INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include)
INCLUDE(FindPkgConfig)
-pkg_check_modules(pkgs REQUIRED dlog openssl)
+pkg_check_modules(pkgs REQUIRED dlog openssl libsmack)
FOREACH(flag ${pkgs_CFLAGS})
SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${flag}")
## for security-server (binary)
SET(security-server_SOURCES ${sec_svr_src_dir}/server/security-server-main.c ${sec_svr_src_dir}/communication/security-server-comm.c ${sec_svr_src_dir}/server/security-server-cookie.c ${sec_svr_src_dir}/server/security-server-password.c ${sec_svr_src_dir}/util/security-server-util-common.c )
SET(security-server_CFLAGS " -I/usr/include -I. -I${sec_svr_include_dir} ${debug_type} -D_GNU_SOURCE ")
-SET(security-server_LDFLAGS ${pkgs_LDFLAGS} -lpthread )
+SET(security-server_LDFLAGS ${pkgs_LDFLAGS} -lpthread)
ADD_EXECUTABLE(security-server ${security-server_SOURCES})
TARGET_LINK_LIBRARIES(security-server ${pkgs_LDFLAGS})
-Copyright (c) 2012 Samsung Electronics Co., Ltd. All rights reserved.
+Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd. All rights reserved.
Apache License
Version 2.0, January 2004
same "printed page" as the copyright notice for easier
identification within third-party archives.
- Copyright (c) 2012 Samsung Electronics Co., Ltd. All rights reserved.
+ Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
+security-server (0.0.36) unstable; urgency=low
+
+ * Reverted merge with wrt-security
+ * Git: framework/security/security/server
+ * Tag: security-server_0.0.36
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Tue, 14 Aug 2012 14:17:00 +0200
+
+security-server (0.0.1-48) unstable; urgency=low
+
+ * Changed security_server_chk_pwd return codes
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-48
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Tue, 22 May 2012 08:46:00 +0100
+
+security-server (0.0.1-47) unstable; urgency=low
+
+ * new API for password validity and retry number
+ * new API for SMACK-based permission check
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-47
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Mon, 14 May 2012 12:12:00 +0100
+
+security-server (0.0.1-46) unstable; urgency=low
+
+ * change booting order from 25 to 10
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-46
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 16 Apr 2012 15:22:17 +0900
+
+security-server (0.0.1-45) unstable; urgency=low
+
+ * systemd dependency in spec file has been deleted
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-45
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 29 Mar 2012 10:08:32 +0900
+
+security-server (0.0.1-44) unstable; urgency=low
+
+ * Spec file has been changed that package name was wrong.
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-44
+ -- Bumjin Im <bj.im@samsung.com> Fri, 16 Mar 2012 18:20:31 +0900
+
security-server (0.0.1-43) unstable; urgency=low
* Bug fixed: security_server_reset_pwd() fails when password sets for the first time.
- * Git: pkgs/s/security-server
+ * Git: slp/pkgs/s/security-server
* Tag: security-server_0.0.1-43
-- Bumjin <bj.im@samsung.com> Wed, 18 Jan 2012 19:24:33 +0900
+
+security-server (0.0.1-42) unstable; urgency=low
+
+ * Added password history, attempts, and expiration management. API has been chagned. Function structure has been changed
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-42
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 12 Jan 2012 10:22:17 +0900
+
+security-server (0.0.1-41) unstable; urgency=low
+
+ * Phone password management API added. Support multi thread for multi-core support
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-41
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 04 Jan 2012 14:56:19 +0900
+
+security-server (0.0.1-40) unstable; urgency=low
+
+ * systemd dependency has been elimiated
+ * Git: slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-40
+
+ -- Bumjin Im <bj.im@samsung.com> Tue, 20 Dec 2011 11:23:55 +0900
+
+security-server (0.0.1-39) unstable; urgency=low
+
+ * License has been changed to Apache 2.0. All boilerplates and LICENSE files are changed to Apache 2.0 License
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-39
+
+ -- Bumjin Im <bj.im@samsung.com> Fri, 02 Dec 2011 17:48:40 +0900
+
+security-server (0.0.1-38) unstable; urgency=low
+
+ * SMACK setxattr for security server socket enabled
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-38
+
+ -- Bumjin Im <bj.im@samsung.com> Mon, 07 Nov 2011 15:45:32 +0900
+
+security-server (0.0.1-37) unstable; urgency=low
+
+ * Added Systemd support. SMACK labeling is commented out because of lack of kernel SMACK support
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-37
+
+ -- Bumjin Im <bj.im@samsung.com> Sat, 08 Oct 2011 09:36:44 +0900
+
+security-server (0.0.1-36) unstable; urgency=low
+
+ * Fixed version problem major 0 --> 1
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-36
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 25 Aug 2011 09:37:02 +0900
+
+security-server (0.0.1-35) unstable; urgency=low
+
+ * security_server_get_gid() API bug fix.
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-35
+
+ -- Bumjin Im <bj.im@samsung.com> Tue, 23 Aug 2011 09:44:45 +0900
+
+security-server (0.0.1-34) unstable; urgency=low
+
+ * Modify COPYING file
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-34
+
+ -- Bumjin Im <bj.im@samsung.com> Fri, 15 Jul 2011 10:14:34 +0900
+
+security-server (0.0.1-33) unstable; urgency=low
+
+ * Modify boilerplates of each src files
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-33
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 13 Jul 2011 09:55:15 +0900
+
+security-server (0.0.1-32) unstable; urgency=low
+
+ * One more option (kill_app) to debug-util has been added
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-32
+
+ -- Bumjin Im <bj.im@samsung.com> Mon, 13 Jun 2011 15:03:24 +0900
+
+security-server (0.0.1-31) unstable; urgency=low
+
+ * Fixed Red screen problem because of calling strlen() in dlog because of calling dlog API with non null terminating string
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-31
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 24 Mar 2011 16:17:52 +0900
+
+security-server (0.0.1-30) unstable; urgency=low
+
+ * Fixed Red screen problem because of calling strlen() with NULL string
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-30
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 16 Mar 2011 11:15:37 +0900
+
+security-server (0.0.1-29) unstable; urgency=low
+
+ * Fixed child process defunct problem by adding signal handler and fixed argv processing problem on execv
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-29
+
+ -- Bumjin Im <bj.im@samsung.com> Tue, 08 Mar 2011 13:58:16 +0900
+
+security-server (0.0.1-28) unstable; urgency=low
+
+ * Fixed CQ defect "H0100120946" Which occurrs blue screen because of system lock-up
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-28
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 02 Mar 2011 09:06:45 +0900
+
+security-server (0.0.1-27) unstable; urgency=low
+
+ * coverity defects fixed
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-27
+
+ -- Bumjin Im <bj.im@samsung.com> Mon, 14 Feb 2011 17:23:33 +0900
+
+security-server (0.0.1-26) unstable; urgency=low
+
+ * Added a new API to launch a debugging tool as root privilege for SDK shell with authentication of SDK
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-26
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 27 Jan 2011 18:23:30 +0900
+
+security-server (0.0.1-25) unstable; urgency=low
+
+ * Fixed Prevent bugs
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-25
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 26 Jan 2011 10:16:39 +0900
+
+security-server (0.0.1-24) unstable; urgency=low
+
+ * adjust booting sequence
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-24
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 21 Jan 2011 10:52:32 +0900
+
+security-server (0.0.1-23) unstable; urgency=low
+
+ * Add cookie utility for better test, and fix some null check problems
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-23
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 19 Jan 2011 10:46:23 +0900
+
+security-server (0.0.1-22) unstable; urgency=low
+
+ * Add a new API that getting PID of a given cookie value to support alarm service
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-22
+
+ -- Bumjin Im <bj.im@samsung.com> Mon, 17 Jan 2011 11:47:54 +0900
+
+security-server (0.0.1-21) unstable; urgency=low
+
+ * add some daemons to mw-list
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-21
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 14 Jan 2011 10:18:31 +0900
+
+security-server (0.0.1-20) unstable; urgency=low
+
+ * Added feature to save default cookie into a file and keep it until reboots to guarantee the default cookie is not changed even security server is relaunched.
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-20
+
+ -- Bumjin Im <bj.im@samsung.com> Tue, 11 Jan 2011 13:12:28 +0900
+
+security-server (0.0.1-19) unstable; urgency=low
+
+ * fixed timing issue that if the server socket closed then the client goes to error condition without reading packet
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-19
+
+ -- Bumjin Im <bj.im@samsung.com> Mon, 10 Jan 2011 11:42:07 +0900
+
+security-server (0.0.1-18) unstable; urgency=low
+
+ * fix reading and parsing problem of /etc/group file which had failed to read when a line is bigger than 128 bytes
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-18
+
+ -- Bumjin Im <bj.im@samsung.com> Sat, 08 Jan 2011 18:50:00 +0900
+
+security-server (0.0.1-17) unstable; urgency=low
+
+ * fix crash problem when server try to send to already close socket fd
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-17
+
+ -- Bumjin Im <bj.im@samsung.com> Sat, 08 Jan 2011 17:33:01 +0900
+
+security-server (0.0.1-16) unstable; urgency=low
+
+ * fix file pointer problem
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-16
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 06 Jan 2011 09:27:40 +0900
+
+security-server (0.0.1-15) unstable; urgency=low
+
+ * fix strtoul problem
+ * Git: 165.213.180.234:slp/pkgs/s/security-server
+ * Tag: security-server_0.0.1-15
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 10 Dec 2010 18:32:33 +0900
+
+security-server (0.0.1-14) unstable; urgency=low
+
+ * fix strip problem
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-14
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 01 Dec 2010 10:41:39 +0900
+
+security-server (0.0.1-13) unstable; urgency=low
+
+ * preparations for limo contribution
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-13
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 26 Nov 2010 16:03:03 +0900
+
+security-server (0.0.1-12) unstable; urgency=low
+
+ * Add more doxygen documentations -- Security Server, secure storage
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-12
+
+ -- Bumjin Im <bj.im@samsung.com> Wed, 10 Nov 2010 15:06:02 +0900
+
+security-server (0.0.1-11) unstable; urgency=low
+
+ * Modify doxygen command by SDK team
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-11
+
+ -- Bumjin Im <bj.im@samsung.com> Tue, 09 Nov 2010 10:46:56 +0900
+
+security-server (0.0.1-10) unstable; urgency=low
+
+ * remove useless log messages
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-10
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 08 Nov 2010 11:19:48 +0900
+
+security-server (0.0.1-9) unstable; urgency=low
+
+ * apply patch regarding versioning
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-9
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Tue, 02 Nov 2010 17:53:27 +0900
+
+security-server (0.0.1-8) unstable; urgency=low
+
+ * doxygen has been modified to add more items such as @pre, @post, and so on
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-8
+
+ -- Bumjin Im <bj.im@samsung.com> Thu, 28 Oct 2010 11:52:57 +0900
+
+security-server (0.0.1-7) unstable; urgency=low
+
+ * add new boiler-plate
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-7
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 22 Oct 2010 18:59:58 +0900
+
+security-server (0.0.1-6) unstable; urgency=low
+
+ * fix some bugs
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-6
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 21 Oct 2010 14:40:34 +0900
+
+security-server (0.0.1-5) unstable; urgency=low
+
+ * make another symbolic link
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-5
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 18 Oct 2010 14:22:00 +0900
+
+security-server (0.0.1-4) unstable; urgency=low
+
+ * add doxygen PG
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-4
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Tue, 12 Oct 2010 14:44:31 +0900
+
+security-server (0.0.1-3) unstable; urgency=low
+
+ * Fix PID reuse vulnerability
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-3
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 27 Sep 2010 11:12:14 +0900
+
+security-server (0.0.1-2) unstable; urgency=low
+
+ * Make Doxygen
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-2
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 16 Sep 2010 16:04:57 +0900
+
+security-server (0.0.1-1) unstable; urgency=low
+
+ * Initial release
+ * Git: 165.213.180.234:/git/slp/pkgs/security-server
+ * Tag: security-server_0.0.1-1
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 26 Jul 2010 14:27:03 +0900
Source: security-server
Priority: extra
Maintainer: Bumjin Im <bj.im@samsung.com>, Kidong Kim <kd0228.kim@samsung.com>
-Build-Depends: debhelper (>= 5), autotools-dev, dlog-dev, libssl-dev, libattr1-dev
+Build-Depends: debhelper (>= 5), autotools-dev, dlog-dev, libssl-dev, libattr1-dev, libsmack-dev
Standards-Version: 3.7.2
Section: base
Homepage: N/A
$(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/
mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/
- ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S25security-server
- ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/S25security-server
+ ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S10security-server
+ ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/S10security-server
# Build architecture-independent files here.
usr/bin/security-server
-etc/rc.d/rc3.d/S25security-server
-etc/rc.d/rc5.d/S25security-server
+etc/rc.d/rc3.d/S10security-server
+etc/rc.d/rc5.d/S10security-server
etc/rc.d/init.d/security-serverd
usr/share/security-server/mw-list
/usr/bin/sec-svr-util
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
#define SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE 0x14
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST 0x15
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE 0x16
+#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST 0x17
+#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE 0x18
+#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST 0x19
+#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a
+#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b
+#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c
#define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff
/* Return code */
int send_gid_request(int sock_fd, const char* object);
int send_object_name_request(int sock_fd, int gid);
int send_privilege_check_request(int sock_fd, const char*cookie, int gid);
+int send_privilege_check_new_request(int sock_fd,
+ const char *cookie,
+ const char *object,
+ const char *access_rights);
int recv_get_gid_response(int sockfd, response_header *hdr, int *gid);
int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max_object_size);
int recv_cookie(int sockfd, response_header *hdr, char *cookie);
int recv_privilege_check_response(int sockfd, response_header *hdr);
+int recv_privilege_check_new_response(int sockfd, response_header *hdr);
int recv_hdr(int client_sockfd, basic_header *basic_hdr);
int recv_check_privilege_request(int sockfd, unsigned char *requested_cookie, int *requested_privilege);
+int recv_check_privilege_new_request(int sockfd,
+ unsigned char *requested_cookie,
+ char *object_label,
+ char *access_rights);
int send_pid_request(int sock_fd, const char*cookie);
int recv_pid_response(int sockfd, response_header *hdr, int *pid);
int recv_pid_request(int sockfd, unsigned char *requested_cookie);
int send_launch_tool_request(int sock_fd, int argc, const char **argv);
int recv_generic_response(int sockfd, response_header *hdr);
int recv_launch_tool_request(int sockfd, int argc, char *argv[]);
-int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts,
+int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts,
unsigned int *max_attempts, unsigned int *valid_days);
-int send_set_pwd_request(int sock_fd, const char*cur_pwd, const char*new_pwd,
+int send_set_pwd_request(int sock_fd, const char*cur_pwd, const char*new_pwd,
const unsigned int max_challenge, const unsigned int valid_period_in_days);
+int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days);
+int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge);
int send_chk_pwd_request(int sock_fd, const char*challenge);
int check_socket_poll(int sockfd, int event, int timeout);
int free_argv(char **argv, int argc);
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
#define SECURITY_SERVER_DEFAULT_COOKIE_PATH "/tmp/.security_server.coo"
#define SECURITY_SERVER_DAEMON_PATH "/usr/bin/security-server"
#define SECURITY_SERVER_COOKIE_LEN 20
+#define MAX_OBJECT_LABEL_LEN 32
+#define MAX_MODE_STR_LEN 16
#define SECURITY_SERVER_MIDDLEWARE_LIST_PATH "/usr/share/security-server/mw-list"
#define SECURITY_SERVER_MAX_OBJ_NAME 30
#define SECURITY_SERVER_MAX_PATH_LEN 50
pid_t pid; /* Client process's PID */
char *path; /* Client process's cmd line string */
int *permissions; /* Array of GID that the client process has */
+ char *smack_label; /* SMACK label of the client process */
struct _cookie_list *prev; /* Next cookie list */
struct _cookie_list *next; /* Previous cookie list */
} cookie_list;
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved\r
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
*
*/
-#ifndef SECURITY_SERVER_COOKIE_H
-#define SECURITY_SERVER_COOKIE_H
-
-#include "security-server-common.h"
-
+#ifndef SECURITY_SERVER_COOKIE_H\r
+#define SECURITY_SERVER_COOKIE_H\r
+\r
+#include "security-server-common.h"\r
+\r
int free_cookie_item(cookie_list *cookie);
cookie_list *delete_cookie_item(cookie_list *cookie);
cookie_list *search_existing_cookie(int pid, const cookie_list *c_list);
cookie_list *search_cookie(const cookie_list *c_list, const unsigned char *cookie, int privilege);
+cookie_list *search_cookie_new(const cookie_list *c_list,
+ const unsigned char *cookie,
+ const char *object,
+ const char *access_rights);
int generate_random_cookie(unsigned char *cookie, int size);
-cookie_list *create_cookie_item(int pid, cookie_list *c_list);
+cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list);
cookie_list *create_default_cookie(void);
cookie_list * garbage_collection(cookie_list *cookie);
cookie_list *search_cookie_from_pid(cookie_list *c_list, int pid);
-void printhex(const unsigned char *data, int size);
-
-#endif
+void printhex(const unsigned char *data, int size);\r
+\r
+#endif\r
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
int process_reset_pwd_request(int sockfd);
int process_reset_pwd_request(int sockfd);
int process_chk_pwd_request(int sockfd);
+int process_set_pwd_max_challenge_request(int sockfd);
+int process_set_pwd_validity_request(int sockfd);
int init_try(void);
#endif
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
*
* Revision History:
*
- * -- Company Name -- | Modification Date | Description of Changes
- * -----------------------------------------------------------------------
+ * -- Company Name -- | Modification Date | Description of Changes
+ * -----------------------------------------------------------------------
* --- Samsung ------ | --- 2010-07-25 -- | First created
*
* </tt>
#define SECURITY_SERVER_API_ERROR_UNKNOWN -255
/** @}*/
-
#ifdef __cplusplus
extern "C" {
#endif
* \param[in] object Name of the object which is kwnown by the caller.
*
* \return matching gid (positive integer) on success, or negative error code on error.
- *
+ *
* \par Prospective clients:
* Inhouse middleware
*
* \par Known issues/bugs:
* None
- *
+ *
* \pre None
- *
+ *
* \post None
*
* \see /etc/group,
* security_server_get_object_name(), security_server_check_privilege()
- *
+ *
* \remarks None
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* \param[in] max_object_size Allocated byte size of parameter "object".
*
* \return 0 on success, or negative error code on error.
- *
+ *
* \par Prospective clients:
* Inhouse middleware.
*
* \par Known issues/bugs:
* None
- *
+ *
* \pre output parameter object must be malloced before calling this API not to make memory curruption
- *
+ *
* \post None
*
* \see /etc/group,
* security_server_get_gid()
- *
+ *
* \remarks None
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* ...
* int retval;
* char objectname[20];
- *
+ *
* // Call the API
* retval = security_server_get_object_name(6005, objectname, sizeof(objectname));
* if(retval < 0)
* \param[in] max_cookie Allocated byte size of parameter "cookie".
*
* \return 0 on success, or negative error code on error.
- *
+ *
* \par Prospective clients:
* Any process
*
* \par Known issues/bugs:
* None
- *
+ *
* \pre output parameter cookie must be malloced before calling this API not to make memory curruption
* Size of the cookie can be retrieved by security_server_get_cookie_size() API.
- *
+ *
* \post None
*
* \see security_server_check_privilege(), security_server_get_cookie_size()
- *
+ *
* \remarks None
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* \par Important notes:
* None
*
- * \return Always returns byte size of the cookie.
- *
+ * \return Always returns byte size of the cookie.
+ *
* \par Prospective clients:
* Any process
*
* \par Known issues/bugs:
* None
- *
+ *
* \pre None
- *
+ *
* \post None
*
* \see security_server_request_cookie()
* \remarks None
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* // API calling
* cookie_size = security_server_get_cookie_size();
* unsigned char cookie[cookie_size];
- *
+ *
* char objectname[20];
* retval = security_server_request_cookie(cookie, cookie_size);
* if(retval < 0)
* \param[in] privilege Object group ID which the client application wants to access
*
* \return 0 on success, or negative error code on error.
- *
+ *
* \par Prospective clients:
* Only pre-defiend middleware daemons
*
* \par Known issues/bugs:
* None
* \pre None
- *
+ *
* \post None
*
* \see security_server_request_cookie(), security_server_get_gid(), security_server_get_cookie_size()
- *
+ *
* \remarks None
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* int call_gid;
* cookie_size = security_server_get_cookie_size();
* unsigned char recved_cookie[cookie_size];
- *
+ *
* ... // Receiving request with cookie
*
* call_gid = security_server_get_gid("telephony_makecall");
*/
int security_server_check_privilege(const char *cookie, gid_t privilege);
+int security_server_check_privilege_by_cookie(const char *cookie,
+ const char *object,
+ const char *access_rights);
+int security_server_check_privilege_by_sockfd(int sockfd,
+ const char *object,
+ const char *access_rights);
/**
* \par Description:
* \param[in] cookie Received cookie value from client application. Cookie is not a null terminated human readable string. Make sure you're code doesn't have any string related process on the cookie.
*
* \return positive integer on success meaning the PID, 0 means the cookie is for root process, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Only pre-defiend middleware daemons
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_request_cookie(), security_server_get_cookie_size()
- *
+ *
* \remarks the cookie is not a null terminated string. Cookie is a BINARY byte stream of such length which can be retrieved by security_server_get_cookie_size() API.
* Therefore, please do not use strcpy() family to process cookie value. You MUST use memcpy() function to process cookie value.
* You also have to know that the cookie value doesn't carry any null terminator. So you don't need to allocate 1 more byte of the cookie size.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* gid_t call_gid;
* cookie_size = security_server_get_cookie_size();
* unsigned char recved_cookie[cookie_size];
- *
+ *
* ... // Receiving request with cookie
*
* peerpid = security_server_get_cookie_pid(recved_cookie);
* \par Important notes:
* Password file should be stored safely. The password file will be stored by security server and only allowed itself to read/write, and data is will be securely hashed\n
*
- * \param[out] current_attempts Number of password check missed attempts.
+ * \param[out] current_attempts Number of password check missed attempts.
* \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite
* \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite
*
* \return 0 if there is no password set, other negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Applications which can unlock UI
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_set_pwd(), security_server_chk_pwd()
- *
+ *
* \remarks If password file is currupted or accitentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
*
* \endcode
*/
-int security_server_is_pwd_valid(unsigned int *current_attempts,
- unsigned int *max_attempts,
+int security_server_is_pwd_valid(unsigned int *current_attempts,
+ unsigned int *max_attempts,
unsigned int *valid_secs);
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
* \return 0 on seccuess, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd()
- *
+ *
* \remarks Only setting application can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
* \remarks If current password exists and it's expired, or max attempts reached, you cannot call this API. You have to call security_server_reset_pwd() API.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* \endcode
*/
int security_server_set_pwd(const char *cur_pwd,
- const char *new_pwd,
- const unsigned int max_challenge,
+ const char *new_pwd,
+ const unsigned int max_challenge,
const unsigned int valid_period_in_days);
+/**
+ * \par Description:
+ * This API sets validity period for currently setup password.
+ *
+ * \par Purpose:
+ * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup.
+ *
+ * \par Typical use case:
+ * Authorized application calls this API to change current passwords validity when password policy needs to be changed.
+ *
+ * \par Method of function operation:
+ * Function attempts to find currently set password and changes its current validity to passed number of days. Retry counter for the password is reset to zero.
+ * If there is no password set, function returns proper error code.
+ *
+ * \par Sync (or) Async:
+ * This is a Synchronous API.
+ * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
+ *
+ * \return 0 on success, negative integer error code on error.
+ *
+ * \par Prospective clients:
+ * Platform's THE ONLY setting application and some dedicated privileged processes
+ *
+ * \par Known issues/bugs:
+ * Identifying calling peer is not ready yet, should be based on SMACK somehow.
+ *
+ * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd()
+ */
+int security_server_set_pwd_validity(const unsigned int valid_period_in_days);
+
+
+/**
+ * \par Description:
+ * This API sets maximum number of attempts for currently setup password.
+ *
+ * \par Purpose:
+ * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup.
+ *
+ * \par Typical use case:
+ * Authorized application calls this API to change current passwords max attempt number when password policy needs to be changed.
+ *
+ * \par Method of function operation:
+ * Function attempts to find currently set password and changes its max attempt number to passed one. Retry counter for the password is reset to zero.
+ * If there is no password set, function returns proper error code.
+ *
+ * \par Sync (or) Async:
+ * This is a Synchronous API.
+ * \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
+ *
+ * \return 0 on success, negative integer error code on error.
+ *
+ * \par Prospective clients:
+ * Platform's THE ONLY setting application and some dedicated privileged processes
+ *
+ * \par Known issues/bugs:
+ * Identifying calling peer is not ready yet, should be based on SMACK somehow.
+ *
+ * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd()
+ */
+int security_server_set_pwd_max_challenge(const unsigned int max_challenge);
/**
* \par Description:
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
* \return 0 on seccuess, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_set_pwd()
- *
+ *
* \remarks Only dedicated applications can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* \endcode
*/
int security_server_reset_pwd(const char *new_pwd,
- const unsigned int max_challenge,
+ const unsigned int max_challenge,
const unsigned int valid_period_in_days);
/**
* There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n
*
* \param[in] challenge Null terminated challenged password string. It must not a NULL pointer.
- * \param[out] current_attempts Number of password check missed attempts.
+ * \param[out] current_attempts Number of password check missed attempts.
* \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite
* \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite
*
* \return 0 on seccuess, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Applications which has phone UI lock feature.
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_is_pwd_valid(), security_server_set_pwd()
- *
+ *
* \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* ...
* int retval;
- * unsigned int attempt, max_attempt, expire_sec;
+ * unsigned int attempt, max_attempt, expire_sec;
*
* retval = security_server_chk_pwd("is_this_password", &attmpt, &max_attempt, &expire_sec);
* if(retval == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH)
*
* \endcode
*/
-int security_server_chk_pwd(const char *challenge,
- unsigned int *current_attempt,
- unsigned int *max_attempt,
+int security_server_chk_pwd(const char *challenge,
+ unsigned int *current_attempt,
+ unsigned int *max_attempt,
unsigned int *valid_secs);
* \param[in] number_of_history Number of history to be checked when user tries to change password. Maximum is currently 50
*
* \return 0 on seccuess, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* MDM client, Enterprise manager.
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see security_server_set_pwd()
- *
+ *
* \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* /usr/bin/debug-util itself must be omitted in the argv. Security server will put this as first argv in the execution procedure
*
* \param[in] argc Number of arguements.
- *
+ *
* \param[in] argv Arguements
*
* \return 0 on success, negative integer error code on error.
- *
+ *
* \par Prospective clients:
* Only pre-defiend debugging utility.
*
* None
*
* \pre None
- *
+ *
* \post None
*
* \see None
- *
+ *
* \remarks Calling this API, you have to put argv[1] of the debug-util as argv[0] of this API. Security server will put argv[0] automatically
- *
+ *
* \par Sample code:
* \code
* #include <security-server.h>
* @}
*/
-#endif
+#endif
+#sbs-git:slp/pkgs/s/security-server security-server 0.0.1 41964751bdbad7b215eea8f7ca955aa365348e4a
Name: security-server
Summary: Security server
-Version: 0.0.1
-Release: 37
+Version: 0.0.36
+Release: 1
Group: TO_BE/FILLED_IN
-License: Apache 2.0
+License: Apache2.0
Source0: %{name}-%{version}.tar.gz
BuildRequires: cmake
BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(openssl)
BuildRequires: libattr-devel
+BuildRequires: pkgconfig(libsmack)
%description
Security server package
%post
mkdir -p /etc/rc.d/rc3.d
mkdir -p /etc/rc.d/rc5.d
-ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S25security-server
-ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc5.d/S25security-server
+ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S10security-server
+ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc5.d/S10security-server
%postun
-rm -f /etc/rc.d/rc3.d/S25security-server
-rm -f /etc/rc.d/rc5.d/S25security-server
+rm -f /etc/rc.d/rc3.d/S10security-server
+rm -f /etc/rc.d/rc5.d/S10security-server
%post -n libsecurity-server-client -p /sbin/ldconfig
/*
- * security-server
+ * security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/smack.h>
#include "security-server.h"
#include "security-server-common.h"
readlink(path, cmdline, memsize); /* FlawFinder: ignore */
SEC_SVR_DBG("pid: %d, cmdline: %s", pid, cmdline);
- /* Check it's truncated */
+ /* Check it's truncated */
if(cmdline[memsize -1] != 0)
{
cmdline = (char *)realloc(cmdline, sizeof(char) * (memsize + 32));
if(cmdline == NULL)
{
SEC_SVR_DBG("%s", "Out of memory");
- goto error;
+ goto error;
}
}
else
}
+ SECURITY_SERVER_API
+int security_server_check_privilege_by_cookie(const char *cookie,
+ const char *object,
+ const char *access_rights)
+{
+ int sockfd = -1, retval;
+ int olen, alen;
+ response_header hdr;
+
+ if(cookie == NULL || object == NULL || access_rights == NULL)
+ {
+ retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
+ goto error;
+ }
+
+ olen = strlen(object);
+ alen = strlen(access_rights);
+
+ if (olen > MAX_OBJECT_LABEL_LEN || alen > MAX_MODE_STR_LEN)
+ {
+ retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
+ goto error;
+ }
+
+ retval = connect_to_server(&sockfd);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ goto error;
+ }
+
+ /* make request packet */
+ retval = send_privilege_check_new_request(
+ sockfd, cookie, object, access_rights);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ SEC_SVR_DBG("Send failed: %d", retval);
+ goto error;
+ }
+
+ retval = recv_privilege_check_new_response(sockfd, &hdr);
+
+ retval = return_code_to_error_code(hdr.return_code);
+ if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE)
+ /* Wrong response */
+ {
+ if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
+ {
+ /* There must be some error */
+ SEC_SVR_DBG("Client: Error has been received. return code:%d",
+ hdr.return_code);
+ }
+ else
+ {
+ /* Something wrong with response */
+ SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval);
+ retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
+ }
+ goto error;
+ }
+error:
+ if(sockfd >= 0)
+ close(sockfd);
+
+ retval = convert_to_public_error_code(retval);
+ return retval;
+}
+
+ SECURITY_SERVER_API
+int security_server_check_privilege_by_sockfd(int sockfd,
+ const char *object,
+ const char *access_rights)
+{
+ char *subject;
+ int ret;
+ ret = smack_new_label_from_socket(sockfd, &subject);
+ if (ret != 0)
+ {
+ return SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+ }
+ ret = smack_have_access(subject, object, access_rights);
+ SEC_SVR_DBG("check by sockfd, subject >%s< object >%s< rights >%s< ====> %d",
+ subject, object, access_rights, ret);
+ free(subject);
+ if (ret == 1)
+ {
+ return SECURITY_SERVER_API_SUCCESS;
+ }
+ else
+ {
+ return SECURITY_SERVER_API_ERROR_ACCESS_DENIED;
+ }
+}
SECURITY_SERVER_API
SECURITY_SERVER_API
-int security_server_is_pwd_valid(unsigned int *current_attempts,
- unsigned int *max_attempts,
+int security_server_is_pwd_valid(unsigned int *current_attempts,
+ unsigned int *max_attempts,
unsigned int *valid_secs)
{
int sockfd = -1, retval = SECURITY_SERVER_ERROR_UNKNOWN;
SECURITY_SERVER_API
int security_server_set_pwd(const char *cur_pwd,
- const char *new_pwd,
- const unsigned int max_challenge,
+ const char *new_pwd,
+ const unsigned int max_challenge,
const unsigned int valid_period_in_days)
{
int sockfd = -1, retval;
}
+ SECURITY_SERVER_API
+int security_server_set_pwd_validity(const unsigned int valid_period_in_days)
+{
+ int sockfd = -1, retval;
+ response_header hdr;
+
+ retval = connect_to_server(&sockfd);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ goto error;
+ }
+
+ /* make request packet */
+ retval = send_set_pwd_validity_request(sockfd, valid_period_in_days);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ SEC_SVR_DBG("Client: Send failed: %d", retval);
+ goto error;
+ }
+
+ retval = recv_generic_response(sockfd, &hdr);
+
+ retval = return_code_to_error_code(hdr.return_code);
+ if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE) /* Wrong response */
+ {
+ if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
+ {
+ /* There must be some error */
+ SEC_SVR_DBG("Client: Error has been received. return code:%d", hdr.return_code);
+ }
+ else
+ {
+ /* Something wrong with response */
+ SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval);
+ retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
+ }
+ goto error;
+ }
+error:
+ if(sockfd > 0)
+ close(sockfd);
+
+ retval = convert_to_public_error_code(retval);
+ return retval;
+}
+
+ SECURITY_SERVER_API
+int security_server_set_pwd_max_challenge(const unsigned int max_challenge)
+{
+ int sockfd = -1, retval;
+ response_header hdr;
+
+ retval = connect_to_server(&sockfd);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ goto error;
+ }
+
+ /* make request packet */
+ retval = send_set_pwd_max_challenge_request(sockfd, max_challenge);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ /* Error on socket */
+ SEC_SVR_DBG("Client: Send failed: %d", retval);
+ goto error;
+ }
+
+ retval = recv_generic_response(sockfd, &hdr);
+
+ retval = return_code_to_error_code(hdr.return_code);
+ if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE) /* Wrong response */
+ {
+ if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
+ {
+ /* There must be some error */
+ SEC_SVR_DBG("Client: Error has been received. return code:%d", hdr.return_code);
+ }
+ else
+ {
+ /* Something wrong with response */
+ SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval);
+ retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
+ }
+ goto error;
+ }
+error:
+ if(sockfd > 0)
+ close(sockfd);
+
+ retval = convert_to_public_error_code(retval);
+ return retval;
+}
+
+
SECURITY_SERVER_API
int security_server_reset_pwd(const char *new_pwd,
- const unsigned int max_challenge,
+ const unsigned int max_challenge,
const unsigned int valid_period_in_days)
{
int sockfd = -1, retval;
SECURITY_SERVER_API
-int security_server_chk_pwd(const char *challenge,
+int security_server_chk_pwd(const char *challenge,
unsigned int *current_attempt,
unsigned int *max_attempts,
unsigned int *valid_secs)
/*
- * security-server
+ * security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
return SECURITY_SERVER_ERROR_POLL;
else
{
- /* Chile process has been closed. Not poll() problem. Call it once again */
+ /* Chile process has been closed. Not poll() problem. Call it once again */
return check_socket_poll(sockfd, event, timeout);
}
}
}
/* Make socket as non blocking */
- if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
+ if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
{
retval = SECURITY_SERVER_ERROR_SOCKET;
bzero (&serveraddr, sizeof(serveraddr));
serveraddr.sun_family = AF_UNIX;
- strncpy(serveraddr.sun_path, SECURITY_SERVER_SOCK_PATH,
+ strncpy(serveraddr.sun_path, SECURITY_SERVER_SOCK_PATH,
strlen(SECURITY_SERVER_SOCK_PATH));
serveraddr.sun_path[strlen(SECURITY_SERVER_SOCK_PATH)] = 0;
localsockfd = -1;
goto error;
}
-
+
/* Change permission to accept all processes that has different uID/gID */
sock_mode = (S_IRWXU | S_IRWXG | S_IRWXO);
}
/* Make socket as non blocking */
- if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
+ if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
{
close(localsockfd);
return SECURITY_SERVER_ERROR_TIMEOUT;
}
- localsockfd = accept(server_sockfd,
- (struct sockaddr *)&clientaddr,
+ localsockfd = accept(server_sockfd,
+ (struct sockaddr *)&clientaddr,
&client_len);
if(localsockfd < 0)
}
/* Send generic response packet to client
- *
- * Generic Response Packet Format
+ *
+ * Generic Response Packet Format
0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|---------------------------------------------------------------|
| version=0x01 | Message ID |Message Length (without header)|
|---------------------------------------------------------------|
}
/* Send cookie response to client
- *
+ *
* Get Cookie response packet format
* 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x02 | Message Length =20 |
* |---------------------------------------------------------------|
/* Send Object name response *
* Get Object name response packet format
* 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x06 | Message Length |
* |---------------------------------------------------------------|
}
/* Send GID response to client
- *
+ *
* Get GID response packet format
* 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x08 | Message Length = 4 |
* |---------------------------------------------------------------|
}
/* Send PID response to client
- *
+ *
* Get PID response packet format
* 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x0a | Message Length = 4 |
* |---------------------------------------------------------------|
}
/* Send Check password response to client
- *
+ *
* Check password response packet format
* 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 | MessageID | Message Length = 12 |
* |---------------------------------------------------------------|
* |expire_in_days |
* |----------------
*/
-int send_pwd_response(const int sockfd,
+int send_pwd_response(const int sockfd,
const unsigned char msg_id,
- const unsigned char return_code,
- const unsigned int current_attempts,
- const unsigned int max_attempts,
+ const unsigned char return_code,
+ const unsigned int current_attempts,
+ const unsigned int max_attempts,
const unsigned int expire_time)
{
response_header hdr;
unsigned int expire_secs;
unsigned char msg[sizeof(hdr) + sizeof(current_attempts) + sizeof(max_attempts) + sizeof(expire_secs)];
int ret, ptr = 0;
-
+
/* Assemble header */
hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
}
/* Send cookie request packet to security server *
- *
+ *
* Message format
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
SEC_SVR_DBG("Error on write(): %d", retval);
return SECURITY_SERVER_ERROR_SEND_FAILED;
}
- return SECURITY_SERVER_SUCCESS;
+ return SECURITY_SERVER_SUCCESS;
}
/* Send GID request message to security server
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x07 | Message Length = variable |
* |---------------------------------------------------------------|
if(buf != NULL)
free(buf);
- return retval;
+ return retval;
}
/* Send object name request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x05 | Message Length = 4 |
* |---------------------------------------------------------------|
SEC_SVR_DBG("Error on write(): %d", retval);
return SECURITY_SERVER_ERROR_SEND_FAILED;
}
- return SECURITY_SERVER_SUCCESS;
+ return SECURITY_SERVER_SUCCESS;
}
/* Send privilege check request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x03 | Message Length = 24 |
* |---------------------------------------------------------------|
return SECURITY_SERVER_SUCCESS;
}
+int send_privilege_check_new_request(int sock_fd,
+ const char *cookie,
+ const char *object,
+ const char *access_rights)
+{
+ basic_header hdr;
+ int retval;
+ int olen, alen;
+ int size;
+
+ olen = strlen(object);
+ alen = strlen(access_rights);
+ if (olen > MAX_OBJECT_LABEL_LEN || alen > MAX_MODE_STR_LEN)
+ {
+ return SECURITY_SERVER_ERROR_INPUT_PARAM;
+ }
+
+ unsigned char buf[sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN +
+ 2*sizeof(int) + MAX_OBJECT_LABEL_LEN + MAX_MODE_STR_LEN];
+
+ /* Assemble header */
+ hdr.version = SECURITY_SERVER_MSG_VERSION;
+ hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST;
+ hdr.msg_len = SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen + alen;
+
+ memcpy(buf, &hdr, sizeof(hdr));
+ memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
+ memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN, &olen, sizeof(int));
+ memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + sizeof(int),
+ &alen, sizeof(int));
+ memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int), object, olen);
+ memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen,
+ access_rights, alen);
+
+ /* Check poll */
+ retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
+ if(retval == SECURITY_SERVER_ERROR_POLL)
+ {
+ SEC_SVR_DBG("%s", "poll() error");
+ return SECURITY_SERVER_ERROR_SEND_FAILED;
+ }
+ if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
+ {
+ SEC_SVR_DBG("%s", "poll() timeout");
+ return SECURITY_SERVER_ERROR_SEND_FAILED;
+ }
+
+ size = sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen + alen;
+ /* Send to server */
+ retval = write(sock_fd, buf, size);
+ if(retval < size)
+ {
+ /* Write error */
+ SEC_SVR_DBG("Error on write(): %d", retval);
+ return SECURITY_SERVER_ERROR_SEND_FAILED;
+ }
+ return SECURITY_SERVER_SUCCESS;
+}
+
/* Send PID check request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x09 | Message Length = 20 |
* |---------------------------------------------------------------|
/* Send debug tool launch request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x0b | Message Length |
* |---------------------------------------------------------------|
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
/* Send validate password request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x0d | Message Length |
* |---------------------------------------------------------------|
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
/* Send password set request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x0f | Message Length |
* |---------------------------------------------------------------|
* | valid days |
* |---------------------------------------------------------------|
*/
-int send_set_pwd_request(int sock_fd,
- const char*cur_pwd,
+int send_set_pwd_request(int sock_fd,
+ const char*cur_pwd,
const char*new_pwd,
const unsigned int max_challenge,
const unsigned int valid_period_in_days)
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
return retval;
}
+/* Send password validity change request message to security server *
+ *
+ * Message format
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * |---------------------------------------------------------------|
+ * | version=0x01 |MessageID=0x0f | Message Length |
+ * |---------------------------------------------------------------|
+ * | valid days |
+ * |---------------------------------------------------------------|
+ */
+int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days)
+{
+ basic_header hdr;
+ int retval, total_length = 0, ptr;
+ unsigned char *buf = NULL;
+
+ total_length = sizeof(hdr) + sizeof(unsigned int);
+
+ buf = malloc(total_length);
+ if(buf == NULL)
+ {
+ SEC_SVR_DBG("%s", "Error: failed to malloc()");
+ return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
+ }
+
+ /* Assemble header */
+ hdr.version = SECURITY_SERVER_MSG_VERSION;
+ hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST;
+ hdr.msg_len = (unsigned short)total_length;
+ memcpy(buf, &hdr, sizeof(hdr));
+ ptr = sizeof(hdr);
+ memcpy(buf + ptr, &valid_period_in_days, sizeof(unsigned int));
+
+ /* Check poll */
+ retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
+ if(retval == SECURITY_SERVER_ERROR_POLL)
+ {
+ SEC_SVR_DBG("%s", "poll() error");
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+
+ }
+ if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
+ {
+ SEC_SVR_DBG("%s", "poll() timeout");
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+ }
+
+ /* Send to server */
+ retval = write(sock_fd, buf, total_length);
+ if(retval < sizeof(buf))
+ {
+ /* Write error */
+ SEC_SVR_DBG("Error on write(): %d", retval);
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+ }
+ retval = SECURITY_SERVER_SUCCESS;
+
+error:
+ if(buf != NULL)
+ free(buf);
+ return retval;
+}
+
+/* Send password max challenge request message to security server *
+ *
+ * Message format
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * |---------------------------------------------------------------|
+ * | version=0x01 |MessageID=0x0f | Message Length |
+ * |---------------------------------------------------------------|
+ * | max challenge |
+ * |---------------------------------------------------------------|
+ */
+int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge)
+{
+ basic_header hdr;
+ int retval, total_length = 0, ptr;
+ unsigned char *buf = NULL;
+
+ total_length = sizeof(hdr) + sizeof(unsigned int);
+
+ buf = malloc(total_length);
+ if(buf == NULL)
+ {
+ SEC_SVR_DBG("%s", "Error: failed to malloc()");
+ return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
+ }
+
+ /* Assemble header */
+ hdr.version = SECURITY_SERVER_MSG_VERSION;
+ hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST;
+ hdr.msg_len = (unsigned short)total_length;
+ memcpy(buf, &hdr, sizeof(hdr));
+ ptr = sizeof(hdr);
+ memcpy(buf + ptr, &max_challenge, sizeof(unsigned int));
+
+ /* Check poll */
+ retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
+ if(retval == SECURITY_SERVER_ERROR_POLL)
+ {
+ SEC_SVR_DBG("%s", "poll() error");
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+
+ }
+ if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
+ {
+ SEC_SVR_DBG("%s", "poll() timeout");
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+ }
+
+ /* Send to server */
+ retval = write(sock_fd, buf, total_length);
+ if(retval < sizeof(buf))
+ {
+ /* Write error */
+ SEC_SVR_DBG("Error on write(): %d", retval);
+ retval = SECURITY_SERVER_ERROR_SEND_FAILED;
+ goto error;
+ }
+ retval = SECURITY_SERVER_SUCCESS;
+
+error:
+ if(buf != NULL)
+ free(buf);
+ return retval;
+}
+
/* Send password reset request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x11 | Message Length |
* |---------------------------------------------------------------|
* | valid days |
* |---------------------------------------------------------------|
*/
-int send_reset_pwd_request(int sock_fd,
+int send_reset_pwd_request(int sock_fd,
const char*new_pwd,
const unsigned int max_challenge,
const unsigned int valid_period_in_days)
new_pwd_len = strlen(new_pwd);
- total_length += sizeof(hdr) + sizeof(char) + new_pwd_len + sizeof(unsigned int) +
+ total_length += sizeof(hdr) + sizeof(char) + new_pwd_len + sizeof(unsigned int) +
sizeof(unsigned int);
buf = malloc(total_length);
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
/* Send password check request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x13 | Message Length |
* |---------------------------------------------------------------|
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
/* Send password history set request message to security server *
*
* Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | version=0x01 |MessageID=0x15 | Message Length |
* |---------------------------------------------------------------|
SEC_SVR_DBG("%s", "poll() error");
retval = SECURITY_SERVER_ERROR_SEND_FAILED;
goto error;
-
+
}
if(retval == SECURITY_SERVER_ERROR_TIMEOUT)
{
return SECURITY_SERVER_SUCCESS;
}
+/* Receive check privilege request packet body (new mode)*/
+int recv_check_privilege_new_request(int sockfd,
+ unsigned char *requested_cookie,
+ char *object_label,
+ char *access_rights)
+{
+ int retval;
+ int olen, alen;
+
+ retval = read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN);
+ if(retval < SECURITY_SERVER_COOKIE_LEN)
+ {
+ SEC_SVR_DBG("Received cookie size is too small: %d", retval);
+ return SECURITY_SERVER_ERROR_RECV_FAILED;
+ }
+
+ retval = read(sockfd, &olen, sizeof(int));
+ if(retval < sizeof(int) || olen < 0 || olen > MAX_OBJECT_LABEL_LEN)
+ {
+ SEC_SVR_DBG("error reading object_label len: %d", retval);
+ return SECURITY_SERVER_ERROR_RECV_FAILED;
+ }
+
+ retval = read(sockfd, &alen, sizeof(int));
+ if(retval < sizeof(int) || alen < 0 || olen > MAX_MODE_STR_LEN)
+ {
+ SEC_SVR_DBG("error reading access_rights len: %d", retval);
+ return SECURITY_SERVER_ERROR_RECV_FAILED;
+ }
+
+ retval = read(sockfd, object_label, olen);
+ if(retval < olen)
+ {
+ SEC_SVR_DBG("error reading object_label: %d", retval);
+ return SECURITY_SERVER_ERROR_RECV_FAILED;
+ }
+ object_label[olen] = '\0';
+
+ retval = read(sockfd, access_rights, olen);
+ if(retval < alen)
+ {
+ SEC_SVR_DBG("error reading access_rights: %d", retval);
+ return SECURITY_SERVER_ERROR_RECV_FAILED;
+ }
+ access_rights[alen] = '\0';
+
+ return SECURITY_SERVER_SUCCESS;
+}
+
/* Receive pid request packet body */
int recv_pid_request(int sockfd, unsigned char *requested_cookie)
{
SEC_SVR_DBG("%s", "Out of memory error");
return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
}
-
+
retval = read(sockfd, local_obj_name, hdr->basic_hdr.msg_len);
if(retval < (hdr->basic_hdr.msg_len))
{
retval = recv_generic_response(sockfd, hdr);
if(hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED &&
- hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED)
+ hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED)
+ {
+ SEC_SVR_DBG("response error: %d", hdr->return_code);
+ return return_code_to_error_code(hdr->return_code);
+ }
+ return SECURITY_SERVER_SUCCESS;
+}
+
+int recv_privilege_check_new_response(int sockfd, response_header *hdr)
+{
+ int retval;
+
+ retval = recv_generic_response(sockfd, hdr);
+ if(hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED &&
+ hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED)
{
SEC_SVR_DBG("response error: %d", hdr->return_code);
return return_code_to_error_code(hdr->return_code);
return SECURITY_SERVER_SUCCESS;
}
-int recv_pwd_response(int sockfd, response_header *hdr,
- unsigned int *current_attempts,
- unsigned int *max_attempts,
+int recv_pwd_response(int sockfd, response_header *hdr,
+ unsigned int *current_attempts,
+ unsigned int *max_attempts,
unsigned int *valid_secs)
{
int retval;
/* Authenticate client that it's real client application */
/* TBA */
-
+
error:
return retval;
}
{
/* error on file */
SEC_SVR_DBG("%s", "Error oening mw-list file");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
+ return SECURITY_SERVER_ERROR_FILE_OPERATION;
}
/* Search each line */
SEC_SVR_DBG("%s", "Error on getsockopt");
goto error;
}
-
+
/* All middlewares will run as root */
if(cr.uid != 0)
{
SEC_SVR_DBG("%s", "Error on getsockopt");
goto error;
}
-
+
/* All middlewares will run as root */
if(cr.uid != SECURITY_SERVER_DEVELOPER_UID)
{
/*
* security-server
- *
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
+#include <sys/smack.h>
#include "security-server-cookie.h"
free(cookie->path);
if(cookie->permissions != NULL)
free(cookie->permissions);
+ if(cookie->smack_label != NULL)
+ free(cookie->smack_label);
if(cookie->prev != NULL)
cookie->prev->next = cookie->next;
if(cookie->next != NULL)
return retval;
}
+
+cookie_list *search_cookie_new(const cookie_list *c_list,
+ const unsigned char *cookie,
+ const char *object,
+ const char *access_rights)
+{
+ cookie_list *current = (cookie_list *)c_list, *retval = NULL;
+ int ret;
+ int i;
+
+ /* Search from the list */
+ while(current != NULL)
+ {
+ /* print_cookie(current);*/
+ /* PID must be same */
+ current = garbage_collection(current);
+ if(current == NULL)
+ break;
+
+ if(memcmp(current->cookie, cookie, SECURITY_SERVER_COOKIE_LEN) == 0)
+ {
+ SEC_SVR_DBG("%s", "cookie has been found");
+
+ ret = smack_have_access(current->smack_label, object, access_rights);
+ SEC_SVR_DBG("smack_have_access, subject >%s< object >%s< access >%s< ===> %d",
+ current->smack_label, object, access_rights, ret);
+ if (ret == 1)
+ {
+ retval = current;
+ goto finish;
+ }
+ }
+ current = current->next;
+ }
+finish:
+ return retval;
+}
+
+
/* Generage a random stream value of size to cookie *
* by reading /dev/uranddom file */
int generate_random_cookie(unsigned char *cookie, int size)
}
/* Create a cookie item from PID */
-cookie_list *create_cookie_item(int pid, cookie_list *c_list)
+cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list)
{
int ret, tempint;
cookie_list *added = NULL, *current = NULL;
char *buf = NULL, inputed, *tempptr = NULL;
char delim[] = ": ", *token = NULL;
int *permissions = NULL, perm_num = 1, cnt, i, *tempperm = NULL;
+ char *smack_label = NULL;
FILE *fp = NULL;
current = search_existing_cookie(pid, c_list);
goto error;
}
+ /* Check SMACK label */
+ ret = smack_new_label_from_socket(sockfd, &smack_label);
+ if (ret != 0)
+ {
+ SEC_SVR_DBG("Error checking peer label: %d", ret);
+ free(added);
+ added = NULL;
+ goto error;
+ }
+
added->path_len = strlen(cmdline);
added->path = calloc(1, strlen(cmdline));
memcpy(added->path, cmdline, strlen(cmdline));
added->permission_len = perm_num;
added->pid = pid;
added->permissions = permissions;
+ added->smack_label = smack_label;
added->prev = current;
current->next = added;
added->next = NULL;
first->pid = 0;
first->path = NULL;
first->permissions = NULL;
+ first->smack_label = NULL;
first->prev = NULL;
first->next = NULL;
return first;
/*
- * security-server
+ * security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
SEC_SVR_DBG("%s", "cannot malloc()");
goto error;
}
-
+
bzero(linebuf, bufsize);
ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
while(fgets(linebuf, bufsize, fp) != NULL)
}
bzero(linebuf, bufsize);
}
-
+
error:
if(linebuf != NULL)
free(linebuf);
}
bzero(linebuf, bufsize);
}
-
+
error:
if(linebuf != NULL)
free(linebuf);
int status;
pid_t child_pid;
pid_t child_pgid;
-
+
child_pgid = getpgid(info->si_pid);
SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid);
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Create a new cookie. or find existing one */
pthread_mutex_lock(&cookie_mutex);
- created_cookie = create_cookie_item(client_pid, c_list);
+ created_cookie = create_cookie_item(client_pid, sockfd, c_list);
pthread_mutex_unlock(&cookie_mutex);
if(created_cookie == NULL)
{
{
SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
}
+ SEC_SVR_DBG("Server: Cookie created for client PID %d LABEL >%s<",
+ created_cookie->pid,
+ (created_cookie->smack_label)?(created_cookie->smack_label):"NULL");
+
SEC_SVR_DBG("%s", "Server: Cookie has been sent to client");
error:
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
goto error;;
}
- retval = recv_check_privilege_request(sockfd,
+ retval = recv_check_privilege_request(sockfd,
requested_cookie, &requested_privilege);
if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
{
SEC_SVR_DBG("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(requested_privilege < 1)
{
SEC_SVR_DBG("Requiring bad privilege [%d]", requested_privilege);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
/* We found */
SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid);
SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
if(retval != SECURITY_SERVER_SUCCESS)
{
{
/* It's not exist */
SEC_SVR_DBG("Could not find the cookie with %d privilege", requested_privilege);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
+ }
+ }
+error:
+ return retval;
+}
+
+int process_check_privilege_new_request(int sockfd)
+{
+ /* Authenticate client */
+ int retval, client_pid, requested_privilege;
+ unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
+ cookie_list *search_result = NULL;
+ char object_label[MAX_OBJECT_LABEL_LEN+1];
+ char access_rights[MAX_MODE_STR_LEN+1];
+
+ retval = authenticate_client_middleware(sockfd, &client_pid);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("%s", "Client Authentication Failed");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;;
+ }
+
+ retval = recv_check_privilege_new_request(
+ sockfd, requested_cookie, object_label, access_rights);
+ if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
+ {
+ SEC_SVR_DBG("%s", "Receiving request failed");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;;
+ }
+
+ /* Search cookie list */
+ pthread_mutex_lock(&cookie_mutex);
+ search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights);
+ pthread_mutex_unlock(&cookie_mutex);
+
+ if(search_result != NULL)
+ {
+ /* We found */
+ SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid);
+ SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
+ }
+ }
+ else
+ {
+ /* It's not exist */
+ SEC_SVR_DBG("Could not find the cookie with %s rights", access_rights);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
if(retval != SECURITY_SERVER_SUCCESS)
{
}
error:
return retval;
+
+
}
int process_object_name_request(int sockfd)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if (retval < sizeof(requested_privilege))
{
SEC_SVR_DBG("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
}
/* Search from /etc/group */
- retval = search_object_name(requested_privilege,
- object_name,
+ retval = search_object_name(requested_privilege,
+ object_name,
SECURITY_SERVER_MAX_OBJ_NAME);
if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
{
/* It's not exist */
SEC_SVR_DBG("There is no such object for gid [%d]", requested_privilege);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Error occurred */
SEC_SVR_DBG("Error on searching object name [%d]", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client authentication failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Too big ojbect name */
SEC_SVR_DBG("%s", "Object name is too big");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if (retval < msg_len )
{
SEC_SVR_DBG("%s", "Failed to read object name");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Not exist */
SEC_SVR_DBG("The object [%s] is not exist", object_name);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
if(retval != SECURITY_SERVER_SUCCESS)
}
goto error;
}
-
+
if(retval < 0)
{
/* Error occurred */
SEC_SVR_DBG("Cannot send the response. %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
{
SEC_SVR_DBG("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
retval = send_pid(sockfd, search_result->pid);
-
+
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
{
/* It's not exist */
SEC_SVR_DBG("%s", "Could not find the cookie");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
if(retval != SECURITY_SERVER_SUCCESS)
{
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(int))
{
SEC_SVR_DBG("Error: argc recieve failed: %d", retval);
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(recved_argv == NULL)
{
SEC_SVR_DBG("Error: malloc() failed: %d", retval);
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
goto error;
}
memset(recved_argv, 0, sizeof(char *) * argcnum);
-
+
retval = recv_launch_tool_request(client_sockfd, argcnum -1, recved_argv);
if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
{
SEC_SVR_DBG("%s", "Receiving request failed");
recved_argv = NULL;
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(argcnum < 2)
{
SEC_SVR_DBG("Error: Too small number of argv [%d]", argcnum);
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Error: Cannot execute debug tool [%d]", retval);
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
else
{
SEC_SVR_DBG("%s", "Tool has been executed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SUCCESS);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Response */
SEC_SVR_DBG("Receiving header error [%d]",retval);
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
process_check_privilege_request(client_sockfd);
break;
+ case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST:
+ SEC_SVR_DBG("%s", "Privilege check (new mode) received");
+ process_check_privilege_new_request(client_sockfd);
+ break;
+
case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
SEC_SVR_DBG("%s", "Get object name request received");
process_object_name_request(client_sockfd);
SEC_SVR_DBG("%s", "Server: validate password request received");
process_valid_pwd_request(client_sockfd);
break;
-
+
case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST:
SEC_SVR_DBG("%s", "Server: set password request received");
process_set_pwd_request(client_sockfd);
SEC_SVR_DBG("%s", "Server: set password histroy request received");
process_set_pwd_history_request(client_sockfd);
break;
+
+ case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST:
+ SEC_SVR_DBG("%s", "Server: set password max challenge request received");
+ process_set_pwd_max_challenge_request(client_sockfd);
+ break;
+
+ case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST:
+ SEC_SVR_DBG("%s", "Server: set password validity request received");
+ process_set_pwd_validity_request(client_sockfd);
+ break;
+
/************************************************************************************************/
/* Just for test. This code must be removed on release */
case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST:
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
default:
SEC_SVR_DBG("Unknown msg ID :%d", basic_hdr.msg_id);
/* Unknown message ID */
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
-int main(int argc, char* argv[])
+int main(int argc, char* argv[])
{
int server_sockfd = 0, retval, client_sockfd = -1, args[2], rc;
struct sigaction act, dummy;
{
SEC_SVR_DBG("%s", "cannot change session");
}
-
+
pthread_mutex_init(&cookie_mutex, NULL);
while(1)
/* Accept a new client */
if(client_sockfd < 0)
client_sockfd = accept_client(server_sockfd);
-
+
if(client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT)
continue;
if(client_sockfd < 0)
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
int dir_filter(const struct dirent *entry)
{
- if ((strcmp(entry->d_name, ".") == 0) ||
+ if ((strcmp(entry->d_name, ".") == 0) ||
(strcmp(entry->d_name, "..") == 0) ||
(strcmp(entry->d_name, "attempts") ==0) ||
(strcmp(entry->d_name, "history") ==0) )
free(mydirent);
return SECURITY_SERVER_SUCCESS;
}
-
+
int load_password(unsigned char *cur_pwd, unsigned int *max_attempt, unsigned int *expire_time)
{
int retval, fd;
return SECURITY_SERVER_ERROR_FILE_OPERATION;
}
}
- return attempt;
+ return attempt;
}
int reset_attempt(void)
}
}
- if(expire_time == 0)
- {
- SEC_SVR_DBG("Server: Password has been expired: %d, %d", current_time, expire_time);
- return SECURITY_SERVER_ERROR_PASSWORD_EXPIRED;
- }
-
/* Compare */
- if(memcmp(cur_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) == 0)
+ if(memcmp(cur_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) != 0)
{
- SEC_SVR_DBG("%s", "Password matched");
- return SECURITY_SERVER_SUCCESS;
+ SEC_SVR_DBG("%s", "Password mismatched");
+ return SECURITY_SERVER_ERROR_PASSWORD_MISMATCH;
}
- SEC_SVR_DBG("%s", "Password mismatched");
- return SECURITY_SERVER_ERROR_PASSWORD_MISMATCH;
+
+ if(expire_time == 0)
+ {
+ SEC_SVR_DBG("Server: Password has been expired: %d, %d", current_time, expire_time);
+ return SECURITY_SERVER_ERROR_PASSWORD_EXPIRED;
+ }
+
+ SEC_SVR_DBG("%s", "Password matched");
+ return SECURITY_SERVER_SUCCESS;
}
int set_history(int num)
SEC_SVR_DBG("%s", "Server: history set finished");
return SECURITY_SERVER_SUCCESS;
}
-
+
int get_history_num(void)
{
retval2 = SECURITY_SERVER_ERROR_PASSWORD_REUSED;
}
history_count--;
-
+
}
/* Remove too old or invalid password history */
}
/* Password file format */
-/* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+/* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* |---------------------------------------------------------------|
* | |
* | |
* | Expiration time in seconds (4 bytes) |
* |---------------------------------------------------------------|
*/
-int set_password(const unsigned char *requested_new_pwd, const unsigned int attempts,
+int set_password(const unsigned char *requested_new_pwd, const unsigned int attempts,
const unsigned int expire_time)
{
int retval, fd;
fsync(fd);
close(fd);
SEC_SVR_DBG("%s", "Password file created");
- return SECURITY_SERVER_SUCCESS;
+ return SECURITY_SERVER_SUCCESS;
}
int check_retry(const struct timeval cur_try)
if(interval_sec > SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND)
return SECURITY_SERVER_SUCCESS;
- if(interval_sec == SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND
+ if(interval_sec == SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND
&& interval_usec >= 0)
return SECURITY_SERVER_SUCCESS;
int retval, current_attempts, password_set;
unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
unsigned int max_attempt, expire_time;
-
-/*
+
+/*
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
if(retval != SECURITY_SERVER_SUCCESS)
if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
{
SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(current_attempts < 0)
{
SEC_SVR_DBG("Server ERROR: Cannot get attempts: %d", current_attempts);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
/* There is no password */
if(password_set == SECURITY_SERVER_ERROR_NO_PASSWORD)
{
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_PASSWORD,
+ SECURITY_SERVER_RETURN_CODE_NO_PASSWORD,
0, 0, 0);
if(retval != SECURITY_SERVER_SUCCESS)
{
}
if(password_set == SECURITY_SERVER_SUCCESS)
{
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST,
current_attempts, max_attempt, expire_time);
goto error;
}
SEC_SVR_DBG("Server ERROR: Unknown error: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
if(retval != SECURITY_SERVER_SUCCESS)
if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
{
SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(char) || cur_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
{
SEC_SVR_DBG("Server Error: current password length recieve failed: %d, %d", retval, cur_pwd_len);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
{
SEC_SVR_DBG("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < cur_pwd_len)
{
SEC_SVR_DBG("Server Error: current password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(password_set == SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Server Error: password is already set: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < new_pwd_len)
{
SEC_SVR_DBG("Server Error: new password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(unsigned int))
{
SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(unsigned int))
{
SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
SHA256_Init(&context);
SHA256_Update(&context, (unsigned char*)requested_new_pwd, strlen(requested_new_pwd));
SHA256_Final(hashed_new_pw, &context);
-
+
/* check current password */
if(password_set == SECURITY_SERVER_SUCCESS)
{
if(retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH)
{
SEC_SVR_DBG("%s", "Server: Wrong password");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED)
{
SEC_SVR_DBG("%s", "Server: Too many challange");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED)
{
SEC_SVR_DBG("%s", "Server: Password expired");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Error: Password check failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
retval = check_history(hashed_new_pw);
if(retval == SECURITY_SERVER_ERROR_PASSWORD_REUSED)
{
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_REUSED);
if(retval != SECURITY_SERVER_SUCCESS)
{
/* Client ask to set with current password, but there is no password now */
SEC_SVR_DBG("%s", "Server: There is no current password. But try to set with current password");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
/* All done. send response */
SEC_SVR_DBG("%s", "Server: Password has been successfully modified");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SUCCESS);
if(retval != SECURITY_SERVER_SUCCESS)
SHA256_CTX context;
/* Authenticate client that peer is setting app goes here*/
-/*
+/*
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
if(retval != SECURITY_SERVER_SUCCESS)
if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
{
SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
{
SEC_SVR_DBG("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < new_pwd_len)
{
SEC_SVR_DBG("Server Error: new password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(unsigned int))
{
SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(unsigned int))
{
SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Server Error: Password set failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
/* All done. send response */
SEC_SVR_DBG("%s", "Server: Password has been successfully modified");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SUCCESS);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
if(retval != SECURITY_SERVER_SUCCESS)
if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR)
{
SEC_SVR_DBG("%s", "ServerERROR: Responding error because we cannot provide password service");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(char) || challenge_len > SECURITY_SERVER_MAX_PASSWORD_LEN)
{
SEC_SVR_DBG("Server ERROR: challenge length recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < challenge_len)
{
SEC_SVR_DBG("Server ERROR: current password recieve failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
else
{
SEC_SVR_DBG("Error: Challenge length too short: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH)
{
SEC_SVR_DBG("%s", "Server: Wrong password");
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH,
+ SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH,
current_attempt, max_attempt, expire_time);
if(retval != SECURITY_SERVER_SUCCESS)
{
if(retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED)
{
SEC_SVR_DBG("%s", "Server: Too many trial");
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED,
current_attempt, max_attempt, expire_time);
if(retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED)
{
SEC_SVR_DBG("%s", "Server: Password expired");
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED,
current_attempt, max_attempt, 0);
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Server ERROR: Password check failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
/* Password matched */
SEC_SVR_DBG("%s", "Server: Password matched");
- retval = send_pwd_response(sockfd,
+ retval = send_pwd_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SUCCESS,
current_attempt, max_attempt, expire_time);
}
/* There is no password */
-
+
SEC_SVR_DBG("%s", "Server: There is no password to be checked");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE,
SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
if(retval != SECURITY_SERVER_SUCCESS)
f(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
+ retval = send_generic_response(client_sockfd,
SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("%s", "Server: Retry timeout occurred");
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval < sizeof(char) || history_num > SECURITY_SERVER_MAX_PASSWORD_HISTORY || history_num < 0 )
{
SEC_SVR_DBG("Server Error: History number recieve failed: %d, %d", retval, history_num);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
if(retval != SECURITY_SERVER_SUCCESS)
if(retval != SECURITY_SERVER_SUCCESS)
{
SEC_SVR_DBG("Server Error: History number set failed: %d", retval);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
if(retval != SECURITY_SERVER_SUCCESS)
}
}
SEC_SVR_DBG("Server History has been set to %d", history_num);
- retval = send_generic_response(sockfd,
+ retval = send_generic_response(sockfd,
SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE,
SECURITY_SERVER_RETURN_CODE_SUCCESS);
if(retval != SECURITY_SERVER_SUCCESS)
error:
return retval;
}
+
+
+int process_set_pwd_max_challenge_request(int sockfd)
+{
+ unsigned int max_challenge, current_challenge, current_validity;
+ unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
+ int retval;
+
+ // TODO here we should probably check if the peer has rights to change
+ // this value (max challenge) for current password
+
+ retval = read(sockfd, &max_challenge, sizeof(unsigned int));
+ if(retval < sizeof(unsigned int))
+ {
+ SEC_SVR_DBG("Server Error: recieve failed: %d", retval);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ SEC_SVR_DBG("Server max challenge request: %d", max_challenge);
+
+ // Getting currently set password
+ retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity);
+ /* If we cannot load password file */
+ if(retval == SECURITY_SERVER_ERROR_NO_PASSWORD)
+ {
+ SEC_SVR_DBG("%s", "Server: can't read current password");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+ else if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("%s", "Server: can't read current password");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ // Set 'new' password file with old password and new max challenge
+ retval = set_password(cur_pwd, max_challenge, time(NULL) + current_validity);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server Error: Password set failed: %d", retval);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SUCCESS);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ retval = reset_attempt();
+error:
+ return retval;
+}
+
+int process_set_pwd_validity_request(int sockfd)
+{
+ unsigned int current_challenge, current_validity, validity;
+ unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN];
+ int retval;
+
+ // TODO here we should probably check if the peer has rights to change
+ // this value (validity) for current password
+
+ retval = read(sockfd, &validity, sizeof(unsigned int));
+ if(retval < sizeof(unsigned int))
+ {
+ SEC_SVR_DBG("Server Error: recieve failed: %d", retval);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ SEC_SVR_DBG("Server validity request: %d", validity);
+
+ // Calculating validity in seconds
+ if(validity == 0)
+ validity = 0;
+ else
+ validity = time(NULL) + (validity * 86400);
+
+ // Getting currently set password
+ retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity);
+ /* If we cannot load password file */
+ if(retval == SECURITY_SERVER_ERROR_NO_PASSWORD)
+ {
+ SEC_SVR_DBG("%s", "Server: can't read current password");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_NO_PASSWORD);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+ else if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("%s", "Server: can't read current password");
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ // Set 'new' password file with old password and new validity
+ retval = set_password(cur_pwd, current_challenge, validity);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server Error: Password set failed: %d", retval);
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ goto error;
+ }
+
+ retval = send_generic_response(sockfd,
+ SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE,
+ SECURITY_SERVER_RETURN_CODE_SUCCESS);
+ if(retval != SECURITY_SERVER_SUCCESS)
+ {
+ SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval);
+ }
+ retval = reset_attempt();
+error:
+ return retval;
+}
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
*
*/
+
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
/*
* security-server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Bumjin Im <bj.im@samsung.com>
*
/*
- * security-server
- *
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * security server
*
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
*/
-#include <stdio.h>
+ #include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include "security-server.h"
/*
- * security-server
+ * security server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
+ * Contact: Bumjin Im <bj.im@samsung.com>
*
*/
gid_t *g_groups = NULL;
int g_perm_num, g_group_num;
+char *object_label = NULL;
+char *subject_label = NULL;
+char *access_rights = NULL;
+
+/*
+ * 0 - old mode (uid/gid)
+ * 1 - new mode (SMACK labels)
+ */
+int mode_new = 0;
+
void printusage(char *cmdline)
{
printf("%s\n", "Usage: ");
printf("%s -u uid -g gid1 gid2 gid3... -p gid_a gid_b gid_c ...\n", cmdline);
+ printf("%s\n", "or:");
+ printf("%s -s subject -o object -a access-rights\n", cmdline);
printf("%s\n", "[Options]");
printf("%s\n", "-u: UID that the process are running as");
printf("%s\n", " Only one UID is allowed.");
printf("%s\n", "-g: GIDs that the process belongs to");
printf("%s\n", "-p: GIDs that the process wants to get privilege");
- printf("%s\n", "Example:");
+ printf("%s\n", "-s: subject label (label of the process)");
+ printf("%s\n", "-o: object label to be accessed");
+ printf("%s\n", "-a: accessed rights requested (one or more of the letterrs rwx)");
+ printf("%s\n", "Examples:");
printf("%s -u 5000 -g 6001 6002 6003 6004 6005 6006 6007 -p 6001 6002 6010\n", cmdline);
+ printf("%s -s mylabel -o objlabel -a rx\n", cmdline);
}
int privilege_control(int argc, char *argv[])
{
+
+ if (argc == 7 && !strcmp(argv[1], "-s"))
+ {
+ return privilege_control_new(argc, argv);
+ }
+ else
+ {
+ return privilege_control_old(argc, argv);
+ }
+}
+
+int privilege_control_old(int argc, char *argv[])
+{
int option = 0; /* 0: no, 1: uID, 2: gid, 3: permission */
int uid_flag = 0, gid_flag= 0, perm_flag = 0, i = 1, number, uid = 0, j;
return 0;
}
+int privilege_control_new(int argc, char *argv[])
+{
+ if (argc == 7 && !strcmp(argv[1], "-s") &&
+ !strcmp(argv[3], "-o") &&
+ !strcmp(argv[5], "-a"))
+ {
+ int fd, len, ret; int e;
+ mode_new = 1;
+ subject_label = argv[2];
+ object_label = argv[4];
+ access_rights = argv[6];
+ fd = open("/proc/self/attr/current", O_WRONLY|O_TRUNC, 0);
+ if (fd < 0)
+ {
+ printf("Cannot set my own smack label... maybe I'm not root?");
+ exit(1);
+ }
+ len = strlen(subject_label);
+ ret = write(fd, subject_label, len);
+ if (ret != len)
+ {
+ e = errno;
+ printf("(2)Cannot set my own smack label... maybe I'm not root?");
+ exit(1);
+ }
+ close(fd);
+ setgid(1);
+ setuid(1);
+ }
+ else
+ {
+ printusage(argv[0]);
+ exit(1);
+ }
+
+ return 0;
+}
+
int connect_to_testserver()
{
struct sockaddr_un clientaddr;
return 0;
}
+/*
+ * @param direct 0=via security server 1=directly from IPC socket
+ */
+int send_request_new_cookie(int sock_fd,
+ const char *cookie,
+ const char *subject_label,
+ const char *access_rights)
+{
+ unsigned char buf[1024] = {17, 0, 0, 0, };
+ int olen, alen;
+ int size, ret;
+ olen = strlen(subject_label);
+ alen = strlen(access_rights);
+ size = 24+2*sizeof(int)+olen+alen;
+ memcpy(buf + 4, cookie, 20);
+ memcpy(buf + 24, &olen, sizeof(int));
+ memcpy(buf + 28, &alen, sizeof(int));
+ memcpy(buf + 32, subject_label, olen);
+ memcpy(buf + 32 + olen, access_rights, alen);
+ ret = write(sock_fd, buf, size);
+ if(ret < size)
+ {
+ printf("Cannot send\n");
+ close(sock_fd);
+ exit(1);
+ }
+ return 0;
+}
+
+int send_request_new_direct(int sock_fd,
+ const char *object_label,
+ const char *access_rights)
+{
+ unsigned char buf[1024] = {17, 0, 0, 1, };
+ int olen, alen;
+ int size, ret;
+ olen = strlen(object_label);
+ alen = strlen(access_rights);
+ size = 24+2*sizeof(int)+olen+alen;
+ memcpy(buf + 4, &olen, sizeof(int));
+ memcpy(buf + 8, &alen, sizeof(int));
+ memcpy(buf + 12, object_label, olen);
+ memcpy(buf + 12 + olen, access_rights, alen);
+ ret = write(sock_fd, buf, size);
+ if(ret < size)
+ {
+ printf("Cannot send\n");
+ close(sock_fd);
+ exit(1);
+ }
+ return 0;
+}
int recv_result(int sock_fd)
{
sleep(1);
printf("TC C4: security_server_check_privilege(): client is not allowed\n");
- ret = security_server_check_privilege(cookie, g_permissions[0]);
- if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED)
- {
- printf("TC C4 failed. %d\n", ret);
- exit(1);
- }
- printf("TC C4: PASSED\n\n");
- sleep(1);
+ if (mode_new)
+ {
+ printf("TC C4: SKIPPED because new mode (SMACK-based) was selected.\n");
+ }
+ else
+ {
+ ret = security_server_check_privilege(cookie, g_permissions[0]);
+ if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED)
+ {
+ printf("TC C4 failed. %d\n", ret);
+ exit(1);
+ }
+ printf("TC C4: PASSED\n\n");
+ sleep(1);
+ }
printf("TC C5: security_server_get_gid(): client is not allowed\n");
ret = security_server_get_gid("telephony");
sleep(1);
printf("TC C6: security_server_get_object_name(): client is not allowed\n");
- ret = security_server_get_object_name(g_groups[0], tmpchar, sizeof(tmpchar));
- if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED)
- {
- printf("TC C6 failed. %d\n", ret);
- exit(1);
- }
- printf("TC C6: PASSED\n\n");
- sleep(1);
-
- printf("TC C7: Requesting access to test server\n");
- for(i=0;i<g_perm_num;i++)
- {
- sock_fd = connect_to_testserver();
- if(sock_fd < 1)
- {
- printf("Socket connection error\n");
- exit(1);
- }
- printf("%d: requesting %d permission...sockfd=%d\n", i, g_permissions[i], sock_fd);
- ret = send_request(sock_fd, cookie, g_permissions[i]);
- if(ret != 0)
- {
- printf("send failed\n");
- close(sock_fd);
- exit(1);
- }
+ if (mode_new)
+ {
+ printf("TC C6: SKIPPED because new mode (SMACK-based) was selected.\n");
+ }
+ else
+ {
+ ret = security_server_get_object_name(g_groups[0], tmpchar, sizeof(tmpchar));
+ if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED)
+ {
+ printf("TC C6 failed. %d\n", ret);
+ exit(1);
+ }
+ printf("TC C6: PASSED\n\n");
+ sleep(1);
+ }
+
+ printf("TC C7: Requesting access to test server via security server\n");
+ if (mode_new)
+ {
+ printf("object: >%s<\n", object_label);
+ printf("subject: >%s<\n", subject_label);
+ printf("access: >%s<\n", access_rights);
+
+ sock_fd = connect_to_testserver();
+ if(sock_fd < 1)
+ {
+ printf("Socket connection error\n");
+ exit(1);
+ }
+ ret = send_request_new_cookie(sock_fd, cookie, object_label, access_rights);
+ if(ret != 0)
+ {
+ printf("send failed\n");
+ close(sock_fd);
+ exit(1);
+ }
+ ret = recv_result(sock_fd);
+ if(ret == SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("Permission granted\n\n");
+ }
+ else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED)
+ {
+ printf("Permission denied\n\n");
+ }
+ else
+ {
+ printf("Recv error\n");
+ close(sock_fd);
+ exit(1);
+ }
+ close(sock_fd);
+ sock_fd = 0;
+ sleep(1);
+ }
+ else
+ {
+ for(i=0;i<g_perm_num;i++)
+ {
+ sock_fd = connect_to_testserver();
+ if(sock_fd < 1)
+ {
+ printf("Socket connection error\n");
+ exit(1);
+ }
+ printf("%d: requesting %d permission...sockfd=%d\n", i, g_permissions[i], sock_fd);
+ ret = send_request(sock_fd, cookie, g_permissions[i]);
+ if(ret != 0)
+ {
+ printf("send failed\n");
+ close(sock_fd);
+ exit(1);
+ }
+
+ ret = recv_result(sock_fd);
+ if(ret == SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("Permission granted\n\n");
+ }
+ else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED)
+ {
+ printf("Permission denied\n\n");
+ }
+ else
+ {
+ printf("Recv error\n");
+ close(sock_fd);
+ exit(1);
+ }
+ close(sock_fd);
+ sock_fd = 0;
+ }
+ sleep(1);
+ }
+
+ printf("TC C7a: Requesting access to test server with direct IPC\n");
+ if (mode_new)
+ {
+ printf("subject: >%s<\n", subject_label);
+ printf("object: >%s<\n", object_label);
+ printf("access: >%s<\n", access_rights);
+
+ sock_fd = connect_to_testserver();
+ if(sock_fd < 1)
+ {
+ printf("Socket connection error\n");
+ exit(1);
+ }
+ ret = send_request_new_direct(sock_fd, object_label, access_rights);
+ if(ret != 0)
+ {
+ printf("send failed\n");
+ close(sock_fd);
+ exit(1);
+ }
+ ret = recv_result(sock_fd);
+ if(ret == SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("Permission granted\n\n");
+ }
+ else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED)
+ {
+ printf("Permission denied\n\n");
+ }
+ else
+ {
+ printf("Recv error\n");
+ close(sock_fd);
+ exit(1);
+ }
+ close(sock_fd);
+ sock_fd = 0;
+ sleep(1);
+ }
+ else
+ {
+ printf("TC C7a: SKIPPED because old mode (uid/gid-based) was selected.\n");
+ }
- ret = recv_result(sock_fd);
- if(ret == SECURITY_SERVER_API_SUCCESS)
- {
- printf("Permission granted\n\n");
- }
- else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED)
- {
- printf("Permission denied\n\n");
- }
- else
- {
- printf("Recv error\n");
- close(sock_fd);
- exit(1);
- }
- close(sock_fd);
- sock_fd = 0;
- }
- sleep(1);
printf("TC 08: Requesting cookie for same PID with different path\n");
printf(" Exiting this process to cycle different process as same PID.\n");
printf(" Please look at the test server's terminal for the result\n");
/*
- * security-server
+ * security server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
+ * Contact: Bumjin Im <bj.im@samsung.com>
*
*/
int dir_filter(const struct dirent *entry)
{
- if ((strcmp(entry->d_name, ".") == 0) ||
+ if ((strcmp(entry->d_name, ".") == 0) ||
(strcmp(entry->d_name, "..") == 0) ||
(strcmp(entry->d_name, "attempts") ==0) ||
(strcmp(entry->d_name, "history") ==0) )
printf("If not, you will see some TC failures\n");
}
+ printf("TC P1.1: security_server_set_pwd_validity(): There is no password yet\n");
+ ret = security_server_set_pwd_validity(10);
+ if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD)
+ {
+ printf("TC P1.1 failed. %d\n", ret);
+ exit(1);
+ }
+ ret = security_server_set_pwd_validity(11);
+ if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD)
+ {
+ printf("TC P1.1 failed. %d\n", ret);
+ exit(1);
+ }
+
+ printf("TC P1.1: PASSED\n\n");
+ sleep(1);
+
+ printf("TC P1.2: security_server_set_pwd_max_challenge(): There is no password yet\n");
+ ret = security_server_set_pwd_max_challenge(5);
+ if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD)
+ {
+ printf("TC P1.2 failed. %d\n", ret);
+ exit(1);
+ }
+ ret = security_server_set_pwd_max_challenge(6);
+ if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD)
+ {
+ printf("TC P1.2 failed. %d\n", ret);
+ exit(1);
+ }
+
+ printf("TC P1.2: PASSED\n\n");
+ sleep(1);
+
printf("TC P2: security_server_chk_pwd(): Too long password case\n");
ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec); /* 33 chars */
if(ret != SECURITY_SERVER_API_ERROR_INPUT_PARAM)
printf("TC P7: PASSED\n\n");
sleep(1);
+
+ printf("TC P7.1: security_server_set_pwd_validity(): Normal case when there is a password\n");
+ ret = security_server_set_pwd_validity(1);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P7.1 failed. %d\n", ret);
+ exit(1);
+ }
+
+ ret = security_server_set_pwd_validity(2);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P7.1 failed. %d\n", ret);
+ exit(1);
+ }
+
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXIST)
+ {
+ printf("TC P7.1 failed. %d\n", ret);
+ exit(1);
+ }
+ if (expire_sec < 172798 || expire_sec > 172800) // About 2 days in seconds +-1 second
+ {
+ printf("TC P7.1 failed. Invalid expiration time in seconds: %d", expire_sec);
+ exit(1);
+ }
+
+ printf("TC P7.1: PASSED\n\n");
+ sleep(1);
+
+
+ printf("TC P7.2: security_server_set_pwd_max_challenge(): Normal case when there is a password\n");
+ ret = security_server_set_pwd_max_challenge(5);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P7.2 failed. %d\n", ret);
+ exit(1);
+ }
+
+
+ ret = security_server_set_pwd_max_challenge(6);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P7.2 failed. %d\n", ret);
+ exit(1);
+ }
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+ if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXIST)
+ {
+ printf("TC P7.1 failed. %d\n", ret);
+ exit(1);
+ }
+ if (6 != max_attempt)
+ {
+ printf("TC P7.2 failed. Invalid max_attempt: %d", max_attempt);
+ exit(1);
+ }
+
+ printf("TC P7.2: PASSED\n\n");
+ sleep(1);
+
printf("TC P8: security_server_chk_pwd(): normal(correct pwd) case\n");
ret = security_server_chk_pwd(argv[1], &attempt, &max_attempt, &expire_sec);
if(ret != SECURITY_SERVER_API_SUCCESS)
}
printf("TC P9: PASSED\n\n");
sleep(1);
-
+
printf("TC P10: security_server_chk_pwd(): incorrect pwd case\n");
(argv[1])[0]++;
ret = security_server_chk_pwd(argv[1], &attempt, &max_attempt, &expire_sec);
exit(1);
}
printf("TC P13: PASSED\n\n");
- sleep(1);
+ sleep(1);
printf("TC P14: security_server_chk_pwd(): attempt exceeding case\n");
for(i=0;i<10;i++)
exit(1);
}
printf("TC P14: PASSED\n\n");
- sleep(1);
+ sleep(1);
printf("TC P15: security_server_reset_pwd(): Reset current password\n");
ret = security_server_reset_pwd(argv[1],0, 0);
exit(1);
}
printf("TC P15: PASSED\n\n");
- sleep(1);
+ sleep(1);
printf("TC P16: security_server_set_pwd(): Check expiration \n");
ret = security_server_set_pwd(argv[1], argv[2], 10, 1);
exit(1);
}
printf("TC P16: PASSED\n\n");
- sleep(1);
+ sleep(1);
printf("TC P17: security_server_chk_pwd(): Check expiration sec decreasing\n");
ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
sleep(1);
}
printf("\nTC P17: PASSED\n\n");
-
+
printf("TC P18: security_server_chk_pwd(): Check expiration with system time change\n");
ret = gettimeofday(&cur_time, NULL);
if(ret < 0)
}
printf("TC P23: security_server_chk_pwd(): incorrect with replay attack\n");
ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
- do
+ do
{
i = i + 100000;
ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
printf("Last interval was %d.%06d sec.\n", (i /1000000), (i % 1000000) );
printf("TC P23: PASSED\n\n");
+ printf("TC P24: security_server_chk_pwd(): wrong challenge on expired password\n");
+ sleep(2);
+ ret = security_server_set_pwd("history60", "newpwd23", 4, 1);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P24 failed[1]. %d\n", ret);
+ exit(1);
+ }
+ sleep(2);
+ ret = security_server_chk_pwd("newpwd23", &attempt, &max_attempt, &expire_sec);
+ if(ret != SECURITY_SERVER_API_SUCCESS)
+ {
+ printf("TC P24 failed[2]. %d\n", ret);
+ exit(1);
+ }
+
+ ret = gettimeofday(&cur_time, NULL);
+ if(ret < 0)
+ {
+ printf("TC P24 failed[3]. %d\n", ret);
+ exit(1);
+ }
+ cur_time.tv_sec += (expire_sec + 1);
+ ret = settimeofday(&cur_time, NULL);
+ if(ret < 0)
+ {
+ printf("TC P24 failed[4]. %d\n", ret);
+ exit(1);
+ }
+ sleep(2);
+ ret = security_server_chk_pwd("newpwd23", &attempt, &max_attempt, &expire_sec);
+ if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED)
+ {
+ printf("TC P24 failed[5]. %d\n", ret);
+ exit(1);
+ }
+ sleep(2);
+ ret = security_server_chk_pwd("newpwd23_invalid", &attempt, &max_attempt, &expire_sec);
+ if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH)
+ {
+ printf("TC P24 failed[6]. %d\n", ret);
+ exit(1);
+ }
+ printf("TC P24: PASSED\n\n");
return 0;
}
/*
- * security-server
+ * security server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
*
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * Contact: Bumjin Im <bj.im@samsung.com>
*
*/
/*
- * security-server
+ * security server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
+ * Contact: Bumjin Im <bj.im@samsung.com>
*
*/
char obj_name[30];
struct pollfd accept_poll[1], client_poll[1];
struct sockaddr_un clientaddr;
-
+ int olen, alen;
+ char olabel[1024];
+ char arights[32];
ret = getuid();
if(ret != 0)
}
}
}
- else
- {
- if(recvbuf[0] == 255 && recvbuf[1] == 255 && recvbuf[2] == 255 && recvbuf[3] == 255)
+ else if(recvbuf[0] == 255 && recvbuf[1] == 255 && recvbuf[2] == 255 && recvbuf[3] == 255)
{
char *myargv[5] = {NULL};
int i, cnt;
free(myargv[3]);
}
}
- else
+ else if(recvbuf[0] == 17 )
+ {
+ if (recvbuf[3] == 0)
+ {
+ ret = read(client_sockfd, recvbuf, 20);
+ if(ret < 20)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ memcpy(recved_cookie, recvbuf, 20);
+ ret = read(client_sockfd, &olen, 4);
+ if(ret < 4)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ ret = read(client_sockfd, &alen, 4);
+ if(ret < 4)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ ret = read(client_sockfd, olabel, olen);
+ if(ret < olen)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ olabel[olen] = '\0';
+ ret = read(client_sockfd, arights, alen);
+ if(ret < alen)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ arights[alen] = '\0';
+ printf("Check by cookie requested.\n");
+ printf("requested cookie: \n");
+ printhex(recved_cookie, 20);
+ printf("olen: %d\n", olen);
+ printf("object label: >%s<\n", olabel);
+ printf("alen: %d\n", alen);
+ printf("access rights: >%s<\n", arights);
+
+ ret = security_server_check_privilege_by_cookie(
+ recved_cookie, olabel, arights);
+
+ printf("return: %d\n", ret);
+
+ ret = write(client_sockfd, &ret, sizeof(int));
+ if(ret < sizeof(int))
+ {
+ printf("Send error: %d\n", ret);
+ printf("Test failed: %d\n", ret);
+ goto error;
+ }
+ }
+ else if (recvbuf[3] == 1)
+ {
+ ret = read(client_sockfd, &olen, 4);
+ if(ret < 4)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ ret = read(client_sockfd, &alen, 4);
+ if(ret < 4)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ ret = read(client_sockfd, olabel, olen);
+ if(ret < olen)
+ {
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ olabel[olen] = '\0';
+ ret = read(client_sockfd, arights, alen);
+ if(ret < alen)
{
- printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]);
+ close(client_sockfd);
+ printf("cannot read request:%d\n", ret);
+ close(client_sockfd);
+ continue;
+ }
+ arights[alen] = '\0';
+ printf("Check by sockfd requested.\n");
+ printf("olen: %d\n", olen);
+ printf("object label: >%s<\n", olabel);
+ printf("alen: %d\n", alen);
+ printf("access rights: >%s<\n", arights);
+
+ ret = security_server_check_privilege_by_sockfd(
+ client_sockfd, olabel, arights);
+
+ ret = write(client_sockfd, &ret, sizeof(int));
+ if(ret < sizeof(int))
+ {
+ printf("Send error: %d\n", ret);
printf("Test failed: %d\n", ret);
goto error;
}
+ } else {
+ printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]);
+ printf("Test failed: %d\n", ret);
+ goto error;
+ }
+ }
+ else
+ {
+ printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]);
+ printf("Test failed: %d\n", ret);
+ goto error;
}
if(client_sockfd > 0)
{
/*
- * security-server
+ * security server
*
- * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
+ * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd.
+ * Contact: Bumjin Im <bj.im@samsung.com>
*
*/