X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=resource%2Fcsdk%2Fsecurity%2Fsrc%2Fsecureresourcemanager.c;h=a91b10f9732ebfd4c5b51265d2f1b312c15fca29;hb=ed12a86f1b4b488b08bc32d67009ab16df132cf1;hp=9806813a423dcb63484fb02266d6e75982cd0c79;hpb=c7080dd10db28cd74639df408635e9e0ff4c7cd2;p=platform%2Fupstream%2Fiotivity.git diff --git a/resource/csdk/security/src/secureresourcemanager.c b/resource/csdk/security/src/secureresourcemanager.c index 9806813..a91b10f 100644 --- a/resource/csdk/security/src/secureresourcemanager.c +++ b/resource/csdk/security/src/secureresourcemanager.c @@ -32,12 +32,12 @@ #include "securevirtualresourcetypes.h" #include "secureresourcemanager.h" #include "srmresourcestrings.h" +#include "ocresourcehandler.h" -#define TAG "SRM" - -#ifdef __WITH_X509__ -#include "crlresource.h" -#endif // __WITH_X509__ +#if defined( __WITH_TLS__) || defined(__WITH_DTLS__) +#include "pkix_interface.h" +#endif //__WITH_TLS__ or __WITH_DTLS__ +#define TAG "OIC_SRM" //Request Callback handler static CARequestCallback gRequestHandler = NULL; @@ -135,6 +135,7 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ { OIC_LOG(DEBUG, TAG, "Received request from remote device"); + bool isRequestOverSecureChannel = false; if (!endPoint || !requestInfo) { OIC_LOG(ERROR, TAG, "Invalid arguments"); @@ -144,8 +145,19 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ // Copy the subjectID OicUuid_t subjectId = {.id = {0}}; memcpy(subjectId.id, requestInfo->info.identity.id, sizeof(subjectId.id)); + if (endPoint->flags & CA_SECURE) + { + OIC_LOG(INFO, TAG, "request over secure channel"); + isRequestOverSecureChannel = true; + } //Check the URI has the query and skip it before checking the permission + if (NULL == requestInfo->info.resourceUri) + { + OIC_LOG(ERROR, TAG, "Invalid resourceUri"); + return; + } + char *uri = strstr(requestInfo->info.resourceUri, "?"); int position = 0; if (uri) 
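Review bot: The added `NULL == requestInfo->info.resourceUri` guard returns without sending anything to the peer, unlike the insecure-channel rejection added later in this function, which answers with `CA_FORBIDDEN_REQ`. If the CA layer can actually deliver a request without a URI, the only trace is the ERROR log line, so either reply with an error result or document the drop, e.g. `// Malformed request (no URI): dropped without a reply, nothing to authorize`. The existing comment `//Check the URI has the query and skip it before checking the permission` now sits above the guard instead of the `strstr` call it describes and should move down with it. `isRequestOverSecureChannel` is only ever set from `endPoint->flags & CA_SECURE`, so it could be assigned once after the argument check as `isRequestOverSecureChannel = (endPoint->flags & CA_SECURE) != 0;`. SRMRequestHandler's body starts and ends outside this hunk.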
@@ -168,6 +180,45 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ SetResourceRequestType(&g_policyEngineContext, newUri); + // Form a 'Error', 'slow response' or 'access deny' response and send to peer + CAResponseInfo_t responseInfo = {.result = CA_EMPTY}; + memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info)); + responseInfo.info.payload = NULL; + responseInfo.info.dataType = CA_RESPONSE_DATA; + + OCResource *resPtr = FindResourceByUri(newUri); + if (NULL != resPtr) + { + // All vertical secure resources and SVR resources other than DOXM & PSTAT should reject request + // over coap. + if ((((resPtr->resourceProperties) & OC_SECURE) + && (g_policyEngineContext.resourceType == NOT_A_SVR_RESOURCE)) + || ((g_policyEngineContext.resourceType < OIC_SEC_SVR_TYPE_COUNT) + && (g_policyEngineContext.resourceType != OIC_R_DOXM_TYPE) + && (g_policyEngineContext.resourceType != OIC_R_PSTAT_TYPE))) + { + // if resource is secure and request is over insecure channel + if (!isRequestOverSecureChannel) + { + // Reject all the requests over coap for secure resource. + responseInfo.result = CA_FORBIDDEN_REQ; + if (CA_STATUS_OK != CASendResponse(endPoint, &responseInfo)) + { + OIC_LOG(ERROR, TAG, "Failed in sending response to a unauthorized request!"); + } + return; + } + } + } +#ifdef _ENABLE_MULTIPLE_OWNER_ + /* + * In case of ACL and CRED, The payload required to verify the payload. + * Payload information will be used for subowner's permission verification. + */ + g_policyEngineContext.payload = (uint8_t*)requestInfo->info.payload; + g_policyEngineContext.payloadSize = requestInfo->info.payloadSize; +#endif //_ENABLE_MULTIPLE_OWNER_ + //New request are only processed if the policy engine state is AWAITING_REQUEST. if (AWAITING_REQUEST == g_policyEngineContext.state) { 
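Review bot: The secure-channel gate is wrapped in `if (NULL != resPtr)`, so when `FindResourceByUri(newUri)` returns NULL the SVR half of the condition is never evaluated, even though it depends only on `g_policyEngineContext.resourceType`. Whether every SVR is always present in the resource list is not visible here; evaluating the SVR test independently of the lookup would make the check fail closed, as sketched below. Separately, under `_ENABLE_MULTIPLE_OWNER_` the global `g_policyEngineContext.payload` keeps a borrowed pointer into `requestInfo`; if the context outlives this callback (for example on the `ACCESS_WAITING_FOR_AMS` path) that pointer would presumably dangle, so it deserves a lifetime comment or a reset before returning. The function body starts and ends outside this hunk.

```c
OCResource *resPtr = FindResourceByUri(newUri);

// SVR classification comes from the policy engine context, so it must not
// depend on the resource lookup succeeding.
const bool isProtectedSvr =
    (g_policyEngineContext.resourceType < OIC_SEC_SVR_TYPE_COUNT)
    && (g_policyEngineContext.resourceType != OIC_R_DOXM_TYPE)
    && (g_policyEngineContext.resourceType != OIC_R_PSTAT_TYPE);

// Vertical (non-SVR) resources are protected only when flagged OC_SECURE.
const bool isSecureVertical =
    (NULL != resPtr)
    && ((resPtr->resourceProperties) & OC_SECURE)
    && (g_policyEngineContext.resourceType == NOT_A_SVR_RESOURCE);

if ((isProtectedSvr || isSecureVertical) && !isRequestOverSecureChannel)
{
    // ... unchanged: set CA_FORBIDDEN_REQ, CASendResponse, log on failure, return ...
}
```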
@@ -188,12 +239,6 @@ void SRMRequestHandler(const CAEndpoint_t *endPoint, const CARequestInfo_t *requ return; } - // Form a 'Error', 'slow response' or 'access deny' response and send to peer - CAResponseInfo_t responseInfo = {.result = CA_EMPTY}; - memcpy(&responseInfo.info, &(requestInfo->info), sizeof(responseInfo.info)); - responseInfo.info.payload = NULL; - responseInfo.info.dataType = CA_RESPONSE_DATA; - VERIFY_NON_NULL(TAG, gRequestHandler, ERROR); if (ACCESS_WAITING_FOR_AMS == response) @@ -286,7 +331,7 @@ OCStackResult SRMRegisterHandler(CARequestCallback reqHandler, gErrorHandler = errHandler; -#if defined(__WITH_DTLS__) +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) CARegisterHandler(SRMRequestHandler, SRMResponseHandler, SRMErrorHandler); #else CARegisterHandler(reqHandler, respHandler, errHandler); @@ -317,19 +362,15 @@ OCStackResult SRMInitSecureResources() // behavior (for when SVR DB is missing) is settled. InitSecureResources(); OCStackResult ret = OC_STACK_OK; -#if defined(__WITH_DTLS__) - if(CA_STATUS_OK != CARegisterDTLSCredentialsHandler(GetDtlsPskCredentials)) +#if defined(__WITH_DTLS__) || defined(__WITH_TLS__) + if (CA_STATUS_OK != CAregisterPskCredentialsHandler(GetDtlsPskCredentials)) { - OIC_LOG(ERROR, TAG, "Failed to revert DTLS credential handler."); + OIC_LOG(ERROR, TAG, "Failed to revert TLS credential handler."); ret = OC_STACK_ERROR; } - -#endif // (__WITH_DTLS__) -#if defined(__WITH_X509__) - CARegisterDTLSX509CredentialsHandler(GetDtlsX509Credentials); - CARegisterDTLSCrlHandler(GetDerCrl); -#endif // (__WITH_X509__) - + CAregisterPkixInfoHandler(GetPkixInfo); + CAregisterGetCredentialTypesHandler(InitCipherSuiteList); +#endif // __WITH_DTLS__ or __WITH_TLS__ return ret; } @@ -366,6 +407,7 @@ bool SRMIsSecurityResourceURI(const char* uri) OIC_RSRC_PCONF_URI, OIC_RSRC_DPAIRING_URI, OIC_RSRC_VER_URI, + OC_RSRVD_PROV_CRL_URL }; // Remove query from Uri for resource string comparison
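Review bot: The failure message `"Failed to revert TLS credential handler."` in SRMInitSecureResources describes a revert, but this branch is the initial registration of the PSK handler for both DTLS and TLS; `"Failed to register PSK credentials handler."` would match what the code does. The hunk also drops the explicit `CARegisterDTLSCrlHandler(GetDerCrl)` call, and nothing visible here shows where revocation data is supplied now. Presumably `GetPkixInfo` carries it, which is worth a one-line comment above `CAregisterPkixInfoHandler(GetPkixInfo);` such as `// PKIX info handler also supplies the CRL (replaces CARegisterDTLSCrlHandler)` once confirmed. When PSK registration fails, the function still registers the PKIX and credential-type handlers and only then returns `OC_STACK_ERROR`.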
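Review bot: `OC_RSRVD_PROV_CRL_URL` is added to the URI list in SRMIsSecurityResourceURI, but the insecure-channel rejection added in SRMRequestHandler keys off `g_policyEngineContext.resourceType`, not this list. Whether `SetResourceRequestType` maps the CRL URI to an SVR type is not visible in this diff; if it does not, the CRL resource would count as a security resource here yet fall under the `NOT_A_SVR_RESOURCE` branch there, so the two classifications should be checked against each other. The new entry also breaks the `OIC_RSRC_*_URI` naming of its neighbours and omits the trailing comma the preceding entries carry; a short comment such as `// CRL provisioning resource` would explain why it belongs in the list. The array and the function continue outside the hunk.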