ua_securechannel_manager.c 11 KB

  1. /* This Source Code Form is subject to the terms of the Mozilla Public
  2. * License, v. 2.0. If a copy of the MPL was not distributed with this
  3. * file, You can obtain one at
  4. *
  5. * Copyright 2014-2017 (c) Fraunhofer IOSB (Author: Julius Pfrommer)
  6. * Copyright 2014-2017 (c) Florian Palm
  7. * Copyright 2015-2016 (c) Sten Grüner
  8. * Copyright 2015 (c) Oleksiy Vasylyev
  9. * Copyright 2017 (c) Stefan Profanter, fortiss GmbH
  10. * Copyright 2017 (c) Mark Giraud, Fraunhofer IOSB
  11. */
  12. #include "ua_securechannel_manager.h"
  13. #include <open62541/transport_generated.h>
  14. #include "ua_server_internal.h"
  15. #include "ua_session.h"
  16. #define STARTCHANNELID 1
  17. #define STARTTOKENID 1
  18. UA_StatusCode
  19. UA_SecureChannelManager_init(UA_SecureChannelManager *cm, UA_Server *server) {
  20. TAILQ_INIT(&cm->channels);
  21. // TODO: use an ID that is likely to be unique after a restart
  22. cm->lastChannelId = STARTCHANNELID;
  23. cm->lastTokenId = STARTTOKENID;
  24. cm->currentChannelCount = 0;
  25. cm->server = server;
  26. return UA_STATUSCODE_GOOD;
  27. }
  28. void
  29. UA_SecureChannelManager_deleteMembers(UA_SecureChannelManager *cm) {
  30. channel_entry *entry, *temp;
  31. TAILQ_FOREACH_SAFE(entry, &cm->channels, pointers, temp) {
  32. TAILQ_REMOVE(&cm->channels, entry, pointers);
  33. UA_SecureChannel_close(&entry->channel);
  34. UA_SecureChannel_deleteMembers(&entry->channel);
  35. UA_free(entry);
  36. }
  37. }
  38. static void
  39. removeSecureChannelCallback(void *_, channel_entry *entry) {
  40. UA_SecureChannel_deleteMembers(&entry->channel);
  41. }
  42. static void
  43. removeSecureChannel(UA_SecureChannelManager *cm, channel_entry *entry) {
  44. /* Close the SecureChannel */
  45. UA_SecureChannel_close(&entry->channel);
  46. /* Detach the channel and make the capacity available */
  47. TAILQ_REMOVE(&cm->channels, entry, pointers);
  48. UA_atomic_subUInt32(&cm->currentChannelCount, 1);
  49. /* Add a delayed callback to remove the channel when the currently
  50. * scheduled jobs have completed */
  51. entry->cleanupCallback.callback = (UA_ApplicationCallback)removeSecureChannelCallback;
  52. entry->cleanupCallback.application = NULL;
  53. entry-> = entry;
  54. UA_WorkQueue_enqueueDelayed(&cm->server->workQueue, &entry->cleanupCallback);
  55. }
  56. /* remove channels that were not renewed or who have no connection attached */
  57. void
  58. UA_SecureChannelManager_cleanupTimedOut(UA_SecureChannelManager *cm,
  59. UA_DateTime nowMonotonic) {
  60. channel_entry *entry, *temp;
  61. TAILQ_FOREACH_SAFE(entry, &cm->channels, pointers, temp) {
  62. /* The channel was closed internally */
  63. if(entry->channel.state == UA_SECURECHANNELSTATE_CLOSED ||
  64. !entry->channel.connection) {
  65. removeSecureChannel(cm, entry);
  66. continue;
  67. }
  68. /* The channel has timed out */
  69. UA_DateTime timeout =
  70. entry->channel.securityToken.createdAt +
  71. (UA_DateTime)(entry->channel.securityToken.revisedLifetime * UA_DATETIME_MSEC);
  72. if(timeout < nowMonotonic) {
  73. UA_LOG_INFO_CHANNEL(&cm->server->config.logger, &entry->channel,
  74. "SecureChannel has timed out");
  75. removeSecureChannel(cm, entry);
  76. continue;
  77. }
  78. }
  79. }
  80. /* remove the first channel that has no session attached */
  81. static UA_Boolean
  82. purgeFirstChannelWithoutSession(UA_SecureChannelManager *cm) {
  83. channel_entry *entry;
  84. TAILQ_FOREACH(entry, &cm->channels, pointers) {
  85. if(LIST_EMPTY(&entry->channel.sessions)) {
  86. UA_LOG_INFO_CHANNEL(&cm->server->config.logger, &entry->channel,
  87. "Channel was purged since maxSecureChannels was "
  88. "reached and channel had no session attached");
  89. removeSecureChannel(cm, entry);
  90. return true;
  91. }
  92. }
  93. return false;
  94. }
  95. UA_StatusCode
  96. UA_SecureChannelManager_create(UA_SecureChannelManager *const cm, UA_Connection *const connection,
  97. const UA_SecurityPolicy *const securityPolicy,
  98. const UA_AsymmetricAlgorithmSecurityHeader *const asymHeader) {
  99. /* connection already has a channel attached. */
  100. if(connection->channel != NULL)
  102. /* Check if there exists a free SC, otherwise try to purge one SC without a
  103. * session the purge has been introduced to pass CTT, it is not clear what
  104. * strategy is expected here */
  105. if(cm->currentChannelCount >= cm->server->config.maxSecureChannels &&
  106. !purgeFirstChannelWithoutSession(cm))
  108. UA_LOG_INFO(&cm->server->config.logger, UA_LOGCATEGORY_SECURECHANNEL,
  109. "Creating a new SecureChannel");
  110. channel_entry *entry = (channel_entry *)UA_malloc(sizeof(channel_entry));
  111. if(!entry)
  113. /* Create the channel context and parse the sender (remote) certificate used for the
  114. * secureChannel. */
  115. UA_SecureChannel_init(&entry->channel);
  116. UA_StatusCode retval =
  117. UA_SecureChannel_setSecurityPolicy(&entry->channel, securityPolicy,
  118. &asymHeader->senderCertificate);
  119. if(retval != UA_STATUSCODE_GOOD) {
  120. UA_free(entry);
  121. return retval;
  122. }
  123. /* Channel state is fresh (0) */
  124. entry->channel.securityToken.channelId = 0;
  125. entry->channel.securityToken.tokenId = cm->lastTokenId++;
  126. entry->channel.securityToken.createdAt = UA_DateTime_now();
  127. entry->channel.securityToken.revisedLifetime = cm->server->config.maxSecurityTokenLifetime;
  128. TAILQ_INSERT_TAIL(&cm->channels, entry, pointers);
  129. UA_atomic_addUInt32(&cm->currentChannelCount, 1);
  130. UA_Connection_attachSecureChannel(connection, &entry->channel);
  131. return UA_STATUSCODE_GOOD;
  132. }
  133. UA_StatusCode
  134. UA_SecureChannelManager_open(UA_SecureChannelManager *cm, UA_SecureChannel *channel,
  135. const UA_OpenSecureChannelRequest *request,
  136. UA_OpenSecureChannelResponse *response) {
  137. if(channel->state != UA_SECURECHANNELSTATE_FRESH) {
  138. UA_LOG_ERROR_CHANNEL(&cm->server->config.logger, channel,
  139. "Called open on already open or closed channel");
  141. }
  142. if(request->securityMode != UA_MESSAGESECURITYMODE_NONE &&
  143. UA_ByteString_equal(&channel->securityPolicy->policyUri, &UA_SECURITY_POLICY_NONE_URI)) {
  145. }
  146. channel->securityMode = request->securityMode;
  147. channel->securityToken.createdAt = UA_DateTime_nowMonotonic();
  148. channel->securityToken.channelId = cm->lastChannelId++;
  149. channel->securityToken.createdAt = UA_DateTime_now();
  150. /* Set the lifetime. Lifetime 0 -> set the maximum possible */
  151. channel->securityToken.revisedLifetime =
  152. (request->requestedLifetime > cm->server->config.maxSecurityTokenLifetime) ?
  153. cm->server->config.maxSecurityTokenLifetime : request->requestedLifetime;
  154. if(channel->securityToken.revisedLifetime == 0)
  155. channel->securityToken.revisedLifetime = cm->server->config.maxSecurityTokenLifetime;
  156. /* Set the nonces and generate the keys */
  157. UA_StatusCode retval = UA_ByteString_copy(&request->clientNonce, &channel->remoteNonce);
  158. if(retval != UA_STATUSCODE_GOOD)
  159. return retval;
  160. retval = UA_SecureChannel_generateLocalNonce(channel);
  161. if(retval != UA_STATUSCODE_GOOD)
  162. return retval;
  163. retval = UA_SecureChannel_generateNewKeys(channel);
  164. if(retval != UA_STATUSCODE_GOOD)
  165. return retval;
  166. /* Set the response */
  167. retval = UA_ByteString_copy(&channel->localNonce, &response->serverNonce);
  168. if(retval != UA_STATUSCODE_GOOD)
  169. return retval;
  170. retval = UA_ChannelSecurityToken_copy(&channel->securityToken, &response->securityToken);
  171. if(retval != UA_STATUSCODE_GOOD)
  172. return retval;
  173. response->responseHeader.timestamp = UA_DateTime_now();
  174. response->responseHeader.requestHandle = request->requestHeader.requestHandle;
  175. /* The channel is open */
  176. channel->state = UA_SECURECHANNELSTATE_OPEN;
  177. return UA_STATUSCODE_GOOD;
  178. }
  179. UA_StatusCode
  180. UA_SecureChannelManager_renew(UA_SecureChannelManager *cm, UA_SecureChannel *channel,
  181. const UA_OpenSecureChannelRequest *request,
  182. UA_OpenSecureChannelResponse *response) {
  183. if(channel->state != UA_SECURECHANNELSTATE_OPEN) {
  184. UA_LOG_ERROR_CHANNEL(&cm->server->config.logger, channel,
  185. "Called renew on channel which is not open");
  187. }
  188. /* If no security token is already issued */
  189. if(channel->nextSecurityToken.tokenId == 0) {
  190. channel->nextSecurityToken.channelId = channel->securityToken.channelId;
  191. channel->nextSecurityToken.tokenId = cm->lastTokenId++;
  192. channel->nextSecurityToken.createdAt = UA_DateTime_now();
  193. channel->nextSecurityToken.revisedLifetime =
  194. (request->requestedLifetime > cm->server->config.maxSecurityTokenLifetime) ?
  195. cm->server->config.maxSecurityTokenLifetime : request->requestedLifetime;
  196. if(channel->nextSecurityToken.revisedLifetime == 0) /* lifetime 0 -> return the max lifetime */
  197. channel->nextSecurityToken.revisedLifetime = cm->server->config.maxSecurityTokenLifetime;
  198. }
  199. /* Replace the nonces */
  200. UA_ByteString_deleteMembers(&channel->remoteNonce);
  201. UA_StatusCode retval = UA_ByteString_copy(&request->clientNonce, &channel->remoteNonce);
  202. if(retval != UA_STATUSCODE_GOOD)
  203. return retval;
  204. retval = UA_SecureChannel_generateLocalNonce(channel);
  205. if(retval != UA_STATUSCODE_GOOD)
  206. return retval;
  207. /* Set the response */
  208. response->responseHeader.requestHandle = request->requestHeader.requestHandle;
  209. retval = UA_ByteString_copy(&channel->localNonce, &response->serverNonce);
  210. if(retval != UA_STATUSCODE_GOOD)
  211. return retval;
  212. retval = UA_ChannelSecurityToken_copy(&channel->nextSecurityToken, &response->securityToken);
  213. if(retval != UA_STATUSCODE_GOOD)
  214. return retval;
  215. /* Reset the internal creation date to the monotonic clock */
  216. channel->nextSecurityToken.createdAt = UA_DateTime_nowMonotonic();
  217. return UA_STATUSCODE_GOOD;
  218. }
  219. UA_SecureChannel *
  220. UA_SecureChannelManager_get(UA_SecureChannelManager *cm, UA_UInt32 channelId) {
  221. channel_entry *entry;
  222. TAILQ_FOREACH(entry, &cm->channels, pointers) {
  223. if(entry->channel.securityToken.channelId == channelId)
  224. return &entry->channel;
  225. }
  226. return NULL;
  227. }
  228. UA_StatusCode
  229. UA_SecureChannelManager_close(UA_SecureChannelManager *cm, UA_UInt32 channelId) {
  230. channel_entry *entry;
  231. TAILQ_FOREACH(entry, &cm->channels, pointers) {
  232. if(entry->channel.securityToken.channelId == channelId)
  233. break;
  234. }
  235. if(!entry)
  237. removeSecureChannel(cm, entry);
  238. return UA_STATUSCODE_GOOD;
  239. }