OIC_LOG(WARNING, NET_SSL_TAG, "Unknown cipher"); + } + else + { +#ifdef __WITH_TLS__ + CONF_SSL(&g_caSslContext->clientTlsConf, &g_caSslContext->serverTlsConf, + mbedtls_ssl_conf_ciphersuites, tlsCipher[index]); +#endif +#ifdef __WITH_DTLS__ + CONF_SSL(&g_caSslContext->clientDtlsConf, &g_caSslContext->serverDtlsConf, + mbedtls_ssl_conf_ciphersuites, tlsCipher[index]); +#endif + OIC_LOG_V(DEBUG, NET_SSL_TAG, "Selected cipher: 0x%x", cipher); + } + g_caSslContext->cipher = index; + OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); return CA_STATUS_OK; } @@ -2162,29 +2162,100 @@ CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint, return CA_STATUS_FAILED; } - uint8_t keyblock[KEY_BLOCK_LEN] = {0}; + // keyBlockLen set up according to OIC 1.1 Security Specification Section 7.3.2 + int macKeyLen; + int ivSize; + int keySize; + int keyBlockLen = 0; + if (MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher || + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher || + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher || + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher) + { + // 2 * ( 32 + 0 + 16 ) = 96 + macKeyLen = SHA256_MAC_KEY_LENGTH; + ivSize = CBC_IV_LENGTH; + keySize = AES128_KEY_LENGTH; + } + else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM == g_caSslContext->selectedCipher || + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 == g_caSslContext->selectedCipher) + { + // 2 * ( 0 + 4 + 16 ) = 40 + macKeyLen = CCM_MAC_KEY_LENGTH; + ivSize = CCM_IV_LENGTH; + keySize = AES128_KEY_LENGTH; + } + else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher) + { + // 2 * ( 32 + 12 + 16 ) = 120 + macKeyLen = SHA256_MAC_KEY_LENGTH; + ivSize = GCM_IV_LENGTH; + keySize = AES128_KEY_LENGTH; + } + else if (MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 == g_caSslContext->selectedCipher) + { + // 2 * ( 32 + 0 + 32 ) = 128 + macKeyLen = SHA256_MAC_KEY_LENGTH; + ivSize = CBC_IV_LENGTH; + keySize = AES256_KEY_LENGTH; + } + else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 == g_caSslContext->selectedCipher) + { + // 2 * ( 48 + 0 + 32 ) = 160 + macKeyLen = SHA384_MAC_KEY_LENGTH; + ivSize = CBC_IV_LENGTH; + keySize = AES256_KEY_LENGTH; + } + else if (MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 == g_caSslContext->selectedCipher) + { + // 2 * ( 48 + 12 + 32 ) = 184 + macKeyLen = SHA384_MAC_KEY_LENGTH; + ivSize = GCM_IV_LENGTH; + keySize = AES256_KEY_LENGTH; + } + else if (MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 == g_caSslContext->selectedCipher) + { + // 2 * ( 48 + 12 + 32 ) = 184 + macKeyLen = SHA256_MAC_KEY_LENGTH; + ivSize = GCM_IV_LENGTH; + keySize = AES128_KEY_LENGTH; + } + keyBlockLen = 2 * (macKeyLen + keySize + ivSize); + + uint8_t * keyblock = (uint8_t *)OICMalloc(keyBlockLen); + if (NULL == keyblock) + { + OIC_LOG(ERROR, NET_SSL_TAG, "Failed to OICMalloc for keyblock"); + oc_mutex_unlock(g_sslContextMutex); + return CA_STATUS_FAILED; + } + // "key expansion" uint8_t lab[] = {0x6b, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e}; int ret = pHash(tep->master, sizeof(tep->master), lab, sizeof(lab), (tep->random) + RANDOM_LEN, RANDOM_LEN, tep->random, RANDOM_LEN, - keyblock, KEY_BLOCK_LEN); + keyblock, keyBlockLen); if (-1 == ret) { OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated"); + OICFree(keyblock); oc_mutex_unlock(g_sslContextMutex); return CA_STATUS_FAILED; } - ret = pHash(keyblock, sizeof(keyblock), label, labelLen, + + ret = pHash(keyblock, keyBlockLen, label, labelLen, rsrcServerDeviceId, rsrcServerDeviceIdLen, provServerDeviceId, provServerDeviceIdLen, ownerPsk, ownerPskSize); if (-1 == ret) { OIC_LOG(ERROR, NET_SSL_TAG, "PSK not generated"); + OICFree(keyblock); oc_mutex_unlock(g_sslContextMutex); return CA_STATUS_FAILED; } + OICFree(keyblock); oc_mutex_unlock(g_sslContextMutex); OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); diff --git a/resource/csdk/connectivity/src/caconnectivitymanager.c b/resource/csdk/connectivity/src/caconnectivitymanager.c index 1e469f3..a170ade 100644 --- a/resource/csdk/connectivity/src/caconnectivitymanager.c +++ b/resource/csdk/connectivity/src/caconnectivitymanager.c @@ -499,8 +499,7 @@ CAResult_t CAEnableAnonECDHCipherSuite(const bool enable) CAResult_t res = CA_STATUS_FAILED; #if defined(__WITH_DTLS__) || defined(__WITH_TLS__) // TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 0xFF00 replaces 0xC018 - // TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 - res = CAsetTlsCipherSuite(enable ? 0xFF00 : 0xC037); + res = CAsetTlsCipherSuite(enable ? 0xFF00 : 0x00); if (CA_STATUS_OK != res) { OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuite : %d", res); diff --git a/resource/csdk/connectivity/test/ssladapter_test.cpp b/resource/csdk/connectivity/test/ssladapter_test.cpp index 1dde70f..9ebdcf4 100644 --- a/resource/csdk/connectivity/test/ssladapter_test.cpp +++ b/resource/csdk/connectivity/test/ssladapter_test.cpp @@ -182,7 +182,7 @@ unsigned char caCert[] = { }; int caCertLen = sizeof(caCert); -unsigned char control_server_message_ccm[] = { +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM[] = { 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, @@ -194,9 +194,9 @@ unsigned char control_server_message_ccm[] = { 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x43, 0x4d, 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a }; -int control_server_message_ccm_len = sizeof(control_server_message_ccm); +int control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM); -unsigned char control_server_message_ccm8[] = { +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8[] = { 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, @@ -209,9 +209,9 @@ unsigned char control_server_message_ccm8[] = { 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x43, 0x4d, 0x2d, 0x38, 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a }; -int control_server_message_ccm8_len = sizeof(control_server_message_ccm8); +int control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8); -unsigned char control_server_message_cbc[] = { +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256[] = { 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, @@ -222,9 +222,39 @@ unsigned char control_server_message_cbc[] = { 0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44, 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, - 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a + 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a }; -int control_server_message_cbc_len = sizeof(control_server_message_cbc); +int control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); + +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256[] = { + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, + 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, + 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, + 0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20, + 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44, + 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, + 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x47, 0x43, 0x4D, 0x2d, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, + 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a +}; +int control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA[] = { + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, + 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, + 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, + 0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20, + 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44, + 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, + 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x3c, 0x2f, 0x70, + 0x3e, 0x0d, 0x0a +}; +int control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); unsigned char control_client_message[] = { 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a, @@ -232,6 +262,36 @@ unsigned char control_client_message[] = { }; int control_client_message_len = sizeof(control_client_message); +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384[] = { + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, + 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, + 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, + 0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20, + 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44, + 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, + 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d, 0x43, 0x42, 0x43, 0x2d, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, + 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a +}; +int control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + +unsigned char control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384[] = { + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, + 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, + 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x68, 0x32, 0x3e, + 0x6d, 0x62, 0x65, 0x64, 0x20, 0x54, 0x4c, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x3c, 0x2f, 0x68, 0x32, 0x3e, 0x0d, 0x0a, 0x54, 0x45, 0x53, 0x54, 0x20, + 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x0d, 0x0a, 0x3c, 0x70, 0x3e, 0x53, 0x75, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x54, 0x4c, 0x53, 0x2d, 0x45, 0x43, 0x44, + 0x48, 0x45, 0x2d, 0x45, 0x43, 0x44, 0x53, 0x41, 0x2d, 0x57, 0x49, 0x54, 0x48, 0x2d, 0x41, 0x45, + 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d, 0x47, 0x43, 0x4D, 0x2d, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, + 0x3c, 0x2f, 0x70, 0x3e, 0x0d, 0x0a +}; +int control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len = sizeof(control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + static void error(const char *msg) { perror(msg); @@ -1334,10 +1394,10 @@ static void * test0CAinitiateSslHandshake(void * arg) // CAsetTlsCipherSuite mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); + tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]); mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM; + tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]); + g_caSslContext->cipher = SSL_ECDHE_ECDSA_WITH_AES_128_CCM; CAsetPskCredentialsCallback(GetDtlsPskCredentials); @@ -1495,7 +1555,7 @@ static void * testCAencryptSsl(void * arg) { CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM); } - if (*((int*)arg) == 1) + else if (*((int*)arg) == 1) { CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8); } @@ -1503,6 +1563,19 @@ static void * testCAencryptSsl(void * arg) { CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); } + else if (*((int*)arg) == 3) + { + CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + } + else if (*((int*)arg) == 4) + { + CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + } + else if (*((int*)arg) == 5) + { + CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + } + CAsetPskCredentialsCallback(GetDtlsPskCredentials); socketConnect(); @@ -1551,7 +1624,9 @@ static void * testCAencryptSsl(void * arg) if (*((int*)arg) == 0) { - if (control_server_message_ccm_len == msglen && memcmp(msg, control_server_message_ccm, control_server_message_ccm_len) == 0) + if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM, + control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len) == 0) { ret = 0; } @@ -1562,7 +1637,9 @@ static void * testCAencryptSsl(void * arg) } if (*((int*)arg) == 1) { - if (control_server_message_ccm8_len == msglen && memcmp(msg, control_server_message_ccm8, control_server_message_ccm8_len) == 0) + if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8, + control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_8_len) == 0) { ret = 0; } @@ -1573,7 +1650,48 @@ static void * testCAencryptSsl(void * arg) } else if (*((int*)arg) == 2) { - if (control_server_message_cbc_len == msglen && memcmp(msg, control_server_message_cbc, control_server_message_cbc_len) == 0) + if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + control_server_message_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_len) == 0) + { + ret = 0; + } + else + { + ret = 1; + } + } + else if (*((int*)arg) == 3) + { + if (control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + control_server_message_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_len) == 0) + { + ret = 0; + } + else + { + ret = 1; + } + } + else if (*((int*)arg) == 4) + { + if (control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + control_server_message_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_len) == 0) + { + ret = 0; + } + else + { + ret = 1; + } + } + else if (*((int*)arg) == 5) + { + if (control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + control_server_message_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_len) == 0) { ret = 0; } @@ -1679,6 +1797,89 @@ TEST(TLSAdaper, Test_4_2) EXPECT_EQ(0, arg); } +// CAencryptSsl() +TEST(TLSAdaper, Test_4_3) +{ + pthread_t thread1, thread2; + int ret = 0; + int arg = 3; + + ret = pthread_create( &thread1, NULL, server, (void*) NULL); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + EXPECT_EQ(0, arg); +} + +// CAencryptSsl() +TEST(TLSAdaper, Test_4_4) +{ + pthread_t thread1, thread2; + int ret = 0; + int arg = 4; + + ret = pthread_create( &thread1, NULL, server, (void*) NULL); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + EXPECT_EQ(0, arg); +} + +TEST(TLSAdaper, Test_4_5) +{ + pthread_t thread1, thread2; + int ret = 0; + int arg = 5; + + ret = pthread_create( &thread1, NULL, server, (void*) NULL); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + ret = pthread_create( &thread2, NULL, testCAencryptSsl, &arg); + if(ret) + { + fprintf(stderr,"Error - pthread_create() return code: %d\n", ret); + exit(EXIT_FAILURE); + } + + sleep(5); + + EXPECT_EQ(0, arg); +} + /* ************************** * * @@ -1784,8 +1985,9 @@ static void * testCAdecryptSsl(void * arg) socketClose(); - if (control_server_message_ccm_len == msglen && memcmp(msg, control_server_message_ccm, - control_server_message_ccm_len) == 0) + if (control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len == msglen && + memcmp(msg, control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM, + control_server_message_ECDHE_ECDSA_WITH_AES_128_CCM_len) == 0) { *((int*)arg) = 0; return NULL; @@ -1880,10 +2082,10 @@ static int testCAdeinitSslAdapter() // CAsetTlsCipherSuite mbedtls_ssl_conf_ciphersuites(&g_caSslContext->clientTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); + tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]); mbedtls_ssl_conf_ciphersuites(&g_caSslContext->serverTlsConf, - tlsCipher[ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM]); - g_caSslContext->cipher = ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM; + tlsCipher[SSL_ECDHE_ECDSA_WITH_AES_128_CCM]); + g_caSslContext->cipher = SSL_ECDHE_ECDSA_WITH_AES_128_CCM; CAdeinitSslAdapter(); @@ -2105,32 +2307,55 @@ static int testCAsetTlsCipherSuite() // CAsetCredentialTypesCallback g_getCredentialTypesCallback = clutch; - status = CAsetTlsCipherSuite(MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA); - if (ADAPTER_TLS_RSA_WITH_AES_256_CBC_SHA != g_caSslContext->cipher || status != CA_STATUS_OK) + status = CAsetTlsCipherSuite(MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256); + if (SSL_RSA_WITH_AES_256_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) + { + ret += 1; + } + + status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + if (SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) + { + ret += 1; + } + status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8); + if (SSL_ECDHE_ECDSA_WITH_AES_128_CCM_8 != g_caSslContext->cipher || status != CA_STATUS_OK) { ret += 1; } status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM); - if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CCM != g_caSslContext->cipher || status != CA_STATUS_OK) + if (SSL_ECDHE_ECDSA_WITH_AES_128_CCM != g_caSslContext->cipher || status != CA_STATUS_OK) { ret += 1; } status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); - if (ADAPTER_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) + if (SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) { ret += 1; } - status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256); - if (ADAPTER_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA_256 != g_caSslContext->cipher || status != CA_STATUS_OK) + status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + if (SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 != g_caSslContext->cipher || status != CA_STATUS_OK) + { + ret += 1; + } + + status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + if (SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 != g_caSslContext->cipher || status != CA_STATUS_OK) { ret += 1; } status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); - if (ADAPTER_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) + if (SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) + { + ret += 1; + } + + status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256); + if (SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK) { ret += 1; } @@ -2238,7 +2463,7 @@ static void * testCAsslGenerateOwnerPsk(void * arg) // CAsetCredentialTypesCallback g_getCredentialTypesCallback = clutch; - CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM); + CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); CAsetPskCredentialsCallback(GetDtlsPskCredentials); diff --git a/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c b/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c index e7050ce..c0223b2 100644 --- a/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c +++ b/resource/csdk/security/provisioning/sample/cloud/cloudCommon.c @@ -542,7 +542,7 @@ static void userRequests(void *data) { int tmp = 0; readInteger(&tmp, "Select Cipher Suite", "0 - ECDSA, other - RSA"); - uint16_t cipher = tmp? MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA: + uint16_t cipher = tmp? MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256: MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; if (CA_STATUS_OK != CASelectCipherSuite(cipher, CA_ADAPTER_TCP)) { diff --git a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c index 5700c74..9fa52d9 100644 --- a/resource/csdk/security/provisioning/src/ownershiptransfermanager.c +++ b/resource/csdk/security/provisioning/src/ownershiptransfermanager.c @@ -1133,7 +1133,6 @@ static OCStackApplicationResult OwnerCredentialHandler(void *ctx, OCDoHandle UNU */ // TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256 = 0xC037, /**< see RFC 5489 */ caResult = CASelectCipherSuite(0xC037, endpoint->adapter); - if(CA_STATUS_OK != caResult) { OIC_LOG(ERROR, TAG, "Failed to select TLS_NULL_WITH_NULL_NULL"); diff --git a/resource/csdk/security/provisioning/src/oxmmanufacturercert.c b/resource/csdk/security/provisioning/src/oxmmanufacturercert.c index 77d658c..b1bf0d5 100644 --- a/resource/csdk/security/provisioning/src/oxmmanufacturercert.c +++ b/resource/csdk/security/provisioning/src/oxmmanufacturercert.c @@ -129,14 +129,14 @@ OCStackResult CreateSecureSessionMCertificateCallback(OTMContext_t* otmCtx) } OIC_LOG(INFO, TAG, "Anonymous cipher suite disabled."); - caresult = CASelectCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + caresult = CASelectCipherSuite(MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, otmCtx->selectedDeviceInfo->endpoint.adapter); if (CA_STATUS_OK != caresult) { - OIC_LOG_V(ERROR, TAG, "Failed to select TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"); + OIC_LOG_V(ERROR, TAG, "Failed to select MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"); return OC_STACK_ERROR; } - OIC_LOG(INFO, TAG, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite selected."); + OIC_LOG(INFO, TAG, "MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite selected."); OCProvisionDev_t* selDevInfo = otmCtx->selectedDeviceInfo; CAEndpoint_t *endpoint = (CAEndpoint_t *)OICCalloc(1, sizeof (CAEndpoint_t)); diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c index 43f650c..7c477ac 100644 --- a/resource/csdk/security/src/credresource.c +++ b/resource/csdk/security/src/credresource.c @@ -1874,13 +1874,6 @@ static OCEntityHandlerResult HandlePostRequest(OCEntityHandlerRequest * ehReques { OIC_LOG(INFO, TAG, "Anonymous cipher suite is DISABLED"); } - - if(CA_STATUS_OK != - CASelectCipherSuite(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256, ehRequest->devAddr.adapter)) - { - OIC_LOG(ERROR, TAG, "Failed to select cipher suite"); - ret = OC_EH_ERROR; - } } break; diff --git a/resource/include/CAManager.h b/resource/include/CAManager.h index ae0823b..d67e96a 100644 --- a/resource/include/CAManager.h +++ b/resource/include/CAManager.h @@ -78,10 +78,16 @@ namespace OC /** * Select the cipher suite for TLS/DTLS handshake. * @param cipher cipher suite (Note : Make sure endianness). - * 0x35 : TLS_RSA_WITH_AES_256_CBC_SHA - * 0xC018 : TLS_ECDH_anon_WITH_AES_128_CBC_SHA - * 0xC037 : TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - * 0xC0AE : TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + * TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D + * TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C + * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE + * TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 + * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 + * TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 * @param adapter transport adapter type. * @return Returns ::OC_STACK_OK if success. */ -- 2.7.4