BuildRequires: pkgconfig(libsmack)
BuildRequires: pkgconfig(libsystemd-daemon)
BuildRequires: pkgconfig(db-util)
+BuildRequires: pkgconfig(vconf)
BuildRequires: boost-devel
Requires: libkey-manager-common = %{version}-%{release}
%{?systemd_requires}
libsystemd-daemon
capi-base-common
db-util
+ vconf
REQUIRED
)
FIND_PACKAGE(Threads REQUIRED)
// database only. This function may be used during application uninstallation.
virtual int removeApplicationData(const std::string &smackLabel) = 0;
- virtual int setCCMode(CCModeState mode) = 0;
+ virtual int updateCCMode() = 0;
virtual int allowAccess(uid_t user,
const std::string &owner,
COUNT
};
-enum class CCModeState : int {
- CC_MODE_OFF = 0,
- CC_MODE_ON
-};
-
enum class AccessRight: int {
AR_READ = 0,
AR_READ_REMOVE
#define CKM_LISTENER_TAG "CKM_LISTENER"
-#ifndef MDPP_MODE_ENFORCING
-#define MDPP_MODE_ENFORCING "Enforcing"
-#endif
-
-#ifndef MDPP_MODE_ENABLED
-#define MDPP_MODE_ENABLED "Enabled"
-#endif
-
#ifndef VCONFKEY_SECURITY_MDPP_STATE
#define VCONFKEY_SECURITY_MDPP_STATE "file/security_mdpp/security_mdpp_state"
#endif
SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "%s", str);
}
-void callSetCCMode(const char *mdpp_state)
+void callUpdateCCMode()
{
+ // TODO make it call ckm only if it's already running (lock file)
auto control = CKM::Control::create();
- int ret = CKM_API_SUCCESS;
- if ( !strcmp(mdpp_state, MDPP_MODE_ENABLED) ||
- !strcmp(mdpp_state, MDPP_MODE_ENFORCING) )
- ret = control->setCCMode(CKM::CCModeState::CC_MODE_ON);
- else
- ret = control->setCCMode(CKM::CCModeState::CC_MODE_OFF);
+ int ret = control->updateCCMode();
SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "Callback caller process id : %d\n", getpid());
if ( ret != CKM_API_SUCCESS )
- SLOG(LOG_ERROR, CKM_LISTENER_TAG, "CKM::Control::setCCMode error. ret : %d\n", ret);
+ SLOG(LOG_ERROR, CKM_LISTENER_TAG, "CKM::Control::updateCCMode error. ret : %d\n", ret);
else
- SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "CKM::Control::setCCMode success. mdpp_state : %s", mdpp_state);
+ SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "CKM::Control::updateCCMode success.\n");
}
void packageUninstalledEventCallback(
}
}
-void ccModeChangedEventCallback(
- keynode_t *key,
- void *userData)
+void ccModeChangedEventCallback(keynode_t*, void*)
{
- (void) key;
- (void) userData;
-
- char *mdpp_state = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
- callSetCCMode(mdpp_state);
+ callUpdateCCMode();
}
int main(void) {
int ret = 0;
char *mdpp_state = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
- if ( mdpp_state ) { // set CC mode and register event callback only when mdpp vconf key exists
- callSetCCMode(mdpp_state);
+ if ( mdpp_state ) { // Update cc mode and register event callback only when mdpp vconf key exists
+ callUpdateCCMode();
SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "register vconfCCModeChanged event callback start");
if ( 0 != (ret = vconf_notify_key_changed(VCONFKEY_SECURITY_MDPP_STATE, ccModeChangedEventCallback, NULL)) ) {
});
}
- virtual int setCCMode(CCModeState mode) {
+ virtual int updateCCMode() {
return try_catch([&] {
- if(((mode != CCModeState::CC_MODE_OFF)) && (mode != CCModeState::CC_MODE_ON)) {
- return CKM_API_ERROR_INPUT_PARAM;
- }
-
MessageBuffer recv;
- auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::SET_CC_MODE),
- static_cast<int>(mode));
+ auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::UPDATE_CC_MODE));
int retCode = sendToServer(
SERVICE_SOCKET_CKM_CONTROL,
send.Pop(),
CHANGE_USER_PASSWORD,
RESET_USER_PASSWORD,
REMOVE_APP_DATA,
- SET_CC_MODE,
+ UPDATE_CC_MODE,
ALLOW_ACCESS,
DENY_ACCESS,
// for backward compatibility append new at the end
* @version 1.0
* @brief Sample service implementation.
*/
+#include <vconf/vconf.h>
#include <dpl/serialization.h>
#include <dpl/log/log.h>
#include <ckm/ckm-error.h>
#include <ckm-logic.h>
#include <key-impl.h>
+#ifndef VCONFKEY_SECURITY_MDPP_STATE
+#define VCONFKEY_SECURITY_MDPP_STATE = "file/security_mdpp/security_mdpp_state";
+#endif
+
namespace {
const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
+
+const char* const MDPP_MODE_ENFORCING = "Enforcing";
+const char* const MDPP_MODE_ENABLED = "Enabled";
+
} // anonymous namespace
namespace CKM {
-CKMLogic::CKMLogic()
+CKMLogic::CKMLogic() : m_ccMode(false)
{
int retCode = FileSystem::init();
// TODO what can I do when init went wrong? exit(-1) ??
LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
}
- cc_mode_status = CCModeState::CC_MODE_OFF;
+ updateCCMode_internal();
}
CKMLogic::~CKMLogic(){}
return MessageBuffer::Serialize(retCode).Pop();
}
-RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) {
-
- int retCode = CKM_API_SUCCESS;
+void CKMLogic::updateCCMode_internal() {
int fipsModeStatus = 0;
int rc = 0;
+ bool newMode;
- if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) {
- retCode = CKM_API_ERROR_INPUT_PARAM;
- }
+ char *mdppState = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
+ newMode = ( mdppState && (!strcmp(mdppState, MDPP_MODE_ENABLED) ||
+ !strcmp(mdppState, MDPP_MODE_ENFORCING)) );
+ if (newMode == m_ccMode)
+ return;
+
+ m_ccMode = newMode;
- cc_mode_status = mode_status;
fipsModeStatus = FIPS_mode();
- if(cc_mode_status == CCModeState:: CC_MODE_ON) {
+ if(m_ccMode) {
if(fipsModeStatus == 0) { // If FIPS mode off
rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
if(rc == 0) {
}
}
}
+}
- return MessageBuffer::Serialize(retCode).Pop();
+RawBuffer CKMLogic::updateCCMode() {
+ updateCCMode_internal();
+ return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
}
RawBuffer CKMLogic::lockUserKey(uid_t user) {
}
// Do not encrypt data with password during cc_mode on
- if(cc_mode_status == CCModeState::CC_MODE_ON) {
+ if(m_ccMode) {
handler.crypto.encryptRow("", row);
} else {
handler.crypto.encryptRow(policy.password, row);
}
// Prevent extracting private keys during cc-mode on
- if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) {
+ if((m_ccMode) && (row.dataType == DBDataType::KEY_RSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_ECDSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_DSA_PRIVATE))
+ {
row.data.clear();
retCode = CKM_API_ERROR_BAD_REQUEST;
}
const HashAlgorithm hash,
const RSAPaddingAlgorithm padding);
- RawBuffer setCCModeStatus(CCModeState mode_status);
+ RawBuffer updateCCMode();
RawBuffer allowAccess(
Credentials &cred,
const Password &password, // password for public_key (optional)
const KeyImpl &genericKey);
+ void updateCCMode_internal();
+
std::map<uid_t, UserData> m_userDataMap;
CertificateStore m_certStore;
- CCModeState cc_mode_status;
+ bool m_ccMode;
};
} // namespace CKM
RawBuffer CKMService::processControl(MessageBuffer &buffer) {
int command;
- int cc_mode_status;
uid_t user;
ControlCommand cc;
Password newPass, oldPass;
case ControlCommand::REMOVE_APP_DATA:
buffer.Deserialize(smackLabel);
return m_logic->removeApplicationData(smackLabel);
- case ControlCommand::SET_CC_MODE:
- buffer.Deserialize(cc_mode_status);
- return m_logic->setCCModeStatus(static_cast<CCModeState>(cc_mode_status));
+ case ControlCommand::UPDATE_CC_MODE:
+ return m_logic->updateCCMode();
case ControlCommand::ALLOW_ACCESS:
{
std::string owner;