+++ /dev/null
-/*
- * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- DLDBListCFPref.cpp
-*/
-
-#include "DLDBListCFPref.h"
-#include <Security/cssmapple.h>
-#include <security_utilities/debugging.h>
-#include <security_utilities/utilities.h>
-#include <memory>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <sys/param.h>
-#include <copyfile.h>
-#include <xpc/private.h>
-#include <syslog.h>
-#include <sandbox.h>
-
-dispatch_once_t AppSandboxChecked;
-xpc_object_t KeychainHomeFromXPC;
-
-using namespace CssmClient;
-
-static const double kDLDbListCFPrefRevertInterval = 30.0;
-
-// normal debug calls, which get stubbed out for deployment builds
-
-#define kKeyGUID CFSTR("GUID")
-#define kKeySubserviceId CFSTR("SubserviceId")
-#define kKeySubserviceType CFSTR("SubserviceType")
-#define kKeyDbName CFSTR("DbName")
-#define kKeyDbLocation CFSTR("DbLocation")
-#define kKeyActive CFSTR("Active")
-#define kKeyMajorVersion CFSTR("MajorVersion")
-#define kKeyMinorVersion CFSTR("MinorVersion")
-#define kDefaultDLDbListKey CFSTR("DLDBSearchList")
-#define kDefaultKeychainKey CFSTR("DefaultKeychain")
-#define kLoginKeychainKey CFSTR("LoginKeychain")
-#define kUserDefaultPath "~/Library/Preferences/com.apple.security.plist"
-#define kSystemDefaultPath "/Library/Preferences/com.apple.security.plist"
-#define kCommonDefaultPath "/Library/Preferences/com.apple.security-common.plist"
-#define kLoginKeychainPathPrefix "~/Library/Keychains/"
-#define kUserLoginKeychainPath "~/Library/Keychains/login.keychain"
-#define kSystemLoginKeychainPath "/Library/Keychains/System.keychain"
-
-
-// A utility class for managing password database lookups
-
-const time_t kPasswordCacheExpire = 30; // number of seconds cached password db info is valid
-
-PasswordDBLookup::PasswordDBLookup () : mValid (false), mCurrent (0), mTime (0)
-{
-}
-
-void PasswordDBLookup::lookupInfoOnUID (uid_t uid)
-{
- time_t currentTime = time (NULL);
-
- if (!mValid || uid != mCurrent || currentTime - mTime >= kPasswordCacheExpire)
- {
- struct passwd* pw = getpwuid(uid);
- if (pw == NULL)
- {
- UnixError::throwMe (EPERM);
- }
-
- mDirectory = pw->pw_dir;
- mName = pw->pw_name;
- mValid = true;
- mCurrent = uid;
- mTime = currentTime;
-
- secdebug("secpref", "uid=%d caching home=%s", uid, pw->pw_dir);
-
- endpwent();
- }
-}
-
-PasswordDBLookup *DLDbListCFPref::mPdbLookup = NULL;
-
-//-------------------------------------------------------------------------------------
-//
-// Lists of DL/DBs, with CFPreferences backing store
-//
-//-------------------------------------------------------------------------------------
-
-DLDbListCFPref::DLDbListCFPref(SecPreferencesDomain domain) : mDomain(domain), mPropertyList(NULL), mChanged(false),
- mSearchListSet(false), mDefaultDLDbIdentifierSet(false), mLoginDLDbIdentifierSet(false)
-{
- secdebug("secpref", "New DLDbListCFPref %p for domain %d", this, domain);
- loadPropertyList(true);
-}
-
-void DLDbListCFPref::set(SecPreferencesDomain domain)
-{
- save();
-
- mDomain = domain;
-
- secdebug("secpref", "DLDbListCFPref %p domain set to %d", this, domain);
-
- if (loadPropertyList(true))
- resetCachedValues();
-}
-
-DLDbListCFPref::~DLDbListCFPref()
-{
- save();
-
- if (mPropertyList)
- CFRelease(mPropertyList);
-}
-
-void
-DLDbListCFPref::forceUserSearchListReread()
-{
- // set mPrefsTimeStamp so that it will "expire" the next time loadPropertyList is called
- mPrefsTimeStamp = CFAbsoluteTimeGetCurrent() - kDLDbListCFPrefRevertInterval;
-}
-
-bool
-DLDbListCFPref::loadPropertyList(bool force)
-{
- string prefsPath;
-
- switch (mDomain)
- {
- case kSecPreferencesDomainUser:
- prefsPath = ExpandTildesInPath(kUserDefaultPath);
- break;
- case kSecPreferencesDomainSystem:
- prefsPath = kSystemDefaultPath;
- break;
- case kSecPreferencesDomainCommon:
- prefsPath = kCommonDefaultPath;
- break;
- default:
- MacOSError::throwMe(errSecInvalidPrefsDomain);
- }
-
- secdebug("secpref", "force=%s prefsPath=%s", force ? "true" : "false",
- prefsPath.c_str());
-
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
- // If for some reason the prefs file path has changed, blow away the old plist and force an update
- if (mPrefsPath != prefsPath)
- {
- mPrefsPath = prefsPath;
- if (mPropertyList)
- {
- CFRelease(mPropertyList);
- mPropertyList = NULL;
- }
-
- mPrefsTimeStamp = now;
- }
- else if (!force)
- {
- if (now - mPrefsTimeStamp < kDLDbListCFPrefRevertInterval)
- return false;
-
- mPrefsTimeStamp = now;
- }
-
- struct stat st;
- if (stat(mPrefsPath.c_str(), &st))
- {
- if (errno == ENOENT)
- {
- if (mPropertyList)
- {
- if (CFDictionaryGetCount(mPropertyList) == 0)
- return false;
- CFRelease(mPropertyList);
- }
-
- mPropertyList = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- return true;
- }
- }
- else
- {
- if (mPropertyList)
- {
- if (mTimespec.tv_sec == st.st_mtimespec.tv_sec
- && mTimespec.tv_nsec == st.st_mtimespec.tv_nsec)
- return false;
- }
-
- mTimespec = st.st_mtimespec;
- }
-
- CFMutableDictionaryRef thePropertyList = NULL;
- CFMutableDataRef xmlData = NULL;
- CFStringRef errorString = NULL;
- int fd = -1;
-
- do
- {
- fd = open(mPrefsPath.c_str(), O_RDONLY, 0);
- if (fd < 0)
- break;
-
- off_t theSize = lseek(fd, 0, SEEK_END);
- if (theSize <= 0)
- break;
-
- if (lseek(fd, 0, SEEK_SET))
- break;
-
- xmlData = CFDataCreateMutable(NULL, CFIndex(theSize));
- if (!xmlData)
- break;
- CFDataSetLength(xmlData, CFIndex(theSize));
- void *buffer = reinterpret_cast<void *>(CFDataGetMutableBytePtr(xmlData));
- if (!buffer)
- break;
- ssize_t bytesRead = read(fd, buffer, (size_t)theSize);
- if (bytesRead != theSize)
- break;
-
- thePropertyList = CFMutableDictionaryRef(CFPropertyListCreateFromXMLData(NULL, xmlData, kCFPropertyListMutableContainers, &errorString));
- if (!thePropertyList)
- break;
-
- if (CFGetTypeID(thePropertyList) != CFDictionaryGetTypeID())
- {
- CFRelease(thePropertyList);
- thePropertyList = NULL;
- break;
- }
- } while (0);
-
- if (fd >= 0)
- close(fd);
- if (xmlData)
- CFRelease(xmlData);
- if (errorString)
- CFRelease(errorString);
-
- if (!thePropertyList)
- {
- thePropertyList = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- }
-
- if (mPropertyList)
- {
- if (CFEqual(mPropertyList, thePropertyList))
- {
- // The new property list is the same as the old one, so nothing has changed.
- CFRelease(thePropertyList);
- return false;
- }
- CFRelease(mPropertyList);
- }
-
- mPropertyList = thePropertyList;
- return true;
-}
-
-void
-DLDbListCFPref::writePropertyList()
-{
- if (!mPropertyList || CFDictionaryGetCount(mPropertyList) == 0)
- {
- // There is nothing in the mPropertyList dictionary,
- // so we don't need a prefs file.
- unlink(mPrefsPath.c_str());
- }
- else
- {
- if(testAndFixPropertyList())
- return;
-
- CFDataRef xmlData = CFPropertyListCreateXMLData(NULL, mPropertyList);
- if (!xmlData)
- return; // Bad out of memory or something evil happened let's act like CF and do nothing.
-
- // The prefs file should at least be made readable by user/group/other and writable by the owner.
- // Change from euid to ruid if needed for the duration of the new prefs file creat.
-
- mode_t mode = 0666;
- changeIdentity(UNPRIV);
- int fd = open(mPrefsPath.c_str(), O_WRONLY|O_CREAT|O_TRUNC, mode);
- changeIdentity(PRIV);
- if (fd >= 0)
- {
- const void *buffer = CFDataGetBytePtr(xmlData);
- size_t toWrite = CFDataGetLength(xmlData);
- /* ssize_t bytesWritten = */ write(fd, buffer, toWrite);
- // Emulate CFPreferences by not checking for any errors.
-
- fsync(fd);
- struct stat st;
- if (!fstat(fd, &st))
- mTimespec = st.st_mtimespec;
-
- close(fd);
- }
-
- CFRelease(xmlData);
- }
-
- mPrefsTimeStamp = CFAbsoluteTimeGetCurrent();
-}
-
-// This function can clean up some problems caused by setuid clients. We've had instances where the
-// Keychain search list has become owned by root, but is still able to be re-written by the user because
-// of the permissions on the directory above. We'll take advantage of that fact to recreate the file with
-// the correct ownership by copying it.
-
-int
-DLDbListCFPref::testAndFixPropertyList()
-{
- char *prefsPath = (char *)mPrefsPath.c_str();
-
- int fd1, fd2, retval;
- struct stat stbuf;
-
- if((fd1 = open(prefsPath, O_RDONLY)) < 0) {
- if (errno == ENOENT) return 0; // Doesn't exist - the default case
- else return -1;
- }
-
- if((retval = fstat(fd1, &stbuf)) == -1) return -1;
-
- if(stbuf.st_uid != getuid()) {
- char tempfile[MAXPATHLEN+1];
-
- snprintf(tempfile, MAXPATHLEN, "%s.XXXXX", prefsPath);
- mktemp(tempfile);
- changeIdentity(UNPRIV);
- if((fd2 = open(tempfile, O_RDWR | O_CREAT | O_EXCL, 0666)) < 0) {
- retval = -1;
- } else {
- copyfile_state_t s = copyfile_state_alloc();
- retval = fcopyfile(fd1, fd2, s, COPYFILE_DATA);
- copyfile_state_free(s);
- if(!retval) retval = ::unlink(prefsPath);
- if(!retval) retval = ::rename(tempfile, prefsPath);
- }
- changeIdentity(PRIV);
- close(fd2);
- }
- close(fd1);
- return retval;
-}
-
-// Encapsulated process uid/gid change routine.
-void
-DLDbListCFPref::changeIdentity(ID_Direction toPriv)
-{
- if(toPriv == UNPRIV) {
- savedEUID = geteuid();
- savedEGID = getegid();
- if(savedEGID != getgid()) setegid(getgid());
- if(savedEUID != getuid()) seteuid(getuid());
- } else {
- if(savedEUID != getuid()) seteuid(savedEUID);
- if(savedEGID != getgid()) setegid(savedEGID);
- }
-}
-
-void
-DLDbListCFPref::resetCachedValues()
-{
- // Unset the login and default Keychain.
- mLoginDLDbIdentifier = mDefaultDLDbIdentifier = DLDbIdentifier();
-
- // Clear the searchList.
- mSearchList.clear();
-
- changed(false);
-
- // Note that none of our cached values are valid
- mSearchListSet = mDefaultDLDbIdentifierSet = mLoginDLDbIdentifierSet = false;
-
- mPrefsTimeStamp = CFAbsoluteTimeGetCurrent();
-}
-
-void DLDbListCFPref::save()
-{
- if (!hasChanged())
- return;
-
- // Resync from disc to make sure we don't clobber anyone elses changes.
- // @@@ This is probably already done by the next layer up so we don't
- // really need to do it here again.
- loadPropertyList(true);
-
- // Do the searchList first since it might end up invoking defaultDLDbIdentifier() which can set
- // mLoginDLDbIdentifierSet and mDefaultDLDbIdentifierSet to true.
- if (mSearchListSet)
- {
- // Make a temporary CFArray with the contents of the vector
- if (mSearchList.size() == 1 && mSearchList[0] == defaultDLDbIdentifier() && mSearchList[0] == LoginDLDbIdentifier())
- {
- // The only element in the search list is the default keychain, which is a
- // post Jaguar style login keychain, so omit the entry from the prefs file.
- CFDictionaryRemoveValue(mPropertyList, kDefaultDLDbListKey);
- }
- else
- {
- CFMutableArrayRef searchArray = CFArrayCreateMutable(kCFAllocatorDefault, mSearchList.size(), &kCFTypeArrayCallBacks);
- for (DLDbList::const_iterator ix=mSearchList.begin();ix!=mSearchList.end();ix++)
- {
- CFDictionaryRef aDict = dlDbIdentifierToCFDictionaryRef(*ix);
- CFArrayAppendValue(searchArray, aDict);
- CFRelease(aDict);
- }
-
- CFDictionarySetValue(mPropertyList, kDefaultDLDbListKey, searchArray);
- CFRelease(searchArray);
- }
- }
-
- if (mLoginDLDbIdentifierSet)
- {
- // Make a temporary CFArray with the login keychain
- CFArrayRef loginArray = NULL;
- if (!mLoginDLDbIdentifier)
- {
- loginArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
- }
- else if (!(mLoginDLDbIdentifier == LoginDLDbIdentifier()))
- {
- CFDictionaryRef aDict = dlDbIdentifierToCFDictionaryRef(mLoginDLDbIdentifier);
- const void *value = reinterpret_cast<const void *>(aDict);
- loginArray = CFArrayCreate(kCFAllocatorDefault, &value, 1, &kCFTypeArrayCallBacks);
- CFRelease(aDict);
- }
-
- if (loginArray)
- {
- CFDictionarySetValue(mPropertyList, kLoginKeychainKey, loginArray);
- CFRelease(loginArray);
- }
- else
- CFDictionaryRemoveValue(mPropertyList, kLoginKeychainKey);
- }
-
- if (mDefaultDLDbIdentifierSet)
- {
- // Make a temporary CFArray with the default keychain
- CFArrayRef defaultArray = NULL;
- if (!mDefaultDLDbIdentifier)
- {
- defaultArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
- }
- else if (!(mDefaultDLDbIdentifier == LoginDLDbIdentifier()))
- {
- CFDictionaryRef aDict = dlDbIdentifierToCFDictionaryRef(mDefaultDLDbIdentifier);
- const void *value = reinterpret_cast<const void *>(aDict);
- defaultArray = CFArrayCreate(kCFAllocatorDefault, &value, 1, &kCFTypeArrayCallBacks);
- CFRelease(aDict);
- }
-
- if (defaultArray)
- {
- CFDictionarySetValue(mPropertyList, kDefaultKeychainKey, defaultArray);
- CFRelease(defaultArray);
- }
- else
- CFDictionaryRemoveValue(mPropertyList, kDefaultKeychainKey);
- }
-
- writePropertyList();
- changed(false);
-}
-
-
-//----------------------------------------------------------------------
-// Conversions
-//----------------------------------------------------------------------
-
-DLDbIdentifier DLDbListCFPref::LoginDLDbIdentifier()
-{
- CSSM_VERSION theVersion={};
- CssmSubserviceUid ssuid(gGuidAppleCSPDL,&theVersion,0,CSSM_SERVICE_DL|CSSM_SERVICE_CSP);
- CssmNetAddress *dbLocation=NULL;
-
- switch (mDomain) {
- case kSecPreferencesDomainUser:
- return DLDbIdentifier(ssuid, ExpandTildesInPath(kUserLoginKeychainPath).c_str(), dbLocation);
- default:
- assert(false);
- case kSecPreferencesDomainSystem:
- case kSecPreferencesDomainCommon:
- return DLDbIdentifier(ssuid, kSystemLoginKeychainPath, dbLocation);
- }
-}
-
-DLDbIdentifier DLDbListCFPref::JaguarLoginDLDbIdentifier()
-{
- CSSM_VERSION theVersion={};
- CssmSubserviceUid ssuid(gGuidAppleCSPDL,&theVersion,0,CSSM_SERVICE_DL|CSSM_SERVICE_CSP);
- CssmNetAddress *dbLocation=NULL;
-
- switch (mDomain) {
- case kSecPreferencesDomainUser:
- {
- string basepath = ExpandTildesInPath(kLoginKeychainPathPrefix) + getPwInfo(kUsername);
- return DLDbIdentifier(ssuid,basepath.c_str(),dbLocation);
- }
- case kSecPreferencesDomainSystem:
- case kSecPreferencesDomainCommon:
- return DLDbIdentifier(ssuid, kSystemLoginKeychainPath, dbLocation);
- default:
- assert(false);
- return DLDbIdentifier();
- }
-}
-
-DLDbIdentifier DLDbListCFPref::makeDLDbIdentifier (const CSSM_GUID &guid, const CSSM_VERSION &version,
- uint32 subserviceId, CSSM_SERVICE_TYPE subserviceType,
- const char* dbName, CSSM_NET_ADDRESS *dbLocation)
-{
- CssmSubserviceUid ssuid (guid, &version, subserviceId, subserviceType);
- return DLDbIdentifier (ssuid, ExpandTildesInPath (dbName).c_str (), dbLocation);
-}
-
-DLDbIdentifier DLDbListCFPref::cfDictionaryRefToDLDbIdentifier(CFDictionaryRef theDict)
-{
- // We must get individual values from the dictionary and store in basic types
- if (CFGetTypeID(theDict) != CFDictionaryGetTypeID())
- throw std::logic_error("wrong type in property list");
-
- // GUID
- CCFValue vGuid(::CFDictionaryGetValue(theDict,kKeyGUID));
- string guidStr=vGuid;
- const Guid guid(guidStr.c_str());
-
- //CSSM_VERSION
- CSSM_VERSION theVersion={0,};
- CCFValue vMajor(::CFDictionaryGetValue(theDict,kKeyMajorVersion));
- theVersion.Major = vMajor;
- CCFValue vMinor(::CFDictionaryGetValue(theDict,kKeyMinorVersion));
- theVersion.Minor = vMinor;
-
- //subserviceId
- CCFValue vSsid(::CFDictionaryGetValue(theDict,kKeySubserviceId));
- uint32 subserviceId=sint32(vSsid);
-
- //CSSM_SERVICE_TYPE
- CSSM_SERVICE_TYPE subserviceType=CSSM_SERVICE_DL;
- CCFValue vSsType(::CFDictionaryGetValue(theDict,kKeySubserviceType));
- subserviceType=vSsType;
-
- // Get DbName from dictionary
- CCFValue vDbName(::CFDictionaryGetValue(theDict,kKeyDbName));
- string dbName=vDbName;
-
- // jch Get DbLocation from dictionary
- CssmNetAddress *dbLocation=NULL;
-
- return makeDLDbIdentifier (guid, theVersion, subserviceId, subserviceType, dbName.c_str (), dbLocation);
-}
-
-void DLDbListCFPref::clearPWInfo ()
-{
- if (mPdbLookup != NULL)
- {
- delete mPdbLookup;
- mPdbLookup = NULL;
- }
-}
-
-string DLDbListCFPref::getPwInfo(PwInfoType type)
-{
- const char *value;
- switch (type)
- {
- case kHomeDir:
- if (KeychainHomeFromXPC) {
- value = xpc_string_get_string_ptr(KeychainHomeFromXPC);
- } else {
- value = getenv("HOME");
- }
- if (value)
- return value;
- break;
- case kUsername:
- value = getenv("USER");
- if (value)
- return value;
- break;
- }
-
- // Get our effective uid
- uid_t uid = geteuid();
- // If we are setuid root use the real uid instead
- if (!uid) uid = getuid();
-
- // get the password entries
- if (mPdbLookup == NULL)
- {
- mPdbLookup = new PasswordDBLookup ();
- }
-
- mPdbLookup->lookupInfoOnUID (uid);
-
- string result;
- switch (type)
- {
- case kHomeDir:
- result = mPdbLookup->getDirectory ();
- break;
- case kUsername:
- result = mPdbLookup->getName ();
- break;
- }
-
- return result;
-}
-
-static void check_app_sandbox()
-{
- if (!_xpc_runtime_is_app_sandboxed()) {
- // We are not in a sandbox, no work to do here
- return;
- }
-
- extern xpc_object_t xpc_create_with_format(const char * format, ...);
- xpc_connection_t con = xpc_connection_create("com.apple.security.XPCKeychainSandboxCheck", NULL);
- xpc_connection_set_event_handler(con, ^(xpc_object_t event) {
- xpc_type_t xtype = xpc_get_type(event);
- if (XPC_TYPE_ERROR == xtype) {
- syslog(LOG_ERR, "Keychain sandbox connection error: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
- } else {
- syslog(LOG_ERR, "Keychain sandbox unexpected connection event %p\n", event);
- }
- });
- xpc_connection_resume(con);
-
- xpc_object_t message = xpc_create_with_format("{op: GrantKeychainPaths}");
- xpc_object_t reply = xpc_connection_send_message_with_reply_sync(con, message);
- xpc_type_t xtype = xpc_get_type(reply);
- if (XPC_TYPE_DICTIONARY == xtype) {
-#if 0
- // This is useful for debugging.
- char *debug = xpc_copy_description(reply);
- syslog(LOG_ERR, "DEBUG (KCsandbox) %s\n", debug);
- free(debug);
-#endif
-
- xpc_object_t extensions_array = xpc_dictionary_get_value(reply, "extensions");
- xpc_array_apply(extensions_array, ^(size_t index, xpc_object_t extension) {
- char pbuf[MAXPATHLEN];
- char *path = pbuf;
- int status = sandbox_consume_fs_extension(xpc_string_get_string_ptr(extension), &path);
- if (status) {
- syslog(LOG_ERR, "Keychain sandbox consume extension error: s=%d p=%s %m\n", status, path);
- }
- status = sandbox_release_fs_extension(xpc_string_get_string_ptr(extension));
- if (status) {
- syslog(LOG_ERR, "Keychain sandbox release extension error: s=%d p=%s %m\n", status, path);
- }
-
- return (bool)true;
- });
-
- KeychainHomeFromXPC = xpc_dictionary_get_value(reply, "keychain-home");
- xpc_retain(KeychainHomeFromXPC);
- xpc_release(con);
- } else if (XPC_TYPE_ERROR == xtype) {
- syslog(LOG_ERR, "Keychain sandbox message error: %s\n", xpc_dictionary_get_string(reply, XPC_ERROR_KEY_DESCRIPTION));
- } else {
- syslog(LOG_ERR, "Keychain sandbox unexpected message reply type %p\n", xtype);
- }
- xpc_release(message);
- xpc_release(reply);
-}
-
-
-
-string DLDbListCFPref::ExpandTildesInPath(const string &inPath)
-{
- dispatch_once(&AppSandboxChecked, ^{
- check_app_sandbox();
- });
-
- if ((short)inPath.find("~/",0,2) == 0)
- return getPwInfo(kHomeDir) + inPath.substr(1, inPath.length() - 1);
- else
- return inPath;
-}
-
-string DLDbListCFPref::StripPathStuff(const string &inPath)
-{
- if (inPath.find("/private/var/automount/Network/",0,31) == 0)
- return inPath.substr(22);
- if (inPath.find("/private/automount/Servers/",0,27) == 0)
- return "/Network" + inPath.substr(18);
- if (inPath.find("/automount/Servers/",0,19) == 0)
- return "/Network" + inPath.substr(10);
- if (inPath.find("/private/automount/Network/",0,27) == 0)
- return inPath.substr(18);
- if (inPath.find("/automount/Network/",0,19) == 0)
- return inPath.substr(10);
- if (inPath.find("/private/Network/",0,17) == 0)
- return inPath.substr(8);
- return inPath;
-}
-
-string DLDbListCFPref::AbbreviatedPath(const string &inPath)
-{
- string path = StripPathStuff(inPath);
- string home = StripPathStuff(getPwInfo(kHomeDir) + "/");
- size_t homeLen = home.length();
-
- if (homeLen > 1 && path.find(home.c_str(), 0, homeLen) == 0)
- return "~" + path.substr(homeLen - 1);
- else
- return path;
-}
-
-CFDictionaryRef DLDbListCFPref::dlDbIdentifierToCFDictionaryRef(const DLDbIdentifier& dldbIdentifier)
-{
- CFRef<CFMutableDictionaryRef> aDict(CFDictionaryCreateMutable(kCFAllocatorDefault,0,
- &kCFTypeDictionaryKeyCallBacks,&kCFTypeDictionaryValueCallBacks));
- if (!aDict)
- throw ::std::bad_alloc();
-
- // Put SUBSERVICE_UID in dictionary
- char buffer[Guid::stringRepLength+1];
- const CssmSubserviceUid& ssuid=dldbIdentifier.ssuid();
- const Guid &theGuid = Guid::overlay(ssuid.Guid);
- CFRef<CFStringRef> stringGuid(::CFStringCreateWithCString(kCFAllocatorDefault,
- theGuid.toString(buffer),kCFStringEncodingMacRoman));
- if (stringGuid)
- ::CFDictionarySetValue(aDict,kKeyGUID,stringGuid);
-
- if (ssuid.SubserviceId!=0)
- {
- CFRef<CFNumberRef> subserviceId(::CFNumberCreate(kCFAllocatorDefault,kCFNumberSInt32Type,&ssuid.SubserviceId));
- if (subserviceId)
- ::CFDictionarySetValue(aDict,kKeySubserviceId,subserviceId);
- }
- if (ssuid.SubserviceType!=0)
- {
- CFRef<CFNumberRef> subserviceType(CFNumberCreate(kCFAllocatorDefault,kCFNumberSInt32Type,&ssuid.SubserviceType));
- if (subserviceType)
- ::CFDictionarySetValue(aDict,kKeySubserviceType,subserviceType);
- }
- if (ssuid.Version.Major!=0 && ssuid.Version.Minor!=0)
- {
- CFRef<CFNumberRef> majorVersion(::CFNumberCreate(kCFAllocatorDefault,kCFNumberSInt32Type,&ssuid.Version.Major));
- if (majorVersion)
- ::CFDictionarySetValue(aDict,kKeyMajorVersion,majorVersion);
- CFRef<CFNumberRef> minorVersion(::CFNumberCreate(kCFAllocatorDefault,kCFNumberSInt32Type,&ssuid.Version.Minor));
- if (minorVersion)
- ::CFDictionarySetValue(aDict,kKeyMinorVersion,minorVersion);
- }
-
- // Put DbName in dictionary
- const char *dbName=dldbIdentifier.dbName();
- if (dbName)
- {
- CFRef<CFStringRef> theDbName(::CFStringCreateWithCString(kCFAllocatorDefault,AbbreviatedPath(dbName).c_str(),kCFStringEncodingUTF8));
- ::CFDictionarySetValue(aDict,kKeyDbName,theDbName);
- }
- // Put DbLocation in dictionary
- const CSSM_NET_ADDRESS *dbLocation=dldbIdentifier.dbLocation();
- if (dbLocation!=NULL && dbLocation->AddressType!=CSSM_ADDR_NONE)
- {
- CFRef<CFDataRef> theData(::CFDataCreate(kCFAllocatorDefault,dbLocation->Address.Data,dbLocation->Address.Length));
- if (theData)
- ::CFDictionarySetValue(aDict,kKeyDbLocation,theData);
- }
-
- ::CFRetain(aDict);
- return aDict;
-}
-
-bool DLDbListCFPref::revert(bool force)
-{
- // If the prefs have not been refreshed in the last kDLDbListCFPrefRevertInterval
- // seconds or we are asked to force a reload, then reload.
- if (!loadPropertyList(force))
- return false;
-
- resetCachedValues();
- return true;
-}
-
-void
-DLDbListCFPref::add(const DLDbIdentifier &dldbIdentifier)
-{
- // convert the location specified in dldbIdentifier to a standard form
- // make a canonical form of the database name
- std::string canon = ExpandTildesInPath(AbbreviatedPath(dldbIdentifier.dbName()).c_str());
-
- DLDbIdentifier localIdentifier (dldbIdentifier.ssuid(), canon.c_str(), dldbIdentifier.dbLocation ());
-
- if (member(localIdentifier))
- return;
-
- mSearchList.push_back(localIdentifier);
- changed(true);
-}
-
-void
-DLDbListCFPref::remove(const DLDbIdentifier &dldbIdentifier)
-{
- // Make sure mSearchList is set
- searchList();
- for (vector<DLDbIdentifier>::iterator ix = mSearchList.begin(); ix != mSearchList.end(); ++ix)
- {
- if (*ix==dldbIdentifier) // found in list
- {
- mSearchList.erase(ix);
- changed(true);
- break;
- }
- }
-}
-
-void
-DLDbListCFPref::rename(const DLDbIdentifier &oldId, const DLDbIdentifier &newId)
-{
- // Make sure mSearchList is set
- searchList();
- for (vector<DLDbIdentifier>::iterator ix = mSearchList.begin();
- ix != mSearchList.end(); ++ix)
- {
- if (*ix==oldId)
- {
- // replace oldId with newId
- *ix = newId;
- changed(true);
- }
- else if (*ix==newId)
- {
- // remove newId except where we just inserted it
- mSearchList.erase(ix);
- changed(true);
- }
- }
-}
-
-bool
-DLDbListCFPref::member(const DLDbIdentifier &dldbIdentifier)
-{
- if (dldbIdentifier.IsImplEmpty())
- {
- return false;
- }
-
- for (vector<DLDbIdentifier>::const_iterator ix = searchList().begin(); ix != mSearchList.end(); ++ix)
- {
- if (ix->mImpl == NULL)
- {
- continue;
- }
-
- // compare the dldbIdentifiers based on the full, real path to the keychain
- if (ix->ssuid() == dldbIdentifier.ssuid())
- {
- char localPath[PATH_MAX],
- inPath[PATH_MAX];
-
- // try to resolve these down to a canonical form
- const char* localPathPtr = cached_realpath(ix->dbName(), localPath);
- const char* inPathPtr = cached_realpath(dldbIdentifier.dbName(), inPath);
-
- // if either of the paths didn't resolve for some reason, use the originals
- if (localPathPtr == NULL)
- {
- localPathPtr = ix->dbName();
- }
-
- if (inPathPtr == NULL)
- {
- inPathPtr = dldbIdentifier.dbName();
- }
-
- if (strcmp(localPathPtr, inPathPtr) == 0)
- {
- return true;
- }
- }
- }
-
- return false;
-}
-
-const vector<DLDbIdentifier> &
-DLDbListCFPref::searchList()
-{
- if (!mSearchListSet)
- {
- CFArrayRef searchList = reinterpret_cast<CFArrayRef>(CFDictionaryGetValue(mPropertyList, kDefaultDLDbListKey));
- if (searchList && CFGetTypeID(searchList) != CFArrayGetTypeID())
- searchList = NULL;
-
- if (searchList)
- {
- CFIndex top = CFArrayGetCount(searchList);
- // Each entry is a CFDictionary; peel it off & add it to the array
- for (CFIndex idx = 0; idx < top; ++idx)
- {
- CFDictionaryRef theDict = reinterpret_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(searchList, idx));
- try
- {
- mSearchList.push_back(cfDictionaryRefToDLDbIdentifier(theDict));
- }
- catch (...)
- {
- // Drop stuff that doesn't parse on the floor.
- }
- }
-
- // If there were entries specified, but they were invalid revert to using the
- // default keychain in the searchlist.
- if (top > 0 && mSearchList.size() == 0)
- searchList = NULL;
- }
-
- // The default when no search list is specified is to only search the
- // default keychain.
- if (!searchList && static_cast<bool>(defaultDLDbIdentifier()))
- mSearchList.push_back(mDefaultDLDbIdentifier);
-
- mSearchListSet = true;
- }
-
- return mSearchList;
-}
-
-void
-DLDbListCFPref::searchList(const vector<DLDbIdentifier> &searchList)
-{
- vector<DLDbIdentifier> newList(searchList);
- mSearchList.swap(newList);
- mSearchListSet = true;
- changed(true);
-}
-
-void
-DLDbListCFPref::defaultDLDbIdentifier(const DLDbIdentifier &dlDbIdentifier)
-{
- if (!(defaultDLDbIdentifier() == dlDbIdentifier))
- {
- mDefaultDLDbIdentifier = dlDbIdentifier;
- changed(true);
- }
-}
-
-const DLDbIdentifier &
-DLDbListCFPref::defaultDLDbIdentifier()
-{
-
- if (!mDefaultDLDbIdentifierSet)
- {
- CFArrayRef defaultArray = reinterpret_cast<CFArrayRef>(CFDictionaryGetValue(mPropertyList, kDefaultKeychainKey));
- if (defaultArray && CFGetTypeID(defaultArray) != CFArrayGetTypeID())
- defaultArray = NULL;
-
- if (defaultArray && CFArrayGetCount(defaultArray) > 0)
- {
- CFDictionaryRef defaultDict = reinterpret_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(defaultArray, 0));
- try
- {
- secdebug("secpref", "getting default DLDbIdentifier from defaultDict");
- mDefaultDLDbIdentifier = cfDictionaryRefToDLDbIdentifier(defaultDict);
- secdebug("secpref", "now we think the default keychain is %s", (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>");
- }
- catch (...)
- {
- // If defaultArray doesn't parse fall back on the default way of getting the default keychain
- defaultArray = NULL;
- }
- }
-
- if (!defaultArray)
- {
-
- // If the Panther style login keychain actually exists we use that otherwise no
- // default is set.
- mDefaultDLDbIdentifier = loginDLDbIdentifier();
- secdebug("secpref", "now we think the default keychain is: %s", (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() :
- "Name doesn't exist");
-
- struct stat st;
- int st_result = -1;
-
- if (mDefaultDLDbIdentifier.mImpl != NULL)
- {
- st_result = stat(mDefaultDLDbIdentifier.dbName(), &st);
- }
-
- if (st_result)
- {
- secdebug("secpref", "stat(%s) -> %d", mDefaultDLDbIdentifier.dbName(), st_result);
- mDefaultDLDbIdentifier = DLDbIdentifier(); // initialize a NULL keychain
- secdebug("secpref", "after DLDbIdentifier(), we think the default keychain is %s", static_cast<bool>(mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>");
- }
- }
-
- mDefaultDLDbIdentifierSet = true;
- }
-
-
- return mDefaultDLDbIdentifier;
-}
-
-void
-DLDbListCFPref::loginDLDbIdentifier(const DLDbIdentifier &dlDbIdentifier)
-{
- if (!(loginDLDbIdentifier() == dlDbIdentifier))
- {
- mLoginDLDbIdentifier = dlDbIdentifier;
- changed(true);
- }
-}
-
-const DLDbIdentifier &
-DLDbListCFPref::loginDLDbIdentifier()
-{
- if (!mLoginDLDbIdentifierSet)
- {
- CFArrayRef loginArray = reinterpret_cast<CFArrayRef>(CFDictionaryGetValue(mPropertyList, kLoginKeychainKey));
- if (loginArray && CFGetTypeID(loginArray) != CFArrayGetTypeID())
- loginArray = NULL;
-
- if (loginArray && CFArrayGetCount(loginArray) > 0)
- {
- CFDictionaryRef loginDict = reinterpret_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(loginArray, 0));
- try
- {
- secdebug("secpref", "Getting login DLDbIdentifier from loginDict");
- mLoginDLDbIdentifier = cfDictionaryRefToDLDbIdentifier(loginDict);
- secdebug("secpref", "we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>");
- }
- catch (...)
- {
- // If loginArray doesn't parse fall back on the default way of getting the login keychain.
- loginArray = NULL;
- }
- }
-
- if (!loginArray)
- {
- mLoginDLDbIdentifier = LoginDLDbIdentifier();
- secdebug("secpref", "after LoginDLDbIdentifier(), we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>");
- }
-
- mLoginDLDbIdentifierSet = true;
- }
-
- return mLoginDLDbIdentifier;
-}
projects / apple / security.git / blobdiff