src/database.cpp

   1 /*
   2  * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // database - database session management
  27 //
  28 #include "database.h"
  29 #include "agentquery.h"
  30 #include "key.h"
  31 #include "server.h"
  32 #include "session.h"
  33 #include "notifications.h"
  34 #include <security_agent_client/agentclient.h>
  35 #include <securityd_client/dictionary.h>
  36 #include <security_cdsa_utilities/acl_any.h>    // for default owner ACLs
  37 #include <security_cdsa_client/wrapkey.h>
  38 #include <security_utilities/endian.h>
  39
  40 using namespace UnixPlusPlus;
  41
  42
  43 //
  44 // DbCommon basics
  45 //
  46 DbCommon::DbCommon(Session &session)
  47 {
  48         referent(session);
  49 }
  50
  51 Session &DbCommon::session() const
  52 {
  53         return referent<Session>();
  54 }
  55
  56
  57 //
  58 // Database basics
  59 //
  60 Database::Database(Process &proc)
  61 {
  62         referent(proc);
  63 }
  64
  65
  66 Process& Database::process() const
  67 {
  68         return referent<Process>();
  69 }
  70
  71
  72 //
  73 // Send a keychain-related notification event about this database
  74 //
  75 void DbCommon::notify(NotificationEvent event, const DLDbIdentifier &ident)
  76 {
  77         // form the data (encoded DLDbIdentifier)
  78     NameValueDictionary nvd;
  79     NameValueDictionary::MakeNameValueDictionaryFromDLDbIdentifier(ident, nvd);
  80     CssmData data;
  81     nvd.Export(data);
  82
  83         // inject notification into Security event system
  84     Listener::notify(kNotificationDomainDatabase, event, data);
  85
  86         // clean up
  87     free (data.data());
  88 }
  89
  90 //
  91 // Default behaviors
  92 //
  93 void DbCommon::sleepProcessing()
  94 {
  95         // nothing
  96 }
  97
  98 void DbCommon::lockProcessing()
  99 {
 100         // nothing
 101 }
 102
 103
 104 void Database::releaseKey(Key &key)
 105 {
 106         kill(key);
 107 }
 108
 109 void Database::releaseSearch(Search &search)
 110 {
 111         kill(search);
 112 }
 113
 114 void Database::releaseRecord(Record &record)
 115 {
 116         kill(record);
 117 }
 118
 119 void Database::dbName(const char *name)
 120 {
 121         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 122 }
 123
 124
 125 //
 126 // Functions that aren't implemented at the Database level but can stay that way
 127 //
 128 void Database::findFirst(const CssmQuery &query,
 129         CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
 130         CssmData *data, RefPointer<Key> &key, RefPointer<Search> &search, RefPointer<Record> &record,
 131         CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
 132 {
 133         secdebug("database", "%p calling unimplemented findFirst", this);
 134         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 135 }
 136
 137 void Database::findNext(Search *search,
 138         CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
 139         CssmData *data, RefPointer<Key> &key, RefPointer<Record> &record,
 140         CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
 141 {
 142         secdebug("database", "%p calling unimplemented findNext", this);
 143         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 144 }
 145
 146 void Database::findRecordHandle(Record *record,
 147         CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
 148         CssmData *data, RefPointer<Key> &key,
 149         CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
 150 {
 151         secdebug("database", "%p calling unimplemented findRecordHandle", this);
 152         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 153 }
 154
 155 void Database::insertRecord(CSSM_DB_RECORDTYPE recordtype,
 156         const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
 157         const CssmData &data, RecordHandle &record)
 158 {
 159         secdebug("database", "%p calling unimplemented insertRecord", this);
 160         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 161 }
 162
 163 void Database::modifyRecord(CSSM_DB_RECORDTYPE recordtype, Record *record,
 164         const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
 165         const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode)
 166 {
 167         secdebug("database", "%p calling unimplemented modifyRecord", this);
 168         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 169 }
 170
 171 void Database::deleteRecord(Database::Record *record)
 172 {
 173         secdebug("database", "%p calling unimplemented deleteRecord", this);
 174         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 175 }
 176
 177 void Database::authenticate(CSSM_DB_ACCESS_TYPE, const AccessCredentials *)
 178 {
 179         secdebug("database", "%p calling unimplemented authenticate", this);
 180         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 181 }
 182
 183 SecurityServerAcl &Database::acl()
 184 {
 185         secdebug("database", "%p has no ACL implementation", this);
 186         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 187 }
 188
 189 bool Database::isLocked() const
 190 {
 191         secdebug("database", "%p calling unimplemented isLocked", this);
 192         CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
 193 }
 194
 195
 196 //
 197 // SecurityServerAcl personality implementation.
 198 // This is the trivial (type coding) stuff. The hard stuff is virtually mixed in.
 199 //
 200 Database *Database::relatedDatabase()
 201 {
 202         return this;
 203 }
 204
 205 AclKind Database::aclKind() const
 206 {
 207         return dbAcl;
 208 }
 209
 210 GenericHandle Database::aclHandle() const
 211 {
 212         return HandleObject::handle();
 213 }
 214
 215
 216 //
 217 // Remote validation is not, by default, supported
 218 //
 219 bool Database::validateSecret(const AclSubject *, const AccessCredentials *)
 220 {
 221         return false;
 222 }
 223
 224
 225 //
 226 // Implementation of a "system keychain unlock key store"
 227 //
 228 SystemKeychainKey::SystemKeychainKey(const char *path)
 229         : mPath(path), mValid(false)
 230 {
 231         // explicitly set up a key header for a raw 3DES key
 232         CssmKey::Header &hdr = mKey.header();
 233         hdr.blobType(CSSM_KEYBLOB_RAW);
 234         hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
 235         hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY);
 236         hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE);
 237         hdr.KeyAttr = 0;
 238         hdr.KeyUsage = CSSM_KEYUSE_ANY;
 239         mKey = CssmData::wrap(mBlob.masterKey);
 240 }
 241
 242 SystemKeychainKey::~SystemKeychainKey()
 243 {
 244 }
 245
 246 bool SystemKeychainKey::matches(const DbBlob::Signature &signature)
 247 {
 248         return update() && signature == mBlob.signature;
 249 }
 250
 251 bool SystemKeychainKey::update()
 252 {
 253         // if we checked recently, just assume it's okay
 254         if (mValid && mUpdateThreshold > Time::now())
 255                 return mValid;
 256
 257         // check the file
 258         struct stat st;
 259         if (::stat(mPath.c_str(), &st)) {
 260                 // something wrong with the file; can't use it
 261                 mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
 262                 return mValid = false;
 263         }
 264         if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate)
 265                 return true;
 266         mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
 267
 268         try {
 269                 secdebug("syskc", "reading system unlock record from %s", mPath.c_str());
 270                 AutoFileDesc fd(mPath, O_RDONLY);
 271                 if (fd.read(mBlob) != sizeof(mBlob))
 272                         return false;
 273                 if (mBlob.isValid()) {
 274                         mCachedDate = st.st_mtimespec;
 275                         return mValid = true;
 276                 } else
 277                         return mValid = false;
 278         } catch (...) {
 279                 secdebug("syskc", "system unlock record not available");
 280                 return false;
 281         }
 282 }