From 14334c0c7767094c564044bfac67c6753260926d Mon Sep 17 00:00:00 2001 From: Andrew Hyatt Date: Sun, 13 Jan 2019 22:45:16 -0500 Subject: [PATCH] SecurityTokend-55111 --- APPLE_LICENSE | 367 +++++++++++++ ChangeLog | 125 +++++ English.lproj/InfoPlist.strings | Bin 0 -> 340 bytes Info-SecurityTokend.plist | 26 + Info-security_tokend_client.plist | 5 + Info.plist | 20 + SecurityTokend.xcodeproj/project.pbxproj | 543 +++++++++++++++++++ config/debug.xcconfig | 3 + config/project.xcconfig | 25 + config/release.xcconfig | 3 + lib/SecTokend.cpp | 127 +++++ lib/SecTokend.h | 230 ++++++++ lib/SecurityTokend.exp | 23 + lib/server.cpp | 122 +++++ lib/server.h | 76 +++ lib/tdclient.cpp | 77 +++ lib/tdclient.h | 196 +++++++ lib/tdtransit.cpp | 535 +++++++++++++++++++ lib/tdtransit.h | 111 ++++ lib/tokend_types.h | 48 ++ lib/transit.cpp | 161 ++++++ lib/transit.h | 191 +++++++ lib/transition.cpp | 645 +++++++++++++++++++++++ mig/mig.mk | 50 ++ mig/tokend.defs | 187 +++++++ security_tokend_client | 1 + tokend_test-Info.plist | 20 + 27 files changed, 3917 insertions(+) create mode 100644 APPLE_LICENSE create mode 100644 ChangeLog create mode 100644 English.lproj/InfoPlist.strings create mode 100644 Info-SecurityTokend.plist create mode 100644 Info-security_tokend_client.plist create mode 100644 Info.plist create mode 100644 SecurityTokend.xcodeproj/project.pbxproj create mode 100644 config/debug.xcconfig create mode 100644 config/project.xcconfig create mode 100644 config/release.xcconfig create mode 100644 lib/SecTokend.cpp create mode 100644 lib/SecTokend.h create mode 100644 lib/SecurityTokend.exp create mode 100644 lib/server.cpp create mode 100644 lib/server.h create mode 100644 lib/tdclient.cpp create mode 100644 lib/tdclient.h create mode 100644 lib/tdtransit.cpp create mode 100644 lib/tdtransit.h create mode 100644 lib/tokend_types.h create mode 100644 lib/transit.cpp create mode 100644 lib/transit.h create mode 100644 lib/transition.cpp create mode 100644 mig/mig.mk create mode 100644 mig/tokend.defs create mode 120000 security_tokend_client create mode 100644 tokend_test-Info.plist diff --git a/APPLE_LICENSE b/APPLE_LICENSE new file mode 100644 index 0000000..fe81a60 --- /dev/null +++ b/APPLE_LICENSE @@ -0,0 +1,367 @@ +APPLE PUBLIC SOURCE LICENSE +Version 2.0 - August 6, 2003 + +Please read this License carefully before downloading this software. +By downloading or using this software, you are agreeing to be bound by +the terms of this License. If you do not or cannot agree to the terms +of this License, please do not download or use the software. + +1. General; Definitions. This License applies to any program or other +work which Apple Computer, Inc. ("Apple") makes publicly available and +which contains a notice placed by Apple identifying such program or +work as "Original Code" and stating that it is subject to the terms of +this Apple Public Source License version 2.0 ("License"). As used in +this License: + +1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is +the grantor of rights, (i) claims of patents that are now or hereafter +acquired, owned by or assigned to Apple and (ii) that cover subject +matter contained in the Original Code, but only to the extent +necessary to use, reproduce and/or distribute the Original Code +without infringement; and (b) in the case where You are the grantor of +rights, (i) claims of patents that are now or hereafter acquired, +owned by or assigned to You and (ii) that cover subject matter in Your +Modifications, taken alone or in combination with Original Code. + +1.2 "Contributor" means any person or entity that creates or +contributes to the creation of Modifications. + +1.3 "Covered Code" means the Original Code, Modifications, the +combination of Original Code and any Modifications, and/or any +respective portions thereof. + +1.4 "Externally Deploy" means: (a) to sublicense, distribute or +otherwise make Covered Code available, directly or indirectly, to +anyone other than You; and/or (b) to use Covered Code, alone or as +part of a Larger Work, in any way to provide a service, including but +not limited to delivery of content, through electronic communication +with a client other than You. + +1.5 "Larger Work" means a work which combines Covered Code or portions +thereof with code not governed by the terms of this License. + +1.6 "Modifications" mean any addition to, deletion from, and/or change +to, the substance and/or structure of the Original Code, any previous +Modifications, the combination of Original Code and any previous +Modifications, and/or any respective portions thereof. When code is +released as a series of files, a Modification is: (a) any addition to +or deletion from the contents of a file containing Covered Code; +and/or (b) any new file or other representation of computer program +statements that contains any part of Covered Code. + +1.7 "Original Code" means (a) the Source Code of a program or other +work as originally made available by Apple under this License, +including the Source Code of any updates or upgrades to such programs +or works made available by Apple under this License, and that has been +expressly identified by Apple as such in the header file(s) of such +work; and (b) the object code compiled from such Source Code and +originally made available by Apple under this License. + +1.8 "Source Code" means the human readable form of a program or other +work that is suitable for making modifications to it, including all +modules it contains, plus any associated interface definition files, +scripts used to control compilation and installation of an executable +(object code). + +1.9 "You" or "Your" means an individual or a legal entity exercising +rights under this License. For legal entities, "You" or "Your" +includes any entity which controls, is controlled by, or is under +common control with, You, where "control" means (a) the power, direct +or indirect, to cause the direction or management of such entity, +whether by contract or otherwise, or (b) ownership of fifty percent +(50%) or more of the outstanding shares or beneficial ownership of +such entity. + +2. Permitted Uses; Conditions & Restrictions. Subject to the terms +and conditions of this License, Apple hereby grants You, effective on +the date You accept this License and download the Original Code, a +world-wide, royalty-free, non-exclusive license, to the extent of +Apple's Applicable Patent Rights and copyrights covering the Original +Code, to do the following: + +2.1 Unmodified Code. You may use, reproduce, display, perform, +internally distribute within Your organization, and Externally Deploy +verbatim, unmodified copies of the Original Code, for commercial or +non-commercial purposes, provided that in each instance: + +(a) You must retain and reproduce in all copies of Original Code the +copyright and other proprietary notices and disclaimers of Apple as +they appear in the Original Code, and keep intact all notices in the +Original Code that refer to this License; and + +(b) You must include a copy of this License with every copy of Source +Code of Covered Code and documentation You distribute or Externally +Deploy, and You may not offer or impose any terms on such Source Code +that alter or restrict this License or the recipients' rights +hereunder, except as permitted under Section 6. + +2.2 Modified Code. You may modify Covered Code and use, reproduce, +display, perform, internally distribute within Your organization, and +Externally Deploy Your Modifications and Covered Code, for commercial +or non-commercial purposes, provided that in each instance You also +meet all of these conditions: + +(a) You must satisfy all the conditions of Section 2.1 with respect to +the Source Code of the Covered Code; + +(b) You must duplicate, to the extent it does not already exist, the +notice in Exhibit A in each file of the Source Code of all Your +Modifications, and cause the modified files to carry prominent notices +stating that You changed the files and the date of any change; and + +(c) If You Externally Deploy Your Modifications, You must make +Source Code of all Your Externally Deployed Modifications either +available to those to whom You have Externally Deployed Your +Modifications, or publicly available. Source Code of Your Externally +Deployed Modifications must be released under the terms set forth in +this License, including the license grants set forth in Section 3 +below, for as long as you Externally Deploy the Covered Code or twelve +(12) months from the date of initial External Deployment, whichever is +longer. You should preferably distribute the Source Code of Your +Externally Deployed Modifications electronically (e.g. download from a +web site). + +2.3 Distribution of Executable Versions. In addition, if You +Externally Deploy Covered Code (Original Code and/or Modifications) in +object code, executable form only, You must include a prominent +notice, in the code itself as well as in related documentation, +stating that Source Code of the Covered Code is available under the +terms of this License with information on how and where to obtain such +Source Code. + +2.4 Third Party Rights. You expressly acknowledge and agree that +although Apple and each Contributor grants the licenses to their +respective portions of the Covered Code set forth herein, no +assurances are provided by Apple or any Contributor that the Covered +Code does not infringe the patent or other intellectual property +rights of any other entity. Apple and each Contributor disclaim any +liability to You for claims brought by any other entity based on +infringement of intellectual property rights or otherwise. As a +condition to exercising the rights and licenses granted hereunder, You +hereby assume sole responsibility to secure any other intellectual +property rights needed, if any. For example, if a third party patent +license is required to allow You to distribute the Covered Code, it is +Your responsibility to acquire that license before distributing the +Covered Code. + +3. Your Grants. In consideration of, and as a condition to, the +licenses granted to You under this License, You hereby grant to any +person or entity receiving or distributing Covered Code under this +License a non-exclusive, royalty-free, perpetual, irrevocable license, +under Your Applicable Patent Rights and other intellectual property +rights (other than patent) owned or controlled by You, to use, +reproduce, display, perform, modify, sublicense, distribute and +Externally Deploy Your Modifications of the same scope and extent as +Apple's licenses under Sections 2.1 and 2.2 above. + +4. Larger Works. You may create a Larger Work by combining Covered +Code with other code not governed by the terms of this License and +distribute the Larger Work as a single product. In each such instance, +You must make sure the requirements of this License are fulfilled for +the Covered Code or any portion thereof. + +5. Limitations on Patent License. Except as expressly stated in +Section 2, no other patent rights, express or implied, are granted by +Apple herein. Modifications and/or Larger Works may require additional +patent licenses from Apple which Apple may grant in its sole +discretion. + +6. Additional Terms. You may choose to offer, and to charge a fee for, +warranty, support, indemnity or liability obligations and/or other +rights consistent with the scope of the license granted herein +("Additional Terms") to one or more recipients of Covered Code. +However, You may do so only on Your own behalf and as Your sole +responsibility, and not on behalf of Apple or any Contributor. You +must obtain the recipient's agreement that any such Additional Terms +are offered by You alone, and You hereby agree to indemnify, defend +and hold Apple and every Contributor harmless for any liability +incurred by or claims asserted against Apple or such Contributor by +reason of any such Additional Terms. + +7. Versions of the License. Apple may publish revised and/or new +versions of this License from time to time. Each version will be given +a distinguishing version number. Once Original Code has been published +under a particular version of this License, You may continue to use it +under the terms of that version. You may also choose to use such +Original Code under the terms of any subsequent version of this +License published by Apple. No one other than Apple has the right to +modify the terms applicable to Covered Code created under this +License. + +8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in +part pre-release, untested, or not fully tested works. The Covered +Code may contain errors that could cause failures or loss of data, and +may be incomplete or contain inaccuracies. You expressly acknowledge +and agree that use of the Covered Code, or any portion thereof, is at +Your sole and entire risk. THE COVERED CODE IS PROVIDED "AS IS" AND +WITHOUT WARRANTY, UPGRADES OR SUPPORT OF ANY KIND AND APPLE AND +APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" FOR THE +PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM +ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT +NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF +MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR +PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD +PARTY RIGHTS. APPLE AND EACH CONTRIBUTOR DOES NOT WARRANT AGAINST +INTERFERENCE WITH YOUR ENJOYMENT OF THE COVERED CODE, THAT THE +FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR REQUIREMENTS, +THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR +ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO +ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE +AUTHORIZED REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY. +You acknowledge that the Covered Code is not intended for use in the +operation of nuclear facilities, aircraft navigation, communication +systems, or air traffic control machines in which case the failure of +the Covered Code could lead to death, personal injury, or severe +physical or environmental damage. + +9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO +EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL, +SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING +TO THIS LICENSE OR YOUR USE OR INABILITY TO USE THE COVERED CODE, OR +ANY PORTION THEREOF, WHETHER UNDER A THEORY OF CONTRACT, WARRANTY, +TORT (INCLUDING NEGLIGENCE), PRODUCTS LIABILITY OR OTHERWISE, EVEN IF +APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY +REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY OF +INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY +TO YOU. In no event shall Apple's total liability to You for all +damages (other than as may be required by applicable law) under this +License exceed the amount of fifty dollars ($50.00). + +10. Trademarks. This License does not grant any rights to use the +trademarks or trade names "Apple", "Apple Computer", "Mac", "Mac OS", +"QuickTime", "QuickTime Streaming Server" or any other trademarks, +service marks, logos or trade names belonging to Apple (collectively +"Apple Marks") or to any trademark, service mark, logo or trade name +belonging to any Contributor. You agree not to use any Apple Marks in +or as part of the name of products derived from the Original Code or +to endorse or promote products derived from the Original Code other +than as expressly permitted by and in strict compliance at all times +with Apple's third party trademark usage guidelines which are posted +at http://www.apple.com/legal/guidelinesfor3rdparties.html. + +11. Ownership. Subject to the licenses granted under this License, +each Contributor retains all rights, title and interest in and to any +Modifications made by such Contributor. Apple retains all rights, +title and interest in and to the Original Code and any Modifications +made by or on behalf of Apple ("Apple Modifications"), and such Apple +Modifications will not be automatically subject to this License. Apple +may, at its sole discretion, choose to license such Apple +Modifications under this License, or on different terms from those +contained in this License or may choose not to license them at all. + +12. Termination. + +12.1 Termination. This License and the rights granted hereunder will +terminate: + +(a) automatically without notice from Apple if You fail to comply with +any term(s) of this License and fail to cure such breach within 30 +days of becoming aware of such breach; + +(b) immediately in the event of the circumstances described in Section +13.5(b); or + +(c) automatically without notice from Apple if You, at any time during +the term of this License, commence an action for patent infringement +against Apple; provided that Apple did not first commence +an action for patent infringement against You in that instance. + +12.2 Effect of Termination. Upon termination, You agree to immediately +stop any further use, reproduction, modification, sublicensing and +distribution of the Covered Code. All sublicenses to the Covered Code +which have been properly granted prior to termination shall survive +any termination of this License. Provisions which, by their nature, +should remain in effect beyond the termination of this License shall +survive, including but not limited to Sections 3, 5, 8, 9, 10, 11, +12.2 and 13. No party will be liable to any other for compensation, +indemnity or damages of any sort solely as a result of terminating +this License in accordance with its terms, and termination of this +License will be without prejudice to any other right or remedy of +any party. + +13. Miscellaneous. + +13.1 Government End Users. The Covered Code is a "commercial item" as +defined in FAR 2.101. Government software and technical data rights in +the Covered Code include only those rights customarily provided to the +public as defined in this License. This customary commercial license +in technical data and software is provided in accordance with FAR +12.211 (Technical Data) and 12.212 (Computer Software) and, for +Department of Defense purchases, DFAR 252.227-7015 (Technical Data -- +Commercial Items) and 227.7202-3 (Rights in Commercial Computer +Software or Computer Software Documentation). Accordingly, all U.S. +Government End Users acquire Covered Code with only those rights set +forth herein. + +13.2 Relationship of Parties. This License will not be construed as +creating an agency, partnership, joint venture or any other form of +legal association between or among You, Apple or any Contributor, and +You will not represent to the contrary, whether expressly, by +implication, appearance or otherwise. + +13.3 Independent Development. Nothing in this License will impair +Apple's right to acquire, license, develop, have others develop for +it, market and/or distribute technology or products that perform the +same or similar functions as, or otherwise compete with, +Modifications, Larger Works, technology or products that You may +develop, produce, market or distribute. + +13.4 Waiver; Construction. Failure by Apple or any Contributor to +enforce any provision of this License will not be deemed a waiver of +future enforcement of that or any other provision. Any law or +regulation which provides that the language of a contract shall be +construed against the drafter will not apply to this License. + +13.5 Severability. (a) If for any reason a court of competent +jurisdiction finds any provision of this License, or portion thereof, +to be unenforceable, that provision of the License will be enforced to +the maximum extent permissible so as to effect the economic benefits +and intent of the parties, and the remainder of this License will +continue in full force and effect. (b) Notwithstanding the foregoing, +if applicable law prohibits or restricts You from fully and/or +specifically complying with Sections 2 and/or 3 or prevents the +enforceability of either of those Sections, this License will +immediately terminate and You must immediately discontinue any use of +the Covered Code and destroy all copies of it that are in your +possession or control. + +13.6 Dispute Resolution. Any litigation or other dispute resolution +between You and Apple relating to this License shall take place in the +Northern District of California, and You and Apple hereby consent to +the personal jurisdiction of, and venue in, the state and federal +courts within that District with respect to this License. The +application of the United Nations Convention on Contracts for the +International Sale of Goods is expressly excluded. + +13.7 Entire Agreement; Governing Law. This License constitutes the +entire agreement between the parties with respect to the subject +matter hereof. This License shall be governed by the laws of the +United States and the State of California, except that body of +California law concerning conflicts of law. + +Where You are located in the province of Quebec, Canada, the following +clause applies: The parties hereby confirm that they have requested +that this License and all related documents be drafted in English. Les +parties ont exige que le present contrat et tous les documents +connexes soient rediges en anglais. + +EXHIBIT A. + +"Portions Copyright (c) 1999-2003 Apple Computer, Inc. All Rights +Reserved. + +This file contains Original Code and/or Modifications of Original Code +as defined in and that are subject to the Apple Public Source License +Version 2.0 (the 'License'). You may not use this file except in +compliance with the License. Please obtain a copy of the License at +http://www.opensource.apple.com/apsl/ and read it before using this +file. + +The Original Code and all software distributed under the License are +distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +Please see the License for the specific language governing rights and +limitations under the License." diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..41a030a --- /dev/null +++ b/ChangeLog @@ -0,0 +1,125 @@ +# do not edit -- automatically generated by arch changelog +# arch-tag: automatic-ChangeLog--mb@apple.com--SmartCards-2004/SecurityTokend--Tiger--1.0 +# + +2004-07-14 00:02:03 GMT Michael Brouwer patch-5 + + Summary: + Added libsecurity_tokend_client target + Revision: + SecurityTokend--Tiger--1.0--patch-5 + + Added libsecurity_tokend_client target. + + new files: + lib/.arch-ids/=id lib/.arch-ids/tdclient.cpp.id + lib/.arch-ids/tdclient.h.id lib/.arch-ids/tdtransit.cpp.id + lib/.arch-ids/tdtransit.h.id lib/tdclient.cpp lib/tdclient.h + lib/tdtransit.cpp lib/tdtransit.h mig/.arch-ids/=id + mig/.arch-ids/mig.mk.id mig/mig.mk + + modified files: + ChangeLog SecurityTokend.xcode/project.pbxproj + lib/transition.c + + renamed files: + .arch-ids/SecTokend.c.id + ==> lib/.arch-ids/SecTokend.c.id + .arch-ids/SecTokend.h.id + ==> lib/.arch-ids/SecTokend.h.id + .arch-ids/tokend.defs.id + ==> mig/.arch-ids/tokend.defs.id + .arch-ids/tokend_types.h.id + ==> lib/.arch-ids/tokend_types.h.id + .arch-ids/transition.c.id + ==> lib/.arch-ids/transition.c.id + SecTokend.c + ==> lib/SecTokend.c + SecTokend.h + ==> lib/SecTokend.h + tokend.defs + ==> mig/tokend.defs + tokend_types.h + ==> lib/tokend_types.h + transition.c + ==> lib/transition.c + + new directories: + lib lib/.arch-ids mig mig/.arch-ids + + +2004-06-15 19:11:08 GMT Michael Brouwer patch-4 + + Summary: + Added transition.c + Revision: + SecurityTokend--Tiger--1.0--patch-4 + + Added transition.c. Ignore xcode .mode1 files. + + new files: + .arch-ids/transition.c.id transition.c + + modified files: + ChangeLog {arch}/=tagging-method + + +2004-06-15 00:29:53 GMT Michael Brouwer patch-3 + + Summary: + Implement tokend.defs server callbacks + Revision: + SecurityTokend--Tiger--1.0--patch-3 + + Add callbacks server side of tokend.defs and implement stubs for + all the functions. + + modified files: + ChangeLog SecTokend.c SecurityTokend.xcode/project.pbxproj + tokend.defs tokend_types.h + + +2004-06-05 01:32:05 GMT Michael Brouwer patch-2 + + Summary: + Register my port with securityd + Revision: + SecurityTokend--Tiger--1.0--patch-2 + + Register a receive right with securityd + + modified files: + ChangeLog SecTokend.c + + +2004-05-14 01:22:43 GMT Michael Brouwer patch-1 + + Summary: + Added ChangeLog + Revision: + SecurityTokend--Tiger--1.0--patch-1 + + Switched to auto generated ChangeLog file and make default tagging method tagline. + + new files: + ChangeLog + + modified files: + {arch}/=tagging-method + + +2004-05-14 01:06:38 GMT Michael Brouwer base-0 + + Summary: + Initial checkin of SecurityTokend.framework project + Revision: + SecurityTokend--Tiger--1.0--base-0 + + Basic private framework for writing tokend instances. + + new files: + APPLE_LICENSE English.lproj/InfoPlist.strings Info.plist + SecTokend.c SecTokend.h SecurityTokend.xcode/project.pbxproj + tokend.defs tokend_types.h + + diff --git a/English.lproj/InfoPlist.strings b/English.lproj/InfoPlist.strings new file mode 100644 index 0000000000000000000000000000000000000000..296ffdd2fb3f52f21b9c77cb3693368d30fa49f3 GIT binary patch literal 340 zcmZvYOA5kJ3`OtQRg?~ks0fb4ffhtTI#4%ITYuPA=||8Vxk>fp6=(8jlb4*_B=7xE zUx7TWbXB5Qna+A@uawvwTdE>*Re|-e2mVWL2mGFHj;~Y`y+A)46`twHC^Hh$vmr7yX)L)?jI>`V4 literal 0 HcmV?d00001 diff --git a/Info-SecurityTokend.plist b/Info-SecurityTokend.plist new file mode 100644 index 0000000..b8aff41 --- /dev/null +++ b/Info-SecurityTokend.plist @@ -0,0 +1,26 @@ + + + + + CFBundleDevelopmentRegion + English + CFBundleExecutable + SecurityTokend + CFBundleIconFile + + CFBundleIdentifier + com.apple.securitytokend + CFBundleInfoDictionaryVersion + 6.0 + CFBundleName + + CFBundlePackageType + FMWK + CFBundleShortVersionString + 4.0 + CFBundleSignature + ???? + CFBundleVersion + ${CURRENT_PROJECT_VERSION} + + diff --git a/Info-security_tokend_client.plist b/Info-security_tokend_client.plist new file mode 100644 index 0000000..0c67376 --- /dev/null +++ b/Info-security_tokend_client.plist @@ -0,0 +1,5 @@ + + + + + diff --git a/Info.plist b/Info.plist new file mode 100644 index 0000000..39d26e6 --- /dev/null +++ b/Info.plist @@ -0,0 +1,20 @@ + + + + + CFBundleDevelopmentRegion + English + CFBundleExecutable + SecurityTokend + CFBundleIdentifier + com.apple.SecurityTokend + CFBundleInfoDictionaryVersion + 6.0 + CFBundlePackageType + FMWK + CFBundleSignature + ???? + CFBundleVersion + 1.0 + + diff --git a/SecurityTokend.xcodeproj/project.pbxproj b/SecurityTokend.xcodeproj/project.pbxproj new file mode 100644 index 0000000..dbe2ab0 --- /dev/null +++ b/SecurityTokend.xcodeproj/project.pbxproj @@ -0,0 +1,543 @@ +// !$*UTF8*$! +{ + archiveVersion = 1; + classes = { + }; + objectVersion = 45; + objects = { + +/* Begin PBXBuildFile section */ + 18B9659B147300AF005A4D2E /* tdclient.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CAC26FF069DD074002EB81D /* tdclient.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18B965A41473124F005A4D2E /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18B965A31473124F005A4D2E /* libsecurity_utilities.a */; }; + 18B965A614731276005A4D2E /* libsecurityd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18B965A514731276005A4D2E /* libsecurityd_client.a */; }; + 18B965AA147312A3005A4D2E /* libsecurity_cdsa_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18B965A9147312A3005A4D2E /* libsecurity_cdsa_utilities.a */; }; + 4C720FD806CC44540016CA88 /* tdtransit.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C720FD706CC44540016CA88 /* tdtransit.h */; }; + 4CAC271F069DD236002EB81D /* tdclient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CAC26FE069DD074002EB81D /* tdclient.cpp */; }; + 4CAC2737069DD309002EB81D /* tokendClient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CAC2734069DD309002EB81D /* tokendClient.cpp */; }; + 4CC46A1806A4AC0200027192 /* SecTokend.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CC46A1506A4AC0200027192 /* SecTokend.cpp */; }; + 4CC46A1A06A4AC0200027192 /* transition.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CC46A1706A4AC0200027192 /* transition.cpp */; }; + 4CC46A1B06A4AC2C00027192 /* tokend_types.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CAC2702069DD074002EB81D /* tokend_types.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 4CC46A3506A4AD9E00027192 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CC46A3406A4AD9E00027192 /* CoreFoundation.framework */; }; + 4CC46A4306A4AE2000027192 /* tdtransit.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CAC2700069DD074002EB81D /* tdtransit.cpp */; }; + C20D962406D5A400000AEB0D /* tokend.h in Headers */ = {isa = PBXBuildFile; fileRef = C20D962306D5A400000AEB0D /* tokend.h */; }; + C282709E06B73F8D00BE171E /* server.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C282709C06B73F8D00BE171E /* server.cpp */; }; + C282709F06B73F8D00BE171E /* server.h in Headers */ = {isa = PBXBuildFile; fileRef = C282709D06B73F8D00BE171E /* server.h */; settings = {ATTRIBUTES = (); }; }; + C2871EF606CC20A3009ACFA5 /* tdclient.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CAC26FF069DD074002EB81D /* tdclient.h */; settings = {ATTRIBUTES = (Private, ); }; }; + C2871FEF06CC2FC4009ACFA5 /* SecTokend.h in Headers */ = {isa = PBXBuildFile; fileRef = C2871FEE06CC2FC4009ACFA5 /* SecTokend.h */; settings = {ATTRIBUTES = (Public, ); }; }; + C28C0F2006D30837004CF059 /* transit.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C28C0F1E06D30837004CF059 /* transit.cpp */; }; + C28C0F2106D30837004CF059 /* transit.h in Headers */ = {isa = PBXBuildFile; fileRef = C28C0F1F06D30837004CF059 /* transit.h */; }; + C28C736906B1DD8600E4B6B4 /* tokendServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CAC2735069DD309002EB81D /* tokendServer.cpp */; }; + C2F8ED9407A6E871008FA709 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = C2F8ED9207A6E871008FA709 /* InfoPlist.strings */; }; + DCC07E771CFF50C9005C35C8 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC07E761CFF50C9005C35C8 /* Security.framework */; }; +/* End PBXBuildFile section */ + +/* Begin PBXContainerItemProxy section */ + 18B9659C147300D4005A4D2E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4CA1FEAB052A3C3800F22E42 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4C09A2920557240300FED7A3; + remoteInfo = "generate mig"; + }; + 18B9659E147300DD005A4D2E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4CA1FEAB052A3C3800F22E42 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4CAC2710069DD183002EB81D; + remoteInfo = libsecurity_tokend_client; + }; +/* End PBXContainerItemProxy section */ + +/* Begin PBXFileReference section */ + 1865FF881474F5B600FD79DF /* debug.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = debug.xcconfig; sourceTree = ""; }; + 1865FF891474F5B600FD79DF /* project.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = project.xcconfig; sourceTree = ""; }; + 1865FF8A1474F5B600FD79DF /* release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = release.xcconfig; sourceTree = ""; }; + 18B965A31473124F005A4D2E /* libsecurity_utilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_utilities.a; path = /usr/local/lib/libsecurity_utilities.a; sourceTree = ""; }; + 18B965A514731276005A4D2E /* libsecurityd_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurityd_client.a; path = /usr/local/lib/libsecurityd_client.a; sourceTree = ""; }; + 18B965A9147312A3005A4D2E /* libsecurity_cdsa_utilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_cdsa_utilities.a; path = /usr/local/lib/libsecurity_cdsa_utilities.a; sourceTree = ""; }; + 4C24BEF7055724C300C95CD3 /* mig.mk */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = mig.mk; sourceTree = ""; }; + 4C58E3900540C0DD00B89535 /* SecurityTokend.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; path = SecurityTokend.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + 4C720FD706CC44540016CA88 /* tdtransit.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = tdtransit.h; path = lib/tdtransit.h; sourceTree = ""; }; + 4CAC26FE069DD074002EB81D /* tdclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = tdclient.cpp; path = lib/tdclient.cpp; sourceTree = ""; }; + 4CAC26FF069DD074002EB81D /* tdclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = tdclient.h; path = lib/tdclient.h; sourceTree = ""; }; + 4CAC2700069DD074002EB81D /* tdtransit.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = tdtransit.cpp; path = lib/tdtransit.cpp; sourceTree = ""; }; + 4CAC2702069DD074002EB81D /* tokend_types.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = tokend_types.h; path = lib/tokend_types.h; sourceTree = SOURCE_ROOT; }; + 4CAC2708069DD094002EB81D /* tokend.defs */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.mig; path = tokend.defs; sourceTree = ""; }; + 4CAC2718069DD183002EB81D /* libsecurity_tokend_client.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_tokend_client.a; sourceTree = BUILT_PRODUCTS_DIR; }; + 4CAC2734069DD309002EB81D /* tokendClient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokendClient.cpp; sourceTree = ""; }; + 4CAC2735069DD309002EB81D /* tokendServer.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokendServer.cpp; sourceTree = ""; }; + 4CC46A1506A4AC0200027192 /* SecTokend.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = SecTokend.cpp; path = lib/SecTokend.cpp; sourceTree = ""; }; + 4CC46A1706A4AC0200027192 /* transition.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = transition.cpp; path = lib/transition.cpp; sourceTree = ""; }; + 4CC46A3406A4AD9E00027192 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = /System/Library/Frameworks/CoreFoundation.framework; sourceTree = ""; }; + C20D962306D5A400000AEB0D /* tokend.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokend.h; sourceTree = ""; }; + C282709C06B73F8D00BE171E /* server.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = server.cpp; path = lib/server.cpp; sourceTree = ""; }; + C282709D06B73F8D00BE171E /* server.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = server.h; path = lib/server.h; sourceTree = ""; }; + C2871FEE06CC2FC4009ACFA5 /* SecTokend.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecTokend.h; path = lib/SecTokend.h; sourceTree = ""; }; + C28C0F1E06D30837004CF059 /* transit.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = transit.cpp; path = lib/transit.cpp; sourceTree = ""; }; + C28C0F1F06D30837004CF059 /* transit.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = transit.h; path = lib/transit.h; sourceTree = ""; }; + C2B6F2370B83E5A000187FD9 /* SecurityTokend.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; name = SecurityTokend.exp; path = lib/SecurityTokend.exp; sourceTree = ""; }; + C2F8ED9307A6E871008FA709 /* English */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/InfoPlist.strings; sourceTree = ""; }; + DCC07E761CFF50C9005C35C8 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; +/* End PBXFileReference section */ + +/* Begin PBXFrameworksBuildPhase section */ + 4C608E2306A4A83400F1CEDD /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + DCC07E771CFF50C9005C35C8 /* Security.framework in Frameworks */, + 18B965AA147312A3005A4D2E /* libsecurity_cdsa_utilities.a in Frameworks */, + 18B965A614731276005A4D2E /* libsecurityd_client.a in Frameworks */, + 18B965A41473124F005A4D2E /* libsecurity_utilities.a in Frameworks */, + 4CC46A3506A4AD9E00027192 /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CAC2715069DD183002EB81D /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXFrameworksBuildPhase section */ + +/* Begin PBXGroup section */ + 1865FF871474F5B600FD79DF /* config */ = { + isa = PBXGroup; + children = ( + 1865FF881474F5B600FD79DF /* debug.xcconfig */, + 1865FF891474F5B600FD79DF /* project.xcconfig */, + 1865FF8A1474F5B600FD79DF /* release.xcconfig */, + ); + path = config; + sourceTree = ""; + }; + 4CA1FEA7052A3C3800F22E42 = { + isa = PBXGroup; + children = ( + 1865FF871474F5B600FD79DF /* config */, + C2A593CE052E3A8400AF1EE3 /* lib */, + C2F8ED8F07A6E842008FA709 /* intl */, + C2A5941F052E3F2100AF1EE3 /* mig */, + 4CAF734405363FE000D9DA7C /* derived_src */, + 4CA1FEBF052A3C8100F22E42 /* Products */, + 4CC46A3306A4AD6F00027192 /* Frameworks */, + ); + sourceTree = ""; + }; + 4CA1FEBF052A3C8100F22E42 /* Products */ = { + isa = PBXGroup; + children = ( + 4C58E3900540C0DD00B89535 /* SecurityTokend.framework */, + 4CAC2718069DD183002EB81D /* libsecurity_tokend_client.a */, + ); + name = Products; + sourceTree = ""; + }; + 4CAF734405363FE000D9DA7C /* derived_src */ = { + isa = PBXGroup; + children = ( + C20D962306D5A400000AEB0D /* tokend.h */, + 4CAC2734069DD309002EB81D /* tokendClient.cpp */, + 4CAC2735069DD309002EB81D /* tokendServer.cpp */, + ); + path = derived_src; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4CC46A3306A4AD6F00027192 /* Frameworks */ = { + isa = PBXGroup; + children = ( + DCC07E761CFF50C9005C35C8 /* Security.framework */, + 18B965A9147312A3005A4D2E /* libsecurity_cdsa_utilities.a */, + 18B965A514731276005A4D2E /* libsecurityd_client.a */, + 18B965A31473124F005A4D2E /* libsecurity_utilities.a */, + 4CC46A3406A4AD9E00027192 /* CoreFoundation.framework */, + ); + name = Frameworks; + sourceTree = ""; + }; + C28C0F1006D30781004CF059 /* Client */ = { + isa = PBXGroup; + children = ( + 4CAC26FF069DD074002EB81D /* tdclient.h */, + 4CAC26FE069DD074002EB81D /* tdclient.cpp */, + 4C720FD706CC44540016CA88 /* tdtransit.h */, + 4CAC2700069DD074002EB81D /* tdtransit.cpp */, + ); + name = Client; + sourceTree = ""; + }; + C28C0F1306D3079B004CF059 /* Server */ = { + isa = PBXGroup; + children = ( + 4CC46A1706A4AC0200027192 /* transition.cpp */, + C28C0F1F06D30837004CF059 /* transit.h */, + C28C0F1E06D30837004CF059 /* transit.cpp */, + ); + name = Server; + sourceTree = ""; + }; + C28C0F1606D307AC004CF059 /* Plugin Driver */ = { + isa = PBXGroup; + children = ( + C2871FEE06CC2FC4009ACFA5 /* SecTokend.h */, + 4CC46A1506A4AC0200027192 /* SecTokend.cpp */, + C282709D06B73F8D00BE171E /* server.h */, + C282709C06B73F8D00BE171E /* server.cpp */, + C2B6F2370B83E5A000187FD9 /* SecurityTokend.exp */, + ); + name = "Plugin Driver"; + sourceTree = ""; + }; + C2A593CE052E3A8400AF1EE3 /* lib */ = { + isa = PBXGroup; + children = ( + C28C0F1606D307AC004CF059 /* Plugin Driver */, + C28C0F1006D30781004CF059 /* Client */, + C28C0F1306D3079B004CF059 /* Server */, + ); + name = lib; + sourceTree = ""; + }; + C2A5941F052E3F2100AF1EE3 /* mig */ = { + isa = PBXGroup; + children = ( + 4CAC2708069DD094002EB81D /* tokend.defs */, + 4CAC2702069DD074002EB81D /* tokend_types.h */, + 4C24BEF7055724C300C95CD3 /* mig.mk */, + ); + path = mig; + sourceTree = ""; + }; + C2F8ED8F07A6E842008FA709 /* intl */ = { + isa = PBXGroup; + children = ( + C2F8ED9207A6E871008FA709 /* InfoPlist.strings */, + ); + name = intl; + sourceTree = ""; + }; +/* End PBXGroup section */ + +/* Begin PBXHeadersBuildPhase section */ + 4C58E38A0540C0DD00B89535 /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + C2871FEF06CC2FC4009ACFA5 /* SecTokend.h in Headers */, + C282709F06B73F8D00BE171E /* server.h in Headers */, + C2871EF606CC20A3009ACFA5 /* tdclient.h in Headers */, + 4C720FD806CC44540016CA88 /* tdtransit.h in Headers */, + 4CC46A1B06A4AC2C00027192 /* tokend_types.h in Headers */, + C28C0F2106D30837004CF059 /* transit.h in Headers */, + C20D962406D5A400000AEB0D /* tokend.h in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CAC2713069DD183002EB81D /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + 18B9659B147300AF005A4D2E /* tdclient.h in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXHeadersBuildPhase section */ + +/* Begin PBXLegacyTarget section */ + 4C09A2920557240300FED7A3 /* generate mig */ = { + isa = PBXLegacyTarget; + buildArgumentsString = "-f mig/mig.mk $(ACTION)"; + buildConfigurationList = C27AD1950987FCDB001272E0 /* Build configuration list for PBXLegacyTarget "generate mig" */; + buildPhases = ( + ); + buildToolPath = /usr/bin/gnumake; + buildWorkingDirectory = ""; + dependencies = ( + ); + name = "generate mig"; + passBuildSettingsInEnvironment = 1; + productName = "generate mig"; + }; +/* End PBXLegacyTarget section */ + +/* Begin PBXNativeTarget section */ + 4C58E38F0540C0DD00B89535 /* SecurityTokend */ = { + isa = PBXNativeTarget; + buildConfigurationList = C27AD1A40987FCDB001272E0 /* Build configuration list for PBXNativeTarget "SecurityTokend" */; + buildPhases = ( + 4C58E38A0540C0DD00B89535 /* Headers */, + C2F8ED8507A6E7F5008FA709 /* Resources */, + 4C608E2206A4A82A00F1CEDD /* Sources */, + 4C608E2306A4A83400F1CEDD /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 18B9659F147300DD005A4D2E /* PBXTargetDependency */, + ); + name = SecurityTokend; + productInstallPath = "$(LOCAL_LIBRARY_DIR)/Frameworks"; + productName = securityd_server; + productReference = 4C58E3900540C0DD00B89535 /* SecurityTokend.framework */; + productType = "com.apple.product-type.framework"; + }; + 4CAC2710069DD183002EB81D /* libsecurity_tokend_client */ = { + isa = PBXNativeTarget; + buildConfigurationList = C27AD19F0987FCDB001272E0 /* Build configuration list for PBXNativeTarget "libsecurity_tokend_client" */; + buildPhases = ( + 4CAC2713069DD183002EB81D /* Headers */, + 4CAC2714069DD183002EB81D /* Sources */, + 4CAC2715069DD183002EB81D /* Frameworks */, + 1865FFC214750EEE00FD79DF /* ShellScript */, + ); + buildRules = ( + ); + dependencies = ( + 18B9659D147300D4005A4D2E /* PBXTargetDependency */, + ); + name = libsecurity_tokend_client; + productInstallPath = /usr/local/lib; + productName = libsecurityd; + productReference = 4CAC2718069DD183002EB81D /* libsecurity_tokend_client.a */; + productType = "com.apple.product-type.library.static"; + }; +/* End PBXNativeTarget section */ + +/* Begin PBXProject section */ + 4CA1FEAB052A3C3800F22E42 /* Project object */ = { + isa = PBXProject; + attributes = { + }; + buildConfigurationList = C27AD1AE0987FCDB001272E0 /* Build configuration list for PBXProject "SecurityTokend" */; + compatibilityVersion = "Xcode 2.4"; + developmentRegion = English; + hasScannedForEncodings = 1; + knownRegions = ( + en, + ); + mainGroup = 4CA1FEA7052A3C3800F22E42; + productRefGroup = 4CA1FEBF052A3C8100F22E42 /* Products */; + projectDirPath = ""; + projectRoot = ""; + targets = ( + 4C58E38F0540C0DD00B89535 /* SecurityTokend */, + 4CAC2710069DD183002EB81D /* libsecurity_tokend_client */, + 4C09A2920557240300FED7A3 /* generate mig */, + ); + }; +/* End PBXProject section */ + +/* Begin PBXResourcesBuildPhase section */ + C2F8ED8507A6E7F5008FA709 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + C2F8ED9407A6E871008FA709 /* InfoPlist.strings in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXResourcesBuildPhase section */ + +/* Begin PBXShellScriptBuildPhase section */ + 1865FFC214750EEE00FD79DF /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + }; +/* End PBXShellScriptBuildPhase section */ + +/* Begin PBXSourcesBuildPhase section */ + 4C608E2206A4A82A00F1CEDD /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4CC46A1806A4AC0200027192 /* SecTokend.cpp in Sources */, + C282709E06B73F8D00BE171E /* server.cpp in Sources */, + C28C736906B1DD8600E4B6B4 /* tokendServer.cpp in Sources */, + 4CC46A1A06A4AC0200027192 /* transition.cpp in Sources */, + C28C0F2006D30837004CF059 /* transit.cpp in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CAC2714069DD183002EB81D /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4CAC271F069DD236002EB81D /* tdclient.cpp in Sources */, + 4CC46A4306A4AE2000027192 /* tdtransit.cpp in Sources */, + 4CAC2737069DD309002EB81D /* tokendClient.cpp in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXSourcesBuildPhase section */ + +/* Begin PBXTargetDependency section */ + 18B9659D147300D4005A4D2E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 4C09A2920557240300FED7A3 /* generate mig */; + targetProxy = 18B9659C147300D4005A4D2E /* PBXContainerItemProxy */; + }; + 18B9659F147300DD005A4D2E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 4CAC2710069DD183002EB81D /* libsecurity_tokend_client */; + targetProxy = 18B9659E147300DD005A4D2E /* PBXContainerItemProxy */; + }; +/* End PBXTargetDependency section */ + +/* Begin PBXVariantGroup section */ + C2F8ED9207A6E871008FA709 /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + C2F8ED9307A6E871008FA709 /* English */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; +/* End PBXVariantGroup section */ + +/* Begin XCBuildConfiguration section */ + C27AD1960987FCDB001272E0 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + }; + name = Debug; + }; + C27AD1990987FCDB001272E0 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + }; + name = Release; + }; + C27AD1A00987FCDB001272E0 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF881474F5B600FD79DF /* debug.xcconfig */; + buildSettings = { + EXECUTABLE_PREFIX = ""; + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(SRCROOT)", + ); + PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_tokend_client; + }; + name = Debug; + }; + C27AD1A30987FCDB001272E0 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF8A1474F5B600FD79DF /* release.xcconfig */; + buildSettings = { + EXECUTABLE_PREFIX = ""; + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(SRCROOT)", + ); + PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_tokend_client; + }; + name = Release; + }; + C27AD1A50987FCDB001272E0 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF881474F5B600FD79DF /* debug.xcconfig */; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + DYLIB_COMPATIBILITY_VERSION = 1; + DYLIB_CURRENT_VERSION = "$(CURRENT_PROJECT_VERSION)"; + EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/lib/SecurityTokend.exp"; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(BUILT_PRODUCTS_DIR)/derived_src", + ); + INFOPLIST_FILE = "Info-SecurityTokend.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + C27AD1A80987FCDB001272E0 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF8A1474F5B600FD79DF /* release.xcconfig */; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_64_BIT)"; + DYLIB_COMPATIBILITY_VERSION = 1; + DYLIB_CURRENT_VERSION = "$(CURRENT_PROJECT_VERSION)"; + EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/lib/SecurityTokend.exp"; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(BUILT_PRODUCTS_DIR)/derived_src", + ); + INFOPLIST_FILE = "Info-SecurityTokend.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + C27AD1AF0987FCDB001272E0 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF891474F5B600FD79DF /* project.xcconfig */; + buildSettings = { + }; + name = Debug; + }; + C27AD1B20987FCDB001272E0 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 1865FF891474F5B600FD79DF /* project.xcconfig */; + buildSettings = { + }; + name = Release; + }; +/* End XCBuildConfiguration section */ + +/* Begin XCConfigurationList section */ + C27AD1950987FCDB001272E0 /* Build configuration list for PBXLegacyTarget "generate mig" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + C27AD1960987FCDB001272E0 /* Debug */, + C27AD1990987FCDB001272E0 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + C27AD19F0987FCDB001272E0 /* Build configuration list for PBXNativeTarget "libsecurity_tokend_client" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + C27AD1A00987FCDB001272E0 /* Debug */, + C27AD1A30987FCDB001272E0 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + C27AD1A40987FCDB001272E0 /* Build configuration list for PBXNativeTarget "SecurityTokend" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + C27AD1A50987FCDB001272E0 /* Debug */, + C27AD1A80987FCDB001272E0 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + C27AD1AE0987FCDB001272E0 /* Build configuration list for PBXProject "SecurityTokend" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + C27AD1AF0987FCDB001272E0 /* Debug */, + C27AD1B20987FCDB001272E0 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; +/* End XCConfigurationList section */ + }; + rootObject = 4CA1FEAB052A3C3800F22E42 /* Project object */; +} diff --git a/config/debug.xcconfig b/config/debug.xcconfig new file mode 100644 index 0000000..937d177 --- /dev/null +++ b/config/debug.xcconfig @@ -0,0 +1,3 @@ +GCC_OPTIMIZATION_LEVEL = 0 +GCC_PREPROCESSOR_DEFINITIONS = DEBUG=1 $(inherited) +COPY_PHASE_STRIP = NO diff --git a/config/project.xcconfig b/config/project.xcconfig new file mode 100644 index 0000000..39c7976 --- /dev/null +++ b/config/project.xcconfig @@ -0,0 +1,25 @@ +ARCHS = $(ARCHS_STANDARD_32_64_BIT) +CODE_SIGN_IDENTITY = -; +GCC_VERSION = com.apple.compilers.llvm.clang.1_0 +DEBUG_INFORMATION_FORMAT = dwarf-with-dsym +SDKROOT = +CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion) +VERSIONING_SYSTEM = apple-generic; +DEAD_CODE_STRIPPING = YES; + +FRAMEWORK_SEARCH_PATHS = $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks + +PRODUCT_NAME = $(TARGET_NAME) + +ALWAYS_SEARCH_USER_PATHS = NO + +GCC_C_LANGUAGE_STANDARD = gnu99 + +WARNING_CFLAGS = -Wmost -Wno-four-char-constants -Wno-unknown-pragmas $(inherited) + +GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO + +GCC_WARN_64_TO_32_BIT_CONVERSION = YES +GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES +GCC_WARN_ABOUT_RETURN_TYPE = YES +GCC_WARN_UNUSED_VARIABLE = YES \ No newline at end of file diff --git a/config/release.xcconfig b/config/release.xcconfig new file mode 100644 index 0000000..dc5f876 --- /dev/null +++ b/config/release.xcconfig @@ -0,0 +1,3 @@ +GCC_PREPROCESSOR_DEFINITIONS = NDEBUG=1 $(inherited) +COPY_PHASE_STRIP = YES + diff --git a/lib/SecTokend.cpp b/lib/SecTokend.cpp new file mode 100644 index 0000000..4fc02e0 --- /dev/null +++ b/lib/SecTokend.cpp @@ -0,0 +1,127 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "SecTokend.h" +#include "server.h" +#include + + +namespace Security { +namespace Tokend { + + +using namespace MachPlusPlus; + + +// +// Support callbacks provided for the implementation +// +static const SCARD_READERSTATE *cbStartupReaderInfo() +{ + return &server->startupReaderState(); +} + +static const char *cbTokenUid() +{ + return server->tokenUid(); +} + +static void *cbMalloc(uint32 size) +{ + return malloc(size); +} + +static void cbFree(void *ptr) +{ + return free(ptr); +} + +static void *cbMallocSensitive(uint32 size) +{ + return malloc(size); +} + +static void cbFreeSensitive(void *ptr) +{ + return free(ptr); +} + + +// +// Vector of support functions passed to implementation +// +static SecTokendSupport supportVector = { + cbStartupReaderInfo, + cbTokenUid, + cbMalloc, cbFree, + cbMallocSensitive, cbFreeSensitive +}; + + +extern "C" { + + +// +// The main driver function. +// This is called from the daemon's main() and takes over from there. +// +int SecTokendMain(int argc, const char * argv[], + const SecTokendCallbacks *callbacks, SecTokendSupport *support) +{ + // first, check interface version and abort if we don't support it + if (!callbacks) { + secdebug("tokenlib", "NULL callback structure"); + exit(1); + } + if (callbacks->version != kSecTokendCallbackVersion) { + secdebug("tokenlib", "callback structure is version %d (supporting %d)", + callbacks->version, kSecTokendCallbackVersion); + exit(1); + } + secdebug("tokenlib", "API interface version %d", callbacks->version); + + server = new Server(); + if (!server) + { + secdebug("tokenlib", "can't create server object"); + exit(1); + } + + // set globals (we know by now that the version is okay) + server->callbacks() = *callbacks; + if (support) + *support = supportVector; + + try { + return (*server)(argc, argv, callbacks->flags); + } catch (...) { + secdebug("tokenlib", "server aborted with exception"); + return 1; + } +} + +} // extern "C" + + +} // namespace Tokend +} // namespace Security diff --git a/lib/SecTokend.h b/lib/SecTokend.h new file mode 100644 index 0000000..87120bb --- /dev/null +++ b/lib/SecTokend.h @@ -0,0 +1,230 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecTokend.h + @copyright 2004 Apple Computer, Inc. All Rights Reserved. + @abstract SPIs for creating a tokend. + */ + +#ifndef _SECURITYTOKEND_SECTOKEND_H_ +#define _SECURITYTOKEND_SECTOKEND_H_ 1 + +#include +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + + +// +// Constants and fixed values +// +enum { + kSecTokendCallbackVersion = 11 // interface version for callback structure +}; + +enum { + TOKEND_MAX_UID = 128 // max. length of token identifier string +}; + +// flags to establish() +typedef uint32 SecTokendCallbackFlags; +typedef uint32 SecTokendProbeFlags; +typedef uint32 SecTokendEstablishFlags; + +enum { + // flags in the callback structure passed to SecTokendMain() + kSecTokendCallbacksDefault = 0, // default flags in callbacks struct + + // flags to probe() + kSecTokendProbeDefault = 0, // default flags to probe() call + kSecTokendProbeKeepToken = 0x0001, // may keep token connected when returning + + // flags to establish() + kSecTokendEstablishNewCache = 0x0001, // the on-disk cache is new (and empty) + kSecTokendEstablishMakeMDS = 0x0002, // (must) write MDS files to cache + + // test/debug flags (not for normal operation) + kSecTokendCallbacksTestNoServer = 0x0001, // don't start server; return after setup +}; + + +/* + * Common arguments for data retrieval + */ +typedef struct { + CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes; // add attribute values here + CSSM_DATA *data; // store item data there unless NULL + CSSM_HANDLE record; // store record-id here + CSSM_HANDLE keyhandle; // key handle if key, 0 otherwise +} TOKEND_RETURN_DATA; + + +/*! + @typedef + @abstract Functions a particular tokend instance needs to implement + */ +typedef struct +{ + uint32_t version; + SecTokendCallbackFlags flags; + + CSSM_RETURN (*initial)(); + CSSM_RETURN (*probe)(SecTokendProbeFlags flags, uint32 *score, char tokenUid[TOKEND_MAX_UID]); + CSSM_RETURN (*establish)(const CSSM_GUID *guid, uint32 subserviceId, + SecTokendEstablishFlags flags, const char *cacheDirectory, const char *workDirectory, + char mdsDirectory[PATH_MAX], char printName[PATH_MAX]); + CSSM_RETURN (*terminate)(uint32 reason, uint32 options); + + CSSM_RETURN (*findFirst)(const CSSM_QUERY *query, TOKEND_RETURN_DATA *data, + CSSM_HANDLE *hSearch); + CSSM_RETURN (*findNext)(CSSM_HANDLE hSearch, TOKEND_RETURN_DATA *data); + CSSM_RETURN (*findRecordHandle)(CSSM_HANDLE hRecord, TOKEND_RETURN_DATA *data); + CSSM_RETURN (*insertRecord)(CSSM_DB_RECORDTYPE recordType, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, + CSSM_HANDLE *hRecord); + CSSM_RETURN (*modifyRecord)(CSSM_DB_RECORDTYPE recordType, CSSM_HANDLE *hRecord, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, + CSSM_DB_MODIFY_MODE modifyMode); + CSSM_RETURN (*deleteRecord)(CSSM_HANDLE hRecord); + CSSM_RETURN (*releaseSearch)(CSSM_HANDLE hSearch); + CSSM_RETURN (*releaseRecord)(CSSM_HANDLE hRecord); + + CSSM_RETURN (*freeRetrievedData)(TOKEND_RETURN_DATA *data); + + CSSM_RETURN (*releaseKey)(CSSM_HANDLE hKey); + CSSM_RETURN (*getKeySize)(CSSM_HANDLE hKey, CSSM_KEY_SIZE *size); + CSSM_RETURN (*getOutputSize)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + uint32 inputSize, CSSM_BOOL encrypting, uint32 *outputSize); + + CSSM_RETURN (*generateSignature)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + CSSM_ALGORITHMS signOnly, const CSSM_DATA *input, CSSM_DATA *signature); + CSSM_RETURN (*verifySignature)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + CSSM_ALGORITHMS signOnly, const CSSM_DATA *input, const CSSM_DATA *signature); + CSSM_RETURN (*generateMac)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + const CSSM_DATA *input, CSSM_DATA *mac); + CSSM_RETURN (*verifyMac)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + const CSSM_DATA *input, const CSSM_DATA *mac); + CSSM_RETURN (*encrypt)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + const CSSM_DATA *clear, CSSM_DATA *cipher); + CSSM_RETURN (*decrypt)(const CSSM_CONTEXT *context, CSSM_HANDLE hKey, + const CSSM_DATA *cipher, CSSM_DATA *clear); + + CSSM_RETURN (*generateKey)(const CSSM_CONTEXT *context, + const CSSM_ACCESS_CREDENTIALS *creds, const CSSM_ACL_ENTRY_PROTOTYPE *owner, + CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, + CSSM_HANDLE *hKey, CSSM_KEY *header); + CSSM_RETURN (*generateKeyPair)(const CSSM_CONTEXT *context, + const CSSM_ACCESS_CREDENTIALS *creds, const CSSM_ACL_ENTRY_PROTOTYPE *owner, + CSSM_KEYUSE pubUsage, CSSM_KEYATTR_FLAGS pubAttrs, + CSSM_KEYUSE privUsage, CSSM_KEYATTR_FLAGS privAttrs, + CSSM_HANDLE *hPubKey, CSSM_KEY *pubHeader, + CSSM_HANDLE *hPrivKey, CSSM_KEY *privHeader); + + CSSM_RETURN (*wrapKey)(const CSSM_CONTEXT *context, + CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey, const CSSM_ACCESS_CREDENTIALS *cred, + CSSM_HANDLE hKeyToBeWrapped, const CSSM_KEY *keyToBeWrapped, const CSSM_DATA *descriptiveData, + CSSM_KEY *wrappedKey); + CSSM_RETURN (*unwrapKey)(const CSSM_CONTEXT *context, + CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey, const CSSM_ACCESS_CREDENTIALS *cred, + const CSSM_ACL_ENTRY_PROTOTYPE *access, + CSSM_HANDLE hPublicKey, const CSSM_KEY *publicKey, const CSSM_KEY *wrappedKey, + CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attributes, + CSSM_DATA *descriptiveData, + CSSM_HANDLE *hUnwrappedKey, CSSM_KEY *unwrappedKey); + CSSM_RETURN (*deriveKey)(const CSSM_CONTEXT *context, + CSSM_HANDLE hSourceKey, const CSSM_KEY *sourceKey, const CSSM_ACCESS_CREDENTIALS *cred, + const CSSM_ACL_ENTRY_PROTOTYPE *access, CSSM_DATA *parameters, + CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attributes, + CSSM_HANDLE *hKey, CSSM_KEY *key); + + CSSM_RETURN (*getDatabaseOwner)(CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*getDatabaseAcl)(const char *tag, uint32 *count, CSSM_ACL_ENTRY_INFO **entries); + CSSM_RETURN (*getObjectOwner)(CSSM_HANDLE hRecord, CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*getObjectAcl)(CSSM_HANDLE hRecord, const char *tag, + uint32 *count, CSSM_ACL_ENTRY_INFO **entries); + CSSM_RETURN (*getKeyOwner)(CSSM_HANDLE hKey, CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*getKeyAcl)(CSSM_HANDLE hKey, + const char *tag, uint32 *count, CSSM_ACL_ENTRY_INFO **entries); + + CSSM_RETURN (*freeOwnerData)(CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*freeAclData)(uint32 count, CSSM_ACL_ENTRY_INFO *entries); + + CSSM_RETURN (*authenticateDatabase)(CSSM_DB_ACCESS_TYPE mode, + const CSSM_ACCESS_CREDENTIALS *cred); + + CSSM_RETURN (*changeDatabaseOwner)(const CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*changeDatabaseAcl)(const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit); + CSSM_RETURN (*changeObjectOwner)(CSSM_HANDLE hRecord, const CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*changeObjectAcl)(CSSM_HANDLE hRecord, const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit); + CSSM_RETURN (*changeKeyOwner)(CSSM_HANDLE key, const CSSM_ACL_OWNER_PROTOTYPE *owner); + CSSM_RETURN (*changeKeyAcl)(CSSM_HANDLE key, const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit); + + CSSM_RETURN (*generateRandom)(const CSSM_CONTEXT *context, CSSM_DATA *result); + CSSM_RETURN (*getStatistics)(CSSM_CSP_OPERATIONAL_STATISTICS *result); + CSSM_RETURN (*getTime)(CSSM_ALGORITHMS algorithm, CSSM_DATA *result); + CSSM_RETURN (*getCounter)(CSSM_DATA *result); + CSSM_RETURN (*selfVerify)(); + + CSSM_RETURN (*cspPassThrough)(uint32 id, const CSSM_CONTEXT *context, + CSSM_HANDLE hKey, const CSSM_KEY *key, const CSSM_DATA *input, CSSM_DATA *output); + CSSM_RETURN (*dlPassThrough)(uint32 id, const CSSM_DATA *input, CSSM_DATA *output); + CSSM_RETURN (*isLocked)(uint32 *locked); + +} SecTokendCallbacks; + + +/* + * + */ +typedef struct { + const SCARD_READERSTATE *(*startupReaderInfo)(); // get reader information + const char *(*tokenUid)(); // uid string in use for this token + void *(*malloc)(uint32 size); // ordinary memory to interface + void (*free)(void *data); // free malloc'ed data + void *(*mallocSensitive)(uint32 size); // sensitive memory to interface + void (*freeSensitive)(void *data); // free mallocSensitive'ed data +} SecTokendSupport; + + +/*! + @function + @abstract call this from main in your program + @param argc The argc passed to main(). + @param argv The argv passed to main(). + @param callbacks Pointer to a SecTokendCallbacks struct containing pointers to all the functions this tokend instance implements. + @description The main of your program should look like: + + int main(argc, argv) { ...Create context... return SecTokendMain(argc, argv, &callbacks, &supportCalls); } + */ +int SecTokendMain(int argc, const char * argv[], const SecTokendCallbacks *callbacks, SecTokendSupport *support); + +#ifdef __cplusplus +} +#endif + +#endif /* _SECURITYTOKEND_SECTOKEND_H_ */ diff --git a/lib/SecurityTokend.exp b/lib/SecurityTokend.exp new file mode 100644 index 0000000..a9cac83 --- /dev/null +++ b/lib/SecurityTokend.exp @@ -0,0 +1,23 @@ +# +# Copyright (c) 2007 Apple Computer, Inc. All Rights Reserved. +# +# @APPLE_LICENSE_HEADER_START@ +# +# This file contains Original Code and/or Modifications of Original Code +# as defined in and that are subject to the Apple Public Source License +# Version 2.0 (the 'License'). You may not use this file except in +# compliance with the License. Please obtain a copy of the License at +# http://www.opensource.apple.com/apsl/ and read it before using this +# file. +# +# The Original Code and all software distributed under the License are +# distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +# EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +# INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +# Please see the License for the specific language governing rights and +# limitations under the License. +# +# @APPLE_LICENSE_HEADER_END@ +# +_SecTokendMain diff --git a/lib/server.cpp b/lib/server.cpp new file mode 100644 index 0000000..81ea39b --- /dev/null +++ b/lib/server.cpp @@ -0,0 +1,122 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +// +// server - master server loop for tokend +// +#include "server.h" +#include "tdclient.h" +#include +#include + +using namespace MachPlusPlus; + + +// +// The MIG-generated server dispatch function +// +extern boolean_t tokend_server(mach_msg_header_t *in, mach_msg_header_t *out); + + +namespace Security { +namespace Tokend { + + +// +// The server singleton +// +Server *server = NULL; + + +// +// Drive the server +// +int Server::operator () (int argc, const char *argv[], SecTokendCallbackFlags flags) +{ + // process command-line arguments as sent by securityd + if (argc != 4) { + secdebug("tokenlib", "invalid argument count (%d)", argc); + Syslog::notice("token daemon invoked with invalid arguments"); + return 2; + } + + // argv[1] == version of wire protocol + const char *versionString = argv[1]; + if (atol(versionString) != TDPROTOVERSION) { + // This would be a mismatch between securityd and the SecurityTokend.framework + // It's NOT a "binary compatibility" mismatch; that got checked for by our caller. + secdebug("tokenlib", "incoming protocol %s expected %d - aborting", + versionString, TDPROTOVERSION); + return 2; + } + + // argv[2] == reader name + mReaderName = argv[2]; + secdebug("tokenlib", "reader '%s' wire protocol %s", mReaderName, versionString); + + // argv[3] == hex coding of reader state, with name() undefined + CssmData::wrap(mStartupReaderState).fromHex(argv[3]); + mStartupReaderState.name(readerName()); // fix name pointer (shipped separately) + +#if !defined(NDEBUG) + // stop right here; do not run the server. We're being run from the command line + if (flags & kSecTokendCallbacksTestNoServer) + return 0; +#endif + + // handshake with securityd + secdebug("tokenlib", "checking in with securityd"); + SecurityServer::ClientSession client(Allocator::standard(), Allocator::standard()); + client.childCheckIn(primaryServicePort(), TaskPort()); + + // start dispatch; from here on securityd is driving us + secdebug("tokenlib", "starting server loop"); + run(); + + // we don't usually return from run(), but just in case + termination(0, 0); +} + + +// +// Handle the terminate message +// +void Server::termination(uint32 reason, uint32 options) +{ + secdebug("tokenlib", "terminate(%d,0x%x) received", reason, options); + if (terminate) + terminate(reason, options); // ignore return code + exit(0); +} + + +// +// MIG handler hook +// +boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out) +{ + return tokend_server(in, out); +} + + +} // namespace Tokend +} // namespace Security diff --git a/lib/server.h b/lib/server.h new file mode 100644 index 0000000..1fd785c --- /dev/null +++ b/lib/server.h @@ -0,0 +1,76 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_TOKEND_SERVER +#define _H_TOKEND_SERVER + + +// +// server - master server loop for tokend +// +#include "SecTokend.h" +#include +#include +#include +#include + +namespace Security { +namespace Tokend { + + +// +// The server class that drives this tokend +// + class Server : public MachPlusPlus::MachServer, public SecTokendCallbacks { +public: + int operator() (int argc, const char *argv[], SecTokendCallbackFlags flags); + + const char *readerName() const { return mReaderName; } + const PCSC::ReaderState &startupReaderState() const { return mStartupReaderState; } + + const char *tokenUid() const { return mTokenUid.c_str(); } + void tokenUid(const char *uid) { mTokenUid = uid; } + + SecTokendCallbacks &callbacks() { return static_cast(*this); } + + void termination(uint32 reason, uint32 options) __attribute__((noreturn)); + +protected: + boolean_t handle(mach_msg_header_t *in, mach_msg_header_t *out); + +private: + const char *mReaderName; + PCSC::ReaderState mStartupReaderState; + std::string mTokenUid; +}; + + +// +// The server singleton +// +extern Server *server; + + +} // namespace Tokend +} // namespace Security + +#endif //_H_TOKEND_SERVER diff --git a/lib/tdclient.cpp b/lib/tdclient.cpp new file mode 100644 index 0000000..c948df9 --- /dev/null +++ b/lib/tdclient.cpp @@ -0,0 +1,77 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// tdclient - Security tokend client interface library +// +#include "tdtransit.h" +#include + +using MachPlusPlus::check; +using MachPlusPlus::Bootstrap; + + +namespace Security { +namespace Tokend { + + +// +// Construct a client session +// +ClientSession::ClientSession(Allocator &std, Allocator &rtn) + : ClientCommon(std, rtn) +{ +} + + +// +// Destroy a session +// +ClientSession::~ClientSession() +{ } + + +// +// The default fault() notifier does nothing +// +void ClientSession::fault() +{ +} + + +// +// Administrativa +// +void ClientSession::servicePort(Port p) +{ + // record service port + assert(!mServicePort); // no overwrite + mServicePort = p; + + // come back if the service port dies (usually a tokend crash) + mServicePort.requestNotify(mReplyPort); +} + + +} // end namespace Tokend +} // end namespace Security diff --git a/lib/tdclient.h b/lib/tdclient.h new file mode 100644 index 0000000..1055365 --- /dev/null +++ b/lib/tdclient.h @@ -0,0 +1,196 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// tdclient - Security tokend client interface library +// +// This interface is private to the Security system. It is not a public interface, +// and it may change at any time. You have been warned. +// +#ifndef _H_TDCLIENT +#define _H_TDCLIENT + +#include +#include +#include +#include + +#define __MigTypeCheck 1 + + +namespace Security { +namespace Tokend { + +using namespace SecurityServer; + + +// +// Securityd/tokend protocol version. +// Tokend must support this or abort immediately (i.e. don't even try to +// bring up the server loop if you don't). +// +#define TDPROTOVERSION 5 + + +// +// A client connection (session) +// +class ClientSession : public ClientCommon { +public: + ClientSession(Allocator &standard, Allocator &returning); + virtual ~ClientSession(); + + Port servicePort() const { return mServicePort; } + +public: + // tokend setup/teardown interface + typedef uint32 Score; + void probe(Score &score, std::string &tokenUid); + void establish(Guid &guid, uint32 subserviceID, + uint32 flags, const char *cacheDirectory, const char *workDirectory, + char mdsDirectory[PATH_MAX], char printName[PATH_MAX]); + void terminate(uint32 reason, uint32 options); + + // search/retrieve interface + RecordHandle findFirst(const CssmQuery &query, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + SearchHandle &hSearch, CssmData *outData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); + RecordHandle findNext(SearchHandle hSearch, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + CssmData *outData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); + void findRecordHandle(RecordHandle record, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + CssmData *inOutData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); + void insertRecord(CSSM_DB_RECORDTYPE recordType, + const CssmDbRecordAttributeData *attributes, size_t attributesLength, + const CssmData &data, RecordHandle &hRecord); + void modifyRecord(CSSM_DB_RECORDTYPE recordType, RecordHandle &hRecord, + const CssmDbRecordAttributeData *attributes, size_t attributesLength, + const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode); + void deleteRecord(RecordHandle hRecord); + + void releaseSearch(SearchHandle hSeearch); + void releaseRecord(RecordHandle hRecord); + +public: + // key objects + void releaseKey(KeyHandle key); + + void queryKeySizeInBits(KeyHandle key, CssmKeySize &result); + void getOutputSize(const Security::Context &context, KeyHandle key, + uint32 inputSize, bool encrypt, uint32 &result); + + // encrypt/decrypt + void encrypt(const Security::Context &context, KeyHandle key, + const CssmData &in, CssmData &out); + void decrypt(const Security::Context &context, KeyHandle key, + const CssmData &in, CssmData &out); + + // signatures + void generateSignature(const Security::Context &context, KeyHandle key, + const CssmData &data, CssmData &signature, + CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE); + void verifySignature(const Security::Context &context, KeyHandle key, + const CssmData &data, const CssmData &signature, + CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE); + + // MACs + void generateMac(const Security::Context &context, KeyHandle key, + const CssmData &data, CssmData &mac); + void verifyMac(const Security::Context &context, KeyHandle key, + const CssmData &data, const CssmData &mac); + +public: + // key generation and derivation + void generateKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *owner, + uint32 keyUsage, uint32 keyAttr, + KeyHandle &hKey, CssmKey *&key); + void generateKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *owner, + CSSM_KEYUSE pubKeyUsage, CSSM_KEYATTR_FLAGS pubKeyAttr, + CSSM_KEYUSE privKeyUsage, CSSM_KEYATTR_FLAGS privKeyAttr, + KeyHandle &hPublic, CssmKey *&publicKey, + KeyHandle &hPrivate, CssmKey *&privateKey); + //void generateAlgorithmParameters(); // not implemented + +public: + // key wrapping and unwrapping + void wrapKey(const Security::Context &context, const AccessCredentials *cred, + KeyHandle hWrappingKey, const CssmKey *wrappingKey, + KeyHandle hSubjectKey, const CssmKey *subjectKey, + const CssmData &descriptiveData, CssmWrappedKey *&wrappedKey); + void unwrapKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *owner, + KeyHandle hSourceKey, const CssmKey *sourceKey, + KeyHandle hPublicKey, const CssmKey *publicKey, + const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr, + CssmData &data, KeyHandle &hUnwrappedKey, CssmKey *&unwrappedKey); + + // key derivation + void deriveKey(DbHandle db, const Security::Context &context, + KeyHandle hBaseKey, const CssmKey *baseKey, + uint32 keyUsage, uint32 keyAttr, CssmData ¶m, + const AccessCredentials *cred, const AclEntryPrototype *owner, + KeyHandle &hDerivedKey, CssmKey *&derivedKey); + + void generateRandom(CssmData &data); + +public: + // access control + void authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred); + + void getAcl(AclKind kind, GenericHandle key, const char *tag, + uint32 &count, AclEntryInfo * &info); + void changeAcl(AclKind kind, GenericHandle key, + const AccessCredentials &cred, const AclEdit &edit); + void getOwner(AclKind kind, GenericHandle key, AclOwnerPrototype *&owner); + void changeOwner(AclKind kind, GenericHandle key, const AccessCredentials &cred, + const AclOwnerPrototype &edit); + + bool isLocked(); + +public: + virtual void fault(); // called if tokend connection fails + +protected: + void servicePort(Port p); + +private: + void check(kern_return_t rc); + +private: + Port mServicePort; // tokend's service port + ReceivePort mReplyPort; // the reply port we use +}; + + +} // end namespace Tokend +} // end namespace Security + + +#endif //_H_TDCLIENT + diff --git a/lib/tdtransit.cpp b/lib/tdtransit.cpp new file mode 100644 index 0000000..959f955 --- /dev/null +++ b/lib/tdtransit.cpp @@ -0,0 +1,535 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// tdtransit - security tokend client library transition code. +// +#include "tdtransit.h" +#include "tokend.h" +#include + + +namespace Security { +namespace Tokend { + +static void copyDataFromIPC(void *dataPtr, mach_msg_type_number_t dataLength, CssmData *outData); + +using MachPlusPlus::VMGuard; + + +void ClientSession::check(kern_return_t rc) +{ + switch (rc) { + case KERN_SUCCESS: + return; + case MIG_SERVER_DIED: + fault(); + CssmError::throwMe(CSSM_ERRCODE_DEVICE_FAILED); + default: + MachPlusPlus::check(rc); + } +} + + +// +// DataOutput helper. +// This happens "at the end" of a glue method, via the DataOutput destructor. +// +DataOutput::~DataOutput() +{ + // @@@ Why are we setting up a VMGuard if mData is NULL? + VMGuard _(mData, mLength); + if (mData) { // was assigned to; IPC returned OK + if (argument) { // buffer was provided + if (argument.length() < mLength) + CssmError::throwMe(CSSMERR_CSP_OUTPUT_LENGTH_ERROR); + argument.length(mLength); + } else { // allocate buffer + argument = CssmData(allocator.malloc(mLength), mLength); + } + memcpy(argument.data(), mData, mLength); + } +} + + +// +// Create a packaged-up Context for IPC transmission. +// In addition to collecting the context into a contiguous blob for transmission, +// we also evaluate CssmCryptoData callbacks at this time. +// +SendContext::SendContext(const Security::Context &ctx) : context(ctx) +{ + CssmCryptoData cryptoDataValue; // holding area for CssmCryptoData element + IFDEBUG(uint32 cryptoDataUsed = 0); + Context::Builder builder(Allocator::standard()); + for (unsigned n = 0; n < ctx.attributesInUse(); n++) { + switch (ctx[n].baseType()) { + case CSSM_ATTRIBUTE_DATA_CRYPTO_DATA: { + CssmCryptoData &data = ctx[n]; // extract CssmCryptoData value + cryptoDataValue = data(); // evaluate callback (if any) + builder.setup(&cryptoDataValue); // use evaluted value + IFDEBUG(cryptoDataUsed++); + break; + } + default: + builder.setup(ctx[n]); + break; + } + } + attributeSize = builder.make(); + for (unsigned n = 0; n < ctx.attributesInUse(); n++) { + const Context::Attr &attr = ctx[n]; + switch (attr.baseType()) { + case CSSM_ATTRIBUTE_DATA_CRYPTO_DATA: + builder.put(attr.type(), &cryptoDataValue); + break; + default: + builder.put(attr); + break; + } + } + uint32 count; // not needed + builder.done(attributes, count); + assert(cryptoDataUsed <= 1); // no more than one slot converted +} + + +// +// Setup and basic control +// +void ClientSession::probe(Score &score, std::string &tokenUid) +{ + char uid[PATH_MAX]; + IPC(tokend_client_probe(TOKEND_ARGS, &score, uid)); + tokenUid = uid; +} + + +void ClientSession::establish(Guid &guid, uint32 ssid, + uint32 flags, const char *cacheDirectory, const char *workDirectory, + char mdsDirectory[PATH_MAX], char printName[PATH_MAX]) +{ + IPC(tokend_client_establish(TOKEND_ARGS, guid, ssid, + flags, cacheDirectory, workDirectory, mdsDirectory, printName)); +} + + +// +// The soft kiss-of-death. This is a one-way RPC; no reply is sent or received; +// the call returns immediately. +// +void ClientSession::terminate(uint32 reason, uint32 options) +{ + IPC((rcode = CSSM_OK, tokend_client_terminate(mServicePort, reason, options))); +} + + +// +// Data search/retrieval interface +// +RecordHandle ClientSession::findFirst(const CssmQuery &query, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + SearchHandle &hSearch, CssmData *outData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength) +{ + Copier theQuery(&query, internalAllocator); + void *dataPtr; mach_msg_type_number_t dataLength; + RecordHandle hRecord; + CssmDbRecordAttributeData *outAttributesBase; + CssmDbRecordAttributeData *tmpOutAttributes = NULL; + IPC(tokend_client_findFirst(TOKEND_ARGS, COPY(theQuery), COPYFLAT(inAttributes), + outData != NULL, &dataPtr, &dataLength, &hKey, + &tmpOutAttributes, &outAttributesLength, &outAttributesBase, + &hSearch, &hRecord)); +// DataOutput out_data(data, returnAllocator); + if (outAttributesLength) + { + outAttributes = static_cast(malloc(outAttributesLength)); + memcpy(outAttributes, tmpOutAttributes, outAttributesLength); + relocate(outAttributes, outAttributesBase); + } + else + outAttributes = NULL; + copyDataFromIPC(dataPtr, dataLength, outData); + if (tmpOutAttributes) + mig_deallocate(reinterpret_cast(tmpOutAttributes), outAttributesLength); + return hRecord; +} + +RecordHandle ClientSession::findNext(SearchHandle hSearch, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + CssmData *outData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength) +{ + void *dataPtr; mach_msg_type_number_t dataLength; + RecordHandle hRecord; + CssmDbRecordAttributeData *outAttributesBase; + CssmDbRecordAttributeData *tmpOutAttributes = NULL; + IPC(tokend_client_findNext(TOKEND_ARGS, hSearch, COPYFLAT(inAttributes), + outData != NULL, &dataPtr, &dataLength, &hKey, + &tmpOutAttributes, &outAttributesLength, &outAttributesBase, + &hRecord)); + if (outAttributesLength) + { + outAttributes = static_cast(malloc(outAttributesLength)); + memcpy(outAttributes, tmpOutAttributes, outAttributesLength); + relocate(outAttributes, outAttributesBase); + } + else + outAttributes = NULL; + copyDataFromIPC(dataPtr, dataLength, outData); + if (tmpOutAttributes) + mig_deallocate(reinterpret_cast(tmpOutAttributes), outAttributesLength); + return hRecord; +} + +void ClientSession::findRecordHandle(RecordHandle hRecord, + CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, + CssmData *outData, KeyHandle &hKey, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength) +{ + void *dataPtr; mach_msg_type_number_t dataLength; + CssmDbRecordAttributeData *outAttributesBase; + CssmDbRecordAttributeData *tmpOutAttributes = NULL; + IPC(tokend_client_findRecordHandle(TOKEND_ARGS, hRecord, COPYFLAT(inAttributes), + outData != NULL, &dataPtr, &dataLength, &hKey, + &tmpOutAttributes, &outAttributesLength, &outAttributesBase)); + if (outAttributesLength) + { + outAttributes = static_cast(malloc(outAttributesLength)); + memcpy(outAttributes, tmpOutAttributes, outAttributesLength); + relocate(outAttributes, outAttributesBase); + } + else + outAttributes = NULL; + if (tmpOutAttributes) + mig_deallocate(reinterpret_cast(tmpOutAttributes), outAttributesLength); + copyDataFromIPC(dataPtr, dataLength, outData); +} + +void ClientSession::insertRecord(CSSM_DB_RECORDTYPE recordType, + const CssmDbRecordAttributeData *inAttributes, size_t attributesLength, + const CssmData &data, RecordHandle &hRecord) +{ + CssmDbRecordAttributeData *attributes = const_cast(inAttributes); + IPC(tokend_client_insertRecord(TOKEND_ARGS, recordType, COPYFLAT(attributes), + DATA(data), &hRecord)); +} + +void ClientSession::modifyRecord(CSSM_DB_RECORDTYPE recordType, RecordHandle &hRecord, + const CssmDbRecordAttributeData *inAttributes, size_t attributesLength, + const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode) +{ + CssmDbRecordAttributeData *attributes = const_cast(inAttributes); + IPC(tokend_client_modifyRecord(TOKEND_ARGS, recordType, &hRecord, COPYFLAT(attributes), + data != NULL, OPTIONALDATA(data), modifyMode)); +} + +void ClientSession::deleteRecord(RecordHandle hRecord) +{ + IPC(tokend_client_deleteRecord(TOKEND_ARGS, hRecord)); +} + +void ClientSession::releaseSearch(SearchHandle hSearch) +{ + IPC(tokend_client_releaseSearch(TOKEND_ARGS, hSearch)); +} + +void ClientSession::releaseRecord(RecordHandle hRecord) +{ + IPC(tokend_client_releaseRecord(TOKEND_ARGS, hRecord)); +} + + +// +// Key management and inquiry +// +void ClientSession::releaseKey(KeyHandle hKey) +{ + IPC(tokend_client_releaseKey(TOKEND_ARGS, hKey)); +} + +void ClientSession::queryKeySizeInBits(KeyHandle hKey, CssmKeySize &result) +{ + IPC(tokend_client_queryKeySizeInBits(TOKEND_ARGS, hKey, &result)); +} + + +void ClientSession::getOutputSize(const Context &context, KeyHandle hKey, + uint32 inputSize, bool encrypt, uint32 &result) +{ + SendContext ctx(context); + IPC(tokend_client_getOutputSize(TOKEND_ARGS, CONTEXT(ctx), hKey, inputSize, encrypt, &result)); +} + + +// +// Signatures and MACs +// +void ClientSession::generateSignature(const Context &context, KeyHandle hKey, + const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm) +{ + SendContext ctx(context); + DataOutput sig(signature, returnAllocator); + IPC(tokend_client_generateSignature(TOKEND_ARGS, CONTEXT(ctx), hKey, signOnlyAlgorithm, + DATA(data), DATA(sig))); +} + +void ClientSession::verifySignature(const Context &context, KeyHandle hKey, + const CssmData &data, const CssmData &signature, CSSM_ALGORITHMS verifyOnlyAlgorithm) +{ + SendContext ctx(context); + IPC(tokend_client_verifySignature(TOKEND_ARGS, CONTEXT(ctx), hKey, verifyOnlyAlgorithm, + DATA(data), DATA(signature))); +} + + +void ClientSession::generateMac(const Context &context, KeyHandle hKey, + const CssmData &data, CssmData &signature) +{ + SendContext ctx(context); + DataOutput sig(signature, returnAllocator); + IPC(tokend_client_generateMac(TOKEND_ARGS, CONTEXT(ctx), hKey, + DATA(data), DATA(sig))); +} + +void ClientSession::verifyMac(const Context &context, KeyHandle hKey, + const CssmData &data, const CssmData &signature) +{ + SendContext ctx(context); + IPC(tokend_client_verifyMac(TOKEND_ARGS, CONTEXT(ctx), hKey, + DATA(data), DATA(signature))); +} + + +// +// Encryption/Decryption +// + +void ClientSession::encrypt(const Context &context, KeyHandle hKey, + const CssmData &clear, CssmData &cipher) +{ + SendContext ctx(context); + DataOutput cipherOut(cipher, returnAllocator); + IPC(tokend_client_encrypt(TOKEND_ARGS, CONTEXT(ctx), hKey, DATA(clear), DATA(cipherOut))); +} + +void ClientSession::decrypt(const Context &context, KeyHandle hKey, + const CssmData &cipher, CssmData &clear) +{ + SendContext ctx(context); + DataOutput clearOut(clear, returnAllocator); + IPC(tokend_client_decrypt(TOKEND_ARGS, CONTEXT(ctx), hKey, DATA(cipher), DATA(clearOut))); +} + + +// +// Key generation +// +void ClientSession::generateKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *proto, + uint32 keyUsage, uint32 keyAttr, + KeyHandle &hKey, CssmKey *&key) +{ + SendContext ctx(context); + Copier creds(cred, internalAllocator); + Copier owner(proto, internalAllocator); + CssmKey *keyBase; mach_msg_type_number_t keyLength; + IPC(tokend_client_generateKey(TOKEND_ARGS, CONTEXT(ctx), + COPY(creds), COPY(owner), keyUsage, keyAttr, &hKey, COPY_OUT(key))); + relocate(key, keyBase); +} + +void ClientSession::generateKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *proto, + CSSM_KEYUSE pubKeyUsage, CSSM_KEYATTR_FLAGS pubKeyAttr, + CSSM_KEYUSE privKeyUsage, CSSM_KEYATTR_FLAGS privKeyAttr, + KeyHandle &hPubKey, CssmKey *&pubKey, + KeyHandle &hPrivKey, CssmKey *&privKey) +{ + SendContext ctx(context); + Copier creds(cred, internalAllocator); + Copier owner(proto, internalAllocator); + CssmKey *pubKeyBase; mach_msg_type_number_t pubKeyLength; + CssmKey *privKeyBase; mach_msg_type_number_t privKeyLength; + IPC(tokend_client_generateKeyPair(TOKEND_ARGS, CONTEXT(ctx), + COPY(creds), COPY(owner), + pubKeyUsage, pubKeyAttr, privKeyUsage, privKeyAttr, + &hPubKey, COPY_OUT(pubKey), &hPrivKey, COPY_OUT(privKey))); + relocate(pubKey, pubKeyBase); + relocate(privKey, privKeyBase); +} + + +// +// Key wrapping and unwrapping +// +void ClientSession::wrapKey(const Context &context, const AccessCredentials *cred, + KeyHandle hWrappingKey, const CssmKey *wrappingKey, + KeyHandle hSubjectKey, const CssmKey *subjectKey, + const CssmData &descriptiveData, CssmWrappedKey *&wrappedKey) +{ + SendContext ctx(context); + Copier creds(cred, internalAllocator); + Copier cWrappingKey(wrappingKey, internalAllocator); + Copier cSubjectKey(subjectKey, internalAllocator); + CssmKey *wrappedKeyBase; mach_msg_type_number_t wrappedKeyLength; + IPC(tokend_client_wrapKey(TOKEND_ARGS, CONTEXT(ctx), hWrappingKey, COPY(cWrappingKey), COPY(creds), + hSubjectKey, COPY(cSubjectKey), DATA(descriptiveData), COPY_OUT(wrappedKey))) +} + +void ClientSession::unwrapKey(const Security::Context &context, + const AccessCredentials *cred, const AclEntryPrototype *proto, + KeyHandle hWrappingKey, const CssmKey *wrappingKey, + KeyHandle hPublicKey, const CssmKey *publicKey, + const CssmWrappedKey &wrappedKey, uint32 usage, uint32 attrs, + CssmData &descriptiveData, KeyHandle &hKey, CssmKey *&key) +{ + SendContext ctx(context); + Copier creds(cred, internalAllocator); + Copier owner(proto, internalAllocator); + Copier cWrappingKey(wrappingKey, internalAllocator); + Copier cPublicKey(publicKey, internalAllocator); + Copier cWrappedKey(&wrappedKey, internalAllocator); + CssmKey *tmpKeyBase; mach_msg_type_number_t tmpKeyLength; + CssmKey *tmpKey; + DataOutput descriptor(descriptiveData, returnAllocator); + IPC(tokend_client_unwrapKey(TOKEND_ARGS, CONTEXT(ctx), hWrappingKey, COPY(cWrappingKey), + COPY(creds), COPY(owner), hPublicKey, COPY(cPublicKey), + COPY(cWrappedKey), usage, attrs, DATA(descriptor), + &hKey, COPY_OUT(tmpKey))); + relocate(tmpKey, tmpKeyBase); + key = chunkCopy(tmpKey); +} + + +// +// Key derivation +// +void ClientSession::deriveKey(DbHandle db, const Context &context, + KeyHandle hBaseKey, const CssmKey *baseKey, + uint32 keyUsage, uint32 keyAttr, CssmData ¶m, + const AccessCredentials *cred, const AclEntryPrototype *proto, + KeyHandle &hKey, CssmKey *&key) +{ + SendContext ctx(context); + Copier creds(cred, internalAllocator); + Copier owner(proto, internalAllocator); + Copier cBaseKey(baseKey, internalAllocator); + CssmDeriveData inForm(param, context.algorithm()); + Copier inParam(&inForm, internalAllocator); + CssmKey *keyBase; mach_msg_type_number_t keyLength; + DataOutput paramOutput(param, returnAllocator); + IPC(tokend_client_deriveKey(TOKEND_ARGS, CONTEXT(ctx), hBaseKey, COPY(cBaseKey), + COPY(creds), COPY(owner), COPY(inParam), DATA(paramOutput), + keyUsage, keyAttr, &hKey, COPY_OUT(key))); +} + + +// +// ACL getting/setting interface. +// Note that this layer, unlike the securityd-client one, does not return its +// output data as separate allocated (chunked) copies. It returns its data +// directly as a (relocated) flat blob. +// +void ClientSession::getAcl(AclKind kind, GenericHandle key, const char *tag, + uint32 &count, AclEntryInfo * &info) +{ + AclEntryInfo *infoBase; + mach_msg_type_number_t infoLength; + IPC(tokend_client_getAcl(TOKEND_ARGS, kind, key, + (tag != NULL), tag ? tag : "", + &count, COPY_OUT(info))); + + // relocate incoming AclEntryInfo array + ReconstituteWalker relocator(info, infoBase); + for (uint32 n = 0; n < count; n++) + walk(relocator, info[n]); +} + +void ClientSession::changeAcl(AclKind kind, GenericHandle key, + const AccessCredentials &cred, const AclEdit &edit) +{ + Copier creds(&cred, internalAllocator); + Copier infos(edit.newEntry(), internalAllocator); + IPC(tokend_client_changeAcl(TOKEND_ARGS, kind, key, COPY(creds), + edit.mode(), edit.handle(), COPY(infos))); +} + +void ClientSession::getOwner(AclKind kind, GenericHandle handle, AclOwnerPrototype *&owner) +{ + AclOwnerPrototype *ownerBase; mach_msg_type_number_t ownerLength; + IPC(tokend_client_getOwner(TOKEND_ARGS, kind, handle, COPY_OUT(owner))); + // turn the returned AclOwnerPrototype into its proper output form + relocate(owner, ownerBase); +} + +void ClientSession::changeOwner(AclKind kind, GenericHandle key, const AccessCredentials &cred, + const AclOwnerPrototype &edit) +{ + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); +} + + +void ClientSession::authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred) +{ + Copier creds(cred, internalAllocator); + IPC(tokend_client_authenticate(TOKEND_ARGS, mode, COPY(creds))); +} + +bool ClientSession::isLocked() +{ + uint32 locked = 0; + IPC(tokend_client_isLocked(TOKEND_ARGS, &locked)); + return locked; +} + +static void copyDataFromIPC(void *dataPtr, mach_msg_type_number_t dataLength, CssmData *outData) +{ + if (!outData || !dataPtr) + return; + + /* + securityd leaks VM memory during certain smartcard operations + The preceeding IPC call to tokend_client_findRecordHandle() vm_allocates()s the memory + for returning dataPtr. The rest of the system wants to treat this memory as a CssmData object + and call free() on it. But free() won't work for vm_allocate()d memory, so copy the data into + heap memory. + */ + + void *newData = malloc(dataLength); + if (newData == NULL) + CssmError::throwMe(CSSM_ERRCODE_MEMORY_ERROR); + + memcpy(newData, dataPtr, dataLength); + *outData = CssmData(newData, dataLength); + +// secdebug(who, "dataPtr (%p), dataLength (%d); newData (%p)", dataPtr, dataLength, newData); + + mig_deallocate(reinterpret_cast(dataPtr), (vm_size_t)dataLength); +} + + +} // namespace Tokend +} // namespace Security diff --git a/lib/tdtransit.h b/lib/tdtransit.h new file mode 100644 index 0000000..624c873 --- /dev/null +++ b/lib/tdtransit.h @@ -0,0 +1,111 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// +// WARNING! HERE BE DRAGONS! +// This code involves moderately arcane magic including (but not limited to) +// dancing macros paired off with self-maintaining stack objects. Don't take +// anything for granted! Be very afraid of ALL-CAPS names. Your best bet is +// probably to stick with the existing patterns. +// +#ifndef _H_TDTRANSIT +#define _H_TDTRANSIT + +#include +#include +#include +#include "tokend_types.h" +#include "tokend.h" + +namespace Security { +namespace Tokend { + + +// stock leading argument profile used by all calls +#define TOKEND_ARGS mServicePort, mReplyPort, &rcode + +// IPC wraps the actual MIG call +#define IPC(statement) \ + { CSSM_RETURN rcode; check(statement); if (rcode != CSSM_OK) CssmError::throwMe(rcode); } + +// pass mandatory or optional CssmData arguments into an IPC call +#define DATA(arg) arg.data(), arg.length() +#define OPTIONALDATA(arg) (arg ? arg->data() : NULL), (arg ? arg->length() : 0) + +// pass structured arguments in/out of IPC calls. See "data walkers" for details +#define COPY(copy) copy, copy.length(), copy +#define COPYFLAT(copy) copy, copy##Length, copy +#define COPY_OUT(copy) ©, ©##Length, ©##Base +#define COPY_OUT_DECL(type,name) type *name, *name##Base; mach_msg_type_number_t name##Length + + +// +// DataOutput manages an output CssmData argument. +// +class DataOutput { +public: + DataOutput(CssmData &arg, Allocator &alloc) + : argument(arg), allocator(alloc) { mData = NULL; mLength = 0; } + ~DataOutput(); + + void **data() { return &mData; } + mach_msg_type_number_t *length() { return &mLength; } + + CssmData &argument; + Allocator &allocator; + +private: + void *mData; + mach_msg_type_number_t mLength; +}; + + +// +// Bundle up a Context for IPC transmission +// +class SendContext { +public: + SendContext(const Context &ctx); + ~SendContext() { Allocator::standard().free(attributes); } + + const Context &context; + CSSM_CONTEXT_ATTRIBUTE *attributes; + size_t attributeSize; +}; + +#define CONTEXT(ctx) ctx.context, ctx.attributes, ctx.attributes, ctx.attributeSize + + +// +// A PodWrapper for TOKEND_RETURN_DATA (used in the tokend APIs) +// +class TokendReturnData : public PodWrapper { +public: +}; + + +} // namespace Tokend +} // namespace Security + +#endif //_H_TDTRANSIT diff --git a/lib/tokend_types.h b/lib/tokend_types.h new file mode 100644 index 0000000..c047619 --- /dev/null +++ b/lib/tokend_types.h @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// securityd-tokend interface types +// +#ifndef _H_TOKEND_TYPES +#define _H_TOKEND_TYPES + + +#include + + +typedef Tokend::ClientSession::Score TokenScore; +typedef char *TokenUidString; + + +// +// Customization macros for MIG code +// +#define __AfterSendRpc(id, name) \ + if (msg_result == MACH_MSG_SUCCESS && Out0P->Head.msgh_id == MACH_NOTIFY_DEAD_NAME) \ + return MIG_SERVER_DIED; + +#define UseStaticTemplates 0 + +#endif //_H_TOKEND_TYPES diff --git a/lib/transit.cpp b/lib/transit.cpp new file mode 100644 index 0000000..2896a36 --- /dev/null +++ b/lib/transit.cpp @@ -0,0 +1,161 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#include "transit.h" + + +namespace Security { +namespace Tokend { + + +// +// Relocation support +// +void relocate(Context &context, void *base, Context::Attr *attrs, uint32 attrSize) +{ + ReconstituteWalker relocator(attrs, base); + context.ContextAttributes = attrs; // fix context->attr vector link + for (uint32 n = 0; n < context.attributesInUse(); n++) + walk(relocator, context[n]); +} + + +// +// Data search and retrieval interface +// +DataRetrieval::DataRetrieval(CssmDbRecordAttributeData *inAttributes, bool getData) +{ + this->attributes = inAttributes; + this->data = getData ? &mData : NULL; + this->record = CSSM_INVALID_HANDLE; + this->keyhandle = CSSM_INVALID_HANDLE; +} + + +DataRetrieval::~DataRetrieval() +{ +} + + +void DataRetrieval::returnData(KeyHandle &hKey, RecordHandle &hRecord, + void *&outData, mach_msg_type_number_t &outDataLength, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength, + CssmDbRecordAttributeData *&outAttributesBase) +{ + Copier outCopy(CssmDbRecordAttributeData::overlay(this->attributes)); + outAttributesLength = outCopy.length(); + outAttributes = outAttributesBase = outCopy.keep(); + if (this->data) { + outData = this->data->Data; + outDataLength = this->data->Length; + } else { + outData = NULL; + outDataLength = 0; + } + + /* + "record" and "keyhandle" below come from the underlying TOKEND_RETURN_DATA, + and are native-sized quantities. These need to be converted to a client + handle (32 bit) + */ + + hKey = (this->keyhandle)?TokendHandleObject::make(this->keyhandle)->ipcHandle():0; + hRecord = (this->record)?TokendHandleObject::make(this->record)->ipcHandle():0; + + server->freeRetrievedData(this); + //@@@ deferred-release outAttributes == Copier +} + +/* + Cheat sheet + + CSSM_HANDLE + - native size, 64 bit or 32 bit + - passed along to Tokend e.g. Tokend::Token::_findRecordHandle + - passed e.g. as CALL(findNext, ...) + + RecordHandle & SearchHandle + - always 32 bit + - returned to callers through SecurityTokend interface +*/ + +TokendHandleObject::TokendHandleObject(CSSM_HANDLE cssmh) : mTokendHandle(cssmh) +{ + thmstate().add(ipcHandle(), this); +} + +TokendHandleObject::~TokendHandleObject() +{ + thmstate().erase(ipcHandle()); +} + + +ModuleNexus TokendHandleObject::thmstate; + +TokendHandleObject::TokendHandleMapState::TokendHandleMapState() +{ +} + +// static factory method +TokendHandleObject *TokendHandleObject::make(CSSM_HANDLE cssmh) +{ + // This will create a new TokendHandleObject, add it to the map, and return + // the value of the newly created object + if (!cssmh) + CssmError::throwMe(CSSMERR_CSSM_INVALID_ADDIN_HANDLE); + return new TokendHandleObject(cssmh); +} + +// static method +CSSM_HANDLE TokendHandleObject::findTDHandle(TokendHandleObject::TransitHandle thdl) +{ + /* + Find a handle that we can pass along to tokend. We do this so that Tokend + can return different errors for different calls -- even if we don't find + it in our map, we will still call out to Tokend. It might be better to + use a distinctive non-zero value for the bad handle for tracking + */ + const CSSM_HANDLE knownBadHandle = 0; // for now + + if (!thdl) + return knownBadHandle; + + TokendHandleMap::const_iterator it = thmstate().find(thdl); + return (it == thmstate().end()) ? knownBadHandle : it->second->tokendHandle(); +} + +void TokendHandleObject::TokendHandleMapState::add(TransitHandle thdl, TokendHandleObject *tho) +{ + StLock _(*this); + thmstate().insert(thmstate().end(), make_pair(thdl,tho)); +} + +void TokendHandleObject::TokendHandleMapState::erase(TransitHandle thdl) +{ + StLock _(*this); + // @@@ check cssmh, don't erase if not valid + TokendHandleMap::erase(thdl); +} + +} // namespace Tokend +} // namespace Security + diff --git a/lib/transit.h b/lib/transit.h new file mode 100644 index 0000000..a67abb1 --- /dev/null +++ b/lib/transit.h @@ -0,0 +1,191 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_TRANSIT +#define _H_TRANSIT + +#include "tdclient.h" +#include "tokend.h" +#include "server.h" +#include +#include +#include +#include + + +namespace Security { +namespace Tokend { + + +using namespace Security::Tokend; +using namespace Security::DataWalkers; + + +#define TOKEND_ARGS \ + mach_port_t servicePort, mach_port_t replyPort, CSSM_RETURN *rcode + +#define CONTEXT_ARGS Context context, Pointer contextBase, Context::Attr *attributes, mach_msg_type_number_t attrSize + +#define BEGIN_IPC *rcode = CSSM_OK; try { +#define END_IPC(base) } \ + catch (const CommonError &err) { *rcode = CssmError::cssmError(err, CSSM_ ## base ## _BASE_ERROR); } \ + catch (const std::bad_alloc &) { *rcode = CssmError::merge(CSSM_ERRCODE_MEMORY_ERROR, CSSM_ ## base ## _BASE_ERROR); } \ + catch (...) { *rcode = CssmError::cssmError(CSSM_ERRCODE_INTERNAL_ERROR, CSSM_ ## base ## _BASE_ERROR); } \ + return KERN_SUCCESS; + +#define DATA_IN(base) void *base, mach_msg_type_number_t base##Length +#define DATA_OUT(base) void **base, mach_msg_type_number_t *base##Length +#define DATA(base) CssmData(base, base##Length) + +#define COPY_IN(type,name) type *name, mach_msg_type_number_t name##Length, type *name##Base +#define COPY_OUT(type,name) \ + type **name, mach_msg_type_number_t *name##Length, type **name##Base + + +#define CALL(func,args) { \ + if (server->func) \ + { if (*rcode = server->func args) return KERN_SUCCESS; /* and rcode */ } \ + else \ + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); } + + +using LowLevelMemoryUtilities::increment; +using LowLevelMemoryUtilities::difference; + + +// +// An OutputData object will take memory allocated within the SecurityServer, +// hand it to the MIG return-output parameters, and schedule it to be released +// after the MIG reply has been sent. It will also get rid of it in case of +// error. +// +class OutputData : public CssmData { +public: + OutputData(void **outP, mach_msg_type_number_t *outLength) + : mData(*outP), mLength(*outLength) { } + ~OutputData() + { mData = data(); mLength = length(); server->releaseWhenDone(Allocator::standard(), mData); } + + void operator = (const CssmData &source) + { CssmData::operator = (source); } + +private: + void * &mData; + mach_msg_type_number_t &mLength; +}; + + +// +// A local copy of a structured return value (COPY_OUT form), self-managing +// +template +class Return : public T { +public: + Return(T **p, mach_msg_type_number_t *l, T **b) + : ptr(*p), len(*l), base(*b) { ptr = NULL; } + ~Return(); + +private: + T *&ptr; + mach_msg_type_number_t &len; + T *&base; +}; + +template +Return::~Return() +{ + Copier copier(static_cast(this), Allocator::standard()); + ptr = base = copier; + len = copier.length(); + server->releaseWhenDone(Allocator::standard(), copier.keep()); +} + + +// +// Relocation support +// +void relocate(Context &context, void *base, Context::Attr *attrs, uint32 attrSize); + + +// +// Data search and retrieval interface +// +class DataRetrieval : public TOKEND_RETURN_DATA { +public: + DataRetrieval(CssmDbRecordAttributeData *inAttributes, bool getData); + ~DataRetrieval(); + void returnData(KeyHandle &hKey, RecordHandle &hRecord, + void *&outData, mach_msg_type_number_t &outDataLength, + CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttrLength, + CssmDbRecordAttributeData *&outAttributesBase); + +private: + CssmData mData; +}; + +// +// Tokend handles <---> client-IPC handles +// the "key" into the map is the 32 bit handle, the value is 64 bit (i.e. native) +// +class TokendHandle : public TypedHandle +{ +public: + TokendHandle(CSSM_HANDLE cssmh) : TypedHandle(cssmh) { } + virtual ~TokendHandle() { } +}; + +class TokendHandleObject : public U32HandleObject +{ + +public: + // typedef TypedHandle TokendHandle; + typedef uint32_t TransitHandle; // maybe should be U32HandleObject::Handle + +public: + static TokendHandleObject *make(CSSM_HANDLE cssmh); + static CSSM_HANDLE findTDHandle(TransitHandle thdl); + + TokendHandleObject(CSSM_HANDLE tokendh); + virtual ~TokendHandleObject(); + CSSM_HANDLE tokendHandle() const { return mTokendHandle.handle(); } + U32HandleObject::Handle ipcHandle() const { return U32HandleObject::handle(); } + +private: + TokendHandle mTokendHandle; + + // key,value + typedef std::map TokendHandleMap; + class TokendHandleMapState : public Mutex, public TokendHandleMap + { + public: + TokendHandleMapState(); + bool handleInUse(CSSM_HANDLE cssmh); + void add(TransitHandle thdl, TokendHandleObject *tho); + void erase(TransitHandle thdl); + }; + static ModuleNexus thmstate; +}; + +} // namespace Tokend +} // namespace Security + +#endif //_H_TRANSIT diff --git a/lib/transition.cpp b/lib/transition.cpp new file mode 100644 index 0000000..257f525 --- /dev/null +++ b/lib/transition.cpp @@ -0,0 +1,645 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#include "transit.h" + +using namespace Security::Tokend; + + +// +// Server inbound transition layer. +// These are C functions in the global namespace, called by the MIG dispatch. +// + + +// +// Probe: Examine token, determine score, and generate token uid string +// +kern_return_t tokend_server_probe(TOKEND_ARGS, TokenScore *score, TokenUidString uid) +{ + BEGIN_IPC + uid[0] = '\0'; // default to no uid obtained + CALL(probe, (kSecTokendCallbacksDefault, score, uid)); + // We do not support 32 bit tokends on 10.6 and later + // since securityd always runs 64 bit + if (sizeof(int*) == 4) + { + Syslog::error("32-bit tokends not supported"); + CssmError::throwMe(CSSMERR_CSP_DEVICE_ERROR); + } + uid[TOKEND_MAX_UID-1] = '\0'; // enforce null termination + server->tokenUid(uid); + END_IPC(CSSM) +} + + +// +// Establish: take securityd's information and stash it away; +// determine MDS resources and return them. +// +kern_return_t tokend_server_establish(TOKEND_ARGS, + CSSM_GUID guid, uint32 ssid, SecTokendEstablishFlags flags, + const char *cacheDirectory, const char *workDirectory, + char mdsDirectory[PATH_MAX], char printName[PATH_MAX]) +{ + BEGIN_IPC + mdsDirectory[0] = '\0'; // default to all resources + printName[0] = '\0'; // default to no print name + CALL(establish, (&guid, ssid, flags, cacheDirectory, workDirectory, mdsDirectory, printName)); + END_IPC(CSSM) +} + + +// +// Induce termination +// +kern_return_t tokend_server_terminate(mach_port_t servicePort, uint32 reason, uint32 options) +{ + server->termination(reason, options); +} + + +// +// Find/retrieve interface +// +kern_return_t tokend_server_findFirst(TOKEND_ARGS, + COPY_IN(CssmQuery, query), + COPY_IN(CssmDbRecordAttributeData, inAttributes), + boolean_t getData, DATA_OUT(outData), KeyHandle *hKey, + COPY_OUT(CssmDbRecordAttributeData, outAttributes), + SearchHandle *hSearch, RecordHandle *hRecord) +{ + BEGIN_IPC + relocate(query, queryBase); + relocate(inAttributes, inAttributesBase); + DataRetrieval interface(inAttributes, getData); + CSSM_HANDLE searchHandle = 0; + *hSearch = 0; // to prevent uninitialized value when following CALL ends with exception + CALL(findFirst, (query, &interface, &searchHandle)); + interface.returnData(*hKey, *hRecord, *outData, *outDataLength, + *outAttributes, *outAttributesLength, *outAttributesBase); + /* + findFirst and findNext do not return an error if nothing was found. + Instead, hKey and hRecord are set to 0. In this case, we don't want to + set up a search handle + */ + if (searchHandle) + *hSearch = TokendHandleObject::make(searchHandle)->ipcHandle(); + server->releaseWhenDone(Allocator::standard(), *outAttributes); + END_IPC(DL) +} + + +kern_return_t tokend_server_findNext(TOKEND_ARGS, SearchHandle hSearch, + COPY_IN(CssmDbRecordAttributeData, inAttributes), + boolean_t getData, DATA_OUT(outData), KeyHandle *hKey, + COPY_OUT(CssmDbRecordAttributeData, outAttributes), + RecordHandle *hRecord) +{ + BEGIN_IPC + relocate(inAttributes, inAttributesBase); + DataRetrieval interface(inAttributes, getData); + CSSM_HANDLE searchHandle = TokendHandleObject::findTDHandle(hSearch); + CALL(findNext, (searchHandle, &interface)); + interface.returnData(*hKey, *hRecord, *outData, *outDataLength, + *outAttributes, *outAttributesLength, *outAttributesBase); + server->releaseWhenDone(Allocator::standard(), *outAttributes); + END_IPC(DL) +} + + +kern_return_t tokend_server_findRecordHandle(TOKEND_ARGS, RecordHandle hRecord, + COPY_IN(CssmDbRecordAttributeData, inAttributes), + boolean_t getData, DATA_OUT(outData), KeyHandle *hKey, + COPY_OUT(CssmDbRecordAttributeData, outAttributes)) +{ + BEGIN_IPC + relocate(inAttributes, inAttributesBase); + DataRetrieval interface(inAttributes, getData); + CSSM_HANDLE recordHandle = TokendHandleObject::findTDHandle(hRecord); + CALL(findRecordHandle, (recordHandle, &interface)); + interface.returnData(*hKey, hRecord, *outData, *outDataLength, + *outAttributes, *outAttributesLength, *outAttributesBase); + server->releaseWhenDone(Allocator::standard(), *outAttributes); + END_IPC(DL) +} + + +kern_return_t tokend_server_insertRecord(TOKEND_ARGS, CSSM_DB_RECORDTYPE recordType, + COPY_IN(CssmDbRecordAttributeData, attributes), DATA_IN(data), + RecordHandle *hRecord) +{ + BEGIN_IPC + relocate(attributes, attributesBase); + const CssmData dataBlob(DATA(data)); + CSSM_HANDLE recordHandle; + CALL(insertRecord, (recordType, attributes, data ? &dataBlob : NULL, &recordHandle)); + *hRecord = TokendHandleObject::make(recordHandle)->ipcHandle(); + END_IPC(DL) +} + + +kern_return_t tokend_server_modifyRecord(TOKEND_ARGS, CSSM_DB_RECORDTYPE recordType, + RecordHandle *hRecord, COPY_IN(CssmDbRecordAttributeData, attributes), + boolean_t setData, DATA_IN(data), CSSM_DB_MODIFY_MODE modifyMode) +{ + BEGIN_IPC + relocate(attributes, attributesBase); + const CssmData dataBlob(DATA(data)); + CSSM_HANDLE recordHandle; + CALL(modifyRecord, (recordType, &recordHandle, attributes, + setData ? &dataBlob : NULL, modifyMode)); + *hRecord = TokendHandleObject::make(recordHandle)->ipcHandle(); + END_IPC(DL) +} + + +kern_return_t tokend_server_deleteRecord(TOKEND_ARGS, RecordHandle hRecord) +{ + BEGIN_IPC + CSSM_HANDLE recordHandle = TokendHandleObject::findTDHandle(hRecord); + CALL(deleteRecord, (recordHandle)); + END_IPC(DL) +} + + +kern_return_t tokend_server_releaseSearch(TOKEND_ARGS, SearchHandle hSearch) +{ + BEGIN_IPC + CSSM_HANDLE searchHandle = TokendHandleObject::findTDHandle(hSearch); + CALL(releaseSearch, (searchHandle)); + END_IPC(DL) +} + +kern_return_t tokend_server_releaseRecord(TOKEND_ARGS, RecordHandle hRecord) +{ + BEGIN_IPC + CSSM_HANDLE recordHandle = TokendHandleObject::findTDHandle(hRecord); + CALL(releaseRecord, (recordHandle)); + END_IPC(DL) +} + + +// +// Key management +// +kern_return_t tokend_server_releaseKey(TOKEND_ARGS, KeyHandle hKey) +{ + BEGIN_IPC + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(releaseKey, (keyHandle)); + END_IPC(DL) +} + +kern_return_t tokend_server_queryKeySizeInBits(TOKEND_ARGS, KeyHandle hKey, + CSSM_KEY_SIZE *size) +{ + BEGIN_IPC + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(getKeySize, (keyHandle, size)); + END_IPC(CSP) +} + +kern_return_t tokend_server_getOutputSize(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + uint32 inputSize, boolean_t encrypt, uint32 *outputSize) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(getOutputSize, (&context, keyHandle, inputSize, encrypt, outputSize)); + END_IPC(CSP) +} + + +// +// Signatures and MACs +// +kern_return_t tokend_server_generateSignature(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + CSSM_ALGORITHMS signOnlyAlgorithm, DATA_IN(data), DATA_OUT(signature)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData dataBlob(DATA(data)); + OutputData sigData(signature, signatureLength); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(generateSignature, (&context, keyHandle, signOnlyAlgorithm, + &dataBlob, &sigData)); + END_IPC(CSP) +} + +kern_return_t tokend_server_verifySignature(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + CSSM_ALGORITHMS verifyOnlyAlgorithm, DATA_IN(data), DATA_IN(signature)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData dataBlob(DATA(data)); + const CssmData signatureBlob(DATA(signature)); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(verifySignature, (&context, keyHandle, verifyOnlyAlgorithm, &dataBlob, &signatureBlob)); + END_IPC(CSP) +} + +kern_return_t tokend_server_generateMac(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + DATA_IN(data), DATA_OUT(mac)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData dataBlob(DATA(data)); + OutputData macData(mac, macLength); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(generateMac, (&context, keyHandle, &dataBlob, &macData)); + END_IPC(CSP) +} + +kern_return_t tokend_server_verifyMac(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + DATA_IN(data), DATA_IN(mac)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData dataBlob(DATA(data)); + const CssmData macBlob(DATA(mac)); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(verifyMac, (&context, keyHandle, &dataBlob, &macBlob)); + END_IPC(CSP) +} + + +// +// Encryption/Decryption +// +kern_return_t tokend_server_encrypt(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + DATA_IN(clear), DATA_OUT(cipher)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData clearBlob(DATA(clear)); + OutputData cipherOut(cipher, cipherLength); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(encrypt, (&context, keyHandle, &clearBlob, &cipherOut)); + END_IPC(CSP) +} + +kern_return_t tokend_server_decrypt(TOKEND_ARGS, CONTEXT_ARGS, KeyHandle hKey, + DATA_IN(cipher), DATA_OUT(clear)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + const CssmData cipherBlob(DATA(cipher)); + OutputData clearOut(clear, clearLength); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(decrypt, (&context, keyHandle, &cipherBlob, &clearOut)); + END_IPC(CSP) +} + + +// +// Key generation +// +kern_return_t tokend_server_generateKey(TOKEND_ARGS, CONTEXT_ARGS, + COPY_IN(AccessCredentials, cred), COPY_IN(AclEntryPrototype, owner), + uint32 usage, uint32 attrs, KeyHandle *hKey, COPY_OUT(CssmKey, key)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(cred, credBase); + relocate(owner, ownerBase); + Return rKey(key, keyLength, keyBase); + CSSM_HANDLE keyHandle; + CALL(generateKey, (&context, cred, owner, usage, attrs, &keyHandle, &rKey)); + *hKey = TokendHandleObject::make(keyHandle)->ipcHandle(); + END_IPC(CSP) +} + +kern_return_t tokend_server_generateKeyPair(TOKEND_ARGS, CONTEXT_ARGS, + COPY_IN(AccessCredentials, cred), COPY_IN(AclEntryPrototype, owner), + CSSM_KEYUSE pubUsage, CSSM_KEYATTR_FLAGS pubAttrs, + CSSM_KEYUSE privUsage, CSSM_KEYATTR_FLAGS privAttrs, + KeyHandle *hPubKey, COPY_OUT(CssmKey, pubKey), + KeyHandle *hPrivKey, COPY_OUT(CssmKey, privKey)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(cred, credBase); + relocate(owner, ownerBase); + Return rPubKey(pubKey, pubKeyLength, pubKeyBase); + Return rPrivKey(privKey, privKeyLength, privKeyBase); + CSSM_HANDLE cssmPubKey, cssmPrivKey; + CALL(generateKeyPair, (&context, cred, owner, + pubUsage, pubAttrs, privUsage, privAttrs, + &cssmPubKey, &rPubKey, &cssmPrivKey, &rPrivKey)); + *hPubKey = TokendHandleObject::make(cssmPubKey)->ipcHandle(); + *hPrivKey = TokendHandleObject::make(cssmPrivKey)->ipcHandle(); + END_IPC(CSP) +} + + +// +// Key wrapping and unwrapping +// +kern_return_t tokend_server_wrapKey(TOKEND_ARGS, CONTEXT_ARGS, + KeyHandle hWrappingKey, COPY_IN(CssmKey, wrappingKey), + COPY_IN(AccessCredentials, cred), + KeyHandle hSubjectKey, COPY_IN(CssmKey, subjectKey), + DATA_IN(descriptiveData), COPY_OUT(CssmWrappedKey, wrappedKey)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(cred, credBase); + relocate(wrappingKey, wrappingKeyBase); + relocate(subjectKey, subjectKeyBase); + CssmData ddata(DATA(descriptiveData)); + Return rKey(wrappedKey, wrappedKeyLength, wrappedKeyBase); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hSubjectKey); + CALL(wrapKey, (&context, hWrappingKey, wrappingKey, cred, + keyHandle, subjectKey, descriptiveData ? &ddata : NULL, &rKey)); + END_IPC(CSP) +} + +kern_return_t tokend_server_unwrapKey(TOKEND_ARGS, CONTEXT_ARGS, + KeyHandle hWrappingKey, COPY_IN(CssmKey, wrappingKey), + COPY_IN(AccessCredentials, cred), COPY_IN(AclEntryPrototype, owner), + KeyHandle hPublicKey, COPY_IN(CssmKey, publicKey), + COPY_IN(CssmWrappedKey, wrappedKey), + uint32 usage, uint32 attrs, DATA_OUT(descriptiveData), + KeyHandle *hUnwrappedKey, COPY_OUT(CssmKey, unwrappedKey)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(cred, credBase); + relocate(owner, ownerBase); + relocate(wrappingKey, wrappingKeyBase); + relocate(publicKey, publicKeyBase); + relocate(wrappedKey, wrappedKeyBase); + Return rKey(unwrappedKey, unwrappedKeyLength, unwrappedKeyBase); + OutputData descriptives(descriptiveData, descriptiveDataLength); + CSSM_HANDLE cssmUnwrappedKey; + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hPublicKey); + CSSM_HANDLE wrapKeyHandle = TokendHandleObject::findTDHandle(hWrappingKey); + CALL(unwrapKey, (&context, wrapKeyHandle, wrappingKey, cred, owner, + keyHandle, publicKey, wrappedKey, + usage, attrs, &descriptives, &cssmUnwrappedKey, &rKey)); + *hUnwrappedKey = TokendHandleObject::make(cssmUnwrappedKey)->ipcHandle(); + END_IPC(CSP) +} + + +// +// Key derivation. +// +kern_return_t tokend_server_deriveKey(TOKEND_ARGS, CONTEXT_ARGS, + KeyHandle hBaseKey, COPY_IN(CssmKey, baseKey), + COPY_IN(AccessCredentials, cred), COPY_IN(AclEntryPrototype, owner), + COPY_IN(CssmDeriveData,paramInput), DATA_OUT(paramOutput), + CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, + KeyHandle *hKey, COPY_OUT(CssmKey, key)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(cred, credBase); + relocate(owner, ownerBase); + relocate(baseKey, baseKeyBase); + relocate(paramInput, paramInputBase); + if (!paramInput || paramInput->algorithm != context.algorithm()) + CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_ALG_PARAMS); + Return rKey(key, keyLength, keyBase); + CSSM_HANDLE cssmKeyHandle; + CALL(deriveKey, (&context, hBaseKey, baseKey, cred, owner, ¶mInput->baseData, + usage, attrs, &cssmKeyHandle, &rKey)); + *hKey = TokendHandleObject::make(cssmKeyHandle)->ipcHandle(); + OutputData(paramOutput, paramOutputLength) = paramInput->baseData; + END_IPC(CSP) +} + + +// +// Random generation +// +kern_return_t tokend_server_generateRandom(TOKEND_ARGS, CONTEXT_ARGS, DATA_OUT(result)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + OutputData results(result, resultLength); + CALL(generateRandom, (&context, &results)); + END_IPC(CSP) +} + + +// +// ACL management. +// Watch out for the memory-management tap-dance. +// +kern_return_t tokend_server_getOwner(TOKEND_ARGS, AclKind kind, GenericHandle hHandle, + COPY_OUT(AclOwnerPrototype, owner)) +{ + BEGIN_IPC + Return proto(owner, ownerLength, ownerBase); + switch (kind) { + case dbAcl: + CALL(getDatabaseOwner, (&proto)); + break; + case keyAcl: + { + CSSM_HANDLE tdHandle = TokendHandleObject::findTDHandle(hHandle); + CALL(getKeyOwner, (tdHandle, &proto)); + } + break; + case objectAcl: + { + CSSM_HANDLE tdHandle = TokendHandleObject::findTDHandle(hHandle); + CALL(getObjectOwner, (tdHandle, &proto)); + } + break; + case loginAcl: + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); + } + END_IPC(CSP) +} + +kern_return_t tokend_server_setOwner(TOKEND_ARGS, AclKind kind, GenericHandle key, + COPY_IN(AccessCredentials, cred), COPY_IN(AclOwnerPrototype, owner)) +{ + BEGIN_IPC + relocate(cred, credBase); + relocate(owner, ownerBase); + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); + END_IPC(CSP) +} + +kern_return_t tokend_server_getAcl(TOKEND_ARGS, AclKind kind, GenericHandle hObject, + boolean_t haveTag, const char *inTag, + uint32 *countp, COPY_OUT(AclEntryInfo, acls)) +{ + BEGIN_IPC + const char *tag = haveTag ? inTag : NULL; + AclEntryInfo *infos; + switch (kind) { + case dbAcl: + CALL(getDatabaseAcl, (tag, countp, (CSSM_ACL_ENTRY_INFO**)&infos)); + break; + case keyAcl: + { + CSSM_HANDLE tdHandle = TokendHandleObject::findTDHandle(hObject); + CALL(getKeyAcl, (tdHandle, tag, countp, (CSSM_ACL_ENTRY_INFO**)&infos)); + } + break; + case objectAcl: + { + CSSM_HANDLE tdHandle = TokendHandleObject::findTDHandle(hObject); + CALL(getObjectAcl, (tdHandle, tag, countp, (CSSM_ACL_ENTRY_INFO**)&infos)); + } + break; + case loginAcl: + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); + } + + // package up (count, infos) as a return blob + Copier aclsOut(infos, *countp); + *aclsLength = aclsOut.length(); + *acls = *aclsBase = aclsOut; + aclsOut.keep(); + server->releaseWhenDone(Allocator::standard(), *acls); + END_IPC(CSP) +} + +kern_return_t tokend_server_changeAcl(TOKEND_ARGS, AclKind kind, GenericHandle key, + COPY_IN(AccessCredentials, cred), CSSM_ACL_EDIT_MODE mode, CSSM_ACL_HANDLE handle, + COPY_IN(AclEntryInput, acl)) +{ + BEGIN_IPC + relocate(cred, credBase); + relocate(acl, aclBase); + AclEdit edit(mode, handle, acl); + switch (kind) { + case dbAcl: + CALL(changeDatabaseAcl, (cred, &edit)); + break; + case keyAcl: + { + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(key); + CALL(changeKeyAcl, (keyHandle, cred, &edit)); + } + break; + case objectAcl: + { + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(key); + CALL(changeObjectAcl, (keyHandle, cred, &edit)); + } + break; + case loginAcl: + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); + } + END_IPC(CSP) +} + + +kern_return_t tokend_server_authenticate(TOKEND_ARGS, + CSSM_DB_ACCESS_TYPE mode, COPY_IN(AccessCredentials, cred)) +{ + BEGIN_IPC + relocate(cred, credBase); + CALL(authenticateDatabase, (mode, cred)); + END_IPC(DL) +} + + +kern_return_t tokend_server_login(TOKEND_ARGS, COPY_IN(AccessCredentials, cred), DATA_IN(name)) +{ + BEGIN_IPC + relocate(cred, credBase); + //CALL(login, (cred)); + END_IPC(DL) +} + +kern_return_t tokend_server_logout(TOKEND_ARGS) +{ + BEGIN_IPC + //CALL(logout, ()); + END_IPC(DL) +} + + +// +// Miscellaneous CSP-related calls +// +kern_return_t tokend_server_getStatistics(TOKEND_ARGS, CSPOperationalStatistics *statistics) +{ + BEGIN_IPC + CALL(getStatistics, (statistics)); + END_IPC(CSP) +} + +kern_return_t tokend_server_getTime(TOKEND_ARGS, CSSM_ALGORITHMS algorithm, DATA_OUT(data)) +{ + BEGIN_IPC + OutputData datas(data, dataLength); + CALL(getTime, (algorithm, &datas)); + END_IPC(CSP) +} + +kern_return_t tokend_server_getCounter(TOKEND_ARGS, DATA_OUT(data)) +{ + BEGIN_IPC + OutputData datas(data, dataLength); + CALL(getCounter, (&datas)); + END_IPC(CSP) +} + +kern_return_t tokend_server_selfVerify(TOKEND_ARGS) +{ + BEGIN_IPC + CALL(selfVerify, ()); + END_IPC(CSP) +} + + +// +// Passthrough calls (separate for CSP and DL passthroughs) +// +kern_return_t tokend_server_cspPassThrough(TOKEND_ARGS, uint32 id, CONTEXT_ARGS, + KeyHandle hKey, COPY_IN(CssmKey, key), DATA_IN(inData), DATA_OUT(outData)) +{ + BEGIN_IPC + relocate(context, contextBase, attributes, attrSize); + relocate(key, keyBase); + const CssmData inDataBlob(DATA(inData)); + OutputData outputs(outData, outDataLength); + CSSM_HANDLE keyHandle = TokendHandleObject::findTDHandle(hKey); + CALL(cspPassThrough, (id, &context, keyHandle, key, inData ? &inDataBlob : NULL, &outputs)); + END_IPC(CSP) +} + +kern_return_t tokend_server_dlPassThrough(TOKEND_ARGS, uint32 id, + DATA_IN(inData), DATA_OUT(outData)) +{ + BEGIN_IPC + const CssmData inDataBlob(DATA(inData)); + OutputData outputs(outData, outDataLength); + CALL(dlPassThrough, (id, inData ? &inDataBlob : NULL, &outputs)); + END_IPC(DL) +} + +kern_return_t tokend_server_isLocked(TOKEND_ARGS, uint32 *locked) +{ + BEGIN_IPC + CALL(isLocked, (locked)); + END_IPC(DL) +} diff --git a/mig/mig.mk b/mig/mig.mk new file mode 100644 index 0000000..9332110 --- /dev/null +++ b/mig/mig.mk @@ -0,0 +1,50 @@ +# +# Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved. +# +# @APPLE_LICENSE_HEADER_START@ +# +# This file contains Original Code and/or Modifications of Original Code +# as defined in and that are subject to the Apple Public Source License +# Version 2.0 (the 'License'). You may not use this file except in +# compliance with the License. Please obtain a copy of the License at +# http://www.opensource.apple.com/apsl/ and read it before using this +# file. +# +# The Original Code and all software distributed under the License are +# distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +# EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +# INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +# Please see the License for the specific language governing rights and +# limitations under the License. +# +# @APPLE_LICENSE_HEADER_END@ +# +# Makefile to build MIG-generated sources and headers +# +DEFS = $(SRCROOT)/mig/tokend.defs +DERIVED_SRC = $(BUILT_PRODUCTS_DIR)/derived_src +HEADER = $(DERIVED_SRC)/tokend.h +HDRS = $(HEADER) +SERVER = $(DERIVED_SRC)/tokendServer.cpp +CLIENT = $(DERIVED_SRC)/tokendClient.cpp +SRCS = $(SERVER) $(CLIENT) +SDKROOT := $(shell xcrun --show-sdk-path --sdk macosx.internal) + +build: $(HDRS) $(SRCS) + +install: build + +installhdrs: $(HDRS) + +installsrc: + +clean: + rm -f $(HDRS) $(SRCS) + +$(SRCS) $(HDRS): $(DEFS) + mkdir -p $(DERIVED_SRC) + xcrun mig -isysroot "$(SDKROOT)" $(MIGFLAGS) \ + -server $(SERVER) \ + -user $(CLIENT) \ + -header $(HEADER) $(DEFS) diff --git a/mig/tokend.defs b/mig/tokend.defs new file mode 100644 index 0000000..8793c1f --- /dev/null +++ b/mig/tokend.defs @@ -0,0 +1,187 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header tokend.defs + @abstract Mach RPC interface between securityd and tokend. + */ + +#include +#include +#include + +subsystem tokend 2000; +serverprefix tokend_server_; +userprefix tokend_client_; + +import "tokend.h"; +import "tdclient.h"; +import ; + + +type TokenScore = uint32_t; +type EstablishFlags = uint32_t; +type TokenUidString = c_string[*:256]; //@@@ initial guess + + +/* + * Common argument profiles + */ +#define TOKEND_PORTS requestport sport: mach_port_t; \ + replyport rport: mach_port_make_send_t; \ + out rcode: CSSM_RETURN + + +// +// Setup and control calls +// +routine probe(TOKEND_PORTS; out score: TokenScore; out uid: TokenUidString); + +routine establish(TOKEND_PORTS; in guid: Guid; in ssid: uint32; + in state: uint32; in cacheDirectory: FilePath; in workDirectory: FilePath; + out mdsDirectory: FilePathOut; out printName: FilePathOut); + +simpleroutine terminate(requestport sport: mach_port_t; in reason: uint32; in options: uint32); + + +// +// DL I/O and search functions +// +routine findFirst(TOKEND_PORTS; IN_BLOB(query,CssmQuery); + IN_BLOB(inAttributes,CssmDbRecordAttributeData); + in getData: boolean_t; out data: Data; out hKey: KeyHandle; + OUT_BLOB(outAttributes,CssmDbRecordAttributeData); + out search: SearchHandle; out record: RecordHandle); + +routine findNext(TOKEND_PORTS; in hSearch: SearchHandle; + IN_BLOB(inAttributes,CssmDbRecordAttributeData); + in getData: boolean_t; out data: Data; out hKey: KeyHandle; + OUT_BLOB(outAttributes,CssmDbRecordAttributeData); + out record: RecordHandle); + +routine findRecordHandle(TOKEND_PORTS; in hRecord: RecordHandle; + IN_BLOB(inAttributes,CssmDbRecordAttributeData); + in getData: boolean_t; out data: Data; out hKey: KeyHandle; + OUT_BLOB(outAttributes,CssmDbRecordAttributeData)); + +routine insertRecord(TOKEND_PORTS; in recordType: CSSM_DB_RECORDTYPE; + IN_BLOB(attributes,CssmDbRecordAttributeData); + in data: Data; out hRecord: RecordHandle); + +routine modifyRecord(TOKEND_PORTS; in recordType: CSSM_DB_RECORDTYPE; + inout hRecord: RecordHandle; IN_BLOB(attributes,CssmDbRecordAttributeData); + in setData: boolean_t; in data: Data; in modifyMode: CSSM_DB_MODIFY_MODE); + +routine deleteRecord(TOKEND_PORTS; in record: RecordHandle); + +routine releaseSearch(TOKEND_PORTS; in hSearch: SearchHandle); +routine releaseRecord(TOKEND_PORTS; in hRecord: RecordHandle); + + +// +// Key management +// +routine releaseKey(TOKEND_PORTS; in key: KeyHandle); +routine queryKeySizeInBits(TOKEND_PORTS; in key: KeyHandle; out length: CSSM_KEY_SIZE); +routine getOutputSize(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; + in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32); + + +// +// Cryptographic operations +// +routine generateSignature(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; + in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data); +routine verifySignature(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; + in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data); +routine generateMac(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; + in data: Data; out signature: Data); +routine verifyMac(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; + in data: Data; in signature: Data); + +routine encrypt(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; in clear: Data; out cipher: Data); +routine decrypt(TOKEND_PORTS; IN_CONTEXT; in key: KeyHandle; in cipher: Data; out clear: Data); + +routine generateKey(TOKEND_PORTS; IN_CONTEXT; + IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); + in keyUsage: uint32; in keyAttrs: uint32; + out hKey: KeyHandle; out key: CssmKeyBlob; out keyBase: CssmKeyPtr); +routine generateKeyPair(TOKEND_PORTS; IN_CONTEXT; + IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); + in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32; + out hPubKey: KeyHandle; out pubKey: CssmKeyBlob; out pubKeyBase: CssmKeyPtr; + out hPrivKey: KeyHandle; out privKey: CssmKeyBlob; out privKeyBase: CssmKeyPtr); + +routine wrapKey(TOKEND_PORTS; IN_CONTEXT; in hWrappingKey: KeyHandle; IN_BLOB(wrappingKey, CssmKey); + IN_BLOB(accessCredentials,AccessCredentials); + in hSubjectKey: KeyHandle; IN_BLOB(subjectKey, CssmKey); + in data: Data; OUT_BLOB(wrappedKey, CssmKey)); +routine unwrapKey(TOKEND_PORTS; IN_CONTEXT; in hWrappingKey: KeyHandle; IN_BLOB(wrappingKey, CssmKey); + IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); + in hPublicKey: KeyHandle; IN_BLOB(publicKey, CssmKey); IN_BLOB(wrappedKey, CssmKey); + in usage: uint32; in attributes: uint32; out data: Data; + out hKey: KeyHandle; out key: CssmKeyBlob; out keyBase: CssmKeyPtr); +routine deriveKey(TOKEND_PORTS; IN_CONTEXT; in hSourceKey: KeyHandle; IN_BLOB(sourceKey, CssmKey); + IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); + IN_BLOB(paramInput,CssmDeriveData); out paramOutput: Data; + in keyUsage: uint32; in keyAttrs: uint32; + out hKey: KeyHandle; OUT_BLOB(key, CssmKey)); + +routine generateRandom(TOKEND_PORTS; IN_CONTEXT; out data: Data); + + +// +// ACL management +// +routine getOwner(TOKEND_PORTS; in kind: AclKind; in key: GenericHandle; + out proto: AclOwnerPrototypeBlob; out protoBase: AclOwnerPrototypePtr); +routine setOwner(TOKEND_PORTS; in kind: AclKind; in key: GenericHandle; + IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclOwnerPrototype,AclOwnerPrototype)); +routine getAcl(TOKEND_PORTS; in kind: AclKind; in key: GenericHandle; + in haveTag: boolean_t; in tag: CssmString; + out count: uint32; out acls: AclEntryInfoBlob; out aclsBase: AclEntryInfoPtr); +routine changeAcl(TOKEND_PORTS; in kind: AclKind; in key: GenericHandle; + IN_BLOB(accessCredentials,AccessCredentials); + in mode: CSSM_ACL_EDIT_MODE; in handle: CSSM_ACL_HANDLE; + IN_BLOB(aclEntryInput,AclEntryInput)); + +routine authenticate(TOKEND_PORTS; + in mode: CSSM_DB_ACCESS_TYPE; IN_BLOB(accessCredentials, AccessCredentials)); + +routine login(TOKEND_PORTS; IN_BLOB(accessCredentials,AccessCredentials); in name: Data); +routine logout(TOKEND_PORTS); + + +// +// Miscellanea +// +routine getStatistics(TOKEND_PORTS; out statistics: CSPOperationalStatistics); +routine getTime(TOKEND_PORTS; in algorithm: CSSM_ALGORITHMS; out data: Data); +routine getCounter(TOKEND_PORTS; out data: Data); +routine selfVerify(TOKEND_PORTS); + +routine cspPassThrough(TOKEND_PORTS; in id: uint32; IN_CONTEXT; in hKey: KeyHandle; IN_BLOB(key, CssmKey); + in inData: Data; out outData: Data); +routine dlPassThrough(TOKEND_PORTS; in id: uint32; in inData: Data; out outData: Data); + +routine isLocked(TOKEND_PORTS; out locked: uint32); diff --git a/security_tokend_client b/security_tokend_client new file mode 120000 index 0000000..7951405 --- /dev/null +++ b/security_tokend_client @@ -0,0 +1 @@ +lib \ No newline at end of file diff --git a/tokend_test-Info.plist b/tokend_test-Info.plist new file mode 100644 index 0000000..cdc50f6 --- /dev/null +++ b/tokend_test-Info.plist @@ -0,0 +1,20 @@ + + + + + CFBundleDevelopmentRegion + English + CFBundleExecutable + tokend_test + CFBundleIdentifier + com.apple.tokend.test + CFBundleInfoDictionaryVersion + 6.0 + CFBundlePackageType + APPL + CFBundleSignature + ???? + CFBundleVersion + 1.0 + +