);
buildSettings = {
BUILD_VARIANTS = "normal debug";
- CURRENT_PROJECT_VERSION = 26674;
+ CURRENT_PROJECT_VERSION = 26692;
FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
INSTALL_PATH = /usr/sbin;
- OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
+ OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
- OPT_INLINEXFLAGS = "-finline-functions";
+ OPT_INLINEXFLAGS = " -finline-functions --param max-inline-insns-single=150 --param max-inline-insns-auto=150 --param max-inline-insns=300 --param min-inline-insns=90";
OPT_LDXFLAGS = "-dead_strip";
OPT_LDXNOPIC = ",_nopic";
OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
- OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O1 -fno-inline";
+ OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline";
OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
- OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline";
OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
OTHER_LDFLAGS = "-lbsm";
OPT_LDFLAGS = "";
OPT_LDXFLAGS = "";
OPT_LDXNOPIC = "";
- OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O1 -fno-inline";
- OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
+ OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O0 -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline";
};
isa = PBXBuildStyle;
name = "normal with debug";
//
// The default AclSource denies having an ACL at all
//
-AclSource::~AclSource()
-{ /* virtual */ }
-
SecurityServerAcl &AclSource::acl()
{
CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
class AclSource {
protected:
AclSource() { }
- virtual ~AclSource();
public:
virtual SecurityServerAcl &acl(); // defaults to "no ACL; throw exception"
if (mPassphraseCheck)
{
- create("builtin", "confirm-access-password", noSecuritySession);
+ create("builtin", "confirm-access-password", NULL);
CssmAutoData data(Allocator::standard(Allocator::sensitive));
}
else
{
- create("builtin", "confirm-access", noSecuritySession);
+ create("builtin", "confirm-access", NULL);
setInput(hints, context);
invoke();
}
hints.insert(AuthItemRef(AGENT_HINT_APPLICATION_PATH, AuthValueOverlay(strlen(aclPath), const_cast<char*>(aclPath))));
- create("builtin", "code-identity", noSecuritySession);
+ create("builtin", "code-identity", NULL);
setInput(hints, context);
status = invoke();
hints.insert(mClientHints.begin(), mClientHints.end());
- create("builtin", "unlock-keychain", noSecuritySession);
+ create("builtin", "unlock-keychain", NULL);
do
{
switch (initialReason)
{
case SecurityAgent::newDatabase:
- create("builtin", "new-passphrase", noSecuritySession);
+ create("builtin", "new-passphrase", NULL);
break;
case SecurityAgent::changePassphrase:
- create("builtin", "change-passphrase", noSecuritySession);
+ create("builtin", "change-passphrase", NULL);
break;
default:
assert(false);
// CSSM_ATTRIBUTE_ALERT_TITLE (optional alert panel title)
if (false == verify) { // import
- create("builtin", "generic-unlock", noSecuritySession);
+ create("builtin", "generic-unlock", NULL);
} else { // verify passphrase (export)
// new-passphrase-generic works with the pre-4 June 2004 agent;
// generic-new-passphrase is required for the new agent
- create("builtin", "generic-new-passphrase", noSecuritySession);
+ create("builtin", "generic-new-passphrase", NULL);
}
AuthItem *passwordItem;
hints.insert(mClientHints.begin(), mClientHints.end());
- create("builtin", "generic-unlock-kcblob", noSecuritySession);
+ create("builtin", "generic-unlock-kcblob", NULL);
AuthItem *secretItem;
void CodeSignatures::open(const char *path)
{
mDb.open(path, O_RDWR | O_CREAT, 0644);
- if (mDb)
- mDb.flush();
+ mDb.flush();
IFDUMPING("equiv", debugDump("reopen"));
}
//
bool CodeSignatures::find(Identity &id, uid_t user)
{
- if (!mDb)
- return false;
if (id.mState != Identity::untried)
return id.mState == Identity::valid;
try {
void CodeSignatures::makeLink(Identity &id, const string &ident, bool forUser, uid_t user)
{
- if (!mDb)
- UnixError::throwMe(ENOENT);
DbKey key('H', id.getHash(mSigner), forUser, user);
if (!mDb.put(key, StringData(ident)))
UnixError::throwMe();
void CodeSignatures::removeLink(const CssmData &hash, const char *name, bool forSystem)
{
- if (!mDb)
- UnixError::throwMe(ENOENT);
AclIdentity code(hash, name);
uid_t user = Server::process().uid();
if (forSystem && user) // only root user can remove forSystem links
return false;
}
- // don't bother the user if the db is MIA
- if (!mDb) {
- secdebug("codesign", "database not open; cannot verify");
- return false;
- }
-
// ah well. Establish mediator objects for database signature links
AclIdentity aclIdentity(trustedSignature, comment ? comment->interpretedAs<const char>() : NULL);
return false;
}
}
-
+
// ask the user
QueryCodeCheck query;
query.inferHints(process);
if (!how)
how = "dump";
CssmData key, value;
- if (!mDb) {
- dump("CODE EQUIVALENTS DATABASE IS NOT OPEN (%s)", how);
+ if (!mDb.first(key, value)) {
+ dump("CODE EQUIVALENTS DATABASE IS EMPTY (%s)\n", how);
} else {
- if (!mDb.first(key, value)) {
- dump("CODE EQUIVALENTS DATABASE IS EMPTY (%s)\n", how);
- } else {
- dump("CODE EQUIVALENTS DATABASE DUMP (%s)\n", how);
- do {
- const char *header = key.interpretedAs<const char>();
- size_t headerLength = strlen(header) + 1;
- dump("%s:", header);
- dumpData(key.at(headerLength), key.length() - headerLength);
- dump(" => ");
- dumpData(value);
- dump("\n");
- } while (mDb.next(key, value));
- dump("END DUMP\n");
- }
+ dump("CODE EQUIVALENTS DATABASE DUMP (%s)\n", how);
+ do {
+ const char *header = key.interpretedAs<const char>();
+ size_t headerLength = strlen(header) + 1;
+ dump("%s:", header);
+ dumpData(key.at(headerLength), key.length() - headerLength);
+ dump(" => ");
+ dumpData(value);
+ dump("\n");
+ } while (mDb.next(key, value));
+ dump("END DUMP\n");
}
}
// Throws exceptions if decoding fails.
// Memory returned in privateAclBlob is allocated and becomes owned by caller.
//
-void DatabaseCryptoCore::decodeCore(const DbBlob *blob, void **privateAclBlob)
+void DatabaseCryptoCore::decodeCore(DbBlob *blob, void **privateAclBlob)
{
assert(mHaveMaster); // must have master key installed
decryptor.mode(CSSM_ALGMODE_CBCPadIV8);
decryptor.padding(CSSM_PADDING_PKCS1);
decryptor.key(mMasterKey);
- CssmData ivd = CssmData::wrap(blob->iv); decryptor.initVector(ivd);
- CssmData cryptoBlob = CssmData::wrap(blob->cryptoBlob(), blob->cryptoBlobLength());
+ CssmData ivd(blob->iv, sizeof(blob->iv)); decryptor.initVector(ivd);
+ CssmData cryptoBlob(blob->cryptoBlob(), blob->cryptoBlobLength());
CssmData decryptedBlob, remData;
decryptor.decrypt(cryptoBlob, decryptedBlob, remData);
DbBlob::PrivateBlob *privateBlob = decryptedBlob.interpretedAs<DbBlob::PrivateBlob>();
// verify signature on the whole blob
CssmData signChunk[] = {
- CssmData::wrap(blob->data(), fieldOffsetOf(&DbBlob::blobSignature)),
- CssmData::wrap(blob->publicAclBlob(), blob->publicAclBlobLength() + blob->cryptoBlobLength())
+ CssmData(blob->data(), fieldOffsetOf(&DbBlob::blobSignature)),
+ CssmData(blob->publicAclBlob(), blob->publicAclBlobLength() + blob->cryptoBlobLength())
};
CSSM_ALGORITHMS verifyAlgorithm = CSSM_ALGID_SHA1HMAC;
#if defined(COMPAT_OSX_10_0)
#endif
VerifyMac verifier(Server::csp(), verifyAlgorithm);
verifier.key(mSigningKey);
- verifier.verify(signChunk, 2, CssmData::wrap(blob->blobSignature));
+ verifier.verify(signChunk, 2, CssmData(blob->blobSignature, sizeof(blob->blobSignature)));
// all checks out; start extracting fields
if (privateAclBlob) {
void setup(const DbBlob *blob, const CssmData &passphrase);
void setup(const DbBlob *blob, CssmClient::Key master);
- void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
+ void decodeCore(DbBlob *blob, void **privateAclBlob = NULL);
DbBlob *encodeCore(const DbBlob &blobTemplate,
const CssmData &publicAcl, const CssmData &privateAcl) const;
void importSecrets(const DatabaseCryptoCore &src);
// It's a bad idea to try to flip a const, so flag that
//
template <class T>
-inline void flip(const T &);
+inline void flip(const T &)
+{ tryingToFlipAConstWontWork(); }
//
blob->validate(CSSMERR_APPLEDL_INVALID_DATABASE_BLOB);
switch (blob->version()) {
#if defined(COMPAT_OSX_10_0)
- case DbBlob::version_MacOS_10_0:
+ case blob->version_MacOS_10_0:
break;
#endif
- case DbBlob::version_MacOS_10_1:
+ case blob->version_MacOS_10_1:
break;
default:
CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB);
blob->validate(CSSMERR_APPLEDL_INVALID_KEY_BLOB);
switch (blob->version()) {
#if defined(COMPAT_OSX_10_0)
- case KeyBlob::version_MacOS_10_0:
+ case blob->version_MacOS_10_0:
break;
#endif
- case KeyBlob::version_MacOS_10_1:
+ case blob->version_MacOS_10_1:
break;
default:
CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB);
#include <security_cdsa_utilities/acl_preauth.h>
#include "acl_keychain.h"
+
//
// Local functions of the main program driver
//
// install MDS and initialize the local CSSM
server.loadCssm();
-
+
// okay, we're ready to roll
Syslog::notice("Entering service");
secdebug("SS", "%s initialized", bootstrapName);
#include "server.h"
#include <securityd_client/ucspNotify.h>
+
Listener::ListenerMap Listener::listeners;
Mutex Listener::setLock;
{
secdebug("notify", "%p sending domain %ld event 0x%lx to port %d process %d",
this, domain, event, mPort.port(), process.pid());
-
+
// send mach message (via MIG simpleroutine)
if (IFDEBUG(kern_return_t rc =) ucsp_notify_sender_notify(mPort,
domain, event, data.data(), data.length(),
try {
secdebug("scsel", "%s", dev.path().c_str());
- // composite USB device with interface class
+ // composite USB device with interface class
if (CFRef<CFNumberRef> cfInterface = dev.property<CFNumberRef>("bInterfaceClass"))
switch (IFDEBUG(uint32 clas =) cfNumber(cfInterface)) {
case kUSBChipSmartCardInterfaceClass: // CCID smartcard reader - go
return impossible;
}
- // noncomposite USB device
+ // noncomposite USB device
if (CFRef<CFNumberRef> cfDevice = dev.property<CFNumberRef>("bDeviceClass"))
if (cfNumber(cfDevice) == kUSBVendorSpecificClass) {
secdebug("scsel", " Vendor-specific device - possible match");
return possible;
}
- // PCCard (aka PCMCIA aka ...) interface (don't know how to recognize a reader here)
- if (CFRef<CFStringRef> ioName = dev.property<CFStringRef>("IOName"))
- if (cfString(ioName).find("pccard", 0, 1) == 0) {
- secdebug("scsel", " PCCard - possible match");
- return possible;
- }
+ // PCCard (aka PCMCIA aka ...) interface (don't know how to recognize a reader here)
+ if (CFRef<CFStringRef> ioName = dev.property<CFStringRef>("IOName"))
+ if (cfString(ioName).find("pccard", 0, 1) == 0) {
+ secdebug("scsel", " PCCard - possible match");
+ return possible;
+ }
return impossible;
} catch (...) {
secdebug("scsel", " exception while examining device - ignoring it");
static AclSource &aclBearer(AclKind kind, CSSM_HANDLE handle);
// Generic version of handle lookup
- template <class ProcessBearer>
- static RefPointer<ProcessBearer> find(CSSM_HANDLE handle, CSSM_RETURN notFoundError)
+ template <class Type>
+ static RefPointer<Type> find(CSSM_HANDLE handle, CSSM_RETURN notFoundError)
{
- RefPointer<ProcessBearer> object =
- HandleObject::findRef<ProcessBearer>(handle, notFoundError);
+ RefPointer<Type> object =
+ HandleObject::findRef<Type>(handle, notFoundError);
if (object->process() != Server::process())
CssmError::throwMe(notFoundError);
return object;
void Session::mergeCredentials(CredentialSet &creds)
{
secdebug("SSsession", "%p merge creds @%p", this, &creds);
- CredentialSet updatedCredentials = creds;
for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++)
if (((*it)->isShared() && (*it)->isValid())) {
CredentialSet::iterator old = mSessionCreds.find(*it);
} else {
// replace "new" with "old" in input set to retain synchronization
(*old)->merge(**it);
- updatedCredentials.erase(*it);
- updatedCredentials.insert(*old);
+ creds.erase(it);
+ creds.insert(*old);
}
}
- creds.swap(updatedCredentials);
}
void kill();
-protected:
+private:
static PortMap<Session> mSessions;
};
class PortMap : public Mutex, public std::map<Port, RefPointer<Node> > {
typedef std::map<Port, RefPointer<Node> > _Map;
public:
- bool contains(mach_port_t port) const { return this->find(port) != this->end(); }
+ bool contains(mach_port_t port) const { return find(port) != end(); }
Node *getOpt(mach_port_t port) const
{
- typename _Map::const_iterator it = this->find(port);
- return (it == this->end()) ? NULL : it->second;
+ typename _Map::const_iterator it = find(port);
+ return (it == end()) ? NULL : it->second;
}
Node *get(mach_port_t port) const
{
- typename _Map::const_iterator it = this->find(port);
- assert(it != this->end());
+ typename _Map::const_iterator it = find(port);
+ assert(it != end());
return it->second;
}
Node *get(mach_port_t port, OSStatus error) const
{
- typename _Map::const_iterator it = this->find(port);
- if (it == this->end())
+ typename _Map::const_iterator it = find(port);
+ if (it == end())
MacOSError::throwMe(error);
return it->second;
}
template <class Node>
void PortMap<Node>::dump()
{
- for (typename _Map::const_iterator it = this->begin(); it != this->end(); it++)
+ for (typename _Map::const_iterator it = begin(); it != end(); it++)
it->second->dump();
}
mResetLevel++;
secdebug("token", "%p reset (level=%d, propagating to %ld common(s)",
this, mResetLevel, mCommons.size());
- for (CommonSet::const_iterator it = mCommons.begin(); it != mCommons.end(); )
- RefPointer<TokenDbCommon>(*it++)->resetAcls();
+ for (CommonSet::const_iterator it = mCommons.begin(); it != mCommons.end(); it++)
+ RefPointer<TokenDbCommon>(*it)->resetAcls();
}
void Token::addCommon(TokenDbCommon &dbc)
}
-//
-// FaultRelay
-//
-FaultRelay::~FaultRelay()
-{ /* virtual */ }
-
-
//
// Debug dump support
//
//
class FaultRelay {
public:
- virtual ~FaultRelay();
virtual void relayFault(bool async) = 0;
};
return parent<Token>();
}
-const std::string &TokenDbCommon::dbName() const
+string TokenDbCommon::dbName() const
{
- return token().printName();
+ return token().printName().c_str();
}
Token &token() const;
uint32 subservice() const { return token().subservice(); }
- const std::string &dbName() const;
+ std::string dbName() const;
Adornable &store();
void resetAcls();
projects / apple / securityd.git / commitdiff
