/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/ApplicationServices.framework/Versions/Current/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/InstantMessage.framework/iChatAgent.app
+/System/Library/Frameworks/SecurityFoundation.framework/Resources/dotmacfx.app
 /System/Library/Frameworks/SecurityFoundation.framework/Resources/kcSync.app
 /System/Library/PreferencePanes/Mac.prefPane
+/System/Library/PreferencePanes/Mac.prefPane/Contents/Resources/dotMacPrefTool
 /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig
 /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
 /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
 /System/Library/PrivateFrameworks/DMNotification.framework/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/A/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/Current/Resources/dmnotifyd
+/System/Library/PrivateFrameworks/Syndication.framework/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
+/System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
+/System/Library/PrivateFrameworks/Syndication.framework/Versions/Current/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
 /System/Library/ScriptingAdditions/Keychain Scripting.app
 /sbin/mount_smbfs
 /sbin/mount_webdav
 
                        buildSettings = {
                                BUILD_VARIANTS = debug;
                                COPY_PHASE_STRIP = NO;
-                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers";
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                                GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
                };
                4CA1FEAF052A3C5800F22E42 = {
                        buildSettings = {
-                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers";
                                DEAD_CODE_STRIPPING = YES;
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
-                               CURRENT_PROJECT_VERSION = 26692;
+                               CURRENT_PROJECT_VERSION = 27887;
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
-                       shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new $CSSM_HEADERS/cssmtype.h\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n";
+                       shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new cssmtype.h $CSSM_HEADERS\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n";
                };
                4CDD4F7A053751FF00FEC36D = {
                        buildPhases = (
                                4CDD4F79053751FF00FEC36D,
                        );
                        buildSettings = {
-                               CSSM_HEADERS = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
+                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
                                OTHER_CFLAGS = "";
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
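Review bot: The rewritten `shellScript` value still runs with no error checking: if `src/generate.pl` exits non-zero, the following `cmp -s`/`mv` pairs act on whatever `.new` files exist and the build carries on with a stale or partial `flip_gen.h`/`flip_gen.cpp`. Prefix the script with `set -e` and quote the expansions, `src/generate.pl src/generate.cf "$THEADER.new" "$TCPP.new" cssmtype.h "$CSSM_HEADERS"`, which matters more now that `CSSM_HEADERS` is a colon-separated list that word-splits if any build path contains a space. Dropping the per-target `CSSM_HEADERS` overrides in the earlier hunks is consistent with the single colon-joined value defined in this one.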
 
        virtual ~SecurityServerAcl();
 
     // validation calls restated
-       void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
+   virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
        void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);
 
        // CSSM layer ACL calls
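Review bot: Only the `AccessCredentials` overload of `validate` becomes virtual; the `Context` overload on the following line stays non-virtual, so a subclass that intercepts validation through the new virtual (as this commit does for KeychainKey) is bypassed by any caller that validates via a `Context`. If that path is meant to be interceptable too, declare `virtual void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);` as well; if it is deliberately a non-overridable convenience, say so in the "validation calls restated" comment so the asymmetry reads as intended. The class body continues outside the hunk.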
 
 class EntropyManager : public MachServer::Timer, private DevRandomGenerator {
     // all the parameters you ever (should) want to change :-)
     static const int collectInterval = 600; // collect every 10 minutes
-    static const int updateInterval = 3600; // update file every hour
+    static const int updateInterval = 3600 * 6; // update file every 6 hours
     static const int timingsToCollect = 40; // how many timings?
 
 public:
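Review bot: The constant and its comment change together, but nothing records why the file this timer updates is now written six times less often; presumably it holds a persisted entropy seed, in which case after an unclean shutdown the restored state can be up to six hours old instead of one. Capture the trade-off at the declaration, e.g. `// update file every 6 hours (less disk I/O; seed restored after a crash may be up to 6h stale)`, adjusted to the actual reason for the change.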
 
 #
 #
 #
-use strict;
+#use strict;
 
 my $disclaimer = "Automatically generated - do not edit on penalty of futility!";
 
 
 # arguments
-my ($configfile, $out_h, $out_cpp, $types) = @ARGV;
+my ($configfile, $out_h, $out_cpp, $types, $hdrpath) = @ARGV;
 
 
 # open configuration file
 open(CFG, "$configfile") || die "$configfile: $!";
 
 # open and load cssmtypes file
-open(TYPES, "$types") || die "$types: $!";
+for my $hdrdir (split (/:/, $hdrpath)) {
+  open(TYPES, "$hdrdir/$types") and last;
+}
+TYPES or die "cannot find $types in $hdrpath: $!";
 $/=undef;
 my $types_h = <TYPES>;
 close(TYPES); $/="\n";
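Review bot: The `TYPES or die` check after the new loop can never fire: with `use strict` commented out just above, the bareword `TYPES` is simply the true string "TYPES", so when no directory in `$hdrpath` contains the header the script continues, reads from an unopened handle, and generates from an undefined `$types_h`. Disabling strict to make that line parse is the wrong direction; use a lexical handle and a three-argument open, which also removes the mode-injection exposure of the two-argument `open(TYPES, "$hdrdir/$types")` (the same two-argument form opens `$configfile` a few lines earlier, outside this change). The rewrite below restores `use strict`, tracks success explicitly, and restores `$/` without a global assignment.
```perl
use strict;
# … unchanged: $disclaimer, argument unpacking, configuration-file open …

# open and load cssmtypes file: first hit along the colon-separated $hdrpath wins
my $types_fh;
for my $hdrdir (split /:/, $hdrpath) {
    last if open $types_fh, '<', "$hdrdir/$types";
    undef $types_fh;    # open() autovivifies the handle even when it fails
}
defined $types_fh or die "cannot find $types in $hdrpath: $!";
my $types_h = do { local $/; <$types_fh> };
close($types_fh);
```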
 
 }
 
 
+//
+// Intercept Key validation and double-check that the keychain is (still) unlocked
+//
+void KeychainKey::validate(AclAuthorization auth, const AccessCredentials *cred,
+       Database *relatedDatabase)
+{
+       if (KeychainDatabase *db = dynamic_cast<KeychainDatabase *>(relatedDatabase))
+               db->unlockDb();
+       SecurityServerAcl::validate(auth, cred, relatedDatabase);
+}
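Review bot: The header comment says this override "double-check[s]" that the keychain is unlocked, but the body calls `db->unlockDb()`, which from its name looks like it performs (or attempts) the unlock — with whatever user interaction or exception that entails — rather than checking state; the comment should describe that, e.g. `// Make sure the owning keychain is unlocked (unlockDb may prompt or throw) before the ACL itself is evaluated`. When `relatedDatabase` is null or is not a `KeychainDatabase`, the `dynamic_cast` fails silently and validation proceeds with no unlock step at all; if that fall-through is intentional, a one-line comment on the `if` should say so.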
+
+
 //
 // We're a key (duh)
 //
 
        void instantiateAcl();
        void changedAcl();
     Database *relatedDatabase();
+       void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
 
 public:
        // SecurityServerAcl personality
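Review bot: Declaring only the `AccessCredentials` overload of `validate` here hides the inherited `Context` overload, so `validate(auth, context, db)` on a KeychainKey (or a pointer or reference to one) no longer compiles even though it still exists in SecurityServerAcl; add `using SecurityServerAcl::validate;` beside the declaration if that overload should stay reachable. Marking the declaration `virtual` would also make the override intent visible to readers of this header, since the base declaration lives in another file. The class header is outside the hunk, so I am assuming SecurityServerAcl is the base whose `validate` is being overridden, as the implementation's qualified call suggests.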
 
 void Session::mergeCredentials(CredentialSet &creds)
 {
     secdebug("SSsession", "%p merge creds @%p", this, &creds);
+    CredentialSet updatedCredentials = creds;
        for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++)
                if (((*it)->isShared() && (*it)->isValid())) {
                        CredentialSet::iterator old = mSessionCreds.find(*it);
             } else {
                 // replace "new" with "old" in input set to retain synchronization
                                (*old)->merge(**it);
-                creds.erase(it);
-                creds.insert(*old);
+                updatedCredentials.erase(*it);
+                updatedCredentials.insert(*old);
             }
                }
+    creds.swap(updatedCredentials);
 }
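Review bot: The copy-and-swap makes the caller's `creds` an in/out parameter that is rewritten wholesale at `creds.swap(updatedCredentials)`, and `updatedCredentials.erase(*it)` erases by value, relying on the set comparator treating `*it` and `*old` as equivalent (which `find` guarantees); neither contract is stated, so a comment on the swap such as `// hand the rebuilt set back to the caller; creds is modified in place` would help the next reader. The full copy of `creds` is also made on every call even when no shared credential is replaced; if merging is frequent, building the copy lazily or skipping the swap when nothing changed avoids that cost. The `if` whose `else` branch holds the replacement starts outside the hunk.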
 
 
 
                        return; // induce retry
                }
        // all others are non-recoverable
+       secdebug("tokendb", "non-recoverable error in Access(): %d", err.error);
        throw;
 }
 
        return parent<Token>();
 }
 
-string TokenDbCommon::dbName() const
+const std::string &TokenDbCommon::dbName() const
 {
-       return token().printName().c_str();
+       return token().printName();
 }
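Review bot: Returning `const std::string &` from `dbName()` is only safe if `Token::printName()` itself returns a reference to storage that outlives this call; if it returns a `std::string` by value (the old `.c_str()` on its result hints at a temporary), the new code hands back a dangling reference to a destroyed temporary. Please confirm printName()'s signature; if it returns by value, keep `std::string dbName() const` (and the matching declaration changed in the header later in this commit), or cache the name in the object and return a reference to that.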
 
 
                access().authenticate(CSSM_DB_ACCESS_READ, cred);
                secdebug("tokendb", "%p remote validation successful", this);
                return true;
-       } catch (...) {
+       }
+       catch (...) {
                secdebug("tokendb", "%p remote validation failed", this);
-               return false;
+       //      return false;
+       throw;  // try not to mask error
        }
 }
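Review bot: With the catch block now rethrowing, this function can no longer return false, so its bool result is either true or an exception and any caller testing for false now has a dead branch; either change the return type to void or document on the declaration that failure is reported by exception. The commented-out `//      return false;` should be deleted rather than left next to the `throw;` — the `// try not to mask error` comment already records the decision. The function's start is outside the hunk.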
 
 //
 void TokenDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred)
 {
+       Access access(token());
+       TRY
+       GUARD
        if (mode != CSSM_DB_ACCESS_RESET && cred) {
+               secdebug("tokendb", "%p authenticate calling validate", this);
                int pin;
                if (sscanf(cred->EntryTag, "PIN%d", &pin) == 1)
                        return validate(CSSM_ACL_AUTHORIZATION_PREAUTH(pin), cred);
        }
 
-       Access access(token());
        access().authenticate(mode, cred);
        switch (mode) {
        case CSSM_DB_ACCESS_RESET:
                break;
        }
        }
+       DONE
 }
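Review bot: The early `return validate(...)` on the PIN path now sits inside the `TRY`/`GUARD` block; whether that is safe depends on what `GUARD` and `DONE` expand to — if `DONE` closes a scope with post-actions rather than a plain catch clause, the return skips them, so either check the macro definitions or move the PIN short-cut above `TRY`. Hoisting `Access access(token())` ahead of `TRY` changes which errors the guard sees; a one-line comment stating why the token access is acquired outside the guarded region would keep the next maintainer from moving it back.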
 
-
 //
 // Data access interface.
 //
 
        Token &token() const;
        
        uint32 subservice() const { return token().subservice(); }
-       std::string dbName() const;
+       const std::string &dbName() const;
 
        Adornable &store();
        void resetAcls();