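#!/bin/sh
#
# ckcdiagnose.sh [-s]
#
# Collects iCloud Keychain diagnostic state into a .tgz archive.
# With -s a shorter "snapshot" is taken and only the archive path is printed.

# Poor man's option parsing.
# Replace with shift/case once more options come along.
#
# SHORT is 1 when the first argument is -s and 0 otherwise.  The comparison
# uses the POSIX "=" operator: "==" inside [ ] is a bash extension and this
# script is run by /bin/sh.
SHORT=0
if [ "${1:-}" = "-s" ]; then
  SHORT=1
fi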
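# Host facts that go into the name of the output archive.
PRODUCT_NAME=$(sw_vers -productName)
PRODUCT_VERSION=$(sw_vers -buildVersion)
HOSTNAME=$(hostname -s)
NOW=$(date "+%Y%m%d%H%M%S")

# Per-platform tool names and log locations.  Anything that does not report
# itself as "Mac OS X" is handled as iOS.
case "$PRODUCT_NAME" in
  "Mac OS X")
    PROD=OSX
    secd=secd
    secexec=security2
    OUTPUTPARENT=/var/tmp
    CRASHDIR=/Library/Logs/DiagnosticReports
    SECLOGPATH=/var/log/module/com.apple.securityd
    syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
    kvsutil=/AppleInternal/Applications/kvsutil
    ;;
  *)
    PROD=IOS
    secd=securityd
    secexec=security
    OUTPUTPARENT=/Library/Logs/CrashReporter
    CRASHDIR=/var/mobile/Library/Logs/CrashReporter
    SECLOGPATH=/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs
    syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
    kvsutil=/usr/local/bin/kvsutil
    ;;
esac

# Snapshot (-s) runs get a distinct base name.  A POSIX test replaces the
# bash-only (( )) arithmetic command.
if [ "$SHORT" -eq 0 ]; then
  OUTPUTBASE=ckcdiagnose_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
else
  OUTPUTBASE=ckcdiagnose_snapshot_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
fi
OUTPUT=$OUTPUTPARENT/$OUTPUTBASE

# The staging directory has a predictable name (host, build, timestamp) and on
# OS X it lives under /var/tmp, which is typically shared between users.
# Create it private to the caller and stop if that fails -- for example
# because the name already exists -- so that keychain diagnostics are never
# written into a directory this run did not create.
if ! mkdir -m 700 -- "$OUTPUT"; then
  printf 'ckcdiagnose: cannot create %s\n' "$OUTPUT" >&2
  exit 1
fi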
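# On iOS, do not start collecting until `profilectl cpstate` reports either
# Unlocked or Disabled; prompt the operator and poll again after each Enter.
if [ "$PROD" = "IOS" ]; then
  while ! /usr/local/bin/profilectl cpstate | grep -Eq 'Unlocked|Disabled'; do
    echo "Please ensure that your device is unlocked and press Enter." >&2
    # When stdin is closed or at EOF, read returns immediately; pause instead
    # so the loop keeps polling without spinning.
    read -r enter || sleep 1
  done
fi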
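# Run the whole collection in one subshell so that stdout, stderr and the
# `set -x` trace of every command are captured in ckcdiagnose.log.
#
# NOTE: the files written here include keychain account metadata, sync engine
# state, preference plists and security logs; the resulting archive should be
# handled as sensitive data.
(
  echo "Outputting to $OUTPUT"
  set -x

  sw_vers > "$OUTPUT/sw_vers.log"

  "$secexec" sync -D > "$OUTPUT/syncD.log"

  "$secexec" sync -i > "$OUTPUT/synci.log"

  # kvsutil is only used when it is installed and executable, and never for
  # snapshot runs.
  if [ "$SHORT" -eq 0 ] && [ -x "$kvsutil" ]; then
    "$kvsutil" show com.apple.security.cloudkeychainproxy3 > "$OUTPUT/kvsutil_show.txt" 2>&1
  fi

  # The OS X queries additionally pass nleg=1.
  if [ "$PROD" = "OSX" ]; then
    "$secexec" item -g class=genp,nleg=1,svce="iCloud Keychain Account Meta-data" > "$OUTPUT/ickcmetadata.log"
    "$secexec" item -g class=genp,nleg=1,acct=engine-state > "$OUTPUT/engine-state.log"
  elif [ "$PROD" = "IOS" ]; then
    "$secexec" item -g class=genp,svce="iCloud Keychain Account Meta-data" > "$OUTPUT/ickcmetadata.log"
    "$secexec" item -g class=genp,acct=engine-state > "$OUTPUT/engine-state.log"
  fi

  # In preparation, before getting any of the logs, query all classes,
  # just in order to exercise the decryption and corruption
  # verification for all items. This will log errors and simulated crashes
  # if any of the items should turn out corrupted.
  # The items are NOT saved in the diagnostic log, because they potentially
  # contain very private items.  Only the number of lines starting with
  # "acct" is recorded for each class/sync/tomb combination.
  for class in genp inet cert keys; do
    for sync in 0 1; do
      for tomb in 0 1; do
        echo "class=${class},sync=${sync},tomb=${tomb}:" >> "$OUTPUT/keychain-state.log"
        "$secexec" item -q "class=${class},sync=${sync},tomb=${tomb}" \
          | grep -c '^acct' >> "$OUTPUT/keychain-state.log"
      done
    done
  done

  # syslog extracts and sbdtool status are skipped for snapshot runs.
  if [ "$SHORT" -eq 0 ]; then
    syslog -k Sender Seq syncdefaults > "$OUTPUT/syslog_syncdefaults.log"
    syslog -k Sender Seq "$secd" > "$OUTPUT/syslog_secd.log"
    syslog -k Sender Seq CloudKeychain > "$OUTPUT/syslog_cloudkeychain.log"

    sbdtool status > "$OUTPUT/sbdtool_status.log" 2>&1
  fi

  "$syd" status > "$OUTPUT/syd_status.txt" 2>&1
  "$syd" lastrequest > "$OUTPUT/syd_lastrequest.txt" 2>&1
  "$syd" serverlimits > "$OUTPUT/syd_serverlimits.txt" 2>&1

  # Compare kvsutil and sync -D state, shows if store diverged from on-device state.
  # Both sides are reduced to sorted "key suffix" lines before diffing.
  if [ "$SHORT" -eq 0 ] && [ -f "$OUTPUT/kvsutil_show.txt" ]; then
    grep -E '^ "?[o-]?ak.* = ' "$OUTPUT/kvsutil_show.txt" \
      | sed -E 's/^ "?([^"]*)"? = \<.* (.*) (.*)\>.*$/\1 \2\3/g;s/^(.*) [0-9a-f]*([0-9a-f]{8})/\1 \2/g' \
      | sort > "$OUTPUT/kvs_keys.txt"
    grep -E 'contents = "?[o-]?ak' "$OUTPUT/syncD.log" \
      | sed -E 's/^.*contents = "?([^"]*)"?\} = .*bytes = .* ... [0-9a-f]+([0-9a-f]{8})\}/\1 \2/g' \
      | sort > "$OUTPUT/syncD_keys.txt"
    diff -u "$OUTPUT/kvs_keys.txt" "$OUTPUT/syncD_keys.txt" > "$OUTPUT/kvs_syncD_diff.txt"
  fi

  if [ "$PROD" = "IOS" ]; then
    cp /private/var/preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist "$OUTPUT/"
    cp /var/mobile/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist "$OUTPUT/"
  else
    cp ~/Library/Preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist "$OUTPUT/"
    cp ~/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist "$OUTPUT/"
  fi

  if [ "$SHORT" -eq 0 ]; then
    cp "$SECLOGPATH"/security.log* "$OUTPUT/"

    cp "$CRASHDIR"/*"${secd}"* "$OUTPUT/"
    cp "$CRASHDIR"/*syncdefaults* "$OUTPUT/"
    cp "$CRASHDIR"/*CloudKeychain* "$OUTPUT/"

    # `cd ... &&` rather than `cd ...;`: if the log directory is missing, the
    # globs must not be expanded against whatever the current directory is.
    (cd "$SECLOGPATH" && gzcat -c -f security.log*) > "$OUTPUT/security-complete.log"

    # potential problems
    (cd "$SECLOGPATH" && { gzcat -c security.log.*.gz; cat security.log.*Z; }) \
      | grep -E -- 'Invalid date.|-26275|[cC]orrupt|[cC]rash|Public Key not available' \
      > "$OUTPUT/problems.log"
    # Messages (field 6 onward) ranked by how often they occur.
    (cd "$SECLOGPATH" && { gzcat -c security.log.*.gz; cat security.log.*Z; }) \
      | cut -d ' ' -f 6- | sort | uniq -c | sort -n \
      > "$OUTPUT/security-sorted.log"
  fi

) > "$OUTPUT/ckcdiagnose.log" 2>&1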
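# Pack the staging directory into $OUTPUT.tgz next to it.
# NOTE(review): the archive is created with the caller's umask; confirm that
# the resulting permissions are appropriate for the data it contains.
tar_status=0
tar czf "$OUTPUT.tgz" -C "$OUTPUTPARENT" "$OUTPUTBASE" || tar_status=$?

# The unpacked staging copy is removed whether or not tar succeeded, so the
# collected files are not left behind.  ${OUTPUT:?} aborts rather than
# expanding to an empty path.
rm -r -- "${OUTPUT:?}"

# Do not announce an archive that was not written.
if [ "$tar_status" -ne 0 ]; then
  printf 'ckcdiagnose: failed to create %s\n' "$OUTPUT.tgz" >&2
  exit "$tar_status"
fi

if [ "$SHORT" -eq 0 ]; then
  echo
  echo "The file containing the diagnostic information is "
  echo " $OUTPUT.tgz"
  echo 'Please attach it to a Radar in "Security / iCloud Keychain"'
  echo

  # An explicit `if` keeps the script's exit status at 0 on iOS; with
  # `[ ... ] && open`, a false test became the script's exit status.
  if [ "$PROD" = "OSX" ]; then
    open "$OUTPUTPARENT"
  fi
else
  # Snapshot mode prints only the archive path.
  echo "$OUTPUT.tgz"
fi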