ln -s ../security-server-cookie-check-tmp.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check-tmp.socket
ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
ln -s ../security-server-open-for.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
+ln -s ../security-server-password-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
+ln -s ../security-server-password-set.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket
%clean
rm -rf %{buildroot}
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-open-for.socket
%attr(-,root,root) /etc/security/security-server-audit.conf
+%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
+%attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket
+%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket
+%attr(-,root,root) /usr/lib/systemd/system/security-server-password-set.socket
%{_datadir}/license/%{name}
SET(SECURITY_SERVER_SOURCES
${SECURITY_SERVER_PATH}/communication/security-server-comm.c
${SECURITY_SERVER_PATH}/server/security-server-main.c
- ${SECURITY_SERVER_PATH}/server/security-server-password.c
${SECURITY_SERVER_PATH}/util/security-server-util-common.c
${SECURITY_SERVER_PATH}/util/smack-check.c
${SERVER2_PATH}/main/generic-socket-manager.cpp
${SERVER2_PATH}/service/get-object-name.cpp
${SERVER2_PATH}/service/open-for.cpp
${SERVER2_PATH}/service/open-for-manager.cpp
+ ${SERVER2_PATH}/service/password.cpp
+ ${SERVER2_PATH}/service/password-file.cpp
+ ${SERVER2_PATH}/service/password-manager.cpp
+ ${SERVER2_PATH}/service/password-file-buffer.cpp
)
SET_SOURCE_FILES_PROPERTIES(
${SECURITY_SERVER_PATH}/server2/client/client-socket-privilege.cpp
${SECURITY_SERVER_PATH}/server2/client/client-get-object-name.cpp
${SECURITY_SERVER_PATH}/server2/client/client-open-for.cpp
- ${SECURITY_SERVER_PATH}/client/security-server-client.c
+ ${SECURITY_SERVER_PATH}/server2/client/client-password.cpp
${SECURITY_SERVER_PATH}/communication/security-server-comm.c
${SECURITY_SERVER_PATH}/util/smack-check.c
)
+++ /dev/null
-/*
- * security-server
- *
- * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/smack.h>
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/poll.h>
-
-#include "smack-check.h"
-#include "security-server.h"
-#include "security-server-common.h"
-#include "security-server-comm.h"
-
-#if 0
-void printhex(unsigned char *data, int size)
-{
- int i;
- for (i = 0; i < size; i++)
- {
- if (data[i] < 0xF)
- printf("0");
-
- printf("%X ", data[i]);
- if (((i + 1) % 16) == 0 && i != 0)
- printf("\n");
- }
- printf("\n");
-}
-
-
-char *read_cmdline_from_proc(pid_t pid)
-{
- int memsize = 32;
- char path[32];
- char *cmdline = NULL;
-
- snprintf(path, sizeof(path), "/proc/%d/exe", pid);
-
- cmdline = malloc(32);
- if (cmdline == NULL)
- {
- SEC_SVR_DBG("%s", "Out of memory");
- goto error;
- }
-
- while (1)
- {
- bzero(cmdline, memsize);
- /* readlink() may have security hole in normal symbolic link. *
- * But this link is located at proc fs that only kernel can change */
- readlink(path, cmdline, memsize); /* FlawFinder: ignore */
- SEC_SVR_DBG("pid: %d, cmdline: %s", pid, cmdline);
-
- /* Check it's truncated */
- if (cmdline[memsize - 1] != 0)
- {
- cmdline = (char*)realloc(cmdline, sizeof(char) * (memsize + 32));
- memsize += 32;
- if (cmdline == NULL)
- {
- SEC_SVR_DBG("%s", "Out of memory");
- goto error;
- }
- }
- else
- break;
- }
-
-error:
- return cmdline;
-}
-#endif
-
-
-/* We may need to filter error code */
-int convert_to_public_error_code(int err_code)
-{
- /* Do we need this? */
- return err_code;
-}
-
-// SECURITY_SERVER_API
-// int security_server_get_gid(const char *object)
-// {
-// int sockfd = -1, retval, gid;
-// response_header hdr;
-
-// if (object == NULL)
-// {
-// SEC_SVR_ERR("%s", "Client: object is null or object is too big");
-// retval = SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-// goto error;
-// }
-// if (strlen(object) > SECURITY_SERVER_MAX_OBJ_NAME)
-// {
-// SEC_SVR_ERR("%s", "object is null or object is too big");
-// retval = SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-// goto error;
-// }
-
-// if (strlen(object) == 0)
-// {
-// SEC_SVR_ERR("Client: object is is empty");
-// retval = SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-// goto error;
-// }
-
-// SECURE_SLOGD("%s", "Client: security_server_get_gid() is called");
-// retval = connect_to_server(&sockfd);
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// /* Error on socket */
-// SEC_SVR_ERR("Connection failed: %d", retval);
-// goto error;
-// }
-// SECURE_SLOGD("%s", "Client: Security server has been connected");
-
-// /* make request packet and send to server*/
-// retval = send_gid_request(sockfd, object);
-// SEC_SVR_DBG("%s", "Client: gid request has been sent");
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// /* Error on socket */
-// SEC_SVR_ERR("Send gid request failed: %d", retval);
-// goto error;
-// }
-
-// /* Receive response */
-// retval = recv_get_gid_response(sockfd, &hdr, &gid);
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// SEC_SVR_ERR("Client: Receive response failed: %d", retval);
-// goto error;
-// }
-// SEC_SVR_DBG("%s", "Client: get gid response has been received");
-
-// if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_GID_RESPONSE) /* Wrong response */
-// {
-// if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
-// {
-// /* There must be some error */
-// SEC_SVR_ERR("Client: It'll be an error. return code:%d", hdr.return_code);
-// retval = return_code_to_error_code(hdr.return_code);
-// goto error;
-// }
-// else
-// {
-// /* Something wrong with response */
-// SEC_SVR_ERR("Client: Something wrong with response:%d", hdr.basic_hdr.msg_id);
-// retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
-// goto error;
-// }
-// }
-
-// SEC_SVR_DBG("received gid is %d", gid);
-// retval = gid;
-
-// error:
-// if (sockfd > 0)
-// close(sockfd);
-// /* If error happened */
-// if (retval < 0)
-// retval = convert_to_public_error_code(retval);
-
-// return retval;
-// }
-
-
-
-// SECURITY_SERVER_API
-// int security_server_get_object_name(gid_t gid, char *object, size_t max_object_size)
-// {
-// int sockfd = -1, retval;
-// response_header hdr;
-
-// if (object == NULL)
-// {
-// retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
-// goto error;
-// }
-
-// retval = connect_to_server(&sockfd);
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// /* Error on socket */
-// SEC_SVR_ERR("Client: connect to server failed: %d", retval);
-// goto error;
-// }
-
-// /* make request packet */
-// retval = send_object_name_request(sockfd, gid);
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// /* Error on socket */
-// SEC_SVR_ERR("Client: cannot send request: %d", retval);
-// goto error;
-// }
-
-// retval = recv_get_object_name(sockfd, &hdr, object, max_object_size);
-// if (retval != SECURITY_SERVER_SUCCESS)
-// {
-// SEC_SVR_ERR("Client: Receive response failed: %d", retval);
-// goto error;
-// }
-
-// if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE) /* Wrong response */
-// {
-// if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
-// {
-// /* There must be some error */
-// SEC_SVR_ERR("Client: There is error on response: return code:%d", hdr.basic_hdr.msg_id);
-// retval = return_code_to_error_code(hdr.return_code);
-// }
-// else
-// {
-// /* Something wrong with response */
-// SEC_SVR_ERR("Client: Some unexpected error happene: return code:%d", hdr.basic_hdr.msg_id);
-// retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
-// }
-// goto error;
-// }
-
-// error:
-// if (sockfd > 0)
-// close(sockfd);
-
-// retval = convert_to_public_error_code(retval);
-// return retval;
-// }
-
-
-SECURITY_SERVER_API
-int security_server_is_pwd_valid(unsigned int *current_attempts,
- unsigned int *max_attempts,
- unsigned int *valid_secs)
-{
- int sockfd = -1, retval = SECURITY_SERVER_ERROR_UNKNOWN;
- response_header hdr;
-
- if (current_attempts == NULL || max_attempts == NULL || valid_secs == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- /* Authenticate self that is setting app goes here */
- /* 1st, check cmdline which is setting app */
- /* 2nd, check /proc/self/attr/current for the SMACK label */
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_valid_pwd_request(sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_pwd_response(sockfd, &hdr, current_attempts, max_attempts, valid_secs);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-
-SECURITY_SERVER_API
-int security_server_set_pwd(const char *cur_pwd,
- const char *new_pwd,
- const unsigned int max_challenge,
- const unsigned int valid_period_in_days)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (new_pwd == NULL || strlen(new_pwd) > SECURITY_SERVER_MAX_PASSWORD_LEN || strlen(new_pwd) == 0)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- /* Authenticate self that is setting app goes here */
- /* 1st, check cmdline which is setting app */
- /* 2nd, check /proc/self/attr/current for the SMACK label */
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_set_pwd_request(sockfd, cur_pwd, new_pwd, max_challenge, valid_period_in_days);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_generic_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-SECURITY_SERVER_API
-int security_server_set_pwd_validity(const unsigned int valid_period_in_days)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_set_pwd_validity_request(sockfd, valid_period_in_days);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_generic_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-SECURITY_SERVER_API
-int security_server_set_pwd_max_challenge(const unsigned int max_challenge)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_set_pwd_max_challenge_request(sockfd, max_challenge);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_generic_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-
-SECURITY_SERVER_API
-int security_server_reset_pwd(const char *new_pwd,
- const unsigned int max_challenge,
- const unsigned int valid_period_in_days)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (new_pwd == NULL || strlen(new_pwd) > SECURITY_SERVER_MAX_PASSWORD_LEN || strlen(new_pwd) == 0)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- /* Authenticate self that is setting app goes here */
- /* 1st, check cmdline which is setting app */
- /* 2nd, check /proc/self/attr/current for the SMACK label */
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_reset_pwd_request(sockfd, new_pwd, max_challenge, valid_period_in_days);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_generic_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-
-SECURITY_SERVER_API
-int security_server_chk_pwd(const char *challenge,
- unsigned int *current_attempt,
- unsigned int *max_attempts,
- unsigned int *valid_secs)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (challenge == NULL || strlen(challenge) > SECURITY_SERVER_MAX_PASSWORD_LEN
- || strlen(challenge) == 0 || current_attempt == NULL
- || max_attempts == NULL || valid_secs == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- /* Authenticate self goes here */
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_chk_pwd_request(sockfd, challenge);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_pwd_response(sockfd, &hdr, current_attempt, max_attempts, valid_secs);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-SECURITY_SERVER_API
-int security_server_set_pwd_history(int number_of_history)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (number_of_history > SECURITY_SERVER_MAX_PASSWORD_HISTORY || number_of_history < 0)
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- /* Authenticate self that is setting app goes here */
- /* 1st, check cmdline which is setting app */
- /* 2nd, check /proc/self/attr/current for the SMACK label */
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_set_pwd_history_request(sockfd, number_of_history);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
- retval = recv_generic_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
case SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE:
ret = SECURITY_SERVER_ERROR_NO_SUCH_COOKIE;
break;
- case SECURITY_SERVER_RETURN_CODE_NO_PASSWORD:
- ret = SECURITY_SERVER_ERROR_NO_PASSWORD;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST:
- ret = SECURITY_SERVER_ERROR_PASSWORD_EXIST;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH:
- ret = SECURITY_SERVER_ERROR_PASSWORD_MISMATCH;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER:
- ret = SECURITY_SERVER_ERROR_PASSWORD_RETRY_TIMER;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED:
- ret = SECURITY_SERVER_ERROR_PASSWORD_EXPIRED;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED:
- ret = SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED;
- break;
- case SECURITY_SERVER_RETURN_CODE_PASSWORD_REUSED:
- ret = SECURITY_SERVER_ERROR_PASSWORD_REUSED;
- break;
default:
ret = SECURITY_SERVER_ERROR_UNKNOWN;
break;
// return SECURITY_SERVER_SUCCESS;
// }
-/* Send validate password request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x0d | Message Length |
- * |---------------------------------------------------------------|
- */
-int send_valid_pwd_request(int sock_fd)
-{
- basic_header hdr;
- int retval;
-
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST;
- hdr.msg_len = 0;
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, &hdr, sizeof(hdr)));
- if (retval < (int)(sizeof(hdr)))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- return retval;
-}
-
-/* Send password set request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x0f | Message Length |
- * |---------------------------------------------------------------|
- * | cur_pwd_len | new_pwd_len | |
- * |-------------------------------- |
- * | cur pwd |
- * |---------------------------------------------------------------|
- * | |
- * | new pwd |
- * | |
- * |---------------------------------------------------------------|
- * | max attempts |
- * |---------------------------------------------------------------|
- * | valid days |
- * |---------------------------------------------------------------|
- */
-int send_set_pwd_request(int sock_fd,
- const char *cur_pwd,
- const char *new_pwd,
- const unsigned int max_challenge,
- const unsigned int valid_period_in_days)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char *buf = NULL, cur_pwd_len, new_pwd_len;
-
- if (cur_pwd == NULL)
- cur_pwd_len = 0;
- else
- cur_pwd_len = strlen(cur_pwd);
- new_pwd_len = strlen(new_pwd);
-
- total_length += sizeof(hdr) + sizeof(char) + sizeof(char) + cur_pwd_len
- + new_pwd_len + sizeof(unsigned int) + sizeof(unsigned int);
-
- buf = malloc(total_length);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Error: failed to malloc()");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &cur_pwd_len, sizeof(char));
- ptr += sizeof(char);
- memcpy(buf + ptr, &new_pwd_len, sizeof(char));
- ptr += sizeof(char);
- if (cur_pwd != NULL)
- {
- memcpy(buf + ptr, cur_pwd, cur_pwd_len);
- ptr += cur_pwd_len;
- }
- memcpy(buf + ptr, new_pwd, new_pwd_len);
- ptr += new_pwd_len;
- memcpy(buf + ptr, &max_challenge, sizeof(unsigned int));
- ptr += sizeof(unsigned int);
- memcpy(buf + ptr, &valid_period_in_days, sizeof(unsigned int));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, total_length));
- if (retval < (int)(sizeof(buf)))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buf != NULL)
- free(buf);
- return retval;
-}
-
-/* Send password validity change request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x0f | Message Length |
- * |---------------------------------------------------------------|
- * | valid days |
- * |---------------------------------------------------------------|
- */
-int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char *buf = NULL;
-
- total_length = sizeof(hdr) + sizeof(unsigned int);
-
- buf = malloc(total_length);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Error: failed to malloc()");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &valid_period_in_days, sizeof(unsigned int));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, total_length));
- if (retval < (int)(sizeof(buf)))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buf != NULL)
- free(buf);
- return retval;
-}
-
-/* Send password max challenge request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x0f | Message Length |
- * |---------------------------------------------------------------|
- * | max challenge |
- * |---------------------------------------------------------------|
- */
-int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char *buf = NULL;
-
- total_length = sizeof(hdr) + sizeof(unsigned int);
-
- buf = malloc(total_length);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Error: failed to malloc()");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &max_challenge, sizeof(unsigned int));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, total_length));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buf != NULL)
- free(buf);
- return retval;
-}
-
-/* Send password reset request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x11 | Message Length |
- * |---------------------------------------------------------------|
- * | new_pwd_len | |
- * |---------------------------------------------------------------|
- * | |
- * | new pwd |
- * | |
- * |---------------------------------------------------------------|
- * | max attempts |
- * |---------------------------------------------------------------|
- * | valid days |
- * |---------------------------------------------------------------|
- */
-int send_reset_pwd_request(int sock_fd,
- const char *new_pwd,
- const unsigned int max_challenge,
- const unsigned int valid_period_in_days)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char *buf = NULL, new_pwd_len;
-
- new_pwd_len = strlen(new_pwd);
-
- total_length += sizeof(hdr) + sizeof(char) + new_pwd_len + sizeof(unsigned int) +
- sizeof(unsigned int);
-
- buf = malloc(total_length);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Error: failed to malloc()");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &new_pwd_len, sizeof(char));
- ptr += sizeof(char);
- memcpy(buf + ptr, new_pwd, new_pwd_len);
- ptr += new_pwd_len;
- memcpy(buf + ptr, &max_challenge, sizeof(unsigned int));
- ptr += sizeof(unsigned int);
- memcpy(buf + ptr, &valid_period_in_days, sizeof(unsigned int));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, total_length));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buf != NULL)
- free(buf);
- return retval;
-}
-
-/* Send password check request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x13 | Message Length |
- * |---------------------------------------------------------------|
- * | challenge_len | |
- * |--------------- |
- * | challenge |
- * |---------------------------------------------------------------|
- */
-int send_chk_pwd_request(int sock_fd, const char *challenge)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char *buf = NULL, challenge_len;
-
- challenge_len = strlen(challenge);
-
- total_length += sizeof(hdr) + sizeof(char) + challenge_len;
-
- buf = malloc(total_length);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Error: failed to malloc()");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &challenge_len, sizeof(char));
- ptr += sizeof(char);
- memcpy(buf + ptr, challenge, challenge_len);
- ptr += sizeof(char);
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, total_length));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buf != NULL)
- free(buf);
- return retval;
-}
-
-/* Send password history set request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x15 | Message Length |
- * |---------------------------------------------------------------|
- * | challenge_len |
- * |----------------
- */
-int send_set_pwd_history_request(int sock_fd, int num)
-{
- basic_header hdr;
- int retval, total_length = 0, ptr;
- unsigned char history;
- unsigned char buf[sizeof(hdr) + sizeof(history)];
-
- total_length = sizeof(hdr) + sizeof(char);
- history = (unsigned char) num;
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST;
- hdr.msg_len = (unsigned short)total_length;
- memcpy(buf, &hdr, sizeof(hdr));
- ptr = sizeof(hdr);
- memcpy(buf + ptr, &history, sizeof(char));
- ptr += sizeof(char);
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, ptr));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- return retval;
-}
-
/* Receive request header */
int recv_hdr(int client_sockfd, basic_header *basic_hdr)
{
return SECURITY_SERVER_SUCCESS;
}
-int recv_pwd_response(int sockfd, response_header *hdr,
- unsigned int *current_attempts,
- unsigned int *max_attempts,
- unsigned int *valid_secs)
-{
- int retval;
- *current_attempts = 0;
- *max_attempts = 0;
- *valid_secs = 0;
-
- retval = recv_generic_response(sockfd, hdr);
-
- switch (retval)
- {
- case SECURITY_SERVER_ERROR_PASSWORD_EXIST:
- case SECURITY_SERVER_ERROR_NO_PASSWORD:
- case SECURITY_SERVER_ERROR_PASSWORD_MISMATCH:
- case SECURITY_SERVER_ERROR_PASSWORD_RETRY_TIMER:
- case SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED:
- case SECURITY_SERVER_ERROR_PASSWORD_EXPIRED:
- case SECURITY_SERVER_ERROR_PASSWORD_REUSED:
- case SECURITY_SERVER_SUCCESS:
- break;
- default:
- return return_code_to_error_code(hdr->return_code);
- }
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, current_attempts, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Receive failed %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- retval = TEMP_FAILURE_RETRY(read(sockfd, max_attempts, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Receive failed %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- retval = TEMP_FAILURE_RETRY(read(sockfd, valid_secs, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Receive failed %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
-
- //if come here there were no errors
- return SECURITY_SERVER_SUCCESS;
-}
-
/* Authenticate client application *
* Currently it only gets peer's credential information only *
* If we need, we can extend in the futer */
// #define SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE 0x06
#define SECURITY_SERVER_MSG_TYPE_GID_REQUEST 0x07
#define SECURITY_SERVER_MSG_TYPE_GID_RESPONSE 0x08
-#define SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST 0x0d
-#define SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE 0x0e
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST 0x0f
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE 0x10
-#define SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST 0x11
-#define SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE 0x12
-#define SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST 0x13
-#define SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE 0x14
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST 0x15
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE 0x16
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST 0x19
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b
-#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c
#define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff
/* Return code */
#define SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED 0x04
#define SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT 0x05
#define SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE 0x06
-#define SECURITY_SERVER_RETURN_CODE_NO_PASSWORD 0x07
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST 0x08
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH 0x09
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED 0x0a
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED 0x0b
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_REUSED 0x0c
-#define SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER 0x0d
#define SECURITY_SERVER_RETURN_CODE_SERVER_ERROR 0x0e
int return_code_to_error_code(int ret_code);
int recv_hdr(int client_sockfd, basic_header *basic_hdr);
int recv_generic_response(int sockfd, response_header *hdr);
-int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts,
- unsigned int *max_attempts, unsigned int *valid_days);
-int send_set_pwd_request(int sock_fd, const char *cur_pwd, const char *new_pwd,
- const unsigned int max_challenge, const unsigned int valid_period_in_days);
-int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days);
-int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge);
-int send_chk_pwd_request(int sock_fd, const char *challenge);
int check_socket_poll(int sockfd, int event, int timeout);
int free_argv(char **argv, int argc);
-int send_valid_pwd_request(int sock_fd);
-int send_reset_pwd_request(int sock_fd,
- const char *new_pwd,
- const unsigned int max_challenge,
- const unsigned int valid_period_in_days);
-int send_set_pwd_history_request(int sock_fd, int num);
int get_socket_from_systemd(int *sockfd);
-int send_pwd_response(const int sockfd,
- const unsigned char msg_id,
- const unsigned char return_code,
- const unsigned int current_attempts,
- const unsigned int max_attempts,
- const unsigned int expire_time);
-
#endif
#define SECURITY_SERVER_ERROR_SERVER_ERROR -12
#define SECURITY_SERVER_ERROR_NO_SUCH_COOKIE -13
#define SECURITY_SERVER_ERROR_NO_PASSWORD -14
-#define SECURITY_SERVER_ERROR_PASSWORD_EXIST -15
-#define SECURITY_SERVER_ERROR_PASSWORD_MISMATCH -16
-#define SECURITY_SERVER_ERROR_PASSWORD_RETRY_TIMER -17
-#define SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED -18
-#define SECURITY_SERVER_ERROR_PASSWORD_EXPIRED -19
-#define SECURITY_SERVER_ERROR_PASSWORD_REUSED -20
#define SECURITY_SERVER_ERROR_SOCKET_BIND -21
#define SECURITY_SERVER_ERROR_FILE_OPERATION -22
#define SECURITY_SERVER_ERROR_TIMEOUT -23
#define SECURITY_SERVER_ACCEPT_TIMEOUT_MILISECOND 10000
#define SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND 3000
#define SECURITY_SERVER_DEVELOPER_UID 5100
-#define SECURITY_SERVER_DATA_DIRECTORY_PATH "/opt/data/security-server"
-#define SECURITY_SERVER_ATTEMPT_FILE_NAME "attempts"
-#define SECURITY_SERVER_HISTORY_FILE_NAME "history"
-#define SECURITY_SERVER_MAX_PASSWORD_LEN 32
-#define SECURITY_SERVER_HASHED_PWD_LEN 32 /* SHA256 */
-#define SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND 1 /* Deprecated. Will be removed. */
-#define SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_MICROSECOND 500000 /* = 500 milliseconds */
-#define SECURITY_SERVER_MAX_PASSWORD_HISTORY 50
#define SECURITY_SERVER_NUM_THREADS 10
#define MESSAGE_MAX_LEN 1048576
+++ /dev/null
-/*
- * security-server
- *
- * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- */
-
-#ifndef SECURITY_SERVER_PASSWORD_H
-#define SECURITY_SERVER_PASSWORD_H
-
-#include "security-server-common.h"
-#include "security-server-comm.h"
-
-int process_valid_pwd_request(int sockfd);
-int process_set_pwd_request(int sockfd);
-int process_set_pwd_history_request(int sockfd);
-int process_reset_pwd_request(int sockfd);
-int process_reset_pwd_request(int sockfd);
-int process_chk_pwd_request(int sockfd);
-int process_set_pwd_max_challenge_request(int sockfd);
-int process_set_pwd_validity_request(int sockfd);
-void initiate_try(void);
-
-#endif
* \par Important notes:
* There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n
*
- * \param[in] number_of_history Number of history to be checked when user tries to change password. Maximum is currently 50
+ * \param[in] history_size Number of history to be checked when user tries to change password. Maximum is currently 50
*
* \return 0 on seccuess, negative integer error code on error.
*
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-password-set w"
*/
-int security_server_set_pwd_history(int number_of_history);
+int security_server_set_pwd_history(int history_size);
/*
* This function allows to get process SMACK label by passing cookie assigned
#include <privilege-control.h>
#include "security-server-common.h"
-#include "security-server-password.h"
#include "security-server-comm.h"
#include "security-server-util.h"
#include "smack-check.h"
process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
break;
- case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST:
- SECURE_SLOGD("%s", "Server: validate password request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED);
- process_valid_pwd_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST:
- SECURE_SLOGD("%s", "Server: set password request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
- process_set_pwd_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST:
- SECURE_SLOGD("%s", "Server: reset password request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
- process_reset_pwd_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST:
- SECURE_SLOGD("%s", "Server: check password request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED);
- process_chk_pwd_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST:
- SECURE_SLOGD("%s", "Server: set password histroy request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
- process_set_pwd_history_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST:
- SECURE_SLOGD("%s", "Server: set password max challenge request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
- process_set_pwd_max_challenge_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST:
- SECURE_SLOGD("%s", "Server: set password validity request received");
- authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
- process_set_pwd_validity_request(client_sockfd);
- break;
-
default:
SEC_SVR_ERR("Unknown msg ID :%d", basic_hdr.msg_id);
/* Unknown message ID */
for (retval = 0; retval < SECURITY_SERVER_NUM_THREADS; retval++)
thread_status[retval] = 0;
- initiate_try();
/* Create and bind a Unix domain socket */
if(SECURITY_SERVER_SUCCESS != get_socket_from_systemd(&server_sockfd))
+++ /dev/null
-/*
- * security-server
- *
- * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <dirent.h>
-#include <errno.h>
-#include <limits.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <time.h>
-#include <sys/time.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <openssl/sha.h>
-#include <limits.h>
-
-#include "security-server-password.h"
-
-struct timeval prev_try;
-
-void initiate_try()
-{
- long int temp_usec;
-
- gettimeofday(&prev_try, NULL);
-
- temp_usec = prev_try.tv_usec - SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_MICROSECOND;
- if (temp_usec >= 0)
- prev_try.tv_usec = temp_usec;
- else
- {
- prev_try.tv_sec = prev_try.tv_sec - 1;
- prev_try.tv_usec = 1000000 + temp_usec;
- }
-}
-
-int validate_pwd_file(char *filename)
-{
- int i;
-
- if ((strncmp(filename + (strlen(filename) - 4), ".pwd", 4)) != 0)
- {
- SECURE_SLOGE("The password filename [%s] is invalid", filename);
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
-
- for (i = 0; i < ((int)strlen(filename) - 4); i++)
- {
- if (filename[i] > '9' || filename[i] < '0')
- {
- SECURE_SLOGE("The password filename [%s] is invalid", filename);
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-int dir_filter(const struct dirent *entry)
-{
- if ((strcmp(entry->d_name, ".") == 0) ||
- (strcmp(entry->d_name, "..") == 0) ||
- (strcmp(entry->d_name, "attempts") == 0) ||
- (strcmp(entry->d_name, "history") == 0))
- return (0);
- else
- return (1);
-}
-
-int get_pwd_path(char *path)
-{
- int retval;
- struct dirent **mydirent;
- int num;
- num = scandir(SECURITY_SERVER_DATA_DIRECTORY_PATH, &mydirent, &dir_filter, alphasort);
- if (num < 0)
- {
- SECURE_SLOGE("Server: [Error] Cannot scan password directory. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- if (num == 0)
- {
- SECURE_SLOGD("%s", "Server: There is no password file");
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
-
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH, mydirent[num - 1]->d_name);
- retval = validate_pwd_file(mydirent[num - 1]->d_name);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGD("Removing invalid password file: %s", path);
- unlink(path);
- get_pwd_path(path);
- }
- SECURE_SLOGD("Password file path: %s", path);
- while (num--)
- free(mydirent[num]);
- free(mydirent);
- return SECURITY_SERVER_SUCCESS;
-}
-
-int load_password(unsigned char *cur_pwd, unsigned int *max_attempt, unsigned int *expire_time)
-{
- int retval, fd;
- char pwd_path[255];
-
- /* Create directory */
- retval = mkdir(SECURITY_SERVER_DATA_DIRECTORY_PATH, 0700);
- if (retval != 0)
- {
- if (errno != EEXIST)
- {
- SEC_SVR_ERR("Cannot create directory. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- }
-
- /* Check password files */
- while (1)
- {
- /* Get password file path */
- retval = get_pwd_path(pwd_path);
- if (retval == SECURITY_SERVER_ERROR_NO_PASSWORD)
- {
- SECURE_SLOGD("%s", "Current password doesn't exist");
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
-
- /* Load password file */
- fd = open(pwd_path, O_RDONLY | O_NONBLOCK );
- if (fd < 0)
- {
- if (errno == ENOENT)
- {
- SECURE_SLOGD("%s", "Server: Current password doesn't exist");
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
- SECURE_SLOGE("Server: Current password cannot be opened. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
-
- /* Read and store into memory */
- retval = TEMP_FAILURE_RETRY(read(fd, cur_pwd, SECURITY_SERVER_HASHED_PWD_LEN));
- if (retval < SECURITY_SERVER_HASHED_PWD_LEN)
- {
- SECURE_SLOGD("%s", "Server: Current password corrupted. resetting to previous one. 0");
- close(fd);
- fd = 0;
- unlink(pwd_path);
- continue;
- }
-
- retval = TEMP_FAILURE_RETRY(read(fd, max_attempt, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SECURE_SLOGD("%s", "Server: Current password corrupted. resetting to previous one. 1");
- close(fd);
- fd = 0;
- unlink(pwd_path);
- continue;
- }
-
- retval = TEMP_FAILURE_RETRY(read(fd, expire_time, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SECURE_SLOGD("%s", "Server: Current password corrupted. resetting to previous one. 2");
- close(fd);
- fd = 0;
- unlink(pwd_path);
- continue;
- }
- close(fd);
-
- /* Check expiration time. */
- if (*expire_time == 0) /* No valid period */
- *expire_time = 0xffffffff;
- else if ((time_t)*expire_time <= time(NULL)) /* expired */
- *expire_time = 0;
- else /* valid yet */
- *expire_time -= time(NULL);
- break;
- }
- SECURE_SLOGD("%s", "Server: Current password file successfully loaded");
- return SECURITY_SERVER_SUCCESS;
-}
-
-int get_current_attempt(int increase)
-{
- int retval, fd, attempt;
- char path[255];
-
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH,
- SECURITY_SERVER_ATTEMPT_FILE_NAME);
-
- /* Open current attempt file as read mode */
- fd = open(path, O_RDONLY | O_NONBLOCK );
- if (fd < 0)
- {
- if (errno == ENOENT)
- {
- SEC_SVR_DBG("%s", "Server: attempt doesn't exist. Creating one:");
- /* Create one if it doesn't exist */
- fd = open(path, O_WRONLY | O_NONBLOCK | O_CREAT, 0600);
- if (fd < 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot open attempt file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = fchmod(fd, 0600);
- if (retval != 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot chmod attempt file. errno: %d", errno);
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- attempt = increase;
- retval = TEMP_FAILURE_RETRY(write(fd, &attempt, sizeof(int)));
- close(fd);
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("%s", "Server ERROR: Cannot write attempt");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- return attempt;
- }
- SECURE_SLOGE("Current password cannot be opened. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(read(fd, &attempt, sizeof(int)));
- close(fd);
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("%s", "Server ERROR: Cannot read attempt");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
-
- if (increase > 0)
- {
- /* Open the file again with write mode */
- fd = open(path, O_WRONLY | O_NONBLOCK, 0600);
- if (fd < 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot open attempt file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = fchmod(fd, 0600);
- if (retval != 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot chmod attempt file. errno: %d", errno);
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- attempt += increase;
- retval = TEMP_FAILURE_RETRY(write(fd, &attempt, sizeof(int)));
- close(fd);
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("%s", "Server ERROR: Cannot write attempt");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- }
- return attempt;
-}
-
-int reset_attempt(void)
-{
- int fd, retval;
- char path[255];
- unsigned int attempt = 0;
-
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH,
- SECURITY_SERVER_ATTEMPT_FILE_NAME);
-
- /* Open the file again with write mode */
- fd = open(path, O_WRONLY | O_NONBLOCK, 0600);
- if (fd < 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot open attempt file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = fchmod(fd, 0600);
- if (retval != 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot chmod attempt file. errno: %d", errno);
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(write(fd, &attempt, sizeof(int)));
- close(fd);
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("%s", "Server ERROR: Cannot write attempt");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- SEC_SVR_DBG("%s", "Server: Attempt reset");
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Compare current password Stored password is hashed by SHA-256 Algorithm */
-int check_password(const unsigned char *cur_pwd, const unsigned char *requested_pwd,
- const unsigned int max_attempts, const unsigned int expire_time,
- int *current_attempt)
-{
-#ifdef BUILD_TYPE_DEBUG
- unsigned int current_time = time(NULL);
-#endif
-
- if (max_attempts != 0)
- {
- *current_attempt = get_current_attempt(1);
-
- if ((unsigned int)*current_attempt > max_attempts)
- {
- SEC_SVR_DBG("Server: Max attempt exceeded: %d, %d", *current_attempt, max_attempts);
- return SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED;
- }
- if (*current_attempt < 0)
- {
- SEC_SVR_DBG("Server: Attempt file operation failed. Ignoring... : %d", *current_attempt);
- }
- }
-
- /* Compare */
- if (memcmp(cur_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) != 0)
- {
- SECURE_SLOGD("%s", "Password mismatched");
- return SECURITY_SERVER_ERROR_PASSWORD_MISMATCH;
- }
-
- if (expire_time == 0)
- {
- SECURE_SLOGD("Server: Password has been expired: %d, %d", current_time, expire_time);
- return SECURITY_SERVER_ERROR_PASSWORD_EXPIRED;
- }
-
- SECURE_SLOGD("%s", "Password matched");
- return SECURITY_SERVER_SUCCESS;
-}
-
-int set_history(int num)
-{
- int fd, retval;
- char path[255];
-
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH,
- SECURITY_SERVER_HISTORY_FILE_NAME);
-
- /* Open the file again with write mode */
- fd = open(path, O_WRONLY | O_NONBLOCK, 0600);
- if (fd < 0)
- {
- if (errno == ENOENT)
- {
- fd = open(path, O_WRONLY | O_NONBLOCK | O_CREAT, 0600);
- if (fd < 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot create history file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- }
- else
- {
- SEC_SVR_ERR("Server ERROR: Cannot open history file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- }
- retval = fchmod(fd, 0600);
- if (retval != 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot chmod history file. errno: %d", errno);
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(write(fd, &num, sizeof(int)));
- close(fd);
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("%s", "Server ERROR: Cannot write history");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- SEC_SVR_DBG("%s", "Server: history set finished");
- return SECURITY_SERVER_SUCCESS;
-}
-
-
-int get_history_num(void)
-{
- /* Placeholder for password history check count getting function */
- int fd, retval, history;
- char path[255];
-
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH,
- SECURITY_SERVER_HISTORY_FILE_NAME);
-
- /* Load password file */
- fd = open(path, O_RDONLY | O_NONBLOCK );
- if (fd < 0)
- {
- if (errno == ENOENT)
- {
- SEC_SVR_DBG("%s", "Server: history file doesn't exist");
- retval = set_history(0);
- return retval;
- }
- SEC_SVR_ERR("Server ERROR: history file cannot be opened. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(read(fd, &history, sizeof(history)));
- close(fd);
- if (retval < (int)sizeof(history))
- {
- SEC_SVR_DBG("%s", "History file corrupted. Creating new one");
- unlink(path);
- retval = set_history(0);
- return retval;
- }
- SEC_SVR_DBG("History file read: %d", history);
- return history;
-}
-
-
-
-int check_history(const unsigned char *requested_pwd)
-{
- unsigned char history_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- char path[255];
- int num, history_count, fd, file_count, retval;
- int retval2 = SECURITY_SERVER_SUCCESS;
- struct dirent **mydirent;
-
- history_count = get_history_num();
- if (history_count <= 0)
- return SECURITY_SERVER_SUCCESS;
-
- num = scandir(SECURITY_SERVER_DATA_DIRECTORY_PATH, &mydirent, &dir_filter, alphasort);
- if (num < 0)
- {
- SECURE_SLOGE("Server: [Error] Cannot scan password directory. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
-
- if (num == 0)
- {
- SECURE_SLOGD("%s", "Server: There is no password file");
- return SECURITY_SERVER_ERROR_NO_PASSWORD;
- }
-
- file_count = 2;
- while ((num--))
- {
- snprintf(path, 255, "%s/%s", SECURITY_SERVER_DATA_DIRECTORY_PATH, mydirent[num]->d_name);
- SECURE_SLOGD("Password file path: %s", path);
- if (history_count > 0)
- {
- /* Load password file */
- fd = open(path, O_RDONLY | O_NONBLOCK );
- if (fd < 0)
- {
- if (errno == ENOENT)
- {
- SECURE_SLOGD("%s", "Current password doesn't exist");
- return SECURITY_SERVER_SUCCESS;
- }
- SECURE_SLOGE("Current password cannot be opened. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- /* Read and store into memory */
- retval = TEMP_FAILURE_RETRY(read(fd, history_pwd, SECURITY_SERVER_HASHED_PWD_LEN));
- if (retval < SECURITY_SERVER_HASHED_PWD_LEN)
- {
- SECURE_SLOGD("%s", "Current password corrupted. resetting to previous one. 0");
- close(fd);
- fd = 0;
- unlink(path);
- continue;
- }
- close(fd);
- /* Compare */
- if (memcmp(history_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) == 0)
- {
- SECURE_SLOGD("%s", "Server: Password has been reused");
- retval2 = SECURITY_SERVER_ERROR_PASSWORD_REUSED;
- }
- history_count--;
- }
-
- /* Remove too old or invalid password history */
- retval = validate_pwd_file(mydirent[num]->d_name);
- if (retval != SECURITY_SERVER_SUCCESS || file_count > (SECURITY_SERVER_MAX_PASSWORD_HISTORY))
- {
- SECURE_SLOGD("Removing too old password. %s", path);
- unlink(path);
- }
- file_count++;
- free(mydirent[num]);
- }
- free(mydirent);
- if (retval2 == SECURITY_SERVER_ERROR_PASSWORD_REUSED)
- retval = retval2;
- return retval;
-}
-
-/* Password file format */
-/* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | |
- * | |
- * | Hashed PWD (32 bytes) |
- * | |
- * |---------------------------------------------------------------|
- * | Max attempts (4 bytes) |
- * |---------------------------------------------------------------|
- * | Expiration time in seconds (4 bytes) |
- * |---------------------------------------------------------------|
- */
-int set_password(const unsigned char *requested_new_pwd, const unsigned int attempts,
- const unsigned int expire_time)
-{
- int retval, fd;
- char pwd_path[255];
-
- /* New file created */
- retval = time(NULL);
- snprintf(pwd_path, 255, "%s/%d.pwd", SECURITY_SERVER_DATA_DIRECTORY_PATH, retval);
-
- /* Save new password as current password */
- fd = open(pwd_path, O_WRONLY | O_NONBLOCK | O_CREAT, 0600);
- if (fd < 0)
- {
- SECURE_SLOGE("Cannot open current password file. errno: %d", errno);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = fchmod(fd, 0600);
- if (retval != 0)
- {
- SECURE_SLOGE("Cannot chmod current password file. errno: %d", errno);
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(write(fd, requested_new_pwd, SECURITY_SERVER_HASHED_PWD_LEN));
- if (retval < SECURITY_SERVER_HASHED_PWD_LEN)
- {
- SECURE_SLOGE("%s", "Cannot write password");
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(write(fd, &attempts, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SECURE_SLOGE("%s", "Cannot write password");
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- retval = TEMP_FAILURE_RETRY(write(fd, &expire_time, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SECURE_SLOGE("%s", "Cannot write password");
- close(fd);
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- fsync(fd);
- close(fd);
- SECURE_SLOGD("%s", "Password file created");
- return SECURITY_SERVER_SUCCESS;
-}
-
-int check_retry(const struct timeval cur_try)
-{
- int interval_sec, interval_usec;
- interval_sec = cur_try.tv_sec - prev_try.tv_sec;
- interval_usec = cur_try.tv_usec - prev_try.tv_usec;
- prev_try = cur_try;
- if (interval_sec == 0
- && interval_usec > SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_MICROSECOND)
- return SECURITY_SERVER_SUCCESS;
-
- if (interval_sec > 0)
- return SECURITY_SERVER_SUCCESS;
-
- SEC_SVR_DBG("%s", "retry timer hit");
- return SECURITY_SERVER_ERROR_PASSWORD_RETRY_TIMER;
-}
-
-int process_valid_pwd_request(int sockfd)
-{
- struct timeval cur_try;
- int retval, current_attempts, password_set;
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- unsigned int max_attempt, expire_time;
-
- /* Check retry timer */
- gettimeofday(&cur_try, NULL);
- retval = check_retry(cur_try);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- password_set = load_password(cur_pwd, &max_attempt, &expire_time);
- if (password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
- {
- SECURE_SLOGE("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_LOGE("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- current_attempts = get_current_attempt(0);
- if (current_attempts < 0)
- {
- SEC_SVR_ERR("Server ERROR: Cannot get attempts: %d", current_attempts);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- }
-
- /* There is no password */
- if (password_set == SECURITY_SERVER_ERROR_NO_PASSWORD)
- {
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_PASSWORD,
- 0, 0, 0);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server ERROR: Cannot send password response: %d", retval);
- }
- goto error;
- }
- if (password_set == SECURITY_SERVER_SUCCESS)
- {
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST,
- current_attempts, max_attempt, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server ERROR: Cannot send password response: %d", retval);
- }
- goto error;
- }
- SEC_SVR_ERR("Server ERROR: Unknown error: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
-error:
- return retval;
-}
-
-int process_set_pwd_request(int sockfd)
-{
- struct timeval cur_try;
- int retval, password_set, current_attempt;
- unsigned int max_attempt, expire_time, valid_days, received_attempts;
- char new_pwd_len = 0, cur_pwd_len = 0;
- char requested_cur_pwd[SECURITY_SERVER_MAX_PASSWORD_LEN + 1];
- char requested_new_pwd[SECURITY_SERVER_MAX_PASSWORD_LEN + 1];
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- unsigned char hashed_challenge[SECURITY_SERVER_HASHED_PWD_LEN];
- unsigned char hashed_new_pw[SECURITY_SERVER_HASHED_PWD_LEN];
-
- SHA256_CTX context;
-
- /* Authenticate client that peer is setting app goes here*/
- /* Check SMACK 'rw' rule for the set password */
- retval = SECURITY_SERVER_SUCCESS;
-
- /* Check retry timer */
- gettimeofday(&cur_try, NULL);
- retval = check_retry(cur_try);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- password_set = load_password(cur_pwd, &max_attempt, &expire_time);
- /* If we cannot load password file */
- if (password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
- {
- SECURE_SLOGE("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive size of pwds */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &cur_pwd_len, sizeof(char)));
- if (retval < (int)sizeof(char) || cur_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
- {
- SECURE_SLOGE("Server Error: current password length recieve failed: %d, %d", retval, cur_pwd_len);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- retval = TEMP_FAILURE_RETRY(read(sockfd, &new_pwd_len, sizeof(char)));
- if (retval < (int)sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
- {
- SECURE_SLOGE("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- else if (new_pwd_len <= 0)
- {
- SECURE_SLOGE("Error: Password length too short: %d", new_pwd_len);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive current password */
- if (cur_pwd_len > 0)
- {
- /* Check wheter current password is exist */
- if (password_set == SECURITY_SERVER_SUCCESS)
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_cur_pwd, cur_pwd_len));
- if (retval < cur_pwd_len)
- {
- SECURE_SLOGE("Server Error: current password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- requested_cur_pwd[(int)cur_pwd_len] = 0;
- }
- else /* Check first password set attempt but password is already set */
- {
- if (password_set == SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server Error: password is already set: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- }
-
- /* Receive new password */
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_new_pwd, new_pwd_len));
- if (retval < new_pwd_len)
- {
- SECURE_SLOGE("Server Error: new password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- requested_new_pwd[(int)new_pwd_len] = 0;
-
- /* Receive max attempt */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &received_attempts, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive valid period */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &valid_days, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Hash requested password */
- SHA256_Init(&context);
- SHA256_Update(&context, (unsigned char*)requested_cur_pwd, strlen(requested_cur_pwd));
- SHA256_Final(hashed_challenge, &context);
-
- SHA256_Init(&context);
- SHA256_Update(&context, (unsigned char*)requested_new_pwd, strlen(requested_new_pwd));
- SHA256_Final(hashed_new_pw, &context);
-
- /* check current password */
- if (password_set == SECURITY_SERVER_SUCCESS)
- {
- retval = check_password(cur_pwd, hashed_challenge, max_attempt, expire_time, ¤t_attempt);
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH)
- {
- SECURE_SLOGD("%s", "Server: Wrong password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED)
- {
- SEC_SVR_DBG("%s", "Server: Too many challange");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED)
- {
- SECURE_SLOGD("%s", "Server: Password expired");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Error: Password check failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- retval = check_history(hashed_new_pw);
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_REUSED)
- {
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_REUSED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- }
- else if (cur_pwd_len != 0)
- {
- /* Client ask to set with current password, but there is no password now */
- SECURE_SLOGD("%s", "Server: There is no current password. But try to set with current password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Calculate expire time in seconds */
- if (valid_days == 0)
- expire_time = 0;
- else
- {
- /* Check if value converted to seconds will not exceed the range of unsigned int */
- time_t t = time(NULL );
- unsigned int valid_days_max = (UINT_MAX - t) / 86400;
- if (valid_days > valid_days_max)
- {
- SECURE_SLOGE("%s",
- "Server: Max password validity exceeded (%d>%d)", valid_days, valid_days_max);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- expire_time = t + (valid_days * 86400);
- }
-
- /* set new password */
- retval = set_password(hashed_new_pw, received_attempts, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- password_set = SECURITY_SERVER_ERROR_SERVER_ERROR;
- goto error;
- }
- password_set = SECURITY_SERVER_SUCCESS;
- retval = reset_attempt();
-
- /* All done. send response */
- SECURE_SLOGD("%s", "Server: Password has been successfully modified");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
-error:
- return retval;
-}
-
-int process_reset_pwd_request(int sockfd)
-{
- int retval, password_set;
- char new_pwd_len;
- unsigned int valid_days, received_attempts, expire_time;
- char requested_new_pwd[SECURITY_SERVER_MAX_PASSWORD_LEN + 1];
- unsigned char hashed_new_pw[SECURITY_SERVER_HASHED_PWD_LEN];
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- struct timeval cur_try;
-
- SHA256_CTX context;
-
- /* Authenticate client that peer is setting app goes here*/
-
- /* Check retry timer */
- gettimeofday(&cur_try, NULL);
- retval = check_retry(cur_try);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- password_set = load_password(cur_pwd, &valid_days, &expire_time);
- if (password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
- {
- SECURE_SLOGE("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive size of pwd */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &new_pwd_len, sizeof(char)));
- if (retval < (int)sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
- {
- SECURE_SLOGE("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- else if (new_pwd_len <= 0)
- {
- SECURE_SLOGE("Error: Password length too short: %d", new_pwd_len);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive new password */
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_new_pwd, new_pwd_len));
- if (retval < new_pwd_len)
- {
- SECURE_SLOGE("Server Error: new password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- requested_new_pwd[(int)new_pwd_len] = 0;
-
- /* Receive max attempt */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &received_attempts, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive valid period */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &valid_days, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Calculate expire time in seconds */
- if (valid_days == 0)
- expire_time = 0;
- else
- {
- /* Check if value converted to seconds will not exceed the range of unsigned int */
- time_t t = time(NULL );
- unsigned int valid_days_max = (UINT_MAX - t) / 86400;
- if (valid_days > valid_days_max)
- {
- SECURE_SLOGE("%s",
- "Server: Max password validity exceeded (%d>%d)", valid_days, valid_days_max);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- expire_time = t + (valid_days * 86400);
- }
-
- /* Hash requested password */
- SHA256_Init(&context);
- SHA256_Update(&context, (unsigned char*)requested_new_pwd, strlen(requested_new_pwd));
- SHA256_Final(hashed_new_pw, &context);
- /* set new password */
- retval = set_password(hashed_new_pw, received_attempts, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- retval = reset_attempt();
-
- /* All done. send response */
- SECURE_SLOGD("%s", "Server: Password has been successfully modified");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
-error:
- return retval;
-}
-
-int process_chk_pwd_request(int sockfd)
-{
- int retval, password_set, current_attempt;
- unsigned int max_attempt, expire_time;
- char requested_challenge[SECURITY_SERVER_MAX_PASSWORD_LEN + 1];
- char challenge_len;
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- unsigned char hashed_challenge[SECURITY_SERVER_HASHED_PWD_LEN];
- struct timeval cur_try;
-
- SHA256_CTX context;
-
- /* Authenticate client that peer is proper app goes here*/
- /* Check SMACK rule for the 'r' for password */
- retval = SECURITY_SERVER_SUCCESS;
-
- /* Check retry timer */
- gettimeofday(&cur_try, NULL);
- retval = check_retry(cur_try);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* If we cannot load password file */
- password_set = load_password(cur_pwd, &max_attempt, &expire_time);;
- if (password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
- {
- SECURE_SLOGE("%s", "ServerERROR: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive size of challenge */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &challenge_len, sizeof(char)));
- if (retval < (int)sizeof(char) || challenge_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
- {
- SEC_SVR_ERR("Server ERROR: challenge length recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- /* Receive challenge */
- if (challenge_len > 0)
- {
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_challenge, challenge_len));
- if (retval < challenge_len)
- {
- SECURE_SLOGE("Server ERROR: current password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- requested_challenge[(int)challenge_len] = 0;
- }
- else
- {
- SEC_SVR_ERR("Error: Challenge length too short: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Hash requested password */
- SHA256_Init(&context);
- SHA256_Update(&context, (unsigned char*)requested_challenge, challenge_len);
- SHA256_Final(hashed_challenge, &context);
-
- /* check current password */
- if (password_set == SECURITY_SERVER_SUCCESS)
- {
- retval = check_password(cur_pwd, hashed_challenge, max_attempt, expire_time, ¤t_attempt);
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH)
- {
- SECURE_SLOGD("%s", "Server: Wrong password");
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH,
- current_attempt, max_attempt, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED)
- {
- SEC_SVR_DBG("%s", "Server: Too many trial");
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
- current_attempt, max_attempt, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED)
- {
- SECURE_SLOGD("%s", "Server: Password expired");
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED,
- current_attempt, max_attempt, 0);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server ERROR: Password check failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Password matched */
- SECURE_SLOGD("%s", "Server: Password matched");
- retval = send_pwd_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS,
- current_attempt, max_attempt, expire_time);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- retval = reset_attempt();
- goto error;
- }
-
- /* There is no password */
-
- SECURE_SLOGD("%s", "Server: There is no password to be checked");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
-error:
- return retval;
-}
-
-int process_set_pwd_history_request(int sockfd)
-{
- int retval;
- char history_num;
- struct timeval cur_try;
-
- /* Authenticate client that peer is setting app goes here*/
-
- /* Check retry timer */
- gettimeofday(&cur_try, NULL);
- retval = check_retry(cur_try);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Receive size of pwds */
- retval = TEMP_FAILURE_RETRY(read(sockfd, &history_num, sizeof(char)));
- if (retval < (int)sizeof(char) || history_num > SECURITY_SERVER_MAX_PASSWORD_HISTORY)
- {
- SEC_SVR_ERR("Server Error: History number recieve failed: %d, %d", retval, history_num);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = set_history((int)history_num);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server Error: History number set failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- }
- SEC_SVR_DBG("Server History has been set to %d", history_num);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
-error:
- return retval;
-}
-
-
-int process_set_pwd_max_challenge_request(int sockfd)
-{
- unsigned int max_challenge, current_challenge, current_validity;
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- int retval;
-
- // TODO here we should probably check if the peer has rights to change
- // this value (max challenge) for current password
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, &max_challenge, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Server Error: recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- SEC_SVR_DBG("Server max challenge request: %d", max_challenge);
-
- // Getting currently set password
- retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity);
- /* If we cannot load password file */
- if (retval == SECURITY_SERVER_ERROR_NO_PASSWORD)
- {
- SECURE_SLOGE("%s", "Server: can't read current password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- else if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("%s", "Server: can't read current password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- // Set 'new' password file with old password and new max challenge
- retval = set_password(cur_pwd, max_challenge, time(NULL) + current_validity);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- retval = reset_attempt();
-error:
- return retval;
-}
-
-int process_set_pwd_validity_request(int sockfd)
-{
- unsigned int current_challenge, current_validity, validity;
- unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
- int retval;
-
- // TODO here we should probably check if the peer has rights to change
- // this value (validity) for current password
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, &validity, sizeof(unsigned int)));
- if (retval < (int)sizeof(unsigned int))
- {
- SEC_SVR_ERR("Server Error: recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- SEC_SVR_DBG("Server validity request: %d", validity);
-
- // Calculating validity in seconds
- if (validity == 0)
- validity = 0;
- else
- validity = time(NULL) + (validity * 86400);
-
- // Getting currently set password
- retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity);
- /* If we cannot load password file */
- if (retval == SECURITY_SERVER_ERROR_NO_PASSWORD)
- {
- SECURE_SLOGE("%s", "Server: can't read current password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- else if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("%s", "Server: can't read current password");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- // Set 'new' password file with old password and new validity
- retval = set_password(cur_pwd, current_challenge, validity);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SECURE_SLOGE("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_SUCCESS);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Server ERROR: Cannot send generic response: %d", retval);
- }
- retval = reset_attempt();
-error:
- return retval;
-}
-
#include <message-buffer.h>
+#ifndef SECURITY_SERVER_API
+#define SECURITY_SERVER_API __attribute__((visibility("default")))
+#endif
+
extern "C" {
struct msghdr;
}
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file client-password.cpp
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief This file contains implementation of password functions.
+ */
+
+#include <cstring>
+
+#include <dpl/log/log.h>
+#include <dpl/exception.h>
+
+#include <message-buffer.h>
+#include <client-common.h>
+#include <protocols.h>
+
+#include <security-server.h>
+
+inline bool isPasswordIncorrect(const char* pwd)
+{
+ return (pwd == NULL || strlen(pwd) == 0 || strlen(pwd) > SecurityServer::MAX_PASSWORD_LEN);
+}
+
+SECURITY_SERVER_API
+int security_server_is_pwd_valid(unsigned int *current_attempts,
+ unsigned int *max_attempts,
+ unsigned int *valid_secs)
+{
+ using namespace SecurityServer;
+
+ try {
+ if (NULL == current_attempts || NULL == max_attempts ||
+ NULL == valid_secs) {
+
+ LogError("Wrong input param");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ MessageBuffer send, recv;
+
+ *current_attempts = 0;
+ *max_attempts = 0;
+ *valid_secs = 0;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_IS_PWD_VALID));
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_CHECK, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogDebug("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ if(retCode == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) {
+ Deserialization::Deserialize(recv, *current_attempts);
+ Deserialization::Deserialize(recv, *max_attempts);
+ Deserialization::Deserialize(recv, *valid_secs);
+ }
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_chk_pwd(const char *challenge,
+ unsigned int *current_attempts,
+ unsigned int *max_attempts,
+ unsigned int *valid_secs)
+{
+ using namespace SecurityServer;
+
+ try {
+ if (current_attempts == NULL || max_attempts == NULL || valid_secs == NULL ||
+ isPasswordIncorrect(challenge)) {
+ LogError("Wrong input param");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ MessageBuffer send, recv;
+
+ *current_attempts = 0;
+ *max_attempts = 0;
+ *valid_secs = 0;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_CHK_PWD));
+ Serialization::Serialize(send, std::string(challenge));
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_CHECK, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogDebug("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ switch (retCode) {
+ case SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH:
+ case SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED:
+ case SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED:
+ case SECURITY_SERVER_API_SUCCESS:
+ Deserialization::Deserialize(recv, *current_attempts);
+ Deserialization::Deserialize(recv, *max_attempts);
+ Deserialization::Deserialize(recv, *valid_secs);
+ break;
+ default:
+ break;
+ }
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_set_pwd(const char *cur_pwd,
+ const char *new_pwd,
+ const unsigned int max_challenge,
+ const unsigned int valid_period_in_days)
+{
+ using namespace SecurityServer;
+
+ try {
+ if (NULL == cur_pwd)
+ cur_pwd = "";
+
+ if (isPasswordIncorrect(new_pwd) || strlen(cur_pwd) > MAX_PASSWORD_LEN) {
+ LogError("Wrong input param.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ MessageBuffer send, recv;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_SET_PWD));
+ Serialization::Serialize(send, std::string(cur_pwd));
+ Serialization::Serialize(send, std::string(new_pwd));
+ Serialization::Serialize(send, max_challenge);
+ Serialization::Serialize(send, valid_period_in_days);
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogError("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_set_pwd_validity(const unsigned int valid_period_in_days)
+{
+ using namespace SecurityServer;
+
+ try {
+ MessageBuffer send, recv;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_SET_PWD_VALIDITY));
+ Serialization::Serialize(send, valid_period_in_days);
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogError("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_set_pwd_max_challenge(const unsigned int max_challenge)
+{
+ using namespace SecurityServer;
+
+ try {
+ MessageBuffer send, recv;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_SET_PWD_MAX_CHALLENGE));
+ Serialization::Serialize(send, max_challenge);
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogError("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_reset_pwd(const char *new_pwd,
+ const unsigned int max_challenge,
+ const unsigned int valid_period_in_days)
+{
+ using namespace SecurityServer;
+
+ try {
+ if (isPasswordIncorrect(new_pwd)) {
+ LogError("Wrong input param.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ MessageBuffer send, recv;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_RST_PWD));
+ Serialization::Serialize(send, std::string(new_pwd));
+ Serialization::Serialize(send, max_challenge);
+ Serialization::Serialize(send, valid_period_in_days);
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogError("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_set_pwd_history(int history_size)
+{
+ using namespace SecurityServer;
+
+ try {
+ if (history_size > static_cast<int>(MAX_PASSWORD_HISTORY) || history_size < 0) {
+ LogError("Wrong input param.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ MessageBuffer send, recv;
+
+ Serialization::Serialize(send, static_cast<int>(PasswordHdrs::HDR_SET_PWD_HISTORY));
+ Serialization::Serialize(send, static_cast<unsigned int>(history_size));
+
+ int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv);
+ if (SECURITY_SERVER_API_SUCCESS != retCode) {
+ LogError("Error in sendToServer. Error code: " << retCode);
+ return retCode;
+ }
+
+ Deserialization::Deserialize(recv, retCode);
+
+ return retCode;
+ } catch (MessageBuffer::Exception::Base &e) {
+ LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogError("STD exception " << e.what());
+ } catch (...) {
+ LogError("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
"/tmp/.security-server-api-cookie-check-tmp.sock";
char const * const SERVICE_SOCKET_OPEN_FOR =
"/tmp/.security-server-api-open-for.sock";
+char const * const SERVICE_SOCKET_PASSWD_CHECK =
+ "/tmp/.security-server-api-passwd-check.sock";
+char const * const SERVICE_SOCKET_PASSWD_SET =
+ "/tmp/.security-server-api-passwd-set.sock";
const size_t COOKIE_SIZE = 20;
+const size_t MAX_PASSWORD_LEN = 32;
+const unsigned int MAX_PASSWORD_HISTORY = 50;
+
} // namespace SecurityServer
extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
extern char const * const SERVICE_SOCKET_COOKIE_CHECK_TMP;
extern char const * const SERVICE_SOCKET_OPEN_FOR;
+extern char const * const SERVICE_SOCKET_PASSWD_CHECK;
+extern char const * const SERVICE_SOCKET_PASSWD_SET;
enum class AppPermissionsAction { ENABLE, DISABLE };
extern const size_t COOKIE_SIZE;
+enum class PasswordHdrs
+{
+ HDR_IS_PWD_VALID,
+ HDR_CHK_PWD,
+ HDR_SET_PWD,
+ HDR_SET_PWD_VALIDITY,
+ HDR_SET_PWD_MAX_CHALLENGE,
+ HDR_RST_PWD,
+ HDR_SET_PWD_HISTORY
+};
+
+extern const size_t MAX_PASSWORD_LEN;
+extern const unsigned int MAX_PASSWORD_HISTORY;
+
} // namespace SecuritySever
#endif // _SECURITY_SERVER_PROTOCOLS_
stream.Write(sizeof(*value), value);
}
+ // unsigned char
+ static void Serialize(IStream& stream, const unsigned char value)
+ {
+ stream.Write(sizeof(value), &value);
+ }
+ static void Serialize(IStream& stream, const unsigned char* const value)
+ {
+ stream.Write(sizeof(*value), value);
+ }
+
// unsigned int
static void Serialize(IStream& stream, const unsigned value)
{
stream.Write(sizeof(*value), value);
}
+ // time_t
+ static void Serialize(IStream& stream, const time_t value)
+ {
+ stream.Write(sizeof(value), &value);
+ }
+ static void Serialize(IStream& stream, const time_t* const value)
+ {
+ stream.Write(sizeof(*value), value);
+ }
+
// std::string
static void Serialize(IStream& stream, const std::string& str)
{
stream.Read(sizeof(*value), value);
}
+ // unsigned char
+ static void Deserialize(IStream& stream, unsigned char& value)
+ {
+ stream.Read(sizeof(value), &value);
+ }
+ static void Deserialize(IStream& stream, unsigned char*& value)
+ {
+ value = new unsigned char;
+ stream.Read(sizeof(*value), value);
+ }
+
// unsigned int
static void Deserialize(IStream& stream, unsigned& value)
{
stream.Read(sizeof(*value), value);
}
+ // time_t
+ static void Deserialize(IStream& stream, time_t& value)
+ {
+ stream.Read(sizeof(value), &value);
+ }
+ static void Deserialize(IStream& stream, time_t*& value)
+ {
+ value = new time_t;
+ stream.Read(sizeof(*value), value);
+ }
+
// std::string
static void Deserialize(IStream& stream, std::string& str)
{
#include <app-permissions.h>
#include <cookie.h>
#include <open-for.h>
+#include <password.h>
#include <echo.h>
IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem);
appEnablePermissionsService->Create();
manager.RegisterSocketService(appEnablePermissionsService);
+ SecurityServer::PasswordService *pwdService = new SecurityServer::PasswordService;
+ pwdService->Create();
+ manager.RegisterSocketService(pwdService);
+
manager.MainLoop();
}
UNHANDLED_EXCEPTION_HANDLER_END
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-exception.h
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Definition of PasswordException class.
+ */
+
+#ifndef _PASSWORD_EXCEPTION_H_
+#define _PASSWORD_EXCEPTION_H_
+
+#include <dpl/exception.h>
+
+namespace SecurityServer
+{
+ class PasswordException
+ {
+ public:
+ DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base)
+ DECLARE_EXCEPTION_TYPE(Base, OutOfData)
+ DECLARE_EXCEPTION_TYPE(Base, NoData)
+ DECLARE_EXCEPTION_TYPE(Base, FStreamOpenError)
+ DECLARE_EXCEPTION_TYPE(Base, FStreamWriteError)
+ DECLARE_EXCEPTION_TYPE(Base, FStreamReadError)
+ DECLARE_EXCEPTION_TYPE(Base, MemoryError)
+ DECLARE_EXCEPTION_TYPE(Base, NoPasswords)
+ DECLARE_EXCEPTION_TYPE(Base, PasswordNotActive)
+ DECLARE_EXCEPTION_TYPE(Base, MakeDirError)
+ DECLARE_EXCEPTION_TYPE(Base, TimerError)
+ };
+} //namespace SecurityServer
+
+#endif //_PASSWORD_EXCEPTION_H_
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-file-buffer.h
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of PasswordFileBuffer, used for serialization in PasswordFile class
+ */
+
+#include <password-file-buffer.h>
+
+#include <fstream>
+#include <iterator>
+
+#include <dpl/log/log.h>
+
+#include <security-server.h>
+#include <password-exception.h>
+
+namespace SecurityServer
+{
+ PasswordFileBuffer::PasswordFileBuffer(): m_bufferReadBytes(0) {}
+
+ void PasswordFileBuffer::Read(size_t num, void *bytes)
+ {
+ if(m_buffer.empty()) {
+ LogError("Buffer doesn't contain any data.");
+ Throw(PasswordException::NoData);
+ }
+
+ if((m_bufferReadBytes + num) > m_buffer.size()) {
+ LogError("Not enough buffer to read " << num << " data.");
+ Throw(PasswordException::OutOfData);
+ }
+
+ void* ret = memcpy(bytes, &m_buffer[m_bufferReadBytes], num);
+
+ if(ret == 0) {
+ LogError("Failed to read " << num << " bytes.");
+ Throw(PasswordException::MemoryError);
+ }
+
+ m_bufferReadBytes += num;
+ }
+
+ void PasswordFileBuffer::Write(size_t num, const void *bytes)
+ {
+ const char* buffer = static_cast<const char*>(bytes);
+ std::copy(buffer, buffer+num, std::back_inserter(m_buffer));
+ }
+
+ void PasswordFileBuffer::Save(const std::string &path)
+ {
+ std::ofstream file(path, std::ofstream::trunc);
+
+ if(!file.good()) {
+ LogError("Error while opening file stream.");
+ Throw(PasswordException::FStreamOpenError);
+ }
+
+ file.write(m_buffer.data(), m_buffer.size());
+ if(!file) {
+ LogError("Failed to write data.");
+ Throw(PasswordException::FStreamWriteError);
+ }
+ }
+
+ void PasswordFileBuffer::Load(const std::string &path)
+ {
+ std::ifstream file(path, std::ifstream::binary);
+
+ if(!file.good()) {
+ LogError("Error while opening file stream.");
+ Throw(PasswordException::FStreamOpenError);
+ }
+
+ //reset read bytes counter
+ m_bufferReadBytes = 0;
+
+ m_buffer.assign(std::istreambuf_iterator<char>(file),
+ std::istreambuf_iterator<char>());
+
+ if(!file) {
+ LogError("Failed to read data. Failbit: " << file.fail() << ", Badbit: " << file.bad());
+ Throw(PasswordException::FStreamReadError);
+ }
+ }
+
+} //namespace SecurityServer
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-file-buffer.h
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of password file buffer, used for serialization in password-manager.h
+ */
+
+#ifndef _PASSWORD_FILE_BUFFER_H_
+#define _PASSWORD_FILE_BUFFER_H_
+
+#include <stddef.h>
+#include <vector>
+#include <string>
+
+#include <dpl/serialization.h>
+
+namespace SecurityServer
+{
+ class PasswordFileBuffer: public IStream
+ {
+ public:
+ PasswordFileBuffer();
+
+ virtual void Read(size_t num, void *bytes);
+ virtual void Write(size_t num, const void *bytes);
+
+ void Save(const std::string &path);
+ void Load(const std::string &path);
+
+ private:
+ typedef std::vector<char> DataBuffer;
+
+ DataBuffer m_buffer;
+ size_t m_bufferReadBytes;
+ };
+} //namespace SecurityServer
+
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-file.cpp
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of PasswordFile, used to manage password files.
+ */
+#include <password-file.h>
+
+#include <fstream>
+#include <algorithm>
+
+#include <openssl/sha.h>
+
+#include <sys/stat.h>
+
+#include <dpl/log/log.h>
+
+#include <security-server.h>
+#include <password-exception.h>
+#include <password-file-buffer.h>
+
+const std::string DATA_DIR = "/opt/data/security-server";
+const std::string PASSWORD_FILE = "password.pwd";
+const std::string ATTEMPT_FILE = "attempt";
+const double RETRY_TIMEOUT = 0.5;
+
+namespace SecurityServer
+{
+ PasswordFile::Password::Password()
+ {
+ m_password = PasswordFile::hashPassword("");
+ }
+
+ PasswordFile::Password::Password(const RawHash& password)
+ {
+ m_password = password;
+ }
+
+ PasswordFile::Password::Password(IStream& stream)
+ {
+ Deserialization::Deserialize(stream, m_password);
+ }
+
+ void PasswordFile::Password::Serialize(IStream &stream) const
+ {
+ Serialization::Serialize(stream, m_password);
+ }
+
+ PasswordFile::PasswordFile(): m_maxAttempt(0), m_historySize(0), m_expireTime(0), m_attempt(0)
+ {
+ // check if data directory exists
+ // if not create it
+ if (!dirExists(DATA_DIR.c_str())) {
+ if(mkdir(DATA_DIR.c_str(), 0700)) {
+ LogError("Failed to create directory for files. Error: " << strerror(errno));
+ Throw(PasswordException::MakeDirError);
+ }
+ }
+
+ preparePwdFile();
+ prepareAttemptFile();
+ resetTimer();
+ }
+
+ void PasswordFile::resetTimer()
+ {
+ m_retryTimerStart = std::chrono::monotonic_clock::now();
+ m_retryTimerStart -= TimeDiff(RETRY_TIMEOUT);
+ }
+
+ void PasswordFile::preparePwdFile()
+ {
+ std::string s_pwdfilePath = DATA_DIR + "/" + PASSWORD_FILE;
+
+ // check if password file exists
+ // if not create it
+ if (!fileExists(s_pwdfilePath)) {
+ LogSecureDebug("PWD_DBG not found password file. Creating.");
+ __mode_t oldMask = umask(S_IRUSR | S_IWUSR);
+
+ //create file
+ writeMemoryToFile();
+
+ umask(oldMask);
+ } else { //if file exists, load data
+ LogSecureDebug("PWD_DBG found password file. Opening.");
+ loadMemoryFromFile();
+ }
+ }
+
+ void PasswordFile::prepareAttemptFile()
+ {
+ std::string s_attemptfilePath = DATA_DIR + "/" + ATTEMPT_FILE;
+
+ // check if attempt file exists
+ // if not create it
+ if (!fileExists(s_attemptfilePath)) {
+ LogSecureDebug("PWD_DBG not found attempt file. Creating.");
+ __mode_t oldMask = umask(S_IRUSR | S_IWUSR);
+
+ writeAttemptToFile();
+
+ umask(oldMask);
+ } else {
+ LogSecureDebug("PWD_DBG found attempt file. Opening.");
+ std::ifstream attemptFile(s_attemptfilePath);
+ if(!attemptFile.good()) {
+ LogError("Failed to open attempt file.");
+ Throw(PasswordException::FStreamOpenError);
+ }
+
+ attemptFile.read(reinterpret_cast<char*>(&m_attempt), sizeof(unsigned int));
+ if(!attemptFile) {
+ LogError("Failed to read attempt count.");
+ Throw(PasswordException::FStreamReadError);
+ }
+ }
+ }
+
+ bool PasswordFile::fileExists(const std::string &filename) const
+ {
+ struct stat buf;
+
+ return ((stat(filename.c_str(), &buf) == 0));
+ }
+
+ bool PasswordFile::dirExists(const std::string &dirpath) const
+ {
+ struct stat buf;
+
+ return ((stat(dirpath.c_str(), &buf) == 0) && (((buf.st_mode) & S_IFMT) == S_IFDIR));
+ }
+
+ void PasswordFile::writeMemoryToFile() const
+ {
+ PasswordFileBuffer pwdBuffer;
+
+ //serialize password attributes
+ Serialization::Serialize(pwdBuffer, m_maxAttempt);
+ Serialization::Serialize(pwdBuffer, m_historySize);
+ Serialization::Serialize(pwdBuffer, m_expireTime);
+ Serialization::Serialize(pwdBuffer, m_passwords);
+
+ pwdBuffer.Save(DATA_DIR + "/" + PASSWORD_FILE);
+ }
+
+ void PasswordFile::loadMemoryFromFile()
+ {
+ PasswordFileBuffer pwdFile;
+
+ pwdFile.Load(DATA_DIR + "/" + PASSWORD_FILE);
+
+ m_passwords.clear();
+
+ Deserialization::Deserialize(pwdFile, m_maxAttempt);
+ Deserialization::Deserialize(pwdFile, m_historySize);
+ Deserialization::Deserialize(pwdFile, m_expireTime);
+ Deserialization::Deserialize(pwdFile, m_passwords);
+ }
+
+ void PasswordFile::writeAttemptToFile() const
+ {
+ std::ofstream attemptFile(DATA_DIR + "/" + ATTEMPT_FILE, std::ofstream::trunc);
+
+ if(!attemptFile.good()) {
+ LogError("Failed to open attempt file.");
+ Throw(PasswordException::FStreamOpenError);
+ }
+
+ attemptFile.write(reinterpret_cast<const char*>(&m_attempt), sizeof(unsigned int));
+ if(!attemptFile) {
+ LogError("Failed to write attempt count.");
+ Throw(PasswordException::FStreamWriteError);
+ }
+ }
+
+ bool PasswordFile::isPasswordActive() const
+ {
+ return !(m_passwords.empty());
+ }
+
+ void PasswordFile::setHistory(unsigned int history)
+ {
+ //setting history should be independent from password being set
+ m_historySize = history;
+
+ //we want to keep 1 current pwd, plus history amount of passwords.
+ if(m_passwords.size() > 1+history)
+ m_passwords.resize(1+history);
+ }
+
+ unsigned int PasswordFile::getHistorySize() const
+ {
+ return m_historySize;
+ }
+
+ unsigned int PasswordFile::getAttempt() const
+ {
+ return m_attempt;
+ }
+
+ void PasswordFile::resetAttempt()
+ {
+ m_attempt = 0;
+ }
+
+ void PasswordFile::incrementAttempt()
+ {
+ m_attempt++;
+ }
+
+ int PasswordFile::getMaxAttempt() const
+ {
+ return m_maxAttempt;
+ }
+
+ void PasswordFile::setMaxAttempt(unsigned int maxAttempt)
+ {
+ m_maxAttempt = maxAttempt;
+ }
+
+ bool PasswordFile::isPasswordReused(const std::string &password) const
+ {
+ RawHash hashedPwd = hashPassword(password);
+
+ LogSecureDebug("PwdCount: " << m_passwords.size() << ", PwdMaxHistory: " << getHistorySize());
+
+ if(std::find_if(m_passwords.begin(), m_passwords.end(),
+ [&hashedPwd](const Password& pwd) { return (pwd.m_password == hashedPwd); })
+ != m_passwords.end()) {
+ LogSecureDebug("Passwords match!");
+ return true;
+ }
+
+ LogSecureDebug("isPasswordReused: No passwords match, password not reused.");
+ return false;
+ }
+
+ void PasswordFile::setPassword(const std::string &password)
+ {
+ RawHash hashedPwd = hashPassword(password);
+
+ m_passwords.push_front(Password(hashedPwd));
+
+ //one current password, plus history amount of passwords
+ if(m_passwords.size() > 1+getHistorySize())
+ m_passwords.pop_back();
+ }
+
+ bool PasswordFile::checkPassword(const std::string &password) const
+ {
+ RawHash hashedPwd = hashPassword(password);
+
+ return (hashedPwd == m_passwords.begin()->m_password);
+ }
+
+ void PasswordFile::setExpireTime(int expireTime)
+ {
+ if(isPasswordActive())
+ m_expireTime = expireTime;
+ else {
+ LogError("Can't set expiration time, password not active.");
+ Throw(PasswordException::PasswordNotActive);
+ }
+ }
+
+ time_t PasswordFile::getExpireTime() const
+ {
+ return m_expireTime;
+ }
+
+ time_t PasswordFile::getExpireTimeLeft() const
+ {
+ if(m_expireTime > 0)
+ return (m_expireTime - time(NULL));
+ else
+ return m_expireTime;
+ }
+
+ bool PasswordFile::checkExpiration() const
+ {
+ //return true if expired, else false
+ return ((m_expireTime != 0) && (time(NULL) > m_expireTime));
+ }
+
+ bool PasswordFile::isIgnorePeriod() const
+ {
+ TimePoint retryTimerStop = std::chrono::monotonic_clock::now();
+ TimeDiff diff = retryTimerStop - m_retryTimerStart;
+
+ m_retryTimerStart = retryTimerStop;
+
+ return (diff.count() < RETRY_TIMEOUT);
+ }
+
+ //hashPassword is also used in Password struct constructor, that's why it's static. Moreover
+ //it is assumed that incorrect input password was checked earlier.
+ PasswordFile::RawHash PasswordFile::hashPassword(const std::string &password)
+ {
+ RawHash result(SHA256_DIGEST_LENGTH);
+
+ SHA256_CTX context;
+ SHA256_Init(&context);
+ SHA256_Update(&context, reinterpret_cast<const unsigned char*>(password.c_str()),
+ password.size());
+ SHA256_Final(result.data(), &context);
+
+ return result;
+ }
+} //namespace SecurityServer
+
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-file.h
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of PasswordFile, used to manage password files.
+ */
+#ifndef _PASSWORD_FILE_H_
+#define _PASSWORD_FILE_H_
+
+#include <string>
+#include <vector>
+#include <list>
+#include <chrono>
+
+#include <time.h>
+
+#include <dpl/serialization.h>
+
+namespace SecurityServer
+{
+ class PasswordFile
+ {
+ public:
+ PasswordFile();
+
+ void writeMemoryToFile() const;
+ void writeAttemptToFile() const;
+
+ void setPassword(const std::string &password);
+ bool checkPassword(const std::string &password) const;
+ bool isPasswordActive() const;
+
+ void setHistory(unsigned int history);
+ unsigned int getHistorySize() const;
+
+ time_t getExpireTime() const;
+ time_t getExpireTimeLeft() const;
+ void setExpireTime(int expireTime);
+
+ //attempt manipulating functions
+ unsigned int getAttempt() const;
+ void resetAttempt();
+ void incrementAttempt();
+ int getMaxAttempt() const;
+ void setMaxAttempt(unsigned int maxAttempt);
+
+ bool isPasswordReused(const std::string &password) const;
+
+ bool checkExpiration() const;
+ bool isIgnorePeriod() const;
+
+ private:
+ typedef std::vector<unsigned char> RawHash;
+ typedef std::chrono::duration<double> TimeDiff;
+ typedef std::chrono::time_point<std::chrono::monotonic_clock, TimeDiff> TimePoint;
+
+ struct Password: public ISerializable
+ {
+ Password();
+ Password(const RawHash& password);
+ Password(IStream& stream);
+
+ virtual void Serialize(IStream &stream) const;
+
+ RawHash m_password;
+ };
+
+ typedef std::list<Password> PasswordList;
+
+ void loadMemoryFromFile();
+
+ void resetTimer();
+ void preparePwdFile();
+ void prepareAttemptFile();
+ bool fileExists(const std::string &filename) const;
+ bool dirExists(const std::string &dirpath) const;
+ static RawHash hashPassword(const std::string &password);
+
+ mutable TimePoint m_retryTimerStart;
+
+ //password file data
+ PasswordList m_passwords;
+ unsigned int m_maxAttempt;
+ unsigned int m_historySize;
+ time_t m_expireTime;
+
+ //attempt file data
+ unsigned int m_attempt;
+ };
+} //namespace SecurityServer
+
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-manager.cpp
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of password management functions
+ */
+
+#include <password-manager.h>
+
+#include <iostream>
+#include <iterator>
+#include <algorithm>
+
+#include <limits.h>
+
+#include <dpl/log/log.h>
+
+#include <security-server.h>
+#include <protocols.h>
+
+namespace {
+ bool calculateExpiredTime(unsigned int receivedDays, unsigned int &validSecs)
+ {
+ validSecs = 0;
+
+ if(receivedDays == 0)
+ return true;
+
+ time_t curTime = time(NULL);
+
+ if (receivedDays > ((UINT_MAX - curTime) / 86400)) {
+ LogError("Incorrect input param.");
+ return false;
+ } else {
+ validSecs = (curTime + (receivedDays * 86400));
+ return true;
+ }
+
+ //when receivedDays equal to zero, it means infinite password valid time
+ //if receivedDays is 0 return true, else return false (that is, an error)
+ return false;
+ }
+} //namespace
+
+namespace SecurityServer
+{
+ int PasswordManager::isPwdValid(unsigned int ¤tAttempt, unsigned int &maxAttempt,
+ unsigned int &expirationTime) const
+ {
+ if (m_pwdFile.isIgnorePeriod()) {
+ LogError("Retry timeout occured.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER;
+ }
+
+ if (!m_pwdFile.isPasswordActive()) {
+ LogError("Current password not active.");
+ return SECURITY_SERVER_API_ERROR_NO_PASSWORD;
+ } else {
+ currentAttempt = m_pwdFile.getAttempt();
+ maxAttempt = m_pwdFile.getMaxAttempt();
+ expirationTime = m_pwdFile.getExpireTimeLeft();
+
+ return SECURITY_SERVER_API_ERROR_PASSWORD_EXIST;
+ }
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::checkPassword(const std::string &challenge, unsigned int ¤tAttempt,
+ unsigned int &maxAttempt, unsigned int &expirationTime)
+ {
+ LogSecureDebug("Inside checkPassword function.");
+
+ if (m_pwdFile.isIgnorePeriod()) {
+ LogError("Retry timeout occurred.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER;
+ }
+
+ if (!m_pwdFile.isPasswordActive()) {
+ LogError("Password not active.");
+ return SECURITY_SERVER_API_ERROR_NO_PASSWORD;
+ }
+
+ currentAttempt = m_pwdFile.getAttempt();
+ maxAttempt = m_pwdFile.getMaxAttempt();
+ expirationTime = m_pwdFile.getExpireTimeLeft();
+
+ if ((maxAttempt != 0) && (currentAttempt >= maxAttempt)) {
+ LogError("Too many tries.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED;
+ }
+
+ m_pwdFile.incrementAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ if (!m_pwdFile.checkPassword(challenge)) {
+ LogError("Wrong password.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH;
+ }
+
+ if (m_pwdFile.checkExpiration()) {
+ LogError("Password expired.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED;
+ }
+
+ m_pwdFile.resetAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::setPassword(const std::string ¤tPassword,
+ const std::string &newPassword,
+ const unsigned int receivedAttempts,
+ const unsigned int receivedDays)
+ {
+ LogSecureDebug("Curpwd = " << currentPassword << ", newpwd = " << newPassword <<
+ ", recatt = " << receivedAttempts << ", recdays = " << receivedDays);
+
+ unsigned int valid_secs = 0;
+
+ //check retry timer
+ if (m_pwdFile.isIgnorePeriod()) {
+ LogError("Retry timeout occured.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER;
+ }
+
+ //check if passwords are correct
+ if (currentPassword.size() > MAX_PASSWORD_LEN) {
+ LogError("Current password length failed.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ if (newPassword.size() > MAX_PASSWORD_LEN) {
+ LogError("New password length failed.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ //check delivered currentPassword
+ //when m_passwordActive flag is true, currentPassword shouldn't be empty
+ if (currentPassword.empty() && m_pwdFile.isPasswordActive()) {
+ LogError("Password is already set.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_EXIST;
+ }
+
+ // check attempt
+ unsigned int maxAttempt = m_pwdFile.getMaxAttempt();
+ if ((maxAttempt != 0) && (m_pwdFile.getAttempt() >= maxAttempt)) {
+ LogError("Too many attempts.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED;
+ }
+
+ //if we didn't exceed max attempts, increment attempt count and save it to separate file
+ m_pwdFile.incrementAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ //check current password, however only when we don't send empty string as current.
+ if(!currentPassword.empty()) {
+ if(!m_pwdFile.checkPassword(currentPassword)) {
+ LogError("Wrong password.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH;
+ }
+ }
+
+ //check if password expired
+ if (m_pwdFile.checkExpiration()) {
+ LogError("Password expired.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED;
+ }
+
+ //check history
+ if (m_pwdFile.isPasswordActive()) {
+ if (m_pwdFile.isPasswordReused(newPassword)) {
+ LogError("Password reused.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_REUSED;
+ }
+ }
+
+ if(!calculateExpiredTime(receivedDays, valid_secs)) {
+ LogError("Received expiration time incorrect.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ //setting password
+ m_pwdFile.setPassword(newPassword);
+ m_pwdFile.setMaxAttempt(receivedAttempts);
+ m_pwdFile.setExpireTime(valid_secs);
+ m_pwdFile.writeMemoryToFile();
+
+ m_pwdFile.resetAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::setPasswordValidity(const unsigned int receivedDays)
+ {
+ unsigned int valid_secs = 0;
+
+ LogSecureDebug("received_days: " << receivedDays);
+
+ if (!m_pwdFile.isPasswordActive()) {
+ LogError("Current password is not active.");
+ return SECURITY_SERVER_API_ERROR_NO_PASSWORD;
+ }
+
+ if(!calculateExpiredTime(receivedDays, valid_secs))
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+
+ m_pwdFile.setExpireTime(valid_secs);
+ m_pwdFile.writeMemoryToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::resetPassword(const std::string &newPassword,
+ const unsigned int receivedAttempts,
+ const unsigned int receivedDays)
+ {
+ unsigned int valid_secs = 0;
+
+ if (m_pwdFile.isIgnorePeriod()) {
+ LogError("Retry timeout occured.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER;
+ }
+
+ if(!calculateExpiredTime(receivedDays, valid_secs))
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+
+ m_pwdFile.setPassword(newPassword);
+ m_pwdFile.setMaxAttempt(receivedAttempts);
+ m_pwdFile.setExpireTime(valid_secs);
+ m_pwdFile.writeMemoryToFile();
+
+ m_pwdFile.resetAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::setPasswordHistory(const unsigned int history)
+ {
+ if(history > MAX_PASSWORD_HISTORY) {
+ LogError("Incorrect input param.");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ // check retry time
+ if (m_pwdFile.isIgnorePeriod()) {
+ LogError("Retry timeout occurred.");
+ return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER;
+ }
+
+ m_pwdFile.setHistory(history);
+ m_pwdFile.writeMemoryToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+
+ int PasswordManager::setPasswordMaxChallenge(const unsigned int maxChallenge)
+ {
+ // check if there is password
+ if (!m_pwdFile.isPasswordActive()) {
+ LogError("Password not active.");
+ return SECURITY_SERVER_API_ERROR_NO_PASSWORD;
+ }
+
+ m_pwdFile.setMaxAttempt(maxChallenge);
+ m_pwdFile.writeMemoryToFile();
+
+ m_pwdFile.resetAttempt();
+ m_pwdFile.writeAttemptToFile();
+
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+} //namespace SecurityServer
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password-manager.h
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of password management functions
+ */
+
+#ifndef _PASSWORDMANAGER_H_
+#define _PASSWORDMANAGER_H_
+
+#include <string>
+
+#include <password-file.h>
+
+namespace SecurityServer
+{
+ class PasswordManager
+ {
+ public:
+ //checking functions
+ int isPwdValid(unsigned int ¤tAttempt, unsigned int &maxAttempt,
+ unsigned int &expirationTime) const;
+ int checkPassword(const std::string& challenge, unsigned int ¤tAttempt,
+ unsigned int &maxAttempt, unsigned int &expTime);
+ //no const in checkPassword, attempts are updated
+
+ //setting functions
+ int setPassword(const std::string ¤tPassword, const std::string &newPassword,
+ const unsigned int receivedAttempts, const unsigned int receivedDays);
+ int setPasswordValidity(const unsigned int receivedDays);
+ int resetPassword(const std::string &newPassword, const unsigned int receivedAttempts,
+ const unsigned int receivedDays);
+ int setPasswordHistory(const unsigned int history);
+ int setPasswordMaxChallenge(const unsigned int maxChallenge);
+
+ private:
+ PasswordFile m_pwdFile;
+ };
+} //namespace SecurityServer
+
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password.cpp
+ * @author Zbigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of password service
+ */
+
+#include <iostream>
+#include <string>
+
+#include <dpl/log/log.h>
+#include <dpl/serialization.h>
+
+#include <password.h>
+
+#include <security-server.h>
+#include <password-exception.h>
+
+namespace SecurityServer {
+
+namespace {
+// Service may open more than one socket.
+// These ID's will be assigned to sockets
+// and will be used only by service.
+// When new connection arrives, AcceptEvent
+// will be generated with proper ID to inform
+// service about input socket.
+//
+// Please note: SocketManager does not use it and
+// does not check it in any way.
+//
+// If your service requires only one socket
+// (uses only one socket labeled with smack)
+// you may ignore this ID (just pass 0)
+const InterfaceID SOCKET_ID_CHECK = 0;
+const InterfaceID SOCKET_ID_SET = 1;
+
+} // namespace anonymous
+
+GenericSocketService::ServiceDescriptionVector PasswordService::GetServiceDescription()
+{
+ return ServiceDescriptionVector {
+ {SERVICE_SOCKET_PASSWD_CHECK, "security-server::api-password-check", SOCKET_ID_CHECK},
+ {SERVICE_SOCKET_PASSWD_SET, "security-server::api-password-set", SOCKET_ID_SET}
+ };
+}
+
+void PasswordService::accept(const AcceptEvent &event)
+{
+ LogSecureDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock
+ << " ConnectionID.counter: " << event.connectionID.counter
+ << " ServiceID: " << event.interfaceID);
+
+ auto &info = m_connectionInfoMap[event.connectionID.counter];
+ info.interfaceID = event.interfaceID;
+}
+
+void PasswordService::write(const WriteEvent &event)
+{
+ LogSecureDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
+ " Size: " << event.size << " Left: " << event.left);
+ if (event.left == 0)
+ m_serviceManager->Close(event.connectionID);
+}
+
+void PasswordService::process(const ReadEvent &event)
+{
+ LogSecureDebug("Read event for counter: " << event.connectionID.counter);
+ auto &info = m_connectionInfoMap[event.connectionID.counter];
+ info.buffer.Push(event.rawBuffer);
+
+ // We can get several requests in one package.
+ // Extract and process them all
+ while(processOne(event.connectionID, info.buffer, info.interfaceID));
+}
+
+void PasswordService::close(const CloseEvent &event)
+{
+ LogSecureDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
+ m_connectionInfoMap.erase(event.connectionID.counter);
+}
+
+int PasswordService::processCheckFunctions(PasswordHdrs hdr, MessageBuffer& buffer,
+ unsigned int &cur_att, unsigned int &max_att,
+ unsigned int &exp_time)
+{
+ int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+
+ switch (hdr) {
+ case PasswordHdrs::HDR_IS_PWD_VALID:
+ result = m_pwdManager.isPwdValid(cur_att, max_att, exp_time);
+ break;
+
+ case PasswordHdrs::HDR_CHK_PWD: {
+ std::string challenge;
+ Deserialization::Deserialize(buffer, challenge);
+ result = m_pwdManager.checkPassword(challenge, cur_att, max_att, exp_time);
+ break;
+ }
+
+ default:
+ LogError("Unknown msg header.");
+ Throw(Exception::IncorrectHeader);
+ }
+
+ return result;
+}
+
+int PasswordService::processSetFunctions(PasswordHdrs hdr, MessageBuffer& buffer)
+{
+ int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+
+ std::string curPwd, newPwd;
+ unsigned int rec_att = 0, rec_days = 0, rec_max_challenge = 0, rec_history = 0;
+
+ switch(hdr) {
+ case PasswordHdrs::HDR_SET_PWD:
+ Deserialization::Deserialize(buffer, curPwd);
+ Deserialization::Deserialize(buffer, newPwd);
+ Deserialization::Deserialize(buffer, rec_att);
+ Deserialization::Deserialize(buffer, rec_days);
+ result = m_pwdManager.setPassword(curPwd, newPwd, rec_att, rec_days);
+ break;
+
+ case PasswordHdrs::HDR_SET_PWD_VALIDITY:
+ Deserialization::Deserialize(buffer, rec_days);
+ result = m_pwdManager.setPasswordValidity(rec_days);
+ break;
+
+ case PasswordHdrs::HDR_SET_PWD_MAX_CHALLENGE:
+ Deserialization::Deserialize(buffer, rec_max_challenge);
+ result = m_pwdManager.setPasswordMaxChallenge(rec_max_challenge);
+ break;
+
+ case PasswordHdrs::HDR_RST_PWD:
+ Deserialization::Deserialize(buffer, newPwd);
+ Deserialization::Deserialize(buffer, rec_att);
+ Deserialization::Deserialize(buffer, rec_days);
+ result = m_pwdManager.resetPassword(newPwd, rec_att, rec_days);
+ break;
+
+ case PasswordHdrs::HDR_SET_PWD_HISTORY:
+ Deserialization::Deserialize(buffer, rec_history);
+ result = m_pwdManager.setPasswordHistory(rec_history);
+ break;
+
+ default:
+ LogError("Unknown msg header.");
+ Throw(Exception::IncorrectHeader);
+ }
+
+ return result;
+}
+
+bool PasswordService::processOne(const ConnectionID &conn, MessageBuffer &buffer,
+ InterfaceID interfaceID)
+{
+ LogSecureDebug("Iteration begin");
+
+ MessageBuffer sendBuffer;
+
+ int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+ unsigned int cur_att = 0, max_att = 0, exp_time = 0;
+
+ if (!buffer.Ready())
+ return false;
+
+ Try { //try..catch for MessageBuffer errors, closes connection when exception is thrown
+ int tempHdr;
+ Deserialization::Deserialize(buffer, tempHdr);
+ PasswordHdrs hdr = static_cast<PasswordHdrs>(tempHdr);
+
+ try { //try..catch for internal service errors, assigns error code for returning.
+ switch (interfaceID) {
+ case SOCKET_ID_CHECK:
+ retCode = processCheckFunctions(hdr, buffer, cur_att, max_att, exp_time);
+ break;
+
+ case SOCKET_ID_SET:
+ retCode = processSetFunctions(hdr, buffer);
+ break;
+
+ default:
+ LogError("Wrong interfaceID.");
+ Throw(Exception::IncorrectHeader);
+ }
+ } catch (PasswordException::Base &e) {
+ LogError("Password error: " << e.DumpToString());
+ retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+ } catch (std::exception &e) {
+ LogError("STD error: " << e.what());
+ retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+ }
+
+ //everything is OK, send return code and extra data
+ Serialization::Serialize(sendBuffer, retCode);
+
+ //Returning additional information should occur only when checking functions
+ //are called, and under certain return values
+ if(interfaceID == SOCKET_ID_CHECK)
+ {
+ switch(retCode)
+ {
+ case SECURITY_SERVER_API_ERROR_PASSWORD_EXIST:
+ case SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH:
+ case SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED:
+ case SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED:
+ Serialization::Serialize(sendBuffer, cur_att);
+ Serialization::Serialize(sendBuffer, max_att);
+ Serialization::Serialize(sendBuffer, exp_time);
+ break;
+
+ case SECURITY_SERVER_API_SUCCESS:
+ if(hdr == PasswordHdrs::HDR_CHK_PWD) {
+ Serialization::Serialize(sendBuffer, cur_att);
+ Serialization::Serialize(sendBuffer, max_att);
+ Serialization::Serialize(sendBuffer, exp_time);
+ }
+ break;
+
+ default:
+ break;
+ }
+ }
+
+ m_serviceManager->Write(conn, sendBuffer.Pop());
+ } Catch (MessageBuffer::Exception::Base) {
+ LogError("Broken protocol. Closing socket.");
+ m_serviceManager->Close(conn);
+ return false;
+ } Catch (PasswordService::Exception::Base) {
+ LogError("Incorrect message header. Closing socket.");
+ m_serviceManager->Close(conn);
+ return false;
+ }
+
+
+
+ return true;
+}
+
+} // namespace SecurityServer
+
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file password.h
+ * @author Zigniew Jasinski (z.jasinski@samsung.com)
+ * @author Lukasz Kostyra (l.kostyra@partner.samsung.com)
+ * @version 1.0
+ * @brief Implementation of password service
+ */
+
+#ifndef _SECURITY_SERVER_PASSWORD_
+#define _SECURITY_SERVER_PASSWORD_
+
+#include <map>
+
+#include <service-thread.h>
+#include <generic-socket-manager.h>
+#include <message-buffer.h>
+#include <connection-info.h>
+#include <protocols.h>
+
+#include <password-manager.h>
+
+namespace SecurityServer
+{
+ class PasswordService
+ : public SecurityServer::GenericSocketService
+ , public SecurityServer::ServiceThread<PasswordService>
+ {
+ public:
+ class Exception
+ {
+ public:
+ DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base)
+ DECLARE_EXCEPTION_TYPE(Base, IncorrectHeader)
+ };
+
+ //service functions
+ ServiceDescriptionVector GetServiceDescription();
+
+ DECLARE_THREAD_EVENT(AcceptEvent, accept)
+ DECLARE_THREAD_EVENT(WriteEvent, write)
+ DECLARE_THREAD_EVENT(ReadEvent, process)
+ DECLARE_THREAD_EVENT(CloseEvent, close)
+
+ void accept(const AcceptEvent &event);
+ void write(const WriteEvent &event);
+ void process(const ReadEvent &event);
+ void close(const CloseEvent &event);
+
+ private:
+ //internal service functions
+ bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID);
+ int processCheckFunctions(PasswordHdrs hdr, MessageBuffer& buffer, unsigned int &cur_att,
+ unsigned int &max_att, unsigned int &exp_time);
+ int processSetFunctions(PasswordHdrs hdr, MessageBuffer& buffer);
+
+ // service attributes
+ PasswordManager m_pwdManager;
+ ConnectionInfoMap m_connectionInfoMap;
+ };
+} // namespace SecurityServer
+
+#endif // _SECURITY_SERVER_PASSWORD_
${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check-tmp.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-open-for.socket
+ ${CMAKE_SOURCE_DIR}/systemd/security-server-password-check.socket
+ ${CMAKE_SOURCE_DIR}/systemd/security-server-password-set.socket
DESTINATION
/usr/lib/systemd/system
)
--- /dev/null
+[Socket]
+ListenStream=/tmp/.security-server-api-password-check.sock
+SocketMode=0777
+#SmackLabelIPIn=security-server::api-password-check
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+Service=security-server.service
+
+[Install]
+WantedBy=sockets.target
--- /dev/null
+[Socket]
+ListenStream=/tmp/.security-server-api-password-set.sock
+SocketMode=0777
+#SmackLabelIPIn=security-server::api-password-set
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+Service=security-server.service
+
+[Install]
+WantedBy=sockets.target
Sockets=security-server-cookie-check.socket
Sockets=security-server-cookie-check-tmp.socket
Sockets=security-server-open-for.socket
+Sockets=security-server-password-check.socket
+Scokets=security-server-password-set.socket
[Install]
WantedBy=multi-user.target