authorKyungwook Tak <k.tak@samsung.com>2016-12-15 14:47:50 +0900
committerKyungwook Tak <k.tak@samsung.com>2016-12-15 14:48:00 +0900
commitb01ca066810194616b23bb56e3d2136891213730 (patch)
tree50b76785263b596d62281e7f0781209833844e85
parent592432e551bd61800d488a0bf6b4a52762445e58 (diff)
parent0f1b2b060f31cc5b7abcb24fd8aae5ef4b9ad038 (diff)
- Stop adding the OpenSSL locking functions on the client Change-Id: Ifbf8960970a7395ccbd5e0f953d97314c8fbf926 Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
-rw-r--r--LICENSE.BSD-3-Clause (renamed from LICENSE.BSD-2.0)0
-rw-r--r--packaging/key-manager.spec17
-rw-r--r--src/CMakeLists.txt13
-rw-r--r--src/manager/common/crypto-init.cpp91
-rw-r--r--src/manager/common/crypto-init.h17
-rw-r--r--src/manager/main/cynara-mockup.cpp101
-rw-r--r--src/manager/main/socket-2-id-mockup.cpp78
-rw-r--r--src/manager/main/socket-2-id-wrapper.cpp92
-rw-r--r--src/manager/main/socket-2-id.cpp60
-rw-r--r--tools/ckm_db_tool/CMakeLists.txt2
10 files changed, 132 insertions, 339 deletions
diff --git a/LICENSE.BSD-2.0 b/LICENSE.BSD-3-Clause
index 5658a940..5658a940 100644
--- a/LICENSE.BSD-2.0
+++ b/LICENSE.BSD-3-Clause
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index c6089ded..8ec74d6b 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -6,8 +6,8 @@ Name: key-manager
Summary: Central Key Manager and utilities
Version: 0.1.23
Release: 1
-Group: System/Security
-License: Apache-2.0 and BSL-1.0 and BSD-2.0
+Group: Security/Secure Storage
+License: Apache-2.0 and BSL-1.0 and BSD-3-Clause
Source0: %{name}-%{version}.tar.gz
Source1001: key-manager-pam-plugin.manifest
Source1002: libkey-manager-client.manifest
@@ -66,7 +66,7 @@ application to sign and verify (DSA/RSA/ECDSA) signatures.
%package -n libkey-manager-common
Summary: Central Key Manager (common libraries)
-Group: Development/Libraries
+Group: Security/Libraries
Requires(post): %{sbin_dir}/ldconfig
Requires(postun): %{sbin_dir}/ldconfig
@@ -75,7 +75,7 @@ Central Key Manager package (common library)
%package -n libkey-manager-client
Summary: Central Key Manager (client)
-Group: Development/Libraries
+Group: Security/Libraries
Requires: key-manager = %{version}-%{release}
Requires: libkey-manager-common = %{version}-%{release}
Requires(post): %{sbin_dir}/ldconfig
@@ -86,7 +86,7 @@ Central Key Manager package (client)
%package -n libkey-manager-client-devel
Summary: Central Key Manager (client-devel)
-Group: Development/Libraries
+Group: Security/Development
BuildRequires: pkgconfig(capi-base-common)
Requires: pkgconfig(capi-base-common)
Requires: libkey-manager-client = %{version}-%{release}
@@ -96,7 +96,7 @@ Central Key Manager package (client-devel)
%package -n key-manager-tests
Summary: Internal test for key-manager
-Group: Development
+Group: Security/Testing
BuildRequires: pkgconfig(libxml-2.0)
Requires: boost-test
Requires: key-manager = %{version}-%{release}
@@ -106,7 +106,7 @@ Internal test for key-manager implementation.
%package -n key-manager-pam-plugin
Summary: CKM login/password module to PAM
-Group: Development/Libraries
+Group: Security/Libraries
BuildRequires: pam-devel
Requires: key-manager = %{version}-%{release}
Requires(post): %{sbin_dir}/ldconfig
@@ -143,7 +143,6 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions "
-DUSER_NAME=%{user_name} \
-DGROUP_NAME=%{group_name} \
-DSMACK_DOMAIN_NAME=%{smack_domain_name} \
- -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} \
-DOLD_RW_DATA_DIR=%{old_rw_data_dir} \
-DRW_DATA_DIR=%{rw_data_dir} \
-DRO_DATA_DIR=%{ro_data_dir} \
@@ -245,7 +244,7 @@ fi
%manifest key-manager.manifest
%license LICENSE
%license LICENSE.BSL-1.0
-%license LICENSE.BSD-2.0
+%license LICENSE.BSD-3-Clause
%{bin_dir}/key-manager
%{_unitdir}/multi-user.target.wants/central-key-manager.service
%{_unitdir}/central-key-manager.service
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 02f8e395..a784d15b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -26,19 +26,8 @@ FIND_PACKAGE(Threads REQUIRED)
SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src)
SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager)
-IF (MOCKUP_SM MATCHES "ON")
- IF (CMAKE_BUILD_TYPE MATCHES "RELEASE")
- MESSAGE(FATAL_ERROR "You cannot compile release version with SECURITY MOCKUPS!")
- ENDIF (CMAKE_BUILD_TYPE MATCHES "RELEASE")
- MESSAGE("USING MOCKUPS INSTEAD SECURITY MODULES (SECURITY MANAGER AND CYNARA)")
- SET(SECURITY_MANAGER_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id-mockup.cpp)
- SET(CYNARA_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/cynara-mockup.cpp)
-ELSE (MOCKUP_SM MATCHES "ON")
- SET(SECURITY_MANAGER_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id-wrapper.cpp)
- SET(CYNARA_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/cynara.cpp)
-ENDIF (MOCKUP_SM MATCHES "ON")
-
SET(KEY_MANAGER_SOURCES
+ ${KEY_MANAGER_PATH}/main/cynara.cpp
${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
${KEY_MANAGER_PATH}/main/key-manager-main.cpp
${KEY_MANAGER_PATH}/main/smack-check.cpp
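Review bot: Any `${SECURITY_MANAGER_WRAPPER_PATH}` or `${CYNARA_WRAPPER_PATH}` reference left elsewhere in this file will now expand to nothing without a diagnostic, because the diffstat's 13 changed lines for this file are all in this hunk. A build script that still passes `-DMOCKUP_SM=ON` is likewise ignored silently now that the `FATAL_ERROR` guard is gone. I would grep for the two variable names and, if stale callers are a concern, add a short guard such as `IF (DEFINED MOCKUP_SM)` followed by `MESSAGE(FATAL_ERROR "MOCKUP_SM is no longer supported")`, so a stale option cannot pass unnoticed. The `SET(KEY_MANAGER_SOURCES` list continues outside the hunk.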
diff --git a/src/manager/common/crypto-init.cpp b/src/manager/common/crypto-init.cpp
index 99822997..573a4d63 100644
--- a/src/manager/common/crypto-init.cpp
+++ b/src/manager/common/crypto-init.cpp
@@ -81,33 +81,18 @@ void opensslUninstallLocks()
g_mutexes = NULL;
}
-} // namespace anonymous
-
-
-void initOpenSsl()
+void initOpenSsl(bool isLib)
{
- // Loads all error strings (crypto and ssl)
- SSL_load_error_strings();
-
/*
* Initialize libcrypto (add all algorithms, digests & ciphers)
* It also does the stuff from SSL_library_init() except for ssl_load_ciphers()
*/
OpenSSL_add_all_algorithms(); // Can be optimized by using EVP_add_cipher instead
- /*
- * Initialize libssl (OCSP uses it)
- * SSL_library_init() == OpenSSL_add_ssl_algorithms()
- * It always returns 1
- */
- SSL_library_init();
-
- // load default configuration (/etc/ssl/openssl.cnf)
- OPENSSL_config(NULL);
+ if (isLib)
+ return;
- // enable FIPS mode by default
- if (0 == FIPS_mode_set(1))
- LogWarning("Failed to set FIPS mode. Key-manager will be operated in non FIPS mode.");
+ // below initializes only for executable client. (key-manager daemon)
/*
* Initialize entropy
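Review bot: The `FIPS_mode_set(1)` call and its warning are removed here and no visible hunk of this file adds them back, so the daemon appears to stop requesting FIPS mode, while the commit message only mentions the client locking functions. If that is intended, record it in the commit message or at the old call site, e.g. `// FIPS mode is no longer requested at startup: <reason>`. Otherwise keep the call in the daemon-only path next to `OPENSSL_config(NULL)`. The early `if (isLib) return;` also skips the entropy setup below it for library clients, which deserves a one-line comment saying that this is deliberate. `initOpenSsl(bool)` continues past the end of this hunk.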
@@ -128,26 +113,22 @@ void initOpenSsl()
LogError("Error in U_RAND_file_load");
}
- // Install locks for multithreading support
- opensslInstallLocks();
-}
+ /*
+ * Initialize libssl (OCSP uses it)
+ * SSL_library_init() == OpenSSL_add_ssl_algorithms()
+ * It always returns 1
+ */
+ SSL_library_init();
-void deinitOpenSsl()
-{
- opensslUninstallLocks();
- CONF_modules_unload(1);
- EVP_cleanup();
- ERR_free_strings();
- deinitOpenSslThread();
-}
+ // load default configuration (/etc/ssl/openssl.cnf)
+ OPENSSL_config(NULL);
+ // Loads all error strings (crypto and ssl)
+ SSL_load_error_strings();
-void deinitOpenSslThread()
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_thread_state(NULL);
+ // Install locks for multithreading support
+ opensslInstallLocks();
}
-namespace {
std::mutex cryptoInitMutex;
void initOpenSslAndDetach();
@@ -159,22 +140,24 @@ std::atomic<initFnPtr> initFn(&initOpenSslAndDetach);
void initEmpty() {}
+// this function will be called only once by initOpenSslOnce for library client
void initOpenSslAndDetach()
{
// DCLP
std::lock_guard<std::mutex> lock(cryptoInitMutex);
/*
- * We don't care about memory ordering here. Current thread will order it correctly and for
- * other threads only store matters. Also only one thread can be here at once because of lock.
+ * We don't care about memory ordering here. Current thread will order it
+ * correctly and for other threads only store matters. Also only one thread
+ * can be here at once because of lock.
*/
if (initFn.load(std::memory_order_relaxed) != &initEmpty) {
- initOpenSsl();
+ initOpenSsl(true);
/*
- * Synchronizes with load. Everything that happened before this store in this thread is
- * visible to everything that happens after load in another thread. We switch to an empty
- * function here.
+ * Synchronizes with load. Everything that happened before this store in
+ * this thread is visible to everything that happens after load in another
+ * thread. We switch to an empty function here.
*/
initFn.store(&initEmpty, std::memory_order_release);
}
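Review bot: `initOpenSsl(true)` returns right after `OpenSSL_add_all_algorithms()`, so a process that uses the client library from several threads no longer gets OpenSSL locking callbacks from this code. The calls used in this file (`ERR_remove_thread_state`, `OPENSSL_config`) suggest an OpenSSL older than 1.1.0, where thread safety depends on those callbacks being installed by someone. I would state the requirement at this call: `// library path: no locking callbacks are installed here; on OpenSSL < 1.1.0 the host process must install them before multi-threaded use`. The new header comment "will be called only once" is also slightly off, since several threads can enter before the store and only the guarded body runs once. The function's closing brace is outside this hunk.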
@@ -182,13 +165,33 @@ void initOpenSslAndDetach()
} // namespace anonymous
+void initOpenSsl()
+{
+ initOpenSsl(false);
+}
+
+void deinitOpenSsl()
+{
+ opensslUninstallLocks();
+ CONF_modules_free(); // cleanup of OPENSSL_config
+ EVP_cleanup(); // cleanup of OpenSSL_add_all_algorithms
+ ERR_free_strings(); //cleanup of SSL_load_error_strings
+ deinitOpenSslThread();
+}
+
+void deinitOpenSslThread()
+{
+ CRYPTO_cleanup_all_ex_data();
+ ERR_remove_thread_state(NULL);
+}
+
void initOpenSslOnce()
{
/*
- * Synchronizes with store. Everything that happened before store in another thread will be
- * visible in this thread after load.
+ * Synchronizes with store. Everything that happened before store in another
+ * thread will be visible in this thread after load.
*/
initFn.load(std::memory_order_acquire)();
}
-} /* namespace CKM */
+} // namespace CKM
diff --git a/src/manager/common/crypto-init.h b/src/manager/common/crypto-init.h
index e2419b18..d8abecae 100644
--- a/src/manager/common/crypto-init.h
+++ b/src/manager/common/crypto-init.h
@@ -23,11 +23,26 @@
#include <symbol-visibility.h>
namespace CKM {
+// Remarks!
+// These functions are used carefully depending on library / executable client.
+//
+// Init/deinit locking functions are only available for executable client
+// (it's key-manager daemon)
+//
+// For library client, locking functions are not supported because it can make
+// undefined behavior(usually segmentation fault) when the client is used as
+// plugin(dynamic loaded) because there's probability of openssl's locking function
+// being init/deinit on multiple plugins.
+// Must be called once manually because it'll handle openssl locking functions.
+// Only for server.
COMMON_API void initOpenSsl();
COMMON_API void deinitOpenSsl();
+// deinit for every service thread on server.
COMMON_API void deinitOpenSslThread();
+
+// init for client or common libraries.
+// It'll only do OpenSSL_add_all_algorithms
COMMON_API void initOpenSslOnce();
} // namespace CKM
-
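Review bot: `initOpenSsl()` and `deinitOpenSsl()` stay exported through `COMMON_API`, so a dynamically loaded client can still call them and hit the lock install/uninstall clash that the remark describes as daemon-only. The two lines starting `Must be called once manually` also follow the library-client paragraph without a break, which leaves it unclear which declarations they describe. I would put the restriction directly above the declarations, e.g. `// Server (key-manager daemon) only: installs/removes the OpenSSL locking callbacks. Never call from library or plugin code.`, and separate it from the paragraph above with a blank comment line.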
diff --git a/src/manager/main/cynara-mockup.cpp b/src/manager/main/cynara-mockup.cpp
deleted file mode 100644
index 733bae2f..00000000
--- a/src/manager/main/cynara-mockup.cpp
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file cynara-mockup.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Mockup for cynara used in ckm-tests.
- */
-#include <string>
-
-#include <cynara.h>
-
-namespace CKM {
-
-Cynara::Cynara(GenericSocketManager *socketManager) :
- m_socketManager(socketManager),
- m_cynara(nullptr)
-{
-}
-
-void Cynara::Request(
- const std::string &,
- const std::string &,
- const std::string &,
- const std::string &,
- StatusCallback callback)
-{
- callback(true);
-}
-
-void Cynara::ProcessSocket() {}
-
-Cynara::~Cynara() {}
-
-void Cynara::ChangeStatus(
- int,
- int,
- cynara_async_status)
-{
-}
-
-void Cynara::ProcessResponse(
- cynara_check_id,
- cynara_async_call_cause,
- int)
-{
-}
-
-void Cynara::SendRequest(
- const std::string &,
- const std::string &,
- const std::string &,
- const std::string &,
- StatusCallback)
-{
-}
-
-void Cynara::ChangeStatusCallback(
- int,
- int,
- cynara_async_status,
- void *)
-{
-}
-
-void Cynara::ProcessResponseCallback(
- cynara_check_id,
- cynara_async_call_cause,
- int,
- void *)
-{
-}
-
-bool Cynara::GetUserFromSocket(
- int,
- std::string &)
-{
- return true;
-}
-
-bool Cynara::GetClientFromSocket(
- int,
- std::string &)
-{
- return true;
-}
-
-} // namespace CKM
diff --git a/src/manager/main/socket-2-id-mockup.cpp b/src/manager/main/socket-2-id-mockup.cpp
deleted file mode 100644
index 222976d5..00000000
--- a/src/manager/main/socket-2-id-mockup.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file socket-2-id-mockup.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- */
-#include <string>
-
-#include <dpl/log/log.h>
-#include <protocols.h>
-#include <socket-2-id.h>
-
-namespace {
-
-int getPkgIdFromSmack(const std::string &smack, std::string &pkgId)
-{
- static const std::string SMACK_PREFIX_APPID = "User::App::";
-
- if (smack.empty()) {
- LogError("Smack is empty. Connection will be rejected");
- return -1;
- }
-
- if (smack.compare(0, SMACK_PREFIX_APPID.size(), SMACK_PREFIX_APPID)) {
- pkgId = "/" + smack;
- LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
- return 0;
- }
-
- std::string appId = smack.substr(SMACK_PREFIX_APPID.size(), std::string::npos);
-
- if (appId.empty()) {
- LogError("After conversion (smack->pkgId) pkgId is empty. Label: " << appId);
- return -1;
- }
-
- pkgId = std::move(appId);
- LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
- return 0;
-}
-
-} // namespace anonymous
-
-namespace CKM {
-
-int Socket2Id::translate(int sock, std::string &result)
-{
- std::string smack;
- std::string pkgId;
-
- if (0 > getCredentialsFromSocket(sock, smack))
- return -1;
-
- if (0 > getPkgIdFromSmack(smack, pkgId))
- return -1;
-
- mapToDomainLabel(pkgId);
-
- result = std::move(pkgId);
- return 0;
-}
-
-} // namespace CKM
-
diff --git a/src/manager/main/socket-2-id-wrapper.cpp b/src/manager/main/socket-2-id-wrapper.cpp
deleted file mode 100644
index 2eb9f369..00000000
--- a/src/manager/main/socket-2-id-wrapper.cpp
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file socket-2-id-wrapper.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- */
-#include <string>
-
-#include <security-manager.h>
-
-#include <dpl/log/log.h>
-#include <protocols.h>
-#include <socket-2-id.h>
-
-namespace {
-
-int getPkgIdFromSocket(int sock, std::string &pkgId)
-{
- char *pkg = nullptr;
-
- int ret = security_manager_identify_app_from_socket(sock, &pkg, nullptr);
-
- if (ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT) {
- LogInfo("Owner of socket is not connected with pkgid. "
- "This case must be special-labled client. e.g. User, System");
- return 1;
- }
-
- if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("security_manager_identify_app_from_socket failed with error: "
- << ret);
- return -1;
- }
-
- pkgId = pkg;
- free(pkg);
- LogDebug("Socket: " << sock << " Was translated to owner id: " << pkgId);
- return 0;
-}
-
-} // namespace anonymous
-
-namespace CKM {
-
-int Socket2Id::translate(int sock, std::string &result)
-{
- std::string smack;
-
- if (0 > getCredentialsFromSocket(sock, smack))
- return -1;
-
- StringMap::iterator it = m_stringMap.find(smack);
-
- if (it != m_stringMap.end()) {
- result = it->second;
- return 0;
- }
-
- std::string pkgId;
- int retCode = getPkgIdFromSocket(sock, pkgId);
-
- if (retCode < 0)
- return -1;
-
- if (retCode == 1) {
- LogInfo("Special smack label case. label: " << smack);
- pkgId = "/" + smack;
- }
-
- mapToDomainLabel(pkgId);
-
- result = pkgId;
- m_stringMap.emplace(std::move(smack), std::move(pkgId));
- return 0;
-}
-
-} // namespace CKM
-
diff --git a/src/manager/main/socket-2-id.cpp b/src/manager/main/socket-2-id.cpp
index b6f43c08..ea0b50ab 100644
--- a/src/manager/main/socket-2-id.cpp
+++ b/src/manager/main/socket-2-id.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,6 +22,8 @@
#include <sys/types.h>
#include <sys/socket.h>
+#include <security-manager.h>
+
#include <dpl/log/log.h>
#include <protocols.h>
#include <socket-2-id.h>
@@ -30,6 +32,30 @@ namespace CKM {
namespace {
+int getPkgIdFromSocket(int sock, std::string &pkgId)
+{
+ char *pkg = nullptr;
+
+ int ret = security_manager_identify_app_from_socket(sock, &pkg, nullptr);
+
+ if (ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT) {
+ LogInfo("Owner of socket is not connected with pkgid. "
+ "This case must be special-labled client. e.g. User, System");
+ return 1;
+ }
+
+ if (ret != SECURITY_MANAGER_SUCCESS) {
+ LogError("security_manager_identify_app_from_socket failed with error: "
+ << ret);
+ return -1;
+ }
+
+ pkgId = pkg;
+ free(pkg);
+ LogDebug("Socket: " << sock << " Was translated to owner id: " << pkgId);
+ return 0;
+}
+
int assignToString(std::vector<char> &vec, socklen_t len, std::string &res)
{
if (vec.size() <= len)
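Review bot: `pkgId = pkg;` in `getPkgIdFromSocket` uses `pkg` without checking it, and if the string assignment throws, the buffer returned by `security_manager_identify_app_from_socket` is never freed. Nothing visible here rules out a success return with `pkg` still null, so I would add `if (pkg == nullptr) return -1;` after the status checks and hold the buffer with `std::unique_ptr<char, decltype(&free)> holder(pkg, free);` instead of the bare `free(pkg)`. The hunk that adds `<security-manager.h>` does not add `<cstdlib>` for `free`, and `<memory>` would be needed for the guard; whether either is already included is not visible. Since the return value feeds the owner id used by `Socket2Id::translate`, the `1` result deserves a named constant or a comment rather than a bare literal.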
@@ -87,5 +113,37 @@ void Socket2Id::resetCache()
m_stringMap.clear();
}
+int Socket2Id::translate(int sock, std::string &result)
+{
+ std::string smack;
+
+ if (0 > getCredentialsFromSocket(sock, smack))
+ return -1;
+
+ StringMap::iterator it = m_stringMap.find(smack);
+
+ if (it != m_stringMap.end()) {
+ result = it->second;
+ return 0;
+ }
+
+ std::string pkgId;
+ int retCode = getPkgIdFromSocket(sock, pkgId);
+
+ if (retCode < 0)
+ return -1;
+
+ if (retCode == 1) {
+ LogInfo("Special smack label case. label: " << smack);
+ pkgId = "/" + smack;
+ }
+
+ mapToDomainLabel(pkgId);
+
+ result = pkgId;
+ m_stringMap.emplace(std::move(smack), std::move(pkgId));
+ return 0;
+}
+
} // namespace CKM
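Review bot: `Socket2Id::translate` caches the `"/" + smack` fallback in `m_stringMap` exactly like a real package id, so a label that security-manager did not know at first contact keeps that owner id until `resetCache()` runs, and nothing in this hunk shows when that happens. I would document the contract on the function: `// Returns 0 and sets result to the owner id, -1 on failure. Results are cached per Smack label; call resetCache() whenever the installed package set changes.` The bare `retCode == 1` check should also carry a comment tying it to the "no package for this socket" case of `getPkgIdFromSocket`. Whether `m_stringMap` can be reached from more than one thread is not visible here and should be confirmed.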
diff --git a/tools/ckm_db_tool/CMakeLists.txt b/tools/ckm_db_tool/CMakeLists.txt
index 5790b7c2..cd8d413f 100644
--- a/tools/ckm_db_tool/CMakeLists.txt
+++ b/tools/ckm_db_tool/CMakeLists.txt
@@ -11,6 +11,7 @@ PKG_CHECK_MODULES(CKM_DB_TOOL_DEP
libxml-2.0
cynara-client-async
cynara-creds-socket
+ security-manager
)
FIND_PACKAGE(Threads REQUIRED)
@@ -56,7 +57,6 @@ SET(CKM_DB_TOOL_SOURCES
${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
${KEY_MANAGER_PATH}/main/smack-check.cpp
${KEY_MANAGER_PATH}/main/socket-2-id.cpp
- ${KEY_MANAGER_PATH}/main/socket-2-id-mockup.cpp
${KEY_MANAGER_PATH}/main/socket-manager.cpp
${KEY_MANAGER_PATH}/main/thread-service.cpp
${KEY_MANAGER_PATH}/service/access-control.cpp