Add configuration to disable reuse of tokens on blockwise transfer.

californium-core/src/main/java/org/eclipse/californium/core/config/CoapConfig.java

@@ -611,12 +611,27 @@ public enum CongestionControlMode {
 	 * adapt the block size when receiving a 4.13 Entity too large response
 	 * code.
 	 * <p>
-	 * See https://tools.ietf.org/html/rfc7959#section-2.9.3 for more details.
+	 * @see <a href="https://tools.ietf.org/html/rfc7959#section-2.9.3" target="_blank">RFC7959, 2.9.3. - 4.13 Request Entity Too Large</a>
 	 */
 	public static final BooleanDefinition BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER = new BooleanDefinition(
 			MODULE + "BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER",
 			"Enable automatic failover on \"entity too large\" response.",
 			DEFAULT_BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER);
+	/**
+	 * Property to indicate that blockwise follow-up requests are reusing the
+	 * same token for traceability.
+	 * <p>
+	 * <b>Note:</b> reusing tokens may introduce a vulnerability, if
+	 * requests/response are captured and sent later without protecting the
+	 * integrity of the payload by other means.
+	 * </p>
+	 * 
+	 * @see <a href="https://github.com/core-wg/attacks-on-coap" target="_blank">attacks-on-coap</a>
+	 * @since 3.8
+	 */
+	public static final BooleanDefinition BLOCKWISE_REUSE_TOKEN = new BooleanDefinition(
+			MODULE + "BLOCKWISE_REUSE_TOKEN",
+			"Reuse token for blockwise requests. Ease traceability but may introduce vulnerability.", false);
 
 	/**
 	 * Time interval for a coap-server to check the client's interest in further
@@ -794,6 +809,7 @@ public void applyDefinitions(Configuration config) {
 			config.set(BLOCKWISE_STATUS_INTERVAL, DEFAULT_BLOCKWISE_STATUS_INTERVAL_IN_SECONDS, TimeUnit.SECONDS);
 			config.set(BLOCKWISE_STRICT_BLOCK2_OPTION, DEFAULT_BLOCKWISE_STRICT_BLOCK2_OPTION);
 			config.set(BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER, DEFAULT_BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER);
+			config.set(BLOCKWISE_REUSE_TOKEN, false);
 			// BERT enabled, when > 1
 			config.set(TCP_NUMBER_OF_BULK_BLOCKS, 4);
 

californium-core/src/main/java/org/eclipse/californium/core/network/stack/Block1BlockwiseStatus.java

@@ -32,6 +32,13 @@ public final class Block1BlockwiseStatus extends BlockwiseStatus {
 
 	private static final Logger LOGGER = LoggerFactory.getLogger(Block1BlockwiseStatus.class);
 
+	/**
+	 * Current pending block wise request.
+	 * 
+	 * @since 3.8
+	 */
+	private Request current;
+
 	/**
 	 * Create block1wise status.
 	 * 
@@ -47,6 +54,7 @@ public final class Block1BlockwiseStatus extends BlockwiseStatus {
 	private Block1BlockwiseStatus(KeyUri keyUri, RemoveHandler removeHandler, Exchange exchange, Request request,
 			int maxSize, int maxTcpBertBulkBlocks) {
 		super(keyUri, removeHandler, exchange, request, maxSize, maxTcpBertBulkBlocks);
+		current = request;
 	}
 
 	/**
@@ -189,6 +197,7 @@ public synchronized Request getNextRequestBlock(int blockSzx) throws BlockwiseTr
 		block.getOptions().setBlock1(blockSzx, m, num);
 
 		setComplete(!m);
+		current = block;
 		return block;
 	}
 
@@ -214,13 +223,15 @@ public boolean cancelRequest() {
 	}
 
 	/**
-	 * Checks whether a response has the same token as the request that
-	 * initiated the block1 transfer that this is the tracker for.
+	 * Checks whether a response has the same token as the current request of
+	 * this tracker.
 	 * 
 	 * @param response The response to check.
 	 * @return {@code true} if the tokens match.
+	 * @since 3.8 use the current request instead of the initial request to
+	 *        support blockwise transfer with changing tokens.
 	 */
-	public boolean hasMatchingToken(final Response response) {
-		return response.getToken().equals(firstMessage.getToken());
+	public synchronized boolean hasMatchingToken(final Response response) {
+		return response.getToken().equals(current.getToken());
 	}
 }

californium-core/src/main/java/org/eclipse/californium/core/network/stack/BlockwiseLayer.java

@@ -218,6 +218,7 @@ public void remove(BlockwiseStatus status) {
 	private volatile boolean enableStatus;
 	private ScheduledFuture<?> statusLogger;
 	private ScheduledFuture<?> cleanup;
+	private final long healthStatusInterval;
 	private final int maxTcpBertBulkBlocks;
 	private final int maxMessageSize;
 	private final int preferredBlockSzx;
@@ -226,12 +227,23 @@ public void remove(BlockwiseStatus status) {
 	private final int maxResourceBodySize;
 	private final boolean strictBlock1Option;
 	private final boolean strictBlock2Option;
-	private final long healthStatusInterval;
+	/**
+	 * Reuse tokens for follow-up requests.
+	 * <p>
+	 * <b>Note:</b> reusing tokens may introduce a vulnerability, if
+	 * requests/response are captured and sent later without protecting the
+	 * integrity of the payload by other means.
+	 * </p>
+	 * 
+	 * @see <a href="https://github.com/core-wg/attacks-on-coap" target="_blank">attacks-on-coap</a>
+	 * @since 3.8
+	 */
+	private final boolean reuseToken;
 	/* @since 2.4 */
 	private final boolean enableAutoFailoverOn413;
 
 	private final EndpointContextMatcher matchingStrategy;
-	
+
 	/**
 	 * Creates a new blockwise layer for a configuration.
 	 * <p>
@@ -372,7 +384,7 @@ public void onEviction(Block2BlockwiseStatus status) {
 		});
 		strictBlock1Option = config.get(CoapConfig.BLOCKWISE_STRICT_BLOCK1_OPTION);
 		strictBlock2Option = config.get(CoapConfig.BLOCKWISE_STRICT_BLOCK2_OPTION);
-
+		reuseToken = config.get(CoapConfig.BLOCKWISE_REUSE_TOKEN);
 		healthStatusInterval = config.get(SystemConfig.HEALTH_STATUS_INTERVAL, TimeUnit.MILLISECONDS);
 
 		enableAutoFailoverOn413 = config.get(CoapConfig.BLOCKWISE_ENTITY_TOO_LARGE_AUTO_FAILOVER);
@@ -760,6 +772,46 @@ public void sendResponse(final Exchange exchange, final Response response) {
 		lower().sendResponse(exchange, responseToSend);
 	}
 
+	/**
+	 * Get outer response to pass to application.
+	 * 
+	 * The outer response matches to initial application request.
+	 * 
+	 * @param exchange exchange
+	 * @param response actual response
+	 * @return outer application response
+	 * @since 3.8
+	 */
+	private Response getOuterResponse(Exchange exchange, Response response) {
+		// check, if response is for original request
+		if (exchange.getRequest() != exchange.getCurrentRequest()) {
+			// prepare the response as response to the original request
+			Response outerResponse = new Response(response.getCode());
+			// adjust the token using the original request
+			outerResponse.setToken(exchange.getRequest().getToken());
+			if (exchange.getRequest().getType() == Type.CON) {
+				outerResponse.setType(Type.ACK);
+				// adjust MID also
+				outerResponse.setMID(exchange.getRequest().getMID());
+			} else {
+				outerResponse.setType(Type.NON);
+			}
+			outerResponse.setSourceContext(response.getSourceContext());
+			outerResponse.setPayload(response.getPayload());
+			outerResponse.setOptions(response.getOptions());
+			outerResponse.setApplicationRttNanos(exchange.calculateApplicationRtt());
+			Long rtt = response.getTransmissionRttNanos();
+			if (rtt != null) {
+				outerResponse.setTransmissionRttNanos(rtt);
+			}
+			exchange.setResponse(outerResponse);
+			return outerResponse;
+		} else {
+			exchange.setResponse(response);
+			return response;
+		}
+	}
+
 	/**
 	 * Invoked when a response has been received from a peer.
 	 * <p>
@@ -800,32 +852,7 @@ public void receiveResponse(final Exchange exchange, final Response response) {
 				default:
 				}
 
-				// check, if response is for original request
-				if (exchange.getRequest() != exchange.getCurrentRequest()) {
-					// prepare the response as response to the original request
-					Response resp = new Response(response.getCode());
-					// adjust the token using the original request
-					resp.setToken(exchange.getRequest().getToken());
-					if (exchange.getRequest().getType() == Type.CON) {
-						resp.setType(Type.ACK);
-						// adjust MID also
-						resp.setMID(exchange.getRequest().getMID());
-					} else {
-						resp.setType(Type.NON);
-					}
-					resp.setSourceContext(response.getSourceContext());
-					resp.setPayload(response.getPayload());
-					resp.setOptions(response.getOptions());
-					resp.setApplicationRttNanos(exchange.calculateApplicationRtt());
-					Long rtt = response.getTransmissionRttNanos();
-					if (rtt != null) {
-						resp.setTransmissionRttNanos(rtt);
-					}
-					exchange.setResponse(resp);
-					upper().receiveResponse(exchange, resp);
-				} else {
-					upper().receiveResponse(exchange, response);
-				}
+				upper().receiveResponse(exchange, getOuterResponse(exchange, response));
 				return;
 			}
 
@@ -1039,11 +1066,9 @@ private void handleBlock1Response(final Exchange exchange, final Response respon
 				LOGGER.debug("{}Block1 followed by Block2 transfer", tag);
 			} else {
 				// All request blocks have been acknowledged and we have
-				// received a
-				// response that does not need blockwise transfer. Thus, deliver
-				// it.
-				exchange.setResponse(response);
-				upper().receiveResponse(exchange, response);
+				// received a response that does not need blockwise transfer.
+				// Thus, deliver it.
+				upper().receiveResponse(exchange, getOuterResponse(exchange, response));
 			}
 		}
 	}
@@ -1058,8 +1083,10 @@ private void sendNextBlock(Exchange exchange, Response response, Block1Blockwise
 				int blockSzx = Math.min(response.getOptions().getBlock1().getSzx(), preferredBlockSzx);
 				nextBlock = status.getNextRequestBlock(blockSzx);
 
-				// we use the same token to ease traceability
-				nextBlock.setToken(response.getToken());
+				if (reuseToken) {
+					// we use the same token to ease traceability
+					nextBlock.setToken(response.getToken());
+				}
 				nextBlock.setDestinationContext(status.getFollowUpEndpointContext(response.getSourceContext()));
 
 				LOGGER.debug("{}sending (next) Block1 [num={}]: {}", tag, nextBlock.getOptions().getBlock1().getNum(),
@@ -1152,8 +1179,7 @@ private void handleBlock2Response(final Exchange exchange, final Response respon
 
 			if (response.isNotification()) {
 				// We have received a notification for an observed resource that
-				// the
-				// application layer is no longer interested in.
+				// the application layer is no longer interested in.
 				// Let upper layers decide what to do with the notification.
 				upper().receiveResponse(exchange, response);
 			}
@@ -1253,7 +1279,8 @@ private void requestNextBlock(Exchange exchange, Response response, Block2Blockw
 			 * a different KeyToken in exchangesByToken, which is cleaned up
 			 * with the CleanupMessageObserver above.
 			 */
-			if (!response.isNotification()) {
+			if (reuseToken && !response.isNotification()) {
+				// we use the same token to ease traceability
 				block.setToken(response.getToken());
 			}
 

californium-core/src/test/java/org/eclipse/californium/core/test/lockstep/BlockwiseClientSideTest.java

@@ -844,7 +844,7 @@ public void testConcurrentBlock1TransferCancelsOriginalRequest() throws Exceptio
 		server.sendResponse(ACK, CONTINUE).loadBoth("B").block1(1, true, 128).go();
 
 		server.expectRequest(CON, PUT, path).storeBoth("B").block1(2, false, 128).payload(reqtPayload, 256, 300).go();
-		server.sendResponse(ACK, CHANGED).loadBoth("B").go();
+		server.sendResponse(ACK, CHANGED).loadBoth("B").block1(2, false, 128).go();
 
 		Response response = concurrentRequest.waitForResponse(ERROR_TIMEOUT_IN_MS);
 		assertThat(response, is(notNullValue()));

cf-oscore/src/main/java/org/eclipse/californium/oscore/ObjectSecurityContextLayer.java

@@ -233,9 +233,9 @@ public void receiveResponse(Exchange exchange, Response response) {
 		// Handle incoming OSCORE responses that have been re-assembled by the
 		// block-wise layer (for outer block-wise). If a response was not
 		// processed by OSCORE in the ObjectSecurityLayer it will happen here.
-		boolean outerBlockwise = exchange.getCurrentResponse() != null
-				&& exchange.getCurrentResponse().getOptions().hasBlock2()
-				&& ctxDb.getContextByToken(exchange.getCurrentResponse().getToken()) != null;
+		Response rawResponse =  exchange.getCurrentResponse();
+		boolean outerBlockwise = rawResponse.getOptions().hasBlock2()
+				&& ctxDb.getContextByToken(rawResponse.getToken()) != null;
 		if (outerBlockwise) {
 
 			LOGGER.debug("Incoming OSCORE response uses outer block-wise");
@@ -270,8 +270,6 @@ public void receiveResponse(Exchange exchange, Response response) {
 			if (exchange.getRequest().isObserveCancel()) {
 				ctxDb.removeToken(response.getToken());
 			}
-
-			super.receiveResponse(exchange, response);
 		}
 
 		super.receiveResponse(exchange, response);

cf-oscore/src/main/java/org/eclipse/californium/oscore/ObjectSecurityLayer.java

@@ -129,11 +129,19 @@ public void sendRequest(final Exchange exchange, final Request request) {
 				// Handle outgoing requests for more data from a responder that
 				// is responding with outer block-wise. These requests should
 				// not be processed with OSCORE.
-				boolean outerBlockwise = request.getOptions().hasBlock2() && exchange.getCurrentResponse() != null
-						&& ctxDb.getContextByToken(exchange.getCurrentResponse().getToken()) != null;
-				if (outerBlockwise) {
-					super.sendRequest(exchange, req);
-					return;
+				if (request.getOptions().hasBlock2() && exchange.getCurrentResponse() != null) {
+					final OSCoreCtx ctx = ctxDb.getContextByToken(exchange.getCurrentResponse().getToken());
+					if (ctx != null) {
+						request.addMessageObserver(0, new MessageObserverAdapter() {
+
+							@Override
+							public void onReadyToSend() {
+								ctxDb.addContext(request.getToken(), ctx);
+							}
+						});
+						super.sendRequest(exchange, request);
+						return;
+					}
 				}
 
 				final String uri;
@@ -169,7 +177,7 @@ public void sendRequest(final Exchange exchange, final Request request) {
 				final Request preparedRequest = prepareSend(ctxDb, request);
 				final OSCoreCtx finalCtx = ctxDb.getContext(uri);
 
-				if (outgoingExceedsMaxUnfragSize(preparedRequest, outerBlockwise, ctx.getMaxUnfragmentedSize())) {
+				if (outgoingExceedsMaxUnfragSize(preparedRequest, false, ctx.getMaxUnfragmentedSize())) {
 					throw new IllegalStateException("outgoing request is exceeding the MAX_UNFRAGMENTED_SIZE!");
 				}
 

cf-oscore/src/test/java/org/eclipse/californium/oscore/OSCoreOuterBlockwiseTest.java

@@ -602,18 +602,30 @@ public int getCounter() {
 	 */
 	private void createSimpleProxy(final boolean proxyRequestBlockwise, final boolean proxyResponseBlockwiseEnabled) {
 
+		final CoapClient proxyClient = new CoapClient();
+		proxyClient.setTimeout(1000L);
+
+		CoapEndpoint.Builder builder = new CoapEndpoint.Builder();
+		builder.setCoapStackFactory(CoapEndpoint.STANDARD_COAP_STACK_FACTORY);
+		if (proxyRequestBlockwise) {
+			builder.setConfiguration(blockwiseConfig);
+		}
+		CoapEndpoint proxyClientEndpoint = builder.build();
+		proxyClient.setEndpoint(proxyClientEndpoint);
+		cleanup.add(proxyClientEndpoint);
+
 		final Coap2CoapTranslator coapTranslator = new Coap2CoapTranslator();
 
 		// Create endpoint for proxy server side
-		CoapEndpoint.Builder builder = new CoapEndpoint.Builder();
+		builder = new CoapEndpoint.Builder();
 		builder.setCoapStackFactory(CoapEndpoint.STANDARD_COAP_STACK_FACTORY);
 		builder.setInetSocketAddress(TestTools.LOCALHOST_EPHEMERAL);
 		if (proxyResponseBlockwiseEnabled) {
 			builder.setConfiguration(blockwiseConfig);
 		}
 
 		CoapEndpoint proxyServerEndpoint = builder.build();
-		
+
 		// Create proxy
 		CoapServer proxy = new CoapServer();
 		cleanup.add(proxy);
@@ -632,21 +644,13 @@ public void deliverRequest(Exchange exchange) {
 							coapTranslator.getExposedInterface(incomingRequest));
 					Request outgoingRequest = coapTranslator.getRequest(finalDestinationUri, incomingRequest);
 
-					CoapClient proxyClient = new CoapClient();
-
-					// Create endpoint for proxy client side
-					CoapEndpoint.Builder builder = new CoapEndpoint.Builder();
-					builder.setCoapStackFactory(CoapEndpoint.STANDARD_COAP_STACK_FACTORY);
-					if (proxyRequestBlockwise) {
-						builder.setConfiguration(blockwiseConfig);
-					}
-					CoapEndpoint proxyClientEndpoint = builder.build();
-					proxyClient.setEndpoint(proxyClientEndpoint);
-					cleanup.add(proxyClientEndpoint);
-
 					// Now receive the response from the server and prepare the
 					// final response to the client
 					CoapResponse incomingResponse = proxyClient.advanced(outgoingRequest);
+					if (incomingResponse == null) {
+						System.err.println("Missing response.");
+						fail();
+					}
 					outgoingResponse = coapTranslator.getResponse(incomingResponse.advanced());
 				} catch (org.eclipse.californium.proxy2.TranslationException | ConnectorException | IOException e) {
 					System.err.println("Processing on proxy failed.");