+++ /dev/null
-/*
- * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * SecKeybagSupport.c - CoreFoundation-based constants and functions for
- access to Security items (certificates, keys, identities, and
- passwords.)
- */
-
-#include <securityd/SecKeybagSupport.h>
-
-#include <securityd/SecItemServer.h>
-
-#if USE_KEYSTORE
-#include <IOKit/IOKitLib.h>
-#include <libaks.h>
-#include <libaks_acl_cf_keys.h>
-#include <utilities/der_plist.h>
-#include <corecrypto/ccder.h>
-#if TARGET_OS_EMBEDDED
-#include <MobileKeyBag/MobileKeyBag.h>
-#endif
-#endif /* USE_KEYSTORE */
-
-
-/* g_keychain_handle is the keybag handle used for encrypting item in the keychain.
- For testing purposes, it can be set to something other than the default, with SecItemServerSetKeychainKeybag */
-#if USE_KEYSTORE
-#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED
-keybag_handle_t g_keychain_keybag = session_keybag_handle;
-#else
-keybag_handle_t g_keychain_keybag = device_keybag_handle;
-#endif
-#else /* !USE_KEYSTORE */
-keybag_handle_t g_keychain_keybag = 0; /* 0 == device_keybag_handle, constant dictated by AKS */
-#endif /* USE_KEYSTORE */
-
-void SecItemServerSetKeychainKeybag(int32_t keybag)
-{
- g_keychain_keybag=keybag;
-}
-
-void SecItemServerResetKeychainKeybag(void)
-{
-#if USE_KEYSTORE
-#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED
- g_keychain_keybag = session_keybag_handle;
-#else
- g_keychain_keybag = device_keybag_handle;
-#endif
-#else /* !USE_KEYSTORE */
- g_keychain_keybag = 0; /* 0 == device_keybag_handle, constant dictated by AKS */
-#endif /* USE_KEYSTORE */
-}
-
-#if USE_KEYSTORE
-
-static bool hwaes_key_available(void)
-{
- keybag_handle_t handle = bad_keybag_handle;
- keybag_handle_t special_handle = bad_keybag_handle;
-#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED
- special_handle = session_keybag_handle;
-#elif TARGET_OS_EMBEDDED
- special_handle = device_keybag_handle;
-#endif
- kern_return_t kr = aks_get_system(special_handle, &handle);
- if (kr != kIOReturnSuccess) {
-#if TARGET_OS_EMBEDDED
- /* TODO: Remove this once the kext runs the daemon on demand if
- there is no system keybag. */
- int kb_state = MKBGetDeviceLockState(NULL);
- asl_log(NULL, NULL, ASL_LEVEL_INFO, "AppleKeyStore lock state: %d", kb_state);
-#endif
- }
- return true;
-}
-
-#else /* !USE_KEYSTORE */
-
-static bool hwaes_key_available(void)
-{
- return false;
-}
-
-#endif /* USE_KEYSTORE */
-
-/* Wrap takes a 128 - 256 bit key as input and returns output of
- inputsize + 64 bits.
- In bytes this means that a
- 16 byte (128 bit) key returns a 24 byte wrapped key
- 24 byte (192 bit) key returns a 32 byte wrapped key
- 32 byte (256 bit) key returns a 40 byte wrapped key */
-bool ks_crypt(uint32_t operation, keybag_handle_t keybag,
- keyclass_t keyclass, uint32_t textLength, const uint8_t *source, keyclass_t *actual_class, CFMutableDataRef dest, CFErrorRef *error) {
-#if USE_KEYSTORE
- kern_return_t kernResult = kIOReturnBadArgument;
-
- int dest_len = (int)CFDataGetLength(dest);
- if (operation == kSecKsWrap) {
- kernResult = aks_wrap_key(source, textLength, keyclass, keybag, CFDataGetMutableBytePtr(dest), &dest_len, actual_class);
- } else if (operation == kSecKsUnwrap) {
- kernResult = aks_unwrap_key(source, textLength, keyclass, keybag, CFDataGetMutableBytePtr(dest), &dest_len);
- }
-
- if (kernResult != KERN_SUCCESS) {
- if ((kernResult == kIOReturnNotPermitted) || (kernResult == kIOReturnNotPrivileged)) {
- /* Access to item attempted while keychain is locked. */
- return SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt: %x failed to %s item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- } else if (kernResult == kIOReturnError) {
- /* Item can't be decrypted on this device, ever, so drop the item. */
- return SecError(errSecDecode, error, CFSTR("ks_crypt: %x failed to %s item (class %"PRId32", bag: %"PRId32") Item can't be decrypted on this device, ever, so drop the item."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- } else {
- return SecError(errSecNotAvailable, error, CFSTR("ks_crypt: %x failed to %s item (class %"PRId32", bag: %"PRId32")"),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- }
- }
- else
- CFDataSetLength(dest, dest_len);
- return true;
-#else /* !USE_KEYSTORE */
- uint32_t dest_len = (uint32_t)CFDataGetLength(dest);
- if (operation == kSecKsWrap) {
- /* The no encryption case. */
- if (dest_len >= textLength + 8) {
- memcpy(CFDataGetMutableBytePtr(dest), source, textLength);
- memset(CFDataGetMutableBytePtr(dest) + textLength, 8, 8);
- CFDataSetLength(dest, textLength + 8);
- *actual_class = keyclass;
- } else
- return SecError(errSecNotAvailable, error, CFSTR("ks_crypt: failed to wrap item (class %"PRId32")"), keyclass);
- } else if (operation == kSecKsUnwrap) {
- if (dest_len + 8 >= textLength) {
- memcpy(CFDataGetMutableBytePtr(dest), source, textLength - 8);
- CFDataSetLength(dest, textLength - 8);
- } else
- return SecError(errSecNotAvailable, error, CFSTR("ks_crypt: failed to unwrap item (class %"PRId32")"), keyclass);
- }
- return true;
-#endif /* USE_KEYSTORE */
-}
-
-#if USE_KEYSTORE
-bool ks_crypt_acl(uint32_t operation, keybag_handle_t keybag, keyclass_t keyclass,
- uint32_t textLength, const uint8_t *source, CFMutableDataRef dest,
- CFDataRef acl, CFDataRef acm_context, CFDataRef caller_access_groups, CFErrorRef *error) {
- kern_return_t kernResult = kIOReturnBadArgument;
- uint8_t *params = NULL, *der = NULL;
- const uint8_t *access_groups = caller_access_groups?CFDataGetBytePtr(caller_access_groups):NULL;
- size_t params_len = 0, der_len = 0, access_groups_len = caller_access_groups?CFDataGetLength(caller_access_groups):0;
-
- if (operation == kSecKsWrap) {
- aks_operation_optional_params(0, 0, CFDataGetBytePtr(acl), CFDataGetLength(acl), 0, 0, (void**)¶ms, ¶ms_len);
- kernResult = aks_encrypt(keybag, keyclass, source, textLength, params, params_len, (void**)&der, &der_len);
- } else if (operation == kSecKsUnwrap) {
- aks_operation_optional_params(access_groups, access_groups_len, 0, 0, CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), (void**)¶ms, ¶ms_len);
- kernResult = aks_decrypt(keybag, source, textLength, params, params_len, (void**)&der, &der_len);
- } else if (operation == kSecKsDelete) {
- aks_operation_optional_params(access_groups, access_groups_len, 0, 0, CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), (void**)¶ms, ¶ms_len);
- kernResult = aks_delete(keybag, source, textLength, params, params_len);
- }
-
- bool result = false;
- if (kernResult != KERN_SUCCESS) {
- if ((kernResult == kIOReturnNotPermitted) || (kernResult == kIOReturnNotPrivileged)) {
- /* Access to item attempted while keychain is locked. */
- result = SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt_acl: %x failed to %s item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- } else if (kernResult == kIOReturnError) {
- /* Item can't be decrypted on this device, ever, so drop the item. */
- result = SecError(errSecDecode, error, CFSTR("ks_crypt_acl: %x failed to %s item (class %"PRId32", bag: %"PRId32") Item can't be decrypted on this device, ever, so drop the item."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- } else {
- result = SecError(errSecNotAvailable, error, CFSTR("ks_crypt_acl: %x failed to %s item (class %"PRId32", bag: %"PRId32")"),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag);
- }
- }
- else {
- if (operation != kSecKsDelete) {
- const uint8_t *value = der;
- if (operation == kSecKsUnwrap) {
- ccder_tag der_tag;
- size_t der_tag_len;
- value = ccder_decode_tag(&der_tag, der, der + der_len);
- value = ccder_decode_len(&der_tag_len, value, der + der_len);
-
- require_action(der_tag == CCDER_OCTET_STRING, out,
- SecError(errSecDecode, error, CFSTR("ks_crypt_acl: %x failed to %s item (class %"PRId32", bag: %"PRId32") Item can't be decrypted due to invalid der tag, so drop the item."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag));
- require_action(der_tag_len == (size_t)((der + der_len) - value), out,
- SecError(errSecDecode, error, CFSTR("ks_crypt_acl: %x failed to %s item (class %"PRId32", bag: %"PRId32") Item can't be decrypted due to invalid der tag length, so drop the item."),
- kernResult, (operation == kSecKsWrap ? "wrap" : "unwrap"), keyclass, keybag));
- }
-
- if(CFDataGetLength(dest) != (der + der_len) - value)
- CFDataSetLength(dest, (der + der_len) - value);
-
- memcpy(CFDataGetMutableBytePtr(dest), value, CFDataGetLength(dest));
- }
- result = true;
- }
-
-out:
- if(params)
- free(params);
- if(der)
- free(der);
- return result;
-}
-#endif
-
-bool use_hwaes(void) {
- static bool use_hwaes;
- static dispatch_once_t check_once;
- dispatch_once(&check_once, ^{
- use_hwaes = hwaes_key_available();
- if (use_hwaes) {
- asl_log(NULL, NULL, ASL_LEVEL_INFO, "using hwaes key");
- } else {
- asl_log(NULL, NULL, ASL_LEVEL_ERR, "unable to access hwaes key");
- }
- });
- return use_hwaes;
-}
-
-bool ks_open_keybag(CFDataRef keybag, CFDataRef password, keybag_handle_t *handle, CFErrorRef *error) {
-#if USE_KEYSTORE
- kern_return_t kernResult;
- kernResult = aks_load_bag(CFDataGetBytePtr(keybag), (int)CFDataGetLength(keybag), handle);
- if (kernResult)
- return SecKernError(kernResult, error, CFSTR("aks_load_bag failed: %@"), keybag);
-
- if (password) {
- kernResult = aks_unlock_bag(*handle, CFDataGetBytePtr(password), (int)CFDataGetLength(password));
- if (kernResult) {
- aks_unload_bag(*handle);
- return SecKernError(kernResult, error, CFSTR("aks_unlock_bag failed"));
- }
- }
- return true;
-#else /* !USE_KEYSTORE */
- *handle = KEYBAG_NONE;
- return true;
-#endif /* USE_KEYSTORE */
-}
-
-bool ks_close_keybag(keybag_handle_t keybag, CFErrorRef *error) {
-#if USE_KEYSTORE
- IOReturn kernResult = aks_unload_bag(keybag);
- if (kernResult) {
- return SecKernError(kernResult, error, CFSTR("aks_unload_bag failed"));
- }
-#endif /* USE_KEYSTORE */
- return true;
-}
projects / apple / security.git / blobdiff