X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..b04fe171f0375ecd5d8a24747ca1dff85720a0ca:/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp diff --git a/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp b/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp index 0d3ed8b1..f4889f69 100644 --- a/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp +++ b/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp @@ -105,7 +105,6 @@ OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCodeRef, SecCSFlags f OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, SecCSFlags flags, SecRequirementRef requirementRef, CFErrorRef *errors) { -#if !SECTRUST_OSX BEGIN_CSAPI checkFlags(flags, @@ -114,12 +113,14 @@ OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, Se | kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources | kSecCSConsiderExpiration - | kSecCSEnforceRevocationChecks + | kSecCSEnforceRevocationChecks | kSecCSNoNetworkAccess | kSecCSCheckNestedCode | kSecCSStrictValidate + | kSecCSRestrictSidebandData | kSecCSCheckGatekeeperArchitectures | kSecCSRestrictSymlinks + | kSecCSRestrictToAppLike ); if (errors) @@ -132,56 +133,6 @@ OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, Se code->staticValidate(flags, req); END_CSAPI_ERRORS -#else -#warning resolve before enabling SECTRUST_OSX: - OSStatus result = errSecSuccess; - const char *func = "SecStaticCodeCheckValidity"; - CFErrorRef localErrors = NULL; - if (!errors) { errors = &localErrors; } - try { - checkFlags(flags, - kSecCSReportProgress - | kSecCSCheckAllArchitectures - | kSecCSDoNotValidateExecutable - | kSecCSDoNotValidateResources - | kSecCSConsiderExpiration - | kSecCSEnforceRevocationChecks - | kSecCSNoNetworkAccess - | kSecCSCheckNestedCode - | kSecCSStrictValidate - | kSecCSCheckGatekeeperArchitectures - ); - - if (errors) - flags |= kSecCSFullReport; // internal-use flag - - SecPointer code = SecStaticCode::requiredStatic(staticCodeRef); - code->setValidationFlags(flags); - const SecRequirement *req = SecRequirement::optional(requirementRef); - DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str()); - code->staticValidate(flags, req); - } - catch (...) { - // the actual error being thrown is not being caught by any of the - // type-specific blocks contained in the END_CSAPI_ERRORS macro, - // so we only have the catch-all block here for now. - result = errSecCSInternalError; - } - - if (errors && *errors) { - CFShow(errors); - CFRelease(errors); - *errors = NULL; - } - if (result == errSecCSInternalError) { - #if !NDEBUG - Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result); - #endif - result = errSecSuccess; - } - return result; - -#endif } @@ -322,3 +273,36 @@ OSStatus SecStaticCodeCancelValidation(SecStaticCodeRef codeRef, SecCSFlags flag END_CSAPI } + + +// +// Retrieve a component object for a special slot directly. +// +CFDataRef SecCodeCopyComponent(SecCodeRef codeRef, int slot, CFDataRef hash) +{ + BEGIN_CSAPI + + SecStaticCode* code = SecStaticCode::requiredStatic(codeRef); + return code->copyComponent(slot, hash); + + END_CSAPI1(NULL) +} + + +// +// Validate a single plain file's resource seal against a memory copy. +// This will fail for any other file type (symlink, directory, nested code, etc. etc.) +// +OSStatus SecCodeValidateFileResource(SecStaticCodeRef codeRef, CFStringRef relativePath, CFDataRef fileData, SecCSFlags flags) +{ + BEGIN_CSAPI + + checkFlags(0); + if (fileData == NULL) + MacOSError::throwMe(errSecCSObjectRequired); + SecStaticCode *code = SecStaticCode::requiredStatic(codeRef); + code->validatePlainMemoryResource(cfString(relativePath), fileData, flags); + + END_CSAPI + +}