]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/server.c
projects / apple / security.git / blob
? search:


cfef1c392f3a83010c09149cbcae2c663270b371
[apple/security.git] / OSX / sec / ipc / server.c
1 /*
2 * Copyright (c) 2007-2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if TARGET_DARWINOS
25 #undef OCTAGON
26 #undef SECUREOBJECTSYNC
27 #undef SHAREDWEBCREDENTIALS
28 #endif
29
30 #include <os/transaction_private.h>
31 #include <os/variant_private.h>
32
33 #include "keychain/SecureObjectSync/SOSPeerInfoDER.h"
34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
35 #include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
36 #include "keychain/SecureObjectSync/SOSInternal.h"
37 #include "keychain/SecureObjectSync/SOSPeerInfoCollections.h"
38 #include "keychain/SecureObjectSync/SOSControlServer.h"
39 #include <Security/SecBase.h>
40 #include <Security/SecBasePriv.h>
41 #include <Security/SecCertificatePriv.h>
42 #include <Security/SecEntitlements.h>
43 #include <Security/SecInternal.h>
44 #include <Security/SecItem.h>
45 #include <Security/SecItemPriv.h>
46 #include <Security/SecPolicy.h>
47 #include <Security/SecPolicyInternal.h>
48 #include <Security/SecTask.h>
49 #include <Security/SecTrustInternal.h>
50 #include <Security/SecuritydXPC.h>
51 #include <securityd/OTATrustUtilities.h>
52 #include <securityd/SOSCloudCircleServer.h>
53 #include <securityd/SecItemBackupServer.h>
54 #include <securityd/SecItemServer.h>
55 #include <securityd/SecLogSettingsServer.h>
56 #include <securityd/SecOTRRemote.h>
57 #include <securityd/SecTrustServer.h>
58 #include <securityd/SecTrustStoreServer.h>
59 #include <securityd/iCloudTrace.h>
60 #include <securityd/spi.h>
61 #include <utilities/SecCFError.h>
62 #include <utilities/SecCFWrappers.h>
63 #include <utilities/SecDb.h>
64 #include <utilities/SecIOFormat.h>
65 #include <utilities/SecXPCError.h>
66 #include <utilities/debugging.h>
67 #include <utilities/SecInternalReleasePriv.h>
68 #include <utilities/der_plist_internal.h>
69 #include <utilities/der_plist.h>
70 #include <securityd/personalization.h>
71 #include <securityd/SecPinningDb.h>
72 #include <securityd/SFKeychainControlManager.h>
73
74 #include <keychain/ckks/CKKS.h>
75 #include <keychain/ckks/CKKSControlServer.h>
76 #include "keychain/ot/OctagonControlServer.h"
77
78 #include <securityd/SFKeychainServer.h>
79 #if !TARGET_OS_BRIDGE
80 #include <securityd/PolicyReporter.h>
81 #endif
82
83 #include <AssertMacros.h>
84 #include <CoreFoundation/CFXPCBridge.h>
85 #include <CoreFoundation/CoreFoundation.h>
86 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
87
88 #if TARGET_OS_OSX
89 #include <Security/SecTaskPriv.h>
90 #include <login/SessionAgentStatusCom.h>
91 #endif
92 #include <asl.h>
93 #include <bsm/libbsm.h>
94 #include <ipc/securityd_client.h>
95 #include <libkern/OSAtomic.h>
96 #include <mach/mach.h>
97 #include <mach/message.h>
98 #include <notify.h>
99 #include <stdlib.h>
100 #include <sys/queue.h>
101 #include <sys/sysctl.h>
102 #include <syslog.h>
103 #include <xpc/private.h>
104 #include <xpc/xpc.h>
105
106 #include <ipc/server_security_helpers.h>
107 #include <ipc/server_entitlement_helpers.h>
108
109 #include "keychain/ot/OT.h"
110 #include "keychain/escrowrequest/EscrowRequestXPCServer.h"
111 #include "keychain/escrowrequest/EscrowRequestServerHelpers.h"
112
113 #if TARGET_OS_OSX
114 #include <sandbox.h>
115 #include <pwd.h>
116 #include <err.h>
117 #endif
118
119 #include "util.h"
120
121 #if SECUREOBJECTSYNC
122
123 CF_RETURNS_RETAINED
124 static CFStringRef
125 _xpc_dictionary_copy_CFString(xpc_object_t xdict, const char *key)
126 {
127 CFStringRef result = NULL;
128 const char *str = xpc_dictionary_get_string(xdict, key);
129 if (str != NULL) {
130 result = CFStringCreateWithCString(kCFAllocatorDefault, str, kCFStringEncodingUTF8);
131 }
132 return result;
133 }
134
135 CF_RETURNS_RETAINED
136 static CFDataRef
137 _xpc_dictionary_copy_CFDataNoCopy(xpc_object_t xdict, const char *key)
138 {
139 CFDataRef result = NULL;
140 size_t len = 0;
141 const void *ptr = xpc_dictionary_get_data(xdict, key, &len);
142 if (ptr != NULL) {
143 result = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, ptr, len, kCFAllocatorNull);
144 }
145 return result;
146 }
147
148 static void with_label_and_password(xpc_object_t message, void (^action)(CFStringRef label, CFDataRef password)) {
149 CFStringRef user_label = _xpc_dictionary_copy_CFString(message, kSecXPCKeyUserLabel);
150 CFDataRef user_password = _xpc_dictionary_copy_CFDataNoCopy(message, kSecXPCKeyUserPassword);
151
152 if (user_label != NULL && user_password != NULL) {
153 action(user_label, user_password);
154 }
155
156 CFReleaseNull(user_label);
157 CFReleaseNull(user_password);
158 }
159
160 static void with_label_and_password_and_dsid(xpc_object_t message, void (^action)(CFStringRef label, CFDataRef password, CFStringRef dsid)) {
161 CFStringRef user_label = _xpc_dictionary_copy_CFString(message, kSecXPCKeyUserLabel);
162 CFDataRef user_password = _xpc_dictionary_copy_CFDataNoCopy(message, kSecXPCKeyUserPassword);
163 CFStringRef dsid = _xpc_dictionary_copy_CFString(message, kSecXPCKeyDSID);
164
165 /* dsid is optional */
166 if (user_label != NULL && user_password != NULL) {
167 action(user_label, user_password, dsid);
168 }
169
170 CFReleaseNull(user_label);
171 CFReleaseNull(user_password);
172 CFReleaseNull(dsid);
173 }
174
175 static void with_view_and_action(xpc_object_t message, void (^action)(CFStringRef view_name, uint64_t view_action_code)) {
176 CFStringRef view = _xpc_dictionary_copy_CFString(message, kSecXPCKeyViewName);
177 const int64_t number = xpc_dictionary_get_int64(message, kSecXPCKeyViewActionCode);
178
179 if (view != NULL) {
180 action(view, number);
181 }
182
183 CFReleaseNull(view);
184 }
185
186 static CFArrayRef SecXPCDictionaryCopyPeerInfoArray(xpc_object_t dictionary, const char *key, CFErrorRef *error) {
187 return CreateArrayOfPeerInfoWithXPCObject(xpc_dictionary_get_value(dictionary, key), error);
188 }
189
190 static CFDataRef SecXPCDictionaryCopyCFDataRef(xpc_object_t message, const char *key, CFErrorRef *error) {
191 CFDataRef retval = NULL;
192 const uint8_t *bytes = NULL;
193 size_t len = 0;
194
195 bytes = xpc_dictionary_get_data(message, key, &len);
196 require_action_quiet(bytes, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("missing CFDataRef info"), NULL, error));
197 retval = CFDataCreate(NULL, bytes, len);
198 require_action_quiet(retval, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("could not allocate CFDataRef info"), NULL, error));
199 errOut:
200 return retval;
201 }
202
203 static CFSetRef CreateCFSetRefFromXPCObject(xpc_object_t xpcSetDER, CFErrorRef* error) {
204 CFSetRef retval = NULL;
205 require_action_quiet(xpcSetDER, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedNull, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("Unexpected Null Set to decode")));
206
207 require_action_quiet(xpc_get_type(xpcSetDER) == XPC_TYPE_DATA, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("xpcSetDER not data, got %@"), xpcSetDER));
208
209 const uint8_t* der = xpc_data_get_bytes_ptr(xpcSetDER);
210 const uint8_t* der_end = der + xpc_data_get_length(xpcSetDER);
211 der = der_decode_set(kCFAllocatorDefault, kCFPropertyListMutableContainersAndLeaves, &retval, error, der, der_end);
212 if (der != der_end) {
213 SecError(errSecDecode, error, CFSTR("trailing garbage at end of SecAccessControl data"));
214 goto errOut;
215 }
216 return retval;
217 errOut:
218 CFReleaseNull(retval);
219 return NULL;
220 }
221
222 static SOSPeerInfoRef SecXPCDictionaryCopyPeerInfo(xpc_object_t message, const char *key, CFErrorRef *error) {
223 size_t length = 0;
224 const uint8_t *der = xpc_dictionary_get_data(message, key, &length);
225
226 return SecRequirementError(der != NULL, error, CFSTR("No data for key %s"), key) ? SOSPeerInfoCreateFromDER(kCFAllocatorDefault, error, &der, der + length) : NULL;
227 }
228
229 static CFSetRef SecXPCSetCreateFromXPCDictionaryElement(xpc_object_t event, const char *key) {
230 CFErrorRef error = NULL;
231 xpc_object_t object = xpc_dictionary_get_value(event, key);
232 CFSetRef retval = NULL;
233 if(object) retval = CreateCFSetRefFromXPCObject(object, &error);
234 CFReleaseNull(error);
235 return retval;
236 }
237
238 static inline
239 void xpc_dictionary_set_and_consume_CFArray(xpc_object_t xdict, const char *key, CF_CONSUMED CFArrayRef cf_array) {
240 if (cf_array) {
241 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(cf_array);
242 xpc_dictionary_set_value(xdict, key, xpc_array);
243 xpc_release(xpc_array);
244 }
245 CFReleaseNull(cf_array);
246 }
247
248 static inline
249 bool xpc_dictionary_set_and_consume_PeerInfoArray(xpc_object_t xdict, const char *key, CF_CONSUMED CFArrayRef cf_array, CFErrorRef *error) {
250 bool success = true;
251 if (cf_array) {
252 xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(cf_array, error);
253 if (xpc_array) {
254 xpc_dictionary_set_value(xdict, key, xpc_array);
255 xpc_release(xpc_array);
256 } else {
257 success = false;
258 }
259 }
260 CFReleaseNull(cf_array);
261 return success;
262 }
263
264 #endif /* SECUREOBJECTSYNC */
265
266 static CFDataRef
267 SecDataCopyMmapFileDescriptor(int fd, void **mem, size_t *size, CFErrorRef *error)
268 {
269 struct stat sb;
270 if (fstat(fd, &sb) < 0) {
271 return NULL;
272 }
273
274 *size = (size_t)sb.st_size;
275 if ((off_t)*size != sb.st_size) {
276 return NULL;
277 }
278
279 *mem = mmap(NULL, *size, PROT_READ, MAP_SHARED, fd, 0);
280 if (*mem == MAP_FAILED) {
281 return NULL;
282 }
283
284 return CFDataCreateWithBytesNoCopy(NULL, *mem, *size, kCFAllocatorNull);
285 }
286
287 static bool
288 SecDataWriteFileDescriptor(int fd, CFDataRef data)
289 {
290 CFIndex count = CFDataGetLength(data);
291 const uint8_t *ptr = CFDataGetBytePtr(data);
292 bool writeResult = false;
293
294 while (count) {
295 ssize_t ret = write(fd, ptr, count);
296 if (ret <= 0)
297 break;
298 count -= ret;
299 ptr += ret;
300 }
301 if (count == 0)
302 writeResult = true;
303
304 return writeResult;
305 }
306
307 // Returns error if entitlement isn't present.
308 static bool
309 EntitlementPresentAndTrue(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error)
310 {
311 if (!SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) {
312 SecError(errSecMissingEntitlement, error, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation)op), clientTask, entitlement);
313 return false;
314 }
315 return true;
316 }
317
318 static bool
319 EntitlementAbsentOrFalse(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error)
320 {
321 if (SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) {
322 SecError(errSecNotAvailable, error, CFSTR("%@: %@ has entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation) op), clientTask, entitlement);
323 return false;
324 }
325 return true;
326 }
327
328 static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_object_t event) {
329 xpc_type_t type = xpc_get_type(event);
330 __block CFErrorRef error = NULL;
331 xpc_object_t xpcError = NULL;
332 xpc_object_t replyMessage = NULL;
333 CFDataRef clientAuditToken = NULL;
334 CFArrayRef domains = NULL;
335 SecurityClient client = {
336 .task = NULL,
337 .accessGroups = NULL,
338 .musr = NULL,
339 .uid = xpc_connection_get_euid(connection),
340 .allowSystemKeychain = false,
341 .allowSyncBubbleKeychain = false,
342 .isNetworkExtension = false,
343 .canAccessNetworkExtensionAccessGroups = false,
344 };
345
346 secdebug("serverxpc", "entering");
347 if (type == XPC_TYPE_DICTIONARY) {
348 // TODO: Find out what we're dispatching.
349 replyMessage = xpc_dictionary_create_reply(event);
350
351 uint64_t operation = xpc_dictionary_get_uint64(event, kSecXPCKeyOperation);
352
353 audit_token_t auditToken = {};
354 xpc_connection_get_audit_token(connection, &auditToken);
355 clientAuditToken = CFDataCreate(kCFAllocatorDefault, (const UInt8*)&auditToken, sizeof(auditToken));
356
357 if (!fill_security_client(&client, xpc_connection_get_euid(connection), auditToken)) {
358 CFReleaseNull(clientAuditToken);
359 xpc_connection_send_message(connection, replyMessage);
360 xpc_release(replyMessage);
361 return;
362 }
363
364 #if TARGET_OS_IOS
365 if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) {
366 domains = SecTaskCopySharedWebCredentialDomains(client.task);
367 }
368 #endif
369 secinfo("serverxpc", "XPC [%@] operation: %@ (%" PRIu64 ")", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), operation);
370
371 switch (operation)
372 {
373 case sec_item_add_id:
374 {
375 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
376 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
377 if (query) {
378 // Check for any entitlement-required attributes
379 bool entitlementsCorrect = true;
380 if(CFDictionaryGetValue(query, kSecAttrDeriveSyncIDFromItemAttributes) ||
381 CFDictionaryGetValue(query, kSecAttrPCSPlaintextServiceIdentifier) ||
382 CFDictionaryGetValue(query, kSecAttrPCSPlaintextPublicKey) ||
383 CFDictionaryGetValue(query, kSecAttrPCSPlaintextPublicIdentity)) {
384 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_add_id, client.task, kSecEntitlementPrivateCKKSPlaintextFields, &error);
385 }
386 if (entitlementsCorrect && CFDictionaryGetValue(query, kSecAttrSysBound)) {
387 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_add_id, client.task, kSecEntitlementPrivateSysBound, &error);
388 }
389
390 CFTypeRef result = NULL;
391 if(entitlementsCorrect) {
392 if (_SecItemAdd(query, &client, &result, &error) && result) {
393 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
394 CFReleaseNull(result);
395 }
396 }
397 CFReleaseNull(query);
398 }
399 break;
400 }
401 }
402 case sec_item_copy_matching_id:
403 {
404 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
405 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
406 if (query) {
407 CFTypeRef result = NULL;
408 if (_SecItemCopyMatching(query, &client, &result, &error) && result) {
409 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
410 CFReleaseNull(result);
411 }
412 CFReleaseNull(query);
413 }
414 break;
415 }
416 }
417 case sec_item_update_id:
418 {
419 if (EntitlementAbsentOrFalse(sec_item_update_id, client.task, kSecEntitlementKeychainDeny, &error)) {
420 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
421 if (query) {
422 CFDictionaryRef attributesToUpdate = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyAttributesToUpdate, &error);
423 if (attributesToUpdate) {
424 // Check for any entitlement-required attributes
425 bool entitlementsCorrect = true;
426 if(CFDictionaryGetValue(query, kSecAttrDeriveSyncIDFromItemAttributes) ||
427 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextServiceIdentifier) ||
428 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextPublicKey) ||
429 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextPublicIdentity)) {
430 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_update_id, client.task, kSecEntitlementPrivateCKKSPlaintextFields, &error);
431 }
432 if (entitlementsCorrect && CFDictionaryGetValue(query, kSecAttrSysBound)) {
433 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_update_id, client.task, kSecEntitlementPrivateSysBound, &error);
434 }
435
436 if(entitlementsCorrect) {
437 bool result = _SecItemUpdate(query, attributesToUpdate, &client, &error);
438 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
439 }
440 CFReleaseNull(attributesToUpdate);
441 }
442 CFReleaseNull(query);
443 }
444 }
445 break;
446 }
447 case sec_item_delete_id:
448 {
449 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
450 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
451 if (query) {
452 bool result = _SecItemDelete(query, &client, &error);
453 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
454 CFReleaseNull(query);
455 }
456 }
457 break;
458 }
459 case sec_item_update_token_items_id:
460 {
461 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
462 CFStringRef tokenID = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
463 CFArrayRef attributes = SecXPCDictionaryCopyArray(event, kSecXPCKeyQuery, &error);
464 if (tokenID) {
465 bool result = _SecItemUpdateTokenItems(tokenID, attributes, &client, &error);
466 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
467 }
468 CFReleaseNull(tokenID);
469 CFReleaseNull(attributes);
470 }
471 break;
472 }
473 case sec_delete_all_id:
474 {
475 bool retval = false;
476 #if TARGET_OS_IPHONE
477 /* buddy is temporary allowed to do this */
478 CFStringRef applicationIdentifier = SecTaskCopyApplicationIdentifier(client.task);
479 bool isBuddy = applicationIdentifier &&
480 CFEqual(applicationIdentifier, CFSTR("com.apple.purplebuddy"));
481 CFReleaseNull(applicationIdentifier);
482
483 if (isBuddy || EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateDeleteAll, &error))
484 {
485 retval = _SecItemDeleteAll(&error);
486 }
487 #endif
488 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
489 break;
490 }
491 case sec_keychain_backup_id:
492 {
493 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
494 CFDataRef keybag = NULL, passcode = NULL;
495 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybag, &error)) {
496 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
497 bool emcs = SecXPCDictionaryGetBool(event, kSecXPCKeyEMCSBackup, NULL);
498 CFDataRef backup = _SecServerKeychainCreateBackup(&client, keybag, passcode, emcs, &error);
499 if (backup) {
500 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
501 if (fd < 0) {
502 SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, backup, &error);
503 } else {
504 bool writeResult = SecDataWriteFileDescriptor(fd, backup);
505 if (close(fd) != 0)
506 writeResult = false;
507 if (!writeResult)
508 SecError(errSecIO, &error, CFSTR("Failed to write backup file: %d"), errno);
509 SecXPCDictionarySetBool(replyMessage, kSecXPCKeyResult, writeResult, NULL);
510 }
511 CFRelease(backup);
512 }
513 CFReleaseSafe(passcode);
514 }
515 CFReleaseSafe(keybag);
516 }
517 }
518 break;
519 }
520 case sec_keychain_restore_id:
521 {
522 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
523 CFDataRef backup = NULL;
524 void *mem = NULL;
525 size_t size = 0;
526
527 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
528 if (fd != -1) {
529 backup = SecDataCopyMmapFileDescriptor(fd, &mem, &size, &error);
530 } else {
531 backup = SecXPCDictionaryCopyData(event, kSecXPCKeyBackup, &error);
532 }
533 if (backup) {
534 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
535 if (keybag) {
536 CFDataRef passcode = NULL;
537 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
538 bool result = _SecServerKeychainRestore(backup, &client, keybag, passcode, &error);
539 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
540 CFReleaseSafe(passcode);
541 }
542 }
543 CFReleaseNull(keybag);
544 }
545 CFReleaseNull(backup);
546 if (fd != -1)
547 close(fd);
548 if (mem) {
549 munmap(mem, size);
550 }
551 }
552 break;
553 }
554 case sec_keychain_backup_keybag_uuid_id:
555 {
556 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
557 CFDataRef backup = NULL;
558 CFStringRef uuid = NULL;
559 void *mem = NULL;
560 size_t size = 0;
561
562 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
563 if (fd != -1) {
564 backup = SecDataCopyMmapFileDescriptor(fd, &mem, &size, &error);
565 if (backup)
566 uuid = _SecServerBackupCopyUUID(backup, &error);
567 }
568 if (uuid)
569 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, uuid, &error);
570
571 CFReleaseNull(backup);
572 if (fd != -1)
573 close(fd);
574 if (mem) {
575 munmap(mem, size);
576 }
577 CFReleaseNull(uuid);
578 }
579 break;
580 }
581 #if SECUREOBJECTSYNC
582 case sec_keychain_sync_update_message_id:
583 {
584 CFDictionaryRef updates = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
585 if (updates) {
586 CFArrayRef result = _SecServerKeychainSyncUpdateMessage(updates, &error);
587 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
588 CFReleaseNull(result);
589 }
590 CFReleaseNull(updates);
591 break;
592 }
593 case sec_keychain_backup_syncable_id:
594 {
595 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
596 CFDictionaryRef oldbackup = NULL;
597 if (SecXPCDictionaryCopyDictionaryOptional(event, kSecXPCKeyBackup, &oldbackup, &error)) {
598 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
599 if (keybag) {
600 CFDataRef passcode = NULL;
601 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
602 CFDictionaryRef newbackup = _SecServerBackupSyncable(oldbackup, keybag, passcode, &error);
603 if (newbackup) {
604 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, newbackup, &error);
605 CFRelease(newbackup);
606 }
607 CFReleaseSafe(passcode);
608 }
609 CFReleaseNull(keybag);
610 }
611 CFReleaseSafe(oldbackup);
612 }
613 }
614 break;
615 }
616 case sec_keychain_restore_syncable_id:
617 {
618 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
619 CFDictionaryRef backup = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyBackup, &error);
620 if (backup) {
621 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
622 if (keybag) {
623 CFDataRef passcode = NULL;
624 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
625 bool result = _SecServerRestoreSyncable(backup, keybag, passcode, &error);
626 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
627 CFReleaseSafe(passcode);
628 }
629 CFReleaseNull(keybag);
630 }
631 CFReleaseNull(backup);
632 }
633 }
634 break;
635 }
636 case sec_item_backup_copy_names_id:
637 {
638 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
639 CFArrayRef names = SecServerItemBackupCopyNames(&error);
640 SecXPCDictionarySetPListOptional(replyMessage, kSecXPCKeyResult, names, &error);
641 CFReleaseSafe(names);
642 }
643 break;
644 }
645 case sec_item_backup_handoff_fd_id:
646 {
647 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
648 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
649 int fd = -1;
650 if (backupName) {
651 fd = SecServerItemBackupHandoffFD(backupName, &error);
652 CFRelease(backupName);
653 }
654 SecXPCDictionarySetFileDescriptor(replyMessage, kSecXPCKeyResult, fd, &error);
655 if (fd != -1)
656 close(fd);
657 }
658 break;
659 }
660 case sec_item_backup_set_confirmed_manifest_id:
661 {
662 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
663 CFDataRef keybagDigest = NULL;
664 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybagDigest, &error)) {
665 CFDataRef manifest = NULL;
666 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCData, &manifest, &error)) {
667 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
668 if (backupName) {
669 bool result = SecServerItemBackupSetConfirmedManifest(backupName, keybagDigest, manifest, &error);
670 CFRelease(backupName);
671 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
672 }
673 CFReleaseSafe(manifest);
674 }
675 }
676 CFReleaseNull(keybagDigest);
677 }
678 break;
679 }
680 case sec_item_backup_restore_id:
681 {
682 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
683 bool result = false;
684 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
685 if (backupName) {
686 CFStringRef peerID = NULL;
687 if (SecXPCDictionaryCopyStringOptional(event, kSecXPCKeyDigest, &peerID, &error)) {
688 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
689 if (keybag) {
690 CFDataRef secret = SecXPCDictionaryCopyData(event, kSecXPCKeyUserPassword, &error);
691 if (secret) {
692 CFDataRef backup = SecXPCDictionaryCopyData(event, kSecXPCData, &error);
693 if (backup) {
694 result = SecServerItemBackupRestore(backupName, peerID, keybag, secret, backup, &error);
695 CFRelease(backup);
696 }
697 CFRelease(secret);
698 }
699 CFRelease(keybag);
700 }
701 CFReleaseSafe(peerID);
702 }
703 CFRelease(backupName);
704 }
705 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
706 }
707 break;
708 }
709 case sec_add_shared_web_credential_id:
710 {
711 #if SHAREDWEBCREDENTIALS
712 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
713 if (query) {
714 CFTypeRef result = NULL;
715
716 CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
717 if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
718 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
719 CFReleaseNull(result);
720 }
721 CFReleaseSafe(appID);
722 CFReleaseNull(query);
723 }
724 #else
725 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
726 #endif
727 break;
728 }
729 case sec_copy_shared_web_credential_id:
730 {
731 #if SHAREDWEBCREDENTIALS
732 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
733 if (query) {
734 CFTypeRef result = NULL;
735 CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
736 if (_SecCopySharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
737 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
738 CFReleaseNull(result);
739 }
740 CFReleaseSafe(appID);
741 CFReleaseNull(query);
742 }
743 #else
744 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
745 #endif
746 break;
747 }
748 case sec_get_log_settings_id:
749 {
750 CFPropertyListRef currentList = SecCopyLogSettings_Server(&error);
751 if (currentList) {
752 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, currentList, &error);
753 }
754 CFReleaseSafe(currentList);
755 break;
756 }
757 case sec_set_xpc_log_settings_id:
758 {
759 CFPropertyListRef newSettings = SecXPCDictionaryCopyPList(event, kSecXPCKeyQuery, &error);
760 if (newSettings) {
761 SecSetXPCLogSettings_Server(newSettings, &error);
762 }
763 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
764 CFReleaseNull(newSettings);
765 break;
766 }
767 case sec_set_circle_log_settings_id:
768 {
769 CFPropertyListRef newSettings = SecXPCDictionaryCopyPList(event, kSecXPCKeyQuery, &error);
770 if (newSettings) {
771 SecSetCircleLogSettings_Server(newSettings, &error);
772 }
773 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
774 CFReleaseNull(newSettings);
775 break;
776 }
777 case sec_otr_session_create_remote_id:
778 {
779 CFDataRef publicPeerId = NULL;
780 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCPublicPeerId, &publicPeerId, &error)) {
781 CFDataRef otrSession = _SecOTRSessionCreateRemote(publicPeerId, &error);
782 if (otrSession) {
783 SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, otrSession, &error);
784 CFReleaseNull(otrSession);
785 }
786 CFReleaseSafe(publicPeerId);
787 }
788 break;
789 }
790 case sec_otr_session_process_packet_remote_id:
791 {
792 CFDataRef sessionData = NULL, inputPacket = NULL, outputSessionData = NULL, outputPacket = NULL;
793 bool readyForMessages = false;
794 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCOTRSession, &sessionData, &error)) {
795 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCData, &inputPacket, &error)) {
796 bool result = _SecOTRSessionProcessPacketRemote(sessionData, inputPacket, &outputSessionData, &outputPacket, &readyForMessages, &error);
797 if (result) {
798 SecXPCDictionarySetData(replyMessage, kSecXPCOTRSession, outputSessionData, &error);
799 SecXPCDictionarySetData(replyMessage, kSecXPCData, outputPacket, &error);
800 xpc_dictionary_set_bool(replyMessage, kSecXPCOTRReady, readyForMessages);
801 CFReleaseNull(outputSessionData);
802 CFReleaseNull(outputPacket);
803 }
804 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
805
806 CFReleaseSafe(inputPacket);
807 }
808 CFReleaseSafe(sessionData);
809 }
810 break;
811 }
812 case kSecXPCOpTryUserCredentials:
813 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
814 with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) {
815 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
816 SOSCCTryUserCredentials_Server(label, password, dsid, &error));
817 });
818 }
819 break;
820 case kSecXPCOpSetUserCredentials:
821 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
822 with_label_and_password(event, ^(CFStringRef label, CFDataRef password) {
823 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
824 SOSCCSetUserCredentials_Server(label, password, &error));
825 });
826 }
827 break;
828 case kSecXPCOpSetUserCredentialsAndDSID:
829 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
830 with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) {
831 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
832 SOSCCSetUserCredentialsAndDSID_Server(label, password, dsid, &error));
833 });
834 }
835 break;
836 case kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics:
837 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
838 with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) {
839 CFDataRef parentEvent = NULL;
840 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
841 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetUserCredentialsAndDSIDWithAnalytics_Server(label, password, dsid, parentEvent, &error));
842 }else{
843 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetUserCredentialsAndDSID_Server(label, password, dsid, &error));
844 }
845 CFReleaseNull(parentEvent);
846 });
847 }
848 break;
849 case kSecXPCOpView:
850 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
851 with_view_and_action(event, ^(CFStringRef view, uint64_t actionCode) {
852 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
853 SOSCCView_Server(view, (SOSViewActionCode)actionCode, &error));
854 });
855 }
856 break;
857 case kSecXPCOpViewSet: // FALLTHROUGH
858 case kSecXPCOpViewSetWithAnalytics:
859 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
860 CFSetRef enabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyEnabledViewsKey);
861 CFSetRef disabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyDisabledViewsKey);
862 CFDataRef parentEvent = NULL;
863 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error)){
864 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCViewSetWithAnalytics_Server(enabledViews, disabledViews, parentEvent));
865 }
866 CFReleaseNull(enabledViews);
867 CFReleaseNull(disabledViews);
868 CFReleaseNull(parentEvent);
869 }
870 break;
871 case kSecXPCOpCanAuthenticate:
872 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
873 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
874 SOSCCCanAuthenticate_Server(&error));
875 }
876 break;
877 case kSecXPCOpPurgeUserCredentials:
878 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
879 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
880 SOSCCPurgeUserCredentials_Server(&error));
881 }
882 break;
883 case kSecXPCOpDeviceInCircle:
884 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
885 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
886 SOSCCThisDeviceIsInCircle_Server(&error));
887 }
888 break;
889 case kSecXPCOpRequestToJoin:
890 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
891 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
892 SOSCCRequestToJoinCircle_Server(&error));
893 }
894 break;
895 case kSecXPCOpRequestToJoinWithAnalytics:
896 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
897 CFDataRef parentEvent = NULL;
898 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
899 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestToJoinCircleWithAnalytics_Server(parentEvent, &error));
900 }else{
901 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestToJoinCircle_Server(&error));
902 }
903 CFReleaseNull(parentEvent);
904 }
905 break;
906 case kSecXPCOpAccountHasPublicKey:
907 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
908 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
909 SOSCCAccountHasPublicKey_Server(&error));
910 }
911 break;
912 case kSecXPCOpAccountIsNew:
913 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
914 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
915 SOSCCAccountIsNew_Server(&error));
916 }
917 break;
918 case kSecXPCOpRequestToJoinAfterRestore:
919 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
920 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
921 SOSCCRequestToJoinCircleAfterRestore_Server(&error));
922 }
923 break;
924 case kSecXPCOpRequestToJoinAfterRestoreWithAnalytics:
925 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
926 CFDataRef parentEvent = NULL;
927 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
928 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestToJoinCircleAfterRestoreWithAnalytics_Server(parentEvent, &error));
929 }else{
930 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestToJoinCircleAfterRestore_Server(&error));
931 }
932 CFReleaseNull(parentEvent);
933 }
934 break;
935 case kSecXPCOpRequestEnsureFreshParameters:
936 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
937 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
938 SOSCCRequestEnsureFreshParameters_Server(&error));
939 }
940 break;
941 case kSecXPCOpGetAllTheRings:
942 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
943 CFStringRef ringDescriptions = SOSCCGetAllTheRings_Server(&error);
944 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(ringDescriptions);
945 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
946 xpc_release(xpc_dictionary);
947 CFReleaseNull(ringDescriptions);
948 }
949 break;
950 case kSecXPCOpApplyToARing:
951 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
952 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
953 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCApplyToARing_Server(ringName, &error));
954 CFReleaseNull(ringName);
955 }
956 break;
957 case kSecXPCOpWithdrawlFromARing:
958 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
959 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
960 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCWithdrawlFromARing_Server(ringName, &error));
961 CFReleaseNull(ringName);
962 }
963 break;
964 case kSecXPCOpRingStatus:
965 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
966 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
967 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRingStatus_Server(ringName, &error));
968 CFReleaseNull(ringName);
969 }
970 break;
971 case kSecXPCOpEnableRing:
972 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
973 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
974 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCEnableRing_Server(ringName, &error));
975 CFReleaseNull(ringName);
976 }
977 break;
978 case kSecXPCOpRequestDeviceID:
979 case kSecXPCOpSetDeviceID:
980 case kSecXPCOpHandleIDSMessage:
981 case kSecXPCOpSyncWithIDSPeer:
982 case kSecXPCOpSendIDSMessage:
983 case kSecXPCOpPingTest:
984 case kSecXPCOpIDSDeviceID:
985 case kSecXPCOpSyncWithKVSPeerIDOnly:{
986 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyError, errSecUnimplemented);
987 }
988 break;
989 case kSecXPCOpAccountSetToNew:
990 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
991 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCAccountSetToNew_Server(&error));
992 }
993 break;
994 case kSecXPCOpResetToOffering:
995 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
996 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
997 SOSCCResetToOffering_Server(&error));
998 }
999 break;
1000 case kSecXPCOpResetToEmpty:
1001 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1002 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1003 SOSCCResetToEmpty_Server(&error));
1004 }
1005 break;
1006 case kSecXPCOpResetToEmptyWithAnalytics:
1007 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1008 CFDataRef parentEvent = NULL;
1009 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
1010 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCResetToEmptyWithAnalytics_Server(parentEvent, &error));
1011 }else{
1012 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCResetToEmpty_Server(&error));
1013 }
1014 }
1015 break;
1016 case kSecXPCOpRemoveThisDeviceFromCircle:
1017 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1018 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1019 SOSCCRemoveThisDeviceFromCircle_Server(&error));
1020 }
1021 break;
1022 case kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics:
1023 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1024 CFDataRef parentEvent = NULL;
1025 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
1026 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRemoveThisDeviceFromCircleWithAnalytics_Server(parentEvent, &error));
1027 }else{
1028 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRemoveThisDeviceFromCircle_Server(&error));
1029 }
1030 CFReleaseNull(parentEvent);
1031 }
1032 break;
1033 case kSecXPCOpRemovePeersFromCircle:
1034 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1035 CFArrayRef applicants = SecXPCDictionaryCopyPeerInfoArray(event, kSecXPCKeyPeerInfoArray, &error);
1036 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1037 SOSCCRemovePeersFromCircle_Server(applicants, &error));
1038 CFReleaseNull(applicants);
1039 }
1040 break;
1041 case kSecXPCOpRemovePeersFromCircleWithAnalytics:
1042 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1043 CFArrayRef applicants = SecXPCDictionaryCopyPeerInfoArray(event, kSecXPCKeyPeerInfoArray, &error);
1044 CFDataRef parentEvent = NULL;
1045 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
1046 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRemovePeersFromCircleWithAnalytics_Server(applicants, parentEvent, &error));
1047 }else{
1048 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRemovePeersFromCircle_Server(applicants, &error));
1049 }
1050 CFReleaseNull(parentEvent);
1051 CFReleaseNull(applicants);
1052 }
1053 break;
1054 case kSecXPCOpLoggedOutOfAccount:
1055 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1056 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1057 SOSCCLoggedOutOfAccount_Server(&error));
1058 }
1059 break;
1060 case kSecXPCOpBailFromCircle:
1061 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1062 // 0 is valid; ok for this parameter to be unset or incorrect type. Note: kSecXPCLimitInMinutes is actually seconds, not minutes
1063 uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);
1064 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1065 SOSCCBailFromCircle_Server(limit_in_seconds, &error));
1066 }
1067 break;
1068 case kSecXPCOpAcceptApplicants:
1069 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1070 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfoArray);
1071 // CreateArrayOfPeerInfoWithXPCObject enforces that xapplicants is a non-NULL xpc data object
1072 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
1073 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1074 (applicants && SOSCCAcceptApplicants_Server(applicants, &error)));
1075 CFReleaseSafe(applicants);
1076 }
1077 break;
1078 case kSecXPCOpRejectApplicants:
1079 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1080 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfoArray);
1081 // CreateArrayOfPeerInfoWithXPCObject enforces that xapplicants is a non-NULL xpc data object
1082 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
1083 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1084 (applicants && SOSCCRejectApplicants_Server(applicants, &error)));
1085 CFReleaseSafe(applicants);
1086 }
1087 break;
1088 case kSecXPCOpSetNewPublicBackupKey:
1089 {
1090 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1091 CFDataRef publicBackupKey = SecXPCDictionaryCopyData(event, kSecXPCKeyNewPublicBackupKey, &error);
1092 if (publicBackupKey != NULL) {
1093 SOSPeerInfoRef peerInfo = SOSCCSetNewPublicBackupKey_Server(publicBackupKey, &error);
1094 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1095 CFReleaseNull(peerInfo);
1096 if (peerInfoData) {
1097 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1098 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1099 xpc_release(xpc_object);
1100 }
1101 CFReleaseNull(peerInfoData);
1102 CFReleaseSafe(publicBackupKey);
1103 }
1104 }
1105 }
1106 break;
1107 case kSecXPCOpRegisterRecoveryPublicKey:
1108 {
1109 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1110 CFDataRef recovery_key = SecXPCDictionaryCopyData(event, kSecXPCKeyRecoveryPublicKey, &error);
1111 if (recovery_key != NULL) {
1112 uint8_t zero = 0;
1113 CFDataRef nullData = CFDataCreate(kCFAllocatorDefault, &zero, 1); // token we send if we really wanted to send NULL
1114 if(CFEqual(recovery_key, nullData)) {
1115 CFReleaseNull(recovery_key);
1116 }
1117 CFReleaseNull(nullData);
1118 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRegisterRecoveryPublicKey_Server(recovery_key, &error));
1119 CFReleaseNull(recovery_key);
1120 }
1121 }
1122 }
1123 break;
1124 case kSecXPCOpGetRecoveryPublicKey:
1125 {
1126 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1127 xpc_object_t xpc_recovery_object = NULL;
1128 CFDataRef recovery = SOSCCCopyRecoveryPublicKey(&error);
1129 if(recovery)
1130 xpc_recovery_object = _CFXPCCreateXPCObjectFromCFObject(recovery);
1131
1132 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_recovery_object);
1133 CFReleaseNull(recovery);
1134 }
1135 }
1136 break;
1137 case kSecXPCOpSetBagForAllSlices:
1138 {
1139 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1140 CFDataRef backupSlice = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error); // NULL checked below
1141 bool includeV0 = xpc_dictionary_get_bool(event, kSecXPCKeyIncludeV0); // false is ok, so it's safe for this paramter to be unset or incorrect type
1142 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, backupSlice && SOSCCRegisterSingleRecoverySecret_Server(backupSlice, includeV0, &error));
1143 CFReleaseSafe(backupSlice);
1144 }
1145 }
1146 break;
1147 case kSecXPCOpCopyApplicantPeerInfo:
1148 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1149 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1150 SOSCCCopyApplicantPeerInfo_Server(&error),
1151 &error);
1152 }
1153 break;
1154 case kSecXPCOpCopyValidPeerPeerInfo:
1155 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1156 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1157 SOSCCCopyValidPeerPeerInfo_Server(&error),
1158 &error);
1159 }
1160 break;
1161 case kSecXPCOpValidateUserPublic:
1162 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1163 bool trusted = SOSCCValidateUserPublic_Server(&error);
1164 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, trusted);
1165 }
1166 break;
1167 case kSecXPCOpCopyNotValidPeerPeerInfo:
1168 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1169 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1170 SOSCCCopyNotValidPeerPeerInfo_Server(&error),
1171 &error);
1172 }
1173 break;
1174 case kSecXPCOpCopyGenerationPeerInfo:
1175 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1176 xpc_dictionary_set_and_consume_CFArray(replyMessage, kSecXPCKeyResult,
1177 SOSCCCopyGenerationPeerInfo_Server(&error));
1178 }
1179 break;
1180 case kSecXPCOpCopyRetirementPeerInfo:
1181 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1182 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1183 SOSCCCopyRetirementPeerInfo_Server(&error),
1184 &error);
1185 }
1186 break;
1187 case kSecXPCOpCopyViewUnawarePeerInfo:
1188 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1189 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1190 SOSCCCopyViewUnawarePeerInfo_Server(&error),
1191 &error);
1192 }
1193 break;
1194 case kSecXPCOpCopyAccountData:
1195 {
1196 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1197 xpc_object_t xpc_account_object = NULL;
1198 CFDataRef accountData = SOSCCCopyAccountState_Server(&error);
1199 if(accountData)
1200 xpc_account_object = _CFXPCCreateXPCObjectFromCFObject(accountData);
1201
1202 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_account_object);
1203 CFReleaseNull(accountData);
1204 }
1205 break;
1206 }
1207 case kSecXPCOpDeleteAccountData:
1208 {
1209 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1210 bool status = SOSCCDeleteAccountState_Server(&error);
1211 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
1212 }
1213 break;
1214 }
1215 case kSecXPCOpCopyEngineData:
1216 {
1217 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1218
1219 xpc_object_t xpc_engine_object = NULL;
1220 CFDataRef engineData = SOSCCCopyEngineData_Server(&error);
1221 if(engineData)
1222 xpc_engine_object = _CFXPCCreateXPCObjectFromCFObject(engineData);
1223
1224 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_engine_object);
1225 CFReleaseNull(engineData);
1226
1227 }
1228 break;
1229 }
1230 case kSecXPCOpDeleteEngineData:
1231 {
1232 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1233 bool status = SOSCCDeleteEngineState_Server(&error);
1234 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
1235 }
1236 break;
1237 }
1238 case kSecXPCOpCopyEngineState:
1239 {
1240 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1241 CFArrayRef array = SOSCCCopyEngineState_Server(&error);
1242 CFDataRef derData = NULL;
1243
1244 require_quiet(array, done);
1245 derData = CFPropertyListCreateDERData(kCFAllocatorDefault, array, &error);
1246
1247 require_quiet(derData, done);
1248 xpc_dictionary_set_data(replyMessage, kSecXPCKeyResult, CFDataGetBytePtr(derData), CFDataGetLength(derData));
1249 done:
1250 CFReleaseNull(derData);
1251 CFReleaseNull(array);
1252 }
1253 }
1254 break;
1255 case kSecXPCOpCopyPeerPeerInfo:
1256 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1257 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1258 SOSCCCopyPeerPeerInfo_Server(&error),
1259 &error);
1260 }
1261 break;
1262 case kSecXPCOpCopyConcurringPeerPeerInfo:
1263 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1264 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1265 SOSCCCopyConcurringPeerPeerInfo_Server(&error),
1266 &error);
1267 }
1268 break;
1269 case kSecXPCOpCopyMyPeerInfo:
1270 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1271 SOSPeerInfoRef peerInfo = SOSCCCopyMyPeerInfo_Server(&error);
1272 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1273 CFReleaseNull(peerInfo);
1274 if (peerInfoData) {
1275 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1276 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1277 xpc_release(xpc_object);
1278 }
1279 CFReleaseNull(peerInfoData);
1280 }
1281 break;
1282 case kSecXPCOpGetLastDepartureReason:
1283 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1284 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1285 SOSCCGetLastDepartureReason_Server(&error));
1286 }
1287 break;
1288 case kSecXPCOpSetLastDepartureReason:
1289 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1290 // 0 is a legitimate reason (kSOSDepartureReasonError), so it's safe for this parameter to be unset or incorrect type
1291 int32_t reason = (int32_t) xpc_dictionary_get_int64(event, kSecXPCKeyReason);
1292 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1293 SOSCCSetLastDepartureReason_Server(reason, &error));
1294 }
1295 break;
1296 case kSecXPCOpProcessSyncWithPeers:
1297 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1298 CFSetRef peers = SecXPCDictionaryCopySet(event, kSecXPCKeySet, &error);
1299 CFSetRef backupPeers = SecXPCDictionaryCopySet(event, kSecXPCKeySet2, &error);
1300 if (peers && backupPeers) {
1301 CFSetRef result = SOSCCProcessSyncWithPeers_Server(peers, backupPeers, &error);
1302 if (result) {
1303 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
1304 }
1305 CFReleaseNull(result);
1306 }
1307 CFReleaseNull(peers);
1308 CFReleaseNull(backupPeers);
1309 }
1310 break;
1311 case kSecXPCOpProcessSyncWithAllPeers:
1312 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1313 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1314 SOSCCProcessSyncWithAllPeers_Server(&error));
1315 }
1316 break;
1317 case soscc_EnsurePeerRegistration_id:
1318 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1319 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1320 SOSCCProcessEnsurePeerRegistration_Server(&error));
1321 }
1322 break;
1323 case kSecXPCOpCopyIncompatibilityInfo:
1324 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1325 CFStringRef iis = SOSCCCopyIncompatibilityInfo_Server(&error);
1326 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, iis, &error);
1327 CFReleaseSafe(iis);
1328 }
1329 break;
1330 case kSecXPCOpRollKeys:
1331 {
1332 // false is valid, so it's safe for this parameter to be unset or incorrect type
1333 bool force = xpc_dictionary_get_bool(event, "force");
1334 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1335 _SecServerRollKeys(force, &client, &error));
1336 }
1337 break;
1338 case kSecXPCOpWaitForInitialSync:
1339 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1340 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1341 SOSCCWaitForInitialSync_Server(&error));
1342 }
1343 break;
1344
1345 case kSecXPCOpWaitForInitialSyncWithAnalytics:
1346 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1347 CFDataRef parentEvent = NULL;
1348 if(SecXPCDictionaryCopyDataOptional(event, kSecXPCKeySignInAnalytics, &parentEvent, &error) && parentEvent != NULL){
1349 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCWaitForInitialSyncWithAnalytics_Server(parentEvent, &error));
1350 }else{
1351 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCWaitForInitialSync_Server(&error));
1352 }
1353 CFReleaseNull(parentEvent);
1354 }
1355 break;
1356 case kSecXPCOpCopyYetToSyncViews:
1357 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1358 CFArrayRef array = SOSCCCopyYetToSyncViewsList_Server(&error);
1359 if (array) {
1360 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
1361 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
1362 xpc_release(xpc_array);
1363 }
1364 CFReleaseNull(array);
1365 }
1366 break;
1367 case kSecXPCOpSetEscrowRecord:
1368 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1369 CFStringRef escrow_label = SecXPCDictionaryCopyString(event, kSecXPCKeyEscrowLabel, &error); // NULL checked below
1370 uint64_t tries = xpc_dictionary_get_int64(event, kSecXPCKeyTriesLabel); // 0 is acceptable; safe for this parameter to be unset or incorrect type
1371
1372 if (escrow_label != NULL) {
1373 bool result = SOSCCSetEscrowRecord_Server(escrow_label, tries, &error);
1374 if (result) {
1375 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1376 }
1377 CFReleaseNull(escrow_label);
1378 }
1379 }
1380 break;
1381 case kSecXPCOpGetEscrowRecord:
1382 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1383 CFDictionaryRef record = SOSCCCopyEscrowRecord_Server(&error);
1384 if (record) {
1385 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(record);
1386 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
1387 xpc_release(xpc_dictionary);
1388 }
1389 CFReleaseNull(record);
1390 }
1391 break;
1392 case kSecXPCOpCopyBackupInformation:
1393 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1394 CFDictionaryRef record = SOSCCCopyBackupInformation_Server(&error);
1395 if (record) {
1396 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(record);
1397 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
1398 xpc_release(xpc_dictionary);
1399 }
1400 CFReleaseNull(record);
1401 }
1402 break;
1403
1404 case kSecXPCOpIsThisDeviceLastBackup:
1405 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1406 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(&error));
1407 }
1408 break;
1409 case kSecXPCOpPeersHaveViewsEnabled:
1410 {
1411 CFArrayRef viewSet = SecXPCDictionaryCopyArray(event, kSecXPCKeyArray, &error);
1412 if (viewSet) {
1413 CFBooleanRef result = SOSCCPeersHaveViewsEnabled_Server(viewSet, &error);
1414 if (result != NULL) {
1415 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result != kCFBooleanFalse);
1416 }
1417 }
1418 CFReleaseNull(viewSet);
1419 }
1420 break;
1421
1422 case kSecXPCOpWhoAmI:
1423 {
1424 if (client.musr)
1425 xpc_dictionary_set_data(replyMessage, "musr", CFDataGetBytePtr(client.musr), CFDataGetLength(client.musr));
1426 xpc_dictionary_set_bool(replyMessage, "system-keychain", client.allowSystemKeychain);
1427 xpc_dictionary_set_bool(replyMessage, "syncbubble-keychain", client.allowSyncBubbleKeychain);
1428 xpc_dictionary_set_bool(replyMessage, "network-extension", client.isNetworkExtension);
1429 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
1430 }
1431 break;
1432 case kSecXPCOpTransmogrifyToSyncBubble:
1433 {
1434 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainSyncBubble, &error)) {
1435 #if TARGET_OS_IOS
1436 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
1437 CFArrayRef services = SecXPCDictionaryCopyArray(event, "services", &error);
1438 bool res = false;
1439 if (uid && services) {
1440 res = _SecServerTransmogrifyToSyncBubble(services, uid, &client, &error);
1441 }
1442 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1443 CFReleaseNull(services);
1444 #else
1445 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1446 #endif
1447 }
1448 }
1449 break;
1450 case kSecXPCOpTransmogrifyToSystemKeychain:
1451 {
1452 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
1453 #if TARGET_OS_IOS
1454 bool res = _SecServerTransmogrifyToSystemKeychain(&client, &error);
1455 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1456 #else
1457 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1458 #endif
1459
1460 }
1461 }
1462 break;
1463 case kSecXPCOpDeleteUserView:
1464 {
1465 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
1466 bool res = false;
1467 #if TARGET_OS_IOS
1468 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
1469 if (uid) {
1470 res = _SecServerDeleteMUSERViews(&client, uid, &error);
1471 }
1472 #endif
1473 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1474
1475 }
1476 }
1477 break;
1478 case kSecXPCOpWrapToBackupSliceKeyBagForView:
1479 {
1480 CFStringRef viewname = SecXPCDictionaryCopyString(event, kSecXPCKeyViewName, &error);
1481 if(viewname) {
1482 CFDataRef plaintext = SecXPCDictionaryCopyData(event, kSecXPCData, &error);
1483 if (plaintext) {
1484 CFDataRef ciphertext = NULL;
1485 CFDataRef bskbEncoded = NULL;
1486
1487 bool result = SOSWrapToBackupSliceKeyBagForView_Server(viewname, plaintext, &ciphertext, &bskbEncoded, &error);
1488 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1489
1490 if(!error && result) {
1491 if(ciphertext) {
1492 xpc_dictionary_set_data(replyMessage, kSecXPCData, CFDataGetBytePtr(ciphertext), CFDataGetLength(ciphertext));
1493 }
1494 if(bskbEncoded) {
1495 xpc_dictionary_set_data(replyMessage, kSecXPCKeyKeybag, CFDataGetBytePtr(bskbEncoded), CFDataGetLength(bskbEncoded));
1496 }
1497 }
1498 CFReleaseSafe(ciphertext);
1499 CFReleaseSafe(bskbEncoded);
1500 }
1501 CFReleaseSafe(plaintext);
1502 }
1503 CFReleaseNull(viewname);
1504 }
1505 break;
1506 case kSecXPCOpCopyApplication:
1507 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1508 SOSPeerInfoRef peerInfo = SOSCCCopyApplication_Server(&error);
1509 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1510 CFReleaseNull(peerInfo);
1511 if (peerInfoData) {
1512 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1513 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1514 xpc_release(xpc_object);
1515 }
1516 CFReleaseNull(peerInfoData);
1517 }
1518 break;
1519 case kSecXPCOpCopyCircleJoiningBlob:
1520 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1521 CFDataRef appBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error);
1522 if (appBlob != NULL) {
1523 SOSPeerInfoRef applicant = SOSPeerInfoCreateFromData(kCFAllocatorDefault, &error, appBlob);
1524 if (applicant != NULL) {
1525 CFDataRef pbblob = SOSCCCopyCircleJoiningBlob_Server(applicant, &error);
1526 if (pbblob) {
1527 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(pbblob);
1528 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1529 xpc_release(xpc_object);
1530 }
1531 CFReleaseNull(pbblob);
1532 CFReleaseNull(applicant);
1533 }
1534 CFReleaseNull(appBlob);
1535 }
1536 }
1537 break;
1538 case kSecXPCOpCopyInitialSyncBlob:
1539 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1540 CFDataRef initialblob = SOSCCCopyInitialSyncData_Server(&error);
1541 if (initialblob) {
1542 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(initialblob);
1543 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1544 xpc_release(xpc_object);
1545 }
1546 CFReleaseNull(initialblob);
1547 }
1548 break;
1549 case kSecXPCOpJoinWithCircleJoiningBlob:
1550 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1551 CFDataRef joiningBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error); // NULL checked below
1552 uint64_t version = xpc_dictionary_get_uint64(event, kSecXPCVersion); // 0 is valid, so this parameter can be unset or incorrect type
1553 if (joiningBlob != NULL) {
1554 bool retval = SOSCCJoinWithCircleJoiningBlob_Server(joiningBlob, (PiggyBackProtocolVersion) version, &error);
1555 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1556 CFReleaseNull(joiningBlob);
1557 }
1558 }
1559 break;
1560
1561 case kSecXPCOpKVSKeyCleanup:
1562 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1563 bool retval = SOSCCCleanupKVSKeys_Server(&error);
1564 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1565 }
1566 break;
1567 case kSecXPCOpPopulateKVS:
1568 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1569 bool retval = SOSCCTestPopulateKVSWithBadKeys_Server(&error);
1570 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1571 }
1572 break;
1573 case kSecXPCOpMessageFromPeerIsPending:
1574 {
1575 SOSPeerInfoRef peer = SecXPCDictionaryCopyPeerInfo(event, kSecXPCKeyPeerInfo, &error);
1576 if (peer) {
1577 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1578 SOSCCMessageFromPeerIsPending_Server(peer, &error));
1579 }
1580 CFReleaseNull(peer);
1581 break;
1582 }
1583 case kSecXPCOpSendToPeerIsPending:
1584 {
1585 SOSPeerInfoRef peer = SecXPCDictionaryCopyPeerInfo(event, kSecXPCKeyPeerInfo, &error);
1586 if (peer) {
1587 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1588 SOSCCSendToPeerIsPending(peer, &error));
1589 }
1590 CFReleaseNull(peer);
1591 break;
1592 }
1593 #endif /* !SECUREOBJECTSYNC */
1594 case sec_delete_items_with_access_groups_id:
1595 {
1596 bool retval = false;
1597 #if TARGET_OS_IPHONE
1598 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateUninstallDeletion, &error)) {
1599 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1600
1601 if (accessGroups) {
1602 retval = _SecItemServerDeleteAllWithAccessGroups(accessGroups, &client, &error);
1603 }
1604 CFReleaseNull(accessGroups);
1605 }
1606 #endif
1607 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1608 }
1609 break;
1610 case kSecXPCOpBackupKeybagAdd: {
1611 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperations, &error)) {
1612 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1613 }
1614 break;
1615 }
1616 case kSecXPCOpBackupKeybagDelete: {
1617 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperations, &error)) {
1618 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1619 }
1620 break;
1621 }
1622 case kSecXPCOpKeychainControlEndpoint: {
1623 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainControl, &error)) {
1624 xpc_endpoint_t endpoint = SecServerCreateKeychainControlEndpoint();
1625 if (endpoint) {
1626 xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint);
1627 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
1628 xpc_release(endpoint);
1629 } else {
1630 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1631 }
1632 }
1633 break;
1634 }
1635 case sec_item_copy_parent_certificates_id: {
1636 CFArrayRef results = NULL;
1637 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateCertificateAllAccess, &error)) {
1638 CFDataRef issuer = SecXPCDictionaryCopyData(event, kSecXPCKeyNormalizedIssuer, &error);
1639 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1640 if (issuer && accessGroups) {
1641 results = _SecItemCopyParentCertificates(issuer, accessGroups, &error);
1642 }
1643 CFReleaseNull(issuer);
1644 CFReleaseNull(accessGroups);
1645 }
1646 SecXPCDictionarySetPListOptional(replyMessage, kSecXPCKeyResult, results, &error);
1647 CFReleaseNull(results);
1648 break;
1649 }
1650 case sec_item_certificate_exists_id: {
1651 bool result = false;
1652 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateCertificateAllAccess, &error)) {
1653 CFDataRef issuer = SecXPCDictionaryCopyData(event, kSecXPCKeyNormalizedIssuer, &error);
1654 CFDataRef serialNum = SecXPCDictionaryCopyData(event, kSecXPCKeySerialNumber, &error);
1655 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1656 if (issuer && serialNum && accessGroups) {
1657 result = _SecItemCertificateExists(issuer, serialNum, accessGroups, &error);
1658 }
1659 CFReleaseNull(issuer);
1660 CFReleaseNull(serialNum);
1661 CFReleaseNull(accessGroups);
1662 }
1663 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1664 break;
1665 }
1666 default:
1667 break;
1668 }
1669
1670 if (error)
1671 {
1672 if(SecErrorGetOSStatus(error) == errSecItemNotFound || isSOSErrorCoded(error, kSOSErrorPublicKeyAbsent))
1673 secdebug("ipc", "%@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1674 else if (SecErrorGetOSStatus(error) == errSecAuthNeeded)
1675 secwarning("Authentication is needed %@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1676 else
1677 secerror("%@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1678
1679 xpcError = SecCreateXPCObjectWithCFError(error);
1680 if (replyMessage) {
1681 xpc_dictionary_set_value(replyMessage, kSecXPCKeyError, xpcError);
1682 }
1683 } else if (replyMessage) {
1684 secdebug("ipc", "%@ %@ responding %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), replyMessage);
1685 }
1686 } else {
1687 SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, &error, 0, CFSTR("Messages expect to be xpc dictionary, got: %@"), event);
1688 secerror("%@: returning error: %@", client.task, error);
1689 xpcError = SecCreateXPCObjectWithCFError(error);
1690 replyMessage = xpc_create_reply_with_format(event, "{%string: %value}", kSecXPCKeyError, xpcError);
1691 }
1692
1693 if (replyMessage) {
1694 xpc_connection_send_message(connection, replyMessage);
1695 xpc_release(replyMessage);
1696 }
1697 if (xpcError)
1698 xpc_release(xpcError);
1699 CFReleaseSafe(error);
1700 CFReleaseSafe(client.accessGroups);
1701 CFReleaseSafe(client.musr);
1702 CFReleaseSafe(client.task);
1703 CFReleaseSafe(domains);
1704 CFReleaseSafe(clientAuditToken);
1705 }
1706
1707 static void securityd_xpc_init(const char *service_name)
1708 {
1709 secdebug("serverxpc", "start");
1710 xpc_connection_t listener = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
1711 if (!listener) {
1712 seccritical("security failed to register xpc listener for %s, exiting", service_name);
1713 abort();
1714 }
1715
1716 xpc_connection_set_event_handler(listener, ^(xpc_object_t connection) {
1717 if (xpc_get_type(connection) == XPC_TYPE_CONNECTION) {
1718 xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
1719 if (xpc_get_type(event) == XPC_TYPE_DICTIONARY) {
1720 // Synchronous. The client has a connection pool so they can be somewhat re-entrant if they need.
1721 securityd_xpc_dictionary_handler(connection, event);
1722 }
1723 });
1724 xpc_connection_resume(connection);
1725 }
1726 });
1727 xpc_connection_resume(listener);
1728
1729 #if OCTAGON
1730 xpc_activity_register("com.apple.securityd.daily", XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) {
1731 xpc_activity_state_t activityState = xpc_activity_get_state(activity);
1732 if (activityState == XPC_ACTIVITY_STATE_RUN) {
1733 SecCKKS24hrNotification();
1734 SecOctagon24hrNotification();
1735 }
1736 });
1737 #endif
1738
1739 #if OCTAGON && !TARGET_OS_BRIDGE
1740 // Kick off reporting tasks.
1741 if (os_variant_has_internal_diagnostics("com.apple.security") && !os_variant_is_recovery("securityd")) {
1742 InitPolicyReporter();
1743 }
1744 #endif
1745 }
1746
1747
1748 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
1749
1750 #if TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
1751 static void securityd_soscc_lock_hack() {
1752 dispatch_queue_t soscc_lock_queue = dispatch_queue_create("soscc_lock_queue", DISPATCH_QUEUE_PRIORITY_DEFAULT);
1753 int soscc_tok;
1754
1755 // <rdar://problem/22500239> Prevent securityd from quitting while holding a keychain assertion
1756 // FIXME: securityd isn't currently registering for any other notifyd events. If/when it does,
1757 // this code will need to be generalized / migrated away from just this specific purpose.
1758 xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) {
1759 char *event_description = xpc_copy_description(object);
1760 secnotice("events", "%s", event_description);
1761 free(event_description);
1762 });
1763
1764 secnotice("lockassertion", "notify_register_dispatch(kSOSCCHoldLockForInitialSync)");
1765 notify_register_dispatch(kSOSCCHoldLockForInitialSync, &soscc_tok, soscc_lock_queue, ^(int token __unused) {
1766 secnotice("lockassertion", "kSOSCCHoldLockForInitialSync: grabbing the lock");
1767 CFErrorRef error = NULL;
1768
1769 uint64_t one_minute = 60ull;
1770 if(SecAKSUserKeybagHoldLockAssertion(one_minute, &error)){
1771 // <rdar://problem/22500239> Prevent securityd from quitting while holding a keychain assertion
1772 os_transaction_t transaction = os_transaction_create("securityd-LockAssertedingHolder");
1773
1774 dispatch_after(dispatch_time(DISPATCH_TIME_NOW, one_minute*NSEC_PER_SEC), soscc_lock_queue, ^{
1775 CFErrorRef localError = NULL;
1776 if(!SecAKSUserKeybagDropLockAssertion(&localError))
1777 secerror("failed to unlock: %@", localError);
1778 CFReleaseNull(localError);
1779 os_release(transaction);
1780 });
1781 } else {
1782 secerror("Failed to take device lock assertion: %@", error);
1783 }
1784 CFReleaseNull(error);
1785 secnotice("lockassertion", "kSOSCCHoldLockForInitialSync => done");
1786 });
1787 }
1788 #endif
1789
1790 #if TARGET_OS_OSX
1791
1792 static char *
1793 homedirPath(void)
1794 {
1795 static char homeDir[PATH_MAX] = {};
1796
1797 if (homeDir[0] == '\0') {
1798 struct passwd* pwd = getpwuid(getuid());
1799 if (pwd == NULL)
1800 return NULL;
1801
1802 if (realpath(pwd->pw_dir, homeDir) == NULL) {
1803 strlcpy(homeDir, pwd->pw_dir, sizeof(homeDir));
1804 }
1805 }
1806 return homeDir;
1807 }
1808 #endif
1809
1810
1811 int main(int argc, char *argv[])
1812 {
1813 DisableLocalization();
1814
1815 char *wait4debugger = getenv("WAIT4DEBUGGER");
1816 if (wait4debugger && !strcasecmp("YES", wait4debugger)) {
1817 seccritical("SIGSTOPing self, awaiting debugger");
1818 kill(getpid(), SIGSTOP);
1819 seccritical("Again, for good luck (or bad debuggers)");
1820 kill(getpid(), SIGSTOP);
1821 }
1822
1823 /* <rdar://problem/15792007> Users with network home folders are unable to use/save password for Mail/Cal/Contacts/websites
1824 Secd doesn't realize DB connections get invalidated when network home directory users logout
1825 and their home gets unmounted. Exit secd, start fresh when user logs back in.
1826 */
1827 #if TARGET_OS_OSX
1828 int sessionstatechanged_tok;
1829 notify_register_dispatch(kSA_SessionStateChangedNotification, &sessionstatechanged_tok, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(int token __unused) {
1830 // we could be a process running as root.
1831 // However, since root never logs out this isn't an issue.
1832 if (SASSessionStateForUser(getuid()) == kSA_state_loggingout_pointofnoreturn) {
1833 dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 3ull*NSEC_PER_SEC), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
1834 xpc_transaction_exit_clean();
1835 });
1836 }
1837 });
1838 #endif
1839
1840 #if TARGET_OS_OSX
1841 #define SECD_PROFILE_NAME "com.apple.secd"
1842 const char *homedir = homedirPath();
1843 if (homedir == NULL)
1844 errx(1, "failed to get home directory for secd");
1845
1846 char *errorbuf = NULL;
1847 const char *sandbox_params[] = {
1848 "_HOME", homedir,
1849 NULL
1850 };
1851 int32_t rc;
1852
1853 rc = sandbox_init_with_parameters(SECD_PROFILE_NAME, SANDBOX_NAMED, sandbox_params, &errorbuf);
1854 if (rc)
1855 err(1, "Failed to process in a sandbox: %d %s", rc, errorbuf);
1856 #endif /* TARGET_OS_OSX */
1857
1858 const char *serviceName = kSecuritydXPCServiceName;
1859
1860 // Mark our interest in running some features (before we bring the DB layer up)
1861 #if OCTAGON
1862 EscrowRequestServerSetEnabled(true);
1863 OctagonSetShouldPerformInitialization(true);
1864 SecCKKSEnable();
1865 #endif
1866
1867 /* setup SQDLite before some other component have a chance to create a database connection */
1868 _SecDbServerSetup();
1869
1870 securityd_init_server();
1871 securityd_xpc_init(serviceName);
1872
1873 SecCreateSecuritydXPCServer();
1874 #if SECUREOBJECTSYNC
1875 SOSControlServerInitialize();
1876 #endif
1877 #if OCTAGON
1878 CKKSControlServerInitialize();
1879 OctagonControlServerInitialize();
1880 EscrowRequestXPCServerInitialize();
1881 #endif
1882
1883 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
1884 #if TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
1885 securityd_soscc_lock_hack();
1886 #endif
1887
1888 CFRunLoopRun();
1889 }
1890
1891 /* vi:set ts=4 sw=4 et: */
mirror of Security