]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurityd/mig/ucsp.defs
Security-59306.101.1.tar.gz
[apple/security.git] / OSX / libsecurityd / mig / ucsp.defs
1 //
2 // Copyright (c) 2001-2007,2011-2013 Apple Inc. All Rights Reserved.
3 //
4 // @APPLE_LICENSE_HEADER_START@
5 //
6 // This file contains Original Code and/or Modifications of Original Code
7 // as defined in and that are subject to the Apple Public Source License
8 // Version 2.0 (the 'License'). You may not use this file except in
9 // compliance with the License. Please obtain a copy of the License at
10 // http://www.opensource.apple.com/apsl/ and read it before using this
11 // file.
12 //
13 // The Original Code and all software distributed under the License are
14 // distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 // EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 // INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 // FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 // Please see the License for the specific language governing rights and
19 // limitations under the License.
20 //
21 // @APPLE_LICENSE_HEADER_END@
22 //
23 // ucsp.defs - Mach RPC interface between SecurityServer and its clients
24 //
25 #include <mach/std_types.defs>
26 #include <mach/mach_types.defs>
27 #include "ss_types.defs"
28
29 subsystem ucsp 1000;
30 serverprefix ucsp_server_;
31 userprefix ucsp_client_;
32
33 import <securityd_client/ucsp_types.h>;
34
35
36 //
37 // Common argument profiles
38 //
39 #define UCSP_PORTS requestport sport: mach_port_t; \
40 replyport rport: mach_port_make_send_t; \
41 serveraudittoken sourceAudit: audit_token_t; \
42 usersectoken securitydCreds: security_token_t; \
43 out rcode: CSSM_RETURN
44
45
46 //
47 // Management and administrative functions
48 //
49 routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in FilePath: FilePath);
50 skip; // was setupNew - no longer needed
51 routine setupThread(UCSP_PORTS; in tport: mach_port_t);
52
53
54 //
55 // Common database functions
56 //
57 routine authenticateDb(UCSP_PORTS; in db: IPCDbHandle; in accessType: CSSM_DB_ACCESS_TYPE; in accessCredentials: Data);
58 routine releaseDb(UCSP_PORTS; in db: IPCDbHandle);
59 routine getDbName(UCSP_PORTS; in db: IPCDbHandle; out name: FilePathOut);
60 routine setDbName(UCSP_PORTS; in db: IPCDbHandle; in name: FilePath);
61
62
63 //
64 // External database interface
65 //
66 routine openToken(UCSP_PORTS; in ssid: uint32; in name: FilePath;
67 in accessCredentials: Data; out db: IPCDbHandle);
68
69 routine findFirst(UCSP_PORTS; in db: IPCDbHandle; in query: Data;
70 in inAttributes : Data; out outAttributes: Data;
71 in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out search: IPCSearchHandle; out record: IPCRecordHandle);
72 routine findNext(UCSP_PORTS; in search: IPCSearchHandle;
73 in inAttributes : Data; out outAttributes: Data;
74 in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out record: IPCRecordHandle);
75 routine findRecordHandle(UCSP_PORTS; in record: IPCRecordHandle;
76 in inAttributes : Data; out outAttributes: Data;
77 in getData: boolean_t; out data: Data; out key: IPCKeyHandle);
78 routine insertRecord(UCSP_PORTS; in db: IPCDbHandle; in recordType: CSSM_DB_RECORDTYPE;
79 in attributes : Data; in data: Data; out record: IPCRecordHandle);
80 routine deleteRecord(UCSP_PORTS; in db: IPCDbHandle; in record: IPCRecordHandle);
81 routine modifyRecord(UCSP_PORTS; in db: IPCDbHandle; inout record: IPCRecordHandle; in recordType: CSSM_DB_RECORDTYPE;
82 in attributes : Data; in setData: boolean_t; in data: Data;
83 in modifyMode: CSSM_DB_MODIFY_MODE);
84 routine releaseSearch(UCSP_PORTS; in search: IPCSearchHandle);
85 routine releaseRecord(UCSP_PORTS; in record: IPCRecordHandle);
86
87
88
89 //
90 // Internal database interface
91 //
92 routine createDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
93 in accessCredentials: Data; in aclEntryPrototype: Data;
94 in params: DBParameters);
95 skip;
96 #if 0
97 // should move here from below, next time we break compatibility for another reason
98 routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
99 out blob: DbBlob);
100 #endif
101 routine decodeDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
102 in accessCredentials: Data; in blob: DbBlob);
103 routine encodeDb(UCSP_PORTS; in db: IPCDbHandle; out blob: DbBlob);
104 routine setDbParameters(UCSP_PORTS; in db: IPCDbHandle; in params: DBParameters);
105 routine getDbParameters(UCSP_PORTS; in db: IPCDbHandle; out params: DBParameters);
106 routine changePassphrase(UCSP_PORTS; in db: IPCDbHandle;
107 in accessCredentials: Data);
108 routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
109 routine unlockDb(UCSP_PORTS; in db: IPCDbHandle);
110 routine unlockDbWithPassphrase(UCSP_PORTS; in db: IPCDbHandle; in passPhrase: Data);
111 routine isLocked(UCSP_PORTS; in db: IPCDbHandle; out locked: boolean_t);
112
113 //
114 // Key management
115 //
116 routine encodeKey(UCSP_PORTS; in key: IPCKeyHandle; out blob: KeyBlob;
117 in wantUid: boolean_t; out uid: Data);
118 routine decodeKey(UCSP_PORTS; out key: IPCKeyHandle; out header: Data;
119 in db: IPCDbHandle; in blob: KeyBlob);
120 // keychain synchronization
121 routine recodeKey(UCSP_PORTS; in oldDb: IPCDbHandle; in key: IPCKeyHandle;
122 in newDb: IPCDbHandle; out newBlob: KeyBlob);
123 routine releaseKey(UCSP_PORTS; in key: IPCKeyHandle);
124
125 routine queryKeySizeInBits(UCSP_PORTS; in key: IPCKeyHandle; out length: CSSM_KEY_SIZE);
126 routine getOutputSize(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
127 in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);
128
129 routine getKeyDigest(UCSP_PORTS; in key: IPCKeyHandle; out digest: Data);
130
131
132 //
133 // Cryptographic operations
134 //
135 routine generateSignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
136 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
137 routine verifySignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
138 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
139 routine generateMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
140 in data: Data; out signature: Data);
141 routine verifyMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
142 in data: Data; in signature: Data);
143
144 routine encrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in clear: Data; out cipher: Data);
145 routine decrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in cipher: Data; out clear: Data);
146
147 routine generateKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
148 in accessCredentials: Data; in aclEntryPrototype: Data;
149 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
150 routine generateKeyPair(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
151 in accessCredentials: Data; in aclEntryPrototype: Data;
152 in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
153 out pubKey: IPCKeyHandle; out pubHeader: Data;
154 out privKey: IPCKeyHandle; out privHeader: Data);
155
156 routine wrapKey(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
157 in accessCredentials: Data; in keyToBeWrapped: IPCKeyHandle;
158 in descriptiveData: Data; out wrappedKey: Data);
159 routine unwrapKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in key: IPCKeyHandle;
160 in accessCredentials: Data; in aclEntryPrototype: Data;
161 in publicKey: IPCKeyHandle; in wrappedKey: Data;
162 in usage: uint32; in attributes: uint32; out data: Data;
163 out resultKey: IPCKeyHandle; out header: Data);
164
165 routine deriveKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in baseKey: IPCKeyHandle;
166 in accessCredentials: Data; in aclEntryPrototype: Data;
167 in paramInput: Data; out paramOutput: Data;
168 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
169
170 // routine generateRandom(UCSP_PORTS; in ssid: uint32; in context: Data; out data: Data);
171 skip;
172
173
174 //
175 // ACL management
176 //
177 routine getOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
178 out proto: Data);
179 routine setOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
180 in accessCredentials: Data; in aclOwnerPrototype: Data);
181 routine getAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
182 in haveTag: boolean_t; in tag: CssmString;
183 out count: uint32; out acls: Data);
184 routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
185 in accessCredentials: Data;
186 in mode: CSSM_ACL_EDIT_MODE; in handle: IPCGenericHandle;
187 in aclEntryInput: Data);
188
189 routine login(UCSP_PORTS; in accessCredentials: Data; in name: Data);
190 routine logout(UCSP_PORTS);
191
192
193 //
194 // Miscellanea
195 //
196 routine getStatistics(UCSP_PORTS; in ssid: uint32; out statistics: CSSM_CSP_OPERATIONAL_STATISTICS);
197 routine getTime(UCSP_PORTS; in ssid: uint32; in algorithm: CSSM_ALGORITHMS; out data: Data);
198 routine getCounter(UCSP_PORTS; in ssid: uint32; out data: Data);
199 routine selfVerify(UCSP_PORTS; in ssid: uint32);
200
201 routine cspPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in context: Data; in hKey: IPCKeyHandle;
202 in inData: Data; out outData: Data);
203 routine dlPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in inData: Data; out outData: Data);
204
205
206 //
207 // Authorization subsystem
208 //
209 // routine authorizationCreate(UCSP_PORTS;
210 // in rights: Data;
211 // in flags: uint32;
212 // in environment: Data;
213 // out authorization: AuthorizationBlob);
214 skip;
215
216 // routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
217 // in flags: uint32);
218 skip;
219
220 // routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
221 // in rights: Data;
222 // in flags: uint32;
223 // in environment: Data;
224 // out result: Data);
225 skip;
226
227 // routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
228 // in tag: AuthorizationString;
229 // out info: Data);
230 skip;
231
232 // routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
233 // out form: AuthorizationExternalForm);
234 skip;
235
236 // routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
237 // out authorization: AuthorizationBlob);
238 skip;
239
240
241 //
242 // Session management subsystem
243 //
244 skip; // was getSessionInfo -- now kept by the kernel
245 skip; // was setupSession -- now kept by the kernel
246 skip; // was setSessionDistinguishedUid -- now kept by the kernel
247 skip; // was getSessionDistinguishedUid -- now kept by the kernel
248 skip; // was routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data);
249
250 //
251 // Notification subsystem
252 //
253 routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data;
254 in sequence: uint32);
255
256
257 //
258 // Database key management
259 //
260 routine extractMasterKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in sourceDb: IPCDbHandle;
261 in accessCredentials: Data; in aclEntryPrototype: Data;
262 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
263
264
265 //
266 // AuthorizationDB operations
267 //
268 skip; // was: routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
269 skip; // was: routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data);
270 skip; // was: routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString);
271
272
273 //
274 // Miscellaneous administrative calls
275 //
276 skip; // was addCodeEquivalence
277 skip; // was removeCodeEquivalence
278 skip; // was setAlternateSystemRoot
279
280 //
281 // Subsidiary process (child) management.
282 // This call does NOT cause securityd-client activation.
283 //
284 simpleroutine childCheckIn(ServerAuditToken sourceAudit: audit_token_t; requestport sport: mach_port_t;
285 in servicePort: mach_port_make_send_t; in task_port: mach_port_t);
286
287 #if 1
288 // This should move up to be with its buddies (see #if 0 above), but it won't move
289 // until we need to force an incompatible change for some other reason.
290 routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
291 out blob: DbBlob);
292 #endif
293
294 //
295 // The following three blocks of skips replace the old Code Hosting routines
296 //
297
298 skip;
299 skip;
300 skip;
301
302 skip;
303 skip;
304 skip;
305
306 skip;
307
308 //
309 // Keychain Syncing setup support calls
310 //
311 routine recodeDbForSync(UCSP_PORTS; in dbToClone: IPCDbHandle;
312 in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
313 routine authenticateDbsForSync(UCSP_PORTS; in ipcDbHandleArray: Data;
314 in agentData: Data; out newDb: IPCDbHandle);
315
316 //
317 // Allows the client to verify that the server really is root.
318 //
319 routine verifyPrivileged(UCSP_PORTS);
320
321 //
322 // The original verifyPrivileged is subject to a Mach service in the middle attack (6986198).
323 //
324 routine verifyPrivileged2(UCSP_PORTS; out originPort: mach_port_make_send_t);
325
326 // Internal Database call additions
327 routine stashDb(UCSP_PORTS; in db: IPCDbHandle);
328 routine stashDbCheck(UCSP_PORTS; in db: IPCDbHandle);
329
330 routine verifyKeyStorePassphrase(UCSP_PORTS; in retries: uint32_t);
331 routine resetKeyStorePassphrase(UCSP_PORTS; in passPhrase: Data);
332 routine changeKeyStorePassphrase(UCSP_PORTS);
333
334 //
335 // Keychain version change support calls
336 //
337 routine recodeDbToVersion(UCSP_PORTS; in newVersion: uint32; in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
338 routine cloneDb(UCSP_PORTS; in srcDb: IPCDbHandle; in ident: Data; out newDb: IPCDbHandle);
339 routine recodeFinished(UCSP_PORTS; in db: IPCDbHandle);
340
341 //
342 // Keychain Test Support calls
343 //
344 routine getUserPromptAttempts(UCSP_PORTS; out attempts: uint32_t);
345