libsecurity_codesigning/lib/codedirectory.cpp

   1 /*
   2  * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // codedirectory - format and operations for code signing "code directory" structures
  26 //
  27 #include "codedirectory.h"
  28 #include "csutilities.h"
  29 #include "CSCommonPriv.h"
  30
  31 using namespace UnixPlusPlus;
  32
  33
  34 namespace Security {
  35 namespace CodeSigning {
  36
  37
  38 //
  39 // Highest understood special slot in this CodeDirectory.
  40 //
  41 CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
  42 {
  43         SpecialSlot slot = this->nSpecialSlots;
  44         if (slot > cdSlotMax)
  45                 slot = cdSlotMax;
  46         return slot;
  47 }
  48
  49
  50 //
  51 // Canonical filesystem names for select slot numbers.
  52 // These are variously used for filenames, extended attribute names, etc.
  53 // to get some consistency in naming. These are for storing signing-related
  54 // data; they have no bearing on the actual hash slots in the CodeDirectory.
  55 //
  56 const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
  57 {
  58         switch (slot) {
  59         case cdRequirementsSlot:
  60                 return kSecCS_REQUIREMENTSFILE;
  61         case cdResourceDirSlot:
  62                 return kSecCS_RESOURCEDIRFILE;
  63         case cdCodeDirectorySlot:
  64                 return kSecCS_CODEDIRECTORYFILE;
  65         case cdSignatureSlot:
  66                 return kSecCS_SIGNATUREFILE;
  67         case cdApplicationSlot:
  68                 return kSecCS_APPLICATIONFILE;
  69         case cdEntitlementSlot:
  70                 return kSecCS_ENTITLEMENTFILE;
  71         default:
  72                 return NULL;
  73         }
  74 }
  75
  76
  77 //
  78 // Canonical attributes of SpecialSlots.
  79 //
  80 unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
  81 {
  82         switch (slot) {
  83         case cdRequirementsSlot:
  84                 return cdComponentIsBlob; // global
  85         case cdCodeDirectorySlot:
  86                 return cdComponentPerArchitecture | cdComponentIsBlob;
  87         case cdSignatureSlot:
  88                 return cdComponentPerArchitecture; // raw
  89         case cdEntitlementSlot:
  90                 return cdComponentIsBlob; // global
  91         case cdIdentificationSlot:
  92                 return cdComponentPerArchitecture; // raw
  93         default:
  94                 return 0; // global, raw
  95         }
  96 }
  97
  98
  99 //
 100 // Symbolic names for code directory special slots.
 101 // These are only used for debug output. They are not API-official.
 102 // Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
 103 //
 104 #if !defined(NDEBUG)
 105 const char * const CodeDirectory::debugSlotName[] = {
 106         "codedirectory",
 107         "info",
 108         "requirements",
 109         "resources",
 110         "application",
 111         "entitlement"
 112 };
 113 #endif //NDEBUG
 114
 115
 116 //
 117 // Check a CodeDirectory for basic integrity. This should ensure that the
 118 // version is understood by our code, and that the internal structure
 119 // (offsets etc.) is intact. In particular, it must make sure that no offsets
 120 // point outside the CodeDirectory.
 121 // Throws if the directory is corrupted or out of versioning bounds.
 122 // Returns if the version is usable (perhaps with degraded features due to
 123 // compatibility hacks).
 124 //
 125 // Note: There are some things we don't bother checking because they won't
 126 // cause crashes, and will just be flagged as nonsense later. For example,
 127 // a Bad Guy could overlap the identifier and hash fields, which is nonsense
 128 // but not dangerous.
 129 //
 130 void CodeDirectory::checkIntegrity() const
 131 {
 132         // check version for support
 133         if (!this->validateBlob())
 134                 MacOSError::throwMe(errSecCSSignatureInvalid);  // busted
 135         if (version > compatibilityLimit)
 136                 MacOSError::throwMe(errSecCSSignatureUnsupported);      // too new - no clue
 137         if (version < earliestVersion)
 138                 MacOSError::throwMe(errSecCSSignatureUnsupported);      // too old - can't support
 139         if (version > currentVersion)
 140                 secdebug("codedir", "%p version 0x%x newer than current 0x%x",
 141                         this, uint32_t(version), currentVersion);
 142
 143         // now check interior offsets for validity
 144         if (!stringAt(identOffset))
 145                 MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
 146         if (version >= supportsTeamID && teamIDOffset != 0 && !stringAt(teamIDOffset))
 147                         MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
 148         if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots)))
 149                 MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
 150         if (const Scatter *scatter = this->scatterVector()) {
 151                 // the optional scatter vector is terminated with an element having (count == 0)
 152                 unsigned int pagesConsumed = 0;
 153                 for (;; scatter++) {
 154                         if (!contains(scatter, sizeof(Scatter)))
 155                                 MacOSError::throwMe(errSecCSSignatureFailed);
 156                         if (scatter->count == 0)
 157                                 break;
 158                         pagesConsumed += scatter->count;
 159                 }
 160                 if (!contains((*this)[pagesConsumed-1], hashSize))      // referenced too many main hash slots
 161                         MacOSError::throwMe(errSecCSSignatureFailed);
 162         }
 163 }
 164
 165
 166 //
 167 // Validate a slot against data in memory.
 168 //
 169 bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
 170 {
 171         secdebug("codedir", "%p validating slot %d", this, int(slot));
 172         MakeHash<CodeDirectory> hasher(this);
 173         Hashing::Byte digest[hasher->digestLength()];
 174         generateHash(hasher, data, length, digest);
 175         return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
 176 }
 177
 178
 179 //
 180 // Validate a slot against the contents of an open file. At most 'length' bytes
 181 // will be read from the file.
 182 //
 183 bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
 184 {
 185         MakeHash<CodeDirectory> hasher(this);
 186         Hashing::Byte digest[hasher->digestLength()];
 187         generateHash(hasher, fd, digest, length);
 188         return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
 189 }
 190
 191
 192 //
 193 // Check whether a particular slot is present.
 194 // Absense is indicated by either a zero hash, or by lying outside
 195 // the slot range.
 196 //
 197 bool CodeDirectory::slotIsPresent(Slot slot) const
 198 {
 199         if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
 200                 const Hashing::Byte *digest = (*this)[slot];
 201                 for (unsigned n = 0; n < hashSize; n++)
 202                         if (digest[n])
 203                                 return true;    // non-zero digest => present
 204         }
 205         return false;   // absent
 206 }
 207
 208
 209 //
 210 // Given a hash type code, create an appropriate subclass of DynamicHash
 211 // and return it. The caller owns the object and  must delete it when done.
 212 // This function never returns NULL. It throws if the hashType is unsuupported,
 213 // or if there's an error creating the hasher.
 214 //
 215 DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
 216 {
 217         CCDigestAlg alg;
 218         switch (hashType) {
 219         case kSecCodeSignatureHashSHA1:                                         alg = kCCDigestSHA1; break;
 220         case kSecCodeSignatureHashSHA256:                                       alg = kCCDigestSHA256; break;
 221         default:
 222                 MacOSError::throwMe(errSecCSSignatureUnsupported);
 223         }
 224         return new CCHashInstance(alg);
 225 }
 226
 227
 228 //
 229 // Hash the next limit bytes of a file and return the digest.
 230 // If the file is shorter, hash as much as you can.
 231 // Limit==0 means unlimited (to end of file).
 232 // Return how many bytes were actually hashed.
 233 // Throw on any errors.
 234 //
 235 size_t CodeDirectory::generateHash(DynamicHash *hasher, FileDesc fd, Hashing::Byte *digest, size_t limit)
 236 {
 237         size_t size = hashFileData(fd, hasher, limit);
 238         hasher->finish(digest);
 239         return size;
 240 }
 241
 242
 243 //
 244 // Ditto, but hash a memory buffer instead.
 245 //
 246 size_t CodeDirectory::generateHash(DynamicHash *hasher, const void *data, size_t length, Hashing::Byte *digest)
 247 {
 248         hasher->update(data, length);
 249         hasher->finish(digest);
 250         return length;
 251 }
 252
 253
 254 //
 255 // Turn a hash of canonical type into a hex string
 256 //
 257 std::string CodeDirectory::hexHash(const unsigned char *hash) const
 258 {
 259         size_t size = this->hashSize;
 260         char result[2*size+1];
 261         for (unsigned n = 0; n < size; n++)
 262                 sprintf(result+2*n, "%02.2x", hash[n]);
 263         return result;
 264 }
 265
 266
 267 //
 268 // Generate a screening code string from a (complete) CodeDirectory.
 269 // This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
 270 //
 271 std::string CodeDirectory::screeningCode() const
 272 {
 273         if (slotIsPresent(-cdInfoSlot))         // has Info.plist
 274                 return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
 275         if (pageSize == 0)                                      // good-enough proxy for "not a Mach-O file"
 276                 return "M" + hexHash((*this)[0]); // use hash of main executable
 277         return "N";                                                     // no suitable screening code
 278 }
 279
 280
 281 }       // CodeSigning
 282 }       // Security
 283
 284
 285 //
 286 // Canonical text form for user-settable code directory flags.
 287 // Note: This table is actually exported from Security.framework.
 288 //
 289 const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
 290         { "host",               kSecCodeSignatureHost,                  true },
 291         { "adhoc",              kSecCodeSignatureAdhoc,                 false },
 292         { "hard",               kSecCodeSignatureForceHard,             true },
 293         { "kill",               kSecCodeSignatureForceKill,             true },
 294         { "expires",            kSecCodeSignatureForceExpiration,       true },
 295         { "restrict",           kSecCodeSignatureRestrict,              true },
 296         { "enforcement",        kSecCodeSignatureEnforcement,           true },
 297         { "library-validation", kSecCodeSignatureLibraryValidation,             true },
 298         { NULL }
 299 };