SecDbKeychainItem.c [plain text]
#include <securityd/SecDbKeychainItem.h>
#include <securityd/SecItemSchema.h>
#include <CommonCrypto/CommonCryptor.h>
#include <CommonCrypto/CommonCryptorSPI.h>
#include <Security/SecBasePriv.h>
#include <Security/SecItem.h>
#include <Security/SecItemInternal.h>
#include <Security/SecRandom.h>
#include <Security/SecAccessControl.h>
#include <Security/SecAccessControlPriv.h>
#include <utilities/der_plist.h>
#if USE_KEYSTORE
#include <LocalAuthentication/LAPublicDefines.h>
#include <LocalAuthentication/LAPrivateDefines.h>
#include <coreauthd_spi.h>
#include <libaks_acl_cf_keys.h>
#include <securityd/spi.h>
#endif
pthread_key_t CURRENT_CONNECTION_KEY;
bool itemInAccessGroup(CFDictionaryRef item, CFArrayRef accessGroups);
static keyclass_t kc_parse_keyclass(CFTypeRef value, CFErrorRef *error);
static CFTypeRef kc_encode_keyclass(keyclass_t keyclass);
static CFDataRef kc_copy_protection_data(SecAccessControlRef access_control);
static CFTypeRef kc_copy_protection_from_data(CFDataRef data);
static CFMutableDictionaryRef s3dl_item_v2_decode(CFDataRef plain, CFErrorRef *error);
static CFMutableDictionaryRef s3dl_item_v3_decode(CFDataRef plain, CFErrorRef *error);
#if USE_KEYSTORE
static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes);
static void kc_dict_from_auth_data(const SecDbClass *class, const uint8_t *der, const uint8_t *der_end, CFMutableDictionaryRef *authenticated_attributes, CFMutableDictionaryRef *acl);
static CFDataRef kc_copy_access_groups_data(CFArrayRef access_groups, CFErrorRef *error);
#endif
bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFTypeRef *cred_handle,
CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, CFErrorRef *error) {
CFMutableDataRef blob = NULL;
CFDataRef ac_data = NULL;
bool ok = true;
const uint32_t bulkKeySize = 32;
const uint32_t maxKeyWrapOverHead = 8 + 32;
uint8_t bulkKey[bulkKeySize];
CFMutableDataRef bulkKeyWrapped = CFDataCreateMutable(NULL, 0);
CFDataSetLength(bulkKeyWrapped, bulkKeySize + maxKeyWrapOverHead);
uint32_t key_wrapped_size;
#if USE_KEYSTORE
CFDataRef access_control_data = NULL;
CFDataRef constraint_data = NULL;
CFDataRef acm_context = NULL;
#endif
const uint32_t version = SecAccessControlGetConstraints(access_control) ? 4 : 3;
CFDataRef plainText = NULL;
if (version < 4) {
CFMutableDictionaryRef attributes_dict = CFDictionaryCreateMutableCopy(NULL, 0, attributes);
if (authenticated_attributes) {
CFDictionaryForEach(authenticated_attributes, ^(const void *key, const void *value) {
CFDictionaryAddValue(attributes_dict, key, value);
});
}
if (attributes_dict) {
CFDictionaryRemoveValue(attributes_dict, kSecAttrAccessControl);
plainText = kc_plist_copy_der(attributes_dict, error);
CFRelease(attributes_dict);
}
} else {
#if USE_KEYSTORE
if (attributes) {
plainText = kc_plist_copy_der(attributes, error);
}
#else
CFMutableDictionaryRef attributes_dict = CFDictionaryCreateMutableCopy(NULL, 0, attributes);
if (authenticated_attributes) {
CFDictionaryForEach(authenticated_attributes, ^(const void *key, const void *value) {
CFDictionaryAddValue(attributes_dict, key, value);
});
}
if (attributes_dict) {
plainText = kc_plist_copy_der(attributes_dict, error);
CFRelease(attributes_dict);
}
#endif
}
if (!plainText || CFGetTypeID(plainText) != CFDataGetTypeID()
|| access_control == 0) {
ok = SecError(errSecParam, error, CFSTR("ks_encrypt_data: invalid plain text"));
goto out;
}
size_t ptLen = CFDataGetLength(plainText);
size_t ctLen = ptLen;
size_t tagLen = 16;
keyclass_t actual_class;
if (SecRandomCopyBytes(kSecRandomDefault, bulkKeySize, bulkKey)) {
ok = SecError(errSecAllocate, error, CFSTR("ks_encrypt_data: SecRandomCopyBytes failed"));
goto out;
}
keyclass_t keyclass = kc_parse_keyclass(SecAccessControlGetProtection(access_control), error);
if (!keyclass)
goto out;
#if USE_KEYSTORE
if (version >= 4) {
if (*cred_handle == NULL || isData(*cred_handle)) {
CFTypeRef auth_ref = VRCreateNewReferenceWithACMContext(*cred_handle, error);
if (!auth_ref) {
ok = false;
goto out;
}
CFReleaseSafe(*cred_handle);
*cred_handle = auth_ref;
}
access_control_data = SecAccessControlCopyData(access_control);
CFErrorRef authError = NULL;
ok = VRValidateACL(*cred_handle, access_control_data, &authError);
if (!ok) {
ok = SecCFCreateError(errSecParam, kSecErrorDomain, CFSTR("Invalid ACL"), authError, error);
CFReleaseSafe(authError);
goto out;
}
constraint_data = kc_copy_constraints_data(access_control, authenticated_attributes);
require_quiet(ok = ks_crypt_acl(kSecKsWrap, keybag,
keyclass, bulkKeySize, bulkKey, bulkKeyWrapped, constraint_data, NULL, NULL, error), out);
}
else {
#endif
require_quiet(ok = ks_crypt(kSecKsWrap, keybag,
keyclass, bulkKeySize, bulkKey,
&actual_class, bulkKeyWrapped,
error), out);
#if USE_KEYSTORE
}
#endif
key_wrapped_size = (uint32_t)CFDataGetLength(bulkKeyWrapped);
UInt8 *cursor;
size_t blobLen = sizeof(version);
uint32_t prot_length;
if (version == 3) {
blobLen += sizeof(actual_class);
} else {
require_quiet(ac_data = kc_copy_protection_data(access_control), out);
prot_length = (uint32_t)CFDataGetLength(ac_data);
blobLen += sizeof(prot_length) + prot_length;
}
blobLen += sizeof(key_wrapped_size) + key_wrapped_size + ctLen + tagLen;
require_quiet(blob = CFDataCreateMutable(NULL, blobLen), out);
CFDataSetLength(blob, blobLen);
cursor = CFDataGetMutableBytePtr(blob);
*((uint32_t *)cursor) = version;
cursor += sizeof(version);
if (version == 3) {
*((keyclass_t *)cursor) = actual_class;
cursor += sizeof(keyclass);
} else {
*((uint32_t *)cursor) = prot_length;
cursor += sizeof(prot_length);
CFDataGetBytes(ac_data, CFRangeMake(0, prot_length), cursor);
cursor += prot_length;
}
*((uint32_t *)cursor) = key_wrapped_size;
cursor += sizeof(key_wrapped_size);
memcpy(cursor, CFDataGetBytePtr(bulkKeyWrapped), key_wrapped_size);
cursor += key_wrapped_size;
CCCryptorStatus ccerr = CCCryptorGCM(kCCEncrypt, kCCAlgorithmAES128,
bulkKey, bulkKeySize,
NULL, 0,
NULL, 0,
CFDataGetBytePtr(plainText), ptLen,
cursor,
cursor + ctLen, &tagLen);
if (ccerr) {
ok = SecError(errSecInternal, error, CFSTR("ks_encrypt_data: CCCryptorGCM failed: %d"), ccerr);
goto out;
}
if (tagLen != 16) {
ok = SecError(errSecInternal, error, CFSTR("ks_encrypt_data: CCCryptorGCM expected: 16 got: %ld byte tag"), tagLen);
goto out;
}
out:
memset(bulkKey, 0, sizeof(bulkKey));
CFReleaseSafe(ac_data);
CFReleaseSafe(bulkKeyWrapped);
CFReleaseSafe(plainText);
if (!ok) {
CFReleaseSafe(blob);
} else {
*pBlob = blob;
}
#if USE_KEYSTORE
CFReleaseSafe(access_control_data);
CFReleaseSafe(constraint_data);
CFReleaseSafe(acm_context);
#endif
return ok;
}
bool ks_decrypt_data(keybag_handle_t keybag, enum SecKsCryptoOp cryptoOp, SecAccessControlRef *paccess_control, CFTypeRef *cred_handle,
CFDataRef blob, const SecDbClass *db_class, CFArrayRef caller_access_groups,
CFMutableDictionaryRef *attributes_p, uint32_t *version_p, CFErrorRef *error) {
const uint32_t v0KeyWrapOverHead = 8;
CFMutableDataRef bulkKey = CFDataCreateMutable(0, 32);
CFDataSetLength(bulkKey, 32);
bool ok = true;
SecAccessControlRef access_control = NULL;
CFMutableDataRef plainText = NULL;
CFMutableDictionaryRef attributes = NULL;
uint32_t version = 0;
CFDataRef access_control_data = NULL;
#if USE_KEYSTORE
CFDataRef acm_context = NULL;
CFMutableDictionaryRef authenticated_attributes = NULL;
CFDataRef caller_access_groups_data = NULL;
#if TARGET_OS_IPHONE
check(keybag >= 0);
#else
check((keybag >= 0) || (keybag == session_keybag_handle));
#endif
#endif
if (!blob) {
ok = SecError(errSecParam, error, CFSTR("ks_decrypt_data: invalid blob"));
goto out;
}
size_t blobLen = CFDataGetLength(blob);
const uint8_t *cursor = CFDataGetBytePtr(blob);
keyclass_t keyclass;
uint32_t wrapped_key_size;
if (blobLen < sizeof(version) + sizeof(keyclass) +
CFDataGetLength(bulkKey) + v0KeyWrapOverHead + 16) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow"));
goto out;
}
version = *((uint32_t *)cursor);
cursor += sizeof(version);
size_t minimum_blob_len = sizeof(version) + 16;
size_t ctLen = blobLen - sizeof(version);
if (version == 4) {
uint32_t prot_length = *((uint32_t *)cursor);
cursor += sizeof(prot_length);
CFDataRef protection_data = CFDataCreate(kCFAllocatorDefault, cursor, prot_length);
CFTypeRef protection = kc_copy_protection_from_data(protection_data);
CFRelease(protection_data);
if (!protection) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL"));
goto out;
}
else {
access_control = SecAccessControlCreate(NULL, NULL);
require_quiet(access_control, out);
ok = SecAccessControlSetProtection(access_control, protection, NULL);
CFRelease(protection);
if (!ok) {
SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL"));
goto out;
}
}
cursor += prot_length;
minimum_blob_len += sizeof(prot_length) + prot_length;
ctLen -= sizeof(prot_length) + prot_length;
keyclass = kc_parse_keyclass(SecAccessControlGetProtection(access_control), error);
if (!keyclass) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL"));
goto out;
}
} else {
keyclass = *((keyclass_t *)cursor);
#if USE_KEYSTORE
CFTypeRef protection = kc_encode_keyclass(keyclass & key_class_last); #else
CFTypeRef protection = kc_encode_keyclass(keyclass);
#endif
if (protection) {
access_control = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, 0, error);
}
if (!access_control) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid keyclass detected"));
goto out;
}
cursor += sizeof(keyclass);
minimum_blob_len += sizeof(keyclass);
ctLen -= sizeof(keyclass);
}
size_t tagLen = 0;
switch (version) {
case 0:
wrapped_key_size = (uint32_t)CFDataGetLength(bulkKey) + v0KeyWrapOverHead;
break;
case 2:
case 3:
case 4:
tagLen = 16;
minimum_blob_len -= 16; ctLen -= tagLen;
case 1:
wrapped_key_size = *((uint32_t *)cursor);
cursor += sizeof(wrapped_key_size);
minimum_blob_len += sizeof(wrapped_key_size);
ctLen -= sizeof(wrapped_key_size);
break;
default:
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version %d"), version);
goto out;
}
require(blobLen - minimum_blob_len - tagLen >= wrapped_key_size, out);
ctLen -= wrapped_key_size;
if (version < 2 && (ctLen & 0xF) != 0) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version"));
goto out;
}
#if USE_KEYSTORE
if (version >= 4) {
if (*cred_handle == NULL || isData(*cred_handle)) {
CFTypeRef auth_ref = VRCreateNewReferenceWithACMContext(*cred_handle, error);
if (!auth_ref) {
ok = false;
goto out;
}
CFReleaseSafe(*cred_handle);
*cred_handle = auth_ref;
}
CFMutableDictionaryRef acl = NULL;
kc_dict_from_auth_data(db_class, cursor, cursor + wrapped_key_size, &authenticated_attributes, &acl);
SecAccessControlSetConstraints(access_control, acl);
CFReleaseSafe(acl);
access_control_data = SecAccessControlCopyData(access_control);
static CFDictionaryRef hints = NULL;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
CFNumberRef noninteractiveKey = CFNumberCreateWithCFIndex(kCFAllocatorDefault, kLAOptionNotInteractive);
hints = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, noninteractiveKey, kCFBooleanTrue, NULL);
CFRelease(noninteractiveKey);
});
CFErrorRef authError = NULL;
ok = VREvaluateACL(*cred_handle, access_control_data, (cryptoOp == kSecKsDelete)?kAKSKeyOpDelete:kAKSKeyOpDecrypt, hints, &authError);
if (!ok) {
if (CFEqual(CFErrorGetDomain(authError), CFSTR(kLAErrorDomain)) &&
CFErrorGetCode(authError) == kLAErrorNotInteractive) {
ok = true;
} else {
ok = SecCFCreateError(errSecAuthFailed, kSecErrorDomain, CFSTR("CoreAuthentication failed"), authError, error);
}
CFReleaseSafe(authError);
goto out;
}
acm_context = VRCopyACMContext(*cred_handle, error);
if (caller_access_groups) {
caller_access_groups_data = kc_copy_access_groups_data(caller_access_groups, error);
require_quiet(ok = (caller_access_groups_data != NULL), out);
}
require_quiet(ok = ks_crypt_acl(cryptoOp, keybag,
keyclass, wrapped_key_size, cursor, bulkKey, NULL, acm_context, caller_access_groups_data, error), out);
if (cryptoOp == kSecKsDelete) {
attributes = CFRetainSafe(authenticated_attributes);
goto out;
}
}
else {
#endif
require_quiet(ok = ks_crypt(kSecKsUnwrap, keybag,
keyclass, wrapped_key_size, cursor, NULL, bulkKey, error), out);
#if USE_KEYSTORE
}
#endif
cursor += wrapped_key_size;
plainText = CFDataCreateMutable(NULL, ctLen);
if (!plainText) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: failed to allocate data for plain text"));
goto out;
}
CFDataSetLength(plainText, ctLen);
CCCryptorStatus ccerr;
if (tagLen) {
uint8_t tag[tagLen];
ccerr = CCCryptorGCM(kCCDecrypt, kCCAlgorithmAES128,
CFDataGetBytePtr(bulkKey), CFDataGetLength(bulkKey),
NULL, 0,
NULL, 0,
cursor, ctLen,
CFDataGetMutableBytePtr(plainText),
tag, &tagLen);
if (ccerr) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: CCCryptorGCM failed: %d"), ccerr);
goto out;
}
if (tagLen != 16) {
ok = SecError(errSecInternal, error, CFSTR("ks_decrypt_data: CCCryptorGCM expected: 16 got: %ld byte tag"), tagLen);
goto out;
}
cursor += ctLen;
if (memcmp(tag, cursor, tagLen)) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: CCCryptorGCM computed tag not same as tag in blob"));
goto out;
}
} else {
size_t ptLen;
ccerr = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
CFDataGetBytePtr(bulkKey), CFDataGetLength(bulkKey), NULL, cursor, ctLen,
CFDataGetMutableBytePtr(plainText), ctLen, &ptLen);
if (ccerr) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: CCCrypt failed: %d"), ccerr);
goto out;
}
CFDataSetLength(plainText, ptLen);
}
if (version < 2) {
attributes = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionaryAddValue(attributes, CFSTR("v_Data"), plainText);
} else if (version < 3) {
attributes = s3dl_item_v2_decode(plainText, error);
} else {
attributes = s3dl_item_v3_decode(plainText, error);
#if USE_KEYSTORE
if (version >= 4 && authenticated_attributes != NULL) {
CFDictionaryForEach(authenticated_attributes, ^(const void *key, const void *value) {
CFDictionaryAddValue(attributes, key, value);
});
}
#endif
}
if (!attributes) {
secerror("decode v%d failed: %@ [item: %@]", version, error ? *error : NULL, plainText);
ok = false;
}
out:
memset(CFDataGetMutableBytePtr(bulkKey), 0, CFDataGetLength(bulkKey));
CFReleaseSafe(bulkKey);
CFReleaseSafe(plainText);
if (paccess_control)
*paccess_control = access_control;
else
CFReleaseSafe(access_control);
if (ok) {
if (attributes_p)
*attributes_p = CFRetainSafe(attributes);
if (version_p)
*version_p = version;
}
CFReleaseSafe(attributes);
CFReleaseSafe(access_control_data);
#if USE_KEYSTORE
CFReleaseSafe(acm_context);
CFReleaseSafe(authenticated_attributes);
CFReleaseSafe(caller_access_groups_data);
#endif
return ok;
}
CFDataRef kc_plist_copy_der(CFPropertyListRef plist, CFErrorRef *error) {
size_t len = der_sizeof_plist(plist, error);
CFMutableDataRef encoded = CFDataCreateMutable(0, len);
CFDataSetLength(encoded, len);
uint8_t *der_end = CFDataGetMutableBytePtr(encoded);
const uint8_t *der = der_end;
der_end += len;
der_end = der_encode_plist(plist, error, der, der_end);
if (!der_end) {
CFReleaseNull(encoded);
} else {
assert(!der_end || der_end == der);
}
return encoded;
}
static CFDataRef kc_copy_digest(const struct ccdigest_info *di, size_t len,
const void *data, CFErrorRef *error) {
CFMutableDataRef digest = CFDataCreateMutable(0, di->output_size);
CFDataSetLength(digest, di->output_size);
ccdigest(di, len, data, CFDataGetMutableBytePtr(digest));
return digest;
}
CFDataRef kc_copy_sha1(size_t len, const void *data, CFErrorRef *error) {
return kc_copy_digest(ccsha1_di(), len, data, error);
}
CFDataRef kc_copy_plist_sha1(CFPropertyListRef plist, CFErrorRef *error) {
CFDataRef der = kc_plist_copy_der(plist, error);
CFDataRef digest = NULL;
if (der) {
digest = kc_copy_sha1(CFDataGetLength(der), CFDataGetBytePtr(der), error);
CFRelease(der);
}
return digest;
}
static keyclass_t kc_parse_keyclass(CFTypeRef value, CFErrorRef *error) {
if (!isString(value)) {
SecError(errSecParam, error, CFSTR("accessible attribute %@ not a string"), value);
} else if (CFEqual(value, kSecAttrAccessibleWhenUnlocked)) {
return key_class_ak;
} else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlock)) {
return key_class_ck;
} else if (CFEqual(value, kSecAttrAccessibleAlways)) {
return key_class_dk;
} else if (CFEqual(value, kSecAttrAccessibleWhenUnlockedThisDeviceOnly)) {
return key_class_aku;
} else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)) {
return key_class_cku;
} else if (CFEqual(value, kSecAttrAccessibleAlwaysThisDeviceOnly)) {
return key_class_dku;
} else if (CFEqual(value, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)) {
return key_class_akpu;
} else {
SecError(errSecParam, error, CFSTR("accessible attribute %@ unknown"), value);
}
return 0;
}
static CFTypeRef kc_encode_keyclass(keyclass_t keyclass) {
switch (keyclass) {
case key_class_ak:
return kSecAttrAccessibleWhenUnlocked;
case key_class_ck:
return kSecAttrAccessibleAfterFirstUnlock;
case key_class_dk:
return kSecAttrAccessibleAlways;
case key_class_aku:
return kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
case key_class_cku:
return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
case key_class_dku:
return kSecAttrAccessibleAlwaysThisDeviceOnly;
case key_class_akpu:
return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
default:
return 0;
}
}
#if USE_KEYSTORE
static void kc_dict_from_auth_data(const SecDbClass *class, const uint8_t *der, const uint8_t *der_end, CFMutableDictionaryRef *authenticated_attributes, CFMutableDictionaryRef *acl)
{
CFPropertyListRef aks_data = NULL;
der = der_decode_plist(NULL, kCFPropertyListImmutable, &aks_data, NULL, der, der_end);
if(der == der_end) {
CFDictionaryRef authenticated_data = CFDictionaryGetValue(aks_data, kAKSKeyAuthData);
if (authenticated_data) {
*acl = CFDictionaryCreateMutableCopy(NULL, 0, authenticated_data);
SecDbForEachAttrWithMask(class, attr_desc, kSecDbInAuthenticatedDataFlag) {
CFDictionaryRemoveValue(*acl, attr_desc->name);
CFTypeRef value = CFDictionaryGetValue(authenticated_data, attr_desc->name);
if (value) {
if (!*authenticated_attributes)
*authenticated_attributes = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionaryAddValue(*authenticated_attributes, attr_desc->name, value);
}
}
}
}
CFReleaseSafe(aks_data);
}
static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes) {
CFDictionaryRef constraints = SecAccessControlGetConstraints(access_control);
CFMutableDictionaryRef auth_data = CFDictionaryCreateMutableCopy(NULL, 0, constraints);
if (auth_attributes) {
CFDictionaryForEach(auth_attributes, ^(const void *key, const void *value) {
CFDictionaryAddValue(auth_data, key, value);
});
}
CFDataRef encoded = kc_plist_copy_der(auth_data, NULL);
CFReleaseSafe(auth_data);
return encoded;
}
static CFDataRef kc_copy_access_groups_data(CFArrayRef access_groups, CFErrorRef *error)
{
size_t ag_size = der_sizeof_plist(access_groups, error);
CFMutableDataRef result = CFDataCreateMutable(kCFAllocatorDefault, 0);
CFDataSetLength(result, ag_size);
if (!der_encode_plist(access_groups, error, CFDataGetMutableBytePtr(result), CFDataGetMutableBytePtr(result) + ag_size)) {
CFRelease(result);
return NULL;
}
else
return result;
}
#endif
static CFDataRef kc_copy_protection_data(SecAccessControlRef access_control)
{
CFTypeRef protection = SecAccessControlGetProtection(access_control);
size_t protection_size = der_sizeof_plist(protection, NULL);
CFMutableDataRef result = CFDataCreateMutable(NULL, 0);
CFDataSetLength(result, protection_size);
if (!der_encode_plist(protection, NULL, CFDataGetMutableBytePtr(result), CFDataGetMutableBytePtr(result) + protection_size)) {
CFRelease(result);
return NULL;
}
else
return result;
}
static CFTypeRef kc_copy_protection_from_data(CFDataRef data)
{
CFTypeRef result = NULL;
der_decode_plist(NULL, kCFPropertyListImmutable, &result, NULL, CFDataGetBytePtr(data), CFDataGetBytePtr(data) + CFDataGetLength(data));
return result;
}
static CF_RETURNS_RETAINED
CFMutableDictionaryRef dictionaryFromPlist(CFPropertyListRef plist CF_CONSUMED, CFErrorRef *error) {
if (plist && !isDictionary(plist)) {
CFStringRef typeName = CFCopyTypeIDDescription(CFGetTypeID((CFTypeRef)plist));
SecError(errSecDecode, error, CFSTR("plist is a %@, expecting a dictionary"), typeName);
CFReleaseSafe(typeName);
CFReleaseNull(plist);
}
return (CFMutableDictionaryRef)plist;
}
static CF_RETURNS_RETAINED
CFMutableDictionaryRef s3dl_item_v2_decode(CFDataRef plain, CFErrorRef *error) {
CFPropertyListRef item;
item = CFPropertyListCreateWithData(0, plain, kCFPropertyListMutableContainers, NULL, error);
return dictionaryFromPlist(item, error);
}
static CF_RETURNS_RETAINED
CFMutableDictionaryRef s3dl_item_v3_decode(CFDataRef plain, CFErrorRef *error) {
CFPropertyListRef item = NULL;
const uint8_t *der = CFDataGetBytePtr(plain);
const uint8_t *der_end = der + CFDataGetLength(plain);
der = der_decode_plist(0, kCFPropertyListMutableContainers, &item, error, der, der_end);
if (der && der != der_end) {
SecCFCreateError(errSecDecode, kSecErrorDomain, CFSTR("trailing garbage at end of decrypted item"), NULL, error);
CFReleaseNull(item);
}
return dictionaryFromPlist(item, error);
}
bool s3dl_item_from_data(CFDataRef edata, Query *q, CFArrayRef accessGroups,
CFMutableDictionaryRef *item, SecAccessControlRef *access_control, CFErrorRef *error) {
SecAccessControlRef ac = NULL;
CFDataRef ac_data = NULL;
bool ok = false;
uint32_t version = 0;
require_quiet((ok = ks_decrypt_data(q->q_keybag, q->q_crypto_op, &ac, &q->q_use_cred_handle, edata, q->q_class, q->q_caller_access_groups, item, &version, error)), out);
if (version < 2) {
goto out;
}
ac_data = SecAccessControlCopyData(ac);
if (!*item) {
if (!q->q_required_access_controls) {
ok = SecError(errSecInteractionNotAllowed, error, CFSTR("item would need ui for decrypting"));
goto out;
}
CFArrayAppendValue(q->q_required_access_controls, ac_data);
*item = NULL;
goto out;
}
if (*item && !itemInAccessGroup(*item, accessGroups)) {
secerror("items accessGroup %@ not in %@",
CFDictionaryGetValue(*item, kSecAttrAccessGroup),
accessGroups);
ok = SecError(errSecDecode, error, CFSTR("items accessGroup %@ not in %@"),
CFDictionaryGetValue(*item, kSecAttrAccessGroup),
accessGroups);
CFReleaseNull(*item);
}
if (*item) {
CFDictionarySetValue(*item, kSecAttrAccessControl, ac_data);
}
out:
if (access_control)
*access_control = CFRetainSafe(ac);
CFReleaseSafe(ac);
CFReleaseSafe(ac_data);
return ok;
}
static bool SecDbItemImportMigrate(SecDbItemRef item, CFErrorRef *error) {
bool ok = true;
CFStringRef agrp = SecDbItemGetCachedValueWithName(item, kSecAttrAccessGroup);
CFStringRef accessible = SecDbItemGetCachedValueWithName(item, kSecAttrAccessible);
if (!isString(agrp) || !isString(accessible))
return ok;
if (SecDbItemGetClass(item) == &genp_class && CFEqual(accessible, kSecAttrAccessibleAlways)) {
CFStringRef svce = SecDbItemGetCachedValueWithName(item, kSecAttrService);
if (!isString(svce)) return ok;
if (CFEqual(agrp, CFSTR("apple"))) {
if (CFEqual(svce, CFSTR("AirPort"))) {
ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleAfterFirstUnlock, error);
} else if (CFEqual(svce, CFSTR("com.apple.airplay.password"))) {
ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, error);
} else if (CFEqual(svce, CFSTR("YouTube"))) {
ok = (SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, error) &&
SecDbItemSetValueWithName(item, kSecAttrAccessGroup, CFSTR("com.apple.youtube.credentials"), error));
} else {
CFStringRef desc = SecDbItemGetCachedValueWithName(item, kSecAttrDescription);
if (!isString(desc)) return ok;
if (CFEqual(desc, CFSTR("IPSec Shared Secret")) || CFEqual(desc, CFSTR("PPP Password"))) {
ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleAfterFirstUnlock, error);
}
}
}
} else if (SecDbItemGetClass(item) == &inet_class && CFEqual(accessible, kSecAttrAccessibleAlways)) {
if (CFEqual(agrp, CFSTR("PrintKitAccessGroup"))) {
ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, error);
} else if (CFEqual(agrp, CFSTR("apple"))) {
CFTypeRef ptcl = SecDbItemGetCachedValueWithName(item, kSecAttrProtocol);
bool is_proxy = false;
if (isNumber(ptcl)) {
SInt32 iptcl;
CFNumberGetValue(ptcl, kCFNumberSInt32Type, &iptcl);
is_proxy = (iptcl == FOUR_CHAR_CODE('htpx') ||
iptcl == FOUR_CHAR_CODE('htsx') ||
iptcl == FOUR_CHAR_CODE('ftpx') ||
iptcl == FOUR_CHAR_CODE('rtsx') ||
iptcl == FOUR_CHAR_CODE('xpth') ||
iptcl == FOUR_CHAR_CODE('xsth') ||
iptcl == FOUR_CHAR_CODE('xptf') ||
iptcl == FOUR_CHAR_CODE('xstr'));
} else if (isString(ptcl)) {
is_proxy = (CFEqual(ptcl, kSecAttrProtocolHTTPProxy) ||
CFEqual(ptcl, kSecAttrProtocolHTTPSProxy) ||
CFEqual(ptcl, kSecAttrProtocolRTSPProxy) ||
CFEqual(ptcl, kSecAttrProtocolFTPProxy));
}
if (is_proxy)
ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, error);
}
}
return ok;
}
bool SecDbItemDecrypt(SecDbItemRef item, CFDataRef edata, CFDataRef *neededAuth, CFErrorRef *error) {
bool ok = true;
CFMutableDictionaryRef dict = NULL;
SecAccessControlRef access_control = NULL;
uint32_t version = 0;
if (!ks_decrypt_data(SecDbItemGetKeybag(item), item->cryptoOp, &access_control, &item->credHandle, edata, item->class, item->callerAccessGroups, &dict, &version, error)) {
if (neededAuth)
*neededAuth = SecAccessControlCopyData(access_control);
ok = false;
goto out;
}
if (!dict) {
if (neededAuth)
*neededAuth = SecAccessControlCopyData(access_control);
else
require_quiet(ok = SecError(errSecInteractionNotAllowed, error, CFSTR("auth needed, but caller does not provide it")), out);
} else {
if (neededAuth)
*neededAuth = NULL;
if (version < 2) {
ok = SecDbItemSetValueWithName(item, CFSTR("v_Data"), CFDictionaryGetValue(dict, CFSTR("v_Data")), error) &&
SecDbItemImportMigrate(item, error);
} else {
ok = dict && SecDbItemSetValues(item, dict, error);
}
}
SecAccessControlRef my_access_control = SecDbItemCopyAccessControl(item, error);
if (!my_access_control) {
ok = false;
goto out;
}
if (!CFEqual(SecAccessControlGetProtection(my_access_control), SecAccessControlGetProtection(access_control))) {
ok = SecError(errSecDecode, error, CFSTR("ACL protection doesn't match the one in blob (%@ : %@)"),
SecAccessControlGetProtection(my_access_control),
SecAccessControlGetProtection(access_control));
}
CFRelease(my_access_control);
ok = ok && SecDbItemSetAccessControl(item, access_control, error);
out:
CFReleaseSafe(dict);
CFReleaseSafe(access_control);
return ok;
}
bool SecDbItemInferSyncable(SecDbItemRef item, CFErrorRef *error)
{
CFStringRef agrp = SecDbItemGetCachedValueWithName(item, kSecAttrAccessGroup);
if (!isString(agrp))
return true;
if (CFEqual(agrp, CFSTR("com.apple.cfnetwork")) && SecDbItemGetClass(item) == &inet_class) {
CFTypeRef srvr = SecDbItemGetCachedValueWithName(item, kSecAttrServer);
CFTypeRef ptcl = SecDbItemGetCachedValueWithName(item, kSecAttrProtocol);
CFTypeRef atyp = SecDbItemGetCachedValueWithName(item, kSecAttrAuthenticationType);
if (isString(srvr) && isString(ptcl) && isString(atyp)) {
secnotice("item", "Make this item syncable: %@", item);
return SecDbItemSetSyncable(item, true, error);
}
}
return true;
}
SecDbItemRef SecDbItemCreateWithBackupDictionary(CFAllocatorRef allocator, const SecDbClass *dbclass, CFDictionaryRef dict, keybag_handle_t src_keybag, keybag_handle_t dst_keybag, CFErrorRef *error)
{
CFDataRef edata = CFDictionaryGetValue(dict, CFSTR("v_Data"));
SecDbItemRef item = NULL;
if (edata) {
item = SecDbItemCreateWithEncryptedData(kCFAllocatorDefault, dbclass, edata, src_keybag, error);
if (item)
if (!SecDbItemSetKeybag(item, dst_keybag, error))
CFReleaseNull(item);
} else {
SecError(errSecDecode, error, CFSTR("No v_Data in backup dictionary %@"), dict);
}
return item;
}
bool SecDbItemExtractRowIdFromBackupDictionary(SecDbItemRef item, CFDictionaryRef dict, CFErrorRef *error) {
CFDataRef ref = CFDictionaryGetValue(dict, CFSTR("v_PersistentRef"));
if (!ref)
return SecError(errSecDecode, error, CFSTR("No v_PersistentRef in backup dictionary %@"), dict);
CFStringRef className;
sqlite3_int64 rowid;
if (!_SecItemParsePersistentRef(ref, &className, &rowid))
return SecError(errSecDecode, error, CFSTR("v_PersistentRef %@ failed to decode"), ref);
if (!CFEqual(SecDbItemGetClass(item)->name, className))
return SecError(errSecDecode, error, CFSTR("v_PersistentRef has unexpected class %@"), className);
return SecDbItemSetRowId(item, rowid, error);
}