From 0262e8f67a3eb8aa53b65dd0a0d36436f8402912 Mon Sep 17 00:00:00 2001 From: dishantcr7 <64056848+dishantcr7@users.noreply.github.com> Date: Tue, 28 Sep 2021 20:26:05 +0530 Subject: [PATCH 01/10] Disabling -werror flag from the build step --- Unix/regress | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Unix/regress b/Unix/regress index f35e7249a..ec9f10ab3 100755 --- a/Unix/regress +++ b/Unix/regress @@ -217,7 +217,9 @@ fi ## sudo rm -rf $prefix -./configure --enable-werror --prefix=$prefix --outputdirname=$current_output $options +./configure --prefix=$prefix --outputdirname=$current_output $options + +## --enable-werror if [ "$?" != "0" ]; then echo "$0: configure failed" From 272e0da1b8b4839c093a5a385c54e7998e058e9f Mon Sep 17 00:00:00 2001 From: dishantcr7 <64056848+dishantcr7@users.noreply.github.com> Date: Wed, 29 Sep 2021 00:25:01 +0530 Subject: [PATCH 02/10] Update regress --- Unix/regress | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Unix/regress b/Unix/regress index ec9f10ab3..da05176f8 100755 --- a/Unix/regress +++ b/Unix/regress @@ -217,9 +217,8 @@ fi ## sudo rm -rf $prefix -./configure --prefix=$prefix --outputdirname=$current_output $options +./configure --enable-werror --prefix=$prefix --outputdirname=$current_output $options -## --enable-werror if [ "$?" != "0" ]; then echo "$0: configure failed" From df545b967f98dae9910fe58c16de5b890dba4f35 Mon Sep 17 00:00:00 2001 From: "Jumping Yang[Wicresoft]" Date: Tue, 14 Dec 2021 14:40:15 +0800 Subject: [PATCH 03/10] remove password in Unix/tests/wsman/utils.h (#8) * Remove PASSWORD in wsman tests * Include cstdlib in utils.cpp --- Unix/tests/wsman/test_auth.cpp | 7 +++++-- Unix/tests/wsman/utils.cpp | 6 ++++-- Unix/tests/wsman/utils.h | 2 -- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Unix/tests/wsman/test_auth.cpp b/Unix/tests/wsman/test_auth.cpp index fdd8b76b9..118d207f2 100644 --- a/Unix/tests/wsman/test_auth.cpp 
+++ b/Unix/tests/wsman/test_auth.cpp @@ -65,6 +65,8 @@ NitsSetup(TestAuthSetup) { EnterStrandState strandEnterState; + const char* omiPassword = std::getenv("OMI_PASSWORD"); + /* Enable auth so we can verify pre-conditions */ IgnoreAuthCalls(0); @@ -76,7 +78,7 @@ NitsSetup(TestAuthSetup) return; } - if (0 != AuthenticateUser(USER, PASSWORD)) + if (0 != AuthenticateUser(USER, omiPassword)) { UT_WARNING("auth tests skipped - user " USER "/" PASSWORD " not found"); return; @@ -170,12 +172,13 @@ NitsTestWithSetup(TestAuthExplicitOOPModes, TestAuthSetup) Client c; ProvInfo info; + const char* omiPassword = std::getenv("OMI_PASSWORD"); const Uint64 TIMEOUT = 15 * 1000 * 1000; TChar sockfile[PAL_MAX_PATH_SIZE]; TcsStrlcpy(sockfile, OMI_GetPath(ID_SOCKETFILE), sizeof(sockfile)); - UT_ASSERT(c.Connect(sockfile, USER_Z, PASSWORD_Z, TIMEOUT)); + UT_ASSERT(c.Connect(sockfile, USER_Z, MI_T(omiPassword), TIMEOUT)); _GetProvInfo(c, info); diff --git a/Unix/tests/wsman/utils.cpp b/Unix/tests/wsman/utils.cpp index ecbafddeb..356cbdac7 100644 --- a/Unix/tests/wsman/utils.cpp +++ b/Unix/tests/wsman/utils.cpp @@ -16,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -197,6 +198,7 @@ int StartServerAndConnect( ProtocolSocketAndBase** protocol) { const char* path = OMI_GetPath(ID_SERVERPROGRAM); + const char* omiPassword = std::getenv("OMI_PASSWORD"); char http[32]; char https[32]; string socketFile = OMI_GetPath(ID_SOCKETFILE); @@ -255,7 +257,7 @@ int StartServerAndConnect( { mi::Client cl; const MI_Uint64 TIMEOUT = 1 * 1000 * 1000; // 1 second - if (cl.Connect(sockfile, USER_Z, PASSWORD_Z, TIMEOUT)) + if (cl.Connect(sockfile, USER_Z, MI_T(omiPassword), TIMEOUT)) break; ut::sleep_ms(100); @@ -279,7 +281,7 @@ int StartServerAndConnect( socketFile.c_str(), ¶ms, USER, - PASSWORD ); + omiPassword ); UT_ASSERT( MI_RESULT_OK == result ); diff --git a/Unix/tests/wsman/utils.h b/Unix/tests/wsman/utils.h index 5a88f4cf5..e71c27dd6 100644 --- a/Unix/tests/wsman/utils.h 
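Review bot: `std::getenv("OMI_PASSWORD")` returns NULL when the variable is unset, and `omiPassword` is handed straight to `AuthenticateUser` two hunks down with no check; the same pattern repeats in `TestAuthExplicitOOPModes` and in `StartServerAndConnect` in utils.cpp. Guard it once where it is read, e.g. `if (omiPassword == nullptr || *omiPassword == '\0') { UT_WARNING("auth tests skipped - OMI_PASSWORD not set"); return; }`, so the skip is deliberate rather than depending on what each callee does with a null pointer. A one-line comment on the new declaration saying the test password is supplied through the environment would save the next reader a grep. The setup function continues outside the hunk.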
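Review bot: The context line `UT_WARNING("auth tests skipped - user " USER "/" PASSWORD " not found");` still expands the `PASSWORD` macro that this same commit deletes from utils.h, so unless test_auth.cpp defines its own `PASSWORD` this no longer compiles; the message also writes the credential into the test log, which is the same exposure the commit is removing from source. Drop the password from the message altogether, e.g. `UT_WARNING("auth tests skipped - user " USER " not found or OMI_PASSWORD rejected");`. The literal removed from utils.h stays in repository history, so the account it belongs to should be treated as rotated rather than as a secret.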
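Review bot: `MI_T(omiPassword)` applies the string-literal macro to a runtime `const char*`; if `MI_T` is the usual `L##STR` prefix in wide-character builds this does not compile, and in the narrow build it only works because the macro is an identity there. The `cl.Connect(sockfile, USER_Z, MI_T(omiPassword), TIMEOUT)` line in utils.cpp has the same problem. Convert explicitly instead, the way the test already does for the socket path a few lines up (a `TChar` buffer filled with `TcsStrlcpy`), so the call is correct under either character configuration.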
+++ b/Unix/tests/wsman/utils.h @@ -31,9 +31,7 @@ void SockSendRecvHTTP( /* starts server (with or without ignoreAuth option dependin on flag) and creates new connector to it */ #define USER "omi" -#define PASSWORD "CfgMgr2011" #define USER_Z MI_T("omi") -#define PASSWORD_Z MI_T("CfgMgr2011") int StartServerAndConnect( bool ignoreAuth, From d88bec921dc983aaf34d828a291ae88f7c7c1f39 Mon Sep 17 00:00:00 2001 From: "Jumping Yang[Wicresoft]" Date: Tue, 14 Dec 2021 17:04:01 +0800 Subject: [PATCH 04/10] Remove password in docker files. (#9) --- docker/README.md | 9 +++------ docker/nightly/centos7/Dockerfile | 4 +--- docker/nightly/ubuntu14.04/Dockerfile | 4 +--- docker/nightly/ubuntu16.04/Dockerfile | 4 +--- docker/release/centos7/Dockerfile | 4 +--- docker/release/ubuntu14.04/Dockerfile | 4 +--- docker/release/ubuntu16.04/Dockerfile | 4 +--- 7 files changed, 9 insertions(+), 24 deletions(-) diff --git a/docker/README.md b/docker/README.md index dcf690afe..143b08fa7 100644 --- a/docker/README.md +++ b/docker/README.md @@ -20,9 +20,9 @@ and finally install the omi package from Microsoft Repo, the command to build ni ``` git clone https://github.com/Microsoft/omi cd omi/docker -docker build --build-arg rootpassword=newpassword -t "microsoft/omi:ubuntu16.04" release/ubuntu16.04/ -docker build --build-arg rootpassword=newpassword -t "microsoft/omi:ubuntu14.04" release/ubuntu14.04/ -docker build --build-arg rootpassword=newpassword -t "microsoft/omi:centos7" release/centos7/ +docker build -t "microsoft/omi:ubuntu16.04" release/ubuntu16.04/ +docker build -t "microsoft/omi:ubuntu14.04" release/ubuntu14.04/ +docker build -t "microsoft/omi:centos7" release/centos7/ ``` Build Nightly OMI docker 
@@ -49,9 +49,6 @@ Variable following with --build-arg: * `branch`: the branch to checkout in nightly builds (default: `master`) * Set `branch=feature-A` after --build-arg to checkout the `feature-A` branch - -* `rootpassword`: container's root password to be set in nightly or release builds (default: `newpassword`) - * Set `rootpassword=Pa$$word` after --build-arg to set `Pa$$word` as container's root password Variable following with -t: * `microsoft/omi:ubuntu16.04`: the image tag you want to build out for the omi docker diff --git a/docker/nightly/centos7/Dockerfile b/docker/nightly/centos7/Dockerfile index f2a5ec0d0..a94c44649 100644 --- a/docker/nightly/centos7/Dockerfile +++ b/docker/nightly/centos7/Dockerfile @@ -6,10 +6,8 @@ LABEL description="This Dockerfile will install the latest code of OMI." ARG fork=Microsoft ARG branch=master -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo $rootpassword |passwd root --stdin RUN yum update -y; \ yum install -y git bind-utils gcc-c++ rpm-devel pam-devel openssl-devel rpm-build krb5-devel redhat-lsb-core openssl which; RUN git clone https://github.com/$fork/omi.git -b $branch; \ @@ -20,4 +18,4 @@ RUN git clone https://github.com/$fork/omi.git -b $branch; \ make install; \ popd; EXPOSE 5985 5986 -ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log diff --git a/docker/nightly/ubuntu14.04/Dockerfile b/docker/nightly/ubuntu14.04/Dockerfile index 617b5ee2b..65d272c04 100644 --- a/docker/nightly/ubuntu14.04/Dockerfile +++ b/docker/nightly/ubuntu14.04/Dockerfile 
@@ -6,10 +6,8 @@ LABEL description="This Dockerfile will install the latest code of OMI." ARG fork=Microsoft ARG branch=master -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo root:$rootpassword | chpasswd RUN apt-get update -y RUN apt-get install -y git pkg-config make g++ rpm librpm-dev libpam0g-dev libssl-dev libkrb5-dev openssl; RUN git clone https://github.com/$fork/omi.git -b $branch; \ @@ -20,4 +18,4 @@ RUN git clone https://github.com/$fork/omi.git -b $branch; \ make install; \ popd; EXPOSE 5985 5986 -ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log diff --git a/docker/nightly/ubuntu16.04/Dockerfile b/docker/nightly/ubuntu16.04/Dockerfile index c56f6e10b..6be789214 100644 --- a/docker/nightly/ubuntu16.04/Dockerfile +++ b/docker/nightly/ubuntu16.04/Dockerfile @@ -6,10 +6,8 @@ LABEL description="This Dockerfile will install the latest code of OMI." ARG fork=Microsoft ARG branch=master -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo root:$rootpassword | chpasswd RUN apt-get update -y RUN apt-get install -y git pkg-config make g++ rpm librpm-dev libpam0g-dev libssl-dev libkrb5-dev; RUN git clone https://github.com/$fork/omi.git -b $branch; \ @@ -20,4 +18,4 @@ RUN git clone https://github.com/$fork/omi.git -b $branch; \ make install; \ popd; EXPOSE 5985 5986 -ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi-1.0.8/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /opt/omi-1.0.8/var/log/omiserver.log diff --git a/docker/release/centos7/Dockerfile b/docker/release/centos7/Dockerfile index c3a0ab3f5..48d819c03 100644 --- a/docker/release/centos7/Dockerfile 
+++ b/docker/release/centos7/Dockerfile @@ -4,10 +4,8 @@ LABEL maintainer="Jumping Yang " LABEL readme.md="https://github.com/Microsoft/omi/blob/master/docker/README.md" LABEL description="This Dockerfile will install the latest release of OMI." -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo $rootpassword |passwd root --stdin RUN yum update -y; \ yum install -y rpm-devel pam-devel openssl which rpm-build krb5-devel redhat-lsb-core; RUN rpm -Uvh http://packages.microsoft.com/config/rhel/7/packages-microsoft-prod.rpm @@ -15,4 +13,4 @@ RUN yum install -y omi RUN /opt/omi/bin/omiconfigeditor httpport -a 5985 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf RUN /opt/omi/bin/omiconfigeditor httpsport -a 5986 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf EXPOSE 5985 5986 -ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log diff --git a/docker/release/ubuntu14.04/Dockerfile b/docker/release/ubuntu14.04/Dockerfile index 55be718c0..ed02980ae 100644 --- a/docker/release/ubuntu14.04/Dockerfile +++ b/docker/release/ubuntu14.04/Dockerfile @@ -4,10 +4,8 @@ LABEL maintainer="Jumping Yang " LABEL readme.md="https://github.com/Microsoft/omi/blob/master/docker/README.md" LABEL description="This Dockerfile will install the latest release of OMI." -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo root:$rootpassword | chpasswd RUN apt-get update -y RUN apt-get install -y pkg-config rpm librpm-dev libpam0g-dev libssl-dev libkrb5-dev wget openssl; RUN wget http://packages.microsoft.com/config/ubuntu/14.04/packages-microsoft-prod.deb 
@@ -16,4 +14,4 @@ RUN apt-get install -y omi RUN /opt/omi/bin/omiconfigeditor httpport -a 5985 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf RUN /opt/omi/bin/omiconfigeditor httpsport -a 5986 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf EXPOSE 5985 5986 -ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log diff --git a/docker/release/ubuntu16.04/Dockerfile b/docker/release/ubuntu16.04/Dockerfile index a2393d083..ed8680a77 100644 --- a/docker/release/ubuntu16.04/Dockerfile +++ b/docker/release/ubuntu16.04/Dockerfile @@ -4,10 +4,8 @@ LABEL maintainer="Jumping Yang " LABEL readme.md="https://github.com/Microsoft/omi/blob/master/docker/README.md" LABEL description="This Dockerfile will install the latest release of OMI." -ARG rootpassword=newpassword SHELL ["/bin/bash", "-c"] -RUN echo root:$rootpassword | chpasswd RUN apt-get update -y RUN apt-get install -y rpm libpam0g-dev libkrb5-dev wget openssl; RUN wget http://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb @@ -16,4 +14,4 @@ RUN apt-get install -y omi RUN /opt/omi/bin/omiconfigeditor httpport -a 5985 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf RUN /opt/omi/bin/omiconfigeditor httpsport -a 5986 < /etc/opt/omi/conf/omiserver.conf>tmp.conf && mv -f tmp.conf /etc/opt/omi/conf/omiserver.conf EXPOSE 5985 5986 -ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log \ No newline at end of file +ENTRYPOINT /opt/omi/bin/omiserver -d && echo 'Started omi inner docker' && tail -f /var/opt/omi/log/omiserver.log From 6ef8cdd7a6d94df76eee98c84e0d33236ca4eaa7 Mon Sep 17 00:00:00 2001 
From: "Jumping Yang[Wicresoft]" Date: Tue, 14 Dec 2021 17:06:53 +0800 Subject: [PATCH 05/10] Compiler Mitigations (#5) * Add security hardening flags --- Unix/buildtool | 7 +++++++ Unix/configure | 37 +++++++++++++++++++++++++++------ Unix/installbuilder/GNUmakefile | 8 ++++++- Unix/mak/rules.mak | 7 +++++++ 4 files changed, 52 insertions(+), 7 deletions(-) diff --git a/Unix/buildtool b/Unix/buildtool index cbe3c6e75..480ec1b37 100755 --- a/Unix/buildtool +++ b/Unix/buildtool @@ -753,6 +753,9 @@ if [ "$arg1" = "cflags" -o "$arg1" = "cxxflags" ]; then --gcov) gcov_opt=1 ;; + --security-hardening) + security_hardening_opt=1 + ;; --pic) pic_opt=1 ;; @@ -798,6 +801,10 @@ if [ "$arg1" = "cflags" -o "$arg1" = "cxxflags" ]; then r="$r -fvisibility=hidden" r="$r -fcommon" r="$r -fno-strict-aliasing" + test -n "$security_hardening_opt" && r="$r -D_FORTIFY_SOURCE=2" + test -n "$security_hardening_opt" && r="$r -z noexecstack" + test -n "$security_hardening_opt" && r="$r -Wl,-z,relro -Wl,-z,now" + test -n "$security_hardening_opt" && r="$r -Wformat -Wformat-security -Werror=format-security" r="$r -fstack-protector-all" r="$r -D_GNU_SOURCE" r="$r -D_XOPEN_SOURCE=600" diff --git a/Unix/configure b/Unix/configure index eb536a38a..1019e0bdc 100755 --- a/Unix/configure +++ b/Unix/configure @@ -299,11 +299,16 @@ do fi ;; + --enable-security-hardening) + enable_security_hardening=1 + ;; + --enable-system-build) set_microsoft_build_options # Enable universal linux (--enable-ulinux) if we're on Linux and not PPC if [ "`uname -s`" = "Linux" -a "`uname -m`" != "ppc64le" ]; then + echo "enable universal Linux build." enable_ulinux=1 fi @@ -1670,6 +1675,7 @@ GSSLIB=$gsslib TRAVIS_CI=$travis_ci ENABLE_NATIVE_KITS=$enable_native_kits ENABLE_ULINUX=$enable_ulinux +ENABLE_SECURITY_HARDENING=$enable_security_hardening EOF echo "created $fn" 
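Review bot: The linker options added under `--security-hardening` (`-z noexecstack`, `-Wl,-z,relro -Wl,-z,now`) are appended to the cflags/cxxflags result `r`, so they only reach the binary if the same string is also passed at link time; if buildtool has a separate libs/ldflags branch they belong there, and `-z noexecstack` should be spelled `-Wl,-z,noexecstack` to match the line below it. `-D_FORTIFY_SOURCE=2` is only active when compiling with optimization and glibc's features.h emits a `#warning` when it is defined at -O0 — with `--enable-werror` (Unix/regress) that warning is fatal, so add it only when an optimization level is in effect. Consider `-fPIE`/`-pie` for the executables as well so ASLR covers the main image; the existing unconditional `-fstack-protector-all` already covers stack cookies. The four `test -n "$security_hardening_opt"` lines repeat one condition; a single `if [ -n "$security_hardening_opt" ]; then … fi` block reads cleaner.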
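Review bot: `--enable-security-hardening` is opt-in and nothing else in the hunk sets `enable_security_hardening`, so the default build and `--enable-system-build` still produce binaries without RELRO/NOW/noexecstack; if shipped packages are meant to be hardened, set `enable_security_hardening=1` inside `set_microsoft_build_options` (or default it on and offer `--disable-security-hardening`). The case arm is added without a matching line in configure's usage/help text, which is outside this hunk and should be updated in the same change. The new `echo "enable universal Linux build."` prints unprefixed during configure; prefixing it with `$0:` as the regress script does for its messages keeps output attributable.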
@@ -2009,6 +2015,12 @@ else echo "/* #define TRAVIS_CI */" >> $fn fi +if [ "$enable_security_hardening" = "1" ]; then + echo "#define CONFIG_ENABLE_SECURITY_HARDENING" >> $fn +else + echo "/* #define CONFIG_ENABLE_SECURITY_HARDENING */" >> $fn +fi + echo "" >> $fn echo "#endif /* _config_h */" >> $fn @@ -2049,6 +2061,12 @@ ln -f -s $root/omiclient $outputdir/include/omiclient fn=$outputdir/omi.mak +if [ "$enable_security_hardening" = "1" ];then + securityhardeningopt=--security-hardening +else + securityhardeningopt= +fi + cat > $fn < Date: Wed, 15 Dec 2021 08:12:18 +0000 Subject: [PATCH 06/10] security hardening (#4) --- Unix/base/messages.c | 9 +- Unix/base/messages.h | 3 - Unix/base/messagesprint.c | 1 - Unix/base/oi_traces.h | 12 +- Unix/base/oiomi.h | 20 +-- Unix/engine/engine.c | 7 +- Unix/protocol/protocol.c | 243 ++++++++++--------------------------- Unix/protocol/protocol.h | 10 +- Unix/server/server.c | 24 ++-- Unix/server/server.h | 4 +- Unix/server/servercommon.c | 12 +- 11 files changed, 91 insertions(+), 254 deletions(-) diff --git a/Unix/base/messages.c b/Unix/base/messages.c index ff05f75c8..3b85fa6ee 100644 --- a/Unix/base/messages.c +++ b/Unix/base/messages.c @@ -194,7 +194,6 @@ static const MessageField binProtocolNotificationFields[] = {MFT_POINTER_OPT,offsetof(BinProtocolNotification, user),0,0}, {MFT_POINTER_OPT,offsetof(BinProtocolNotification, password),0,0}, {MFT_POINTER_OPT,offsetof(BinProtocolNotification, authFile),0,0}, - {MFT_POINTER_OPT,offsetof(BinProtocolNotification, message),0,0}, {MFT_END_OF_LIST, 0, 0, 0} }; @@ -217,7 +216,6 @@ static const MessageField postIndicationMessageFields[] = static const MessageField postSocketFileFields[] = { {MFT_POINTER_OPT,offsetof(PostSocketFile, sockFilePath),0,0}, - {MFT_POINTER_OPT,offsetof(PostSocketFile, secretString),0,0}, {MFT_END_OF_LIST, 0, 0, 0} }; 
@@ -234,11 +232,6 @@ static const MessageField pamCheckUserFields[] = {MFT_END_OF_LIST, 0, 0, 0} }; -static const MessageField pamCheckUserRspFields[] = -{ - {MFT_POINTER_OPT,offsetof(PamCheckUserResp, message),0,0}, - {MFT_END_OF_LIST, 0, 0, 0} -}; #if defined(CONFIG_ENABLE_PREEXEC) static const MessageField execPreexecReqFields[] = @@ -305,7 +298,7 @@ static const MessageDeclaration allMessages[] = { {postSocketFileFields, sizeof(PostSocketFile), MI_TRUE}, {socketMaintenanceFields, sizeof(VerifySocketConn), MI_TRUE}, {pamCheckUserFields, sizeof(PamCheckUserReq), MI_TRUE}, - {pamCheckUserRspFields, sizeof(PamCheckUserResp), MI_FALSE} + {emptyMessageFields, sizeof(PamCheckUserResp), MI_FALSE} #if defined(CONFIG_ENABLE_PREEXEC) , {execPreexecReqFields, sizeof(ExecPreexecReq), MI_TRUE}, diff --git a/Unix/base/messages.h b/Unix/base/messages.h index 3490c8933..8a5323946 100644 --- a/Unix/base/messages.h +++ b/Unix/base/messages.h @@ -1191,7 +1191,6 @@ typedef struct _BinProtocolNotification /* if in nonroot mode, keeps track of which socket to send message back*/ int forwardSock; - MI_ConstString message; } BinProtocolNotification; @@ -1652,7 +1651,6 @@ typedef struct _PostSocketFile Message base; MI_Uint32 type; MI_ConstString sockFilePath; - MI_ConstString secretString; } PostSocketFile; @@ -1800,7 +1798,6 @@ typedef struct _PamCheckUserResp Message base; MI_Uint64 handle; MI_Boolean result; - MI_ConstString message; } PamCheckUserResp; diff --git a/Unix/base/messagesprint.c b/Unix/base/messagesprint.c index 018602062..b28649e0e 100644 --- a/Unix/base/messagesprint.c +++ b/Unix/base/messagesprint.c @@ -692,7 +692,6 @@ void PostSocketFile_Print( {"operationId", FT_UINT64, offsetof(Self, base.operationId)}, {"type", FT_UINT32, offsetof(Self, type)}, {"sockFilePath", FT_STRING, offsetof(Self, sockFilePath)}, - {"secretString", FT_STRING, offsetof(Self, secretString)}, {NULL, 0, 0}, }; _Message_Print(msg, os, "PostSocketFile", fields); 
diff --git a/Unix/base/oi_traces.h b/Unix/base/oi_traces.h index b04f1b885..6fee402df 100644 --- a/Unix/base/oi_traces.h +++ b/Unix/base/oi_traces.h @@ -439,10 +439,8 @@ OI_EVENT("Password exceeds reasonable limit: %d") void trace_Password_Error(unsigned int bytes); OI_EVENT("Invalid server credentials") void trace_InvalidServerCredentials(); -OI_EVENT("Attempt to reset secret string") -void trace_AttemptToResetSecretString(); - - +OI_EVENT("(%c) A malicious attempt is detected. tag:(%d) name:(%T)") +void trace_MaliciousAttemptDetected(char type, MI_Uint32 msgTag, const TChar * messageName); /******************************** WARNINGS ***********************************/ @@ -1837,8 +1835,8 @@ OI_EVENT("Engine: Client Credentials Verified (%p)") void trace_ClientCredentialsVerfied(void* handle); OI_EVENT("Client: Client Credentials Verified") void trace_ClientCredentialsVerfied2(); -OI_EVENT("(%c)Handle:(%p), ClientAuthState = %d, EngineAuthState = %d") -void trace_AuthStates(char type, void* handle, int client, int engine); +OI_EVENT("(%c)Handle:(%p), ClientAuthState = %d, ServerAuthState = %d") +void trace_AuthStates(char type, void* handle, int client, int server); OI_EVENT("Asking Server to PAM authenticate") void trace_AskServerToAuthenticate(); OI_EVENT("AgentMgr_PreExec_RequestStrand_Post: preexecContext (%p), strand (%p)") @@ -1865,8 +1863,6 @@ OI_EVENT("AgentMgr_PreExec_ResponseStrand_Close: preexecContext (%p), strand (%p void trace_AgentMgr_PreExec_ResponseStrand_Close(void* context, void* strand); OI_EVENT("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)") void trace_AgentMgr_PreExec_ResponseStrand_Finish(void* context, void* strand); -OI_EVENT("Server credentials verified (%p)") -void trace_ServerCredentialsVerified(void* handle); /******************************** AUTH TRACES ***********************************/ diff --git a/Unix/base/oiomi.h b/Unix/base/oiomi.h index 8e30f2137..dfb0055b2 100644 --- a/Unix/base/oiomi.h 
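Review bot: The new event text `(%c) A malicious attempt is detected. tag:(%d) name:(%T)` asserts intent the code cannot know — `_VerifyMessage` rejects a message that is not permitted for the process role or the connection's auth state, which a buggy or stale peer triggers just as well. Name the condition rather than the motive, e.g. `OI_EVENT("(%c) Message not permitted for current role/auth state. tag:(%d) name:(%T)")`, so operators triaging logs are not sent chasing an intrusion on every protocol mismatch; the same text appears in the `FILE_EVENT3` line in oiomi.h and should change with it.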
+++ b/Unix/base/oiomi.h @@ -1133,17 +1133,11 @@ FILE_EVENT1(20153, trace_Password_Error_Impl, LOG_ERR, PAL_T("Password exceeds r #endif FILE_EVENT0(20154, trace_Listen_Failed_Impl, LOG_ERR, PAL_T("Listen failed on both IPv4 and IPv6")) #if defined(CONFIG_ENABLE_DEBUG) -#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(__FILE__, __LINE__) +#define trace_MaliciousAttemptDetected(a0, a1, a2) trace_MaliciousAttemptDetected_Impl(__FILE__, __LINE__, a0, a1, a2) #else -#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(0, 0) +#define trace_MaliciousAttemptDetected(a0, a1, a2) trace_MaliciousAttemptDetected_Impl(0, 0, a0, a1, a2) #endif -FILE_EVENT0(20155, trace_InvalidServerCredentials_Impl, LOG_ERR, PAL_T("Invalid Server credentials")) -#if defined(CONFIG_ENABLE_DEBUG) -#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(__FILE__, __LINE__) -#else -#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(0, 0) -#endif -FILE_EVENT0(20156, trace_AttemptToResetSecretString_Impl, LOG_ERR, PAL_T("Attempt to reset Secret String")) +FILE_EVENT3(20155, trace_MaliciousAttemptDetected_Impl, LOG_ERR, PAL_T("(%c) A malicious attempt is detected. tag:(%d) name:(%T)"), char, MI_Uint32, const TChar *) #if defined(CONFIG_ENABLE_DEBUG) #define trace__FindSubRequest_CannotFindKey(a0, a1, a2) trace__FindSubRequest_CannotFindKey_Impl(__FILE__, __LINE__, a0, a1, a2) #else 
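Review bot: Event id 20155 is reassigned from `trace_InvalidServerCredentials_Impl` ("Invalid Server credentials") to `trace_MaliciousAttemptDetected_Impl`, and 20156 is retired; if log consumers or alert rules key on these numeric ids, an existing rule for 20155 now fires on a different condition with a different argument list (three arguments instead of none). Allocate the next unused id in this range for the new event and leave 20155/20156 unassigned with a comment such as `/* 20155, 20156 retired: secret-string checks removed */` so they are not reused later. The `%T` argument at the call site is `MessageName(msg->tag)`; if that can return NULL for an unknown tag, pass a fallback string instead.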
@@ -5007,7 +5001,7 @@ FILE_EVENT0(45372, trace_ClientCredentialsVerfied2_Impl, LOG_DEBUG, PAL_T("Clien #else #define trace_AuthStates(a0, a1, a2, a3) trace_AuthStates_Impl(0, 0, a0, a1, a2, a3) #endif -FILE_EVENT4(45373, trace_AuthStates_Impl, LOG_DEBUG, PAL_T("(%c)Handle:(%p), ClientAuthState = %d, EngineAuthState = %d"), char, void*, int, int) +FILE_EVENT4(45373, trace_AuthStates_Impl, LOG_DEBUG, PAL_T("(%c)Handle:(%p), ClientAuthState = %d, ServerAuthState = %d"), char, void*, int, int) #if defined(CONFIG_ENABLE_DEBUG) #define trace_AskServerToAuthenticate() trace_AskServerToAuthenticate_Impl(__FILE__, __LINE__) #else @@ -5087,12 +5081,6 @@ FILE_EVENT2(45385, trace_AgentMgr_PreExec_ResponseStrand_Close_Impl, LOG_DEBUG, #endif FILE_EVENT2(45386, trace_AgentMgr_PreExec_ResponseStrand_Finish_Impl, LOG_DEBUG, PAL_T("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)"), void*, void*) #if defined(CONFIG_ENABLE_DEBUG) -#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(__FILE__, __LINE__, a0) -#else -#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(0, 0, a0) -#endif -FILE_EVENT1(45387, trace_ServerCredentialsVerified_Impl, LOG_DEBUG, PAL_T("Server credentials verified (%p)"), void*) -#if defined(CONFIG_ENABLE_DEBUG) #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(__FILE__, __LINE__) #else #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(0, 0) diff --git a/Unix/engine/engine.c b/Unix/engine/engine.c index 1c594eba9..b07ea39f9 100644 --- a/Unix/engine/engine.c +++ b/Unix/engine/engine.c 
@@ -75,19 +75,20 @@ int enginemain(int argc, const char* argv[]) } // binary connection with server - result = BinaryProtocolListenSock(s_opts.socketpairPort, &s_data.mux[1], &s_data.protocol1, NULL, NULL); + result = BinaryProtocolListenSock(s_opts.socketpairPort, &s_data.mux[1], &s_data.protocol1, NULL); if (result != MI_RESULT_OK) { err(ZT("Failed to initialize binary protocol for socket")); } s_data.protocol1->protocolSocket.permanent = MI_TRUE; + s_data.protocol1->protocolSocket.serverAuthState = PRT_AUTH_OK; result = Initialize_ProtocolSocketTracker(); if (result != MI_RESULT_OK) { err(ZT("Failed to initialize binary protocol tracker for engine")); } - + r = SendSocketFileRequest(&s_data.protocol1->protocolSocket); if (r == MI_FALSE) { @@ -96,7 +97,7 @@ int enginemain(int argc, const char* argv[]) // binary connection with client const char *path = OMI_GetPath(ID_SOCKETFILE); - result = BinaryProtocolListenFile(path, &s_data.mux[0], &s_data.protocol0, NULL); + result = BinaryProtocolListenFile(path, &s_data.mux[0], &s_data.protocol0); if (result != MI_RESULT_OK) { err(ZT("Failed to initialize binary protocol for socket file")); diff --git a/Unix/protocol/protocol.c b/Unix/protocol/protocol.c index b4991b4fc..2b4b35637 100644 --- a/Unix/protocol/protocol.c +++ b/Unix/protocol/protocol.c @@ -61,7 +61,6 @@ static const MI_Uint32 _MAGIC = 0xC764445E; static ProtocolSocket *s_permanentSocket = NULL; static char s_socketFile[PAL_MAX_PATH_SIZE]; -static char s_secretString[S_SECRET_STRING_LENGTH]; static HashMap s_protocolSocketTracker; static Lock s_trackerLock; static MI_Result (*authenticateCallback)(PamCheckUserResp*); 
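Review bot: `s_data.protocol1->protocolSocket.serverAuthState = PRT_AUTH_OK;` grants the server-authenticated state to the socketpair connection before any message has been exchanged, and with the secret-string handshake removed it is the only thing that state now rests on; the justification belongs at the line, e.g. `/* The socketpair peer is the server that spawned this engine; trusted by construction, no in-band handshake. */`. If `socketpairPort` can ever be a TCP port rather than an inherited socketpair descriptor that assumption does not hold and the state should stay non-OK until the first PostSocketFileResponse arrives; I cannot tell from the hunk which it is. enginemain continues outside the hunk.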
@@ -696,15 +695,6 @@ static MI_Boolean _SendAuthResponse( } } - if (protocolBase->expectedSecretString && *protocolBase->expectedSecretString) - { - req->message = Batch_Strdup(req->base.batch, protocolBase->expectedSecretString); - if (!req->message) - { - BinProtocolNotification_Release(req); - return MI_FALSE; - } - } req->uid = uid; req->gid = gid; @@ -1050,14 +1040,12 @@ MI_Boolean SendSocketFileRequest( MI_Boolean SendSocketFileResponse( ProtocolSocket* h, - const char *socketFile, - const char *expectedSecretString) + const char *socketFile) { PostSocketFile* req; MI_Boolean retVal = MI_TRUE; DEBUG_ASSERT(socketFile); - DEBUG_ASSERT(expectedSecretString); s_permanentSocket = h; s_type = 'S'; @@ -1076,14 +1064,6 @@ MI_Boolean SendSocketFileResponse( } } - { - req->secretString = Batch_Strdup(req->base.batch, expectedSecretString); - if (!req->secretString) - { - PostSocketFile_Release(req); - return MI_FALSE; - } - } /* send message */ { @@ -1115,7 +1095,7 @@ static MI_Boolean _ProcessEngineAuthMessage( /* server waiting engine's request */ if (PostSocketFileRequest == sockMsg->type) { - if (!SendSocketFileResponse(handler, protocolBase->socketFile, protocolBase->expectedSecretString)) + if (!SendSocketFileResponse(handler, protocolBase->socketFile)) return MI_FALSE; return MI_TRUE; 
@@ -1124,19 +1104,8 @@ static MI_Boolean _ProcessEngineAuthMessage( /* engine waiting for server's response */ if (PostSocketFileResponse == sockMsg->type) { - // secret string is mandatory and can be set only during engine start-up - if( (sockMsg->secretString == NULL) || - (*s_secretString && Strncmp(sockMsg->secretString, s_secretString, S_SECRET_STRING_LENGTH) != 0) ) - { - trace_AttemptToResetSecretString(); - return MI_FALSE; - } - DEBUG_ASSERT(sockMsg->sockFilePath); - DEBUG_ASSERT(sockMsg->secretString); - Strlcpy(s_socketFile, sockMsg->sockFilePath, PAL_MAX_PATH_SIZE); - Strlcpy(s_secretString, sockMsg->secretString, S_SECRET_STRING_LENGTH); trace_ServerInfoReceived(); return MI_TRUE; @@ -1145,49 +1114,6 @@ static MI_Boolean _ProcessEngineAuthMessage( return MI_FALSE; } -/* Creates and sends socket maintenance message */ -static MI_Boolean _SendVerifySocketConnMsg( - ProtocolSocket* h, - VerifySocketConnType type, - const char* message, - Sock s) -{ - VerifySocketConn* req; - MI_Boolean retVal = MI_TRUE; - - req = VerifySocketConn_New(type); - - if (!req) - return MI_FALSE; - - req->sock = s; - - if (message && *message) - { - req->message = Batch_Strdup(req->base.batch, message); - if (!req->message) - { - VerifySocketConn_Release(req); - return MI_FALSE; - } - } - - /* send message */ - { - DEBUG_ASSERT(h->message == NULL); - h->message = (Message*) req; - - Message_AddRef(&req->base); - - _PrepareMessageForSending(h); - retVal = _RequestCallbackWrite(h); - } - - VerifySocketConn_Release(req); - - return retVal; -} - static MI_Boolean _SendCreateAgentMsg( ProtocolSocket* h, CreateAgentMsgType type, 
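Review bot: In the `PostSocketFileResponse` branch the only guard left on `sockMsg->sockFilePath` is `DEBUG_ASSERT`, which compiles out of release builds, and the field is declared `MFT_POINTER_OPT` in messages.c, so a response without it decodes to a NULL pointer that `Strlcpy` then dereferences; the removed secret-string check used to reject such a message before this point. Replace the assert with a runtime check ahead of the copy: `if (sockMsg->sockFilePath == NULL || *sockMsg->sockFilePath == '\0') return MI_FALSE;`. A second response can now also silently overwrite `s_socketFile`; if that is not intended, return MI_FALSE when `*s_socketFile` is already set and differs, as the old code did when the stored secret string mismatched.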
@@ -1437,15 +1363,6 @@ static MI_Boolean _SendPamCheckUserResp( req->handle = handle; req->result = result; - if (protocolBase->expectedSecretString && *protocolBase->expectedSecretString) - { - req->message = Batch_Strdup(req->base.batch, protocolBase->expectedSecretString); - if (!req->message) - { - PamCheckUserResp_Release(req); - return MI_FALSE; - } - } /* send message */ { @@ -1503,18 +1420,6 @@ static MI_Boolean _ProcessPamCheckUserResp( pamMsg = (PamCheckUserResp*) msg; // server authentication check - if ( (pamMsg->message != NULL) && (*s_secretString) && (Strncmp(pamMsg->message, s_secretString, S_SECRET_STRING_LENGTH) == 0) ) - { - trace_ServerCredentialsVerified(handler); - } - else - { - trace_InvalidServerCredentials(); - return MI_FALSE; - } - - pamMsg->message = NULL; - /* engine waiting server's response */ result = authenticateCallback(pamMsg); 
@@ -1663,47 +1568,6 @@ static MI_Boolean _ProcessExecPreexecResp( } #endif -static MI_Boolean _ProcessVerifySocketConnMessage( - ProtocolSocket* handler, - Message *msg) -{ - ProtocolBase* protocolBase = (ProtocolBase*)handler->base.data; - VerifySocketConn* sockMsg; - - if (msg->tag != VerifySocketConnTag) - return MI_FALSE; - - sockMsg = (VerifySocketConn*) msg; - - /* server waiting engine's request */ - if (VerifySocketConnStartup == sockMsg->type) - { - DEBUG_ASSERT(handler->engineAuthState == PRT_AUTH_WAIT_CONNECTION_REQUEST); - if (Strncmp(sockMsg->message, protocolBase->expectedSecretString, S_SECRET_STRING_LENGTH) == 0) - { - trace_EngineCredentialsVerified(handler); - handler->engineAuthState = PRT_AUTH_OK; - } - else - { - trace_InvalidEngineCredentials(); - _SendVerifySocketConnMsg(handler, VerifySocketConnShutdown, "Invalid secret string received", sockMsg->sock); - - _ProtocolSocket_Cleanup(handler); - } - return MI_TRUE; - } - - /* engine waiting for closing request from server*/ - if (VerifySocketConnShutdown == sockMsg->type) - { - handler->base.sock = sockMsg->sock; - _ProtocolSocket_Cleanup(handler); - return MI_TRUE; - } - - return MI_FALSE; -} static void _PrepareMessageForSending( ProtocolSocket *handler) 
@@ -1872,6 +1736,55 @@ static MI_Result _CreateConnector( return Sock_CreateIPConnector(s, locator); } +static MI_Boolean _VerifyMessage( + ProtocolSocket* handler, + Message* msg) +{ + if(msg->tag == PostSocketFileTag) + { + PostSocketFile* sockMsg = (PostSocketFile*) msg; + + // s_type is not yet set for server during this check + if(sockMsg->type == PostSocketFileRequest) + return s_type != 'E'; + + else if(sockMsg->type == PostSocketFileResponse) + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + + else + return MI_FALSE; + } + else if(msg->tag == CreateAgentMsgTag) + { + CreateAgentMsg* agentMsg = (CreateAgentMsg*) msg; + + if(agentMsg->type == CreateAgentMsgRequest) + return s_type == 'S'; + + else if(agentMsg->type == CreateAgentMsgResponse) + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + + else + return MI_FALSE; + } + else if (msg->tag == BinProtocolNotificationTag) + { + BinProtocolNotification* binMsg = (BinProtocolNotification*) msg; + + if(binMsg->type == BinNotificationConnectResponse) + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + } + else if (msg->tag == PamCheckUserReqTag) + return s_type == 'S'; + + else if (msg->tag == PamCheckUserRespTag) + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + + else if (msg->tag == ExecPreexecRespTag) + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + + return MI_TRUE; +} /* Processes incoming message, including: - decoding message from batch 
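Review bot: `_VerifyMessage` references `ExecPreexecRespTag` unconditionally while the preexec message tables in messages.c and `_ProcessExecPreexecResp` sit under `#if defined(CONFIG_ENABLE_PREEXEC)`; if the tag enum is conditional as well this will not compile without preexec, so wrap that arm in the same guard. The function is allow-by-default — any tag not listed, including `VerifySocketConnTag` whose handler this commit deletes, falls through to `return MI_TRUE;` — so add `else if (msg->tag == VerifySocketConnTag) return MI_FALSE;` and a header comment stating that unlisted tags are ordinary requests still subject to the `clientAuthState` checks below. `PostSocketFileRequest` is accepted whenever `s_type != 'E'`, i.e. on the server from any connection regardless of `handler->clientAuthState`, and its handler `SendSocketFileResponse` then overwrites `s_permanentSocket`; if the server's binary listener can be reached by anything other than the engine, gate this on the connection itself (the `permanent` flag, if it is set on the server side too) rather than on the process role. For `BinNotificationConnectResponse` the check requires `s_type == 'E'`; a process that never sends a socket-file request (a client) never sets `s_type`, so please confirm clients do not receive that response through this path or it will be rejected.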
@@ -1921,19 +1834,18 @@ static Protocol_CallbackResult _ProcessReceivedMessage( MessageName(msg->tag), msg->operationId ); - trace_AuthStates(s_type, handler, handler->clientAuthState, handler->engineAuthState); + trace_AuthStates(s_type, handler, handler->clientAuthState, handler->serverAuthState); + + if( !_VerifyMessage(handler,msg) ){ + trace_MaliciousAttemptDetected(s_type, msg->tag, MessageName(msg->tag) ); + return PRT_RETURN_FALSE; + } if (msg->tag == PostSocketFileTag) { if( _ProcessEngineAuthMessage(handler, msg) ) ret = PRT_CONTINUE; } - else if (msg->tag == VerifySocketConnTag) - { - trace_ServerEstablishingSocket(handler, handler->base.sock); - if( _ProcessVerifySocketConnMessage(handler, msg) ) - ret = PRT_CONTINUE; - } else if (msg->tag == CreateAgentMsgTag) { if( _ProcessCreateAgentMsg(handler, msg) ) @@ -1958,19 +1870,6 @@ static Protocol_CallbackResult _ProcessReceivedMessage( ret = PRT_CONTINUE; } #endif /* CONFIG_ENABLE_PREEXEC */ - else if (PRT_AUTH_OK != handler->engineAuthState) - { - trace_EngineCredentialsNotReceived(); - if (msg->tag == BinProtocolNotificationTag) - { - BinProtocolNotification* binMsg = (BinProtocolNotification*) msg; - - _SendVerifySocketConnMsg(handler, VerifySocketConnShutdown, "Engine credentials not received", binMsg->forwardSock); - - _ProtocolSocket_Cleanup(handler); - return PRT_RETURN_FALSE; - } - } else if (msg->tag == BinProtocolNotificationTag && PRT_AUTH_OK != handler->clientAuthState) { if (protocolBase->forwardRequests == MI_TRUE) @@ -1995,7 +1894,6 @@ static Protocol_CallbackResult _ProcessReceivedMessage( } DEBUG_ASSERT(*s_socketFile); - DEBUG_ASSERT(*s_secretString); /* If system supports connection-based auth, use it for implicit auth */ 
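Review bot: When `_VerifyMessage` rejects a message, the new block traces `trace_MaliciousAttemptDetected` and returns `PRT_RETURN_FALSE` without tearing the socket down, whereas the engine-auth branch this patch deletes in the following hunk (`PRT_AUTH_OK != handler->engineAuthState`) called `_ProtocolSocket_Cleanup(handler);` before returning the same value. If `PRT_RETURN_FALSE` does not by itself make the caller close the handler, a peer that sends a disallowed message keeps its connection open and can keep trying; adding `_ProtocolSocket_Cleanup(handler);` before the `return` would match the removed code. The brace style `if( !_VerifyMessage(handler,msg) ){` also differs from the surrounding `if (...)` with the brace on its own line. `_ProcessReceivedMessage` begins and ends outside this hunk.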
@@ -2032,7 +1930,10 @@ static Protocol_CallbackResult _ProcessReceivedMessage( handler->engineHandler = &newSocketAndBase->protocolSocket.base; handler->clientAuthState = PRT_AUTH_WAIT_CONNECTION_RESPONSE; + handler = &newSocketAndBase->protocolSocket; + handler->serverAuthState = PRT_AUTH_OK; + newSocketAndBase->internalProtocolBase.forwardRequests = MI_TRUE; // Note that we are storing (socket, ProtocolSocketAndBase*) here @@ -2054,17 +1955,6 @@ static Protocol_CallbackResult _ProcessReceivedMessage( } else if (binMsg->type == BinNotificationConnectResponse) { - // server authentication check - if ( (binMsg->message != NULL) && (*s_secretString) && (Strncmp(binMsg->message, s_secretString, S_SECRET_STRING_LENGTH) == 0) ) - { - trace_ServerCredentialsVerified(handler); - } - else - { - trace_InvalidServerCredentials(); - return PRT_RETURN_FALSE; - } - binMsg->message = NULL; // forward to client @@ -2750,8 +2640,7 @@ ProtocolSocket* _ProtocolSocket_Server_New( self->base.handlerName = MI_T("BINARY_SERVER_CONNECTION"); /* waiting for connect-request */ - self->clientAuthState = PRT_AUTH_WAIT_CONNECTION_REQUEST; - self->engineAuthState = (protocolBase->expectedSecretString == NULL) ? PRT_AUTH_OK : PRT_AUTH_WAIT_CONNECTION_REQUEST; + self->clientAuthState = PRT_AUTH_WAIT_CONNECTION_REQUEST; } return self; @@ -2841,7 +2730,6 @@ MI_Result ProtocolSocketAndBase_New_Connector( h->base.mask = SELECTOR_READ | SELECTOR_WRITE | SELECTOR_EXCEPTION; h->base.handlerName = MI_T("BINARY_CONNECTOR"); h->clientAuthState = PRT_AUTH_WAIT_CONNECTION_RESPONSE; - h->engineAuthState = PRT_AUTH_OK; /* send connect request */ if( !_SendAuthRequest(h, user, password, NULL, INVALID_SOCK, INVALID_ID, INVALID_ID) ) @@ -2929,8 +2817,6 @@ MI_Result _ProtocolSocketAndBase_New_From_Socket( (only used in server/agent communication) */ h->clientAuthState = PRT_AUTH_OK; - h->engineAuthState = PRT_AUTH_OK; - r = _AddProtocolSocket_Handler(self->internalProtocolBase.selector, h); if (r != MI_RESULT_OK) 
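Review bot: Reassigning the function parameter with `handler = &newSocketAndBase->protocolSocket;` just to set one field changes what `handler` means for the rest of `_ProcessReceivedMessage`, whose body continues past this hunk; any later use of `handler` in this branch would silently address the new engine-side socket instead of the client connection whose `engineHandler` and `clientAuthState` were set two lines above. Setting the field directly avoids the aliasing: replace the two added lines with `newSocketAndBase->protocolSocket.serverAuthState = PRT_AUTH_OK;`. If the reassignment is deliberate because the code that follows is meant to operate on the new socket, a comment saying so is needed, since nothing in the hunk signals the switch.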
@@ -3132,7 +3018,6 @@ static MI_Result _ProtocolSocketAndBase_New_Server_Connection( h->base.mask = SELECTOR_READ | SELECTOR_WRITE | SELECTOR_EXCEPTION; h->base.callback = _RequestCallback; h->clientAuthState = PRT_AUTH_OK; - h->engineAuthState = PRT_AUTH_OK; r = _AddProtocolSocket_Handler(selector, h); @@ -3142,12 +3027,6 @@ static MI_Result _ProtocolSocketAndBase_New_Server_Connection( return r; } - if (!_SendVerifySocketConnMsg(h, VerifySocketConnStartup, s_secretString, INVALID_SOCK)) - { - Selector_RemoveHandler(selector, &h->base); - return MI_RESULT_FAILED; - } - return MI_RESULT_OK; } diff --git a/Unix/protocol/protocol.h b/Unix/protocol/protocol.h index d2b7f62e6..fa471e6f9 100644 --- a/Unix/protocol/protocol.h +++ b/Unix/protocol/protocol.h @@ -72,7 +72,6 @@ typedef struct _ProtocolBase /* Indicates whether instance has to be upacked or stored as byte array */ MI_Boolean skipInstanceUnpack; MI_Boolean forwardRequests; // true if in nonroot mode and msg should be forwarded - const char* expectedSecretString; const char* socketFile; } ProtocolBase; @@ -103,8 +102,10 @@ typedef struct _ProtocolSocket /* Client auth state */ Protocol_AuthState clientAuthState; - /* Engine auth state */ - Protocol_AuthState engineAuthState; + /* Server auth state + maintained for connection between engine and server + PRT_AUTH_OK for engine's endpoint if verified connection with server*/ + Protocol_AuthState serverAuthState; /* server side - auhtenticated user's ids */ AuthInfo authInfo; Protocol_AuthData* authData; @@ -196,8 +197,7 @@ MI_Boolean SendSocketFileRequest( MI_Boolean SendSocketFileResponse( ProtocolSocket* h, - const char *socketFile, - const char *expectedSecretString); + const char *socketFile); MI_Boolean SendExecutePreexecRequest( void *contextp, diff --git a/Unix/server/server.c b/Unix/server/server.c index 993508649..8592a7c3a 100644 --- a/Unix/server/server.c +++ b/Unix/server/server.c 
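Review bot: `serverAuthState` replaces `engineAuthState` in `ProtocolSocket`, but in the hunks shown it is never initialized by a constructor: the `engineAuthState` assignments in `_ProtocolSocket_Server_New`, `ProtocolSocketAndBase_New_Connector`, `_ProtocolSocketAndBase_New_From_Socket`, `_ProtocolSocketAndBase_New_Server_Connection` and `BinaryProtocolListenSock` are deleted rather than replaced, and the only remaining assignment is on the newly created engine-side socket in `_ProcessReceivedMessage`. `_VerifyMessage` then compares a field whose value depends on how the struct was allocated and on the numeric value of `PRT_AUTH_OK`: if the memory is zeroed and `PRT_AUTH_OK` is the enum's zero value the check is fail-open, otherwise every message that requires a verified link is rejected. Each constructor should set it explicitly (for example `h->serverAuthState = PRT_AUTH_WAIT_CONNECTION_REQUEST;` where verification is still pending and `PRT_AUTH_OK` where the link is trusted by construction), and the new field comment could spell out the initial state, e.g. `/* Server auth state for the engine<->server connection: PRT_AUTH_OK once the engine endpoint has verified it; every constructor must initialize this. */`.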
@@ -46,7 +46,7 @@ OPTIONS:\n\ --service ACCT Use ACCT as the service account.\n\ \n"); -static int _StartEngine(int argc, char** argv, char ** envp, const char *engineSockFile, const char *secretString) +static int _StartEngine(int argc, char** argv, char ** envp, const char *engineSockFile) { Sock s[2]; char engineFile[PAL_MAX_PATH_SIZE]; @@ -63,7 +63,7 @@ static int _StartEngine(int argc, char** argv, char ** envp, const char *engineS Strlcat(engineFile, "/omiengine", PAL_MAX_PATH_SIZE); argv[0] = engineFile; - r = BinaryProtocolListenFile(engineSockFile, &s_data.mux[0], &s_data.protocol0, secretString); + r = BinaryProtocolListenFile(engineSockFile, &s_data.mux[0], &s_data.protocol0); if (r != MI_RESULT_OK) { return -1; @@ -101,8 +101,7 @@ static int _StartEngine(int argc, char** argv, char ** envp, const char *engineS trace_ServerClosingSocket(0, s[1]); Sock_Close(s[1]); s_data.internalSock = s[0]; - - r = BinaryProtocolListenSock(s[0], &s_data.mux[1], &s_data.protocol1, engineSockFile, secretString); + r = BinaryProtocolListenSock(s[0], &s_data.mux[1], &s_data.protocol1, engineSockFile); if (r != MI_RESULT_OK) { return -1; @@ -322,8 +321,8 @@ static char** _DuplicateEnvp(const char* envp[]) return NULL; } - -static int _CreateSockFile(char *sockFileBuf, int sockFileBufSize, char *secretStringBuf, int secretStringBufSize) +// find all caller to this function +static int _CreateSockFile(char *sockFileBuf, int sockFileBufSize) { char sockDir[PAL_MAX_PATH_SIZE]; char file[PAL_MAX_PATH_SIZE]; @@ -361,12 +360,6 @@ static int _CreateSockFile(char *sockFileBuf, int sockFileBufSize, char *secretS err(PAL_T("Unable to generate socket file name")); } - if ( GenerateRandomString(secretStringBuf, secretStringBufSize) != 0) - { - trace_Failed_Generate_Secret_String(); - err(PAL_T("Unable to generate secretString")); - } - Strlcpy(sockFileBuf, sockDir, sockFileBufSize); Strlcat(sockFileBuf, "/omi_", sockFileBufSize); Strlcat(sockFileBuf, name, sockFileBufSize); 
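Review bot: The added comment `// find all caller to this function` above `_CreateSockFile` is a working note to the author rather than documentation, and the callers were already updated in this patch (`servermain`, in the following hunk). Either drop it or replace it with a comment on the function's contract now that the secret-string output is gone, e.g. `/* Builds the socket file path into sockFileBuf (sockFileBufSize bytes); calls err() on failure. */`. The surrounding hunks in this file only drop the `secretString` parameter and its call-site arguments, which is consistent with the protocol change.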
@@ -480,7 +473,6 @@ int servermain(int argc, const char* argv[], const char *envp[]) char **engine_argv = NULL; char **engine_envp = NULL; char socketFile[PAL_MAX_PATH_SIZE]; - char secretString[S_SECRET_STRING_LENGTH]; const char* arg0 = argv[0]; MI_Result result; int r; @@ -611,13 +603,13 @@ int servermain(int argc, const char* argv[], const char *envp[]) if (s_opts.nonRoot == MI_TRUE) { - r = _CreateSockFile(socketFile, PAL_MAX_PATH_SIZE, secretString, S_SECRET_STRING_LENGTH); + r = _CreateSockFile(socketFile, PAL_MAX_PATH_SIZE); if (r != 0) { err(ZT("failed to create socket file")); } - r = _StartEngine(engine_argc, engine_argv, engine_envp, socketFile, secretString); + r = _StartEngine(engine_argc, engine_argv, engine_envp, socketFile); if (r != 0) { err(ZT("failed to start omi engine")); @@ -631,7 +623,7 @@ int servermain(int argc, const char* argv[], const char *envp[]) err(ZT("Failed to initialize Wsman")); } - result = BinaryProtocolListenFile(OMI_GetPath(ID_SOCKETFILE), &s_data.mux[0], &s_data.protocol0, NULL); + result = BinaryProtocolListenFile(OMI_GetPath(ID_SOCKETFILE), &s_data.mux[0], &s_data.protocol0); if (result != MI_RESULT_OK) { err(ZT("Failed to initialize binary protocol for socket file")); diff --git a/Unix/server/server.h b/Unix/server/server.h index ce90b1c74..30f55b630 100644 --- a/Unix/server/server.h +++ b/Unix/server/server.h 
@@ -130,8 +130,8 @@ void HandleSIGCHLD(int sig); void RequestCallback(_Inout_ InteractionOpenParams* interactionParams); void FUNCTION_NEVER_RETURNS err(const ZChar* fmt, ...); void FUNCTION_NEVER_RETURNS info_exit(const ZChar* fmt, ...); -MI_Result BinaryProtocolListenFile(const char *socketFile, MuxIn *mux, ProtocolBase **protocol, const char *expectedSecretString); -MI_Result BinaryProtocolListenSock(Sock sock, MuxIn *mux, ProtocolSocketAndBase **protocol, const char *socketFile, const char *expectedSecretString); +MI_Result BinaryProtocolListenFile(const char *socketFile, MuxIn *mux, ProtocolBase **protocol); +MI_Result BinaryProtocolListenSock(Sock sock, MuxIn *mux, ProtocolSocketAndBase **protocol, const char *socketFile); MI_Result WsmanProtocolListen(); MI_Result RunProtocol(); MI_Result InitializeNetwork(); diff --git a/Unix/server/servercommon.c b/Unix/server/servercommon.c index d7d3885c2..0dc65cd54 100644 --- a/Unix/server/servercommon.c +++ b/Unix/server/servercommon.c @@ -1309,8 +1309,7 @@ MI_Result WsmanProtocolListen() MI_Result BinaryProtocolListenFile( const char *socketFile, MuxIn *mux, - ProtocolBase **protocol, - const char *expectedSecretString) + ProtocolBase **protocol) { MI_Result r = MI_RESULT_OK; @@ -1343,12 +1342,10 @@ MI_Result BinaryProtocolListenFile( if (serverType == OMI_SERVER && s_optsPtr->nonRoot) { (*protocol)->socketFile = NULL; - (*protocol)->expectedSecretString = expectedSecretString; } else { (*protocol)->socketFile = NULL; - (*protocol)->expectedSecretString = NULL; } } @@ -1359,8 +1356,7 @@ MI_Result BinaryProtocolListenSock( Sock sock, MuxIn *mux, ProtocolSocketAndBase **protocol, - const char *socketFile, - const char *expectedSecretString) + const char *socketFile) { MI_Result r = MI_RESULT_OK; 
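Review bot: After the `expectedSecretString` assignments are removed, the `if (serverType == OMI_SERVER && s_optsPtr->nonRoot)` and `else` branches in `BinaryProtocolListenFile` both reduce to `(*protocol)->socketFile = NULL;`, so the conditional no longer selects anything; the same happens in `BinaryProtocolListenSock` (hunk `@@ -1394,14 +1390,10 @@`), where both branches now set `(*protocol)->internalProtocolBase.socketFile = socketFile;`. Collapsing each to the single assignment removes a dead branch that otherwise reads like a missed case. If the split is kept for a follow-up that will differentiate the two modes again, a comment stating that would avoid the confusion.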
@@ -1394,14 +1390,10 @@ MI_Result BinaryProtocolListenSock( if (serverType == OMI_SERVER && s_optsPtr->nonRoot) { (*protocol)->internalProtocolBase.socketFile = socketFile; - (*protocol)->internalProtocolBase.expectedSecretString = expectedSecretString; - (*protocol)->protocolSocket.engineAuthState = PRT_AUTH_OK; } else { (*protocol)->internalProtocolBase.socketFile = socketFile; - (*protocol)->internalProtocolBase.expectedSecretString = expectedSecretString; - (*protocol)->protocolSocket.engineAuthState = PRT_AUTH_OK; } } From 4c2472fe2df9a730a5a533a220028f3edcc810d0 Mon Sep 17 00:00:00 2001 From: Yash-Khatri <86319267+Yash-Khatri@users.noreply.github.com> Date: Thu, 16 Dec 2021 06:37:07 +0000 Subject: [PATCH 07/10] fix build warnings (#12) --- Unix/protocol/protocol.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Unix/protocol/protocol.c b/Unix/protocol/protocol.c index 2b4b35637..c22e4a549 100644 --- a/Unix/protocol/protocol.c +++ b/Unix/protocol/protocol.c @@ -673,7 +673,6 @@ static MI_Boolean _SendAuthResponse( gid_t gid ) { - ProtocolBase* protocolBase = (ProtocolBase*)h->base.data; BinProtocolNotification* req; MI_Boolean retVal = MI_TRUE; @@ -1350,7 +1349,6 @@ static MI_Boolean _SendPamCheckUserResp( MI_Boolean result ) { - ProtocolBase* protocolBase = (ProtocolBase*)h->base.data; PamCheckUserResp *req = NULL; MI_Boolean retVal = MI_TRUE; @@ -1779,9 +1777,11 @@ static MI_Boolean _VerifyMessage( else if (msg->tag == PamCheckUserRespTag) return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; - + + #if defined(CONFIG_ENABLE_PREEXEC) else if (msg->tag == ExecPreexecRespTag) - return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; + #endif /* CONFIG_ENABLE_PREEXEC */ return MI_TRUE; } From 64b62abf3c4664e028e11efc94f20480adcd4fa9 Mon Sep 17 00:00:00 2001 
From: Yash-Khatri <86319267+Yash-Khatri@users.noreply.github.com> Date: Mon, 20 Dec 2021 12:02:14 +0000 Subject: [PATCH 08/10] binconnect response fix (#14) --- Unix/protocol/protocol.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Unix/protocol/protocol.c b/Unix/protocol/protocol.c index c22e4a549..037cbfb90 100644 --- a/Unix/protocol/protocol.c +++ b/Unix/protocol/protocol.c @@ -1765,13 +1765,13 @@ static MI_Boolean _VerifyMessage( else return MI_FALSE; } - else if (msg->tag == BinProtocolNotificationTag) + else if (msg->tag == BinProtocolNotificationTag) { BinProtocolNotification* binMsg = (BinProtocolNotification*) msg; if(binMsg->type == BinNotificationConnectResponse) - return s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK; - } + return (s_type == 'U') || (s_type == 'E' && handler->serverAuthState == PRT_AUTH_OK); + } else if (msg->tag == PamCheckUserReqTag) return s_type == 'S'; From b15755097f192a89d380c15e6389d240f6b6e079 Mon Sep 17 00:00:00 2001 From: dishantcr7 <64056848+dishantcr7@users.noreply.github.com> Date: Mon, 20 Dec 2021 17:39:07 +0530 Subject: [PATCH 09/10] Bug 1822129: [OMI Engine] Insecure TLS configuration (SSLv3, Compression) (#13) --- Unix/etc/omicli.conf | 4 ++-- Unix/etc/omiserver.conf | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Unix/etc/omicli.conf b/Unix/etc/omicli.conf index e98b837fb..6bd1801f4 100644 --- a/Unix/etc/omicli.conf +++ b/Unix/etc/omicli.conf @@ -42,8 +42,8 @@ #logpath = var/log/ #logfile = miclient.log NoSSLv2=true -NoSSLv3=false +NoSSLv3=true NoTLSv1_0=false NoTLSv1_1=false NoTLSv1_2=false -NoSSLCompression=false +NoSSLCompression=true diff --git a/Unix/etc/omiserver.conf b/Unix/etc/omiserver.conf index 526b04a96..6ebf18fc2 100644 --- a/Unix/etc/omiserver.conf +++ b/Unix/etc/omiserver.conf 
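Review bot: The widened `BinNotificationConnectResponse` check now accepts the message whenever `s_type == 'U'`, but nothing in `_VerifyMessage` says what role `'U'` denotes or why that role needs no `serverAuthState` verification, while the rest of the function reasons only about `'S'` and `'E'`. A one-line comment above the return naming the role, e.g. `// 'U': <role — confirm> receives the connect response directly; there is no engine/server link to verify`, would document the exception. The process-type characters are used as bare literals throughout the function, so named constants would make this allow-list easier to audit. The remainder of `_VerifyMessage` lies outside this hunk.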
@@ -53,8 +53,9 @@ ## NoSSLv3: When it is true, the SSLv3 protocol is disabled. ## If NoSSLv2 and NoSSLv3 are both set to true, only TLS encryption will be negotiated. ## -#NoSSLv2=true -#NoSSLv3=false +NoSSLv2=true +NoSSLv3=true +NoSSLCompression=true ## ## NtlmCredsFile -- credentials file for NTLM authentication From 6a9a1b4821fe8ccf4fe7e4a56e95a5a6ff635cde Mon Sep 17 00:00:00 2001 From: dishantcr7 <64056848+dishantcr7@users.noreply.github.com> Date: Tue, 21 Dec 2021 14:41:55 +0530 Subject: [PATCH 10/10] Dishant disable sslv3 (#15) * Bug 1822129: [OMI Engine] Insecure TLS configuration (SSLv3, Compression) * Setting TLS v1.2 as default minimum --- Unix/etc/omicli.conf | 4 ++-- Unix/etc/omiserver.conf | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Unix/etc/omicli.conf b/Unix/etc/omicli.conf index 6bd1801f4..8b774f8fe 100644 --- a/Unix/etc/omicli.conf +++ b/Unix/etc/omicli.conf @@ -43,7 +43,7 @@ #logfile = miclient.log NoSSLv2=true NoSSLv3=true -NoTLSv1_0=false -NoTLSv1_1=false +NoTLSv1_0=true +NoTLSv1_1=true NoTLSv1_2=false NoSSLCompression=true diff --git a/Unix/etc/omiserver.conf b/Unix/etc/omiserver.conf index 6ebf18fc2..86a176c6c 100644 --- a/Unix/etc/omiserver.conf +++ b/Unix/etc/omiserver.conf @@ -55,6 +55,9 @@ ## NoSSLv2=true NoSSLv3=true +NoTLSv1_0=true +NoTLSv1_1=true +NoTLSv1_2=false NoSSLCompression=true ##
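Review bot: `NoSSLCompression=true` is added to omiserver.conf without a line in the comment block above it, which documents only `NoSSLv2` and `NoSSLv3`, so a reader of the shipped config gets no description of the new key. Add `## NoSSLCompression: When it is true, TLS/SSL compression is disabled.` alongside the other `##` lines. The existing sentence `If NoSSLv2 and NoSSLv3 are both set to true, only TLS encryption will be negotiated.` also stops describing the effective policy once individual TLS versions are disabled through the `NoTLSv1_*` keys, so it is worth revising whenever those keys are set in this file.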