From 8e292c995b66f335f19def2bcdd227168935ede0 Mon Sep 17 00:00:00 2001 From: Apple Date: Thu, 9 Aug 2012 00:04:44 +0000 Subject: [PATCH] Security-55178.0.1.tar.gz --- lib/Info-Security.plist | 2 +- lib/plugins/csparser-Info.plist | 2 +- libsecurity_keychain/lib/StorageManager.cpp | 13 ++++++++----- libsecurity_keychain/lib/Trust.cpp | 13 +++++++++---- libsecurity_smime/lib/tsaSupport.c | 11 ++++++++--- libsecurity_ssl/lib/cipherSpecs.c | 2 +- 6 files changed, 28 insertions(+), 15 deletions(-) diff --git a/lib/Info-Security.plist b/lib/Info-Security.plist index f8cf6e9a..99d3ceba 100644 --- a/lib/Info-Security.plist +++ b/lib/Info-Security.plist @@ -19,6 +19,6 @@ CFBundleSignature ???? CFBundleVersion - 55163.44 + 55178.0.1 diff --git a/lib/plugins/csparser-Info.plist b/lib/plugins/csparser-Info.plist index 0f0f8b44..a17c62bc 100644 --- a/lib/plugins/csparser-Info.plist +++ b/lib/plugins/csparser-Info.plist @@ -17,7 +17,7 @@ CFBundleSignature ???? CFBundleVersion - 55163.44 + 55178.0.1 CFBundleShortVersionString 3.0 diff --git a/libsecurity_keychain/lib/StorageManager.cpp b/libsecurity_keychain/lib/StorageManager.cpp index 54af54ee..4ecee452 100644 --- a/libsecurity_keychain/lib/StorageManager.cpp +++ b/libsecurity_keychain/lib/StorageManager.cpp @@ -51,6 +51,7 @@ #include #include #include +#include "TrustSettingsSchema.h" //%%% add this to AuthorizationTagsPriv.h later #ifndef AGENT_HINT_LOGIN_KC_SUPPRESS_RESET_PANEL @@ -134,11 +135,6 @@ StorageManager::keychain(const DLDbIdentifier &dLDbIdentifier) if (!dLDbIdentifier) return Keychain(); - if (gServerMode) { - secdebug("servermode", "keychain reference in server mode"); - return Keychain(); - } - KeychainMap::iterator it = mKeychains.find(dLDbIdentifier); if (it != mKeychains.end()) { @@ -152,6 +148,13 @@ StorageManager::keychain(const DLDbIdentifier &dLDbIdentifier) } } + if (gServerMode) { + secdebug("servermode", "keychain reference in server mode"); + const char *dbname = dLDbIdentifier.dbName(); + if (!dbname || (strcmp(dbname, SYSTEM_ROOT_STORE_PATH)!=0)) + return Keychain(); + } + // The keychain is not in our cache. Create it. Module module(dLDbIdentifier.ssuid().guid()); DL dl; diff --git a/libsecurity_keychain/lib/Trust.cpp b/libsecurity_keychain/lib/Trust.cpp index 4105717b..92236a0b 100644 --- a/libsecurity_keychain/lib/Trust.cpp +++ b/libsecurity_keychain/lib/Trust.cpp @@ -64,6 +64,7 @@ ModuleNexus Trust::gStore; #pragma mark -- TrustKeychains -- +static const CSSM_DL_DB_HANDLE nullCSSMDLDBHandle = {0,}; // // TrustKeychains maintains a global reference to standard system keychains, // to avoid having them be opened anew for each Trust instance. @@ -73,8 +74,8 @@ class TrustKeychains public: TrustKeychains(); ~TrustKeychains() {} - CSSM_DL_DB_HANDLE rootStoreHandle() { return mRootStore->database()->handle(); } - CSSM_DL_DB_HANDLE systemKcHandle() { return mSystem->database()->handle(); } + CSSM_DL_DB_HANDLE rootStoreHandle() { return mRootStore ? mRootStore->database()->handle() : nullCSSMDLDBHandle; } + CSSM_DL_DB_HANDLE systemKcHandle() { return mSystem ? mSystem->database()->handle() : nullCSSMDLDBHandle; } Keychain &rootStore() { return mRootStore; } Keychain &systemKc() { return mSystem; } private: @@ -380,7 +381,9 @@ void Trust::evaluate(bool disableEV) if(mUsingTrustSettings) { /* Append system anchors for use with Trust Settings */ try { - dlDbList.push_back(trustKeychains().rootStoreHandle()); + CSSM_DL_DB_HANDLE rootStoreHandle = trustKeychains().rootStoreHandle(); + if (rootStoreHandle.DBHandle) + dlDbList.push_back(rootStoreHandle); actionDataP->ActionFlags |= CSSM_TP_ACTION_TRUST_SETTINGS; } catch (...) { @@ -388,7 +391,9 @@ void Trust::evaluate(bool disableEV) mUsingTrustSettings = false; } try { - dlDbList.push_back(trustKeychains().systemKcHandle()); + CSSM_DL_DB_HANDLE systemKcHandle = trustKeychains().systemKcHandle(); + if (systemKcHandle.DBHandle) + dlDbList.push_back(systemKcHandle); } catch(...) { /* Oh well, at least we got the root store DB */ diff --git a/libsecurity_smime/lib/tsaSupport.c b/libsecurity_smime/lib/tsaSupport.c index e25ebf35..3087e915 100644 --- a/libsecurity_smime/lib/tsaSupport.c +++ b/libsecurity_smime/lib/tsaSupport.c @@ -1038,7 +1038,7 @@ static OSStatus verifySigners(SecCmsSignedDataRef signedData, int numberOfSigner dtprintf("[%s] SecCmsSignedDataVerifySignerInfo: result: %d, signer: %d\n", __FUNCTION__, result, jx); require_noerr(result, xit); - + result = SecTrustEvaluate (trustRef, &trustResultType); dtprintf("[%s] SecTrustEvaluate: result: %d, trustResult: %s (%d)\n", __FUNCTION__, result, trustResultTypeString(trustResultType), trustResultType); @@ -1142,8 +1142,9 @@ xit: static void saveTSACertificates(CSSM_DATA **signingCerts, CFMutableArrayRef outArray) { SecKeychainRef defaultKeychain = NULL; - if (SecKeychainCopyDefault(&defaultKeychain)) - return; + // Don't save certificates in keychain to avoid securityd issues +// if (SecKeychainCopyDefault(&defaultKeychain)) +// defaultKeychain = NULL; unsigned certCount = SecCmsArrayCount((void **)signingCerts); unsigned dex; @@ -1260,6 +1261,10 @@ OSStatus decodeTimeStampToken(SecCmsSignerInfoRef signerinfo, CSSM_DATA_PTR inDa OSStatus result = errSecUnknownFormat; CSSM_DATA **signingCerts = NULL; + OSStatus currentPORTErr = PORT_GetError(); + dtprintf("decodeTimeStampToken top: PORT_GetError() %d -----\n", (int)currentPORTErr); + PORT_SetError(0); + /* decode the message */ require_noerr(result = SecCmsDecoderCreate (NULL, NULL, NULL, NULL, NULL, NULL, NULL, &decoderContext), xit); result = SecCmsDecoderUpdate(decoderContext, inData->Data, inData->Length); diff --git a/libsecurity_ssl/lib/cipherSpecs.c b/libsecurity_ssl/lib/cipherSpecs.c index 3dde84cb..67c4e344 100644 --- a/libsecurity_ssl/lib/cipherSpecs.c +++ b/libsecurity_ssl/lib/cipherSpecs.c @@ -1379,7 +1379,7 @@ cipherSuitesToCipherSuites( if(*numCiphers < numCipherSuites) { return errSSLBufferOverflow; } - memcpy(ciphers, cipherSuites, numCipherSuites * 2); + memcpy(ciphers, cipherSuites, numCipherSuites * sizeof(SSLCipherSuite)); *numCiphers = numCipherSuites; return noErr; } -- 2.47.2