Title: [169938] trunk/Source/WebKit2
- Revision
- 169938
- Author
- m...@apple.com
- Date
- 2014-06-13 11:04:34 -0700 (Fri, 13 Jun 2014)
Log Message
[iOS] Networking process always decodes keys
https://bugs.webkit.org/show_bug.cgi?id=133863
Reviewed by Anders Carlsson.
* Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h:
(WebKit::XPCServiceInitializer): Call checkEntitlements on iOS, too.
* Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm:
(WebKit::XPCServiceInitializerDelegate::checkEntitlements): On iOS, allow decoding keys
if the application has the appropriate keychain access group.
* Shared/cf/ArgumentCodersCF.cpp:
(IPC::setAllowsDecodingSecKeyRef): Added. Sets static bool.
(IPC::decode): Check the secKeyRefDecodingAllowed bool before decoding a key.
* Shared/cf/ArgumentCodersCF.h:
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (169937 => 169938)
--- trunk/Source/WebKit2/ChangeLog 2014-06-13 17:33:45 UTC (rev 169937)
+++ trunk/Source/WebKit2/ChangeLog 2014-06-13 18:04:34 UTC (rev 169938)
@@ -1,3 +1,21 @@
+2014-06-13 Dan Bernstein <m...@apple.com>
+
+ [iOS] Networking process always decodes keys
+ https://bugs.webkit.org/show_bug.cgi?id=133863
+
+ Reviewed by Anders Carlsson.
+
+ * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h:
+ (WebKit::XPCServiceInitializer): Call checkEntitlements on iOS, too.
+ * Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm:
+ (WebKit::XPCServiceInitializerDelegate::checkEntitlements): On iOS, allow decoding keys
+ if the application has the appropriate keychain access group.
+
+ * Shared/cf/ArgumentCodersCF.cpp:
+ (IPC::setAllowsDecodingSecKeyRef): Added. Sets static bool.
+ (IPC::decode): Check the secKeyRefDecodingAllowed bool before decoding a key.
+ * Shared/cf/ArgumentCodersCF.h:
+
2014-06-12 Anders Carlsson <ander...@apple.com>
Add overloads of HTTPHeaderMap::find and remove that take enums
Modified: trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h (169937 => 169938)
--- trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h 2014-06-13 17:33:45 UTC (rev 169937)
+++ trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.h 2014-06-13 18:04:34 UTC (rev 169938)
@@ -50,9 +50,7 @@
virtual ~XPCServiceInitializerDelegate();
-#if PLATFORM(MAC)
virtual bool checkEntitlements();
-#endif
virtual bool getConnectionIdentifier(IPC::Connection::Identifier& identifier);
virtual bool getClientIdentifier(String& clientIdentifier);
@@ -78,10 +76,8 @@
InitializeWebKit2();
-#if PLATFORM(MAC)
if (!delegate.checkEntitlements())
exit(EXIT_FAILURE);
-#endif
ChildProcessInitializationParameters parameters;
if (!delegate.getConnectionIdentifier(parameters.connectionIdentifier))
Modified: trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm (169937 => 169938)
--- trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm 2014-06-13 17:33:45 UTC (rev 169937)
+++ trunk/Source/WebKit2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceEntryPoint.mm 2014-06-13 18:04:34 UTC (rev 169938)
@@ -25,6 +25,7 @@
#import "config.h"
+#import "ArgumentCodersCF.h"
#import "SandboxUtilities.h"
#import "XPCServiceEntryPoint.h"
@@ -41,9 +42,9 @@
{
}
-#if PLATFORM(MAC)
bool XPCServiceInitializerDelegate::checkEntitlements()
{
+#if PLATFORM(MAC)
if (!isClientSandboxed())
return true;
@@ -52,10 +53,22 @@
NSLog(@"Application does not have the 'com.apple.security.network.client' entitlement.");
return false;
}
+#endif
+#if PLATFORM(IOS)
+ auto value = IPC::adoptXPC(xpc_connection_copy_entitlement_value(m_connection.get(), "keychain-access-groups"));
+ if (value && xpc_get_type(value.get()) == XPC_TYPE_ARRAY) {
+ xpc_array_apply(value.get(), ^bool(size_t index, xpc_object_t object) {
+ if (xpc_get_type(object) == XPC_TYPE_STRING && !strcmp(xpc_string_get_string_ptr(object), "com.apple.identities")) {
+ IPC::setAllowsDecodingSecKeyRef(true);
+ return false;
+ }
+ return true;
+ });
+ }
+#endif
return true;
}
-#endif
bool XPCServiceInitializerDelegate::getConnectionIdentifier(IPC::Connection::Identifier& identifier)
{
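Review bot: On iOS, checkEntitlements() now always returns true and its only effect is to flip a process-wide flag inside the xpc_array_apply block, so a missing or malformed "keychain-access-groups" value is silently treated as "no key decoding" with nothing at the call site saying so. The denial path relies on the static in ArgumentCodersCF.cpp being zero-initialized. Making that explicit with `IPC::setAllowsDecodingSecKeyRef(false);` just before the entitlement lookup would keep the gate fail-closed even if another caller had set it earlier. I would also add a comment above the `#if PLATFORM(IOS)` block such as `// Only clients in the com.apple.identities keychain access group may have persistent key references resolved in this process.` The entitlement is read from m_connection, so the decision presumably holds only while the service has a single client connection; that assumption is worth stating in the same comment.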
Modified: trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp (169937 => 169938)
--- trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp 2014-06-13 17:33:45 UTC (rev 169937)
+++ trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp 2014-06-13 18:04:34 UTC (rev 169938)
@@ -591,6 +591,15 @@
return true;
}
+#if PLATFORM(IOS)
+static bool secKeyRefDecodingAllowed;
+
+void setAllowsDecodingSecKeyRef(bool allowsDecodingSecKeyRef)
+{
+ secKeyRefDecodingAllowed = allowsDecodingSecKeyRef;
+}
+#endif
+
void encode(ArgumentEncoder& encoder, SecIdentityRef identity)
{
SecCertificateRef certificate = nullptr;
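Review bot: `secKeyRefDecodingAllowed` is a plain mutable static behind an exported setter, so nothing on these lines prevents a later caller from enabling it after start-up, and the write is unsynchronized with the read in decode(). A comment on the declaration should record the security contract, for example `// Defaults to false (deny). Set once from XPCServiceInitializerDelegate::checkEntitlements() before any IPC message is decoded.` Writing the initializer out as `static bool secKeyRefDecodingAllowed = false;` makes the deny-by-default intent visible to the next reader. The same one-line contract belongs on the setAllowsDecodingSecKeyRef declaration in ArgumentCodersCF.h. The encode() body that follows continues outside the hunk.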
@@ -636,7 +645,8 @@
SecKeyRef key = nullptr;
#if PLATFORM(IOS)
- SecKeyFindWithPersistentRef(keyData.get(), &key);
+ if (secKeyRefDecodingAllowed)
+ SecKeyFindWithPersistentRef(keyData.get(), &key);
#endif
#if PLATFORM(MAC)
SecKeychainItemCopyFromPersistentReference(keyData.get(), (SecKeychainItemRef*)&key);
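Review bot: When `secKeyRefDecodingAllowed` is false the key simply stays nullptr, and the OSStatus returned by SecKeyFindWithPersistentRef is still discarded, so a denied decode and a failed keychain lookup look identical to the code that follows. How a null key is handled is outside this hunk, so it is worth confirming that the function does not hand back a partially built identity in that case. I would add a comment on the new guard, for example `// Persistent key references are resolved only for entitled clients; otherwise key stays null and no identity is created.` A debug log on the denied branch would also help when diagnosing client-certificate failures.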
Modified: trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h (169937 => 169938)
--- trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h 2014-06-13 17:33:45 UTC (rev 169937)
+++ trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h 2014-06-13 18:04:34 UTC (rev 169938)
@@ -88,6 +88,10 @@
bool decode(ArgumentDecoder&, RetainPtr<SecKeychainItemRef>& result);
#endif
+#if PLATFORM(IOS)
+void setAllowsDecodingSecKeyRef(bool);
+#endif
+
CFTypeRef tokenNullTypeRef();
} // namespace IPC