From 7b11e8e3d900cc1417e894d1d552fa215be34d27 Mon Sep 17 00:00:00 2001 From: Oleksii Beketov Date: Fri, 9 Nov 2018 14:39:33 +0200 Subject: [PATCH] Double confirmation logic removed https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/commit/036235a192380ad9fbf1840113d4d99c24021b4d (cherry picked from commit 036235a192380ad9fbf1840113d4d99c24021b4d) Change-Id: Icbeed810aaff3f016a71e10cf039046925863b3c Signed-off-by: Oleksii Beketov Signed-off-by: DoHyun Pyun --- .../csdk/connectivity/api/casecurityinterface.h | 21 +++++++++- .../src/adapter_util/ca_adapter_net_ssl.c | 48 +++++++++------------- .../provisioning/sample/sampleserver_mfg.cpp | 40 +++++++----------- 3 files changed, 53 insertions(+), 56 deletions(-) diff --git a/resource/csdk/connectivity/api/casecurityinterface.h b/resource/csdk/connectivity/api/casecurityinterface.h index 166bba6..ac5a22b 100644 --- a/resource/csdk/connectivity/api/casecurityinterface.h +++ b/resource/csdk/connectivity/api/casecurityinterface.h @@ -73,7 +73,23 @@ typedef enum CA_SSL_EKCB_DTLS = 1 }CASslEkcbProtocol_t; -typedef OCStackResult (*UserConfirmNoCertCallback)(void * ctx); +/** + *@enum CACertificateVerificationStatus_t + * type of certificate status info to be used when invoking + * certificate verification status info callback + */ +typedef enum +{ + CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL = 0, + CA_CERTIFICATE_VERIFY_NO_CERT, + CA_CERTIFICATE_VERIFY_FAILED +} CACertificateVerificationStatus_t; + +/** + * Callback function type for certificate verification status. + * @param[in] status Certificate verification status info. + */ +typedef void (*CertificateVerificationCallback_t)(CACertificateVerificationStatus_t status); /** * This internal callback is used by CA layer to 
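Review bot: The doc comment on `CertificateVerificationCallback_t` does not say that the callback is notification-only, even though its return type is `void` while the `UserConfirmNoCertCallback` it replaces returned an `OCStackResult`. As far as the ca_adapter_net_ssl.c hunks show, the old return value could fail the handshake, so integrators porting from the old API should be told that a `CA_CERTIFICATE_VERIFY_NO_CERT` report no longer gives them a veto. I would add to the typedef's comment something like `@note Informational only: the stack does not act on the application's reaction; a peer without a certificate is reported, not rejected.` One line per enumerator would also help, in particular stating which verify result maps to `CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL`.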
@@ -357,7 +373,8 @@ typedef void (*SslExportKeysCallback_t)(const unsigned char* masterSecret, CAResult_t CASetSslExportKeysCallback(SslExportKeysCallback_t exportKeysCb, CASslEkcbProtocol_t protocol, CASslEkcbRole_t role); -void CAsetNoCertConfirmCallback(UserConfirmNoCertCallback noCertCallback); + +void CAsetCertificateVerificationCallback(CertificateVerificationCallback_t noCertCallback); #endif //__WITH_TLS__ or __WITH_DTLS__ diff --git a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c index 0f221c6..7a21908 100644 --- a/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c +++ b/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c @@ -520,14 +520,9 @@ static CAgetCredentialTypesHandler g_getCredentialTypesCallback = NULL; static CAgetPkixInfoHandler g_getPkixInfoCallback = NULL; /** - * Function pointer to get user confirmation in case of client's certificate absence + * Callback to inform in case of client's certificate absence */ -static UserConfirmNoCertCallback g_noCertConfirmCallback = NULL; - -/** - * Function pointer to get user confirmation in case of client's certificate absence - */ -static int g_noCertConfirmState = OC_STACK_METHOD_NOT_ALLOWED; +static CertificateVerificationCallback_t g_CertificateVerificationCallback = NULL; /** * @var g_setupPkContextCallback @@ -625,10 +620,10 @@ void CAsetCredentialTypesCallback(CAgetCredentialTypesHandler credTypesCallback) OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); } -void CAsetNoCertConfirmCallback(UserConfirmNoCertCallback noCertCallback) +void CAsetCertificateVerificationCallback(CertificateVerificationCallback_t certVerifyStatusCallback) { OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__); - g_noCertConfirmCallback = noCertCallback; + g_CertificateVerificationCallback = certVerifyStatusCallback; OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__); } 
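Review bot: The prototype still names its parameter `noCertCallback`, although the callback now also reports success and failure and the definition in ca_adapter_net_ssl.c uses `certVerifyStatusCallback`. The same leftover wording appears in the comment on `g_CertificateVerificationCallback` in the @@ -520 hunk ("Callback to inform in case of client's certificate absence") and in the sample's `confirmNoCertCB`. I would declare it as `void CAsetCertificateVerificationCallback(CertificateVerificationCallback_t certVerifyStatusCallback);` and reword the comment on the global to `Callback that reports the peer certificate verification status`. The declaration also has no doc comment; one sentence saying that passing NULL disables reporting would match the `if (g_CertificateVerificationCallback)` guard at the call site.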
@@ -2406,24 +2401,6 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d ret = mbedtls_ssl_handshake_step(&peer->ssl); } uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl); - if (MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint && - MBEDTLS_X509_BADCERT_MISSING == flags) - { - if (OC_STACK_METHOD_NOT_ALLOWED == g_noCertConfirmState) - { - g_noCertConfirmState = g_noCertConfirmCallback(NULL); - if (OC_STACK_OK == g_noCertConfirmState) - { - OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: user confirmation received"); - } - else if (OC_STACK_USER_DENIED_REQ == g_noCertConfirmState) - { - OIC_LOG_V(DEBUG, NET_SSL_TAG, "Absent peer's cert: user denial received"); - SSL_CHECK_FAIL(peer, MBEDTLS_SSL_ALERT_LEVEL_FATAL, "Handshake error", 1, - CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); - } - } - } if (0 != flags && ((MBEDTLS_SSL_IS_CLIENT == peer->ssl.conf->endpoint) || (MBEDTLS_SSL_IS_SERVER == peer->ssl.conf->endpoint && MBEDTLS_X509_BADCERT_MISSING != flags))) @@ -2431,7 +2408,6 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d OIC_LOG_BUFFER(ERROR, NET_SSL_TAG, (const uint8_t *) &flags, sizeof(flags)); SSL_CHECK_FAIL(peer, flags, "Cert verification failed", 1, CA_STATUS_FAILED, GetAlertCode(flags)); - } SSL_CHECK_FAIL(peer, ret, "Handshake error", 1, CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); if (MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC == peer->ssl.state) 
@@ -2462,6 +2438,22 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d void * userIdPos = NULL; const mbedtls_x509_crt * peerCert = mbedtls_ssl_get_peer_cert(&peer->ssl); ret = (NULL == peerCert ? -1 : 0); + if (g_CertificateVerificationCallback) + { + uint32_t flags = mbedtls_ssl_get_verify_result(&peer->ssl); + if (!flags) + { + g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL); + } + else if (MBEDTLS_X509_BADCERT_MISSING == flags) + { + g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_NO_CERT); + } + else + { + g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_FAILED); + } + } //SSL_CHECK_FAIL(peer, ret, "Failed to retrieve cert", 1, // CA_STATUS_FAILED, MBEDTLS_SSL_ALERT_MSG_NO_CERT); if (0 == ret) diff --git a/resource/csdk/security/provisioning/sample/sampleserver_mfg.cpp b/resource/csdk/security/provisioning/sample/sampleserver_mfg.cpp index 55ce08c..cb2809e 100644 --- a/resource/csdk/security/provisioning/sample/sampleserver_mfg.cpp +++ b/resource/csdk/security/provisioning/sample/sampleserver_mfg.cpp @@ -46,6 +46,7 @@ #include "pkix_interface.h" #include "hw_emul/hw_interface.h" #include "oxmverifycommon.h" +#include "casecurityinterface.h" #define TAG "SAMPLE_MANUFACTURER_CERT" 
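Review bot: The `CA_CERTIFICATE_VERIFY_FAILED` branch added here looks unreachable. The `if (0 != flags && ...)` check earlier in CAdecryptSsl, visible as context in the previous hunks, already ends the handshake through `SSL_CHECK_FAIL(peer, flags, "Cert verification failed", ...)` for every non-zero result except a server-side `MBEDTLS_X509_BADCERT_MISSING`, assuming that macro returns as its `CA_STATUS_FAILED` argument suggests. An application that relies on this callback to log or alert on rejected certificates would therefore never hear about them; calling `g_CertificateVerificationCallback(CA_CERTIFICATE_VERIFY_FAILED)` under the same NULL guard just before that `SSL_CHECK_FAIL` would close the gap. Separately, the success branch tests only `!flags`, so it reports `CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL` even when `peerCert` on the line above is NULL; `if (!flags && NULL != peerCert)` would tie the status to an actual certificate. The enclosing function starts and ends outside the hunk.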
@@ -434,34 +435,21 @@ OCStackResult confirmCB(void * ctx) return OC_STACK_OK; } -OCStackResult confirmNoCertCB(void * ctx) +void confirmNoCertCB(CACertificateVerificationStatus_t status) { - OC_UNUSED(ctx); - for (;;) + if (CA_CERTIFICATE_VERIFY_SUCCESS_MUTUAL == status) { - int userConfirm; - - printf(" > Peer has no cert!\n"); - printf(" > Press 1 for confirmation\n"); - printf(" > Press 0 otherwise\n"); - - for (int ret=0; 1!=ret; ) - { - ret = scanf("%d", &userConfirm); - for (; 0x20<=getchar(); ); // for removing overflow garbage - // '0x20<=code' is character region - } - if (1 == userConfirm) - { - break; - } - else if (0 == userConfirm) - { - return OC_STACK_USER_DENIED_REQ; - } - printf(" Entered Wrong Number. Please Enter Again\n"); + printf(" > Peer certificate verification successful"); } - return OC_STACK_OK; + else if (CA_CERTIFICATE_VERIFY_NO_CERT == status) + { + printf(" > Peer has not provided certificate\n"); + } + else if (CA_CERTIFICATE_VERIFY_FAILED == status) + { + printf(" > Peer certificate verification failed\n"); + } + return; } FILE* server_fopen(const char *path, const char *mode) @@ -507,7 +495,7 @@ int main(int argc, char **argv) OCPersistentStorage ps = {server_fopen, fread, fwrite, fclose, unlink, NULL, NULL}; SetUserConfirmCB(NULL, confirmCB); - CAsetNoCertConfirmCallback(confirmNoCertCB); + CAsetCertificateVerificationCallback(confirmNoCertCB); OCRegisterPersistentStorageHandler(&ps); -- 2.7.4
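Review bot: The success message in `confirmNoCertCB` is printed without a trailing newline, unlike the other two branches, so it runs into the next line of output and may stay in the stdout buffer; it should read `printf(" > Peer certificate verification successful\n");`. The if/else-if chain has no final `else`, so a status value added to `CACertificateVerificationStatus_t` later would be silently ignored; a closing `else { printf(" > Unknown certificate verification status\n"); }` would make that visible. The trailing `return;` in a `void` function can be dropped.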