diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | src/include/ckm/ckm-control.h | 2 | ||||
| -rw-r--r-- | src/include/ckm/ckm-type.h | 5 | ||||
| -rw-r--r-- | src/listener/listener-daemon.cpp | 36 | ||||
| -rw-r--r-- | src/manager/client/client-control.cpp | 9 | ||||
| -rw-r--r-- | src/manager/common/protocols.h | 2 | ||||
| -rw-r--r-- | src/manager/service/ckm-logic.cpp | 43 | ||||
| -rw-r--r-- | src/manager/service/ckm-logic.h | 6 | ||||
| -rw-r--r-- | src/manager/service/ckm-service.cpp | 6 |
9 files changed, 50 insertions, 60 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 76a4b984..c6a464dd 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -6,6 +6,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP libsystemd-daemon capi-base-common db-util + vconf REQUIRED ) FIND_PACKAGE(Threads REQUIRED) diff --git a/src/include/ckm/ckm-control.h b/src/include/ckm/ckm-control.h index 89c402ef..1f6954b7 100644 --- a/src/include/ckm/ckm-control.h +++ b/src/include/ckm/ckm-control.h @@ -62,7 +62,7 @@ public: // database only. This function may be used during application uninstallation. virtual int removeApplicationData(const std::string &smackLabel) = 0; - virtual int setCCMode(CCModeState mode) = 0; + virtual int updateCCMode() = 0; virtual int allowAccess(uid_t user, const std::string &owner, diff --git a/src/include/ckm/ckm-type.h b/src/include/ckm/ckm-type.h index efde2aba..c67c5c4e 100644 --- a/src/include/ckm/ckm-type.h +++ b/src/include/ckm/ckm-type.h @@ -92,11 +92,6 @@ enum class DBCMAlgType : int { COUNT }; -enum class CCModeState : int { - CC_MODE_OFF = 0, - CC_MODE_ON -}; - enum class AccessRight: int { AR_READ = 0, AR_READ_REMOVE diff --git a/src/listener/listener-daemon.cpp b/src/listener/listener-daemon.cpp index af2e6fd8..28a2bb03 100644 --- a/src/listener/listener-daemon.cpp +++ b/src/listener/listener-daemon.cpp @@ -18,14 +18,6 @@ #define CKM_LISTENER_TAG "CKM_LISTENER" -#ifndef MDPP_MODE_ENFORCING -#define MDPP_MODE_ENFORCING "Enforcing" -#endif - -#ifndef MDPP_MODE_ENABLED -#define MDPP_MODE_ENABLED "Enabled" -#endif - #ifndef VCONFKEY_SECURITY_MDPP_STATE #define VCONFKEY_SECURITY_MDPP_STATE "file/security_mdpp/security_mdpp_state" #endif @@ -93,22 +85,18 @@ void daemonize() SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "%s", str); } -void callSetCCMode(const char *mdpp_state) +void callUpdateCCMode() { + // TODO make it call ckm only if it's already running (lock file) auto control = CKM::Control::create(); - int ret = CKM_API_SUCCESS; - if ( !strcmp(mdpp_state, MDPP_MODE_ENABLED) || - !strcmp(mdpp_state, MDPP_MODE_ENFORCING) ) - ret = control->setCCMode(CKM::CCModeState::CC_MODE_ON); - else - ret = control->setCCMode(CKM::CCModeState::CC_MODE_OFF); + int ret = control->updateCCMode(); SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "Callback caller process id : %d\n", getpid()); if ( ret != CKM_API_SUCCESS ) - SLOG(LOG_ERROR, CKM_LISTENER_TAG, "CKM::Control::setCCMode error. ret : %d\n", ret); + SLOG(LOG_ERROR, CKM_LISTENER_TAG, "CKM::Control::updateCCMode error. ret : %d\n", ret); else - SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "CKM::Control::setCCMode success. mdpp_state : %s", mdpp_state); + SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "CKM::Control::updateCCMode success.\n"); } void packageUninstalledEventCallback( @@ -144,15 +132,9 @@ void packageUninstalledEventCallback( } } -void ccModeChangedEventCallback( - keynode_t *key, - void *userData) +void ccModeChangedEventCallback(keynode_t*, void*) { - (void) key; - (void) userData; - - char *mdpp_state = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE); - callSetCCMode(mdpp_state); + callUpdateCCMode(); } int main(void) { @@ -175,8 +157,8 @@ int main(void) { int ret = 0; char *mdpp_state = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE); - if ( mdpp_state ) { // set CC mode and register event callback only when mdpp vconf key exists - callSetCCMode(mdpp_state); + if ( mdpp_state ) { // Update cc mode and register event callback only when mdpp vconf key exists + callUpdateCCMode(); SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "register vconfCCModeChanged event callback start"); if ( 0 != (ret = vconf_notify_key_changed(VCONFKEY_SECURITY_MDPP_STATE, ccModeChangedEventCallback, NULL)) ) { diff --git a/src/manager/client/client-control.cpp b/src/manager/client/client-control.cpp index 4f8ac558..698c7a0b 100644 --- a/src/manager/client/client-control.cpp +++ b/src/manager/client/client-control.cpp @@ -190,15 +190,10 @@ public: }); } - virtual int setCCMode(CCModeState mode) { + virtual int updateCCMode() { return try_catch([&] { - if(((mode != CCModeState::CC_MODE_OFF)) && (mode != CCModeState::CC_MODE_ON)) { - return CKM_API_ERROR_INPUT_PARAM; - } - MessageBuffer recv; - auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::SET_CC_MODE), - static_cast<int>(mode)); + auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::UPDATE_CC_MODE)); int retCode = sendToServer( SERVICE_SOCKET_CKM_CONTROL, send.Pop(), diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h index 3f4cec00..426ee28b 100644 --- a/src/manager/common/protocols.h +++ b/src/manager/common/protocols.h @@ -40,7 +40,7 @@ enum class ControlCommand : int { CHANGE_USER_PASSWORD, RESET_USER_PASSWORD, REMOVE_APP_DATA, - SET_CC_MODE, + UPDATE_CC_MODE, ALLOW_ACCESS, DENY_ACCESS, // for backward compatibility append new at the end diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 6e8e13a1..7744066a 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -19,6 +19,7 @@ * @version 1.0 * @brief Sample service implementation. */ +#include <vconf/vconf.h> #include <dpl/serialization.h> #include <dpl/log/log.h> #include <ckm/ckm-error.h> @@ -29,13 +30,21 @@ #include <ckm-logic.h> #include <key-impl.h> +#ifndef VCONFKEY_SECURITY_MDPP_STATE +#define VCONFKEY_SECURITY_MDPP_STATE = "file/security_mdpp/security_mdpp_state"; +#endif + namespace { const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs"; + +const char* const MDPP_MODE_ENFORCING = "Enforcing"; +const char* const MDPP_MODE_ENABLED = "Enabled"; + } // anonymous namespace namespace CKM { -CKMLogic::CKMLogic() +CKMLogic::CKMLogic() : m_ccMode(false) { int retCode = FileSystem::init(); // TODO what can I do when init went wrong? exit(-1) ?? @@ -47,7 +56,7 @@ CKMLogic::CKMLogic() LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work"); } - cc_mode_status = CCModeState::CC_MODE_OFF; + updateCCMode_internal(); } CKMLogic::~CKMLogic(){} @@ -111,20 +120,22 @@ RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password) { return MessageBuffer::Serialize(retCode).Pop(); } -RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) { - - int retCode = CKM_API_SUCCESS; +void CKMLogic::updateCCMode_internal() { int fipsModeStatus = 0; int rc = 0; + bool newMode; - if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) { - retCode = CKM_API_ERROR_INPUT_PARAM; - } + char *mdppState = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE); + newMode = ( mdppState && (!strcmp(mdppState, MDPP_MODE_ENABLED) || + !strcmp(mdppState, MDPP_MODE_ENFORCING)) ); + if (newMode == m_ccMode) + return; + + m_ccMode = newMode; - cc_mode_status = mode_status; fipsModeStatus = FIPS_mode(); - if(cc_mode_status == CCModeState:: CC_MODE_ON) { + if(m_ccMode) { if(fipsModeStatus == 0) { // If FIPS mode off rc = FIPS_mode_set(1); // Change FIPS_mode from off to on if(rc == 0) { @@ -139,8 +150,11 @@ RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) { } } } +} - return MessageBuffer::Serialize(retCode).Pop(); +RawBuffer CKMLogic::updateCCMode() { + updateCCMode_internal(); + return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop(); } RawBuffer CKMLogic::lockUserKey(uid_t user) { @@ -275,7 +289,7 @@ int CKMLogic::saveDataHelper( } // Do not encrypt data with password during cc_mode on - if(cc_mode_status == CCModeState::CC_MODE_ON) { + if(m_ccMode) { handler.crypto.encryptRow("", row); } else { handler.crypto.encryptRow(policy.password, row); @@ -477,7 +491,10 @@ RawBuffer CKMLogic::getData( } // Prevent extracting private keys during cc-mode on - if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) { + if((m_ccMode) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || + row.dataType == DBDataType::KEY_ECDSA_PRIVATE || + row.dataType == DBDataType::KEY_DSA_PRIVATE)) + { row.data.clear(); retCode = CKM_API_ERROR_BAD_REQUEST; } diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h index e56a727e..0494d421 100644 --- a/src/manager/service/ckm-logic.h +++ b/src/manager/service/ckm-logic.h @@ -141,7 +141,7 @@ public: const HashAlgorithm hash, const RSAPaddingAlgorithm padding); - RawBuffer setCCModeStatus(CCModeState mode_status); + RawBuffer updateCCMode(); RawBuffer allowAccess( Credentials &cred, @@ -193,9 +193,11 @@ private: const Password &password, // password for public_key (optional) const KeyImpl &genericKey); + void updateCCMode_internal(); + std::map<uid_t, UserData> m_userDataMap; CertificateStore m_certStore; - CCModeState cc_mode_status; + bool m_ccMode; }; } // namespace CKM diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp index 4cc31208..73662640 100644 --- a/src/manager/service/ckm-service.cpp +++ b/src/manager/service/ckm-service.cpp @@ -107,7 +107,6 @@ bool CKMService::processOne( RawBuffer CKMService::processControl(MessageBuffer &buffer) { int command; - int cc_mode_status; uid_t user; ControlCommand cc; Password newPass, oldPass; @@ -138,9 +137,8 @@ RawBuffer CKMService::processControl(MessageBuffer &buffer) { case ControlCommand::REMOVE_APP_DATA: buffer.Deserialize(smackLabel); return m_logic->removeApplicationData(smackLabel); - case ControlCommand::SET_CC_MODE: - buffer.Deserialize(cc_mode_status); - return m_logic->setCCModeStatus(static_cast<CCModeState>(cc_mode_status)); + case ControlCommand::UPDATE_CC_MODE: + return m_logic->updateCCMode(); case ControlCommand::ALLOW_ACCESS: { std::string owner; |