securityd-26232.tar.gz v26232
authorApple <opensource@apple.com>
Mon, 20 Feb 2006 21:39:56 +0000 (21:39 +0000)
committerApple <opensource@apple.com>
Mon, 20 Feb 2006 21:39:56 +0000 (21:39 +0000)
21 files changed:
securityd.xcode/project.pbxproj
src/acls.cpp
src/acls.h
src/agentquery.cpp
src/codesigdb.cpp
src/dbcrypto.cpp
src/dbcrypto.h
src/flippers.h
src/kcdatabase.cpp
src/kckey.cpp
src/main.cpp
src/notifications.cpp
src/server.h
src/session.cpp
src/session.h
src/structure.h
src/token.cpp
src/tokend.cpp
src/tokend.h
src/tokendatabase.cpp
src/tokendatabase.h

index b041ec51830e40e05fa428de9a0a844c21774b76..8c2be87590828609f440bd6a2bd811bb21345b97 100644 (file)
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
-                               CURRENT_PROJECT_VERSION = 25991;
+                               CURRENT_PROJECT_VERSION = 26232;
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
-                               OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
+                               OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
                                OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
                                OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
-                               OPT_INLINEXFLAGS = " -finline-functions --param max-inline-insns-single=150 --param max-inline-insns-auto=150 --param max-inline-insns=300 --param min-inline-insns=90";
+                               OPT_INLINEXFLAGS = "-finline-functions";
                                OPT_LDXFLAGS = "-dead_strip";
                                OPT_LDXNOPIC = ",_nopic";
                                OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
                                OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
                                OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
                                OPT_LDXFLAGS = "-dead_strip";
                                OPT_LDXNOPIC = ",_nopic";
                                OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
                                OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
                                OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
-                               OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline";
+                               OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O1 -fno-inline";
                                OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
                                OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
                                OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
                                OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
-                               OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline";
+                               OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
                                OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
                                OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
                                OTHER_LDFLAGS = "-lbsm";
                                OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
                                OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
                                OTHER_LDFLAGS = "-lbsm";
                                OPT_LDFLAGS = "";
                                OPT_LDXFLAGS = "";
                                OPT_LDXNOPIC = "";
                                OPT_LDFLAGS = "";
                                OPT_LDXFLAGS = "";
                                OPT_LDXNOPIC = "";
-                               OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O0 -fno-inline";
-                               OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline";
+                               OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O1 -fno-inline";
+                               OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
                        };
                        isa = PBXBuildStyle;
                        name = "normal with debug";
                        };
                        isa = PBXBuildStyle;
                        name = "normal with debug";
index f820d00aca1d93cd7870b3497cc2b92185557c2a..aa2524a21ac71e91e597864bd4acaa07c6c44dd1 100644 (file)
@@ -187,6 +187,9 @@ ObjectAcl *SecurityServerEnvironment::preAuthSource()
 //
 // The default AclSource denies having an ACL at all
 //
 //
 // The default AclSource denies having an ACL at all
 //
+AclSource::~AclSource()
+{ /* virtual */ }
+
 SecurityServerAcl &AclSource::acl()
 {
        CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
 SecurityServerAcl &AclSource::acl()
 {
        CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
index 3a8453e550ce091540aad0e31ced03e9615f34f1..daa5ed01b84dfe13d4b486520cb6e6d8b48e2da7 100644 (file)
@@ -118,6 +118,7 @@ public:
 class AclSource {
 protected:
        AclSource() { }
 class AclSource {
 protected:
        AclSource() { }
+       virtual ~AclSource();
        
 public:
        virtual SecurityServerAcl &acl();       // defaults to "no ACL; throw exception"
        
 public:
        virtual SecurityServerAcl &acl();       // defaults to "no ACL; throw exception"
index 1876642b44ca09f84393bd500696ca22606e7893..9878249a3acd2d5567c6146482dd9fbee84a17fb 100644 (file)
@@ -242,7 +242,7 @@ Reason QueryKeychainUse::queryUser (const char *database, const char *descriptio
        
        if (mPassphraseCheck)
        {
        
        if (mPassphraseCheck)
        {
-               create("builtin", "confirm-access-password", NULL);
+               create("builtin", "confirm-access-password", noSecuritySession);
                
                CssmAutoData data(Allocator::standard(Allocator::sensitive));
 
                
                CssmAutoData data(Allocator::standard(Allocator::sensitive));
 
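Review bot: The third argument to `create()` changes from `NULL` to `noSecuritySession` here and at the eight other call sites in this file, but neither the constant's definition nor a commit description is on the page. A reader therefore cannot tell whether this alters which session hosts the passphrase prompt or only gives the same value a typed name. A one-line comment at the first call, e.g. `// noSecuritySession: <which session the agent prompt is created in>`, would settle that. queryUser's body extends beyond this hunk.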
@@ -280,7 +280,7 @@ Reason QueryKeychainUse::queryUser (const char *database, const char *descriptio
        }
        else
        {
        }
        else
        {
-               create("builtin", "confirm-access", NULL);
+               create("builtin", "confirm-access", noSecuritySession);
         setInput(hints, context);
                invoke();
        }
         setInput(hints, context);
                invoke();
        }
@@ -322,7 +322,7 @@ bool QueryCodeCheck::operator () (const char *aclPath)
        
        hints.insert(AuthItemRef(AGENT_HINT_APPLICATION_PATH, AuthValueOverlay(strlen(aclPath), const_cast<char*>(aclPath))));
        
        
        hints.insert(AuthItemRef(AGENT_HINT_APPLICATION_PATH, AuthValueOverlay(strlen(aclPath), const_cast<char*>(aclPath))));
        
-       create("builtin", "code-identity", NULL);
+       create("builtin", "code-identity", noSecuritySession);
 
     setInput(hints, context);
        status = invoke();
 
     setInput(hints, context);
        status = invoke();
@@ -366,7 +366,7 @@ Reason QueryOld::query()
 
        hints.insert(mClientHints.begin(), mClientHints.end());
 
 
        hints.insert(mClientHints.begin(), mClientHints.end());
 
-       create("builtin", "unlock-keychain", NULL);
+       create("builtin", "unlock-keychain", noSecuritySession);
 
        do
        {
 
        do
        {
@@ -478,10 +478,10 @@ Reason QueryNewPassphrase::query()
     switch (initialReason)
     {
         case SecurityAgent::newDatabase: 
     switch (initialReason)
     {
         case SecurityAgent::newDatabase: 
-            create("builtin", "new-passphrase", NULL);
+            create("builtin", "new-passphrase", noSecuritySession);
             break;
         case SecurityAgent::changePassphrase:
             break;
         case SecurityAgent::changePassphrase:
-            create("builtin", "change-passphrase", NULL);
+            create("builtin", "change-passphrase", noSecuritySession);
             break;
         default:
             assert(false);
             break;
         default:
             assert(false);
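Review bot: The `default: assert(false);` arm of the switch in QueryNewPassphrase::query guards debug builds only. The project file in this commit puts `-DNDEBUG` into the normal variant's flags, so, assuming this is the standard assert, a release build with an unexpected initialReason skips `create(...)` and carries on into code outside this hunk. The same pattern matters more in `assert(mHaveMaster)` at the top of DatabaseCryptoCore::decodeCore (src/dbcrypto.cpp) and in `assert(it != this->end())` in PortMap::get (src/structure.h), where a release build would pass an uninstalled mMasterKey to the decryptor or dereference the end iterator. I would replace each with a runtime check that throws, for example `if (!mHaveMaster) CssmError::throwMe(/* error code chosen by the maintainers */);`.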
@@ -597,11 +597,11 @@ Reason QueryGenericPassphrase::query(const char *prompt, bool verify,
     // CSSM_ATTRIBUTE_ALERT_TITLE (optional alert panel title)
        
     if (false == verify) {  // import
     // CSSM_ATTRIBUTE_ALERT_TITLE (optional alert panel title)
        
     if (false == verify) {  // import
-               create("builtin", "generic-unlock", NULL);
+               create("builtin", "generic-unlock", noSecuritySession);
     } else {           // verify passphrase (export)
                                        // new-passphrase-generic works with the pre-4 June 2004 agent; 
                                        // generic-new-passphrase is required for the new agent
     } else {           // verify passphrase (export)
                                        // new-passphrase-generic works with the pre-4 June 2004 agent; 
                                        // generic-new-passphrase is required for the new agent
-               create("builtin", "generic-new-passphrase", NULL);
+               create("builtin", "generic-new-passphrase", noSecuritySession);
     }
     
     AuthItem *passwordItem;
     }
     
     AuthItem *passwordItem;
@@ -652,7 +652,7 @@ Reason QueryDBBlobSecret::query(DatabaseCryptoCore &dbCore, const DbBlob *secret
        
     hints.insert(mClientHints.begin(), mClientHints.end());
        
        
     hints.insert(mClientHints.begin(), mClientHints.end());
        
-       create("builtin", "generic-unlock-kcblob", NULL);
+       create("builtin", "generic-unlock-kcblob", noSecuritySession);
     
     AuthItem *secretItem;
     
     
     AuthItem *secretItem;
     
index d8094fa3d89dacf19bca228edc53aaab2c905ea0..4ff3d6490680958d5ccbbe6150c22110301d403a 100644 (file)
@@ -116,7 +116,8 @@ CodeSignatures::~CodeSignatures()
 void CodeSignatures::open(const char *path)
 {
        mDb.open(path, O_RDWR | O_CREAT, 0644);
 void CodeSignatures::open(const char *path)
 {
        mDb.open(path, O_RDWR | O_CREAT, 0644);
-       mDb.flush();
+       if (mDb)
+               mDb.flush();
        IFDUMPING("equiv", debugDump("reopen"));
 }
 
        IFDUMPING("equiv", debugDump("reopen"));
 }
 
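Review bot: A failed open is now silent: in CodeSignatures::open, `if (mDb) mDb.flush();` skips the flush and returns normally, and the only trace anywhere in this commit is the `secdebug` in verify(), which is presumably absent from release builds. From then on find() and verify() answer false and makeLink()/removeLink() throw ENOENT, so code-identity decisions change with nothing in the log to explain why. I would record the failure where it happens, e.g. `else Syslog::notice("cannot open code equivalence database %s", path);`, assuming the Syslog facility used in src/main.cpp is reachable from this file.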
@@ -144,6 +145,8 @@ string CodeSignatures::Identity::canonicalName(const string &path)
 //
 bool CodeSignatures::find(Identity &id, uid_t user)
 {
 //
 bool CodeSignatures::find(Identity &id, uid_t user)
 {
+       if (!mDb)
+               return false;
        if (id.mState != Identity::untried)
                return id.mState == Identity::valid;
        try {
        if (id.mState != Identity::untried)
                return id.mState == Identity::valid;
        try {
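Review bot: The new `if (!mDb) return false;` in CodeSignatures::find sits above the cached-state test, so an Identity whose mState is already `valid` is reported as not found once the database is unavailable. If that stricter answer is intended, a comment saying so would help; if not, moving the guard below `if (id.mState != Identity::untried)` keeps answers for already-resolved identities stable. The rest of find() lies outside this hunk.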
@@ -171,6 +174,8 @@ bool CodeSignatures::find(Identity &id, uid_t user)
 
 void CodeSignatures::makeLink(Identity &id, const string &ident, bool forUser, uid_t user)
 {
 
 void CodeSignatures::makeLink(Identity &id, const string &ident, bool forUser, uid_t user)
 {
+       if (!mDb)
+               UnixError::throwMe(ENOENT);
        DbKey key('H', id.getHash(mSigner), forUser, user);
        if (!mDb.put(key, StringData(ident)))
                UnixError::throwMe();
        DbKey key('H', id.getHash(mSigner), forUser, user);
        if (!mDb.put(key, StringData(ident)))
                UnixError::throwMe();
@@ -214,6 +219,8 @@ void CodeSignatures::addLink(const CssmData &oldHash, const CssmData &newHash,
 
 void CodeSignatures::removeLink(const CssmData &hash, const char *name, bool forSystem)
 {
 
 void CodeSignatures::removeLink(const CssmData &hash, const char *name, bool forSystem)
 {
+       if (!mDb)
+               UnixError::throwMe(ENOENT);
        AclIdentity code(hash, name);
        uid_t user = Server::process().uid();
        if (forSystem && user)  // only root user can remove forSystem links
        AclIdentity code(hash, name);
        uid_t user = Server::process().uid();
        if (forSystem && user)  // only root user can remove forSystem links
@@ -252,6 +259,12 @@ bool CodeSignatures::verify(Process &process,
                return false;
        }
        
                return false;
        }
        
+       // don't bother the user if the db is MIA
+       if (!mDb) {
+               secdebug("codesign", "database not open; cannot verify");
+               return false;
+       }
+       
        // ah well. Establish mediator objects for database signature links
        AclIdentity aclIdentity(trustedSignature, comment ? comment->interpretedAs<const char>() : NULL);
 
        // ah well. Establish mediator objects for database signature links
        AclIdentity aclIdentity(trustedSignature, comment ? comment->interpretedAs<const char>() : NULL);
 
@@ -302,7 +315,7 @@ bool CodeSignatures::verify(Process &process,
                        return false;
                }
        }
                        return false;
                }
        }
-       
+
        // ask the user
        QueryCodeCheck query;
     query.inferHints(process);
        // ask the user
        QueryCodeCheck query;
     query.inferHints(process);
@@ -357,20 +370,24 @@ void CodeSignatures::debugDump(const char *how) const
        if (!how)
                how = "dump";
        CssmData key, value;
        if (!how)
                how = "dump";
        CssmData key, value;
-       if (!mDb.first(key, value)) {
-               dump("CODE EQUIVALENTS DATABASE IS EMPTY (%s)\n", how);
+       if (!mDb) {
+               dump("CODE EQUIVALENTS DATABASE IS NOT OPEN (%s)", how);
        } else {
        } else {
-               dump("CODE EQUIVALENTS DATABASE DUMP (%s)\n", how);
-               do {
-                       const char *header = key.interpretedAs<const char>();
-                       size_t headerLength = strlen(header) + 1;
-                       dump("%s:", header);
-                       dumpData(key.at(headerLength), key.length() - headerLength);
-                       dump(" => ");
-                       dumpData(value);
-                       dump("\n");
-               } while (mDb.next(key, value));
-               dump("END DUMP\n");
+               if (!mDb.first(key, value)) {
+                       dump("CODE EQUIVALENTS DATABASE IS EMPTY (%s)\n", how);
+               } else {
+                       dump("CODE EQUIVALENTS DATABASE DUMP (%s)\n", how);
+                       do {
+                               const char *header = key.interpretedAs<const char>();
+                               size_t headerLength = strlen(header) + 1;
+                               dump("%s:", header);
+                               dumpData(key.at(headerLength), key.length() - headerLength);
+                               dump(" => ");
+                               dumpData(value);
+                               dump("\n");
+                       } while (mDb.next(key, value));
+                       dump("END DUMP\n");
+               }
        }
 }
 
        }
 }
 
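Review bot: The new message `dump("CODE EQUIVALENTS DATABASE IS NOT OPEN (%s)", how);` lacks the trailing `\n` that every other message in CodeSignatures::debugDump carries, so the next debug output runs on in the same line; it should read `dump("CODE EQUIVALENTS DATABASE IS NOT OPEN (%s)\n", how);`. While the loop is being re-indented, note that `strlen(header)` trusts the stored key to contain a NUL: a key without one is read past its end and `key.length() - headerLength` wraps around. Locating the NUL with a bounded search and checking `headerLength <= key.length()` before calling `dumpData` would make the dump safe on a damaged database.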
index b8506535da0dde1d6ae0a8f52f26bc3b32e27310..5054f85d1d6f71605795223fdda52c108599f1ac 100644 (file)
@@ -238,7 +238,7 @@ DbBlob *DatabaseCryptoCore::encodeCore(const DbBlob &blobTemplate,
 // Throws exceptions if decoding fails.
 // Memory returned in privateAclBlob is allocated and becomes owned by caller.
 //
 // Throws exceptions if decoding fails.
 // Memory returned in privateAclBlob is allocated and becomes owned by caller.
 //
-void DatabaseCryptoCore::decodeCore(DbBlob *blob, void **privateAclBlob)
+void DatabaseCryptoCore::decodeCore(const DbBlob *blob, void **privateAclBlob)
 {
        assert(mHaveMaster);    // must have master key installed
     
 {
        assert(mHaveMaster);    // must have master key installed
     
@@ -247,8 +247,8 @@ void DatabaseCryptoCore::decodeCore(DbBlob *blob, void **privateAclBlob)
     decryptor.mode(CSSM_ALGMODE_CBCPadIV8);
     decryptor.padding(CSSM_PADDING_PKCS1);
     decryptor.key(mMasterKey);
     decryptor.mode(CSSM_ALGMODE_CBCPadIV8);
     decryptor.padding(CSSM_PADDING_PKCS1);
     decryptor.key(mMasterKey);
-    CssmData ivd(blob->iv, sizeof(blob->iv)); decryptor.initVector(ivd);
-    CssmData cryptoBlob(blob->cryptoBlob(), blob->cryptoBlobLength());
+    CssmData ivd = CssmData::wrap(blob->iv); decryptor.initVector(ivd);
+    CssmData cryptoBlob = CssmData::wrap(blob->cryptoBlob(), blob->cryptoBlobLength());
     CssmData decryptedBlob, remData;
     decryptor.decrypt(cryptoBlob, decryptedBlob, remData);
     DbBlob::PrivateBlob *privateBlob = decryptedBlob.interpretedAs<DbBlob::PrivateBlob>();
     CssmData decryptedBlob, remData;
     decryptor.decrypt(cryptoBlob, decryptedBlob, remData);
     DbBlob::PrivateBlob *privateBlob = decryptedBlob.interpretedAs<DbBlob::PrivateBlob>();
@@ -263,8 +263,8 @@ void DatabaseCryptoCore::decodeCore(DbBlob *blob, void **privateAclBlob)
     
     // verify signature on the whole blob
     CssmData signChunk[] = {
     
     // verify signature on the whole blob
     CssmData signChunk[] = {
-               CssmData(blob->data(), fieldOffsetOf(&DbBlob::blobSignature)),
-       CssmData(blob->publicAclBlob(), blob->publicAclBlobLength() + blob->cryptoBlobLength())
+               CssmData::wrap(blob->data(), fieldOffsetOf(&DbBlob::blobSignature)),
+       CssmData::wrap(blob->publicAclBlob(), blob->publicAclBlobLength() + blob->cryptoBlobLength())
        };
     CSSM_ALGORITHMS verifyAlgorithm = CSSM_ALGID_SHA1HMAC;
 #if defined(COMPAT_OSX_10_0)
        };
     CSSM_ALGORITHMS verifyAlgorithm = CSSM_ALGID_SHA1HMAC;
 #if defined(COMPAT_OSX_10_0)
@@ -273,7 +273,7 @@ void DatabaseCryptoCore::decodeCore(DbBlob *blob, void **privateAclBlob)
 #endif
     VerifyMac verifier(Server::csp(), verifyAlgorithm);
     verifier.key(mSigningKey);
 #endif
     VerifyMac verifier(Server::csp(), verifyAlgorithm);
     verifier.key(mSigningKey);
-    verifier.verify(signChunk, 2, CssmData(blob->blobSignature, sizeof(blob->blobSignature)));
+    verifier.verify(signChunk, 2, CssmData::wrap(blob->blobSignature));
     
     // all checks out; start extracting fields
     if (privateAclBlob) {
     
     // all checks out; start extracting fields
     if (privateAclBlob) {
index 3067b70e0f81768da28ce8329bfc4bddd5203b47..16d42e3f00cd6798dc16af39b348f2e8f4628377 100644 (file)
@@ -55,7 +55,7 @@ public:
        void setup(const DbBlob *blob, const CssmData &passphrase);
        void setup(const DbBlob *blob, CssmClient::Key master);
 
        void setup(const DbBlob *blob, const CssmData &passphrase);
        void setup(const DbBlob *blob, CssmClient::Key master);
 
-    void decodeCore(DbBlob *blob, void **privateAclBlob = NULL);
+    void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
     DbBlob *encodeCore(const DbBlob &blobTemplate,
         const CssmData &publicAcl, const CssmData &privateAcl) const;
        void importSecrets(const DatabaseCryptoCore &src);
     DbBlob *encodeCore(const DbBlob &blobTemplate,
         const CssmData &publicAcl, const CssmData &privateAcl) const;
        void importSecrets(const DatabaseCryptoCore &src);
index 6e437c0035caa8b69078cf26ffb8380c6fa0efda..a3cc1ab9bedc1ef79a0691eb24bea559f7dec141 100644 (file)
@@ -56,8 +56,7 @@ inline void flip(T &obj)
 // It's a bad idea to try to flip a const, so flag that
 //
 template <class T>
 // It's a bad idea to try to flip a const, so flag that
 //
 template <class T>
-inline void flip(const T &)
-{ tryingToFlipAConstWontWork(); }
+inline void flip(const T &);
 
 
 //
 
 
 //
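Review bot: The const overload `inline void flip(const T &);` is now declared and never defined, so misuse shows up as an unresolved-symbol error at link time rather than at the offending call site, and an `inline` function that is used but never defined may also draw a compiler warning. The existing comment only says "flag that". I would extend it to state that the definition is omitted on purpose, e.g. `// Deliberately declared but not defined: flipping a const object must fail to link.`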
index 8f723c5609e72c415dd913f7460c0c6629fcfe74..32160b54869062b69b567bc2265085e30de8176d 100644 (file)
@@ -878,10 +878,10 @@ void KeychainDatabase::validateBlob(const DbBlob *blob)
        blob->validate(CSSMERR_APPLEDL_INVALID_DATABASE_BLOB);
        switch (blob->version()) {
 #if defined(COMPAT_OSX_10_0)
        blob->validate(CSSMERR_APPLEDL_INVALID_DATABASE_BLOB);
        switch (blob->version()) {
 #if defined(COMPAT_OSX_10_0)
-               case blob->version_MacOS_10_0:
+               case DbBlob::version_MacOS_10_0:
                        break;
 #endif
                        break;
 #endif
-               case blob->version_MacOS_10_1:
+               case DbBlob::version_MacOS_10_1:
                        break;
                default:
                        CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB);
                        break;
                default:
                        CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB);
index 780f8cc749ee0c6f775dfa6e980fef5f99e8302e..3a5e8bdb19dfd3b95bd1c5cfb8ef4fa8ba426c1a 100644 (file)
@@ -43,10 +43,10 @@ KeychainKey::KeychainKey(Database &db, const KeyBlob *blob)
     blob->validate(CSSMERR_APPLEDL_INVALID_KEY_BLOB);
     switch (blob->version()) {
 #if defined(COMPAT_OSX_10_0)
     blob->validate(CSSMERR_APPLEDL_INVALID_KEY_BLOB);
     switch (blob->version()) {
 #if defined(COMPAT_OSX_10_0)
-    case blob->version_MacOS_10_0:
+    case KeyBlob::version_MacOS_10_0:
         break;
 #endif
         break;
 #endif
-    case blob->version_MacOS_10_1:
+    case KeyBlob::version_MacOS_10_1:
         break;
     default:
         CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB);
         break;
     default:
         CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB);
index 2208882c4b92a2d5d7d8c7808b50057b78ca7139..5b47f5ee3566f096fade24e7793b7d9e909fa88e 100644 (file)
@@ -64,7 +64,6 @@
 #include <security_cdsa_utilities/acl_preauth.h>
 #include "acl_keychain.h"
 
 #include <security_cdsa_utilities/acl_preauth.h>
 #include "acl_keychain.h"
 
-
 //
 // Local functions of the main program driver
 //
 //
 // Local functions of the main program driver
 //
@@ -261,7 +260,7 @@ int main(int argc, char *argv[])
     
     // install MDS and initialize the local CSSM
     server.loadCssm();
     
     // install MDS and initialize the local CSSM
     server.loadCssm();
-    
+
        // okay, we're ready to roll
        Syslog::notice("Entering service");
        secdebug("SS", "%s initialized", bootstrapName);
        // okay, we're ready to roll
        Syslog::notice("Entering service");
        secdebug("SS", "%s initialized", bootstrapName);
index 0ac6a36fb6d87f0e1a18070b9c72d3ea6bd9ab6f..ebee947e35423b3cac0f528b8c7f27fe467359eb 100644 (file)
@@ -29,7 +29,6 @@
 #include "server.h"
 #include <securityd_client/ucspNotify.h>
 
 #include "server.h"
 #include <securityd_client/ucspNotify.h>
 
-
 Listener::ListenerMap Listener::listeners;
 Mutex Listener::setLock;
 
 Listener::ListenerMap Listener::listeners;
 Mutex Listener::setLock;
 
@@ -116,7 +115,7 @@ void ProcessListener::notifyMe(NotificationDomain domain,
 {
     secdebug("notify", "%p sending domain %ld event 0x%lx to port %d process %d",
         this, domain, event, mPort.port(), process.pid());
 {
     secdebug("notify", "%p sending domain %ld event 0x%lx to port %d process %d",
         this, domain, event, mPort.port(), process.pid());
-    
+
     // send mach message (via MIG simpleroutine)
     if (IFDEBUG(kern_return_t rc =) ucsp_notify_sender_notify(mPort,
         domain, event, data.data(), data.length(),
     // send mach message (via MIG simpleroutine)
     if (IFDEBUG(kern_return_t rc =) ucsp_notify_sender_notify(mPort,
         domain, event, data.data(), data.length(),
index 80c099281428bed2ca6f1d68cb91944b6d28924c..011a649fc95a6dfa1d16a0bd1182b93cc083f812 100644 (file)
@@ -114,11 +114,11 @@ public:
        static AclSource &aclBearer(AclKind kind, CSSM_HANDLE handle);
        
        // Generic version of handle lookup
        static AclSource &aclBearer(AclKind kind, CSSM_HANDLE handle);
        
        // Generic version of handle lookup
-       template <class Type>
-       static RefPointer<Type> find(CSSM_HANDLE handle, CSSM_RETURN notFoundError)
+       template <class ProcessBearer>
+       static RefPointer<ProcessBearer> find(CSSM_HANDLE handle, CSSM_RETURN notFoundError)
        {
        {
-               RefPointer<Type> object = 
-                       HandleObject::findRef<Type>(handle, notFoundError);
+               RefPointer<ProcessBearer> object = 
+                       HandleObject::findRef<ProcessBearer>(handle, notFoundError);
                if (object->process() != Server::process())
                        CssmError::throwMe(notFoundError);
                return object;
                if (object->process() != Server::process())
                        CssmError::throwMe(notFoundError);
                return object;
index 6bd0abf05b0e0266a6dd8504a2194e3b39eeed6c..7cabc913cbebd61d89e124dfc85a26e759b2d0d3 100644 (file)
@@ -485,6 +485,7 @@ OSStatus Session::authorizationdbRemove(const AuthorizationBlob &authBlob, Autho
 void Session::mergeCredentials(CredentialSet &creds)
 {
     secdebug("SSsession", "%p merge creds @%p", this, &creds);
 void Session::mergeCredentials(CredentialSet &creds)
 {
     secdebug("SSsession", "%p merge creds @%p", this, &creds);
+       CredentialSet updatedCredentials = creds;
        for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++)
                if (((*it)->isShared() && (*it)->isValid())) {
                        CredentialSet::iterator old = mSessionCreds.find(*it);
        for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++)
                if (((*it)->isShared() && (*it)->isValid())) {
                        CredentialSet::iterator old = mSessionCreds.find(*it);
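Review bot: The new `CredentialSet updatedCredentials = creds;` has no comment saying why the input set is copied, and the surviving comment in the next hunk still says the replacement happens "in input set". The reason appears to be that the old `creds.erase(it)` invalidated the iterator driving the loop. A line such as `// edit a copy: erasing from creds here would invalidate the loop iterator` above the copy, plus a reworded later comment, would keep the next maintainer from folding it back. The copy is made on every call even when nothing is replaced; if that matters, collecting the replacements and applying them after the loop avoids it. The function body spans this hunk and the next.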
@@ -493,10 +494,11 @@ void Session::mergeCredentials(CredentialSet &creds)
             } else {
                 // replace "new" with "old" in input set to retain synchronization
                                (*old)->merge(**it);
             } else {
                 // replace "new" with "old" in input set to retain synchronization
                                (*old)->merge(**it);
-                creds.erase(it);
-                creds.insert(*old);
+                updatedCredentials.erase(*it);
+                updatedCredentials.insert(*old);
             }
                }
             }
                }
+       creds.swap(updatedCredentials);
 }
 
 
 }
 
 
index b252964e8ffddfef2592facab6bf92e863904cdf..7799cc4dc028f4cf6a45e3ec113c35c5e4f751ab 100644 (file)
@@ -139,7 +139,7 @@ protected:
        
        void kill();
        
        
        void kill();
        
-private:
+protected:
        static PortMap<Session> mSessions;
 };
 
        static PortMap<Session> mSessions;
 };
 
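Review bot: Changing `private:` to `protected:` exposes the static `mSessions` map itself to every subclass of Session, which can then insert or erase entries directly. PortMap derives from Mutex (src/structure.h), so whatever locking discipline Session applies around the map is now something each subclass has to repeat. If subclasses only need lookups, a protected accessor that wraps the access would keep the map private; otherwise a comment naming the subclass that needs it and the locking it must do would document the wider access.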
index 2be75278203ba0b3a53b6c69da3cd3f3ae2e87c8..66f0d927b078e6a63b93ebbd1a8e1825a6f5b6b6 100644 (file)
@@ -222,24 +222,24 @@ template <class Node>
 class PortMap : public Mutex, public std::map<Port, RefPointer<Node> > {
        typedef std::map<Port, RefPointer<Node> > _Map;
 public:
 class PortMap : public Mutex, public std::map<Port, RefPointer<Node> > {
        typedef std::map<Port, RefPointer<Node> > _Map;
 public:
-       bool contains(mach_port_t port) const   { return find(port) != end(); }
+       bool contains(mach_port_t port) const   { return this->find(port) != this->end(); }
        Node *getOpt(mach_port_t port) const
        {
        Node *getOpt(mach_port_t port) const
        {
-               typename _Map::const_iterator it = find(port);
-               return (it == end()) ? NULL : it->second;
+               typename _Map::const_iterator it = this->find(port);
+               return (it == this->end()) ? NULL : it->second;
        }
        
        Node *get(mach_port_t port) const
        {
        }
        
        Node *get(mach_port_t port) const
        {
-               typename _Map::const_iterator it = find(port);
-               assert(it != end());
+               typename _Map::const_iterator it = this->find(port);
+               assert(it != this->end());
                return it->second;
        }
        
        Node *get(mach_port_t port, OSStatus error) const
        {
                return it->second;
        }
        
        Node *get(mach_port_t port, OSStatus error) const
        {
-               typename _Map::const_iterator it = find(port);
-               if (it == end())
+               typename _Map::const_iterator it = this->find(port);
+               if (it == this->end())
                        MacOSError::throwMe(error);
                return it->second;
        }
                        MacOSError::throwMe(error);
                return it->second;
        }
@@ -250,7 +250,7 @@ public:
 template <class Node>
 void PortMap<Node>::dump()
 {
 template <class Node>
 void PortMap<Node>::dump()
 {
-       for (typename _Map::const_iterator it = begin(); it != end(); it++)
+       for (typename _Map::const_iterator it = this->begin(); it != this->end(); it++)
                it->second->dump();
 }
 
                it->second->dump();
 }
 
index faf7172139474aa56f3b0d55516fffb19465c7c5..1447bcfbcf3ec61dc3eb0dd61687efefe6bcdf35 100644 (file)
@@ -149,8 +149,8 @@ void Token::resetAcls()
        mResetLevel++;
        secdebug("token", "%p reset (level=%d, propagating to %ld common(s)",
                this, mResetLevel, mCommons.size());
        mResetLevel++;
        secdebug("token", "%p reset (level=%d, propagating to %ld common(s)",
                this, mResetLevel, mCommons.size());
-       for (CommonSet::const_iterator it = mCommons.begin(); it != mCommons.end(); it++)
-               RefPointer<TokenDbCommon>(*it)->resetAcls();
+       for (CommonSet::const_iterator it = mCommons.begin(); it != mCommons.end(); )
+               RefPointer<TokenDbCommon>(*it++)->resetAcls();
 }
 
 void Token::addCommon(TokenDbCommon &dbc)
 }
 
 void Token::addCommon(TokenDbCommon &dbc)
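Review bot: The loop in Token::resetAcls now advances the iterator inside the call expression, `RefPointer<TokenDbCommon>(*it++)->resetAcls();`, with nothing to say why. Presumably resetAcls() can remove the current element from mCommons, in which case the old `it++` in the for header stepped from an invalidated iterator; that deserves a comment such as `// advance first: resetAcls() may remove *it from mCommons`. The idiom only protects against removal of the current element, so if the callee can drop other members, iterating over a copy of mCommons would be the safer form.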
index 170761801c4b7eb161c6867ac4a49309e48267a4..350752fa20907b0e9f31675f336a80f24ac79ae5 100644 (file)
@@ -177,6 +177,13 @@ bool TokenDaemon::probe()
 }
 
 
 }
 
 
+//
+// FaultRelay
+//
+FaultRelay::~FaultRelay()
+{ /* virtual */ }
+
+
 //
 // Debug dump support
 //
 //
 // Debug dump support
 //
index 6e407ab6bdd32dfebd8901ede3b02478709c7d38..e4b808a5904338337025605cc7b1604428c64fcc 100644 (file)
@@ -41,6 +41,7 @@
 //
 class FaultRelay {
 public:
 //
 class FaultRelay {
 public:
+       virtual ~FaultRelay();
        virtual void relayFault(bool async) = 0;
 };
 
        virtual void relayFault(bool async) = 0;
 };
 
index fcbee16caef8bf50a1aad8f144a6ef49c9d3c229..f53f401d3cbc089513859d8f42d7454828a60e5e 100644 (file)
@@ -48,9 +48,9 @@ Token &TokenDbCommon::token() const
        return parent<Token>();
 }
 
        return parent<Token>();
 }
 
-string TokenDbCommon::dbName() const
+const std::string &TokenDbCommon::dbName() const
 {
 {
-       return token().printName().c_str();
+       return token().printName();
 }
 
 
 }
 
 
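Review bot: Returning `const std::string &` from TokenDbCommon::dbName() is only safe if Token::printName() itself returns a reference to storage that outlives the call; its declaration is not on this page. If printName() returns a std::string by value, `return token().printName();` binds the reference to a temporary and every caller reads a dangling string. Even when it does return a member reference, callers that used to receive their own copy now hold a view into the Token, so the result must not be kept past the token's lifetime. That is worth stating on the declaration in src/tokendatabase.h, e.g. `// reference into the Token; valid only while the token is alive`.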
index fa177a9d235f73744946ae27f68ab726144d8f26..60361c337a54dee3ed8ccb1580db967726044340 100644 (file)
@@ -59,7 +59,7 @@ public:
        Token &token() const;
        
        uint32 subservice() const { return token().subservice(); }
        Token &token() const;
        
        uint32 subservice() const { return token().subservice(); }
-       std::string dbName() const;
+       const std::string &dbName() const;
 
        Adornable &store();
        void resetAcls();
 
        Adornable &store();
        void resetAcls();