--- /dev/null
+/*
+ * Copyright (c) 2004-2006 Apple Computer, Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * aclUtils.cpp - ACL utility functions, copied from the SecurityTool project.
+ */
+
+#include "aclUtils.h"
+#include <Security/SecTrustedApplicationPriv.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+
+/* Read a line from stdin into buffer as a null terminated string. If buffer is
+ non NULL use at most buffer_size bytes and return a pointer to buffer. Otherwise
+ return a newly malloced buffer.
+ if EOF is read this function returns NULL. */
+char *
+readline(char *buffer, int buffer_size)
+{
+ int ix = 0, bytes_malloced = 0;
+
+ if (!buffer)
+ {
+ bytes_malloced = 64;
+ buffer = (char *)malloc(bytes_malloced);
+ buffer_size = bytes_malloced;
+ }
+
+ for (;;++ix)
+ {
+ int ch;
+
+ if (ix == buffer_size - 1)
+ {
+ if (!bytes_malloced)
+ break;
+ bytes_malloced += bytes_malloced;
+ buffer = (char *)realloc(buffer, bytes_malloced);
+ buffer_size = bytes_malloced;
+ }
+
+ ch = getchar();
+ if (ch == EOF)
+ {
+ if (bytes_malloced)
+ free(buffer);
+ return NULL;
+ }
+ if (ch == '\n')
+ break;
+ buffer[ix] = ch;
+ }
+
+ /* 0 terminate buffer. */
+ buffer[ix] = '\0';
+
+ return buffer;
+}
+
+void
+print_buffer_hex(FILE *stream, UInt32 length, const void *data)
+{
+ unsigned i;
+ const unsigned char *cp = (const unsigned char *)data;
+
+ printf("\n ");
+ for(i=0; i<length; i++) {
+ fprintf(stream, "%02X ", cp[i]);
+ if((i % 24) == 23) {
+ printf("\n ");
+ }
+ }
+}
+
+void
+print_buffer_ascii(FILE *stream, UInt32 length, const void *data)
+{
+ uint8 *p = (uint8 *) data;
+ while (length--)
+ {
+ int ch = *p++;
+ if (ch >= ' ' && ch <= '~' && ch != '\\')
+ {
+ fputc(ch, stream);
+ }
+ else
+ {
+ fputc('\\', stream);
+ fputc('0' + ((ch >> 6) & 7), stream);
+ fputc('0' + ((ch >> 3) & 7), stream);
+ fputc('0' + ((ch >> 0) & 7), stream);
+ }
+ }
+}
+
+void
+print_buffer(FILE *stream, UInt32 length, const void *data)
+{
+ uint8 *p = (uint8 *) data;
+ Boolean ascii = TRUE; // unless we determine otherwise
+ UInt32 ix;
+ for (ix = 0; ix < length; ++ix) {
+ int ch = *p++;
+ if ((ch < ' ') || (ch > '~')) {
+ if((ch == 0) && (ix == (length - 1))) {
+ /* ignore trailing null */
+ length--;
+ break;
+ }
+ ascii = FALSE;
+ break;
+ }
+ }
+
+ if (ascii) {
+ fputc('"', stream);
+ print_buffer_ascii(stream, length, data);
+ fputc('"', stream);
+ }
+ else {
+ print_buffer_hex(stream, length, data);
+ }
+}
+
+void
+print_cfdata(FILE *stream, CFDataRef data)
+{
+ if (data)
+ return print_buffer(stream, CFDataGetLength(data), CFDataGetBytePtr(data));
+ else
+ fprintf(stream, "<NULL>");
+}
+
+void
+print_cfstring(FILE *stream, CFStringRef string)
+{
+ if (!string)
+ fprintf(stream, "<NULL>");
+ else
+ {
+ const char *utf8 = CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
+ if (utf8)
+ fprintf(stream, "%s", utf8);
+ else
+ {
+ CFRange rangeToProcess = CFRangeMake(0, CFStringGetLength(string));
+ while (rangeToProcess.length > 0)
+ {
+ UInt8 localBuffer[256];
+ CFIndex usedBufferLength;
+ CFIndex numChars = CFStringGetBytes(string, rangeToProcess,
+ kCFStringEncodingUTF8, '?', FALSE, localBuffer,
+ sizeof(localBuffer), &usedBufferLength);
+ if (numChars == 0)
+ break; // Failed to convert anything...
+
+ fprintf(stream, "%.*s", (int)usedBufferLength, localBuffer);
+ rangeToProcess.location += numChars;
+ rangeToProcess.length -= numChars;
+ }
+ }
+ }
+}
+
+
+int
+print_access(FILE *stream, SecAccessRef access, Boolean interactive)
+{
+ CFArrayRef aclList = NULL;
+ CFIndex aclix, aclCount;
+ int result = 0;
+ OSStatus status;
+
+ status = SecAccessCopyACLList(access, &aclList);
+ if (status)
+ {
+ cssmPerror("SecAccessCopyACLList", status);
+ result = 1;
+ goto loser;
+ }
+
+ aclCount = CFArrayGetCount(aclList);
+ fprintf(stream, "access: %lu entries\n", aclCount);
+ for (aclix = 0; aclix < aclCount; ++aclix)
+ {
+ CFArrayRef applicationList = NULL;
+ CFStringRef description = NULL;
+ CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector = {};
+ CFIndex appix, appCount;
+
+ SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, aclix);
+ CSSM_ACL_AUTHORIZATION_TAG tags[64]; // Pick some upper limit
+ uint32 tagix, tagCount = sizeof(tags) / sizeof(*tags);
+ status = SecACLGetAuthorizations(acl, tags, &tagCount);
+ if (status)
+ {
+ cssmPerror("SecACLGetAuthorizations", status);
+ result = 1;
+ goto loser;
+ }
+
+ fprintf(stream, " entry %lu:\n authorizations (%lu):", aclix, (unsigned long)tagCount);
+ for (tagix = 0; tagix < tagCount; ++tagix)
+ {
+ CSSM_ACL_AUTHORIZATION_TAG tag = tags[tagix];
+ switch (tag)
+ {
+ case CSSM_ACL_AUTHORIZATION_ANY:
+ fputs(" any", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_LOGIN:
+ fputs(" login", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_GENKEY:
+ fputs(" genkey", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DELETE:
+ fputs(" delete", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED:
+ fputs(" export_wrapped", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR:
+ fputs(" export_clear", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED:
+ fputs(" import_wrapped", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR:
+ fputs(" import_clear", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_SIGN:
+ fputs(" sign", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_ENCRYPT:
+ fputs(" encrypt", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DECRYPT:
+ fputs(" decrypt", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_MAC:
+ fputs(" mac", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DERIVE:
+ fputs(" derive", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DBS_CREATE:
+ fputs(" dbs_create", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DBS_DELETE:
+ fputs(" dbs_delete", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DB_READ:
+ fputs(" db_read", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DB_INSERT:
+ fputs(" db_insert", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DB_MODIFY:
+ fputs(" db_modify", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_DB_DELETE:
+ fputs(" db_delete", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_CHANGE_ACL:
+ fputs(" change_acl", stream);
+ break;
+ case CSSM_ACL_AUTHORIZATION_CHANGE_OWNER:
+ fputs(" change_owner", stream);
+ break;
+ default:
+ fprintf(stream, " tag=%lu", (unsigned long)tag);
+ break;
+ }
+ }
+ fputc('\n', stream);
+
+ status = SecACLCopySimpleContents(acl, &applicationList, &description, &promptSelector);
+ if (status)
+ {
+ cssmPerror("SecACLCopySimpleContents", status);
+ continue;
+ }
+
+ if (promptSelector.flags & CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE)
+ fputs(" require-password\n", stream);
+ else
+ fputs(" don't-require-password\n", stream);
+
+ fputs(" description: ", stream);
+ print_cfstring(stream, description);
+ fputc('\n', stream);
+
+ if (applicationList)
+ {
+ appCount = CFArrayGetCount(applicationList);
+ fprintf(stream, " applications (%lu):\n", appCount);
+ }
+ else
+ {
+ appCount = 0;
+ fprintf(stream, " applications: <null>\n");
+ }
+
+ for (appix = 0; appix < appCount; ++appix)
+ {
+ const UInt8* bytes;
+ SecTrustedApplicationRef app = (SecTrustedApplicationRef)CFArrayGetValueAtIndex(applicationList, appix);
+ CFDataRef data = NULL;
+ fprintf(stream, " %lu: ", appix);
+ status = SecTrustedApplicationCopyData(app, &data);
+ if (status)
+ {
+ cssmPerror("SecTrustedApplicationCopyData", status);
+ continue;
+ }
+
+ bytes = CFDataGetBytePtr(data);
+ if (bytes && bytes[0] == 0x2f) {
+ fprintf(stream, "%s", (const char *)bytes);
+ if ((status = SecTrustedApplicationValidateWithPath(app, (const char *)bytes)) == noErr) {
+ fprintf(stream, " (OK)");
+ } else {
+ fprintf(stream, " (status %ld)", status);
+ }
+ fprintf(stream, "\n");
+ } else {
+ print_cfdata(stream, data);
+ fputc('\n', stream);
+ }
+ if (data)
+ CFRelease(data);
+ }
+
+
+ if (interactive)
+ {
+ char buffer[10] = {};
+ if(applicationList != NULL) {
+ fprintf(stderr, "NULL out this application list? ");
+ if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
+ {
+ /*
+ * This makes the ops in this entry wide-open, no dialog or confirmation
+ * other than requiring the keychain be open.
+ */
+ fprintf(stderr, "setting app list to NULL\n");
+ status = SecACLSetSimpleContents(acl, NULL, description, &promptSelector);
+ if (status)
+ {
+ cssmPerror("SecACLSetSimpleContents", status);
+ continue;
+ }
+ }
+ else {
+ fprintf(stderr, "Set this application list to empty array? ");
+ if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
+ {
+ /*
+ * This means "always get confirmation, from all apps".
+ */
+ fprintf(stderr, "setting app list to empty array\n");
+ status = SecACLSetSimpleContents(acl,
+ CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks),
+ description, &promptSelector);
+ if (status)
+ {
+ cssmPerror("SecACLSetSimpleContents", status);
+ continue;
+ }
+ }
+ }
+ }
+ else {
+ fprintf(stderr, "Remove this acl? ");
+ if (readline(buffer, sizeof(buffer)) && buffer[0] == 'y')
+ {
+ /*
+ * This make ths ops in this entry completely inaccessible.
+ */
+ fprintf(stderr, "removing acl\n");
+ status = SecACLRemove(acl);
+ if (status)
+ {
+ cssmPerror("SecACLRemove", status);
+ continue;
+ }
+ }
+ }
+ }
+ if (description)
+ CFRelease(description);
+ if (applicationList)
+ CFRelease(applicationList);
+
+ }
+
+loser:
+ if (aclList)
+ CFRelease(aclList);
+
+ return result;
+}
+
+/* Simluate what StickyRecord is trying to do.... */
+
+/*
+ * Given an Access object:
+ * -- extract the ACL for the specified CSSM_ACL_AUTHORIZATION_TAG. We expect there
+ * to exactly one of these - if the form of a default ACL changes we'll have to
+ * revisit this.
+ * -- set the ACL's app list to the provided CFArray, which may be NULL (meaning
+ * "any app can access this, no problem"), an empty array (meaning "always
+ * prompt"), or an actual app list.
+ * -- set or clear the PROMPT_REQUIRE_PASSPHRASE bit per the requirePassphrase
+ * argument
+ */
+static OSStatus srUpdateAcl(
+ SecAccessRef accessRef,
+ CSSM_ACL_AUTHORIZATION_TAG whichAcl, // e.g. CSSM_ACL_AUTHORIZATION_DECRYPT
+ CFArrayRef appArray,
+ bool requirePassphrase)
+{
+ OSStatus ortn;
+ CFArrayRef aclList = NULL;
+
+ ortn = SecAccessCopySelectedACLList(accessRef, whichAcl, &aclList);
+ if(ortn) {
+ cssmPerror("SecAccessCopySelectedACLList", ortn);
+ return ortn;
+ }
+
+ if(CFArrayGetCount(aclList) != 1) {
+ printf("StickyRecord::updateAcl - unexpected ACL list count (%d)",
+ (int)CFArrayGetCount(aclList));
+ return internalComponentErr;
+ }
+ SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
+
+ CFArrayRef applicationList = NULL;
+ CFStringRef description = NULL;
+ CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector = {};
+ ortn = SecACLCopySimpleContents(acl, &applicationList, &description, &promptSelector);
+ if(ortn) {
+ cssmPerror("SecACLCopySimpleContents", ortn);
+ return ortn;
+ }
+ if(applicationList != NULL) {
+ CFRelease(applicationList);
+ }
+ if(requirePassphrase) {
+ promptSelector.flags |= CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
+ }
+ else {
+ promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
+ }
+ /* update */
+ ortn = SecACLSetSimpleContents(acl, appArray, description, &promptSelector);
+
+ /* we got this from SecACLCopySimpleContents - release it regardless */
+ if(description != NULL) {
+ CFRelease(description);
+ }
+ if(ortn) {
+ cssmPerror("SecACLSetSimpleContents", ortn);
+ }
+ if(aclList != NULL) {
+ CFRelease(aclList);
+ }
+ return ortn;
+}
+
+OSStatus stickyRecordUpdateAcl(
+ SecAccessRef accessRef)
+{
+ OSStatus ortn;
+
+ printf("...updating ACL to simulate a StickyRecord\n");
+
+ /* First: decrypt. Wide open (NULL app list), !REQUIRE_PASSPHRASE. */
+ ortn = srUpdateAcl(accessRef, CSSM_ACL_AUTHORIZATION_DECRYPT, NULL, false);
+ if(ortn) {
+ return ortn;
+ }
+
+ /* encrypt: always ask (empty app list, require passphrase */
+ CFArrayRef nullArray = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
+ return srUpdateAcl(accessRef, CSSM_ACL_AUTHORIZATION_ENCRYPT, nullArray, true);
+
+}
projects / apple / security.git / blobdiff