--- /dev/null
+/*
+ * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * SecItemServer.c - CoreFoundation-based constants and functions for
+ access to Security items (certificates, keys, identities, and
+ passwords.)
+ */
+
+#include <securityd/SecItemServer.h>
+
+#include <notify.h>
+#include <securityd/SecItemDataSource.h>
+#include <securityd/SecItemDb.h>
+#include <securityd/SecItemSchema.h>
+#include <securityd/SOSCloudCircleServer.h>
+#include <Security/SecBasePriv.h>
+#include <Security/SecItemPriv.h>
+#include <Security/SecItemInternal.h>
+#include <SecureObjectSync/SOSDigestVector.h>
+
+// TODO: Make this include work on both platforms. rdar://problem/16526848
+#if TARGET_OS_EMBEDDED
+#include <Security/SecEntitlements.h>
+#else
+/* defines from <Security/SecEntitlements.h> */
+#define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains")
+#define kSecEntitlementPrivateAssociatedDomains CFSTR("com.apple.private.associated-domains")
+#endif
+
+#include <utilities/array_size.h>
+#include <utilities/SecFileLocations.h>
+#include <Security/SecuritydXPC.h>
+#include "swcagent_client.h"
+
+#if TARGET_OS_IPHONE
+#include <SharedWebCredentials/SharedWebCredentials.h>
+#else
+typedef uint32_t SWCFlags;
+#define kSWCFlags_None 0
+#define kSWCFlag_Pending ( 1U << 0 )
+#define kSWCFlag_SiteApproved ( 1U << 1 )
+#define kSWCFlag_SiteDenied ( 1U << 2 )
+#define kSWCFlag_UserApproved ( 1U << 3 )
+#define kSWCFlag_UserDenied ( 1U << 4 )
+#define kSWCFlag_ExternalMask ( kSWCFlag_UserApproved | kSWCFlag_UserDenied )
+#endif
+
+/* Changed the name of the keychain changed notification, for testing */
+static const char *g_keychain_changed_notification = kSecServerKeychainChangedNotification;
+
+void SecItemServerSetKeychainChangedNotification(const char *notification_name)
+{
+ g_keychain_changed_notification = notification_name;
+}
+
+void SecKeychainChanged(bool syncWithPeers) {
+ uint32_t result = notify_post(g_keychain_changed_notification);
+ if (syncWithPeers)
+ SOSCCSyncWithAllPeers();
+ if (result == NOTIFY_STATUS_OK)
+ secnotice("item", "Sent %s%s", syncWithPeers ? "SyncWithAllPeers and " : "", g_keychain_changed_notification);
+ else
+ secerror("%snotify_post %s returned: %" PRIu32, syncWithPeers ? "Sent SyncWithAllPeers, " : "", g_keychain_changed_notification, result);
+ }
+
+static const char * const s3dl_upgrade_sql[] = {
+ /* 0 */
+ "",
+
+ /* 1 */
+ /* Create indices. */
+ "CREATE INDEX igsha ON genp(sha1);"
+ "CREATE INDEX iisha ON inet(sha1);"
+ "CREATE INDEX icsha ON cert(sha1);"
+ "CREATE INDEX iksha ON keys(sha1);"
+ "CREATE INDEX ialis ON cert(alis);"
+ "CREATE INDEX isubj ON cert(subj);"
+ "CREATE INDEX iskid ON cert(skid);"
+ "CREATE INDEX ipkhh ON cert(pkhh);"
+ "CREATE INDEX ikcls ON keys(kcls);"
+ "CREATE INDEX iklbl ON keys(klbl);"
+ "CREATE INDEX iencr ON keys(encr);"
+ "CREATE INDEX idecr ON keys(decr);"
+ "CREATE INDEX idrve ON keys(drve);"
+ "CREATE INDEX isign ON keys(sign);"
+ "CREATE INDEX ivrfy ON keys(vrfy);"
+ "CREATE INDEX iwrap ON keys(wrap);"
+ "CREATE INDEX iunwp ON keys(unwp);",
+
+ /* 2 */
+ "",
+
+ /* 3 */
+ /* Rename version 2 or version 3 tables and drop version table since
+ step 0 creates it. */
+ "ALTER TABLE genp RENAME TO ogenp;"
+ "ALTER TABLE inet RENAME TO oinet;"
+ "ALTER TABLE cert RENAME TO ocert;"
+ "ALTER TABLE keys RENAME TO okeys;"
+ "DROP TABLE tversion;",
+
+ /* 4 */
+ "",
+
+ /* 5 */
+ "",
+
+ /* 6 */
+ "",
+
+ /* 7 */
+ /* Move data from version 5 tables to new ones and drop old ones. */
+ "INSERT INTO genp (rowid,cdat,mdat,desc,icmt,crtr,type,scrp,labl,alis,invi,nega,cusi,prot,acct,svce,gena,data,agrp,pdmn) SELECT rowid,cdat,mdat,desc,icmt,crtr,type,scrp,labl,alis,invi,nega,cusi,prot,acct,svce,gena,data,agrp,pdmn from ogenp;"
+ "INSERT INTO inet (rowid,cdat,mdat,desc,icmt,crtr,type,scrp,labl,alis,invi,nega,cusi,prot,acct,sdmn,srvr,ptcl,atyp,port,path,data,agrp,pdmn) SELECT rowid,cdat,mdat,desc,icmt,crtr,type,scrp,labl,alis,invi,nega,cusi,prot,acct,sdmn,srvr,ptcl,atyp,port,path,data,agrp,pdmn from oinet;"
+ "INSERT INTO cert (rowid,cdat,mdat,ctyp,cenc,labl,alis,subj,issr,slnr,skid,pkhh,data,agrp,pdmn) SELECT rowid,cdat,mdat,ctyp,cenc,labl,alis,subj,issr,slnr,skid,pkhh,data,agrp,pdmn from ocert;"
+ "INSERT INTO keys (rowid,cdat,mdat,kcls,labl,alis,perm,priv,modi,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,data,agrp,pdmn) SELECT rowid,cdat,mdat,kcls,labl,alis,perm,priv,modi,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,data,agrp,pdmn from okeys;"
+ "DROP TABLE ogenp;"
+ "DROP TABLE oinet;"
+ "DROP TABLE ocert;"
+ "DROP TABLE okeys;"
+ "CREATE INDEX igsha ON genp(sha1);"
+ "CREATE INDEX iisha ON inet(sha1);"
+ "CREATE INDEX icsha ON cert(sha1);"
+ "CREATE INDEX iksha ON keys(sha1);",
+};
+
+struct sql_stages {
+ int pre;
+ int main;
+ int post;
+ bool init_pdmn; // If true do a full export followed by an import of the entire database so all items are re-encoded.
+};
+
+/* On disk database format version upgrade scripts.
+ If pre is 0, version is unsupported and db is considered corrupt for having that version.
+ First entry creates the current db, each susequent entry upgrade to current from the version
+ represented by the index of the slot. Each script is either -1 (disabled) of the number of
+ the script in the main table.
+ {pre,main,post, reencode} */
+
+
+static struct sql_stages s3dl_upgrade_script[] = {
+ { -1, 0, 1, false },/* 0->current: Create version 6*/
+ {}, /* 1->current: Upgrade to version 6 from version 1 -- Unsupported. */
+ {}, /* 2->current: Upgrade to version 6 from version 2 -- Unsupported */
+ {}, /* 3->current: Upgrade to version 6 from version 3 -- Unsupported */
+ {}, /* 4->current: Upgrade to version 6 from version 4 -- Unsupported */
+ { 3, 0, 7, true }, /* 5->current: Upgrade to version 6 from version 5 */
+};
+
+static bool sql_run_script(SecDbConnectionRef dbt, int number, CFErrorRef *error)
+{
+ /* Script -1 == skip this step. */
+ if (number < 0)
+ return true;
+
+ /* If we are attempting to run a script we don't have, fail. */
+ if ((size_t)number >= array_size(s3dl_upgrade_sql))
+ return SecDbError(SQLITE_CORRUPT, error, CFSTR("script %d exceeds maximum %d"),
+ number, (int)(array_size(s3dl_upgrade_sql)));
+ __block bool ok = true;
+ if (number == 0) {
+ CFMutableStringRef sql = CFStringCreateMutable(0, 0);
+ SecDbAppendCreateTableWithClass(sql, &genp_class);
+ SecDbAppendCreateTableWithClass(sql, &inet_class);
+ SecDbAppendCreateTableWithClass(sql, &cert_class);
+ SecDbAppendCreateTableWithClass(sql, &keys_class);
+ CFStringAppend(sql, CFSTR("CREATE TABLE tversion(version INTEGER);INSERT INTO tversion(version) VALUES(6);"));
+ CFStringPerformWithCString(sql, ^(const char *sql_string) {
+ ok = SecDbErrorWithDb(sqlite3_exec(SecDbHandle(dbt), sql_string, NULL, NULL, NULL),
+ SecDbHandle(dbt), error, CFSTR("sqlite3_exec: %s"), sql_string);
+ });
+ CFReleaseSafe(sql);
+ } else {
+ ok = SecDbErrorWithDb(sqlite3_exec(SecDbHandle(dbt), s3dl_upgrade_sql[number], NULL, NULL, NULL),
+ SecDbHandle(dbt), error, CFSTR("sqlite3_exec: %s"), s3dl_upgrade_sql[number]);
+ }
+ return ok;
+}
+
+/* Return the current database version in *version. Returns a
+ SQLITE error. */
+static bool s3dl_dbt_get_version(SecDbConnectionRef dbt, int *version, CFErrorRef *error)
+{
+ CFStringRef sql = CFSTR("SELECT version FROM tversion LIMIT 1");
+ return SecDbWithSQL(dbt, sql, error, ^(sqlite3_stmt *stmt) {
+ __block bool found_version = false;
+ bool step_ok = SecDbForEach(stmt, error, ^(int row_index __unused) {
+ if (!found_version) {
+ *version = sqlite3_column_int(stmt, 0);
+ found_version = true;
+ }
+ return found_version;
+ });
+ if (!found_version) {
+ /* We have a tversion table but we didn't find a single version
+ value, now what? I suppose we pretend the db is corrupted
+ since this isn't supposed to ever happen. */
+ step_ok = SecDbError(SQLITE_CORRUPT, error, CFSTR("Failed to read version: database corrupt"));
+ secwarning("SELECT version step: %@", error ? *error : NULL);
+ }
+ return step_ok;
+ });
+}
+
+
+static bool s3dl_dbt_upgrade_from_version(SecDbConnectionRef dbt, int version, CFErrorRef *error)
+{
+ /* We need to go from db version to CURRENT_DB_VERSION, let's do so. */
+ __block bool ok = true;
+ /* O, guess we're done already. */
+ if (version == CURRENT_DB_VERSION)
+ return ok;
+
+ if (ok && version < 6) {
+ // Pre v6 keychains need to have WAL enabled, since SecDb only
+ // does this at db creation time.
+ // NOTE: This has to be run outside of a transaction.
+ ok = (SecDbExec(dbt, CFSTR("PRAGMA auto_vacuum = FULL"), error) &&
+ SecDbExec(dbt, CFSTR("PRAGMA journal_mode = WAL"), error));
+ }
+
+ // Start a transaction to do the upgrade within
+ if (ok) { ok = SecDbTransaction(dbt, kSecDbExclusiveTransactionType, error, ^(bool *commit) {
+ // Be conservative and get the version again once we start a transaction.
+ int cur_version = version;
+ s3dl_dbt_get_version(dbt, &cur_version, NULL);
+
+ /* If we are attempting to upgrade to a version greater than what we have
+ an upgrade script for, fail. */
+ if (ok && (cur_version < 0 ||
+ (size_t)cur_version >= array_size(s3dl_upgrade_script))) {
+ ok = SecDbError(SQLITE_CORRUPT, error, CFSTR("no upgrade script for version: %d"), cur_version);
+ secerror("no upgrade script for version %d", cur_version);
+ }
+
+ struct sql_stages *script;
+ if (ok) {
+ script = &s3dl_upgrade_script[cur_version];
+ if (script->pre == 0)
+ ok = SecDbError(SQLITE_CORRUPT, error, CFSTR("unsupported db version %d"), cur_version);
+ }
+ if (ok)
+ ok = sql_run_script(dbt, script->pre, error);
+ if (ok)
+ ok = sql_run_script(dbt, script->main, error);
+ if (ok)
+ ok = sql_run_script(dbt, script->post, error);
+ if (ok && script->init_pdmn) {
+ CFErrorRef localError = NULL;
+ CFDictionaryRef backup = SecServerExportKeychainPlist(dbt,
+ KEYBAG_DEVICE, KEYBAG_NONE, kSecNoItemFilter, &localError);
+ if (backup) {
+ if (localError) {
+ secerror("Ignoring export error: %@ during upgrade export", localError);
+ CFReleaseNull(localError);
+ }
+ ok = SecServerImportKeychainInPlist(dbt, KEYBAG_NONE,
+ KEYBAG_DEVICE, backup, kSecNoItemFilter, &localError);
+ CFRelease(backup);
+ } else {
+ ok = false;
+
+ if (localError && SecErrorGetOSStatus(localError) == errSecInteractionNotAllowed) {
+ SecError(errSecUpgradePending, error,
+ CFSTR("unable to complete upgrade due to device lock state"));
+ secerror("unable to complete upgrade due to device lock state");
+ } else {
+ secerror("unable to complete upgrade for unknown reason, marking DB as corrupt: %@", localError);
+ SecDbCorrupt(dbt);
+ }
+ }
+
+ if (localError) {
+ if (error && !*error)
+ *error = localError;
+ else
+ CFRelease(localError);
+ }
+ } else if (!ok) {
+ secerror("unable to complete upgrade scripts, marking DB as corrupt: %@", error ? *error : NULL);
+ SecDbCorrupt(dbt);
+ }
+ *commit = ok;
+ }); } else {
+ secerror("unable to complete upgrade scripts, marking DB as corrupt: %@", error ? *error : NULL);
+ SecDbCorrupt(dbt);
+ }
+
+ return ok;
+}
+
+
+/* This function is called if the db doesn't have the proper version. We
+ start an exclusive transaction and recheck the version, and then perform
+ the upgrade within that transaction. */
+static bool s3dl_dbt_upgrade(SecDbConnectionRef dbt, CFErrorRef *error)
+{
+ // Already in a transaction
+ //return kc_transaction(dbt, error, ^{
+ int version = 0; // Upgrade from version 0 == create new db
+ s3dl_dbt_get_version(dbt, &version, NULL);
+ return s3dl_dbt_upgrade_from_version(dbt, version, error);
+ //});
+}
+
+/* AUDIT[securityd](done):
+ accessGroup (ok) is a caller provided, non NULL CFTypeRef.
+
+ Return true iff accessGroup is allowable according to accessGroups.
+ */
+static bool accessGroupsAllows(CFArrayRef accessGroups,
+ CFStringRef accessGroup) {
+ /* NULL accessGroups is wildcard. */
+ if (!accessGroups)
+ return true;
+ /* Make sure we have a string. */
+ if (!isString(accessGroup))
+ return false;
+
+ /* Having the special accessGroup "*" allows access to all accessGroups. */
+ CFRange range = { 0, CFArrayGetCount(accessGroups) };
+ if (range.length &&
+ (CFArrayContainsValue(accessGroups, range, accessGroup) ||
+ CFArrayContainsValue(accessGroups, range, CFSTR("*"))))
+ return true;
+
+ return false;
+}
+
+bool itemInAccessGroup(CFDictionaryRef item, CFArrayRef accessGroups) {
+ return accessGroupsAllows(accessGroups,
+ CFDictionaryGetValue(item, kSecAttrAccessGroup));
+}
+
+
+static CF_RETURNS_RETAINED CFDataRef SecServerExportKeychain(SecDbConnectionRef dbt,
+ keybag_handle_t src_keybag, keybag_handle_t dest_keybag, CFErrorRef *error) {
+ CFDataRef data_out = NULL;
+ /* Export everything except the items for which SecItemIsSystemBound()
+ returns true. */
+ CFDictionaryRef keychain = SecServerExportKeychainPlist(dbt,
+ src_keybag, dest_keybag, kSecBackupableItemFilter,
+ error);
+ if (keychain) {
+ data_out = CFPropertyListCreateData(kCFAllocatorDefault, keychain,
+ kCFPropertyListBinaryFormat_v1_0,
+ 0, error);
+ CFRelease(keychain);
+ }
+
+ return data_out;
+}
+
+static bool SecServerImportKeychain(SecDbConnectionRef dbt,
+ keybag_handle_t src_keybag,
+ keybag_handle_t dest_keybag, CFDataRef data, CFErrorRef *error) {
+ return kc_transaction(dbt, error, ^{
+ bool ok = false;
+ CFDictionaryRef keychain;
+ keychain = CFPropertyListCreateWithData(kCFAllocatorDefault, data,
+ kCFPropertyListImmutable, NULL,
+ error);
+ if (keychain) {
+ if (isDictionary(keychain)) {
+ ok = SecServerImportKeychainInPlist(dbt, src_keybag,
+ dest_keybag, keychain,
+ kSecBackupableItemFilter,
+ error);
+ } else {
+ ok = SecError(errSecParam, error, CFSTR("import: keychain is not a dictionary"));
+ }
+ CFRelease(keychain);
+ }
+ return ok;
+ });
+}
+
+static CF_RETURNS_RETAINED CFDataRef SecServerKeychainBackup(SecDbConnectionRef dbt, CFDataRef keybag,
+ CFDataRef password, CFErrorRef *error) {
+ CFDataRef backup = NULL;
+ keybag_handle_t backup_keybag;
+ if (ks_open_keybag(keybag, password, &backup_keybag, error)) {
+ /* Export from system keybag to backup keybag. */
+ backup = SecServerExportKeychain(dbt, KEYBAG_DEVICE, backup_keybag, error);
+ if (!ks_close_keybag(backup_keybag, error)) {
+ CFReleaseNull(backup);
+ }
+ }
+ return backup;
+}
+
+static bool SecServerKeychainRestore(SecDbConnectionRef dbt, CFDataRef backup,
+ CFDataRef keybag, CFDataRef password, CFErrorRef *error) {
+ keybag_handle_t backup_keybag;
+ if (!ks_open_keybag(keybag, password, &backup_keybag, error))
+ return false;
+
+ /* Import from backup keybag to system keybag. */
+ bool ok = SecServerImportKeychain(dbt, backup_keybag, KEYBAG_DEVICE,
+ backup, error);
+ ok &= ks_close_keybag(backup_keybag, error);
+
+ return ok;
+}
+
+
+// MARK - External SPI support code.
+
+CFStringRef __SecKeychainCopyPath(void) {
+ CFStringRef kcRelPath = NULL;
+ if (use_hwaes()) {
+ kcRelPath = CFSTR("keychain-2.db");
+ } else {
+ kcRelPath = CFSTR("keychain-2-debug.db");
+ }
+
+ CFStringRef kcPath = NULL;
+ CFURLRef kcURL = SecCopyURLForFileInKeychainDirectory(kcRelPath);
+ if (kcURL) {
+ kcPath = CFURLCopyFileSystemPath(kcURL, kCFURLPOSIXPathStyle);
+ CFRelease(kcURL);
+ }
+ return kcPath;
+
+}
+
+// MARK; -
+// MARK: kc_dbhandle init and reset
+
+SecDbRef SecKeychainDbCreate(CFStringRef path) {
+ return SecDbCreate(path, ^bool (SecDbConnectionRef dbconn, bool didCreate, CFErrorRef *localError) {
+ bool ok;
+ if (didCreate)
+ ok = s3dl_dbt_upgrade_from_version(dbconn, 0, localError);
+ else
+ ok = s3dl_dbt_upgrade(dbconn, localError);
+
+ if (!ok)
+ secerror("Upgrade %sfailed: %@", didCreate ? "from v0 " : "", localError ? *localError : NULL);
+
+ return ok;
+ });
+}
+
+static SecDbRef _kc_dbhandle = NULL;
+
+static void kc_dbhandle_init(void) {
+ SecDbRef oldHandle = _kc_dbhandle;
+ _kc_dbhandle = NULL;
+ CFStringRef dbPath = __SecKeychainCopyPath();
+ if (dbPath) {
+ _kc_dbhandle = SecKeychainDbCreate(dbPath);
+ CFRelease(dbPath);
+ } else {
+ secerror("no keychain path available");
+ }
+ if (oldHandle) {
+ secerror("replaced %@ with %@", oldHandle, _kc_dbhandle);
+ CFRelease(oldHandle);
+ }
+}
+
+static dispatch_once_t _kc_dbhandle_once;
+
+static SecDbRef kc_dbhandle(void) {
+ dispatch_once(&_kc_dbhandle_once, ^{
+ kc_dbhandle_init();
+ });
+ return _kc_dbhandle;
+}
+
+/* For whitebox testing only */
+void kc_dbhandle_reset(void);
+void kc_dbhandle_reset(void)
+{
+ __block bool done = false;
+ dispatch_once(&_kc_dbhandle_once, ^{
+ kc_dbhandle_init();
+ done = true;
+ });
+ // TODO: Not thread safe at all! - FOR DEBUGGING ONLY
+ if (!done)
+ kc_dbhandle_init();
+}
+
+static SecDbConnectionRef kc_aquire_dbt(bool writeAndRead, CFErrorRef *error) {
+ SecDbRef db = kc_dbhandle();
+ if (db == NULL) {
+ SecError(errSecDataNotAvailable, error, CFSTR("failed to get a db handle"));
+ return NULL;
+ }
+ return SecDbConnectionAquire(db, !writeAndRead, error);
+}
+
+/* Return a per thread dbt handle for the keychain. If create is true create
+ the database if it does not yet exist. If it is false, just return an
+ error if it fails to auto-create. */
+static bool kc_with_dbt(bool writeAndRead, CFErrorRef *error, bool (^perform)(SecDbConnectionRef dbt))
+{
+ // Make sure we initialize our engines before writing to the keychain
+ if (writeAndRead)
+ SecItemDataSourceFactoryGetDefault();
+
+ bool ok = false;
+ SecDbConnectionRef dbt = kc_aquire_dbt(writeAndRead, error);
+ if (dbt) {
+ ok = perform(dbt);
+ SecDbConnectionRelease(dbt);
+ }
+ return ok;
+}
+
+static bool
+items_matching_issuer_parent(SecDbConnectionRef dbt, CFArrayRef accessGroups,
+ CFDataRef issuer, CFArrayRef issuers, int recurse)
+{
+ Query *q;
+ CFArrayRef results = NULL;
+ CFIndex i, count;
+ bool found = false;
+
+ if (CFArrayContainsValue(issuers, CFRangeMake(0, CFArrayGetCount(issuers)), issuer))
+ return true;
+
+ const void *keys[] = { kSecClass, kSecReturnRef, kSecAttrSubject };
+ const void *vals[] = { kSecClassCertificate, kCFBooleanTrue, issuer };
+ CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, array_size(keys), NULL, NULL);
+
+ if (!query)
+ return false;
+
+ CFErrorRef localError = NULL;
+ q = query_create_with_limit(query, kSecMatchUnlimited, &localError);
+ CFRelease(query);
+ if (q) {
+ s3dl_copy_matching(dbt, q, (CFTypeRef*)&results, accessGroups, &localError);
+ query_destroy(q, &localError);
+ }
+ if (localError) {
+ secerror("items matching issuer parent: %@", localError);
+ CFReleaseNull(localError);
+ return false;
+ }
+
+ count = CFArrayGetCount(results);
+ for (i = 0; (i < count) && !found; i++) {
+ CFDictionaryRef cert_dict = (CFDictionaryRef)CFArrayGetValueAtIndex(results, i);
+ CFDataRef cert_issuer = CFDictionaryGetValue(cert_dict, kSecAttrIssuer);
+ if (CFEqual(cert_issuer, issuer))
+ continue;
+ if (recurse-- > 0)
+ found = items_matching_issuer_parent(dbt, accessGroups, cert_issuer, issuers, recurse);
+ }
+ CFReleaseSafe(results);
+
+ return found;
+}
+
+bool match_item(SecDbConnectionRef dbt, Query *q, CFArrayRef accessGroups, CFDictionaryRef item)
+{
+ if (q->q_match_issuer) {
+ CFDataRef issuer = CFDictionaryGetValue(item, kSecAttrIssuer);
+ if (!items_matching_issuer_parent(dbt, accessGroups, issuer, q->q_match_issuer, 10 /*max depth*/))
+ return false;
+ }
+
+ /* Add future match checks here. */
+
+ return true;
+}
+
+/****************************************************************************
+ **************** Beginning of Externally Callable Interface ****************
+ ****************************************************************************/
+
+#if 0
+// TODO Use as a safety wrapper
+static bool SecErrorWith(CFErrorRef *in_error, bool (^perform)(CFErrorRef *error)) {
+ CFErrorRef error = in_error ? *in_error : NULL;
+ bool ok;
+ if ((ok = perform(&error))) {
+ assert(error == NULL);
+ if (error)
+ secerror("error + success: %@", error);
+ } else {
+ assert(error);
+ OSStatus status = SecErrorGetOSStatus(error);
+ if (status != errSecItemNotFound) // Occurs in normal operation, so exclude
+ secerror("error:[%" PRIdOSStatus "] %@", status, error);
+ if (in_error) {
+ *in_error = error;
+ } else {
+ CFReleaseNull(error);
+ }
+ }
+ return ok;
+}
+#endif
+
+/* AUDIT[securityd](done):
+ query (ok) is a caller provided dictionary, only its cf type has been checked.
+ */
+static bool
+SecItemServerCopyMatching(CFDictionaryRef query, CFTypeRef *result,
+ CFArrayRef accessGroups, CFErrorRef *error)
+{
+ CFIndex ag_count;
+ if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) {
+ return SecError(errSecMissingEntitlement, error,
+ CFSTR("client has neither application-identifier nor keychain-access-groups entitlements"));
+ }
+
+ if (CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), CFSTR("*"))) {
+ /* Having the special accessGroup "*" allows access to all accessGroups. */
+ accessGroups = NULL;
+ }
+
+ bool ok = false;
+ Query *q = query_create_with_limit(query, 1, error);
+ if (q) {
+ CFStringRef agrp = CFDictionaryGetValue(q->q_item, kSecAttrAccessGroup);
+ if (agrp && accessGroupsAllows(accessGroups, agrp)) {
+ // TODO: Return an error if agrp is not NULL and accessGroupsAllows() fails above.
+ const void *val = agrp;
+ accessGroups = CFArrayCreate(0, &val, 1, &kCFTypeArrayCallBacks);
+ } else {
+ CFRetainSafe(accessGroups);
+ }
+
+ query_enable_interactive(q);
+ query_set_caller_access_groups(q, accessGroups);
+
+ /* Sanity check the query. */
+ if (q->q_use_item_list) {
+ ok = SecError(errSecUseItemListUnsupported, error, CFSTR("use item list unsupported"));
+#if defined(MULTIPLE_KEYCHAINS)
+ } else if (q->q_use_keychain) {
+ ok = SecError(errSecUseKeychainUnsupported, error, CFSTR("use keychain list unsupported"));
+#endif
+ } else if (q->q_match_issuer && ((q->q_class != &cert_class) &&
+ (q->q_class != &identity_class))) {
+ ok = SecError(errSecUnsupportedOperation, error, CFSTR("unsupported match attribute"));
+ } else if (q->q_return_type != 0 && result == NULL) {
+ ok = SecError(errSecReturnMissingPointer, error, CFSTR("missing pointer"));
+ } else if (!q->q_error) {
+ do {
+ ok = kc_with_dbt(false, error, ^(SecDbConnectionRef dbt) {
+ return s3dl_copy_matching(dbt, q, result, accessGroups, error);
+ });
+ } while (query_needs_authentication(q) && (ok = query_authenticate(q, &error)));
+ }
+
+ CFReleaseSafe(accessGroups);
+ if (!query_destroy(q, error))
+ ok = false;
+ }
+
+ return ok;
+}
+
+bool
+_SecItemCopyMatching(CFDictionaryRef query, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) {
+ return SecItemServerCopyMatching(query, result, accessGroups, error);
+}
+
+/* AUDIT[securityd](done):
+ attributes (ok) is a caller provided dictionary, only its cf type has
+ been checked.
+ */
+bool
+_SecItemAdd(CFDictionaryRef attributes, CFArrayRef accessGroups,
+ CFTypeRef *result, CFErrorRef *error)
+{
+ bool ok = true;
+ CFIndex ag_count;
+ if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups)))
+ return SecError(errSecMissingEntitlement, error,
+ CFSTR("client has neither application-identifier nor keychain-access-groups entitlements"));
+
+ Query *q = query_create_with_limit(attributes, 0, error);
+ if (q) {
+ /* Access group sanity checking. */
+ CFStringRef agrp = (CFStringRef)CFDictionaryGetValue(attributes,
+ kSecAttrAccessGroup);
+
+ CFArrayRef ag = accessGroups;
+ /* Having the special accessGroup "*" allows access to all accessGroups. */
+ if (CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), CFSTR("*")))
+ accessGroups = NULL;
+
+ if (agrp) {
+ /* The user specified an explicit access group, validate it. */
+ if (!accessGroupsAllows(accessGroups, agrp))
+ return SecError(errSecNoAccessForItem, error, CFSTR("NoAccessForItem"));
+ } else {
+ agrp = (CFStringRef)CFArrayGetValueAtIndex(ag, 0);
+
+ /* We are using an implicit access group, add it as if the user
+ specified it as an attribute. */
+ query_add_attribute(kSecAttrAccessGroup, agrp, q);
+ }
+
+ query_ensure_access_control(q, agrp);
+ query_enable_interactive(q);
+
+ if (q->q_row_id)
+ ok = SecError(errSecValuePersistentRefUnsupported, error, CFSTR("q_row_id")); // TODO: better error string
+ #if defined(MULTIPLE_KEYCHAINS)
+ else if (q->q_use_keychain_list)
+ ok = SecError(errSecUseKeychainListUnsupported, error, CFSTR("q_use_keychain_list")); // TODO: better error string;
+ #endif
+ else if (!q->q_error) {
+ do {
+ ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt){
+ return kc_transaction(dbt, error, ^{
+ query_pre_add(q, true);
+ return s3dl_query_add(dbt, q, result, error);
+ });
+ });
+ } while (query_needs_authentication(q) && (ok = query_authenticate(q, &error)));
+ }
+ ok = query_notify_and_destroy(q, ok, error);
+ } else {
+ ok = false;
+ }
+ return ok;
+}
+
+/* AUDIT[securityd](done):
+ query (ok) and attributesToUpdate (ok) are a caller provided dictionaries,
+ only their cf types have been checked.
+ */
+bool
+_SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate,
+ CFArrayRef accessGroups, CFErrorRef *error)
+{
+ CFIndex ag_count;
+ if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) {
+ return SecError(errSecMissingEntitlement, error,
+ CFSTR("client has neither application-identifier nor keychain-access-groups entitlements"));
+ }
+
+ if (CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), CFSTR("*"))) {
+ /* Having the special accessGroup "*" allows access to all accessGroups. */
+ accessGroups = NULL;
+ }
+
+ bool ok = true;
+ Query *q = query_create_with_limit(query, kSecMatchUnlimited, error);
+ if (!q) {
+ ok = false;
+ }
+ if (ok) {
+ /* Sanity check the query. */
+ query_set_caller_access_groups(q, accessGroups);
+ if (q->q_use_item_list) {
+ ok = SecError(errSecUseItemListUnsupported, error, CFSTR("use item list not supported"));
+ } else if (q->q_return_type & kSecReturnDataMask) {
+ /* Update doesn't return anything so don't ask for it. */
+ ok = SecError(errSecReturnDataUnsupported, error, CFSTR("return data not supported by update"));
+ } else if (q->q_return_type & kSecReturnAttributesMask) {
+ ok = SecError(errSecReturnAttributesUnsupported, error, CFSTR("return attributes not supported by update"));
+ } else if (q->q_return_type & kSecReturnRefMask) {
+ ok = SecError(errSecReturnRefUnsupported, error, CFSTR("return ref not supported by update"));
+ } else if (q->q_return_type & kSecReturnPersistentRefMask) {
+ ok = SecError(errSecReturnPersistentRefUnsupported, error, CFSTR("return persistent ref not supported by update"));
+ } else {
+ /* Access group sanity checking. */
+ CFStringRef agrp = (CFStringRef)CFDictionaryGetValue(attributesToUpdate,
+ kSecAttrAccessGroup);
+ if (agrp) {
+ /* The user is attempting to modify the access group column,
+ validate it to make sure the new value is allowable. */
+ if (!accessGroupsAllows(accessGroups, agrp)) {
+ ok = SecError(errSecNoAccessForItem, error, CFSTR("accessGroup %@ not in %@"), agrp, accessGroups);
+ }
+ }
+ }
+ }
+ if (ok) {
+ if (!q->q_use_tomb && SOSCCThisDeviceDefinitelyNotActiveInCircle()) {
+ q->q_use_tomb = kCFBooleanFalse;
+ }
+ query_enable_interactive(q);
+ do {
+ ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) {
+ return s3dl_query_update(dbt, q, attributesToUpdate, accessGroups, error);
+ });
+ } while (query_needs_authentication(q) && (ok = query_authenticate(q, &error)));
+ }
+ if (q) {
+ ok = query_notify_and_destroy(q, ok, error);
+ }
+ return ok;
+}
+
+
+/* AUDIT[securityd](done):
+ query (ok) is a caller provided dictionary, only its cf type has been checked.
+ */
+bool
+_SecItemDelete(CFDictionaryRef query, CFArrayRef accessGroups, CFErrorRef *error)
+{
+ CFIndex ag_count;
+ if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) {
+ return SecError(errSecMissingEntitlement, error,
+ CFSTR("client has neither application-identifier nor keychain-access-groups entitlements"));
+ }
+
+ if (CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), CFSTR("*"))) {
+ /* Having the special accessGroup "*" allows access to all accessGroups. */
+ accessGroups = NULL;
+ }
+
+ Query *q = query_create_with_limit(query, kSecMatchUnlimited, error);
+ bool ok;
+ if (q) {
+ q->q_crypto_op = kSecKsDelete;
+ query_set_caller_access_groups(q, accessGroups);
+ /* Sanity check the query. */
+ if (q->q_limit != kSecMatchUnlimited)
+ ok = SecError(errSecMatchLimitUnsupported, error, CFSTR("match limit not supported by delete"));
+ else if (query_match_count(q) != 0)
+ ok = SecError(errSecItemMatchUnsupported, error, CFSTR("match not supported by delete"));
+ else if (q->q_ref)
+ ok = SecError(errSecValueRefUnsupported, error, CFSTR("value ref not supported by delete"));
+ else if (q->q_row_id && query_attr_count(q))
+ ok = SecError(errSecItemIllegalQuery, error, CFSTR("rowid and other attributes are mutually exclusive"));
+ else {
+ if (!q->q_use_tomb && SOSCCThisDeviceDefinitelyNotActiveInCircle()) {
+ q->q_use_tomb = kCFBooleanFalse;
+ }
+ query_enable_interactive(q);
+ do {
+ ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) {
+ return s3dl_query_delete(dbt, q, accessGroups, error);
+ });
+ } while (query_needs_authentication(q) && (ok = query_authenticate(q, &error)));
+ }
+ ok = query_notify_and_destroy(q, ok, error);
+ } else {
+ ok = false;
+ }
+ return ok;
+}
+
+
+/* AUDIT[securityd](done):
+ No caller provided inputs.
+ */
+static bool
+SecItemServerDeleteAll(CFErrorRef *error) {
+ return kc_with_dbt(true, error, ^bool (SecDbConnectionRef dbt) {
+ return (kc_transaction(dbt, error, ^bool {
+ return (SecDbExec(dbt, CFSTR("DELETE from genp;"), error) &&
+ SecDbExec(dbt, CFSTR("DELETE from inet;"), error) &&
+ SecDbExec(dbt, CFSTR("DELETE from cert;"), error) &&
+ SecDbExec(dbt, CFSTR("DELETE from keys;"), error));
+ }) && SecDbExec(dbt, CFSTR("VACUUM;"), error));
+ });
+}
+
+bool
+_SecItemDeleteAll(CFErrorRef *error) {
+ return SecItemServerDeleteAll(error);
+}
+
+
+// MARK: -
+// MARK: Shared web credentials
+
+/* constants */
+#define SEC_CONST_DECL(k,v) CFTypeRef k = (CFTypeRef)(CFSTR(v));
+
+SEC_CONST_DECL (kSecSafariAccessGroup, "com.apple.cfnetwork");
+SEC_CONST_DECL (kSecSafariDefaultComment, "default");
+SEC_CONST_DECL (kSecSafariPasswordsNotSaved, "Passwords not saved");
+SEC_CONST_DECL (kSecSharedCredentialUrlScheme, "https://");
+SEC_CONST_DECL (kSecSharedWebCredentialsService, "webcredentials");
+
+#if !TARGET_IPHONE_SIMULATOR
+static SWCFlags
+_SecAppDomainApprovalStatus(CFStringRef appID, CFStringRef fqdn, CFErrorRef *error)
+{
+ __block SWCFlags flags = kSWCFlags_None;
+
+#if TARGET_OS_IPHONE
+ CFRetainSafe(appID);
+ CFRetainSafe(fqdn);
+ dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+ dispatch_retain(semaphore);
+ if (0 == SWCCheckService(kSecSharedWebCredentialsService, appID, fqdn,
+ ^void (OSStatus inStatus, SWCFlags inFlags, CFDictionaryRef inDetails) {
+ if (!inStatus) { flags = inFlags; }
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ dispatch_semaphore_signal(semaphore);
+ dispatch_release(semaphore);
+ //secerror("SWCCheckService: inStatus=%d, flags=%0X", inStatus, flags);
+ }))
+ {
+ // wait for the block to complete, as we need its answer
+ dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+ }
+ else // didn't queue the block
+ {
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ dispatch_release(semaphore);
+ }
+ dispatch_release(semaphore);
+#else
+ flags |= (kSWCFlag_SiteApproved);
+#endif
+
+ if (!error) { return flags; }
+ *error = NULL;
+
+ // check website approval status
+ if (!(flags & kSWCFlag_SiteApproved)) {
+ if (flags & kSWCFlag_Pending) {
+ SecError(errSecAuthFailed, error, CFSTR("Approval is pending for \"%@\", try later"), fqdn);
+ } else {
+ SecError(errSecAuthFailed, error, CFSTR("\"%@\" failed to approve \"%@\""), fqdn, appID);
+ }
+ return flags;
+ }
+
+ // check user approval status
+ if (flags & kSWCFlag_UserDenied) {
+ SecError(errSecAuthFailed, error, CFSTR("User denied access to \"%@\" by \"%@\""), fqdn, appID);
+ }
+ return flags;
+}
+#endif
+
+#if !TARGET_IPHONE_SIMULATOR
+static bool
+_SecEntitlementContainsDomainForService(CFArrayRef domains, CFStringRef domain, CFStringRef service)
+{
+ bool result = false;
+ CFIndex idx, count = (domains) ? CFArrayGetCount(domains) : (CFIndex) 0;
+ if (!count || !domain || !service) {
+ return result;
+ }
+ for (idx=0; idx < count; idx++) {
+ CFStringRef str = (CFStringRef) CFArrayGetValueAtIndex(domains, idx);
+ if (str && CFStringHasPrefix(str, kSecSharedWebCredentialsService)) {
+ CFIndex prefix_len = CFStringGetLength(kSecSharedWebCredentialsService)+1;
+ CFIndex substr_len = CFStringGetLength(str) - prefix_len;
+ CFRange range = { prefix_len, substr_len };
+ CFStringRef substr = CFStringCreateWithSubstring(kCFAllocatorDefault, str, range);
+ if (substr && CFEqual(substr, domain)) {
+ result = true;
+ }
+ CFReleaseSafe(substr);
+ if (result) {
+ break;
+ }
+ }
+ }
+ return result;
+}
+#endif
+
+static bool
+_SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari)
+{
+ bool result = false;
+ if (!fqdn) { return result; }
+
+#if TARGET_OS_IPHONE
+ // update our database
+ CFRetainSafe(appID);
+ CFRetainSafe(fqdn);
+ if (0 == SWCSetServiceFlags(kSecSharedWebCredentialsService,
+ appID, fqdn, kSWCFlag_ExternalMask, kSWCFlag_UserDenied,
+ ^void(OSStatus inStatus, SWCFlags inNewFlags){
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ }))
+ {
+ result = true;
+ }
+ else // didn't queue the block
+ {
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ }
+#endif
+ if (!forSafari) { return result; }
+
+ // below this point: create a negative Safari web credential item
+
+ CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!attrs) { return result; }
+
+ CFErrorRef error = NULL;
+ CFStringRef accessGroup = CFSTR("*");
+ CFArrayRef accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks);
+
+ CFDictionaryAddValue(attrs, kSecClass, kSecClassInternetPassword);
+ CFDictionaryAddValue(attrs, kSecAttrAccessGroup, kSecSafariAccessGroup);
+ CFDictionaryAddValue(attrs, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeHTMLForm);
+ CFDictionaryAddValue(attrs, kSecAttrProtocol, kSecAttrProtocolHTTPS);
+ CFDictionaryAddValue(attrs, kSecAttrServer, fqdn);
+ CFDictionaryAddValue(attrs, kSecAttrSynchronizable, kCFBooleanTrue);
+
+ (void)_SecItemDelete(attrs, accessGroups, &error);
+ CFReleaseNull(error);
+
+ CFDictionaryAddValue(attrs, kSecAttrAccount, kSecSafariPasswordsNotSaved);
+ CFDictionaryAddValue(attrs, kSecAttrComment, kSecSafariDefaultComment);
+
+ CFStringRef label = CFStringCreateWithFormat(kCFAllocatorDefault,
+ NULL, CFSTR("%@ (%@)"), fqdn, kSecSafariPasswordsNotSaved);
+ if (label) {
+ CFDictionaryAddValue(attrs, kSecAttrLabel, label);
+ CFReleaseSafe(label);
+ }
+
+ UInt8 space = ' ';
+ CFDataRef data = CFDataCreate(kCFAllocatorDefault, &space, 1);
+ if (data) {
+ CFDictionarySetValue(attrs, kSecValueData, data);
+ CFReleaseSafe(data);
+ }
+
+ CFTypeRef addResult = NULL;
+ result = _SecItemAdd(attrs, accessGroups, &addResult, &error);
+
+ CFReleaseSafe(addResult);
+ CFReleaseSafe(error);
+ CFReleaseSafe(attrs);
+ CFReleaseSafe(accessGroups);
+
+ return result;
+}
+
+/* Specialized version of SecItemAdd for shared web credentials */
+bool
+_SecAddSharedWebCredential(CFDictionaryRef attributes,
+ const audit_token_t *clientAuditToken,
+ CFStringRef appID,
+ CFArrayRef domains,
+ CFTypeRef *result,
+ CFErrorRef *error) {
+
+ CFStringRef fqdn = CFDictionaryGetValue(attributes, kSecAttrServer);
+ CFStringRef account = CFDictionaryGetValue(attributes, kSecAttrAccount);
+#if TARGET_OS_IPHONE
+ CFStringRef password = CFDictionaryGetValue(attributes, kSecSharedPassword);
+#else
+ CFStringRef password = CFDictionaryGetValue(attributes, CFSTR("spwd"));
+#endif
+ CFStringRef accessGroup = CFSTR("*");
+ CFArrayRef accessGroups = NULL;
+ CFMutableDictionaryRef query = NULL, attrs = NULL;
+ SInt32 port = -1;
+ bool ok = false, update = false;
+ //bool approved = false;
+
+ // check autofill enabled status
+ if (!swca_autofill_enabled(clientAuditToken)) {
+ SecError(errSecBadReq, error, CFSTR("Autofill is not enabled in Safari settings"));
+ goto cleanup;
+ }
+
+ // parse fqdn with CFURL here, since it could be specified as domain:port
+ if (fqdn) {
+ CFRetainSafe(fqdn);
+ CFStringRef urlStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@%@"), kSecSharedCredentialUrlScheme, fqdn);
+ if (urlStr) {
+ CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, urlStr, nil);
+ if (url) {
+ CFStringRef hostname = CFURLCopyHostName(url);
+ if (hostname) {
+ CFReleaseSafe(fqdn);
+ fqdn = hostname;
+ port = CFURLGetPortNumber(url);
+ }
+ CFReleaseSafe(url);
+ }
+ CFReleaseSafe(urlStr);
+ }
+ }
+
+ if (!account) {
+ SecError(errSecParam, error, CFSTR("No account provided"));
+ goto cleanup;
+ }
+ if (!fqdn) {
+ SecError(errSecParam, error, CFSTR("No domain provided"));
+ goto cleanup;
+ }
+
+#if TARGET_IPHONE_SIMULATOR
+ secerror("app/site association entitlements not checked in Simulator");
+#else
+ OSStatus status = errSecMissingEntitlement;
+ // validate that fqdn is part of caller's shared credential domains entitlement
+ if (!appID) {
+ SecError(status, error, CFSTR("Missing application-identifier entitlement"));
+ goto cleanup;
+ }
+ if (_SecEntitlementContainsDomainForService(domains, fqdn, kSecSharedWebCredentialsService)) {
+ status = errSecSuccess;
+ }
+ if (errSecSuccess != status) {
+ CFStringRef msg = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
+ CFSTR("%@ not found in %@ entitlement"), fqdn, kSecEntitlementAssociatedDomains);
+ if (!msg) {
+ msg = CFRetain(CFSTR("Requested domain not found in entitlement"));
+ }
+ SecError(status, error, CFSTR("%@"), msg);
+ CFReleaseSafe(msg);
+ goto cleanup;
+ }
+#endif
+
+#if TARGET_IPHONE_SIMULATOR
+ secerror("Ignoring app/site approval state in the Simulator.");
+#else
+ // get approval status for this app/domain pair
+ SWCFlags flags = _SecAppDomainApprovalStatus(appID, fqdn, error);
+ //approved = ((flags & kSWCFlag_SiteApproved) && (flags & kSWCFlag_UserApproved));
+ if (!(flags & kSWCFlag_SiteApproved)) {
+ goto cleanup;
+ }
+#endif
+
+ // give ourselves access to see matching items for kSecSafariAccessGroup
+ accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks);
+
+ // create lookup query
+ query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!query) {
+ SecError(errSecAllocate, error, CFSTR("Unable to create query dictionary"));
+ goto cleanup;
+ }
+ CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
+ CFDictionaryAddValue(query, kSecAttrAccessGroup, kSecSafariAccessGroup);
+ CFDictionaryAddValue(query, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeHTMLForm);
+ CFDictionaryAddValue(query, kSecAttrServer, fqdn);
+ CFDictionaryAddValue(query, kSecAttrSynchronizable, kCFBooleanTrue);
+
+ // check for presence of Safari's negative entry ('passwords not saved')
+ CFDictionarySetValue(query, kSecAttrAccount, kSecSafariPasswordsNotSaved);
+ ok = _SecItemCopyMatching(query, accessGroups, result, error);
+ CFReleaseNull(*result);
+ CFReleaseNull(*error);
+ if (ok) {
+ SecError(errSecDuplicateItem, error, CFSTR("Item already exists for this server"));
+ goto cleanup;
+ }
+
+ // now use the provided account (and optional port number, if one was present)
+ CFDictionarySetValue(query, kSecAttrAccount, account);
+ if (port < -1 || port > 0) {
+ SInt16 portValueShort = (port & 0xFFFF);
+ CFNumberRef portNumber = CFNumberCreate(NULL, kCFNumberSInt16Type, &portValueShort);
+ CFDictionaryAddValue(query, kSecAttrPort, portNumber);
+ CFReleaseSafe(portNumber);
+ }
+
+ // look up existing password
+ if (_SecItemCopyMatching(query, accessGroups, result, error)) {
+ // found it, so this becomes either an "update password" or "delete password" operation
+ CFReleaseNull(*result);
+ CFReleaseNull(*error);
+ update = (password != NULL);
+ if (update) {
+ attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDataRef credential = CFStringCreateExternalRepresentation(kCFAllocatorDefault, password, kCFStringEncodingUTF8, 0);
+ CFDictionaryAddValue(attrs, kSecValueData, credential);
+ CFReleaseSafe(credential);
+ CFDictionaryAddValue(attrs, kSecAttrComment, kSecSafariDefaultComment);
+
+ // confirm the update
+ // (per rdar://16676310 we always prompt, even if there was prior user approval)
+ ok = /*approved ||*/ swca_confirm_operation(swca_update_request_id, clientAuditToken, query, error,
+ ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+ if (ok) {
+ ok = _SecItemUpdate(query, attrs, accessGroups, error);
+ }
+ }
+ else {
+ // confirm the delete
+ // (per rdar://16676288 we always prompt, even if there was prior user approval)
+ ok = /*approved ||*/ swca_confirm_operation(swca_delete_request_id, clientAuditToken, query, error,
+ ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+ if (ok) {
+ ok = _SecItemDelete(query, accessGroups, error);
+ }
+ }
+ if (ok) {
+ CFReleaseNull(*error);
+ }
+ goto cleanup;
+ }
+ CFReleaseNull(*result);
+ CFReleaseNull(*error);
+
+ // password does not exist, so prepare to add it
+ if (true) {
+ CFStringRef label = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ (%@)"), fqdn, account);
+ if (label) {
+ CFDictionaryAddValue(query, kSecAttrLabel, label);
+ CFReleaseSafe(label);
+ }
+ // NOTE: we always expect to use HTTPS for web forms.
+ CFDictionaryAddValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS);
+
+ CFDataRef credential = CFStringCreateExternalRepresentation(kCFAllocatorDefault, password, kCFStringEncodingUTF8, 0);
+ CFDictionarySetValue(query, kSecValueData, credential);
+ CFReleaseSafe(credential);
+ CFDictionarySetValue(query, kSecAttrComment, kSecSafariDefaultComment);
+
+ CFReleaseSafe(accessGroups);
+ accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecSafariAccessGroup, 1, &kCFTypeArrayCallBacks);
+
+ // mark the item as created by this function
+ const int32_t creator_value = 'swca';
+ CFNumberRef creator = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &creator_value);
+ if (creator) {
+ CFDictionarySetValue(query, kSecAttrCreator, creator);
+ CFReleaseSafe(creator);
+ ok = true;
+ }
+ else {
+ // confirm the add
+ // (per rdar://16680019, we won't prompt here in the normal case)
+ ok = /*approved ||*/ swca_confirm_operation(swca_add_request_id, clientAuditToken, query, error,
+ ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+ }
+ }
+ if (ok) {
+ ok = _SecItemAdd(query, accessGroups, result, error);
+ }
+
+cleanup:
+#if 0 /* debugging */
+{
+ const char *op_str = (password) ? ((update) ? "updated" : "added") : "deleted";
+ const char *result_str = (ok) ? "true" : "false";
+ secerror("result=%s, %s item %@, error=%@", result_str, op_str, *result, *error);
+}
+#else
+ (void)update;
+#endif
+ CFReleaseSafe(attrs);
+ CFReleaseSafe(query);
+ CFReleaseSafe(accessGroups);
+ CFReleaseSafe(fqdn);
+ return ok;
+}
+
+/* Specialized version of SecItemCopyMatching for shared web credentials */
+bool
+_SecCopySharedWebCredential(CFDictionaryRef query,
+ const audit_token_t *clientAuditToken,
+ CFStringRef appID,
+ CFArrayRef domains,
+ CFTypeRef *result,
+ CFErrorRef *error) {
+
+ CFMutableArrayRef credentials = NULL;
+ CFMutableArrayRef foundItems = NULL;
+ CFMutableArrayRef fqdns = NULL;
+ CFArrayRef accessGroups = NULL;
+ CFStringRef fqdn = NULL;
+ CFStringRef account = NULL;
+ CFIndex idx, count;
+ SInt32 port = -1;
+ bool ok = false;
+
+ require_quiet(result, cleanup);
+ credentials = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ foundItems = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ fqdns = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+
+ // give ourselves access to see matching items for kSecSafariAccessGroup
+ CFStringRef accessGroup = CFSTR("*");
+ accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks);
+
+ // On input, the query dictionary contains optional fqdn and account entries.
+ fqdn = CFDictionaryGetValue(query, kSecAttrServer);
+ account = CFDictionaryGetValue(query, kSecAttrAccount);
+
+ // Check autofill enabled status
+ if (!swca_autofill_enabled(clientAuditToken)) {
+ SecError(errSecBadReq, error, CFSTR("Autofill is not enabled in Safari settings"));
+ goto cleanup;
+ }
+
+ // Check fqdn; if NULL, add domains from caller's entitlement.
+ if (fqdn) {
+ CFArrayAppendValue(fqdns, fqdn);
+ }
+ else if (domains) {
+ CFIndex idx, count = CFArrayGetCount(domains);
+ for (idx=0; idx < count; idx++) {
+ CFStringRef str = (CFStringRef) CFArrayGetValueAtIndex(domains, idx);
+ // Parse the entry for our service label prefix
+ if (str && CFStringHasPrefix(str, kSecSharedWebCredentialsService)) {
+ CFIndex prefix_len = CFStringGetLength(kSecSharedWebCredentialsService)+1;
+ CFIndex substr_len = CFStringGetLength(str) - prefix_len;
+ CFRange range = { prefix_len, substr_len };
+ fqdn = CFStringCreateWithSubstring(kCFAllocatorDefault, str, range);
+ if (fqdn) {
+ CFArrayAppendValue(fqdns, fqdn);
+ CFRelease(fqdn);
+ }
+ }
+ }
+ }
+ count = CFArrayGetCount(fqdns);
+ if (count < 1) {
+ SecError(errSecParam, error, CFSTR("No domain provided"));
+ goto cleanup;
+ }
+
+ // Aggregate search results for each domain
+ for (idx = 0; idx < count; idx++) {
+ CFMutableArrayRef items = NULL;
+ CFMutableDictionaryRef attrs = NULL;
+ fqdn = (CFStringRef) CFArrayGetValueAtIndex(fqdns, idx);
+ CFRetainSafe(fqdn);
+ port = -1;
+
+ // Parse the fqdn for a possible port specifier.
+ if (fqdn) {
+ CFStringRef urlStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@%@"), kSecSharedCredentialUrlScheme, fqdn);
+ if (urlStr) {
+ CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, urlStr, nil);
+ if (url) {
+ CFStringRef hostname = CFURLCopyHostName(url);
+ if (hostname) {
+ CFReleaseSafe(fqdn);
+ fqdn = hostname;
+ port = CFURLGetPortNumber(url);
+ }
+ CFReleaseSafe(url);
+ }
+ CFReleaseSafe(urlStr);
+ }
+ }
+
+ #if TARGET_IPHONE_SIMULATOR
+ secerror("app/site association entitlements not checked in Simulator");
+ #else
+ OSStatus status = errSecMissingEntitlement;
+ if (!appID) {
+ SecError(status, error, CFSTR("Missing application-identifier entitlement"));
+ CFReleaseSafe(fqdn);
+ goto cleanup;
+ }
+ // validate that fqdn is part of caller's entitlement
+ if (_SecEntitlementContainsDomainForService(domains, fqdn, kSecSharedWebCredentialsService)) {
+ status = errSecSuccess;
+ }
+ if (errSecSuccess != status) {
+ CFStringRef msg = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
+ CFSTR("%@ not found in %@ entitlement"), fqdn, kSecEntitlementAssociatedDomains);
+ if (!msg) {
+ msg = CFRetain(CFSTR("Requested domain not found in entitlement"));
+ }
+ SecError(status, error, CFSTR("%@"), msg);
+ CFReleaseSafe(msg);
+ CFReleaseSafe(fqdn);
+ goto cleanup;
+ }
+ #endif
+
+ attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!attrs) {
+ SecError(errSecAllocate, error, CFSTR("Unable to create query dictionary"));
+ CFReleaseSafe(fqdn);
+ goto cleanup;
+ }
+ CFDictionaryAddValue(attrs, kSecClass, kSecClassInternetPassword);
+ CFDictionaryAddValue(attrs, kSecAttrAccessGroup, kSecSafariAccessGroup);
+ CFDictionaryAddValue(attrs, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeHTMLForm);
+ CFDictionaryAddValue(attrs, kSecAttrServer, fqdn);
+ if (account) {
+ CFDictionaryAddValue(attrs, kSecAttrAccount, account);
+ }
+ if (port < -1 || port > 0) {
+ SInt16 portValueShort = (port & 0xFFFF);
+ CFNumberRef portNumber = CFNumberCreate(NULL, kCFNumberSInt16Type, &portValueShort);
+ CFDictionaryAddValue(attrs, kSecAttrPort, portNumber);
+ CFReleaseSafe(portNumber);
+ }
+ CFDictionaryAddValue(attrs, kSecAttrSynchronizable, kCFBooleanTrue);
+ CFDictionaryAddValue(attrs, kSecMatchLimit, kSecMatchLimitAll);
+ CFDictionaryAddValue(attrs, kSecReturnAttributes, kCFBooleanTrue);
+ CFDictionaryAddValue(attrs, kSecReturnData, kCFBooleanTrue);
+
+ ok = _SecItemCopyMatching(attrs, accessGroups, (CFTypeRef*)&items, error);
+ if (count > 1) {
+ // ignore interim error since we have multiple domains to search
+ CFReleaseNull(*error);
+ }
+ if (ok && items && CFGetTypeID(items) == CFArrayGetTypeID()) {
+ #if TARGET_IPHONE_SIMULATOR
+ secerror("Ignoring app/site approval state in the Simulator.");
+ bool approved = true;
+ #else
+ // get approval status for this app/domain pair
+ SWCFlags flags = _SecAppDomainApprovalStatus(appID, fqdn, error);
+ if (count > 1) {
+ // ignore interim error since we have multiple domains to check
+ CFReleaseNull(*error);
+ }
+ bool approved = (flags & kSWCFlag_SiteApproved);
+ #endif
+ if (approved) {
+ CFArrayAppendArray(foundItems, items, CFRangeMake(0, CFArrayGetCount(items)));
+ }
+ }
+ CFReleaseSafe(items);
+ CFReleaseSafe(attrs);
+ CFReleaseSafe(fqdn);
+ }
+
+// If matching credentials are found, the credentials provided to the completionHandler
+// will be a CFArrayRef containing CFDictionaryRef entries. Each dictionary entry will
+// contain the following pairs (see Security/SecItem.h):
+// key: kSecAttrServer value: CFStringRef (the website)
+// key: kSecAttrAccount value: CFStringRef (the account)
+// key: kSecSharedPassword value: CFStringRef (the password)
+// Optional keys:
+// key: kSecAttrPort value: CFNumberRef (the port number, if non-standard for https)
+
+ count = CFArrayGetCount(foundItems);
+ for (idx = 0; idx < count; idx++) {
+ CFDictionaryRef dict = (CFDictionaryRef) CFArrayGetValueAtIndex(foundItems, idx);
+ CFMutableDictionaryRef newdict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (newdict && dict && CFGetTypeID(dict) == CFDictionaryGetTypeID()) {
+ CFStringRef srvr = CFDictionaryGetValue(dict, kSecAttrServer);
+ CFStringRef acct = CFDictionaryGetValue(dict, kSecAttrAccount);
+ CFNumberRef pnum = CFDictionaryGetValue(dict, kSecAttrPort);
+ CFStringRef icmt = CFDictionaryGetValue(dict, kSecAttrComment);
+ CFDataRef data = CFDictionaryGetValue(dict, kSecValueData);
+ if (srvr) {
+ CFDictionaryAddValue(newdict, kSecAttrServer, srvr);
+ }
+ if (acct) {
+ CFDictionaryAddValue(newdict, kSecAttrAccount, acct);
+ }
+ if (pnum) {
+ SInt16 pval = -1;
+ if (CFNumberGetValue(pnum, kCFNumberSInt16Type, &pval) &&
+ (pval < -1 || pval > 0)) {
+ CFDictionaryAddValue(newdict, kSecAttrPort, pnum);
+ }
+ }
+ if (data) {
+ CFStringRef password = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, data, kCFStringEncodingUTF8);
+ if (password) {
+ #if TARGET_OS_IPHONE
+ CFDictionaryAddValue(newdict, kSecSharedPassword, password);
+ #else
+ CFDictionaryAddValue(newdict, CFSTR("spwd"), password);
+ #endif
+ CFReleaseSafe(password);
+ }
+ }
+ if (icmt && CFEqual(icmt, kSecSafariDefaultComment)) {
+ CFArrayInsertValueAtIndex(credentials, 0, newdict);
+ } else {
+ CFArrayAppendValue(credentials, newdict);
+ }
+ }
+ CFReleaseSafe(newdict);
+ }
+
+ if (count) {
+
+ ok = false;
+
+ // create a new array of dictionaries (without the actual password) for picker UI
+ count = CFArrayGetCount(credentials);
+ CFMutableArrayRef items = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ for (idx = 0; idx < count; idx++) {
+ CFDictionaryRef dict = (CFDictionaryRef) CFArrayGetValueAtIndex(credentials, idx);
+ CFMutableDictionaryRef newdict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, dict);
+ #if TARGET_OS_IPHONE
+ CFDictionaryRemoveValue(newdict, kSecSharedPassword);
+ #else
+ CFDictionaryRemoveValue(newdict, CFSTR("spwd"));
+ #endif
+ CFArrayAppendValue(items, newdict);
+ CFReleaseSafe(newdict);
+ }
+
+ // prompt user to select one of the dictionary items
+ CFDictionaryRef selected = swca_copy_selected_dictionary(swca_select_request_id,
+ clientAuditToken, items, error);
+ if (selected) {
+ // find the matching item in our credentials array
+ CFStringRef srvr = CFDictionaryGetValue(selected, kSecAttrServer);
+ CFStringRef acct = CFDictionaryGetValue(selected, kSecAttrAccount);
+ CFNumberRef pnum = CFDictionaryGetValue(selected, kSecAttrPort);
+ for (idx = 0; idx < count; idx++) {
+ CFDictionaryRef dict = (CFDictionaryRef) CFArrayGetValueAtIndex(credentials, idx);
+ CFStringRef srvr1 = CFDictionaryGetValue(dict, kSecAttrServer);
+ CFStringRef acct1 = CFDictionaryGetValue(dict, kSecAttrAccount);
+ CFNumberRef pnum1 = CFDictionaryGetValue(dict, kSecAttrPort);
+
+ if (!srvr || !srvr1 || !CFEqual(srvr, srvr1)) continue;
+ if (!acct || !acct1 || !CFEqual(acct, acct1)) continue;
+ if ((pnum && pnum1) && !CFEqual(pnum, pnum1)) continue;
+
+ // we have a match!
+ CFReleaseSafe(selected);
+ CFRetainSafe(dict);
+ selected = dict;
+ ok = true;
+ break;
+ }
+ }
+ CFReleaseSafe(items);
+ CFArrayRemoveAllValues(credentials);
+ if (selected && ok) {
+#if TARGET_OS_IPHONE
+ fqdn = CFDictionaryGetValue(selected, kSecAttrServer);
+#endif
+ CFArrayAppendValue(credentials, selected);
+ }
+
+#if 0
+ // confirm the access
+ ok = swca_confirm_operation(swca_copy_request_id, clientAuditToken, query, error,
+ ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+#endif
+ if (ok) {
+ #if TARGET_OS_IPHONE
+ // register confirmation with database
+ CFRetainSafe(appID);
+ CFRetainSafe(fqdn);
+ if (0 != SWCSetServiceFlags(kSecSharedWebCredentialsService,
+ appID, fqdn, kSWCFlag_ExternalMask, kSWCFlag_UserApproved,
+ ^void(OSStatus inStatus, SWCFlags inNewFlags){
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ }))
+ {
+ // we didn't queue the block
+ CFReleaseSafe(appID);
+ CFReleaseSafe(fqdn);
+ }
+ #endif
+ }
+ CFReleaseSafe(selected);
+ }
+ else if (NULL == *error) {
+ // found no items, and we haven't already filled in the error
+ SecError(errSecItemNotFound, error, CFSTR("no matching items found"));
+ }
+
+cleanup:
+ if (!ok) {
+ CFArrayRemoveAllValues(credentials);
+ }
+ CFReleaseSafe(foundItems);
+ *result = credentials;
+ CFReleaseSafe(accessGroups);
+ CFReleaseSafe(fqdns);
+#if 0 /* debugging */
+ secerror("result=%s, copied items %@, error=%@", (ok) ? "true" : "false", *result, *error);
+#endif
+ return ok;
+}
+
+// MARK: -
+// MARK: Keychain backup
+
+CF_RETURNS_RETAINED CFDataRef
+_SecServerKeychainBackup(CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
+ CFDataRef backup;
+ SecDbConnectionRef dbt = SecDbConnectionAquire(kc_dbhandle(), false, error);
+
+ if (!dbt)
+ return NULL;
+
+ if (keybag == NULL && passcode == NULL) {
+#if USE_KEYSTORE
+ backup = SecServerExportKeychain(dbt, KEYBAG_DEVICE, backup_keybag_handle, error);
+#else /* !USE_KEYSTORE */
+ SecError(errSecParam, error, CFSTR("Why are you doing this?"));
+ backup = NULL;
+#endif /* USE_KEYSTORE */
+ } else {
+ backup = SecServerKeychainBackup(dbt, keybag, passcode, error);
+ }
+
+ SecDbConnectionRelease(dbt);
+
+ return backup;
+}
+
+bool
+_SecServerKeychainRestore(CFDataRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
+ if (backup == NULL || keybag == NULL)
+ return SecError(errSecParam, error, CFSTR("backup or keybag missing"));
+
+ __block bool ok = true;
+ ok &= SecDbPerformWrite(kc_dbhandle(), error, ^(SecDbConnectionRef dbconn) {
+ ok = SecServerKeychainRestore(dbconn, backup, keybag, passcode, error);
+ });
+
+ if (ok) {
+ SecKeychainChanged(true);
+ }
+
+ return ok;
+}
+
+// MARK: -
+// MARK: SecItemDataSource
+
+// Make sure to call this before any writes to the keychain, so that we fire
+// up the engines to monitor manifest changes.
+SOSDataSourceFactoryRef SecItemDataSourceFactoryGetDefault(void) {
+ return SecItemDataSourceFactoryGetShared(kc_dbhandle());
+ }
+
+/* AUDIT[securityd]:
+ args_in (ok) is a caller provided, CFDictionaryRef.
+ */
+
+CF_RETURNS_RETAINED CFArrayRef
+_SecServerKeychainSyncUpdateKeyParameter(CFDictionaryRef updates, CFErrorRef *error) {
+ // This never fails, trust us!
+ return SOSCCHandleUpdateKeyParameter(updates);
+}
+
+
+CF_RETURNS_RETAINED CFArrayRef
+_SecServerKeychainSyncUpdateCircle(CFDictionaryRef updates, CFErrorRef *error) {
+ // This never fails, trust us!
+ return SOSCCHandleUpdateCircle(updates);
+}
+
+CF_RETURNS_RETAINED CFArrayRef
+_SecServerKeychainSyncUpdateMessage(CFDictionaryRef updates, CFErrorRef *error) {
+ // This never fails, trust us!
+ return SOSCCHandleUpdateMessage(updates);
+}
+
+
+//
+// Truthiness in the cloud backup/restore support.
+//
+
+static CFDictionaryRef
+_SecServerCopyTruthInTheCloud(CFDataRef keybag, CFDataRef password,
+ CFDictionaryRef backup, CFErrorRef *error)
+{
+ SOSManifestRef mold = NULL, mnow = NULL, mdelete = NULL, madd = NULL;
+ __block CFMutableDictionaryRef backup_new = NULL;
+ keybag_handle_t bag_handle;
+ if (!ks_open_keybag(keybag, password, &bag_handle, error))
+ return backup_new;
+
+ // We need to have a datasource singleton for protection domain
+ // kSecAttrAccessibleWhenUnlocked and keep a single shared engine
+ // instance around which we create in the datasource constructor as well.
+ SOSDataSourceFactoryRef dsf = SecItemDataSourceFactoryGetDefault();
+ SOSDataSourceRef ds = dsf->create_datasource(dsf, kSecAttrAccessibleWhenUnlocked, error);
+ if (ds) {
+ backup_new = backup ? CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, backup) : CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ mold = SOSCreateManifestWithBackup(backup, error);
+ SOSEngineRef engine = SOSDataSourceGetSharedEngine(ds, error);
+ mnow = SOSEngineCopyManifest(engine, error);
+ if (!mnow) {
+ mnow = SOSDataSourceCopyManifest(ds, error);
+ }
+ if (!mnow) {
+ CFReleaseNull(backup_new);
+ secerror("failed to obtain manifest for keychain: %@", error ? *error : NULL);
+ } else {
+ SOSManifestDiff(mold, mnow, &mdelete, &madd, error);
+ }
+
+ // Delete everything from the new_backup that is no longer in the datasource according to the datasources manifest.
+ SOSManifestForEach(mdelete, ^(CFDataRef digest_data, bool *stop) {
+ CFStringRef deleted_item_key = CFDataCopyHexString(digest_data);
+ CFDictionaryRemoveValue(backup_new, deleted_item_key);
+ CFRelease(deleted_item_key);
+ });
+
+ __block struct SOSDigestVector dvdel = SOSDigestVectorInit;
+ SOSDataSourceForEachObject(ds, madd, error, ^void(CFDataRef digest, SOSObjectRef object, bool *stop) {
+ CFErrorRef localError = NULL;
+ CFDataRef digest_data = NULL;
+ CFTypeRef value = NULL;
+ if (!object) {
+ // Key in our manifest can't be found in db, remove it from our manifest
+ SOSDigestVectorAppend(&dvdel, CFDataGetBytePtr(digest));
+ } else if (!(digest_data = SOSObjectCopyDigest(ds, object, &localError))
+ || !(value = SOSObjectCopyBackup(ds, object, bag_handle, &localError))) {
+ if (SecErrorGetOSStatus(localError) == errSecDecode) {
+ // Ignore decode errors, pretend the objects aren't there
+ CFRelease(localError);
+ // Object undecodable, remove it from our manifest
+ SOSDigestVectorAppend(&dvdel, CFDataGetBytePtr(digest));
+ } else {
+ // Stop iterating and propagate out all other errors.
+ *stop = true;
+ *error = localError;
+ CFReleaseNull(backup_new);
+ }
+ } else {
+ // TODO: Should we skip tombstones here?
+ CFStringRef key = CFDataCopyHexString(digest_data);
+ CFDictionarySetValue(backup_new, key, value);
+ CFReleaseSafe(key);
+ }
+ CFReleaseSafe(digest_data);
+ CFReleaseSafe(value);
+ }) || CFReleaseNull(backup_new);
+
+ if (dvdel.count) {
+ struct SOSDigestVector dvadd = SOSDigestVectorInit;
+ if (!SOSEngineUpdateLocalManifest(engine, kSOSDataSourceSOSTransaction, &dvdel, &dvadd, error)) {
+ CFReleaseNull(backup_new);
+ }
+ SOSDigestVectorFree(&dvdel);
+ }
+
+ SOSDataSourceRelease(ds, error) || CFReleaseNull(backup_new);
+ }
+
+ CFReleaseSafe(mold);
+ CFReleaseSafe(mnow);
+ CFReleaseSafe(madd);
+ CFReleaseSafe(mdelete);
+ ks_close_keybag(bag_handle, error) || CFReleaseNull(backup_new);
+
+ return backup_new;
+}
+
+static bool
+_SecServerRestoreTruthInTheCloud(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in, CFErrorRef *error) {
+ __block bool ok = true;
+ keybag_handle_t bag_handle;
+ if (!ks_open_keybag(keybag, password, &bag_handle, error))
+ return false;
+
+ SOSManifestRef mbackup = SOSCreateManifestWithBackup(backup_in, error);
+ if (mbackup) {
+ SOSDataSourceFactoryRef dsf = SecItemDataSourceFactoryGetDefault();
+ SOSDataSourceRef ds = dsf->create_datasource(dsf, kSecAttrAccessibleWhenUnlocked, error);
+ if (ds) {
+ ok = SOSDataSourceWith(ds, error, ^(SOSTransactionRef txn, bool *commit) {
+ SOSManifestRef mnow = SOSDataSourceCopyManifest(ds, error);
+ SOSManifestRef mdelete = NULL, madd = NULL;
+ SOSManifestDiff(mnow, mbackup, &mdelete, &madd, error);
+
+ // Don't delete everything in datasource not in backup.
+
+ // Add items from the backup
+ SOSManifestForEach(madd, ^void(CFDataRef e, bool *stop) {
+ CFDictionaryRef item = NULL;
+ CFStringRef sha1 = CFDataCopyHexString(e);
+ if (sha1) {
+ item = CFDictionaryGetValue(backup_in, sha1);
+ CFRelease(sha1);
+ }
+ if (item) {
+ CFErrorRef localError = NULL;
+
+ if (!SOSObjectRestoreObject(ds, txn, bag_handle, item, &localError)) {
+ OSStatus status = SecErrorGetOSStatus(localError);
+ if (status == errSecDuplicateItem) {
+ // Log and ignore duplicate item errors during restore
+ secnotice("titc", "restore %@ not replacing existing item", item);
+ } else {
+ if (status == errSecInteractionNotAllowed)
+ *stop = true;
+ // Propagate the first other error upwards (causing the restore to fail).
+ secerror("restore %@ failed %@", item, localError);
+ ok = false;
+ if (error && !*error) {
+ *error = localError;
+ localError = NULL;
+ }
+ }
+ CFReleaseSafe(localError);
+ }
+ }
+ });
+ ok &= SOSDataSourceRelease(ds, error);
+ CFReleaseNull(mdelete);
+ CFReleaseNull(madd);
+ CFReleaseNull(mnow);
+ });
+ } else {
+ ok = false;
+ }
+ CFRelease(mbackup);
+ }
+
+ ok &= ks_close_keybag(bag_handle, error);
+
+ return ok;
+}
+
+
+CF_RETURNS_RETAINED CFDictionaryRef
+_SecServerBackupSyncable(CFDictionaryRef backup, CFDataRef keybag, CFDataRef password, CFErrorRef *error) {
+ require_action_quiet(isData(keybag), errOut, SecError(errSecParam, error, CFSTR("keybag %@ not a data"), keybag));
+ require_action_quiet(!backup || isDictionary(backup), errOut, SecError(errSecParam, error, CFSTR("backup %@ not a dictionary"), backup));
+ require_action_quiet(!password || isData(password), errOut, SecError(errSecParam, error, CFSTR("password %@ not a data"), password));
+
+ return _SecServerCopyTruthInTheCloud(keybag, password, backup, error);
+
+errOut:
+ return NULL;
+}
+
+bool
+_SecServerRestoreSyncable(CFDictionaryRef backup, CFDataRef keybag, CFDataRef password, CFErrorRef *error) {
+ bool ok;
+ require_action_quiet(isData(keybag), errOut, ok = SecError(errSecParam, error, CFSTR("keybag %@ not a data"), keybag));
+ require_action_quiet(isDictionary(backup), errOut, ok = SecError(errSecParam, error, CFSTR("backup %@ not a dictionary"), backup));
+ if (password) {
+ require_action_quiet(isData(password), errOut, ok = SecError(errSecParam, error, CFSTR("password not a data")));
+ }
+
+ ok = _SecServerRestoreTruthInTheCloud(keybag, password, backup, error);
+
+errOut:
+ return ok;
+}
+
+bool _SecServerRollKeys(bool force, CFErrorRef *error) {
+#if USE_KEYSTORE
+ uint32_t keystore_generation_status = 0;
+ if (aks_generation(KEYBAG_DEVICE, generation_noop, &keystore_generation_status))
+ return false;
+ uint32_t current_generation = keystore_generation_status & generation_current;
+
+ return kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) {
+ bool up_to_date = s3dl_dbt_keys_current(dbt, current_generation, NULL);
+
+ if (force && !up_to_date) {
+ up_to_date = s3dl_dbt_update_keys(dbt, error);
+ if (up_to_date) {
+ secerror("Completed roll keys.");
+ up_to_date = s3dl_dbt_keys_current(dbt, current_generation, NULL);
+ }
+ if (!up_to_date)
+ secerror("Failed to roll keys.");
+ }
+ return up_to_date;
+ });
+#else
+ return true;
+#endif
+}
projects / apple / security.git / blobdiff