authorso.yu <so.yu@samsung.com>2013-08-29 19:57:28 +0900
committerso.yu <so.yu@samsung.com>2013-08-29 20:28:40 +0900
commit35e82577b3b6acacc9f37569e2ed244885a7f178 (patch)
treec86870a2857ae0dccf6cab83b8938382a16284cf
parent9e03a52218e1193a3e17e5fc865b030064eedd94 (diff)
parent8ab6aaac8bccd00433efd1bfa60828d6aa82fa61 (diff)
downloadsecure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.tar.gz
secure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.tar.bz2
secure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.zip
Conflicts: packaging/secure-storage.spec ss-server.manifest
-rw-r--r--CMakeLists.txt9
-rwxr-xr-x[-rw-r--r--]client/include/ss_client_intf.h7
-rwxr-xr-x[-rw-r--r--]client/src/ss_client_intf.c176
-rwxr-xr-x[-rw-r--r--]client/src/ss_manager.c102
-rwxr-xr-x[-rw-r--r--]include/secure_storage.h0
-rwxr-xr-x[-rw-r--r--]include/ss_manager.h12
-rwxr-xr-x[-rw-r--r--]packaging/secure-storage.spec18
-rwxr-xr-x[-rw-r--r--]server/include/ss_server_main.h4
-rwxr-xr-x[-rw-r--r--]server/src/ss_server_ipc.c90
-rwxr-xr-x[-rw-r--r--]server/src/ss_server_main.c534
-rwxr-xr-xss-server.manifest20
-rwxr-xr-xss-serverd4
-rw-r--r--systemd/secure-storage.service (renamed from packaging/secure-storage.service)1
-rw-r--r--systemd/secure-storage.socket6
14 files changed, 638 insertions, 345 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f731e97..d6c395d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,7 +13,7 @@ SET(VERSION ${VERSION_MAJOR}.0.0)
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include)
INCLUDE(FindPkgConfig)
-pkg_check_modules(pkgs REQUIRED openssl dlog)
+pkg_check_modules(pkgs REQUIRED dukgenerator libsystemd-daemon)
FOREACH(flag ${pkgs_CFLAGS})
SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${flag}")
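Review bot: `pkg_check_modules(pkgs REQUIRED dukgenerator libsystemd-daemon)` drops openssl and dlog from the module list even though the client now includes `<openssl/evp.h>`, the server still uses `<openssl/aes.h>`, `${OPENSSL_CFLAGS}` is still referenced in the `ss-server_CFLAGS` line of the next hunk, and the spec keeps `BuildRequires: pkgconfig(openssl)` and `pkgconfig(dlog)`. Unless dukgenerator's .pc file pulls those two in transitively (I cannot see it here), `${pkgs_LDFLAGS}` no longer carries the crypto and dlog link flags and both targets then link only through whatever comes in accidentally. Keep the dependencies explicit: `pkg_check_modules(pkgs REQUIRED openssl dlog dukgenerator libsystemd-daemon)`.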
@@ -56,11 +56,11 @@ SET_TARGET_PROPERTIES(ss-client PROPERTIES COMPILE_FLAGS "${libss-client_CFLAGS}
###################################################################################################
## for ss-server (binary)
SET(ss-server_SOURCES ${ss_server_dir}/ss_server_ipc.c ${ss_server_dir}/ss_server_main.c)
-SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debug_type} ${use_key} ${OPENSSL_CFLAGS} -D_GNU_SOURCE ")
+SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debug_type} ${use_key} ${OPENSSL_CFLAGS} ${smack_groupid} -D_GNU_SOURCE ")
SET(ss-server_LDFLAGS ${pkgs_LDFLAGS})
ADD_EXECUTABLE(ss-server ${ss-server_SOURCES})
-TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client)
+TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client )
SET_TARGET_PROPERTIES(ss-server PROPERTIES COMPILE_FLAGS "${ss-server_CFLAGS}")
####################################################################################################
@@ -72,4 +72,5 @@ INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/ss-server DESTINATION bin)
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/secure-storage.pc DESTINATION ${LIB_INSTALL_DIR}/pkgconfig)
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/config DESTINATION share/secure-storage/)
INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/ss_manager.h DESTINATION include)
-INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/ss-serverd DESTINATION /etc/rc.d/init.d)
+INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/systemd/secure-storage.service DESTINATION /usr/lib/systemd/system)
+INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/systemd/secure-storage.socket DESTINATION /usr/lib/systemd/system)
diff --git a/client/include/ss_client_intf.h b/client/include/ss_client_intf.h
index 49255ea..88a54ea 100644..100755
--- a/client/include/ss_client_intf.h
+++ b/client/include/ss_client_intf.h
@@ -66,3 +66,10 @@ int SsClientDataRead(const char* filepath, char* pRetBuf, size_t bufLen, size_t
int SsClientGetInfo(const char* filepath, ssm_file_info_t* sfi, ssm_flag flag, const char* group_id);
int SsClientDeleteFile(const char* pFilePath, ssm_flag flag, const char* group_id);
+
+int SsClientEncrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+
+int SsClientDecrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+int SsClientEncryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int SsClientDecryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pEncryptedBufLen);
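Review bot: The last parameter of SsClientDecryptPreloadedApplication is named `pEncryptedBufLen` in this prototype but `pDecryptedBufLen` in the definition in client/src/ss_client_intf.c; rename it to `pDecryptedBufLen` so the header matches the implementation and the sibling SsClientDecrypt prototype above it. None of the four new declarations documents ownership of the output buffer, which the implementation allocates with `calloc` and never frees on success; add a comment such as `/* On success *ppEncryptedBuffer is allocated by the library and must be freed by the caller; *pEncryptedBufLen receives its length. Returns 1 on success, an SS_* error code otherwise. */` to each.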
diff --git a/client/src/ss_client_intf.c b/client/src/ss_client_intf.c
index 577f8b7..ec9beb3 100644..100755
--- a/client/src/ss_client_intf.c
+++ b/client/src/ss_client_intf.c
@@ -23,12 +23,16 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <openssl/evp.h>
+#include <openssl/crypto.h>
#include "secure_storage.h"
#include "ss_client_intf.h"
#include "ss_client_ipc.h"
#include "ss_manager.h"
+#include <dukgen.h>
+
int SsClientDataStoreFromFile(const char* filepath, ssm_flag flag, const char* group_id)
{
ReqData_t* send_data = NULL;
@@ -264,7 +268,7 @@ Last :
goto Free_and_Error;
}
- SLOGE("Decrypted file name : %s\n", recv_data.data_filepath);
+ SECURE_SLOGD("Decrypted file name : %s\n", recv_data.data_filepath);
Free_and_Error:
free(send_data);
Error:
@@ -408,8 +412,176 @@ int SsClientDeleteFile(const char *pFilePath, ssm_flag flag, const char* group_i
Free_and_Error:
free(send_data);
- SLOGE("Deleted file name: %s\n", recv_data.data_filepath);
+ SECURE_SLOGD("Deleted file name: %s\n", recv_data.data_filepath);
Error:
return recv_data.rsp_type;
}
+
+
+//////////////////////////////
+__attribute__((visibility("hidden")))
+int DoCipher(const char* pInputBuf, int inputLen, char** ppOutBuf, int* pOutBufLen, char* pKey, int encryption)
+{
+ static const unsigned char iv[16] = {0xbd, 0xc3, 0xc5, 0xa5, 0xb8, 0xae, 0xc6, 0xbc, 0x20, 0xb3, 0xeb, 0xb0, 0xe6, 0xbf, 0xec, 0x20};
+ struct evp_cipher_st* pCipherAlgorithm = NULL;
+ EVP_CIPHER_CTX cipherCtx;
+ int tempLen = 0;
+ int result = 0;
+ int finalLen = 0;
+
+ pCipherAlgorithm = EVP_aes_256_cbc();
+ tempLen = (int)((inputLen / pCipherAlgorithm->block_size + 1) * pCipherAlgorithm->block_size);
+
+ *ppOutBuf = (char*)calloc(tempLen, 1);
+ EVP_CIPHER_CTX_init(&cipherCtx);
+
+ result = EVP_CipherInit(&cipherCtx, pCipherAlgorithm, (const unsigned char*)pKey, iv, encryption);
+ if(result != 1)
+ {
+ SLOGE("[%s] EVP_CipherInit failed", result);
+ goto Error;
+ }
+
+ result = EVP_CIPHER_CTX_set_padding(&cipherCtx, 1);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CIPHER_CTX_set_padding failed", result);
+ goto Error;
+ }
+
+ //cipher update operation
+ result = EVP_CipherUpdate(&cipherCtx, (unsigned char*)*ppOutBuf, pOutBufLen, (const unsigned char*)pInputBuf, inputLen);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CipherUpdate failed", result);
+ goto Error;
+ }
+
+ //cipher final operation
+ result = EVP_CipherFinal(&cipherCtx, (unsigned char*)*ppOutBuf + *pOutBufLen, &finalLen);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CipherFinal failed", result);
+ goto Error;
+ }
+ *pOutBufLen = *pOutBufLen + finalLen;
+ goto Last;
+Error:
+ result = SS_ENCRYPTION_ERROR;
+ free(*ppOutBuf);
+
+Last:
+ EVP_CIPHER_CTX_cleanup(&cipherCtx);
+ if((result != 1) && (encryption != 1))
+ result = SS_DECRYPTION_ERROR;
+
+ return result;
+}
+
+int SsClientEncrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int result = 1;
+ char* pDuk = NULL;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error in SsClientEncrypt");
+ result = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ pDuk = GetDeviceUniqueKey(pAppId, idLen, 32);
+
+ if(DoCipher(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen, pDuk, 1) != 1)
+ {
+ SLOGE("failed to encrypt data");
+ result = SS_ENCRYPTION_ERROR;
+ goto Error;
+ }
+
+ result = 1;
+
+Error:
+ if(pDuk)
+ free(pDuk);
+ return result;
+}
+
+int SsClientDecrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int result = 1;
+ char* pDuk = NULL;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error in SsClientDecrypt");
+ result = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ pDuk = GetDeviceUniqueKey(pAppId, idLen, 32);
+
+ if(DoCipher(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen, pDuk, 0) != 1)
+ {
+ SLOGE("failed to decrypt data\n");
+ result = SS_DECRYPTION_ERROR;
+ goto Error;
+ }
+ result = 1;
+
+Error:
+ if(pDuk)
+ free(pDuk);
+ return result;
+}
+
+int SsClientEncryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int result = 0;
+ char duk[36] = {0,};
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error");
+ result = SS_PARAM_ERROR;
+ goto Final;
+ }
+
+ if(DoCipher(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen, duk, 1) != 1)
+ {
+ SLOGE("failed to decrypt data");
+ result = SS_ENCRYPTION_ERROR;
+ goto Final;
+ }
+
+ result = 1;
+
+Final:
+ return result;
+}
+
+int SsClientDecryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int result = 0;
+ char duk[36] = {0,};
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error");
+ result = SS_PARAM_ERROR;
+ goto Final;
+ }
+
+ if(DoCipher(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen, duk, 0) != 1)
+ {
+ SLOGE("failed to decrypt data");
+ result = SS_DECRYPTION_ERROR;
+ goto Final;
+ }
+
+ result = 1;
+
+Final:
+ return result;
+}
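Review bot: The first log call in DoCipher, `SLOGE("[%s] EVP_CipherInit failed", result)`, passes an int to `%s`, which dereferences the integer as a pointer; the sibling messages below use `%d` and so should this one. On the `Error:` path `free(*ppOutBuf)` leaves the caller's pointer dangling, and the `calloc` at the top is never checked before `EVP_CipherUpdate` writes into it, so add `*ppOutBuf = NULL;` after the free and fail with SS_ENCRYPTION_ERROR when the allocation returns NULL. SsClientEncrypt and SsClientDecrypt pass the result of `GetDeviceUniqueKey(pAppId, idLen, 32)` straight into DoCipher without a NULL check, so a key-derivation failure is not reported as such, and the `if(pDuk) free(pDuk);` guard is redundant. Cryptographically, `iv` is a compile-time constant reused for every message under the same device key and the *PreloadedApplication variants hand DoCipher an all-zero `duk` buffer, so CBC here is deterministic (equal inputs produce equal outputs) and the preloaded path offers no key secrecy at all; either document in a comment above DoCipher that this is intended as obfuscation rather than confidentiality, or derive a fresh per-message IV (stored alongside the ciphertext) and a real key. Also the failure message in SsClientEncryptPreloadedApplication reads `failed to decrypt data` although it is the encryption path.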
diff --git a/client/src/ss_manager.c b/client/src/ss_manager.c
index a94357e..2edda6f 100644..100755
--- a/client/src/ss_manager.c
+++ b/client/src/ss_manager.c
@@ -212,3 +212,105 @@ int ssm_delete_file(const char *pFilePath, ssm_flag flag, const char* group_id)
Error:
return -(ret);
}
+
+SS_API
+int ssm_encrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientEncrypt(pAppId, idLen, pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen);
+
+ if(ret == 1) // success
+ {
+ SLOGI("Application encryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application encryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_decrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientDecrypt(pAppId, idLen, pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen);
+
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_encrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientEncryptPreloadedApplication(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen);
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_decrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientDecryptPreloadedApplication(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen);
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
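Review bot: The parameter guards `if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)` and `if(!pBuffer || bufLen ==0)` test signed ints for zero only, so a negative `bufLen` or `idLen` passes through to SsClient* and on into DoCipher, where `inputLen / block_size + 1` sizes the output allocation; reject them here with `bufLen <= 0` and `idLen <= 0`. ssm_encrypt_preloaded_application logs `Application decryption succeeded.` and `Application decryption failed.` on both branches, copied from the decrypt variant. Style: the unbraced `else SLOGE(...)` that falls through to the `Error:` label hides the failure return; a braced `else { SLOGE(...); }` or an explicit `return -(ret);` in the branch makes the intent readable. None of the four SS_API functions carries a comment; each should state that it returns 0 on success and a negated SS_* code on failure, and that the caller owns and frees the buffer returned through `ppEncryptedBuffer`/`ppDecryptedBuffer`.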
diff --git a/include/secure_storage.h b/include/secure_storage.h
index 67ff3d0..67ff3d0 100644..100755
--- a/include/secure_storage.h
+++ b/include/secure_storage.h
diff --git a/include/ss_manager.h b/include/ss_manager.h
index 942a1a1..1d14ca4 100644..100755
--- a/include/ss_manager.h
+++ b/include/ss_manager.h
@@ -45,6 +45,8 @@ typedef enum {
SSM_FLAG_SECRET_PRESERVE, // for preserved operation
SSM_FLAG_SECRET_OPERATION, // for oma drm , wifi addr, divx and bt addr
SSM_FLAG_WIDGET, // for wiget encryption/decryption
+ SSM_FLAG_WEB_APP,
+ SSM_FLAG_PRELOADED_WEB_APP,
SSM_FLAG_MAX
} ssm_flag;
@@ -74,6 +76,7 @@ typedef struct {
#define SS_SIZE_ERROR 0x0000000b // 11
#define SS_SECURE_STORAGE_ERROR 0x0000000c // 12
#define SS_PERMISSION_DENIED 0x0000000d // 13
+#define SS_TZ_ERROR 0x0000000e // 14
#ifdef __cplusplus
extern "C" {
@@ -387,6 +390,15 @@ int ssm_getinfo(const char* pFilePath, ssm_file_info_t* sfi, ssm_flag flag, cons
/*================================================================================================*/
int ssm_delete_file(const char* pFilePath, ssm_flag flag, const char* group_id);
+//for wrt installer
+/*================================================================================================*/
+int ssm_encrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int ssm_decrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+int ssm_encrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int ssm_decrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+
#ifdef __cplusplus
}
#endif
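Review bot: The new prototypes break with this header's convention: every existing API above them sits under a documented `/*====...====*/` block, while these four carry only `//for wrt installer`. Document the contract that client/src/ss_manager.c and client/src/ss_client_intf.c implement: 0 on success and a negated SS_* code on failure; `pAppId` and `pBuffer` must be non-NULL with non-zero lengths; `*ppEncryptedBuffer`/`*ppDecryptedBuffer` is allocated by the library with AES-256-CBC output sizing and is owned by the caller, who must `free()` it; `*pEncryptedBufLen`/`*pDecryptedBufLen` receives the output length. A short comment in the same block style as `ssm_delete_file` above is enough.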
diff --git a/packaging/secure-storage.spec b/packaging/secure-storage.spec
index d416a0e..e8bd09a 100644..100755
--- a/packaging/secure-storage.spec
+++ b/packaging/secure-storage.spec
@@ -5,15 +5,15 @@ Release: 4
Group: System/Security
License: Apache 2.0
Source0: secure-storage-%{version}.tar.gz
-Source1: secure-storage.service
Source1001: libss-client.manifest
Source1002: libss-client-devel.manifest
Source1003: ss-server.manifest
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(dlog)
-#BuildRequires: pkgconfig(libsystemd-daemon)
+BuildRequires: pkgconfig(libsystemd-daemon)
BuildRequires: pkgconfig(security-server)
BuildRequires: cmake
+BuildRequires: pkgconfig(dukgenerator)
%description
Secure storage package
@@ -22,6 +22,7 @@ Secure storage package
Summary: Secure storage (client)
Group: Development/Libraries
Provides: libss-client.so
+Requires: dukgenerator
%description -n libss-client
Secure storage package (client)
@@ -61,13 +62,9 @@ make %{?jobs:-j%jobs}
%make_install
mkdir -p %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants
-install -m 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/systemd/system/secure-storage.service
+mkdir -p %{buildroot}%{_prefix}/lib/systemd/system/sockets.target.wants
ln -s ../secure-storage.service %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/secure-storage.service
-
-mkdir -p %{buildroot}%{_sysconfdir}/rc.d/rc3.d
-mkdir -p %{buildroot}%{_sysconfdir}/rc.d/rc5.d
-ln -s ../init.d/ss-serverd %{buildroot}%{_sysconfdir}/rc.d/rc3.d/S40ss-server
-ln -s ../init.d/ss-serverd %{buildroot}%{_sysconfdir}/rc.d/rc5.d/S40ss-server
+ln -s ../secure-storage.socket %{buildroot}%{_prefix}/lib/systemd/system/sockets.target.wants/secure-storage.socket
mkdir -p %{buildroot}/usr/share/license
cp LICENSE.APLv2 %{buildroot}/usr/share/license/ss-server
@@ -94,12 +91,11 @@ systemctl daemon-reload
%files -n ss-server
%manifest ss-server.manifest
%defattr(-,root,root,-)
-%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/ss-serverd
-%{_sysconfdir}/rc.d/rc3.d/S40ss-server
-%{_sysconfdir}/rc.d/rc5.d/S40ss-server
%{_bindir}/ss-server
%{_prefix}/lib/systemd/system/secure-storage.service
%{_prefix}/lib/systemd/system/multi-user.target.wants/secure-storage.service
+%{_prefix}/lib/systemd/system/secure-storage.socket
+%{_prefix}/lib/systemd/system/sockets.target.wants/secure-storage.socket
%{_datadir}/secure-storage/config
/usr/share/license/ss-server
diff --git a/server/include/ss_server_main.h b/server/include/ss_server_main.h
index c549d58..52ef9ed 100644..100755
--- a/server/include/ss_server_main.h
+++ b/server/include/ss_server_main.h
@@ -65,7 +65,7 @@ int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsign
* - file_info
* @return type: int
*/
-
+
#ifndef SMACK_GROUP_ID
int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id);
int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id);
@@ -73,3 +73,5 @@ int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, cons
int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id);
int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id);
#endif
+
+
diff --git a/server/src/ss_server_ipc.c b/server/src/ss_server_ipc.c
index 93006d1..e0cc5e0 100644..100755
--- a/server/src/ss_server_ipc.c
+++ b/server/src/ss_server_ipc.c
@@ -32,7 +32,7 @@
#include <dirent.h>
#include <sys/ioctl.h>
#include <fcntl.h>
-
+#include <systemd/sd-daemon.h>
#include "secure_storage.h"
#include "ss_server_ipc.h"
#include "ss_server_main.h"
@@ -103,7 +103,7 @@ int check_key_file()
if(!(fp_key = fopen(key_path, "r")))
{
- SLOGE("Secret key file is not exist, [%s]\n", key_path);
+ SECURE_SLOGE("Secret key file is not exist, [%s]\n", key_path);
free(key_path);
return 0;
}
@@ -150,14 +150,22 @@ int make_key_file()
if(!(fp_key = fopen(key_path, "w")))
{
- SLOGE("Secret key file Open error, [%s]\n", key_path);
+ SECURE_SLOGE("Secret key file Open error, [%s]\n", key_path);
free(key_path);
close(random_dev);
return 0;
}
fprintf(fp_key, "%s", key);
- chmod(key_path, 0600);
+
+ if(chmod(key_path, 0600)!=0)
+ {
+ SLOGE("Secret key file chmod error, [%s]\n", strerror(errno));
+ free(key_path);
+ close(random_dev);
+ fclose(fp_key);
+ return 0;
+ }
free(key_path);
fclose(fp_key);
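Review bot: The permission tightening at `if(chmod(key_path, 0600)!=0)` runs after `fprintf(fp_key, "%s", key)` has already written the key into a file that `fopen(key_path, "w")` created with the umask-default mode, so the key material is briefly exposed at whatever mode the umask allows, and on chmod failure the file is left behind with that mode. Create it with the right mode from the start, `int fd = open(key_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);` followed by `fp_key = fd < 0 ? NULL : fdopen(fd, "w");` (`<fcntl.h>` is already included), or at least `fchmod(fileno(fp_key), 0600)` before the write, and `unlink(key_path)` in the failure branch. The `fclose(fp_key)` return value is also unchecked for a write stream, so a failed flush would leave a truncated key file that later passes check_key_file's existence test. make_key_file begins before this hunk.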
@@ -191,45 +199,67 @@ void SsServerComm(void)
server_sockfd = client_sockfd = -1;
- if((server_sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+ int number_fds = sd_listen_fds(1);
+ if (number_fds > 1)
{
- SLOGE("Error in function socket()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ SLOGE("Too many file descriptors received..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
goto Error_exit;
}
+ if (number_fds == 1)
+ {
+ int r;
+ if ((r = sd_is_socket_unix(SD_LISTEN_FDS_START, SOCK_STREAM, 1, SS_SOCK_PATH, 0)) <= 0)
+ {
+ SLOGE("The file descriptor received from systemd is of a wrong type.\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_exit;
+ }
+ server_sockfd = SD_LISTEN_FDS_START + 0;
+ }
+ else
+ {
+ if((server_sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+ {
+ SLOGE("Error in function socket()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_exit;
+ }
- temp_len_sock = strlen(SS_SOCK_PATH);
-
- bzero(&serveraddr, sizeof(serveraddr));
- serveraddr.sun_family = AF_UNIX;
- strncpy(serveraddr.sun_path, SS_SOCK_PATH, temp_len_sock);
- serveraddr.sun_path[temp_len_sock] = '\0';
+ temp_len_sock = strlen(SS_SOCK_PATH);
+
+ memset(&serveraddr, '0', sizeof(serveraddr));
+ serveraddr.sun_family = AF_UNIX;
+ strncpy(serveraddr.sun_path, SS_SOCK_PATH, temp_len_sock);
+ serveraddr.sun_path[temp_len_sock] = '\0';
- if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
- {
- unlink("/tmp/SsSocket");
if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
{
- SLOGE("Error in function bind()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
- goto Error_close_exit;
+ unlink(SS_SOCK_PATH);
+ if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
+ {
+ SLOGE("Error in function bind()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_close_exit;
+ }
}
- }
- if(chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO) != 0)
- {
- send_data.rsp_type = SS_SOCKET_ERROR;
- goto Error_close_exit;
- }
+ if(chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO) != 0)
+ {
+ send_data.rsp_type = SS_SOCKET_ERROR;
+ goto Error_close_exit;
+ }
- if((listen(server_sockfd, 5)) < 0)
- {
- SLOGE("Error in function listen()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
- goto Error_close_exit;
+ if((listen(server_sockfd, 5)) < 0)
+ {
+ SLOGE("Error in function listen()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_close_exit;
+ }
}
signal(SIGINT, (void*)SigHandler);
+ sd_notify(0, "READY=1");
while(1)
{
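Review bot: `memset(&serveraddr, '0', sizeof(serveraddr))` fills the struct with the character '0' (0x30), not with zero bytes; the `bzero` it replaces cleared the struct, and the intended line is `memset(&serveraddr, 0, sizeof(serveraddr));`. It is harmless today only because `sun_family` is assigned and `sun_path` is explicitly terminated afterwards. When systemd hands over the socket (`number_fds == 1`) the `chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO)` in the else branch is skipped, so the socket's mode then comes from the unit file's `SocketMode=`; systemd/secure-storage.socket is not in view here, so confirm it matches the intended access policy and say so in a comment at the `number_fds == 1` branch. SsServerComm continues past the end of the hunk.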
diff --git a/server/src/ss_server_main.c b/server/src/ss_server_main.c
index 6344116..34c1919 100644..100755
--- a/server/src/ss_server_main.c
+++ b/server/src/ss_server_main.c
@@ -40,6 +40,7 @@
#include <unistd.h>
#include <dirent.h>
#include <errno.h>
+#include <openssl/hmac.h>
#include <openssl/aes.h>
#include <openssl/sha.h>
@@ -112,7 +113,7 @@ char* get_preserved_dir()
int IsSmackEnabled()
{
FILE *file = NULL;
- if(file = fopen("/smack/load2", "r"))
+ if((file = fopen("/smack/load2", "r")))
{
fclose(file);
return 1;
@@ -185,13 +186,13 @@ unsigned short GetHashCode(const unsigned char* pString)
return hash;
}
-int IsDirExist(char* dirpath)
+int IsDirExist(const char* dirpath)
{
DIR* dp = NULL;
if((dp = opendir(dirpath)) == NULL) // dir is not exist
{
- SLOGE("directory [%s] is not exist.\n", dirpath);
+ SECURE_SLOGE("directory [%s] is not exist.\n", dirpath);
return 0; // return value '0' represents dir is not exist
}
else
@@ -203,69 +204,21 @@ int IsDirExist(char* dirpath)
return -1;
}
-int check_privilege(const char* cookie, const char* group_id)
-{
-// int ret = -1; // if success, return 0
-// int gid = -1;
-
-// if(!strncmp(group_id, "NOTUSED", 7)) // group_id is NULL
-// return 0;
-// else
-// {
-// gid = security_server_get_gid(group_id);
-// ret = security_server_check_privilege(cookie, gid);
-// }
-
-// return ret;
- return 0; // success always
-}
-
int check_privilege_by_sockfd(int sockfd, const char* object, const char* access_rights)
{
- int ret = -1; // if success, return 0
- const char* private_group_id = "NOTUSED";
-
if(!IsSmackEnabled())
- {
return 0;
- }
-
- if(!strncmp(object,"NOTUSED", strlen(private_group_id)))
- {
- SLOGD("requested default group_id :%s. get smack label", object);
- char* client_process_smack_label = security_server_get_smacklabel_sockfd(sockfd);
- if(client_process_smack_label)
- {
- SLOGD("defined smack label : %s", client_process_smack_label);
- strncpy(object, client_process_smack_label, strlen(client_process_smack_label));
- free(client_process_smack_label);
- }
- else
- {
- SLOGD("failed to get smack label");
- return -1;
- }
- }
-
- SLOGD("object : %s, access_rights : %s", object, access_rights);
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ int ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ SECURE_SLOGD("object : %s, access_rights : %s, ret : %d", object, access_rights, ret);
return ret;
}
/* convert normal file path to secure storage file path */
int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, const char* group_id)
{
- char* if_pointer = NULL;
- unsigned short h_code = 0;
- unsigned short h_code2 = 0;
- unsigned char path_hash[SHA_DIGEST_LENGTH + 1];
char s[33+1];
- const char* dir = NULL;
- char tmp_cmd[32] = {0, };
- char tmp_buf[10] = {0, };
- const unsigned char exe_path[256] = {0, };
- FILE* fp_proc = NULL;
+ const char* dir = group_id;
char* preserved_dir = NULL;
int is_dir_exist = -1;
@@ -275,221 +228,170 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag,
return SS_FILE_OPEN_ERROR; // file related error
}
- memset(tmp_cmd, 0x00, 32);
- snprintf(tmp_cmd, 32, "/proc/%d/cmdline", sender_pid);
+ // get top-dir path
+ if(flag == SSM_FLAG_SECRET_PRESERVE)
+ {
+ preserved_dir = get_preserved_dir();
+ if(preserved_dir == NULL) // fail to get preserved directory
+ {
+ SLOGE("fail to get preserved dir\n");
+ return SS_FILE_OPEN_ERROR;
+ }
+
+ strncpy(dest, preserved_dir, strlen(preserved_dir)); //dest <= /csa
+ free(preserved_dir);
+ }
+ else // SSM_FLAG_SECRET_DATA || SSM_FLAG_SECRET_OPERATION || SSM_FLAG_PRELOADED_WEB_APP
+ {
+ if(CreateStorageDir(SS_STORAGE_DEFAULT_PATH) < 0)
+ {
+ return SS_FILE_OPEN_ERROR;
+ }
+ // TBD
+ strncpy(dest, SS_STORAGE_DEFAULT_PATH, strlen(SS_STORAGE_DEFAULT_PATH) + 1);
+ }
+
+ strncat(dest, dir, (strlen(dir))); // add top-dir + dir(label)
+ strncat(dest, "/", 1);
+
+ if(CreateStorageDir(dest) < 0)
+ {
+ return SS_FILE_OPEN_ERROR;
+ }
+
+ strncat(dest, "_", 1); // /top-dir/label/_
+
+ GetPathHash(src, s);
+ strncat(dest, s, strlen(s)); // /top-dir/label/_hash
+ strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); // /top-dir/label/_hash.e
+
+ SECURE_SLOGD("final dest : %s", dest);
+
+ return 1;
+}
+
+int GetProcessExecPath(int pid, char* buffer)
+{
+ char tmp_cmd[32] = {0,};
+ FILE *fp_proc = NULL;
+ snprintf(tmp_cmd, 32, "/proc/%d/cmdline", pid);
if(!(fp_proc = fopen(tmp_cmd, "r")))
{
- SLOGE("file open error: [%s]", tmp_cmd);
+ SECURE_SLOGE("file open error: [%s]", tmp_cmd);
return SS_FILE_OPEN_ERROR;
}
-
- fgets((char*)exe_path, 256, fp_proc);
+
+ fgets((char*)buffer, 256, fp_proc);
fclose(fp_proc);
- if(!strncmp(group_id, "NOTUSED", 7)) // don't share
+ return 0;
+}
+
+int GetProcessSmackLabel(int sockfd, char* proc_smack_label)
+{
+ char* smack_label = security_server_get_smacklabel_sockfd(sockfd);
+ if(smack_label)
{
- h_code2 = GetHashCode(exe_path);
- memset(tmp_buf, 0x00, 10);
- snprintf(tmp_buf, 10, "%u", h_code2);
- dir = tmp_buf;
+ strncpy(proc_smack_label, smack_label, strlen(smack_label));
+ free(smack_label);
}
- else // share
- dir = group_id;
-
- if_pointer = strrchr(src, '/');
-
- if(flag == SSM_FLAG_DATA) // /opt/share/secure-storage/*
+ else
{
- // check whether directory is exist or not
- is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH);
-
- if (is_dir_exist == 0) // SS_STORAGE_FILE_PATH is not exist
- {
- SLOGI("directory [%s] is making now.\n", SS_STORAGE_DEFAULT_PATH);
- if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0) // fail to make directory
- {
- SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH);
- return SS_FILE_OPEN_ERROR;
- }
- }
- else if (is_dir_exist == -1) // Unknown error
- {
- SLOGE("Unknown error in the function IsDirExist().\n");
- return SS_PARAM_ERROR;
- }
+ SLOGE("failed to get smack label");
+ return -1; // SS_SECURITY_SERVER_ERROR?
+ }
+ SECURE_SLOGD("defined smack label : %s", proc_smack_label);
+ return 0;
+}
- // TBD
- strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1);
- strncat(dest, dir, (strlen(dest) - 1));
- strncat(dest, "/", 1);
+int GetPathHash(const char *src, char *output)
+{
+ unsigned short h_code = 0;
+ unsigned char path_hash[SHA_DIGEST_LENGTH + 1];
- // make directory
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0';
- is_dir_exist = IsDirExist(dest);
+ SHA1((unsigned char*)src, (size_t)strlen(src), path_hash);
+ h_code = GetHashCode(path_hash);
+ memset(output, 0x00, 34);
+ snprintf(output, 34, "%u", h_code);
- if(is_dir_exist == 0) // not exist
- {
- SLOGI("%s is making now.\n", dest);
- if(mkdir(dest, 0700) < 0) // fail to make directory
- {
- SLOGE("[%s] cannot be made\n", dest);
- return SS_FILE_OPEN_ERROR;
- }
- }
-
- int length_of_file = 0;
- if(if_pointer != NULL)
- {
- strncat(dest, if_pointer + 1, strlen(if_pointer) + 1);
- }
- strncat(dest, "_", 1);
+ SECURE_SLOGD("hashing src : %s to output : %s", src, output);
- SHA1((unsigned char*)src, (size_t)strlen(src), path_hash);
- h_code = GetHashCode(path_hash);
- memset(s, 0x00, 34);
- snprintf(s, 34, "%u", h_code);
- strncat(dest, s, strlen(s));
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
+ return 0;
+}
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + length_of_file + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0';
- }
- else if(flag == SSM_FLAG_SECRET_PRESERVE) // /tmp/csa/
+
+int CreateStorageDir(const char* path)
+{
+ int is_dir_exist = IsDirExist(path);
+
+ if (is_dir_exist == 0) // path directory is not exist
{
- preserved_dir = get_preserved_dir();
- if(preserved_dir == NULL) // fail to get preserved directory
+ SECURE_SLOGI("directory [%s] is making now.\n", path);
+ if(mkdir(path, 0700) < 0) // fail to make directory
{
- SLOGE("fail to get preserved dir\n");
- return SS_FILE_OPEN_ERROR;
+ SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH);
+ return -SS_FILE_OPEN_ERROR;
}
-
- if(strncmp(src, preserved_dir, strlen(preserved_dir)) == 0) //src[0] == '/')
- {
- strncpy(dest, src, MAX_FILENAME_LEN - 1);
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
+ }
- dest[strlen(src) + strlen(SS_FILE_POSTFIX)] = '\0';
- }
- else if(if_pointer != NULL) // absolute path == file
- {
- strncpy(dest, preserved_dir, MAX_FILENAME_LEN - 1);
- strncat(dest, if_pointer + 1, strlen(if_pointer) + 1);
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
- dest[strlen(preserved_dir) + strlen(if_pointer) + strlen(SS_FILE_POSTFIX) + 1] = '\0';
- }
- else // relative path == buffer
- {
- strncpy(dest, preserved_dir, MAX_FILENAME_LEN - 1);
- strncat(dest, src, strlen(src));
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
- dest[strlen(preserved_dir) + strlen(src) + strlen(SS_FILE_POSTFIX)] = '\0';
- }
+ return 0;
+}
- free(preserved_dir);
+/*
+ * if group_id is given, use group_id
+ *
+ * if NULL group_id is given
+ * smack enable : use process smack label
+ * smack disable : use process exec path
+ *
+ */
+int GetProcessStorageDir(int sockfd, int sender_pid, const char* group_id, char* output)
+{
+ char *object = group_id;
+ char proc_smack_label[MAX_GROUP_ID_LEN+1] = {0,};
+ char hash_buf[10] = {0, };
+ int is_shared = strncmp(group_id, "NOTUSED", 7) ? 1 : 0;
- }
- else if(flag == SSM_FLAG_SECRET_OPERATION) // /opt/share/secure-storage/
+#ifdef SMACK_GROUP_ID
+ if(IsSmackEnabled())
{
- if(if_pointer != NULL) // absolute path == input is a file
+ if(!is_shared) // don't share, use process smack label
{
- // check whether directory is exist or not
- is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH);
-
- if (is_dir_exist == 0) // SS_STORAGE_FILE_PATH is not exist
- {
- SLOGI("%s is making now.\n", SS_STORAGE_DEFAULT_PATH);
- if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0) // fail to make directory
- {
- SLOGE("[%s] cannnot be made\n", SS_STORAGE_DEFAULT_PATH);
- return SS_FILE_OPEN_ERROR;
- }
- }
- else if (is_dir_exist == -1) // Unknown error
+ if(GetProcessSmackLabel(sockfd, proc_smack_label) != 0)
{
- SLOGE("Unknown error in the function IsDirExist().\n");
- return SS_PARAM_ERROR;
+ return -SS_SECURE_STORAGE_ERROR;
}
-
- strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1);
- strncat(dest, dir, strlen(dir));
- strncat(dest, "/", 1);
-
- // make directory
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0';
- is_dir_exist = IsDirExist(dest);
-
- if(is_dir_exist == 0) // not exist
- {
- SLOGI("%s is making now.\n", dest);
- if(mkdir(dest, 0700) < 0)
- {
- SLOGE("[%s] cannot be made\n", dest);
- return SS_FILE_OPEN_ERROR;
- }
- }
-
- strncat(dest, if_pointer + 1, strlen(if_pointer) + 1);
- strncat(dest, "_", 1);
- SHA1((unsigned char*)src, (size_t)strlen(src), path_hash);
- h_code = GetHashCode(path_hash);
- memset(s, 0x00, 34);
- snprintf(s, 34, "%u", h_code);
- strncat(dest, s, strlen(s));
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
-
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(if_pointer) + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0';
+ object = proc_smack_label;
}
- else // relative path == input is a buffer
- {
- // check whether directory is exist or not
- is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH);
-
- if (is_dir_exist == 0) // SS_STORAGE_BUFFER_PATH is not exist
- {
- SLOGI("%s is making now.\n", SS_STORAGE_DEFAULT_PATH);
- if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0)
- {
- SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH);
- return SS_FILE_OPEN_ERROR;
- }
- }
- else if (is_dir_exist == -1) // Unknown error
- {
- SLOGE("Unknown error in the function IsDirExist().\n");
- return SS_PARAM_ERROR;
- }
-
- strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1);
- strncat(dest, dir, strlen(dir));
- strncat(dest, "/", 1);
-
- // make directory
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0';
- is_dir_exist = IsDirExist(dest);
+ }
+ else{
+#endif
+ char exe_path[256] = {0,};
+ int h_code2 = 0;
- if(is_dir_exist == 0) // not exist
+ if(!is_shared) // don't share
+ {
+ if(GetProcessExecPath(sender_pid, exe_path) != 0)
{
- SLOGI("%s is making now.\n", dest);
- if(mkdir(dest, 0700) < 0)
- {
- SLOGE("[%s] cannot be made\n", dest);
- return SS_FILE_OPEN_ERROR;
- }
+ return -SS_SECURE_STORAGE_ERROR;
}
-
- strncat(dest, src, strlen(src));
- strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
-
- dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(src) + strlen(SS_FILE_POSTFIX) + 2] = '\0';
+ h_code2 = GetHashCode(exe_path);
+ snprintf(hash_buf, 10, "%u", h_code2);
+ object = hash_buf;
}
+#ifdef SMACK_GROUP_ID
}
- else
- {
- SLOGE("flag mispatch. cannot convert file name.\n");
- return SS_PARAM_ERROR;
- }
+#endif
+ strncpy(output, object, strlen(object));
+ return 0;
+}
- return 1;
+void SetMetaData(ssm_file_info_convert_t* sfic, unsigned int orig_size, unsigned int stored_size, int flag)
+{
+ sfic->fInfoStruct.originSize = (unsigned int)orig_size;
+ sfic->fInfoStruct.storedSize = (unsigned int)stored_size;
+ sfic->fInfoStruct.reserved[0] = flag & 0x000000ff;
}
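Review bot: Every copy in the rewritten path code bounds the copy by the source length — `strncpy(dest, preserved_dir, strlen(preserved_dir))`, `strncat(dest, dir, (strlen(dir)))`, `strncpy(proc_smack_label, smack_label, strlen(smack_label))` in GetProcessSmackLabel and `strncpy(output, object, strlen(object))` in GetProcessStorageDir — so none of them bounds the destination, and the two `strncpy` calls with `strlen(src)` as the count never write a terminator and rely on the caller having zeroed the buffer. For the label copies the fix is one line each, e.g. `snprintf(proc_smack_label, MAX_GROUP_ID_LEN + 1, "%s", smack_label);`, and GetProcessStorageDir should either take a `size_t output_len` parameter or document that `output` must hold at least MAX_GROUP_ID_LEN + 1 bytes (its caller in SsServerDataStoreFromFile declares `dir[MAX_GROUP_ID_LEN]`, one byte short of proc_smack_label's capacity). ConvertFileName should build `dest` with snprintf against its real capacity; the removed code used MAX_FILENAME_LEN as its strncpy bound, so I assume that constant below and the top-dir copy above the sketch needs the same treatment. Minor: CreateStorageDir logs `SS_STORAGE_DEFAULT_PATH` instead of `path` in its mkdir failure message, GetProcessExecPath hard-codes 256 for a `buffer` whose size it is not told and ignores the `fgets` return, and `char *object = group_id;` discards the const qualifier.
```c
	// … unchanged: top-dir selection into dest (preserved dir or SS_STORAGE_DEFAULT_PATH), bounded the same way …
	size_t used = strlen(dest);
	int written = snprintf(dest + used, MAX_FILENAME_LEN - used, "%s/", dir); // /top-dir/label/
	if(written < 0 || (size_t)written >= MAX_FILENAME_LEN - used)
		return SS_FILE_OPEN_ERROR;

	if(CreateStorageDir(dest) < 0)
		return SS_FILE_OPEN_ERROR;

	GetPathHash(src, s);
	used = strlen(dest);
	written = snprintf(dest + used, MAX_FILENAME_LEN - used, "_%s%s", s, SS_FILE_POSTFIX); // /top-dir/label/_hash.e
	if(written < 0 || (size_t)written >= MAX_FILENAME_LEN - used)
		return SS_FILE_OPEN_ERROR;
	// … unchanged: SECURE_SLOGD("final dest : %s", dest) and return 1 …
```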
/* aes crypto function wrapper - p_text : plain text, c_text : cipher text, aes_key : from GetKey, mode : ENCRYPT/DECRYPT, size : data size */
@@ -530,25 +432,35 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla
FILE* fd_out = NULL;
struct stat file_info;
ssm_file_info_convert_t sfic;
- int res = -1;
unsigned char p_text[ENCRYPT_SIZE]= {0, };
unsigned char e_text[ENCRYPT_SIZE]= {0, };
size_t read = 0, rest = 0;
+ int res = -1;
//0. privilege check and get directory name
+ char dir[MAX_GROUP_ID_LEN] = {0,};
+ if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0)
+ {
+ SLOGE("Failed to get storage dir\n");
+ return SS_SECURE_STORAGE_ERROR;
+ }
+
#ifdef SMACK_GROUP_ID
- if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
+ if(flag != SSM_FLAG_PRELOADED_WEB_APP)
{
- SLOGE("[%s] permission denied\n", group_id);
- return SS_PERMISSION_DENIED;
+ if(check_privilege_by_sockfd(sockfd, dir, "w") < 0)
+ {
+ SLOGE("Permission denied\n");
+ return SS_PERMISSION_DENIED;
+ }
}
#endif
// 1. create out file name
- ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id);
-
+ ConvertFileName(sender_pid, out_filepath, in_filepath, flag, dir);
+
// 2. file open
if(!(fd_in = fopen(in_filepath, "rb")))
{
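Review bot: The privilege test inside the new `#ifdef SMACK_GROUP_ID` block now passes on any non-negative return from check_privilege_by_sockfd(), whereas the removed line required exactly 0; unless that function's contract guarantees it never returns a positive value (not visible in this hunk), keep `if(check_privilege_by_sockfd(sockfd, dir, "w") != 0)`. The surrounding `flag != SSM_FLAG_PRELOADED_WEB_APP` guard also skips the SMACK check entirely for that flag, and the hunk does not show where flag originates; if it is taken from the client request, the requester decides whether the check runs, leaving the directory returned by GetProcessStorageDir() as the only confinement. That deserves a comment at the branch, e.g. `/* preloaded web-app storage is not SMACK-checked here; access is confined only by the dir from GetProcessStorageDir() */`, or a server-side derivation of the flag. The same pattern is repeated in the SsServerDataStoreFromBuffer, SsServerDataRead, SsServerDeleteFile and SsServerGetInfo hunks. SsServerDataStoreFromFile begins before this hunk and continues after it.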
@@ -574,9 +486,7 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla
// 3. write metadata
if(!stat(in_filepath, &file_info))
{
- sfic.fInfoStruct.originSize = (unsigned int)file_info.st_size;
- sfic.fInfoStruct.storedSize = (unsigned int)(sfic.fInfoStruct.originSize/AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE;
- sfic.fInfoStruct.reserved[0] = flag & 0x000000ff;
+ SetMetaData(&sfic, file_info.st_size, (file_info.st_size/AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE, flag);
}
else
{
@@ -639,15 +549,37 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
{
char key[16] = {0, };
unsigned char iv[16] = {0, };
- char out_filepath[MAX_FILENAME_LEN+1];
+ char out_filepath[MAX_FILENAME_LEN+1] = {0,};
char *buffer = NULL;
unsigned int writeLen = 0, loop, rest, count;
FILE *fd_out = NULL;
ssm_file_info_convert_t sfic;
- unsigned char p_text[ENCRYPT_SIZE]= {0, };
- unsigned char e_text[ENCRYPT_SIZE]= {0, };
+ unsigned char p_text[ENCRYPT_SIZE] = {0, };
+ unsigned char e_text[ENCRYPT_SIZE] = {0, };
int res = -1;
-
+
+ //0. get directory name and privilege check
+ char dir[MAX_GROUP_ID_LEN] = {0,};
+ if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0)
+ {
+ SLOGE("Failed to get storage dir\n");
+ return SS_SECURE_STORAGE_ERROR;
+ }
+
+#ifdef SMACK_GROUP_ID
+ if(flag != SSM_FLAG_PRELOADED_WEB_APP)
+ {
+ if(check_privilege_by_sockfd(sockfd, dir, "w") < 0)
+ {
+ SLOGE("Permission denied\n");
+ return SS_PERMISSION_DENIED;
+ }
+ }
+#endif
+
+ // create file path from filename
+ ConvertFileName(sender_pid, out_filepath, filename, flag, dir);
+
writeLen = (unsigned int)(bufLen / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE;
buffer = (char*)malloc(writeLen + 1);
if(!buffer)
@@ -658,23 +590,10 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
memset(buffer, 0x00, writeLen);
memcpy(buffer, writebuffer, bufLen);
- //0. privilege check and get directory name
-#ifdef SMACK_GROUP_ID
- if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
- {
- SLOGE("permission denied\n");
- free(buffer);
- return SS_PERMISSION_DENIED;
- }
-#endif
-
- // create file path from filename
- ConvertFileName(sender_pid, out_filepath, filename, flag, group_id);
-
// open a file with write mode
if(!(fd_out = fopen(out_filepath, "wb")))
{
- SLOGE("File open error:(out_filepath) %s\n", out_filepath);
+ SECURE_SLOGE("File open error:(out_filepath) %s\n", out_filepath);
free(buffer);
return SS_FILE_OPEN_ERROR; // file related error
}
@@ -688,9 +607,7 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
}
// write metadata
- sfic.fInfoStruct.originSize = (unsigned int)bufLen;
- sfic.fInfoStruct.storedSize = writeLen;
- sfic.fInfoStruct.reserved[0] = flag & 0x000000ff;
+ SetMetaData(&sfic, bufLen, writeLen, flag);
fwrite(sfic.fInfoArray, 1, sizeof(ssm_file_info_t), fd_out);
@@ -730,9 +647,9 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
SLOGI("success to execute fsync(). loop=[%d], rest=[%d]\n", loop, rest);
}
- fclose(fd_out);
+ fclose(fd_out);
free(buffer);
-
+
return 1;
}
@@ -755,12 +672,22 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u
*readLen = 0;
- //0. privilege check and get directory name
+ //0. get directory name and privilege check
+ char dir[MAX_GROUP_ID_LEN] = {0,};
+ if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0)
+ {
+ SLOGE("Failed to get storage dir\n");
+ return SS_SECURE_STORAGE_ERROR;
+ }
+
#ifdef SMACK_GROUP_ID
- if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0)
+ if(flag != SSM_FLAG_PRELOADED_WEB_APP)
{
- SLOGE("permission denied\n");
- return SS_PERMISSION_DENIED;
+ if(check_privilege_by_sockfd(sockfd, dir, "r") < 0)
+ {
+ SLOGE("Permission denied\n");
+ return SS_PERMISSION_DENIED;
+ }
}
#endif
@@ -768,12 +695,12 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u
if(flag == SSM_FLAG_WIDGET)
strncpy(in_filepath, data_filepath, MAX_FILENAME_LEN - 1);
else
- ConvertFileName(sender_pid, in_filepath, data_filepath, flag, group_id);
+ ConvertFileName(sender_pid, in_filepath, data_filepath, flag, dir);
// 2. open file
if(!(fd_in = fopen(in_filepath, "rb")))
{
- SLOGE("File open error:(in_filepath) %s\n", in_filepath);
+ SECURE_SLOGE("File open error:(in_filepath) %s\n", in_filepath);
return SS_FILE_OPEN_ERROR; // file related error
}
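Review bot: The new ConvertFileName() call confines the non-widget read to the storage directory the privilege check above was evaluated against, but the `SSM_FLAG_WIDGET` branch on the preceding line still copies data_filepath straight into in_filepath and opens it, so for that flag the dir-based SMACK check does not cover the path actually read. If widget reads are meant to accept a caller-supplied path, say so at the branch, e.g. `/* SSM_FLAG_WIDGET: caller-supplied path, not confined to dir */`; otherwise the widget path should be validated against the caller's dir before fopen(). The same branch appears in the SsServerGetInfo hunk. SsServerDataRead begins and ends outside this hunk.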
@@ -781,7 +708,7 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u
if(fseek(fd_in, (long)offset + sizeof(ssm_file_info_t), SEEK_SET) < 0)
{
int err_tmp = errno;
- SLOGE("Fseek error: %s in %s\n", strerror(err_tmp), in_filepath);
+ SECURE_SLOGE("Fseek error: %s in %s\n", strerror(err_tmp), in_filepath);
fclose(fd_in);
return SS_FILE_OPEN_ERROR; // file related error
}
@@ -816,10 +743,10 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u
out_data += read;
*readLen += read;
Last:
- *out_data = '\0';
+ *out_data = '\0';
fclose(fd_in);
-
+
return 1;
}
@@ -832,17 +759,28 @@ int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag,
const char* in_filepath = data_filepath;
char out_filepath[MAX_FILENAME_LEN] = {0, };
- //0. privilege check and get directory name
+ //0. get directory name and privilege check
+ char dir[MAX_GROUP_ID_LEN] = {0,};
+ if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0)
+ {
+ SLOGE("Failed to get storage dir\n");
+ return SS_SECURE_STORAGE_ERROR;
+ }
+
#ifdef SMACK_GROUP_ID
- if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
+ if(flag != SSM_FLAG_PRELOADED_WEB_APP)
{
- SLOGE("permission denied\n");
- return SS_PERMISSION_DENIED;
+ if(check_privilege_by_sockfd(sockfd, dir, "w") < 0)
+ {
+ SLOGE("Permission denied\n");
+ return SS_PERMISSION_DENIED;
+ }
}
#endif
- // 1. create out file name
- ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id);
-
+
+ // create file path from filename
+ ConvertFileName(sender_pid, out_filepath, in_filepath, flag, dir);
+
// 2. delete designated file
if(unlink(out_filepath) != 0) // unlink fail?
{
@@ -863,25 +801,35 @@ int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info,
FILE *fd_in = NULL;
char in_filepath[MAX_FILENAME_LEN] = {0, };
- //0. privilege check and get directory name
+ //0. get directory name and privilege check
+ char dir[MAX_GROUP_ID_LEN] = {0,};
+ if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0)
+ {
+ SLOGE("Failed to get storage dir\n");
+ return SS_SECURE_STORAGE_ERROR;
+ }
+
#ifdef SMACK_GROUP_ID
- if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0)
+ if(flag != SSM_FLAG_PRELOADED_WEB_APP)
{
- SLOGE("permission denied, [%s]\n", group_id);
- return SS_PERMISSION_DENIED;
+ if(check_privilege_by_sockfd(sockfd, dir, "r") < 0)
+ {
+ SLOGE("Permission denied\n");
+ return SS_PERMISSION_DENIED;
+ }
}
#endif
-
+
// 1. create in file name : convert file name in order to access secure storage
if(flag == SSM_FLAG_WIDGET)
strncpy(in_filepath, data_filepath, MAX_FILENAME_LEN - 1);
else
- ConvertFileName(sender_pid, in_filepath, data_filepath, flag, group_id);
-
+ ConvertFileName(sender_pid, in_filepath, data_filepath, flag, dir);
+
// 1. open file
if(!(fd_in = fopen( in_filepath, "rb")))
{
- SLOGE("File open error:(in_filepath) [%s], [%s]\n", data_filepath, in_filepath );
+ SECURE_SLOGE("File open error:(in_filepath) [%s], [%s]\n", data_filepath, in_filepath );
return SS_FILE_OPEN_ERROR; // file related error
}
diff --git a/ss-server.manifest b/ss-server.manifest
new file mode 100755
index 0000000..5612058
--- /dev/null
+++ b/ss-server.manifest
@@ -0,0 +1,20 @@
+<manifest>
+ <define>
+ <domain name="secure-storage"/>
+ <provide>
+ <label name="secure-storage::mdm-limit-call"/>
+ <label name="secure-storage::mdm-limit-sms"/>
+ <label name="secure-storage::tethering"/>
+ <label name="secure-storage::activesync"/>
+ <label name="secure-storage::divx-fragment"/>
+ <label name="secure-storage::google-sync"/>
+ <label name="secure-storage::facebook"/>
+ <label name="secure-storage::telephony_sim"/>
+ </provide>
+ </define>
+ <request>
+ <domain name="secure-storage"/>
+ </request>
+ <assign>
+ </assign>
+</manifest>
diff --git a/ss-serverd b/ss-serverd
deleted file mode 100755
index 79132e9..0000000
--- a/ss-serverd
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# start secure-storage server
-/usr/bin/ss-server &
diff --git a/packaging/secure-storage.service b/systemd/secure-storage.service
index d46ceee..553539e 100644
--- a/packaging/secure-storage.service
+++ b/systemd/secure-storage.service
@@ -3,6 +3,7 @@
Description=Start the Secure Storage server
[Service]
+Type=notify
ExecStartPre=-/bin/mkdir -p /csa
ExecStart=/usr/bin/ss-server
diff --git a/systemd/secure-storage.socket b/systemd/secure-storage.socket
new file mode 100644
index 0000000..631c09a
--- /dev/null
+++ b/systemd/secure-storage.socket
@@ -0,0 +1,6 @@
+[Socket]
+ListenStream=/tmp/SsSocket
+SocketMode=0777
+
+[Install]
+WantedBy=sockets.target
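Review bot: `SocketMode=0777` makes /tmp/SsSocket connectable by every local user, so this unit delegates all access control to the per-connection checks inside ss-server; recording that next to the line, e.g. `# world-connectable on purpose: ss-server authorizes each request via check_privilege_by_sockfd()`, keeps the next maintainer from tightening or loosening it blindly. If unprivileged clients are not expected, a narrower mode such as `SocketMode=0660` with `SocketGroup=` is the safer default. The socket also lives under the world-writable /tmp; systemd creates it at activation, but a path under /run avoids the interactions with pre-existing files that /tmp invites.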