]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/Regressions/secd-81-item-acl.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-58286.41.2.tar.gz
[apple/security.git] / OSX / sec / securityd / Regressions / secd-81-item-acl.m
1 //
2 // si-81-item-acl.c
3 // sec
4 //
5 // Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
6 //
7 //
8
9 #include <CoreFoundation/CoreFoundation.h>
10 #include <Security/SecCertificate.h>
11 #include <Security/SecItem.h>
12 #include <Security/SecItemPriv.h>
13 #include <Security/SecBase.h>
14 #include <utilities/array_size.h>
15 #include <utilities/SecCFWrappers.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18 #include <Security/SecAccessControl.h>
19 #include <Security/SecAccessControlPriv.h>
20 #include <libaks_acl_cf_keys.h>
21 #include <LocalAuthentication/LAPublicDefines.h>
22 #include <LocalAuthentication/LAPrivateDefines.h>
23 #include <securityd/SecItemServer.h>
24 #include <LocalAuthentication/LAPublicDefines.h>
25
26 #include "secd_regressions.h"
27
28 #if USE_KEYSTORE
29 #include <ACMLib.h>
30 #include <coreauthd_spi.h>
31 #include "SecdTestKeychainUtilities.h"
32 #if TARGET_OS_IPHONE
33 #include <MobileKeyBag/MobileKeyBag.h>
34 #endif
35
36 #if LA_CONTEXT_IMPLEMENTED
37 static keybag_handle_t test_keybag;
38 static const char *passcode1 = "passcode1";
39 static const char *passcode2 = "passcode2";
40
41 static bool changePasscode(const char *old_passcode, const char *new_passcode)
42 {
43 size_t old_passcode_len = 0;
44 size_t new_passcode_len = 0;
45
46 if (old_passcode)
47 old_passcode_len = strlen(old_passcode);
48
49 if (new_passcode)
50 new_passcode_len = strlen(new_passcode);
51
52 kern_return_t status = aks_change_secret(test_keybag, old_passcode, (int)old_passcode_len, new_passcode, (int)new_passcode_len, generation_noop, NULL);
53 return status == 0;
54 }
55
56 #endif
57 #endif
58
59
60 enum ItemAttrType {
61 kBoolItemAttr,
62 kNumberItemAttr,
63 kStringItemAttr,
64 kDataItemAttr,
65 kBlobItemAttr,
66 kDateItemAttr,
67 kAccessabilityItemAttr,
68 kAccessGroupItemAttr,
69 };
70
71 extern void LASetErrorCodeBlock(CFErrorRef (^newCreateErrorBlock)(void));
72
73 static void WithEachString(void(^each)(CFStringRef attr, enum ItemAttrType atype), ...) {
74 va_list ap;
75 va_start(ap, each);
76 CFStringRef attr;
77 while((attr = va_arg(ap, CFStringRef)) != NULL) {
78 enum ItemAttrType atype = va_arg(ap, enum ItemAttrType);
79 each(attr, atype);
80 }
81 va_end(ap);
82 }
83
84 static void ItemForEachPKAttr(CFMutableDictionaryRef item, void(^each)(CFStringRef attr, enum ItemAttrType atype)) {
85 CFStringRef iclass = CFDictionaryGetValue(item, kSecClass);
86 if (!iclass) {
87 return;
88 } else if (CFEqual(iclass, kSecClassGenericPassword)) {
89 WithEachString(each,
90 kSecAttrAccessible, kAccessabilityItemAttr,
91 kSecAttrAccessGroup, kAccessGroupItemAttr,
92 kSecAttrAccount, kStringItemAttr,
93 kSecAttrService, kStringItemAttr,
94 kSecAttrSynchronizable, kBoolItemAttr,
95 NULL);
96 } else if (CFEqual(iclass, kSecClassInternetPassword)) {
97 WithEachString(each,
98 kSecAttrAccessible, kAccessabilityItemAttr,
99 kSecAttrAccessGroup, kAccessGroupItemAttr,
100 kSecAttrAccount, kStringItemAttr,
101 kSecAttrSecurityDomain, kStringItemAttr,
102 kSecAttrServer, kStringItemAttr,
103 kSecAttrProtocol, kNumberItemAttr,
104 kSecAttrAuthenticationType, kNumberItemAttr,
105 kSecAttrPort, kNumberItemAttr,
106 kSecAttrPath, kStringItemAttr,
107 kSecAttrSynchronizable, kBoolItemAttr,
108 NULL);
109 } else if (CFEqual(iclass, kSecClassCertificate)) {
110 WithEachString(each,
111 kSecAttrAccessible, kAccessabilityItemAttr,
112 kSecAttrAccessGroup, kAccessGroupItemAttr,
113 kSecAttrCertificateType, kNumberItemAttr,
114 kSecAttrIssuer, kDataItemAttr,
115 kSecAttrSerialNumber, kDataItemAttr,
116 kSecAttrSynchronizable, kBoolItemAttr,
117 NULL);
118 } else if (CFEqual(iclass, kSecClassKey)) {
119 WithEachString(each,
120 kSecAttrAccessible, kAccessabilityItemAttr,
121 kSecAttrAccessGroup, kAccessGroupItemAttr,
122 kSecAttrKeyClass, kStringItemAttr, // kNumberItemAttr on replies
123 kSecAttrApplicationLabel, kDataItemAttr,
124 kSecAttrApplicationTag, kDataItemAttr,
125 kSecAttrKeyType, kNumberItemAttr,
126 kSecAttrKeySizeInBits, kNumberItemAttr,
127 kSecAttrEffectiveKeySize, kNumberItemAttr,
128 kSecAttrStartDate, kDateItemAttr,
129 kSecAttrEndDate, kDateItemAttr,
130 kSecAttrSynchronizable, kBoolItemAttr,
131 NULL);
132 } else if (CFEqual(iclass, kSecClassIdentity)) {
133 WithEachString(each,
134 kSecAttrAccessible, kAccessabilityItemAttr,
135 kSecAttrAccessGroup, kAccessGroupItemAttr,
136 kSecAttrCertificateType, kNumberItemAttr,
137 kSecAttrIssuer, kDataItemAttr,
138 kSecAttrSerialNumber, kDataItemAttr,
139 kSecAttrSynchronizable, kBoolItemAttr,
140 kSecAttrKeyClass, kStringItemAttr, // kNumberItemAttr on replies
141 kSecAttrApplicationLabel, kDataItemAttr,
142 kSecAttrApplicationTag, kDataItemAttr,
143 kSecAttrKeyType, kNumberItemAttr,
144 kSecAttrKeySizeInBits, kNumberItemAttr,
145 kSecAttrEffectiveKeySize, kNumberItemAttr,
146 kSecAttrStartDate, kDateItemAttr,
147 kSecAttrEndDate, kDateItemAttr,
148 kSecAttrSynchronizable, kBoolItemAttr,
149 NULL);
150 }
151 }
152
153 static void fillItem(CFMutableDictionaryRef item, uint32_t num)
154 {
155 ItemForEachPKAttr(item, ^(CFStringRef attr, enum ItemAttrType atype) {
156 CFTypeRef value = NULL;
157 switch (atype) {
158 case kBoolItemAttr:
159 value = (num % 2 == 0 ? kCFBooleanTrue : kCFBooleanFalse);
160 CFRetain(value);
161 break;
162 case kNumberItemAttr:
163 value = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &num);
164 break;
165 case kStringItemAttr:
166 case kBlobItemAttr:
167 value = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("acl-stress-string-%d"), num);
168 break;
169 case kDataItemAttr:
170 {
171 char buf[50];
172 int len = snprintf(buf, sizeof(buf), "acl-stress-data-%d", num);
173 value = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)buf, len);
174 break;
175 }
176 case kDateItemAttr:
177 value = NULL; // Don't mess with dates on create.
178 break;
179 case kAccessabilityItemAttr:
180 { break; }
181 case kAccessGroupItemAttr:
182 {
183 CFStringRef accessGroups[] = {
184 NULL,
185 CFSTR("com.apple.security.sos"), // Secd internally uses this
186 };
187 value = accessGroups[num % array_size(accessGroups)];
188 break;
189 }
190 }
191 if (value)
192 CFDictionarySetValue(item, attr, value);
193 CFReleaseSafe(value);
194 });
195 }
196
197 #if LA_CONTEXT_IMPLEMENTED
198 CF_RETURNS_RETAINED
199 static CFErrorRef createCFError(CFStringRef message, CFIndex code)
200 {
201 const void* keysPtr[1];
202 const void* messagesPtr[1];
203
204 keysPtr[0] = kCFErrorLocalizedDescriptionKey;
205 messagesPtr[0] = message;
206 return CFErrorCreateWithUserInfoKeysAndValues(kCFAllocatorDefault, CFSTR(kLAErrorDomain), code, keysPtr, messagesPtr, 1);
207 }
208
209 #if TARGET_OS_IPHONE
210 static void set_app_password(ACMContextRef acmContext)
211 {
212 CFDataRef appPwdData = CFStringCreateExternalRepresentation(kCFAllocatorDefault, CFSTR("Application password"), kCFStringEncodingUTF8, 0);
213 ACMCredentialRef acmCredential = NULL;
214 ok_status(ACMCredentialCreate(kACMCredentialTypePassphraseEntered, &acmCredential), "Create ACM credential");
215 ACMPassphrasePurpose purpose = kACMPassphrasePurposeGeneral;
216 ok_status(ACMCredentialSetProperty(acmCredential, kACMCredentialPropertyPassphrase, CFDataGetBytePtr(appPwdData), CFDataGetLength(appPwdData)), "Set ACM credential property - passphrase");
217 ok_status(ACMCredentialSetProperty(acmCredential, kACMCredentialPropertyPassphrasePurpose, &purpose, sizeof(purpose)), "Set ACM credential property - purpose");
218 ok_status(ACMContextAddCredentialWithScope(acmContext, acmCredential, kACMScopeContext), "aad ACM credential to ACM context");
219 ACMCredentialDelete(acmCredential);
220 CFReleaseSafe(appPwdData);
221 }
222 #endif
223
224 static void item_with_application_password(uint32_t *item_num)
225 {
226 #if TARGET_OS_IPHONE
227 CFErrorRef (^okBlock)(void) = ^ {
228 return (CFErrorRef)NULL;
229 };
230
231 CFErrorRef (^authFailedBlock)(void) = ^ {
232 return createCFError(CFSTR(""), kLAErrorAuthenticationFailed);
233 };
234
235 CFMutableDictionaryRef item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassInternetPassword, NULL);
236 fillItem(item, (*item_num)++);
237
238 LASetErrorCodeBlock(okBlock);
239 SecAccessControlRef aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlApplicationPassword, NULL);
240 ok(aclRef, "Create SecAccessControlRef");
241
242 ACMContextRef acmContext = NULL;
243 ok_status(ACMContextCreate(&acmContext), "Create ACM context");
244 set_app_password(acmContext);
245
246 __block CFDataRef credRefData = NULL;
247 ACMContextGetExternalForm(acmContext, ^(const void *externalForm, size_t dataBufferLength) {
248 credRefData = CFDataCreate(kCFAllocatorDefault, externalForm, dataBufferLength);
249 });
250
251 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
252 CFDictionarySetValue(item, kSecUseCredentialReference, credRefData);
253 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
254 ok_status(SecItemAdd(item, NULL), "add local - acl with application password");
255 ok_status(SecItemCopyMatching(item, NULL), "find local - acl with application password");
256 ok_status(SecItemDelete(item), "delete local - acl with application password");
257
258 CFReleaseSafe(aclRef);
259
260 LASetErrorCodeBlock(okBlock);
261 aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlUserPresence, NULL);
262 SecAccessControlSetRequirePassword(aclRef, true);
263 ok(aclRef, "Create SecAccessControlRef");
264
265 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
266 CFDictionarySetValue(item, kSecUseCredentialReference, credRefData);
267 ok_status(SecItemAdd(item, NULL), "add local - acl with application password and user present");
268 LASetErrorCodeBlock(authFailedBlock);
269 is_status(SecItemCopyMatching(item, NULL), errSecAuthFailed, "find local - acl with application password and user present");
270 LASetErrorCodeBlock(okBlock);
271 set_app_password(acmContext);
272 ok_status(SecItemDelete(item), "delete local - acl with application password and user present");
273 CFReleaseSafe(aclRef);
274
275 LASetErrorCodeBlock(okBlock);
276 aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlUserPresence, NULL);
277 SecAccessControlSetRequirePassword(aclRef, true);
278 SecAccessConstraintRef constraint = SecAccessConstraintCreatePolicy(kCFAllocatorDefault, CFSTR(kACMPolicyDeviceOwnerAuthentication), NULL);
279 SecAccessControlAddConstraintForOperation(aclRef, kAKSKeyOpDelete, constraint, NULL);
280 CFRelease(constraint);
281 ok(aclRef, "Create SecAccessControlRef");
282
283 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
284 CFDictionarySetValue(item, kSecUseCredentialReference, credRefData);
285 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
286 ok_status(SecItemAdd(item, NULL), "add local - acl with application password and user present");
287 LASetErrorCodeBlock(authFailedBlock);
288 is_status(SecItemCopyMatching(item, NULL), errSecAuthFailed, "find local - acl with application password and user present");
289 set_app_password(acmContext);
290 is_status(SecItemDelete(item), errSecAuthFailed, "delete local - acl with application password and user present");
291
292 CFRelease(item);
293 CFReleaseSafe(aclRef);
294
295 // Update tests for item with application password:
296
297 // Prepare query for item without ACL.
298 item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassInternetPassword, NULL);
299 fillItem(item, (*item_num)++);
300 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
301
302 // Add test item without ACL and check that it can be found.
303 ok_status(SecItemAdd(item, NULL), "add local - no acl");
304 ok_status(SecItemCopyMatching(item, NULL), "find local - no acl");
305
306 // Update test item by adding ACL with application password flag.
307 CFMutableDictionaryRef update = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
308 aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlwaysPrivate, kSecAccessControlApplicationPassword, NULL);
309 CFDictionarySetValue(update, kSecAttrAccessControl, aclRef);
310 set_app_password(acmContext);
311 CFDictionarySetValue(item, kSecUseCredentialReference, credRefData);
312 LASetErrorCodeBlock(okBlock);
313 ok_status(SecItemUpdate(item, update), "update local - acl with application password");
314
315 LASetErrorCodeBlock(authFailedBlock);
316 ok_status(SecItemCopyMatching(item, NULL), "find local - acl with application password");
317 CFDictionaryRemoveValue(item, kSecUseCredentialReference);
318 is_status(SecItemCopyMatching(item, NULL), errSecAuthFailed, "find local - acl with application password (without ACM context)");
319 CFDictionarySetValue(item, kSecUseCredentialReference, credRefData);
320 ok_status(SecItemCopyMatching(item, NULL), "find local - acl with application password (with ACM context)");
321
322 // Try to update item with ACL with application password with the same password (it will fail because ACM context is not allowd for update attributes).
323 CFDictionarySetValue(update, kSecUseCredentialReference, credRefData);
324 LASetErrorCodeBlock(okBlock);
325 is_status(SecItemUpdate(item, update), errSecNoSuchAttr, "update local - add application password");
326
327 CFDictionaryRemoveValue(update, kSecUseCredentialReference);
328 LASetErrorCodeBlock(okBlock);
329 ok_status(SecItemUpdate(item, update), "update local - updated with the same application password");
330 LASetErrorCodeBlock(authFailedBlock);
331 ok_status(SecItemCopyMatching(item, NULL), "find local - updated with the same application password"); // LA authFailedBlock is not called.
332
333 CFReleaseSafe(aclRef);
334 // Update item with ACL without application password.
335 aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlwaysPrivate, 0, NULL);
336 CFDictionarySetValue(update, kSecAttrAccessControl, aclRef);
337
338 LASetErrorCodeBlock(okBlock);
339 ok_status(SecItemUpdate(item, update), "update local - remove application password");
340
341 CFDictionaryRemoveValue(item, kSecUseCredentialReference);
342 LASetErrorCodeBlock(authFailedBlock);
343 ok_status(SecItemCopyMatching(item, NULL), "find local - acl without application password"); // LA authFailedBlock is not called.
344
345 ok_status(SecItemDelete(item), "delete local - acl without application password");
346
347 CFRelease(update);
348 CFRelease(item);
349 CFReleaseSafe(aclRef);
350
351 ACMContextDelete(acmContext, true);
352 CFReleaseSafe(credRefData);
353 #endif
354 }
355
356 static void item_with_invalid_acl(uint32_t *item_num)
357 {
358 CFErrorRef (^errorParamBlock)(void) = ^ {
359 return createCFError(CFSTR(""), kLAErrorParameter);
360 };
361
362 CFMutableDictionaryRef item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassInternetPassword, NULL);
363 fillItem(item, (*item_num)++);
364
365 SecAccessControlRef invalidAclRef = SecAccessControlCreate(kCFAllocatorDefault, NULL);
366 ok(invalidAclRef, "Create invalid SecAccessControlRef");
367 ok(SecAccessControlSetProtection(invalidAclRef, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, NULL), "Set protection");
368 CFTypeRef constraint = SecAccessConstraintCreatePolicy(kCFAllocatorDefault, CFSTR("invalidPolicy"), NULL);
369 ok(constraint, "Create invalid constraint");
370 ok(SecAccessControlAddConstraintForOperation(invalidAclRef, kAKSKeyOpDecrypt, constraint, NULL), "Add invalid constraint");
371 CFReleaseSafe(constraint);
372
373 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
374 CFDictionarySetValue(item, kSecAttrAccessControl, invalidAclRef);
375
376 LASetErrorCodeBlock(errorParamBlock);
377 is_status(SecItemAdd(item, NULL), errSecParam, "do not add local with invalid acl");
378 is_status(SecItemCopyMatching(item, NULL), errSecItemNotFound, "do not find after add failed");
379
380 CFReleaseSafe(invalidAclRef);
381 CFRelease(item);
382 }
383
384 static void item_with_acl_caused_maxauth(uint32_t *item_num)
385 {
386 CFErrorRef (^okBlock)(void) = ^ {
387 return (CFErrorRef)NULL;
388 };
389
390 CFMutableDictionaryRef item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassInternetPassword, NULL);
391 fillItem(item, (*item_num)++);
392
393 SecAccessControlRef aclRef = SecAccessControlCreate(kCFAllocatorDefault, NULL);
394 ok(aclRef, "Create SecAccessControlRef");
395 ok(SecAccessControlSetProtection(aclRef, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, NULL));
396 ok(SecAccessControlAddConstraintForOperation(aclRef, kAKSKeyOpEncrpyt, kCFBooleanFalse, NULL));
397
398 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
399 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
400
401 __security_simulatecrash_enable(false);
402
403 LASetErrorCodeBlock(okBlock);
404 diag("this will cause an internal assert - on purpose");
405 is_status(SecItemAdd(item, NULL), errSecAuthFailed, "max auth attempts failed");
406
407 is(__security_simulatecrash_enable(true), 1, "Expecting simcrash max auth threshold passed");
408
409 CFReleaseSafe(aclRef);
410 CFRelease(item);
411 }
412
413 static void item_with_akpu(uint32_t *item_num)
414 {
415 CFErrorRef (^okBlock)(void) = ^ {
416 return (CFErrorRef)NULL;
417 };
418
419 CFMutableDictionaryRef item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassGenericPassword, NULL);
420 fillItem(item, (*item_num)++);
421
422 SecAccessControlRef aclRef = SecAccessControlCreate(kCFAllocatorDefault, NULL);
423 ok(aclRef, "Create SecAccessControlRef");
424 ok(SecAccessControlSetProtection(aclRef, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, NULL));
425 ok(SecAccessControlAddConstraintForOperation(aclRef, kAKSKeyOpEncrpyt, kCFBooleanTrue, NULL));
426 ok(SecAccessControlAddConstraintForOperation(aclRef, kAKSKeyOpDecrypt, kCFBooleanTrue, NULL));
427 ok(SecAccessControlAddConstraintForOperation(aclRef, kAKSKeyOpDelete, kCFBooleanTrue, NULL));
428
429 CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse);
430 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
431
432 LASetErrorCodeBlock(okBlock);
433 ok_status(SecItemAdd(item, NULL), "add item with akpu");
434 ok_status(SecItemCopyMatching(item, NULL), "find item with akpu");
435 changePasscode(passcode1, NULL);
436 is_status(SecItemCopyMatching(item, NULL), errSecItemNotFound, "do not find item with akpu");
437 is_status(SecItemAdd(item, NULL), errSecNotAvailable, "cannot add item with akpu without passcode");
438 changePasscode(NULL, passcode2);
439 is_status(SecItemCopyMatching(item, NULL), errSecItemNotFound, "do not find item with akpu");
440 ok_status(SecItemAdd(item, NULL), "add item with akpu");
441
442 changePasscode(passcode2, passcode1);
443 CFReleaseSafe(aclRef);
444 CFRelease(item);
445 }
446 #endif
447
448 static void item_with_skip_auth_ui(uint32_t *item_num)
449 {
450 CFMutableDictionaryRef item = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kSecClass, kSecClassInternetPassword, NULL);
451 fillItem(item, (*item_num)++);
452
453 SecAccessControlRef aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlDevicePasscode, NULL);
454 ok(aclRef, "Create SecAccessControlRef");
455
456 CFDictionarySetValue(item, kSecAttrAccessControl, aclRef);
457 CFDictionarySetValue(item, kSecUseAuthenticationUI, kSecUseAuthenticationUISkip);
458 is_status(SecItemAdd(item, NULL), errSecParam, "add local - invalid kSecUseAuthenticationUISkip");
459 is_status(SecItemDelete(item), errSecParam, "delete local - invalid kSecUseAuthenticationUISkip");
460
461 CFReleaseNull(aclRef);
462 CFRelease(item);
463 }
464
465 int secd_81_item_acl(int argc, char *const *argv)
466 {
467 uint32_t item_num = 1;
468 #if LA_CONTEXT_IMPLEMENTED
469 secd_test_setup_temp_keychain(__FUNCTION__, ^{
470 keybag_state_t state;
471 int passcode_len=(int)strlen(passcode1);
472
473 ok(kIOReturnSuccess==aks_create_bag(passcode1, passcode_len, kAppleKeyStoreDeviceBag, &test_keybag), "create keybag");
474 ok(kIOReturnSuccess==aks_get_lock_state(test_keybag, &state), "get keybag state");
475 ok(!(state&keybag_state_locked), "keybag unlocked");
476 SecItemServerSetKeychainKeybag(test_keybag);
477 });
478 #if TARGET_OS_IPHONE
479 plan_tests(70);
480 #else
481 plan_tests(29);
482 #endif
483 item_with_skip_auth_ui(&item_num);
484 item_with_invalid_acl(&item_num);
485 item_with_application_password(&item_num);
486 item_with_acl_caused_maxauth(&item_num);
487 item_with_akpu(&item_num);
488 #else
489 plan_tests(3);
490 item_with_skip_auth_ui(&item_num);
491 #endif
492
493 #if LA_CONTEXT_IMPLEMENTED
494 SecItemServerResetKeychainKeybag();
495 #endif
496
497 return 0;
498 }
mirror of Security