+++ /dev/null
-/*
- * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- File: StorageManager.cpp
-
- Contains: Working with multiple keychains
-
-*/
-
-#include "StorageManager.h"
-#include "KCEventNotifier.h"
-
-#include <Security/cssmapple.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <algorithm>
-#include <string>
-#include <stdio.h>
-//#include <Security/AuthorizationTags.h>
-//#include <Security/AuthSession.h>
-#include <security_utilities/debugging.h>
-#include <security_keychain/SecCFTypes.h>
-//#include <Security/SecurityAgentClient.h>
-#include <securityd_client/ssclient.h>
-#include <Security/AuthorizationTags.h>
-#include <Security/AuthorizationTagsPriv.h>
-#include <Security/SecTask.h>
-#include <security_keychain/SecCFTypes.h>
-#include "TrustSettingsSchema.h"
-#include <security_cdsa_client/wrapkey.h>
-
-//%%% add this to AuthorizationTagsPriv.h later
-#ifndef AGENT_HINT_LOGIN_KC_SUPPRESS_RESET_PANEL
-#define AGENT_HINT_LOGIN_KC_SUPPRESS_RESET_PANEL "loginKCCreate:suppressResetPanel"
-#endif
-
-#include "KCCursor.h"
-#include "Globals.h"
-
-
-using namespace CssmClient;
-using namespace KeychainCore;
-
-#define kLoginKeychainPathPrefix "~/Library/Keychains/"
-#define kUserLoginKeychainPath "~/Library/Keychains/login.keychain"
-#define kEmptyKeychainSizeInBytes 20460
-
-//-----------------------------------------------------------------------------------
-
-static SecPreferencesDomain defaultPreferenceDomain()
-{
- SessionAttributeBits sessionAttrs;
- if (gServerMode) {
- secdebug("servermode", "StorageManager initialized in server mode");
- sessionAttrs = sessionIsRoot;
- } else {
- MacOSError::check(SessionGetInfo(callerSecuritySession, NULL, &sessionAttrs));
- }
-
- // If this is the root session, use system preferences.
- // (In SecurityServer debug mode, you'll get a (fake) root session
- // that has graphics access. Ignore that to help testing.)
- if ((sessionAttrs & sessionIsRoot)
- IFDEBUG( && !(sessionAttrs & sessionHasGraphicAccess))) {
- secdebug("storagemgr", "using system preferences");
- return kSecPreferencesDomainSystem;
- }
-
- // otherwise, use normal (user) preferences
- return kSecPreferencesDomainUser;
-}
-
-static bool isAppSandboxed()
-{
- bool result = false;
- SecTaskRef task = SecTaskCreateFromSelf(NULL);
- if(task != NULL) {
- CFTypeRef appSandboxValue = SecTaskCopyValueForEntitlement(task,
- CFSTR("com.apple.security.app-sandbox"), NULL);
- if(appSandboxValue != NULL) {
- result = true;
- CFRelease(appSandboxValue);
- }
- CFRelease(task);
- }
- return result;
-}
-
-static bool shouldAddToSearchList(const DLDbIdentifier &dLDbIdentifier)
-{
- // Creation of a private keychain should not modify the search list: rdar://13529331
- // However, we want to ensure the login and System keychains are in
- // the search list if that is not the case when they are created.
- // Note that App Sandbox apps may not modify the list in either case.
-
- bool loginOrSystemKeychain = false;
- const char *dbname = dLDbIdentifier.dbName();
- if (dbname) {
- if ((!strcmp(dbname, "/Library/Keychains/System.keychain")) ||
- (strstr(dbname, "/login.keychain")) ) {
- loginOrSystemKeychain = true;
- }
- }
- return (loginOrSystemKeychain && !isAppSandboxed());
-}
-
-
-StorageManager::StorageManager() :
- mSavedList(defaultPreferenceDomain()),
- mCommonList(kSecPreferencesDomainCommon),
- mDomain(kSecPreferencesDomainUser),
- mMutex(Mutex::recursive)
-{
-}
-
-
-Mutex*
-StorageManager::getStorageManagerMutex()
-{
- return &mKeychainMapMutex;
-}
-
-
-Keychain
-StorageManager::keychain(const DLDbIdentifier &dLDbIdentifier)
-{
- StLock<Mutex>_(mKeychainMapMutex);
-
- if (!dLDbIdentifier)
- return Keychain();
-
- KeychainMap::iterator it = mKeychains.find(dLDbIdentifier);
- if (it != mKeychains.end())
- {
- if (it->second == NULL) // cleared by weak reference?
- {
- mKeychains.erase(it);
- }
- else
- {
- return it->second;
- }
- }
-
- if (gServerMode) {
- secdebug("servermode", "keychain reference in server mode");
- return Keychain();
- }
-
- // The keychain is not in our cache. Create it.
- Module module(dLDbIdentifier.ssuid().guid());
- DL dl;
- if (dLDbIdentifier.ssuid().subserviceType() & CSSM_SERVICE_CSP)
- dl = SSCSPDL(module);
- else
- dl = DL(module);
-
- dl->subserviceId(dLDbIdentifier.ssuid().subserviceId());
- dl->version(dLDbIdentifier.ssuid().version());
- Db db(dl, dLDbIdentifier.dbName());
-
- Keychain keychain(db);
- // Add the keychain to the cache.
- mKeychains.insert(KeychainMap::value_type(dLDbIdentifier, &*keychain));
- keychain->inCache(true);
-
- return keychain;
-}
-
-void
-StorageManager::removeKeychain(const DLDbIdentifier &dLDbIdentifier,
- KeychainImpl *keychainImpl)
-{
- // Lock the recursive mutex
-
- StLock<Mutex>_(mKeychainMapMutex);
-
- KeychainMap::iterator it = mKeychains.find(dLDbIdentifier);
- if (it != mKeychains.end() && (KeychainImpl*) it->second == keychainImpl)
- mKeychains.erase(it);
-
- keychainImpl->inCache(false);
-}
-
-void
-StorageManager::didRemoveKeychain(const DLDbIdentifier &dLDbIdentifier)
-{
- // Lock the recursive mutex
-
- StLock<Mutex>_(mKeychainMapMutex);
-
- KeychainMap::iterator it = mKeychains.find(dLDbIdentifier);
- if (it != mKeychains.end())
- {
- if (it->second != NULL) // did we get zapped by weak reference destruction
- {
- KeychainImpl *keychainImpl = it->second;
- keychainImpl->inCache(false);
- }
-
- mKeychains.erase(it);
- }
-}
-
-// Create keychain if it doesn't exist, and optionally add it to the search list.
-Keychain
-StorageManager::makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add)
-{
- StLock<Mutex>_(mKeychainMapMutex);
-
- Keychain theKeychain = keychain(dLDbIdentifier);
- bool post = false;
- bool updateList = (add && shouldAddToSearchList(dLDbIdentifier));
-
- if (updateList)
- {
- mSavedList.revert(false);
- DLDbList searchList = mSavedList.searchList();
- if (find(searchList.begin(), searchList.end(), dLDbIdentifier) != searchList.end())
- return theKeychain; // theKeychain is already in the searchList.
-
- mCommonList.revert(false);
- searchList = mCommonList.searchList();
- if (find(searchList.begin(), searchList.end(), dLDbIdentifier) != searchList.end())
- return theKeychain; // theKeychain is already in the commonList don't add it to the searchList.
-
- // If theKeychain doesn't exist don't bother adding it to the search list yet.
- if (!theKeychain->exists())
- return theKeychain;
-
- // theKeychain exists and is not in our search list, so add it to the
- // search list.
- mSavedList.revert(true);
- mSavedList.add(dLDbIdentifier);
- mSavedList.save();
- post = true;
- }
-
- if (post)
- {
- // Make sure we are not holding mStorageManagerLock anymore when we
- // post this event.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
-
- return theKeychain;
-}
-
-// Be notified a Keychain just got created.
-void
-StorageManager::created(const Keychain &keychain)
-{
- StLock<Mutex>_(mKeychainMapMutex);
-
- DLDbIdentifier dLDbIdentifier = keychain->dlDbIdentifier();
- bool defaultChanged = false;
- bool updateList = shouldAddToSearchList(dLDbIdentifier);
-
- if (updateList)
- {
- mSavedList.revert(true);
- // If we don't have a default Keychain yet. Make the newly created
- // keychain the default.
- if (!mSavedList.defaultDLDbIdentifier())
- {
- mSavedList.defaultDLDbIdentifier(dLDbIdentifier);
- defaultChanged = true;
- }
-
- // Add the keychain to the search list prefs.
- mSavedList.add(dLDbIdentifier);
- mSavedList.save();
-
- // Make sure we are not holding mLock when we post these events.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
-
- if (defaultChanged)
- {
- KCEventNotifier::PostKeychainEvent(kSecDefaultChangedEvent, dLDbIdentifier);
- }
-}
-
-KCCursor
-StorageManager::createCursor(SecItemClass itemClass,
- const SecKeychainAttributeList *attrList)
-{
- StLock<Mutex>_(mMutex);
-
- KeychainList searchList;
- getSearchList(searchList);
- return KCCursor(searchList, itemClass, attrList);
-}
-
-KCCursor
-StorageManager::createCursor(const SecKeychainAttributeList *attrList)
-{
- StLock<Mutex>_(mMutex);
-
- KeychainList searchList;
- getSearchList(searchList);
- return KCCursor(searchList, attrList);
-}
-
-void
-StorageManager::lockAll()
-{
- StLock<Mutex>_(mMutex);
-
- SecurityServer::ClientSession ss(Allocator::standard(), Allocator::standard());
- ss.lockAll (false);
-}
-
-Keychain
-StorageManager::defaultKeychain()
-{
- StLock<Mutex>_(mMutex);
-
- Keychain theKeychain;
- CFTypeRef ref;
-
- {
- mSavedList.revert(false);
- DLDbIdentifier defaultDLDbIdentifier(mSavedList.defaultDLDbIdentifier());
- if (defaultDLDbIdentifier)
- {
- theKeychain = keychain(defaultDLDbIdentifier);
- ref = theKeychain->handle(false);
- }
- }
-
- if (theKeychain /* && theKeychain->exists() */)
- return theKeychain;
-
- MacOSError::throwMe(errSecNoDefaultKeychain);
-}
-
-void
-StorageManager::defaultKeychain(const Keychain &keychain)
-{
- StLock<Mutex>_(mMutex);
-
- // Only set a keychain as the default if we own it and can read/write it,
- // and our uid allows modifying the directory for that preference domain.
- if (!keychainOwnerPermissionsValidForDomain(keychain->name(), mDomain))
- MacOSError::throwMe(errSecWrPerm);
-
- DLDbIdentifier oldDefaultId;
- DLDbIdentifier newDefaultId(keychain->dlDbIdentifier());
- {
- oldDefaultId = mSavedList.defaultDLDbIdentifier();
- mSavedList.revert(true);
- mSavedList.defaultDLDbIdentifier(newDefaultId);
- mSavedList.save();
- }
-
- if (!(oldDefaultId == newDefaultId))
- {
- // Make sure we are not holding mLock when we post this event.
- KCEventNotifier::PostKeychainEvent(kSecDefaultChangedEvent, newDefaultId);
- }
-}
-
-Keychain
-StorageManager::defaultKeychain(SecPreferencesDomain domain)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- if (domain == mDomain)
- return defaultKeychain();
- else
- {
- DLDbIdentifier defaultDLDbIdentifier(DLDbListCFPref(domain).defaultDLDbIdentifier());
- if (defaultDLDbIdentifier)
- return keychain(defaultDLDbIdentifier);
-
- MacOSError::throwMe(errSecNoDefaultKeychain);
- }
-}
-
-void
-StorageManager::defaultKeychain(SecPreferencesDomain domain, const Keychain &keychain)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- if (domain == mDomain)
- defaultKeychain(keychain);
- else
- DLDbListCFPref(domain).defaultDLDbIdentifier(keychain->dlDbIdentifier());
-}
-
-Keychain
-StorageManager::loginKeychain()
-{
- StLock<Mutex>_(mMutex);
-
- Keychain theKeychain;
- {
- mSavedList.revert(false);
- DLDbIdentifier loginDLDbIdentifier(mSavedList.loginDLDbIdentifier());
- if (loginDLDbIdentifier)
- {
- theKeychain = keychain(loginDLDbIdentifier);
- }
- }
-
- if (theKeychain && theKeychain->exists())
- return theKeychain;
-
- MacOSError::throwMe(errSecNoSuchKeychain);
-}
-
-void
-StorageManager::loginKeychain(Keychain keychain)
-{
- StLock<Mutex>_(mMutex);
-
- mSavedList.revert(true);
- mSavedList.loginDLDbIdentifier(keychain->dlDbIdentifier());
- mSavedList.save();
-}
-
-size_t
-StorageManager::size()
-{
- StLock<Mutex>_(mMutex);
-
- mSavedList.revert(false);
- mCommonList.revert(false);
- return mSavedList.searchList().size() + mCommonList.searchList().size();
-}
-
-Keychain
-StorageManager::at(unsigned int ix)
-{
- StLock<Mutex>_(mMutex);
-
- mSavedList.revert(false);
- DLDbList dLDbList = mSavedList.searchList();
- if (ix < dLDbList.size())
- {
- return keychain(dLDbList[ix]);
- }
- else
- {
- ix -= dLDbList.size();
- mCommonList.revert(false);
- DLDbList commonList = mCommonList.searchList();
- if (ix >= commonList.size())
- MacOSError::throwMe(errSecInvalidKeychain);
-
- return keychain(commonList[ix]);
- }
-}
-
-Keychain
-StorageManager::operator[](unsigned int ix)
-{
- StLock<Mutex>_(mMutex);
-
- return at(ix);
-}
-
-void StorageManager::rename(Keychain keychain, const char* newName)
-{
-
- StLock<Mutex>_(mKeychainMapMutex);
-
- bool changedDefault = false;
- DLDbIdentifier newDLDbIdentifier;
- {
- mSavedList.revert(true);
- DLDbIdentifier defaultId = mSavedList.defaultDLDbIdentifier();
-
- // Find the keychain object for the given ref
- DLDbIdentifier dLDbIdentifier = keychain->dlDbIdentifier();
-
- // Actually rename the database on disk.
- keychain->database()->rename(newName);
-
- if (dLDbIdentifier == defaultId)
- changedDefault=true;
-
- newDLDbIdentifier = keychain->dlDbIdentifier();
- // Rename the keychain in the search list.
- mSavedList.rename(dLDbIdentifier, newDLDbIdentifier);
-
- // If this was the default keychain change it accordingly
- if (changedDefault)
- mSavedList.defaultDLDbIdentifier(newDLDbIdentifier);
-
- mSavedList.save();
-
- // we aren't worried about a weak reference here, because we have to
- // hold a lock on an item in order to do the rename
-
- // Now update the Keychain cache
- if (keychain->inCache())
- {
- KeychainMap::iterator it = mKeychains.find(dLDbIdentifier);
- if (it != mKeychains.end() && (KeychainImpl*) it->second == keychain.get())
- {
- // Remove the keychain from the cache under its old
- // dLDbIdentifier
- mKeychains.erase(it);
- }
- }
-
- // If we renamed this keychain on top of an existing one we should
- // drop the old one from the cache.
- KeychainMap::iterator it = mKeychains.find(newDLDbIdentifier);
- if (it != mKeychains.end())
- {
- Keychain oldKeychain(it->second);
- oldKeychain->inCache(false);
- // @@@ Ideally we should invalidate or fault this keychain object.
- }
-
- if (keychain->inCache())
- {
- // If the keychain wasn't in the cache to being with let's not put
- // it there now. There was probably a good reason it wasn't in it.
- // If the keychain was in the cache, update it to use
- // newDLDbIdentifier.
- mKeychains.insert(KeychainMap::value_type(newDLDbIdentifier,
- keychain));
- }
- }
-
- // Make sure we are not holding mLock when we post these events.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
-
- if (changedDefault)
- KCEventNotifier::PostKeychainEvent(kSecDefaultChangedEvent,
- newDLDbIdentifier);
-}
-
-void StorageManager::renameUnique(Keychain keychain, CFStringRef newName)
-{
- StLock<Mutex>_(mMutex);
-
- bool doneCreating = false;
- int index = 1;
- do
- {
- char newNameCString[MAXPATHLEN];
- if ( CFStringGetCString(newName, newNameCString, MAXPATHLEN, kCFStringEncodingUTF8) ) // make sure it fits in MAXPATHLEN, etc.
- {
- // Construct the new name...
- //
- CFMutableStringRef newNameCFStr = NULL;
- newNameCFStr = CFStringCreateMutable(NULL, MAXPATHLEN);
- if ( newNameCFStr )
- {
- CFStringAppendFormat(newNameCFStr, NULL, CFSTR("%s%d"), newNameCString, index);
- CFStringAppend(newNameCFStr, CFSTR(kKeychainSuffix)); // add .keychain
- char toUseBuff2[MAXPATHLEN];
- if ( CFStringGetCString(newNameCFStr, toUseBuff2, MAXPATHLEN, kCFStringEncodingUTF8) ) // make sure it fits in MAXPATHLEN, etc.
- {
- struct stat filebuf;
- if ( lstat(toUseBuff2, &filebuf) )
- {
- rename(keychain, toUseBuff2);
- KeychainList kcList;
- kcList.push_back(keychain);
- remove(kcList, false);
- doneCreating = true;
- }
- else
- index++;
- }
- else
- doneCreating = true; // failure to get c string.
- CFRelease(newNameCFStr);
- }
- else
- doneCreating = false; // failure to create mutable string.
- }
- else
- doneCreating = false; // failure to get the string (i.e. > MAXPATHLEN?)
- }
- while (!doneCreating && index != INT_MAX);
-}
-
-#define KEYCHAIN_SYNC_KEY CFSTR("KeychainSyncList")
-#define KEYCHAIN_SYNC_DOMAIN CFSTR("com.apple.keychainsync")
-
-static CFStringRef MakeExpandedPath (const char* path)
-{
- std::string name = DLDbListCFPref::ExpandTildesInPath (std::string (path));
- CFStringRef expanded = CFStringCreateWithCString (NULL, name.c_str (), 0);
- return expanded;
-}
-
-void StorageManager::removeKeychainFromSyncList (const DLDbIdentifier &id)
-{
- StLock<Mutex>_(mMutex);
-
- // make a CFString of our identifier
- const char* idname = id.dbName ();
- if (idname == NULL)
- {
- return;
- }
-
- CFRef<CFStringRef> idString = MakeExpandedPath (idname);
-
- // check and see if this keychain is in the keychain syncing list
- CFArrayRef value =
- (CFArrayRef) CFPreferencesCopyValue (KEYCHAIN_SYNC_KEY,
- KEYCHAIN_SYNC_DOMAIN,
- kCFPreferencesCurrentUser,
- kCFPreferencesAnyHost);
- if (value == NULL)
- {
- return;
- }
-
- // make a mutable copy of the dictionary
- CFRef<CFMutableArrayRef> mtValue = CFArrayCreateMutableCopy (NULL, 0, value);
- CFRelease (value);
-
- // walk the array, looking for the value
- CFIndex i;
- CFIndex limit = CFArrayGetCount (mtValue.get());
- bool found = false;
-
- for (i = 0; i < limit; ++i)
- {
- CFDictionaryRef idx = (CFDictionaryRef) CFArrayGetValueAtIndex (mtValue.get(), i);
- CFStringRef v = (CFStringRef) CFDictionaryGetValue (idx, CFSTR("DbName"));
- if (v == NULL)
- {
- return; // something is really wrong if this is taken
- }
-
- char* stringBuffer = NULL;
- const char* pathString = CFStringGetCStringPtr(v, 0);
- if (pathString == 0)
- {
- CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(v), kCFStringEncodingUTF8) + 1;
- stringBuffer = (char*) malloc(maxLen);
- CFStringGetCString(v, stringBuffer, maxLen, kCFStringEncodingUTF8);
- pathString = stringBuffer;
- }
-
- CFStringRef vExpanded = MakeExpandedPath(pathString);
- CFComparisonResult result = CFStringCompare (vExpanded, idString.get(), 0);
- if (stringBuffer != NULL)
- {
- free(stringBuffer);
- }
-
- CFRelease (vExpanded);
-
- if (result == 0)
- {
- CFArrayRemoveValueAtIndex (mtValue.get(), i);
- found = true;
- break;
- }
- }
-
- if (found)
- {
-#ifndef NDEBUG
- CFShow (mtValue.get());
-#endif
-
- CFPreferencesSetValue (KEYCHAIN_SYNC_KEY,
- mtValue,
- KEYCHAIN_SYNC_DOMAIN,
- kCFPreferencesCurrentUser,
- kCFPreferencesAnyHost);
- CFPreferencesSynchronize (KEYCHAIN_SYNC_DOMAIN, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
- }
-}
-
-void StorageManager::remove(const KeychainList &kcsToRemove, bool deleteDb)
-{
- StLock<Mutex>_(mMutex);
-
- bool unsetDefault = false;
- bool updateList = (!isAppSandboxed());
-
- if (updateList)
- {
- mSavedList.revert(true);
- DLDbIdentifier defaultId = mSavedList.defaultDLDbIdentifier();
- for (KeychainList::const_iterator ix = kcsToRemove.begin();
- ix != kcsToRemove.end(); ++ix)
- {
- // Find the keychain object for the given ref
- Keychain theKeychain = *ix;
- DLDbIdentifier dLDbIdentifier = theKeychain->dlDbIdentifier();
-
- // Remove it from the saved list
- mSavedList.remove(dLDbIdentifier);
- if (dLDbIdentifier == defaultId)
- unsetDefault=true;
-
- if (deleteDb)
- {
- removeKeychainFromSyncList (dLDbIdentifier);
-
- // Now remove it from the cache
- removeKeychain(dLDbIdentifier, theKeychain.get());
- }
- }
-
- if (unsetDefault)
- mSavedList.defaultDLDbIdentifier(DLDbIdentifier());
-
- mSavedList.save();
- }
-
- if (deleteDb)
- {
- // Delete the actual databases without holding any locks.
- for (KeychainList::const_iterator ix = kcsToRemove.begin();
- ix != kcsToRemove.end(); ++ix)
- {
- (*ix)->database()->deleteDb();
- }
- }
-
- if (updateList) {
- // Make sure we are not holding mLock when we post these events.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
-
- if (unsetDefault)
- KCEventNotifier::PostKeychainEvent(kSecDefaultChangedEvent);
-}
-
-void
-StorageManager::getSearchList(KeychainList &keychainList)
-{
- // hold the global lock since we make keychain objects in this function
-
- // to do: each of the items in this list must be retained, otherwise mayhem will occur
- StLock<Mutex>_(mMutex);
-
- if (gServerMode) {
- keychainList.clear();
- return;
- }
-
- mSavedList.revert(false);
- mCommonList.revert(false);
-
- // Merge mSavedList, mDynamicList and mCommonList
- DLDbList dLDbList = mSavedList.searchList();
- DLDbList dynamicList = mDynamicList.searchList();
- DLDbList commonList = mCommonList.searchList();
- KeychainList result;
- result.reserve(dLDbList.size() + dynamicList.size() + commonList.size());
-
- {
- for (DLDbList::const_iterator it = dynamicList.begin();
- it != dynamicList.end(); ++it)
- {
- Keychain k = keychain(*it);
- result.push_back(k);
- }
-
- for (DLDbList::const_iterator it = dLDbList.begin();
- it != dLDbList.end(); ++it)
- {
- Keychain k = keychain(*it);
- result.push_back(k);
- }
-
- for (DLDbList::const_iterator it = commonList.begin();
- it != commonList.end(); ++it)
- {
- Keychain k = keychain(*it);
- result.push_back(k);
- }
- }
-
- keychainList.swap(result);
-}
-
-void
-StorageManager::setSearchList(const KeychainList &keychainList)
-{
- StLock<Mutex>_(mMutex);
-
- DLDbList commonList = mCommonList.searchList();
-
- // Strip out the common list part from the end of the search list.
- KeychainList::const_iterator it_end = keychainList.end();
- DLDbList::const_reverse_iterator end_common = commonList.rend();
- for (DLDbList::const_reverse_iterator it_common = commonList.rbegin(); it_common != end_common; ++it_common)
- {
- // Eliminate common entries from the end of the passed in keychainList.
- if (it_end == keychainList.begin())
- break;
-
- --it_end;
- if (!((*it_end)->dlDbIdentifier() == *it_common))
- {
- ++it_end;
- break;
- }
- }
-
- /* it_end now points one past the last element in keychainList which is not in commonList. */
- DLDbList searchList, oldSearchList(mSavedList.searchList());
- for (KeychainList::const_iterator it = keychainList.begin(); it != it_end; ++it)
- {
- searchList.push_back((*it)->dlDbIdentifier());
- }
-
- {
- // Set the current searchlist to be what was passed in, the old list will be freed
- // upon exit of this stackframe.
- mSavedList.revert(true);
- mSavedList.searchList(searchList);
- mSavedList.save();
- }
-
- if (!(oldSearchList == searchList))
- {
- // Make sure we are not holding mLock when we post this event.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
-}
-
-void
-StorageManager::getSearchList(SecPreferencesDomain domain, KeychainList &keychainList)
-{
- StLock<Mutex>_(mMutex);
-
- if (gServerMode) {
- keychainList.clear();
- return;
- }
-
- if (domain == kSecPreferencesDomainDynamic)
- {
- convertList(keychainList, mDynamicList.searchList());
- }
- else if (domain == mDomain)
- {
- mSavedList.revert(false);
- convertList(keychainList, mSavedList.searchList());
- }
- else
- {
- convertList(keychainList, DLDbListCFPref(domain).searchList());
- }
-}
-
-void StorageManager::forceUserSearchListReread()
-{
- mSavedList.forceUserSearchListReread();
-}
-
-void
-StorageManager::setSearchList(SecPreferencesDomain domain, const KeychainList &keychainList)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- DLDbList searchList;
- convertList(searchList, keychainList);
-
- if (domain == mDomain)
- {
- DLDbList oldSearchList(mSavedList.searchList());
- {
- // Set the current searchlist to be what was passed in, the old list will be freed
- // upon exit of this stackframe.
- mSavedList.revert(true);
- mSavedList.searchList(searchList);
- mSavedList.save();
- }
-
- if (!(oldSearchList == searchList))
- {
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
- }
- else
- {
- DLDbListCFPref(domain).searchList(searchList);
- }
-}
-
-void
-StorageManager::domain(SecPreferencesDomain domain)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- if (domain == mDomain)
- return; // no change
-
-#if !defined(NDEBUG)
- switch (domain)
- {
- case kSecPreferencesDomainSystem:
- secdebug("storagemgr", "switching to system domain"); break;
- case kSecPreferencesDomainUser:
- secdebug("storagemgr", "switching to user domain (uid %d)", getuid()); break;
- default:
- secdebug("storagemgr", "switching to weird prefs domain %d", domain); break;
- }
-#endif
-
- mDomain = domain;
- mSavedList.set(domain);
-}
-
-void
-StorageManager::optionalSearchList(CFTypeRef keychainOrArray, KeychainList &keychainList)
-{
- StLock<Mutex>_(mMutex);
-
- if (!keychainOrArray)
- getSearchList(keychainList);
- else
- {
- CFTypeID typeID = CFGetTypeID(keychainOrArray);
- if (typeID == CFArrayGetTypeID())
- convertToKeychainList(CFArrayRef(keychainOrArray), keychainList);
- else if (typeID == gTypes().KeychainImpl.typeID)
- keychainList.push_back(KeychainImpl::required(SecKeychainRef(keychainOrArray)));
- else
- MacOSError::throwMe(errSecParam);
- }
-}
-
-// static methods.
-void
-StorageManager::convertToKeychainList(CFArrayRef keychainArray, KeychainList &keychainList)
-{
- CFIndex count = CFArrayGetCount(keychainArray);
- if (!(count > 0))
- return;
-
- KeychainList keychains(count);
- for (CFIndex ix = 0; ix < count; ++ix)
- {
- keychains[ix] = KeychainImpl::required(SecKeychainRef(CFArrayGetValueAtIndex(keychainArray, ix)));
- }
-
- keychainList.swap(keychains);
-}
-
-CFArrayRef
-StorageManager::convertFromKeychainList(const KeychainList &keychainList)
-{
- CFRef<CFMutableArrayRef> keychainArray(CFArrayCreateMutable(NULL, keychainList.size(), &kCFTypeArrayCallBacks));
-
- for (KeychainList::const_iterator ix = keychainList.begin(); ix != keychainList.end(); ++ix)
- {
- SecKeychainRef keychainRef = (*ix)->handle();
- CFArrayAppendValue(keychainArray, keychainRef);
- CFRelease(keychainRef);
- }
-
- // Counter the CFRelease that CFRef<> is about to do when keychainArray goes out of scope.
- CFRetain(keychainArray);
- return keychainArray;
-}
-
-void StorageManager::convertList(DLDbList &ids, const KeychainList &kcs)
-{
- DLDbList result;
- result.reserve(kcs.size());
- for (KeychainList::const_iterator ix = kcs.begin(); ix != kcs.end(); ++ix)
- {
- result.push_back((*ix)->dlDbIdentifier());
- }
- ids.swap(result);
-}
-
-void StorageManager::convertList(KeychainList &kcs, const DLDbList &ids)
-{
- StLock<Mutex>_(mMutex);
-
- KeychainList result;
- result.reserve(ids.size());
- {
- for (DLDbList::const_iterator ix = ids.begin(); ix != ids.end(); ++ix)
- result.push_back(keychain(*ix));
- }
- kcs.swap(result);
-}
-
-#pragma mark ____ Login Functions ____
-
-void StorageManager::login(AuthorizationRef authRef, UInt32 nameLength, const char* name)
-{
- StLock<Mutex>_(mMutex);
-
- AuthorizationItemSet* info = NULL;
- OSStatus result = AuthorizationCopyInfo(authRef, NULL, &info); // get the results of the copy rights call.
- Boolean created = false;
- if ( result == errSecSuccess && info->count )
- {
- // Grab the password from the auth context (info) and create the keychain...
- //
- AuthorizationItem* currItem = info->items;
- for (UInt32 index = 1; index <= info->count; index++) //@@@plugin bug won't return a specific context.
- {
- if (strcmp(currItem->name, kAuthorizationEnvironmentPassword) == 0)
- {
- // creates the login keychain with the specified password
- try
- {
- login(nameLength, name, (UInt32)currItem->valueLength, currItem->value);
- created = true;
- }
- catch(...)
- {
- }
- break;
- }
- currItem++;
- }
- }
- if ( info )
- AuthorizationFreeItemSet(info);
-
- if ( !created )
- MacOSError::throwMe(errAuthorizationInternal);
-}
-
-void StorageManager::login(ConstStringPtr name, ConstStringPtr password)
-{
- StLock<Mutex>_(mMutex);
-
- if ( name == NULL || password == NULL )
- MacOSError::throwMe(errSecParam);
-
- login(name[0], name + 1, password[0], password + 1);
-}
-
-void StorageManager::login(UInt32 nameLength, const void *name,
- UInt32 passwordLength, const void *password)
-{
- if (passwordLength != 0 && password == NULL)
- {
- secdebug("KCLogin", "StorageManager::login: invalid argument (NULL password)");
- MacOSError::throwMe(errSecParam);
- }
-
- DLDbIdentifier loginDLDbIdentifier;
- {
- mSavedList.revert(true);
- loginDLDbIdentifier = mSavedList.loginDLDbIdentifier();
- }
-
- secdebug("KCLogin", "StorageManager::login: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- if (!loginDLDbIdentifier)
- MacOSError::throwMe(errSecNoSuchKeychain);
-
-
- //***************************************************************
- // gather keychain information
- //***************************************************************
-
- // user name
- int uid = geteuid();
- struct passwd *pw = getpwuid(uid);
- if (pw == NULL) {
- secdebug("KCLogin", "StorageManager::login: invalid argument (NULL uid)");
- MacOSError::throwMe(errSecParam);
- }
- char *userName = pw->pw_name;
-
- // make keychain path strings
- std::string keychainPath = DLDbListCFPref::ExpandTildesInPath(kLoginKeychainPathPrefix);
- std::string shortnameKeychain = keychainPath + userName;
- std::string shortnameDotKeychain = shortnameKeychain + ".keychain";
- std::string loginDotKeychain = keychainPath + "login.keychain";
- std::string loginRenamed1Keychain = keychainPath + "login_renamed1.keychain";
-
- // check for existence of keychain files
- bool shortnameKeychainExists = false;
- bool shortnameDotKeychainExists = false;
- bool loginKeychainExists = false;
- bool loginRenamed1KeychainExists = false;
- {
- struct stat st;
- int stat_result;
- stat_result = ::stat(shortnameKeychain.c_str(), &st);
- shortnameKeychainExists = (stat_result == 0);
- stat_result = ::stat(shortnameDotKeychain.c_str(), &st);
- shortnameDotKeychainExists = (stat_result == 0);
- stat_result = ::stat(loginDotKeychain.c_str(), &st);
- loginKeychainExists = (stat_result == 0);
- stat_result = ::stat(loginRenamed1Keychain.c_str(), &st);
- loginRenamed1KeychainExists = (stat_result == 0);
- }
-
- bool loginUnlocked = false;
-
- // make the keychain identifiers
- CSSM_VERSION version = {0, 0};
- DLDbIdentifier shortnameDLDbIdentifier = DLDbListCFPref::makeDLDbIdentifier(gGuidAppleCSPDL, version, 0, CSSM_SERVICE_CSP | CSSM_SERVICE_DL, shortnameKeychain.c_str(), NULL);
- DLDbIdentifier shortnameDotDLDbIdentifier = DLDbListCFPref::makeDLDbIdentifier(gGuidAppleCSPDL, version, 0, CSSM_SERVICE_CSP | CSSM_SERVICE_DL, shortnameDotKeychain.c_str(), NULL);
- DLDbIdentifier loginRenamed1DLDbIdentifier = DLDbListCFPref::makeDLDbIdentifier(gGuidAppleCSPDL, version, 0, CSSM_SERVICE_CSP | CSSM_SERVICE_DL, loginRenamed1Keychain.c_str(), NULL);
-
- //***************************************************************
- // make file renaming changes first
- //***************************************************************
-
- // if "~/Library/Keychains/shortname" exists, we need to migrate it forward;
- // either to login.keychain if there isn't already one, otherwise to shortname.keychain
- if (shortnameKeychainExists) {
- int rename_stat = 0;
- if (loginKeychainExists) {
- struct stat st;
- int tmp_result = ::stat(loginDotKeychain.c_str(), &st);
- if (tmp_result == 0) {
- if (st.st_size <= kEmptyKeychainSizeInBytes) {
- tmp_result = ::unlink(loginDotKeychain.c_str());
- rename_stat = ::rename(shortnameKeychain.c_str(), loginDotKeychain.c_str());
- shortnameKeychainExists = (rename_stat != 0);
- }
- }
- }
- if (shortnameKeychainExists) {
- if (loginKeychainExists && !shortnameDotKeychainExists) {
- rename_stat = ::rename(shortnameKeychain.c_str(), shortnameDotKeychain.c_str());
- shortnameDotKeychainExists = (rename_stat == 0);
- } else if (!loginKeychainExists) {
- rename_stat = ::rename(shortnameKeychain.c_str(), loginDotKeychain.c_str());
- loginKeychainExists = (rename_stat == 0);
- } else {
- // we have all 3 keychains: login.keychain, shortname, and shortname.keychain.
- // on Leopard we never want a shortname keychain, so we must move it aside.
- char pathbuf[MAXPATHLEN];
- std::string shortnameRenamedXXXKeychain = keychainPath;
- shortnameRenamedXXXKeychain += userName;
- shortnameRenamedXXXKeychain += "_renamed_XXX.keychain";
- ::strlcpy(pathbuf, shortnameRenamedXXXKeychain.c_str(), sizeof(pathbuf));
- ::mkstemps(pathbuf, 9); // 9 == strlen(".keychain")
- rename_stat = ::rename(shortnameKeychain.c_str(), pathbuf);
- shortnameKeychainExists = (rename_stat != 0);
- }
- }
- if (rename_stat != 0) {
- MacOSError::throwMe(errno);
- }
- }
-
- //***************************************************************
- // handle special case where user previously reset the keychain
- //***************************************************************
- // Since 9A581, we have changed the definition of kKeychainRenamedSuffix from "_renamed" to "_renamed_".
- // Therefore, if "login_renamed1.keychain" exists and there is no plist, the user may have run into a
- // prior upgrade issue and clicked Reset. If we can successfully unlock login_renamed1.keychain with the
- // supplied password, then we will attempt to rename it to login.keychain if that file is empty, or with
- // "shortname.keychain" if it is not.
-
- if (loginRenamed1KeychainExists && (!loginKeychainExists ||
- (mSavedList.searchList().size() == 1 && mSavedList.member(loginDLDbIdentifier)) )) {
- try
- {
- Keychain loginRenamed1KC(keychain(loginRenamed1DLDbIdentifier));
- secdebug("KCLogin", "Attempting to unlock %s with %d-character password",
- (loginRenamed1KC) ? loginRenamed1KC->name() : "<NULL>", (unsigned int)passwordLength);
- loginRenamed1KC->unlock(CssmData(const_cast<void *>(password), passwordLength));
- // if we get here, we unlocked it
- if (loginKeychainExists) {
- struct stat st;
- int tmp_result = ::stat(loginDotKeychain.c_str(), &st);
- if (tmp_result == 0) {
- if (st.st_size <= kEmptyKeychainSizeInBytes) {
- tmp_result = ::unlink(loginDotKeychain.c_str());
- tmp_result = ::rename(loginRenamed1Keychain.c_str(), loginDotKeychain.c_str());
- } else if (!shortnameDotKeychainExists) {
- tmp_result = ::rename(loginRenamed1Keychain.c_str(), shortnameDotKeychain.c_str());
- shortnameDotKeychainExists = (tmp_result == 0);
- } else {
- throw 1; // can't do anything with it except move it out of the way
- }
- }
- } else {
- int tmp_result = ::rename(loginRenamed1Keychain.c_str(), loginDotKeychain.c_str());
- loginKeychainExists = (tmp_result == 0);
- }
- }
- catch(...)
- {
- // we failed to unlock the login_renamed1.keychain file with the login password.
- // move it aside so we don't try to deal with it again.
- char pathbuf[MAXPATHLEN];
- std::string loginRenamedXXXKeychain = keychainPath;
- loginRenamedXXXKeychain += "login_renamed_XXX.keychain";
- ::strlcpy(pathbuf, loginRenamedXXXKeychain.c_str(), sizeof(pathbuf));
- ::mkstemps(pathbuf, 9); // 9 == strlen(".keychain")
- ::rename(loginRenamed1Keychain.c_str(), pathbuf);
- }
- }
-
- // if login.keychain does not exist at this point, create it
- if (!loginKeychainExists) {
- Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- theKeychain->create(passwordLength, password);
- secdebug("KCLogin", "Login keychain created successfully");
- loginKeychainExists = true;
- // Set the prefs for this new login keychain.
- loginKeychain(theKeychain);
- // Login Keychain does not lock on sleep nor lock after timeout by default.
- theKeychain->setSettings(INT_MAX, false);
- loginUnlocked = true;
- mSavedList.revert(true);
- }
-
- //***************************************************************
- // make plist changes after files have been renamed or created
- //***************************************************************
-
- // if the shortname keychain exists in the search list, either rename or remove the entry
- if (mSavedList.member(shortnameDLDbIdentifier)) {
- if (shortnameDotKeychainExists && !mSavedList.member(shortnameDotDLDbIdentifier)) {
- // change shortname to shortname.keychain (login.keychain will be added later if not present)
- secdebug("KCLogin", "Renaming %s to %s in keychain search list",
- (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>",
- (shortnameDotDLDbIdentifier) ? shortnameDotDLDbIdentifier.dbName() : "<NULL>");
- mSavedList.rename(shortnameDLDbIdentifier, shortnameDotDLDbIdentifier);
- } else if (!mSavedList.member(loginDLDbIdentifier)) {
- // change shortname to login.keychain
- secdebug("KCLogin", "Renaming %s to %s in keychain search list",
- (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>",
- (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- mSavedList.rename(shortnameDLDbIdentifier, loginDLDbIdentifier);
- } else {
- // already have login.keychain in list, and renaming to shortname.keychain isn't an option,
- // so just remove the entry
- secdebug("KCLogin", "Removing %s from keychain search list", (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>");
- mSavedList.remove(shortnameDLDbIdentifier);
- }
-
- // note: save() will cause the plist to be unlinked if the only remaining entry is for login.keychain
- mSavedList.save();
- mSavedList.revert(true);
- }
-
- // make sure that login.keychain is in the search list
- if (!mSavedList.member(loginDLDbIdentifier)) {
- secdebug("KCLogin", "Adding %s to keychain search list", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- mSavedList.add(loginDLDbIdentifier);
- mSavedList.save();
- mSavedList.revert(true);
- }
-
- // if we have a shortname.keychain, always include it in the plist (after login.keychain)
- if (shortnameDotKeychainExists && !mSavedList.member(shortnameDotDLDbIdentifier)) {
- mSavedList.add(shortnameDotDLDbIdentifier);
- mSavedList.save();
- mSavedList.revert(true);
- }
-
- // make sure that the default keychain is in the search list; if not, reset the default to login.keychain
- if (!mSavedList.member(mSavedList.defaultDLDbIdentifier())) {
- secdebug("KCLogin", "Changing default keychain to %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- mSavedList.defaultDLDbIdentifier(loginDLDbIdentifier);
- mSavedList.save();
- mSavedList.revert(true);
- }
-
- //***************************************************************
- // auto-unlock the login keychain(s)
- //***************************************************************
- // all our preflight fixups are finally done, so we can now attempt to unlock the login keychain
-
- OSStatus loginResult = errSecSuccess;
- if (!loginUnlocked) {
- try
- {
- Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Attempting to unlock login keychain \"%s\" with %d-character password",
- (theKeychain) ? theKeychain->name() : "<NULL>", (unsigned int)passwordLength);
- theKeychain->unlock(CssmData(const_cast<void *>(password), passwordLength));
- loginUnlocked = true;
- }
- catch(const CssmError &e)
- {
- loginResult = e.osStatus(); // save this result
- }
- }
-
- if (!loginUnlocked) {
- try {
- loginResult = errSecSuccess;
- Keychain theKeychain(keychain(loginDLDbIdentifier));
-
- // build a fake key
- CssmKey key;
- key.header().BlobType = CSSM_KEYBLOB_RAW;
- key.header().Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
- key.header().AlgorithmId = CSSM_ALGID_3DES_3KEY;
- key.header().KeyClass = CSSM_KEYCLASS_SESSION_KEY;
- key.header().KeyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT | CSSM_KEYATTR_EXTRACTABLE;
- key.header().KeyAttr = 0;
- key.KeyData = CssmData(const_cast<void *>(password), passwordLength);
-
- // unwrap it into the CSP (but keep it raw)
- UnwrapKey unwrap(theKeychain->csp(), CSSM_ALGID_NONE);
- CssmKey masterKey;
- CssmData descriptiveData;
- unwrap(key,
- KeySpec(CSSM_KEYUSE_ANY, CSSM_KEYATTR_EXTRACTABLE),
- masterKey, &descriptiveData, NULL);
-
- CssmClient::Db db = theKeychain->database();
-
- // create the keychain, using appropriate credentials
- Allocator &alloc = db->allocator();
- AutoCredentials cred(alloc); // will leak, but we're quitting soon :-)
-
- // use this passphrase
- cred += TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(alloc) ListElement(CSSM_SAMPLE_TYPE_SYMMETRIC_KEY),
- new(alloc) ListElement(CssmData::wrap(theKeychain->csp()->handle())),
- new(alloc) ListElement(CssmData::wrap(masterKey)),
- new(alloc) ListElement(CssmData()));
- db->authenticate(CSSM_DB_ACCESS_READ, &cred);
- db->unlock();
- loginUnlocked = true;
- } catch (const CssmError &e) {
- loginResult = e.osStatus();
- }
- }
-
- // if "shortname.keychain" exists and is in the search list, attempt to auto-unlock it with the same password
- if (shortnameDotKeychainExists && mSavedList.member(shortnameDotDLDbIdentifier)) {
- try
- {
- Keychain shortnameDotKC(keychain(shortnameDotDLDbIdentifier));
- secdebug("KCLogin", "Attempting to unlock %s",
- (shortnameDotKC) ? shortnameDotKC->name() : "<NULL>");
- shortnameDotKC->unlock(CssmData(const_cast<void *>(password), passwordLength));
- }
- catch(const CssmError &e)
- {
- // ignore; failure to unlock this keychain is not considered an error
- }
- }
-
- if (loginResult != errSecSuccess) {
- MacOSError::throwMe(loginResult);
- }
-}
-
-void StorageManager::stashLogin()
-{
- OSStatus loginResult = errSecSuccess;
-
- DLDbIdentifier loginDLDbIdentifier;
- {
- mSavedList.revert(true);
- loginDLDbIdentifier = mSavedList.loginDLDbIdentifier();
- }
-
- secdebug("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- if (!loginDLDbIdentifier)
- MacOSError::throwMe(errSecNoSuchKeychain);
-
- try
- {
- CssmData empty;
- Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Attempting to use stash for login keychain \"%s\"",
- (theKeychain) ? theKeychain->name() : "<NULL>");
- theKeychain->stashCheck();
- }
- catch(const CssmError &e)
- {
- loginResult = e.osStatus(); // save this result
- }
-
-
- if (loginResult != errSecSuccess) {
- MacOSError::throwMe(loginResult);
- }
-}
-
-void StorageManager::stashKeychain()
-{
- OSStatus loginResult = errSecSuccess;
-
- DLDbIdentifier loginDLDbIdentifier;
- {
- mSavedList.revert(true);
- loginDLDbIdentifier = mSavedList.loginDLDbIdentifier();
- }
-
- secdebug("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- if (!loginDLDbIdentifier)
- MacOSError::throwMe(errSecNoSuchKeychain);
-
- try
- {
- Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Attempting to stash login keychain \"%s\"",
- (theKeychain) ? theKeychain->name() : "<NULL>");
- theKeychain->stash();
- }
- catch(const CssmError &e)
- {
- loginResult = e.osStatus(); // save this result
- }
-
-
- if (loginResult != errSecSuccess) {
- MacOSError::throwMe(loginResult);
- }
-}
-
-void StorageManager::logout()
-{
- // nothing left to do here
-}
-
-void StorageManager::changeLoginPassword(ConstStringPtr oldPassword, ConstStringPtr newPassword)
-{
- StLock<Mutex>_(mMutex);
-
- loginKeychain()->changePassphrase(oldPassword, newPassword);
- secdebug("KClogin", "Changed login keychain password successfully");
-}
-
-
-void StorageManager::changeLoginPassword(UInt32 oldPasswordLength, const void *oldPassword, UInt32 newPasswordLength, const void *newPassword)
-{
- StLock<Mutex>_(mMutex);
-
- loginKeychain()->changePassphrase(oldPasswordLength, oldPassword, newPasswordLength, newPassword);
- secdebug("KClogin", "Changed login keychain password successfully");
-}
-
-// Clear out the keychain search list and rename the existing login.keychain.
-//
-void StorageManager::resetKeychain(Boolean resetSearchList)
-{
- StLock<Mutex>_(mMutex);
-
- // Clear the keychain search list.
- try
- {
- if ( resetSearchList )
- {
- StorageManager::KeychainList keychainList;
- setSearchList(keychainList);
- }
- // Get a reference to the existing login keychain...
- // If we don't have one, we throw (not requiring a rename).
- //
- Keychain keychain = loginKeychain();
- //
- // Rename the existing login.keychain (i.e. put it aside).
- //
- CFMutableStringRef newName = NULL;
- newName = CFStringCreateMutable(NULL, 0);
- CFStringRef currName = NULL;
- currName = CFStringCreateWithCString(NULL, keychain->name(), kCFStringEncodingUTF8);
- if ( newName && currName )
- {
- CFStringAppend(newName, currName);
- CFStringRef kcSuffix = CFSTR(kKeychainSuffix);
- if ( CFStringHasSuffix(newName, kcSuffix) ) // remove the .keychain extension
- {
- CFRange suffixRange = CFStringFind(newName, kcSuffix, 0);
- CFStringFindAndReplace(newName, kcSuffix, CFSTR(""), suffixRange, 0);
- }
- CFStringAppend(newName, CFSTR(kKeychainRenamedSuffix)); // add "_renamed_"
- try
- {
- renameUnique(keychain, newName);
- }
- catch(...)
- {
- // we need to release 'newName' & 'currName'
- }
- } // else, let the login call report a duplicate
- if ( newName )
- CFRelease(newName);
- if ( currName )
- CFRelease(currName);
- }
- catch(...)
- {
- // We either don't have a login keychain, or there was a
- // failure to rename the existing one.
- }
-}
-
-#pragma mark ____ File Related ____
-
-Keychain StorageManager::make(const char *pathName)
-{
- return make(pathName, true);
-}
-
-Keychain StorageManager::make(const char *pathName, bool add)
-{
- StLock<Mutex>_(mMutex);
-
- string fullPathName;
- if ( pathName[0] == '/' )
- fullPathName = pathName;
- else
- {
- // Get Home directory from environment.
- switch (mDomain)
- {
- case kSecPreferencesDomainUser:
- {
- const char *homeDir = getenv("HOME");
- if (homeDir == NULL)
- {
- // If $HOME is unset get the current user's home directory
- // from the passwd file.
- uid_t uid = geteuid();
- if (!uid) uid = getuid();
- struct passwd *pw = getpwuid(uid);
- if (!pw)
- MacOSError::throwMe(errSecParam);
- homeDir = pw->pw_dir;
- }
- fullPathName = homeDir;
- }
- break;
- case kSecPreferencesDomainSystem:
- fullPathName = "";
- break;
- default:
- assert(false); // invalid domain for this
- }
-
- fullPathName += "/Library/Keychains/";
- fullPathName += pathName;
- }
-
- const CSSM_NET_ADDRESS *DbLocation = NULL; // NULL for keychains
- const CSSM_VERSION *version = NULL;
- uint32 subserviceId = 0;
- CSSM_SERVICE_TYPE subserviceType = CSSM_SERVICE_DL | CSSM_SERVICE_CSP;
- const CssmSubserviceUid ssuid(gGuidAppleCSPDL, version,
- subserviceId, subserviceType);
- DLDbIdentifier dLDbIdentifier(ssuid, fullPathName.c_str(), DbLocation);
- return makeKeychain(dLDbIdentifier, add);
-}
-
-Keychain StorageManager::makeLoginAuthUI(const Item *item)
-{
- StLock<Mutex>_(mMutex);
-
- // Create a login/default keychain for the user using UI.
- // The user can cancel out of the operation, or create a new login keychain.
- // If auto-login is turned off, the user will be asked for their login password.
- //
- OSStatus result = errSecSuccess;
- Keychain keychain; // We return this keychain.
- //
- // Set up the Auth ref to bring up UI.
- //
- AuthorizationItem *currItem, *authEnvirItemArrayPtr = NULL;
- AuthorizationRef authRef = NULL;
- try
- {
- result = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authRef);
- if ( result )
- MacOSError::throwMe(result);
-
- AuthorizationEnvironment envir;
- envir.count = 6; // up to 6 hints can be used.
- authEnvirItemArrayPtr = (AuthorizationItem*)malloc(sizeof(AuthorizationItem) * envir.count);
- if ( !authEnvirItemArrayPtr )
- MacOSError::throwMe(errAuthorizationInternal);
-
- currItem = envir.items = authEnvirItemArrayPtr;
-
- //
- // 1st Hint (optional): The keychain item's account attribute string.
- // When item is specified, we assume an 'add' operation is being attempted.
- char buff[256];
- UInt32 actLen = 0;
- SecKeychainAttribute attr = { kSecAccountItemAttr, 255, &buff };
- if ( item )
- {
- try
- {
- (*item)->getAttribute(attr, &actLen);
- }
- catch(...)
- {
- actLen = 0; // This item didn't have the account attribute, so don't display one in the UI.
- }
- }
- currItem->name = AGENT_HINT_ATTR_NAME; // name str that identifies this hint as attr name
- if ( actLen ) // Fill in the hint if we have an account attr
- {
- if ( actLen >= sizeof(buff) )
- buff[sizeof(buff)-1] = 0;
- else
- buff[actLen] = 0;
- currItem->valueLength = strlen(buff)+1;
- currItem->value = buff;
- }
- else
- {
- currItem->valueLength = 0;
- currItem->value = NULL;
- }
- currItem->flags = 0;
-
- //
- // 2nd Hint (optional): The item's keychain full path.
- //
- currItem++;
- char* currDefaultName = NULL;
- try
- {
- currDefaultName = (char*)defaultKeychain()->name(); // Use the name if we have it.
- currItem->name = AGENT_HINT_LOGIN_KC_NAME; // Name str that identifies this hint as kc path
- currItem->valueLength = (currDefaultName) ? strlen(currDefaultName) : 0;
- currItem->value = (currDefaultName) ? (void*)currDefaultName : (void*)"";
- currItem->flags = 0;
- currItem++;
- }
- catch(...)
- {
- envir.count--;
- }
-
- //
- // 3rd Hint (required): check if curr default keychain is unavailable.
- // This is determined by the parent not existing.
- //
- currItem->name = AGENT_HINT_LOGIN_KC_EXISTS_IN_KC_FOLDER;
- Boolean loginUnavail = false;
- try
- {
- Keychain defaultKC = defaultKeychain();
- if ( !defaultKC->exists() )
- loginUnavail = true;
- }
- catch(...) // login.keychain not present
- {
- }
- currItem->valueLength = sizeof(Boolean);
- currItem->value = (void*)&loginUnavail;
- currItem->flags = 0;
-
- //
- // 4th Hint (required): userName
- //
- currItem++;
- currItem->name = AGENT_HINT_LOGIN_KC_USER_NAME;
- char* uName = getenv("USER");
- string userName = uName ? uName : "";
- if ( userName.length() == 0 )
- {
- uid_t uid = geteuid();
- if (!uid) uid = getuid();
- struct passwd *pw = getpwuid(uid); // fallback case...
- if (pw)
- userName = pw->pw_name;
- endpwent();
- }
- if ( userName.length() == 0 ) // did we ultimately get one?
- MacOSError::throwMe(errAuthorizationInternal);
-
- currItem->value = (void*)userName.c_str();
- currItem->valueLength = userName.length();
- currItem->flags = 0;
-
- //
- // 5th Hint (required): flags if user has more than 1 keychain (used for a later warning when reset to default).
- //
- currItem++;
- currItem->name = AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR;
- Boolean moreThanOneKCExists = false;
- {
- // if item is NULL, then this is a user-initiated full reset
- if (item && mSavedList.searchList().size() > 1)
- moreThanOneKCExists = true;
- }
- currItem->value = &moreThanOneKCExists;
- currItem->valueLength = sizeof(Boolean);
- currItem->flags = 0;
-
- //
- // 6th Hint (required): If no item is involved, this is a user-initiated full reset.
- // We want to suppress the "do you want to reset to defaults?" panel in this case.
- //
- currItem++;
- currItem->name = AGENT_HINT_LOGIN_KC_SUPPRESS_RESET_PANEL;
- Boolean suppressResetPanel = (item == NULL) ? TRUE : FALSE;
- currItem->valueLength = sizeof(Boolean);
- currItem->value = (void*)&suppressResetPanel;
- currItem->flags = 0;
-
- //
- // Set up the auth rights and make the auth call.
- //
- AuthorizationItem authItem = { LOGIN_KC_CREATION_RIGHT, 0 , NULL, 0 };
- AuthorizationRights rights = { 1, &authItem };
- AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
- result = AuthorizationCopyRights(authRef, &rights, &envir, flags, NULL);
- if ( result )
- MacOSError::throwMe(result);
- try
- {
- resetKeychain(true); // Clears the plist, moves aside existing login.keychain
- }
- catch (...) // can throw if no existing login.keychain is found
- {
- }
- login(authRef, (UInt32)userName.length(), userName.c_str()); // Create login.keychain
- keychain = loginKeychain(); // Get newly-created login keychain
- defaultKeychain(keychain); // Set it to be the default
-
- free(authEnvirItemArrayPtr);
- AuthorizationFree(authRef, kAuthorizationFlagDefaults);
- }
-
- catch (...)
- {
- // clean up allocations, then rethrow error
- if ( authEnvirItemArrayPtr )
- free(authEnvirItemArrayPtr);
- if ( authRef )
- AuthorizationFree(authRef, kAuthorizationFlagDefaults);
- throw;
- }
-
- return keychain;
-}
-
-Keychain StorageManager::defaultKeychainUI(Item &item)
-{
- StLock<Mutex>_(mMutex);
-
- Keychain returnedKeychain;
- try
- {
- returnedKeychain = defaultKeychain(); // If we have one, return it.
- if ( returnedKeychain->exists() )
- return returnedKeychain;
- }
- catch(...) // We could have one, but it isn't available (i.e. on a un-mounted volume).
- {
- }
- if ( globals().getUserInteractionAllowed() )
- {
- returnedKeychain = makeLoginAuthUI(&item); // If no Keychains is present, one will be created.
- if ( !returnedKeychain )
- MacOSError::throwMe(errSecInvalidKeychain); // Something went wrong...
- }
- else
- MacOSError::throwMe(errSecInteractionNotAllowed); // If UI isn't allowed, return an error.
-
- return returnedKeychain;
-}
-
-void
-StorageManager::addToDomainList(SecPreferencesDomain domain,
- const char* dbName, const CSSM_GUID &guid, uint32 subServiceType)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- // make the identifier
- CSSM_VERSION version = {0, 0};
- DLDbIdentifier id = DLDbListCFPref::makeDLDbIdentifier (guid, version, 0,
- subServiceType, dbName, NULL);
-
- if (domain == mDomain)
- {
- // manipulate the user's list
- {
- mSavedList.revert(true);
- mSavedList.add(id);
- mSavedList.save();
- }
-
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
- else
- {
- // manipulate the other list
- DLDbListCFPref(domain).add(id);
- }
-}
-
-void
-StorageManager::isInDomainList(SecPreferencesDomain domain,
- const char* dbName, const CSSM_GUID &guid, uint32 subServiceType)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- CSSM_VERSION version = {0, 0};
- DLDbIdentifier id = DLDbListCFPref::makeDLDbIdentifier (guid, version, 0,
- subServiceType, dbName, NULL);
-
- // determine the list to search
- bool result;
- if (domain == mDomain)
- {
- result = mSavedList.member(id);
- }
- else
- {
- result = DLDbListCFPref(domain).member(id);
- }
-
- // do the search
- if (!result)
- {
- MacOSError::throwMe(errSecNoSuchKeychain);
- }
-}
-
-void
-StorageManager::removeFromDomainList(SecPreferencesDomain domain,
- const char* dbName, const CSSM_GUID &guid, uint32 subServiceType)
-{
- StLock<Mutex>_(mMutex);
-
- if (domain == kSecPreferencesDomainDynamic)
- MacOSError::throwMe(errSecInvalidPrefsDomain);
-
- // make the identifier
- CSSM_VERSION version = {0, 0};
- DLDbIdentifier id = DLDbListCFPref::makeDLDbIdentifier (guid, version, 0,
- subServiceType, dbName, NULL);
-
- if (domain == mDomain)
- {
- // manipulate the user's list
- {
- mSavedList.revert(true);
- mSavedList.remove(id);
- mSavedList.save();
- }
-
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
- }
- else
- {
- // manipulate the other list
- DLDbListCFPref(domain).remove(id);
- }
-}
-
-bool
-StorageManager::keychainOwnerPermissionsValidForDomain(const char* path, SecPreferencesDomain domain)
-{
- struct stat sb;
- mode_t perms;
- const char* sysPrefDir = "/Library/Preferences";
- const char* errMsg = "Will not set default";
- char* mustOwnDir = NULL;
- struct passwd* pw = NULL;
-
- // get my uid
- uid_t uid = geteuid();
- if (!uid) uid = getuid();
-
- // our (e)uid must own the appropriate preferences or home directory
- // for the specified preference domain whose default we will be modifying
- switch (domain) {
- case kSecPreferencesDomainUser:
- mustOwnDir = getenv("HOME");
- if (mustOwnDir == NULL) {
- pw = getpwuid(uid);
- if (!pw) return false;
- mustOwnDir = pw->pw_dir;
- }
- break;
- case kSecPreferencesDomainSystem:
- mustOwnDir = (char*)sysPrefDir;
- break;
- case kSecPreferencesDomainCommon:
- mustOwnDir = (char*)sysPrefDir;
- break;
- default:
- return false;
- }
-
- if (mustOwnDir != NULL) {
- struct stat dsb;
- if ( (stat(mustOwnDir, &dsb) != 0) || (dsb.st_uid != uid) ) {
- fprintf(stderr, "%s: UID=%d does not own directory %s\n", errMsg, (int)uid, mustOwnDir);
- mustOwnDir = NULL; // will return below after calling endpwent()
- }
- }
-
- if (pw != NULL)
- endpwent();
-
- if (mustOwnDir == NULL)
- return false;
-
- // check that file actually exists
- if (stat(path, &sb) != 0) {
- fprintf(stderr, "%s: file %s does not exist\n", errMsg, path);
- return false;
- }
-
- // check flags
- if (sb.st_flags & (SF_IMMUTABLE | UF_IMMUTABLE)) {
- fprintf(stderr, "%s: file %s is immutable\n", errMsg, path);
- return false;
- }
-
- // check ownership
- if (sb.st_uid != uid) {
- fprintf(stderr, "%s: file %s is owned by UID=%d, but we have UID=%d\n",
- errMsg, path, (int)sb.st_uid, (int)uid);
- return false;
- }
-
- // check mode
- perms = sb.st_mode;
- perms |= 0600; // must have owner read/write permission set
- if (sb.st_mode != perms) {
- fprintf(stderr, "%s: file %s does not have the expected permissions\n", errMsg, path);
- return false;
- }
-
- // user owns file and can read/write it
- return true;
-}
projects / apple / security.git / blobdiff