]> git.saurik.com Git - apple/securityd.git/blob - src/database.cpp
securityd-55137.1.tar.gz
[apple/securityd.git] / src / database.cpp
1 /*
2 * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // database - database session management
27 //
28 #include "database.h"
29 #include "agentquery.h"
30 #include "key.h"
31 #include "server.h"
32 #include "session.h"
33 #include "notifications.h"
34 #include <security_agent_client/agentclient.h>
35 #include <securityd_client/dictionary.h>
36 #include <security_cdsa_utilities/acl_any.h> // for default owner ACLs
37 #include <security_cdsa_client/wrapkey.h>
38 #include <security_utilities/endian.h>
39
40 using namespace UnixPlusPlus;
41
42
43 //
44 // DbCommon basics
45 //
46 DbCommon::DbCommon(Session &session)
47 {
48 referent(session);
49 }
50
51 Session &DbCommon::session() const
52 {
53 return referent<Session>();
54 }
55
56
57 //
58 // Database basics
59 //
60 Database::Database(Process &proc)
61 {
62 referent(proc);
63 }
64
65
66 Process& Database::process() const
67 {
68 return referent<Process>();
69 }
70
71
72 //
73 // Send a keychain-related notification event about this database
74 //
75 void DbCommon::notify(NotificationEvent event, const DLDbIdentifier &ident)
76 {
77 // form the data (encoded DLDbIdentifier)
78 NameValueDictionary nvd;
79 NameValueDictionary::MakeNameValueDictionaryFromDLDbIdentifier(ident, nvd);
80 CssmData data;
81 nvd.Export(data);
82
83 // inject notification into Security event system
84 Listener::notify(kNotificationDomainDatabase, event, data);
85
86 // clean up
87 free (data.data());
88 }
89
90
91 //
92 // Default behaviors
93 //
94 void DbCommon::sleepProcessing()
95 {
96 // nothing
97 }
98
99 void DbCommon::lockProcessing()
100 {
101 // nothing
102 }
103
104 bool DbCommon::belongsToSystem() const
105 {
106 return false;
107 }
108
109
110 void Database::releaseKey(Key &key)
111 {
112 kill(key);
113 }
114
115 void Database::releaseSearch(Search &search)
116 {
117 kill(search);
118 }
119
120 void Database::releaseRecord(Record &record)
121 {
122 kill(record);
123 }
124
125 void Database::dbName(const char *name)
126 {
127 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
128 }
129
130
131 //
132 // Functions that aren't implemented at the Database level but can stay that way
133 //
134 void Database::findFirst(const CssmQuery &query,
135 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
136 CssmData *data, RefPointer<Key> &key, RefPointer<Search> &search, RefPointer<Record> &record,
137 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
138 {
139 secdebug("database", "%p calling unimplemented findFirst", this);
140 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
141 }
142
143 void Database::findNext(Search *search,
144 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
145 CssmData *data, RefPointer<Key> &key, RefPointer<Record> &record,
146 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
147 {
148 secdebug("database", "%p calling unimplemented findNext", this);
149 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
150 }
151
152 void Database::findRecordHandle(Record *record,
153 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
154 CssmData *data, RefPointer<Key> &key,
155 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength)
156 {
157 secdebug("database", "%p calling unimplemented findRecordHandle", this);
158 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
159 }
160
161 void Database::insertRecord(CSSM_DB_RECORDTYPE recordtype,
162 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
163 const CssmData &data, RecordHandle &record)
164 {
165 secdebug("database", "%p calling unimplemented insertRecord", this);
166 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
167 }
168
169 void Database::modifyRecord(CSSM_DB_RECORDTYPE recordtype, Record *record,
170 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
171 const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode)
172 {
173 secdebug("database", "%p calling unimplemented modifyRecord", this);
174 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
175 }
176
177 void Database::deleteRecord(Database::Record *record)
178 {
179 secdebug("database", "%p calling unimplemented deleteRecord", this);
180 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
181 }
182
183 void Database::authenticate(CSSM_DB_ACCESS_TYPE, const AccessCredentials *)
184 {
185 secdebug("database", "%p calling unimplemented authenticate", this);
186 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
187 }
188
189 SecurityServerAcl &Database::acl()
190 {
191 secdebug("database", "%p has no ACL implementation", this);
192 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
193 }
194
195 bool Database::isLocked()
196 {
197 secdebug("database", "%p calling unimplemented isLocked", this);
198 CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
199 }
200
201
202 //
203 // SecurityServerAcl personality implementation.
204 // This is the trivial (type coding) stuff. The hard stuff is virtually mixed in.
205 //
206 Database *Database::relatedDatabase()
207 {
208 return this;
209 }
210
211 AclKind Database::aclKind() const
212 {
213 return dbAcl;
214 }
215
216
217 //
218 // Remote validation is not, by default, supported
219 //
220 bool Database::validateSecret(const AclSubject *, const AccessCredentials *)
221 {
222 return false;
223 }
224
225
226 //
227 // Implementation of a "system keychain unlock key store"
228 //
229 SystemKeychainKey::SystemKeychainKey(const char *path)
230 : mPath(path), mValid(false)
231 {
232 // explicitly set up a key header for a raw 3DES key
233 CssmKey::Header &hdr = mKey.header();
234 hdr.blobType(CSSM_KEYBLOB_RAW);
235 hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
236 hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY);
237 hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE);
238 hdr.KeyAttr = 0;
239 hdr.KeyUsage = CSSM_KEYUSE_ANY;
240 mKey = CssmData::wrap(mBlob.masterKey);
241 }
242
243 SystemKeychainKey::~SystemKeychainKey()
244 {
245 }
246
247 bool SystemKeychainKey::matches(const DbBlob::Signature &signature)
248 {
249 return update() && signature == mBlob.signature;
250 }
251
252 bool SystemKeychainKey::update()
253 {
254 // if we checked recently, just assume it's okay
255 if (mValid && mUpdateThreshold > Time::now())
256 return mValid;
257
258 // check the file
259 struct stat st;
260 if (::stat(mPath.c_str(), &st)) {
261 // something wrong with the file; can't use it
262 mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
263 return mValid = false;
264 }
265 if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate)
266 return true;
267 mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
268
269 try {
270 secdebug("syskc", "reading system unlock record from %s", mPath.c_str());
271 AutoFileDesc fd(mPath, O_RDONLY);
272 if (fd.read(mBlob) != sizeof(mBlob))
273 return false;
274 if (mBlob.isValid()) {
275 mCachedDate = st.st_mtimespec;
276 return mValid = true;
277 } else
278 return mValid = false;
279 } catch (...) {
280 secdebug("syskc", "system unlock record not available");
281 return false;
282 }
283 }