security: refactor doxm

Fix issues reported by SonarCloud and add tests.
iotivity · Aug 13, 2023 · 4bbfc13 · 4bbfc13
1 parent 92c7524
commit 4bbfc13
Show file tree

Hide file tree

Showing 22 changed files with 496 additions and 293 deletions.
diff --git a/api/oc_client_api.c b/api/oc_client_api.c
@@ -22,6 +22,7 @@
 
 #include "api/oc_client_api_internal.h"
 #include "api/oc_discovery_internal.h"
+#include "api/oc_endpoint_internal.h"
 #include "api/oc_helpers_internal.h"
 #include "api/oc_message_buffer_internal.h"
 #include "api/client/oc_client_cb_internal.h"
@@ -734,20 +735,16 @@ bool
 oc_do_realm_local_ipv6_multicast(const char *uri, const char *query,
                                  oc_response_handler_t handler, void *user_data)
 {
-  if (multi_scope_ipv6_multicast(NULL, 0x03, uri, query, handler, user_data)) {
-    return true;
-  }
-  return false;
+  return multi_scope_ipv6_multicast(NULL, OC_IPV6_ADDR_SCOPE_REALM_LOCAL, uri,
+                                    query, handler, user_data);
 }
 
 bool
 oc_do_site_local_ipv6_multicast(const char *uri, const char *query,
                                 oc_response_handler_t handler, void *user_data)
 {
-  if (multi_scope_ipv6_multicast(NULL, 0x05, uri, query, handler, user_data)) {
-    return true;
-  }
-  return false;
+  return multi_scope_ipv6_multicast(NULL, OC_IPV6_ADDR_SCOPE_SITE_LOCAL, uri,
+                                    query, handler, user_data);
 }
 
 bool
@@ -759,7 +756,8 @@ oc_do_ip_multicast(const char *uri, const char *query,
   cb4 = oc_do_ipv4_multicast(uri, query, handler, user_data);
 #endif /* OC_IPV4 */
 
-  return multi_scope_ipv6_multicast(cb4, 0x02, uri, query, handler, user_data);
+  return multi_scope_ipv6_multicast(cb4, OC_IPV6_ADDR_SCOPE_LINK_LOCAL, uri,
+                                    query, handler, user_data);
 }
 
 static bool
@@ -819,7 +817,8 @@ oc_do_site_local_ipv6_discovery_all(oc_discovery_all_handler_t handler,
     .discovery = NULL,
     .discovery_all = handler,
   };
-  return multi_scope_ipv6_discovery(NULL, 0x05, NULL, handlers, user_data);
+  return multi_scope_ipv6_discovery(NULL, OC_IPV6_ADDR_SCOPE_SITE_LOCAL, NULL,
+                                    handlers, user_data);
 }
 
 bool
@@ -836,8 +835,9 @@ oc_do_site_local_ipv6_discovery(const char *rt, oc_discovery_handler_t handler,
   if (rt && strlen(rt) > 0) {
     oc_concat_strings(&uri_query, "rt=", rt);
   }
-  bool status = multi_scope_ipv6_discovery(NULL, 0x05, oc_string(uri_query),
-                                           handlers, user_data);
+  bool status =
+    multi_scope_ipv6_discovery(NULL, OC_IPV6_ADDR_SCOPE_SITE_LOCAL,
+                               oc_string(uri_query), handlers, user_data);
   oc_free_string(&uri_query);
 
   return status;
@@ -852,7 +852,8 @@ oc_do_realm_local_ipv6_discovery_all(oc_discovery_all_handler_t handler,
     .discovery = NULL,
     .discovery_all = handler,
   };
-  return multi_scope_ipv6_discovery(NULL, 0x03, NULL, handlers, user_data);
+  return multi_scope_ipv6_discovery(NULL, OC_IPV6_ADDR_SCOPE_REALM_LOCAL, NULL,
+                                    handlers, user_data);
 }
 
 bool
@@ -869,8 +870,9 @@ oc_do_realm_local_ipv6_discovery(const char *rt, oc_discovery_handler_t handler,
   if (rt && strlen(rt) > 0) {
     oc_concat_strings(&uri_query, "rt=", rt);
   }
-  bool status = multi_scope_ipv6_discovery(NULL, 0x03, oc_string(uri_query),
-                                           handlers, user_data);
+  bool status =
+    multi_scope_ipv6_discovery(NULL, OC_IPV6_ADDR_SCOPE_REALM_LOCAL,
+                               oc_string(uri_query), handlers, user_data);
   oc_free_string(&uri_query);
 
   return status;
@@ -894,8 +896,9 @@ oc_do_ip_discovery(const char *rt, oc_discovery_handler_t handler,
 #ifdef OC_IPV4
   cb4 = oc_do_ipv4_discovery(oc_string(uri_query), handlers, user_data);
 #endif
-  bool status = multi_scope_ipv6_discovery(cb4, 0x02, oc_string(uri_query),
-                                           handlers, user_data);
+  bool status =
+    multi_scope_ipv6_discovery(cb4, OC_IPV6_ADDR_SCOPE_LINK_LOCAL,
+                               oc_string(uri_query), handlers, user_data);
   oc_free_string(&uri_query);
 
   return status;
@@ -913,7 +916,8 @@ oc_do_ip_discovery_all(oc_discovery_all_handler_t handler, void *user_data)
 #ifdef OC_IPV4
   cb4 = oc_do_ipv4_discovery(NULL, handlers, user_data);
 #endif
-  return multi_scope_ipv6_discovery(cb4, 0x02, NULL, handlers, user_data);
+  return multi_scope_ipv6_discovery(cb4, OC_IPV6_ADDR_SCOPE_LINK_LOCAL, NULL,
+                                    handlers, user_data);
 }
 
 bool

diff --git a/api/oc_core_res.c b/api/oc_core_res.c
@@ -754,8 +754,8 @@ oc_core_get_resource_type_by_uri(const char *uri, size_t uri_len)
                            OC_CHAR_ARRAY_LEN("/oic/sec/pstat"))) {
     return OCF_SEC_PSTAT;
   }
-  if (core_is_resource_uri(uri, uri_len, "/oic/sec/doxm",
-                           OC_CHAR_ARRAY_LEN("/oic/sec/doxm"))) {
+  if (core_is_resource_uri(uri, uri_len, OCF_SEC_DOXM_URI,
+                           OC_CHAR_ARRAY_LEN(OCF_SEC_DOXM_URI))) {
     return OCF_SEC_DOXM;
   }
   if (core_is_resource_uri(uri, uri_len, "/oic/sec/acl2",

diff --git a/api/oc_endpoint_internal.h b/api/oc_endpoint_internal.h
@@ -40,6 +40,16 @@ extern "C" {
 
 #define OC_SCHEME_OCF "ocf://"
 
+typedef enum {
+  OC_IPV6_ADDR_SCOPE_LOCAL = 0x01,
+  OC_IPV6_ADDR_SCOPE_LINK_LOCAL = 0x02,
+  OC_IPV6_ADDR_SCOPE_REALM_LOCAL = 0x03,
+  OC_IPV6_ADDR_SCOPE_ADMIN_LOCAL = 0x04,
+  OC_IPV6_ADDR_SCOPE_SITE_LOCAL = 0x05,
+  OC_IPV6_ADDR_SCOPE_ORGANIZATION_LOCAL = 0x08,
+  OC_IPV6_ADDR_SCOPE_GLOBAL = 0x0e,
+} oc_ipv6_addr_scope_t;
+
 /** @brief Get scheme string for transport flags */
 const char *oc_endpoint_flags_to_scheme(unsigned flags) OC_RETURNS_NONNULL;
 

diff --git a/messaging/coap/engine.c b/messaging/coap/engine.c
@@ -553,7 +553,7 @@ coap_send_response(coap_receive_ctx_t *ctx)
   }
 
   if (ctx->transaction == NULL) {
-    OC_ERR("cannot send response: transaction is NULL");
+    OC_DBG("cannot send response: transaction is NULL");
     return;
   }
 

diff --git a/onboarding_tool/obtmain.c b/onboarding_tool/obtmain.c
@@ -16,6 +16,7 @@
  *
  ****************************************************************************/
 
+#include "api/oc_endpoint_internal.h"
 #include "oc_api.h"
 #include "oc_clock_util.h"
 #include "oc_core_res.h"
@@ -351,11 +352,11 @@ static void
 discover_owned_devices(uint8_t scope)
 {
   otb_mutex_lock(app_sync_lock);
-  if (scope == 0x02) {
+  if (scope == OC_IPV6_ADDR_SCOPE_LINK_LOCAL) {
     oc_obt_discover_owned_devices(owned_device_cb, NULL);
-  } else if (scope == 0x03) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_REALM_LOCAL) {
     oc_obt_discover_owned_devices_realm_local_ipv6(owned_device_cb, NULL);
-  } else if (scope == 0x05) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_SITE_LOCAL) {
     oc_obt_discover_owned_devices_site_local_ipv6(owned_device_cb, NULL);
   }
   otb_mutex_unlock(app_sync_lock);
@@ -366,11 +367,11 @@ static void
 discover_unowned_devices(uint8_t scope)
 {
   otb_mutex_lock(app_sync_lock);
-  if (scope == 0x02) {
+  if (scope == OC_IPV6_ADDR_SCOPE_LINK_LOCAL) {
     oc_obt_discover_unowned_devices(unowned_device_cb, NULL);
-  } else if (scope == 0x03) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_REALM_LOCAL) {
     oc_obt_discover_unowned_devices_realm_local_ipv6(unowned_device_cb, NULL);
-  } else if (scope == 0x05) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_SITE_LOCAL) {
     oc_obt_discover_unowned_devices_site_local_ipv6(unowned_device_cb, NULL);
   }
   otb_mutex_unlock(app_sync_lock);
@@ -2306,22 +2307,22 @@ main(void)
       continue;
       break;
     case 1:
-      discover_unowned_devices(0x02);
+      discover_unowned_devices(OC_IPV6_ADDR_SCOPE_LINK_LOCAL);
       break;
     case 2:
-      discover_unowned_devices(0x03);
+      discover_unowned_devices(OC_IPV6_ADDR_SCOPE_REALM_LOCAL);
       break;
     case 3:
-      discover_unowned_devices(0x05);
+      discover_unowned_devices(OC_IPV6_ADDR_SCOPE_SITE_LOCAL);
       break;
     case 4:
-      discover_owned_devices(0x02);
+      discover_owned_devices(OC_IPV6_ADDR_SCOPE_LINK_LOCAL);
       break;
     case 5:
-      discover_owned_devices(0x03);
+      discover_owned_devices(OC_IPV6_ADDR_SCOPE_REALM_LOCAL);
       break;
     case 6:
-      discover_owned_devices(0x05);
+      discover_owned_devices(OC_IPV6_ADDR_SCOPE_SITE_LOCAL);
       break;
     case 7:
       discover_resources();

diff --git a/port/android/ipadapter.c b/port/android/ipadapter.c
@@ -22,6 +22,7 @@
 #if !defined(__ANDROID_API__) || __ANDROID_API__ == 10000
 #error __ANDROID_API__ not defined
 #endif
+#include "api/oc_endpoint_internal.h"
 #include "api/oc_network_events_internal.h"
 #include "ipcontext.h"
 #include "oc_buffer.h"
@@ -1136,7 +1137,8 @@ oc_send_discovery_request(oc_message_t *message)
   ip_context_t *dev = get_ip_context_for_device(message->endpoint.device);
 
 #define IN6_IS_ADDR_MC_REALM_LOCAL(addr)                                       \
-  IN6_IS_ADDR_MULTICAST(addr) && ((((const uint8_t *)(addr))[1] & 0x0f) == 0x03)
+  IN6_IS_ADDR_MULTICAST(addr) &&                                               \
+    ((((const uint8_t *)(addr))[1] & 0x0f) == OC_IPV6_ADDR_SCOPE_REALM_LOCAL)
 
   for (struct ifaddrs *interface = ifs; interface != NULL;
        interface = interface->ifa_next) {

diff --git a/port/esp32/adapter/src/ipadapter.c b/port/esp32/adapter/src/ipadapter.c
@@ -19,6 +19,7 @@
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
+#include "api/oc_endpoint_internal.h"
 #include "api/oc_network_events_internal.h"
 #include "port/oc_assert.h"
 #include "port/oc_connectivity.h"
@@ -1061,8 +1062,8 @@ oc_send_discovery_request(oc_message_t *message)
   ip_context_t *dev = get_ip_context_for_device(message->endpoint.device);
 
 #define IN6_IS_ADDR_MC_REALM_LOCAL(ip6)                                        \
-  ip6_addr_ismulticast(ip6) &&                                                 \
-    ((((const uint8_t *)(ip6->addr))[1] & 0x0f) == 0x03)
+  ip6_addr_ismulticast(ip6) && ((((const uint8_t *)(ip6->addr))[1] & 0x0f) ==  \
+                                OC_IPV6_ADDR_SCOPE_REALM_LOCAL)
 
   for (esp_netif_t *esp_netif = esp_netif_next(NULL); esp_netif;
        esp_netif = esp_netif_next(esp_netif)) {

diff --git a/port/linux/ipadapter.c b/port/linux/ipadapter.c
@@ -17,6 +17,7 @@
  ****************************************************************************/
 
 #define _GNU_SOURCE
+#include "api/oc_endpoint_internal.h"
 #include "api/oc_network_events_internal.h"
 #include "ipadapter.h"
 #include "ipcontext.h"
@@ -1322,7 +1323,8 @@ send_ipv6_discovery_request(oc_message_t *message,
   message->endpoint.interface_index = mif;
 
 #define IN6_IS_ADDR_MC_REALM_LOCAL(addr)                                       \
-  IN6_IS_ADDR_MULTICAST(addr) && ((((const uint8_t *)(addr))[1] & 0x0f) == 0x03)
+  IN6_IS_ADDR_MULTICAST(addr) &&                                               \
+    ((((const uint8_t *)(addr))[1] & 0x0f) == OC_IPV6_ADDR_SCOPE_REALM_LOCAL)
 
   if (IN6_IS_ADDR_MC_LINKLOCAL(message->endpoint.addr.ipv6.address)) {
     message->endpoint.addr.ipv6.scope = mif;

diff --git a/port/windows/vs2015/IoTivity-lite.vcxproj.filters b/port/windows/vs2015/IoTivity-lite.vcxproj.filters
@@ -113,6 +113,9 @@
     <ClCompile Include="..\..\..\api\oc_blockwise.c">
       <Filter>Core</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\util\oc_buffer.c">
+      <Filter>Core</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\..\api\oc_client_api.c">
       <Filter>Core</Filter>
     </ClCompile>

diff --git a/python/oc_python.c b/python/oc_python.c
@@ -18,6 +18,7 @@
  *
  ****************************************************************************/
 
+#include "api/oc_endpoint_internal.h"
 #include "api/oc_ri_internal.h"
 #include "oc_api.h"
 #include "oc_clock_util.h"
@@ -33,6 +34,7 @@
 #include "util/oc_secure_string_internal.h"
 
 #ifdef OC_SECURITY
+#include "security/oc_doxm_internal.h"
 #include "security/oc_obt_internal.h"
 #endif /* OC_SECURITY */
 
@@ -503,11 +505,11 @@ discover_owned_devices(int scope)
 {
   // OC_PRINTF("[C]discover_owned_devices: scope %d\n", scope);
   otb_mutex_lock(app_sync_lock);
-  if (scope == 0x02) {
+  if (scope == OC_IPV6_ADDR_SCOPE_LINK_LOCAL) {
     oc_obt_discover_owned_devices(owned_device_cb, NULL);
-  } else if (scope == 0x03) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_REALM_LOCAL) {
     oc_obt_discover_owned_devices_realm_local_ipv6(owned_device_cb, NULL);
-  } else if (scope == 0x05) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_SITE_LOCAL) {
     oc_obt_discover_owned_devices_site_local_ipv6(owned_device_cb, NULL);
   }
   otb_mutex_unlock(app_sync_lock);
@@ -519,11 +521,11 @@ discover_unowned_devices(int scope)
 {
   // OC_PRINTF("[C]discover_unowned_devices: scope %d\n", scope);
   otb_mutex_lock(app_sync_lock);
-  if (scope == 0x02) {
+  if (scope == OC_IPV6_ADDR_SCOPE_LINK_LOCAL) {
     oc_obt_discover_unowned_devices(unowned_device_cb, NULL);
-  } else if (scope == 0x03) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_REALM_LOCAL) {
     oc_obt_discover_unowned_devices_realm_local_ipv6(unowned_device_cb, NULL);
-  } else if (scope == 0x05) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_SITE_LOCAL) {
     oc_obt_discover_unowned_devices_site_local_ipv6(unowned_device_cb, NULL);
   }
   otb_mutex_unlock(app_sync_lock);
@@ -535,11 +537,11 @@ py_discover_unowned_devices(int scope)
 {
   // OC_PRINTF("[C]discover_unowned_devices: scope %d\n", scope);
   otb_mutex_lock(app_sync_lock);
-  if (scope == 0x02) {
+  if (scope == OC_IPV6_ADDR_SCOPE_LINK_LOCAL) {
     oc_obt_discover_unowned_devices(unowned_device_cb, NULL);
-  } else if (scope == 0x03) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_REALM_LOCAL) {
     oc_obt_discover_unowned_devices_realm_local_ipv6(unowned_device_cb, NULL);
-  } else if (scope == 0x05) {
+  } else if (scope == OC_IPV6_ADDR_SCOPE_SITE_LOCAL) {
     oc_obt_discover_unowned_devices_site_local_ipv6(unowned_device_cb, NULL);
   }
   otb_mutex_unlock(app_sync_lock);
@@ -2413,23 +2415,27 @@ doxm_discovery_cb(const char *anchor, const char *uri, oc_string_array_t types,
   return OC_STOP_DISCOVERY;
 }
 
+#ifdef OC_SECURITY
+
 void
 discover_doxm(void)
 {
   otb_mutex_lock(app_sync_lock);
-  if (!oc_do_ip_discovery("oic.r.doxm", &doxm_discovery_cb, NULL)) {
+  if (!oc_do_ip_discovery(OCF_SEC_DOXM_RT, &doxm_discovery_cb, NULL)) {
     OC_PRINTF("Failed to discover DOXM\n");
   }
   otb_mutex_unlock(app_sync_lock);
 
 #if 0
   OC_PRINTF("[C] Discover Doxm %s\n",uuid);
-  if (oc_do_get("/oic/sec/doxm", ep, NULL, &doxm_discovery_cb, HIGH_QOS, NULL)) { 
+  if (oc_do_get(OCF_SEC_DOXM_URI, ep, NULL, &doxm_discovery_cb, HIGH_QOS, NULL)) {
     OC_PRINTF("[C] doxm return\n");
   }
 #endif
 }
 
+#endif /* OC_SECURITY */
+
 void
 discover_resource(const char *rt, const char *uuid)
 {