#include <SecureObjectSync/SOSCloudCircle.h>
#include <SecureObjectSync/SOSCloudCircleInternal.h>
#include <SecureObjectSync/SOSInternal.h>
#include <SecureObjectSync/SOSPeerInfoCollections.h>
#include <Security/SecBasePriv.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecEntitlements.h>
#include <Security/SecInternal.h>
#include <Security/SecItemPriv.h>
#include <Security/SecPolicyInternal.h>
#include <Security/SecTask.h>
#include <Security/SecuritydXPC.h>
#include <securityd/OTATrustUtilities.h>
#include <securityd/SOSCloudCircleServer.h>
#include <securityd/SecItemServer.h>
#include <securityd/SecLogSettingsServer.h>
#include <securityd/SecOTRRemote.h>
#include <securityd/SecTrustServer.h>
#include <securityd/SecTrustStoreServer.h>
#include <securityd/iCloudTrace.h>
#include <securityd/spi.h>
#include <utilities/SecCFError.h>
#include <utilities/SecCFWrappers.h>
#include <utilities/SecDb.h>
#include <utilities/SecIOFormat.h>
#include <utilities/SecXPCError.h>
#include <utilities/debugging.h>
#include <AssertMacros.h>
#include <CoreFoundation/CFXPCBridge.h>
#include <CoreFoundation/CoreFoundation.h>
#include <asl.h>
#include <bsm/libbsm.h>
#include <ipc/securityd_client.h>
#include <libkern/OSAtomic.h>
#include <mach/mach.h>
#include <mach/message.h>
#include <stdlib.h>
#include <sys/queue.h>
#include <sys/sysctl.h>
#include <syslog.h>
#include <xpc/private.h>
#include <xpc/xpc.h>
#if TARGET_OS_MAC
#include <Security/SecTaskPriv.h>
#endif
static CFStringRef SecTaskCopyStringForEntitlement(SecTaskRef task,
CFStringRef entitlement)
{
CFStringRef value = (CFStringRef)SecTaskCopyValueForEntitlement(task,
entitlement, NULL);
if (value && CFGetTypeID(value) != CFStringGetTypeID()) {
CFRelease(value);
value = NULL;
}
return value;
}
static CFArrayRef SecTaskCopyArrayOfStringsForEntitlement(SecTaskRef task,
CFStringRef entitlement)
{
CFArrayRef value = (CFArrayRef)SecTaskCopyValueForEntitlement(task,
entitlement, NULL);
if (value) {
if (CFGetTypeID(value) == CFArrayGetTypeID()) {
CFIndex ix, count = CFArrayGetCount(value);
for (ix = 0; ix < count; ++ix) {
CFStringRef string = (CFStringRef)CFArrayGetValueAtIndex(value, ix);
if (CFGetTypeID(string) != CFStringGetTypeID()) {
CFRelease(value);
value = NULL;
break;
}
}
} else {
CFRelease(value);
value = NULL;
}
}
return value;
}
static CFStringRef SecTaskCopyApplicationIdentifier(SecTaskRef task) {
return SecTaskCopyStringForEntitlement(task,
kSecEntitlementApplicationIdentifier);
}
static CFArrayRef SecTaskCopySharedWebCredentialDomains(SecTaskRef task) {
return SecTaskCopyArrayOfStringsForEntitlement(task,
kSecEntitlementAssociatedDomains);
}
static CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task) {
CFMutableArrayRef groups = NULL;
CFArrayRef keychainAccessGroups = SecTaskCopyArrayOfStringsForEntitlement(task,
kSecEntitlementKeychainAccessGroups);
CFArrayRef appleSecurityApplicationGroups = SecTaskCopyArrayOfStringsForEntitlement(task,
kSecEntitlementAppleSecurityApplicationGroups);
CFStringRef appID = SecTaskCopyApplicationIdentifier(task);
CFIndex kagLen = keychainAccessGroups ? CFArrayGetCount(keychainAccessGroups) : 0;
CFIndex asagLen = appleSecurityApplicationGroups ? CFArrayGetCount(appleSecurityApplicationGroups) : 0;
#if TARGET_OS_MAC
if ((appID || asagLen) && !SecTaskEntitlementsValidated(task)) {
CFReleaseNull(appID);
asagLen = 0;
}
#endif
CFIndex len = kagLen + asagLen + (appID ? 1 : 0);
if (len) {
groups = CFArrayCreateMutable(kCFAllocatorDefault, len, &kCFTypeArrayCallBacks);
if (kagLen)
CFArrayAppendArray(groups, keychainAccessGroups, CFRangeMake(0, kagLen));
if (appID)
CFArrayAppendValue(groups, appID);
if (asagLen)
CFArrayAppendArray(groups, appleSecurityApplicationGroups, CFRangeMake(0, asagLen));
#if TARGET_IPHONE_SIMULATOR
} else {
secwarning("No keychain access group specified whilst running in simulator, falling back to default set");
groups = (CFMutableArrayRef)CFRetainSafe(SecAccessGroupsGetCurrent());
#endif
}
CFReleaseSafe(appID);
CFReleaseSafe(keychainAccessGroups);
CFReleaseSafe(appleSecurityApplicationGroups);
return groups;
}
static bool SecTaskGetBooleanValueForEntitlement(SecTaskRef task,
CFStringRef entitlement) {
CFStringRef canModify = (CFStringRef)SecTaskCopyValueForEntitlement(task,
entitlement, NULL);
if (!canModify)
return false;
CFTypeID canModifyType = CFGetTypeID(canModify);
bool ok = (CFBooleanGetTypeID() == canModifyType) && CFBooleanGetValue((CFBooleanRef)canModify);
CFRelease(canModify);
return ok;
}
static void with_label_and_password(xpc_object_t message, void (^action)(CFStringRef label, CFDataRef password)) {
const char *label_utf8 = xpc_dictionary_get_string(message, kSecXPCKeyUserLabel);
size_t password_length = 0;
const void *password_data = xpc_dictionary_get_data(message, kSecXPCKeyUserPassword, &password_length);
CFDataRef user_password = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, password_data, password_length, kCFAllocatorNull);
CFStringRef user_label = CFStringCreateWithCString(kCFAllocatorDefault, label_utf8, kCFStringEncodingUTF8);
action(user_label, user_password);
CFReleaseNull(user_password);
CFReleaseNull(user_label);
}
static bool SecXPCDictionarySetChainOptional(xpc_object_t message, const char *key, SecCertificatePathRef path, CFErrorRef *error) {
if (!path)
return true;
xpc_object_t xpc_chain = SecCertificatePathCopyXPCArray(path, error);
if (!xpc_chain)
return false;
xpc_dictionary_set_value(message, key, xpc_chain);
xpc_release(xpc_chain);
return true;
}
static SecCertificateRef SecXPCDictionaryCopyCertificate(xpc_object_t message, const char *key, CFErrorRef *error) {
size_t length = 0;
const void *bytes = xpc_dictionary_get_data(message, key, &length);
if (bytes) {
SecCertificateRef certificate = SecCertificateCreateWithBytes(kCFAllocatorDefault, bytes, length);
if (certificate)
return certificate;
SecError(errSecDecode, error, CFSTR("object for key %s failed to create certificate from data"), key);
} else {
SecError(errSecParam, error, CFSTR("object for key %s missing"), key);
}
return NULL;
}
static bool SecXPCDictionaryCopyCertificates(xpc_object_t message, const char *key, CFArrayRef *certificates, CFErrorRef *error) {
xpc_object_t xpc_certificates = xpc_dictionary_get_value(message, key);
if (!xpc_certificates)
return SecError(errSecAllocate, error, CFSTR("no certs for key %s"), key);
*certificates = SecCertificateXPCArrayCopyArray(xpc_certificates, error);
return *certificates;
}
static bool SecXPCDictionaryCopyCertificatesOptional(xpc_object_t message, const char *key, CFArrayRef *certificates, CFErrorRef *error) {
xpc_object_t xpc_certificates = xpc_dictionary_get_value(message, key);
if (!xpc_certificates) {
*certificates = NULL;
return true;
}
*certificates = SecCertificateXPCArrayCopyArray(xpc_certificates, error);
return *certificates;
}
static bool SecXPCDictionaryCopyPoliciesOptional(xpc_object_t message, const char *key, CFArrayRef *policies, CFErrorRef *error) {
xpc_object_t xpc_policies = xpc_dictionary_get_value(message, key);
if (!xpc_policies) {
if (policies)
*policies = NULL;
return true;
}
*policies = SecPolicyXPCArrayCopyArray(xpc_policies, error);
return *policies != NULL;
}
static SecTrustStoreRef SecXPCDictionaryGetTrustStore(xpc_object_t message, const char *key, CFErrorRef *error) {
SecTrustStoreRef ts = NULL;
CFStringRef domain = SecXPCDictionaryCopyString(message, key, error);
if (domain) {
ts = SecTrustStoreForDomainName(domain, error);
CFRelease(domain);
}
return ts;
}
static bool SecXPCDictionaryGetDouble(xpc_object_t message, const char *key, double *pvalue, CFErrorRef *error) {
*pvalue = xpc_dictionary_get_double(message, key);
if (*pvalue == NAN) {
return SecError(errSecParam, error, CFSTR("object for key %s bad double"), key);
}
return true;
}
static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_object_t event) {
xpc_type_t type = xpc_get_type(event);
__block CFErrorRef error = NULL;
xpc_object_t xpcError = NULL;
xpc_object_t replyMessage = NULL;
SecTaskRef clientTask = NULL;
CFArrayRef accessGroups = NULL;
CFArrayRef domains = NULL;
secdebug("serverxpc", "entering");
if (type == XPC_TYPE_DICTIONARY) {
replyMessage = xpc_dictionary_create_reply(event);
uint64_t operation = xpc_dictionary_get_uint64(event, kSecXPCKeyOperation);
secdebug("serverxpc", "operation: %@ (%" PRIu64 ")", SOSCCGetOperationDescription((enum SecXPCOperation)operation), operation);
bool hasEntitlement;
audit_token_t auditToken = {};
xpc_connection_get_audit_token(connection, &auditToken);
clientTask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken);
accessGroups = SecTaskCopyAccessGroups(clientTask);
if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) {
domains = SecTaskCopySharedWebCredentialDomains(clientTask);
}
hasEntitlement = (operation < kSecXPCOpTryUserCredentials) ||
(clientTask && SecTaskGetBooleanValueForEntitlement(clientTask, kSecEntitlementKeychainCloudCircle));
if (!hasEntitlement) {
CFErrorRef entitlementError = NULL;
SecError(errSecMissingEntitlement, &entitlementError, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation)operation), clientTask, kSecEntitlementKeychainCloudCircle);
secnotice("serverxpc", "MissingEntitlement: %@", entitlementError);
CFReleaseSafe(entitlementError);
}
if (true) {
switch (operation)
{
case sec_item_add_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
if (_SecItemAdd(query, accessGroups, &result, &error) && result) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFRelease(result);
}
CFRelease(query);
}
break;
}
case sec_item_copy_matching_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
if (_SecItemCopyMatching(query, accessGroups, &result, &error) && result) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFRelease(result);
}
CFRelease(query);
}
break;
}
case sec_item_update_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFDictionaryRef attributesToUpdate = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyAttributesToUpdate, &error);
if (attributesToUpdate) {
bool result = _SecItemUpdate(query, attributesToUpdate, accessGroups, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFRelease(attributesToUpdate);
}
CFRelease(query);
}
break;
}
case sec_item_delete_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
bool result = _SecItemDelete(query, accessGroups, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFRelease(query);
}
break;
}
case sec_trust_store_contains_id:
{
SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error);
if (ts) {
CFDataRef digest = SecXPCDictionaryCopyData(event, kSecXPCKeyDigest, &error);
if (digest) {
bool contains;
if (SecTrustStoreContainsCertificateWithDigest(ts, digest, &contains, &error))
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, contains);
CFRelease(digest);
}
}
break;
}
case sec_trust_store_set_trust_settings_id:
{
SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error);
if (ts) {
SecCertificateRef certificate = SecXPCDictionaryCopyCertificate(event, kSecXPCKeyCertificate, &error);
if (certificate) {
CFTypeRef trustSettingsDictOrArray = NULL;
if (SecXPCDictionaryCopyPListOptional(event, kSecXPCKeySettings, &trustSettingsDictOrArray, &error)) {
bool result = _SecTrustStoreSetTrustSettings(ts, certificate, trustSettingsDictOrArray, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFReleaseSafe(trustSettingsDictOrArray);
}
CFRelease(certificate);
}
}
break;
}
case sec_trust_store_remove_certificate_id:
{
SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error);
if (ts) {
CFDataRef digest = SecXPCDictionaryCopyData(event, kSecXPCKeyDigest, &error);
if (digest) {
bool result = SecTrustStoreRemoveCertificateWithDigest(ts, digest, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFRelease(digest);
}
}
break;
}
case sec_delete_all_id:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, _SecItemDeleteAll(&error));
break;
case sec_trust_evaluate_id:
{
CFArrayRef certificates = NULL, anchors = NULL, policies = NULL;
bool anchorsOnly = xpc_dictionary_get_bool(event, kSecTrustAnchorsOnlyKey);
double verifyTime;
if (SecXPCDictionaryCopyCertificates(event, kSecTrustCertificatesKey, &certificates, &error) &&
SecXPCDictionaryCopyCertificatesOptional(event, kSecTrustAnchorsKey, &anchors, &error) &&
SecXPCDictionaryCopyPoliciesOptional(event, kSecTrustPoliciesKey, &policies, &error) &&
SecXPCDictionaryGetDouble(event, kSecTrustVerifyDateKey, &verifyTime, &error)) {
xpc_retain(connection);
CFRetainSafe(clientTask);
xpc_object_t asyncReply = replyMessage;
replyMessage = NULL;
SecTrustServerEvaluateBlock(certificates, anchors, anchorsOnly, policies, verifyTime, accessGroups, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef replyError) {
if (replyError) {
CFRetain(replyError);
} else {
xpc_dictionary_set_int64(asyncReply, kSecTrustResultKey, tr);
SecXPCDictionarySetPListOptional(asyncReply, kSecTrustDetailsKey, details, &replyError) &&
SecXPCDictionarySetPListOptional(asyncReply, kSecTrustInfoKey, info, &replyError) &&
SecXPCDictionarySetChainOptional(asyncReply, kSecTrustChainKey, chain, &replyError);
}
if (replyError) {
secdebug("ipc", "%@ %@ %@", clientTask, SOSCCGetOperationDescription((enum SecXPCOperation)operation), replyError);
xpc_object_t xpcReplyError = SecCreateXPCObjectWithCFError(replyError);
if (xpcReplyError) {
xpc_dictionary_set_value(asyncReply, kSecXPCKeyError, xpcReplyError);
xpc_release(xpcReplyError);
}
CFRelease(replyError);
} else {
secdebug("ipc", "%@ %@ reponding %@", clientTask, SOSCCGetOperationDescription((enum SecXPCOperation)operation), asyncReply);
}
xpc_connection_send_message(connection, asyncReply);
xpc_release(asyncReply);
xpc_release(connection);
CFReleaseSafe(clientTask);
});
}
CFReleaseSafe(policies);
CFReleaseSafe(anchors);
CFReleaseSafe(certificates);
break;
}
case sec_keychain_backup_id:
{
CFDataRef keybag = NULL, passcode = NULL;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybag, &error)) {
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
CFDataRef backup = _SecServerKeychainBackup(keybag, passcode, &error);
if (backup) {
SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, backup, &error);
CFRelease(backup);
}
CFReleaseSafe(passcode);
}
CFReleaseSafe(keybag);
}
break;
}
case sec_keychain_restore_id:
{
CFDataRef backup = SecXPCDictionaryCopyData(event, kSecXPCKeyBackup, &error);
if (backup) {
CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
if (keybag) {
CFDataRef passcode = NULL;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
bool result = _SecServerKeychainRestore(backup, keybag, passcode, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFReleaseSafe(passcode);
}
CFRelease(keybag);
}
CFRelease(backup);
}
break;
}
case sec_keychain_sync_update_key_parameter_id:
{
CFDictionaryRef updates = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (updates) {
CFArrayRef result = _SecServerKeychainSyncUpdateKeyParameter(updates, &error);
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFReleaseNull(result);
}
CFReleaseNull(updates);
break;
}
case sec_keychain_sync_update_circle_id:
{
CFDictionaryRef updates = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (updates) {
CFArrayRef result = _SecServerKeychainSyncUpdateCircle(updates, &error);
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFReleaseNull(result);
}
CFReleaseNull(updates);
break;
}
case sec_keychain_sync_update_message_id:
{
CFDictionaryRef updates = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (updates) {
CFArrayRef result = _SecServerKeychainSyncUpdateMessage(updates, &error);
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFReleaseNull(result);
}
CFReleaseNull(updates);
break;
}
case sec_keychain_backup_syncable_id:
{
CFDictionaryRef oldbackup = NULL;
if (SecXPCDictionaryCopyDictionaryOptional(event, kSecXPCKeyBackup, &oldbackup, &error)) {
CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
if (keybag) {
CFDataRef passcode = NULL;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
CFDictionaryRef newbackup = _SecServerBackupSyncable(oldbackup, keybag, passcode, &error);
if (newbackup) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, newbackup, &error);
CFRelease(newbackup);
}
CFReleaseSafe(passcode);
}
CFRelease(keybag);
}
CFReleaseSafe(oldbackup);
}
break;
}
case sec_keychain_restore_syncable_id:
{
CFDictionaryRef backup = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyBackup, &error);
if (backup) {
CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
if (keybag) {
CFDataRef passcode = NULL;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
bool result = _SecServerRestoreSyncable(backup, keybag, passcode, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFReleaseSafe(passcode);
}
CFRelease(keybag);
}
CFRelease(backup);
}
break;
}
case sec_ota_pki_asset_version_id:
{
xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
SecOTAPKIGetCurrentAssetVersion(&error));
break;
}
case sec_add_shared_web_credential_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
CFStringRef appID = (clientTask) ? SecTaskCopyApplicationIdentifier(clientTask) : NULL;
if (_SecAddSharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFRelease(result);
}
CFReleaseSafe(appID);
CFRelease(query);
}
break;
}
case sec_copy_shared_web_credential_id:
{
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
CFStringRef appID = (clientTask) ? SecTaskCopyApplicationIdentifier(clientTask) : NULL;
if (_SecCopySharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFRelease(result);
}
CFReleaseSafe(appID);
CFRelease(query);
}
break;
}
case sec_get_log_settings_id:
{
CFPropertyListRef currentList = SecCopyLogSettings_Server(&error);
if (currentList) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, currentList, &error);
}
CFReleaseSafe(currentList);
break;
}
case sec_set_xpc_log_settings_id:
{
CFPropertyListRef newSettings = SecXPCDictionaryCopyPList(event, kSecXPCKeyQuery, &error);
if (newSettings) {
SecSetXPCLogSettings_Server(newSettings, &error);
}
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
CFReleaseNull(newSettings);
break;
}
case sec_otr_session_create_remote_id:
{
CFDataRef publicPeerId = NULL;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCPublicPeerId, &publicPeerId, &error)) {
CFDataRef otrSession = _SecOTRSessionCreateRemote(publicPeerId, &error);
if (otrSession) {
SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, otrSession, &error);
CFRelease(otrSession);
}
CFReleaseSafe(publicPeerId);
}
break;
}
case sec_otr_session_process_packet_remote_id:
{
CFDataRef sessionData = NULL, inputPacket = NULL, outputSessionData = NULL, outputPacket = NULL;
bool readyForMessages = false;
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCOTRSession, &sessionData, &error)) {
if (SecXPCDictionaryCopyDataOptional(event, kSecXPCData, &inputPacket, &error)) {
bool result = _SecOTRSessionProcessPacketRemote(sessionData, inputPacket, &outputSessionData, &outputPacket, &readyForMessages, &error);
if (result) {
SecXPCDictionarySetData(replyMessage, kSecXPCOTRSession, outputSessionData, &error);
SecXPCDictionarySetData(replyMessage, kSecXPCData, outputPacket, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCOTRReady, readyForMessages);
CFRelease(outputSessionData);
CFRelease(outputPacket);
}
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
CFReleaseSafe(inputPacket);
}
CFReleaseSafe(sessionData);
}
break;
}
case kSecXPCOpTryUserCredentials:
with_label_and_password(event, ^(CFStringRef label, CFDataRef password) {
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCTryUserCredentials_Server(label, password, &error));
});
break;
case kSecXPCOpSetUserCredentials:
with_label_and_password(event, ^(CFStringRef label, CFDataRef password) {
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCSetUserCredentials_Server(label, password, &error));
});
break;
case kSecXPCOpCanAuthenticate:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCCanAuthenticate_Server(&error));
break;
case kSecXPCOpPurgeUserCredentials:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCPurgeUserCredentials_Server(&error));
break;
case kSecXPCOpDeviceInCircle:
xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
SOSCCThisDeviceIsInCircle_Server(&error));
break;
case kSecXPCOpRequestToJoin:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCRequestToJoinCircle_Server(&error));
break;
case kSecXPCOpRequestToJoinAfterRestore:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCRequestToJoinCircleAfterRestore_Server(&error));
break;
case kSecXPCOpRequestEnsureFreshParameters:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCRequestEnsureFreshParameters_Server(&error));
break;
case kSecXPCOpRequestDeviceID:
{
CFStringRef deviceID = SOSCCRequestDeviceID_Server(&error);
if (deviceID) {
SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, deviceID, &error);
}
}
break;
case kSecXPCOpSetDeviceID:
{
secerror("securityd_xpc_dictionary_handler!");
CFStringRef IDS = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetDeviceID_Server(IDS, &error));
CFReleaseNull(IDS);
}
break;
case kSecXPCOpResetToOffering:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCResetToOffering_Server(&error));
break;
case kSecXPCOpResetToEmpty:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCResetToEmpty_Server(&error));
break;
case kSecXPCOpRemoveThisDeviceFromCircle:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCRemoveThisDeviceFromCircle_Server(&error));
break;
case kSecXPCOpBailFromCircle:
{
uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCBailFromCircle_Server(limit_in_seconds, &error));
}
break;
case kSecXPCOpAcceptApplicants:
{
xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfos);
CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
(applicants && SOSCCAcceptApplicants_Server(applicants, &error)));
CFReleaseSafe(applicants);
}
break;
case kSecXPCOpRejectApplicants:
{
xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfos);
CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
(applicants && SOSCCRejectApplicants_Server(applicants, &error)));
CFReleaseSafe(applicants);
}
break;
case kSecXPCOpCopyApplicantPeerInfo:
{
CFArrayRef array = SOSCCCopyApplicantPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpCopyValidPeerPeerInfo:
{
CFArrayRef array = SOSCCCopyValidPeerPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpValidateUserPublic:
{
bool trusted = SOSCCValidateUserPublic_Server(&error);
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, trusted);
}
break;
case kSecXPCOpCopyNotValidPeerPeerInfo:
{
CFArrayRef array = SOSCCCopyNotValidPeerPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpCopyGenerationPeerInfo:
{
CFArrayRef array = SOSCCCopyGenerationPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpCopyRetirementPeerInfo:
{
CFArrayRef array = SOSCCCopyRetirementPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpCopyPeerPeerInfo:
{
CFArrayRef array = SOSCCCopyPeerPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpCopyConcurringPeerPeerInfo:
{
CFArrayRef array = SOSCCCopyConcurringPeerPeerInfo_Server(&error);
if (array) {
xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(array, &error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpGetLastDepartureReason:
xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
SOSCCGetLastDepartureReason_Server(&error));
break;
case kSecXPCOpProcessSyncWithAllPeers:
xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
SOSCCProcessSyncWithAllPeers_Server(&error));
break;
case soscc_EnsurePeerRegistration_id:
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
SOSCCProcessEnsurePeerRegistration_Server(&error));
break;
case kSecXPCOpCopyIncompatibilityInfo: {
CFStringRef iis = SOSCCCopyIncompatibilityInfo_Server(&error);
SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, iis, &error);
CFReleaseSafe(iis);
break;
}
case kSecXPCOpOTAGetEscrowCertificates:
{
uint32_t escrowRootType = (uint32_t)xpc_dictionary_get_uint64(event, "escrowType");
CFArrayRef array = SecOTAPKICopyCurrentEscrowCertificates(escrowRootType, &error);
if (array) {
xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
xpc_release(xpc_array);
}
CFReleaseNull(array);
}
break;
case kSecXPCOpOTAPKIGetNewAsset:
xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
SecOTAPKISignalNewAsset(&error));
break;
case kSecXPCOpRollKeys:
{
bool force = xpc_dictionary_get_bool(event, "force");
xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
_SecServerRollKeys(force, &error));
}
break;
default:
break;
}
}
if (error)
{
if(SecErrorGetOSStatus(error) == errSecItemNotFound || isSOSErrorCoded(error, kSOSErrorPublicKeyAbsent))
secdebug("ipc", "%@ %@ %@", clientTask, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
else
secerror("%@ %@ %@", clientTask, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
xpcError = SecCreateXPCObjectWithCFError(error);
xpc_dictionary_set_value(replyMessage, kSecXPCKeyError, xpcError);
} else if (replyMessage) {
secdebug("ipc", "%@ %@ responding %@", clientTask, SOSCCGetOperationDescription((enum SecXPCOperation)operation), replyMessage);
}
} else {
SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, &error, 0, CFSTR("Messages expect to be xpc dictionary, got: %@"), event);
secerror("%@: returning error: %@", clientTask, error);
xpcError = SecCreateXPCObjectWithCFError(error);
replyMessage = xpc_create_reply_with_format(event, "{%string: %value}", kSecXPCKeyError, xpcError);
}
if (replyMessage) {
xpc_connection_send_message(connection, replyMessage);
xpc_release(replyMessage);
}
if (xpcError)
xpc_release(xpcError);
CFReleaseSafe(error);
CFReleaseSafe(accessGroups);
CFReleaseSafe(domains);
CFReleaseSafe(clientTask);
}
static void securityd_xpc_init()
{
secdebug("serverxpc", "start");
xpc_connection_t listener = xpc_connection_create_mach_service(kSecuritydXPCServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
if (!listener) {
seccritical("security failed to register xpc listener, exiting");
abort();
}
xpc_connection_set_event_handler(listener, ^(xpc_object_t connection) {
if (xpc_get_type(connection) == XPC_TYPE_CONNECTION) {
xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
if (xpc_get_type(event) == XPC_TYPE_DICTIONARY) {
xpc_retain(connection);
xpc_retain(event);
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
securityd_xpc_dictionary_handler(connection, event);
xpc_release(event);
xpc_release(connection);
});
}
});
xpc_connection_resume(connection);
}
});
xpc_connection_resume(listener);
}
int main(int argc, char *argv[])
{
char *wait4debugger = getenv("WAIT4DEBUGGER");
if (wait4debugger && !strcasecmp("YES", wait4debugger)) {
seccritical("SIGSTOPing self, awaiting debugger");
kill(getpid(), SIGSTOP);
asl_log(NULL, NULL, ASL_LEVEL_CRIT,
"Again, for good luck (or bad debuggers)");
kill(getpid(), SIGSTOP);
}
securityd_init_server();
securityd_xpc_init();
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (NSEC_PER_SEC * 10)), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0),
^{
InitializeCloudKeychainTracing();
});
dispatch_main();
return 0;
}