protocol/SecProtocolConfiguration.m

   1 //
   2 //  SecProtocolConfiguration.m
   3 //  Security
   4 //
   5
   6 #import "SecProtocolInternal.h"
   7 #import <Security/SecProtocolObject.h>
   8 #import <Security/SecProtocolConfiguration.h>
   9 #import <Security/SecureTransportPriv.h>
  10 #import <CoreFoundation/CFPriv.h>
  11 #import <Foundation/Foundation.h>
  12
  13 #define MINIMUM_RSA_KEY_SIZE 2048
  14 #define MINIMUM_ECDSA_KEY_SIZE 2048
  15 #define MINIMUM_HASH_ALGORITHM kSecSignatureHashAlgorithmSHA256
  16 #define MINIMUM_PROTOCOL kTLSProtocol12
  17
  18 static const char *
  19 get_running_process()
  20 {
  21     static const char *processName = NULL;
  22     static dispatch_once_t onceToken;
  23     dispatch_once(&onceToken, ^{
  24         const char **procName = _CFGetProgname();
  25         processName = *procName;
  26     });
  27     return processName;
  28 }
  29
  30 static bool
  31 process_matches_target(const char *target_process)
  32 {
  33     if (target_process == NULL) {
  34         return false;
  35     }
  36
  37     const char *process = get_running_process();
  38     if (process != NULL) {
  39         return (strlen(target_process) == strlen(process) &&
  40                 strncmp(process, target_process, strlen(target_process)) == 0);
  41     }
  42     return false;
  43 }
  44
  45 static bool
  46 client_is_WebKit()
  47 {
  48     static bool is_WebKit = false;
  49     static dispatch_once_t onceToken;
  50     dispatch_once(&onceToken, ^{
  51         is_WebKit = process_matches_target("com.apple.WebKit");
  52     });
  53     return is_WebKit;
  54 }
  55
  56 static bool
  57 client_is_mediaserverd()
  58 {
  59     static bool is_mediaserverd = false;
  60     static dispatch_once_t onceToken;
  61     dispatch_once(&onceToken, ^{
  62         is_mediaserverd = process_matches_target("mediaserverd");
  63     });
  64     return is_mediaserverd;
  65 }
  66
  67 sec_protocol_configuration_t
  68 sec_protocol_configuration_copy_singleton(void)
  69 {
  70     static dispatch_once_t onceToken;
  71     static sec_protocol_configuration_t singleton = nil;
  72     dispatch_once(&onceToken, ^{
  73         singleton = sec_protocol_configuration_create_with_builder(sec_protocol_configuration_builder_copy_default());
  74     });
  75     return singleton;
  76 }
  77
  78 static sec_protocol_options_t
  79 sec_protocol_configuration_copy_transformed_options_with_ats_minimums(sec_protocol_options_t options)
  80 {
  81     sec_protocol_options_set_ats_required(options, true);
  82     sec_protocol_options_set_trusted_peer_certificate(options, true);
  83     sec_protocol_options_set_minimum_rsa_key_size(options, MINIMUM_RSA_KEY_SIZE);
  84     sec_protocol_options_set_minimum_ecdsa_key_size(options, MINIMUM_ECDSA_KEY_SIZE);
  85     sec_protocol_options_set_minimum_signature_algorithm(options, MINIMUM_HASH_ALGORITHM);
  86     sec_protocol_options_set_min_tls_protocol_version(options, tls_protocol_version_TLSv12);
  87     return options;
  88 }
  89
  90 sec_protocol_options_t
  91 sec_protocol_configuration_copy_transformed_options(__unused sec_protocol_configuration_t config, sec_protocol_options_t options)
  92 {
  93     sec_protocol_options_clear_tls_ciphersuites(options);
  94     sec_protocol_options_append_tls_ciphersuite_group(options, tls_ciphersuite_group_ats);
  95     return sec_protocol_configuration_copy_transformed_options_with_ats_minimums(options);
  96 }
  97
  98 static const char *
  99 _find_parent_domain(const char *domain)
 100 {
 101     size_t domain_len = strlen(domain);
 102     size_t index = 0;
 103     while (index < domain_len) {
 104         // Once we hit a dot, the parent domain begins at the next segment.
 105         if (domain[index] == '.' && index < domain_len) {
 106             return domain + 1;
 107         }
 108
 109         // Skip over all characters that are not dots.
 110         index++;
 111     }
 112
 113     return NULL;
 114 }
 115
 116 static sec_protocol_options_t
 117 sec_protocol_configuration_copy_transformed_options_for_host_internal(sec_protocol_configuration_t config, sec_protocol_options_t options,
 118                                                                 const char *host, bool parent_domain)
 119 {
 120     xpc_object_t map = sec_protocol_configuration_get_map(config);
 121     if (map == nil) {
 122         return options;
 123     }
 124
 125     xpc_object_t domain_map = xpc_dictionary_get_dictionary(map, kExceptionDomains);
 126     if (domain_map == nil) {
 127         return options;
 128     }
 129
 130     xpc_object_t entry = xpc_dictionary_get_dictionary(domain_map, host);
 131     if (entry == nil) {
 132         const char *parent_host = _find_parent_domain(host);
 133         if (parent_host != NULL) {
 134             return sec_protocol_configuration_copy_transformed_options_for_host_internal(config, options, parent_host, true);
 135         }
 136
 137         // If we could not find a matching domain, apply the default connection properties.
 138         return sec_protocol_configuration_copy_transformed_options(config, options);
 139     }
 140
 141     bool pfs_required = xpc_dictionary_get_bool(entry, kExceptionRequiresForwardSecrecy);
 142     if (pfs_required) {
 143         sec_protocol_options_clear_tls_ciphersuites(options);
 144         sec_protocol_options_append_tls_ciphersuite_group(options, tls_ciphersuite_group_ats);
 145     } else {
 146         // Otherwise, record the fact that non-PFS ciphersuites are permitted.
 147         // This does not mean that the caller actually configured a non-PFS ciphersuite.
 148         sec_protocol_options_set_ats_non_pfs_ciphersuite_allowed(options, true);
 149     }
 150
 151     tls_protocol_version_t minimum_protocol = (SSLProtocol)xpc_dictionary_get_int64(entry, kExceptionMinimumTLSVersion);
 152     if (minimum_protocol != 0) {
 153         // Record the fact that an excepted TLS version was configured.
 154         sec_protocol_options_set_min_tls_protocol_version(options, minimum_protocol);
 155         sec_protocol_options_set_ats_minimum_tls_version_allowed(options, true);
 156     }
 157
 158     return options;
 159 }
 160
 161 sec_protocol_options_t
 162 sec_protocol_configuration_copy_transformed_options_for_host(sec_protocol_configuration_t config, sec_protocol_options_t options, const char *host)
 163 {
 164     return sec_protocol_configuration_copy_transformed_options_for_host_internal(config, sec_protocol_configuration_copy_transformed_options_with_ats_minimums(options), host, false);
 165 }
 166
 167 bool
 168 sec_protocol_configuration_tls_required(sec_protocol_configuration_t config)
 169 {
 170     xpc_object_t map = sec_protocol_configuration_get_map(config);
 171     if (map == nil) {
 172         // Fail closed.
 173         return true;
 174     }
 175
 176     bool allows_media_loads = xpc_dictionary_get_bool(map, kAllowsArbitraryLoadsForMedia);
 177     if (allows_media_loads && client_is_mediaserverd()) {
 178         return false;
 179     }
 180
 181     bool allows_web_loads = xpc_dictionary_get_bool(map, kAllowsArbitraryLoadsInWebContent);
 182     if (allows_web_loads && client_is_WebKit()) {
 183         return false;
 184     }
 185
 186     return !xpc_dictionary_get_bool(map, kAllowsArbitraryLoads);
 187 }
 188
 189 static bool
 190 sec_protocol_configuration_tls_required_for_host_internal(sec_protocol_configuration_t config, const char *host, bool parent_domain)
 191 {
 192     xpc_object_t map = sec_protocol_configuration_get_map(config);
 193     if (map == nil) {
 194         // Fail closed.
 195         return true;
 196     }
 197
 198     xpc_object_t domain_map = xpc_dictionary_get_dictionary(map, kExceptionDomains);
 199     if (domain_map == nil) {
 200         // Absent per-domain exceptions, use the default.
 201         return sec_protocol_configuration_tls_required(config);
 202     }
 203
 204     xpc_object_t entry = xpc_dictionary_get_dictionary(domain_map, host);
 205     if (entry == nil) {
 206         const char *parent_host = _find_parent_domain(host);
 207         if (parent_host != NULL) {
 208             return sec_protocol_configuration_tls_required_for_host_internal(config, parent_host, true);
 209         }
 210         return sec_protocol_configuration_tls_required(config);
 211     }
 212
 213     bool requires_tls = !xpc_dictionary_get_bool(entry, kExceptionAllowsInsecureHTTPLoads);
 214     bool includes_subdomains = !xpc_dictionary_get_bool(entry, kExceptionAllowsInsecureHTTPLoads);
 215
 216     if (parent_domain && !includes_subdomains) {
 217         // If this domain's exceptions do not apply to subdomains, then default to the application default policy.
 218         return sec_protocol_configuration_tls_required(config);
 219     }
 220
 221     return requires_tls;
 222 }
 223
 224 bool
 225 sec_protocol_configuration_tls_required_for_host(sec_protocol_configuration_t config, const char *host)
 226 {
 227     return sec_protocol_configuration_tls_required_for_host_internal(config, host, false);
 228 }
 229
 230 bool
 231 sec_protocol_configuration_tls_required_for_address(sec_protocol_configuration_t config, const char *address)
 232 {
 233     xpc_object_t map = sec_protocol_configuration_get_map(config);
 234     if (map == nil) {
 235         // Fail closed.
 236         return true;
 237     }
 238
 239     return !xpc_dictionary_get_bool(map, kAllowsLocalNetworking);
 240 }
 241
 242 static tls_protocol_version_t
 243 sec_protocol_configuration_protocol_string_to_version(const char *protocol)
 244 {
 245     if (protocol == NULL) {
 246         return 0;
 247     }
 248
 249     const char *tlsv10 = "TLSv1.0";
 250     const char *tlsv11 = "TLSv1.1";
 251     const char *tlsv12 = "TLSv1.2";
 252     const char *tlsv13 = "TLSv1.3";
 253
 254     if (strlen(protocol) == strlen(tlsv10) && strncmp(protocol, tlsv10, strlen(protocol)) == 0) {
 255         return tls_protocol_version_TLSv10;
 256     } else if (strlen(protocol) == strlen(tlsv11) && strncmp(protocol, tlsv11, strlen(protocol)) == 0) {
 257         return tls_protocol_version_TLSv11;
 258     } else if (strlen(protocol) == strlen(tlsv12) && strncmp(protocol, tlsv12, strlen(protocol)) == 0) {
 259         return tls_protocol_version_TLSv12;
 260     } else if (strlen(protocol) == strlen(tlsv13) && strncmp(protocol, tlsv13, strlen(protocol)) == 0) {
 261         return tls_protocol_version_TLSv13;
 262     }
 263
 264     return 0;
 265 }
 266
 267 static void
 268 sec_protocol_configuration_register_builtin_exception(xpc_object_t dict, const char *name,
 269                                                       tls_protocol_version_t protocol, bool requires_pfs,
 270                                                       bool allows_http, bool includes_subdomains, bool require_ct)
 271 {
 272     xpc_object_t domain_map = xpc_dictionary_get_dictionary(dict, kExceptionDomains);
 273     if (domain_map) {
 274         xpc_object_t entry = xpc_dictionary_create(NULL, NULL, 0);
 275         xpc_dictionary_set_value(entry, kExceptionDomains, domain_map);
 276
 277         xpc_dictionary_set_bool(entry, kIncludesSubdomains, includes_subdomains);
 278         xpc_dictionary_set_int64(entry, kExceptionMinimumTLSVersion, protocol);
 279         xpc_dictionary_set_bool(entry, kExceptionAllowsInsecureHTTPLoads, allows_http);
 280         xpc_dictionary_set_bool(entry, kExceptionRequiresForwardSecrecy, requires_pfs);
 281
 282         xpc_dictionary_set_value(domain_map, name, entry);
 283     }
 284 }
 285
 286 void
 287 sec_protocol_configuration_register_builtin_exceptions(sec_protocol_configuration_t config)
 288 {
 289     xpc_object_t dict = sec_protocol_configuration_get_map(config);
 290     sec_protocol_configuration_register_builtin_exception(dict, "apple.com", tls_protocol_version_TLSv12, false, true, true, true);
 291     sec_protocol_configuration_register_builtin_exception(dict, "ls.apple.com", tls_protocol_version_TLSv10, false, true, true, true);
 292     sec_protocol_configuration_register_builtin_exception(dict, "gs.apple.com", tls_protocol_version_TLSv10, false, true, true, true);
 293     sec_protocol_configuration_register_builtin_exception(dict, "geo.apple.com", tls_protocol_version_TLSv10, false, true, true, true);
 294     sec_protocol_configuration_register_builtin_exception(dict, "is.autonavi.com", tls_protocol_version_TLSv10, false, true, true, true);
 295     sec_protocol_configuration_register_builtin_exception(dict, "apple-mapkit.com", tls_protocol_version_TLSv10, false, true, true, true);
 296     sec_protocol_configuration_register_builtin_exception(dict, "setup.icloud.com", tls_protocol_version_TLSv12, false, true, true, true);
 297 }
 298
 299 void
 300 sec_protocol_configuration_populate_insecure_defaults(sec_protocol_configuration_t config)
 301 {
 302     xpc_object_t dict = sec_protocol_configuration_get_map(config);
 303     xpc_object_t domain_map = xpc_dictionary_create(NULL, NULL, 0);
 304     xpc_dictionary_set_value(dict, kExceptionDomains, domain_map);
 305
 306     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsInWebContent, true);
 307     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsForMedia, true);
 308     xpc_dictionary_set_bool(dict, kAllowsLocalNetworking, true);
 309     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoads, true);
 310 }
 311
 312 void
 313 sec_protocol_configuration_populate_secure_defaults(sec_protocol_configuration_t config)
 314 {
 315     xpc_object_t dict = sec_protocol_configuration_get_map(config);
 316     xpc_object_t domain_map = xpc_dictionary_create(NULL, NULL, 0);
 317     xpc_dictionary_set_value(dict, kExceptionDomains, domain_map);
 318
 319     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsInWebContent, false);
 320     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsForMedia, false);
 321     xpc_dictionary_set_bool(dict, kAllowsLocalNetworking, false);
 322     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoads, false);
 323 }
 324
 325 bool
 326 sec_protocol_configuration_set_ats_overrides(sec_protocol_configuration_t config, CFDictionaryRef plist)
 327 {
 328     if (plist == NULL) {
 329         return false;
 330     }
 331
 332 #define BOOLEAN_FOR_KEY(dictionary, key, value, default) \
 333     bool value = default; \
 334     { \
 335         NSNumber *nsValue = [dictionary valueForKey:[[NSString alloc] initWithFormat:@"%s", key]]; \
 336         if (nsValue) { \
 337             value = [nsValue boolValue]; \
 338         } \
 339     }
 340 #define STRING_FOR_KEY(dictionary, key, value, default) \
 341     NSString *value = default; \
 342     { \
 343         NSString *nsValue = [dictionary valueForKey:[[NSString alloc] initWithFormat:@"%s", key]]; \
 344         if (nsValue) { \
 345             value = nsValue; \
 346         } \
 347     }
 348
 349     xpc_object_t dict = sec_protocol_configuration_get_map(config);
 350     if (dict == nil) {
 351         return false;
 352     }
 353
 354     NSDictionary *plist_dictionary = (__bridge NSDictionary *)plist;
 355     BOOLEAN_FOR_KEY(plist_dictionary, kAllowsArbitraryLoads, arbitrary_loads, false);
 356     BOOLEAN_FOR_KEY(plist_dictionary, kAllowsArbitraryLoadsInWebContent, web_loads, false);
 357     BOOLEAN_FOR_KEY(plist_dictionary, kAllowsArbitraryLoadsForMedia, media_loads, false);
 358     BOOLEAN_FOR_KEY(plist_dictionary, kAllowsLocalNetworking, local_networking, false);
 359
 360     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoads, arbitrary_loads);
 361     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsInWebContent, web_loads);
 362     xpc_dictionary_set_bool(dict, kAllowsArbitraryLoadsForMedia, media_loads);
 363     xpc_dictionary_set_bool(dict, kAllowsLocalNetworking, local_networking);
 364
 365     NSDictionary *exception_domains = [plist_dictionary valueForKey:[[NSString alloc] initWithFormat:@"%s", kExceptionDomains]];
 366     if (exception_domains == nil) {
 367         return true;
 368     }
 369
 370     xpc_object_t domain_map = xpc_dictionary_get_dictionary(dict, kExceptionDomains);
 371     if (domain_map == nil) {
 372         // The domain map MUST be present during initialziation
 373         return false;
 374     }
 375
 376     [exception_domains enumerateKeysAndObjectsUsingBlock:^(id _key, id _obj, BOOL *stop) {
 377         NSString *domain = (NSString *)_key;
 378         NSDictionary *entry = (NSDictionary *)_obj;
 379         if (entry == nil) {
 380             // Exception domains MUST have ATS information set.
 381             *stop = YES;
 382         }
 383
 384         xpc_object_t entry_map = xpc_dictionary_create(NULL, NULL, 0);
 385
 386         BOOLEAN_FOR_KEY(entry_map, kExceptionAllowsInsecureHTTPLoads, allows_http, false);
 387         BOOLEAN_FOR_KEY(entry_map, kIncludesSubdomains, includes_subdomains, false);
 388         BOOLEAN_FOR_KEY(entry_map, kExceptionRequiresForwardSecrecy, requires_pfs, false);
 389         STRING_FOR_KEY(entry_map, kExceptionMinimumTLSVersion, minimum_tls, @"TLSv1.2");
 390
 391         xpc_dictionary_set_bool(entry_map, kIncludesSubdomains, includes_subdomains);
 392         xpc_dictionary_set_bool(entry_map, kExceptionAllowsInsecureHTTPLoads, allows_http);
 393         xpc_dictionary_set_bool(entry_map, kExceptionRequiresForwardSecrecy, requires_pfs);
 394         xpc_dictionary_set_int64(entry_map, kExceptionMinimumTLSVersion, sec_protocol_configuration_protocol_string_to_version([minimum_tls cStringUsingEncoding:NSUTF8StringEncoding]));
 395         xpc_dictionary_set_value(domain_map, [domain cStringUsingEncoding:NSUTF8StringEncoding], entry_map);
 396     }];
 397
 398 #undef STRING_FOR_KEY
 399 #undef BOOLEAN_FOR_KEY
 400
 401     return true;
 402 }