Merge remote-tracking branch 'origin/1.2' into merge_12_13_7

Julius Pfrommer 2022-11-14 11:51:51 +01:00
commit 6674768d7c
8 changed files with 109 additions and 47 deletions


@ -236,12 +236,6 @@ reloadCertificates(CertInfo *ci) {
#endif
static UA_StatusCode
certificateVerification_allow(void *verificationContext,
const UA_ByteString *certificate) {
return UA_STATUSCODE_GOOD;
}
static UA_StatusCode
certificateVerification_verify(void *verificationContext,
const UA_ByteString *certificate) {
@ -539,10 +533,7 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification *cv,
mbedtls_x509_crt_init(&ci->certificateIssuerList);
cv->context = (void*)ci;
if(certificateTrustListSize > 0)
cv->verifyCertificate = certificateVerification_verify;
else
cv->verifyCertificate = certificateVerification_allow;
cv->verifyCertificate = certificateVerification_verify;
cv->clear = certificateVerification_clear;
cv->verifyApplicationURI = certificateVerification_verifyApplicationURI;
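Review bot: The unconditional `cv->verifyCertificate = certificateVerification_verify;` in UA_CertificateVerification_Trustlist changes what an empty trust list means, and nothing at the assignment says so. Before this change `certificateTrustListSize == 0` selected the removed accept-all callback; now the verifier runs with no trusted certificates loaded, which presumably rejects every peer certificate. I would add a comment such as `/* An empty trust list no longer means accept-all; call UA_CertificateVerification_AcceptAll explicitly if that is wanted */` and state the change in the API documentation, because configurations that passed no trust list will likely start failing handshakes. The same applies to the OpenSSL backend's UA_CertificateVerification_Trustlist later in this commit. The function body starts and ends outside the hunk.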


@ -4,6 +4,7 @@
*
* Copyright 2020 (c) Wind River Systems, Inc.
* Copyright 2020 (c) basysKom GmbH
* Copyright 2022 (c) Wind River Systems, Inc.
*/
/*
@ -30,6 +31,8 @@ modification history
#include "ua_openssl_version_abstraction.h"
#define SHA1_DIGEST_LENGTH 20 /* 160 bits */
#define RSA_DECRYPT_BUFFER_LENGTH 2048 /* bytes */
/** P_SHA256 Context */
typedef struct UA_Openssl_P_SHA256_Ctx_ {
@ -73,6 +76,14 @@ UA_Openssl_Init (void) {
#endif
}
static int UA_OpenSSL_RSA_Key_Size (EVP_PKEY * key){
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
return EVP_PKEY_get_size (key);
#else
return RSA_size (get_pkey_rsa(key));
#endif
}
/* UA_copyCertificate - allocalte the buffer, copy the certificate and
* add a NULL to the end
*/
@ -192,8 +203,8 @@ UA_Openssl_X509_GetCertificateThumbprint (const UA_ByteString * certficate,
}
static UA_StatusCode
UA_Openssl_RSA_Private_Decrypt (UA_ByteString * data,
EVP_PKEY * privateKey,
UA_Openssl_RSA_Private_Decrypt (UA_ByteString * data,
EVP_PKEY * privateKey,
UA_Int16 padding) {
if (data == NULL || privateKey == NULL) {
return UA_STATUSCODE_BADINVALIDARGUMENT;
@ -203,27 +214,49 @@ UA_Openssl_RSA_Private_Decrypt (UA_ByteString * data,
return UA_STATUSCODE_BADINVALIDARGUMENT;
}
UA_Int32 keySize = RSA_size(get_pkey_rsa(privateKey));
size_t keySize = (size_t) UA_OpenSSL_RSA_Key_Size (privateKey);
size_t cipherOffset = 0;
size_t outOffset = 0;
unsigned char buf[2048];
UA_Int32 decryptedBytes;
unsigned char buf[RSA_DECRYPT_BUFFER_LENGTH];
size_t decryptedBytes;
EVP_PKEY_CTX * ctx;
int opensslRet;
ctx = EVP_PKEY_CTX_new (privateKey, NULL);
if (ctx == NULL) {
return UA_STATUSCODE_BADOUTOFMEMORY;
}
opensslRet = EVP_PKEY_decrypt_init (ctx);
if (opensslRet != 1)
{
EVP_PKEY_CTX_free (ctx);
return UA_STATUSCODE_BADINTERNALERROR;
}
opensslRet = EVP_PKEY_CTX_set_rsa_padding (ctx, padding);
if (opensslRet != 1) {
EVP_PKEY_CTX_free (ctx);
return UA_STATUSCODE_BADINTERNALERROR;
}
while (cipherOffset < data->length) {
decryptedBytes = RSA_private_decrypt (keySize,
data->data + cipherOffset, /* what to decrypt */
decryptedBytes = RSA_DECRYPT_BUFFER_LENGTH;
opensslRet = EVP_PKEY_decrypt (ctx,
buf, /* where to decrypt */
get_pkey_rsa(privateKey), /* private key */
padding
&decryptedBytes,
data->data + cipherOffset, /* what to decrypt */
keySize
);
if (decryptedBytes < 0) {
if (opensslRet != 1) {
EVP_PKEY_CTX_free (ctx);
return UA_STATUSCODE_BADSECURITYCHECKSFAILED;
}
memcpy(data->data + outOffset, buf, (size_t) decryptedBytes);
(void) memcpy(data->data + outOffset, buf, decryptedBytes);
cipherOffset += (size_t) keySize;
outOffset += (size_t) decryptedBytes;
outOffset += decryptedBytes;
}
data->length = outOffset;
EVP_PKEY_CTX_free (ctx);
return UA_STATUSCODE_GOOD;
}
@ -249,7 +282,6 @@ UA_Openssl_RSA_Public_Encrypt (const UA_ByteString * message,
size_t encryptedPos = 0;
size_t bytesToEncrypt = 0;
size_t encryptedBlockSize = 0;
RSA * rsa = NULL;
size_t keySize = 0;
evpPublicKey = X509_get_pubkey (publicX509);
@ -274,8 +306,8 @@ UA_Openssl_RSA_Public_Encrypt (const UA_ByteString * message,
}
/* get the encrypted block size */
rsa = get_pkey_rsa (evpPublicKey);
keySize = (size_t) RSA_size (rsa);
keySize = (size_t) UA_OpenSSL_RSA_Key_Size (evpPublicKey);
if (keySize == 0) {
ret = UA_STATUSCODE_BADINTERNALERROR;
goto errout;
@ -435,8 +467,8 @@ UA_Openssl_RSA_Public_GetKeyLength (X509 * publicKeyX509,
if (evpKey == NULL) {
return UA_STATUSCODE_BADINTERNALERROR;
}
RSA * rsa = get_pkey_rsa (evpKey);
*keyLen = RSA_size(rsa);
*keyLen = UA_OpenSSL_RSA_Key_Size (evpKey);
EVP_PKEY_free (evpKey);
return UA_STATUSCODE_GOOD;
@ -448,7 +480,7 @@ UA_Openssl_RSA_Private_GetKeyLength (EVP_PKEY * privateKey,
if (privateKey == NULL) {
return UA_STATUSCODE_BADINVALIDARGUMENT;
}
*keyLen = RSA_size(get_pkey_rsa(privateKey));
*keyLen = UA_OpenSSL_RSA_Key_Size (privateKey);
return UA_STATUSCODE_GOOD;
}
@ -646,16 +678,28 @@ UA_OpenSSL_Encrypt (const UA_ByteString * iv,
ret = UA_STATUSCODE_BADINTERNALERROR;
goto errout;
}
/* Disable padding. Padding is done in the stack before calling encryption.
* Ensure that we have a multiple of the block size */
if(data->length % (size_t)EVP_CIPHER_CTX_block_size(ctx)) {
ret = UA_STATUSCODE_BADINTERNALERROR;
goto errout;
}
opensslRet = EVP_CIPHER_CTX_set_padding(ctx, 0);
if (opensslRet != 1) {
ret = UA_STATUSCODE_BADINTERNALERROR;
goto errout;
}
/* Encrypt the data */
opensslRet = EVP_EncryptUpdate (ctx, data->data, &outLen,
plainTxt.data, (int) plainTxt.length);
if (opensslRet != 1) {
ret = UA_STATUSCODE_BADINTERNALERROR;
goto errout;
}
/*
* Buffer passed to EVP_EncryptFinal() must be after data just
* encrypted to avoid overwriting it.
*/
/* Encrypt-final does nothing as padding is disabled */
opensslRet = EVP_EncryptFinal_ex(ctx, data->data + outLen, &tmpLen);
if (opensslRet != 1) {
ret = UA_STATUSCODE_BADINTERNALERROR;
@ -879,6 +923,8 @@ EVP_PKEY *
UA_OpenSSL_LoadPrivateKey(const UA_ByteString *privateKey) {
const unsigned char * pkData = privateKey->data;
long len = (long) privateKey->length;
if(len == 0)
return NULL;
EVP_PKEY *result = NULL;
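Review bot: In UA_Openssl_RSA_Private_Decrypt the loop hands `keySize` to `EVP_PKEY_decrypt` as the input length on every iteration, but no visible line checks that `data->length` is a multiple of `keySize`, so unless callers guarantee it a short final block would be read past the end of `data->data` (part of the function lies between the two hunks and is not shown). `UA_OpenSSL_RSA_Key_Size` returns `int` and is cast straight to `size_t`, so a zero or negative result is not caught here either, although UA_Openssl_RSA_Public_Encrypt does test `keySize == 0`. Before the loop I would add `if (keySize == 0 || keySize > sizeof(buf) || data->length % keySize != 0)`, freeing `ctx` and returning `UA_STATUSCODE_BADINVALIDARGUMENT`. `buf` also still holds decrypted plaintext when the function returns; calling `OPENSSL_cleanse(buf, sizeof(buf));` on every exit path would avoid leaving it on the stack.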


@ -471,9 +471,11 @@ UA_CertificateVerification_Verify (void * verificationContext,
ret = UA_STATUSCODE_BADINTERNALERROR;
goto cleanup;
}
(void) X509_STORE_CTX_set0_trusted_stack (storeCtx, ctx->skTrusted);
#if defined(OPENSSL_API_COMPAT) && OPENSSL_API_COMPAT < 0x10100000L
(void) X509_STORE_CTX_trusted_stack (storeCtx, ctx->skTrusted);
#else
(void) X509_STORE_CTX_set0_trusted_stack (storeCtx, ctx->skTrusted);
#endif
/* Set crls to ctx */
if (sk_X509_CRL_num (ctx->skCrls) > 0) {
@ -579,14 +581,6 @@ cleanup:
return ret;
}
static UA_StatusCode
UA_VerifyCertificateAllowAll (void * verificationContext,
const UA_ByteString * certificate) {
(void) verificationContext;
(void) certificate;
return UA_STATUSCODE_GOOD;
}
static UA_StatusCode
UA_CertificateVerification_VerifyApplicationURI (void * verificationContext,
const UA_ByteString * certificate,
@ -672,10 +666,7 @@ UA_CertificateVerification_Trustlist(UA_CertificateVerification * cv,
cv->verifyApplicationURI = UA_CertificateVerification_VerifyApplicationURI;
cv->clear = UA_CertificateVerification_clear;
cv->context = context;
if (certificateTrustListSize > 0)
cv->verifyCertificate = UA_CertificateVerification_Verify;
else
cv->verifyCertificate = UA_VerifyCertificateAllowAll;
cv->verifyCertificate = UA_CertificateVerification_Verify;
if (certificateTrustListSize > 0) {
if (UA_skTrusted_Cert2X509 (certificateTrustList, certificateTrustListSize,
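Review bot: The new guard `#if defined(OPENSSL_API_COMPAT) && OPENSSL_API_COMPAT < 0x10100000L` in UA_CertificateVerification_Verify keys on a macro that the build defines to request deprecated-API compatibility, not on the version of the library being compiled against. If the intent is to support OpenSSL older than 1.1.0, where as far as I know `X509_STORE_CTX_set0_trusted_stack` is not available, a build that does not define OPENSSL_API_COMPAT still takes the `#else` branch and would fail to compile. The OpenSSL security-policy file in this same commit selects on `OPENSSL_VERSION_NUMBER`; `#if OPENSSL_VERSION_NUMBER < 0x10100000L` here would be consistent with that. A one-line comment naming the OpenSSL release each branch targets would also help the next maintainer.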


@ -10,6 +10,7 @@
#include <open62541/client_config_default.h>
#include <open62541/client_highlevel.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>
@ -62,6 +63,9 @@ static void setup(void) {
issuerList, issuerListSize,
revocationList, revocationListSize);
config->certificateVerification.clear(&config->certificateVerification);
UA_CertificateVerification_AcceptAll(&config->certificateVerification);
/* Set the ApplicationUri used in the certificate */
UA_String_clear(&config->applicationDescription.applicationUri);
config->applicationDescription.applicationUri =
@ -103,6 +107,8 @@ START_TEST(encryption_reconnect_session) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
ck_assert(client != NULL);
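Review bot: Both added pairs (in `setup` and in `encryption_reconnect_session`) replace the verifier that the encryption setup just installed with `UA_CertificateVerification_AcceptAll`, so this test no longer exercises certificate validation at all, and no comment says why. I would add `/* The test passes an empty trust list, which is no longer treated as accept-all */` above each pair, assuming that is the reason, and keep at least one test that runs with a populated trust list plus one that expects rejection when the list is empty. The same two lines are added to `setup`, `encryption_connect` and `encryption_connect_pem` in the four test files that follow; a shared test helper would avoid repeating them. The enclosing functions start and end outside the hunks.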


@ -10,6 +10,7 @@
#include <open62541/client_config_default.h>
#include <open62541/client_highlevel.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>
@ -74,6 +75,8 @@ static void setup(void) {
trustList, trustListSize,
issuerList, issuerListSize,
revocationList, revocationListSize);
config->certificateVerification.clear(&config->certificateVerification);
UA_CertificateVerification_AcceptAll(&config->certificateVerification);
/* Set the ApplicationUri used in the certificate */
UA_String_clear(&config->applicationDescription.applicationUri);
@ -151,6 +154,8 @@ START_TEST(encryption_connect) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep");
ck_assert(client != NULL);
@ -232,6 +237,8 @@ START_TEST(encryption_connect_pem) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep");
ck_assert(client != NULL);


@ -8,6 +8,7 @@
#include <open62541/client_config_default.h>
#include <open62541/plugin/securitypolicy_default.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server_config_default.h>
#include "client/ua_client_internal.h"
@ -71,6 +72,8 @@ static void setup(void) {
trustList, trustListSize,
issuerList, issuerListSize,
revocationList, revocationListSize);
config->certificateVerification.clear(&config->certificateVerification);
UA_CertificateVerification_AcceptAll(&config->certificateVerification);
/* Set the ApplicationUri used in the certificate */
UA_String_clear(&config->applicationDescription.applicationUri);
@ -148,6 +151,8 @@ START_TEST(encryption_connect) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15");
ck_assert(client != NULL);
@ -229,6 +234,8 @@ START_TEST(encryption_connect_pem) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15");
ck_assert(client != NULL);


@ -10,6 +10,7 @@
#include <open62541/client_config_default.h>
#include <open62541/client_highlevel.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>
@ -74,6 +75,8 @@ static void setup(void) {
trustList, trustListSize,
issuerList, issuerListSize,
revocationList, revocationListSize);
config->certificateVerification.clear(&config->certificateVerification);
UA_CertificateVerification_AcceptAll(&config->certificateVerification);
/* Set the ApplicationUri used in the certificate */
UA_String_clear(&config->applicationDescription.applicationUri);
@ -151,6 +154,8 @@ START_TEST(encryption_connect) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256");
ck_assert(client != NULL);
@ -232,6 +237,8 @@ START_TEST(encryption_connect_pem) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256");
ck_assert(client != NULL);


@ -10,6 +10,7 @@
#include <open62541/client_config_default.h>
#include <open62541/client_highlevel.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>
@ -74,6 +75,8 @@ static void setup(void) {
trustList, trustListSize,
issuerList, issuerListSize,
revocationList, revocationListSize);
config->certificateVerification.clear(&config->certificateVerification);
UA_CertificateVerification_AcceptAll(&config->certificateVerification);
/* Set the ApplicationUri used in the certificate */
UA_String_clear(&config->applicationDescription.applicationUri);
@ -151,6 +154,8 @@ START_TEST(encryption_connect) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
ck_assert(client != NULL);
@ -232,6 +237,8 @@ START_TEST(encryption_connect_pem) {
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
trustList, trustListSize,
revocationList, revocationListSize);
cc->certificateVerification.clear(&cc->certificateVerification);
UA_CertificateVerification_AcceptAll(&cc->certificateVerification);
cc->securityPolicyUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");
ck_assert(client != NULL);