ua_server_binary.c 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800
  1. /* This Source Code Form is subject to the terms of the Mozilla Public
  2. * License, v. 2.0. If a copy of the MPL was not distributed with this
  3. * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
  4. #include "ua_util.h"
  5. #include "ua_server_internal.h"
  6. #include "ua_services.h"
  7. #include "ua_securechannel_manager.h"
  8. #include "ua_session_manager.h"
  9. #include "ua_types_generated_encoding_binary.h"
  10. #include "ua_transport_generated.h"
  11. #include "ua_transport_generated_handling.h"
  12. #include "ua_transport_generated_encoding_binary.h"
  13. #include "ua_types_generated_handling.h"
  14. #include "ua_securitypolicy_none.h"
  15. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  16. // store the authentication token and session ID so we can help fuzzing by setting
  17. // these values in the next request automatically
  18. UA_NodeId unsafe_fuzz_authenticationToken = {
  19. 0, UA_NODEIDTYPE_NUMERIC, {0}
  20. };
  21. #endif
  22. #ifdef UA_DEBUG_DUMP_PKGS_FILE
  23. void UA_debug_dumpCompleteChunk(UA_Server *const server, UA_Connection *const connection, UA_ByteString *messageBuffer);
  24. #endif
  25. /********************/
  26. /* Helper Functions */
  27. /********************/
  28. /* This is not an ERR message, the connection is not closed afterwards */
  29. static UA_StatusCode
  30. sendServiceFault(UA_SecureChannel *channel, const UA_ByteString *msg,
  31. size_t offset, const UA_DataType *responseType,
  32. UA_UInt32 requestId, UA_StatusCode error) {
  33. UA_RequestHeader requestHeader;
  34. UA_StatusCode retval = UA_RequestHeader_decodeBinary(msg, &offset, &requestHeader);
  35. if(retval != UA_STATUSCODE_GOOD)
  36. return retval;
  37. void *response = UA_alloca(responseType->memSize);
  38. UA_init(response, responseType);
  39. UA_ResponseHeader *responseHeader = (UA_ResponseHeader*)response;
  40. responseHeader->requestHandle = requestHeader.requestHandle;
  41. responseHeader->timestamp = UA_DateTime_now();
  42. responseHeader->serviceResult = error;
  43. // Send error message. Message type is MSG and not ERR, since we are on a securechannel!
  44. retval = UA_SecureChannel_sendSymmetricMessage(channel, requestId, UA_MESSAGETYPE_MSG,
  45. response, responseType);
  46. UA_RequestHeader_deleteMembers(&requestHeader);
  47. UA_LOG_DEBUG(channel->securityPolicy->logger, UA_LOGCATEGORY_SERVER,
  48. "Sent ServiceFault with error code %s", UA_StatusCode_name(error));
  49. return retval;
  50. }
  51. typedef enum {
  52. UA_SERVICETYPE_NORMAL,
  53. UA_SERVICETYPE_INSITU,
  54. UA_SERVICETYPE_CUSTOM
  55. } UA_ServiceType;
  56. static void
  57. getServicePointers(UA_UInt32 requestTypeId, const UA_DataType **requestType,
  58. const UA_DataType **responseType, UA_Service *service,
  59. UA_Boolean *requiresSession, UA_ServiceType *serviceType) {
  60. switch(requestTypeId) {
  61. case UA_NS0ID_GETENDPOINTSREQUEST_ENCODING_DEFAULTBINARY:
  62. *service = (UA_Service)Service_GetEndpoints;
  63. *requestType = &UA_TYPES[UA_TYPES_GETENDPOINTSREQUEST];
  64. *responseType = &UA_TYPES[UA_TYPES_GETENDPOINTSRESPONSE];
  65. *requiresSession = false;
  66. break;
  67. case UA_NS0ID_FINDSERVERSREQUEST_ENCODING_DEFAULTBINARY:
  68. *service = (UA_Service)Service_FindServers;
  69. *requestType = &UA_TYPES[UA_TYPES_FINDSERVERSREQUEST];
  70. *responseType = &UA_TYPES[UA_TYPES_FINDSERVERSRESPONSE];
  71. *requiresSession = false;
  72. break;
  73. #ifdef UA_ENABLE_DISCOVERY
  74. # ifdef UA_ENABLE_DISCOVERY_MULTICAST
  75. case UA_NS0ID_FINDSERVERSONNETWORKREQUEST_ENCODING_DEFAULTBINARY:
  76. *service = (UA_Service)Service_FindServersOnNetwork;
  77. *requestType = &UA_TYPES[UA_TYPES_FINDSERVERSONNETWORKREQUEST];
  78. *responseType = &UA_TYPES[UA_TYPES_FINDSERVERSONNETWORKRESPONSE];
  79. *requiresSession = false;
  80. break;
  81. # endif
  82. case UA_NS0ID_REGISTERSERVERREQUEST_ENCODING_DEFAULTBINARY:
  83. *service = (UA_Service)Service_RegisterServer;
  84. *requestType = &UA_TYPES[UA_TYPES_REGISTERSERVERREQUEST];
  85. *responseType = &UA_TYPES[UA_TYPES_REGISTERSERVERRESPONSE];
  86. *requiresSession = false;
  87. break;
  88. case UA_NS0ID_REGISTERSERVER2REQUEST_ENCODING_DEFAULTBINARY:
  89. *service = (UA_Service)Service_RegisterServer2;
  90. *requestType = &UA_TYPES[UA_TYPES_REGISTERSERVER2REQUEST];
  91. *responseType = &UA_TYPES[UA_TYPES_REGISTERSERVER2RESPONSE];
  92. *requiresSession = false;
  93. break;
  94. #endif
  95. case UA_NS0ID_CREATESESSIONREQUEST_ENCODING_DEFAULTBINARY:
  96. *service = (UA_Service)Service_CreateSession;
  97. *requestType = &UA_TYPES[UA_TYPES_CREATESESSIONREQUEST];
  98. *responseType = &UA_TYPES[UA_TYPES_CREATESESSIONRESPONSE];
  99. *requiresSession = false;
  100. *serviceType = UA_SERVICETYPE_CUSTOM;
  101. break;
  102. case UA_NS0ID_ACTIVATESESSIONREQUEST_ENCODING_DEFAULTBINARY:
  103. *service = (UA_Service)Service_ActivateSession;
  104. *requestType = &UA_TYPES[UA_TYPES_ACTIVATESESSIONREQUEST];
  105. *responseType = &UA_TYPES[UA_TYPES_ACTIVATESESSIONRESPONSE];
  106. *serviceType = UA_SERVICETYPE_CUSTOM;
  107. break;
  108. case UA_NS0ID_CLOSESESSIONREQUEST_ENCODING_DEFAULTBINARY:
  109. *service = (UA_Service)Service_CloseSession;
  110. *requestType = &UA_TYPES[UA_TYPES_CLOSESESSIONREQUEST];
  111. *responseType = &UA_TYPES[UA_TYPES_CLOSESESSIONRESPONSE];
  112. break;
  113. case UA_NS0ID_READREQUEST_ENCODING_DEFAULTBINARY:
  114. *service = (UA_Service)Service_Read;
  115. *requestType = &UA_TYPES[UA_TYPES_READREQUEST];
  116. *responseType = &UA_TYPES[UA_TYPES_READRESPONSE];
  117. *serviceType = UA_SERVICETYPE_INSITU;
  118. break;
  119. case UA_NS0ID_WRITEREQUEST_ENCODING_DEFAULTBINARY:
  120. *service = (UA_Service)Service_Write;
  121. *requestType = &UA_TYPES[UA_TYPES_WRITEREQUEST];
  122. *responseType = &UA_TYPES[UA_TYPES_WRITERESPONSE];
  123. break;
  124. case UA_NS0ID_BROWSEREQUEST_ENCODING_DEFAULTBINARY:
  125. *service = (UA_Service)Service_Browse;
  126. *requestType = &UA_TYPES[UA_TYPES_BROWSEREQUEST];
  127. *responseType = &UA_TYPES[UA_TYPES_BROWSERESPONSE];
  128. break;
  129. case UA_NS0ID_BROWSENEXTREQUEST_ENCODING_DEFAULTBINARY:
  130. *service = (UA_Service)Service_BrowseNext;
  131. *requestType = &UA_TYPES[UA_TYPES_BROWSENEXTREQUEST];
  132. *responseType = &UA_TYPES[UA_TYPES_BROWSENEXTRESPONSE];
  133. break;
  134. case UA_NS0ID_REGISTERNODESREQUEST_ENCODING_DEFAULTBINARY:
  135. *service = (UA_Service)Service_RegisterNodes;
  136. *requestType = &UA_TYPES[UA_TYPES_REGISTERNODESREQUEST];
  137. *responseType = &UA_TYPES[UA_TYPES_REGISTERNODESRESPONSE];
  138. break;
  139. case UA_NS0ID_UNREGISTERNODESREQUEST_ENCODING_DEFAULTBINARY:
  140. *service = (UA_Service)Service_UnregisterNodes;
  141. *requestType = &UA_TYPES[UA_TYPES_UNREGISTERNODESREQUEST];
  142. *responseType = &UA_TYPES[UA_TYPES_UNREGISTERNODESRESPONSE];
  143. break;
  144. case UA_NS0ID_TRANSLATEBROWSEPATHSTONODEIDSREQUEST_ENCODING_DEFAULTBINARY:
  145. *service = (UA_Service)Service_TranslateBrowsePathsToNodeIds;
  146. *requestType = &UA_TYPES[UA_TYPES_TRANSLATEBROWSEPATHSTONODEIDSREQUEST];
  147. *responseType = &UA_TYPES[UA_TYPES_TRANSLATEBROWSEPATHSTONODEIDSRESPONSE];
  148. break;
  149. #ifdef UA_ENABLE_SUBSCRIPTIONS
  150. case UA_NS0ID_CREATESUBSCRIPTIONREQUEST_ENCODING_DEFAULTBINARY:
  151. *service = (UA_Service)Service_CreateSubscription;
  152. *requestType = &UA_TYPES[UA_TYPES_CREATESUBSCRIPTIONREQUEST];
  153. *responseType = &UA_TYPES[UA_TYPES_CREATESUBSCRIPTIONRESPONSE];
  154. break;
  155. case UA_NS0ID_PUBLISHREQUEST_ENCODING_DEFAULTBINARY:
  156. *requestType = &UA_TYPES[UA_TYPES_PUBLISHREQUEST];
  157. *responseType = &UA_TYPES[UA_TYPES_PUBLISHRESPONSE];
  158. break;
  159. case UA_NS0ID_REPUBLISHREQUEST_ENCODING_DEFAULTBINARY:
  160. *service = (UA_Service)Service_Republish;
  161. *requestType = &UA_TYPES[UA_TYPES_REPUBLISHREQUEST];
  162. *responseType = &UA_TYPES[UA_TYPES_REPUBLISHRESPONSE];
  163. break;
  164. case UA_NS0ID_MODIFYSUBSCRIPTIONREQUEST_ENCODING_DEFAULTBINARY:
  165. *service = (UA_Service)Service_ModifySubscription;
  166. *requestType = &UA_TYPES[UA_TYPES_MODIFYSUBSCRIPTIONREQUEST];
  167. *responseType = &UA_TYPES[UA_TYPES_MODIFYSUBSCRIPTIONRESPONSE];
  168. break;
  169. case UA_NS0ID_SETPUBLISHINGMODEREQUEST_ENCODING_DEFAULTBINARY:
  170. *service = (UA_Service)Service_SetPublishingMode;
  171. *requestType = &UA_TYPES[UA_TYPES_SETPUBLISHINGMODEREQUEST];
  172. *responseType = &UA_TYPES[UA_TYPES_SETPUBLISHINGMODERESPONSE];
  173. break;
  174. case UA_NS0ID_DELETESUBSCRIPTIONSREQUEST_ENCODING_DEFAULTBINARY:
  175. *service = (UA_Service)Service_DeleteSubscriptions;
  176. *requestType = &UA_TYPES[UA_TYPES_DELETESUBSCRIPTIONSREQUEST];
  177. *responseType = &UA_TYPES[UA_TYPES_DELETESUBSCRIPTIONSRESPONSE];
  178. break;
  179. case UA_NS0ID_CREATEMONITOREDITEMSREQUEST_ENCODING_DEFAULTBINARY:
  180. *service = (UA_Service)Service_CreateMonitoredItems;
  181. *requestType = &UA_TYPES[UA_TYPES_CREATEMONITOREDITEMSREQUEST];
  182. *responseType = &UA_TYPES[UA_TYPES_CREATEMONITOREDITEMSRESPONSE];
  183. break;
  184. case UA_NS0ID_DELETEMONITOREDITEMSREQUEST_ENCODING_DEFAULTBINARY:
  185. *service = (UA_Service)Service_DeleteMonitoredItems;
  186. *requestType = &UA_TYPES[UA_TYPES_DELETEMONITOREDITEMSREQUEST];
  187. *responseType = &UA_TYPES[UA_TYPES_DELETEMONITOREDITEMSRESPONSE];
  188. break;
  189. case UA_NS0ID_MODIFYMONITOREDITEMSREQUEST_ENCODING_DEFAULTBINARY:
  190. *service = (UA_Service)Service_ModifyMonitoredItems;
  191. *requestType = &UA_TYPES[UA_TYPES_MODIFYMONITOREDITEMSREQUEST];
  192. *responseType = &UA_TYPES[UA_TYPES_MODIFYMONITOREDITEMSRESPONSE];
  193. break;
  194. case UA_NS0ID_SETMONITORINGMODEREQUEST_ENCODING_DEFAULTBINARY:
  195. *service = (UA_Service)Service_SetMonitoringMode;
  196. *requestType = &UA_TYPES[UA_TYPES_SETMONITORINGMODEREQUEST];
  197. *responseType = &UA_TYPES[UA_TYPES_SETMONITORINGMODERESPONSE];
  198. break;
  199. #endif
  200. #ifdef UA_ENABLE_METHODCALLS
  201. case UA_NS0ID_CALLREQUEST_ENCODING_DEFAULTBINARY:
  202. *service = (UA_Service)Service_Call;
  203. *requestType = &UA_TYPES[UA_TYPES_CALLREQUEST];
  204. *responseType = &UA_TYPES[UA_TYPES_CALLRESPONSE];
  205. break;
  206. #endif
  207. #ifdef UA_ENABLE_NODEMANAGEMENT
  208. case UA_NS0ID_ADDNODESREQUEST_ENCODING_DEFAULTBINARY:
  209. *service = (UA_Service)Service_AddNodes;
  210. *requestType = &UA_TYPES[UA_TYPES_ADDNODESREQUEST];
  211. *responseType = &UA_TYPES[UA_TYPES_ADDNODESRESPONSE];
  212. break;
  213. case UA_NS0ID_ADDREFERENCESREQUEST_ENCODING_DEFAULTBINARY:
  214. *service = (UA_Service)Service_AddReferences;
  215. *requestType = &UA_TYPES[UA_TYPES_ADDREFERENCESREQUEST];
  216. *responseType = &UA_TYPES[UA_TYPES_ADDREFERENCESRESPONSE];
  217. break;
  218. case UA_NS0ID_DELETENODESREQUEST_ENCODING_DEFAULTBINARY:
  219. *service = (UA_Service)Service_DeleteNodes;
  220. *requestType = &UA_TYPES[UA_TYPES_DELETENODESREQUEST];
  221. *responseType = &UA_TYPES[UA_TYPES_DELETENODESRESPONSE];
  222. break;
  223. case UA_NS0ID_DELETEREFERENCESREQUEST_ENCODING_DEFAULTBINARY:
  224. *service = (UA_Service)Service_DeleteReferences;
  225. *requestType = &UA_TYPES[UA_TYPES_DELETEREFERENCESREQUEST];
  226. *responseType = &UA_TYPES[UA_TYPES_DELETEREFERENCESRESPONSE];
  227. break;
  228. #endif
  229. default:
  230. break;
  231. }
  232. }
  233. /*************************/
  234. /* Process Message Types */
  235. /*************************/
  236. /* HEL -> Open up the connection */
  237. static UA_StatusCode
  238. processHEL(UA_Server *server, UA_Connection *connection,
  239. const UA_ByteString *msg, size_t *offset) {
  240. UA_TcpHelloMessage helloMessage;
  241. UA_StatusCode retval = UA_TcpHelloMessage_decodeBinary(msg, offset, &helloMessage);
  242. if(retval != UA_STATUSCODE_GOOD)
  243. return retval;
  244. /* Parameterize the connection */
  245. connection->remoteConf.maxChunkCount = helloMessage.maxChunkCount; /* zero -> unlimited */
  246. connection->remoteConf.maxMessageSize = helloMessage.maxMessageSize; /* zero -> unlimited */
  247. connection->remoteConf.protocolVersion = helloMessage.protocolVersion;
  248. connection->remoteConf.recvBufferSize = helloMessage.receiveBufferSize;
  249. if(connection->localConf.sendBufferSize > helloMessage.receiveBufferSize)
  250. connection->localConf.sendBufferSize = helloMessage.receiveBufferSize;
  251. connection->remoteConf.sendBufferSize = helloMessage.sendBufferSize;
  252. if(connection->localConf.recvBufferSize > helloMessage.sendBufferSize)
  253. connection->localConf.recvBufferSize = helloMessage.sendBufferSize;
  254. UA_String_deleteMembers(&helloMessage.endpointUrl);
  255. if(connection->remoteConf.recvBufferSize == 0) {
  256. UA_LOG_INFO(server->config.logger, UA_LOGCATEGORY_NETWORK,
  257. "Connection %i | Remote end indicated a receive buffer size of 0. "
  258. "Not able to send any messages.",
  259. connection->sockfd);
  260. return UA_STATUSCODE_BADINTERNALERROR;
  261. }
  262. connection->state = UA_CONNECTION_ESTABLISHED;
  263. /* Build acknowledge response */
  264. UA_TcpAcknowledgeMessage ackMessage;
  265. ackMessage.protocolVersion = connection->localConf.protocolVersion;
  266. ackMessage.receiveBufferSize = connection->localConf.recvBufferSize;
  267. ackMessage.sendBufferSize = connection->localConf.sendBufferSize;
  268. ackMessage.maxMessageSize = connection->localConf.maxMessageSize;
  269. ackMessage.maxChunkCount = connection->localConf.maxChunkCount;
  270. UA_TcpMessageHeader ackHeader;
  271. ackHeader.messageTypeAndChunkType = UA_MESSAGETYPE_ACK + UA_CHUNKTYPE_FINAL;
  272. ackHeader.messageSize = 8 + 20; /* ackHeader + ackMessage */
  273. /* Get the send buffer from the network layer */
  274. UA_ByteString ack_msg;
  275. UA_ByteString_init(&ack_msg);
  276. retval = connection->getSendBuffer(connection, connection->localConf.sendBufferSize,
  277. &ack_msg);
  278. if(retval != UA_STATUSCODE_GOOD)
  279. return retval;
  280. /* Encode and send the response */
  281. UA_Byte *bufPos = ack_msg.data;
  282. const UA_Byte *bufEnd = &ack_msg.data[ack_msg.length];
  283. retval = UA_TcpMessageHeader_encodeBinary(&ackHeader, &bufPos, &bufEnd);
  284. if(retval != UA_STATUSCODE_GOOD) {
  285. connection->releaseSendBuffer(connection, &ack_msg);
  286. return retval;
  287. }
  288. retval = UA_TcpAcknowledgeMessage_encodeBinary(&ackMessage, &bufPos, &bufEnd);
  289. if(retval != UA_STATUSCODE_GOOD) {
  290. connection->releaseSendBuffer(connection, &ack_msg);
  291. return retval;
  292. }
  293. ack_msg.length = ackHeader.messageSize;
  294. return connection->send(connection, &ack_msg);
  295. }
  296. /* OPN -> Open up/renew the securechannel */
  297. static UA_StatusCode
  298. processOPN(UA_Server *server, UA_SecureChannel *channel,
  299. const UA_UInt32 requestId, const UA_ByteString *msg) {
  300. /* Decode the request */
  301. size_t offset = 0;
  302. UA_NodeId requestType;
  303. UA_StatusCode retval = UA_STATUSCODE_GOOD;
  304. UA_OpenSecureChannelRequest openSecureChannelRequest;
  305. retval |= UA_NodeId_decodeBinary(msg, &offset, &requestType);
  306. retval |= UA_OpenSecureChannelRequest_decodeBinary(msg, &offset, &openSecureChannelRequest);
  307. /* Error occurred */
  308. if(retval != UA_STATUSCODE_GOOD ||
  309. requestType.identifier.numeric != UA_TYPES[UA_TYPES_OPENSECURECHANNELREQUEST].binaryEncodingId) {
  310. UA_NodeId_deleteMembers(&requestType);
  311. UA_OpenSecureChannelRequest_deleteMembers(&openSecureChannelRequest);
  312. UA_LOG_INFO_CHANNEL(server->config.logger, channel,
  313. "Could not decode the OPN message. Closing the connection.");
  314. UA_SecureChannelManager_close(&server->secureChannelManager, channel->securityToken.channelId);
  315. return retval;
  316. }
  317. UA_NodeId_deleteMembers(&requestType);
  318. /* Call the service */
  319. UA_OpenSecureChannelResponse openScResponse;
  320. UA_OpenSecureChannelResponse_init(&openScResponse);
  321. Service_OpenSecureChannel(server, channel, &openSecureChannelRequest, &openScResponse);
  322. UA_OpenSecureChannelRequest_deleteMembers(&openSecureChannelRequest);
  323. if(openScResponse.responseHeader.serviceResult != UA_STATUSCODE_GOOD) {
  324. UA_LOG_INFO_CHANNEL(server->config.logger, channel, "Could not open a SecureChannel. "
  325. "Closing the connection.");
  326. UA_SecureChannelManager_close(&server->secureChannelManager,
  327. channel->securityToken.channelId);
  328. return openScResponse.responseHeader.serviceResult;
  329. }
  330. /* Send the response */
  331. retval = UA_SecureChannel_sendAsymmetricOPNMessage(channel, requestId, &openScResponse,
  332. &UA_TYPES[UA_TYPES_OPENSECURECHANNELRESPONSE]);
  333. UA_OpenSecureChannelResponse_deleteMembers(&openScResponse);
  334. if(retval != UA_STATUSCODE_GOOD) {
  335. UA_LOG_INFO_CHANNEL(server->config.logger, channel,
  336. "Could not send the OPN answer with error code %s",
  337. UA_StatusCode_name(retval));
  338. UA_SecureChannelManager_close(&server->secureChannelManager,
  339. channel->securityToken.channelId);
  340. }
  341. return retval;
  342. }
  343. static UA_StatusCode
  344. processMSG(UA_Server *server, UA_SecureChannel *channel,
  345. UA_UInt32 requestId, const UA_ByteString *msg) {
  346. /* At 0, the nodeid starts... */
  347. size_t offset = 0;
  348. /* Decode the nodeid */
  349. UA_NodeId requestTypeId;
  350. UA_StatusCode retval = UA_NodeId_decodeBinary(msg, &offset, &requestTypeId);
  351. if(retval != UA_STATUSCODE_GOOD)
  352. return retval;
  353. if(requestTypeId.namespaceIndex != 0 ||
  354. requestTypeId.identifierType != UA_NODEIDTYPE_NUMERIC)
  355. UA_NodeId_deleteMembers(&requestTypeId); /* leads to badserviceunsupported */
  356. /* Store the start-position of the request */
  357. size_t requestPos = offset;
  358. /* Get the service pointers */
  359. UA_Service service = NULL;
  360. const UA_DataType *requestType = NULL;
  361. const UA_DataType *responseType = NULL;
  362. UA_Boolean sessionRequired = true;
  363. UA_ServiceType serviceType = UA_SERVICETYPE_NORMAL;
  364. getServicePointers(requestTypeId.identifier.numeric, &requestType,
  365. &responseType, &service, &sessionRequired, &serviceType);
  366. if(!requestType) {
  367. if(requestTypeId.identifier.numeric == 787) {
  368. UA_LOG_INFO_CHANNEL(server->config.logger, channel,
  369. "Client requested a subscription, " \
  370. "but those are not enabled in the build");
  371. } else {
  372. UA_LOG_INFO_CHANNEL(server->config.logger, channel,
  373. "Unknown request with type identifier %i",
  374. requestTypeId.identifier.numeric);
  375. }
  376. return sendServiceFault(channel, msg, requestPos, &UA_TYPES[UA_TYPES_SERVICEFAULT],
  377. requestId, UA_STATUSCODE_BADSERVICEUNSUPPORTED);
  378. }
  379. UA_assert(responseType);
  380. /* Decode the request */
  381. void *request = UA_alloca(requestType->memSize);
  382. UA_RequestHeader *requestHeader = (UA_RequestHeader*)request;
  383. retval = UA_decodeBinary(msg, &offset, request, requestType,
  384. server->config.customDataTypesSize,
  385. server->config.customDataTypes);
  386. if(retval != UA_STATUSCODE_GOOD) {
  387. UA_LOG_DEBUG_CHANNEL(server->config.logger, channel,
  388. "Could not decode the request");
  389. return sendServiceFault(channel, msg, requestPos, responseType, requestId, retval);
  390. }
  391. /* Prepare the respone */
  392. void *response = UA_alloca(responseType->memSize);
  393. UA_init(response, responseType);
  394. UA_Session *session = NULL; /* must be initialized before goto send_response */
  395. /* CreateSession doesn't need a session */
  396. if(requestType == &UA_TYPES[UA_TYPES_CREATESESSIONREQUEST]) {
  397. Service_CreateSession(server, channel,
  398. (const UA_CreateSessionRequest *)request,
  399. (UA_CreateSessionResponse *)response);
  400. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  401. // store the authentication token and session ID so we can help fuzzing by setting
  402. // these values in the next request automatically
  403. UA_CreateSessionResponse *res = (UA_CreateSessionResponse *)response;
  404. UA_NodeId_copy(&res->authenticationToken, &unsafe_fuzz_authenticationToken);
  405. #endif
  406. goto send_response;
  407. }
  408. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  409. // set the authenticationToken from the create session request to help fuzzing cover more lines
  410. if(!UA_NodeId_isNull(&unsafe_fuzz_authenticationToken))
  411. UA_NodeId_copy(&unsafe_fuzz_authenticationToken, &requestHeader->authenticationToken);
  412. #endif
  413. /* Find the matching session */
  414. session = (UA_Session*)UA_SecureChannel_getSession(channel, &requestHeader->authenticationToken);
  415. if(!session && !UA_NodeId_isNull(&requestHeader->authenticationToken))
  416. session = UA_SessionManager_getSessionByToken(&server->sessionManager,
  417. &requestHeader->authenticationToken);
  418. if(requestType == &UA_TYPES[UA_TYPES_ACTIVATESESSIONREQUEST]) {
  419. if(!session) {
  420. UA_LOG_DEBUG_CHANNEL(server->config.logger, channel,
  421. "Trying to activate a session that is " \
  422. "not known in the server");
  423. UA_deleteMembers(request, requestType);
  424. return sendServiceFault(channel, msg, requestPos, responseType,
  425. requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
  426. }
  427. Service_ActivateSession(server, channel, session,
  428. (const UA_ActivateSessionRequest*)request,
  429. (UA_ActivateSessionResponse*)response);
  430. goto send_response;
  431. }
  432. /* Set an anonymous, inactive session for services that need no session */
  433. UA_Session anonymousSession;
  434. if(!session) {
  435. if(sessionRequired) {
  436. UA_LOG_WARNING_CHANNEL(server->config.logger, channel,
  437. "Service request %i without a valid session",
  438. requestType->binaryEncodingId);
  439. UA_deleteMembers(request, requestType);
  440. return sendServiceFault(channel, msg, requestPos, responseType,
  441. requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
  442. }
  443. UA_Session_init(&anonymousSession);
  444. anonymousSession.sessionId = UA_NODEID_GUID(0, UA_GUID_NULL);
  445. anonymousSession.header.channel = channel;
  446. session = &anonymousSession;
  447. }
  448. /* Trying to use a non-activated session? */
  449. if(sessionRequired && !session->activated) {
  450. UA_LOG_WARNING_SESSION(server->config.logger, session,
  451. "Calling service %i on a non-activated session",
  452. requestType->binaryEncodingId);
  453. UA_SessionManager_removeSession(&server->sessionManager,
  454. &session->header.authenticationToken);
  455. UA_deleteMembers(request, requestType);
  456. return sendServiceFault(channel, msg, requestPos, responseType,
  457. requestId, UA_STATUSCODE_BADSESSIONNOTACTIVATED);
  458. }
  459. /* The session is bound to another channel */
  460. if(session != &anonymousSession && session->header.channel != channel) {
  461. UA_LOG_WARNING_CHANNEL(server->config.logger, channel,
  462. "Client tries to use a Session that is not "
  463. "bound to this SecureChannel");
  464. UA_deleteMembers(request, requestType);
  465. return sendServiceFault(channel, msg, requestPos, responseType,
  466. requestId, UA_STATUSCODE_BADSESSIONNOTACTIVATED);
  467. }
  468. /* Update the session lifetime */
  469. UA_Session_updateLifetime(session);
  470. #ifdef UA_ENABLE_SUBSCRIPTIONS
  471. /* The publish request is not answered immediately */
  472. if(requestType == &UA_TYPES[UA_TYPES_PUBLISHREQUEST]) {
  473. Service_Publish(server, session,
  474. (const UA_PublishRequest*)request, requestId);
  475. UA_deleteMembers(request, requestType);
  476. return UA_STATUSCODE_GOOD;
  477. }
  478. #endif
  479. send_response:
  480. /* Prepare the ResponseHeader */
  481. ((UA_ResponseHeader*)response)->requestHandle = requestHeader->requestHandle;
  482. ((UA_ResponseHeader*)response)->timestamp = UA_DateTime_now();
  483. /* Start the message */
  484. UA_NodeId typeId = UA_NODEID_NUMERIC(0, responseType->binaryEncodingId);
  485. UA_MessageContext mc;
  486. retval = UA_MessageContext_begin(&mc, channel, requestId, UA_MESSAGETYPE_MSG);
  487. if(retval != UA_STATUSCODE_GOOD)
  488. goto cleanup;
  489. /* Assert's required for clang-analyzer */
  490. UA_assert(mc.buf_pos == &mc.messageBuffer.data[UA_SECURE_MESSAGE_HEADER_LENGTH]);
  491. UA_assert(mc.buf_end <= &mc.messageBuffer.data[mc.messageBuffer.length]);
  492. retval = UA_MessageContext_encode(&mc, &typeId, &UA_TYPES[UA_TYPES_NODEID]);
  493. if(retval != UA_STATUSCODE_GOOD)
  494. goto cleanup;
  495. switch(serviceType) {
  496. case UA_SERVICETYPE_CUSTOM:
  497. /* Was processed before...*/
  498. retval = UA_MessageContext_encode(&mc, response, responseType);
  499. break;
  500. case UA_SERVICETYPE_INSITU:
  501. retval = ((UA_InSituService)service)
  502. (server, session, &mc, request, (UA_ResponseHeader*)response);
  503. break;
  504. case UA_SERVICETYPE_NORMAL:
  505. default:
  506. service(server, session, request, response);
  507. retval = UA_MessageContext_encode(&mc, response, responseType);
  508. break;
  509. }
  510. /* Finish sending the message */
  511. if(retval != UA_STATUSCODE_GOOD) {
  512. UA_MessageContext_abort(&mc);
  513. goto cleanup;
  514. }
  515. retval = UA_MessageContext_finish(&mc);
  516. cleanup:
  517. if(retval != UA_STATUSCODE_GOOD)
  518. UA_LOG_INFO_CHANNEL(server->config.logger, channel,
  519. "Could not send the message over the SecureChannel "
  520. "with StatusCode %s", UA_StatusCode_name(retval));
  521. /* Clean up */
  522. UA_deleteMembers(request, requestType);
  523. UA_deleteMembers(response, responseType);
  524. return retval;
  525. }
  526. /* Takes decoded messages starting at the nodeid of the content type. */
  527. static UA_StatusCode
  528. processSecureChannelMessage(void *application, UA_SecureChannel *channel,
  529. UA_MessageType messagetype, UA_UInt32 requestId,
  530. const UA_ByteString *message) {
  531. UA_Server *server = (UA_Server*)application;
  532. UA_StatusCode retval = UA_STATUSCODE_GOOD;
  533. switch(messagetype) {
  534. case UA_MESSAGETYPE_OPN:
  535. UA_LOG_TRACE_CHANNEL(server->config.logger, channel,
  536. "Process an OPN on an open channel");
  537. retval = processOPN(server, channel, requestId, message);
  538. break;
  539. case UA_MESSAGETYPE_MSG:
  540. UA_LOG_TRACE_CHANNEL(server->config.logger, channel, "Process a MSG");
  541. retval = processMSG(server, channel, requestId, message);
  542. break;
  543. case UA_MESSAGETYPE_CLO:
  544. UA_LOG_TRACE_CHANNEL(server->config.logger, channel, "Process a CLO");
  545. Service_CloseSecureChannel(server, channel);
  546. break;
  547. default:
  548. UA_LOG_TRACE_CHANNEL(server->config.logger, channel, "Invalid message type");
  549. retval = UA_STATUSCODE_BADTCPMESSAGETYPEINVALID;
  550. break;
  551. }
  552. return retval;
  553. }
  554. static UA_StatusCode
  555. createSecureChannel(void *application, UA_Connection *connection,
  556. UA_AsymmetricAlgorithmSecurityHeader *asymHeader) {
  557. UA_Server *server = (UA_Server*)application;
  558. /* Iterate over available endpoints and choose the correct one */
  559. UA_Endpoint *endpoint = NULL;
  560. UA_StatusCode retval = UA_STATUSCODE_GOOD;
  561. for(size_t i = 0; i < server->config.endpointsSize; ++i) {
  562. UA_Endpoint *endpointCandidate = &server->config.endpoints[i];
  563. if(!UA_ByteString_equal(&asymHeader->securityPolicyUri,
  564. &endpointCandidate->securityPolicy.policyUri))
  565. continue;
  566. retval = endpointCandidate->securityPolicy.asymmetricModule.
  567. compareCertificateThumbprint(&endpointCandidate->securityPolicy,
  568. &asymHeader->receiverCertificateThumbprint);
  569. if(retval != UA_STATUSCODE_GOOD)
  570. continue;
  571. /* We found the correct endpoint (except for security mode) The endpoint
  572. * needs to be changed by the client / server to match the security
  573. * mode. The server does this in the securechannel manager */
  574. endpoint = endpointCandidate;
  575. break;
  576. }
  577. if(!endpoint)
  578. return UA_STATUSCODE_BADSECURITYPOLICYREJECTED;
  579. /* Create a new channel */
  580. return UA_SecureChannelManager_create(&server->secureChannelManager, connection,
  581. &endpoint->securityPolicy, asymHeader);
  582. }
  583. static UA_StatusCode
  584. processCompleteChunkWithoutChannel(UA_Server *server, UA_Connection *connection,
  585. UA_ByteString *message) {
  586. /* Process chunk without a channel; must be OPN */
  587. UA_LOG_TRACE(server->config.logger, UA_LOGCATEGORY_NETWORK,
  588. "Connection %i | No channel attached to the connection. "
  589. "Process the chunk directly", connection->sockfd);
  590. size_t offset = 0;
  591. UA_TcpMessageHeader tcpMessageHeader;
  592. UA_StatusCode retval =
  593. UA_TcpMessageHeader_decodeBinary(message, &offset, &tcpMessageHeader);
  594. if(retval != UA_STATUSCODE_GOOD)
  595. return retval;
  596. // Only HEL and OPN messages possible without a channel (on the server side)
  597. switch(tcpMessageHeader.messageTypeAndChunkType & 0x00ffffff) {
  598. case UA_MESSAGETYPE_HEL:
  599. retval = processHEL(server, connection, message, &offset);
  600. break;
  601. case UA_MESSAGETYPE_OPN:
  602. {
  603. UA_LOG_TRACE(server->config.logger, UA_LOGCATEGORY_NETWORK,
  604. "Connection %i | Process OPN message", connection->sockfd);
  605. /* Called before HEL */
  606. if(connection->state != UA_CONNECTION_ESTABLISHED) {
  607. retval = UA_STATUSCODE_BADCOMMUNICATIONERROR;
  608. break;
  609. }
  610. // Decode the asymmetric algorithm security header since it is not encrypted and
  611. // needed to decide what security policy to use.
  612. UA_AsymmetricAlgorithmSecurityHeader asymHeader;
  613. UA_AsymmetricAlgorithmSecurityHeader_init(&asymHeader);
  614. size_t messageHeaderOffset = UA_SECURE_CONVERSATION_MESSAGE_HEADER_LENGTH;
  615. retval = UA_AsymmetricAlgorithmSecurityHeader_decodeBinary(message,
  616. &messageHeaderOffset,
  617. &asymHeader);
  618. if(retval != UA_STATUSCODE_GOOD)
  619. break;
  620. retval = createSecureChannel(server, connection, &asymHeader);
  621. UA_AsymmetricAlgorithmSecurityHeader_deleteMembers(&asymHeader);
  622. if(retval != UA_STATUSCODE_GOOD)
  623. break;
  624. retval = UA_SecureChannel_processChunk(connection->channel, message,
  625. processSecureChannelMessage,
  626. server);
  627. if(retval != UA_STATUSCODE_GOOD)
  628. break;
  629. break;
  630. }
  631. default:
  632. UA_LOG_TRACE(server->config.logger, UA_LOGCATEGORY_NETWORK,
  633. "Connection %i | Expected OPN or HEL message on a connection "
  634. "without a SecureChannel", connection->sockfd);
  635. retval = UA_STATUSCODE_BADTCPMESSAGETYPEINVALID;
  636. break;
  637. }
  638. return retval;
  639. }
  640. static UA_StatusCode
  641. processCompleteChunk(void *const application,
  642. UA_Connection *const connection,
  643. UA_ByteString *const chunk) {
  644. UA_Server *const server = (UA_Server*)application;
  645. #ifdef UA_DEBUG_DUMP_PKGS_FILE
  646. UA_debug_dumpCompleteChunk(server, connection, chunk);
  647. #endif
  648. if(!connection->channel)
  649. return processCompleteChunkWithoutChannel(server, connection, chunk);
  650. return UA_SecureChannel_processChunk(connection->channel, chunk,
  651. processSecureChannelMessage,
  652. server);
  653. }
  654. static void
  655. processBinaryMessage(UA_Server *server, UA_Connection *connection,
  656. UA_ByteString *message) {
  657. UA_LOG_TRACE(server->config.logger, UA_LOGCATEGORY_NETWORK,
  658. "Connection %i | Received a packet.", connection->sockfd);
  659. #ifdef UA_DEBUG_DUMP_PKGS
  660. UA_dump_hex_pkg(message->data, message->length);
  661. #endif
  662. UA_StatusCode retval = UA_Connection_processChunks(connection, server,
  663. processCompleteChunk, message);
  664. if(retval != UA_STATUSCODE_GOOD) {
  665. UA_LOG_INFO(server->config.logger, UA_LOGCATEGORY_NETWORK,
  666. "Connection %i | Processing the message failed with "
  667. "error %s", connection->sockfd, UA_StatusCode_name(retval));
  668. /* Send an ERR message and close the connection */
  669. UA_TcpErrorMessage error;
  670. error.error = retval;
  671. error.reason = UA_STRING_NULL;
  672. UA_Connection_sendError(connection, &error);
  673. connection->close(connection);
  674. }
  675. }
  676. #ifndef UA_ENABLE_MULTITHREADING
  677. void
  678. UA_Server_processBinaryMessage(UA_Server *server, UA_Connection *connection,
  679. UA_ByteString *message) {
  680. processBinaryMessage(server, connection, message);
  681. }
  682. #else
  683. typedef struct {
  684. UA_Connection *connection;
  685. UA_ByteString message;
  686. } ConnectionMessage;
  687. static void
  688. workerProcessBinaryMessage(UA_Server *server, ConnectionMessage *cm) {
  689. processBinaryMessage(server, cm->connection, &cm->message);
  690. UA_free(cm);
  691. }
  692. void
  693. UA_Server_processBinaryMessage(UA_Server *server, UA_Connection *connection,
  694. UA_ByteString *message) {
  695. /* Allocate the memory for the callback data */
  696. ConnectionMessage *cm = (ConnectionMessage*)UA_malloc(sizeof(ConnectionMessage));
  697. /* If malloc failed, execute immediately */
  698. if(!cm) {
  699. processBinaryMessage(server, connection, message);
  700. return;
  701. }
  702. /* Dispatch to the workers */
  703. cm->connection = connection;
  704. cm->message = *message;
  705. UA_Server_workerCallback(server, (UA_ServerCallback)workerProcessBinaryMessage, cm);
  706. }
  707. static void
  708. deleteConnectionTrampoline(UA_Server *server, void *data) {
  709. UA_Connection *connection = (UA_Connection*)data;
  710. connection->free(connection);
  711. }
  712. #endif
  713. void
  714. UA_Server_removeConnection(UA_Server *server, UA_Connection *connection) {
  715. UA_Connection_detachSecureChannel(connection);
  716. #ifndef UA_ENABLE_MULTITHREADING
  717. connection->free(connection);
  718. #else
  719. UA_Server_delayedCallback(server, deleteConnectionTrampoline, connection);
  720. #endif
  721. }