#include "securevirtualresourcetypes.h"
#include "secureresourcemanager.h"
#include "srmresourcestrings.h"
+#include "ocresourcehandler.h"
-#define TAG "SRM"
-
-#ifdef __WITH_X509__
-#include "crlresource.h"
-#endif // __WITH_X509__
+#if defined( __WITH_TLS__) || defined(__WITH_DTLS__)
+#include "pkix_interface.h"
+#endif //__WITH_TLS__ or __WITH_DTLS__
+#define TAG "OIC_SRM"
//Request Callback handler
static CARequestCallback gRequestHandler = NULL;
sizeof(responseInfo.info));
responseInfo.info.payload = NULL;
responseInfo.result = CA_UNAUTHORIZED_REQ;
+ responseInfo.info.dataType = CA_RESPONSE_DATA;
if (CA_STATUS_OK == CASendResponse(context->amsMgrContext->endpoint, &responseInfo))
{
{
OIC_LOG(DEBUG, TAG, "Received request from remote device");
+ bool isRequestOverSecureChannel = false;
if (!endPoint || !requestInfo)
{
OIC_LOG(ERROR, TAG, "Invalid arguments");
// Copy the subjectID
OicUuid_t subjectId = {.id = {0}};
memcpy(subjectId.id, requestInfo->info.identity.id, sizeof(subjectId.id));
+ if (endPoint->flags & CA_SECURE)
+ {
+ OIC_LOG(INFO, TAG, "request over secure channel");
+ isRequestOverSecureChannel = true;
+ }
//Check the URI has the query and skip it before checking the permission
+ if (NULL == requestInfo->info.resourceUri)
+ {
+ OIC_LOG(ERROR, TAG, "Invalid resourceUri");
+ return;
+ }
+
char *uri = strstr(requestInfo->info.resourceUri, "?");
int position = 0;
if (uri)
SetResourceRequestType(&g_policyEngineContext, newUri);
+ // Form a 'Error', 'slow response' or 'access deny' response and send to peer
+ CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
+ memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info));
+ responseInfo.info.payload = NULL;
+ responseInfo.info.dataType = CA_RESPONSE_DATA;
+
+ OCResource *resPtr = FindResourceByUri(newUri);
+ if (NULL != resPtr)
+ {
+ // All vertical secure resources and SVR resources other than DOXM & PSTAT should reject request
+ // over coap.
+ if ((((resPtr->resourceProperties) & OC_SECURE)
+ && (g_policyEngineContext.resourceType == NOT_A_SVR_RESOURCE))
+ || ((g_policyEngineContext.resourceType < OIC_SEC_SVR_TYPE_COUNT)
+ && (g_policyEngineContext.resourceType != OIC_R_DOXM_TYPE)
+ && (g_policyEngineContext.resourceType != OIC_R_PSTAT_TYPE)))
+ {
+ // if resource is secure and request is over insecure channel
+ if (!isRequestOverSecureChannel)
+ {
+ // Reject all the requests over coap for secure resource.
+ responseInfo.result = CA_FORBIDDEN_REQ;
+ if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo))
+ {
+ OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!");
+ }
+ return;
+ }
+ }
+ }
+#ifdef _ENABLE_MULTIPLE_OWNER_
+ /*
+ * In case of ACL and CRED, The payload required to verify the payload.
+ * Payload information will be used for subowner's permission verification.
+ */
+ g_policyEngineContext.payload = (uint8_t*)requestInfo->info.payload;
+ g_policyEngineContext.payloadSize = requestInfo->info.payloadSize;
+#endif //_ENABLE_MULTIPLE_OWNER_
+
//New request are only processed if the policy engine state is AWAITING_REQUEST.
if (AWAITING_REQUEST == g_policyEngineContext.state)
{
return;
}
- // Form a 'Error', 'slow response' or 'access deny' response and send to peer
- CAResponseInfo_t responseInfo = {.result = CA_EMPTY};
- memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info));
- responseInfo.info.payload = NULL;
-
VERIFY_NON_NULL(TAG, gRequestHandler, ERROR);
if (ACCESS_WAITING_FOR_AMS == response)
gErrorHandler = errHandler;
-#if defined(__WITH_DTLS__)
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
CARegisterHandler(SRMRequestHandler, SRMResponseHandler, SRMErrorHandler);
#else
CARegisterHandler(reqHandler, respHandler, errHandler);
// behavior (for when SVR DB is missing) is settled.
InitSecureResources();
OCStackResult ret = OC_STACK_OK;
-#if defined(__WITH_DTLS__)
- if(CA_STATUS_OK != CARegisterDTLSCredentialsHandler(GetDtlsPskCredentials))
+#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
+ if (CA_STATUS_OK != CAregisterPskCredentialsHandler(GetDtlsPskCredentials))
{
- OIC_LOG(ERROR, TAG, "Failed to revert DTLS credential handler.");
+ OIC_LOG(ERROR, TAG, "Failed to revert TLS credential handler.");
ret = OC_STACK_ERROR;
}
-
-#endif // (__WITH_DTLS__)
-#if defined(__WITH_X509__)
- CARegisterDTLSX509CredentialsHandler(GetDtlsX509Credentials);
- CARegisterDTLSCrlHandler(GetDerCrl);
-#endif // (__WITH_X509__)
-
+ CAregisterPkixInfoHandler(GetPkixInfo);
+ CAregisterGetCredentialTypesHandler(InitCipherSuiteList);
+#endif // __WITH_DTLS__ or __WITH_TLS__
return ret;
}
OIC_RSRC_PCONF_URI,
OIC_RSRC_DPAIRING_URI,
OIC_RSRC_VER_URI,
+ OC_RSRVD_PROV_CRL_URL
};
// Remove query from Uri for resource string comparison