+++ /dev/null
-/*
- * Copyright (c) 2000-2004,2006-2007,2011,2013 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-//
-// acl_preauth - a subject type for modeling PINs and similar slot-specific
-// pre-authentication schemes.
-//
-#include "acl_preauth.h"
-#include <security_utilities/debugging.h>
-
-
-namespace Security {
-namespace PreAuthorizationAcls {
-
-
-//
-// Origin forms
-//
-AclSubject *OriginMaker::make(const TypedList &list) const
-{
- ListElement *args[1];
- crack(list, 1, args, CSSM_LIST_ELEMENT_WORDID);
- return new OriginAclSubject(*args[0]);
-}
-
-AclSubject *OriginMaker::make(AclSubject::Version version, Reader &pub, Reader &) const
-{
- // just an integer containing the auth tag
- Endian<uint32> auth;
- pub(auth);
- return new OriginAclSubject(AclAuthorization(auth));
-}
-
-
-//
-// Validate the origin form.
-// This tries to find the source AclObject and hands the question off to it.
-// If anything isn't right, fail the validation.
-//
-bool OriginAclSubject::validate(const AclValidationContext &ctx) const
-{
- if (Environment *env = ctx.environment<Environment>())
- if (ObjectAcl *source = env->preAuthSource())
- if (source->validates(mAuthTag, ctx.cred(), ctx.environment()))
- return true;
-
- // no joy (the sad default)
- return false;
-}
-
-
-CssmList OriginAclSubject::toList(Allocator &alloc) const
-{
- return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH,
- new(alloc) ListElement(mAuthTag));
-}
-
-OriginAclSubject::OriginAclSubject(AclAuthorization auth)
- : AclSubject(CSSM_ACL_SUBJECT_TYPE_PREAUTH), mAuthTag(auth)
-{
- if (auth < CSSM_ACL_AUTHORIZATION_PREAUTH_BASE || auth >= CSSM_ACL_AUTHORIZATION_PREAUTH_END)
- CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
-}
-
-
-//
-// Origin exported form is just a four-byte integer (preauth authorization tag)
-//
-void OriginAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv)
-{
- Endian<uint32> auth = mAuthTag;
- pub(auth);
-}
-
-void OriginAclSubject::exportBlob(Writer &pub, Writer &priv)
-{
- Endian<uint32> auth = mAuthTag;
- pub(auth);
-}
-
-
-//
-// Now for the other side of the coin.
-// SourceAclSubjects describe the unusual side (for ACL management) of this game.
-// The AclSubject of a preauth source MUST be of PREAUTH_SOURCE type. This subject
-// contains the actual validation conditions as a sub-subject, and may provide
-// additional information to represent known state of the preauth system.
-//
-// Think of the extra data in a PreAuthSource ACL as "current state informational"
-// that only exists internally, and in the CssmList view. It does not get put into
-// persistent (externalized) ACL storage at all. (After all, there's nothing persistent
-// about it.)
-//
-AclSubject *SourceMaker::make(const TypedList &list) const
-{
- // minimum requirement: item[1] = sub-subject (sublist)
- if (list.length() < 2)
- CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
- ListElement &sub = list[1];
- RefPointer<AclSubject> subSubject = ObjectAcl::make(sub);
-
- // anything else is interpreted as tracking state (defaulted if missing)
- switch (list.length()) {
- case 2: // no tracking state
- return new SourceAclSubject(subSubject);
- case 3:
- if (list[2].type() == CSSM_LIST_ELEMENT_WORDID)
- return new SourceAclSubject(subSubject, list[2]);
- // fall through
- default:
- CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
- }
-}
-
-AclSubject *SourceMaker::make(AclSubject::Version version, Reader &pub, Reader &priv) const
-{
- // external form does not contain tracking state - defaults to unknown
- RefPointer<AclSubject> subSubject = ObjectAcl::importSubject(pub, priv);
- return new SourceAclSubject(subSubject);
-}
-
-
-//
-// Source validation uses its own home-cooked validation context.
-//
-class SourceValidationContext : public AclValidationContext {
-public:
- SourceValidationContext(const AclValidationContext &base)
- : AclValidationContext(base), mCredTag(base.entryTag()) { }
-
- uint32 count() const { return cred() ? cred()->samples().length() : 0; }
- uint32 size() const { return count(); }
- const TypedList &sample(uint32 n) const
- { assert(n < count()); return cred()->samples()[n]; }
-
- const char *credTag() const { return mCredTag; } // override
-
- void matched(const TypedList *) const { } //@@@ prelim
-
-private:
- const char *mCredTag;
-};
-
-bool SourceAclSubject::SourceAclSubject::validate(const AclValidationContext &baseCtx) const
-{
- // try to authenticate our sub-subject
- if (Environment *env = baseCtx.environment<Environment>()) {
- AclAuthorization auth = baseCtx.authorization();
- if (!CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth)) // all muddled up; bail
- CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
- uint32 slot = CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth);
- secdebug("preauth", "using state %d@%p", slot, &env->store(this));
- bool &accepted = env->store(this).attachment<AclState>((void *)((size_t) slot)).accepted;
- if (!accepted) {
- secdebug("preauth", "%p needs to authenticate its subject", this);
- SourceValidationContext ctx(baseCtx);
- if (mSourceSubject->validate(ctx)) {
- secdebug("preauth", "%p pre-authenticated", this);
- accepted = true;
- }
- }
- return accepted;
- }
- return false;
-}
-
-
-CssmList SourceAclSubject::toList(Allocator &alloc) const
-{
- return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE,
- new(alloc) ListElement(mSourceSubject->toList(alloc)));
-}
-
-
-SourceAclSubject::SourceAclSubject(AclSubject *subSubject, CSSM_ACL_PREAUTH_TRACKING_STATE state)
- : AclSubject(CSSM_ACL_SUBJECT_TYPE_PREAUTH),
- mSourceSubject(subSubject)
-{
-}
-
-
-//
-// Export the subject to a memory blob
-//
-void SourceAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv)
-{
- mSourceSubject->exportBlob(pub, priv);
-}
-
-void SourceAclSubject::exportBlob(Writer &pub, Writer &priv)
-{
- mSourceSubject->exportBlob(pub, priv);
- // tracking state is not exported
-}
-
-
-#ifdef DEBUGDUMP
-
-void OriginAclSubject::debugDump() const
-{
- Debug::dump("Preauth(to slot %d)", mAuthTag - CSSM_ACL_AUTHORIZATION_PREAUTH_BASE);
-}
-
-void SourceAclSubject::debugDump() const
-{
- Debug::dump("Preauth source: ");
- if (mSourceSubject)
- mSourceSubject->debugDump();
- else
- Debug::dump("NULL?");
-}
-
-#endif //DEBUGDUMP
-
-
-} // namespace PreAuthorizationAcls
-} // namespace Security
projects / apple / security.git / blobdiff