]> git.saurik.com Git - apple/security.git/blob - trust/trustd/SecTrustExceptionResetCount.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59754.41.1.tar.gz
[apple/security.git] / trust / trustd / SecTrustExceptionResetCount.m
1 //
2 // SecTrustExceptionResetCount.m
3 // Security_ios
4 //
5
6 #import <Foundation/Foundation.h>
7 #import "SecTrustExceptionResetCount.h"
8
9 #import <utilities/SecCFWrappers.h>
10 #import <utilities/SecFileLocations.h>
11
12 static NSString *kExceptionResetCountKey = @"ExceptionResetCount";
13 static NSString *exceptionResetCounterFile = @"com.apple.security.exception_reset_counter.plist";
14
15 /* Returns the path to the, existing or internally-created, 'exceptionResetCounterFile' file. */
16 static NSString *SecPlistFileExistsInKeychainDirectory(CFErrorRef *error) {
17 NSString *status = NULL;
18
19 NSString *path = [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)exceptionResetCounterFile) path];
20 if (!path) {
21 secerror("Unable to address permanent storage for '%{public}@'.", exceptionResetCounterFile);
22 if (error) {
23 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ENOENT, NULL);
24 }
25 return status;
26 }
27 secinfo("trust", "'%{public}@' is at '%{public}@'.", exceptionResetCounterFile, path);
28
29 NSFileManager *fm = [NSFileManager defaultManager];
30 if (!fm) {
31 secerror("Failed to initialize the file manager in '%{public}s'.", __func__);
32 if (error) {
33 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ENOMEM, NULL);
34 }
35 return status;
36 }
37
38 BOOL isDir = false;
39 bool fileExists = [fm fileExistsAtPath:path isDirectory:&isDir];
40 if (isDir) {
41 secerror("'%{public}@' is a directory. (not a file)", path);
42 if (error) {
43 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, EISDIR, NULL);
44 }
45 return status;
46 }
47 if (fileExists) {
48 secdebug("trust", "'%{public}@' already exists.", path);
49 status = path;
50 return status;
51 }
52
53 if (![fm createFileAtPath:path contents:nil attributes:nil]) {
54 secerror("Failed to create permanent storage at '%{public}@'.", path);
55 if (error) {
56 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, EIO, NULL);
57 }
58 return status;
59 }
60 secinfo("trust", "'%{public}@' has been created.", path);
61 status = path;
62
63 return status;
64 }
65
66 static uint64_t SecReadPlistFromFileInKeychainDirectory(CFErrorRef *error) {
67 uint64_t value = 0;
68
69 CFErrorRef localError = NULL;
70 NSString *path = SecPlistFileExistsInKeychainDirectory(&localError);
71 if (localError) {
72 if (error) {
73 *error = localError;
74 }
75 secerror("Permanent storage for the exceptions epoch is unavailable.");
76 return value;
77 }
78 if (!path) {
79 secinfo("trust", "Permanent storage for the exceptions epoch is missing. Defaulting to value %llu.", value);
80 return value;
81 }
82
83 NSMutableDictionary *plDict = [NSMutableDictionary dictionaryWithContentsOfFile:path];
84 if (!plDict) {
85 secerror("Failed to read from permanent storage at '%{public}@' or the data is bad. Defaulting to value %llu.", path, value);
86 if (error) {
87 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ENXIO, NULL);
88 }
89 return value;
90 }
91
92 id valueObject = [plDict objectForKey:kExceptionResetCountKey];
93 if (!valueObject) {
94 secinfo("trust", "Could not find key '%{public}@'. Defaulting to value %llu.", kExceptionResetCountKey, value);
95 if (error) {
96 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ENXIO, NULL);
97 }
98 return value;
99 }
100 if (![valueObject isKindOfClass:[NSNumber class]]) {
101 secerror("The value for key '%{public}@' is not a number.", kExceptionResetCountKey);
102 if (error) {
103 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, EDOM, NULL);
104 }
105 return value;
106 }
107
108 value = [valueObject unsignedIntValue];
109
110 secinfo("trust", "'%{public}@' is %llu.", kExceptionResetCountKey, value);
111 return value;
112 }
113
114 static bool SecWritePlistToFileInKeychainDirectory(uint64_t exceptionResetCount, CFErrorRef *error) {
115 bool status = false;
116
117 CFErrorRef localError = NULL;
118 SecPlistFileExistsInKeychainDirectory(&localError);
119 if (localError) {
120 if (error) {
121 *error = localError;
122 } else {
123 CFReleaseNull(localError);
124 }
125 secerror("Permanent storage for the exceptions epoch is unavailable.");
126 return status;
127 }
128
129 NSString *path = [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)exceptionResetCounterFile) path];
130 if (!path) {
131 secerror("Unable to address permanent storage for '%{public}@'.", exceptionResetCounterFile);
132 if (error) {
133 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, EIO, NULL);
134 }
135 return status;
136 }
137
138 NSMutableDictionary *dataToSave = [NSMutableDictionary new];
139 if (!dataToSave) {
140 secerror("Failed to allocate memory for the exceptions epoch structure.");
141 if (error) {
142 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ENOMEM, NULL);
143 }
144 return status;
145 }
146 dataToSave[@"Version"] = [NSNumber numberWithUnsignedInteger:1];
147 dataToSave[kExceptionResetCountKey] = [NSNumber numberWithUnsignedInteger:exceptionResetCount];
148
149 status = [dataToSave writeToFile:path atomically:YES];
150 if (!status) {
151 secerror("Failed to write to permanent storage at '%{public}@'.", path);
152 if (error) {
153 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, EIO, NULL);
154 }
155 return status;
156 }
157
158 secinfo("trust", "'%{public}@' has been committed to permanent storage at '%{public}@'.", kExceptionResetCountKey, path);
159 return status;
160 }
161
162 uint64_t SecTrustServerGetExceptionResetCount(CFErrorRef *error) {
163 CFErrorRef localError = NULL;
164 uint64_t exceptionResetCount = SecReadPlistFromFileInKeychainDirectory(&localError);
165 /* Treat ENXIO as a transient error; I/O seems to be working but we have failed to read the current epoch.
166 * That's expected when epoch is still 0 and there is nothing to store in permanent storage. (and later read)
167 */
168 if (localError && CFEqualSafe(CFErrorGetDomain(localError), kCFErrorDomainPOSIX) && CFErrorGetCode(localError) == ENXIO) {
169 CFReleaseNull(localError);
170 }
171 if (localError) {
172 if (error) {
173 *error = localError;
174 } else {
175 CFReleaseNull(localError);
176 }
177 }
178 secinfo("trust", "exceptionResetCount: %llu (%s)", exceptionResetCount, error ? (*error ? "Error" : "OK") : "N/A");
179 return exceptionResetCount;
180 }
181
182 bool SecTrustServerIncrementExceptionResetCount(CFErrorRef *error) {
183 bool status = false;
184
185 uint64_t currentExceptionResetCount = SecTrustServerGetExceptionResetCount(error);
186 if (error && *error) {
187 secerror("Failed to increment the extensions epoch.");
188 return status;
189 }
190 if (currentExceptionResetCount >= INT64_MAX) {
191 secerror("Current exceptions epoch value is too large. (%llu) Won't increment.", currentExceptionResetCount);
192 if (error) {
193 *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ERANGE, NULL);
194 }
195 return status;
196 }
197
198 return SecWritePlistToFileInKeychainDirectory(currentExceptionResetCount + 1, error);
199 }
mirror of Security