/// <summary>
/// Processes an incoming message.
/// </summary>
/// <returns>True if the implementor takes ownership of the buffer.</returns>
protected override bool HandleIncomingMessage(uint messageType, ArraySegment <byte> messageChunk)
{
lock (DataLock)
{
SetResponseRequired(true);
try
{
// process a response.
if (TcpMessageType.IsType(messageType, TcpMessageType.Message))
{
//Utils.Trace("Channel {0}: ProcessRequestMessage", ChannelId);
return(ProcessRequestMessage(messageType, messageChunk));
}
// check for hello.
if (messageType == TcpMessageType.Hello)
{
//Utils.Trace("Channel {0}: ProcessHelloMessage", ChannelId);
return(ProcessHelloMessage(messageChunk));
}
// process open secure channel repsonse.
if (TcpMessageType.IsType(messageType, TcpMessageType.Open))
{
//Utils.Trace("Channel {0}: ProcessOpenSecureChannelRequest", ChannelId);
return(ProcessOpenSecureChannelRequest(messageType, messageChunk));
}
// process close secure channel response.
if (TcpMessageType.IsType(messageType, TcpMessageType.Close))
{
//Utils.Trace("Channel {0}: ProcessCloseSecureChannelRequest", ChannelId);
return(ProcessCloseSecureChannelRequest(messageType, messageChunk));
}
// invalid message type - must close socket and reconnect.
ForceChannelFault(
StatusCodes.BadTcpMessageTypeInvalid,
"The server does not recognize the message type: {0:X8}.",
messageType);
return(false);
}
finally
{
SetResponseRequired(false);
}
}
}
/// <summary>
/// Processes a request message.
/// </summary>
private bool ProcessRequestMessage(uint messageType, ArraySegment <byte> messageChunk)
{
// validate the channel state.
if (State != TcpChannelState.Open)
{
ForceChannelFault(StatusCodes.BadTcpMessageTypeInvalid, "Client sent an unexpected request message.");
return(false);
}
// validate security on the message.
ChannelToken token = null;
uint requestId = 0;
uint sequenceNumber = 0;
ArraySegment <byte> messageBody;
try
{
messageBody = ReadSymmetricMessage(messageChunk, true, out token, out requestId, out sequenceNumber);
// check for replay attacks.
if (!VerifySequenceNumber(sequenceNumber, "ProcessRequestMessage"))
{
throw new ServiceResultException(StatusCodes.BadSequenceNumberInvalid);
}
if (token == CurrentToken && PreviousToken != null && !PreviousToken.Expired)
{
Utils.Trace("Server Revoked Token. ChannelId={1}, TokenId={0}", PreviousToken.TokenId, PreviousToken.ChannelId, DateTime.UtcNow);
PreviousToken.Lifetime = 0;
}
}
catch (Exception e)
{
Utils.Trace("Could not verify security on incoming request.");
ForceChannelFault(e, StatusCodes.BadSecurityChecksFailed, "Could not verify security on incoming request.");
return(false);
}
BufferCollection chunksToProcess = null;
try
{
// check for an abort.
if (TcpMessageType.IsAbort(messageType))
{
Utils.Trace("Request was aborted.");
chunksToProcess = GetSavedChunks(requestId, messageBody);
return(true);
}
// check if it is necessary to wait for more chunks.
if (!TcpMessageType.IsFinal(messageType))
{
SaveIntermediateChunk(requestId, messageBody);
return(true);
}
Utils.Trace("Channel {0}: ProcessRequestMessage {1}", ChannelId, requestId);
// get the chunks to process.
chunksToProcess = GetSavedChunks(requestId, messageBody);
// decode the request.
IServiceRequest request = BinaryDecoder.DecodeMessage(new ArraySegmentStream(chunksToProcess), null, Quotas.MessageContext) as IServiceRequest;
if (request == null)
{
SendServiceFault(token, requestId, ServiceResult.Create(StatusCodes.BadStructureMissing, "Could not parse request body."));
return(true);
}
// ensure that only discovery requests come through unsecured.
if (DiscoveryOnly)
{
if (!(request is GetEndpointsRequest || request is FindServersRequest))
{
SendServiceFault(token, requestId, ServiceResult.Create(StatusCodes.BadSecurityPolicyRejected, "Channel can only be used for discovery."));
return(true);
}
}
// hand the request to the server.
RequestReceived?.Invoke(this, requestId, request);
return(true);
}
catch (Exception e)
{
Utils.Trace(e, "Unexpected error processing request.");
SendServiceFault(token, requestId, ServiceResult.Create(e, StatusCodes.BadTcpInternalError, "Unexpected error processing request."));
return(true);
}
finally
{
if (chunksToProcess != null)
{
chunksToProcess.Release(BufferManager, "ProcessRequestMessage");
}
}
}
/// <summary>
/// Processes an CloseSecureChannel request message.
/// </summary>
private bool ProcessCloseSecureChannelRequest(uint messageType, ArraySegment <byte> messageChunk)
{
// validate security on the message.
ChannelToken token = null;
uint requestId = 0;
uint sequenceNumber = 0;
ArraySegment <byte> messageBody;
try
{
messageBody = ReadSymmetricMessage(messageChunk, true, out token, out requestId, out sequenceNumber);
// check for replay attacks.
if (!VerifySequenceNumber(sequenceNumber, "ProcessCloseSecureChannelRequest"))
{
throw new ServiceResultException(StatusCodes.BadSequenceNumberInvalid);
}
}
catch (Exception e)
{
throw ServiceResultException.Create(StatusCodes.BadSecurityChecksFailed, e, "Could not verify security on CloseSecureChannel request.");
}
BufferCollection chunksToProcess = null;
try
{
// check if it is necessary to wait for more chunks.
if (!TcpMessageType.IsFinal(messageType))
{
SaveIntermediateChunk(requestId, messageBody);
return(false);
}
// get the chunks to process.
chunksToProcess = GetSavedChunks(requestId, messageBody);
CloseSecureChannelRequest request = BinaryDecoder.DecodeMessage(
new ArraySegmentStream(chunksToProcess),
typeof(CloseSecureChannelRequest),
Quotas.MessageContext) as CloseSecureChannelRequest;
if (request == null)
{
throw ServiceResultException.Create(StatusCodes.BadStructureMissing, "Could not parse CloseSecureChannel request body.");
}
// send the response.
// SendCloseSecureChannelResponse(requestId, token, request);
}
catch (Exception e)
{
Utils.Trace(e, "Unexpected error processing OpenSecureChannel request.");
}
finally
{
if (chunksToProcess != null)
{
chunksToProcess.Release(BufferManager, "ProcessCloseSecureChannelRequest");
}
Utils.Trace(
"{0} ProcessCloseSecureChannelRequest Socket={0:X8}, ChannelId={1}, TokenId={2}",
ChannelName,
(Socket != null) ? Socket.Handle : 0,
(CurrentToken != null) ? CurrentToken.ChannelId : 0,
(CurrentToken != null) ? CurrentToken.TokenId : 0);
// close the channel.
ChannelClosed();
}
// return false would double free the buffer
return(true);
}
/// <summary>
/// Processes an OpenSecureChannel request message.
/// </summary>
private bool ProcessOpenSecureChannelRequest(uint messageType, ArraySegment <byte> messageChunk)
{
// validate the channel state.
if (State != TcpChannelState.Opening && State != TcpChannelState.Open)
{
ForceChannelFault(StatusCodes.BadTcpMessageTypeInvalid, "Client sent an unexpected OpenSecureChannel message.");
return(false);
}
// parse the security header.
uint channelId = 0;
X509Certificate2 clientCertificate = null;
uint requestId = 0;
uint sequenceNumber = 0;
ArraySegment <byte> messageBody;
try
{
messageBody = ReadAsymmetricMessage(
messageChunk,
ServerCertificate,
out channelId,
out clientCertificate,
out requestId,
out sequenceNumber);
// check for replay attacks.
if (!VerifySequenceNumber(sequenceNumber, "ProcessOpenSecureChannelRequest"))
{
throw new ServiceResultException(StatusCodes.BadSequenceNumberInvalid);
}
}
catch (Exception e)
{
ServiceResultException innerException = e.InnerException as ServiceResultException;
// If the certificate structre, signature and trust list checks pass, we return the other specific validation errors instead of BadSecurityChecksFailed
if (innerException != null)
{
if (innerException.StatusCode == StatusCodes.BadCertificateUntrusted ||
innerException.StatusCode == StatusCodes.BadCertificateChainIncomplete ||
innerException.StatusCode == StatusCodes.BadCertificateRevoked ||
innerException.StatusCode == StatusCodes.BadCertificateInvalid ||
(innerException.InnerResult != null && innerException.InnerResult.StatusCode == StatusCodes.BadCertificateUntrusted))
{
ForceChannelFault(StatusCodes.BadSecurityChecksFailed, e.Message);
return(false);
}
else if (innerException.StatusCode == StatusCodes.BadCertificateTimeInvalid ||
innerException.StatusCode == StatusCodes.BadCertificateIssuerTimeInvalid ||
innerException.StatusCode == StatusCodes.BadCertificateHostNameInvalid ||
innerException.StatusCode == StatusCodes.BadCertificateUriInvalid ||
innerException.StatusCode == StatusCodes.BadCertificateUseNotAllowed ||
innerException.StatusCode == StatusCodes.BadCertificateIssuerUseNotAllowed ||
innerException.StatusCode == StatusCodes.BadCertificateRevocationUnknown ||
innerException.StatusCode == StatusCodes.BadCertificateIssuerRevocationUnknown ||
innerException.StatusCode == StatusCodes.BadCertificateIssuerRevoked)
{
ForceChannelFault(innerException, innerException.StatusCode, e.Message);
return(false);
}
}
ForceChannelFault(e, StatusCodes.BadSecurityChecksFailed, "Could not verify security on OpenSecureChannel request.");
return(false);
}
BufferCollection chunksToProcess = null;
try
{
bool firstCall = ClientCertificate == null;
// must ensure the same certificate was used.
if (ClientCertificate != null)
{
CompareCertificates(ClientCertificate, clientCertificate, false);
}
else
{
ClientCertificate = clientCertificate;
}
// check if it is necessary to wait for more chunks.
if (!TcpMessageType.IsFinal(messageType))
{
SaveIntermediateChunk(requestId, messageBody);
return(false);
}
// create a new token.
ChannelToken token = CreateToken();
token.TokenId = GetNewTokenId();
token.ServerNonce = CreateNonce();
// get the chunks to process.
chunksToProcess = GetSavedChunks(requestId, messageBody);
OpenSecureChannelRequest request = (OpenSecureChannelRequest)BinaryDecoder.DecodeMessage(
new ArraySegmentStream(chunksToProcess),
typeof(OpenSecureChannelRequest),
Quotas.MessageContext);
if (request == null)
{
throw ServiceResultException.Create(StatusCodes.BadStructureMissing, "Could not parse OpenSecureChannel request body.");
}
// check the security mode.
if (request.SecurityMode != SecurityMode)
{
ReviseSecurityMode(firstCall, request.SecurityMode);
}
// check the client nonce.
token.ClientNonce = request.ClientNonce;
if (!ValidateNonce(token.ClientNonce))
{
throw ServiceResultException.Create(StatusCodes.BadNonceInvalid, "Client nonce is not the correct length or not random enough.");
}
// choose the lifetime.
int lifetime = (int)request.RequestedLifetime;
if (lifetime < TcpMessageLimits.MinSecurityTokenLifeTime)
{
lifetime = TcpMessageLimits.MinSecurityTokenLifeTime;
}
if (lifetime > 0 && lifetime < token.Lifetime)
{
token.Lifetime = lifetime;
}
// check the request type.
SecurityTokenRequestType requestType = request.RequestType;
if (requestType == SecurityTokenRequestType.Issue && State != TcpChannelState.Opening)
{
throw ServiceResultException.Create(StatusCodes.BadRequestTypeInvalid, "Cannot request a new token for an open channel.");
}
if (requestType == SecurityTokenRequestType.Renew && State != TcpChannelState.Open)
{
// may be reconnecting to a dropped channel.
if (State == TcpChannelState.Opening)
{
// tell the listener to find the channel that can process the request.
Listener.ReconnectToExistingChannel(
Socket,
requestId,
sequenceNumber,
channelId,
ClientCertificate,
token,
request);
Utils.Trace(
"{0} ReconnectToExistingChannel Socket={0:X8}, ChannelId={1}, TokenId={2}",
ChannelName,
(Socket != null) ? Socket.Handle : 0,
(CurrentToken != null) ? CurrentToken.ChannelId : 0,
(CurrentToken != null) ? CurrentToken.TokenId : 0);
// close the channel.
ChannelClosed();
// nothing more to do.
return(false);
}
throw ServiceResultException.Create(StatusCodes.BadRequestTypeInvalid, "Cannot request to renew a token for a channel that has not been opened.");
}
// check the channel id.
if (requestType == SecurityTokenRequestType.Renew && channelId != ChannelId)
{
throw ServiceResultException.Create(StatusCodes.BadTcpSecureChannelUnknown, "Do not recognize the secure channel id provided.");
}
// log security information.
if (requestType == SecurityTokenRequestType.Issue)
{
Opc.Ua.Security.Audit.SecureChannelCreated(
m_ImplementationString,
Listener.EndpointUrl.ToString(),
Utils.Format("{0}", ChannelId),
EndpointDescription,
ClientCertificate,
ServerCertificate,
BinaryEncodingSupport.Required);
}
else
{
Opc.Ua.Security.Audit.SecureChannelRenewed(
m_ImplementationString,
Utils.Format("{0}", ChannelId));
}
if (requestType == SecurityTokenRequestType.Renew)
{
SetRenewedToken(token);
}
else
{
ActivateToken(token);
}
State = TcpChannelState.Open;
// send the response.
SendOpenSecureChannelResponse(requestId, token, request);
// notify reverse
CompleteReverseHello(null);
// notify any monitors.
NotifyMonitors(ServiceResult.Good, false);
return(false);
}
catch (Exception e)
{
SendServiceFault(requestId, ServiceResult.Create(e, StatusCodes.BadTcpInternalError, "Unexpected error processing OpenSecureChannel request."));
CompleteReverseHello(e);
return(false);
}
finally
{
if (chunksToProcess != null)
{
chunksToProcess.Release(BufferManager, "ProcessOpenSecureChannelRequest");
}
}
}
