X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_cdsa_utilities/lib/acl_preauth.h diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_preauth.h b/Security/libsecurity_cdsa_utilities/lib/acl_preauth.h new file mode 100644 index 00000000..ee56b95e --- /dev/null +++ b/Security/libsecurity_cdsa_utilities/lib/acl_preauth.h @@ -0,0 +1,132 @@ +/* + * Copyright (c) 2004,2006-2007,2011 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// acl_preauth - a subject type for modeling PINs and similar slot-specific +// pre-authentication schemes. +// +#ifndef _ACL_PREAUTH +#define _ACL_PREAUTH + +#include +#include + + +namespace Security { +namespace PreAuthorizationAcls { + + +class OriginMaker : public AclSubject::Maker { +protected: + typedef LowLevelMemoryUtilities::Reader Reader; + typedef LowLevelMemoryUtilities::Writer Writer; +public: + OriginMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH) { } + AclSubject *make(const TypedList &list) const; + AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const; +}; + +class SourceMaker : public AclSubject::Maker { +protected: + typedef LowLevelMemoryUtilities::Reader Reader; + typedef LowLevelMemoryUtilities::Writer Writer; +public: + SourceMaker() : AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE) { } + AclSubject *make(const TypedList &list) const; + AclSubject *make(AclSubject::Version version, Reader &pub, Reader &priv) const; +}; + + +// +// The actual designation of the PreAuth source AclBearer is provide by the environment. +// +class Environment : public virtual AclValidationEnvironment { +public: + virtual ObjectAcl *preAuthSource() = 0; +}; + + +// +// This is the object that is being "attached" (as an Adornment) to hold +// the pre-authorization state of a SourceAclSubject. +// The Adornable used for storage is determined by the Environment's store() method. +// +struct AclState { + AclState() : accepted(false) { } + bool accepted; // was previously accepted by upstream +}; + + +// +// This is the "origin" subject class that gets created the usual way. +// It models a pre-auth "origin" - i.e. it points at a preauth slot and accepts +// its verdict on validation. Think of it as the "come from" part of the link. +// +class OriginAclSubject : public AclSubject { +public: + bool validate(const AclValidationContext &ctx) const; + CssmList toList(Allocator &alloc) const; + + OriginAclSubject(AclAuthorization auth); + + void exportBlob(Writer::Counter &pub, Writer::Counter &priv); + void exportBlob(Writer &pub, Writer &priv); + + IFDUMP(void debugDump() const); + +private: + AclAuthorization mAuthTag; // authorization tag referred to (origin only) +}; + + +// +// The "source" subject class describes the other end of the link; the "go to" part +// if you will. Its sourceSubject is consulted for actual validation; and prior validation +// state is remembered (through the environment store facility) so that future validation +// attempts will automaticaly succeed (that's the "pre" in PreAuth). +// +class SourceAclSubject : public AclSubject { +public: + bool validate(const AclValidationContext &ctx) const; + CssmList toList(Allocator &alloc) const; + + SourceAclSubject(AclSubject *subSubject, + CSSM_ACL_PREAUTH_TRACKING_STATE state = CSSM_ACL_PREAUTH_TRACKING_UNKNOWN); + + void exportBlob(Writer::Counter &pub, Writer::Counter &priv); + void exportBlob(Writer &pub, Writer &priv); + + IFDUMP(void debugDump() const); + +private: + RefPointer mSourceSubject; // subject determining outcome (source only) +}; + + + +} // namespace PreAuthorizationAcls +} // namespace Security + + +#endif //_ACL_PREAUTH