git.saurik.com Git - apple/security.git/blob - OSX/libsecurityd/mig/ucsp.defs
Security-59754.80.3.tar.gz
1 //
2 // Copyright (c) 2001-2007,2011-2013 Apple Inc. All Rights Reserved.
3 //
4 // @APPLE_LICENSE_HEADER_START@
5 //
6 // This file contains Original Code and/or Modifications of Original Code
7 // as defined in and that are subject to the Apple Public Source License
8 // Version 2.0 (the 'License'). You may not use this file except in
9 // compliance with the License. Please obtain a copy of the License at
10 // http://www.opensource.apple.com/apsl/ and read it before using this
11 // file.
12 //
13 // The Original Code and all software distributed under the License are
14 // distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 // EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 // INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 // FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 // Please see the License for the specific language governing rights and
19 // limitations under the License.
20 //
21 // @APPLE_LICENSE_HEADER_END@
22 //
23 // ucsp.defs - Mach RPC interface between SecurityServer and its clients
24 //
25 #include <mach/std_types.defs>
26 #include <mach/mach_types.defs>
27 #include "ss_types.defs"
28
// MIG numbers messages from the base 1000 upward, one id per routine,
// simpleroutine or skip, in declaration order. The order of the declarations
// below is therefore part of the client/server wire protocol.
29 subsystem ucsp 1000;
// Prefix of the server-side handler functions that the generated server stubs call.
30 serverprefix ucsp_server_;
// Prefix of the generated client-side stub functions.
31 userprefix ucsp_client_;
32
33 import <securityd_client/ucsp_types.h>;
34
35
36 //
37 // Common argument profiles
// UCSP_PORTS is the argument prefix shared by every `routine` in this file:
//   sport          - request port the message is sent to.
//   rport          - reply port (mach_port_make_send_t: a send right is made for it).
//   sourceAudit    - serveraudittoken: seen only by the server handler. MIG takes it
//                    from the kernel-appended message trailer, so it describes the
//                    sending process and is not data the client can fill in.
//   securitydCreds - usersectoken: seen only by the client stub. It is the security
//                    token from the trailer of the reply, i.e. of whoever answered.
//   rcode          - CSSM_RETURN status handed back to the client.
// NOTE(review): handlers should derive the caller's identity from sourceAudit and
// not from anything carried in the message body - confirm in the server code.
38 //
39 #define UCSP_PORTS requestport sport: mach_port_t; \
40 replyport rport: mach_port_make_send_t; \
41 serveraudittoken sourceAudit: audit_token_t; \
42 usersectoken securitydCreds: security_token_t; \
43 out rcode: CSSM_RETURN
44
45
46 //
47 // Management and administrative functions
// Both routines pass tport (a mach_port_t) in addition to UCSP_PORTS.
// NOTE(review): presumably tport is the client's task port - confirm in the caller.
48 //
49 routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in FilePath: FilePath);
// skip reserves the message id setupNew used, so the ids of later routines do not shift.
50 skip; // was setupNew - no longer needed
51 routine setupThread(UCSP_PORTS; in tport: mach_port_t);
52
53
54 //
55 // Common database functions
// All four routines name the database by IPCDbHandle. authenticateDb also carries
// accessCredentials as a Data blob; Data is declared outside this file.
56 //
57 routine authenticateDb(UCSP_PORTS; in db: IPCDbHandle; in accessType: CSSM_DB_ACCESS_TYPE; in accessCredentials: Data);
58 routine releaseDb(UCSP_PORTS; in db: IPCDbHandle);
59 routine getDbName(UCSP_PORTS; in db: IPCDbHandle; out name: FilePathOut);
60 routine setDbName(UCSP_PORTS; in db: IPCDbHandle; in name: FilePath);
61
62
63 //
64 // External database interface
// Queries, attribute lists and record contents cross the boundary as Data blobs.
// Results come back as handles (IPCSearchHandle, IPCRecordHandle, IPCKeyHandle);
// releaseSearch and releaseRecord take the search and record handles back.
// NOTE(review): query and attribute blobs are client-built; confirm the server
// validates their layout before walking them.
65 //
66 routine openToken(UCSP_PORTS; in ssid: uint32; in name: FilePath;
67 in accessCredentials: Data; out db: IPCDbHandle);
68
// findFirst starts a search on a database and returns a search handle; findNext
// continues from that handle. getData selects whether record data is returned.
69 routine findFirst(UCSP_PORTS; in db: IPCDbHandle; in query: Data;
70 in inAttributes : Data; out outAttributes: Data;
71 in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out search: IPCSearchHandle; out record: IPCRecordHandle);
72 routine findNext(UCSP_PORTS; in search: IPCSearchHandle;
73 in inAttributes : Data; out outAttributes: Data;
74 in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out record: IPCRecordHandle);
75 routine findRecordHandle(UCSP_PORTS; in record: IPCRecordHandle;
76 in inAttributes : Data; out outAttributes: Data;
77 in getData: boolean_t; out data: Data; out key: IPCKeyHandle);
78 routine insertRecord(UCSP_PORTS; in db: IPCDbHandle; in recordType: CSSM_DB_RECORDTYPE;
79 in attributes : Data; in data: Data; out record: IPCRecordHandle);
80 routine deleteRecord(UCSP_PORTS; in db: IPCDbHandle; in record: IPCRecordHandle);
// record is inout: the caller passes a record handle and receives one back.
81 routine modifyRecord(UCSP_PORTS; in db: IPCDbHandle; inout record: IPCRecordHandle; in recordType: CSSM_DB_RECORDTYPE;
82 in attributes : Data; in setData: boolean_t; in data: Data;
83 in modifyMode: CSSM_DB_MODIFY_MODE);
84 routine releaseSearch(UCSP_PORTS; in search: IPCSearchHandle);
85 routine releaseRecord(UCSP_PORTS; in record: IPCRecordHandle);
86
87
88
89 //
90 // Internal database interface
// Databases are referred to by IPCDbHandle. Credentials, ACL prototypes and
// passphrases (accessCredentials, aclEntryPrototype, passPhrase) are declared as
// Data, a type defined outside this file.
// NOTE(review): these arguments carry secrets across the Mach message boundary;
// confirm that client and server clear their copies after use.
91 //
92 routine createDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
93 in accessCredentials: Data; in aclEntryPrototype: Data;
94 in params: DBParameters);
// Reserved message id; the file does not say which routine it replaced.
95 skip;
// Disabled copy: the live commitDbForSync declaration is further down under "#if 1",
// so enabling this one would change the message ids of everything after it.
96 #if 0
97 // should move here from below, next time we break compatibility for another reason
98 routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
99 out blob: DbBlob);
100 #endif
101 routine decodeDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
102 in accessCredentials: Data; in blob: DbBlob);
103 routine encodeDb(UCSP_PORTS; in db: IPCDbHandle; out blob: DbBlob);
104 routine setDbParameters(UCSP_PORTS; in db: IPCDbHandle; in params: DBParameters);
105 routine getDbParameters(UCSP_PORTS; in db: IPCDbHandle; out params: DBParameters);
106 routine changePassphrase(UCSP_PORTS; in db: IPCDbHandle;
107 in accessCredentials: Data);
// lockAll takes no database handle, only the forSleep flag.
108 routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
// unlockDb carries no secret in the request; unlockDbWithPassphrase carries the
// passphrase itself as Data.
109 routine unlockDb(UCSP_PORTS; in db: IPCDbHandle);
110 routine unlockDbWithPassphrase(UCSP_PORTS; in db: IPCDbHandle; in passPhrase: Data);
111 routine isLocked(UCSP_PORTS; in db: IPCDbHandle; out locked: boolean_t);
112
113 //
114 // Key management
// Keys are referred to by IPCKeyHandle. encodeKey turns a handle into a KeyBlob and
// decodeKey turns a KeyBlob (together with a database handle) back into a handle.
// NOTE(review): KeyBlob input to decodeKey is client-supplied; confirm the server
// validates and authenticates the blob before using it.
115 //
116 routine encodeKey(UCSP_PORTS; in key: IPCKeyHandle; out blob: KeyBlob;
117 in wantUid: boolean_t; out uid: Data);
118 routine decodeKey(UCSP_PORTS; out key: IPCKeyHandle; out header: Data;
119 in db: IPCDbHandle; in blob: KeyBlob);
120 // keychain synchronization
121 routine recodeKey(UCSP_PORTS; in oldDb: IPCDbHandle; in key: IPCKeyHandle;
122 in newDb: IPCDbHandle; out newBlob: KeyBlob);
123 routine releaseKey(UCSP_PORTS; in key: IPCKeyHandle);
124
125 routine queryKeySizeInBits(UCSP_PORTS; in key: IPCKeyHandle; out length: CSSM_KEY_SIZE);
126 routine getOutputSize(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
127 in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);
128
129 routine getKeyDigest(UCSP_PORTS; in key: IPCKeyHandle; out digest: Data);
130
131
132 //
133 // Cryptographic operations
// Every operation names its key by IPCKeyHandle and passes the context, inputs and
// outputs as Data blobs; no routine here takes raw key bytes as a key argument.
// The routines that create a key (generateKey, generateKeyPair, unwrapKey,
// deriveKey) take accessCredentials and an aclEntryPrototype and return a new
// IPCKeyHandle together with a header blob.
134 //
135 routine generateSignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
136 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
// verifySignature and verifyMac have no out parameter of their own, so the
// verification result reaches the client only through rcode from UCSP_PORTS.
137 routine verifySignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
138 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
139 routine generateMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
140 in data: Data; out signature: Data);
141 routine verifyMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
142 in data: Data; in signature: Data);
143
144 routine encrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in clear: Data; out cipher: Data);
145 routine decrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in cipher: Data; out clear: Data);
146
147 routine generateKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
148 in accessCredentials: Data; in aclEntryPrototype: Data;
149 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
150 routine generateKeyPair(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
151 in accessCredentials: Data; in aclEntryPrototype: Data;
152 in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
153 out pubKey: IPCKeyHandle; out pubHeader: Data;
154 out privKey: IPCKeyHandle; out privHeader: Data);
155
// wrapKey hands the wrapped key back to the client as Data.
// NOTE(review): this is the path by which key material leaves the server in wrapped
// form; confirm the server checks the ACL of keyToBeWrapped, not just of key.
156 routine wrapKey(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
157 in accessCredentials: Data; in keyToBeWrapped: IPCKeyHandle;
158 in descriptiveData: Data; out wrappedKey: Data);
159 routine unwrapKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in key: IPCKeyHandle;
160 in accessCredentials: Data; in aclEntryPrototype: Data;
161 in publicKey: IPCKeyHandle; in wrappedKey: Data;
162 in usage: uint32; in attributes: uint32; out data: Data;
163 out resultKey: IPCKeyHandle; out header: Data);
164
165 routine deriveKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in baseKey: IPCKeyHandle;
166 in accessCredentials: Data; in aclEntryPrototype: Data;
167 in paramInput: Data; out paramOutput: Data;
168 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
169
// generateRandom is commented out; the skip keeps its message id reserved.
170 // routine generateRandom(UCSP_PORTS; in ssid: uint32; in context: Data; out data: Data);
171 skip;
172
173
174 //
175 // ACL management
// The target object is selected by the pair (kind: AclKind, key: IPCGenericHandle).
// The two read routines (getOwner, getAcl) take no credentials; the two that modify
// state (setOwner, changeAcl) both require accessCredentials.
176 //
177 routine getOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
178 out proto: Data);
179 routine setOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
180 in accessCredentials: Data; in aclOwnerPrototype: Data);
// tag is only meaningful together with haveTag; acls is a Data blob holding
// `count` entries.
181 routine getAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
182 in haveTag: boolean_t; in tag: CssmString;
183 out count: uint32; out acls: Data);
184 routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
185 in accessCredentials: Data;
186 in mode: CSSM_ACL_EDIT_MODE; in handle: IPCGenericHandle;
187 in aclEntryInput: Data);
188
// logout takes nothing beyond UCSP_PORTS.
// NOTE(review): presumably the server works out what to log out from the
// connection and sourceAudit - confirm in the server code.
189 routine login(UCSP_PORTS; in accessCredentials: Data; in name: Data);
190 routine logout(UCSP_PORTS);
191
192
193 //
194 // Miscellanea
// Every routine in this group takes an ssid (uint32) as its first argument.
195 //
196 routine getStatistics(UCSP_PORTS; in ssid: uint32; out statistics: CSSM_CSP_OPERATIONAL_STATISTICS);
197 routine getTime(UCSP_PORTS; in ssid: uint32; in algorithm: CSSM_ALGORITHMS; out data: Data);
198 routine getCounter(UCSP_PORTS; in ssid: uint32; out data: Data);
199 routine selfVerify(UCSP_PORTS; in ssid: uint32);
200
// Pass-through calls: `id` is a caller-chosen operation number and inData/outData
// are opaque Data blobs, so this interface places no constraint on their content.
// NOTE(review): confirm the server accepts only known ids and validates inData
// per id before interpreting it.
201 routine cspPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in context: Data; in hKey: IPCKeyHandle;
202 in inData: Data; out outData: Data);
203 routine dlPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in inData: Data; out outData: Data);
204
205
206 //
207 // Authorization subsystem
208 //
209 // routine authorizationCreate(UCSP_PORTS;
210 // in rights: Data;
211 // in flags: uint32;
212 // in environment: Data;
213 // out authorization: AuthorizationBlob);
214 skip;
215
216 // routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
217 // in flags: uint32);
218 skip;
219
220 // routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
221 // in rights: Data;
222 // in flags: uint32;
223 // in environment: Data;
224 // out result: Data);
225 skip;
226
227 // routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
228 // in tag: AuthorizationString;
229 // out info: Data);
230 skip;
231
232 // routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
233 // out form: AuthorizationExternalForm);
234 skip;
235
236 // routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
237 // out authorization: AuthorizationBlob);
238 skip;
239
240
241 //
242 // Session management subsystem
243 //
244 skip; // was getSessionInfo -- now kept by the kernel
245 skip; // was setupSession -- now kept by the kernel
246 skip; // was setSessionDistinguishedUid -- now kept by the kernel
247 skip; // was getSessionDistinguishedUid -- now kept by the kernel
248 skip; // was routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data);
249
250 //
251 // Notification subsystem
// A client posts an event identified by (domain, event) with a Data payload and a
// sequence number.
// NOTE(review): confirm the server restricts which callers (by sourceAudit) may
// post into which domain.
252 //
253 routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data;
254 in sequence: uint32);
255
256
257 //
258 // Database key management
// extractMasterKey takes two database handles (db, sourceDb), credentials and an ACL
// prototype, and returns a key handle plus header rather than key bytes.
// NOTE(review): judging by its name this exposes a database master key as a key
// object; confirm the server authorizes it against sourceDb's credentials.
259 //
260 routine extractMasterKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in sourceDb: IPCDbHandle;
261 in accessCredentials: Data; in aclEntryPrototype: Data;
262 in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
263
264
265 //
266 // AuthorizationDB operations
267 //
268 skip; // was: routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
269 skip; // was: routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data);
270 skip; // was: routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString);
271
272
273 //
274 // Miscellaneous administrative calls
275 //
276 skip; // was addCodeEquivalence
277 skip; // was removeCodeEquivalence
278 skip; // was setAlternateSystemRoot
279
280 //
281 // Subsidiary process (child) management.
282 // This call does NOT cause securityd-client activation.
// Declared as a simpleroutine: a one-way message with no reply. It therefore has no
// rcode and does not use UCSP_PORTS, and the sender gets no indication of failure.
// The server still receives the sender's audit token (sourceAudit), together with
// a send right (servicePort) and task_port.
// NOTE(review): task_port is named like a task port; if it is one, it is a powerful
// right - confirm the server checks it against sourceAudit before relying on it.
283 //
284 simpleroutine childCheckIn(ServerAuditToken sourceAudit: audit_token_t; requestport sport: mach_port_t;
285 in servicePort: mach_port_make_send_t; in task_port: mach_port_t);
286
// Live declaration of commitDbForSync. It sits here, after the other database calls,
// because its message id is fixed by its position in the file; the "#if 0" copy
// further up marks where it would go after a deliberate compatibility break.
287 #if 1
288 // This should move up to be with its buddies (see #if 0 above), but it won't move
289 // until we need to force an incompatible change for some other reason.
290 routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
291 out blob: DbBlob);
292 #endif
293
294 //
295 // The following three blocks of skips replace the old Code Hosting routines
296 //
297
298 skip;
299 skip;
300 skip;
301
302 skip;
303 skip;
304 skip;
305
306 skip;
307
308 //
309 // Keychain Syncing setup support calls
// Both routines return a new database handle (newDb).
// authenticateDbsForSync receives its list of database handles as one Data blob
// (ipcDbHandleArray), i.e. an array assembled by the caller.
// NOTE(review): confirm the server checks the blob length and every handle in it.
310 //
311 routine recodeDbForSync(UCSP_PORTS; in dbToClone: IPCDbHandle;
312 in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
313 routine authenticateDbsForSync(UCSP_PORTS; in ipcDbHandleArray: Data;
314 in agentData: Data; out newDb: IPCDbHandle);
315
316 //
317 // Allows the client to verify that the server really is root.
// verifyPrivileged carries nothing beyond UCSP_PORTS, so the only value identifying
// the responder that the client gets back is securitydCreds (the usersectoken).
// NOTE(review): presumably the client inspects that token for uid 0 - confirm in
// the client library.
318 //
319 routine verifyPrivileged(UCSP_PORTS);
320
321 //
322 // The original verifyPrivileged is subject to a Mach service in the middle attack (6986198).
// verifyPrivileged2 additionally returns a send right, originPort.
// NOTE(review): presumably the client compares originPort with the port it looked
// up for the server, so that a relaying intermediary is detected - confirm in the
// client library. New callers should prefer verifyPrivileged2; the original stays
// declared, which keeps its message id and those after it unchanged.
323 //
324 routine verifyPrivileged2(UCSP_PORTS; out originPort: mach_port_make_send_t);
325
326 // Internal Database call additions
// stashDb and stashDbCheck take only a database handle.
327 routine stashDb(UCSP_PORTS; in db: IPCDbHandle);
328 routine stashDbCheck(UCSP_PORTS; in db: IPCDbHandle);
329
// verifyKeyStorePassphrase takes only a retry count and changeKeyStorePassphrase
// takes no arguments, so neither request carries a passphrase.
// NOTE(review): presumably the server obtains the passphrase itself - confirm.
// resetKeyStorePassphrase does carry the passphrase, as Data.
// NOTE(review): confirm which callers (by sourceAudit) may invoke these three.
330 routine verifyKeyStorePassphrase(UCSP_PORTS; in retries: uint32_t);
331 routine resetKeyStorePassphrase(UCSP_PORTS; in passPhrase: Data);
332 routine changeKeyStorePassphrase(UCSP_PORTS);
333
334 //
335 // Keychain version change support calls
// recodeDbToVersion and cloneDb each take a source database handle and return a new
// one; recodeFinished takes a single database handle and returns only rcode.
// NOTE(review): newVersion is a caller-supplied uint32; confirm the server accepts
// only versions it knows.
336 //
337 routine recodeDbToVersion(UCSP_PORTS; in newVersion: uint32; in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
338 routine cloneDb(UCSP_PORTS; in srcDb: IPCDbHandle; in ident: Data; out newDb: IPCDbHandle);
339 routine recodeFinished(UCSP_PORTS; in db: IPCDbHandle);
340
341 //
342 // Keychain Test Support calls
// Returns a counter (attempts) and takes no input beyond UCSP_PORTS.
// NOTE(review): this is labelled test support but is declared unconditionally in
// this file; confirm whether the server restricts it outside test builds.
343 //
344 routine getUserPromptAttempts(UCSP_PORTS; out attempts: uint32_t);
345