2 * Copyright (c) 2000-2009,2012-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // kcdatabase - software database container implementation.
28 // General implementation notes:
29 // This leverages LocalDatabase/LocalKey for cryptography, and adds the
30 // storage coder/decoder logic that implements "keychain" databases in their
31 // intricately choreographed dance between securityd and the AppleCSPDL.
32 // As always, Database objects are lifetime-bound to their Process referent;
33 // they can also be destroyed explicitly with a client release call.
34 // DbCommons are reference-held by their Databases, with one extra special
35 // reference (from the Session) introduced when the database unlocks, and
36 // removed when it locks again. That way, an unused DbCommon dies when it
37 // is locked or when the Session dies, whichever happens earlier.
38 // There is (as yet) no global-scope Database object for Keychain databases.
40 #include "kcdatabase.h"
41 #include "agentquery.h"
45 #include "notifications.h"
46 #include <vector> // @@@ 4003540 workaround
47 #include <security_agent_client/agentclient.h>
48 #include <security_cdsa_utilities/acl_any.h> // for default owner ACLs
49 #include <security_cdsa_utilities/cssmendian.h>
50 #include <security_cdsa_client/wrapkey.h>
51 #include <security_cdsa_client/genkey.h>
52 #include <security_cdsa_client/signclient.h>
53 #include <security_cdsa_client/cryptoclient.h>
54 #include <security_cdsa_client/macclient.h>
55 #include <securityd_client/dictionary.h>
56 #include <security_utilities/endian.h>
57 #include "securityd_service/securityd_service/securityd_service_client.h"
58 #include <AssertMacros.h>
61 void unflattenKey(const CssmData
&flatKey
, CssmKey
&rawKey
); //>> make static method on KeychainDatabase
64 unlock_keybag(KeychainDbCommon
& dbCommon
, const void * secret
, int secret_len
)
68 if (!dbCommon
.isLoginKeychain()) return 0;
70 service_context_t context
= dbCommon
.session().get_current_service_context();
72 // try to unlock first if not found then load/create or unlock
73 // loading should happen when the kb common object is created
74 // if it doesn't exist yet then the unlock will fail and we'll create everything
75 rc
= service_client_kb_unlock(&context
, secret
, secret_len
);
76 if (rc
== KB_BagNotLoaded
) {
77 if (service_client_kb_load(&context
) == KB_BagNotFound
) {
78 rc
= service_client_kb_create(&context
, secret
, secret_len
);
80 rc
= service_client_kb_unlock(&context
, secret
, secret_len
);
84 if (rc
!= 0) { // if we just upgraded make sure we swap the encryption key to the password
85 if (!dbCommon
.session().keybagGetState(session_keybag_check_master_key
)) {
86 CssmAutoData
encKey(Allocator::standard(Allocator::sensitive
));
87 dbCommon
.get_encryption_key(encKey
);
88 if ((rc
= service_client_kb_unlock(&context
, encKey
.data(), (int)encKey
.length())) == 0) {
89 rc
= service_client_kb_change_secret(&context
, encKey
.data(), (int)encKey
.length(), secret
, secret_len
);
92 if (rc
!= 0) { // if a login.keychain password exists but doesnt on the keybag update it
94 if ((secret_len
> 0) && service_client_kb_is_locked(&context
, NULL
, &no_pin
) == 0) {
96 syslog(LOG_ERR
, "Updating iCloud keychain passphrase for uid %d", dbCommon
.session().originatorUid());
97 service_client_kb_change_secret(&context
, NULL
, 0, secret
, secret_len
);
101 } // session_keybag_check_master_key
105 dbCommon
.session().keybagSetState(session_keybag_unlocked
|session_keybag_loaded
|session_keybag_check_master_key
);
107 syslog(LOG_ERR
, "Failed to unlock iCloud keychain for uid %d", dbCommon
.session().originatorUid());
114 change_secret_on_keybag(KeychainDbCommon
& dbCommon
, const void * secret
, int secret_len
, const void * new_secret
, int new_secret_len
)
116 if (!dbCommon
.isLoginKeychain()) return;
118 service_context_t context
= dbCommon
.session().get_current_service_context();
120 // if a login.keychain doesn't exist yet it comes into securityd as a create then change_secret
121 // we need to create the keybag in this case if it doesn't exist
122 if (service_client_kb_change_secret(&context
, secret
, secret_len
, new_secret
, new_secret_len
) == KB_BagNotLoaded
) {
123 if (service_client_kb_load(&context
) == KB_BagNotFound
) {
124 service_client_kb_create(&context
, new_secret
, new_secret_len
);
130 // Create a Database object from initial parameters (create operation)
132 KeychainDatabase::KeychainDatabase(const DLDbIdentifier
&id
, const DBParameters
¶ms
, Process
&proc
,
133 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
)
134 : LocalDatabase(proc
), mValidData(false), mSecret(Allocator::standard(Allocator::sensitive
)), mSaveSecret(false), version(0), mBlob(NULL
)
136 // save a copy of the credentials for later access control
137 mCred
= DataWalkers::copy(cred
, Allocator::standard());
139 // create a new random signature to complete the DLDbIdentifier
140 DbBlob::Signature newSig
;
141 Server::active().random(newSig
.bytes
);
142 DbIdentifier
ident(id
, newSig
);
144 // create common block and initialize
145 RefPointer
<KeychainDbCommon
> newCommon
= new KeychainDbCommon(proc
.session(), ident
);
146 StLock
<Mutex
> _(*newCommon
);
148 // new common is now visible (in ident-map) but we hold its lock
150 // establish the new master secret
151 establishNewSecrets(cred
, SecurityAgent::newDatabase
);
153 // set initial database parameters
154 common().mParams
= params
;
156 // the common is "unlocked" now
157 common().makeNewSecrets();
159 // establish initial ACL
161 acl().cssmSetInitial(*owner
);
163 acl().cssmSetInitial(new AnyAclSubject());
166 // for now, create the blob immediately
169 proc
.addReference(*this);
171 // this new keychain is unlocked; make it so
174 SECURITYD_KEYCHAIN_CREATE(&common(), (char*)this->dbName(), this);
179 // Create a Database object from a database blob (decoding)
181 KeychainDatabase::KeychainDatabase(const DLDbIdentifier
&id
, const DbBlob
*blob
, Process
&proc
,
182 const AccessCredentials
*cred
)
183 : LocalDatabase(proc
), mValidData(false), mSecret(Allocator::standard(Allocator::sensitive
)), mSaveSecret(false), version(0), mBlob(NULL
)
187 // save a copy of the credentials for later access control
188 mCred
= DataWalkers::copy(cred
, Allocator::standard());
189 mBlob
= blob
->copy();
191 // check to see if we already know about this database
192 DbIdentifier
ident(id
, blob
->randomSignature
);
193 Session
&session
= process().session();
194 if (RefPointer
<KeychainDbCommon
> dbcom
=
195 session
.findFirst
<KeychainDbCommon
, const DbIdentifier
&>(&KeychainDbCommon::identifier
, ident
)) {
197 //@@@ arbitrate sequence number here, perhaps update common().mParams
198 SECURITYD_KEYCHAIN_JOIN(&common(), (char*)this->dbName(), this);
200 // DbCommon not present; make a new one
201 parent(*new KeychainDbCommon(proc
.session(), ident
));
202 common().mParams
= blob
->params
;
203 SECURITYD_KEYCHAIN_MAKE(&common(), (char*)this->dbName(), this);
204 // this DbCommon is locked; no timer or reference setting
206 proc
.addReference(*this);
212 // Special-purpose constructor for keychain synchronization. Copies an
213 // existing keychain but uses the operational keys from secretsBlob. The
214 // new KeychainDatabase will silently replace the existing KeychainDatabase
215 // as soon as the client declares that re-encoding of all keychain items is
216 // finished. This is a little perilous since it allows a client to dictate
217 // securityd state, but we try to ensure that only the client that started
218 // the re-encoding can declare it done.
220 KeychainDatabase::KeychainDatabase(KeychainDatabase
&src
, Process
&proc
, DbHandle dbToClone
)
221 : LocalDatabase(proc
), mValidData(false), mSecret(Allocator::standard(Allocator::sensitive
)), mSaveSecret(false), version(0), mBlob(NULL
)
223 mCred
= DataWalkers::copy(src
.mCred
, Allocator::standard());
225 // Give this KeychainDatabase a temporary name
226 std::string newDbName
= std::string("////") + std::string(src
.identifier().dbName());
227 DLDbIdentifier
newDLDbIdent(src
.identifier().dlDbIdentifier().ssuid(), newDbName
.c_str(), src
.identifier().dlDbIdentifier().dbLocation());
228 DbIdentifier
ident(newDLDbIdent
, src
.identifier());
230 // create common block and initialize
231 RefPointer
<KeychainDbCommon
> newCommon
= new KeychainDbCommon(proc
.session(), ident
);
232 StLock
<Mutex
> _(*newCommon
);
235 // set initial database parameters from the source keychain
236 common().mParams
= src
.common().mParams
;
238 // establish the source keychain's master secret as ours
239 // @@@ NB: this is a v. 0.1 assumption. We *should* trigger new UI
240 // that offers the user the option of using the existing password
241 // or choosing a new one. That would require a new
242 // SecurityAgentQuery type, new UI, and--possibly--modifications to
243 // ensure that the new password is available here to generate the
244 // new master secret.
245 src
.unlockDb(); // precaution for masterKey()
246 common().setup(src
.blob(), src
.common().masterKey());
248 // import the operational secrets
249 RefPointer
<KeychainDatabase
> srcKC
= Server::keychain(dbToClone
);
250 common().importSecrets(srcKC
->common());
252 // import source keychain's ACL
253 CssmData pubAcl
, privAcl
;
254 src
.acl().exportBlob(pubAcl
, privAcl
);
255 importBlob(pubAcl
.data(), privAcl
.data());
256 src
.acl().allocator
.free(pubAcl
);
257 src
.acl().allocator
.free(privAcl
);
259 // indicate that this keychain should be allowed to do some otherwise
260 // risky things required for copying, like re-encoding keys
261 mRecodingSource
= &src
;
263 common().setUnlocked();
268 proc
.addReference(*this);
269 secdebug("SSdb", "database %s(%p) created as copy, common at %p",
270 common().dbName(), this, &common());
274 // Destroy a Database
276 KeychainDatabase::~KeychainDatabase()
278 secdebug("KCdb", "deleting database %s(%p) common %p",
279 common().dbName(), this, &common());
280 Allocator::standard().free(mCred
);
281 Allocator::standard().free(mBlob
);
286 // Basic Database virtual implementations
288 KeychainDbCommon
&KeychainDatabase::common() const
290 return parent
<KeychainDbCommon
>();
293 const char *KeychainDatabase::dbName() const
295 return common().dbName();
298 bool KeychainDatabase::transient() const
300 return false; // has permanent store
303 AclKind
KeychainDatabase::aclKind() const
308 Database
*KeychainDatabase::relatedDatabase()
314 static inline KeychainKey
&myKey(Key
*key
)
316 return *safe_cast
<KeychainKey
*>(key
);
321 // (Re-)Authenticate the database. This changes the stored credentials.
323 void KeychainDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode
,
324 const AccessCredentials
*cred
)
326 StLock
<Mutex
> _(common());
328 // the (Apple specific) RESET bit means "lock the database now"
330 case CSSM_DB_ACCESS_RESET
:
331 secdebug("KCdb", "%p ACCESS_RESET triggers keychain lock", this);
335 // store the new credentials for future use
336 secdebug("KCdb", "%p authenticate stores new database credentials", this);
337 AccessCredentials
*newCred
= DataWalkers::copy(cred
, Allocator::standard());
338 Allocator::standard().free(mCred
);
345 // Make a new KeychainKey.
346 // If PERMANENT is off, make a temporary key instead.
347 // The db argument allows you to create for another KeychainDatabase (only);
348 // it defaults to ourselves.
350 RefPointer
<Key
> KeychainDatabase::makeKey(Database
&db
, const CssmKey
&newKey
,
351 uint32 moreAttributes
, const AclEntryPrototype
*owner
)
354 if (moreAttributes
& CSSM_KEYATTR_PERMANENT
)
355 return new KeychainKey(db
, newKey
, moreAttributes
, owner
);
357 return process().makeTemporaryKey(newKey
, moreAttributes
, owner
);
360 RefPointer
<Key
> KeychainDatabase::makeKey(const CssmKey
&newKey
,
361 uint32 moreAttributes
, const AclEntryPrototype
*owner
)
363 return makeKey(*this, newKey
, moreAttributes
, owner
);
368 // Return the database blob, recalculating it as needed.
370 DbBlob
*KeychainDatabase::blob()
372 StLock
<Mutex
> _(common());
374 makeUnlocked(); // unlock to get master secret
375 encode(); // (re)encode blob if needed
377 activity(); // reset timeout
378 assert(validBlob()); // better have a valid blob now...
384 // Encode the current database as a blob.
385 // Note that this returns memory we own and keep.
386 // Caller must hold common lock.
388 void KeychainDatabase::encode()
390 DbBlob
*blob
= common().encode(*this);
391 Allocator::standard().free(mBlob
);
393 version
= common().version
;
394 secdebug("KCdb", "encoded database %p common %p(%s) version %u params=(%u,%u)",
395 this, &common(), dbName(), version
,
396 common().mParams
.idleTimeout
, common().mParams
.lockOnSleep
);
401 // Change the passphrase on a database
403 void KeychainDatabase::changePassphrase(const AccessCredentials
*cred
)
405 // get and hold the common lock (don't let other threads break in here)
406 StLock
<Mutex
> _(common());
408 // establish OLD secret - i.e. unlock the database
409 //@@@ do we want to leave the final lock state alone?
410 if (common().isLoginKeychain()) mSaveSecret
= true;
413 // establish NEW secret
414 establishNewSecrets(cred
, SecurityAgent::changePassphrase
);
415 if (mSecret
) { mSecret
.reset(); }
417 common().invalidateBlob(); // blob state changed
418 secdebug("KCdb", "Database %s(%p) master secret changed", common().dbName(), this);
419 encode(); // force rebuild of local blob
421 // send out a notification
422 notify(kNotificationEventPassphraseChanged
);
424 // I guess this counts as an activity
429 // Second stage of keychain synchronization: overwrite the original keychain's
430 // (this KeychainDatabase's) operational secrets
432 void KeychainDatabase::commitSecretsForSync(KeychainDatabase
&cloneDb
)
434 StLock
<Mutex
> _(common());
436 // try to detect spoofing
437 if (cloneDb
.mRecodingSource
!= this)
438 CssmError::throwMe(CSSM_ERRCODE_INVALID_DB_HANDLE
);
440 // in case we autolocked since starting the sync
441 makeUnlocked(); // call this because we already own the lock
442 cloneDb
.unlockDb(); // we may not own the lock here, so calling unlockDb will lock the cloneDb's common lock
444 // Decode all keys whose handles refer to this on-disk keychain so that
445 // if the holding client commits the key back to disk, it's encoded with
446 // the new operational secrets. The recoding client *must* hold a write
447 // lock for the on-disk keychain from the moment it starts recoding key
448 // items until after this call.
450 // @@@ This specific implementation is a workaround for 4003540.
451 std::vector
<U32HandleObject::Handle
> handleList
;
452 U32HandleObject::findAllRefs
<KeychainKey
>(handleList
);
453 size_t count
= handleList
.size();
455 for (unsigned int n
= 0; n
< count
; ++n
) {
456 RefPointer
<KeychainKey
> kckey
=
457 U32HandleObject::findRefAndLock
<KeychainKey
>(handleList
[n
], CSSMERR_CSP_INVALID_KEY_REFERENCE
);
458 StLock
<Mutex
> _(*kckey
/*, true*/);
459 if (kckey
->database().global().identifier() == identifier()) {
460 kckey
->key(); // force decode
461 kckey
->invalidateBlob();
462 secdebug("kcrecode", "changed extant key %p (proc %d)",
463 &*kckey
, kckey
->process().pid());
468 // it is now safe to replace the old op secrets
469 common().importSecrets(cloneDb
.common());
470 common().invalidateBlob();
475 // Extract the database master key as a proper Key object.
477 RefPointer
<Key
> KeychainDatabase::extractMasterKey(Database
&db
,
478 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
,
479 uint32 usage
, uint32 attrs
)
481 // get and hold common lock
482 StLock
<Mutex
> _(common());
484 // force lock to require re-validation of credentials
487 // unlock to establish master secret
490 // extract the raw cryptographic key
491 CssmClient::WrapKey
wrap(Server::csp(), CSSM_ALGID_NONE
);
493 wrap(common().masterKey(), key
);
495 // make the key object and return it
496 return makeKey(db
, key
, attrs
& LocalKey::managedAttributes
, owner
);
501 // Unlock this database (if needed) by obtaining the master secret in some
502 // suitable way and then proceeding to unlock with it.
503 // Does absolutely nothing if the database is already unlocked.
504 // The makeUnlocked forms are identical except the assume the caller already
505 // holds the common lock.
507 void KeychainDatabase::unlockDb()
509 StLock
<Mutex
> _(common());
513 void KeychainDatabase::makeUnlocked()
515 return makeUnlocked(mCred
);
518 void KeychainDatabase::makeUnlocked(const AccessCredentials
*cred
)
521 secdebug("KCdb", "%p(%p) unlocking for makeUnlocked()", this, &common());
522 assert(mBlob
|| (mValidData
&& common().hasMaster()));
523 establishOldSecrets(cred
);
524 common().setUnlocked(); // mark unlocked
525 if (common().isLoginKeychain()) {
526 CssmKey master
= common().masterKey();
528 CssmClient::WrapKey
wrap(Server::csp(), CSSM_ALGID_NONE
);
529 wrap(master
, rawMaster
);
531 service_context_t context
= common().session().get_current_service_context();
532 service_client_stash_load_key(&context
, rawMaster
.keyData(), (int)rawMaster
.length());
534 } else if (common().isLoginKeychain()) {
536 service_context_t context
= common().session().get_current_service_context();
537 if ((service_client_kb_is_locked(&context
, &locked
, NULL
) == 0) && locked
) {
538 StSyncLock
<Mutex
, Mutex
> uisync(common().uiLock(), common());
539 QueryKeybagPassphrase
keybagQuery(common().session(), 3);
540 keybagQuery
.inferHints(Server::process());
541 if (keybagQuery
.query() != SecurityAgent::noReason
) {
542 syslog(LOG_NOTICE
, "failed to unlock iCloud keychain");
546 if (!mValidData
) { // need to decode to get our ACLs, master secret available
547 secdebug("KCdb", "%p(%p) is unlocked; decoding for makeUnlocked()", this, &common());
549 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
556 // Invoke the securityd_service to retrieve the keychain master
557 // key from the AppleFDEKeyStore.
559 void KeychainDatabase::stashDbCheck()
561 CssmAutoData
masterKey(Allocator::standard(Allocator::sensitive
));
562 CssmAutoData
encKey(Allocator::standard(Allocator::sensitive
));
566 void * stash_key
= NULL
;
567 int stash_key_len
= 0;
568 service_context_t context
= common().session().get_current_service_context();
569 rc
= service_client_stash_get_key(&context
, &stash_key
, &stash_key_len
);
572 masterKey
.copy(CssmData((void *)stash_key
,stash_key_len
));
573 memset(stash_key
, 0, stash_key_len
);
577 CssmError::throwMe(rc
);
581 StLock
<Mutex
> _(common());
583 // Now establish it as the keychain master key
584 CssmClient::Key
key(Server::csp(), masterKey
.get());
585 CssmKey::Header
&hdr
= key
.header();
586 hdr
.keyClass(CSSM_KEYCLASS_SESSION_KEY
);
587 hdr
.algorithm(CSSM_ALGID_3DES_3KEY_EDE
);
588 hdr
.usage(CSSM_KEYUSE_ANY
);
589 hdr
.blobType(CSSM_KEYBLOB_RAW
);
590 hdr
.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING
);
591 common().setup(mBlob
, key
);
594 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
596 common().get_encryption_key(encKey
);
599 // when upgrading from pre-10.9 create a keybag if it doesn't exist with the encryption key
600 // only do this after we have verified the master key unlocks the login.keychain
601 if (service_client_kb_load(&context
) == KB_BagNotFound
) {
602 service_client_kb_create(&context
, encKey
.data(), (int)encKey
.length());
607 // Get the keychain master key and invoke the securityd_service
608 // to stash it in the AppleFDEKeyStore ready for commit to the
611 void KeychainDatabase::stashDb()
613 CssmAutoData
data(Allocator::standard(Allocator::sensitive
));
616 StLock
<Mutex
> _(common());
618 if (!common().isValid()) {
619 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY
);
622 CssmKey key
= common().masterKey();
623 data
.copy(key
.keyData());
626 service_context_t context
= common().session().get_current_service_context();
627 int rc
= service_client_stash_set_key(&context
, data
.data(), (int)data
.length());
628 if (rc
!= 0) CssmError::throwMe(rc
);
632 // The following unlock given an explicit passphrase, rather than using
633 // (special cred sample based) default procedures.
635 void KeychainDatabase::unlockDb(const CssmData
&passphrase
)
637 StLock
<Mutex
> _(common());
638 makeUnlocked(passphrase
);
641 void KeychainDatabase::makeUnlocked(const CssmData
&passphrase
)
644 if (decode(passphrase
))
647 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
648 } else if (!mValidData
) { // need to decode to get our ACLs, passphrase available
650 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
653 if (common().isLoginKeychain()) {
655 service_context_t context
= common().session().get_current_service_context();
656 if (!common().session().keybagGetState(session_keybag_check_master_key
) || ((service_client_kb_is_locked(&context
, &locked
, NULL
) == 0) && locked
)) {
657 unlock_keybag(common(), passphrase
.data(), (int)passphrase
.length());
667 // Nonthrowing passphrase-based unlock. This returns false if unlock failed.
668 // Note that this requires an explicitly given passphrase.
669 // Caller must hold common lock.
671 bool KeychainDatabase::decode(const CssmData
&passphrase
)
674 common().setup(mBlob
, passphrase
);
675 bool success
= decode();
676 if (success
&& common().isLoginKeychain()) {
677 unlock_keybag(common(), passphrase
.data(), (int)passphrase
.length());
684 // Given the established master secret, decode the working keys and other
685 // functional secrets for this database. Return false (do NOT throw) if
686 // the decode fails. Call this in low(er) level code once you established
689 bool KeychainDatabase::decode()
692 assert(common().hasMaster());
693 void *privateAclBlob
;
694 if (common().unlockDb(mBlob
, &privateAclBlob
)) {
696 acl().importBlob(mBlob
->publicAclBlob(), privateAclBlob
);
699 Allocator::standard().free(privateAclBlob
);
702 secdebug("KCdb", "%p decode failed", this);
708 // Given an AccessCredentials for this database, wring out the existing primary
709 // database secret by whatever means necessary.
710 // On entry, caller must hold the database common lock. It will be held
711 // throughout except when user interaction is required. User interaction
712 // requires relinquishing the database common lock and taking the UI lock. On
713 // return from user interaction, the UI lock is relinquished and the database
714 // common lock must be reacquired. At no time may the caller hold both locks.
715 // On exit, the crypto core has its master secret. If things go wrong,
716 // we will throw a suitable exception. Note that encountering any malformed
717 // credential sample will throw, but this is not guaranteed -- don't assume
718 // that NOT throwing means creds is entirely well-formed (it may just be good
719 // enough to work THIS time).
722 // Walk through the creds. Fish out those credentials (in order) that
723 // are for unlock processing (they have no ACL subject correspondents),
724 // and (try to) obey each in turn, until one produces a valid secret
725 // or you run out. If no special samples are found at all, interpret that as
726 // "use the system global default," which happens to be hard-coded right here.
728 void KeychainDatabase::establishOldSecrets(const AccessCredentials
*creds
)
730 bool forSystem
= this->belongsToSystem(); // this keychain belongs to the system security domain
732 // attempt system-keychain unlock
734 SystemKeychainKey
systemKeychain(kSystemUnlockFile
);
735 if (systemKeychain
.matches(mBlob
->randomSignature
)) {
736 secdebug("KCdb", "%p attempting system unlock", this);
737 common().setup(mBlob
, CssmClient::Key(Server::csp(), systemKeychain
.key(), true));
743 list
<CssmSample
> samples
;
744 if (creds
&& creds
->samples().collect(CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK
, samples
)) {
745 for (list
<CssmSample
>::iterator it
= samples
.begin(); it
!= samples
.end(); it
++) {
746 TypedList
&sample
= *it
;
747 sample
.checkProper();
748 switch (sample
.type()) {
749 // interactively prompt the user - no additional data
750 case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT
:
752 if (interactiveUnlock())
756 // try to use an explicitly given passphrase - Data:passphrase
757 case CSSM_SAMPLE_TYPE_PASSWORD
:
758 if (sample
.length() != 2)
759 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
760 secdebug("KCdb", "%p attempting passphrase unlock", this);
761 if (decode(sample
[1]))
764 // try to open with a given master key - Data:CSP or KeyHandle, Data:CssmKey
765 case CSSM_SAMPLE_TYPE_SYMMETRIC_KEY
:
766 case CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY
:
768 secdebug("KCdb", "%p attempting explicit key unlock", this);
769 common().setup(mBlob
, keyFromCreds(sample
, 4));
774 // explicitly defeat the default action but don't try anything in particular
775 case CSSM_WORDID_CANCELED
:
776 secdebug("KCdb", "%p defeat default action", this);
779 // Unknown sub-sample for unlocking.
780 // If we wanted to be fascist, we could now do
781 // CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
782 // But instead we try to be tolerant and continue on.
783 // This DOES however count as an explicit attempt at specifying unlock,
784 // so we will no longer try the default case below...
785 secdebug("KCdb", "%p unknown sub-sample unlock (%d) ignored", this, sample
.type());
794 if (interactiveUnlock())
799 // out of options - no secret obtained
800 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
803 bool KeychainDatabase::interactiveUnlock()
805 secdebug("KCdb", "%p attempting interactive unlock", this);
806 SecurityAgent::Reason reason
= SecurityAgent::noReason
;
807 QueryUnlock
query(*this);
808 // take UI interlock and release DbCommon lock (to avoid deadlocks)
809 StSyncLock
<Mutex
, Mutex
> uisync(common().uiLock(), common());
811 // now that we have the UI lock, interact unless another thread unlocked us first
813 query
.inferHints(Server::process());
815 if (mSaveSecret
&& reason
== SecurityAgent::noReason
) {
816 query
.retrievePassword(mSecret
);
820 secdebug("KCdb", "%p was unlocked during uiLock delay", this);
823 if (common().isLoginKeychain()) {
825 service_context_t context
= common().session().get_current_service_context();
826 if ((service_client_kb_is_locked(&context
, &locked
, NULL
) == 0) && locked
) {
827 QueryKeybagNewPassphrase
keybagQuery(common().session());
828 keybagQuery
.inferHints(Server::process());
829 CssmAutoData
pass(Allocator::standard(Allocator::sensitive
));
830 CssmAutoData
oldPass(Allocator::standard(Allocator::sensitive
));
831 SecurityAgent::Reason queryReason
= keybagQuery
.query(oldPass
, pass
);
832 if (queryReason
== SecurityAgent::noReason
) {
833 service_client_kb_change_secret(&context
, oldPass
.data(), (int)oldPass
.length(), pass
.data(), (int)pass
.length());
834 } else if (queryReason
== SecurityAgent::resettingPassword
) {
835 query
.retrievePassword(pass
);
836 service_client_kb_reset(&context
, pass
.data(), (int)pass
.length());
842 return reason
== SecurityAgent::noReason
;
847 // Same thing, but obtain a new secret somehow and set it into the common.
849 void KeychainDatabase::establishNewSecrets(const AccessCredentials
*creds
, SecurityAgent::Reason reason
)
851 list
<CssmSample
> samples
;
852 if (creds
&& creds
->samples().collect(CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK
, samples
)) {
853 for (list
<CssmSample
>::iterator it
= samples
.begin(); it
!= samples
.end(); it
++) {
854 TypedList
&sample
= *it
;
855 sample
.checkProper();
856 switch (sample
.type()) {
857 // interactively prompt the user
858 case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT
:
860 secdebug("KCdb", "%p specified interactive passphrase", this);
861 QueryNewPassphrase
query(*this, reason
);
862 StSyncLock
<Mutex
, Mutex
> uisync(common().uiLock(), common());
863 query
.inferHints(Server::process());
864 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
865 CssmAutoData
oldPassphrase(Allocator::standard(Allocator::sensitive
));
866 if (query(oldPassphrase
, passphrase
) == SecurityAgent::noReason
) {
867 common().setup(NULL
, passphrase
);
868 change_secret_on_keybag(common(), oldPassphrase
.data(), (int)oldPassphrase
.length(), passphrase
.data(), (int)passphrase
.length());
873 // try to use an explicitly given passphrase
874 case CSSM_SAMPLE_TYPE_PASSWORD
:
876 secdebug("KCdb", "%p specified explicit passphrase", this);
877 if (sample
.length() != 2)
878 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
879 common().setup(NULL
, sample
[1]);
880 if (common().isLoginKeychain()) {
881 CssmAutoData
oldPassphrase(Allocator::standard(Allocator::sensitive
));
882 list
<CssmSample
> oldSamples
;
883 creds
->samples().collect(CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK
, oldSamples
);
884 for (list
<CssmSample
>::iterator oit
= oldSamples
.begin(); oit
!= oldSamples
.end(); oit
++) {
885 TypedList
&tmpList
= *oit
;
886 tmpList
.checkProper();
887 if (tmpList
.type() == CSSM_SAMPLE_TYPE_PASSWORD
) {
888 if (tmpList
.length() == 2) {
889 oldPassphrase
= tmpList
[1].data();
893 if (!oldPassphrase
.length() && mSecret
&& mSecret
.length()) {
894 oldPassphrase
= mSecret
;
896 change_secret_on_keybag(common(), oldPassphrase
.data(), (int)oldPassphrase
.length(), sample
[1].data().data(), (int)sample
[1].data().length());
900 // try to open with a given master key
901 case CSSM_WORDID_SYMMETRIC_KEY
:
902 case CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY
:
903 secdebug("KCdb", "%p specified explicit master key", this);
904 common().setup(NULL
, keyFromCreds(sample
, 3));
906 // explicitly defeat the default action but don't try anything in particular
907 case CSSM_WORDID_CANCELED
:
908 secdebug("KCdb", "%p defeat default action", this);
911 // Unknown sub-sample for acquiring new secret.
912 // If we wanted to be fascist, we could now do
913 // CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
914 // But instead we try to be tolerant and continue on.
915 // This DOES however count as an explicit attempt at specifying unlock,
916 // so we will no longer try the default case below...
917 secdebug("KCdb", "%p unknown sub-sample acquisition (%d) ignored",
918 this, sample
.type());
923 // default action -- interactive (only)
924 QueryNewPassphrase
query(*this, reason
);
925 StSyncLock
<Mutex
, Mutex
> uisync(common().uiLock(), common());
926 query
.inferHints(Server::process());
927 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
928 CssmAutoData
oldPassphrase(Allocator::standard(Allocator::sensitive
));
929 if (query(oldPassphrase
, passphrase
) == SecurityAgent::noReason
) {
930 common().setup(NULL
, passphrase
);
931 change_secret_on_keybag(common(), oldPassphrase
.data(), (int)oldPassphrase
.length(), passphrase
.data(), (int)passphrase
.length());
936 // out of options - no secret obtained
937 CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED
);
942 // Given a (truncated) Database credentials TypedList specifying a master key,
943 // locate the key and return a reference to it.
945 CssmClient::Key
KeychainDatabase::keyFromCreds(const TypedList
&sample
, unsigned int requiredLength
)
947 // decode TypedList structure (sample type; Data:CSPHandle; Data:CSSM_KEY)
948 assert(sample
.type() == CSSM_SAMPLE_TYPE_SYMMETRIC_KEY
|| sample
.type() == CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY
);
949 if (sample
.length() != requiredLength
950 || sample
[1].type() != CSSM_LIST_ELEMENT_DATUM
951 || sample
[2].type() != CSSM_LIST_ELEMENT_DATUM
952 || (requiredLength
== 4 && sample
[3].type() != CSSM_LIST_ELEMENT_DATUM
))
953 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
954 KeyHandle
&handle
= *sample
[1].data().interpretedAs
<KeyHandle
>(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
955 // We used to be able to check the length but supporting multiple client
956 // architectures dishes that (sizeof(CSSM_KEY) varies due to alignment and
957 // field-size differences). The decoding in the transition layer should
958 // serve as a sufficient garbling check anyway.
959 if (sample
[2].data().data() == NULL
)
960 CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
961 CssmKey
&key
= *sample
[2].data().interpretedAs
<CssmKey
>();
963 if (key
.header().cspGuid() == gGuidAppleCSPDL
) {
964 // handleOrKey is a SecurityServer KeyHandle; ignore key argument
965 return safer_cast
<LocalKey
&>(*Server::key(handle
));
967 if (sample
.type() == CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY
) {
969 Contents (see DefaultCredentials::unlockKey in libsecurity_keychain/defaultcreds.cpp)
971 sample[0] sample type
972 sample[1] csp handle for master or wrapping key; is really a keyhandle
973 sample[2] masterKey [not used since securityd cannot interpret; use sample[1] handle instead]
974 sample[3] UnlockReferralRecord data, in this case the flattened symmetric key
977 // RefPointer<Key> Server::key(KeyHandle key)
978 KeyHandle keyhandle
= *sample
[1].data().interpretedAs
<KeyHandle
>(CSSM_ERRCODE_INVALID_SAMPLE_VALUE
);
979 CssmData
&flattenedKey
= sample
[3].data();
980 RefPointer
<Key
> unwrappingKey
= Server::key(keyhandle
);
981 Database
&db
=unwrappingKey
->database();
983 CssmKey rawWrappedKey
;
984 unflattenKey(flattenedKey
, rawWrappedKey
);
986 RefPointer
<Key
> masterKey
;
987 CssmData emptyDescriptiveData
;
988 const AccessCredentials
*cred
= NULL
;
989 const AclEntryPrototype
*owner
= NULL
;
990 CSSM_KEYUSE usage
= CSSM_KEYUSE_ANY
;
991 CSSM_KEYATTR_FLAGS attrs
= CSSM_KEYATTR_EXTRACTABLE
; //CSSM_KEYATTR_RETURN_REF |
993 // Get default credentials for unwrappingKey (the one on the token)
994 // Copied from Statics::Statics() in libsecurity_keychain/aclclient.cpp
995 // Following KeyItem::getCredentials, one sees that the "operation" parameter
996 // e.g. "CSSM_ACL_AUTHORIZATION_DECRYPT" is ignored
997 Allocator
&alloc
= Allocator::standard();
998 AutoCredentials
promptCred(alloc
, 3);// enable interactive prompting
1000 // promptCred: a credential permitting user prompt confirmations
1002 // a KEYCHAIN_PROMPT sample, both by itself and in a THRESHOLD
1003 // a PROMPTED_PASSWORD sample
1004 promptCred
.sample(0) = TypedList(alloc
, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT
);
1005 promptCred
.sample(1) = TypedList(alloc
, CSSM_SAMPLE_TYPE_THRESHOLD
,
1006 new(alloc
) ListElement(TypedList(alloc
, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT
)));
1007 promptCred
.sample(2) = TypedList(alloc
, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD
,
1008 new(alloc
) ListElement(alloc
, CssmData()));
1010 // This unwrap object is here just to provide a context
1011 CssmClient::UnwrapKey
unwrap(Server::csp(), CSSM_ALGID_NONE
); //ok to lie about csp here
1012 unwrap
.mode(CSSM_ALGMODE_NONE
);
1013 unwrap
.padding(CSSM_PADDING_PKCS1
);
1014 unwrap
.cred(promptCred
);
1015 unwrap
.add(CSSM_ATTRIBUTE_WRAPPED_KEY_FORMAT
, uint32(CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7
));
1016 Security::Context
*tmpContext
;
1017 CSSM_CC_HANDLE CCHandle
= unwrap
.handle();
1018 /*CSSM_RETURN rx = */ CSSM_GetContext (CCHandle
, (CSSM_CONTEXT_PTR
*)&tmpContext
);
1020 // OK, this is skanky but necessary. We overwrite fields in the context struct
1022 tmpContext
->ContextType
= CSSM_ALGCLASS_ASYMMETRIC
;
1023 tmpContext
->AlgorithmType
= CSSM_ALGID_RSA
;
1025 db
.unwrapKey(*tmpContext
, cred
, owner
, unwrappingKey
, NULL
, usage
, attrs
,
1026 rawWrappedKey
, masterKey
, emptyDescriptiveData
);
1028 Allocator::standard().free(rawWrappedKey
.KeyData
.Data
);
1030 return safer_cast
<LocalKey
&>(*masterKey
).key();
1034 // not a KeyHandle reference; use key as a raw key
1035 if (key
.header().blobType() != CSSM_KEYBLOB_RAW
)
1036 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_REFERENCE
);
1037 if (key
.header().keyClass() != CSSM_KEYCLASS_SESSION_KEY
)
1038 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_CLASS
);
1039 return CssmClient::Key(Server::csp(), key
, true);
1043 void unflattenKey(const CssmData
&flatKey
, CssmKey
&rawKey
)
1045 // unflatten the raw input key naively: key header then key data
1046 // We also convert it back to host byte order
1047 // A CSSM_KEY is a CSSM_KEYHEADER followed by a CSSM_DATA
1049 // Now copy: header, then key struct, then key data
1050 memcpy(&rawKey
.KeyHeader
, flatKey
.Data
, sizeof(CSSM_KEYHEADER
));
1051 memcpy(&rawKey
.KeyData
, flatKey
.Data
+ sizeof(CSSM_KEYHEADER
), sizeof(CSSM_DATA
));
1052 const uint32 keyDataLength
= flatKey
.length() - sizeof(CSSM_KEY
);
1053 rawKey
.KeyData
.Data
= Allocator::standard().malloc
<uint8
>(keyDataLength
);
1054 rawKey
.KeyData
.Length
= keyDataLength
;
1055 memcpy(rawKey
.KeyData
.Data
, flatKey
.Data
+ sizeof(CSSM_KEY
), keyDataLength
);
1056 Security::n2hi(rawKey
.KeyHeader
); // convert it to host byte order
1061 // Verify a putative database passphrase.
1062 // If the database is already unlocked, just check the passphrase.
1063 // Otherwise, unlock with that passphrase and report success.
1064 // Caller must hold the common lock.
1066 bool KeychainDatabase::validatePassphrase(const CssmData
&passphrase
) const
1068 if (common().hasMaster()) {
1069 // verify against known secret
1070 return common().validatePassphrase(passphrase
);
1072 // no master secret - perform "blind" unlock to avoid actual unlock
1074 DatabaseCryptoCore test
;
1075 test
.setup(mBlob
, passphrase
);
1076 test
.decodeCore(mBlob
, NULL
);
1086 // Lock this database
1088 void KeychainDatabase::lockDb()
1095 // Given a Key for this database, encode it into a blob and return it.
1097 KeyBlob
*KeychainDatabase::encodeKey(const CssmKey
&key
, const CssmData
&pubAcl
, const CssmData
&privAcl
)
1099 bool inTheClear
= false;
1100 if((key
.keyClass() == CSSM_KEYCLASS_PUBLIC_KEY
) &&
1101 !(key
.attribute(CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT
))) {
1104 StLock
<Mutex
> _(common());
1108 // tell the cryptocore to form the key blob
1109 return common().encodeKeyCore(key
, pubAcl
, privAcl
, inTheClear
);
1114 // Given a "blobbed" key for this database, decode it into its real
1115 // key object and (re)populate its ACL.
1117 void KeychainDatabase::decodeKey(KeyBlob
*blob
, CssmKey
&key
, void * &pubAcl
, void * &privAcl
)
1119 StLock
<Mutex
> _(common());
1121 if(!blob
->isClearText())
1122 makeUnlocked(); // we need our keys
1124 common().decodeKeyCore(blob
, key
, pubAcl
, privAcl
);
1125 // memory protocol: pubAcl points into blob; privAcl was allocated
1131 // Given a KeychainKey (that implicitly belongs to another keychain),
1132 // return it encoded using this keychain's operational secrets.
1134 KeyBlob
*KeychainDatabase::recodeKey(KeychainKey
&oldKey
)
1136 if (mRecodingSource
!= &oldKey
.referent
<KeychainDatabase
>()) {
1137 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY
);
1139 oldKey
.instantiateAcl(); // make sure key is decoded
1140 CssmData publicAcl
, privateAcl
;
1141 oldKey
.exportBlob(publicAcl
, privateAcl
);
1142 // NB: blob's memory belongs to caller, not the common
1145 * Make sure the new key is in the same cleartext/encrypted state.
1147 bool inTheClear
= false;
1148 assert(oldKey
.blob());
1149 if(oldKey
.blob() && oldKey
.blob()->isClearText()) {
1153 KeyBlob
*blob
= common().encodeKeyCore(oldKey
.cssmKey(), publicAcl
, privateAcl
, inTheClear
);
1154 oldKey
.acl().allocator
.free(publicAcl
);
1155 oldKey
.acl().allocator
.free(privateAcl
);
1161 // Modify database parameters
1163 void KeychainDatabase::setParameters(const DBParameters
¶ms
)
1165 StLock
<Mutex
> _(common());
1167 common().mParams
= params
;
1168 common().invalidateBlob(); // invalidate old blobs
1169 activity(); // (also resets the timeout timer)
1170 secdebug("KCdb", "%p common %p(%s) set params=(%u,%u)",
1171 this, &common(), dbName(), params
.idleTimeout
, params
.lockOnSleep
);
1176 // Retrieve database parameters
1178 void KeychainDatabase::getParameters(DBParameters
¶ms
)
1180 StLock
<Mutex
> _(common());
1182 params
= common().mParams
;
1183 //activity(); // getting parameters does not reset the idle timer
1188 // RIGHT NOW, database ACLs are attached to the database.
1189 // This will soon move upstairs.
1191 SecurityServerAcl
&KeychainDatabase::acl()
1198 // Intercept ACL change requests and reset blob validity
1200 void KeychainDatabase::instantiateAcl()
1202 StLock
<Mutex
> _(common());
1206 void KeychainDatabase::changedAcl()
1208 StLock
<Mutex
> _(common());
1214 // Check an incoming DbBlob for basic viability
1216 void KeychainDatabase::validateBlob(const DbBlob
*blob
)
1218 // perform basic validation on the blob
1220 blob
->validate(CSSMERR_APPLEDL_INVALID_DATABASE_BLOB
);
1221 switch (blob
->version()) {
1222 #if defined(COMPAT_OSX_10_0)
1223 case DbBlob::version_MacOS_10_0
:
1226 case DbBlob::version_MacOS_10_1
:
1229 CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB
);
1235 // Debugging support
1237 #if defined(DEBUGDUMP)
1239 void KeychainDbCommon::dumpNode()
1241 PerSession::dumpNode();
1242 uint32 sig
; memcpy(&sig
, &mIdentifier
.signature(), sizeof(sig
));
1243 Debug::dump(" %s[%8.8x]", mIdentifier
.dbName(), sig
);
1245 Debug::dump(" locked");
1247 time_t whenTime
= time_t(when());
1248 Debug::dump(" unlocked(%24.24s/%.2g)", ctime(&whenTime
),
1249 (when() - Time::now()).seconds());
1251 Debug::dump(" params=(%u,%u)", mParams
.idleTimeout
, mParams
.lockOnSleep
);
1254 void KeychainDatabase::dumpNode()
1256 PerProcess::dumpNode();
1257 Debug::dump(" %s vers=%u",
1258 mValidData
? " data" : " nodata", version
);
1260 uint32 sig
; memcpy(&sig
, &mBlob
->randomSignature
, sizeof(sig
));
1261 Debug::dump(" blob=%p[%8.8x]", mBlob
, sig
);
1263 Debug::dump(" noblob");
1271 // DbCommon basic features
1273 KeychainDbCommon::KeychainDbCommon(Session
&ssn
, const DbIdentifier
&id
)
1274 : LocalDbCommon(ssn
), sequence(0), version(1), mIdentifier(id
),
1275 mIsLocked(true), mValidParams(false), mLoginKeychain(false)
1277 // match existing DbGlobal or create a new one
1279 Server
&server
= Server::active();
1280 StLock
<Mutex
> _(server
);
1281 if (KeychainDbGlobal
*dbglobal
=
1282 server
.findFirst
<KeychainDbGlobal
, const DbIdentifier
&>(&KeychainDbGlobal::identifier
, identifier())) {
1284 secdebug("KCdb", "%p linking to existing DbGlobal %p", this, dbglobal
);
1286 // DbGlobal not present; make a new one
1287 parent(*new KeychainDbGlobal(identifier()));
1288 secdebug("KCdb", "%p linking to new DbGlobal %p", this, &global());
1291 // link lifetime to the Session
1292 session().addReference(*this);
1294 if (strcasestr(id
.dbName(), "login.keychain") != NULL
) {
1295 mLoginKeychain
= true;
1299 if (mLoginKeychain
&& !session().keybagGetState(session_keybag_loaded
)) {
1300 service_context_t context
= session().get_current_service_context();
1301 if (service_client_kb_load(&context
) == 0) {
1302 session().keybagSetState(session_keybag_loaded
);
1307 KeychainDbCommon::~KeychainDbCommon()
1309 SECURITYD_KEYCHAIN_RELEASE(this, (char*)this->dbName());
1311 // explicitly unschedule ourselves
1312 Server::active().clearTimer(this);
1313 if (mLoginKeychain
) {
1314 session().keybagClearState(session_keybag_unlocked
);
1318 KeychainDbGlobal
&KeychainDbCommon::global() const
1320 return parent
<KeychainDbGlobal
>();
1324 void KeychainDbCommon::select()
1327 void KeychainDbCommon::unselect()
1332 void KeychainDbCommon::makeNewSecrets()
1334 // we already have a master key (right?)
1335 assert(hasMaster());
1337 // tell crypto core to generate the use keys
1338 DatabaseCryptoCore::generateNewSecrets();
1340 // we're now officially "unlocked"; set the timer
1346 // All unlocking activity ultimately funnels through this method.
1347 // This unlocks a DbCommon using the secrets setup in its crypto core
1348 // component, and performs all the housekeeping needed to represent
1349 // the state change.
1350 // Returns true if unlock was successful, false if it failed due to
1351 // invalid/insufficient secrets. Throws on other errors.
1353 bool KeychainDbCommon::unlockDb(DbBlob
*blob
, void **privateAclBlob
)
1356 // Tell the cryptocore to (try to) decode itself. This will fail
1357 // in an astonishing variety of ways if the passphrase is wrong.
1358 assert(hasMaster());
1359 decodeCore(blob
, privateAclBlob
);
1360 secdebug("KCdb", "%p unlock successful", this);
1362 secdebug("KCdb", "%p unlock failed", this);
1366 // get the database parameters only if we haven't got them yet
1367 if (!mValidParams
) {
1368 mParams
= blob
->params
;
1369 n2hi(mParams
.idleTimeout
);
1370 mValidParams
= true; // sticky
1373 bool isLocked
= mIsLocked
;
1375 setUnlocked(); // mark unlocked
1378 // broadcast unlock notification, but only if we were previously locked
1379 notify(kNotificationEventUnlocked
);
1380 SECURITYD_KEYCHAIN_UNLOCK(this, (char*)this->dbName());
1385 void KeychainDbCommon::setUnlocked()
1387 session().addReference(*this); // active/held
1388 mIsLocked
= false; // mark unlocked
1389 activity(); // set timeout timer
1393 void KeychainDbCommon::lockDb()
1397 StLock
<Mutex
> _(*this);
1399 DatabaseCryptoCore::invalidate();
1400 notify(kNotificationEventLocked
);
1401 SECURITYD_KEYCHAIN_LOCK(this, (char*)this->dbName());
1402 Server::active().clearTimer(this);
1404 mIsLocked
= true; // mark locked
1407 // this call may destroy us if we have no databases anymore
1408 session().removeReference(*this);
1412 if (mLoginKeychain
&& lock
) {
1413 service_context_t context
= session().get_current_service_context();
1414 service_client_kb_lock(&context
);
1415 session().keybagClearState(session_keybag_unlocked
);
1420 DbBlob
*KeychainDbCommon::encode(KeychainDatabase
&db
)
1422 assert(!isLocked()); // must have been unlocked by caller
1424 // export database ACL to blob form
1425 CssmData pubAcl
, privAcl
;
1426 db
.acl().exportBlob(pubAcl
, privAcl
);
1428 // tell the cryptocore to form the blob
1430 form
.randomSignature
= identifier();
1431 form
.sequence
= sequence
;
1432 form
.params
= mParams
;
1433 h2ni(form
.params
.idleTimeout
);
1435 assert(hasMaster());
1436 DbBlob
*blob
= encodeCore(form
, pubAcl
, privAcl
);
1439 db
.acl().allocator
.free(pubAcl
);
1440 db
.acl().allocator
.free(privAcl
);
1446 // Perform deferred lock processing for a database.
1448 void KeychainDbCommon::action()
1450 secdebug("KCdb", "common %s(%p) locked by timer", dbName(), this);
1454 void KeychainDbCommon::activity()
1457 secdebug("KCdb", "setting DbCommon %p timer to %d",
1458 this, int(mParams
.idleTimeout
));
1459 Server::active().setTimer(this, Time::Interval(int(mParams
.idleTimeout
)));
1463 void KeychainDbCommon::sleepProcessing()
1465 secdebug("KCdb", "common %s(%p) sleep-lock processing", dbName(), this);
1466 StLock
<Mutex
> _(*this);
1467 if (mParams
.lockOnSleep
)
1471 void KeychainDbCommon::lockProcessing()
1478 // We consider a keychain to belong to the system domain if it resides
1479 // in /Library/Keychains. That's not exactly fool-proof, but we don't
1480 // currently have any internal markers to interrogate.
1482 bool KeychainDbCommon::belongsToSystem() const
1484 if (const char *name
= this->dbName())
1485 return !strncmp(name
, "/Library/Keychains/", 19);
1491 // Keychain global objects
1493 KeychainDbGlobal::KeychainDbGlobal(const DbIdentifier
&id
)
1498 KeychainDbGlobal::~KeychainDbGlobal()
1500 secdebug("KCdb", "DbGlobal %p destroyed", this);