2 * Copyright (c) 2000-2015 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 // passphrases - canonical code to obtain passphrases
27 #define __STDC_WANT_LIB_EXT1__ 1
30 #include "agentquery.h"
31 #include "ccaudit_extensions.h"
33 #include <Security/AuthorizationTags.h>
34 #include <Security/AuthorizationTagsPriv.h>
35 #include <Security/checkpw.h>
36 #include <Security/Security.h>
37 #include <System/sys/fileport.h>
38 #include <bsm/audit.h>
39 #include <bsm/audit_uevents.h> // AUE_ssauthint
40 #include <membership.h>
41 #include <membershipPriv.h>
42 #include <security_utilities/logging.h>
43 #include <security_utilities/mach++.h>
46 #include <xpc/private.h>
47 #include "securityd_service/securityd_service/securityd_service_client.h"
49 // Includes for <rdar://problem/34677969> Always require the user's password on keychain approval dialogs
52 #define SECURITYAGENT_BOOTSTRAP_NAME_BASE "com.apple.security.agent"
53 #define SECURITYAGENT_LOGINWINDOW_BOOTSTRAP_NAME_BASE "com.apple.security.agent.login"
55 #define AUTH_XPC_ITEM_NAME "_item_name"
56 #define AUTH_XPC_ITEM_FLAGS "_item_flags"
57 #define AUTH_XPC_ITEM_VALUE "_item_value"
58 #define AUTH_XPC_ITEM_TYPE "_item_type"
59 #define AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH "_item_sensitive_value_length"
61 #define AUTH_XPC_REQUEST_METHOD_KEY "_agent_request_key"
62 #define AUTH_XPC_REQUEST_METHOD_CREATE "_agent_request_create"
63 #define AUTH_XPC_REQUEST_METHOD_INVOKE "_agent_request_invoke"
64 #define AUTH_XPC_REQUEST_METHOD_DEACTIVATE "_agent_request_deactivate"
65 #define AUTH_XPC_REQUEST_METHOD_DESTROY "_agent_request_destroy"
66 #define AUTH_XPC_REPLY_METHOD_KEY "_agent_reply_key"
67 #define AUTH_XPC_REPLY_METHOD_RESULT "_agent_reply_result"
68 #define AUTH_XPC_REPLY_METHOD_INTERRUPT "_agent_reply_interrupt"
69 #define AUTH_XPC_REPLY_METHOD_CREATE "_agent_reply_create"
70 #define AUTH_XPC_REPLY_METHOD_DEACTIVATE "_agent_reply_deactivate"
71 #define AUTH_XPC_PLUGIN_NAME "_agent_plugin"
72 #define AUTH_XPC_MECHANISM_NAME "_agent_mechanism"
73 #define AUTH_XPC_HINTS_NAME "_agent_hints"
74 #define AUTH_XPC_CONTEXT_NAME "_agent_context"
75 #define AUTH_XPC_IMMUTABLE_HINTS_NAME "_agent_immutable_hints"
76 #define AUTH_XPC_REQUEST_INSTANCE "_agent_instance"
77 #define AUTH_XPC_REPLY_RESULT_VALUE "_agent_reply_result_value"
78 #define AUTH_XPC_AUDIT_SESSION_PORT "_agent_audit_session_port"
79 #define AUTH_XPC_BOOTSTRAP_PORT "_agent_bootstrap_port"
81 #define UUID_INITIALIZER_FROM_SESSIONID(sessionid) \
82 { 0,0,0,0, 0,0,0,0, 0,0,0,0, (unsigned char)((0xff000000 & (sessionid))>>24), (unsigned char)((0x00ff0000 & (sessionid))>>16), (unsigned char)((0x0000ff00 & (sessionid))>>8), (unsigned char)((0x000000ff & (sessionid))) }
85 // SecurityAgentXPCConnection
87 SecurityAgentXPCConnection::SecurityAgentXPCConnection(Session
&session
)
88 : mHostInstance(session
.authhost()),
90 mConnection(&Server::connection()),
91 mAuditToken(Server::connection().auditToken())
93 // this may take a while
94 Server::active().longTermActivity();
95 secnotice("SecurityAgentConnection", "new SecurityAgentConnection(%p)", this);
96 mXPCConnection
= NULL
;
98 struct passwd
*pw
= getpwnam("nobody");
100 mNobodyUID
= pw
->pw_uid
;
104 SecurityAgentXPCConnection::~SecurityAgentXPCConnection()
106 secnotice("SecurityAgentConnection", "SecurityAgentConnection(%p) dying", this);
107 mConnection
->useAgent(NULL
);
109 // If a connection has been established, we need to tear it down.
110 if (NULL
!= mXPCConnection
) {
111 // Tearing this down is a multi-step process. First, request a cancellation.
112 // This is safe even if the connection is already in the canceled state.
113 xpc_connection_cancel(mXPCConnection
);
115 // Then release the XPC connection
116 xpc_release(mXPCConnection
);
117 mXPCConnection
= NULL
;
121 bool SecurityAgentXPCConnection::inDarkWake()
123 return mSession
.server().inDarkWake();
127 SecurityAgentXPCConnection::activate(bool ignoreUid
)
129 secnotice("SecurityAgentConnection", "activate(%p)", this);
131 mConnection
->useAgent(this);
132 if (mXPCConnection
!= NULL
) {
133 // If we already have an XPC connection, there's nothing to do.
138 uuid_t sessionUUID
= UUID_INITIALIZER_FROM_SESSIONID(mSession
.sessionId());
140 // Yes, these need to be throws, as we're still in securityd, and thus still have to do flow control with exceptions.
141 if (!(mSession
.attributes() & sessionHasGraphicAccess
))
142 CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION
);
144 CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE
);
145 uid_t targetUid
= mHostInstance
->session().originatorUid();
147 secnotice("SecurityAgentXPCConnection","Retrieved UID %d for this session", targetUid
);
148 if (!ignoreUid
&& targetUid
!= 0 && targetUid
!= mNobodyUID
) {
149 mXPCConnection
= xpc_connection_create_mach_service(SECURITYAGENT_BOOTSTRAP_NAME_BASE
, NULL
, 0);
150 xpc_connection_set_target_uid(mXPCConnection
, targetUid
);
151 secnotice("SecurityAgentXPCConnection", "Creating a standard security agent");
153 mXPCConnection
= xpc_connection_create_mach_service(SECURITYAGENT_LOGINWINDOW_BOOTSTRAP_NAME_BASE
, NULL
, 0);
154 xpc_connection_set_instance(mXPCConnection
, sessionUUID
);
155 secnotice("SecurityAgentXPCConnection", "Creating a loginwindow security agent");
158 xpc_connection_set_event_handler(mXPCConnection
, ^(xpc_object_t object
) {
159 if (xpc_get_type(object
) == XPC_TYPE_ERROR
) {
160 secnotice("SecurityAgentXPCConnection", "error during xpc: %s", xpc_dictionary_get_string(object
, XPC_ERROR_KEY_DESCRIPTION
));
163 xpc_connection_resume(mXPCConnection
);
164 secnotice("SecurityAgentXPCConnection", "%p activated", this);
166 catch (MacOSError
&err
) {
167 mConnection
->useAgent(NULL
); // guess not
168 Syslog::error("SecurityAgentConnection: error activating SecurityAgent instance %p", this);
172 secnotice("SecurityAgentXPCConnection", "contact didn't throw (%p)", this);
176 SecurityAgentXPCConnection::terminate()
180 // @@@ This happens already in the destructor; presumably we do this to tear things down orderly
181 mConnection
->useAgent(NULL
);
185 using SecurityAgent::Reason
;
186 using namespace Authorization
;
188 ModuleNexus
<RecursiveMutex
> gAllXPCClientsMutex
;
189 ModuleNexus
<set
<SecurityAgentXPCQuery
*> > allXPCClients
;
192 SecurityAgentXPCQuery::killAllXPCClients()
194 // grab the lock for the client list -- we need to make sure no one modifies the structure while we are iterating it.
195 StLock
<Mutex
> _(gAllXPCClientsMutex());
197 set
<SecurityAgentXPCQuery
*>::iterator clientIterator
= allXPCClients().begin();
198 while (clientIterator
!= allXPCClients().end())
200 set
<SecurityAgentXPCQuery
*>::iterator thisClient
= clientIterator
++;
201 if ((*thisClient
)->getTerminateOnSleep())
203 (*thisClient
)->terminate();
209 SecurityAgentXPCQuery::SecurityAgentXPCQuery(Session
&session
)
210 : SecurityAgentXPCConnection(session
), mAgentConnected(false), mTerminateOnSleep(false)
212 secnotice("SecurityAgentXPCQuery", "new SecurityAgentXPCQuery(%p)", this);
215 SecurityAgentXPCQuery::~SecurityAgentXPCQuery()
217 secnotice("SecurityAgentXPCQuery", "SecurityAgentXPCQuery(%p) dying", this);
218 if (mAgentConnected
) {
224 SecurityAgentXPCQuery::inferHints(Process
&thisProcess
)
226 AuthItemSet clientHints
;
227 SecurityAgent::RequestorType type
= SecurityAgent::bundle
;
228 pid_t clientPid
= thisProcess
.pid();
229 uid_t clientUid
= thisProcess
.uid();
230 string guestPath
= thisProcess
.getPath();
231 Boolean ignoreSession
= TRUE
;
233 clientHints
.insert(AuthItemRef(AGENT_HINT_CLIENT_TYPE
, AuthValueOverlay(sizeof(type
), &type
)));
234 clientHints
.insert(AuthItemRef(AGENT_HINT_CLIENT_PATH
, AuthValueOverlay(guestPath
)));
235 clientHints
.insert(AuthItemRef(AGENT_HINT_CLIENT_PID
, AuthValueOverlay(sizeof(clientPid
), &clientPid
)));
236 clientHints
.insert(AuthItemRef(AGENT_HINT_CLIENT_UID
, AuthValueOverlay(sizeof(clientUid
), &clientUid
)));
239 * If its loginwindow that's asking, override the loginwindow shield detection
240 * up front so that it can trigger SecurityAgent dialogs (like password change)
241 * for when the OD password and keychain password is out of sync.
244 if (guestPath
== "/System/Library/CoreServices/loginwindow.app") {
245 clientHints
.insert(AuthItemRef(AGENT_HINT_IGNORE_SESSION
, AuthValueOverlay(sizeof(ignoreSession
), &ignoreSession
)));
248 mClientHints
.insert(clientHints
.begin(), clientHints
.end());
250 bool validSignature
= thisProcess
.checkAppleSigned();
251 AuthItemSet clientImmutableHints
;
253 clientImmutableHints
.insert(AuthItemRef(AGENT_HINT_CLIENT_SIGNED
, AuthValueOverlay(sizeof(validSignature
), &validSignature
)));
255 mImmutableHints
.insert(clientImmutableHints
.begin(), clientImmutableHints
.end());
258 void SecurityAgentXPCQuery::addHint(const char *name
, const void *value
, UInt32 valueLen
, UInt32 flags
)
260 AuthorizationItem item
= { name
, valueLen
, const_cast<void *>(value
), flags
};
261 mClientHints
.insert(AuthItemRef(item
));
266 SecurityAgentXPCQuery::readChoice()
271 AuthItem
*allowAction
= mOutContext
.find(AGENT_CONTEXT_ALLOW
);
275 if (allowAction
->getString(allowString
)
276 && (allowString
== "YES"))
280 AuthItem
*rememberAction
= mOutContext
.find(AGENT_CONTEXT_REMEMBER_ACTION
);
283 string rememberString
;
284 if (rememberAction
->getString(rememberString
)
285 && (rememberString
== "YES"))
291 SecurityAgentXPCQuery::disconnect()
293 if (NULL
!= mXPCConnection
) {
294 xpc_object_t requestObject
= xpc_dictionary_create(NULL
, NULL
, 0);
295 xpc_dictionary_set_string(requestObject
, AUTH_XPC_REQUEST_METHOD_KEY
, AUTH_XPC_REQUEST_METHOD_DESTROY
);
296 xpc_connection_send_message(mXPCConnection
, requestObject
);
297 xpc_release(requestObject
);
300 StLock
<Mutex
> _(gAllXPCClientsMutex());
301 allXPCClients().erase(this);
305 SecurityAgentXPCQuery::terminate()
310 static void xpcArrayToAuthItemSet(AuthItemSet
*setToBuild
, xpc_object_t input
) {
313 xpc_array_apply(input
, ^bool(size_t index
, xpc_object_t item
) {
314 const char *name
= xpc_dictionary_get_string(item
, AUTH_XPC_ITEM_NAME
);
317 const void *data
= xpc_dictionary_get_data(item
, AUTH_XPC_ITEM_VALUE
, &length
);
320 // <rdar://problem/13033889> authd is holding on to multiple copies of my password in the clear
321 bool sensitive
= xpc_dictionary_get_value(item
, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH
);
323 size_t sensitiveLength
= (size_t)xpc_dictionary_get_uint64(item
, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH
);
324 if (sensitiveLength
> length
) {
325 secnotice("SecurityAgentXPCQuery", "Sensitive data len %zu is not valid", sensitiveLength
);
328 dataCopy
= malloc(sensitiveLength
);
329 memcpy(dataCopy
, data
, sensitiveLength
);
330 memset_s((void *)data
, length
, 0, sensitiveLength
); // clear the sensitive data, memset_s is never optimized away
331 length
= sensitiveLength
;
333 dataCopy
= malloc(length
);
334 memcpy(dataCopy
, data
, length
);
337 uint64_t flags
= xpc_dictionary_get_uint64(item
, AUTH_XPC_ITEM_FLAGS
);
338 AuthItemRef
nextItem(name
, AuthValueOverlay((uint32_t)length
, dataCopy
), (uint32_t)flags
);
339 setToBuild
->insert(nextItem
);
340 memset(dataCopy
, 0, length
); // The authorization items contain things like passwords, so wiping clean is important.
347 SecurityAgentXPCQuery::create(const char *pluginId
, const char *mechanismId
)
349 bool ignoreUid
= false;
354 mAgentConnected
= false;
356 xpc_object_t requestObject
= xpc_dictionary_create(NULL
, NULL
, 0);
357 xpc_dictionary_set_string(requestObject
, AUTH_XPC_REQUEST_METHOD_KEY
, AUTH_XPC_REQUEST_METHOD_CREATE
);
358 xpc_dictionary_set_string(requestObject
, AUTH_XPC_PLUGIN_NAME
, pluginId
);
359 xpc_dictionary_set_string(requestObject
, AUTH_XPC_MECHANISM_NAME
, mechanismId
);
361 uid_t targetUid
= Server::process().uid();
362 bool doSwitchAudit
= (ignoreUid
|| targetUid
== 0 || targetUid
== mNobodyUID
);
363 bool doSwitchBootstrap
= (ignoreUid
|| targetUid
== 0 || targetUid
== mNobodyUID
);
366 mach_port_name_t jobPort
;
367 if (0 == audit_session_port(mSession
.sessionId(), &jobPort
)) {
368 secnotice("SecurityAgentXPCQuery", "attaching an audit session port because the uid was %d", targetUid
);
369 xpc_dictionary_set_mach_send(requestObject
, AUTH_XPC_AUDIT_SESSION_PORT
, jobPort
);
370 if (mach_port_mod_refs(mach_task_self(), jobPort
, MACH_PORT_RIGHT_SEND
, -1) != KERN_SUCCESS
) {
371 secnotice("SecurityAgentXPCQuery", "unable to release send right for audit session, leaking");
376 if (doSwitchBootstrap
) {
377 secnotice("SecurityAgentXPCQuery", "attaching a bootstrap port because the uid was %d", targetUid
);
378 MachPlusPlus::Bootstrap processBootstrap
= Server::process().taskPort().bootstrap();
379 xpc_dictionary_set_mach_send(requestObject
, AUTH_XPC_BOOTSTRAP_PORT
, processBootstrap
);
382 xpc_object_t object
= xpc_connection_send_message_with_reply_sync(mXPCConnection
, requestObject
);
383 if (xpc_get_type(object
) == XPC_TYPE_DICTIONARY
) {
384 const char *replyType
= xpc_dictionary_get_string(object
, AUTH_XPC_REPLY_METHOD_KEY
);
385 if (0 == strcmp(replyType
, AUTH_XPC_REPLY_METHOD_CREATE
)) {
386 uint64_t status
= xpc_dictionary_get_uint64(object
, AUTH_XPC_REPLY_RESULT_VALUE
);
387 if (status
== kAuthorizationResultAllow
) {
388 mAgentConnected
= true;
390 secnotice("SecurityAgentXPCQuery", "plugin create failed in SecurityAgent");
391 MacOSError::throwMe(errAuthorizationInternal
);
394 } else if (xpc_get_type(object
) == XPC_TYPE_ERROR
) {
395 if (XPC_ERROR_CONNECTION_INVALID
== object
) {
396 // If we get an error before getting the create response, try again without the UID
398 secnotice("SecurityAgentXPCQuery", "failed to establish connection, no retries left");
400 MacOSError::throwMe(errAuthorizationInternal
);
402 secnotice("SecurityAgentXPCQuery", "failed to establish connection, retrying with no UID");
404 xpc_release(mXPCConnection
);
405 mXPCConnection
= NULL
;
407 } else if (XPC_ERROR_CONNECTION_INTERRUPTED
== object
) {
408 // If we get an error before getting the create response, try again
412 xpc_release(requestObject
);
413 } while (!mAgentConnected
);
415 StLock
<Mutex
> _(gAllXPCClientsMutex());
416 allXPCClients().insert(this);
419 static xpc_object_t
authItemSetToXPCArray(AuthItemSet input
) {
420 xpc_object_t outputArray
= xpc_array_create(NULL
, 0);
421 for (AuthItemSet::iterator i
= input
.begin(); i
!= input
.end(); i
++) {
422 AuthItemRef item
= *i
;
424 xpc_object_t xpc_data
= xpc_dictionary_create(NULL
, NULL
, 0);
425 xpc_dictionary_set_string(xpc_data
, AUTH_XPC_ITEM_NAME
, item
->name());
426 AuthorizationValue value
= item
->value();
427 if (value
.data
!= NULL
) {
428 xpc_dictionary_set_data(xpc_data
, AUTH_XPC_ITEM_VALUE
, value
.data
, value
.length
);
430 xpc_dictionary_set_uint64(xpc_data
, AUTH_XPC_ITEM_FLAGS
, item
->flags());
431 xpc_array_append_value(outputArray
, xpc_data
);
432 xpc_release(xpc_data
);
438 SecurityAgentXPCQuery::invoke() {
439 xpc_object_t hintsArray
= authItemSetToXPCArray(mInHints
);
440 xpc_object_t contextArray
= authItemSetToXPCArray(mInContext
);
441 xpc_object_t immutableHintsArray
= authItemSetToXPCArray(mImmutableHints
);
443 xpc_object_t requestObject
= xpc_dictionary_create(NULL
, NULL
, 0);
444 xpc_dictionary_set_string(requestObject
, AUTH_XPC_REQUEST_METHOD_KEY
, AUTH_XPC_REQUEST_METHOD_INVOKE
);
445 xpc_dictionary_set_value(requestObject
, AUTH_XPC_HINTS_NAME
, hintsArray
);
446 xpc_dictionary_set_value(requestObject
, AUTH_XPC_CONTEXT_NAME
, contextArray
);
447 xpc_dictionary_set_value(requestObject
, AUTH_XPC_IMMUTABLE_HINTS_NAME
, immutableHintsArray
);
449 xpc_object_t object
= xpc_connection_send_message_with_reply_sync(mXPCConnection
, requestObject
);
450 if (xpc_get_type(object
) == XPC_TYPE_DICTIONARY
) {
451 const char *replyType
= xpc_dictionary_get_string(object
, AUTH_XPC_REPLY_METHOD_KEY
);
452 if (0 == strcmp(replyType
, AUTH_XPC_REPLY_METHOD_RESULT
)) {
453 xpc_object_t xpcHints
= xpc_dictionary_get_value(object
, AUTH_XPC_HINTS_NAME
);
454 xpc_object_t xpcContext
= xpc_dictionary_get_value(object
, AUTH_XPC_CONTEXT_NAME
);
455 AuthItemSet tempHints
, tempContext
;
456 xpcArrayToAuthItemSet(&tempHints
, xpcHints
);
457 xpcArrayToAuthItemSet(&tempContext
, xpcContext
);
458 mOutHints
= tempHints
;
459 mOutContext
= tempContext
;
460 mLastResult
= xpc_dictionary_get_uint64(object
, AUTH_XPC_REPLY_RESULT_VALUE
);
462 } else if (xpc_get_type(object
) == XPC_TYPE_ERROR
) {
463 if (XPC_ERROR_CONNECTION_INVALID
== object
) {
464 // If the connection drops, return an "auth undefined" result, because we cannot continue
465 } else if (XPC_ERROR_CONNECTION_INTERRUPTED
== object
) {
466 // If the agent dies, return an "auth undefined" result, because we cannot continue
471 xpc_release(hintsArray
);
472 xpc_release(contextArray
);
473 xpc_release(immutableHintsArray
);
474 xpc_release(requestObject
);
477 void SecurityAgentXPCQuery::checkResult()
479 // now check the OSStatus return from the server side
480 switch (mLastResult
) {
481 case kAuthorizationResultAllow
: return;
482 case kAuthorizationResultDeny
:
483 case kAuthorizationResultUserCanceled
: CssmError::throwMe(CSSM_ERRCODE_USER_CANCELED
);
484 default: MacOSError::throwMe(errAuthorizationInternal
);
489 // Perform the "rogue app" access query dialog
491 QueryKeychainUse::QueryKeychainUse(bool needPass
, const Database
*db
)
492 : mPassphraseCheck(NULL
)
494 // if passphrase checking requested, save KeychainDatabase reference
495 // (will quietly disable check if db isn't a keychain)
497 // Always require password due to <rdar://problem/34677969>
498 mPassphraseCheck
= dynamic_cast<const KeychainDatabase
*>(db
);
500 setTerminateOnSleep(true);
503 // Callers to this function must hold the common lock
504 Reason
QueryKeychainUse::queryUser (const char *database
, const char *description
, AclAuthorization action
)
506 Reason reason
= SecurityAgent::noReason
;
507 uint32_t retryCount
= 0;
508 AuthItemSet hints
, context
;
510 // prepopulate with client hints
511 hints
.insert(mClientHints
.begin(), mClientHints
.end());
513 // put action/operation (sint32) into hints
514 hints
.insert(AuthItemRef(AGENT_HINT_ACL_TAG
, AuthValueOverlay(sizeof(action
), static_cast<sint32
*>(&action
))));
516 // item name into hints
518 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_ITEM_NAME
, AuthValueOverlay(description
? (uint32_t)strlen(description
) : 0, const_cast<char*>(description
))));
520 // keychain name into hints
521 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay(database
? (uint32_t)strlen(database
) : 0, const_cast<char*>(database
))));
523 if (mPassphraseCheck
)
525 create("builtin", "confirm-access-password");
527 CssmAutoData
data(Allocator::standard(Allocator::sensitive
));
532 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(retryCount
), &retryCount
));
533 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
535 if (retryCount
++ > kMaximumAuthorizationTries
)
537 reason
= SecurityAgent::tooManyTries
;
540 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
541 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
543 setInput(hints
, context
);
546 // Must drop the common lock while showing UI.
547 StSyncLock
<Mutex
, Mutex
> syncLock(const_cast<KeychainDatabase
*>(mPassphraseCheck
)->common().uiLock(), const_cast<KeychainDatabase
*>(mPassphraseCheck
)->common());
551 if (retryCount
> kMaximumAuthorizationTries
)
558 AuthItem
*passwordItem
= mOutContext
.find(kAuthorizationEnvironmentPassword
);
562 passwordItem
->getCssmData(data
);
564 reason
= (const_cast<KeychainDatabase
*>(mPassphraseCheck
)->decode(data
) ? SecurityAgent::noReason
: SecurityAgent::invalidPassphrase
);
566 while (reason
!= SecurityAgent::noReason
);
572 // create("builtin", "confirm-access");
573 // setInput(hints, context);
576 // This is a hack to support <rdar://problem/34677969>, we can never simply prompt for confirmation
577 secerror("ACL validation fallback case! Must ask user for account password because we have no database");
578 Session
&session
= Server::session();
580 session
.verifyKeyStorePassphrase(1, true, description
);
582 return SecurityAgent::invalidPassphrase
;
584 SecurityAgentXPCQuery::allow
= true;
591 // Obtain passphrases and submit them to the accept() method until it is accepted
592 // or we can't get another passphrase. Accept() should consume the passphrase
593 // if it is accepted. If no passphrase is acceptable, throw out of here.
595 Reason
QueryOld::query()
597 Reason reason
= SecurityAgent::noReason
;
598 AuthItemSet hints
, context
;
599 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
602 // prepopulate with client hints
604 const char *keychainPath
= database
.dbName();
605 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay((uint32_t)strlen(keychainPath
), const_cast<char*>(keychainPath
))));
607 hints
.insert(mClientHints
.begin(), mClientHints
.end());
609 create("builtin", "unlock-keychain");
613 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(retryCount
), &retryCount
));
614 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
618 if (retryCount
> maxTries
)
620 reason
= SecurityAgent::tooManyTries
;
623 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
624 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
626 setInput(hints
, context
);
629 if (retryCount
> maxTries
)
636 AuthItem
*passwordItem
= mOutContext
.find(kAuthorizationEnvironmentPassword
);
640 passwordItem
->getCssmData(passphrase
);
643 while ((reason
= accept(passphrase
)));
645 return SecurityAgent::noReason
;
650 // Get existing passphrase (unlock) Query
652 Reason
QueryOld::operator () ()
659 // End-classes for old secrets
661 Reason
QueryUnlock::accept(CssmManagedData
&passphrase
)
663 // Must hold the 'common' lock to call decode; otherwise there's a data corruption issue
664 StLock
<Mutex
> _(safer_cast
<KeychainDatabase
&>(database
).common());
666 if (safer_cast
<KeychainDatabase
&>(database
).decode(passphrase
))
667 return SecurityAgent::noReason
;
669 return SecurityAgent::invalidPassphrase
;
672 Reason
QueryUnlock::retrievePassword(CssmOwnedData
&passphrase
) {
673 CssmAutoData
pass(Allocator::standard(Allocator::sensitive
));
675 AuthItem
*passwordItem
= mOutContext
.find(kAuthorizationEnvironmentPassword
);
677 return SecurityAgent::invalidPassphrase
;
679 passwordItem
->getCssmData(pass
);
683 return SecurityAgent::noReason
;
686 QueryKeybagPassphrase::QueryKeybagPassphrase(Session
& session
, int32_t tries
) : mSession(session
), mContext(), mRetries(tries
)
688 setTerminateOnSleep(true);
689 mContext
= mSession
.get_current_service_context();
692 Reason
QueryKeybagPassphrase::query()
694 Reason reason
= SecurityAgent::noReason
;
695 AuthItemSet hints
, context
;
696 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
699 // prepopulate with client hints
701 const char *keychainPath
= "iCloud";
702 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay((uint32_t)strlen(keychainPath
), const_cast<char*>(keychainPath
))));
704 hints
.insert(mClientHints
.begin(), mClientHints
.end());
706 create("builtin", "unlock-keychain");
711 currentTry
= retryCount
;
712 if (retryCount
> mRetries
)
714 return SecurityAgent::tooManyTries
;
718 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(currentTry
), ¤tTry
));
719 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
721 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
722 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
724 setInput(hints
, context
);
729 AuthItem
*passwordItem
= mOutContext
.find(kAuthorizationEnvironmentPassword
);
733 passwordItem
->getCssmData(passphrase
);
735 while ((reason
= accept(passphrase
)));
737 return SecurityAgent::noReason
;
740 Reason
QueryKeybagPassphrase::accept(Security::CssmManagedData
& password
)
742 if (service_client_kb_unlock(&mContext
, password
.data(), (int)password
.length()) == 0) {
743 mSession
.keybagSetState(session_keybag_unlocked
);
744 return SecurityAgent::noReason
;
746 return SecurityAgent::invalidPassphrase
;
749 QueryKeybagNewPassphrase::QueryKeybagNewPassphrase(Session
& session
) : QueryKeybagPassphrase(session
) {}
751 Reason
QueryKeybagNewPassphrase::query(CssmOwnedData
&oldPassphrase
, CssmOwnedData
&passphrase
)
753 CssmAutoData
pass(Allocator::standard(Allocator::sensitive
));
754 CssmAutoData
oldPass(Allocator::standard(Allocator::sensitive
));
755 Reason reason
= SecurityAgent::noReason
;
756 AuthItemSet hints
, context
;
759 // prepopulate with client hints
761 const char *keychainPath
= "iCloud";
762 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay((uint32_t)strlen(keychainPath
), const_cast<char*>(keychainPath
))));
764 const char *showResetString
= "YES";
765 hints
.insert(AuthItemRef(AGENT_HINT_SHOW_RESET
, AuthValueOverlay((uint32_t)strlen(showResetString
), const_cast<char*>(showResetString
))));
767 hints
.insert(mClientHints
.begin(), mClientHints
.end());
769 create("builtin", "change-passphrase");
772 AuthItem
*resetPassword
= NULL
;
775 currentTry
= retryCount
;
776 if (retryCount
> mRetries
)
778 return SecurityAgent::tooManyTries
;
782 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(currentTry
), ¤tTry
));
783 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
785 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
786 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
788 setInput(hints
, context
);
793 resetPassword
= mOutContext
.find(AGENT_CONTEXT_RESET_PASSWORD
);
794 if (resetPassword
!= NULL
) {
795 return SecurityAgent::resettingPassword
;
798 AuthItem
*oldPasswordItem
= mOutContext
.find(AGENT_PASSWORD
);
799 if (!oldPasswordItem
)
802 oldPasswordItem
->getCssmData(oldPass
);
804 while ((reason
= accept(oldPass
)));
806 if (reason
== SecurityAgent::noReason
) {
807 AuthItem
*passwordItem
= mOutContext
.find(AGENT_CONTEXT_NEW_PASSWORD
);
809 return SecurityAgent::invalidPassphrase
;
811 passwordItem
->getCssmData(pass
);
813 oldPassphrase
= oldPass
;
817 return SecurityAgent::noReason
;
820 QueryPIN::QueryPIN(Database
&db
)
821 : QueryOld(db
), mPin(Allocator::standard())
823 this->inferHints(Server::process());
827 Reason
QueryPIN::accept(CssmManagedData
&pin
)
829 // no retries for now
831 return SecurityAgent::noReason
;
836 // Obtain passphrases and submit them to the accept() method until it is accepted
837 // or we can't get another passphrase. Accept() should consume the passphrase
838 // if it is accepted. If no passphrase is acceptable, throw out of here.
840 Reason
QueryNewPassphrase::query()
842 Reason reason
= initialReason
;
843 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
844 CssmAutoData
oldPassphrase(Allocator::standard(Allocator::sensitive
));
846 AuthItemSet hints
, context
;
850 // prepopulate with client hints
851 hints
.insert(mClientHints
.begin(), mClientHints
.end());
853 // keychain name into hints
854 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay(database
.dbName())));
856 switch (initialReason
)
858 case SecurityAgent::newDatabase
:
859 create("builtin", "new-passphrase");
861 case SecurityAgent::changePassphrase
:
862 create("builtin", "change-passphrase");
870 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(retryCount
), &retryCount
));
871 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
873 if (++retryCount
> maxTries
)
875 reason
= SecurityAgent::tooManyTries
;
878 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
879 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
881 setInput(hints
, context
);
884 if (retryCount
> maxTries
)
891 if (SecurityAgent::changePassphrase
== initialReason
)
893 AuthItem
*oldPasswordItem
= mOutContext
.find(AGENT_PASSWORD
);
894 if (!oldPasswordItem
)
897 oldPasswordItem
->getCssmData(oldPassphrase
);
900 AuthItem
*passwordItem
= mOutContext
.find(AGENT_CONTEXT_NEW_PASSWORD
);
904 passwordItem
->getCssmData(passphrase
);
907 while ((reason
= accept(passphrase
, (initialReason
== SecurityAgent::changePassphrase
) ? &oldPassphrase
.get() : NULL
)));
909 return SecurityAgent::noReason
;
914 // Get new passphrase Query
916 Reason
QueryNewPassphrase::operator () (CssmOwnedData
&oldPassphrase
, CssmOwnedData
&passphrase
)
918 if (Reason result
= query())
919 return result
; // failed
920 passphrase
= mPassphrase
;
921 oldPassphrase
= mOldPassphrase
;
922 return SecurityAgent::noReason
; // success
925 Reason
QueryNewPassphrase::accept(CssmManagedData
&passphrase
, CssmData
*oldPassphrase
)
927 //@@@ acceptance criteria are currently hardwired here
928 //@@@ This validation presumes ASCII - UTF8 might be more lenient
930 // if we have an old passphrase, check it
931 if (oldPassphrase
&& !safer_cast
<KeychainDatabase
&>(database
).validatePassphrase(*oldPassphrase
))
932 return SecurityAgent::oldPassphraseWrong
;
934 // sanity check the new passphrase (but allow user override)
935 if (!(mPassphraseValid
&& passphrase
.get() == mPassphrase
)) {
936 mPassphrase
= passphrase
;
937 if (oldPassphrase
) mOldPassphrase
= *oldPassphrase
;
938 mPassphraseValid
= true;
939 if (mPassphrase
.length() == 0)
940 return SecurityAgent::passphraseIsNull
;
941 if (mPassphrase
.length() < 6)
942 return SecurityAgent::passphraseTooSimple
;
946 return SecurityAgent::noReason
;
950 // Get a passphrase for unspecified use
952 Reason
QueryGenericPassphrase::operator () (const CssmData
*prompt
, bool verify
,
955 return query(prompt
, verify
, passphrase
);
958 Reason
QueryGenericPassphrase::query(const CssmData
*prompt
, bool verify
,
961 Reason reason
= SecurityAgent::noReason
;
962 AuthItemSet hints
, context
;
964 hints
.insert(mClientHints
.begin(), mClientHints
.end());
965 hints
.insert(AuthItemRef(AGENT_HINT_CUSTOM_PROMPT
, AuthValueOverlay(prompt
? (UInt32
)prompt
->length() : 0, prompt
? prompt
->data() : NULL
)));
966 // XXX/gh defined by dmitch but no analogous hint in
967 // AuthorizationTagsPriv.h:
968 // CSSM_ATTRIBUTE_ALERT_TITLE (optional alert panel title)
970 if (false == verify
) { // import
971 create("builtin", "generic-unlock");
972 } else { // verify passphrase (export)
973 create("builtin", "generic-new-passphrase");
976 AuthItem
*passwordItem
;
979 setInput(hints
, context
);
982 passwordItem
= mOutContext
.find(AGENT_PASSWORD
);
984 } while (!passwordItem
);
986 passwordItem
->getString(passphrase
);
993 // Get a DB blob's passphrase--keychain synchronization
995 Reason
QueryDBBlobSecret::operator () (DbHandle
*dbHandleArray
, uint8 dbHandleArrayCount
, DbHandle
*dbHandleAuthenticated
)
997 return query(dbHandleArray
, dbHandleArrayCount
, dbHandleAuthenticated
);
1000 Reason
QueryDBBlobSecret::query(DbHandle
*dbHandleArray
, uint8 dbHandleArrayCount
, DbHandle
*dbHandleAuthenticated
)
1002 Reason reason
= SecurityAgent::noReason
;
1003 CssmAutoData
passphrase(Allocator::standard(Allocator::sensitive
));
1004 AuthItemSet hints
/*NUKEME*/, context
;
1006 hints
.insert(mClientHints
.begin(), mClientHints
.end());
1007 create("builtin", "generic-unlock-kcblob");
1009 AuthItem
*secretItem
;
1014 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(retryCount
), &retryCount
));
1015 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
1017 if (++retryCount
> maxTries
)
1019 reason
= SecurityAgent::tooManyTries
;
1022 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
1023 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
1025 setInput(hints
, context
);
1028 secretItem
= mOutContext
.find(AGENT_PASSWORD
);
1031 secretItem
->getCssmData(passphrase
);
1033 } while ((reason
= accept(passphrase
, dbHandleArray
, dbHandleArrayCount
, dbHandleAuthenticated
)));
1038 Reason
QueryDBBlobSecret::accept(CssmManagedData
&passphrase
,
1039 DbHandle
*dbHandlesToAuthenticate
, uint8 dbHandleCount
, DbHandle
*dbHandleAuthenticated
)
1041 DbHandle
*currHdl
= dbHandlesToAuthenticate
;
1043 Boolean authenticated
= false;
1044 for (index
=0; index
< dbHandleCount
&& !authenticated
; index
++)
1048 RefPointer
<KeychainDatabase
> dbToUnlock
= Server::keychain(*currHdl
);
1049 dbToUnlock
->unlockDb(passphrase
, false);
1050 authenticated
= true;
1051 *dbHandleAuthenticated
= *currHdl
; // return the DbHandle that 'passphrase' authenticated with.
1053 catch (const CommonError
&err
)
1055 currHdl
++; // we failed to authenticate with this one, onto the next one.
1058 if ( !authenticated
)
1059 return SecurityAgent::invalidPassphrase
;
1061 return SecurityAgent::noReason
;
1064 // @@@ no pluggable authentication possible!
1066 QueryKeychainAuth::operator () (const char *database
, const char *description
, AclAuthorization action
, const char *prompt
)
1068 Reason reason
= SecurityAgent::noReason
;
1069 AuthItemSet hints
, context
;
1074 using CommonCriteria::Securityd::KeychainAuthLogger
;
1075 KeychainAuthLogger
logger(mAuditToken
, (short)AUE_ssauthint
, database
, description
);
1077 hints
.insert(mClientHints
.begin(), mClientHints
.end());
1079 // put action/operation (sint32) into hints
1080 hints
.insert(AuthItemRef(AGENT_HINT_ACL_TAG
, AuthValueOverlay(sizeof(action
), static_cast<sint32
*>(&action
))));
1082 hints
.insert(AuthItemRef(AGENT_HINT_CUSTOM_PROMPT
, AuthValueOverlay(prompt
? (uint32_t)strlen(prompt
) : 0, const_cast<char*>(prompt
))));
1084 // item name into hints
1085 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_ITEM_NAME
, AuthValueOverlay(description
? (uint32_t)strlen(description
) : 0, const_cast<char*>(description
))));
1087 // keychain name into hints
1088 hints
.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH
, AuthValueOverlay(database
? (uint32_t)strlen(database
) : 0, const_cast<char*>(database
))));
1090 create("builtin", "confirm-access-user-password");
1092 AuthItem
*usernameItem
;
1093 AuthItem
*passwordItem
;
1097 AuthItemRef
triesHint(AGENT_HINT_TRIES
, AuthValueOverlay(sizeof(retryCount
), &retryCount
));
1098 hints
.erase(triesHint
); hints
.insert(triesHint
); // replace
1100 if (++retryCount
> maxTries
)
1101 reason
= SecurityAgent::tooManyTries
;
1103 if (SecurityAgent::noReason
!= reason
)
1105 if (SecurityAgent::tooManyTries
== reason
)
1106 logger
.logFailure(NULL
, CommonCriteria::errTooManyTries
);
1108 logger
.logFailure();
1111 AuthItemRef
retryHint(AGENT_HINT_RETRY_REASON
, AuthValueOverlay(sizeof(reason
), &reason
));
1112 hints
.erase(retryHint
); hints
.insert(retryHint
); // replace
1114 setInput(hints
, context
);
1120 catch (...) // user probably clicked "deny"
1122 logger
.logFailure();
1125 usernameItem
= mOutContext
.find(AGENT_USERNAME
);
1126 passwordItem
= mOutContext
.find(AGENT_PASSWORD
);
1127 if (!usernameItem
|| !passwordItem
)
1129 usernameItem
->getString(username
);
1130 passwordItem
->getString(password
);
1131 } while ((reason
= accept(username
, password
)));
1133 if (SecurityAgent::noReason
== reason
)
1134 logger
.logSuccess();
1135 // else we logged the denial in the loop
1141 QueryKeychainAuth::accept(string
&username
, string
&passphrase
)
1143 // Note: QueryKeychainAuth currently requires that the
1144 // specified user be in the admin group. If this requirement
1145 // ever needs to change, the group name should be passed as
1146 // a separate argument to this method.
1148 const char *user
= username
.c_str();
1149 const char *passwd
= passphrase
.c_str();
1150 int checkpw_status
= checkpw(user
, passwd
);
1152 if (checkpw_status
!= CHECKPW_SUCCESS
) {
1153 return SecurityAgent::invalidPassphrase
;
1156 const char *group
= "admin";
1159 uuid_t group_uuid
, user_uuid
;
1160 rc
= mbr_group_name_to_uuid(group
, group_uuid
);
1161 if (rc
) { return SecurityAgent::userNotInGroup
; }
1163 rc
= mbr_user_name_to_uuid(user
, user_uuid
);
1164 if (rc
) { return SecurityAgent::userNotInGroup
; }
1166 rc
= mbr_check_membership(user_uuid
, group_uuid
, &ismember
);
1167 if (rc
|| !ismember
) { return SecurityAgent::userNotInGroup
; }
1170 return SecurityAgent::noReason
;