/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * Copyright 2014-2018 (c) Fraunhofer IOSB (Author: Julius Pfrommer) * Copyright 2014, 2017 (c) Florian Palm * Copyright 2014-2016 (c) Sten Grüner * Copyright 2015 (c) Chris Iatrou * Copyright 2015 (c) Oleksiy Vasylyev * Copyright 2017 (c) Stefan Profanter, fortiss GmbH * Copyright 2017-2018 (c) Mark Giraud, Fraunhofer IOSB */ #include "ua_services.h" #include "ua_server_internal.h" #include "ua_session_manager.h" #include "ua_types_generated_handling.h" static UA_StatusCode signCreateSessionResponse(UA_Server *server, UA_SecureChannel *channel, const UA_CreateSessionRequest *request, UA_CreateSessionResponse *response) { if(channel->securityMode != UA_MESSAGESECURITYMODE_SIGN && channel->securityMode != UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) return UA_STATUSCODE_GOOD; const UA_SecurityPolicy *const securityPolicy = channel->securityPolicy; UA_SignatureData *signatureData = &response->serverSignature; /* Prepare the signature */ size_t signatureSize = securityPolicy->certificateSigningAlgorithm. getLocalSignatureSize(securityPolicy, channel->channelContext); UA_StatusCode retval = UA_String_copy(&securityPolicy->certificateSigningAlgorithm.uri, &signatureData->algorithm); retval |= UA_ByteString_allocBuffer(&signatureData->signature, signatureSize); if(retval != UA_STATUSCODE_GOOD) return retval; /* Allocate a temp buffer */ size_t dataToSignSize = request->clientCertificate.length + request->clientNonce.length; UA_ByteString dataToSign; retval = UA_ByteString_allocBuffer(&dataToSign, dataToSignSize); if(retval != UA_STATUSCODE_GOOD) return retval; /* signatureData->signature is cleaned up with the response */ /* Sign the signature */ memcpy(dataToSign.data, request->clientCertificate.data, request->clientCertificate.length); memcpy(dataToSign.data + request->clientCertificate.length, request->clientNonce.data, request->clientNonce.length); retval = securityPolicy->certificateSigningAlgorithm. sign(securityPolicy, channel->channelContext, &dataToSign, &signatureData->signature); /* Clean up */ UA_ByteString_deleteMembers(&dataToSign); return retval; } void Service_CreateSession(UA_Server *server, UA_SecureChannel *channel, const UA_CreateSessionRequest *request, UA_CreateSessionResponse *response) { if(!channel) { response->responseHeader.serviceResult = UA_STATUSCODE_BADINTERNALERROR; return; } if(!channel->connection) { response->responseHeader.serviceResult = UA_STATUSCODE_BADINTERNALERROR; return; } UA_LOG_DEBUG_CHANNEL(server->config.logger, channel, "Trying to create session"); if(channel->securityMode == UA_MESSAGESECURITYMODE_SIGN || channel->securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) { if(!UA_ByteString_equal(&request->clientCertificate, &channel->remoteCertificate)) { response->responseHeader.serviceResult = UA_STATUSCODE_BADCERTIFICATEINVALID; return; } } if(channel->securityToken.channelId == 0) { response->responseHeader.serviceResult = UA_STATUSCODE_BADSECURECHANNELIDINVALID; return; } if(!UA_ByteString_equal(&channel->securityPolicy->policyUri, &UA_SECURITY_POLICY_NONE_URI) && request->clientNonce.length < 32) { response->responseHeader.serviceResult = UA_STATUSCODE_BADNONCEINVALID; return; } /* TODO: Compare application URI with certificate uri (decode certificate) */ UA_CertificateVerification *cv = channel->securityPolicy->certificateVerification; if(cv && cv->verifyApplicationURI) { response->responseHeader.serviceResult = cv->verifyApplicationURI(cv->context, &request->clientCertificate, &request->clientDescription.applicationUri); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) return; } /* Allocate the response */ response->serverEndpoints = (UA_EndpointDescription *) UA_Array_new(server->config.endpointsSize, &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]); if(!response->serverEndpoints) { response->responseHeader.serviceResult = UA_STATUSCODE_BADOUTOFMEMORY; return; } response->serverEndpointsSize = server->config.endpointsSize; /* Copy the server's endpointdescriptions into the response */ for(size_t i = 0; i < server->config.endpointsSize; ++i) response->responseHeader.serviceResult |= UA_EndpointDescription_copy(&server->config.endpoints[i].endpointDescription, &response->serverEndpoints[i]); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) return; /* Mirror back the endpointUrl */ for(size_t i = 0; i < response->serverEndpointsSize; ++i) { UA_String_deleteMembers(&response->serverEndpoints[i].endpointUrl); UA_String_copy(&request->endpointUrl, &response->serverEndpoints[i].endpointUrl); } UA_Session *newSession = NULL; response->responseHeader.serviceResult = UA_SessionManager_createSession(&server->sessionManager, channel, request, &newSession); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) { UA_LOG_DEBUG_CHANNEL(server->config.logger, channel, "Processing CreateSessionRequest failed"); return; } UA_assert(newSession != NULL); /* Attach the session to the channel. But don't activate for now. */ UA_Session_attachToSecureChannel(newSession, channel); /* Fill the session information */ newSession->maxResponseMessageSize = request->maxResponseMessageSize; newSession->maxRequestMessageSize = channel->connection->localConf.maxMessageSize; response->responseHeader.serviceResult |= UA_ApplicationDescription_copy(&request->clientDescription, &newSession->clientDescription); /* Prepare the response */ response->sessionId = newSession->sessionId; response->revisedSessionTimeout = (UA_Double)newSession->timeout; response->authenticationToken = newSession->header.authenticationToken; response->responseHeader.serviceResult = UA_String_copy(&request->sessionName, &newSession->sessionName); if(server->config.endpointsSize > 0) response->responseHeader.serviceResult |= UA_ByteString_copy(&channel->securityPolicy->localCertificate, &response->serverCertificate); /* Create a session nonce */ response->responseHeader.serviceResult = UA_Session_generateNonce(newSession); response->responseHeader.serviceResult |= UA_ByteString_copy(&newSession->serverNonce, &response->serverNonce); /* Sign the signature */ response->responseHeader.serviceResult |= signCreateSessionResponse(server, channel, request, response); /* Failure -> remove the session */ if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) { UA_SessionManager_removeSession(&server->sessionManager, &newSession->header.authenticationToken); return; } UA_LOG_DEBUG_CHANNEL(server->config.logger, channel, "Session " UA_PRINTF_GUID_FORMAT " created", UA_PRINTF_GUID_DATA(newSession->sessionId.identifier.guid)); } static UA_StatusCode checkSignature(const UA_Server *server, const UA_SecureChannel *channel, UA_Session *session, const UA_ActivateSessionRequest *request) { if(channel->securityMode != UA_MESSAGESECURITYMODE_SIGN && channel->securityMode != UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) return UA_STATUSCODE_GOOD; if(!channel->securityPolicy) return UA_STATUSCODE_BADINTERNALERROR; const UA_SecurityPolicy *securityPolicy = channel->securityPolicy; const UA_ByteString *localCertificate = &securityPolicy->localCertificate; size_t dataToVerifySize = localCertificate->length + session->serverNonce.length; UA_ByteString dataToVerify; UA_StatusCode retval = UA_ByteString_allocBuffer(&dataToVerify, dataToVerifySize); if(retval != UA_STATUSCODE_GOOD) return retval; memcpy(dataToVerify.data, localCertificate->data, localCertificate->length); memcpy(dataToVerify.data + localCertificate->length, session->serverNonce.data, session->serverNonce.length); retval = securityPolicy->certificateSigningAlgorithm.verify(securityPolicy, channel->channelContext, &dataToVerify, &request->clientSignature.signature); UA_ByteString_deleteMembers(&dataToVerify); return retval; } /* TODO: Check all of the following: * * Part 4, §5.6.3: When the ActivateSession Service is called for the first time * then the Server shall reject the request if the SecureChannel is not same as * the one associated with the CreateSession request. Subsequent calls to * ActivateSession may be associated with different SecureChannels. If this is * the case then the Server shall verify that the Certificate the Client used to * create the new SecureChannel is the same as the Certificate used to create * the original SecureChannel. In addition, the Server shall verify that the * Client supplied a UserIdentityToken that is identical to the token currently * associated with the Session. Once the Server accepts the new SecureChannel it * shall reject requests sent via the old SecureChannel. */ void Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel, UA_Session *session, const UA_ActivateSessionRequest *request, UA_ActivateSessionResponse *response) { UA_LOG_DEBUG_SESSION(server->config.logger, session, "Execute ActivateSession"); if(session->validTill < UA_DateTime_nowMonotonic()) { UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: SecureChannel %i wants " "to activate, but the session has timed out", channel->securityToken.channelId); response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID; return; } /* Check if the signature corresponds to the ServerNonce that was last sent * to the client */ response->responseHeader.serviceResult = checkSignature(server, channel, session, request); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) { UA_LOG_INFO_SESSION(server->config.logger, session, "Signature check failed with status code %s", UA_StatusCode_name(response->responseHeader.serviceResult)); return; } /* Find the matching endpoint */ const UA_EndpointDescription *ed = NULL; for(size_t i = 0; ed == NULL && i < server->config.endpointsSize; ++i) { const UA_Endpoint *e = &server->config.endpoints[i]; /* Match the Security Mode */ if(e->endpointDescription.securityMode != channel->securityMode) continue; /* Match the SecurityPolicy */ if(!UA_String_equal(&e->securityPolicy.policyUri, &channel->securityPolicy->policyUri)) continue; /* Match the UserTokenType */ for(size_t j = 0; j < e->endpointDescription.userIdentityTokensSize; j++) { const UA_UserTokenPolicy *u = &e->endpointDescription.userIdentityTokens[j]; if(u->tokenType == UA_USERTOKENTYPE_ANONYMOUS) { if(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN]) continue; } else if(u->tokenType == UA_USERTOKENTYPE_USERNAME) { if(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) continue; } else if(u->tokenType == UA_USERTOKENTYPE_CERTIFICATE) { if(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_X509IDENTITYTOKEN]) continue; } else if(u->tokenType == UA_USERTOKENTYPE_ISSUEDTOKEN) { if(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_ISSUEDIDENTITYTOKEN]) continue; } else { response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID; return; } /* Match found */ ed = &e->endpointDescription; break; } } /* No matching endpoint found */ if(!ed) { response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENREJECTED; return; } /* Callback into userland access control */ response->responseHeader.serviceResult = server->config.accessControl.activateSession(server, &server->config.accessControl, ed, &channel->remoteCertificate, &session->sessionId, &request->userIdentityToken, &session->sessionHandle); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) { UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Could not generate a server nonce"); return; } if(session->header.channel && session->header.channel != channel) { UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Detach from old channel"); /* Detach the old SecureChannel and attach the new */ UA_Session_detachFromSecureChannel(session); UA_Session_attachToSecureChannel(session, channel); } /* Activate the session */ session->activated = true; UA_Session_updateLifetime(session); /* Generate a new session nonce for the next time ActivateSession is called */ response->responseHeader.serviceResult = UA_Session_generateNonce(session); response->responseHeader.serviceResult |= UA_ByteString_copy(&session->serverNonce, &response->serverNonce); if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) { UA_Session_detachFromSecureChannel(session); session->activated = false; UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Could not generate a server nonce"); return; } UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Session activated"); } void Service_CloseSession(UA_Server *server, UA_Session *session, const UA_CloseSessionRequest *request, UA_CloseSessionResponse *response) { UA_LOG_INFO_SESSION(server->config.logger, session, "CloseSession"); /* Callback into userland access control */ server->config.accessControl.closeSession(server, &server->config.accessControl, &session->sessionId, session->sessionHandle); response->responseHeader.serviceResult = UA_SessionManager_removeSession(&server->sessionManager, &session->header.authenticationToken); }