diff options
Diffstat (limited to 'src/components/security_manager/include/security_manager')
4 files changed, 173 insertions, 249 deletions
diff --git a/src/components/security_manager/include/security_manager/crypto_manager_impl.h b/src/components/security_manager/include/security_manager/crypto_manager_impl.h index 43bb63ef67..6aea2e28b1 100644 --- a/src/components/security_manager/include/security_manager/crypto_manager_impl.h +++ b/src/components/security_manager/include/security_manager/crypto_manager_impl.h @@ -42,66 +42,97 @@ #include "security_manager/crypto_manager.h" #include "security_manager/ssl_context.h" +#include "security_manager/security_manager_settings.h" + #include "utils/macro.h" #include "utils/lock.h" +#include "utils/shared_ptr.h" namespace security_manager { class CryptoManagerImpl : public CryptoManager { private: class SSLContextImpl : public SSLContext { public: - SSLContextImpl(SSL *conn, Mode mode); + SSLContextImpl(SSL* conn, Mode mode, size_t maximum_payload_size); + ~SSLContextImpl(); virtual HandshakeResult StartHandshake(const uint8_t** const out_data, - size_t *out_data_size); - virtual HandshakeResult DoHandshakeStep(const uint8_t *const in_data, + size_t* out_data_size); + virtual HandshakeResult DoHandshakeStep(const uint8_t* const in_data, size_t in_data_size, const uint8_t** const out_data, - size_t *out_data_size); - virtual bool Encrypt(const uint8_t *const in_data, size_t in_data_size, - const uint8_t ** const out_data, size_t *out_data_size); - virtual bool Decrypt(const uint8_t *const in_data, size_t in_data_size, - const uint8_t ** const out_data, size_t *out_data_size); - virtual bool IsInitCompleted() const; - virtual bool IsHandshakePending() const; - virtual size_t get_max_block_size(size_t mtu) const; - virtual std::string LastError() const; - virtual ~SSLContextImpl(); + size_t* out_data_size) OVERRIDE; + bool Encrypt(const uint8_t* const in_data, + size_t in_data_size, + const uint8_t** const out_data, + size_t* out_data_size) OVERRIDE; + bool Decrypt(const uint8_t* const in_data, + size_t in_data_size, + const uint8_t** const out_data, + size_t* out_data_size) OVERRIDE; + bool IsInitCompleted() const OVERRIDE; + bool IsHandshakePending() const OVERRIDE; + size_t get_max_block_size(size_t mtu) const OVERRIDE; + std::string LastError() const OVERRIDE; + void ResetConnection() OVERRIDE; + void SetHandshakeContext(const HandshakeContext& hsh_ctx) OVERRIDE; + + void PrintCertData(X509* cert, const std::string& cert_owner); private: - typedef size_t(*BlockSizeGetter)(size_t); + void PrintCertInfo(); + HandshakeResult CheckCertContext(); + bool ReadHandshakeData(const uint8_t** const out_data, + size_t* out_data_size); + bool WriteHandshakeData(const uint8_t* const in_data, size_t in_data_size); + HandshakeResult PerformHandshake(); + typedef size_t (*BlockSizeGetter)(size_t); void EnsureBufferSizeEnough(size_t size); - SSL *connection_; - BIO *bioIn_; - BIO *bioOut_; - BIO *bioFilter_; + void SetHandshakeError(const int error); + HandshakeResult openssl_error_convert_to_internal(const long error); + + std::string GetTextBy(X509_NAME* name, int object) const; + + SSL* connection_; + BIO* bioIn_; + BIO* bioOut_; + BIO* bioFilter_; mutable sync_primitives::Lock bio_locker; size_t buffer_size_; - uint8_t *buffer_; + uint8_t* buffer_; bool is_handshake_pending_; Mode mode_; + mutable std::string last_error_; BlockSizeGetter max_block_size_; static std::map<std::string, BlockSizeGetter> max_block_sizes; static std::map<std::string, BlockSizeGetter> create_max_block_sizes(); + HandshakeContext hsh_context_; DISALLOW_COPY_AND_ASSIGN(SSLContextImpl); }; public: - CryptoManagerImpl(); - virtual bool Init(Mode mode, - Protocol protocol, - const std::string &cert_filename, - const std::string &key_filename, - const std::string &ciphers_list, - bool verify_peer); - virtual void Finish(); - virtual SSLContext *CreateSSLContext(); - virtual void ReleaseSSLContext(SSLContext *context); - virtual std::string LastError() const; + explicit CryptoManagerImpl( + const utils::SharedPtr<const CryptoManagerSettings> set); + ~CryptoManagerImpl(); + + bool Init() OVERRIDE; + bool OnCertificateUpdated(const std::string& data) OVERRIDE; + SSLContext* CreateSSLContext() OVERRIDE; + void ReleaseSSLContext(SSLContext* context) OVERRIDE; + std::string LastError() const OVERRIDE; + virtual bool IsCertificateUpdateRequired() const OVERRIDE; + virtual const CryptoManagerSettings& get_settings() const OVERRIDE; private: - SSL_CTX *context_; - Mode mode_; + bool set_certificate(const std::string& cert_data); + + int pull_number_from_buf(char* buf, int* idx); + void asn1_time_to_tm(ASN1_TIME* time); + + const utils::SharedPtr<const CryptoManagerSettings> settings_; + SSL_CTX* context_; + mutable struct tm expiration_time_; static uint32_t instance_count_; + static sync_primitives::Lock instance_lock_; DISALLOW_COPY_AND_ASSIGN(CryptoManagerImpl); }; } // namespace security_manager diff --git a/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h b/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h new file mode 100644 index 0000000000..1e4699b77a --- /dev/null +++ b/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h @@ -0,0 +1,65 @@ + +#ifndef SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_SETTINGS_IMPL_H_ +#define SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_SETTINGS_IMPL_H_ +#include "security_manager/security_manager_settings.h" +#include "config_profile/profile.h" + +namespace security_manager { + +class CryptoManagerSettingsImpl : public CryptoManagerSettings { + public: + CryptoManagerSettingsImpl(const profile::Profile& profile, + const std::string& certificate_data) + : profile_(profile), certificate_data_(certificate_data) {} + + // CryptoManagerSettings interface + Mode security_manager_mode() const OVERRIDE { + return profile_.ssl_mode() == "SERVER" ? security_manager::SERVER + : security_manager::CLIENT; + } + Protocol security_manager_protocol_name() const OVERRIDE { + CREATE_LOGGERPTR_LOCAL(logger_, "SecurityManager") + + const std::string& protocol_str = profile_.security_manager_protocol_name(); + if (protocol_str == "TLSv1.0") { + return security_manager::TLSv1; + } + if (protocol_str == "TLSv1.1") { + return security_manager::TLSv1_1; + } + if (protocol_str == "TLSv1.2") { + return security_manager::TLSv1_2; + } + if (protocol_str == "SSLv3") { + return security_manager::SSLv3; + } + LOG4CXX_ERROR( + logger_, + "Unknown protocol: " << profile_.security_manager_protocol_name()); + return static_cast<security_manager::Protocol>(-1); + } + bool verify_peer() const OVERRIDE { + return profile_.verify_peer(); + } + const std::string& certificate_data() const OVERRIDE { + return certificate_data_; + } + const std::string& ciphers_list() const OVERRIDE { + return profile_.ciphers_list(); + } + const std::string& ca_cert_path() const OVERRIDE { + return profile_.ca_cert_path(); + } + size_t update_before_hours() const OVERRIDE { + return profile_.update_before_hours(); + } + size_t maximum_payload_size() const OVERRIDE { + return profile_.maximum_payload_size(); + } + + private: + const profile::Profile& profile_; + const std::string certificate_data_; +}; +} +#endif // SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_SETTINGS_IMPL_H_ diff --git a/src/components/security_manager/include/security_manager/security_manager_impl.h b/src/components/security_manager/include/security_manager/security_manager_impl.h index 2aa03087eb..d4231ffaa0 100644 --- a/src/components/security_manager/include/security_manager/security_manager_impl.h +++ b/src/components/security_manager/include/security_manager/security_manager_impl.h @@ -51,9 +51,10 @@ namespace security_manager { * \brief SecurityMessageQueue and SecurityMessageLoop are support typedefs * for thread working */ -struct SecurityMessage: public SecurityQueryPtr { - explicit SecurityMessage(const SecurityQueryPtr &message) - : SecurityQueryPtr(message) {} +struct SecurityMessage : public SecurityQueryPtr { + SecurityMessage() {} + explicit SecurityMessage(const SecurityQueryPtr& message) + : SecurityQueryPtr(message) {} // PrioritizedQueue requires this method to decide which priority to assign size_t PriorityOrder() const { return 0; @@ -65,9 +66,8 @@ typedef threads::MessageLoopThread<SecurityMessageQueue> SecurityMessageLoop; /** * \brief SecurityManagerImpl class implements SecurityManager interface */ -class SecurityManagerImpl - : public SecurityManager, - public SecurityMessageLoop::Handler { +class SecurityManagerImpl : public SecurityManager, + public SecurityMessageLoop::Handler { public: /** * \brief Constructor @@ -78,7 +78,8 @@ class SecurityManagerImpl * Overriden ProtocolObserver::OnMessageReceived method * \param message Message with supporting params received */ - void OnMessageReceived(const ::protocol_handler::RawMessagePtr message) OVERRIDE; + void OnMessageReceived( + const ::protocol_handler::RawMessagePtr message) OVERRIDE; /** * \brief Post message to Mobile Application * Empty *overriden ProtocolObserver::OnMessageReceived method @@ -91,28 +92,29 @@ class SecurityManagerImpl * \param session_observer pointer to object of the class implementing */ void set_session_observer( - protocol_handler::SessionObserver *observer) OVERRIDE; + protocol_handler::SessionObserver* observer) OVERRIDE; /** * \brief Sets pointer for Protocol Handler layer for sending * \param protocol_handler pointer to object of the class implementing */ void set_protocol_handler( - protocol_handler::ProtocolHandler *protocol_handler_) OVERRIDE; + protocol_handler::ProtocolHandler* protocol_handler_) OVERRIDE; /** * \brief Sets pointer for CryptoManager for handling SSLContext * \param crypto_manager pointer to object of the class implementing */ - void set_crypto_manager(CryptoManager *crypto_manager) OVERRIDE; + void set_crypto_manager(CryptoManager* crypto_manager) OVERRIDE; /** * \brief Sends InternallError with text message to mobile application - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param error_id unique error identifier * \param erorr_text SSL impelmentation error text * \param seq_number received from Mobile Application */ void SendInternalError(const uint32_t connection_key, - const uint8_t &error_id, - const std::string &erorr_text, + const uint8_t& error_id, + const std::string& erorr_text, const uint32_t seq_number) OVERRIDE; using SecurityManager::SendInternalError; @@ -127,10 +129,11 @@ class SecurityManagerImpl /** * \brief Create new SSLContext for connection or return exists * Do not notify listeners, send security error on occure - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * @return new \c SSLContext or \c NULL on any error */ - SSLContext *CreateSSLContext(const uint32_t &connection_key) OVERRIDE; + SSLContext* CreateSSLContext(const uint32_t& connection_key) OVERRIDE; /** * \brief Start handshake as SSL client @@ -140,50 +143,61 @@ class SecurityManagerImpl /** * \brief Add/Remove for SecurityManagerListener */ - void AddListener(SecurityManagerListener *const listener) OVERRIDE; - void RemoveListener(SecurityManagerListener *const listener) OVERRIDE; + void AddListener(SecurityManagerListener* const listener) OVERRIDE; + void RemoveListener(SecurityManagerListener* const listener) OVERRIDE; /** * \brief Notifiers for listeners - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param success result of connection protection */ - void NotifyListenersOnHandshakeDone(const uint32_t &connection_key, - const bool success); + void NotifyListenersOnHandshakeDone(const uint32_t& connection_key, + SSLContext::HandshakeResult error); + + /** + * @brief Notifiers for listeners. + * Allows to notify that certificate should be updated + */ + void NotifyOnCertififcateUpdateRequired(); + /** * @brief SecurityConfigSection * @return Session name in config file */ - static const char *ConfigSection(); + static const char* ConfigSection(); + private: /** * \brief Sends Handshake binary data to mobile application - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier * \param data pointer to binary data array * \param data_size size of binary data array * \param seq_number received from Mobile Application */ void SendHandshakeBinData(const uint32_t connection_key, - const uint8_t *const data, + const uint8_t* const data, const size_t data_size, const uint32_t seq_number = 0); /** * \brief Parse SecurityMessage as HandshakeData request * \param inMessage SecurityMessage with binary data of handshake */ - bool ProccessHandshakeData(const SecurityMessage &inMessage); + bool ProccessHandshakeData(const SecurityMessage& inMessage); /** * \brief Parse InternalError from mobile side * \param inMessage SecurityMessage with binary data of handshake */ - bool ProccessInternalError(const SecurityMessage &inMessage); + bool ProccessInternalError(const SecurityMessage& inMessage); /** * \brief Sends security query * Create new array as concatenation of header and binary data * \param query SecurityQuery for sending via Control service - * \param connection_key Unique key used by other components as session identifier + * \param connection_key Unique key used by other components as session + * identifier */ - void SendQuery(const SecurityQuery &query, const uint32_t connection_key); + void SendQuery(const SecurityQuery& query, const uint32_t connection_key); // Thread that pumps handshake data SecurityMessageLoop security_messages_; @@ -191,19 +205,19 @@ class SecurityManagerImpl /** *\brief Pointer on instance of class implementing SessionObserver */ - protocol_handler::SessionObserver *session_observer_; + protocol_handler::SessionObserver* session_observer_; /** *\brief Pointer on instance of class implementing CryptoManager */ - security_manager::CryptoManager *crypto_manager_; + security_manager::CryptoManager* crypto_manager_; /** *\brief Pointer on instance of class implementing ProtocolHandler */ - protocol_handler::ProtocolHandler *protocol_handler_; + protocol_handler::ProtocolHandler* protocol_handler_; /** *\brief List of listeners for notify handshake done result */ - std::list<SecurityManagerListener *> listeners_; + std::list<SecurityManagerListener*> listeners_; DISALLOW_COPY_AND_ASSIGN(SecurityManagerImpl); }; } // namespace security_manager diff --git a/src/components/security_manager/include/security_manager/security_query.h b/src/components/security_manager/include/security_manager/security_query.h deleted file mode 100644 index c9f0b5843f..0000000000 --- a/src/components/security_manager/include/security_manager/security_query.h +++ /dev/null @@ -1,186 +0,0 @@ -/* - * Copyright (c) 2014, Ford Motor Company - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following - * disclaimer in the documentation and/or other materials provided with the - * distribution. - * - * Neither the name of the Ford Motor Company nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ -#define SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ - -#include <stdint.h> -#include <cstddef> -#include <vector> -#include <string> -#include "utils/shared_ptr.h" - -namespace security_manager { -/** - * \brief SecurityQuery is wrapper for handling Mobile messages - * as security queries - */ -class SecurityQuery { - public: - /** - * \brief QueryType is 1 byte type of income query - * Equal RPC Type (Ford Binary Header Definition) - */ - enum QueryType { - REQUEST = 0x00, - RESPONSE = 0x10, - NOTIFICATION = 0x20, - INVALID_QUERY_TYPE = 0xFF - }; - /** - * \brief QueryId is 3 byte identifier of income query - * Equal RPC Function ID (Ford Binary Header Definition) - */ - enum QueryId { - SEND_HANDSHAKE_DATA = 0x1, - SEND_INTERNAL_ERROR = 0x2, - INVALID_QUERY_ID = 0xFFFFFF - }; - /** - * \brief QueryHeader is 12 byte header of security query - * Equal Ford Binary Header Definition - */ - struct QueryHeader { - QueryHeader(); - QueryHeader(uint8_t queryType, uint32_t queryId, - uint32_t seqNumber = 0, uint32_t jsonSize= 0); - // TODO(EZamakhov): check bitfield correctness on other endianness platform - uint32_t query_type:8; - uint32_t query_id:24; // API function identifier - uint32_t seq_number; // request sequential number - uint32_t json_size; - }; - - /** - * \brief Constructor - */ - SecurityQuery(); - /** - * \brief Constructor with header and connection_key - * \param connection_key Unique key used by other components as session identifier - * \param header QueryHeader - */ - SecurityQuery(const QueryHeader &header, const uint32_t connection_key); - /** - * \brief Constructor with header, connection_key and query binary data - * \param connection_key Unique key used by other components as session identifier - * \param raw_data pointer to binary data array - * \param raw_data_size size of binary data array - * \param header QueryHeader - */ - SecurityQuery(const QueryHeader &header, const uint32_t connection_key, - const uint8_t *const raw_data, const size_t raw_data_size); - /** - * \brief Serialize income from Mobile Application data - * as query with header and binary data or json message - * \param raw_data pointer to binary data array - * \param raw_data_size size of binary data array - * \return \c true on correct parse and \c false on wrong size of data - */ - bool SerializeQuery(const uint8_t *const raw_data, const size_t raw_data_size); - /** - * \brief Deserialize query for sending to Mobile Application - * \return \c vector of uint8_t data (serialized header data and send_data)) - */ - const std::vector<uint8_t> DeserializeQuery() const; - /** - * \brief Set binary data. (No header modification) - * \param binary_data pointer to binary data array - * \param bin_data_size size of binary data array - */ - void set_data(const uint8_t *const binary_data, const size_t bin_data_size); - /** - * \brief Set json data. (No header modification) - * \param json_message string with json error - */ - void set_json_message(const std::string &json_message); - /** - * \brief Set connection key - * \param connection_key Unique key used by other components as session identifier - */ - void set_connection_key(const uint32_t connection_key); - /** - * \brief Set query header - * \param header of query - */ - void set_header(const QueryHeader &header); - /** - * \brief Get query header - * \return header of query - */ - const QueryHeader &get_header() const; - /** - * \brief Get query binary data (without header data) - * \return const pointer to const binary data - */ - const uint8_t *get_data() const; - /** - * \brief Get query binary data size - * \return size of binary data - */ - size_t get_data_size() const; - /** - * \brief Get json string data (without header data) - * \return const pointer to const binary data - */ - const std::string &get_json_message() const; - /** - * \brief Get connection key - * \return Unique key used by other components as session identifier - */ - uint32_t get_connection_key() const; - - private: - /** - *\brief 12 byte header of security query - * Equal Ford Binary Header Definition - */ - QueryHeader header_; - /** - *\brief nique key used by other components as session identifier - */ - uint32_t connection_key_; - /** - *\brief Binary data of query (without header info) - */ - std::vector<uint8_t> data_; - /** - *\brief JSON (string) value of query - */ - std::string json_message_; -}; -/** -*\brief SmartPointer wrapper -*/ -typedef utils::SharedPtr<SecurityQuery> SecurityQueryPtr; -} // namespace security_manager -#endif // SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_SECURITY_QUERY_H_ |