sl@0: // Copyright (c) 2008-2009 Nokia Corporation and/or its subsidiary(-ies). sl@0: // All rights reserved. sl@0: // This component and the accompanying materials are made available sl@0: // under the terms of "Eclipse Public License v1.0" sl@0: // which accompanies this distribution, and is available sl@0: // at the URL "http://www.eclipse.org/legal/epl-v10.html". sl@0: // sl@0: // Initial Contributors: sl@0: // Nokia Corporation - initial contribution. sl@0: // sl@0: // Contributors: sl@0: // sl@0: // Description: sl@0: // Wrapper around RMessage2 that provides message validation and error handling sl@0: // to improve robustness of system servers under IPC attack sl@0: // sl@0: // sl@0: sl@0: #if !defined(CLIENTMESSAGE_H) sl@0: #define CLIENTMESSAGE_H sl@0: sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: sl@0: namespace BSUL sl@0: { sl@0: sl@0: //Version number of the client server framework code sl@0: const TInt KClientMessageVersion = 0x1; sl@0: sl@0: //Forward Declarations sl@0: class CMessageParameterBase; sl@0: sl@0: //Const Declarations sl@0: sl@0: /** sl@0: Returned to caller to indicate that the requested message number is not sl@0: supported by the current server sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrInvalidFunction = -1004; sl@0: sl@0: /** sl@0: Returned to caller if a message is passed in containing a non-descriptor sl@0: parameter which doesn't meet the constraints specified in the schema sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrBadParameter = -1005; sl@0: sl@0: /** sl@0: Returned to caller in UREL mode when the server attempts to call a sl@0: CMessageParameterBase function which is not defined for the given sl@0: parameter type. E.g. calling GetIntL() on a Descriptor parameter. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrWrongParameterType = -1006; sl@0: sl@0: /** sl@0: Returned to caller in UREL mode when a message is found to be sl@0: incorrectly defined in the message schema. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrBadMessageSchema = -1007; sl@0: sl@0: sl@0: /** sl@0: Returned to caller to indicate that the requested parameter has not yet sl@0: been validated sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrNotValidated = -1008; //Server internal error sl@0: sl@0: /** sl@0: Returned to caller to indicate that the ClientMessage framework has sl@0: not yet been initialised sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TInt KErrNotInitialised = -1009; //Server internal error sl@0: sl@0: sl@0: //Enum Declarations sl@0: sl@0: /** sl@0: This is the list of Panic codes used by the ClientMessage framework sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum sl@0: { sl@0: /**This panic is raised in UDEB mode when the server attempts to call a sl@0: CMessageParameterBase function which is not defined for the given sl@0: parameter type. E.g. calling GetIntL() on a Descriptor parameter. sl@0: */ sl@0: ECMPanicWrongParameterType = 0, sl@0: sl@0: /**This panic is raised when the server attempts to read from a sl@0: descriptor in the clients process and supplies a target descriptor sl@0: that is smaller than the client descriptor. sl@0: */ sl@0: ECMPanicBadDescriptor, sl@0: sl@0: /**This panic is raised when a TParameterDetails structure for a sl@0: given parameter is incorrectly defined in the message schema sl@0: */ sl@0: ECMPanicBadMessageSchema sl@0: }; sl@0: sl@0: /** sl@0: This Enum lists the currently supported Parameter types. sl@0: These enum values are used as indices to the Parameter Factory Function sl@0: which instantiates the appropriate CMessageParammeterBase derived sl@0: object to represent a given message parameter. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum TParamType sl@0: { sl@0: EParamNull = 0, sl@0: EParamInt, sl@0: EParamDes8Read, sl@0: EParamDes8, sl@0: EParamPckg, sl@0: EParamDes16Read, sl@0: EParamDes16, sl@0: EParamPtr sl@0: }; sl@0: sl@0: /** sl@0: This enum lists the currently supported flags that can be passed to the server sl@0: in TClientMessageServerData::iFlags. Note that internally this value is stored sl@0: in a TBitFlags32 type but this type cannot be statically initialised in a dll sl@0: so the value is passed to the framework in a TInt. The bottom 16 bit flags are sl@0: reserved for the framework's internal use. sl@0: sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum TServerFlags sl@0: { sl@0: /** Default empty flag */ sl@0: ESrvFlagNone = 0, sl@0: /** Setting this flag indicates that for bad message errors, request sl@0: should be completed with error code rather than panicking the client */ sl@0: ESrvFlagDoNotPanicClientOnBadMessageErrors = 0x40000000, sl@0: /** Indicates that bad messages should be logged in UDEB */ sl@0: ESrvFlagLogBadMessages = 0x80000000 sl@0: }; sl@0: sl@0: //Typedef Declarations sl@0: sl@0: /** sl@0: This typedef is used to simplify the declaration of custom sl@0: parameter validation functions sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: typedef void (*TCustomValidationFn)(CMessageParameterBase* aParameter); sl@0: sl@0: sl@0: sl@0: //Struct Declarations sl@0: sl@0: /** sl@0: This structure defines the format for storing information for an sl@0: individual message parameter. sl@0: sl@0: iType - This defines the parameter type and is used by the CMessageParameterBase sl@0: class to instantiate the appropriate derived class via the sl@0: KParameterFactoryFunctions factory lookup table. sl@0: sl@0: iMin, iMax - These are two constraints that are used in the ValidateL sl@0: method of a class derived from CMessageParameter to validate the message sl@0: as required by that parameter. sl@0: The constraints that are used depend on the type as follows: sl@0: EParamInt: sl@0: -iMin = Minimum int value accepted sl@0: -iMax = Maximum int value accepted. This must be > iMin sl@0: sl@0: NOTE: Currently unsigned integers are not explicitly supported, sl@0: however 16 bit unsigned integers are implicitly supported sl@0: by the EParamInt type. Note that the constraint above sl@0: (iMax > iMin) means that the maximum supported value for an sl@0: unsigned int is 0x7FFFFFFF. sl@0: sl@0: EParamDes8Read: sl@0: EParamDes16Read: sl@0: -iMin = Minimum length of descriptor in clients address space. sl@0: If no minimum restriction exists this should be set to 0 in sl@0: the schema. This must be >= 0 sl@0: -iMax = Maximum length of descriptor in clients address space. sl@0: The descriptor supplied by the client must not have a sl@0: length that exceeds this value. This must be >= iMin sl@0: EParamDes8: sl@0: EParamDes16: sl@0: -iMin = Minimum MaxLength of descriptor in clients address space. sl@0: The descriptor supplied by the client must have a MaxLength sl@0: that is at least as big as this value. This must be >= 0 sl@0: -iMax = Maximum length of descriptor in clients address space. sl@0: The descriptor supplied by the client must not have a sl@0: length that exceeds this value. This must be >= 0. sl@0: sl@0: NOTE: As the EParamDes* types use MaxLength() as a restriction sl@0: They cannot be used if the client intends to pass a TDesC sl@0: derived descriptor. If the client intends read only use sl@0: then the explicit EParamDes*Read types should be used instead. sl@0: sl@0: EParamPckg: sl@0: -iMin = Minimum length of descriptor in clients address space. sl@0: If no minimum restriction exists this should be set to 0 in sl@0: the schema. This must be >= 0 sl@0: -iMax = Maximum length of descriptor in clients address space. sl@0: The descriptor supplied by the client must not have a sl@0: length that exceeds this value. This must be >= iMin sl@0: sl@0: EParamPtr: sl@0: -iMin = Unused sl@0: -iMax = Unused sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: struct TParameterDetails sl@0: { sl@0: const TInt iType; sl@0: const TInt iMin; sl@0: const TInt iMax; sl@0: }; sl@0: sl@0: /** sl@0: This struct is used to represent a single message from the client. sl@0: It defines the function number corresponding to the message, the security sl@0: policy for the message, the number of paramaters that are passed to the sl@0: function and the type and constraint information for each of the parameters sl@0: as described above. The server must define an array of these objects to be sl@0: used by CClientMessage to validate all incoming messages. sl@0: sl@0: NOTE: It is assumed that the message parameters are contiguous. I.E. if there is one sl@0: parameter it is assumed to be located at index 0, if there are 2 parameters they sl@0: are located at index 0,1 etc. sl@0: sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: struct TClientMessageSchema sl@0: { sl@0: sl@0: //Version number of the framework sl@0: const TInt iVersion; sl@0: sl@0: //The message number described by this schema sl@0: const TInt iFunction; sl@0: sl@0: //The security policy for this message. The CClientMessage framework sl@0: //uses this security policy to police incoming messages. sl@0: const TStaticSecurityPolicy& iPolicy; sl@0: sl@0: //The number of parameters expected by this message sl@0: const TInt iParamCount; sl@0: sl@0: //The array of TParameterDetails structs describing the sl@0: //parameter types and constraints for this message sl@0: const TParameterDetails* iParams; sl@0: sl@0: //Reserved values for future proofing sl@0: const TInt iReserved1; sl@0: const TInt iReserved2; sl@0: }; sl@0: sl@0: /** sl@0: This struct is used to initialise the ClientMessage Framework. sl@0: This struct provides the framework with the message schema and sl@0: the custom validation functions for the server as well as the server sl@0: name and flags. sl@0: The struct should be populated by the server using the SERVER_DATA sl@0: macro defined below. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: struct TClientMessageServerData sl@0: { sl@0: //Version number of this structure sl@0: const TInt iVersion; sl@0: sl@0: //The number of messages accepted by this server sl@0: const TInt iMessageCount; sl@0: sl@0: //The array of TClientMessageSchema structs defining the schema for sl@0: //each message accpeted by this server sl@0: const TClientMessageSchema* iMessageSchema; sl@0: sl@0: //The number of custom validation fucntions suplpied by this server sl@0: const TInt iValidationFnCount; sl@0: sl@0: //The array of custom validation functions supplied by this server. sl@0: //These validation functions are called from ValidateL to provide sl@0: //customised validation of any parameter type. sl@0: const TCustomValidationFn* iCustomValidationFns; sl@0: sl@0: //The name of the server using the framework. This string is used both sl@0: //in logging bad messages and in panicing the client or the server. sl@0: //In line with Panic category strings, this value should be 16 characters or less. sl@0: const TUint8* iServerName; sl@0: sl@0: //Flags used to pass settings info into the framework. The supported values are sl@0: //defined in the TServerFlags enum above. sl@0: const TInt iFlags; sl@0: sl@0: //Reserved values for future proofing sl@0: const TInt iReserved1; sl@0: const TInt iReserved2; sl@0: }; sl@0: sl@0: //Macro Definitions sl@0: sl@0: /** sl@0: This macro is used to simplify declaration of TClientMessageSchema entries. sl@0: The function number, security policy and pointer to array of TParameterDetails sl@0: structures is converted into the expected format for the declaration of a sl@0: TClientMessageSchema structure. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: #define MESSAGE_SCHEMA(Function,Policy,Params) {KClientMessageVersion,Function,Policy,sizeof(Params)/sizeof(TParameterDetails),Params,0,0} sl@0: sl@0: sl@0: /** sl@0: This TParameterDetails structure is used to represent a message with no sl@0: parameters. This is required as the schema expects a const TParameterDetails*. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: const TParameterDetails KNoParams[1] = {{EParamNull,0,0}}; sl@0: sl@0: /** sl@0: This macro is used to simplify declaration of TClientMessageSchema entries sl@0: for functions with no parameters. Because the number of parameters is set sl@0: to 0, a CMessageParameterBase derived object is not instantiated for this sl@0: parameter type. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: #define MESSAGE_SCHEMA_NO_PARAMS(Function,Policy) {KClientMessageVersion,Function,Policy,0,KNoParams,0,0} sl@0: sl@0: sl@0: /** sl@0: This macro is used to simplify declaration of the TClientMessageServerData structure. sl@0: The pointer to the array of TClientMessageSchemas, pointer to array of sl@0: TCustomValidationFns, server name and server flags are converted into the sl@0: expected format for the declaration of a TClientMessageServerData structure. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: #define SERVER_DATA(ClientMessages,ValidationFns,ServerName,Flags){KClientMessageVersion,sizeof(ClientMessages)/sizeof(TClientMessageSchema),ClientMessages,sizeof(ValidationFns)/sizeof(TCustomValidationFn),ValidationFns,(TUint8*)ServerName,Flags,0,0} sl@0: sl@0: sl@0: //Class Declarations sl@0: sl@0: /** sl@0: This is the abstract base class for all message parameter classes. sl@0: The class defines one pure virtual function, ValidateL, which all derived classes sl@0: must implement. This class also defines default implementation for the access sl@0: methods which should be properly defined in all derived classes. sl@0: This class is not intended for external derivation. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: NONSHARABLE_CLASS(CMessageParameterBase) : public CBase sl@0: { sl@0: public: sl@0: static CMessageParameterBase* CreateL(const TParameterDetails& aParam, TInt aParamIndex, sl@0: const RMessage2& aMessage); sl@0: virtual void ValidateL() = 0; sl@0: virtual ~CMessageParameterBase(){}; sl@0: sl@0: virtual TInt GetIntL(); sl@0: virtual const TAny* GetPtrL(); sl@0: virtual const TDesC8& GetDes8L(); sl@0: virtual const TDesC& GetDes16L(); sl@0: virtual TInt GetDesLengthL(); sl@0: virtual TInt GetDesMaxLengthL(); sl@0: virtual void ReadL(TDes8& aDes, TInt aOffset); sl@0: virtual void ReadL(TDes& aDes, TInt aOffset); sl@0: virtual void WriteL(const TDesC8& aDes, TInt aOffset); sl@0: virtual void WriteL(const TDesC& aDes, TInt aOffset); sl@0: sl@0: virtual TInt Min(); sl@0: virtual TInt Max(); sl@0: sl@0: protected: sl@0: CMessageParameterBase(const TParameterDetails& aParam, TInt aParamIndex, sl@0: const RMessage2& aMessage, TCustomValidationFn aValidationFn); sl@0: sl@0: private: sl@0: static TCustomValidationFn GetValidationFunctionL(const TParameterDetails& aParam); sl@0: sl@0: protected: sl@0: //The index of this parameter within the corresponding RMessage2 object sl@0: TInt iIndex; sl@0: sl@0: //A reference to the RMessage2 object that contains this parameter sl@0: const RMessage2& iMessage; sl@0: sl@0: //A reference to the structure that defines the expected type sl@0: //and constraints for this parameter sl@0: const TParameterDetails& iParamDetails; sl@0: sl@0: //A custom validation function to allow user defined validation sl@0: //this function is called from ValidateL sl@0: TCustomValidationFn iValidationFn; sl@0: sl@0: }; sl@0: sl@0: /** sl@0: This class is used by a server to sanitise incoming messages. sl@0: The class provides a wrapper around an RMessage2 object and provides a method sl@0: for validation of the message against the constraints defined in the message schema. sl@0: This class also provides methods for safely accessing the message arguments, sl@0: and for error handling and logging of bad messages. sl@0: This class is not intended for derivation. sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: NONSHARABLE_CLASS(CClientMessage) : public CBase sl@0: { sl@0: public: sl@0: IMPORT_C static void InitialiseFrameworkL(const TClientMessageServerData& aServerData); sl@0: IMPORT_C static CClientMessage* NewL(const RMessage2& aMessage); sl@0: IMPORT_C virtual ~CClientMessage(); sl@0: sl@0: IMPORT_C TInt Function(); sl@0: IMPORT_C const RMessage2& Message(); sl@0: IMPORT_C virtual void ValidateL(); sl@0: IMPORT_C virtual void ValidateL(TInt aParam); sl@0: IMPORT_C virtual void CompleteRequestL(TInt aError); sl@0: IMPORT_C virtual void PanicClient(const TDesC& aServer, TInt aPanic); sl@0: sl@0: IMPORT_C virtual TInt GetIntL(TInt aParam); sl@0: IMPORT_C virtual const TAny* GetPtrL(TInt aParam); sl@0: IMPORT_C virtual const TDesC8& GetDes8L(TInt aParam); sl@0: IMPORT_C virtual const TDesC& GetDes16L(TInt aParam); sl@0: IMPORT_C virtual TInt GetDesLengthL(TInt aParam); sl@0: IMPORT_C virtual TInt GetDesMaxLengthL(TInt aParam); sl@0: IMPORT_C virtual void ReadL(TInt aParam, TDes8& aDes, TInt aOffset = 0); sl@0: IMPORT_C virtual void ReadL(TInt aParam, TDes16& aDes, TInt aOffset = 0); sl@0: IMPORT_C virtual void WriteL(TInt aParam, const TDesC8& aDes, TInt aOffset = 0); sl@0: IMPORT_C virtual void WriteL(TInt aParam, const TDesC16& aDes, TInt aOffset = 0); sl@0: sl@0: private: sl@0: virtual void LogBadMessageL(TInt aError); sl@0: virtual void CheckSecurityPolicyL(const TSecurityPolicy& aPolicy); sl@0: CClientMessage(const RMessage2& aMessage,const TClientMessageServerData& aServerData); sl@0: void ConstructL(); sl@0: const TClientMessageSchema* FindMessageSchema(); sl@0: void CheckValidatedL(TInt aParam); sl@0: TBool LogBadMessages(); sl@0: sl@0: private: sl@0: //Array of pointers to CMessageParameterBase Derived parameter objects used sl@0: // to validate and access the individual message arguments sl@0: RPointerArray iParameters; sl@0: sl@0: //Reference to the underlying RMessage2 wrapped by this object sl@0: const RMessage2& iMessage; sl@0: sl@0: //Reference to TClientMessageServerData structure stored in TLS for sl@0: //this thread. This structure is passed in to the framework by the server sl@0: //on initialisation. sl@0: const TClientMessageServerData& iServerData; sl@0: sl@0: //Bit flags for use internally within CClientMessage. sl@0: TBitFlags32 iFlags; sl@0: }; sl@0: /** sl@0: This class is used for Base64 based encoding and decoding . sl@0: This class provides a method for encoding and decoding sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: class Base64Codec sl@0: { sl@0: // base64 and UU coding defines. sl@0: /** sl@0: This is the list of Bitmask used for encoding and decoding sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum EMaskValues sl@0: { sl@0: ESixBitMask = 0x3F, sl@0: EEightBitMask = 0xFF sl@0: }; sl@0: sl@0: /** sl@0: This is the list of shift values used for encoding and decoding sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum EMaskShiftValues sl@0: { sl@0: ESix = 6, sl@0: EFour = 4, sl@0: ETwo = 2, sl@0: EZero = 0 sl@0: }; sl@0: sl@0: /** sl@0: This enum is used as padding charcter sl@0: @publishedPartner sl@0: @released sl@0: */ sl@0: enum sl@0: { sl@0: EPadChar = 64 sl@0: }; sl@0: public: sl@0: IMPORT_C static TInt Encode(const TDesC8& aSrcString, TDes8& aDestString); sl@0: IMPORT_C static TInt Decode(const TDesC8& aSrcString, TDes8& aDestString); sl@0: }; sl@0: }//namespace sl@0: sl@0: #endif