17 files changed, 119 insertions, 19 deletions
diff --git a/src/appMain/life_cycle.cc b/src/appMain/life_cycle.cc index cb38d621db..f342da63f4 100644 --- a/src/appMain/life_cycle.cc +++ b/src/appMain/life_cycle.cc @@ -198,6 +198,7 @@ bool LifeCycle::StartComponents() { #ifdef ENABLE_SECURITY security_manager_->set_session_observer(connection_handler_); security_manager_->set_protocol_handler(protocol_handler_); + security_manager_->AddListener(app_manager_); security_manager_->set_crypto_manager(crypto_manager_); #endif // ENABLE_SECURITY @@ -388,6 +389,7 @@ void LifeCycle::StopComponents() { protocol_handler_->RemoveProtocolObserver(media_manager_); #ifdef ENABLE_SECURITY protocol_handler_->RemoveProtocolObserver(security_manager_); + security_manager_->RemoveListener(app_manager_); #endif // ENABLE_SECURITY protocol_handler_->Stop(); diff --git a/src/appMain/smartDeviceLink.ini b/src/appMain/smartDeviceLink.ini index 4b0d83ed61..c237ad7175 100644 --- a/src/appMain/smartDeviceLink.ini +++ b/src/appMain/smartDeviceLink.ini @@ -165,6 +165,9 @@ ForceProtectedService = Non ; Services which can not be started protected or delayed protected ;ForceUnprotectedService = 0x07 ForceUnprotectedService = Non +; The PTU will be triggered in case expiration date of certificate +; then certain hours amount +UpdateBeforeHours = 24 [Policy] EnablePolicy = true diff --git a/src/components/application_manager/include/application_manager/application_manager_impl.h b/src/components/application_manager/include/application_manager/application_manager_impl.h index 759691ae38..0d804458fe 100644 --- a/src/components/application_manager/include/application_manager/application_manager_impl.h +++ b/src/components/application_manager/include/application_manager/application_manager_impl.h 
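Review bot: The comment added above `UpdateBeforeHours` in smartDeviceLink.ini does not say what the value means; "in case expiration date of certificate then certain hours amount" is missing its verb. This threshold decides when a certificate refresh is requested, so the comment should state the unit and the direction, for example `; Trigger a PTU when the certificate expires in fewer than this many hours`. It would also help to say what happens when the key is absent, which depends on a default in profile.cc that this diff does not show.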
@@ -651,6 +651,8 @@ class ApplicationManagerImpl : public ApplicationManager, uint32_t connection_key, security_manager::SSLContext::HandshakeResult result) OVERRIDE FINAL; + void OnCertificateUpdateRequired() OVERRIDE FINAL; + security_manager::SSLContext::HandshakeContext GetHandshakeContext(uint32_t key) const OVERRIDE FINAL; #endif // ENABLE_SECURITY diff --git a/src/components/application_manager/src/application_manager_impl.cc b/src/components/application_manager/src/application_manager_impl.cc index a9e67a93ca..4fed37a455 100644 --- a/src/components/application_manager/src/application_manager_impl.cc +++ b/src/components/application_manager/src/application_manager_impl.cc @@ -1199,7 +1199,12 @@ bool ApplicationManagerImpl::OnHandshakeDone( SSLContext::Handshake_Result_NotYetValid)) { app->usage_report().RecordTLSError(); } - return true; + return false; +} + +void ApplicationManagerImpl::OnCertificateUpdateRequired() { + LOG4CXX_AUTO_TRACE(logger_); + policy::PolicyHandler::instance()->OnPTExchangeNeeded(); } security_manager::SSLContext::HandshakeContext diff --git a/src/components/config_profile/include/config_profile/profile.h b/src/components/config_profile/include/config_profile/profile.h index 5767e68ae4..e3ef1a82a7 100644 --- a/src/components/config_profile/include/config_profile/profile.h +++ b/src/components/config_profile/include/config_profile/profile.h @@ -400,7 +400,6 @@ class Profile : public utils::Singleton<Profile> { uint32_t update_before_hours() const; #endif //ENABLE_SECURITY - /** * @brief Reads a string value from the profile * diff --git a/src/components/config_profile/src/profile.cc b/src/components/config_profile/src/profile.cc index ed9798198c..92c139ce8d 100644 --- a/src/components/config_profile/src/profile.cc +++ b/src/components/config_profile/src/profile.cc 
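Review bot: In application_manager_impl.cc, `OnHandshakeDone` now ends with `return false` instead of `return true`, and nothing in the hunk says why. The meaning of the return value is defined by SecurityManagerListener outside this hunk; presumably it controls whether the listener stays registered, which ApplicationManagerImpl now needs in order to receive `OnCertificateUpdateRequired`. If that is the reason, say so at the return, e.g. `// Stay registered: this listener must keep receiving certificate-update notifications`, and check that no caller relied on the old value. The start of `OnHandshakeDone` is outside the hunk.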
@@ -111,6 +111,31 @@ const char* kNamedVideoPipePathKey = "NamedVideoPipePath"; const char* kNamedAudioPipePathKey = "NamedAudioPipePath"; const char* kVideoStreamFileKey = "VideoStreamFile"; const char* kAudioStreamFileKey = "AudioStreamFile"; + +#ifdef ENABLE_SECURITY +const char* kSecurityProtocolKey = "Protocol"; +const char* kSecurityCertificatePathKey = "CertificatePath"; +const char* kSecurityCACertificatePathKey = "CACertificatePath"; +const char* kSecuritySSLModeKey = "SSLMode"; +const char* kSecurityKeyPathKey = "KeyPath"; +const char* kSecurityCipherListKey = "CipherList"; +const char* kSecurityVerifyPeerKey = "VerifyPeer"; +const char* kBeforeUpdateHours = "UpdateBeforeHours"; +#endif + +#ifdef CUSTOMER_PASA +const char* kHMIHeartBeatTimeoutKey = "HMIHeartBeatTimeout"; +const char* kLoggerSection = "LOGGING"; +const char* kAudioMQPath = "MQAudioPath"; +const char* kLoggerConfigFileKey = "LoggerConfigFile"; +const char* kRemoteLoggingFlagFileKey = "RemoteLoggingFlagFile"; +const char* kRemoteLoggingFlagFilePathKey = "RemoteLoggingFlagFilePath"; +const char* kTargetLogFileHomeDirKey = "TargetLogFileHomeDir"; +const char* kTargetLogFileNamePatternKey = "TargetLogFileNamePattern"; +const char* kTargetBootCountFileKey = "TargetBootCountFile"; +const char* kTargetTmpDirKey = "TargetTmpDir"; +const char* kLogFileMaxSizeKey = "LogFileMaxSize"; +#endif const char* kAudioDataStoppedTimeoutKey = "AudioDataStoppedTimeout"; const char* kVideoDataStoppedTimeoutKey = "VideoDataStoppedTimeout"; const char* kMixingAudioSupportedKey = "MixingAudioSupported"; 
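Review bot: The `#ifdef CUSTOMER_PASA` block of eleven keys added in profile.cc is not referenced by any hunk visible in this change and has no evident link to the certificate-update feature. If it came in through a merge it belongs in its own commit; if it is needed, a one-line comment naming the code that reads these keys would help. Separately, `kBeforeUpdateHours` is the only security key without the `Key` suffix and its word order differs from the ini key `UpdateBeforeHours`; `kUpdateBeforeHoursKey` would match its neighbours.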
@@ -254,18 +279,6 @@ const uint32_t kDefaultAppIconsFolderMaxSize = 104857600; const uint32_t kDefaultAppIconsAmountToRemove = 1; const uint16_t kDefaultAttemptsToOpenResumptionDB = 5; const uint16_t kDefaultOpenAttemptTimeoutMsResumptionDB = 500; - -#ifdef ENABLE_SECURITY -const char* kSecurityProtocolKey = "Protocol"; -const char* kSecurityCertificatePathKey = "CertificatePath"; -const char* kSecurityCACertificatePathKey = "CACertificatePath"; -const char* kSecuritySSLModeKey = "SSLMode"; -const char* kSecurityKeyPathKey = "KeyPath"; -const char* kSecurityCipherListKey = "CipherList"; -const char* kSecurityVerifyPeerKey = "VerifyPeer"; -const char* kBeforeUpdateHours = "UpdateBeforeHours"; -#endif - } // namespace namespace profile { diff --git a/src/components/include/security_manager/crypto_manager.h b/src/components/include/security_manager/crypto_manager.h index fd8e058d10..e4867663a4 100644 --- a/src/components/include/security_manager/crypto_manager.h +++ b/src/components/include/security_manager/crypto_manager.h @@ -64,6 +64,8 @@ class CryptoManager { virtual bool OnCertificateUpdated(const std::string& data) = 0; virtual void ReleaseSSLContext(SSLContext *context) = 0; virtual std::string LastError() const = 0; + + virtual bool IsCertificateUpdateRequired() const = 0; virtual ~CryptoManager() { } }; diff --git a/src/components/include/security_manager/security_manager.h b/src/components/include/security_manager/security_manager.h index 252ec610a8..97b1ffc065 100644 --- a/src/components/include/security_manager/security_manager.h +++ b/src/components/include/security_manager/security_manager.h 
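Review bot: The new pure virtual `IsCertificateUpdateRequired()` in crypto_manager.h is the only statement of this contract and it carries no documentation. Implementers and mocks need to know what "required" means; a Doxygen comment such as `@brief Tells whether the current certificate expires within the configured UpdateBeforeHours window` with `@return true if a certificate update should be requested` would pin it down. The comment should also say what is returned when no certificate has been loaded yet.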
@@ -40,10 +40,11 @@ #include "protocol_handler/protocol_observer.h" #include "protocol_handler/session_observer.h" -#include "security_manager/crypto_manager.h" #include "security_manager/security_manager_listener.h" namespace security_manager { + +class CryptoManager; /** * \brief SecurityManager interface implements protocol_handler::ProtocolObserver * and provide interface for handling Security queries from mobile side @@ -67,7 +68,7 @@ class SecurityManager ERROR_ENCRYPTION_FAILED = 0x07, ERROR_SSL_INVALID_DATA = 0x08, ERROR_INTERNAL = 0xFF, - ERROR_UNKWOWN_INTERNAL_ERROR = 0xFE // error valeu for testing + ERROR_UNKNOWN_INTERNAL_ERROR = 0xFE // error value for testing }; /** * \brief Sets pointer for Connection Handler layer for managing sessions diff --git a/src/components/include/security_manager/security_manager_listener.h b/src/components/include/security_manager/security_manager_listener.h index 1655d15e7e..6cf6e8f7ed 100644 --- a/src/components/include/security_manager/security_manager_listener.h +++ b/src/components/include/security_manager/security_manager_listener.h @@ -43,6 +43,10 @@ class SecurityManagerListener { */ virtual bool OnHandshakeDone(uint32_t connection_key, SSLContext::HandshakeResult result) = 0; + /** + * @brief Notify listeners that certificate update is required. + */ + virtual void OnCertificateUpdateRequired() = 0; virtual ~SecurityManagerListener() {} }; } // namespace security_manager diff --git a/src/components/include/security_manager/ssl_context.h b/src/components/include/security_manager/ssl_context.h index cd82b67461..6e7c10939a 100644 --- a/src/components/include/security_manager/ssl_context.h +++ b/src/components/include/security_manager/ssl_context.h 
@@ -74,6 +74,13 @@ class SSLContext { struct HandshakeContext { std::string expected_sn; std::string expected_cn; + + HandshakeContext& make_context(const std::string& sn, + const std::string& cn) { + expected_sn = sn; + expected_cn = cn; + return *this; + } }; virtual HandshakeResult StartHandshake(const uint8_t** const out_data, diff --git a/src/components/policy/src/policy/src/policy_manager_impl.cc b/src/components/policy/src/policy/src/policy_manager_impl.cc index b44db6e65e..7c5e0cf3d5 100644 --- a/src/components/policy/src/policy/src/policy_manager_impl.cc +++ b/src/components/policy/src/policy/src/policy_manager_impl.cc @@ -775,7 +775,7 @@ void PolicyManagerImpl::Increment(usage_statistics::GlobalCounterId type) { void PolicyManagerImpl::Increment(const std::string& app_id, usage_statistics::AppCounterId type){ - LOG4CXX_INFO(logger_, "Increment " << app_id); + LOG4CXX_DEBUG(logger_, "Increment " << app_id << " AppCounter: " << type); sync_primitives::AutoLock locker(statistics_lock_); } diff --git a/src/components/policy/src/policy/src/sql_pt_ext_queries.cc b/src/components/policy/src/policy/src/sql_pt_ext_queries.cc index 776b318991..13477054aa 100644 --- a/src/components/policy/src/policy/src/sql_pt_ext_queries.cc +++ b/src/components/policy/src/policy/src/sql_pt_ext_queries.cc @@ -111,7 +111,8 @@ const std::string kSelectAppLevels = " `count_of_removals_for_bad_behavior`, " " `count_of_run_attempts_while_revoked`, " " `app_registration_language_gui`, " - " `app_registration_language_vui` " + " `app_registration_language_vui`, " + " `count_of_tls_errors` " "FROM `app_level`"; const std::string kUpdateGlobalCounters = "UPDATE `usage_and_error_count` SET " diff --git a/src/components/policy/src/policy/src/sql_pt_ext_representation.cc b/src/components/policy/src/policy/src/sql_pt_ext_representation.cc index 1ce3b99ce8..976271b5d1 100644 --- a/src/components/policy/src/policy/src/sql_pt_ext_representation.cc 
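Review bot: `HandshakeContext::make_context` in ssl_context.h reads like a factory but mutates the object it is called on and returns `*this`. A constructor says the same thing without a two-step call on a default-constructed object: `HandshakeContext(const std::string& sn, const std::string& cn) : expected_sn(sn), expected_cn(cn) {}` together with a default constructor. If the member function is kept, a name that signals mutation and a one-line comment would avoid the confusion.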
+++ b/src/components/policy/src/policy/src/sql_pt_ext_representation.cc @@ -905,6 +905,7 @@ bool SQLPTExtRepresentation::GatherAppLevels( level.count_of_run_attempts_while_revoked = query.GetInteger(12); level.app_registration_language_gui = query.GetString(13); level.app_registration_language_vui = query.GetString(14); + level.count_of_tls_errors = query.GetString(15); (*apps)[query.GetString(0)] = level; } @@ -1498,6 +1499,7 @@ bool SQLPTExtRepresentation::SaveAppCounters( query.Bind(13, it->second.app_registration_language_gui); query.Bind(14, it->second.app_registration_language_vui); query.Bind(15, it->second.count_of_tls_errors); + if (!query.Exec() || !query.Reset()) { LOG4CXX_WARN(logger_, "Incorrect insert into app level."); return false; diff --git a/src/components/protocol_handler/src/protocol_handler_impl.cc b/src/components/protocol_handler/src/protocol_handler_impl.cc index 10b42b049f..f75651b951 100644 --- a/src/components/protocol_handler/src/protocol_handler_impl.cc +++ b/src/components/protocol_handler/src/protocol_handler_impl.cc @@ -994,6 +994,9 @@ class StartSessionHandler : public security_manager::SecurityManagerListener { return true; } + void OnCertificateUpdateRequired() OVERRIDE { + } + private: const uint32_t connection_key_; ProtocolHandlerImpl *protocol_handler_; diff --git a/src/components/security_manager/CMakeLists.txt b/src/components/security_manager/CMakeLists.txt index 6973a98e07..6433ff6dd8 100644 --- a/src/components/security_manager/CMakeLists.txt +++ b/src/components/security_manager/CMakeLists.txt @@ -33,6 +33,7 @@ include_directories( include/ ${COMPONENTS_DIR}/protocol_handler/include/ ${COMPONENTS_DIR}/connection_handler/include + ${COMPONENTS_DIR}/config_profile/include/ ${COMPONENTS_DIR}/utils/include/ ${JSONCPP_INCLUDE_DIRECTORY} ${CMAKE_SOURCE_DIR}/src/thirdPartyLibs/jsoncpp/include 
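Review bot: In `SQLPTExtRepresentation::GatherAppLevels` the new column is read with `query.GetString(15)` although it is a counter; the neighbouring `count_of_run_attempts_while_revoked` uses `query.GetInteger(12)`, and `SaveAppCounters` binds `count_of_tls_errors` alongside the other counters. Unless the field is declared as a string, which this diff does not show, the line should be `level.count_of_tls_errors = query.GetInteger(15);`. Index 15 is correct only if `kSelectAppLevels` has fifteen columns before the appended `count_of_tls_errors`, so that is worth confirming too. `GatherAppLevels` starts outside the hunk.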
@@ -51,4 +52,4 @@ target_link_libraries(SecurityManager crypto ssl ProtocolHandler jsoncpp Protoco if(BUILD_TESTS) add_subdirectory(test) -endif()
\ No newline at end of file +endif() diff --git a/src/components/security_manager/include/security_manager/crypto_manager_impl.h b/src/components/security_manager/include/security_manager/crypto_manager_impl.h index 881aefbe81..5d7b579a86 100644 --- a/src/components/security_manager/include/security_manager/crypto_manager_impl.h +++ b/src/components/security_manager/include/security_manager/crypto_manager_impl.h @@ -107,11 +107,16 @@ class CryptoManagerImpl : public CryptoManager { SSLContext *CreateSSLContext() OVERRIDE; void ReleaseSSLContext(SSLContext *context) OVERRIDE; std::string LastError() const OVERRIDE; + virtual bool IsCertificateUpdateRequired() const OVERRIDE; private: bool set_certificate(const std::string &cert_data); + int pull_number_from_buf(char* buf, int* idx); + void asn1_time_to_tm(ASN1_TIME* time); + SSL_CTX *context_; + mutable struct tm expiration_time_; Mode mode_; static uint32_t instance_count_; static sync_primitives::Lock instance_lock_; diff --git a/src/components/security_manager/src/crypto_manager_impl.cc b/src/components/security_manager/src/crypto_manager_impl.cc index 6a38b76b63..944ff52600 100644 --- a/src/components/security_manager/src/crypto_manager_impl.cc +++ b/src/components/security_manager/src/crypto_manager_impl.cc @@ -46,6 +46,7 @@ #include "utils/atomic.h" #include "utils/macro.h" #include "utils/scope_guard.h" +#include "config_profile/profile.h" #define TLS1_1_MINIMAL_VERSION 0x1000103fL #define CONST_SSL_METHOD_MINIMAL_VERSION 0x00909000L @@ -260,6 +261,13 @@ std::string CryptoManagerImpl::LastError() const { return std::string(reason ? reason : ""); } +bool CryptoManagerImpl::IsCertificateUpdateRequired() const { + const double seconds = difftime(time(NULL), mktime(&expiration_time_)); + + return (seconds <= ( + profile::Profile::instance()->update_before_hours() * 60 * 60)); +} + bool CryptoManagerImpl::set_certificate(const std::string &cert_data) { if (cert_data.empty()) { 
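Review bot: In crypto_manager_impl.h, `expiration_time_` is declared `mutable` only so that the const `IsCertificateUpdateRequired()` can pass it to `mktime()`, which normalises and rewrites its argument. A const query therefore writes to shared state, which is a data race if the crypto manager is queried from more than one thread, and the member has no visible initialisation before the first certificate is set (the constructor is outside this diff). Storing the expiry as a `time_t` computed once in `set_certificate` would remove both the `mutable` and the repeated conversion. `pull_number_from_buf` uses no member state and could be a file-local function taking `const char*`.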
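Review bot: The comparison in `CryptoManagerImpl::IsCertificateUpdateRequired` is inverted: `difftime(time(NULL), mktime(&expiration_time_))` is now minus expiry, which is negative for every unexpired certificate, so the function returns true for any valid certificate and false only once the certificate has been expired for longer than the window. The operands should be swapped, `const double seconds_left = difftime(mktime(&expiration_time_), time(NULL));`, followed by `return seconds_left <= hours * 3600.0;` with `hours` read from the profile. `mktime()` also interprets the fields as local time while certificate validity is expressed in UTC, so the result is shifted by the local offset, and `tm_isdst` is never set by the parser. If `expiration_time_` has not been filled in yet (its initialisation is not visible here) the answer is arbitrary, so that case needs an explicit result.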
@@ -309,6 +317,8 @@ bool CryptoManagerImpl::set_certificate(const std::string &cert_data) { return false; } + asn1_time_to_tm(X509_get_notAfter(cert)); + if (!SSL_CTX_use_PrivateKey(context_, pkey)) { LOG4CXX_ERROR(logger_, "Could not use key"); return false; @@ -320,4 +330,44 @@ bool CryptoManagerImpl::set_certificate(const std::string &cert_data) { return true; } +int CryptoManagerImpl::pull_number_from_buf(char *buf, int *idx) { + if (!idx) { return 0; } + const int val = ((buf[*idx] - '0') * 10) + buf[(*idx) + 1] - '0'; + *idx = *idx + 2; + return val; +} + +void CryptoManagerImpl::asn1_time_to_tm(ASN1_TIME *time) { + char* buf = (char *)time->data; + int index = 0; + const int year = pull_number_from_buf(buf, &index); + if (V_ASN1_GENERALIZEDTIME == time->type) { + expiration_time_.tm_year = (year * 100 -1900) + pull_number_from_buf(buf, &index); + } else { + expiration_time_.tm_year = year < 50 ? year + 100 : year; + } + + const int mon = pull_number_from_buf(buf, &index); + const int day = pull_number_from_buf(buf, &index); + const int hour = pull_number_from_buf(buf, &index); + const int mn = pull_number_from_buf(buf, &index); + + expiration_time_.tm_mon = mon -1; + expiration_time_.tm_mday = day; + expiration_time_.tm_hour = hour; + expiration_time_.tm_min = mn; + + if (buf[index] == 'Z') { + expiration_time_.tm_sec = 0; + } + if ((buf[index] == '+') || (buf[index] == '-')) { + const int mn = pull_number_from_buf(buf, &index); + const int mn1 = pull_number_from_buf(buf, &index); + expiration_time_.tm_sec = (mn * 3600) + (mn1 * 60); + } else { + const int sec = pull_number_from_buf(buf, &index); + expiration_time_.tm_sec = sec; + } +} + } // namespace security_manager |
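Review bot: `asn1_time_to_tm` and `pull_number_from_buf` in crypto_manager_impl.cc index into `time->data` without checking `time->length` or that the bytes are digits, so a certificate with a short or malformed notAfter field causes reads past the buffer and a meaningless expiry. The certificate text appears to arrive with a policy table update (`OnCertificateUpdated`), so this parser should treat it as untrusted input. Two logic errors sit on top of that: the `'Z'` test is not chained with `else`, so a time without seconds sets `tm_sec` to 0 and then parses `Z` and the following byte as seconds, and the `+`/`-` branch stores a timezone offset in `tm_sec`, starting at the sign character, instead of applying it. The sketch below validates length and digits first and zeroes the struct; where the OpenSSL version in use allows it, comparing the `ASN1_TIME` directly with `X509_cmp_time` avoids hand parsing altogether.

```cpp
void CryptoManagerImpl::asn1_time_to_tm(ASN1_TIME *time) {
  // Digits that must be present: YY or YYYY, then MM DD HH MM.
  const int year_digits = (time && V_ASN1_GENERALIZEDTIME == time->type) ? 4 : 2;
  const int required = year_digits + 8;
  if (!time || !time->data || time->length < required) {
    LOG4CXX_ERROR(logger_, "Certificate expiration time is too short");
    return;
  }
  for (int i = 0; i < required; ++i) {
    if (!isdigit(time->data[i])) {
      LOG4CXX_ERROR(logger_, "Certificate expiration time is not numeric");
      return;
    }
  }
  memset(&expiration_time_, 0, sizeof(expiration_time_));
  expiration_time_.tm_isdst = -1;  // let mktime() decide

  // … unchanged: year, month, day, hour and minute parsing …

  // Seconds are optional; read them only when two digits are really there.
  if (index + 1 < time->length &&
      isdigit(time->data[index]) && isdigit(time->data[index + 1])) {
    expiration_time_.tm_sec = pull_number_from_buf(buf, &index);
  }
  // A trailing 'Z' needs no action. A "+hhmm"/"-hhmm" offset is not applied
  // here; reject it or convert it explicitly rather than storing it in tm_sec.
}
```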