fix(core): Make PolicyIds unique by appending the security mode

Julius Pfrommer 2023-07-18 12:06:17 +02:00 committed by Julius Pfrommer
parent db5b40ee05
commit b1198f814d
2 changed files with 38 additions and 6 deletions


@ -69,17 +69,29 @@ activateSession_default(UA_Server *server, UA_AccessControl *ac,
const UA_AnonymousIdentityToken *token = (UA_AnonymousIdentityToken*)
userIdentityToken->content.decoded.data;
/* Compatibility notice: Siemens OPC Scout v10 provides an empty
/* Match the beginnig of the PolicyId.
* Compatibility notice: Siemens OPC Scout v10 provides an empty
* policyId. This is not compliant. For compatibility, assume that empty
* policyId == ANONYMOUS_POLICY */
if(token->policyId.data && !UA_String_equal(&token->policyId, &anonymous_policy))
if(token->policyId.data &&
(token->policyId.length < anonymous_policy.length ||
strncmp((const char*)token->policyId.data,
(const char*)anonymous_policy.data,
anonymous_policy.length) != 0)) {
return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
}
} else if(tokenType == &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) {
/* Username and password */
const UA_UserNameIdentityToken *userToken =
(UA_UserNameIdentityToken*)userIdentityToken->content.decoded.data;
if(!UA_String_equal(&userToken->policyId, &username_policy))
const UA_UserNameIdentityToken *userToken = (UA_UserNameIdentityToken*)
userIdentityToken->content.decoded.data;
/* Match the beginnig of the PolicyId */
if(userToken->policyId.length < username_policy.length ||
strncmp((const char*)userToken->policyId.data,
(const char*)username_policy.data,
username_policy.length) != 0) {
return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
}
/* The userToken has been decrypted by the server before forwarding
* it to the plugin. This information can be used here. */
@ -107,8 +119,13 @@ activateSession_default(UA_Server *server, UA_AccessControl *ac,
const UA_X509IdentityToken *userToken = (UA_X509IdentityToken*)
userIdentityToken->content.decoded.data;
if(!UA_String_equal(&userToken->policyId, &certificate_policy))
/* Match the beginnig of the PolicyId */
if(userToken->policyId.length < certificate_policy.length ||
strncmp((const char*)userToken->policyId.data,
(const char*)certificate_policy.data,
certificate_policy.length) != 0) {
return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
}
if(!config->sessionPKI.verifyCertificate)
return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
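Review bot: The three new comparisons (anonymous, username and X509 branches) only check that the token's policyId starts with the base policy string, so any trailing bytes are accepted, including a security-mode suffix that belongs to a different endpoint than the one the session runs on. Since the suffix is what makes the PolicyId unique per endpoint, the remainder should be validated too, for example by comparing the whole policyId against the userIdentityTokens of the session's endpoint if that description is reachable from this callback; at minimum state the limitation in the comment, `/* Prefix match only: the appended SecurityMode suffix is not checked here */`. Both operands are length-delimited UA_String values, so `memcmp` over the base policy length is a better fit than `strncmp`, which stops at an embedded NUL byte. The comment typo "beginnig" appears three times. activateSession_default starts and ends outside these hunks.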


@ -180,6 +180,8 @@ const UA_ConnectionConfig UA_ConnectionConfig_default = {
#define VERSION(MAJOR, MINOR, PATCH, LABEL) \
STRINGIFY(MAJOR) "." STRINGIFY(MINOR) "." STRINGIFY(PATCH) LABEL
const char *securityModeStrs[4] = {"-invalid", "-none", "-sign", "-sign+encrypt"};
static UA_StatusCode
addEndpoint(UA_ServerConfig *conf,
const UA_SecurityPolicy *securityPolicy,
@ -218,6 +220,19 @@ addEndpoint(UA_ServerConfig *conf,
if(retval == UA_STATUSCODE_GOOD)
endpoint->userIdentityTokensSize = conf->accessControl.userTokenPoliciesSize;
/* Append the SecurityMode to the usertokenpolicy PolicyId */
for(size_t i = 0; i < endpoint->userIdentityTokensSize; i++) {
UA_UserTokenPolicy *utp = &endpoint->userIdentityTokens[i];
size_t newLen = utp->policyId.length + strlen(securityModeStrs[securityMode]);
UA_Byte *newString = (UA_Byte*)UA_realloc(utp->policyId.data, newLen);
memcpy(&newString[utp->policyId.length], securityModeStrs[securityMode],
strlen(securityModeStrs[securityMode]));
if(!newString)
continue;
utp->policyId.data = newString;
utp->policyId.length = newLen;
}
retval |= UA_String_copy(&securityPolicy->policyUri, &endpoint->securityPolicyUri);
endpoint->transportProfileUri =
UA_STRING_ALLOC("http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary");
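Review bot: In the new loop in addEndpoint, `memcpy` writes through `newString` before the `if(!newString)` check, so a failed `UA_realloc` becomes a write at a NULL-based address instead of a skipped entry. Move the check above the copy and report the failure rather than silently leaving a non-unique PolicyId: `if(!newString) { retval |= UA_STATUSCODE_BADOUTOFMEMORY; continue; }`. `securityModeStrs[securityMode]` is also indexed without a range check against the four entries; whether callers can pass a value outside 0–3 is not visible here, so a guard or a `/* securityMode must be one of the four UA_MessageSecurityMode values */` comment would help. The table itself could be declared `static const char * const` so it does not add a writable global symbol. addEndpoint's body starts and ends outside the hunk.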