Enhanced security

Author: Deepak Jain

Unix/base/messages.c

@@ -194,6 +194,7 @@ static const MessageField binProtocolNotificationFields[] =
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, user),0,0},
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, password),0,0},
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, authFile),0,0},
+    {MFT_POINTER_OPT,offsetof(BinProtocolNotification, message),0,0},
     {MFT_END_OF_LIST, 0, 0, 0}
 };
 
@@ -233,6 +234,12 @@ static const MessageField pamCheckUserFields[] =
     {MFT_END_OF_LIST, 0, 0, 0}
 };
 
+static const MessageField pamCheckUserRspFields[] =
+{
+    {MFT_POINTER_OPT,offsetof(PamCheckUserResp, message),0,0},
+    {MFT_END_OF_LIST, 0, 0, 0}
+};
+
 #if defined(CONFIG_ENABLE_PREEXEC)
 static const MessageField execPreexecReqFields[] =
 {
@@ -298,7 +305,7 @@ static const MessageDeclaration allMessages[] = {
     {postSocketFileFields,              sizeof(PostSocketFile),         MI_TRUE},
     {socketMaintenanceFields,           sizeof(VerifySocketConn),       MI_TRUE},
     {pamCheckUserFields,                sizeof(PamCheckUserReq),        MI_TRUE},
-    {emptyMessageFields,                sizeof(PamCheckUserResp),       MI_FALSE}
+    {pamCheckUserRspFields,             sizeof(PamCheckUserResp),       MI_FALSE}
 #if defined(CONFIG_ENABLE_PREEXEC)
     ,
     {execPreexecReqFields,              sizeof(ExecPreexecReq),         MI_TRUE},

Unix/base/messages.h

@@ -1191,6 +1191,7 @@ typedef struct _BinProtocolNotification
 
     /* if in nonroot mode, keeps track of which socket to send message back*/
     int             forwardSock;
+    MI_ConstString  message;
 }
 BinProtocolNotification;
 
@@ -1799,6 +1800,7 @@ typedef struct _PamCheckUserResp
     Message         base;
     MI_Uint64       handle;
     MI_Boolean      result;
+    MI_ConstString  message;
 }
 PamCheckUserResp;
 

Unix/base/oi_traces.h

@@ -437,6 +437,10 @@ OI_EVENT("Username exceeds reasonable limit: %d")
 void trace_Username_Error(unsigned int bytes);
 OI_EVENT("Password exceeds reasonable limit: %d")
 void trace_Password_Error(unsigned int bytes);
+OI_EVENT("Invalid server credentials")
+void trace_InvalidServerCredentials();
+OI_EVENT("Attempt to reset secret string")
+void trace_AttemptToResetSecretString();
 
 
 
@@ -1861,6 +1865,8 @@ OI_EVENT("AgentMgr_PreExec_ResponseStrand_Close: preexecContext (%p), strand (%p
 void trace_AgentMgr_PreExec_ResponseStrand_Close(void* context, void* strand);
 OI_EVENT("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)")
 void trace_AgentMgr_PreExec_ResponseStrand_Finish(void* context, void* strand);
+OI_EVENT("Server credentials verified (%p)")
+void trace_ServerCredentialsVerified(void* handle);
 
 /******************************** AUTH TRACES ***********************************/
 

Unix/base/oiomi.h

@@ -1133,6 +1133,18 @@ FILE_EVENT1(20153, trace_Password_Error_Impl, LOG_ERR, PAL_T("Password exceeds r
 #endif
 FILE_EVENT0(20154, trace_Listen_Failed_Impl, LOG_ERR, PAL_T("Listen failed on both IPv4 and IPv6"))
 #if defined(CONFIG_ENABLE_DEBUG)
+#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(__FILE__, __LINE__)
+#else
+#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(0, 0)
+#endif
+FILE_EVENT0(20155, trace_InvalidServerCredentials_Impl, LOG_ERR, PAL_T("Invalid Server credentials"))
+#if defined(CONFIG_ENABLE_DEBUG)
+#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(__FILE__, __LINE__)
+#else
+#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(0, 0)
+#endif
+FILE_EVENT0(20156, trace_AttemptToResetSecretString_Impl, LOG_ERR, PAL_T("Attempt to reset Secret String"))
+#if defined(CONFIG_ENABLE_DEBUG)
 #define trace__FindSubRequest_CannotFindKey(a0, a1, a2) trace__FindSubRequest_CannotFindKey_Impl(__FILE__, __LINE__, a0, a1, a2)
 #else
 #define trace__FindSubRequest_CannotFindKey(a0, a1, a2) trace__FindSubRequest_CannotFindKey_Impl(0, 0, a0, a1, a2)
@@ -2411,12 +2423,6 @@ FILE_EVENT2(30212, trace_TrackerHashMapAlreadyExists_Impl, LOG_WARNING, PAL_T("T
 #endif
 FILE_EVENT3(30213, trace_Selector_AddHandler_AlreadyThere_Impl, LOG_WARNING, PAL_T("Selector_AddHandler: selector=%p, handler=%p, name=%T ALREADY REGISTERED"), Selector *, Handler *, const TChar *)
 #if defined(CONFIG_ENABLE_DEBUG)
-#define trace_Selector_RemoveHandler_NotThere(a0, a1, a2) trace_Selector_RemoveHandler_NotThere_Impl(__FILE__, __LINE__, a0, a1, tcs(a2))
-#else
-#define trace_Selector_RemoveHandler_NotThere(a0, a1, a2) trace_Selector_RemoveHandler_NotThere_Impl(0, 0, a0, a1, tcs(a2))
-#endif
-FILE_EVENT3(30214, trace_Selector_RemoveHandler_NotThere_Impl, LOG_WARNING, PAL_T("Selector_RemoveHandler: selector=%p, handler=%p, name=%T NOT REGISTERED"), Selector *, Handler *, const TChar *)
-#if defined(CONFIG_ENABLE_DEBUG)
 #define trace_Stop_OMI() trace_Stop_OMI_Impl(__FILE__, __LINE__)
 #else
 #define trace_Stop_OMI() trace_Stop_OMI_Impl(0, 0)
@@ -2753,6 +2759,12 @@ FILE_EVENT0(40047, trace_Trying_IPv6_Impl, LOG_INFO, PAL_T("Trying to listen on
 #endif
 FILE_EVENT0(40048, trace_TurnOff_IPV6_V6ONLY_Pass_Impl, LOG_INFO, PAL_T("Turn off IPV6_V6ONLY pass."))
 #if defined(CONFIG_ENABLE_DEBUG)
+#define trace_Selector_RemoveHandler_NotThere(a0, a1, a2) trace_Selector_RemoveHandler_NotThere_Impl(__FILE__, __LINE__, a0, a1, tcs(a2))
+#else
+#define trace_Selector_RemoveHandler_NotThere(a0, a1, a2) trace_Selector_RemoveHandler_NotThere_Impl(0, 0, a0, a1, tcs(a2))
+#endif
+FILE_EVENT3(40049, trace_Selector_RemoveHandler_NotThere_Impl, LOG_INFO, PAL_T("Selector_RemoveHandler: selector=%p, handler=%p, name=%T NOT REGISTERED"), Selector *, Handler *, const TChar *)
+#if defined(CONFIG_ENABLE_DEBUG)
 #define trace_FunctionEntered(a0, a1) trace_FunctionEntered_Impl(__FILE__, __LINE__, scs(a0), a1)
 #else
 #define trace_FunctionEntered(a0, a1) trace_FunctionEntered_Impl(0, 0, scs(a0), a1)
@@ -5075,6 +5087,12 @@ FILE_EVENT2(45385, trace_AgentMgr_PreExec_ResponseStrand_Close_Impl, LOG_DEBUG,
 #endif
 FILE_EVENT2(45386, trace_AgentMgr_PreExec_ResponseStrand_Finish_Impl, LOG_DEBUG, PAL_T("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)"), void*, void*)
 #if defined(CONFIG_ENABLE_DEBUG)
+#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(__FILE__, __LINE__, a0)
+#else
+#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(0, 0, a0)
+#endif
+FILE_EVENT1(45387, trace_ServerCredentialsVerified_Impl, LOG_DEBUG, PAL_T("Server credentials verified (%p)"), void*)
+#if defined(CONFIG_ENABLE_DEBUG)
 #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(__FILE__, __LINE__)
 #else
 #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(0, 0)

Unix/http/http.c

@@ -66,6 +66,8 @@ typedef void SSL_CTX;
 # define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS               0x0001
 #endif
 
+#define INVALID_ID ((uid_t)-1)
+
 int GetTimeStamp(_Pre_writable_size_(TIMESTAMP_SIZE) char buf[TIMESTAMP_SIZE]);
 
 //------------------------------------------------------------------------------
@@ -672,10 +674,13 @@ static Http_CallbackResult _ReadData(
         }
     }
 
-    r = Process_Authorized_Message(handler);
-    if (MI_RESULT_OK != r)
+    if (handler->isAuthorised)
     {
-        return PRT_RETURN_FALSE;
+        r = Process_Authorized_Message(handler);
+        if (MI_RESULT_OK != r)
+        {
+            return PRT_RETURN_FALSE;
+        }
     }
 
 Done:
@@ -1458,6 +1463,8 @@ static MI_Boolean _ListenerCallback(
         h->encryptedTransaction = FALSE;
         h->pSendAuthHeader = NULL;
         h->sendAuthHeaderLen = 0;
+        h->authInfo.uid= INVALID_ID;
+        h->authInfo.gid= INVALID_ID;
 
         h->recvBufferSize = INITIAL_BUFFER_SIZE;
         h->recvBuffer = (char*)PAL_Calloc(1, h->recvBufferSize);

Unix/protocol/protocol.c

@@ -216,7 +216,7 @@ MI_Result _AddProtocolSocket_Handler(
 
 static void _ProtocolSocket_Cleanup(ProtocolSocket* handler)
 {
-    ProtocolBase* protocolBase;
+    ProtocolBase* protocolBase = (ProtocolBase*)handler->base.data;
 
     if(handler->closeOtherScheduled)
         return;
@@ -230,6 +230,8 @@ static void _ProtocolSocket_Cleanup(ProtocolSocket* handler)
         Batch_Destroy( handler->receivingBatch );
     if (handler->engineBatch)
     {
+        // Remove engine's handler from selector list just in case it has not been removed yet. 
+        Selector_RemoveHandler(protocolBase->selector, handler->engineHandler);
         Batch_Destroy( handler->engineBatch );
         handler->engineBatch = NULL;
     }
@@ -258,7 +260,6 @@ static void _ProtocolSocket_Cleanup(ProtocolSocket* handler)
     }
 
     // skip for engine communicating with server
-    protocolBase = (ProtocolBase*)handler->base.data;
     if (!protocolBase->forwardRequests || protocolBase->type == PRT_TYPE_LISTENER)
         Strand_ScheduleClose( &handler->strand );
 }
@@ -673,6 +674,7 @@ static MI_Boolean _SendAuthResponse(
     gid_t gid
     )
 {
+    ProtocolBase* protocolBase = (ProtocolBase*)h->base.data;
     BinProtocolNotification* req;
     MI_Boolean retVal = MI_TRUE;
 
@@ -694,6 +696,16 @@ static MI_Boolean _SendAuthResponse(
         }
     }
 
+    if (protocolBase->expectedSecretString && *protocolBase->expectedSecretString)
+    {
+        req->message = Batch_Strdup(req->base.batch, protocolBase->expectedSecretString);
+        if (!req->message)
+        {
+            BinProtocolNotification_Release(req);
+            return MI_FALSE;
+        }
+    }
+
     req->uid = uid;
     req->gid = gid;
 
@@ -1112,9 +1124,17 @@ static MI_Boolean _ProcessEngineAuthMessage(
     /* engine waiting for server's response */
     if (PostSocketFileResponse == sockMsg->type)
     {
+        // secret string is mandatory and can be set only during engine start-up
+        if( (sockMsg->secretString == NULL) || 
+            (*s_secretString && Strncmp(sockMsg->secretString, s_secretString, S_SECRET_STRING_LENGTH) != 0) )
+        {
+            trace_AttemptToResetSecretString();
+            return MI_FALSE;
+        }
+
         DEBUG_ASSERT(sockMsg->sockFilePath);
         DEBUG_ASSERT(sockMsg->secretString);
-            
+
         Strlcpy(s_socketFile, sockMsg->sockFilePath, PAL_MAX_PATH_SIZE);
         Strlcpy(s_secretString, sockMsg->secretString, S_SECRET_STRING_LENGTH);
         trace_ServerInfoReceived();
@@ -1404,6 +1424,7 @@ static MI_Boolean _SendPamCheckUserResp(
     MI_Boolean result
     )
 {
+    ProtocolBase* protocolBase = (ProtocolBase*)h->base.data;
     PamCheckUserResp *req = NULL;
     MI_Boolean retVal = MI_TRUE;
 
@@ -1416,6 +1437,16 @@ static MI_Boolean _SendPamCheckUserResp(
     req->handle = handle;
     req->result = result;
 
+    if (protocolBase->expectedSecretString && *protocolBase->expectedSecretString)
+    {
+        req->message = Batch_Strdup(req->base.batch, protocolBase->expectedSecretString);
+        if (!req->message)
+        {
+            PamCheckUserResp_Release(req);
+            return MI_FALSE;
+        }
+    }
+
     /* send message */
     {
         DEBUG_ASSERT(h->message == NULL);
@@ -1471,6 +1502,19 @@ static MI_Boolean _ProcessPamCheckUserResp(
 
     pamMsg = (PamCheckUserResp*) msg;
 
+    // server authentication check
+    if ( (pamMsg->message != NULL) && (*s_secretString) && (Strncmp(pamMsg->message, s_secretString, S_SECRET_STRING_LENGTH) == 0) )
+    {
+        trace_ServerCredentialsVerified(handler);
+    }
+    else
+    {
+        trace_InvalidServerCredentials();
+        return MI_FALSE;
+    }
+    
+    pamMsg->message = NULL;
+
     /* engine waiting server's response */
 
     result = authenticateCallback(pamMsg);
@@ -1950,8 +1994,8 @@ static Protocol_CallbackResult _ProcessReceivedMessage(
                         return PRT_RETURN_FALSE;
                     }
 
-                    DEBUG_ASSERT(s_socketFile != NULL);
-                    DEBUG_ASSERT(s_secretString != NULL);
+                    DEBUG_ASSERT(*s_socketFile);
+                    DEBUG_ASSERT(*s_secretString);
 
                     /* If system supports connection-based auth, use it for
                        implicit auth */
@@ -1986,6 +2030,7 @@ static Protocol_CallbackResult _ProcessReceivedMessage(
                             return PRT_RETURN_FALSE;
                         }
 
+                        handler->engineHandler = &newSocketAndBase->protocolSocket.base;
                         handler->clientAuthState = PRT_AUTH_WAIT_CONNECTION_RESPONSE;
                         handler = &newSocketAndBase->protocolSocket;
                         newSocketAndBase->internalProtocolBase.forwardRequests = MI_TRUE;
@@ -2009,6 +2054,18 @@ static Protocol_CallbackResult _ProcessReceivedMessage(
                 }
                 else if (binMsg->type == BinNotificationConnectResponse)
                 {
+                    // server authentication check
+                    if ( (binMsg->message != NULL) && (*s_secretString) && (Strncmp(binMsg->message, s_secretString, S_SECRET_STRING_LENGTH) == 0) )
+                    {
+                        trace_ServerCredentialsVerified(handler);
+                    }
+                    else
+                    {
+                        trace_InvalidServerCredentials();
+                        return PRT_RETURN_FALSE;
+                    }
+                    binMsg->message = NULL;
+
                     // forward to client
 
                     Sock s = binMsg->forwardSock;
@@ -2672,7 +2729,8 @@ MI_Result _ProtocolSocket_New(
     self->closeOtherScheduled = MI_FALSE;
 
     self->base.callback = _RequestCallback;
-
+    self->authInfo.uid = INVALID_ID;
+    self->authInfo.gid = INVALID_ID;
     /* Set output parameter */
     *selfOut = self;
     return MI_RESULT_OK;
@@ -3042,6 +3100,8 @@ static MI_Result _ProtocolSocketAndBase_New_Server_Connection(
     protocolSocketAndBase->protocolSocket.refCount = 1; //ref associated with Strand. Released on Strand_Finish
     protocolSocketAndBase->protocolSocket.closeOtherScheduled = MI_FALSE;
     protocolSocketAndBase->protocolSocket.base.callback = NULL;
+    protocolSocketAndBase->protocolSocket.authInfo.uid = INVALID_ID;
+    protocolSocketAndBase->protocolSocket.authInfo.gid = INVALID_ID;
 
     r = _ProtocolBase_Init(&protocolSocketAndBase->internalProtocolBase, selector, NULL, NULL, PRT_TYPE_FROM_SOCKET);
     if( r != MI_RESULT_OK )

Unix/protocol/protocol.h

@@ -118,6 +118,7 @@ typedef struct _ProtocolSocket
 
     /* Whether socket is permanent */
     MI_Boolean permanent;
+    Handler *           engineHandler;
 }
 ProtocolSocket;