From 066282b57c385d86de8033699a232cc84b9a0e88 Mon Sep 17 00:00:00 2001 From: Apple Date: Mon, 15 May 2006 22:58:08 +0000 Subject: [PATCH] securityd-27887.tar.gz --- etc/CodeEquivalenceCandidates | 5 +++++ securityd.xcode/project.pbxproj | 8 +++----- src/acls.h | 2 +- src/entropy.h | 2 +- src/generate.pl | 9 ++++++--- src/kckey.cpp | 12 ++++++++++++ src/kckey.h | 1 + src/session.cpp | 6 ++++-- src/tokenaccess.cpp | 1 + src/tokendatabase.cpp | 17 +++++++++++------ src/tokendatabase.h | 2 +- 11 files changed, 46 insertions(+), 19 deletions(-) diff --git a/etc/CodeEquivalenceCandidates b/etc/CodeEquivalenceCandidates index 7c90c92..01914b6 100644 --- a/etc/CodeEquivalenceCandidates +++ b/etc/CodeEquivalenceCandidates @@ -33,8 +33,10 @@ /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/Current/Support/AEServer /System/Library/Frameworks/ApplicationServices.framework/Versions/Current/Frameworks/AE.framework/Versions/Current/Support/AEServer /System/Library/Frameworks/InstantMessage.framework/iChatAgent.app +/System/Library/Frameworks/SecurityFoundation.framework/Resources/dotmacfx.app /System/Library/Frameworks/SecurityFoundation.framework/Resources/kcSync.app /System/Library/PreferencePanes/Mac.prefPane +/System/Library/PreferencePanes/Mac.prefPane/Contents/Resources/dotMacPrefTool /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport 
@@ -46,6 +48,9 @@ /System/Library/PrivateFrameworks/DMNotification.framework/Resources/dmnotifyd /System/Library/PrivateFrameworks/DMNotification.framework/Versions/A/Resources/dmnotifyd /System/Library/PrivateFrameworks/DMNotification.framework/Versions/Current/Resources/dmnotifyd +/System/Library/PrivateFrameworks/Syndication.framework/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent +/System/Library/PrivateFrameworks/Syndication.framework/Versions/A/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent +/System/Library/PrivateFrameworks/Syndication.framework/Versions/Current/Resources/SyndicationAgent.app/Contents/MacOS/SyndicationAgent /System/Library/ScriptingAdditions/Keychain Scripting.app /sbin/mount_smbfs /sbin/mount_webdav diff --git a/securityd.xcode/project.pbxproj b/securityd.xcode/project.pbxproj index 4154d1d..6b77cb6 100644 --- a/securityd.xcode/project.pbxproj +++ b/securityd.xcode/project.pbxproj @@ -687,7 +687,6 @@ buildSettings = { BUILD_VARIANTS = debug; COPY_PHASE_STRIP = NO; - CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers"; GCC_DYNAMIC_NO_PIC = NO; GCC_ENABLE_FIX_AND_CONTINUE = YES; GCC_GENERATE_DEBUGGING_SYMBOLS = YES; @@ -699,7 +698,6 @@ }; 4CA1FEAF052A3C5800F22E42 = { buildSettings = { - CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers"; DEAD_CODE_STRIPPING = YES; GCC_DYNAMIC_NO_PIC = NO; GCC_ENABLE_FIX_AND_CONTINUE = YES; @@ -838,7 +836,7 @@ ); buildSettings = { BUILD_VARIANTS = "normal debug"; - CURRENT_PROJECT_VERSION = 26692; + CURRENT_PROJECT_VERSION = 27887; FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; INSTALL_PATH = /usr/sbin; OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates"; 
@@ -1002,14 +1000,14 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new $CSSM_HEADERS/cssmtype.h\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n"; + shellScript = "THEADER=$BUILT_PRODUCTS_DIR/include/flip_gen.h\nTCPP=$BUILT_PRODUCTS_DIR/include/flip_gen.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/include\nsrc/generate.pl src/generate.cf $THEADER.new $TCPP.new cssmtype.h $CSSM_HEADERS\ncmp -s $THEADER.new $THEADER || mv $THEADER.new $THEADER\ncmp -s $TCPP.new $TCPP || mv $TCPP.new $TCPP\n"; }; 4CDD4F7A053751FF00FEC36D = { buildPhases = ( 4CDD4F79053751FF00FEC36D, ); buildSettings = { - CSSM_HEADERS = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers"; + CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers"; OTHER_CFLAGS = ""; OTHER_LDFLAGS = ""; OTHER_REZFLAGS = ""; diff --git a/src/acls.h b/src/acls.h index 3a8453e..0aad47f 100644 --- a/src/acls.h +++ b/src/acls.h @@ -62,7 +62,7 @@ public: virtual ~SecurityServerAcl(); // validation calls restated - void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase); + virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase); void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase); // CSSM layer ACL calls diff --git a/src/entropy.h b/src/entropy.h index 9537ff2..8eedeeb 100644 --- a/src/entropy.h +++ b/src/entropy.h 
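Review bot: Only the `AccessCredentials` overload of `validate` becomes virtual in src/acls.h; the `Context` overload on the following line stays non-virtual. A subclass hook such as the `KeychainKey::validate` override added in src/kckey.cpp therefore runs on the Context path only if that overload forwards to this one, which the hunk does not show. Please confirm that, and record it next to the declaration, e.g. `// virtual so subclasses can add pre-validation checks; the Context overload must route through this one`. The class body starts and ends outside the hunk.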
@@ -42,7 +42,7 @@ using MachPlusPlus::MachServer; class EntropyManager : public MachServer::Timer, private DevRandomGenerator { // all the parameters you ever (should) want to change :-) static const int collectInterval = 600; // collect every 10 minutes - static const int updateInterval = 3600; // update file every hour + static const int updateInterval = 3600 * 6; // update file every 6 hours static const int timingsToCollect = 40; // how many timings? public: diff --git a/src/generate.pl b/src/generate.pl index 4599316..4ec7cd1 100755 --- a/src/generate.pl +++ b/src/generate.pl @@ -2,20 +2,23 @@ # # # -use strict; +#use strict; my $disclaimer = "Automatically generated - do not edit on penalty of futility!"; # arguments -my ($configfile, $out_h, $out_cpp, $types) = @ARGV; +my ($configfile, $out_h, $out_cpp, $types, $hdrpath) = @ARGV; # open configuration file open(CFG, "$configfile") || die "$configfile: $!"; # open and load cssmtypes file -open(TYPES, "$types") || die "$types: $!"; +for my $hdrdir (split (/:/, $hdrpath)) { + open(TYPES, "$hdrdir/$types") and last; +} +TYPES or die "cannot find $types in $hdrpath: $!"; $/=undef; my $types_h = ; close(TYPES); $/="\n"; diff --git a/src/kckey.cpp b/src/kckey.cpp index 780f8cc..c5c825e 100644 --- a/src/kckey.cpp +++ b/src/kckey.cpp @@ -189,6 +189,18 @@ void KeychainKey::changedAcl() } +// +// Intercept Key validation and double-check that the keychain is (still) unlocked +// +void KeychainKey::validate(AclAuthorization auth, const AccessCredentials *cred, + Database *relatedDatabase) +{ + if (KeychainDatabase *db = dynamic_cast(relatedDatabase)) + db->unlockDb(); + SecurityServerAcl::validate(auth, cred, relatedDatabase); +} + + // // We're a key (duh) // diff --git a/src/kckey.h b/src/kckey.h index b42a43c..a5d5ce6 100644 --- a/src/kckey.h +++ b/src/kckey.h 
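Review bot: The sixfold increase of `updateInterval` in src/entropy.h comes with no rationale, and it changes how stale the file written by this timer can be. That file is presumably the saved entropy file, so after an unclean shutdown the daemon could restart from a file up to six hours old rather than one. If the motive is fewer disk writes, say so at the constant, e.g. `// update file every 6 hours (fewer disk writes; file may be up to 6h stale after a crash)`. The class continues outside the hunk.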
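Review bot: The new check `TYPES or die ...` in src/generate.pl never fires, because with `use strict` commented out the bareword `TYPES` is just the true string "TYPES". When no directory in `$hdrpath` contains `$types`, the script goes on to read from an unopened handle and presumably generates the flip code from an empty header instead of failing the build. Turning `strict` off for the whole script to make that one line parse also removes the checks that catch misspelled variables elsewhere. Keeping the open in a lexical handle lets `strict` stay on, and the three-argument `open` stops a path that begins or ends with a mode character from being read as a mode.

```perl
use strict;
# … unchanged: $disclaimer, argument list, open(CFG, ...) …

# open and load cssmtypes file from the first header directory that has it
my $types_fh;
for my $hdrdir (split(/:/, $hdrpath)) {
    last if open($types_fh, '<', "$hdrdir/$types");
    undef $types_fh;    # a failed open may still leave a handle object behind
}
defined $types_fh or die "cannot find $types in $hdrpath: $!";
$/ = undef;
my $types_h = <$types_fh>;
close($types_fh);
$/ = "\n";
```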
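Review bot: The unlock check in `KeychainKey::validate` runs only when the caller-supplied `relatedDatabase` casts to `KeychainDatabase`; a null or differently-typed pointer skips it silently and goes straight to `SecurityServerAcl::validate`. If every caller is expected to pass the key's own keychain, state that, or consider checking the key's own `relatedDatabase()` accessor (declared in src/kckey.h), which the parameter of the same name shadows inside this function. What `unlockDb()` does when the keychain is locked is not visible here, so the intent deserves a comment such as `// unlockDb() must throw (or prompt) if the keychain is locked; non-keychain databases are validated without a lock check`.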
@@ -66,6 +66,7 @@ public: void instantiateAcl(); void changedAcl(); Database *relatedDatabase(); + void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase); public: // SecurityServerAcl personality diff --git a/src/session.cpp b/src/session.cpp index 6bd0abf..9f4854f 100644 --- a/src/session.cpp +++ b/src/session.cpp @@ -485,6 +485,7 @@ OSStatus Session::authorizationdbRemove(const AuthorizationBlob &authBlob, Autho void Session::mergeCredentials(CredentialSet &creds) { secdebug("SSsession", "%p merge creds @%p", this, &creds); + CredentialSet updatedCredentials = creds; for (CredentialSet::const_iterator it = creds.begin(); it != creds.end(); it++) if (((*it)->isShared() && (*it)->isValid())) { CredentialSet::iterator old = mSessionCreds.find(*it); @@ -493,10 +494,11 @@ void Session::mergeCredentials(CredentialSet &creds) } else { // replace "new" with "old" in input set to retain synchronization (*old)->merge(**it); - creds.erase(it); - creds.insert(*old); + updatedCredentials.erase(*it); + updatedCredentials.insert(*old); } } + creds.swap(updatedCredentials); } diff --git a/src/tokenaccess.cpp b/src/tokenaccess.cpp index 0e68232..5c06450 100644 --- a/src/tokenaccess.cpp +++ b/src/tokenaccess.cpp @@ -58,5 +58,6 @@ void Access::operator () (const CssmError &err) return; // induce retry } // all others are non-recoverable + secdebug("tokendb", "non-recoverable error in Access(): %d", err.error); throw; } diff --git a/src/tokendatabase.cpp b/src/tokendatabase.cpp index fcbee16..5d75cb6 100644 --- a/src/tokendatabase.cpp +++ b/src/tokendatabase.cpp @@ -48,9 +48,9 @@ Token &TokenDbCommon::token() const return parent(); } -string TokenDbCommon::dbName() const +const std::string &TokenDbCommon::dbName() const { - return token().printName().c_str(); + return token().printName(); } 
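Review bot: Declaring this single `validate` overload in `KeychainKey` hides the inherited `validate(AclAuthorization, const Context &, Database *)` for calls made through a `KeychainKey`-typed object, unless the class re-exports it somewhere outside this hunk. Adding `using SecurityServerAcl::validate;` beside the declaration keeps both overloads reachable. A short comment, `// overrides SecurityServerAcl::validate to re-check the keychain lock state`, would also make clear that this is an override and not a new method. The class body starts and ends outside the hunk.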
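Review bot: The copy-then-swap in `Session::mergeCredentials` exists so that `creds` is not erased from while `it` is walking it, but nothing in the code says so, and a later cleanup could fold `updatedCredentials` back into the loop. A comment at the copy, `// edit a copy: erasing from creds inside the loop would invalidate 'it'`, would protect the fix. The loop header could use `++it` as well. This covers both src/session.cpp hunks; the lines between them are not shown.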
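Review bot: `TokenDbCommon::dbName()` now returns a reference to whatever `token().printName()` yields, which is safe only if `printName()` itself returns a reference to storage that outlives the call; its declaration is not visible here. If it returns `std::string` by value, this is a reference to a destroyed temporary. Even when it refers to a `Token` member, callers that keep the result past the token's lifetime now hold a dangling reference, where the old by-value return handed them a copy. Please confirm the `printName()` signature and note the lifetime at the declaration in src/tokendatabase.h, e.g. `// reference is valid only while the Token exists`; the header hunk at the end of the patch carries the same concern.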
@@ -233,9 +233,11 @@ bool TokenDatabase::validateSecret(const AclSubject *subject, const AccessCreden access().authenticate(CSSM_DB_ACCESS_READ, cred); secdebug("tokendb", "%p remote validation successful", this); return true; - } catch (...) { + } + catch (...) { secdebug("tokendb", "%p remote validation failed", this); - return false; + // return false; + throw; // try not to mask error } } @@ -467,13 +469,16 @@ void TokenDatabase::getOutputSize(const Context &context, Key &key, // void TokenDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred) { + Access access(token()); + TRY + GUARD if (mode != CSSM_DB_ACCESS_RESET && cred) { + secdebug("tokendb", "%p authenticate calling validate", this); int pin; if (sscanf(cred->EntryTag, "PIN%d", &pin) == 1) return validate(CSSM_ACL_AUTHORIZATION_PREAUTH(pin), cred); } - Access access(token()); access().authenticate(mode, cred); switch (mode) { case CSSM_DB_ACCESS_RESET: @@ -490,9 +495,9 @@ void TokenDatabase::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentia break; } } + DONE } - // // Data access interface. // diff --git a/src/tokendatabase.h b/src/tokendatabase.h index fa177a9..60361c3 100644 --- a/src/tokendatabase.h +++ b/src/tokendatabase.h @@ -59,7 +59,7 @@ public: Token &token() const; uint32 subservice() const { return token().subservice(); } - std::string dbName() const; + const std::string &dbName() const; Adornable &store(); void resetAcls(); -- 2.45.2
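Review bot: The `catch (...)` path of `TokenDatabase::validateSecret` no longer returns `false`, so a failed remote validation now reaches callers as an exception instead of a boolean result. Callers written against the old contract need to be checked, and the function's header comment should say which failures throw. The commented-out `// return false;` should be deleted instead of sitting beside the `throw;`, keeping the reason in one line, e.g. `throw; // propagate the token's own error instead of a generic denial`. The function starts outside the hunk.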
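Review bot: In `TokenDatabase::authenticate`, `pin` is parsed from the credential's `EntryTag` and passed to `CSSM_ACL_AUTHORIZATION_PREAUTH(pin)` with no range check, so a negative or very large number in the tag would presumably produce an authorization value outside the pre-authorization slots. The commit reworks this path but leaves that open. Bounding the value in the condition would close it, e.g. `if (sscanf(cred->EntryTag, "PIN%d", &pin) == 1 && pin >= 0 && pin <= <max preauth slot>)`, where the upper bound is a placeholder for whatever limit the project defines. Separately, `TRY`/`GUARD`/`DONE` are macros defined elsewhere, so it cannot be seen from this hunk how the early `return validate(...)` interacts with them; a one-line comment on what the guard protects would help.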