Merge pull request #721 from microsoft/bugfixes

1.6.9-1 release

Unix/base/messages.c

@@ -194,7 +194,6 @@ static const MessageField binProtocolNotificationFields[] =
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, user),0,0},
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, password),0,0},
     {MFT_POINTER_OPT,offsetof(BinProtocolNotification, authFile),0,0},
-    {MFT_POINTER_OPT,offsetof(BinProtocolNotification, message),0,0},
     {MFT_END_OF_LIST, 0, 0, 0}
 };
 
@@ -217,7 +216,6 @@ static const MessageField postIndicationMessageFields[] =
 static const MessageField postSocketFileFields[] =
 {
     {MFT_POINTER_OPT,offsetof(PostSocketFile, sockFilePath),0,0},
-    {MFT_POINTER_OPT,offsetof(PostSocketFile, secretString),0,0},
     {MFT_END_OF_LIST, 0, 0, 0}
 };
 
@@ -234,11 +232,6 @@ static const MessageField pamCheckUserFields[] =
     {MFT_END_OF_LIST, 0, 0, 0}
 };
 
-static const MessageField pamCheckUserRspFields[] =
-{
-    {MFT_POINTER_OPT,offsetof(PamCheckUserResp, message),0,0},
-    {MFT_END_OF_LIST, 0, 0, 0}
-};
 
 #if defined(CONFIG_ENABLE_PREEXEC)
 static const MessageField execPreexecReqFields[] =
@@ -305,7 +298,7 @@ static const MessageDeclaration allMessages[] = {
     {postSocketFileFields,              sizeof(PostSocketFile),         MI_TRUE},
     {socketMaintenanceFields,           sizeof(VerifySocketConn),       MI_TRUE},
     {pamCheckUserFields,                sizeof(PamCheckUserReq),        MI_TRUE},
-    {pamCheckUserRspFields,             sizeof(PamCheckUserResp),       MI_FALSE}
+    {emptyMessageFields,                sizeof(PamCheckUserResp),       MI_FALSE}
 #if defined(CONFIG_ENABLE_PREEXEC)
     ,
     {execPreexecReqFields,              sizeof(ExecPreexecReq),         MI_TRUE},

Unix/base/messages.h

@@ -1191,7 +1191,6 @@ typedef struct _BinProtocolNotification
 
     /* if in nonroot mode, keeps track of which socket to send message back*/
     int             forwardSock;
-    MI_ConstString  message;
 }
 BinProtocolNotification;
 
@@ -1652,7 +1651,6 @@ typedef struct _PostSocketFile
     Message         base;
     MI_Uint32       type;
     MI_ConstString  sockFilePath;
-    MI_ConstString  secretString;
 }
 PostSocketFile;
 
@@ -1800,7 +1798,6 @@ typedef struct _PamCheckUserResp
     Message         base;
     MI_Uint64       handle;
     MI_Boolean      result;
-    MI_ConstString  message;
 }
 PamCheckUserResp;
 

Unix/base/messagesprint.c

@@ -692,7 +692,6 @@ void PostSocketFile_Print(
         {"operationId", FT_UINT64, offsetof(Self, base.operationId)},
         {"type", FT_UINT32, offsetof(Self, type)},
         {"sockFilePath", FT_STRING, offsetof(Self, sockFilePath)},
-        {"secretString", FT_STRING, offsetof(Self, secretString)},
         {NULL, 0, 0},
     };
     _Message_Print(msg, os, "PostSocketFile", fields);

Unix/base/oi_traces.h

@@ -439,10 +439,8 @@ OI_EVENT("Password exceeds reasonable limit: %d")
 void trace_Password_Error(unsigned int bytes);
 OI_EVENT("Invalid server credentials")
 void trace_InvalidServerCredentials();
-OI_EVENT("Attempt to reset secret string")
-void trace_AttemptToResetSecretString();
-
-
+OI_EVENT("(%c) A malicious attempt is detected. tag:(%d) name:(%T)")
+void trace_MaliciousAttemptDetected(char type, MI_Uint32 msgTag, const TChar * messageName);
 
 /******************************** WARNINGS ***********************************/
 
@@ -1837,8 +1835,8 @@ OI_EVENT("Engine: Client Credentials Verified (%p)")
 void trace_ClientCredentialsVerfied(void* handle);
 OI_EVENT("Client: Client Credentials Verified")
 void trace_ClientCredentialsVerfied2();
-OI_EVENT("(%c)Handle:(%p), ClientAuthState = %d, EngineAuthState = %d")
-void trace_AuthStates(char type, void* handle, int client, int engine);
+OI_EVENT("(%c)Handle:(%p), ClientAuthState = %d, ServerAuthState = %d")
+void trace_AuthStates(char type, void* handle, int client, int server);
 OI_EVENT("Asking Server to PAM authenticate")
 void trace_AskServerToAuthenticate();
 OI_EVENT("AgentMgr_PreExec_RequestStrand_Post: preexecContext (%p), strand (%p)")
@@ -1865,8 +1863,6 @@ OI_EVENT("AgentMgr_PreExec_ResponseStrand_Close: preexecContext (%p), strand (%p
 void trace_AgentMgr_PreExec_ResponseStrand_Close(void* context, void* strand);
 OI_EVENT("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)")
 void trace_AgentMgr_PreExec_ResponseStrand_Finish(void* context, void* strand);
-OI_EVENT("Server credentials verified (%p)")
-void trace_ServerCredentialsVerified(void* handle);
 
 /******************************** AUTH TRACES ***********************************/
 

Unix/base/oiomi.h

@@ -1133,17 +1133,11 @@ FILE_EVENT1(20153, trace_Password_Error_Impl, LOG_ERR, PAL_T("Password exceeds r
 #endif
 FILE_EVENT0(20154, trace_Listen_Failed_Impl, LOG_ERR, PAL_T("Listen failed on both IPv4 and IPv6"))
 #if defined(CONFIG_ENABLE_DEBUG)
-#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(__FILE__, __LINE__)
+#define trace_MaliciousAttemptDetected(a0, a1, a2) trace_MaliciousAttemptDetected_Impl(__FILE__, __LINE__, a0, a1, a2)
 #else
-#define trace_InvalidServerCredentials() trace_InvalidServerCredentials_Impl(0, 0)
+#define trace_MaliciousAttemptDetected(a0, a1, a2) trace_MaliciousAttemptDetected_Impl(0, 0, a0, a1, a2)
 #endif
-FILE_EVENT0(20155, trace_InvalidServerCredentials_Impl, LOG_ERR, PAL_T("Invalid Server credentials"))
-#if defined(CONFIG_ENABLE_DEBUG)
-#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(__FILE__, __LINE__)
-#else
-#define trace_AttemptToResetSecretString() trace_AttemptToResetSecretString_Impl(0, 0)
-#endif
-FILE_EVENT0(20156, trace_AttemptToResetSecretString_Impl, LOG_ERR, PAL_T("Attempt to reset Secret String"))
+FILE_EVENT3(20155, trace_MaliciousAttemptDetected_Impl, LOG_ERR, PAL_T("(%c) A malicious attempt is detected. tag:(%d) name:(%T)"), char, MI_Uint32, const TChar *)
 #if defined(CONFIG_ENABLE_DEBUG)
 #define trace__FindSubRequest_CannotFindKey(a0, a1, a2) trace__FindSubRequest_CannotFindKey_Impl(__FILE__, __LINE__, a0, a1, a2)
 #else
@@ -5007,7 +5001,7 @@ FILE_EVENT0(45372, trace_ClientCredentialsVerfied2_Impl, LOG_DEBUG, PAL_T("Clien
 #else
 #define trace_AuthStates(a0, a1, a2, a3) trace_AuthStates_Impl(0, 0, a0, a1, a2, a3)
 #endif
-FILE_EVENT4(45373, trace_AuthStates_Impl, LOG_DEBUG, PAL_T("(%c)Handle:(%p), ClientAuthState = %d, EngineAuthState = %d"), char, void*, int, int)
+FILE_EVENT4(45373, trace_AuthStates_Impl, LOG_DEBUG, PAL_T("(%c)Handle:(%p), ClientAuthState = %d, ServerAuthState = %d"), char, void*, int, int)
 #if defined(CONFIG_ENABLE_DEBUG)
 #define trace_AskServerToAuthenticate() trace_AskServerToAuthenticate_Impl(__FILE__, __LINE__)
 #else
@@ -5087,12 +5081,6 @@ FILE_EVENT2(45385, trace_AgentMgr_PreExec_ResponseStrand_Close_Impl, LOG_DEBUG,
 #endif
 FILE_EVENT2(45386, trace_AgentMgr_PreExec_ResponseStrand_Finish_Impl, LOG_DEBUG, PAL_T("AgentMgr_PreExec_ResponseStrand_Finish: preexecContext (%p), strand (%p)"), void*, void*)
 #if defined(CONFIG_ENABLE_DEBUG)
-#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(__FILE__, __LINE__, a0)
-#else
-#define trace_ServerCredentialsVerified(a0) trace_ServerCredentialsVerified_Impl(0, 0, a0)
-#endif
-FILE_EVENT1(45387, trace_ServerCredentialsVerified_Impl, LOG_DEBUG, PAL_T("Server credentials verified (%p)"), void*)
-#if defined(CONFIG_ENABLE_DEBUG)
 #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(__FILE__, __LINE__)
 #else
 #define trace_HTTP_EncryptionFailed() trace_HTTP_EncryptionFailed_Impl(0, 0)

Unix/buildtool

@@ -753,6 +753,9 @@ if [ "$arg1" = "cflags" -o "$arg1" = "cxxflags" ]; then
             --gcov)
                 gcov_opt=1
                 ;;
+            --security-hardening)
+                security_hardening_opt=1
+                ;;
             --pic)
                 pic_opt=1
                 ;;
@@ -798,6 +801,10 @@ if [ "$arg1" = "cflags" -o "$arg1" = "cxxflags" ]; then
             r="$r -fvisibility=hidden"
             r="$r -fcommon"
             r="$r -fno-strict-aliasing"
+            test -n "$security_hardening_opt" && r="$r -D_FORTIFY_SOURCE=2"
+            test -n "$security_hardening_opt" && r="$r -z noexecstack"
+            test -n "$security_hardening_opt" && r="$r -Wl,-z,relro -Wl,-z,now"
+            test -n "$security_hardening_opt" && r="$r -Wformat -Wformat-security -Werror=format-security"
             r="$r -fstack-protector-all"
             r="$r -D_GNU_SOURCE"
             r="$r -D_XOPEN_SOURCE=600"

Unix/configure

@@ -299,11 +299,16 @@ do
         fi
         ;;
 
+    --enable-security-hardening)
+        enable_security_hardening=1
+        ;;
+
     --enable-system-build)
         set_microsoft_build_options
 
         # Enable universal linux (--enable-ulinux) if we're on Linux and not PPC
         if  [ "`uname -s`" = "Linux" -a "`uname -m`" != "ppc64le" ]; then
+            echo "enable universal Linux build."
             enable_ulinux=1
         fi
 
@@ -1670,6 +1675,7 @@ GSSLIB=$gsslib
 TRAVIS_CI=$travis_ci
 ENABLE_NATIVE_KITS=$enable_native_kits
 ENABLE_ULINUX=$enable_ulinux
+ENABLE_SECURITY_HARDENING=$enable_security_hardening
 EOF
 
 echo "created $fn"
@@ -2009,6 +2015,12 @@ else
     echo "/* #define TRAVIS_CI */" >> $fn
 fi
 
+if [ "$enable_security_hardening" = "1" ]; then
+    echo "#define CONFIG_ENABLE_SECURITY_HARDENING" >> $fn
+else
+    echo "/* #define CONFIG_ENABLE_SECURITY_HARDENING */" >> $fn
+fi
+
 echo "" >> $fn
 echo "#endif /* _config_h */" >> $fn
 
@@ -2049,6 +2061,12 @@ ln -f -s $root/omiclient $outputdir/include/omiclient
 
 fn=$outputdir/omi.mak
 
+if [ "$enable_security_hardening" = "1" ];then
+  securityhardeningopt=--security-hardening
+else
+  securityhardeningopt=
+fi
+
 cat > $fn <<EOF
 CONFIG_PREFIX=$prefix
 LIBDIR=\$(OMI_ROOT)/$libdir
@@ -2065,11 +2083,11 @@ CC=$with_cc
 CXX=$with_cxx
 
 ifndef DEBUG
-  CFLAGS=`$buildtool cflags --debug --pic $buildtoolopts`
-  CXXFLAGS=`$buildtool cxxflags --debug --pic $buildtoolopts`
+  CFLAGS=`$buildtool cflags --debug --pic $securityhardeningopt $buildtoolopts`
+  CXXFLAGS=`$buildtool cxxflags --debug --pic $securityhardeningopt $buildtoolopts`
 else
-  CFLAGS=`$buildtool cflags --optim --pic $buildtoolopts`
-  CXXFLAGS=`$buildtool cxxflags --optim --pic $buildtoolopts`
+  CFLAGS=`$buildtool cflags --optim --pic $securityhardeningopt $buildtoolopts`
+  CXXFLAGS=`$buildtool cxxflags --optim --pic $securityhardeningopt $buildtoolopts`
 endif
 
 CSHLIBFLAGS=`$buildtool cshlibflags --libpath=$libdir $buildtoolopts`
@@ -2464,6 +2482,12 @@ echo "created $fn"
 
 fn=$configuredir/GNUmakefile
 
+if [ "$enable_security_hardening" = "1" ];then
+  securityhardeningflags=--enable-security-hardening
+else
+  securityhardeningflags=
+fi
+
 # Only generate makefile if it was not already generated.
 #
 # Since this Makefile will re-run configure (and thus regenerate GNUmakefile),
@@ -2486,13 +2510,14 @@ export ENABLE_DEBUG=$enable_debug
 export ENABLE_ULINUX=$enable_ulinux
 export ENABLE_NATIVE_KITS=$enable_native_kits
 export DISABLE_SSL_1_1_0=$disable_ssl_1_1_0
+export ENABLE_SECURITY_HARDENING=$enable_security_hardening
 
 OMI_CONFIGURE_QUALS=--enable-microsoft --disable-makefile-gen
 ifeq (\$(ENABLE_NATIVE_KITS),1)
-  OMI_CONFIGURE_QUALS=--enable-microsoft --disable-makefile-gen --enable-native-kits
+  OMI_CONFIGURE_QUALS=--enable-microsoft --disable-makefile-gen --enable-native-kits $securityhardeningflags
 endif
 ifeq (\$(ENABLE_DEBUG),1)
-  OMI_CONFIGURE_QUALS += --enable-debug
+  OMI_CONFIGURE_QUALS += --enable-debug $securityhardeningflags
 endif
 
 

Unix/engine/engine.c

@@ -75,19 +75,20 @@ int enginemain(int argc, const char* argv[])
         }
 
         // binary connection with server
-        result = BinaryProtocolListenSock(s_opts.socketpairPort, &s_data.mux[1], &s_data.protocol1, NULL, NULL);
+        result = BinaryProtocolListenSock(s_opts.socketpairPort, &s_data.mux[1], &s_data.protocol1, NULL);
         if (result != MI_RESULT_OK)
         {
             err(ZT("Failed to initialize binary protocol for socket"));
         }
         s_data.protocol1->protocolSocket.permanent = MI_TRUE;
+        s_data.protocol1->protocolSocket.serverAuthState = PRT_AUTH_OK;
 
         result = Initialize_ProtocolSocketTracker();
         if (result != MI_RESULT_OK)
         {
             err(ZT("Failed to initialize binary protocol tracker for engine"));
         }
-
+        
         r = SendSocketFileRequest(&s_data.protocol1->protocolSocket);
         if (r == MI_FALSE)
         {
@@ -96,7 +97,7 @@ int enginemain(int argc, const char* argv[])
 
         // binary connection with client
         const char *path = OMI_GetPath(ID_SOCKETFILE);
-        result = BinaryProtocolListenFile(path, &s_data.mux[0], &s_data.protocol0, NULL);
+        result = BinaryProtocolListenFile(path, &s_data.mux[0], &s_data.protocol0);
         if (result != MI_RESULT_OK)
         {
             err(ZT("Failed to initialize binary protocol for socket file"));

Unix/etc/omicli.conf

@@ -42,8 +42,8 @@
 #logpath = var/log/
 #logfile = miclient.log
 NoSSLv2=true
-NoSSLv3=false
-NoTLSv1_0=false
-NoTLSv1_1=false
+NoSSLv3=true
+NoTLSv1_0=true
+NoTLSv1_1=true
 NoTLSv1_2=false
-NoSSLCompression=false
+NoSSLCompression=true

Unix/etc/omiserver.conf

@@ -53,8 +53,12 @@
 ##   NoSSLv3: When it is true, the SSLv3 protocol is disabled.
 ##   If NoSSLv2 and NoSSLv3 are both set to true, only TLS encryption will be negotiated.
 ##
-#NoSSLv2=true
-#NoSSLv3=false
+NoSSLv2=true
+NoSSLv3=true
+NoTLSv1_0=true
+NoTLSv1_1=true
+NoTLSv1_2=false
+NoSSLCompression=true
 
 ##
 ## NtlmCredsFile -- credentials file for NTLM authentication

Unix/installbuilder/GNUmakefile

@@ -70,11 +70,17 @@ else
   WITH_SYMBOLS=withsymbols
 endif
 
+ifeq ($(ENABLE_SECURITY_HARDENING),1)
+  SECURITY_FLAG=.s
+else
+  SECURITY_FLAG=
+endif
+
 # New output format for OMI on Linux (avoids ugly renaming since we always build universal)
 ifeq ($(PF),Linux)
   BUILD_SEMODULE = 1
   ifneq ($(PF_ARCH),ppc)
-    OUTPUTFILE_LINE = --OUTPUTFILE=omi-$(CONFIG_VERSION)-$(CONFIG_PATCH_LEVEL).$(PACKAGE_SSL_DECORATION).ulinux.$(PF_ARCH)
+    OUTPUTFILE_LINE = --OUTPUTFILE=omi-$(CONFIG_VERSION)-$(CONFIG_PATCH_LEVEL).$(PACKAGE_SSL_DECORATION).ulinux$(SECURITY_FLAG).$(PF_ARCH)
     OUTPUTFILE_LINE_WITHSYMBOLS = $(OUTPUTFILE_LINE).$(WITH_SYMBOLS)
   else
     ifeq ($(PF_DISTRO),SUSE)

Unix/mak/rules.mak

@@ -125,6 +125,10 @@ ifeq ($(ENABLE_GCOV),1)
   __OPTS += --gcov
 endif
 
+ifeq ($(ENABLE_SECURITY_HARDENING),1)
+  __OPTS += --security-hardening
+endif
+
 ifeq ($(CONFIG_FAVORSIZE),1)
   __OPTS += --size
 endif
@@ -174,6 +178,9 @@ CPROGFLAGS=$(shell $(BUILDTOOL) cprogflags)
 CPROGFLAGS+=$(shell $(BUILDTOOL) syslibs)
 CPROGFLAGS+=$(OPENSSL_LIBS)
 CPROGFLAGS+=$(LIBPATHFLAGS)
+ifeq ($(ENABLE_SECURITY_HARDENING),1)
+  CPROGFLAGS+=-pie
+endif
 
 CXXPROGFLAGS=$(shell $(BUILDTOOL) cxxprogflags)
 CXXPROGFLAGS+=$(shell $(BUILDTOOL) syslibs)