diff options
Diffstat (limited to 'src/components/include/security_manager')
6 files changed, 362 insertions, 64 deletions
diff --git a/src/components/include/security_manager/crypto_manager.h b/src/components/include/security_manager/crypto_manager.h index 00c3833e62..9b11a8e4ae 100644 --- a/src/components/include/security_manager/crypto_manager.h +++ b/src/components/include/security_manager/crypto_manager.h @@ -30,42 +30,50 @@ * POSSIBILITY OF SUCH DAMAGE. */ -#ifndef SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ -#define SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ +#ifndef SRC_COMPONENTS_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ +#define SRC_COMPONENTS_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ -#include <string> +#include "application_manager/policies/policy_handler_observer.h" +#include "security_manager/security_manager_settings.h" /** * \class security_manager::CryptoManager * \brief Class factory, producing instances of \ref SSLContext * - * \fn security_manager::SSLContext *security_manager::CryptoManager::CreateSSLContext() + * \fn security_manager::SSLContext + **security_manager::CryptoManager::CreateSSLContext() * \brief Creates an instance of \ref SSLContext class * - * \fn void security_manager::CryptoManager::ReleaseSSLContext(security_manager::SSLContext *context) + * \fn void + *security_manager::CryptoManager::ReleaseSSLContext(security_manager::SSLContext + **context) * \brief Frees \ref SSLContext instance */ namespace security_manager { class SSLContext; -enum Mode { CLIENT, SERVER }; -enum Protocol { SSLv3, TLSv1, TLSv1_1, TLSv1_2}; - -class CryptoManager { +class CryptoManager : public policy::PolicyHandlerObserver { public: - virtual bool Init(Mode mode, - Protocol protocol, - const std::string &cert_filename, - const std::string &key_filename, - const std::string &ciphers_list, - bool verify_peer) = 0; - virtual void Finish() = 0; - virtual SSLContext *CreateSSLContext() = 0; - virtual void ReleaseSSLContext(SSLContext *context) = 0; + /** + * @brief Init allows to initialize cryptomanager with certain values. + * + * @return true in case initialization was succesfull, false otherwise. + */ + virtual bool Init() = 0; + virtual SSLContext* CreateSSLContext() = 0; + virtual bool OnCertificateUpdated(const std::string& data) = 0; + virtual void ReleaseSSLContext(SSLContext* context) = 0; virtual std::string LastError() const = 0; - virtual ~CryptoManager() { } + + virtual bool IsCertificateUpdateRequired() const = 0; + /** + * \brief Crypto manager settings getter + * \return pointer to crypto manager settings class + */ + virtual const CryptoManagerSettings& get_settings() const = 0; + virtual ~CryptoManager() {} }; } // namespace security_manager -#endif // SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ +#endif // SRC_COMPONENTS_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_H_ diff --git a/src/components/include/security_manager/security_manager.h b/src/components/include/security_manager/security_manager.h index 252ec610a8..8ed0ff2912 100644 --- a/src/components/include/security_manager/security_manager.h +++ b/src/components/include/security_manager/security_manager.h @@ -40,83 +40,87 @@ #include "protocol_handler/protocol_observer.h" #include "protocol_handler/session_observer.h" -#include "security_manager/crypto_manager.h" #include "security_manager/security_manager_listener.h" namespace security_manager { + +class CryptoManager; /** - * \brief SecurityManager interface implements protocol_handler::ProtocolObserver + * \brief SecurityManager interface implements + * protocol_handler::ProtocolObserver * and provide interface for handling Security queries from mobile side */ -class SecurityManager - : public protocol_handler::ProtocolObserver { +class SecurityManager : public protocol_handler::ProtocolObserver { public: /** * \brief InternalErrors is 1 byte identifier of internal error * Handle as binary data in Ford Protocol */ enum InternalErrors { - ERROR_SUCCESS = 0x00, - ERROR_INVALID_QUERY_SIZE = 0x01, // wrong size of query data - ERROR_INVALID_QUERY_ID = 0x02, // unknown query id - ERROR_NOT_SUPPORTED = 0x03, // SDL does not support encryption - ERROR_SERVICE_ALREADY_PROTECTED = 0x04, - ERROR_SERVICE_NOT_PROTECTED = 0x05, // got handshake or encrypted data + ERROR_SUCCESS = 0x00, + ERROR_INVALID_QUERY_SIZE = 0x01, // wrong size of query data + ERROR_INVALID_QUERY_ID = 0x02, // unknown query id + ERROR_NOT_SUPPORTED = 0x03, // SDL does not support encryption + ERROR_SERVICE_ALREADY_PROTECTED = 0x04, + ERROR_SERVICE_NOT_PROTECTED = 0x05, // got handshake or encrypted data // for not protected service - ERROR_DECRYPTION_FAILED = 0x06, - ERROR_ENCRYPTION_FAILED = 0x07, - ERROR_SSL_INVALID_DATA = 0x08, - ERROR_INTERNAL = 0xFF, - ERROR_UNKWOWN_INTERNAL_ERROR = 0xFE // error valeu for testing + ERROR_DECRYPTION_FAILED = 0x06, + ERROR_ENCRYPTION_FAILED = 0x07, + ERROR_SSL_INVALID_DATA = 0x08, + ERROR_INTERNAL = 0xFF, + ERROR_UNKNOWN_INTERNAL_ERROR = 0xFE // error value for testing }; /** * \brief Sets pointer for Connection Handler layer for managing sessions * \param session_observer pointer to object of the class implementing */ virtual void set_session_observer( - protocol_handler::SessionObserver *observer) = 0; + protocol_handler::SessionObserver* observer) = 0; /** * \brief Sets pointer for Protocol Handler layer for sending * \param protocol_handler pointer to object of the class implementing */ virtual void set_protocol_handler( - protocol_handler::ProtocolHandler *protocol_handler_) = 0; + protocol_handler::ProtocolHandler* protocol_handler_) = 0; /** * \brief Sets pointer for CryptoManager for handling SSLContext * \param crypto_manager pointer to object of the class implementing */ - virtual void set_crypto_manager(CryptoManager *crypto_manager) = 0; + virtual void set_crypto_manager(CryptoManager* crypto_manager) = 0; /** * \brief Sends InternalError with text message to mobile application - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param error_id unique error identifier * \param erorr_text SSL impelmentation error text * \param seq_number received from Mobile Application */ virtual void SendInternalError(const uint32_t connection_key, - const uint8_t &error_id, - const std::string &erorr_text, + const uint8_t& error_id, + const std::string& erorr_text, const uint32_t seq_number) = 0; /** * \brief Sends InternalError override methode for sending without seq_number - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param error_id unique error identifier * \param erorr_text SSL impelmentation error text */ void SendInternalError(const uint32_t connection_key, - const uint8_t &error_id, - const std::string &erorr_text) { + const uint8_t& error_id, + const std::string& erorr_text) { SendInternalError(connection_key, error_id, erorr_text, 0); } /** * \brief Create new SSLContext for connection or return exists * Do not notify listeners, send security error on occure - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * @return new \c SSLContext or \c NULL on any error */ - virtual SSLContext *CreateSSLContext(const uint32_t &connection_key) = 0; + virtual SSLContext* CreateSSLContext(const uint32_t& connection_key) = 0; /** * \brief Start handshake as SSL client @@ -126,8 +130,8 @@ class SecurityManager /** * \brief Add/Remove for SecurityManagerListener */ - virtual void AddListener(SecurityManagerListener *const listener) = 0; - virtual void RemoveListener(SecurityManagerListener *const listener) = 0; + virtual void AddListener(SecurityManagerListener* const listener) = 0; + virtual void RemoveListener(SecurityManagerListener* const listener) = 0; }; } // namespace security_manager #endif // SRC_COMPONENTS_INCLUDE_SECURITY_MANAGER_SECURITY_MANAGER_H_ diff --git a/src/components/include/security_manager/security_manager_listener.h b/src/components/include/security_manager/security_manager_listener.h index 14a5dc3281..577c7c4378 100644 --- a/src/components/include/security_manager/security_manager_listener.h +++ b/src/components/include/security_manager/security_manager_listener.h @@ -37,12 +37,17 @@ class SecurityManagerListener { public: /** * \brief Notification about protection result - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param success result of connection protection * \return \c true on success notification or \c false otherwise */ virtual bool OnHandshakeDone(uint32_t connection_key, - bool success) = 0; + SSLContext::HandshakeResult result) = 0; + /** + * @brief Notify listeners that certificate update is required. + */ + virtual void OnCertificateUpdateRequired() = 0; virtual ~SecurityManagerListener() {} }; } // namespace security_manager diff --git a/src/components/include/security_manager/security_manager_settings.h b/src/components/include/security_manager/security_manager_settings.h new file mode 100644 index 0000000000..70f0452ef2 --- /dev/null +++ b/src/components/include/security_manager/security_manager_settings.h @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2014, Ford Motor Company + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following + * disclaimer in the documentation and/or other materials provided with the + * distribution. + * + * Neither the name of the Ford Motor Company nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef SRC_COMPONENTS_INCLUDE_SUCURITY_MANAGER_SUCURITY_MANAGER_SETTINGS_H_ +#define SRC_COMPONENTS_INCLUDE_SUCURITY_MANAGER_SUCURITY_MANAGER_SETTINGS_H_ + +namespace security_manager { +enum Mode { CLIENT, SERVER }; +enum Protocol { SSLv3, TLSv1, TLSv1_1, TLSv1_2 }; +/** + * \class ConnectionHandlerSettings + * \brief Interface for connection handler component settings. + */ +class CryptoManagerSettings { + public: + virtual ~CryptoManagerSettings() {} + + virtual Mode security_manager_mode() const = 0; + virtual Protocol security_manager_protocol_name() const = 0; + virtual bool verify_peer() const = 0; + virtual const std::string& certificate_data() const = 0; + virtual const std::string& ciphers_list() const = 0; + virtual const std::string& ca_cert_path() const = 0; + virtual size_t update_before_hours() const = 0; + virtual size_t maximum_payload_size() const = 0; +}; + +} // namespace security_manager +#endif // SRC_COMPONENTS_INCLUDE_SUCURITY_MANAGER_SUCURITY_MANAGER_SETTINGS_H_ diff --git a/src/components/include/security_manager/security_query.h b/src/components/include/security_manager/security_query.h new file mode 100644 index 0000000000..71d148b909 --- /dev/null +++ b/src/components/include/security_manager/security_query.h @@ -0,0 +1,194 @@ +/* + * Copyright (c) 2014, Ford Motor Company + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following + * disclaimer in the documentation and/or other materials provided with the + * distribution. + * + * Neither the name of the Ford Motor Company nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ +#define SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ + +#include <stdint.h> +#include <cstddef> +#include <vector> +#include <string> +#include "utils/shared_ptr.h" + +namespace security_manager { +/** + * \brief SecurityQuery is wrapper for handling Mobile messages + * as security queries + */ +class SecurityQuery { + public: + /** + * \brief QueryType is 1 byte type of income query + * Equal RPC Type (Ford Binary Header Definition) + */ + enum QueryType { + REQUEST = 0x00, + RESPONSE = 0x10, + NOTIFICATION = 0x20, + INVALID_QUERY_TYPE = 0xFF + }; + /** + * \brief QueryId is 3 byte identifier of income query + * Equal RPC Function ID (Ford Binary Header Definition) + */ + enum QueryId { + SEND_HANDSHAKE_DATA = 0x1, + SEND_INTERNAL_ERROR = 0x2, + INVALID_QUERY_ID = 0xFFFFFF + }; + /** + * \brief QueryHeader is 12 byte header of security query + * Equal Ford Binary Header Definition + */ + struct QueryHeader { + QueryHeader(); + QueryHeader(uint8_t queryType, + uint32_t queryId, + uint32_t seqNumber = 0, + uint32_t jsonSize = 0); + // TODO(EZamakhov): check bitfield correctness on other endianness platform + uint32_t query_type : 8; + uint32_t query_id : 24; // API function identifier + uint32_t seq_number; // request sequential number + uint32_t json_size; + }; + + /** + * \brief Constructor + */ + SecurityQuery(); + /** + * \brief Constructor with header and connection_key + * \param connection_key Unique key used by other components as session + * identifier + * \param header QueryHeader + */ + SecurityQuery(const QueryHeader& header, const uint32_t connection_key); + /** + * \brief Constructor with header, connection_key and query binary data + * \param connection_key Unique key used by other components as session + * identifier + * \param raw_data pointer to binary data array + * \param raw_data_size size of binary data array + * \param header QueryHeader + */ + SecurityQuery(const QueryHeader& header, + const uint32_t connection_key, + const uint8_t* const raw_data, + const size_t raw_data_size); + /** + * \brief Serialize income from Mobile Application data + * as query with header and binary data or json message + * \param raw_data pointer to binary data array + * \param raw_data_size size of binary data array + * \return \c true on correct parse and \c false on wrong size of data + */ + bool SerializeQuery(const uint8_t* const raw_data, + const size_t raw_data_size); + /** + * \brief Deserialize query for sending to Mobile Application + * \return \c vector of uint8_t data (serialized header data and send_data)) + */ + const std::vector<uint8_t> DeserializeQuery() const; + /** + * \brief Set binary data. (No header modification) + * \param binary_data pointer to binary data array + * \param bin_data_size size of binary data array + */ + void set_data(const uint8_t* const binary_data, const size_t bin_data_size); + /** + * \brief Set json data. (No header modification) + * \param json_message string with json error + */ + void set_json_message(const std::string& json_message); + /** + * \brief Set connection key + * \param connection_key Unique key used by other components as session + * identifier + */ + void set_connection_key(const uint32_t connection_key); + /** + * \brief Set query header + * \param header of query + */ + void set_header(const QueryHeader& header); + /** + * \brief Get query header + * \return header of query + */ + const QueryHeader& get_header() const; + /** + * \brief Get query binary data (without header data) + * \return const pointer to const binary data + */ + const uint8_t* get_data() const; + /** + * \brief Get query binary data size + * \return size of binary data + */ + size_t get_data_size() const; + /** + * \brief Get json string data (without header data) + * \return const pointer to const binary data + */ + const std::string& get_json_message() const; + /** + * \brief Get connection key + * \return Unique key used by other components as session identifier + */ + uint32_t get_connection_key() const; + + private: + /** + *\brief 12 byte header of security query + * Equal Ford Binary Header Definition + */ + QueryHeader header_; + /** + *\brief nique key used by other components as session identifier + */ + uint32_t connection_key_; + /** + *\brief Binary data of query (without header info) + */ + std::vector<uint8_t> data_; + /** + *\brief JSON (string) value of query + */ + std::string json_message_; +}; +/** +*\brief SmartPointer wrapper +*/ +typedef utils::SharedPtr<SecurityQuery> SecurityQueryPtr; +} // namespace security_manager +#endif // SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ diff --git a/src/components/include/security_manager/ssl_context.h b/src/components/include/security_manager/ssl_context.h index e3f1dadc4f..86997edbd9 100644 --- a/src/components/include/security_manager/ssl_context.h +++ b/src/components/include/security_manager/ssl_context.h @@ -35,6 +35,9 @@ #include <cstddef> // for size_t typedef #include <string> +#include <ctype.h> +#include <algorithm> +#include "utils/custom_string.h" // TODO(EZamakhov): update brief info /** @@ -53,33 +56,59 @@ * * \param in_data [in] data sent by other side * \param in_data_size [in] size of data in \ref in_data buffer - * \param out_data [out] response of SSL context if there is one. If not, equals NULL + * \param out_data [out] response of SSL context if there is one. If not, + * equals NULL * \param out_data_size [out] length of response. On no response, equals 0 */ namespace security_manager { +namespace custom_str = utils::custom_string; class SSLContext { public: enum HandshakeResult { - Handshake_Result_Success = 0x0, - Handshake_Result_Fail = 0x1, - Handshake_Result_AbnormalFail = 0x2 + Handshake_Result_Success, + Handshake_Result_Fail, + Handshake_Result_AbnormalFail, + Handshake_Result_CertExpired, + Handshake_Result_NotYetValid, + Handshake_Result_CertNotSigned, + Handshake_Result_AppIDMismatch, + Handshake_Result_AppNameMismatch, }; + + struct HandshakeContext { + HandshakeContext() : expected_sn(""), expected_cn("") {} + + HandshakeContext(const custom_str::CustomString& exp_sn, + const custom_str::CustomString& exp_cn) + : expected_sn(exp_sn), expected_cn(exp_cn) {} + + custom_str::CustomString expected_sn; + custom_str::CustomString expected_cn; + }; + virtual HandshakeResult StartHandshake(const uint8_t** const out_data, - size_t *out_data_size) = 0; - virtual HandshakeResult DoHandshakeStep(const uint8_t *const in_data, + size_t* out_data_size) = 0; + virtual HandshakeResult DoHandshakeStep(const uint8_t* const in_data, size_t in_data_size, const uint8_t** const out_data, - size_t *out_data_size) = 0; - virtual bool Encrypt(const uint8_t *const in_data, size_t in_data_size, - const uint8_t ** const out_data, size_t *out_data_size) = 0; - virtual bool Decrypt(const uint8_t *const in_data, size_t in_data_size, - const uint8_t ** const out_data, size_t *out_data_size) = 0; - virtual bool IsInitCompleted() const = 0; - virtual bool IsHandshakePending() const = 0; + size_t* out_data_size) = 0; + virtual bool Encrypt(const uint8_t* const in_data, + size_t in_data_size, + const uint8_t** const out_data, + size_t* out_data_size) = 0; + virtual bool Decrypt(const uint8_t* const in_data, + size_t in_data_size, + const uint8_t** const out_data, + size_t* out_data_size) = 0; + virtual bool IsInitCompleted() const = 0; + virtual bool IsHandshakePending() const = 0; virtual size_t get_max_block_size(size_t mtu) const = 0; virtual std::string LastError() const = 0; - virtual ~SSLContext() { } + + virtual void ResetConnection() = 0; + virtual void SetHandshakeContext(const HandshakeContext& hsh_ctx) = 0; + virtual ~SSLContext() {} }; } // namespace security_manager #endif // SRC_COMPONENTS_INCLUDE_SECURITY_MANAGER_SSL_CONTEXT_H_ |