author | Kyungwook Tak <k.tak@samsung.com> | 2016-12-15 14:47:50 +0900 |
---|---|---|
committer | Kyungwook Tak <k.tak@samsung.com> | 2016-12-15 14:48:00 +0900 |
commit | b01ca066810194616b23bb56e3d2136891213730 (patch) | |
tree | 50b76785263b596d62281e7f0781209833844e85 | |
parent | 592432e551bd61800d488a0bf6b4a52762445e58 (diff) | |
parent | 0f1b2b060f31cc5b7abcb24fd8aae5ef4b9ad038 (diff) | |
Merge branch 'tizen' into tizen_3.0submit/tizen_3.0/20161215.064317accepted/tizen/3.0/wearable/20161216.083506accepted/tizen/3.0/tv/20161216.083451accepted/tizen/3.0/mobile/20161216.083416accepted/tizen/3.0/ivi/20161216.083519accepted/tizen/3.0/common/20161216.123335
- Stop adding the openssl locking function on client
Change-Id: Ifbf8960970a7395ccbd5e0f953d97314c8fbf926
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
-rw-r--r-- | LICENSE.BSD-3-Clause (renamed from LICENSE.BSD-2.0) | 0 | ||||
-rw-r--r-- | packaging/key-manager.spec | 17 | ||||
-rw-r--r-- | src/CMakeLists.txt | 13 | ||||
-rw-r--r-- | src/manager/common/crypto-init.cpp | 91 | ||||
-rw-r--r-- | src/manager/common/crypto-init.h | 17 | ||||
-rw-r--r-- | src/manager/main/cynara-mockup.cpp | 101 | ||||
-rw-r--r-- | src/manager/main/socket-2-id-mockup.cpp | 78 | ||||
-rw-r--r-- | src/manager/main/socket-2-id-wrapper.cpp | 92 | ||||
-rw-r--r-- | src/manager/main/socket-2-id.cpp | 60 | ||||
-rw-r--r-- | tools/ckm_db_tool/CMakeLists.txt | 2 |
10 files changed, 132 insertions, 339 deletions
diff --git a/LICENSE.BSD-2.0 b/LICENSE.BSD-3-Clause
index 5658a940..5658a940 100644
--- a/LICENSE.BSD-2.0
+++ b/LICENSE.BSD-3-Clause
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index c6089ded..8ec74d6b 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -6,8 +6,8 @@ Name: key-manager
 Summary: Central Key Manager and utilities
 Version: 0.1.23
 Release: 1
-Group: System/Security
-License: Apache-2.0 and BSL-1.0 and BSD-2.0
+Group: Security/Secure Storage
+License: Apache-2.0 and BSL-1.0 and BSD-3-Clause
 Source0: %{name}-%{version}.tar.gz
 Source1001: key-manager-pam-plugin.manifest
 Source1002: libkey-manager-client.manifest
@@ -66,7 +66,7 @@ application to sign and verify (DSA/RSA/ECDSA) signatures.
 
 %package -n libkey-manager-common
 Summary: Central Key Manager (common libraries)
-Group: Development/Libraries
+Group: Security/Libraries
 Requires(post): %{sbin_dir}/ldconfig
 Requires(postun): %{sbin_dir}/ldconfig
 
@@ -75,7 +75,7 @@ Central Key Manager package (common library)
 
 %package -n libkey-manager-client
 Summary: Central Key Manager (client)
-Group: Development/Libraries
+Group: Security/Libraries
 Requires: key-manager = %{version}-%{release}
 Requires: libkey-manager-common = %{version}-%{release}
 Requires(post): %{sbin_dir}/ldconfig
@@ -86,7 +86,7 @@ Central Key Manager package (client)
 
 %package -n libkey-manager-client-devel
 Summary: Central Key Manager (client-devel)
-Group: Development/Libraries
+Group: Security/Development
 BuildRequires: pkgconfig(capi-base-common)
 Requires: pkgconfig(capi-base-common)
 Requires: libkey-manager-client = %{version}-%{release}
@@ -96,7 +96,7 @@ Central Key Manager package (client-devel)
 
 %package -n key-manager-tests
 Summary: Internal test for key-manager
-Group: Development
+Group: Security/Testing
 BuildRequires: pkgconfig(libxml-2.0)
 Requires: boost-test
 Requires: key-manager = %{version}-%{release}
@@ -106,7 +106,7 @@ Internal test for key-manager implementation.
 
 %package -n key-manager-pam-plugin
 Summary: CKM login/password module to PAM
-Group: Development/Libraries
+Group: Security/Libraries
 BuildRequires: pam-devel
 Requires: key-manager = %{version}-%{release}
 Requires(post): %{sbin_dir}/ldconfig
@@ -143,7 +143,6 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions "
 -DUSER_NAME=%{user_name} \
 -DGROUP_NAME=%{group_name} \
 -DSMACK_DOMAIN_NAME=%{smack_domain_name} \
- -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} \
 -DOLD_RW_DATA_DIR=%{old_rw_data_dir} \
 -DRW_DATA_DIR=%{rw_data_dir} \
 -DRO_DATA_DIR=%{ro_data_dir} \
@@ -245,7 +244,7 @@ fi
 %manifest key-manager.manifest
 %license LICENSE
 %license LICENSE.BSL-1.0
-%license LICENSE.BSD-2.0
+%license LICENSE.BSD-3-Clause
 %{bin_dir}/key-manager
 %{_unitdir}/multi-user.target.wants/central-key-manager.service
 %{_unitdir}/central-key-manager.service
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 02f8e395..a784d15b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -26,19 +26,8 @@ FIND_PACKAGE(Threads REQUIRED)
 SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src)
 SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager)
 
-IF (MOCKUP_SM MATCHES "ON")
- IF (CMAKE_BUILD_TYPE MATCHES "RELEASE")
- MESSAGE(FATAL_ERROR "You cannot compile release version with SECURITY MOCKUPS!")
- ENDIF (CMAKE_BUILD_TYPE MATCHES "RELEASE")
- MESSAGE("USING MOCKUPS INSTEAD SECURITY MODULES (SECURITY MANAGER AND CYNARA)")
- SET(SECURITY_MANAGER_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id-mockup.cpp)
- SET(CYNARA_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/cynara-mockup.cpp)
-ELSE (MOCKUP_SM MATCHES "ON")
- SET(SECURITY_MANAGER_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id-wrapper.cpp)
- SET(CYNARA_WRAPPER_PATH ${KEY_MANAGER_PATH}/main/cynara.cpp)
-ENDIF (MOCKUP_SM MATCHES "ON")
-
 SET(KEY_MANAGER_SOURCES
+ ${KEY_MANAGER_PATH}/main/cynara.cpp
 ${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
 ${KEY_MANAGER_PATH}/main/key-manager-main.cpp
 ${KEY_MANAGER_PATH}/main/smack-check.cpp
diff --git a/src/manager/common/crypto-init.cpp b/src/manager/common/crypto-init.cpp
index 99822997..573a4d63 100644
--- a/src/manager/common/crypto-init.cpp
+++ b/src/manager/common/crypto-init.cpp
@@ -81,33 +81,18 @@ void opensslUninstallLocks()
 g_mutexes = NULL;
 }
 
-} // namespace anonymous
-
-
-void initOpenSsl()
+void initOpenSsl(bool isLib)
 {
- // Loads all error strings (crypto and ssl)
- SSL_load_error_strings();
-
 /*
 * Initialize libcrypto (add all algorithms, digests & ciphers)
 * It also does the stuff from SSL_library_init() except for ssl_load_ciphers()
 */
 OpenSSL_add_all_algorithms(); // Can be optimized by using EVP_add_cipher instead
 
- /*
- * Initialize libssl (OCSP uses it)
- * SSL_library_init() == OpenSSL_add_ssl_algorithms()
- * It always returns 1
- */
- SSL_library_init();
-
- // load default configuration (/etc/ssl/openssl.cnf)
- OPENSSL_config(NULL);
+ if (isLib)
+ return;
 
- // enable FIPS mode by default
- if (0 == FIPS_mode_set(1))
- LogWarning("Failed to set FIPS mode. Key-manager will be operated in non FIPS mode.");
+ // below initializes only for executable client. (key-manager daemon)
 
 /*
 * Initialize entropy
@@ -128,26 +113,22 @@ void initOpenSsl()
 LogError("Error in U_RAND_file_load");
 }
 
- // Install locks for multithreading support
- opensslInstallLocks();
-}
+ /*
+ * Initialize libssl (OCSP uses it)
+ * SSL_library_init() == OpenSSL_add_ssl_algorithms()
+ * It always returns 1
+ */
+ SSL_library_init();
 
-void deinitOpenSsl()
-{
- opensslUninstallLocks();
- CONF_modules_unload(1);
- EVP_cleanup();
- ERR_free_strings();
- deinitOpenSslThread();
-}
+ // load default configuration (/etc/ssl/openssl.cnf)
+ OPENSSL_config(NULL);
 
+ // Loads all error strings (crypto and ssl)
+ SSL_load_error_strings();
 
-void deinitOpenSslThread()
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_thread_state(NULL);
+ // Install locks for multithreading support
+ opensslInstallLocks();
 }
 
-namespace {
 std::mutex cryptoInitMutex;
 void initOpenSslAndDetach();
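Review bot: The rewrite of initOpenSsl drops the `FIPS_mode_set(1)` call and its LogWarning together with the locking change, yet the commit message only talks about the client locking function, so the daemon silently stops requesting FIPS mode. Either restore it on the daemon path (after `OPENSSL_config(NULL);` in the second hunk) or record the decision next to the early return, e.g. `// FIPS mode is no longer requested here; see <ticket or rationale placeholder>`. The library path now returns before `SSL_load_error_strings()` is reached, so ERR_error_string output in library clients will be numeric codes only — presumably acceptable, but a one-line comment on `if (isLib)` saying what the library path deliberately skips would spare the next reader the diff archaeology. initOpenSsl spans this hunk and the one at -128 below it.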
@@ -159,22 +140,24 @@ std::atomic<initFnPtr> initFn(&initOpenSslAndDetach);
 void initEmpty() {}
 
 
+// this function will be called only once by initOpenSslOnce for library client
 void initOpenSslAndDetach()
 {
 // DCLP
 std::lock_guard<std::mutex> lock(cryptoInitMutex);
 
 /*
- * We don't care about memory ordering here. Current thread will order it correctly and for
- * other threads only store matters. Also only one thread can be here at once because of lock.
+ * We don't care about memory ordering here. Current thread will order it
+ * correctly and for other threads only store matters. Also only one thread
+ * can be here at once because of lock.
 */
 if (initFn.load(std::memory_order_relaxed) != &initEmpty) {
- initOpenSsl();
+ initOpenSsl(true);
 
 /*
- * Synchronizes with load. Everything that happened before this store in this thread is
- * visible to everything that happens after load in another thread. We switch to an empty
- * function here.
+ * Synchronizes with load. Everything that happened before this store in
+ * this thread is visible to everything that happens after load in another
+ * thread. We switch to an empty function here.
 */
 initFn.store(&initEmpty, std::memory_order_release);
 }
@@ -182,13 +165,33 @@ void initOpenSslAndDetach()
 } // namespace anonymous
 
 
+void initOpenSsl()
+{
+ initOpenSsl(false);
+}
+
+void deinitOpenSsl()
+{
+ opensslUninstallLocks();
+ CONF_modules_free(); // cleanup of OPENSSL_config
+ EVP_cleanup(); // cleanup of OpenSSL_add_all_algorithms
+ ERR_free_strings(); //cleanup of SSL_load_error_strings
+ deinitOpenSslThread();
+}
+
+void deinitOpenSslThread()
+{
+ CRYPTO_cleanup_all_ex_data();
+ ERR_remove_thread_state(NULL);
+}
+
 void initOpenSslOnce()
 {
 /*
- * Synchronizes with store. Everything that happened before store in another thread will be
- * visible in this thread after load.
+ * Synchronizes with store. Everything that happened before store in another
+ * thread will be visible in this thread after load.
 */
 initFn.load(std::memory_order_acquire)();
 }
 
-} /* namespace CKM */
+} // namespace CKM
diff --git a/src/manager/common/crypto-init.h b/src/manager/common/crypto-init.h
index e2419b18..d8abecae 100644
--- a/src/manager/common/crypto-init.h
+++ b/src/manager/common/crypto-init.h
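Review bot: `deinitOpenSsl()` unconditionally runs `opensslUninstallLocks()`, `CONF_modules_free()` and `ERR_free_strings()`, but nothing in the .cpp records that it is the counterpart of the daemon-only `initOpenSsl()` and must not be invoked by a library client that only ran `initOpenSslOnce()` (whose path returns before any locks are installed). Suggest a comment above it: `// Counterpart of initOpenSsl() (daemon path only). Library clients that used initOpenSslOnce() must not call this.` Whether opensslUninstallLocks() tolerates locks that were never installed is decided by code outside this hunk, so the comment is the cheap safeguard until that is checked. Minor style: `//cleanup of SSL_load_error_strings` lacks the space after `//` that its two sibling comments use.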
@@ -23,11 +23,26 @@
 #include <symbol-visibility.h>
 
 namespace CKM {
 
+// Remarks!
+// These functions are used carefully depending on library / executable client.
+//
+// Init/deinit locking functions are only available for executable client
+// (it's key-manager daemon)
+//
+// For library client, locking functions are not supported because it can make
+// undefined behavior(usually segmentation fault) when the client is used as
+// plugin(dynamic loaded) because there's probability of openssl's locking function
+// being init/deinit on multiple plugins.
+// Must be called once manually because it'll handle openssl locking functions.
+// Only for server.
 COMMON_API void initOpenSsl();
 COMMON_API void deinitOpenSsl();
+// deinit for every service thread on server.
 COMMON_API void deinitOpenSslThread();
+
+// init for client or common libraries.
+// It'll only do OpenSSL_add_all_algorithms
 COMMON_API void initOpenSslOnce();
 
 } // namespace CKM
-
diff --git a/src/manager/main/cynara-mockup.cpp b/src/manager/main/cynara-mockup.cpp
deleted file mode 100644
index 733bae2f..00000000
--- a/src/manager/main/cynara-mockup.cpp
+++ /dev/null
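Review bot: The new remarks explain why no locking callbacks are installed for the library client but not what that means for its callers: with the pre-1.1.0 OpenSSL API this code appears to use (locking callbacks, `ERR_remove_thread_state`, `SSL_library_init`), a library client that drives libcrypto from several threads is only safe if the host process installs its own locking callback. Suggest adding after `// It'll only do OpenSSL_add_all_algorithms`: `// No locking callbacks are installed; thread safety of OpenSSL use is the host process's responsibility.` The sentence `These functions are used carefully depending on library / executable client.` would read more clearly as `Which of these functions to call depends on whether the caller is the daemon or a library client.`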
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file cynara-mockup.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Mockup for cynara used in ckm-tests.
- */
-#include <string>
-
-#include <cynara.h>
-
-namespace CKM {
-
-Cynara::Cynara(GenericSocketManager *socketManager) :
- m_socketManager(socketManager),
- m_cynara(nullptr)
-{
-}
-
-void Cynara::Request(
- const std::string &,
- const std::string &,
- const std::string &,
- const std::string &,
- StatusCallback callback)
-{
- callback(true);
-}
-
-void Cynara::ProcessSocket() {}
-
-Cynara::~Cynara() {}
-
-void Cynara::ChangeStatus(
- int,
- int,
- cynara_async_status)
-{
-}
-
-void Cynara::ProcessResponse(
- cynara_check_id,
- cynara_async_call_cause,
- int)
-{
-}
-
-void Cynara::SendRequest(
- const std::string &,
- const std::string &,
- const std::string &,
- const std::string &,
- StatusCallback)
-{
-}
-
-void Cynara::ChangeStatusCallback(
- int,
- int,
- cynara_async_status,
- void *)
-{
-}
-
-void Cynara::ProcessResponseCallback(
- cynara_check_id,
- cynara_async_call_cause,
- int,
- void *)
-{
-}
-
-bool Cynara::GetUserFromSocket(
- int,
- std::string &)
-{
- return true;
-}
-
-bool Cynara::GetClientFromSocket(
- int,
- std::string &)
-{
- return true;
-}
-
-} // namespace CKM
diff --git a/src/manager/main/socket-2-id-mockup.cpp b/src/manager/main/socket-2-id-mockup.cpp
deleted file mode 100644
index 222976d5..00000000
--- a/src/manager/main/socket-2-id-mockup.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file socket-2-id-mockup.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- */
-#include <string>
-
-#include <dpl/log/log.h>
-#include <protocols.h>
-#include <socket-2-id.h>
-
-namespace {
-
-int getPkgIdFromSmack(const std::string &smack, std::string &pkgId)
-{
- static const std::string SMACK_PREFIX_APPID = "User::App::";
-
- if (smack.empty()) {
- LogError("Smack is empty. Connection will be rejected");
- return -1;
- }
-
- if (smack.compare(0, SMACK_PREFIX_APPID.size(), SMACK_PREFIX_APPID)) {
- pkgId = "/" + smack;
- LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
- return 0;
- }
-
- std::string appId = smack.substr(SMACK_PREFIX_APPID.size(), std::string::npos);
-
- if (appId.empty()) {
- LogError("After conversion (smack->pkgId) pkgId is empty. Label: " << appId);
- return -1;
- }
-
- pkgId = std::move(appId);
- LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
- return 0;
-}
-
-} // namespace anonymous
-
-namespace CKM {
-
-int Socket2Id::translate(int sock, std::string &result)
-{
- std::string smack;
- std::string pkgId;
-
- if (0 > getCredentialsFromSocket(sock, smack))
- return -1;
-
- if (0 > getPkgIdFromSmack(smack, pkgId))
- return -1;
-
- mapToDomainLabel(pkgId);
-
- result = std::move(pkgId);
- return 0;
-}
-
-} // namespace CKM
-
diff --git a/src/manager/main/socket-2-id-wrapper.cpp b/src/manager/main/socket-2-id-wrapper.cpp
deleted file mode 100644
index 2eb9f369..00000000
--- a/src/manager/main/socket-2-id-wrapper.cpp
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file socket-2-id-wrapper.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- */
-#include <string>
-
-#include <security-manager.h>
-
-#include <dpl/log/log.h>
-#include <protocols.h>
-#include <socket-2-id.h>
-
-namespace {
-
-int getPkgIdFromSocket(int sock, std::string &pkgId)
-{
- char *pkg = nullptr;
-
- int ret = security_manager_identify_app_from_socket(sock, &pkg, nullptr);
-
- if (ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT) {
- LogInfo("Owner of socket is not connected with pkgid. "
- "This case must be special-labled client. e.g. User, System");
- return 1;
- }
-
- if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("security_manager_identify_app_from_socket failed with error: "
- << ret);
- return -1;
- }
-
- pkgId = pkg;
- free(pkg);
- LogDebug("Socket: " << sock << " Was translated to owner id: " << pkgId);
- return 0;
-}
-
-} // namespace anonymous
-
-namespace CKM {
-
-int Socket2Id::translate(int sock, std::string &result)
-{
- std::string smack;
-
- if (0 > getCredentialsFromSocket(sock, smack))
- return -1;
-
- StringMap::iterator it = m_stringMap.find(smack);
-
- if (it != m_stringMap.end()) {
- result = it->second;
- return 0;
- }
-
- std::string pkgId;
- int retCode = getPkgIdFromSocket(sock, pkgId);
-
- if (retCode < 0)
- return -1;
-
- if (retCode == 1) {
- LogInfo("Special smack label case. label: " << smack);
- pkgId = "/" + smack;
- }
-
- mapToDomainLabel(pkgId);
-
- result = pkgId;
- m_stringMap.emplace(std::move(smack), std::move(pkgId));
- return 0;
-}
-
-} // namespace CKM
-
diff --git a/src/manager/main/socket-2-id.cpp b/src/manager/main/socket-2-id.cpp
index b6f43c08..ea0b50ab 100644
--- a/src/manager/main/socket-2-id.cpp
+++ b/src/manager/main/socket-2-id.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -22,6 +22,8 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 
+#include <security-manager.h>
+
 #include <dpl/log/log.h>
 #include <protocols.h>
 #include <socket-2-id.h>
@@ -30,6 +32,30 @@ namespace CKM {
 
 namespace {
 
+int getPkgIdFromSocket(int sock, std::string &pkgId)
+{
+ char *pkg = nullptr;
+
+ int ret = security_manager_identify_app_from_socket(sock, &pkg, nullptr);
+
+ if (ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT) {
+ LogInfo("Owner of socket is not connected with pkgid. "
+ "This case must be special-labled client. e.g. User, System");
+ return 1;
+ }
+
+ if (ret != SECURITY_MANAGER_SUCCESS) {
+ LogError("security_manager_identify_app_from_socket failed with error: "
+ << ret);
+ return -1;
+ }
+
+ pkgId = pkg;
+ free(pkg);
+ LogDebug("Socket: " << sock << " Was translated to owner id: " << pkgId);
+ return 0;
+}
+
 int assignToString(std::vector<char> &vec, socklen_t len, std::string &res)
 {
 if (vec.size() <= len)
@@ -87,5 +113,37 @@ void Socket2Id::resetCache()
 m_stringMap.clear();
 }
 
+int Socket2Id::translate(int sock, std::string &result)
+{
+ std::string smack;
+
+ if (0 > getCredentialsFromSocket(sock, smack))
+ return -1;
+
+ StringMap::iterator it = m_stringMap.find(smack);
+
+ if (it != m_stringMap.end()) {
+ result = it->second;
+ return 0;
+ }
+
+ std::string pkgId;
+ int retCode = getPkgIdFromSocket(sock, pkgId);
+
+ if (retCode < 0)
+ return -1;
+
+ if (retCode == 1) {
+ LogInfo("Special smack label case. label: " << smack);
+ pkgId = "/" + smack;
+ }
+
+ mapToDomainLabel(pkgId);
+
+ result = pkgId;
+ m_stringMap.emplace(std::move(smack), std::move(pkgId));
+ return 0;
+}
+
 } // namespace CKM
 
diff --git a/tools/ckm_db_tool/CMakeLists.txt b/tools/ckm_db_tool/CMakeLists.txt
index 5790b7c2..cd8d413f 100644
--- a/tools/ckm_db_tool/CMakeLists.txt
+++ b/tools/ckm_db_tool/CMakeLists.txt
@@ -11,6 +11,7 @@ PKG_CHECK_MODULES(CKM_DB_TOOL_DEP
 libxml-2.0
 cynara-client-async
 cynara-creds-socket
+ security-manager
 )
 
 FIND_PACKAGE(Threads REQUIRED)
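Review bot: In `getPkgIdFromSocket`, `pkgId = pkg;` runs on every `SECURITY_MANAGER_SUCCESS` return, and if the library ever hands back a null `pkg` (its contract is not visible here) assigning it to a std::string is undefined behaviour; a guard `if (pkg == nullptr) return -1;` before the assignment turns that into a rejected connection at no cost. `free(pkg)` also needs `<cstdlib>`, which the include hunk at -22 does not add unless `security-manager.h` pulls it in transitively. In `translate` (second hunk), the cache keys on the Smack label, so it assumes the label→pkgId answer from security-manager is stable for as long as the entry lives; `resetCache()` exists, so presumably that is managed, but a one-line comment stating the assumption above `StringMap::iterator it = m_stringMap.find(smack);` would make it auditable. The log text `special-labled`, carried over from the deleted wrapper, should read `special-labeled`.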
@@ -56,7 +57,6 @@ SET(CKM_DB_TOOL_SOURCES
 ${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
 ${KEY_MANAGER_PATH}/main/smack-check.cpp
 ${KEY_MANAGER_PATH}/main/socket-2-id.cpp
- ${KEY_MANAGER_PATH}/main/socket-2-id-mockup.cpp
 ${KEY_MANAGER_PATH}/main/socket-manager.cpp
 ${KEY_MANAGER_PATH}/main/thread-service.cpp
 ${KEY_MANAGER_PATH}/service/access-control.cpp