author | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2017-11-22 11:37:53 +0100 |
---|---|---|
committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2017-11-22 11:37:53 +0100 |
commit | 9682ce95dd4a079511c225be2839d93af4ecdc69 (patch) | |
tree | 84d4ae4b827525da57324ad0fa9fe6bccf6e8cad | |
parent | 40b139332568707e7f2009c997cc21a0f29ac326 (diff) | |
parent | 3874f0f942a1a22ce0ceb8e1799133f085536c27 (diff) | |
download | key-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.tar.gz key-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.tar.bz2 key-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.zip |
Merge branches 'tizen' and 'tizen_4.0' (refs: tizen_4.0.IoT.p2_release, submit/tizen_4.0/20171206.144625, accepted/tizen/4.0/unified/20171207.070809, tizen_4.0_tv)
Change-Id: I0e30db44df252ac6a5629542dfd9cea022a04971
-rw-r--r-- | src/manager/client-async/client-manager-async-impl.cpp | 4 | ||||
-rw-r--r-- | src/manager/client-async/client-manager-async-impl.h | 20 | ||||
-rw-r--r-- | src/manager/client-async/client-manager-async.cpp | 42 | ||||
-rw-r--r-- | src/manager/client-async/descriptor-set.cpp | 3 | ||||
-rw-r--r-- | src/manager/client-capi/ckmc-manager.cpp | 73 | ||||
-rw-r--r-- | src/manager/client/client-common.cpp | 3 | ||||
-rw-r--r-- | src/manager/client/client-manager-impl.cpp | 14 | ||||
-rw-r--r-- | src/manager/common/exception.h | 4 | ||||
-rw-r--r-- | src/manager/common/protocols.cpp | 13 | ||||
-rw-r--r-- | src/manager/dpl/log/src/dlog_log_provider.cpp | 10 | ||||
-rw-r--r-- | src/manager/main/thread-service.cpp | 7 | ||||
-rw-r--r-- | src/manager/service/ckm-logic.cpp | 20 | ||||
-rw-r--r-- | src/manager/service/db-row.h | 7 | ||||
-rw-r--r-- | src/manager/service/encryption-service.cpp | 1 | ||||
-rw-r--r-- | src/manager/service/key-provider.cpp | 30 | ||||
-rw-r--r-- | src/manager/service/ocsp.cpp | 62 |
16 files changed, 188 insertions, 125 deletions
diff --git a/src/manager/client-async/client-manager-async-impl.cpp b/src/manager/client-async/client-manager-async-impl.cpp
index 96454cbd..3837771e 100644
--- a/src/manager/client-async/client-manager-async-impl.cpp
+++ b/src/manager/client-async/client-manager-async-impl.cpp
@@ -42,7 +42,7 @@ void ManagerAsync::Impl::saveKey(const ObserverPtr &observer,
 {
 observerCheck(observer);
 
-if (alias.empty() || !key) {
+if (alias.empty() || !key || key->empty()) {
 observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
 return;
 }
@@ -62,7 +62,7 @@ void ManagerAsync::Impl::saveCertificate(const ObserverPtr &observer,
 {
 observerCheck(observer);
 
-if (alias.empty() || !cert) {
+if (alias.empty() || !cert || cert->empty()) {
 observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
 return;
 }
diff --git a/src/manager/client-async/client-manager-async-impl.h b/src/manager/client-async/client-manager-async-impl.h
index c0cfaab5..65f4970a 100644
--- a/src/manager/client-async/client-manager-async-impl.h
+++ b/src/manager/client-async/client-manager-async-impl.h
@@ -135,19 +135,11 @@ public:
 const T &trusted,
 bool useSystemTrustedCertificates)
 {
-observerCheck(observer);
+if (!certificate || certificate->empty())
+ThrowMsg(Exc::InputParam, "Empty certificate");
 
-if (!certificate) {
-observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
-return;
-}
-
-try_catch_async([&]() {
-sendToStorage(observer, static_cast<int>(command), m_counter,
-certificate->getDER(), untrusted, trusted, useSystemTrustedCertificates);
-}, [&observer](int error) {
-observer->ReceivedError(error);
-});
+sendToStorage(observer, static_cast<int>(command), m_counter,
+certificate->getDER(), untrusted, trusted, useSystemTrustedCertificates);
 }
 
 void crypt(
@@ -158,6 +150,8 @@ public:
 const RawBuffer &input,
 bool encryption);
 
+static void observerCheck(const ManagerAsync::ObserverPtr &observer);
+
 private:
 template <typename... Args>
 void sendToStorage(const ManagerAsync::ObserverPtr &observer,
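Review bot: Impl::getCertChain in client-manager-async-impl.h now reports a null or empty certificate by throwing `Exc::InputParam` instead of calling `observer->ReceivedError`, and it no longer runs `observerCheck` itself, but nothing in the header says so. Since it is a public member, a caller that invokes it outside `try_catch_async` would let the exception escape the async API instead of reaching the observer. Add a comment above the template (its signature starts outside the hunk): `// Throws Exc::InputParam on a null/empty certificate; the caller must run observerCheck() first and call this inside try_catch_async so the error reaches the observer.` The now-static `observerCheck` declaration in the second hunk deserves a matching one-liner saying what it does on a bad observer, which the hunk does not show.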
@@ -172,8 +166,6 @@ private:
 m_counter));
 }
 
-void observerCheck(const ManagerAsync::ObserverPtr &observer);
-
 typedef std::unique_ptr<ConnectionThread> ConnectionThreadPtr;
 
 ConnectionThreadPtr &thread()
diff --git a/src/manager/client-async/client-manager-async.cpp b/src/manager/client-async/client-manager-async.cpp
index 7ef0696a..471c8483 100644
--- a/src/manager/client-async/client-manager-async.cpp
+++ b/src/manager/client-async/client-manager-async.cpp
@@ -21,6 +21,7 @@
 #include <ckm/ckm-manager-async.h>
 #include <client-manager-async-impl.h>
+#include <exception.h>
 
 namespace CKM {
 
@@ -29,8 +30,11 @@ RawBufferVector toRawBufferVector(const CertificateShPtrVector &certificates)
 {
 RawBufferVector rawBufferVector;
 
-for (auto &e : certificates)
+for (auto &e : certificates) {
+if (!e || e->empty())
+ThrowMsg(Exc::InputParam, "Empty certificate");
 rawBufferVector.push_back(e->getDER());
+}
 
 return rawBufferVector;
 }
@@ -205,12 +209,18 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
 const CertificateShPtrVector &trustedCertificates,
 bool useSystemTrustedCertificates)
 {
-m_impl->getCertChain(observer,
-LogicCommand::GET_CHAIN_CERT,
-certificate,
-toRawBufferVector(untrustedCertificates),
-toRawBufferVector(trustedCertificates),
-useSystemTrustedCertificates);
+Impl::observerCheck(observer);
+
+try_catch_async([&]() {
+m_impl->getCertChain(observer,
+LogicCommand::GET_CHAIN_CERT,
+certificate,
+toRawBufferVector(untrustedCertificates),
+toRawBufferVector(trustedCertificates),
+useSystemTrustedCertificates);
+}, [&observer](int error) {
+observer->ReceivedError(error);
+});
 }
 
 void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
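Review bot: toRawBufferVector now throws `Exc::InputParam` for a null or empty certificate, which is only safe when the caller runs inside try_catch_async; the two getCertificateChain overloads updated in this commit do (the second is in the next hunk), but the helper is a plain function and any other user outside these hunks would let the exception escape the async API. State the contract above it: `// Throws Exc::InputParam if any element is null or empty; callers must be inside try_catch_async.` In getCertificateChain, `Impl::observerCheck(observer)` is placed before try_catch_async, so whatever it raises for a bad observer propagates to the caller instead of being routed to a missing observer — reasonable, but a one-line comment there would save the next reader the question.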
@@ -219,12 +229,18 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
 const AliasVector &trustedCertificates,
 bool useSystemTrustedCertificates)
 {
-m_impl->getCertChain(observer,
-LogicCommand::GET_CHAIN_ALIAS,
-certificate,
-toLabelNameVector(untrustedCertificates),
-toLabelNameVector(trustedCertificates),
-useSystemTrustedCertificates);
+Impl::observerCheck(observer);
+
+try_catch_async([&]() {
+m_impl->getCertChain(observer,
+LogicCommand::GET_CHAIN_ALIAS,
+certificate,
+toLabelNameVector(untrustedCertificates),
+toLabelNameVector(trustedCertificates),
+useSystemTrustedCertificates);
+}, [&observer](int error) {
+observer->ReceivedError(error);
+});
 }
 
 void ManagerAsync::createSignature(const ObserverPtr &observer,
diff --git a/src/manager/client-async/descriptor-set.cpp b/src/manager/client-async/descriptor-set.cpp
index 83442b2f..fdee29db 100644
--- a/src/manager/client-async/descriptor-set.cpp
+++ b/src/manager/client-async/descriptor-set.cpp
@@ -34,6 +34,8 @@ DescriptorSet::DescriptorSet() : m_dirty(true), m_fds(NULL)
 DescriptorSet::~DescriptorSet()
 {
 purge();
+
+delete[] m_fds;
 }
 
 void DescriptorSet::purge()
@@ -42,6 +44,7 @@ void DescriptorSet::purge()
 close(it.first);
 
 m_descriptors.clear();
+m_dirty = true;
 }
 
 void DescriptorSet::add(int fd, short events, Callback &&callback)
diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp
index 2aa3c48b..37dd14fc 100644
--- a/src/manager/client-capi/ckmc-manager.cpp
+++ b/src/manager/client-capi/ckmc-manager.cpp
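Review bot: DescriptorSet's destructor now frees `m_fds` with `delete[]`, which makes the class the owner of a raw array; unless copy construction and assignment are already deleted in the header (outside this hunk), an accidental copy would double-free it. Declare `DescriptorSet(const DescriptorSet &) = delete;` and `DescriptorSet &operator=(const DescriptorSet &) = delete;`, or hold the array in a `std::unique_ptr<T[]>` (T being whatever `m_fds` points to, not visible here) so the explicit delete disappears. Setting `m_dirty = true` in purge() correctly marks the cached array stale; a short comment there, `// descriptor table must be rebuilt after the set is emptied`, would explain why a purge touches the cache flag.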
@@ -45,22 +45,34 @@ inline CKM::Policy _toCkmPolicy(const ckmc_policy_s &policy)
 return CKM::Policy(_tostring(policy.password), policy.extractable);
 }
 
-inline CKM::KeyShPtr _toCkmKey(const ckmc_key_s *key)
+CKM::KeyShPtr _toCkmKey(const ckmc_key_s *key)
 {
-return (key == nullptr) ?
-CKM::KeyShPtr() :
-CKM::Key::create(
+if (key == nullptr)
+return CKM::KeyShPtr();
+
+auto ckmKey = CKM::Key::create(
 CKM::RawBuffer(key->raw_key, key->raw_key + key->key_size),
 _tostring(key->password));
+
+if (!ckmKey || ckmKey->empty())
+ThrowMsg(CKM::Exc::InvalidFormat, "Key parsing failed");
+
+return ckmKey;
 }
 
-inline CKM::CertificateShPtr _toCkmCertificate(const ckmc_cert_s *cert)
+CKM::CertificateShPtr _toCkmCertificate(const ckmc_cert_s *cert)
 {
-return (cert == nullptr) ?
-CKM::CertificateShPtr() :
-CKM::Certificate::create(
+if (cert == nullptr)
+return CKM::CertificateShPtr();
+
+auto ckmCert = CKM::Certificate::create(
 CKM::RawBuffer(cert->raw_cert, cert->raw_cert + cert->cert_size),
 static_cast<CKM::DataFormat>(static_cast<int>(cert->data_format)));
+
+if (!ckmCert || ckmCert->empty())
+ThrowMsg(CKM::Exc::InvalidFormat, "Certificate parsing failed");
+
+return ckmCert;
 }
 
 CKM::CertificateShPtrVector _toCkmCertificateVector(const ckmc_cert_list_s
@@ -101,6 +113,9 @@ ckmc_cert_list_s *_toNewCkmCertList(const CKM::CertificateShPtrVector
 ckmc_cert_list_s *plist = nullptr;
 
 for (const auto &e : certVector) {
+if (!e || e->empty())
+ThrowMsg(CKM::Exc::BadResponse, "Empty certificate received from server");
+
 auto rawBuffer = e->getDER();
 ckmc_cert_s *pcert = nullptr;
 int ret = ckmc_cert_new(rawBuffer.data(), rawBuffer.size(), CKMC_FORM_DER,
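Review bot: _toNewCkmCertList throws `CKM::Exc::BadResponse` from inside the loop that builds `plist`, after earlier iterations may already have allocated entries through ckmc_cert_new; unless the list is owned by a RAII guard outside the hunk, the partially built list leaks when the exception unwinds. Validate before allocating anything — a pre-pass at the top of the function, `for (const auto &e : certVector) if (!e || e->empty()) ThrowMsg(CKM::Exc::BadResponse, "Empty certificate received from server");` — or free `plist` before throwing. Separately, `_toCkmKey` and `_toCkmCertificate` lose their `inline` here; if they are not inside an anonymous namespace (not visible in the hunk) they now have external linkage, and their new contract should be stated above each: `// Throws CKM::Exc::InvalidFormat when the buffer cannot be parsed; returns a null pointer only for a null argument.`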
@@ -223,6 +238,9 @@ int ckmc_get_key(const char *alias, const char *password, ckmc_key_s **key)
 if ((ret = mgr->getKey(alias, _tostring(password), ckmKey)) != CKM_API_SUCCESS)
 return to_ckmc_error(ret);
 
+if (!ckmKey || ckmKey->empty())
+return CKMC_ERROR_BAD_RESPONSE;
+
 auto buffer = ckmKey->getDER();
 return ckmc_key_new(
 buffer.data(),
@@ -287,13 +305,9 @@ int ckmc_save_cert(const char *alias, const ckmc_cert_s cert,
 if (alias == nullptr || cert.raw_cert == nullptr || cert.cert_size == 0)
 return CKMC_ERROR_INVALID_PARAMETER;
 
-auto ckmCert = _toCkmCertificate(&cert);
-
-if (!ckmCert)
-return CKMC_ERROR_INVALID_FORMAT;
-
 auto mgr = CKM::Manager::create();
-return to_ckmc_error(mgr->saveCertificate(CKM::Alias(alias), ckmCert,
+return to_ckmc_error(mgr->saveCertificate(CKM::Alias(alias),
+_toCkmCertificate(&cert),
 _toCkmPolicy(policy)));
 EXCEPTION_GUARD_END
@@ -324,6 +338,9 @@ int ckmc_get_cert(const char *alias, const char *password, ckmc_cert_s **cert)
 ckmCert)) != CKM_API_SUCCESS)
 return to_ckmc_error(ret);
 
+if (!ckmCert || ckmCert->empty())
+return CKMC_ERROR_BAD_RESPONSE;
+
 auto buffer = ckmCert->getDER();
 return ckmc_cert_new(buffer.data(), buffer.size(), CKMC_FORM_DER, cert);
@@ -424,6 +441,9 @@ int ckmc_get_pkcs12(const char *alias, const char *key_password,
 auto pkcsKey = pkcs->getKey();
 
 if (pkcsKey) {
+if (pkcsKey->empty())
+return CKMC_ERROR_BAD_RESPONSE;
+
 ckmc_key_s *private_key = nullptr;
 auto buffer = pkcsKey->getDER();
 ckmc_key_type_e keyType = static_cast<ckmc_key_type_e>(pkcsKey->getType());
@@ -439,6 +459,9 @@ int ckmc_get_pkcs12(const char *alias, const char *key_password,
 auto pkcsCert = pkcs->getCertificate();
 
 if (pkcsCert) {
+if (pkcsCert->empty())
+return CKMC_ERROR_BAD_RESPONSE;
+
 ckmc_cert_s *cert = nullptr;
 CKM::RawBuffer buffer = pkcsCert->getDER();
 ret = ckmc_cert_new(buffer.data(), buffer.size(), CKMC_FORM_DER, &cert);
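Review bot: In ckmc_get_pkcs12 the new `if (pkcsCert->empty()) return CKMC_ERROR_BAD_RESPONSE;` returns from the middle of the function after the preceding `if (pkcsKey)` block has, presumably via ckmc_key_new into `private_key`, already allocated a key; unless that pointer has been handed to the result struct or a RAII holder by this point — not visible in the hunk — the early return leaks it. Route the failure through the same cleanup the existing error path after `ckmc_cert_new` uses (set `ret = CKMC_ERROR_BAD_RESPONSE;` and fall into it) rather than returning directly. The `pkcsKey->empty()` check in the earlier hunk has the same shape but nothing is shown as allocated before it, so it is fine as written. ckmc_get_pkcs12's body starts and ends outside the hunk.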
@@ -716,15 +739,10 @@ int ckmc_get_cert_chain(const ckmc_cert_s *cert,
 cert_chain_list == nullptr)
 return CKMC_ERROR_INVALID_PARAMETER;
 
-auto ckmCert = _toCkmCertificate(cert);
-
-if (!ckmCert)
-return CKMC_ERROR_INVALID_FORMAT;
-
 CKM::CertificateShPtrVector ckmCertChain;
 auto mgr = CKM::Manager::create();
 int ret = mgr->getCertificateChain(
-ckmCert,
+_toCkmCertificate(cert),
 _toCkmCertificateVector(untrustedcerts),
 EMPTY_CERT_VECTOR,
 true,
@@ -750,14 +768,10 @@ int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert,
 cert_chain_list == nullptr)
 return CKMC_ERROR_INVALID_PARAMETER;
 
-auto ckmCert = _toCkmCertificate(cert);
-
-if (!ckmCert)
-return CKMC_ERROR_INVALID_FORMAT;
-
 CKM::CertificateShPtrVector ckmCertChain;
 auto mgr = CKM::Manager::create();
-int ret = mgr->getCertificateChain(ckmCert, _toCkmAliasVector(untrustedcerts),
+int ret = mgr->getCertificateChain(_toCkmCertificate(cert),
+_toCkmAliasVector(untrustedcerts),
 EMPTY_ALIAS_VECTOR, true, ckmCertChain);
 
 if (ret != CKM_API_SUCCESS)
@@ -783,15 +797,10 @@ int ckmc_get_cert_chain_with_trustedcert(const ckmc_cert_s *cert,
 ppcert_chain_list == nullptr)
 return CKMC_ERROR_INVALID_PARAMETER;
 
-auto ckmCert = _toCkmCertificate(cert);
-
-if (!ckmCert)
-return CKMC_ERROR_INVALID_PARAMETER;
-
 CKM::CertificateShPtrVector ckmCertChain;
 auto mgr = CKM::Manager::create();
 int ret = mgr->getCertificateChain(
-ckmCert,
+_toCkmCertificate(cert),
 _toCkmCertificateVector(untrustedcerts),
 _toCkmCertificateVector(trustedcerts),
 sys_certs,
diff --git a/src/manager/client/client-common.cpp b/src/manager/client/client-common.cpp
index 7cb11089..312f3340 100644
--- a/src/manager/client/client-common.cpp
+++ b/src/manager/client/client-common.cpp
@@ -40,6 +40,7 @@
 #include <ckm/ckm-error.h>
 #include <ckmc/ckmc-type.h>
 #include <client-common.h>
+#include <ckmc-type-converter.h>
 
 namespace {
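Review bot: The @@ -783 hunk changes the public return code of ckmc_get_cert_chain_with_trustedcert for an unparsable `cert`: the removed check returned `CKMC_ERROR_INVALID_PARAMETER`, while `_toCkmCertificate` now throws `CKM::Exc::InvalidFormat`, which the new catch in try_catch_enclosure (next hunk) converts through to_ckmc_error — presumably to the INVALID_FORMAT code the other two chain functions already returned. That harmonisation is probably intended, but it is an API-visible change that the public header's return-value documentation should reflect. All three functions now also depend on their bodies being wrapped in the EXCEPTION_GUARD macros (the ckmc_save_cert hunk shows `EXCEPTION_GUARD_END`; these functions' ends are outside the hunk), which is worth a comment at each call site: `// _toCkmCertificate() throws Exc::InvalidFormat; EXCEPTION_GUARD_END turns it into a return code`.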
@@ -345,6 +346,8 @@ int try_catch_enclosure(const std::function<int()> &func)
 {
 try {
 return func();
+} catch (const Exc::Exception &e) {
+return to_ckmc_error(e.error());
 } catch (const std::bad_alloc &e) {
 LogError("memory allocation exception: " << e.what());
 return CKMC_ERROR_OUT_OF_MEMORY;
diff --git a/src/manager/client/client-manager-impl.cpp b/src/manager/client/client-manager-impl.cpp
index f1b68bb1..fa4f5a9f 100644
--- a/src/manager/client/client-manager-impl.cpp
+++ b/src/manager/client/client-manager-impl.cpp
@@ -143,7 +143,7 @@ int Manager::Impl::saveBinaryData(
 int Manager::Impl::saveKey(const Alias &alias, const KeyShPtr &key,
 const Policy &policy)
 {
-if (key.get() == NULL)
+if (key.get() == NULL || key->empty())
 return CKM_API_ERROR_INPUT_PARAM;
 
 try {
@@ -159,7 +159,7 @@ int Manager::Impl::saveCertificate(
 const CertificateShPtr &cert,
 const Policy &policy)
 {
-if (cert.get() == NULL)
+if (cert.get() == NULL || cert->empty())
 return CKM_API_ERROR_INPUT_PARAM;
 
 return saveBinaryData(alias, DataType::CERTIFICATE, cert->getDER(), policy);
@@ -626,11 +626,17 @@ int Manager::Impl::getCertificateChain(
 if (!certificate || certificate->empty())
 return CKM_API_ERROR_INPUT_PARAM;
 
-for (auto &e : untrustedCertificates)
+for (auto &e : untrustedCertificates) {
+if (!e || e->empty())
+return CKM_API_ERROR_INPUT_PARAM;
 untrustedVector.push_back(e->getDER());
+}
 
-for (auto &e : trustedCertificates)
+for (auto &e : trustedCertificates) {
+if (!e || e->empty())
+return CKM_API_ERROR_INPUT_PARAM;
 trustedVector.push_back(e->getDER());
+}
 
 return getCertChain(
 m_storageConnection,
diff --git a/src/manager/common/exception.h b/src/manager/common/exception.h
index 874fbd0f..22188300 100644
--- a/src/manager/common/exception.h
+++ b/src/manager/common/exception.h
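Review bot: The new `catch (const Exc::Exception &e)` branch in try_catch_enclosure returns `to_ckmc_error(e.error())` without logging, while the sibling `std::bad_alloc` branch logs before returning; if the `PrintDebug` policy on the Exc types already logs at throw time that is fine, otherwise add `LogError("CKM exception, error: " << e.error());` so a client-side InvalidFormat/BadResponse leaves a trace. Style point on client-manager-impl.cpp: saveKey and saveCertificate test `key.get() == NULL || key->empty()`, whereas getCertificateChain in the same file (and the async impl in this commit) uses `!certificate || certificate->empty()`; prefer the latter form in both, e.g. `if (!key || key->empty())`.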
@@ -124,6 +124,10 @@ using InputParam = DefineException<CKM_API_ERROR_INPUT_PARAM, true, PrintDebug>;
 using AuthenticationFailed =
 DefineException<CKM_API_ERROR_AUTHENTICATION_FAILED, true, PrintDebug>;
+using InvalidFormat =
+DefineException<CKM_API_ERROR_INVALID_FORMAT, true, PrintDebug>;
+using BadResponse =
+DefineException<CKM_API_ERROR_BAD_RESPONSE, true, PrintDebug>;
 
 struct TransactionFailed : public DatabaseFailed {
diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp
index a42d75d2..8cf65725 100644
--- a/src/manager/common/protocols.cpp
+++ b/src/manager/common/protocols.cpp
@@ -108,14 +108,15 @@ PKCS12Serializable::PKCS12Serializable(IStream &stream)
 for (size_t i = 0; i < numCA; i++) {
 RawBuffer CAcertData;
 Deserialization::Deserialize(stream, CAcertData);
-m_ca.emplace_back(CKM::Certificate::create(CAcertData, DataFormat::FORM_DER));
-
-if (m_pkey)
+auto ca = CKM::Certificate::create(CAcertData, DataFormat::FORM_DER);
+if (ca) {
 LogDebug("ca certificate from pkcs deserialized success. cert size: " <<
-CAcertData.size() << " and DER size: " << CKM::Certificate::create(CAcertData,
-DataFormat::FORM_DER)->getDER().size());
-else
+CAcertData.size() << " and DER size: " << ca->getDER().size());
+
+m_ca.emplace_back(std::move(ca));
+} else {
 LogError("ca certificate from pkcs deserialized fail");
+}
 }
 }
diff --git a/src/manager/dpl/log/src/dlog_log_provider.cpp b/src/manager/dpl/log/src/dlog_log_provider.cpp
index 0f6bb222..8a1325b0 100644
--- a/src/manager/dpl/log/src/dlog_log_provider.cpp
+++ b/src/manager/dpl/log/src/dlog_log_provider.cpp
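Review bot: PKCS12Serializable's constructor now silently drops a CA certificate that fails to parse — it logs and continues — so a PKCS#12 arriving with a malformed CA entry is deserialized as one with fewer CA certificates and the caller cannot tell the chain is incomplete; the previous code at least pushed a null entry that later code could notice. Unless partial chains are intended here, failing the deserialization is the safer response, e.g. `ThrowMsg(Exc::InvalidFormat, "ca certificate from pkcs deserialized fail");` in the else branch (InvalidFormat is introduced by this commit's exception.h hunk; whether that header is visible in protocols.cpp is not shown). If dropping is deliberate, say so above the else: `// an unparsable CA certificate is skipped; the resulting chain may be incomplete`. The constructor's body starts outside the hunk.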
@@ -36,23 +36,23 @@ typedef void (*dlogMacro)(const char *, const char *);
 // I can't map LOG_ values because SLOG uses token concatenation
 void error(const char *tag, const char *msg)
 {
-SLOG(LOG_ERROR, tag, "%s", msg);
+print_system_log(DLOG_ERROR, tag, "%s", msg);
 }
 void warning(const char *tag, const char *msg)
 {
-SLOG(LOG_WARN, tag, "%s", msg);
+print_system_log(DLOG_WARN, tag, "%s", msg);
 }
 void info(const char *tag, const char *msg)
 {
-SLOG(LOG_INFO, tag, "%s", msg);
+print_system_log(DLOG_INFO, tag, "%s", msg);
 }
 void debug(const char *tag, const char *msg)
 {
-SLOG(LOG_DEBUG, tag, "%s", msg);
+print_system_log(DLOG_DEBUG, tag, "%s", msg);
 }
 void pedantic(const char *tag, const char *msg)
 {
-SLOG(LOG_VERBOSE, tag, "%s", msg);
+print_system_log(DLOG_VERBOSE, tag, "%s", msg);
 }
 std::map<AbstractLogProvider::LogLevel, dlogMacro> dlogMacros = {
 // [](const char* tag, const char* msg) { SLOG(LOG_ERROR, tag, "%s", msg); } won't compile
diff --git a/src/manager/main/thread-service.cpp b/src/manager/main/thread-service.cpp
index 9bd49930..ef512892 100644
--- a/src/manager/main/thread-service.cpp
+++ b/src/manager/main/thread-service.cpp
@@ -34,20 +34,17 @@ ThreadService::~ThreadService()
 
 void ThreadService::Handle(const AcceptEvent &event)
 {
-LogDebug("Accept event");
 auto &info = m_connectionInfoMap[event.connectionID.counter];
 info.interfaceID = event.interfaceID;
 info.credentials = event.credentials;
 }
 
-void ThreadService::Handle(const WriteEvent &event)
+void ThreadService::Handle(const WriteEvent &)
 {
-LogDebug("Write event (" << event.size << " bytes )");
 }
 
 void ThreadService::Handle(const ReadEvent &event)
 {
-LogDebug("Read event");
 auto &info = m_connectionInfoMap[event.connectionID.counter];
 info.buffer.Push(event.rawBuffer);
 
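Review bot: The comment kept above `error()` — `// I can't map LOG_ values because SLOG uses token concatenation` — and the one kept below the `dlogMacros` initializer about an SLOG lambda not compiling both justify the wrapper functions by the SLOG macro that this hunk removes; with `print_system_log` being an ordinary function the stated reason no longer holds. Either update them to say why separate wrappers are still used, e.g. `// thin wrappers so that each DLOG_* level can be stored as a dlogMacro in the table below`, or replace the wrappers with direct `print_system_log` calls/lambdas and drop both comments. The dlogMacros initializer continues outside the hunk.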
@@ -63,13 +60,11 @@ void ThreadService::Handle(const ReadEvent &event)
 
 void ThreadService::Handle(const CloseEvent &event)
 {
-LogDebug("Close event");
 m_connectionInfoMap.erase(event.connectionID.counter);
 }
 
 void ThreadService::Handle(const SecurityEvent &event)
 {
-LogDebug("Security event");
 auto it = m_connectionInfoMap.find(event.connectionID.counter);
 
 if (it == m_connectionInfoMap.end()) {
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
index 5f134441..2da20703 100644
--- a/src/manager/service/ckm-logic.cpp
+++ b/src/manager/service/ckm-logic.cpp
@@ -487,8 +487,6 @@ int CKMLogic::getKeyForService(
 const Password &pass,
 Crypto::GObjShPtr &key)
 {
-DB::Row row;
-
 try {
 // Key is for internal service use. It won't be exported to the client
 Crypto::GObjUPtr obj;
@@ -946,7 +944,7 @@ RawBuffer CKMLogic::getData(
 const Password &password)
 {
 int retCode = CKM_API_SUCCESS;
-DB::Row row;
+RawBuffer rowData;
 DataType objDataType;
 
 try {
@@ -955,7 +953,7 @@ RawBuffer CKMLogic::getData(
 objDataType);
 
 if (retCode == CKM_API_SUCCESS)
-row.data = std::move(obj->getBinary());
+rowData = obj->getBinary();
 } catch (const Exc::Exception &e) {
 retCode = e.error();
 } catch (const CKM::Exception &e) {
@@ -963,16 +961,14 @@ RawBuffer CKMLogic::getData(
 retCode = CKM_API_ERROR_SERVER_ERROR;
 }
 
-if (CKM_API_SUCCESS != retCode) {
-row.data.clear();
-row.dataType = dataType;
-}
+if (CKM_API_SUCCESS != retCode)
+rowData.clear();
 
 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET),
 commandId,
 retCode,
 static_cast<int>(objDataType),
-row.data);
+rowData);
 return response.Pop();
 }
 
@@ -1470,8 +1466,6 @@ int CKMLogic::readCertificateHelper(
 const LabelNameVector &labelNameVector,
 CertificateImplVector &certVector)
 {
-DB::Row row;
-
 for (auto &i : labelNameVector) {
 // certificates can't be protected with custom user password
 Crypto::GObjUPtr obj;
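Review bot: In CKMLogic::getData the `DataType objDataType;` declaration (context line in the @@ -946 hunk) has no initializer, yet the response built after the try block serializes `static_cast<int>(objDataType)` even when `retCode` is an error and the lookup that fills it did not complete; if DataType is a plain enum, or a class that does not default-initialize itself, the client receives an indeterminate value on the failure path. The removed `row.dataType = dataType;` suggests the requested type was meant to be reported on failure, so `DataType objDataType = dataType;` (the parameter the removed line referenced) would restore that and make the error response deterministic — confirm DataType's default constructor before relying on this. getData's body starts outside the hunk.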
@@ -1569,7 +1563,6 @@ int CKMLogic::getCertificateChainHelper(
 CertificateImplVector untrustedCertVector;
 CertificateImplVector trustedCertVector;
 CertificateImplVector chainVector;
-DB::Row row;
 
 if (cert.empty())
 return CKM_API_ERROR_INPUT_PARAM;
@@ -1681,7 +1674,6 @@ RawBuffer CKMLogic::createSignature(
 const RawBuffer &message,
 const CryptoAlgorithm &cryptoAlg)
 {
-DB::Row row;
 RawBuffer signature;
 int retCode = CKM_API_SUCCESS;
 
@@ -1724,8 +1716,6 @@ RawBuffer CKMLogic::verifySignature(
 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
 
 try {
-DB::Row row;
-
 // try certificate first - looking for a public key.
 // in case of PKCS, pub key from certificate will be found first
 // rather than private key from the same PKCS.
diff --git a/src/manager/service/db-row.h b/src/manager/service/db-row.h
index 722e1498..0f171bad 100644
--- a/src/manager/service/db-row.h
+++ b/src/manager/service/db-row.h
@@ -30,7 +30,12 @@ namespace CKM {
 namespace DB {
 
 struct Row : public Token {
-Row() = default;
+Row() :
+Token(),
+exportable(0),
+algorithmType(DBCMAlgType::NONE),
+encryptionScheme(0),
+dataSize(0) {}
 
 Row(Token token, const Name &pName, const Label &pLabel, int pExportable) :
 Token(std::move(token)),
diff --git a/src/manager/service/encryption-service.cpp b/src/manager/service/encryption-service.cpp
index f9678368..f8868676 100644
--- a/src/manager/service/encryption-service.cpp
+++ b/src/manager/service/encryption-service.cpp
@@ -142,7 +142,6 @@ void EncryptionService::ProcessEncryption(const ConnectionID &conn,
 
 void EncryptionService::CustomHandle(const ReadEvent &event)
 {
-LogDebug("Read event");
 auto &info = m_connectionInfoMap[event.connectionID.counter];
 info.buffer.Push(event.rawBuffer);
 
diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp
index 4ca4f038..60cce238 100644
--- a/src/manager/service/key-provider.cpp
+++ b/src/manager/service/key-provider.cpp
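Review bot: The new Row() constructor in db-row.h initializes `exportable`, `algorithmType`, `encryptionScheme` and `dataSize` explicitly, but the other constructor, `Row(Token, const Name &, const Label &, int)`, whose initializer list runs past the hunk, is only shown setting the Token part and `pExportable`, so it may still leave `algorithmType`, `encryptionScheme` and `dataSize` indeterminate. Default member initializers on the fields (e.g. `algorithmType = DBCMAlgType::NONE`, `encryptionScheme = 0`, `dataSize = 0`, with the fields' declared types, which are outside the hunk) would give every constructor the same defined starting state and let Row() go back to `= default`; the explicit `Token()` in the initializer list is redundant either way.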
@@ -602,29 +602,13 @@ int KeyProvider::decryptAes256Gcm(const unsigned char *ciphertext,
 
 char *KeyProvider::concat_password_user(const char *user, const char *password)
 {
-char *concat_user_pass = NULL;
-char *resized_user = NULL;
-int concat_user_pass_len = 0;
-
-if (strlen(user) > MAX_LABEL_SIZE - 1) {
-resized_user = new char[MAX_LABEL_SIZE];
-memcpy(resized_user, user, MAX_LABEL_SIZE - 1);
-resized_user[MAX_LABEL_SIZE - 1] = '\0';
-} else {
-resized_user = new char[strlen(user) + 1];
-memcpy(resized_user, user, strlen(user));
-resized_user[strlen(user)] = '\0';
-}
-
-concat_user_pass_len = strlen(resized_user) + strlen(password) + 1;
-concat_user_pass = new char[concat_user_pass_len];
+std::string result(password);
+result += user;
 
-memset(concat_user_pass, '\0', concat_user_pass_len);
-memcpy(concat_user_pass, password, strlen(password));
-memcpy(&(concat_user_pass[strlen(password)]), resized_user,
-strlen(resized_user));
-concat_user_pass[strlen(resized_user) + strlen(password)] = '\0';
+if (strlen(user) > MAX_LABEL_SIZE - 1)
+result.resize(strlen(password) + MAX_LABEL_SIZE - 1);
 
-delete[] resized_user;
-return concat_user_pass;
+char *ret = new char[result.size() + 1];
+memcpy(ret, result.c_str(), result.size() + 1);
+return ret;
 }
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index dcccf2ac..acbf9d30 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -37,6 +37,9 @@
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD (5 * 60)
 
+/* Timeout in seconds for ocsp response */
+#define OCSP_TIMEOUT 30
+
 namespace CKM {
 
 namespace {
@@ -151,6 +154,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 std::vector<char> url(constUrl.begin(), constUrl.end());
 url.push_back(0);
 
+std::string headerHost;
 {
 char *chost = NULL, *cport = NULL, *cpath = NULL;
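Review bot: concat_password_user copies `password` into a `std::string` that is freed without being wiped, so if the password is secret material — its use inside KeyProvider suggests it is — the rewrite adds a second unscrubbed copy of it (heap or SSO buffer) that outlives the call, whereas the previous code wrote it only into the returned buffer. Building the result directly into the `new[]` buffer keeps the single copy and still applies the MAX_LABEL_SIZE-1 truncation of `user` (see below). The raw owning `char *` return remains a leak hazard for callers; a wiping buffer type would be cleaner but changes the signature, so at least document the ownership: `// Caller owns the returned buffer and must delete[] it (and should wipe it first).`
```cpp
char *KeyProvider::concat_password_user(const char *user, const char *password)
{
    const size_t passLen = strlen(password);
    size_t userLen = strlen(user);
    if (userLen > MAX_LABEL_SIZE - 1)
        userLen = MAX_LABEL_SIZE - 1;

    char *ret = new char[passLen + userLen + 1];
    memcpy(ret, password, passLen);
    memcpy(ret + passLen, user, userLen);
    ret[passLen + userLen] = '\0';
    return ret;
}
```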
@@ -159,7 +163,10 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 /* report error */
 return CKM_API_OCSP_STATUS_INVALID_URL;
 
-if (chost) host = chost;
+if (chost) {
+host = chost;
+headerHost = chost;
+}
 if (cport) port = cport;
 if (cpath) path = cpath;
@@ -198,6 +205,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 if (cbio == NULL) {
 /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
 /* report error */
+LogError("Connection to ocsp host failed: " << host);
 return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
 }
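Review bot: headerHost is filled only inside `if (chost)`, so when OCSP_parse_url yields no host — the guard implies it can — the Host header later built from `headerHost.c_str()` would be empty while the request is still sent. Either treat a missing host as `CKM_API_OCSP_STATUS_INVALID_URL` right here, or fall back after the block with `if (headerHost.empty()) headerHost = host;` (assuming `host` carries a usable default, which the hunk does not show). When `cport` is not the scheme's default, HTTP expects `host:port` in the Host header, so a virtual-hosted responder on a non-standard port may not match a bare hostname; consider appending the port in that case. The new LogError on connect failure is useful — include `port` in it as well so the log identifies the endpoint.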
@@ -266,7 +274,56 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
 }
 
-resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
+std::unique_ptr<OCSP_REQ_CTX, decltype(OCSP_REQ_CTX_free)*> ctx(OCSP_sendreq_new(cbio, path.c_str(), NULL, -1), OCSP_REQ_CTX_free);
+if (!ctx) {
+LogError("Error creating OCSP_REQ_CTX");
+return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+}
+
+if (!OCSP_REQ_CTX_add1_header(ctx.get(), "host", headerHost.c_str())) {
+LogError("Error adding header");
+return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+}
+
+if (!OCSP_REQ_CTX_set1_req(ctx.get(), req)) {
+LogError("Error setting ocsp request");
+return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+}
+
+int fd;
+if (BIO_get_fd(cbio, &fd) < 0) {
+LogError("Error extracting fd from bio");
+return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+}
+
+for (;;) {
+fd_set confds;
+int req_timeout = OCSP_TIMEOUT;
+struct timeval tv;
+int rv = OCSP_sendreq_nbio(&resp, ctx.get());
+if (rv != -1)
+break;
+FD_ZERO(&confds);
+FD_SET(fd, &confds);
+tv.tv_usec = 0;
+tv.tv_sec = req_timeout;
+if (BIO_should_read(cbio)) {
+rv = select(fd + 1, &confds, NULL, NULL, &tv);
+} else if (BIO_should_write(cbio)) {
+rv = select(fd + 1, NULL, &confds, NULL, &tv);
+} else {
+LogError("Unexpected retry condition\n");
+return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+}
+if (rv == 0) {
+LogError("Timeout on request\n");
+break;
+}
+if (rv == -1) {
+LogError("Select error\n");
+break;
+}
+}
 
 if (use_ssl && use_ssl_ctx)
 SSL_CTX_free(use_ssl_ctx);
@@ -370,7 +427,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
 }
 
-
 /* Check validity: if invalid write to output BIO so we
 * know which response this refers to.
 */
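Review bot: The retry loop added after OCSP_sendreq_new resets `req_timeout` to OCSP_TIMEOUT on every iteration, so the 30-second limit the macro documents bounds each individual select() wait rather than the whole request — a responder that keeps trickling bytes can hold this service thread far longer than 30 seconds. The same loop passes `fd` straight to FD_SET without checking it against FD_SETSIZE, which is undefined behaviour (an out-of-bounds write with glibc's fd_set) for descriptors at or above that limit, reachable in a process with many open sockets. A single deadline computed before the loop, with `tv.tv_sec` set to the remaining time, fixes the first point and an explicit range check after BIO_get_fd the second (see below; `time()` needs <ctime>/<time.h>, which the file may already get through the OpenSSL headers — confirm). Minor style: the three new `LogError(... "\n")` messages carry a trailing newline that the other LogError calls in this hunk do not. ocsp_verify's body starts and ends outside the hunk.
```cpp
int fd;
if (BIO_get_fd(cbio, &fd) < 0) {
    LogError("Error extracting fd from bio");
    return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
if (fd >= FD_SETSIZE) {
    LogError("Socket descriptor out of select() range");
    return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}

const time_t deadline = time(NULL) + OCSP_TIMEOUT;
for (;;) {
    fd_set confds;
    struct timeval tv;
    int rv = OCSP_sendreq_nbio(&resp, ctx.get());
    if (rv != -1)
        break;
    const time_t remaining = deadline - time(NULL);
    if (remaining <= 0) {
        LogError("Timeout on request");
        break;
    }
    FD_ZERO(&confds);
    FD_SET(fd, &confds);
    tv.tv_usec = 0;
    tv.tv_sec = remaining;
    // … unchanged: select() on read/write readiness and the rv == 0 / rv == -1 handling …
}
```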