[apple/security.git] / OSX / libsecurityd / lib / ssclient.h

/*
 * Copyright (c) 2000-2008,2011-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// ssclient - SecurityServer client interface library
//
// This interface is private to the Security system. It is not a public interface,
// and it may change at any time. You have been warned.
//
#ifndef _H_SSCLIENT
#define _H_SSCLIENT

#include "sscommon.h"
#include <Security/Authorization.h>
#include <Security/AuthSession.h>

#ifdef __cplusplus

#include <security_utilities/osxcode.h>
#include <security_utilities/unix++.h>
#include <security_utilities/globalizer.h>
#include <security_cdsa_utilities/cssmerrors.h>
#include "ssnotify.h"


namespace Security {
namespace SecurityServer {

#endif //__cplusplus


//
// Unique-identifier blobs for key objects
//
typedef struct KeyUID {
    uint8 signature[20];
} KeyUID;


//
// Maximum length of hash (digest) arguments (bytes)
//
#define maxUcspHashLength 64


//
// Authorization blobs
//
typedef struct AuthorizationBlob {
    uint32 data[2];
	
#ifdef __cplusplus
	bool operator < (const AuthorizationBlob &other) const
	{ return memcmp(data, other.data, sizeof(data)) < 0; }
	
	bool operator == (const AuthorizationBlob &other) const
	{ return memcmp(data, other.data, sizeof(data)) == 0; }
    
    size_t hash() const {	//@@@ revisit this hash
        return data[0] ^ data[1] << 3;
    }
#endif
} AuthorizationBlob;


//
// Initial-setup data for versioning etc.
//
typedef struct {
	uint32_t order;
	uint32_t version;
} ClientSetupInfo;

#define SSPROTOVERSION 20000


//
// Database parameter structure
//
typedef struct {
	uint32_t idleTimeout;				// seconds idle timout lock
	uint8_t lockOnSleep;				// lock keychain when system sleeps
} DBParameters;


#ifdef __cplusplus


//
// A client connection (session)
//
class ClientSession : public ClientCommon {
public:
	ClientSession(Allocator &standard = Allocator::standard(),
		Allocator &returning = Allocator::standard());
	virtual ~ClientSession();

public:
	void activate();
	void reset();
	
public:
	// use this only if you know what you're doing...
	void contactName(const char *name);
	const char *contactName() const;

    static GenericHandle toIPCHandle(CSSM_HANDLE h) {
        // implementation subject to change
        if (h & (CSSM_HANDLE(~0) ^ GenericHandle(~0)))
            CssmError::throwMe(CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
        return h & GenericHandle(~0);
    }


public:
	//
	// common database interface
	//
	void authenticateDb(DbHandle db, CSSM_DB_ACCESS_TYPE type, const AccessCredentials *cred);
	void releaseDb(DbHandle db);
	
	//
	// External database interface
	//
	DbHandle openToken(uint32 ssid, const AccessCredentials *cred, const char *name = NULL);

	RecordHandle insertRecord(DbHandle db,
					  CSSM_DB_RECORDTYPE recordType,
					  const CssmDbRecordAttributeData *attributes,
					  const CssmData *data);
	void deleteRecord(DbHandle db, RecordHandle record);
	void modifyRecord(DbHandle db, RecordHandle &record,
					  CSSM_DB_RECORDTYPE recordType,
					  const CssmDbRecordAttributeData *attributesToBeModified,
					  const CssmData *dataToBeModified,
					  CSSM_DB_MODIFY_MODE modifyMode);

	RecordHandle findFirst(DbHandle db,
						const CssmQuery &query,
						SearchHandle &outSearchHandle,
						CssmDbRecordAttributeData *inOutAttributes,
						CssmData *outData, KeyHandle &key);
	RecordHandle findNext(SearchHandle searchHandle,
					   CssmDbRecordAttributeData *inOutAttributes,
					   CssmData *inOutData, KeyHandle &key);
	void findRecordHandle(RecordHandle record,
						 CssmDbRecordAttributeData *inOutAttributes,
						 CssmData *inOutData, KeyHandle &key);
	void releaseSearch(SearchHandle searchHandle);
	void releaseRecord(RecordHandle record);
	
	void getDbName(DbHandle db, std::string &name);
	void setDbName(DbHandle db, const std::string &name);

	//
	// Internal database interface
	//
	DbHandle createDb(const DLDbIdentifier &dbId,
        const AccessCredentials *cred, const AclEntryInput *owner,
        const DBParameters &params);
    DbHandle cloneDb(const DLDbIdentifier &newDbId, DbHandle srcDb);

	DbHandle cloneDbForSync(const CssmData &secretsBlob, DbHandle srcDb, 
							const CssmData &agentData);
	DbHandle recodeDbForSync(DbHandle dbToClone, DbHandle srcDb);
    DbHandle recodeDbToVersion(uint32 newVersion, DbHandle srcDb);
    void recodeFinished(DbHandle db);
	DbHandle authenticateDbsForSync(const CssmData &dbHandleArray, const CssmData &agentData);
    void commitDbForSync(DbHandle srcDb, DbHandle cloneDb, CssmData &blob, Allocator &alloc);
	DbHandle decodeDb(const DLDbIdentifier &dbId,
        const AccessCredentials *cred, const CssmData &blob);
	void encodeDb(DbHandle db, CssmData &blob, Allocator &alloc);
    void encodeDb(DbHandle db, CssmData &blob) { return encodeDb(db, blob, returnAllocator); }
	void setDbParameters(DbHandle db, const DBParameters &params);
	void getDbParameters(DbHandle db, DBParameters &params);
    void changePassphrase(DbHandle db, const AccessCredentials *cred);
    void lock(DbHandle db);
    void lockAll(bool forSleep);
    void unlock(DbHandle db);
    void unlock(DbHandle db, const CssmData &passPhrase);
    void stashDb(DbHandle db);
    void stashDbCheck(DbHandle db);
    bool isLocked(DbHandle db);
    void verifyKeyStorePassphrase(uint32_t retries);
    void resetKeyStorePassphrase(const CssmData &passphrase);
    void changeKeyStorePassphrase();
	
public:
	//
	// Key objects
	//
	void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, Allocator &alloc);
	void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
    { return encodeKey(key, blob, uid, returnAllocator); }
	KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
	void recodeKey(DbHandle oldDb, KeyHandle key, DbHandle newDb, CssmData &blob);
	void releaseKey(KeyHandle key);

	CssmKeySize queryKeySizeInBits(KeyHandle key);
    uint32 getOutputSize(const Security::Context &context, KeyHandle key,
        uint32 inputSize, bool encrypt = true);
		
	void getKeyDigest(KeyHandle key, CssmData &digest, Allocator &alloc);
	void getKeyDigest(KeyHandle key, CssmData &digest)
	{ return getKeyDigest(key, digest, returnAllocator); }


    // key wrapping and unwrapping
	void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
		const AccessCredentials *cred,
		const CssmData *descriptiveData, CssmWrappedKey &wrappedKey, Allocator &alloc);
	void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
		const AccessCredentials *cred,
		const CssmData *descriptiveData, CssmWrappedKey &wrappedKey)
    { return wrapKey(context, key, keyToBeWrapped, cred,
        descriptiveData, wrappedKey, returnAllocator); }
    
	void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
		const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner,
		CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader, Allocator &alloc);
	void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
		const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner, CssmData &data,
        KeyHandle &newKey, CssmKey::Header &newKeyHeader)
    { return unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
      cred, owner, data, newKey, newKeyHeader, returnAllocator); }

    // key generation and derivation
	void generateKey(DbHandle db, const Security::Context &context, uint32 keyUsage, uint32 keyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader);
	void generateKey(DbHandle db, const Security::Context &context,
		uint32 pubKeyUsage, uint32 pubKeyAttr,
		uint32 privKeyUsage, uint32 privKeyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner,
		KeyHandle &pubKey, CssmKey::Header &pubHeader,
        KeyHandle &privKey, CssmKey::Header &privHeader);
	void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
        uint32 keyUsage, uint32 keyAttr, CssmData &param,
		const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
	void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
        uint32 keyUsage, uint32 keyAttr, CssmData &param,
		const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader)
    { return deriveKey(db, context, baseKey, keyUsage, keyAttr, param, cred, owner, newKey, newHeader, returnAllocator); }
	//void generateAlgorithmParameters();	// not implemented

	void generateRandom(const Security::Context &context, CssmData &data, Allocator &alloc);
	void generateRandom(const Security::Context &context, CssmData &data)
	{ return generateRandom(context, data, returnAllocator); }
	
    // encrypt/decrypt
	void encrypt(const Security::Context &context, KeyHandle key,
        const CssmData &in, CssmData &out, Allocator &alloc);
	void encrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
    { return encrypt(context, key, in, out, returnAllocator); }
	void decrypt(const Security::Context &context, KeyHandle key,
        const CssmData &in, CssmData &out, Allocator &alloc);
	void decrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
    { return decrypt(context, key, in, out, returnAllocator); }

    // signatures
	void generateSignature(const Security::Context &context, KeyHandle key,
        const CssmData &data, CssmData &signature, Allocator &alloc,
        CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
	void generateSignature(const Security::Context &context, KeyHandle key,
		const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE)
    { return generateSignature(context, key, data, signature, returnAllocator, signOnlyAlgorithm); }
	void verifySignature(const Security::Context &context, KeyHandle key,
		const CssmData &data, const CssmData &signature,
        CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
		
    // MACs
	void generateMac(const Security::Context &context, KeyHandle key,
		const CssmData &data, CssmData &mac, Allocator &alloc);
	void generateMac(const Security::Context &context, KeyHandle key,
		const CssmData &data, CssmData &mac)
    { return generateMac(context, key, data, mac, returnAllocator); }
	void verifyMac(const Security::Context &context, KeyHandle key,
		const CssmData &data, const CssmData &mac);
	
    // key ACL management
	void getKeyAcl(KeyHandle key, const char *tag,
        uint32 &count, AclEntryInfo * &info, Allocator &alloc);
	void getKeyAcl(KeyHandle key, const char *tag,
        uint32 &count, AclEntryInfo * &info)
    { return getKeyAcl(key, tag, count, info, returnAllocator); }
	void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
	void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, Allocator &alloc);
	void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
    { return getKeyOwner(key, owner, returnAllocator); }
	void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
		const AclOwnerPrototype &edit);
	
    // database ACL management
	void getDbAcl(DbHandle db, const char *tag,
        uint32 &count, AclEntryInfo * &info, Allocator &alloc);
	void getDbAcl(DbHandle db, const char *tag,
        uint32 &count, AclEntryInfo * &info)
    { return getDbAcl(db, tag, count, info, returnAllocator); }
	void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
	void getDbOwner(DbHandle db, AclOwnerPrototype &owner, Allocator &alloc);
	void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
    { return getDbOwner(db, owner, returnAllocator); }
    void changeDbOwner(DbHandle db, const AccessCredentials &cred,
		const AclOwnerPrototype &edit);
	
	// database key manipulations
	void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
        uint32 keyUsage, uint32 keyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
	void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
        uint32 keyUsage, uint32 keyAttr,
		const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader)
	{ return extractMasterKey(db, context, sourceDb, keyUsage, keyAttr, cred, owner,
		newKey, newHeader, returnAllocator); }

public:
    // Testing support calls
    void getUserPromptAttempts(uint32_t& attempts);
		
public:
    // Notification core support
    void postNotification(NotificationDomain domain, NotificationEvent event, const CssmData &data);
    
	// low-level callback (C form)
    typedef OSStatus ConsumeNotification(NotificationDomain domain, NotificationEvent event,
        const void *data, size_t dataLength, void *context);
	
public:
    // securityd helper support. The taskPort argument is no longer used, server will use client's audit token
	void childCheckIn(Port serverPort, Port taskPort);
	
public:
	// temporary hack to deal with "edit acl" pseudo-error returns
	typedef void DidChangeKeyAclCallback(void *context, ClientSession &clientSession,
		KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);
	void registerForAclEdits(DidChangeKeyAclCallback *callback, void *context);
	
private:
	static Port findSecurityd();
	void getAcl(AclKind kind, GenericHandle key, const char *tag,
		uint32 &count, AclEntryInfo * &info, Allocator &alloc);
	void changeAcl(AclKind kind, GenericHandle key,
		const AccessCredentials &cred, const AclEdit &edit);
	void getOwner(AclKind kind, GenericHandle key,
		AclOwnerPrototype &owner, Allocator &alloc);
	void changeOwner(AclKind kind, GenericHandle key,
		const AccessCredentials &cred, const AclOwnerPrototype &edit);
	
	static OSStatus consumerDispatch(NotificationDomain domain, NotificationEvent event,
		const void *data, size_t dataLength, void *context);

	void notifyAclChange(KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);

	void returnAttrsAndData(CssmDbRecordAttributeData *inOutAttributes,
		CssmDbRecordAttributeData *attrs, CssmDbRecordAttributeData *attrsBase, mach_msg_type_number_t attrsLength,
		CssmData *inOutData, void *dataPtr, mach_msg_type_number_t dataLength);
private:
	DidChangeKeyAclCallback *mCallback;
	void *mCallbackContext;

	static UnixPlusPlus::StaticForkMonitor mHasForked;	// global fork indicator

	struct Thread {
		Thread() : registered(false), notifySeq(0) { }
		operator bool() const { return registered; }
		
		ReceivePort replyPort;	// dedicated reply port (send right held by SecurityServer)
        bool registered;		// has been registered with SecurityServer
		uint32 notifySeq; // notification sequence number
	};

	struct Global {
        Global();
		Port serverPort;
		RefPointer<OSXCode> myself;
		ThreadNexus<Thread> thread;
	};

	static ModuleNexus<Global> mGlobal;
	static const char *mContactName;
};


} // end namespace SecurityServer
} // end namespace Security

#endif //__cplusplus


#endif //_H_SSCLIENT
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2000-2008,2011-2013 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// ssclient - SecurityServer client interface library
	27	//
	28	// This interface is private to the Security system. It is not a public interface,
	29	// and it may change at any time. You have been warned.
	30	//
	31	#ifndef _H_SSCLIENT
	32	#define _H_SSCLIENT
	33
	34	#include "sscommon.h"
	35	#include <Security/Authorization.h>
	36	#include <Security/AuthSession.h>
b1ab9ed8 A	37
	38	#ifdef __cplusplus
	39
	40	#include <security_utilities/osxcode.h>
	41	#include <security_utilities/unix++.h>
	42	#include <security_utilities/globalizer.h>
	43	#include <security_cdsa_utilities/cssmerrors.h>
	44	#include "ssnotify.h"
	45
	46
	47	namespace Security {
	48	namespace SecurityServer {
	49
	50	#endif //__cplusplus
	51
	52
	53	//
	54	// Unique-identifier blobs for key objects
	55	//
	56	typedef struct KeyUID {
	57	uint8 signature[20];
	58	} KeyUID;
	59
	60
	61	//
	62	// Maximum length of hash (digest) arguments (bytes)
	63	//
	64	#define maxUcspHashLength 64
	65
	66
	67	//
	68	// Authorization blobs
	69	//
	70	typedef struct AuthorizationBlob {
	71	uint32 data[2];
	72
	73	#ifdef __cplusplus
	74	bool operator < (const AuthorizationBlob &other) const
	75	{ return memcmp(data, other.data, sizeof(data)) < 0; }
	76
	77	bool operator == (const AuthorizationBlob &other) const
	78	{ return memcmp(data, other.data, sizeof(data)) == 0; }
	79
	80	size_t hash() const { //@@@ revisit this hash
	81	return data[0] ^ data[1] << 3;
	82	}
	83	#endif
	84	} AuthorizationBlob;
	85
	86
	87	//
	88	// Initial-setup data for versioning etc.
	89	//
	90	typedef struct {
	91	uint32_t order;
	92	uint32_t version;
	93	} ClientSetupInfo;
	94
	95	#define SSPROTOVERSION 20000
	96
	97
	98	//
	99	// Database parameter structure
	100	//
101	typedef struct {
102	uint32_t idleTimeout; // seconds idle timout lock
103	uint8_t lockOnSleep; // lock keychain when system sleeps
104	} DBParameters;
105
106
107	#ifdef __cplusplus
108
109
110	//
111	// A client connection (session)
112	//
113	class ClientSession : public ClientCommon {
114	public:
115	ClientSession(Allocator &standard = Allocator::standard(),
116	Allocator &returning = Allocator::standard());
117	virtual ~ClientSession();
118
119	public:
120	void activate();
121	void reset();
122
123	public:
124	// use this only if you know what you're doing...
125	void contactName(const char *name);
126	const char *contactName() const;
127
128	static GenericHandle toIPCHandle(CSSM_HANDLE h) {
129	// implementation subject to change
130	if (h & (CSSM_HANDLE(~0) ^ GenericHandle(~0)))
131	CssmError::throwMe(CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
132	return h & GenericHandle(~0);
133	}
134
135
136	public:
137	//
138	// common database interface
139	//
140	void authenticateDb(DbHandle db, CSSM_DB_ACCESS_TYPE type, const AccessCredentials *cred);
141	void releaseDb(DbHandle db);
142
143	//
144	// External database interface
145	//
146	DbHandle openToken(uint32 ssid, const AccessCredentials cred, const char name = NULL);
147
148	RecordHandle insertRecord(DbHandle db,
149	CSSM_DB_RECORDTYPE recordType,
150	const CssmDbRecordAttributeData *attributes,
151	const CssmData *data);
152	void deleteRecord(DbHandle db, RecordHandle record);
153	void modifyRecord(DbHandle db, RecordHandle &record,
154	CSSM_DB_RECORDTYPE recordType,
155	const CssmDbRecordAttributeData *attributesToBeModified,
156	const CssmData *dataToBeModified,
157	CSSM_DB_MODIFY_MODE modifyMode);
158
159	RecordHandle findFirst(DbHandle db,
160	const CssmQuery &query,
161	SearchHandle &outSearchHandle,
162	CssmDbRecordAttributeData *inOutAttributes,
163	CssmData *outData, KeyHandle &key);
164	RecordHandle findNext(SearchHandle searchHandle,
165	CssmDbRecordAttributeData *inOutAttributes,
166	CssmData *inOutData, KeyHandle &key);
167	void findRecordHandle(RecordHandle record,
168	CssmDbRecordAttributeData *inOutAttributes,
169	CssmData *inOutData, KeyHandle &key);
170	void releaseSearch(SearchHandle searchHandle);
171	void releaseRecord(RecordHandle record);
172
173	void getDbName(DbHandle db, std::string &name);
174	void setDbName(DbHandle db, const std::string &name);
175
176	//
177	// Internal database interface
178	//
179	DbHandle createDb(const DLDbIdentifier &dbId,
180	const AccessCredentials cred, const AclEntryInput owner,
181	const DBParameters &params);
fa7225c8 A	182	DbHandle cloneDb(const DLDbIdentifier &newDbId, DbHandle srcDb);
fa7225c8 A	183
b1ab9ed8 A	184	DbHandle cloneDbForSync(const CssmData &secretsBlob, DbHandle srcDb,
	185	const CssmData &agentData);
	186	DbHandle recodeDbForSync(DbHandle dbToClone, DbHandle srcDb);
e3d460c9	187	DbHandle recodeDbToVersion(uint32 newVersion, DbHandle srcDb);
fa7225c8	188	void recodeFinished(DbHandle db);
b1ab9ed8 A	189	DbHandle authenticateDbsForSync(const CssmData &dbHandleArray, const CssmData &agentData);
	190	void commitDbForSync(DbHandle srcDb, DbHandle cloneDb, CssmData &blob, Allocator &alloc);
	191	DbHandle decodeDb(const DLDbIdentifier &dbId,
	192	const AccessCredentials *cred, const CssmData &blob);
	193	void encodeDb(DbHandle db, CssmData &blob, Allocator &alloc);
	194	void encodeDb(DbHandle db, CssmData &blob) { return encodeDb(db, blob, returnAllocator); }
	195	void setDbParameters(DbHandle db, const DBParameters &params);
	196	void getDbParameters(DbHandle db, DBParameters &params);
	197	void changePassphrase(DbHandle db, const AccessCredentials *cred);
	198	void lock(DbHandle db);
	199	void lockAll(bool forSleep);
	200	void unlock(DbHandle db);
	201	void unlock(DbHandle db, const CssmData &passPhrase);
427c49bc A	202	void stashDb(DbHandle db);
427c49bc A	203	void stashDbCheck(DbHandle db);
b1ab9ed8	204	bool isLocked(DbHandle db);
427c49bc A	205	void verifyKeyStorePassphrase(uint32_t retries);
	206	void resetKeyStorePassphrase(const CssmData &passphrase);
	207	void changeKeyStorePassphrase();
b1ab9ed8 A	208
	209	public:
	210	//
	211	// Key objects
	212	//
	213	void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, Allocator &alloc);
	214	void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
	215	{ return encodeKey(key, blob, uid, returnAllocator); }
	216	KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
	217	void recodeKey(DbHandle oldDb, KeyHandle key, DbHandle newDb, CssmData &blob);
	218	void releaseKey(KeyHandle key);
	219
	220	CssmKeySize queryKeySizeInBits(KeyHandle key);
	221	uint32 getOutputSize(const Security::Context &context, KeyHandle key,
	222	uint32 inputSize, bool encrypt = true);
	223
	224	void getKeyDigest(KeyHandle key, CssmData &digest, Allocator &alloc);
	225	void getKeyDigest(KeyHandle key, CssmData &digest)
	226	{ return getKeyDigest(key, digest, returnAllocator); }
	227
	228
	229	// key wrapping and unwrapping
	230	void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
	231	const AccessCredentials *cred,
	232	const CssmData *descriptiveData, CssmWrappedKey &wrappedKey, Allocator &alloc);
	233	void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
	234	const AccessCredentials *cred,
	235	const CssmData *descriptiveData, CssmWrappedKey &wrappedKey)
	236	{ return wrapKey(context, key, keyToBeWrapped, cred,
	237	descriptiveData, wrappedKey, returnAllocator); }
	238
	239	void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
	240	const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
	241	const AccessCredentials cred, const AclEntryInput owner,
	242	CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader, Allocator &alloc);
	243	void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
	244	const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
	245	const AccessCredentials cred, const AclEntryInput owner, CssmData &data,
	246	KeyHandle &newKey, CssmKey::Header &newKeyHeader)
	247	{ return unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
	248	cred, owner, data, newKey, newKeyHeader, returnAllocator); }
	249
	250	// key generation and derivation
	251	void generateKey(DbHandle db, const Security::Context &context, uint32 keyUsage, uint32 keyAttr,
	252	const AccessCredentials cred, const AclEntryInput owner,
	253	KeyHandle &newKey, CssmKey::Header &newHeader);
	254	void generateKey(DbHandle db, const Security::Context &context,
	255	uint32 pubKeyUsage, uint32 pubKeyAttr,
	256	uint32 privKeyUsage, uint32 privKeyAttr,
	257	const AccessCredentials cred, const AclEntryInput owner,
	258	KeyHandle &pubKey, CssmKey::Header &pubHeader,
	259	KeyHandle &privKey, CssmKey::Header &privHeader);
	260	void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
	261	uint32 keyUsage, uint32 keyAttr, CssmData &param,
	262	const AccessCredentials cred, const AclEntryInput owner,
	263	KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
	264	void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
	265	uint32 keyUsage, uint32 keyAttr, CssmData &param,
	266	const AccessCredentials cred, const AclEntryInput owner,
	267	KeyHandle &newKey, CssmKey::Header &newHeader)
	268	{ return deriveKey(db, context, baseKey, keyUsage, keyAttr, param, cred, owner, newKey, newHeader, returnAllocator); }
	269	//void generateAlgorithmParameters(); // not implemented
	270
	271	void generateRandom(const Security::Context &context, CssmData &data, Allocator &alloc);
272	void generateRandom(const Security::Context &context, CssmData &data)
273	{ return generateRandom(context, data, returnAllocator); }
274
275	// encrypt/decrypt
276	void encrypt(const Security::Context &context, KeyHandle key,
277	const CssmData &in, CssmData &out, Allocator &alloc);
278	void encrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
279	{ return encrypt(context, key, in, out, returnAllocator); }
280	void decrypt(const Security::Context &context, KeyHandle key,
281	const CssmData &in, CssmData &out, Allocator &alloc);
282	void decrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
283	{ return decrypt(context, key, in, out, returnAllocator); }
284
285	// signatures
286	void generateSignature(const Security::Context &context, KeyHandle key,
287	const CssmData &data, CssmData &signature, Allocator &alloc,
288	CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
289	void generateSignature(const Security::Context &context, KeyHandle key,
290	const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE)
291	{ return generateSignature(context, key, data, signature, returnAllocator, signOnlyAlgorithm); }
292	void verifySignature(const Security::Context &context, KeyHandle key,
293	const CssmData &data, const CssmData &signature,
294	CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
295
296	// MACs
297	void generateMac(const Security::Context &context, KeyHandle key,
298	const CssmData &data, CssmData &mac, Allocator &alloc);
299	void generateMac(const Security::Context &context, KeyHandle key,
300	const CssmData &data, CssmData &mac)
301	{ return generateMac(context, key, data, mac, returnAllocator); }
302	void verifyMac(const Security::Context &context, KeyHandle key,
303	const CssmData &data, const CssmData &mac);
304
305	// key ACL management
306	void getKeyAcl(KeyHandle key, const char *tag,
307	uint32 &count, AclEntryInfo * &info, Allocator &alloc);
308	void getKeyAcl(KeyHandle key, const char *tag,
309	uint32 &count, AclEntryInfo * &info)
310	{ return getKeyAcl(key, tag, count, info, returnAllocator); }
311	void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
312	void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, Allocator &alloc);
313	void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
314	{ return getKeyOwner(key, owner, returnAllocator); }
315	void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
316	const AclOwnerPrototype &edit);
317
318	// database ACL management
319	void getDbAcl(DbHandle db, const char *tag,
320	uint32 &count, AclEntryInfo * &info, Allocator &alloc);
321	void getDbAcl(DbHandle db, const char *tag,
322	uint32 &count, AclEntryInfo * &info)
323	{ return getDbAcl(db, tag, count, info, returnAllocator); }
324	void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
325	void getDbOwner(DbHandle db, AclOwnerPrototype &owner, Allocator &alloc);
326	void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
327	{ return getDbOwner(db, owner, returnAllocator); }
328	void changeDbOwner(DbHandle db, const AccessCredentials &cred,
329	const AclOwnerPrototype &edit);
330
331	// database key manipulations
332	void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
333	uint32 keyUsage, uint32 keyAttr,
334	const AccessCredentials cred, const AclEntryInput owner,
335	KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
336	void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
337	uint32 keyUsage, uint32 keyAttr,
338	const AccessCredentials cred, const AclEntryInput owner,
339	KeyHandle &newKey, CssmKey::Header &newHeader)
340	{ return extractMasterKey(db, context, sourceDb, keyUsage, keyAttr, cred, owner,
341	newKey, newHeader, returnAllocator); }
fa7225c8	342
b1ab9ed8	343	public:
fa7225c8 A	344	// Testing support calls
	345	void getUserPromptAttempts(uint32_t& attempts);
	346
b1ab9ed8 A	347	public:
	348	// Notification core support
	349	void postNotification(NotificationDomain domain, NotificationEvent event, const CssmData &data);
	350
	351	// low-level callback (C form)
	352	typedef OSStatus ConsumeNotification(NotificationDomain domain, NotificationEvent event,
	353	const void data, size_t dataLength, void context);
	354
b1ab9ed8	355	public:
b54c578e	356	// securityd helper support. The taskPort argument is no longer used, server will use client's audit token
b1ab9ed8 A	357	void childCheckIn(Port serverPort, Port taskPort);
b1ab9ed8 A	358
b1ab9ed8 A	359	public:
	360	// temporary hack to deal with "edit acl" pseudo-error returns
	361	typedef void DidChangeKeyAclCallback(void *context, ClientSession &clientSession,
	362	KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);
	363	void registerForAclEdits(DidChangeKeyAclCallback callback, void context);
	364
b1ab9ed8 A	365	private:
	366	static Port findSecurityd();
	367	void getAcl(AclKind kind, GenericHandle key, const char *tag,
	368	uint32 &count, AclEntryInfo * &info, Allocator &alloc);
	369	void changeAcl(AclKind kind, GenericHandle key,
	370	const AccessCredentials &cred, const AclEdit &edit);
	371	void getOwner(AclKind kind, GenericHandle key,
	372	AclOwnerPrototype &owner, Allocator &alloc);
	373	void changeOwner(AclKind kind, GenericHandle key,
	374	const AccessCredentials &cred, const AclOwnerPrototype &edit);
	375
	376	static OSStatus consumerDispatch(NotificationDomain domain, NotificationEvent event,
	377	const void data, size_t dataLength, void context);
	378
	379	void notifyAclChange(KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);
	380
	381	void returnAttrsAndData(CssmDbRecordAttributeData *inOutAttributes,
	382	CssmDbRecordAttributeData attrs, CssmDbRecordAttributeData attrsBase, mach_msg_type_number_t attrsLength,
	383	CssmData inOutData, void dataPtr, mach_msg_type_number_t dataLength);
	384	private:
	385	DidChangeKeyAclCallback *mCallback;
	386	void *mCallbackContext;
	387
	388	static UnixPlusPlus::StaticForkMonitor mHasForked; // global fork indicator
	389
	390	struct Thread {
b54c578e	391	Thread() : registered(false), notifySeq(0) { }
b1ab9ed8 A	392	operator bool() const { return registered; }
	393
	394	ReceivePort replyPort; // dedicated reply port (send right held by SecurityServer)
	395	bool registered; // has been registered with SecurityServer
	396	uint32 notifySeq; // notification sequence number
b1ab9ed8 A	397	};
	398
	399	struct Global {
	400	Global();
	401	Port serverPort;
	402	RefPointer<OSXCode> myself;
	403	ThreadNexus<Thread> thread;
	404	};
	405
	406	static ModuleNexus<Global> mGlobal;
	407	static const char *mContactName;
b1ab9ed8 A	408	};
	409
	410
	411	} // end namespace SecurityServer
	412	} // end namespace Security
	413
	414	#endif //__cplusplus
	415
	416
	417	#endif //_H_SSCLIENT