//
// GUID <-> string conversions.
// Note that we DO check for {} on input and insist on rigid formatting.
// We don't require a terminating null byte on input, but generate it on output.
//
char *Guid::toString(char buffer[stringRepLength+1]) const
{
sprintf(buffer, "{%8.8x-%4.4hx-%4.4hx-",
int(n2h(Data1)), n2h(Data2), n2h(Data3));
for (int n = 0; n < 2; n++)
sprintf(buffer + 20 + 2*n, "%2.2hhx", Data4[n]);
buffer[24] = '-';
for (int n = 2; n < 8; n++)
sprintf(buffer + 21 + 2*n, "%2.2hhx", Data4[n]);
buffer[37] = '}';
buffer[38] = '\0';
return buffer;
}
bool SharedMemoryListener::needsPrivacyFilter(Notification *notification) {
if (notification->domain == kNotificationDomainPCSC || notification->domain == kNotificationDomainCDSA)
return false;
// kNotificationDomainDatabase = 1, // something happened to a database (aka keychain)
switch (notification->event) {
case kSecLockEvent: // kNotificationEventLocked
case kSecUnlockEvent: // kNotificationEventUnlocked
case kSecPasswordChangedEvent: // kNotificationEventPassphraseChanged
case kSecDefaultChangedEvent:
case kSecDataAccessEvent:
case kSecKeychainListChangedEvent:
case kSecTrustSettingsChangedEvent:
return false;
case kSecAddEvent:
case kSecDeleteEvent:
case kSecUpdateEvent:
break;
}
secdebug("MDSPRIVACY","[%03d] Evaluating event %s", mUID, notification->description().c_str());
NameValueDictionary dictionary (notification->data);
const NameValuePair *item = dictionary.FindByName(ITEM_KEY);
// If we don't have an item, there is nothing to filter
if (!item) {
secdebug("MDSPRIVACY","[%03d] Item event did not contain an item", mUID);
return false;
}
pid_t thisPid = 0;
const NameValuePair *pidRef = dictionary.FindByName(PID_KEY);
if (pidRef != 0) {
thisPid = n2h(*reinterpret_cast<pid_t*>(pidRef->Value().data()));
}
uid_t out_euid = 0;
int rx = SharedMemoryListener::get_process_euid(thisPid, out_euid);
if (rx != 0) {
secdebug("MDSPRIVACY","[%03d] get_process_euid failed (rx=%d), filtering out item", mUID, rx);
return true;
}
if (out_euid == mUID) {
return false; // Listener owns this item, so no filtering
}
// Allow processes running as root to pass through certificates
if (out_euid == 0) {
CSSM_DB_RECORDTYPE recordType = getRecordType(item->Value());
if (recordType == CSSM_DL_DB_RECORD_X509_CERTIFICATE) {
return false;
}
}
secdebug("MDSPRIVACY","[%03d] Filtering event %s", mUID, notification->description().c_str());
return true;
}
//
// Create a Key object from a database-encoded blob.
// Note that this doesn't decode the blob (yet).
//
KeychainKey::KeychainKey(Database &db, const KeyBlob *blob)
: LocalKey(db, n2h(blob->header.attributes()))
{
// perform basic validation on the incoming blob
assert(blob);
blob->validate(CSSMERR_APPLEDL_INVALID_KEY_BLOB);
switch (blob->version()) {
#if defined(COMPAT_OSX_10_0)
case KeyBlob::version_MacOS_10_0:
break;
#endif
case KeyBlob::version_MacOS_10_1:
break;
default:
CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB);
}
// set it up
mBlob = blob->copy(Allocator::standard());
mValidBlob = true;
db.addReference(*this);
secdebug("SSkey", "%p (handle %#x) created from blob version %x",
this, handle(), blob->version());
}
