[IOT-1843] Reject unsecure request for unknown resource 79/19479/3
authorNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Mon, 1 May 2017 04:39:39 +0000 (21:39 -0700)
committerNathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Tue, 2 May 2017 05:39:09 +0000 (05:39 +0000)
Previously, a null return from FindResourceByUri() may have resulted
in Unsecure Channel CREATE access to an OC_SECURE resource.  Until
the Policy Engine is updated to comprehend conntype access this
hole should be closed.

Change-Id: I4dbba12b108b103704cc931b3f03ef096e2ffc48
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19479
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
resource/csdk/security/src/secureresourcemanager.c

index 5d07c27..f3995ee 100644 (file)
@@ -179,8 +179,6 @@ void CheckRequestForSecResourceOverUnsecureChannel(SRMRequestContext_t *context)
     {
         OCResource *resPtr = FindResourceByUri(context->resourceUri);
 
-        // TODO: IOT-1843:
-        // Should a NULL return value from FindResourceByUri result in CA_FORBIDDEN_REQ?
         if (NULL != resPtr)
         {
             OIC_LOG_V(DEBUG, TAG, "%s: OC_SECURE = %s",
@@ -204,6 +202,13 @@ void CheckRequestForSecResourceOverUnsecureChannel(SRMRequestContext_t *context)
                 OIC_LOG_V(DEBUG, TAG, "%s: Allowing unsecured access", __func__);
             }
         }
+        else
+        {
+            // if resource not found and request is over unsecure channel, reject
+            context->responseVal = ACCESS_DENIED_SEC_RESOURCE_OVER_UNSECURE_CHANNEL;
+            context->responseInfo.result = CA_FORBIDDEN_REQ;
+            SRMSendResponse(context);
+        }
     }
 
     return;