Security-58286.20.16.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / singlediskrep.cpp
index 5b01b1381f777e051ba5c01e2dadb970f9c63516..2c0cbd27f76f7b8e17ef5f9a6cf10526a58549d0 100644 (file)
@@ -82,6 +82,14 @@ size_t SingleDiskRep::signingLimit()
        return fd().fileSize();
 }
 
+//
+// No executable segment in non-machO files.
+//
+size_t SingleDiskRep::execSegLimit(const Architecture *)
+{
+       return 0;
+}
+
 //
 // A lazily opened read-only file descriptor for the path.
 //
@@ -89,7 +97,6 @@ FileDesc &SingleDiskRep::fd()
 {
        if (!mFd)
                mFd.open(mPath, O_RDONLY);
-
        return mFd;
 }
 
@@ -101,7 +108,6 @@ void SingleDiskRep::flush()
        mFd.close();
 }
 
-
 //
 // The recommended identifier of a SingleDiskRep is, absent any better clue,
 // the basename of its path.
@@ -115,10 +121,17 @@ string SingleDiskRep::recommendedIdentifier(const SigningContext &)
 //
 // Paranoid validation
 //
-void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated)
+void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags)
 {
+       DiskRep::strictValidate(cd, tolerated, flags);
+
+       if (flags & kSecCSRestrictSidebandData)
+               if (fd().hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd().hasExtendedAttribute(XATTR_FINDERINFO_NAME))
+                       if (tolerated.find(errSecCSInvalidAssociatedFileData) == tolerated.end())
+                               MacOSError::throwMe(errSecCSInvalidAssociatedFileData);
+       
        // code limit must cover (exactly) the entire file
-       if (cd && cd->codeLimit != signingLimit())
+       if (cd && cd->signingLimit() != signingLimit())
                MacOSError::throwMe(errSecCSSignatureInvalid);
 }
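Review bot: The new sideband check in strictValidate is three nested `if` statements with no braces, in a function whose whole job is to reject files. A later edit that adds an `else` or a second statement under any of them would silently bind to the wrong condition. I would brace at least the outer level, `if (flags & kSecCSRestrictSidebandData) {` … `}`, or fold the three tests into one braced condition. The block also needs a comment explaining why these two attributes are rejected, for example `// resource fork and FinderInfo xattrs are not part of the file data bounded by signingLimit(); reject them unless the caller tolerates errSecCSInvalidAssociatedFileData`; the rationale there is inferred from the flag and error names, so confirm it. It would also help to state that the code-limit mismatch below deliberately ignores `tolerated`, so the asymmetry is not taken for an oversight. The added line after the throw contains only whitespace.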