securityd-27887.tar.gz v27887
authorApple <opensource@apple.com>
Mon, 15 May 2006 22:58:08 +0000 (22:58 +0000)
committerApple <opensource@apple.com>
Mon, 15 May 2006 22:58:08 +0000 (22:58 +0000)
etc/CodeEquivalenceCandidates
securityd.xcode/project.pbxproj
src/acls.h
src/entropy.h
src/generate.pl
src/kckey.cpp
src/kckey.h
src/session.cpp
src/tokenaccess.cpp
src/tokendatabase.cpp
src/tokendatabase.h

index 7c90c92fc0d7db76c1787a4f918d6e15364ed910..01914b6675b41f9ea1c1467ca8c26096ca4436a3 100644 (file)
 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/ApplicationServices.framework/Versions/Current/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/InstantMessage.framework/iChatAgent.app
 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/ApplicationServices.framework/Versions/Current/Frameworks/AE.framework/Versions/Current/Support/AEServer
 /System/Library/Frameworks/InstantMessage.framework/iChatAgent.app
+/System/Library/Frameworks/SecurityFoundation.framework/Resources/dotmacfx.app
 /System/Library/Frameworks/SecurityFoundation.framework/Resources/kcSync.app
 /System/Library/PreferencePanes/Mac.prefPane
 /System/Library/Frameworks/SecurityFoundation.framework/Resources/kcSync.app
 /System/Library/PreferencePanes/Mac.prefPane
+/System/Library/PreferencePanes/Mac.prefPane/Contents/Resources/dotMacPrefTool
 /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig
 /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
 /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
 /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig
 /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
 /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
@@ -46,6 +48,9 @@
 /System/Library/PrivateFrameworks/DMNotification.framework/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/A/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/Current/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/A/Resources/dmnotifyd
 /System/Library/PrivateFrameworks/DMNotification.framework/Versions/Current/Resources/dmnotifyd
+/System/Library/PrivateFrameworks/Syndication.framework/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
+/System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
+/System/Library/PrivateFrameworks/Syndication.framework/Versions/Current/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent
 /System/Library/ScriptingAdditions/Keychain Scripting.app
 /sbin/mount_smbfs
 /sbin/mount_webdav
 /System/Library/ScriptingAdditions/Keychain Scripting.app
 /sbin/mount_smbfs
 /sbin/mount_webdav
index 4154d1d6d256511e53a534c4225474fa99c0fb7f..6b77cb6edf3dadc2fdd48f453bc7b814a7eaed49 100644 (file)
                        buildSettings = {
                                BUILD_VARIANTS = debug;
                                COPY_PHASE_STRIP = NO;
                        buildSettings = {
                                BUILD_VARIANTS = debug;
                                COPY_PHASE_STRIP = NO;
-                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers";
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                                GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                                GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
                };
                4CA1FEAF052A3C5800F22E42 = {
                        buildSettings = {
                };
                4CA1FEAF052A3C5800F22E42 = {
                        buildSettings = {
-                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers";
                                DEAD_CODE_STRIPPING = YES;
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                                DEAD_CODE_STRIPPING = YES;
                                GCC_DYNAMIC_NO_PIC = NO;
                                GCC_ENABLE_FIX_AND_CONTINUE = YES;
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
-                               CURRENT_PROJECT_VERSION = 26692;
+                               CURRENT_PROJECT_VERSION = 27887;
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                        shellPath = /bin/sh;
-                       shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new $CSSM_HEADERS/cssmtype.h\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n";
+                       shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new cssmtype.h $CSSM_HEADERS\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n";
                };
                4CDD4F7A053751FF00FEC36D = {
                        buildPhases = (
                                4CDD4F79053751FF00FEC36D,
                        );
                        buildSettings = {
                };
                4CDD4F7A053751FF00FEC36D = {
                        buildPhases = (
                                4CDD4F79053751FF00FEC36D,
                        );
                        buildSettings = {
-                               CSSM_HEADERS = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
+                               CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
                                OTHER_CFLAGS = "";
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                OTHER_CFLAGS = "";
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
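--- a/src/acls.h
+++ b/src/acls.h
@@ -62,7 +62,7 @@ public:
        virtual ~SecurityServerAcl();
 
     // validation calls restated
-       void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
+   virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
        void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);
 
        // CSSM layer ACL calls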
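Review bot: Only the `AccessCredentials` overload of `validate` becomes virtual here; the `Context` overload on the following line stays non-virtual, so the keychain-lock check that src/kckey.cpp adds in its override is reached from that entry point only if the base implementation forwards to the credentials overload, which this section does not show. The declaration added in src/kckey.h also hides the `Context` overload for calls made directly on a `KeychainKey`; a `using SecurityServerAcl::validate;` next to it (assuming `SecurityServerAcl` is an unambiguous base there) would keep both callable. I would add a comment above this declaration such as `// virtual so subclasses can add pre-validation checks; the Context overload must route through this one`. The class body starts and ends outside the hunk.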
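--- a/src/entropy.h
+++ b/src/entropy.h
@@ -42,7 +42,7 @@ using MachPlusPlus::MachServer;
 class EntropyManager : public MachServer::Timer, private DevRandomGenerator {
     // all the parameters you ever (should) want to change :-)
     static const int collectInterval = 600; // collect every 10 minutes
-    static const int updateInterval = 3600; // update file every hour
+    static const int updateInterval = 3600 * 6; // update file every 6 hours
     static const int timingsToCollect = 40; // how many timings?
 
 public: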
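Review bot: The comment on `updateInterval` records the new value but not the consequence of writing the file six times less often. If that file is the saved entropy state (the section does not show what it holds), the copy on disk can be up to six hours old after an unclean shutdown. I would extend the comment to say so, for example `// update file every 6 hours; on-disk copy may be up to 6h stale after a crash`, and add the reason for the change. The class body continues outside the hunk.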
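--- a/src/generate.pl
+++ b/src/generate.pl
@@ -2,20 +2,23 @@
 #
 #
 #
-use strict;
+#use strict;
 
 my $disclaimer = "Automatically generated - do not edit on penalty of futility!";
 
 
 # arguments
-my ($configfile, $out_h, $out_cpp, $types) = @ARGV;
+my ($configfile, $out_h, $out_cpp, $types, $hdrpath) = @ARGV;
 
 
 # open configuration file
 open(CFG, "$configfile") || die "$configfile: $!";
 
 # open and load cssmtypes file
-open(TYPES, "$types") || die "$types: $!";
+for my $hdrdir (split (/:/, $hdrpath)) {
+  open(TYPES, "$hdrdir/$types") and last;
+}
+TYPES or die "cannot find $types in $hdrpath: $!";
 $/=undef;
 my $types_h = <TYPES>;
 close(TYPES); $/="\n";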
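Review bot: The failure check `TYPES or die ...` can never fire: with `use strict` commented out, the bareword `TYPES` evaluates to the non-empty string "TYPES", which is always true. When no directory in `$hdrpath` contains `$types`, the script therefore goes on to read an unopened handle and generates its output from an empty `$types_h` instead of stopping the build. Recording the result of `open` in a flag makes the check real and lets `use strict;` be restored, since a bareword filehandle passed to `open` is allowed under strict. The three-argument form of `open` also keeps a path that begins with a mode character from being interpreted as a mode. The rest of the script is outside the hunk, so confirm it is still strict-clean.

```perl
use strict;
# … unchanged: disclaimer, argument parsing, configuration file open …
# open and load cssmtypes file from the first directory on $hdrpath that has it
my $found = 0;
for my $hdrdir (split(/:/, $hdrpath)) {
  if (open(TYPES, "<", "$hdrdir/$types")) { $found = 1; last; }
}
$found or die "cannot find $types in $hdrpath: $!";
```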
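--- a/src/kckey.cpp
+++ b/src/kckey.cpp
@@ -189,6 +189,18 @@ void KeychainKey::changedAcl()
 }
 
 
+//
+// Intercept Key validation and double-check that the keychain is (still) unlocked
+//
+void KeychainKey::validate(AclAuthorization auth, const AccessCredentials *cred,
+       Database *relatedDatabase)
+{
+       if (KeychainDatabase *db = dynamic_cast<KeychainDatabase *>(relatedDatabase))
+               db->unlockDb();
+       SecurityServerAcl::validate(auth, cred, relatedDatabase);
+}
+
+
 //
 // We're a key (duh)
 //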
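Review bot: The lock check in `KeychainKey::validate` is skipped silently whenever the `dynamic_cast` yields null, that is when the caller passes a null `relatedDatabase` or one that is not a `KeychainDatabase`, and validation then proceeds exactly as it did before this change. The parameter also shadows the key's own `relatedDatabase()` member declared in src/kckey.h, so the check depends on what the caller supplies rather than on the keychain the key belongs to. If every keychain key is expected to arrive with its database, the header comment should say so, or the function should fail closed when the cast fails. The comment says "double-check" while the call is `unlockDb()`; the section does not show whether that only verifies the state or may start an unlock, so the comment should state which, and that it is expected to throw when the keychain stays locked.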
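--- a/src/kckey.h
+++ b/src/kckey.h
@@ -66,6 +66,7 @@ public:
        void instantiateAcl();
        void changedAcl();
     Database *relatedDatabase();
+       void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
 
 public:
        // SecurityServerAcl personality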
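--- a/src/session.cpp
+++ b/src/session.cpp
@@ -485,6 +485,7 @@ OSStatus Session::authorizationdbRemove(const AuthorizationBlob &authBlob, Autho
 void Session::mergeCredentials(CredentialSet &creds)
 {
     secdebug("SSsession", "%p merge creds @%p", this, &creds);
+    CredentialSet updatedCredentials = creds;
        for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++)
                if (((*it)->isShared() && (*it)->isValid())) {
                        CredentialSet::iterator old = mSessionCreds.find(*it);
@@ -493,10 +494,11 @@ void Session::mergeCredentials(CredentialSet &creds)
             } else {
                 // replace "new" with "old" in input set to retain synchronization
                                (*old)->merge(**it);
-                creds.erase(it);
-                creds.insert(*old);
+                updatedCredentials.erase(*it);
+                updatedCredentials.insert(*old);
             }
                }
+    creds.swap(updatedCredentials);
 }
 
 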
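Review bot: `mergeCredentials` reads and updates `mSessionCreds` (`find`, then `merge` on the stored credential) without taking a lock anywhere between the function entry and the loop shown in the first hunk. If callers do not already serialize access to the session, two requests merging credentials at the same time can race on the shared set. Copying into `updatedCredentials` removes the erase-while-iterating problem on the caller's set but does nothing for the session's own set. I would either document the locking precondition in a comment above the function or hold the session's lock for the duration of the loop. The branch that handles a credential not yet present in `mSessionCreds` lies between the two hunks and is not shown.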
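--- a/src/tokenaccess.cpp
+++ b/src/tokenaccess.cpp
@@ -58,5 +58,6 @@ void Access::operator () (const CssmError &err)
                        return; // induce retry
                }
        // all others are non-recoverable
+       secdebug("tokendb", "non-recoverable error in Access(): %d", err.error);
        throw;
 }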
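--- a/src/tokendatabase.cpp
+++ b/src/tokendatabase.cpp
@@ -48,9 +48,9 @@ Token &TokenDbCommon::token() const
        return parent<Token>();
 }
 
-string TokenDbCommon::dbName() const
+const std::string &TokenDbCommon::dbName() const
 {
-       return token().printName().c_str();
+       return token().printName();
 }
 
 
@@ -233,9 +233,11 @@ bool TokenDatabase::validateSecret(const AclSubject *subject, const AccessCreden
                access().authenticate(CSSM_DB_ACCESS_READ, cred);
                secdebug("tokendb", "%p remote validation successful", this);
                return true;
-       } catch (...) {
+       }
+       catch (...) {
                secdebug("tokendb", "%p remote validation failed", this);
-               return false;
+       //      return false;
+       throw;  // try not to mask error
        }
 }
 
@@ -467,13 +469,16 @@ void TokenDatabase::getOutputSize(const Context &context, Key &key,
 //
 void TokenDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred)
 {
+       Access access(token());
+       TRY
+       GUARD
        if (mode != CSSM_DB_ACCESS_RESET && cred) {
+               secdebug("tokendb", "%p authenticate calling validate", this);
                int pin;
                if (sscanf(cred->EntryTag, "PIN%d", &pin) == 1)
                        return validate(CSSM_ACL_AUTHORIZATION_PREAUTH(pin), cred);
        }
 
-       Access access(token());
        access().authenticate(mode, cred);
        switch (mode) {
        case CSSM_DB_ACCESS_RESET:
@@ -490,9 +495,9 @@ void TokenDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentia
                break;
        }
        }
+       DONE
 }
 
-
 //
 // Data access interface.
 //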
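Review bot: `TokenDbCommon::dbName()` now returns `const std::string &` bound directly to `token().printName()`, which is safe only if `printName()` itself returns a reference to storage owned by the token; if it returns `std::string` by value, the function hands back a reference to a destroyed temporary. `printName()` is not shown on this page, so its return type needs confirming. The old body copied the name, so callers could keep the result freely; with the matching declaration change in src/tokendatabase.h they must not hold the reference beyond the token's lifetime. A comment on the declaration, for example `// reference into the Token; valid only while the token exists`, would record that contract.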
index fa177a9d235f73744946ae27f68ab726144d8f26..60361c337a54dee3ed8ccb1580db967726044340 100644 (file)
@@ -59,7 +59,7 @@ public:
        Token &token() const;
        
        uint32 subservice() const { return token().subservice(); }
        Token &token() const;
        
        uint32 subservice() const { return token().subservice(); }
-       std::string dbName() const;
+       const std::string &dbName() const;
 
        Adornable &store();
        void resetAcls();
 
        Adornable &store();
        void resetAcls();