]> git.saurik.com Git - apple/security.git/blob - libsecurity_codesigning/lib/codedirectory.cpp
projects / apple / security.git / blob
? search:


06f67a3239df23a7643a0b82de087df036a9b5fb
[apple/security.git] / libsecurity_codesigning / lib / codedirectory.cpp
1 /*
2 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // codedirectory - format and operations for code signing "code directory" structures
26 //
27 #include "codedirectory.h"
28 #include "csutilities.h"
29 #include "CSCommonPriv.h"
30
31 using namespace UnixPlusPlus;
32
33
34 namespace Security {
35 namespace CodeSigning {
36
37
38 //
39 // Highest understood special slot in this CodeDirectory.
40 //
41 CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
42 {
43 SpecialSlot slot = this->nSpecialSlots;
44 if (slot > cdSlotMax)
45 slot = cdSlotMax;
46 return slot;
47 }
48
49
50 //
51 // Canonical filesystem names for select slot numbers.
52 // These are variously used for filenames, extended attribute names, etc.
53 // to get some consistency in naming. These are for storing signing-related
54 // data; they have no bearing on the actual hash slots in the CodeDirectory.
55 //
56 const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
57 {
58 switch (slot) {
59 case cdRequirementsSlot:
60 return kSecCS_REQUIREMENTSFILE;
61 case cdResourceDirSlot:
62 return kSecCS_RESOURCEDIRFILE;
63 case cdCodeDirectorySlot:
64 return kSecCS_CODEDIRECTORYFILE;
65 case cdSignatureSlot:
66 return kSecCS_SIGNATUREFILE;
67 case cdApplicationSlot:
68 return kSecCS_APPLICATIONFILE;
69 case cdEntitlementSlot:
70 return kSecCS_ENTITLEMENTFILE;
71 default:
72 return NULL;
73 }
74 }
75
76
77 //
78 // Canonical attributes of SpecialSlots.
79 //
80 unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
81 {
82 switch (slot) {
83 case cdRequirementsSlot:
84 return cdComponentIsBlob; // global
85 case cdCodeDirectorySlot:
86 return cdComponentPerArchitecture | cdComponentIsBlob;
87 case cdSignatureSlot:
88 return cdComponentPerArchitecture; // raw
89 case cdEntitlementSlot:
90 return cdComponentIsBlob; // global
91 case cdIdentificationSlot:
92 return cdComponentPerArchitecture; // raw
93 default:
94 return 0; // global, raw
95 }
96 }
97
98
99 //
100 // Symbolic names for code directory special slots.
101 // These are only used for debug output. They are not API-official.
102 // Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
103 //
104 #if !defined(NDEBUG)
105 const char * const CodeDirectory::debugSlotName[] = {
106 "codedirectory",
107 "info",
108 "requirements",
109 "resources",
110 "application",
111 "entitlement"
112 };
113 #endif //NDEBUG
114
115
116 //
117 // Check a CodeDirectory for basic integrity. This should ensure that the
118 // version is understood by our code, and that the internal structure
119 // (offsets etc.) is intact. In particular, it must make sure that no offsets
120 // point outside the CodeDirectory.
121 // Throws if the directory is corrupted or out of versioning bounds.
122 // Returns if the version is usable (perhaps with degraded features due to
123 // compatibility hacks).
124 //
125 // Note: There are some things we don't bother checking because they won't
126 // cause crashes, and will just be flagged as nonsense later. For example,
127 // a Bad Guy could overlap the identifier and hash fields, which is nonsense
128 // but not dangerous.
129 //
130 void CodeDirectory::checkIntegrity() const
131 {
132 // check version for support
133 if (!this->validateBlob())
134 MacOSError::throwMe(errSecCSSignatureInvalid); // busted
135 if (version > compatibilityLimit)
136 MacOSError::throwMe(errSecCSSignatureUnsupported); // too new - no clue
137 if (version < earliestVersion)
138 MacOSError::throwMe(errSecCSSignatureUnsupported); // too old - can't support
139 if (version > currentVersion)
140 secdebug("codedir", "%p version 0x%x newer than current 0x%x",
141 this, uint32_t(version), currentVersion);
142
143 // now check interior offsets for validity
144 if (!stringAt(identOffset))
145 MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
146 if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots)))
147 MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
148 if (const Scatter *scatter = this->scatterVector()) {
149 // the optional scatter vector is terminated with an element having (count == 0)
150 unsigned int pagesConsumed = 0;
151 for (;; scatter++) {
152 if (!contains(scatter, sizeof(Scatter)))
153 MacOSError::throwMe(errSecCSSignatureFailed);
154 if (scatter->count == 0)
155 break;
156 pagesConsumed += scatter->count;
157 }
158 if (!contains((*this)[pagesConsumed-1], hashSize)) // referenced too many main hash slots
159 MacOSError::throwMe(errSecCSSignatureFailed);
160 }
161 }
162
163
164 //
165 // Validate a slot against data in memory.
166 //
167 bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
168 {
169 secdebug("codedir", "%p validating slot %d", this, int(slot));
170 MakeHash<CodeDirectory> hasher(this);
171 Hashing::Byte digest[hasher->digestLength()];
172 generateHash(hasher, data, length, digest);
173 return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
174 }
175
176
177 //
178 // Validate a slot against the contents of an open file. At most 'length' bytes
179 // will be read from the file.
180 //
181 bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
182 {
183 MakeHash<CodeDirectory> hasher(this);
184 Hashing::Byte digest[hasher->digestLength()];
185 generateHash(hasher, fd, digest, length);
186 return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
187 }
188
189
190 //
191 // Check whether a particular slot is present.
192 // Absense is indicated by either a zero hash, or by lying outside
193 // the slot range.
194 //
195 bool CodeDirectory::slotIsPresent(Slot slot) const
196 {
197 if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
198 const Hashing::Byte *digest = (*this)[slot];
199 for (unsigned n = 0; n < hashSize; n++)
200 if (digest[n])
201 return true; // non-zero digest => present
202 }
203 return false; // absent
204 }
205
206
207 //
208 // Given a hash type code, create an appropriate subclass of DynamicHash
209 // and return it. The caller owns the object and must delete it when done.
210 // This function never returns NULL. It throws if the hashType is unsuupported,
211 // or if there's an error creating the hasher.
212 //
213 DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
214 {
215 CCDigestAlg alg;
216 switch (hashType) {
217 case kSecCodeSignatureHashSHA1: alg = kCCDigestSHA1; break;
218 case kSecCodeSignatureHashSHA256: alg = kCCDigestSHA256; break;
219 default:
220 MacOSError::throwMe(errSecCSSignatureUnsupported);
221 }
222 return new CCHashInstance(alg);
223 }
224
225
226 //
227 // Hash the next limit bytes of a file and return the digest.
228 // If the file is shorter, hash as much as you can.
229 // Limit==0 means unlimited (to end of file).
230 // Return how many bytes were actually hashed.
231 // Throw on any errors.
232 //
233 size_t CodeDirectory::generateHash(DynamicHash *hasher, FileDesc fd, Hashing::Byte *digest, size_t limit)
234 {
235 size_t size = hashFileData(fd, hasher, limit);
236 hasher->finish(digest);
237 return size;
238 }
239
240
241 //
242 // Ditto, but hash a memory buffer instead.
243 //
244 size_t CodeDirectory::generateHash(DynamicHash *hasher, const void *data, size_t length, Hashing::Byte *digest)
245 {
246 hasher->update(data, length);
247 hasher->finish(digest);
248 return length;
249 }
250
251
252 //
253 // Turn a hash of canonical type into a hex string
254 //
255 std::string CodeDirectory::hexHash(const unsigned char *hash) const
256 {
257 size_t size = this->hashSize;
258 char result[2*size+1];
259 for (unsigned n = 0; n < size; n++)
260 sprintf(result+2*n, "%02.2x", hash[n]);
261 return result;
262 }
263
264
265 //
266 // Generate a screening code string from a (complete) CodeDirectory.
267 // This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
268 //
269 std::string CodeDirectory::screeningCode() const
270 {
271 if (slotIsPresent(-cdInfoSlot)) // has Info.plist
272 return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
273 if (pageSize == 0) // good-enough proxy for "not a Mach-O file"
274 return "M" + hexHash((*this)[0]); // use hash of main executable
275 return "N"; // no suitable screening code
276 }
277
278
279 } // CodeSigning
280 } // Security
281
282
283 //
284 // Canonical text form for user-settable code directory flags.
285 // Note: This table is actually exported from Security.framework.
286 //
287 const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
288 { "host", kSecCodeSignatureHost, true },
289 { "adhoc", kSecCodeSignatureAdhoc, false },
290 { "hard", kSecCodeSignatureForceHard, true },
291 { "kill", kSecCodeSignatureForceKill, true },
292 { "expires", kSecCodeSignatureForceExpiration, true },
293 { "restrict", kSecCodeSignatureRestrict, true },
294 { "enforcement", kSecCodeSignatureEnforcement, true },
295 { NULL }
296 };
mirror of Security