check_securechannel.c 18 KB

  1. /* This Source Code Form is subject to the terms of the Mozilla Public
  2. * License, v. 2.0. If a copy of the MPL was not distributed with this
  3. * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <src_generated/ua_types_generated.h>
  7. #include <testing_networklayers.h>
  8. #include <ua_types_encoding_binary.h>
  9. #include <src_generated/ua_transport_generated_encoding_binary.h>
  10. #include <src_generated/ua_transport_generated.h>
  11. #include <ua_types.h>
  12. #include <src_generated/ua_types_generated_encoding_binary.h>
  13. #include <ua_plugin_securitypolicy.h>
  14. #include <src_generated/ua_transport_generated_handling.h>
  15. #include "testing_policy.h"
  16. #include "ua_securechannel.h"
  17. #include "check.h"
  /* Brace initializer for a UA_ByteString built from a string literal:
   * sizeof(s)-1 is the literal's length without its terminating NUL.
   * The argument is not parenthesized, so pass only a plain string literal. */
  18. #define UA_BYTESTRING_STATIC(s) {sizeof(s)-1, (UA_Byte*)s}
  /* Channel under test; (re)initialized by setup_secureChannel(). */
  19. UA_SecureChannel testChannel;
  /* Placeholder bytes standing in for a certificate. This is not a parseable
   * certificate, so nothing in this file exercises real certificate handling. */
  20. UA_ByteString dummyCertificate = UA_BYTESTRING_STATIC("DUMMY CERTIFICATE DUMMY CERTIFICATE DUMMY CERTIFICATE");
  /* Security policy filled in by TestingPolicy(); the tests only observe
   * which of its callbacks were invoked (see fCalled). */
  21. UA_SecurityPolicy dummyPolicy;
  /* Connection returned by createDummyConnection() and attached to testChannel. */
  22. UA_Connection testingConnection;
  /* Handed to createDummyConnection(); the sentDataIsValid test decodes the
   * outgoing message from here. */
  23. UA_ByteString sentData;
  /* Flags handed to TestingPolicy(); the tests assert on its members
   * (newContext, generateKey, asym_enc, asym_sign, ...) to see which policy
   * callbacks ran. */
  24. funcs_called fCalled;
  /* Checked fixture: builds the testing policy, initializes the global
   * testChannel with it and the dummy certificate, and wires the channel to a
   * dummy connection that is created with a pointer to sentData.
   *
   * NOTE(review): the status returned by UA_SecureChannel_init() is not
   * checked here, so a failed init would only surface indirectly in the test
   * that runs afterwards. */
  static void setup_secureChannel(void)
  {
      /* The policy has to exist before the channel can be initialized with it. */
      TestingPolicy(&dummyPolicy, dummyCertificate, &fCalled);
      UA_SecureChannel_init(&testChannel, &dummyPolicy, &dummyCertificate);

      testingConnection = createDummyConnection(&sentData);
      UA_Connection_attachSecureChannel(&testingConnection, &testChannel);

      /* The back pointer is also set explicitly after attaching. */
      testChannel.connection = &testingConnection;
  }
  /* Checked fixture: releases the channel and the testing policy, then zeroes
   * the dummy connection so the next test starts from a blank one. */
  static void teardown_secureChannel(void)
  {
      UA_SecureChannel_deleteMembersCleanup(&testChannel);
      dummyPolicy.deleteMembers(&dummyPolicy);

      /* testingConnection is a UA_Connection, so this clears the whole object. */
      memset(&testingConnection, 0, sizeof testingConnection);
  }
  /* Checked fixture: clears every "was called" flag before a test, so a flag
   * left set by an earlier test cannot satisfy an assertion in this one. */
  static void setup_funcs_called(void)
  {
      memset(&fCalled, 0, sizeof fCalled);
  }
  /* Checked fixture: clears the "was called" flags again once a test is done. */
  static void teardown_funcs_called(void)
  {
      memset(&fCalled, 0, sizeof fCalled);
  }
  47. /*
  48. static void
  49. setup_dummyPolicy(void) {
  50. TestingPolicy(&dummyPolicy, dummyCertificate, &fCalled);
  51. }
  52. static void
  53. teardown_dummyPolicy(void) {
  54. dummyPolicy.deleteMembers(&dummyPolicy);
  55. }*/
  /* Initializes a local channel with the testing policy and checks that
   *  - init reports success and leaves the channel in the FRESH state,
   *  - the policy's newContext and makeCertificateThumbprint callbacks ran,
   *  - the channel references the policy it was given,
   *  - cleanup invokes the policy's deleteContext callback. */
  START_TEST(SecureChannel_initAndDelete)
  {
      UA_SecureChannel localChannel;
      UA_StatusCode status;

      TestingPolicy(&dummyPolicy, dummyCertificate, &fCalled);

      status = UA_SecureChannel_init(&localChannel, &dummyPolicy, &dummyCertificate);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected StatusCode to be good");
      ck_assert_msg(localChannel.state == UA_SECURECHANNELSTATE_FRESH, "Expected state to be fresh");

      /* Per-channel context creation and thumbprint computation are expected during init. */
      ck_assert_msg(fCalled.newContext, "Expected newContext to have been called");
      ck_assert_msg(fCalled.makeCertificateThumbprint,
                    "Expected makeCertificateThumbprint to have been called");
      ck_assert_msg(localChannel.securityPolicy == &dummyPolicy, "SecurityPolicy not set correctly");

      /* Cleanup is expected to hand the context back to the policy. */
      UA_SecureChannel_deleteMembersCleanup(&localChannel);
      ck_assert_msg(fCalled.deleteContext, "Expected deleteContext to have been called");

      dummyPolicy.deleteMembers(&dummyPolicy);
  }
  END_TEST
  /* NULL-argument handling: init must report an error whenever the channel,
   * the policy or the certificate pointer is NULL, and cleanup is called with
   * a NULL channel (the test only checks that this call returns).
   *
   * NOTE(review): dummyPolicy is not set up by this test; only its address is
   * passed, and every call here also carries at least one NULL argument. */
  START_TEST(SecureChannel_initAndDelete_invalidParameters)
  {
      UA_SecureChannel localChannel;
      UA_StatusCode status;

      /* Everything missing. */
      status = UA_SecureChannel_init(NULL, NULL, NULL);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected init to fail");

      /* Certificate missing. */
      status = UA_SecureChannel_init(&localChannel, &dummyPolicy, NULL);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected init to fail");

      /* Policy missing. */
      status = UA_SecureChannel_init(&localChannel, NULL, &dummyCertificate);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected init to fail");

      /* Channel missing. */
      status = UA_SecureChannel_init(NULL, &dummyPolicy, &dummyCertificate);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected init to fail");

      UA_SecureChannel_deleteMembersCleanup(NULL);
  }
  END_TEST
  /* Key generation on the fixture channel: the call must succeed, must go
   * through the policy's generateKey callback, and must install encrypting
   * key, signing key and IV for both the local and the remote side. A NULL
   * channel must be rejected. */
  START_TEST(SecureChannel_generateNewKeys)
  {
      UA_StatusCode status = UA_SecureChannel_generateNewKeys(&testChannel);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected Statuscode to be good");
      ck_assert_msg(fCalled.generateKey, "Expected generateKey to have been called");

      /* Local symmetric key material. */
      ck_assert_msg(fCalled.setLocalSymEncryptingKey,
                    "Expected setLocalSymEncryptingKey to have been called");
      ck_assert_msg(fCalled.setLocalSymSigningKey,
                    "Expected setLocalSymSigningKey to have been called");
      ck_assert_msg(fCalled.setLocalSymIv, "Expected setLocalSymIv to have been called");

      /* Remote symmetric key material. */
      ck_assert_msg(fCalled.setRemoteSymEncryptingKey,
                    "Expected setRemoteSymEncryptingKey to have been called");
      ck_assert_msg(fCalled.setRemoteSymSigningKey,
                    "Expected setRemoteSymSigningKey to have been called");
      ck_assert_msg(fCalled.setRemoteSymIv, "Expected setRemoteSymIv to have been called");

      status = UA_SecureChannel_generateNewKeys(NULL);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected failure on NULL pointer");
  }
  END_TEST
  /* Token rollover: with no pending token (tokenId 0) the call must fail with
   * BADSECURECHANNELTOKENUNKNOWN; with a pending token it must succeed,
   * regenerate keys, promote the pending token to the active one and leave
   * the pending slot looking freshly initialized. */
  START_TEST(SecureChannel_revolveTokens)
  {
      UA_StatusCode status;
      UA_ChannelSecurityToken freshToken;

      /* A tokenId of 0 is used here to mean "no token was issued". */
      testChannel.nextSecurityToken.tokenId = 0;
      status = UA_SecureChannel_revolveTokens(&testChannel);
      ck_assert_msg(status == UA_STATUSCODE_BADSECURECHANNELTOKENUNKNOWN,
                    "Expected failure because tokenId 0 signifies that no token was issued");

      /* Any non-zero id stands in for an issued token. */
      testChannel.nextSecurityToken.tokenId = 10;
      status = UA_SecureChannel_revolveTokens(&testChannel);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected function to return GOOD");
      ck_assert_msg(fCalled.generateKey,
                    "Expected generateKey to be called because new keys need to be generated,"
                    "when switching to the next token.");

      /* The pending slot is compared byte-wise against a freshly initialized token. */
      UA_ChannelSecurityToken_init(&freshToken);
      ck_assert_msg(memcmp(&testChannel.nextSecurityToken, &freshToken, sizeof freshToken) == 0,
                    "Expected the next securityToken to be freshly initialized");
      ck_assert_msg(testChannel.securityToken.tokenId == 10, "Expected token to have been copied");
  }
  END_TEST
  /* Prepares an OpenSecureChannelResponse for the send tests.
   *
   * The object is initialized and then zeroed byte-for-byte; the
   * sentDataIsValid test later compares it to the decoded message with
   * memcmp(), which looks at every byte of the struct. */
  static void createDummyResponse(UA_OpenSecureChannelResponse *response)
  {
      UA_OpenSecureChannelResponse_init(response);
      memset(response, 0, sizeof *response);
  }
  /* Sending an OPN message on a channel that has no connection must fail
   * instead of dereferencing the missing connection. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_withoutConnection)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);
      testChannel.securityMode = UA_MESSAGESECURITYMODE_NONE;

      /* Detach first, then clear the channel's own pointer, to provoke the error. */
      UA_Connection_detachSecureChannel(testChannel.connection);
      testChannel.connection = NULL;

      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected failure without a connection");
  }
  END_TEST
  /* NULL-argument handling of the OPN send path: a missing content pointer,
   * a missing content type and a missing channel must each be rejected. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_invalidParameters)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);

      /* No content. */
      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, NULL, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected failure");

      /* No content type. */
      status = UA_SecureChannel_sendAsymmetricOPNMessage(&testChannel, 42, &response, NULL);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected failure");

      /* No channel. */
      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          NULL, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status != UA_STATUSCODE_GOOD, "Expected failure");
  }
  END_TEST
  /* A channel whose security mode is INVALID must refuse to send and report
   * BADSECURITYMODEREJECTED. The test pins the exact status code, so falling
   * through to another mode's handling would be caught. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_SecurityModeInvalid)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);
      testChannel.securityMode = UA_MESSAGESECURITYMODE_INVALID;

      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status == UA_STATUSCODE_BADSECURITYMODEREJECTED,
                    "Expected SecurityMode rejected error");
  }
  END_TEST
  /* With security mode NONE the send must succeed and must not touch the
   * policy's asymmetric encryption or signing callbacks. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_SecurityModeNone)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);
      testChannel.securityMode = UA_MESSAGESECURITYMODE_NONE;

      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected function to succeed");

      ck_assert_msg(!fCalled.asym_enc, "Message encryption was called but should not have been");
      ck_assert_msg(!fCalled.asym_sign, "Message signing was called but should not have been");
  }
  END_TEST
  /* With security mode SIGN the send must succeed, and the test expects BOTH
   * the asymmetric signing and the asymmetric encryption callback to run.
   *
   * NOTE(review): expecting encryption in Sign mode looks deliberate; it
   * matches the OPC UA rule that OpenSecureChannel messages are signed and
   * encrypted whenever the mode is not None. Confirm against the spec version
   * this stack targets before "fixing" the asym_enc assertion. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_SecurityModeSign)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);
      testChannel.securityMode = UA_MESSAGESECURITYMODE_SIGN;

      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected function to succeed");

      ck_assert_msg(fCalled.asym_enc, "Expected message to have been encrypted but it was not");
      ck_assert_msg(fCalled.asym_sign, "Expected message to have been signed but it was not");
  }
  END_TEST
  /* With security mode SIGNANDENCRYPT the send must succeed and must run the
   * policy's asymmetric encryption and signing callbacks. Only the fact that
   * the callbacks ran is checked here, not the bytes they produced. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_SecurityModeSignAndEncrypt)
  {
      UA_OpenSecureChannelResponse response;
      UA_StatusCode status;

      createDummyResponse(&response);
      testChannel.securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;

      status = UA_SecureChannel_sendAsymmetricOPNMessage(
          &testChannel, 42, &response, &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(status == UA_STATUSCODE_GOOD, "Expected function to succeed");

      ck_assert_msg(fCalled.asym_enc, "Expected message to have been encrypted but it was not");
      ck_assert_msg(fCalled.asym_sign, "Expected message to have been signed but it was not");
  }
  END_TEST
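  /* Sends an OPN message in SIGNANDENCRYPT mode and decodes what reached the
   * dummy connection (sentData), checking in wire order:
   *  - the asymmetric security header carries the channel's certificate,
   *    policy URI and the remote certificate thumbprint,
   *  - after reversing the byte transformation applied to the body, the
   *    sequence header carries the request id that was passed in,
   *  - the type id and the decoded response match what was sent.
   *
   * Every decode status is asserted and the in-place loop is bounded by the
   * captured buffer, so a malformed or truncated message fails the test
   * instead of reading indeterminate structs or writing past sentData. */
  START_TEST(SecureChannel_sendAsymmetricOPNMessage_sentDataIsValid)
  {
      UA_OpenSecureChannelResponse dummyResponse;
      createDummyResponse(&dummyResponse);

      testChannel.securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;
      UA_UInt32 requestId = UA_UInt32_random();

      UA_StatusCode retval = UA_SecureChannel_sendAsymmetricOPNMessage(&testChannel,
                                                                       requestId,
                                                                       &dummyResponse,
                                                                       &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected function to succeed");

      size_t offset = 0;
      UA_SecureConversationMessageHeader header;
      retval = UA_SecureConversationMessageHeader_decodeBinary(&sentData, &offset, &header);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected the message header to decode");

      UA_AsymmetricAlgorithmSecurityHeader asymSecurityHeader;
      retval = UA_AsymmetricAlgorithmSecurityHeader_decodeBinary(&sentData, &offset, &asymSecurityHeader);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected the asymmetric security header to decode");

      ck_assert_msg(UA_ByteString_equal(&dummyCertificate, &asymSecurityHeader.senderCertificate),
                    "Expected the certificate to be equal to the one used by the secureChannel");
      ck_assert_msg(UA_ByteString_equal(&testChannel.securityPolicy->policyUri,
                                        &asymSecurityHeader.securityPolicyUri),
                    "Expected securityPolicyUri to be equal to the one used by the secureChannel");

      /* 20 is presumably the thumbprint length in bytes -- TODO confirm against
       * the declaration of remoteCertificateThumbprint. */
      UA_ByteString thumbPrint = {20, testChannel.remoteCertificateThumbprint};
      ck_assert_msg(UA_ByteString_equal(&thumbPrint,
                                        &asymSecurityHeader.receiverCertificateThumbprint),
                    "Expected receiverCertificateThumbprint to be equal to the one set in the secureChannel");

      /* messageSize comes out of the decoded message; never trust it as a
       * bound for writes into sentData without checking it first. */
      ck_assert_msg(header.messageHeader.messageSize <= sentData.length,
                    "Expected the announced message size to fit into the sent data");

      /* Subtract 1 (mod 256) from every byte after the security header.
       * Presumably this undoes the testing policy's placeholder "encryption"
       * -- confirm in testing_policy. */
      for(size_t i = offset; i < header.messageHeader.messageSize; ++i) {
          sentData.data[i] = (UA_Byte) ((sentData.data[i] - 1) % (UA_BYTE_MAX + 1));
      }

      UA_SequenceHeader sequenceHeader;
      retval = UA_SequenceHeader_decodeBinary(&sentData, &offset, &sequenceHeader);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected the sequence header to decode");
      /* The request id is unsigned, so it is printed with %u. */
      ck_assert_msg(sequenceHeader.requestId == requestId, "Expected requestId to be %u but was %u",
                    (unsigned) requestId,
                    (unsigned) sequenceHeader.requestId);

      UA_NodeId original = UA_NODEID_NUMERIC(0, UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE].binaryEncodingId);
      UA_NodeId requestTypeId;
      retval = UA_NodeId_decodeBinary(&sentData, &offset, &requestTypeId);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected the type id to decode");
      ck_assert_msg(UA_NodeId_equal(&original, &requestTypeId), "Expected nodeIds to be equal");

      UA_OpenSecureChannelResponse sentResponse;
      retval = UA_OpenSecureChannelResponse_decodeBinary(&sentData, &offset, &sentResponse);
      ck_assert_msg(retval == UA_STATUSCODE_GOOD, "Expected the response to decode");

      /* NOTE(review): memcmp() compares every byte of the struct, padding
       * included. dummyResponse was zeroed as a whole by createDummyResponse();
       * this assumes the decoder leaves sentResponse's padding zero as well. */
      ck_assert_msg(memcmp(&sentResponse, &dummyResponse, sizeof(UA_OpenSecureChannelResponse)) == 0,
                    "Expected the sent response to be equal to the one supplied to the send function");

      UA_SecureConversationMessageHeader_deleteMembers(&header);
      UA_AsymmetricAlgorithmSecurityHeader_deleteMembers(&asymSecurityHeader);
      UA_SequenceHeader_deleteMembers(&sequenceHeader);
      UA_OpenSecureChannelResponse_deleteMembers(&sentResponse);
  }
  END_TEST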
  /* Assembles the "SecureChannel" suite.
   *
   * Every test case gets the funcs_called fixture; the cases that work on the
   * shared testChannel additionally get the secureChannel fixture, added after
   * the funcs_called one. */
  static Suite *testSuite_SecureChannel(void)
  {
      Suite *suite = suite_create("SecureChannel");

      /* Init/cleanup tests create their own channel, so no channel fixture. */
      TCase *initCase = tcase_create("Initialize and delete Securechannel");
      tcase_add_checked_fixture(initCase, setup_funcs_called, teardown_funcs_called);
      tcase_add_test(initCase, SecureChannel_initAndDelete);
      tcase_add_test(initCase, SecureChannel_initAndDelete_invalidParameters);
      suite_add_tcase(suite, initCase);

      TCase *keysCase = tcase_create("Test generateNewKeys function");
      tcase_add_checked_fixture(keysCase, setup_funcs_called, teardown_funcs_called);
      tcase_add_checked_fixture(keysCase, setup_secureChannel, teardown_secureChannel);
      tcase_add_test(keysCase, SecureChannel_generateNewKeys);
      suite_add_tcase(suite, keysCase);

      TCase *tokensCase = tcase_create("Test revolveTokens function");
      tcase_add_checked_fixture(tokensCase, setup_funcs_called, teardown_funcs_called);
      tcase_add_checked_fixture(tokensCase, setup_secureChannel, teardown_secureChannel);
      tcase_add_test(tokensCase, SecureChannel_revolveTokens);
      suite_add_tcase(suite, tokensCase);

      /* OPN send path: error handling, each security mode, and the bytes sent. */
      TCase *opnCase = tcase_create("Test sendAsymmetricOPNMessage function");
      tcase_add_checked_fixture(opnCase, setup_funcs_called, teardown_funcs_called);
      tcase_add_checked_fixture(opnCase, setup_secureChannel, teardown_secureChannel);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_withoutConnection);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_invalidParameters);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_SecurityModeInvalid);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_SecurityModeNone);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_SecurityModeSign);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_SecurityModeSignAndEncrypt);
      tcase_add_test(opnCase, SecureChannel_sendAsymmetricOPNMessage_sentDataIsValid);
      suite_add_tcase(suite, opnCase);

      return suite;
  }
  /* Runs the SecureChannel suite without forking and turns the number of
   * failed tests into the process exit status. */
  int main(void)
  {
      SRunner *runner = srunner_create(testSuite_SecureChannel());

      /* CK_NOFORK: tests run in this process, so they share the file-scope
       * state (testChannel, fCalled, ...) that the fixtures reset. */
      srunner_set_fork_status(runner, CK_NOFORK);
      srunner_run_all(runner, CK_NORMAL);

      int failures = srunner_ntests_failed(runner);
      srunner_free(runner);

      if(failures != 0)
          return EXIT_FAILURE;
      return EXIT_SUCCESS;
  }