Merge pull request open62541#6752 from jpfr/merge_13_14_19

Merge 1.3 to 1.4

CMakeLists.txt

@@ -40,7 +40,7 @@ set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 # overwritten with more detailed information if git is available.
 set(OPEN62541_VER_MAJOR 1)
 set(OPEN62541_VER_MINOR 4)
-set(OPEN62541_VER_PATCH 5)
+set(OPEN62541_VER_PATCH 6)
 set(OPEN62541_VER_LABEL "-undefined") # like "-rc1" or "-g4538abcd" or "-g4538abcd-dirty"
 set(OPEN62541_VER_COMMIT "unknown-commit")
 

include/open62541/client.h

@@ -101,9 +101,9 @@ struct UA_ClientConfig {
      * message. */
     UA_ExtensionObject userIdentityToken; /* Configured User-Identity Token */
     UA_MessageSecurityMode securityMode;  /* None, Sign, SignAndEncrypt. The
-                                           * default is invalid. This indicates
-                                           * the client to select any matching
-                                           * endpoint. */
+                                           * default is "invalid". This
+                                           * indicates the client to select any
+                                           * matching endpoint. */
     UA_String securityPolicyUri; /* SecurityPolicy for the SecureChannel. An
                                   * empty string indicates the client to select
                                   * any matching SecurityPolicy. */
@@ -116,27 +116,16 @@ struct UA_ClientConfig {
                               * connection when the Session is lost. */
 
     /**
-     * If either endpoint or userTokenPolicy has been set (at least one non-zero
-     * byte in either structure), then the selected Endpoint and UserTokenPolicy
-     * overwrite the settings in the basic connection configuration. The
-     * userTokenPolicy array in the EndpointDescription is ignored. The selected
-     * userTokenPolicy is set in the dedicated configuration field.
-     *
-     * If the advanced configuration is not set, the client will write to it the
-     * selected Endpoint and UserTokenPolicy during GetEndpoints.
-     *
-     * The information in the advanced configuration is used during reconnect
-     * when the SecureChannel was broken. */
+     * If either endpoint or userTokenPolicy has been set, then they are used
+     * directly. Otherwise this information comes from the GetEndpoints response
+     * from the server (filtered and selected for the SecurityMode, etc.). */
     UA_EndpointDescription endpoint;
     UA_UserTokenPolicy userTokenPolicy;
 
     /**
      * If the EndpointDescription has not been defined, the ApplicationURI
-     * constrains the servers considered in the FindServers service and the
-     * Endpoints considered in the GetEndpoints service.
-     *
-     * If empty the applicationURI is not used to filter.
-     */
+     * filters the servers considered in the FindServers service and the
+     * Endpoints considered in the GetEndpoints service. */
     UA_String applicationUri;
 
     /**
@@ -179,6 +168,7 @@ struct UA_ClientConfig {
      * secure channel is selected.*/
     size_t authSecurityPoliciesSize;
     UA_SecurityPolicy *authSecurityPolicies;
+
     /* SecurityPolicyUri for the Authentication. */
     UA_String authSecurityPolicyUri;
 

plugins/crypto/mbedtls/ua_securitypolicy_basic128rsa15.c

@@ -735,6 +735,10 @@ UA_SecurityPolicy_Basic128Rsa15(UA_SecurityPolicy *policy, const UA_ByteString l
     memset(policy, 0, sizeof(UA_SecurityPolicy));
     policy->logger = logger;
 
+    UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY,
+                   "!! WARNING !! The Basic128Rsa15 SecurityPolicy is unsecure. "
+                   "There are known attacks that break the encryption.");
+
     policy->policyUri = UA_STRING("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15\0");
 
     UA_SecurityPolicyAsymmetricModule *const asymmetricModule = &policy->asymmetricModule;

plugins/crypto/mbedtls/ua_securitypolicy_basic256.c

@@ -665,6 +665,11 @@ policyContext_newContext_sp_basic256(UA_SecurityPolicy *securityPolicy,
 UA_StatusCode
 UA_SecurityPolicy_Basic256(UA_SecurityPolicy *policy, const UA_ByteString localCertificate,
                            const UA_ByteString localPrivateKey, const UA_Logger *logger) {
+
+    UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY,
+                   "!! WARNING !! The Basic256 SecurityPolicy is unsecure. "
+                   "There are known attacks that break the encryption.");
+
     memset(policy, 0, sizeof(UA_SecurityPolicy));
     policy->logger = logger;
 

plugins/crypto/openssl/ua_openssl_basic128rsa15.c

@@ -549,6 +549,10 @@ UA_SecurityPolicy_Basic128Rsa15 (UA_SecurityPolicy * policy,
                                  const UA_ByteString localPrivateKey,
                                  const UA_Logger *   logger) {
 
+    UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY,
+                   "!! WARNING !! The Basic128Rsa15 SecurityPolicy is unsecure. "
+                   "There are known attacks that break the encryption.");
+
     UA_SecurityPolicyAsymmetricModule * const asymmetricModule = &policy->asymmetricModule;
     UA_SecurityPolicySymmetricModule * const  symmetricModule = &policy->symmetricModule;
     UA_SecurityPolicyChannelModule * const    channelModule = &policy->channelModule;

plugins/crypto/openssl/ua_openssl_basic256.c

@@ -550,6 +550,11 @@ UA_SecurityPolicy_Basic256 (UA_SecurityPolicy * policy,
                             const UA_ByteString localCertificate,
                             const UA_ByteString localPrivateKey,
                             const UA_Logger *   logger) {
+
+    UA_LOG_WARNING(logger, UA_LOGCATEGORY_SECURITYPOLICY,
+                   "!! WARNING !! The Basic256 SecurityPolicy is unsecure. "
+                   "There are known attacks that break the encryption.");
+
     UA_SecurityPolicyAsymmetricModule * const asymmetricModule = &policy->asymmetricModule;
     UA_SecurityPolicySymmetricModule * const  symmetricModule = &policy->symmetricModule;
     UA_SecurityPolicyChannelModule * const    channelModule = &policy->channelModule;

plugins/ua_config_default.c

@@ -936,23 +936,23 @@ addAllSecurityPolicies(UA_ServerConfig *config, const UA_ByteString *certificate
                        UA_StatusCode_name(retval));
     }
 
-    /* Basic128Rsa15 */
-    retval = UA_ServerConfig_addSecurityPolicyBasic128Rsa15(config, &localCertificate,
-                                                            &decryptedPrivateKey);
-    if(retval != UA_STATUSCODE_GOOD) {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic128Rsa15 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    /* Basic256 */
-    retval = UA_ServerConfig_addSecurityPolicyBasic256(config, &localCertificate,
-                                                       &decryptedPrivateKey);
-    if(retval != UA_STATUSCODE_GOOD) {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic256 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
+    /* Basic128Rsa15 should no longer be used */
+    /* retval = UA_ServerConfig_addSecurityPolicyBasic128Rsa15(config, &localCertificate, */
+    /*                                                         &decryptedPrivateKey); */
+    /* if(retval != UA_STATUSCODE_GOOD) { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic128Rsa15 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
+
+    /* Basic256 should no longer be used */
+    /* retval = UA_ServerConfig_addSecurityPolicyBasic256(config, &localCertificate, */
+    /*                                                    &decryptedPrivateKey); */
+    /* if(retval != UA_STATUSCODE_GOOD) { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic256 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
 
     UA_ByteString_memZero(&decryptedPrivateKey);
     UA_ByteString_clear(&decryptedPrivateKey);
@@ -1183,6 +1183,83 @@ UA_ClientConfig_setDefault(UA_ClientConfig *config) {
 
 #ifdef UA_ENABLE_ENCRYPTION
 
+static UA_StatusCode
+clientConfig_setAuthenticationSecurityPolicies(UA_ClientConfig *config,
+                                               UA_ByteString certificateAuth,
+                                               UA_ByteString privateKeyAuth) {
+    UA_SecurityPolicy *sp = (UA_SecurityPolicy*)
+        UA_realloc(config->authSecurityPolicies, sizeof(UA_SecurityPolicy) * 3);
+    if(!sp)
+        return UA_STATUSCODE_BADOUTOFMEMORY;
+    config->authSecurityPolicies = sp;
+
+    /* Clean up old SecurityPolicies */
+    for(size_t i = 0; i < config->authSecurityPoliciesSize; i++) {
+        config->authSecurityPolicies[i].clear(&config->authSecurityPolicies[i]);
+    }
+    config->authSecurityPoliciesSize = 0;
+
+    /* Basic128Rsa15 is unsecure and should not be used */
+    /* sp = &config->authSecurityPolicies[config->authSecurityPoliciesSize]; */
+    /* retval = UA_SecurityPolicy_Basic128Rsa15(sp, certificateAuth, privateKeyAuth, config->logging); */
+    /* if(retval == UA_STATUSCODE_GOOD) { */
+    /*     ++config->authSecurityPoliciesSize; */
+    /* } else { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic128Rsa15 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
+
+    /* Basic256 is unsecure and should not be used */
+    /* sp = &config->authSecurityPolicies[config->authSecurityPoliciesSize]; */
+    /* retval = UA_SecurityPolicy_Basic256(sp, certificateAuth, privateKeyAuth, config->logging); */
+    /* if(retval == UA_STATUSCODE_GOOD) { */
+    /*     ++config->authSecurityPoliciesSize; */
+    /* } else { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic256 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
+
+    UA_StatusCode retval;
+    sp = &config->authSecurityPolicies[config->authSecurityPoliciesSize];
+    retval = UA_SecurityPolicy_Aes256Sha256RsaPss(sp, certificateAuth, privateKeyAuth, config->logging);
+    if(retval == UA_STATUSCODE_GOOD) {
+        ++config->authSecurityPoliciesSize;
+    } else {
+        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
+                       "Could not add SecurityPolicy#Aes256Sha256RsaPss with error code %s",
+                       UA_StatusCode_name(retval));
+    }
+
+    sp = &config->authSecurityPolicies[config->authSecurityPoliciesSize];
+    retval = UA_SecurityPolicy_Basic256Sha256(sp, certificateAuth, privateKeyAuth, config->logging);
+    if(retval == UA_STATUSCODE_GOOD) {
+        ++config->authSecurityPoliciesSize;
+    } else {
+        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
+                       "Could not add SecurityPolicy#Basic256Sha256 with error code %s",
+                       UA_StatusCode_name(retval));
+    }
+
+    sp = &config->authSecurityPolicies[config->authSecurityPoliciesSize];
+    retval = UA_SecurityPolicy_Aes128Sha256RsaOaep(sp, certificateAuth, privateKeyAuth, config->logging);
+    if(retval == UA_STATUSCODE_GOOD) {
+        ++config->authSecurityPoliciesSize;
+    } else {
+        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
+                       "Could not add SecurityPolicy#Aes128Sha256RsaOaep with error code %s",
+                       UA_StatusCode_name(retval));
+    }
+
+    if(config->authSecurityPoliciesSize == 0) {
+        UA_free(config->authSecurityPolicies);
+        config->authSecurityPolicies = NULL;
+    }
+
+    return retval;
+}
+
 UA_StatusCode
 UA_ClientConfig_setDefaultEncryption(UA_ClientConfig *config,
                                      UA_ByteString localCertificate, UA_ByteString privateKey,
@@ -1234,27 +1311,29 @@ UA_ClientConfig_setDefaultEncryption(UA_ClientConfig *config,
     if(keySuccess != UA_STATUSCODE_GOOD)
         return keySuccess;
 
-    retval = UA_SecurityPolicy_Basic128Rsa15(&config->securityPolicies[config->securityPoliciesSize],
-                                             localCertificate, decryptedPrivateKey, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->securityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic128Rsa15 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    retval = UA_SecurityPolicy_Basic256(&config->securityPolicies[config->securityPoliciesSize],
-                                        localCertificate, decryptedPrivateKey, config->logging);
-
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->securityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic256 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
+    /* Basic128Rsa15 should no longer be used */
+    /* retval = UA_SecurityPolicy_Basic128Rsa15(&config->securityPolicies[config->securityPoliciesSize], */
+    /*                                          localCertificate, decryptedPrivateKey, config->logging); */
+    /* if(retval == UA_STATUSCODE_GOOD) { */
+    /*     ++config->securityPoliciesSize; */
+    /* } else { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic128Rsa15 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
+
+    /* Basic256 should no longer be used */
+    /* retval = UA_SecurityPolicy_Basic256(&config->securityPolicies[config->securityPoliciesSize], */
+    /*                                     localCertificate, decryptedPrivateKey, config->logging); */
+
+    /* if(retval == UA_STATUSCODE_GOOD) { */
+    /*     ++config->securityPoliciesSize; */
+    /* } else { */
+    /*     UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND, */
+    /*                    "Could not add SecurityPolicy#Basic256 with error code %s", */
+    /*                    UA_StatusCode_name(retval)); */
+    /* } */
+
     retval = UA_SecurityPolicy_Aes256Sha256RsaPss(&config->securityPolicies[config->securityPoliciesSize],
                                                   localCertificate, decryptedPrivateKey, config->logging);
     if(retval == UA_STATUSCODE_GOOD) {
@@ -1285,6 +1364,12 @@ UA_ClientConfig_setDefaultEncryption(UA_ClientConfig *config,
                        UA_StatusCode_name(retval));
     }
 
+    /* Set the same certificate also for authentication.
+     * Can be overridden with a different certificate. */
+    if(config->authSecurityPoliciesSize == 0)
+        clientConfig_setAuthenticationSecurityPolicies(config, localCertificate,
+                                                       decryptedPrivateKey);
+
     UA_ByteString_memZero(&decryptedPrivateKey);
     UA_ByteString_clear(&decryptedPrivateKey);
 
@@ -1307,6 +1392,7 @@ UA_ClientConfig_setAuthenticationCert(UA_ClientConfig *config,
                    "Certificate authentication with LibreSSL as crypto backend is not supported.");
     return UA_STATUSCODE_BADNOTIMPLEMENTED;
 #endif
+
     /* Create UserIdentityToken */
     UA_X509IdentityToken* identityToken = UA_X509IdentityToken_new();
     if(!identityToken)
@@ -1322,66 +1408,6 @@ UA_ClientConfig_setAuthenticationCert(UA_ClientConfig *config,
     config->userIdentityToken.content.decoded.data = identityToken;
 
     /* Populate SecurityPolicies */
-    UA_SecurityPolicy *sp = (UA_SecurityPolicy*)
-        UA_realloc(config->authSecurityPolicies, sizeof(UA_SecurityPolicy) * 5);
-    if(!sp)
-        return UA_STATUSCODE_BADOUTOFMEMORY;
-    config->authSecurityPolicies = sp;
-
-    retval = UA_SecurityPolicy_Basic128Rsa15(&config->authSecurityPolicies[config->authSecurityPoliciesSize],
-                                                           certificateAuth, privateKeyAuth, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->authSecurityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic128Rsa15 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    retval = UA_SecurityPolicy_Basic256(&config->authSecurityPolicies[config->authSecurityPoliciesSize],
-                                        certificateAuth, privateKeyAuth, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->authSecurityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic256 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    retval = UA_SecurityPolicy_Aes256Sha256RsaPss(&config->authSecurityPolicies[config->authSecurityPoliciesSize],
-                                                   certificateAuth, privateKeyAuth, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->authSecurityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Aes256Sha256RsaPss with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    retval = UA_SecurityPolicy_Basic256Sha256(&config->authSecurityPolicies[config->authSecurityPoliciesSize],
-                                              certificateAuth, privateKeyAuth, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->authSecurityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Basic256Sha256 with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    retval = UA_SecurityPolicy_Aes128Sha256RsaOaep(&config->authSecurityPolicies[config->authSecurityPoliciesSize],
-                                                   certificateAuth, privateKeyAuth, config->logging);
-    if(retval == UA_STATUSCODE_GOOD) {
-        ++config->authSecurityPoliciesSize;
-    } else {
-        UA_LOG_WARNING(config->logging, UA_LOGCATEGORY_USERLAND,
-                       "Could not add SecurityPolicy#Aes128Sha256RsaOaep with error code %s",
-                       UA_StatusCode_name(retval));
-    }
-
-    if(config->authSecurityPoliciesSize == 0) {
-        UA_free(config->authSecurityPolicies);
-        config->authSecurityPolicies = NULL;
-    }
-    return UA_STATUSCODE_GOOD;
+    return clientConfig_setAuthenticationSecurityPolicies(config, certificateAuth, privateKeyAuth);
 }
 #endif