From 37a81afa64c4c8f022af8d7977cc1cb69a8ca842 Mon Sep 17 00:00:00 2001 From: Kidong Kim Date: Wed, 22 Aug 2012 13:48:10 +0900 Subject: [PATCH] source code open - security-server --- CMakeLists.txt | 4 +- LICENSE | 4 +- debian/changelog | 386 +++++++++++++++++++++++++++++- debian/control | 2 +- debian/rules | 4 +- debian/security-server.install.in | 4 +- include/security-server-comm.h | 23 +- include/security-server-common.h | 5 +- include/security-server-cookie.h | 24 +- include/security-server-password.h | 4 +- include/security-server-util.h | 2 +- include/security-server.h | 211 ++++++++++------ packaging/security-server.spec | 16 +- src/client/security-server-client.c | 212 +++++++++++++++- src/communication/security-server-comm.c | 372 +++++++++++++++++++++++----- src/server/security-server-cookie.c | 60 ++++- src/server/security-server-main.c | 192 +++++++++++---- src/server/security-server-password.c | 326 +++++++++++++++++++------ src/util/security-server-util-common.c | 3 +- src/util/security-server-util.c | 2 +- testcases/debug-util.c | 23 +- testcases/security_server_tc_client.c | 346 ++++++++++++++++++++------ testcases/security_server_tc_password.c | 175 ++++++++++++-- testcases/security_server_tc_pid_reuser.c | 18 +- testcases/security_server_tc_server.c | 156 ++++++++++-- testcases/test.h | 19 +- 26 files changed, 2120 insertions(+), 473 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2aabe26..0dfb68e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -14,7 +14,7 @@ SET(VERSION ${VERSION_MAJOR}.0.1) INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include) INCLUDE(FindPkgConfig) -pkg_check_modules(pkgs REQUIRED dlog openssl) +pkg_check_modules(pkgs REQUIRED dlog openssl libsmack) FOREACH(flag ${pkgs_CFLAGS}) SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${flag}") @@ -51,7 +51,7 @@ SET_TARGET_PROPERTIES(security-server-client PROPERTIES COMPILE_FLAGS "${libsecu ## for security-server (binary) SET(security-server_SOURCES ${sec_svr_src_dir}/server/security-server-main.c ${sec_svr_src_dir}/communication/security-server-comm.c ${sec_svr_src_dir}/server/security-server-cookie.c ${sec_svr_src_dir}/server/security-server-password.c ${sec_svr_src_dir}/util/security-server-util-common.c ) SET(security-server_CFLAGS " -I/usr/include -I. -I${sec_svr_include_dir} ${debug_type} -D_GNU_SOURCE ") -SET(security-server_LDFLAGS ${pkgs_LDFLAGS} -lpthread ) +SET(security-server_LDFLAGS ${pkgs_LDFLAGS} -lpthread) ADD_EXECUTABLE(security-server ${security-server_SOURCES}) TARGET_LINK_LIBRARIES(security-server ${pkgs_LDFLAGS}) diff --git a/LICENSE b/LICENSE index c0e0d97..8bcf8d7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,5 @@ -Copyright (c) 2012 Samsung Electronics Co., Ltd. All rights reserved. +Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd. All rights reserved. Apache License Version 2.0, January 2004 @@ -189,7 +189,7 @@ Copyright (c) 2012 Samsung Electronics Co., Ltd. All rights reserved. same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright (c) 2012 Samsung Electronics Co., Ltd. All rights reserved. + Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/debian/changelog b/debian/changelog index 97c318a..6be8b40 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,391 @@ +security-server (0.0.36) unstable; urgency=low + + * Reverted merge with wrt-security + * Git: framework/security/security/server + * Tag: security-server_0.0.36 + + -- Tomasz Swierczek Tue, 14 Aug 2012 14:17:00 +0200 + +security-server (0.0.1-48) unstable; urgency=low + + * Changed security_server_chk_pwd return codes + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-48 + + -- Tomasz Swierczek Tue, 22 May 2012 08:46:00 +0100 + +security-server (0.0.1-47) unstable; urgency=low + + * new API for password validity and retry number + * new API for SMACK-based permission check + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-47 + + -- Tomasz Swierczek Mon, 14 May 2012 12:12:00 +0100 + +security-server (0.0.1-46) unstable; urgency=low + + * change booting order from 25 to 10 + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-46 + + -- Kidong Kim Mon, 16 Apr 2012 15:22:17 +0900 + +security-server (0.0.1-45) unstable; urgency=low + + * systemd dependency in spec file has been deleted + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-45 + + -- Bumjin Im Thu, 29 Mar 2012 10:08:32 +0900 + +security-server (0.0.1-44) unstable; urgency=low + + * Spec file has been changed that package name was wrong. + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-44 + -- Bumjin Im Fri, 16 Mar 2012 18:20:31 +0900 + security-server (0.0.1-43) unstable; urgency=low * Bug fixed: security_server_reset_pwd() fails when password sets for the first time. - * Git: pkgs/s/security-server + * Git: slp/pkgs/s/security-server * Tag: security-server_0.0.1-43 -- Bumjin Wed, 18 Jan 2012 19:24:33 +0900 + +security-server (0.0.1-42) unstable; urgency=low + + * Added password history, attempts, and expiration management. API has been chagned. Function structure has been changed + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-42 + + -- Bumjin Im Thu, 12 Jan 2012 10:22:17 +0900 + +security-server (0.0.1-41) unstable; urgency=low + + * Phone password management API added. Support multi thread for multi-core support + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-41 + + -- Bumjin Im Wed, 04 Jan 2012 14:56:19 +0900 + +security-server (0.0.1-40) unstable; urgency=low + + * systemd dependency has been elimiated + * Git: slp/pkgs/s/security-server + * Tag: security-server_0.0.1-40 + + -- Bumjin Im Tue, 20 Dec 2011 11:23:55 +0900 + +security-server (0.0.1-39) unstable; urgency=low + + * License has been changed to Apache 2.0. All boilerplates and LICENSE files are changed to Apache 2.0 License + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-39 + + -- Bumjin Im Fri, 02 Dec 2011 17:48:40 +0900 + +security-server (0.0.1-38) unstable; urgency=low + + * SMACK setxattr for security server socket enabled + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-38 + + -- Bumjin Im Mon, 07 Nov 2011 15:45:32 +0900 + +security-server (0.0.1-37) unstable; urgency=low + + * Added Systemd support. SMACK labeling is commented out because of lack of kernel SMACK support + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-37 + + -- Bumjin Im Sat, 08 Oct 2011 09:36:44 +0900 + +security-server (0.0.1-36) unstable; urgency=low + + * Fixed version problem major 0 --> 1 + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-36 + + -- Bumjin Im Thu, 25 Aug 2011 09:37:02 +0900 + +security-server (0.0.1-35) unstable; urgency=low + + * security_server_get_gid() API bug fix. + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-35 + + -- Bumjin Im Tue, 23 Aug 2011 09:44:45 +0900 + +security-server (0.0.1-34) unstable; urgency=low + + * Modify COPYING file + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-34 + + -- Bumjin Im Fri, 15 Jul 2011 10:14:34 +0900 + +security-server (0.0.1-33) unstable; urgency=low + + * Modify boilerplates of each src files + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-33 + + -- Bumjin Im Wed, 13 Jul 2011 09:55:15 +0900 + +security-server (0.0.1-32) unstable; urgency=low + + * One more option (kill_app) to debug-util has been added + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-32 + + -- Bumjin Im Mon, 13 Jun 2011 15:03:24 +0900 + +security-server (0.0.1-31) unstable; urgency=low + + * Fixed Red screen problem because of calling strlen() in dlog because of calling dlog API with non null terminating string + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-31 + + -- Bumjin Im Thu, 24 Mar 2011 16:17:52 +0900 + +security-server (0.0.1-30) unstable; urgency=low + + * Fixed Red screen problem because of calling strlen() with NULL string + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-30 + + -- Bumjin Im Wed, 16 Mar 2011 11:15:37 +0900 + +security-server (0.0.1-29) unstable; urgency=low + + * Fixed child process defunct problem by adding signal handler and fixed argv processing problem on execv + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-29 + + -- Bumjin Im Tue, 08 Mar 2011 13:58:16 +0900 + +security-server (0.0.1-28) unstable; urgency=low + + * Fixed CQ defect "H0100120946" Which occurrs blue screen because of system lock-up + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-28 + + -- Bumjin Im Wed, 02 Mar 2011 09:06:45 +0900 + +security-server (0.0.1-27) unstable; urgency=low + + * coverity defects fixed + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-27 + + -- Bumjin Im Mon, 14 Feb 2011 17:23:33 +0900 + +security-server (0.0.1-26) unstable; urgency=low + + * Added a new API to launch a debugging tool as root privilege for SDK shell with authentication of SDK + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-26 + + -- Bumjin Im Thu, 27 Jan 2011 18:23:30 +0900 + +security-server (0.0.1-25) unstable; urgency=low + + * Fixed Prevent bugs + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-25 + + -- Bumjin Im Wed, 26 Jan 2011 10:16:39 +0900 + +security-server (0.0.1-24) unstable; urgency=low + + * adjust booting sequence + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-24 + + -- Kidong Kim Fri, 21 Jan 2011 10:52:32 +0900 + +security-server (0.0.1-23) unstable; urgency=low + + * Add cookie utility for better test, and fix some null check problems + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-23 + + -- Bumjin Im Wed, 19 Jan 2011 10:46:23 +0900 + +security-server (0.0.1-22) unstable; urgency=low + + * Add a new API that getting PID of a given cookie value to support alarm service + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-22 + + -- Bumjin Im Mon, 17 Jan 2011 11:47:54 +0900 + +security-server (0.0.1-21) unstable; urgency=low + + * add some daemons to mw-list + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-21 + + -- Kidong Kim Fri, 14 Jan 2011 10:18:31 +0900 + +security-server (0.0.1-20) unstable; urgency=low + + * Added feature to save default cookie into a file and keep it until reboots to guarantee the default cookie is not changed even security server is relaunched. + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-20 + + -- Bumjin Im Tue, 11 Jan 2011 13:12:28 +0900 + +security-server (0.0.1-19) unstable; urgency=low + + * fixed timing issue that if the server socket closed then the client goes to error condition without reading packet + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-19 + + -- Bumjin Im Mon, 10 Jan 2011 11:42:07 +0900 + +security-server (0.0.1-18) unstable; urgency=low + + * fix reading and parsing problem of /etc/group file which had failed to read when a line is bigger than 128 bytes + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-18 + + -- Bumjin Im Sat, 08 Jan 2011 18:50:00 +0900 + +security-server (0.0.1-17) unstable; urgency=low + + * fix crash problem when server try to send to already close socket fd + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-17 + + -- Bumjin Im Sat, 08 Jan 2011 17:33:01 +0900 + +security-server (0.0.1-16) unstable; urgency=low + + * fix file pointer problem + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-16 + + -- Kidong Kim Thu, 06 Jan 2011 09:27:40 +0900 + +security-server (0.0.1-15) unstable; urgency=low + + * fix strtoul problem + * Git: 165.213.180.234:slp/pkgs/s/security-server + * Tag: security-server_0.0.1-15 + + -- Kidong Kim Fri, 10 Dec 2010 18:32:33 +0900 + +security-server (0.0.1-14) unstable; urgency=low + + * fix strip problem + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-14 + + -- Kidong Kim Wed, 01 Dec 2010 10:41:39 +0900 + +security-server (0.0.1-13) unstable; urgency=low + + * preparations for limo contribution + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-13 + + -- Kidong Kim Fri, 26 Nov 2010 16:03:03 +0900 + +security-server (0.0.1-12) unstable; urgency=low + + * Add more doxygen documentations -- Security Server, secure storage + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-12 + + -- Bumjin Im Wed, 10 Nov 2010 15:06:02 +0900 + +security-server (0.0.1-11) unstable; urgency=low + + * Modify doxygen command by SDK team + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-11 + + -- Bumjin Im Tue, 09 Nov 2010 10:46:56 +0900 + +security-server (0.0.1-10) unstable; urgency=low + + * remove useless log messages + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-10 + + -- Kidong Kim Mon, 08 Nov 2010 11:19:48 +0900 + +security-server (0.0.1-9) unstable; urgency=low + + * apply patch regarding versioning + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-9 + + -- Kidong Kim Tue, 02 Nov 2010 17:53:27 +0900 + +security-server (0.0.1-8) unstable; urgency=low + + * doxygen has been modified to add more items such as @pre, @post, and so on + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-8 + + -- Bumjin Im Thu, 28 Oct 2010 11:52:57 +0900 + +security-server (0.0.1-7) unstable; urgency=low + + * add new boiler-plate + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-7 + + -- Kidong Kim Fri, 22 Oct 2010 18:59:58 +0900 + +security-server (0.0.1-6) unstable; urgency=low + + * fix some bugs + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-6 + + -- Kidong Kim Thu, 21 Oct 2010 14:40:34 +0900 + +security-server (0.0.1-5) unstable; urgency=low + + * make another symbolic link + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-5 + + -- Kidong Kim Mon, 18 Oct 2010 14:22:00 +0900 + +security-server (0.0.1-4) unstable; urgency=low + + * add doxygen PG + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-4 + + -- Kidong Kim Tue, 12 Oct 2010 14:44:31 +0900 + +security-server (0.0.1-3) unstable; urgency=low + + * Fix PID reuse vulnerability + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-3 + + -- Kidong Kim Mon, 27 Sep 2010 11:12:14 +0900 + +security-server (0.0.1-2) unstable; urgency=low + + * Make Doxygen + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-2 + + -- Kidong Kim Thu, 16 Sep 2010 16:04:57 +0900 + +security-server (0.0.1-1) unstable; urgency=low + + * Initial release + * Git: 165.213.180.234:/git/slp/pkgs/security-server + * Tag: security-server_0.0.1-1 + + -- Kidong Kim Mon, 26 Jul 2010 14:27:03 +0900 diff --git a/debian/control b/debian/control index 7c3ee1b..5c83a71 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: security-server Priority: extra Maintainer: Bumjin Im , Kidong Kim -Build-Depends: debhelper (>= 5), autotools-dev, dlog-dev, libssl-dev, libattr1-dev +Build-Depends: debhelper (>= 5), autotools-dev, dlog-dev, libssl-dev, libattr1-dev, libsmack-dev Standards-Version: 3.7.2 Section: base Homepage: N/A diff --git a/debian/rules b/debian/rules index 15799b4..5443644 100755 --- a/debian/rules +++ b/debian/rules @@ -82,8 +82,8 @@ install: build $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/ mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/ - ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S25security-server - ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/S25security-server + ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S10security-server + ln -s ../init.d/security-serverd $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/S10security-server # Build architecture-independent files here. diff --git a/debian/security-server.install.in b/debian/security-server.install.in index 9d6c7c4..6a751a4 100644 --- a/debian/security-server.install.in +++ b/debian/security-server.install.in @@ -1,6 +1,6 @@ usr/bin/security-server -etc/rc.d/rc3.d/S25security-server -etc/rc.d/rc5.d/S25security-server +etc/rc.d/rc3.d/S10security-server +etc/rc.d/rc5.d/S10security-server etc/rc.d/init.d/security-serverd usr/share/security-server/mw-list /usr/bin/sec-svr-util diff --git a/include/security-server-comm.h b/include/security-server-comm.h index c4ce939..3a3de6f 100644 --- a/include/security-server-comm.h +++ b/include/security-server-comm.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -59,6 +59,12 @@ typedef struct #define SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE 0x14 #define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST 0x15 #define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE 0x16 +#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST 0x17 +#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE 0x18 +#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST 0x19 +#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a +#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b +#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c #define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff /* Return code */ @@ -95,12 +101,21 @@ int send_cookie_request(int sock_fd); int send_gid_request(int sock_fd, const char* object); int send_object_name_request(int sock_fd, int gid); int send_privilege_check_request(int sock_fd, const char*cookie, int gid); +int send_privilege_check_new_request(int sock_fd, + const char *cookie, + const char *object, + const char *access_rights); int recv_get_gid_response(int sockfd, response_header *hdr, int *gid); int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max_object_size); int recv_cookie(int sockfd, response_header *hdr, char *cookie); int recv_privilege_check_response(int sockfd, response_header *hdr); +int recv_privilege_check_new_response(int sockfd, response_header *hdr); int recv_hdr(int client_sockfd, basic_header *basic_hdr); int recv_check_privilege_request(int sockfd, unsigned char *requested_cookie, int *requested_privilege); +int recv_check_privilege_new_request(int sockfd, + unsigned char *requested_cookie, + char *object_label, + char *access_rights); int send_pid_request(int sock_fd, const char*cookie); int recv_pid_response(int sockfd, response_header *hdr, int *pid); int recv_pid_request(int sockfd, unsigned char *requested_cookie); @@ -108,10 +123,12 @@ int send_pid(int sockfd, int pid); int send_launch_tool_request(int sock_fd, int argc, const char **argv); int recv_generic_response(int sockfd, response_header *hdr); int recv_launch_tool_request(int sockfd, int argc, char *argv[]); -int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts, +int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts, unsigned int *max_attempts, unsigned int *valid_days); -int send_set_pwd_request(int sock_fd, const char*cur_pwd, const char*new_pwd, +int send_set_pwd_request(int sock_fd, const char*cur_pwd, const char*new_pwd, const unsigned int max_challenge, const unsigned int valid_period_in_days); +int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days); +int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge); int send_chk_pwd_request(int sock_fd, const char*challenge); int check_socket_poll(int sockfd, int event, int timeout); int free_argv(char **argv, int argc); diff --git a/include/security-server-common.h b/include/security-server-common.h index 6ba0335..355892d 100644 --- a/include/security-server-common.h +++ b/include/security-server-common.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -58,6 +58,8 @@ #define SECURITY_SERVER_DEFAULT_COOKIE_PATH "/tmp/.security_server.coo" #define SECURITY_SERVER_DAEMON_PATH "/usr/bin/security-server" #define SECURITY_SERVER_COOKIE_LEN 20 +#define MAX_OBJECT_LABEL_LEN 32 +#define MAX_MODE_STR_LEN 16 #define SECURITY_SERVER_MIDDLEWARE_LIST_PATH "/usr/share/security-server/mw-list" #define SECURITY_SERVER_MAX_OBJ_NAME 30 #define SECURITY_SERVER_MAX_PATH_LEN 50 @@ -93,6 +95,7 @@ typedef struct _cookie_list pid_t pid; /* Client process's PID */ char *path; /* Client process's cmd line string */ int *permissions; /* Array of GID that the client process has */ + char *smack_label; /* SMACK label of the client process */ struct _cookie_list *prev; /* Next cookie list */ struct _cookie_list *next; /* Previous cookie list */ } cookie_list; diff --git a/include/security-server-cookie.h b/include/security-server-cookie.h index 373cab7..3acc720 100644 --- a/include/security-server-cookie.h +++ b/include/security-server-cookie.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -19,20 +19,24 @@ * */ -#ifndef SECURITY_SERVER_COOKIE_H -#define SECURITY_SERVER_COOKIE_H - -#include "security-server-common.h" - +#ifndef SECURITY_SERVER_COOKIE_H +#define SECURITY_SERVER_COOKIE_H + +#include "security-server-common.h" + int free_cookie_item(cookie_list *cookie); cookie_list *delete_cookie_item(cookie_list *cookie); cookie_list *search_existing_cookie(int pid, const cookie_list *c_list); cookie_list *search_cookie(const cookie_list *c_list, const unsigned char *cookie, int privilege); +cookie_list *search_cookie_new(const cookie_list *c_list, + const unsigned char *cookie, + const char *object, + const char *access_rights); int generate_random_cookie(unsigned char *cookie, int size); -cookie_list *create_cookie_item(int pid, cookie_list *c_list); +cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list); cookie_list *create_default_cookie(void); cookie_list * garbage_collection(cookie_list *cookie); cookie_list *search_cookie_from_pid(cookie_list *c_list, int pid); -void printhex(const unsigned char *data, int size); - -#endif +void printhex(const unsigned char *data, int size); + +#endif diff --git a/include/security-server-password.h b/include/security-server-password.h index a10e165..7fa9377 100644 --- a/include/security-server-password.h +++ b/include/security-server-password.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -30,6 +30,8 @@ int process_set_pwd_request(int sockfd); int process_reset_pwd_request(int sockfd); int process_reset_pwd_request(int sockfd); int process_chk_pwd_request(int sockfd); +int process_set_pwd_max_challenge_request(int sockfd); +int process_set_pwd_validity_request(int sockfd); int init_try(void); #endif diff --git a/include/security-server-util.h b/include/security-server-util.h index 0a6cac3..32c9f72 100644 --- a/include/security-server-util.h +++ b/include/security-server-util.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * diff --git a/include/security-server.h b/include/security-server.h index f9862f9..77ab2f2 100644 --- a/include/security-server.h +++ b/include/security-server.h @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -50,8 +50,8 @@ * * Revision History: * - * -- Company Name -- | Modification Date | Description of Changes - * ----------------------------------------------------------------------- + * -- Company Name -- | Modification Date | Description of Changes + * ----------------------------------------------------------------------- * --- Samsung ------ | --- 2010-07-25 -- | First created * * @@ -128,7 +128,6 @@ #define SECURITY_SERVER_API_ERROR_UNKNOWN -255 /** @}*/ - #ifdef __cplusplus extern "C" { #endif @@ -157,22 +156,22 @@ extern "C" { * \param[in] object Name of the object which is kwnown by the caller. * * \return matching gid (positive integer) on success, or negative error code on error. - * + * * \par Prospective clients: * Inhouse middleware * * \par Known issues/bugs: * None - * + * * \pre None - * + * * \post None * * \see /etc/group, * security_server_get_object_name(), security_server_check_privilege() - * + * * \remarks None - * + * * \par Sample code: * \code * #include @@ -217,29 +216,29 @@ int security_server_get_gid(const char *object); * \param[in] max_object_size Allocated byte size of parameter "object". * * \return 0 on success, or negative error code on error. - * + * * \par Prospective clients: * Inhouse middleware. * * \par Known issues/bugs: * None - * + * * \pre output parameter object must be malloced before calling this API not to make memory curruption - * + * * \post None * * \see /etc/group, * security_server_get_gid() - * + * * \remarks None - * + * * \par Sample code: * \code * #include * ... * int retval; * char objectname[20]; - * + * * // Call the API * retval = security_server_get_object_name(6005, objectname, sizeof(objectname)); * if(retval < 0) @@ -277,22 +276,22 @@ int security_server_get_object_name(gid_t gid, char *object, size_t max_object_s * \param[in] max_cookie Allocated byte size of parameter "cookie". * * \return 0 on success, or negative error code on error. - * + * * \par Prospective clients: * Any process * * \par Known issues/bugs: * None - * + * * \pre output parameter cookie must be malloced before calling this API not to make memory curruption * Size of the cookie can be retrieved by security_server_get_cookie_size() API. - * + * * \post None * * \see security_server_check_privilege(), security_server_get_cookie_size() - * + * * \remarks None - * + * * \par Sample code: * \code * #include @@ -335,22 +334,22 @@ int security_server_request_cookie(char *cookie, size_t max_cookie); * \par Important notes: * None * - * \return Always returns byte size of the cookie. - * + * \return Always returns byte size of the cookie. + * * \par Prospective clients: * Any process * * \par Known issues/bugs: * None - * + * * \pre None - * + * * \post None * * \see security_server_request_cookie() * \remarks None - * + * * \par Sample code: * \code * #include @@ -361,7 +360,7 @@ int security_server_request_cookie(char *cookie, size_t max_cookie); * // API calling * cookie_size = security_server_get_cookie_size(); * unsigned char cookie[cookie_size]; - * + * * char objectname[20]; * retval = security_server_request_cookie(cookie, cookie_size); * if(retval < 0) @@ -400,20 +399,20 @@ int security_server_get_cookie_size(void); * \param[in] privilege Object group ID which the client application wants to access * * \return 0 on success, or negative error code on error. - * + * * \par Prospective clients: * Only pre-defiend middleware daemons * * \par Known issues/bugs: * None * \pre None - * + * * \post None * * \see security_server_request_cookie(), security_server_get_gid(), security_server_get_cookie_size() - * + * * \remarks None - * + * * \par Sample code: * \code * #include @@ -423,7 +422,7 @@ int security_server_get_cookie_size(void); * int call_gid; * cookie_size = security_server_get_cookie_size(); * unsigned char recved_cookie[cookie_size]; - * + * * ... // Receiving request with cookie * * call_gid = security_server_get_gid("telephony_makecall"); @@ -443,7 +442,13 @@ int security_server_get_cookie_size(void); */ int security_server_check_privilege(const char *cookie, gid_t privilege); +int security_server_check_privilege_by_cookie(const char *cookie, + const char *object, + const char *access_rights); +int security_server_check_privilege_by_sockfd(int sockfd, + const char *object, + const char *access_rights); /** * \par Description: @@ -468,7 +473,7 @@ int security_server_check_privilege(const char *cookie, gid_t privilege); * \param[in] cookie Received cookie value from client application. Cookie is not a null terminated human readable string. Make sure you're code doesn't have any string related process on the cookie. * * \return positive integer on success meaning the PID, 0 means the cookie is for root process, negative integer error code on error. - * + * * \par Prospective clients: * Only pre-defiend middleware daemons * @@ -476,15 +481,15 @@ int security_server_check_privilege(const char *cookie, gid_t privilege); * None * * \pre None - * + * * \post None * * \see security_server_request_cookie(), security_server_get_cookie_size() - * + * * \remarks the cookie is not a null terminated string. Cookie is a BINARY byte stream of such length which can be retrieved by security_server_get_cookie_size() API. * Therefore, please do not use strcpy() family to process cookie value. You MUST use memcpy() function to process cookie value. * You also have to know that the cookie value doesn't carry any null terminator. So you don't need to allocate 1 more byte of the cookie size. - * + * * \par Sample code: * \code * #include @@ -494,7 +499,7 @@ int security_server_check_privilege(const char *cookie, gid_t privilege); * gid_t call_gid; * cookie_size = security_server_get_cookie_size(); * unsigned char recved_cookie[cookie_size]; - * + * * ... // Receiving request with cookie * * peerpid = security_server_get_cookie_pid(recved_cookie); @@ -529,12 +534,12 @@ int security_server_get_cookie_pid(const char *cookie); * \par Important notes: * Password file should be stored safely. The password file will be stored by security server and only allowed itself to read/write, and data is will be securely hashed\n * - * \param[out] current_attempts Number of password check missed attempts. + * \param[out] current_attempts Number of password check missed attempts. * \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite * \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite * * \return 0 if there is no password set, other negative integer error code on error. - * + * * \par Prospective clients: * Applications which can unlock UI * @@ -542,13 +547,13 @@ int security_server_get_cookie_pid(const char *cookie); * None * * \pre None - * + * * \post None * * \see security_server_set_pwd(), security_server_chk_pwd() - * + * * \remarks If password file is currupted or accitentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request. - * + * * \par Sample code: * \code * #include @@ -573,8 +578,8 @@ int security_server_get_cookie_pid(const char *cookie); * * \endcode */ -int security_server_is_pwd_valid(unsigned int *current_attempts, - unsigned int *max_attempts, +int security_server_is_pwd_valid(unsigned int *current_attempts, + unsigned int *max_attempts, unsigned int *valid_secs); @@ -604,7 +609,7 @@ int security_server_is_pwd_valid(unsigned int *current_attempts, * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity * * \return 0 on seccuess, negative integer error code on error. - * + * * \par Prospective clients: * Platform's THE ONLY setting application and some dedicated privileged processes * @@ -612,14 +617,14 @@ int security_server_is_pwd_valid(unsigned int *current_attempts, * None * * \pre None - * + * * \post None * * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() - * + * * \remarks Only setting application can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. * \remarks If current password exists and it's expired, or max attempts reached, you cannot call this API. You have to call security_server_reset_pwd() API. - * + * * \par Sample code: * \code * #include @@ -657,11 +662,71 @@ int security_server_is_pwd_valid(unsigned int *current_attempts, * \endcode */ int security_server_set_pwd(const char *cur_pwd, - const char *new_pwd, - const unsigned int max_challenge, + const char *new_pwd, + const unsigned int max_challenge, const unsigned int valid_period_in_days); +/** + * \par Description: + * This API sets validity period for currently setup password. + * + * \par Purpose: + * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup. + * + * \par Typical use case: + * Authorized application calls this API to change current passwords validity when password policy needs to be changed. + * + * \par Method of function operation: + * Function attempts to find currently set password and changes its current validity to passed number of days. Retry counter for the password is reset to zero. + * If there is no password set, function returns proper error code. + * + * \par Sync (or) Async: + * This is a Synchronous API. + * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity + * + * \return 0 on success, negative integer error code on error. + * + * \par Prospective clients: + * Platform's THE ONLY setting application and some dedicated privileged processes + * + * \par Known issues/bugs: + * Identifying calling peer is not ready yet, should be based on SMACK somehow. + * + * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() + */ +int security_server_set_pwd_validity(const unsigned int valid_period_in_days); + + +/** + * \par Description: + * This API sets maximum number of attempts for currently setup password. + * + * \par Purpose: + * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup. + * + * \par Typical use case: + * Authorized application calls this API to change current passwords max attempt number when password policy needs to be changed. + * + * \par Method of function operation: + * Function attempts to find currently set password and changes its max attempt number to passed one. Retry counter for the password is reset to zero. + * If there is no password set, function returns proper error code. + * + * \par Sync (or) Async: + * This is a Synchronous API. + * \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity. + * + * \return 0 on success, negative integer error code on error. + * + * \par Prospective clients: + * Platform's THE ONLY setting application and some dedicated privileged processes + * + * \par Known issues/bugs: + * Identifying calling peer is not ready yet, should be based on SMACK somehow. + * + * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() + */ +int security_server_set_pwd_max_challenge(const unsigned int max_challenge); /** * \par Description: @@ -687,7 +752,7 @@ int security_server_set_pwd(const char *cur_pwd, * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity * * \return 0 on seccuess, negative integer error code on error. - * + * * \par Prospective clients: * Platform's THE ONLY setting application and some dedicated privileged processes * @@ -695,13 +760,13 @@ int security_server_set_pwd(const char *cur_pwd, * None * * \pre None - * + * * \post None * * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_set_pwd() - * + * * \remarks Only dedicated applications can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. - * + * * \par Sample code: * \code * #include @@ -720,7 +785,7 @@ int security_server_set_pwd(const char *cur_pwd, * \endcode */ int security_server_reset_pwd(const char *new_pwd, - const unsigned int max_challenge, + const unsigned int max_challenge, const unsigned int valid_period_in_days); /** @@ -743,12 +808,12 @@ int security_server_reset_pwd(const char *new_pwd, * There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n * * \param[in] challenge Null terminated challenged password string. It must not a NULL pointer. - * \param[out] current_attempts Number of password check missed attempts. + * \param[out] current_attempts Number of password check missed attempts. * \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite * \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite * * \return 0 on seccuess, negative integer error code on error. - * + * * \par Prospective clients: * Applications which has phone UI lock feature. * @@ -756,19 +821,19 @@ int security_server_reset_pwd(const char *new_pwd, * None * * \pre None - * + * * \post None * * \see security_server_is_pwd_valid(), security_server_set_pwd() - * + * * \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. - * + * * \par Sample code: * \code * #include * ... * int retval; - * unsigned int attempt, max_attempt, expire_sec; + * unsigned int attempt, max_attempt, expire_sec; * * retval = security_server_chk_pwd("is_this_password", &attmpt, &max_attempt, &expire_sec); * if(retval == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH) @@ -785,9 +850,9 @@ int security_server_reset_pwd(const char *new_pwd, * * \endcode */ -int security_server_chk_pwd(const char *challenge, - unsigned int *current_attempt, - unsigned int *max_attempt, +int security_server_chk_pwd(const char *challenge, + unsigned int *current_attempt, + unsigned int *max_attempt, unsigned int *valid_secs); @@ -813,7 +878,7 @@ int security_server_chk_pwd(const char *challenge, * \param[in] number_of_history Number of history to be checked when user tries to change password. Maximum is currently 50 * * \return 0 on seccuess, negative integer error code on error. - * + * * \par Prospective clients: * MDM client, Enterprise manager. * @@ -821,13 +886,13 @@ int security_server_chk_pwd(const char *challenge, * None * * \pre None - * + * * \post None * * \see security_server_set_pwd() - * + * * \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. - * + * * \par Sample code: * \code * #include @@ -871,11 +936,11 @@ int security_server_set_pwd_history(int number_of_history); * /usr/bin/debug-util itself must be omitted in the argv. Security server will put this as first argv in the execution procedure * * \param[in] argc Number of arguements. - * + * * \param[in] argv Arguements * * \return 0 on success, negative integer error code on error. - * + * * \par Prospective clients: * Only pre-defiend debugging utility. * @@ -883,13 +948,13 @@ int security_server_set_pwd_history(int number_of_history); * None * * \pre None - * + * * \post None * * \see None - * + * * \remarks Calling this API, you have to put argv[1] of the debug-util as argv[0] of this API. Security server will put argv[0] automatically - * + * * \par Sample code: * \code * #include @@ -930,4 +995,4 @@ int security_server_launch_debug_tool(int argc, const char **argv); * @} */ -#endif +#endif diff --git a/packaging/security-server.spec b/packaging/security-server.spec index 7519aae..8fe6ce6 100644 --- a/packaging/security-server.spec +++ b/packaging/security-server.spec @@ -1,14 +1,16 @@ +#sbs-git:slp/pkgs/s/security-server security-server 0.0.1 41964751bdbad7b215eea8f7ca955aa365348e4a Name: security-server Summary: Security server -Version: 0.0.1 -Release: 37 +Version: 0.0.36 +Release: 1 Group: TO_BE/FILLED_IN -License: Apache 2.0 +License: Apache2.0 Source0: %{name}-%{version}.tar.gz BuildRequires: cmake BuildRequires: pkgconfig(dlog) BuildRequires: pkgconfig(openssl) BuildRequires: libattr-devel +BuildRequires: pkgconfig(libsmack) %description Security server package @@ -49,12 +51,12 @@ rm -rf %{buildroot} %post mkdir -p /etc/rc.d/rc3.d mkdir -p /etc/rc.d/rc5.d -ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S25security-server -ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc5.d/S25security-server +ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S10security-server +ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc5.d/S10security-server %postun -rm -f /etc/rc.d/rc3.d/S25security-server -rm -f /etc/rc.d/rc5.d/S25security-server +rm -f /etc/rc.d/rc3.d/S10security-server +rm -f /etc/rc.d/rc5.d/S10security-server %post -n libsecurity-server-client -p /sbin/ldconfig diff --git a/src/client/security-server-client.c b/src/client/security-server-client.c index 8e78d18..e934df1 100644 --- a/src/client/security-server-client.c +++ b/src/client/security-server-client.c @@ -1,7 +1,7 @@ /* - * security-server + * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -26,6 +26,7 @@ #include #include #include +#include #include "security-server.h" #include "security-server-common.h" @@ -71,7 +72,7 @@ char *read_cmdline_from_proc(pid_t pid) readlink(path, cmdline, memsize); /* FlawFinder: ignore */ SEC_SVR_DBG("pid: %d, cmdline: %s", pid, cmdline); - /* Check it's truncated */ + /* Check it's truncated */ if(cmdline[memsize -1] != 0) { cmdline = (char *)realloc(cmdline, sizeof(char) * (memsize + 32)); @@ -79,7 +80,7 @@ SEC_SVR_DBG("pid: %d, cmdline: %s", pid, cmdline); if(cmdline == NULL) { SEC_SVR_DBG("%s", "Out of memory"); - goto error; + goto error; } } else @@ -376,7 +377,101 @@ error: } + SECURITY_SERVER_API +int security_server_check_privilege_by_cookie(const char *cookie, + const char *object, + const char *access_rights) +{ + int sockfd = -1, retval; + int olen, alen; + response_header hdr; + + if(cookie == NULL || object == NULL || access_rights == NULL) + { + retval = SECURITY_SERVER_ERROR_INPUT_PARAM; + goto error; + } + + olen = strlen(object); + alen = strlen(access_rights); + + if (olen > MAX_OBJECT_LABEL_LEN || alen > MAX_MODE_STR_LEN) + { + retval = SECURITY_SERVER_ERROR_INPUT_PARAM; + goto error; + } + + retval = connect_to_server(&sockfd); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + goto error; + } + + /* make request packet */ + retval = send_privilege_check_new_request( + sockfd, cookie, object, access_rights); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + SEC_SVR_DBG("Send failed: %d", retval); + goto error; + } + + retval = recv_privilege_check_new_response(sockfd, &hdr); + + retval = return_code_to_error_code(hdr.return_code); + if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE) + /* Wrong response */ + { + if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) + { + /* There must be some error */ + SEC_SVR_DBG("Client: Error has been received. return code:%d", + hdr.return_code); + } + else + { + /* Something wrong with response */ + SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval); + retval = SECURITY_SERVER_ERROR_BAD_RESPONSE; + } + goto error; + } +error: + if(sockfd >= 0) + close(sockfd); + + retval = convert_to_public_error_code(retval); + return retval; +} + + SECURITY_SERVER_API +int security_server_check_privilege_by_sockfd(int sockfd, + const char *object, + const char *access_rights) +{ + char *subject; + int ret; + ret = smack_new_label_from_socket(sockfd, &subject); + if (ret != 0) + { + return SECURITY_SERVER_API_ERROR_SERVER_ERROR; + } + ret = smack_have_access(subject, object, access_rights); + SEC_SVR_DBG("check by sockfd, subject >%s< object >%s< rights >%s< ====> %d", + subject, object, access_rights, ret); + free(subject); + if (ret == 1) + { + return SECURITY_SERVER_API_SUCCESS; + } + else + { + return SECURITY_SERVER_API_ERROR_ACCESS_DENIED; + } +} SECURITY_SERVER_API @@ -527,8 +622,8 @@ error: SECURITY_SERVER_API -int security_server_is_pwd_valid(unsigned int *current_attempts, - unsigned int *max_attempts, +int security_server_is_pwd_valid(unsigned int *current_attempts, + unsigned int *max_attempts, unsigned int *valid_secs) { int sockfd = -1, retval = SECURITY_SERVER_ERROR_UNKNOWN; @@ -590,8 +685,8 @@ error: SECURITY_SERVER_API int security_server_set_pwd(const char *cur_pwd, - const char *new_pwd, - const unsigned int max_challenge, + const char *new_pwd, + const unsigned int max_challenge, const unsigned int valid_period_in_days) { int sockfd = -1, retval; @@ -650,10 +745,107 @@ error: } + SECURITY_SERVER_API +int security_server_set_pwd_validity(const unsigned int valid_period_in_days) +{ + int sockfd = -1, retval; + response_header hdr; + + retval = connect_to_server(&sockfd); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + goto error; + } + + /* make request packet */ + retval = send_set_pwd_validity_request(sockfd, valid_period_in_days); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + SEC_SVR_DBG("Client: Send failed: %d", retval); + goto error; + } + + retval = recv_generic_response(sockfd, &hdr); + + retval = return_code_to_error_code(hdr.return_code); + if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE) /* Wrong response */ + { + if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) + { + /* There must be some error */ + SEC_SVR_DBG("Client: Error has been received. return code:%d", hdr.return_code); + } + else + { + /* Something wrong with response */ + SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval); + retval = SECURITY_SERVER_ERROR_BAD_RESPONSE; + } + goto error; + } +error: + if(sockfd > 0) + close(sockfd); + + retval = convert_to_public_error_code(retval); + return retval; +} + + SECURITY_SERVER_API +int security_server_set_pwd_max_challenge(const unsigned int max_challenge) +{ + int sockfd = -1, retval; + response_header hdr; + + retval = connect_to_server(&sockfd); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + goto error; + } + + /* make request packet */ + retval = send_set_pwd_max_challenge_request(sockfd, max_challenge); + if(retval != SECURITY_SERVER_SUCCESS) + { + /* Error on socket */ + SEC_SVR_DBG("Client: Send failed: %d", retval); + goto error; + } + + retval = recv_generic_response(sockfd, &hdr); + + retval = return_code_to_error_code(hdr.return_code); + if(hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE) /* Wrong response */ + { + if(hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) + { + /* There must be some error */ + SEC_SVR_DBG("Client: Error has been received. return code:%d", hdr.return_code); + } + else + { + /* Something wrong with response */ + SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval); + retval = SECURITY_SERVER_ERROR_BAD_RESPONSE; + } + goto error; + } +error: + if(sockfd > 0) + close(sockfd); + + retval = convert_to_public_error_code(retval); + return retval; +} + + SECURITY_SERVER_API int security_server_reset_pwd(const char *new_pwd, - const unsigned int max_challenge, + const unsigned int max_challenge, const unsigned int valid_period_in_days) { int sockfd = -1, retval; @@ -714,7 +906,7 @@ error: SECURITY_SERVER_API -int security_server_chk_pwd(const char *challenge, +int security_server_chk_pwd(const char *challenge, unsigned int *current_attempt, unsigned int *max_attempts, unsigned int *valid_secs) diff --git a/src/communication/security-server-comm.c b/src/communication/security-server-comm.c index 689681d..59eb864 100644 --- a/src/communication/security-server-comm.c +++ b/src/communication/security-server-comm.c @@ -1,7 +1,7 @@ /* - * security-server + * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -174,7 +174,7 @@ int check_socket_poll(int sockfd, int event, int timeout) return SECURITY_SERVER_ERROR_POLL; else { - /* Chile process has been closed. Not poll() problem. Call it once again */ + /* Chile process has been closed. Not poll() problem. Call it once again */ return check_socket_poll(sockfd, event, timeout); } } @@ -246,7 +246,7 @@ int create_new_socket(int *sockfd) } /* Make socket as non blocking */ - if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 || + if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 || fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0) { retval = SECURITY_SERVER_ERROR_SOCKET; @@ -258,7 +258,7 @@ int create_new_socket(int *sockfd) bzero (&serveraddr, sizeof(serveraddr)); serveraddr.sun_family = AF_UNIX; - strncpy(serveraddr.sun_path, SECURITY_SERVER_SOCK_PATH, + strncpy(serveraddr.sun_path, SECURITY_SERVER_SOCK_PATH, strlen(SECURITY_SERVER_SOCK_PATH)); serveraddr.sun_path[strlen(SECURITY_SERVER_SOCK_PATH)] = 0; @@ -271,7 +271,7 @@ int create_new_socket(int *sockfd) localsockfd = -1; goto error; } - + /* Change permission to accept all processes that has different uID/gID */ sock_mode = (S_IRWXU | S_IRWXG | S_IRWXO); @@ -360,7 +360,7 @@ int connect_to_server(int *fd) } /* Make socket as non blocking */ - if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 || + if((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 || fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0) { close(localsockfd); @@ -446,8 +446,8 @@ int accept_client(int server_sockfd) return SECURITY_SERVER_ERROR_TIMEOUT; } - localsockfd = accept(server_sockfd, - (struct sockaddr *)&clientaddr, + localsockfd = accept(server_sockfd, + (struct sockaddr *)&clientaddr, &client_len); if(localsockfd < 0) @@ -468,10 +468,10 @@ int validate_header(basic_header hdr) } /* Send generic response packet to client - * - * Generic Response Packet Format + * + * Generic Response Packet Format 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |---------------------------------------------------------------| | version=0x01 | Message ID |Message Length (without header)| |---------------------------------------------------------------| @@ -511,10 +511,10 @@ int send_generic_response (int sockfd, unsigned char msgid, unsigned char return } /* Send cookie response to client - * + * * Get Cookie response packet format * 0 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x02 | Message Length =20 | * |---------------------------------------------------------------| @@ -565,7 +565,7 @@ int send_cookie(int sockfd, unsigned char *cookie) /* Send Object name response * * Get Object name response packet format * 0 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x06 | Message Length | * |---------------------------------------------------------------| @@ -613,10 +613,10 @@ int send_object_name(int sockfd, char *obj) } /* Send GID response to client - * + * * Get GID response packet format * 0 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x08 | Message Length = 4 | * |---------------------------------------------------------------| @@ -667,10 +667,10 @@ int send_gid(int sockfd, int gid) } /* Send PID response to client - * + * * Get PID response packet format * 0 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x0a | Message Length = 4 | * |---------------------------------------------------------------| @@ -721,10 +721,10 @@ int send_pid(int sockfd, int pid) } /* Send Check password response to client - * + * * Check password response packet format * 0 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 | MessageID | Message Length = 12 | * |---------------------------------------------------------------| @@ -737,18 +737,18 @@ int send_pid(int sockfd, int pid) * |expire_in_days | * |---------------- */ -int send_pwd_response(const int sockfd, +int send_pwd_response(const int sockfd, const unsigned char msg_id, - const unsigned char return_code, - const unsigned int current_attempts, - const unsigned int max_attempts, + const unsigned char return_code, + const unsigned int current_attempts, + const unsigned int max_attempts, const unsigned int expire_time) { response_header hdr; unsigned int expire_secs; unsigned char msg[sizeof(hdr) + sizeof(current_attempts) + sizeof(max_attempts) + sizeof(expire_secs)]; int ret, ptr = 0; - + /* Assemble header */ hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION; @@ -792,7 +792,7 @@ int send_pwd_response(const int sockfd, } /* Send cookie request packet to security server * - * + * * Message format * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| @@ -830,13 +830,13 @@ int send_cookie_request(int sock_fd) SEC_SVR_DBG("Error on write(): %d", retval); return SECURITY_SERVER_ERROR_SEND_FAILED; } - return SECURITY_SERVER_SUCCESS; + return SECURITY_SERVER_SUCCESS; } /* Send GID request message to security server * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x07 | Message Length = variable | * |---------------------------------------------------------------| @@ -903,13 +903,13 @@ error: if(buf != NULL) free(buf); - return retval; + return retval; } /* Send object name request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x05 | Message Length = 4 | * |---------------------------------------------------------------| @@ -951,13 +951,13 @@ int send_object_name_request(int sock_fd, int gid) SEC_SVR_DBG("Error on write(): %d", retval); return SECURITY_SERVER_ERROR_SEND_FAILED; } - return SECURITY_SERVER_SUCCESS; + return SECURITY_SERVER_SUCCESS; } /* Send privilege check request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x03 | Message Length = 24 | * |---------------------------------------------------------------| @@ -1009,10 +1009,69 @@ int send_privilege_check_request(int sock_fd, const char*cookie, int gid) return SECURITY_SERVER_SUCCESS; } +int send_privilege_check_new_request(int sock_fd, + const char *cookie, + const char *object, + const char *access_rights) +{ + basic_header hdr; + int retval; + int olen, alen; + int size; + + olen = strlen(object); + alen = strlen(access_rights); + if (olen > MAX_OBJECT_LABEL_LEN || alen > MAX_MODE_STR_LEN) + { + return SECURITY_SERVER_ERROR_INPUT_PARAM; + } + + unsigned char buf[sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + + 2*sizeof(int) + MAX_OBJECT_LABEL_LEN + MAX_MODE_STR_LEN]; + + /* Assemble header */ + hdr.version = SECURITY_SERVER_MSG_VERSION; + hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST; + hdr.msg_len = SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen + alen; + + memcpy(buf, &hdr, sizeof(hdr)); + memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN); + memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN, &olen, sizeof(int)); + memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + sizeof(int), + &alen, sizeof(int)); + memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int), object, olen); + memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen, + access_rights, alen); + + /* Check poll */ + retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND); + if(retval == SECURITY_SERVER_ERROR_POLL) + { + SEC_SVR_DBG("%s", "poll() error"); + return SECURITY_SERVER_ERROR_SEND_FAILED; + } + if(retval == SECURITY_SERVER_ERROR_TIMEOUT) + { + SEC_SVR_DBG("%s", "poll() timeout"); + return SECURITY_SERVER_ERROR_SEND_FAILED; + } + + size = sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2*sizeof(int) + olen + alen; + /* Send to server */ + retval = write(sock_fd, buf, size); + if(retval < size) + { + /* Write error */ + SEC_SVR_DBG("Error on write(): %d", retval); + return SECURITY_SERVER_ERROR_SEND_FAILED; + } + return SECURITY_SERVER_SUCCESS; +} + /* Send PID check request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x09 | Message Length = 20 | * |---------------------------------------------------------------| @@ -1065,7 +1124,7 @@ int send_pid_request(int sock_fd, const char*cookie) /* Send debug tool launch request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x0b | Message Length | * |---------------------------------------------------------------| @@ -1154,7 +1213,7 @@ int send_launch_tool_request(int sock_fd, int argc, const char **argv) SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1183,7 +1242,7 @@ error: /* Send validate password request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x0d | Message Length | * |---------------------------------------------------------------| @@ -1204,7 +1263,7 @@ int send_valid_pwd_request(int sock_fd) SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1231,7 +1290,7 @@ error: /* Send password set request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x0f | Message Length | * |---------------------------------------------------------------| @@ -1248,8 +1307,8 @@ error: * | valid days | * |---------------------------------------------------------------| */ -int send_set_pwd_request(int sock_fd, - const char*cur_pwd, +int send_set_pwd_request(int sock_fd, + const char*cur_pwd, const char*new_pwd, const unsigned int max_challenge, const unsigned int valid_period_in_days) @@ -1302,7 +1361,7 @@ int send_set_pwd_request(int sock_fd, SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1328,10 +1387,142 @@ error: return retval; } +/* Send password validity change request message to security server * + * + * Message format + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * |---------------------------------------------------------------| + * | version=0x01 |MessageID=0x0f | Message Length | + * |---------------------------------------------------------------| + * | valid days | + * |---------------------------------------------------------------| + */ +int send_set_pwd_validity_request(int sock_fd, const unsigned int valid_period_in_days) +{ + basic_header hdr; + int retval, total_length = 0, ptr; + unsigned char *buf = NULL; + + total_length = sizeof(hdr) + sizeof(unsigned int); + + buf = malloc(total_length); + if(buf == NULL) + { + SEC_SVR_DBG("%s", "Error: failed to malloc()"); + return SECURITY_SERVER_ERROR_OUT_OF_MEMORY; + } + + /* Assemble header */ + hdr.version = SECURITY_SERVER_MSG_VERSION; + hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST; + hdr.msg_len = (unsigned short)total_length; + memcpy(buf, &hdr, sizeof(hdr)); + ptr = sizeof(hdr); + memcpy(buf + ptr, &valid_period_in_days, sizeof(unsigned int)); + + /* Check poll */ + retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND); + if(retval == SECURITY_SERVER_ERROR_POLL) + { + SEC_SVR_DBG("%s", "poll() error"); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + + } + if(retval == SECURITY_SERVER_ERROR_TIMEOUT) + { + SEC_SVR_DBG("%s", "poll() timeout"); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + } + + /* Send to server */ + retval = write(sock_fd, buf, total_length); + if(retval < sizeof(buf)) + { + /* Write error */ + SEC_SVR_DBG("Error on write(): %d", retval); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + } + retval = SECURITY_SERVER_SUCCESS; + +error: + if(buf != NULL) + free(buf); + return retval; +} + +/* Send password max challenge request message to security server * + * + * Message format + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * |---------------------------------------------------------------| + * | version=0x01 |MessageID=0x0f | Message Length | + * |---------------------------------------------------------------| + * | max challenge | + * |---------------------------------------------------------------| + */ +int send_set_pwd_max_challenge_request(int sock_fd, const unsigned int max_challenge) +{ + basic_header hdr; + int retval, total_length = 0, ptr; + unsigned char *buf = NULL; + + total_length = sizeof(hdr) + sizeof(unsigned int); + + buf = malloc(total_length); + if(buf == NULL) + { + SEC_SVR_DBG("%s", "Error: failed to malloc()"); + return SECURITY_SERVER_ERROR_OUT_OF_MEMORY; + } + + /* Assemble header */ + hdr.version = SECURITY_SERVER_MSG_VERSION; + hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST; + hdr.msg_len = (unsigned short)total_length; + memcpy(buf, &hdr, sizeof(hdr)); + ptr = sizeof(hdr); + memcpy(buf + ptr, &max_challenge, sizeof(unsigned int)); + + /* Check poll */ + retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND); + if(retval == SECURITY_SERVER_ERROR_POLL) + { + SEC_SVR_DBG("%s", "poll() error"); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + + } + if(retval == SECURITY_SERVER_ERROR_TIMEOUT) + { + SEC_SVR_DBG("%s", "poll() timeout"); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + } + + /* Send to server */ + retval = write(sock_fd, buf, total_length); + if(retval < sizeof(buf)) + { + /* Write error */ + SEC_SVR_DBG("Error on write(): %d", retval); + retval = SECURITY_SERVER_ERROR_SEND_FAILED; + goto error; + } + retval = SECURITY_SERVER_SUCCESS; + +error: + if(buf != NULL) + free(buf); + return retval; +} + /* Send password reset request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x11 | Message Length | * |---------------------------------------------------------------| @@ -1346,7 +1537,7 @@ error: * | valid days | * |---------------------------------------------------------------| */ -int send_reset_pwd_request(int sock_fd, +int send_reset_pwd_request(int sock_fd, const char*new_pwd, const unsigned int max_challenge, const unsigned int valid_period_in_days) @@ -1357,7 +1548,7 @@ int send_reset_pwd_request(int sock_fd, new_pwd_len = strlen(new_pwd); - total_length += sizeof(hdr) + sizeof(char) + new_pwd_len + sizeof(unsigned int) + + total_length += sizeof(hdr) + sizeof(char) + new_pwd_len + sizeof(unsigned int) + sizeof(unsigned int); buf = malloc(total_length); @@ -1388,7 +1579,7 @@ int send_reset_pwd_request(int sock_fd, SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1417,7 +1608,7 @@ error: /* Send password check request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x13 | Message Length | * |---------------------------------------------------------------| @@ -1461,7 +1652,7 @@ int send_chk_pwd_request(int sock_fd, const char*challenge) SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1490,7 +1681,7 @@ error: /* Send password history set request message to security server * * * Message format - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | version=0x01 |MessageID=0x15 | Message Length | * |---------------------------------------------------------------| @@ -1523,7 +1714,7 @@ int send_set_pwd_history_request(int sock_fd, int num) SEC_SVR_DBG("%s", "poll() error"); retval = SECURITY_SERVER_ERROR_SEND_FAILED; goto error; - + } if(retval == SECURITY_SERVER_ERROR_TIMEOUT) { @@ -1599,6 +1790,55 @@ int recv_check_privilege_request(int sockfd, unsigned char *requested_cookie, in return SECURITY_SERVER_SUCCESS; } +/* Receive check privilege request packet body (new mode)*/ +int recv_check_privilege_new_request(int sockfd, + unsigned char *requested_cookie, + char *object_label, + char *access_rights) +{ + int retval; + int olen, alen; + + retval = read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN); + if(retval < SECURITY_SERVER_COOKIE_LEN) + { + SEC_SVR_DBG("Received cookie size is too small: %d", retval); + return SECURITY_SERVER_ERROR_RECV_FAILED; + } + + retval = read(sockfd, &olen, sizeof(int)); + if(retval < sizeof(int) || olen < 0 || olen > MAX_OBJECT_LABEL_LEN) + { + SEC_SVR_DBG("error reading object_label len: %d", retval); + return SECURITY_SERVER_ERROR_RECV_FAILED; + } + + retval = read(sockfd, &alen, sizeof(int)); + if(retval < sizeof(int) || alen < 0 || olen > MAX_MODE_STR_LEN) + { + SEC_SVR_DBG("error reading access_rights len: %d", retval); + return SECURITY_SERVER_ERROR_RECV_FAILED; + } + + retval = read(sockfd, object_label, olen); + if(retval < olen) + { + SEC_SVR_DBG("error reading object_label: %d", retval); + return SECURITY_SERVER_ERROR_RECV_FAILED; + } + object_label[olen] = '\0'; + + retval = read(sockfd, access_rights, olen); + if(retval < alen) + { + SEC_SVR_DBG("error reading access_rights: %d", retval); + return SECURITY_SERVER_ERROR_RECV_FAILED; + } + access_rights[alen] = '\0'; + + return SECURITY_SERVER_SUCCESS; +} + /* Receive pid request packet body */ int recv_pid_request(int sockfd, unsigned char *requested_cookie) { @@ -1749,7 +1989,7 @@ int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max SEC_SVR_DBG("%s", "Out of memory error"); return SECURITY_SERVER_ERROR_OUT_OF_MEMORY; } - + retval = read(sockfd, local_obj_name, hdr->basic_hdr.msg_len); if(retval < (hdr->basic_hdr.msg_len)) { @@ -1799,7 +2039,21 @@ int recv_privilege_check_response(int sockfd, response_header *hdr) retval = recv_generic_response(sockfd, hdr); if(hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED && - hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED) + hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED) + { + SEC_SVR_DBG("response error: %d", hdr->return_code); + return return_code_to_error_code(hdr->return_code); + } + return SECURITY_SERVER_SUCCESS; +} + +int recv_privilege_check_new_response(int sockfd, response_header *hdr) +{ + int retval; + + retval = recv_generic_response(sockfd, hdr); + if(hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED && + hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED) { SEC_SVR_DBG("response error: %d", hdr->return_code); return return_code_to_error_code(hdr->return_code); @@ -1825,9 +2079,9 @@ int recv_pid_response(int sockfd, response_header *hdr, int *pid) return SECURITY_SERVER_SUCCESS; } -int recv_pwd_response(int sockfd, response_header *hdr, - unsigned int *current_attempts, - unsigned int *max_attempts, +int recv_pwd_response(int sockfd, response_header *hdr, + unsigned int *current_attempts, + unsigned int *max_attempts, unsigned int *valid_secs) { int retval; @@ -1897,7 +2151,7 @@ int authenticate_client_application(int sockfd, int *pid, int *uid) /* Authenticate client that it's real client application */ /* TBA */ - + error: return retval; } @@ -1918,7 +2172,7 @@ int search_middleware_cmdline(char *cmdline) { /* error on file */ SEC_SVR_DBG("%s", "Error oening mw-list file"); - return SECURITY_SERVER_ERROR_FILE_OPERATION; + return SECURITY_SERVER_ERROR_FILE_OPERATION; } /* Search each line */ @@ -1957,7 +2211,7 @@ int authenticate_client_middleware(int sockfd, int *pid) SEC_SVR_DBG("%s", "Error on getsockopt"); goto error; } - + /* All middlewares will run as root */ if(cr.uid != 0) { @@ -2003,7 +2257,7 @@ int authenticate_developer_shell(int sockfd) SEC_SVR_DBG("%s", "Error on getsockopt"); goto error; } - + /* All middlewares will run as root */ if(cr.uid != SECURITY_SERVER_DEVELOPER_UID) { diff --git a/src/server/security-server-cookie.c b/src/server/security-server-cookie.c index 6470f31..e0f94dd 100644 --- a/src/server/security-server-cookie.c +++ b/src/server/security-server-cookie.c @@ -1,7 +1,6 @@ /* * security-server - * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -27,6 +26,7 @@ #include #include #include +#include #include "security-server-cookie.h" @@ -38,6 +38,8 @@ int free_cookie_item(cookie_list *cookie) free(cookie->path); if(cookie->permissions != NULL) free(cookie->permissions); + if(cookie->smack_label != NULL) + free(cookie->smack_label); if(cookie->prev != NULL) cookie->prev->next = cookie->next; if(cookie->next != NULL) @@ -261,6 +263,45 @@ finish: return retval; } + +cookie_list *search_cookie_new(const cookie_list *c_list, + const unsigned char *cookie, + const char *object, + const char *access_rights) +{ + cookie_list *current = (cookie_list *)c_list, *retval = NULL; + int ret; + int i; + + /* Search from the list */ + while(current != NULL) + { + /* print_cookie(current);*/ + /* PID must be same */ + current = garbage_collection(current); + if(current == NULL) + break; + + if(memcmp(current->cookie, cookie, SECURITY_SERVER_COOKIE_LEN) == 0) + { + SEC_SVR_DBG("%s", "cookie has been found"); + + ret = smack_have_access(current->smack_label, object, access_rights); + SEC_SVR_DBG("smack_have_access, subject >%s< object >%s< access >%s< ===> %d", + current->smack_label, object, access_rights, ret); + if (ret == 1) + { + retval = current; + goto finish; + } + } + current = current->next; + } +finish: + return retval; +} + + /* Generage a random stream value of size to cookie * * by reading /dev/uranddom file */ int generate_random_cookie(unsigned char *cookie, int size) @@ -289,7 +330,7 @@ error: } /* Create a cookie item from PID */ -cookie_list *create_cookie_item(int pid, cookie_list *c_list) +cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list) { int ret, tempint; cookie_list *added = NULL, *current = NULL; @@ -297,6 +338,7 @@ cookie_list *create_cookie_item(int pid, cookie_list *c_list) char *buf = NULL, inputed, *tempptr = NULL; char delim[] = ": ", *token = NULL; int *permissions = NULL, perm_num = 1, cnt, i, *tempperm = NULL; + char *smack_label = NULL; FILE *fp = NULL; current = search_existing_cookie(pid, c_list); @@ -442,6 +484,16 @@ out_of_while: goto error; } + /* Check SMACK label */ + ret = smack_new_label_from_socket(sockfd, &smack_label); + if (ret != 0) + { + SEC_SVR_DBG("Error checking peer label: %d", ret); + free(added); + added = NULL; + goto error; + } + added->path_len = strlen(cmdline); added->path = calloc(1, strlen(cmdline)); memcpy(added->path, cmdline, strlen(cmdline)); @@ -449,6 +501,7 @@ out_of_while: added->permission_len = perm_num; added->pid = pid; added->permissions = permissions; + added->smack_label = smack_label; added->prev = current; current->next = added; added->next = NULL; @@ -551,6 +604,7 @@ cookie_list *create_default_cookie(void) first->pid = 0; first->path = NULL; first->permissions = NULL; + first->smack_label = NULL; first->prev = NULL; first->next = NULL; return first; diff --git a/src/server/security-server-main.c b/src/server/security-server-main.c index fe4e755..2e87f2f 100644 --- a/src/server/security-server-main.c +++ b/src/server/security-server-main.c @@ -1,7 +1,7 @@ /* - * security-server + * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -109,7 +109,7 @@ int search_object_name(int gid, char *obj, int obj_size) SEC_SVR_DBG("%s", "cannot malloc()"); goto error; } - + bzero(linebuf, bufsize); ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT; while(fgets(linebuf, bufsize, fp) != NULL) @@ -176,7 +176,7 @@ int search_object_name(int gid, char *obj, int obj_size) } bzero(linebuf, bufsize); } - + error: if(linebuf != NULL) free(linebuf); @@ -257,7 +257,7 @@ int search_gid(const char *obj) } bzero(linebuf, bufsize); } - + error: if(linebuf != NULL) free(linebuf); @@ -272,7 +272,7 @@ static void security_server_sig_child(int signo, siginfo_t *info, void *data) int status; pid_t child_pid; pid_t child_pgid; - + child_pgid = getpgid(info->si_pid); SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid); @@ -325,7 +325,7 @@ int process_cookie_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -349,7 +349,7 @@ int process_cookie_request(int sockfd) { /* Create a new cookie. or find existing one */ pthread_mutex_lock(&cookie_mutex); - created_cookie = create_cookie_item(client_pid, c_list); + created_cookie = create_cookie_item(client_pid, sockfd, c_list); pthread_mutex_unlock(&cookie_mutex); if(created_cookie == NULL) { @@ -363,6 +363,10 @@ int process_cookie_request(int sockfd) { SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); } + SEC_SVR_DBG("Server: Cookie created for client PID %d LABEL >%s<", + created_cookie->pid, + (created_cookie->smack_label)?(created_cookie->smack_label):"NULL"); + SEC_SVR_DBG("%s", "Server: Cookie has been sent to client"); error: @@ -380,7 +384,7 @@ int process_check_privilege_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -390,12 +394,12 @@ int process_check_privilege_request(int sockfd) goto error;; } - retval = recv_check_privilege_request(sockfd, + retval = recv_check_privilege_request(sockfd, requested_cookie, &requested_privilege); if(retval == SECURITY_SERVER_ERROR_RECV_FAILED) { SEC_SVR_DBG("%s", "Receiving request failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -408,7 +412,7 @@ int process_check_privilege_request(int sockfd) if(requested_privilege < 1) { SEC_SVR_DBG("Requiring bad privilege [%d]", requested_privilege); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -427,8 +431,8 @@ int process_check_privilege_request(int sockfd) /* We found */ SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid); SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted."); - retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED); if(retval != SECURITY_SERVER_SUCCESS) { @@ -439,8 +443,80 @@ int process_check_privilege_request(int sockfd) { /* It's not exist */ SEC_SVR_DBG("Could not find the cookie with %d privilege", requested_privilege); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); + } + } +error: + return retval; +} + +int process_check_privilege_new_request(int sockfd) +{ + /* Authenticate client */ + int retval, client_pid, requested_privilege; + unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN]; + cookie_list *search_result = NULL; + char object_label[MAX_OBJECT_LABEL_LEN+1]; + char access_rights[MAX_MODE_STR_LEN+1]; + + retval = authenticate_client_middleware(sockfd, &client_pid); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("%s", "Client Authentication Failed"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE, + SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); + } + goto error;; + } + + retval = recv_check_privilege_new_request( + sockfd, requested_cookie, object_label, access_rights); + if(retval == SECURITY_SERVER_ERROR_RECV_FAILED) + { + SEC_SVR_DBG("%s", "Receiving request failed"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE, + SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); + } + goto error;; + } + + /* Search cookie list */ + pthread_mutex_lock(&cookie_mutex); + search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights); + pthread_mutex_unlock(&cookie_mutex); + + if(search_result != NULL) + { + /* We found */ + SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid); + SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted."); retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE, + SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); + } + } + else + { + /* It's not exist */ + SEC_SVR_DBG("Could not find the cookie with %s rights", access_rights); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE, SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED); if(retval != SECURITY_SERVER_SUCCESS) { @@ -449,6 +525,8 @@ int process_check_privilege_request(int sockfd) } error: return retval; + + } int process_object_name_request(int sockfd) @@ -461,7 +539,7 @@ int process_object_name_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -476,7 +554,7 @@ int process_object_name_request(int sockfd) if (retval < sizeof(requested_privilege)) { SEC_SVR_DBG("%s", "Receiving request failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -487,14 +565,14 @@ int process_object_name_request(int sockfd) } /* Search from /etc/group */ - retval = search_object_name(requested_privilege, - object_name, + retval = search_object_name(requested_privilege, + object_name, SECURITY_SERVER_MAX_OBJ_NAME); if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT) { /* It's not exist */ SEC_SVR_DBG("There is no such object for gid [%d]", requested_privilege); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE, SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT); if(retval != SECURITY_SERVER_SUCCESS) @@ -507,7 +585,7 @@ int process_object_name_request(int sockfd) { /* Error occurred */ SEC_SVR_DBG("Error on searching object name [%d]", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -538,7 +616,7 @@ int process_gid_request(int sockfd, int msg_len) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client authentication failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GID_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -552,7 +630,7 @@ int process_gid_request(int sockfd, int msg_len) { /* Too big ojbect name */ SEC_SVR_DBG("%s", "Object name is too big"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GID_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -567,7 +645,7 @@ int process_gid_request(int sockfd, int msg_len) if (retval < msg_len ) { SEC_SVR_DBG("%s", "Failed to read object name"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GID_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -584,7 +662,7 @@ int process_gid_request(int sockfd, int msg_len) { /* Not exist */ SEC_SVR_DBG("The object [%s] is not exist", object_name); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GID_RESPONSE, SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT); if(retval != SECURITY_SERVER_SUCCESS) @@ -593,12 +671,12 @@ int process_gid_request(int sockfd, int msg_len) } goto error; } - + if(retval < 0) { /* Error occurred */ SEC_SVR_DBG("Cannot send the response. %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GID_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -629,7 +707,7 @@ int process_pid_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_PID_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -643,7 +721,7 @@ int process_pid_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_RECV_FAILED) { SEC_SVR_DBG("%s", "Receiving request failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_PID_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -663,7 +741,7 @@ int process_pid_request(int sockfd) SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid); SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted."); retval = send_pid(sockfd, search_result->pid); - + if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval); @@ -673,8 +751,8 @@ int process_pid_request(int sockfd) { /* It's not exist */ SEC_SVR_DBG("%s", "Could not find the cookie"); - retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_PID_RESPONSE, + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_PID_RESPONSE, SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE); if(retval != SECURITY_SERVER_SUCCESS) { @@ -695,7 +773,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -711,7 +789,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) if(retval < sizeof(int)) { SEC_SVR_DBG("Error: argc recieve failed: %d", retval); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -725,7 +803,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) if(recved_argv == NULL) { SEC_SVR_DBG("Error: malloc() failed: %d", retval); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -735,13 +813,13 @@ int process_tool_request(int client_sockfd, int server_sockfd) goto error; } memset(recved_argv, 0, sizeof(char *) * argcnum); - + retval = recv_launch_tool_request(client_sockfd, argcnum -1, recved_argv); if(retval == SECURITY_SERVER_ERROR_RECV_FAILED) { SEC_SVR_DBG("%s", "Receiving request failed"); recved_argv = NULL; - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -753,7 +831,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) if(argcnum < 2) { SEC_SVR_DBG("Error: Too small number of argv [%d]", argcnum); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -767,7 +845,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Error: Cannot execute debug tool [%d]", retval); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -778,7 +856,7 @@ int process_tool_request(int client_sockfd, int server_sockfd) else { SEC_SVR_DBG("%s", "Tool has been executed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_SUCCESS); if(retval != SECURITY_SERVER_SUCCESS) @@ -823,7 +901,7 @@ void *security_server_thread(void *param) { /* Response */ SEC_SVR_DBG("Receiving header error [%d]",retval); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -849,6 +927,11 @@ void *security_server_thread(void *param) process_check_privilege_request(client_sockfd); break; + case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST: + SEC_SVR_DBG("%s", "Privilege check (new mode) received"); + process_check_privilege_new_request(client_sockfd); + break; + case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST: SEC_SVR_DBG("%s", "Get object name request received"); process_object_name_request(client_sockfd); @@ -873,7 +956,7 @@ void *security_server_thread(void *param) SEC_SVR_DBG("%s", "Server: validate password request received"); process_valid_pwd_request(client_sockfd); break; - + case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST: SEC_SVR_DBG("%s", "Server: set password request received"); process_set_pwd_request(client_sockfd); @@ -893,6 +976,17 @@ void *security_server_thread(void *param) SEC_SVR_DBG("%s", "Server: set password histroy request received"); process_set_pwd_history_request(client_sockfd); break; + + case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST: + SEC_SVR_DBG("%s", "Server: set password max challenge request received"); + process_set_pwd_max_challenge_request(client_sockfd); + break; + + case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST: + SEC_SVR_DBG("%s", "Server: set password validity request received"); + process_set_pwd_validity_request(client_sockfd); + break; + /************************************************************************************************/ /* Just for test. This code must be removed on release */ case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST: @@ -901,7 +995,7 @@ void *security_server_thread(void *param) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -922,7 +1016,7 @@ void *security_server_thread(void *param) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -939,7 +1033,7 @@ void *security_server_thread(void *param) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -956,7 +1050,7 @@ void *security_server_thread(void *param) default: SEC_SVR_DBG("Unknown msg ID :%d", basic_hdr.msg_id); /* Unknown message ID */ - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -982,7 +1076,7 @@ error: -int main(int argc, char* argv[]) +int main(int argc, char* argv[]) { int server_sockfd = 0, retval, client_sockfd = -1, args[2], rc; struct sigaction act, dummy; @@ -1034,7 +1128,7 @@ int main(int argc, char* argv[]) { SEC_SVR_DBG("%s", "cannot change session"); } - + pthread_mutex_init(&cookie_mutex, NULL); while(1) @@ -1042,7 +1136,7 @@ int main(int argc, char* argv[]) /* Accept a new client */ if(client_sockfd < 0) client_sockfd = accept_client(server_sockfd); - + if(client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT) continue; if(client_sockfd < 0) diff --git a/src/server/security-server-password.c b/src/server/security-server-password.c index ff84c64..270ce31 100644 --- a/src/server/security-server-password.c +++ b/src/server/security-server-password.c @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -61,7 +61,7 @@ int validate_pwd_file(char *filename) int dir_filter(const struct dirent *entry) { - if ((strcmp(entry->d_name, ".") == 0) || + if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0) || (strcmp(entry->d_name, "attempts") ==0) || (strcmp(entry->d_name, "history") ==0) ) @@ -101,7 +101,7 @@ int get_pwd_path(char *path) free(mydirent); return SECURITY_SERVER_SUCCESS; } - + int load_password(unsigned char *cur_pwd, unsigned int *max_attempt, unsigned int *expire_time) { int retval, fd; @@ -262,7 +262,7 @@ int get_current_attempt(int increase) return SECURITY_SERVER_ERROR_FILE_OPERATION; } } - return attempt; + return attempt; } int reset_attempt(void) @@ -321,20 +321,21 @@ int check_password(const unsigned char *cur_pwd, const unsigned char *requested_ } } - if(expire_time == 0) - { - SEC_SVR_DBG("Server: Password has been expired: %d, %d", current_time, expire_time); - return SECURITY_SERVER_ERROR_PASSWORD_EXPIRED; - } - /* Compare */ - if(memcmp(cur_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) == 0) + if(memcmp(cur_pwd, requested_pwd, SECURITY_SERVER_HASHED_PWD_LEN) != 0) { - SEC_SVR_DBG("%s", "Password matched"); - return SECURITY_SERVER_SUCCESS; + SEC_SVR_DBG("%s", "Password mismatched"); + return SECURITY_SERVER_ERROR_PASSWORD_MISMATCH; } - SEC_SVR_DBG("%s", "Password mismatched"); - return SECURITY_SERVER_ERROR_PASSWORD_MISMATCH; + + if(expire_time == 0) + { + SEC_SVR_DBG("Server: Password has been expired: %d, %d", current_time, expire_time); + return SECURITY_SERVER_ERROR_PASSWORD_EXPIRED; + } + + SEC_SVR_DBG("%s", "Password matched"); + return SECURITY_SERVER_SUCCESS; } int set_history(int num) @@ -381,7 +382,7 @@ int set_history(int num) SEC_SVR_DBG("%s", "Server: history set finished"); return SECURITY_SERVER_SUCCESS; } - + int get_history_num(void) { @@ -483,7 +484,7 @@ int check_history(const unsigned char *requested_pwd) retval2 = SECURITY_SERVER_ERROR_PASSWORD_REUSED; } history_count--; - + } /* Remove too old or invalid password history */ @@ -503,7 +504,7 @@ int check_history(const unsigned char *requested_pwd) } /* Password file format */ -/* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +/* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * |---------------------------------------------------------------| * | | * | | @@ -515,7 +516,7 @@ int check_history(const unsigned char *requested_pwd) * | Expiration time in seconds (4 bytes) | * |---------------------------------------------------------------| */ -int set_password(const unsigned char *requested_new_pwd, const unsigned int attempts, +int set_password(const unsigned char *requested_new_pwd, const unsigned int attempts, const unsigned int expire_time) { int retval, fd; @@ -563,7 +564,7 @@ int set_password(const unsigned char *requested_new_pwd, const unsigned int atte fsync(fd); close(fd); SEC_SVR_DBG("%s", "Password file created"); - return SECURITY_SERVER_SUCCESS; + return SECURITY_SERVER_SUCCESS; } int check_retry(const struct timeval cur_try) @@ -575,7 +576,7 @@ int check_retry(const struct timeval cur_try) if(interval_sec > SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND) return SECURITY_SERVER_SUCCESS; - if(interval_sec == SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND + if(interval_sec == SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_SECOND && interval_usec >= 0) return SECURITY_SERVER_SUCCESS; @@ -589,12 +590,12 @@ int process_valid_pwd_request(int sockfd) int retval, current_attempts, password_set; unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN]; unsigned int max_attempt, expire_time; - -/* + +/* if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -611,7 +612,7 @@ int process_valid_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Server: Retry timeout occurred"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER); if(retval != SECURITY_SERVER_SUCCESS) @@ -624,7 +625,7 @@ int process_valid_pwd_request(int sockfd) if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR) { SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -638,7 +639,7 @@ int process_valid_pwd_request(int sockfd) if(current_attempts < 0) { SEC_SVR_DBG("Server ERROR: Cannot get attempts: %d", current_attempts); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -650,9 +651,9 @@ int process_valid_pwd_request(int sockfd) /* There is no password */ if(password_set == SECURITY_SERVER_ERROR_NO_PASSWORD) { - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE, - SECURITY_SERVER_RETURN_CODE_NO_PASSWORD, + SECURITY_SERVER_RETURN_CODE_NO_PASSWORD, 0, 0, 0); if(retval != SECURITY_SERVER_SUCCESS) { @@ -662,7 +663,7 @@ int process_valid_pwd_request(int sockfd) } if(password_set == SECURITY_SERVER_SUCCESS) { - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST, current_attempts, max_attempt, expire_time); @@ -673,7 +674,7 @@ int process_valid_pwd_request(int sockfd) goto error; } SEC_SVR_DBG("Server ERROR: Unknown error: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -705,7 +706,7 @@ int process_set_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -722,7 +723,7 @@ int process_set_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Server: Retry timeout occurred"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER); if(retval != SECURITY_SERVER_SUCCESS) @@ -736,7 +737,7 @@ int process_set_pwd_request(int sockfd) if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR) { SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -751,7 +752,7 @@ int process_set_pwd_request(int sockfd) if(retval < sizeof(char) || cur_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN) { SEC_SVR_DBG("Server Error: current password length recieve failed: %d, %d", retval, cur_pwd_len); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -764,7 +765,7 @@ int process_set_pwd_request(int sockfd) if(retval < sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN) { SEC_SVR_DBG("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -783,7 +784,7 @@ int process_set_pwd_request(int sockfd) if(retval < cur_pwd_len) { SEC_SVR_DBG("Server Error: current password recieve failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -799,7 +800,7 @@ int process_set_pwd_request(int sockfd) if(password_set == SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Server Error: password is already set: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_EXIST); if(retval != SECURITY_SERVER_SUCCESS) @@ -815,7 +816,7 @@ int process_set_pwd_request(int sockfd) if(retval < new_pwd_len) { SEC_SVR_DBG("Server Error: new password recieve failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -831,7 +832,7 @@ int process_set_pwd_request(int sockfd) if(retval < sizeof(unsigned int)) { SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -846,7 +847,7 @@ int process_set_pwd_request(int sockfd) if(retval < sizeof(unsigned int)) { SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -864,7 +865,7 @@ int process_set_pwd_request(int sockfd) SHA256_Init(&context); SHA256_Update(&context, (unsigned char*)requested_new_pwd, strlen(requested_new_pwd)); SHA256_Final(hashed_new_pw, &context); - + /* check current password */ if(password_set == SECURITY_SERVER_SUCCESS) { @@ -872,7 +873,7 @@ int process_set_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH) { SEC_SVR_DBG("%s", "Server: Wrong password"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH); if(retval != SECURITY_SERVER_SUCCESS) @@ -884,7 +885,7 @@ int process_set_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED) { SEC_SVR_DBG("%s", "Server: Too many challange"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED); if(retval != SECURITY_SERVER_SUCCESS) @@ -896,7 +897,7 @@ int process_set_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED) { SEC_SVR_DBG("%s", "Server: Password expired"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED); if(retval != SECURITY_SERVER_SUCCESS) @@ -908,7 +909,7 @@ int process_set_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Error: Password check failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -920,7 +921,7 @@ int process_set_pwd_request(int sockfd) retval = check_history(hashed_new_pw); if(retval == SECURITY_SERVER_ERROR_PASSWORD_REUSED) { - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_REUSED); if(retval != SECURITY_SERVER_SUCCESS) @@ -934,7 +935,7 @@ int process_set_pwd_request(int sockfd) { /* Client ask to set with current password, but there is no password now */ SEC_SVR_DBG("%s", "Server: There is no current password. But try to set with current password"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH); if(retval != SECURITY_SERVER_SUCCESS) @@ -955,7 +956,7 @@ int process_set_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Server Error: Password set failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -970,7 +971,7 @@ int process_set_pwd_request(int sockfd) /* All done. send response */ SEC_SVR_DBG("%s", "Server: Password has been successfully modified"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SUCCESS); if(retval != SECURITY_SERVER_SUCCESS) @@ -994,11 +995,11 @@ int process_reset_pwd_request(int sockfd) SHA256_CTX context; /* Authenticate client that peer is setting app goes here*/ -/* +/* if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -1015,7 +1016,7 @@ int process_reset_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Server: Retry timeout occurred"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER); if(retval != SECURITY_SERVER_SUCCESS) @@ -1029,7 +1030,7 @@ int process_reset_pwd_request(int sockfd) if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR) { SEC_SVR_DBG("%s", "Server: Responding error because we cannot provide password service"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -1044,7 +1045,7 @@ int process_reset_pwd_request(int sockfd) if(retval < sizeof(char) || new_pwd_len > SECURITY_SERVER_MAX_PASSWORD_LEN) { SEC_SVR_DBG("Server Error: new password length recieve failed: %d, %d", retval, new_pwd_len); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1059,7 +1060,7 @@ int process_reset_pwd_request(int sockfd) if(retval < new_pwd_len) { SEC_SVR_DBG("Server Error: new password recieve failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1075,7 +1076,7 @@ int process_reset_pwd_request(int sockfd) if(retval < sizeof(unsigned int)) { SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1090,7 +1091,7 @@ int process_reset_pwd_request(int sockfd) if(retval < sizeof(unsigned int)) { SEC_SVR_DBG("Sever Error: Max attempt receive failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1115,7 +1116,7 @@ int process_reset_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Server Error: Password set failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -1128,7 +1129,7 @@ int process_reset_pwd_request(int sockfd) /* All done. send response */ SEC_SVR_DBG("%s", "Server: Password has been successfully modified"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_RESET_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SUCCESS); if(retval != SECURITY_SERVER_SUCCESS) @@ -1158,7 +1159,7 @@ int process_chk_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -1174,7 +1175,7 @@ int process_chk_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Server: Retry timeout occurred"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER); if(retval != SECURITY_SERVER_SUCCESS) @@ -1189,7 +1190,7 @@ int process_chk_pwd_request(int sockfd) if(password_set == SECURITY_SERVER_ERROR_SERVER_ERROR) { SEC_SVR_DBG("%s", "ServerERROR: Responding error because we cannot provide password service"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -1204,7 +1205,7 @@ int process_chk_pwd_request(int sockfd) if(retval < sizeof(char) || challenge_len > SECURITY_SERVER_MAX_PASSWORD_LEN) { SEC_SVR_DBG("Server ERROR: challenge length recieve failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1220,7 +1221,7 @@ int process_chk_pwd_request(int sockfd) if(retval < challenge_len) { SEC_SVR_DBG("Server ERROR: current password recieve failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1234,7 +1235,7 @@ int process_chk_pwd_request(int sockfd) else { SEC_SVR_DBG("Error: Challenge length too short: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1256,9 +1257,9 @@ int process_chk_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_MISMATCH) { SEC_SVR_DBG("%s", "Server: Wrong password"); - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, - SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH, + SECURITY_SERVER_RETURN_CODE_PASSWORD_MISMATCH, current_attempt, max_attempt, expire_time); if(retval != SECURITY_SERVER_SUCCESS) { @@ -1269,7 +1270,7 @@ int process_chk_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED) { SEC_SVR_DBG("%s", "Server: Too many trial"); - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_MAX_ATTEMPTS_EXCEEDED, current_attempt, max_attempt, expire_time); @@ -1282,7 +1283,7 @@ int process_chk_pwd_request(int sockfd) if(retval == SECURITY_SERVER_ERROR_PASSWORD_EXPIRED) { SEC_SVR_DBG("%s", "Server: Password expired"); - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_EXPIRED, current_attempt, max_attempt, 0); @@ -1295,7 +1296,7 @@ int process_chk_pwd_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Server ERROR: Password check failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -1307,7 +1308,7 @@ int process_chk_pwd_request(int sockfd) /* Password matched */ SEC_SVR_DBG("%s", "Server: Password matched"); - retval = send_pwd_response(sockfd, + retval = send_pwd_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_SUCCESS, current_attempt, max_attempt, expire_time); @@ -1320,9 +1321,9 @@ int process_chk_pwd_request(int sockfd) } /* There is no password */ - + SEC_SVR_DBG("%s", "Server: There is no password to be checked"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE, SECURITY_SERVER_RETURN_CODE_NO_PASSWORD); if(retval != SECURITY_SERVER_SUCCESS) @@ -1344,7 +1345,7 @@ int process_set_pwd_history_request(int sockfd) f(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Client Authentication Failed"); - retval = send_generic_response(client_sockfd, + retval = send_generic_response(client_sockfd, SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE, SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); if(retval != SECURITY_SERVER_SUCCESS) @@ -1361,7 +1362,7 @@ int process_set_pwd_history_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("%s", "Server: Retry timeout occurred"); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE, SECURITY_SERVER_RETURN_CODE_PASSWORD_RETRY_TIMER); if(retval != SECURITY_SERVER_SUCCESS) @@ -1376,7 +1377,7 @@ int process_set_pwd_history_request(int sockfd) if(retval < sizeof(char) || history_num > SECURITY_SERVER_MAX_PASSWORD_HISTORY || history_num < 0 ) { SEC_SVR_DBG("Server Error: History number recieve failed: %d, %d", retval, history_num); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE, SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); if(retval != SECURITY_SERVER_SUCCESS) @@ -1390,7 +1391,7 @@ int process_set_pwd_history_request(int sockfd) if(retval != SECURITY_SERVER_SUCCESS) { SEC_SVR_DBG("Server Error: History number set failed: %d", retval); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE, SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); if(retval != SECURITY_SERVER_SUCCESS) @@ -1399,7 +1400,7 @@ int process_set_pwd_history_request(int sockfd) } } SEC_SVR_DBG("Server History has been set to %d", history_num); - retval = send_generic_response(sockfd, + retval = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE, SECURITY_SERVER_RETURN_CODE_SUCCESS); if(retval != SECURITY_SERVER_SUCCESS) @@ -1409,3 +1410,170 @@ int process_set_pwd_history_request(int sockfd) error: return retval; } + + +int process_set_pwd_max_challenge_request(int sockfd) +{ + unsigned int max_challenge, current_challenge, current_validity; + unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN]; + int retval; + + // TODO here we should probably check if the peer has rights to change + // this value (max challenge) for current password + + retval = read(sockfd, &max_challenge, sizeof(unsigned int)); + if(retval < sizeof(unsigned int)) + { + SEC_SVR_DBG("Server Error: recieve failed: %d", retval); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + SEC_SVR_DBG("Server max challenge request: %d", max_challenge); + + // Getting currently set password + retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity); + /* If we cannot load password file */ + if(retval == SECURITY_SERVER_ERROR_NO_PASSWORD) + { + SEC_SVR_DBG("%s", "Server: can't read current password"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_NO_PASSWORD); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + else if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("%s", "Server: can't read current password"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + // Set 'new' password file with old password and new max challenge + retval = set_password(cur_pwd, max_challenge, time(NULL) + current_validity); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server Error: Password set failed: %d", retval); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SUCCESS); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + retval = reset_attempt(); +error: + return retval; +} + +int process_set_pwd_validity_request(int sockfd) +{ + unsigned int current_challenge, current_validity, validity; + unsigned char cur_pwd[SECURITY_SERVER_HASHED_PWD_LEN]; + int retval; + + // TODO here we should probably check if the peer has rights to change + // this value (validity) for current password + + retval = read(sockfd, &validity, sizeof(unsigned int)); + if(retval < sizeof(unsigned int)) + { + SEC_SVR_DBG("Server Error: recieve failed: %d", retval); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE, + SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + SEC_SVR_DBG("Server validity request: %d", validity); + + // Calculating validity in seconds + if(validity == 0) + validity = 0; + else + validity = time(NULL) + (validity * 86400); + + // Getting currently set password + retval = load_password(cur_pwd, ¤t_challenge, ¤t_validity); + /* If we cannot load password file */ + if(retval == SECURITY_SERVER_ERROR_NO_PASSWORD) + { + SEC_SVR_DBG("%s", "Server: can't read current password"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE, + SECURITY_SERVER_RETURN_CODE_NO_PASSWORD); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + else if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("%s", "Server: can't read current password"); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + // Set 'new' password file with old password and new validity + retval = set_password(cur_pwd, current_challenge, validity); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server Error: Password set failed: %d", retval); + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SERVER_ERROR); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + goto error; + } + + retval = send_generic_response(sockfd, + SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE, + SECURITY_SERVER_RETURN_CODE_SUCCESS); + if(retval != SECURITY_SERVER_SUCCESS) + { + SEC_SVR_DBG("Server ERROR: Cannot send generic response: %d", retval); + } + retval = reset_attempt(); +error: + return retval; +} diff --git a/src/util/security-server-util-common.c b/src/util/security-server-util-common.c index 6db71c1..93826e6 100644 --- a/src/util/security-server-util-common.c +++ b/src/util/security-server-util-common.c @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * @@ -19,6 +19,7 @@ * */ + #include #include #include diff --git a/src/util/security-server-util.c b/src/util/security-server-util.c index 3cc1aff..9e6e516 100644 --- a/src/util/security-server-util.c +++ b/src/util/security-server-util.c @@ -1,7 +1,7 @@ /* * security-server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im * diff --git a/testcases/debug-util.c b/testcases/debug-util.c index 310f8be..9925519 100644 --- a/testcases/debug-util.c +++ b/testcases/debug-util.c @@ -1,25 +1,12 @@ /* - * security-server - * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * security server * + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. + * Contact: Bumjin Im + * */ -#include + #include #include #include #include "security-server.h" diff --git a/testcases/security_server_tc_client.c b/testcases/security_server_tc_client.c index aa29375..8c7a32b 100644 --- a/testcases/security_server_tc_client.c +++ b/testcases/security_server_tc_client.c @@ -1,21 +1,8 @@ /* - * security-server + * security server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. + * Contact: Bumjin Im * */ @@ -35,21 +22,50 @@ int *g_permissions = NULL; gid_t *g_groups = NULL; int g_perm_num, g_group_num; +char *object_label = NULL; +char *subject_label = NULL; +char *access_rights = NULL; + +/* + * 0 - old mode (uid/gid) + * 1 - new mode (SMACK labels) + */ +int mode_new = 0; + void printusage(char *cmdline) { printf("%s\n", "Usage: "); printf("%s -u uid -g gid1 gid2 gid3... -p gid_a gid_b gid_c ...\n", cmdline); + printf("%s\n", "or:"); + printf("%s -s subject -o object -a access-rights\n", cmdline); printf("%s\n", "[Options]"); printf("%s\n", "-u: UID that the process are running as"); printf("%s\n", " Only one UID is allowed."); printf("%s\n", "-g: GIDs that the process belongs to"); printf("%s\n", "-p: GIDs that the process wants to get privilege"); - printf("%s\n", "Example:"); + printf("%s\n", "-s: subject label (label of the process)"); + printf("%s\n", "-o: object label to be accessed"); + printf("%s\n", "-a: accessed rights requested (one or more of the letterrs rwx)"); + printf("%s\n", "Examples:"); printf("%s -u 5000 -g 6001 6002 6003 6004 6005 6006 6007 -p 6001 6002 6010\n", cmdline); + printf("%s -s mylabel -o objlabel -a rx\n", cmdline); } int privilege_control(int argc, char *argv[]) { + + if (argc == 7 && !strcmp(argv[1], "-s")) + { + return privilege_control_new(argc, argv); + } + else + { + return privilege_control_old(argc, argv); + } +} + +int privilege_control_old(int argc, char *argv[]) +{ int option = 0; /* 0: no, 1: uID, 2: gid, 3: permission */ int uid_flag = 0, gid_flag= 0, perm_flag = 0, i = 1, number, uid = 0, j; @@ -153,6 +169,44 @@ int privilege_control(int argc, char *argv[]) return 0; } +int privilege_control_new(int argc, char *argv[]) +{ + if (argc == 7 && !strcmp(argv[1], "-s") && + !strcmp(argv[3], "-o") && + !strcmp(argv[5], "-a")) + { + int fd, len, ret; int e; + mode_new = 1; + subject_label = argv[2]; + object_label = argv[4]; + access_rights = argv[6]; + fd = open("/proc/self/attr/current", O_WRONLY|O_TRUNC, 0); + if (fd < 0) + { + printf("Cannot set my own smack label... maybe I'm not root?"); + exit(1); + } + len = strlen(subject_label); + ret = write(fd, subject_label, len); + if (ret != len) + { + e = errno; + printf("(2)Cannot set my own smack label... maybe I'm not root?"); + exit(1); + } + close(fd); + setgid(1); + setuid(1); + } + else + { + printusage(argv[0]); + exit(1); + } + + return 0; +} + int connect_to_testserver() { struct sockaddr_un clientaddr; @@ -211,6 +265,58 @@ int send_request(int sock_fd, unsigned char *cookie, int perm) return 0; } +/* + * @param direct 0=via security server 1=directly from IPC socket + */ +int send_request_new_cookie(int sock_fd, + const char *cookie, + const char *subject_label, + const char *access_rights) +{ + unsigned char buf[1024] = {17, 0, 0, 0, }; + int olen, alen; + int size, ret; + olen = strlen(subject_label); + alen = strlen(access_rights); + size = 24+2*sizeof(int)+olen+alen; + memcpy(buf + 4, cookie, 20); + memcpy(buf + 24, &olen, sizeof(int)); + memcpy(buf + 28, &alen, sizeof(int)); + memcpy(buf + 32, subject_label, olen); + memcpy(buf + 32 + olen, access_rights, alen); + ret = write(sock_fd, buf, size); + if(ret < size) + { + printf("Cannot send\n"); + close(sock_fd); + exit(1); + } + return 0; +} + +int send_request_new_direct(int sock_fd, + const char *object_label, + const char *access_rights) +{ + unsigned char buf[1024] = {17, 0, 0, 1, }; + int olen, alen; + int size, ret; + olen = strlen(object_label); + alen = strlen(access_rights); + size = 24+2*sizeof(int)+olen+alen; + memcpy(buf + 4, &olen, sizeof(int)); + memcpy(buf + 8, &alen, sizeof(int)); + memcpy(buf + 12, object_label, olen); + memcpy(buf + 12 + olen, access_rights, alen); + ret = write(sock_fd, buf, size); + if(ret < size) + { + printf("Cannot send\n"); + close(sock_fd); + exit(1); + } + return 0; +} int recv_result(int sock_fd) { @@ -288,14 +394,21 @@ int main(int argc, char *argv[]) sleep(1); printf("TC C4: security_server_check_privilege(): client is not allowed\n"); - ret = security_server_check_privilege(cookie, g_permissions[0]); - if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED) - { - printf("TC C4 failed. %d\n", ret); - exit(1); - } - printf("TC C4: PASSED\n\n"); - sleep(1); + if (mode_new) + { + printf("TC C4: SKIPPED because new mode (SMACK-based) was selected.\n"); + } + else + { + ret = security_server_check_privilege(cookie, g_permissions[0]); + if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED) + { + printf("TC C4 failed. %d\n", ret); + exit(1); + } + printf("TC C4: PASSED\n\n"); + sleep(1); + } printf("TC C5: security_server_get_gid(): client is not allowed\n"); ret = security_server_get_gid("telephony"); @@ -308,52 +421,145 @@ int main(int argc, char *argv[]) sleep(1); printf("TC C6: security_server_get_object_name(): client is not allowed\n"); - ret = security_server_get_object_name(g_groups[0], tmpchar, sizeof(tmpchar)); - if(ret != SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED) - { - printf("TC C6 failed. %d\n", ret); - exit(1); - } - printf("TC C6: PASSED\n\n"); - sleep(1); - - printf("TC C7: Requesting access to test server\n"); - for(i=0;i%s<\n", object_label); + printf("subject: >%s<\n", subject_label); + printf("access: >%s<\n", access_rights); + + sock_fd = connect_to_testserver(); + if(sock_fd < 1) + { + printf("Socket connection error\n"); + exit(1); + } + ret = send_request_new_cookie(sock_fd, cookie, object_label, access_rights); + if(ret != 0) + { + printf("send failed\n"); + close(sock_fd); + exit(1); + } + ret = recv_result(sock_fd); + if(ret == SECURITY_SERVER_API_SUCCESS) + { + printf("Permission granted\n\n"); + } + else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) + { + printf("Permission denied\n\n"); + } + else + { + printf("Recv error\n"); + close(sock_fd); + exit(1); + } + close(sock_fd); + sock_fd = 0; + sleep(1); + } + else + { + for(i=0;i%s<\n", subject_label); + printf("object: >%s<\n", object_label); + printf("access: >%s<\n", access_rights); + + sock_fd = connect_to_testserver(); + if(sock_fd < 1) + { + printf("Socket connection error\n"); + exit(1); + } + ret = send_request_new_direct(sock_fd, object_label, access_rights); + if(ret != 0) + { + printf("send failed\n"); + close(sock_fd); + exit(1); + } + ret = recv_result(sock_fd); + if(ret == SECURITY_SERVER_API_SUCCESS) + { + printf("Permission granted\n\n"); + } + else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) + { + printf("Permission denied\n\n"); + } + else + { + printf("Recv error\n"); + close(sock_fd); + exit(1); + } + close(sock_fd); + sock_fd = 0; + sleep(1); + } + else + { + printf("TC C7a: SKIPPED because old mode (uid/gid-based) was selected.\n"); + } - ret = recv_result(sock_fd); - if(ret == SECURITY_SERVER_API_SUCCESS) - { - printf("Permission granted\n\n"); - } - else if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) - { - printf("Permission denied\n\n"); - } - else - { - printf("Recv error\n"); - close(sock_fd); - exit(1); - } - close(sock_fd); - sock_fd = 0; - } - sleep(1); printf("TC 08: Requesting cookie for same PID with different path\n"); printf(" Exiting this process to cycle different process as same PID.\n"); printf(" Please look at the test server's terminal for the result\n"); diff --git a/testcases/security_server_tc_password.c b/testcases/security_server_tc_password.c index 721d2dd..f31134b 100644 --- a/testcases/security_server_tc_password.c +++ b/testcases/security_server_tc_password.c @@ -1,21 +1,8 @@ /* - * security-server + * security server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. + * Contact: Bumjin Im * */ @@ -57,7 +44,7 @@ void printhex(unsigned char *data, int size) int dir_filter(const struct dirent *entry) { - if ((strcmp(entry->d_name, ".") == 0) || + if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0) || (strcmp(entry->d_name, "attempts") ==0) || (strcmp(entry->d_name, "history") ==0) ) @@ -103,6 +90,40 @@ int main(int argc, char *argv[]) printf("If not, you will see some TC failures\n"); } + printf("TC P1.1: security_server_set_pwd_validity(): There is no password yet\n"); + ret = security_server_set_pwd_validity(10); + if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD) + { + printf("TC P1.1 failed. %d\n", ret); + exit(1); + } + ret = security_server_set_pwd_validity(11); + if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD) + { + printf("TC P1.1 failed. %d\n", ret); + exit(1); + } + + printf("TC P1.1: PASSED\n\n"); + sleep(1); + + printf("TC P1.2: security_server_set_pwd_max_challenge(): There is no password yet\n"); + ret = security_server_set_pwd_max_challenge(5); + if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD) + { + printf("TC P1.2 failed. %d\n", ret); + exit(1); + } + ret = security_server_set_pwd_max_challenge(6); + if(ret != SECURITY_SERVER_API_ERROR_NO_PASSWORD) + { + printf("TC P1.2 failed. %d\n", ret); + exit(1); + } + + printf("TC P1.2: PASSED\n\n"); + sleep(1); + printf("TC P2: security_server_chk_pwd(): Too long password case\n"); ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec); /* 33 chars */ if(ret != SECURITY_SERVER_API_ERROR_INPUT_PARAM) @@ -181,6 +202,68 @@ int main(int argc, char *argv[]) printf("TC P7: PASSED\n\n"); sleep(1); + + printf("TC P7.1: security_server_set_pwd_validity(): Normal case when there is a password\n"); + ret = security_server_set_pwd_validity(1); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P7.1 failed. %d\n", ret); + exit(1); + } + + ret = security_server_set_pwd_validity(2); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P7.1 failed. %d\n", ret); + exit(1); + } + + ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); + if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) + { + printf("TC P7.1 failed. %d\n", ret); + exit(1); + } + if (expire_sec < 172798 || expire_sec > 172800) // About 2 days in seconds +-1 second + { + printf("TC P7.1 failed. Invalid expiration time in seconds: %d", expire_sec); + exit(1); + } + + printf("TC P7.1: PASSED\n\n"); + sleep(1); + + + printf("TC P7.2: security_server_set_pwd_max_challenge(): Normal case when there is a password\n"); + ret = security_server_set_pwd_max_challenge(5); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P7.2 failed. %d\n", ret); + exit(1); + } + + + ret = security_server_set_pwd_max_challenge(6); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P7.2 failed. %d\n", ret); + exit(1); + } + ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); + if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) + { + printf("TC P7.1 failed. %d\n", ret); + exit(1); + } + if (6 != max_attempt) + { + printf("TC P7.2 failed. Invalid max_attempt: %d", max_attempt); + exit(1); + } + + printf("TC P7.2: PASSED\n\n"); + sleep(1); + printf("TC P8: security_server_chk_pwd(): normal(correct pwd) case\n"); ret = security_server_chk_pwd(argv[1], &attempt, &max_attempt, &expire_sec); if(ret != SECURITY_SERVER_API_SUCCESS) @@ -200,7 +283,7 @@ int main(int argc, char *argv[]) } printf("TC P9: PASSED\n\n"); sleep(1); - + printf("TC P10: security_server_chk_pwd(): incorrect pwd case\n"); (argv[1])[0]++; ret = security_server_chk_pwd(argv[1], &attempt, &max_attempt, &expire_sec); @@ -278,7 +361,7 @@ int main(int argc, char *argv[]) exit(1); } printf("TC P13: PASSED\n\n"); - sleep(1); + sleep(1); printf("TC P14: security_server_chk_pwd(): attempt exceeding case\n"); for(i=0;i<10;i++) @@ -305,7 +388,7 @@ int main(int argc, char *argv[]) exit(1); } printf("TC P14: PASSED\n\n"); - sleep(1); + sleep(1); printf("TC P15: security_server_reset_pwd(): Reset current password\n"); ret = security_server_reset_pwd(argv[1],0, 0); @@ -315,7 +398,7 @@ int main(int argc, char *argv[]) exit(1); } printf("TC P15: PASSED\n\n"); - sleep(1); + sleep(1); printf("TC P16: security_server_set_pwd(): Check expiration \n"); ret = security_server_set_pwd(argv[1], argv[2], 10, 1); @@ -337,7 +420,7 @@ int main(int argc, char *argv[]) exit(1); } printf("TC P16: PASSED\n\n"); - sleep(1); + sleep(1); printf("TC P17: security_server_chk_pwd(): Check expiration sec decreasing\n"); ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); @@ -367,7 +450,7 @@ int main(int argc, char *argv[]) sleep(1); } printf("\nTC P17: PASSED\n\n"); - + printf("TC P18: security_server_chk_pwd(): Check expiration with system time change\n"); ret = gettimeofday(&cur_time, NULL); if(ret < 0) @@ -518,7 +601,7 @@ int main(int argc, char *argv[]) } printf("TC P23: security_server_chk_pwd(): incorrect with replay attack\n"); ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec); - do + do { i = i + 100000; ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec); @@ -535,6 +618,50 @@ int main(int argc, char *argv[]) printf("Last interval was %d.%06d sec.\n", (i /1000000), (i % 1000000) ); printf("TC P23: PASSED\n\n"); + printf("TC P24: security_server_chk_pwd(): wrong challenge on expired password\n"); + sleep(2); + ret = security_server_set_pwd("history60", "newpwd23", 4, 1); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P24 failed[1]. %d\n", ret); + exit(1); + } + sleep(2); + ret = security_server_chk_pwd("newpwd23", &attempt, &max_attempt, &expire_sec); + if(ret != SECURITY_SERVER_API_SUCCESS) + { + printf("TC P24 failed[2]. %d\n", ret); + exit(1); + } + + ret = gettimeofday(&cur_time, NULL); + if(ret < 0) + { + printf("TC P24 failed[3]. %d\n", ret); + exit(1); + } + cur_time.tv_sec += (expire_sec + 1); + ret = settimeofday(&cur_time, NULL); + if(ret < 0) + { + printf("TC P24 failed[4]. %d\n", ret); + exit(1); + } + sleep(2); + ret = security_server_chk_pwd("newpwd23", &attempt, &max_attempt, &expire_sec); + if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED) + { + printf("TC P24 failed[5]. %d\n", ret); + exit(1); + } + sleep(2); + ret = security_server_chk_pwd("newpwd23_invalid", &attempt, &max_attempt, &expire_sec); + if(ret != SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH) + { + printf("TC P24 failed[6]. %d\n", ret); + exit(1); + } + printf("TC P24: PASSED\n\n"); return 0; } diff --git a/testcases/security_server_tc_pid_reuser.c b/testcases/security_server_tc_pid_reuser.c index 8971085..6f3c1df 100644 --- a/testcases/security_server_tc_pid_reuser.c +++ b/testcases/security_server_tc_pid_reuser.c @@ -1,21 +1,9 @@ /* - * security-server + * security server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * Contact: Bumjin Im * */ diff --git a/testcases/security_server_tc_server.c b/testcases/security_server_tc_server.c index 7ca4f34..6d8247b 100644 --- a/testcases/security_server_tc_server.c +++ b/testcases/security_server_tc_server.c @@ -1,21 +1,8 @@ /* - * security-server + * security server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. + * Contact: Bumjin Im * */ @@ -307,7 +294,9 @@ int main(int argc, char *argv[]) char obj_name[30]; struct pollfd accept_poll[1], client_poll[1]; struct sockaddr_un clientaddr; - + int olen, alen; + char olabel[1024]; + char arights[32]; ret = getuid(); if(ret != 0) @@ -574,9 +563,7 @@ int main(int argc, char *argv[]) } } } - else - { - if(recvbuf[0] == 255 && recvbuf[1] == 255 && recvbuf[2] == 255 && recvbuf[3] == 255) + else if(recvbuf[0] == 255 && recvbuf[1] == 255 && recvbuf[2] == 255 && recvbuf[3] == 255) { char *myargv[5] = {NULL}; int i, cnt; @@ -625,12 +612,137 @@ int main(int argc, char *argv[]) free(myargv[3]); } } - else + else if(recvbuf[0] == 17 ) + { + if (recvbuf[3] == 0) + { + ret = read(client_sockfd, recvbuf, 20); + if(ret < 20) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + memcpy(recved_cookie, recvbuf, 20); + ret = read(client_sockfd, &olen, 4); + if(ret < 4) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + ret = read(client_sockfd, &alen, 4); + if(ret < 4) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + ret = read(client_sockfd, olabel, olen); + if(ret < olen) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + olabel[olen] = '\0'; + ret = read(client_sockfd, arights, alen); + if(ret < alen) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + arights[alen] = '\0'; + printf("Check by cookie requested.\n"); + printf("requested cookie: \n"); + printhex(recved_cookie, 20); + printf("olen: %d\n", olen); + printf("object label: >%s<\n", olabel); + printf("alen: %d\n", alen); + printf("access rights: >%s<\n", arights); + + ret = security_server_check_privilege_by_cookie( + recved_cookie, olabel, arights); + + printf("return: %d\n", ret); + + ret = write(client_sockfd, &ret, sizeof(int)); + if(ret < sizeof(int)) + { + printf("Send error: %d\n", ret); + printf("Test failed: %d\n", ret); + goto error; + } + } + else if (recvbuf[3] == 1) + { + ret = read(client_sockfd, &olen, 4); + if(ret < 4) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + ret = read(client_sockfd, &alen, 4); + if(ret < 4) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + ret = read(client_sockfd, olabel, olen); + if(ret < olen) + { + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + olabel[olen] = '\0'; + ret = read(client_sockfd, arights, alen); + if(ret < alen) { - printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]); + close(client_sockfd); + printf("cannot read request:%d\n", ret); + close(client_sockfd); + continue; + } + arights[alen] = '\0'; + printf("Check by sockfd requested.\n"); + printf("olen: %d\n", olen); + printf("object label: >%s<\n", olabel); + printf("alen: %d\n", alen); + printf("access rights: >%s<\n", arights); + + ret = security_server_check_privilege_by_sockfd( + client_sockfd, olabel, arights); + + ret = write(client_sockfd, &ret, sizeof(int)); + if(ret < sizeof(int)) + { + printf("Send error: %d\n", ret); printf("Test failed: %d\n", ret); goto error; } + } else { + printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]); + printf("Test failed: %d\n", ret); + goto error; + } + } + else + { + printf("malformed request. %d, %d, %d, %d\n", recvbuf[0], recvbuf[1], recvbuf[2], recvbuf[3]); + printf("Test failed: %d\n", ret); + goto error; } if(client_sockfd > 0) { diff --git a/testcases/test.h b/testcases/test.h index 4202966..076c992 100644 --- a/testcases/test.h +++ b/testcases/test.h @@ -1,21 +1,8 @@ /* - * security-server + * security server * - * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License + * Copyright (c) 2000 - 2010 Samsung Electronics Co., Ltd. + * Contact: Bumjin Im * */ -- 2.7.4