From: Apple Date: Tue, 12 Aug 2014 23:37:53 +0000 (+0000) Subject: Security-55471.14.4.tar.gz X-Git-Tag: os-x-1093^0 X-Git-Url: https://git.saurik.com/apple/security.git/commitdiff_plain/420ff9d9379a8d93f2c90f026a797bdea1eb4517 Security-55471.14.4.tar.gz --- diff --git a/CloudKeychainProxy/CloudKeychainProxy-Info.plist b/CloudKeychainProxy/CloudKeychainProxy-Info.plist index 307d5a82..4b3a1ba4 100644 --- a/CloudKeychainProxy/CloudKeychainProxy-Info.plist +++ b/CloudKeychainProxy/CloudKeychainProxy-Info.plist @@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 NSHumanReadableCopyright Copyright © 2013 Apple, Inc. All rights reserved. diff --git a/Keychain Circle Notification/Keychain Circle Notification-Info.plist b/Keychain Circle Notification/Keychain Circle Notification-Info.plist index fcfb823b..471548b6 100644 --- a/Keychain Circle Notification/Keychain Circle Notification-Info.plist +++ b/Keychain Circle Notification/Keychain Circle Notification-Info.plist @@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 LSApplicationCategoryType LSMinimumSystemVersion diff --git a/Keychain/Keychain-Info.plist b/Keychain/Keychain-Info.plist index 0e3211c0..0b234892 100644 --- a/Keychain/Keychain-Info.plist +++ b/Keychain/Keychain-Info.plist @@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 LSMinimumSystemVersion ${MACOSX_DEPLOYMENT_TARGET} NSMainNibFile diff --git a/authd/Info.plist b/authd/Info.plist index 55e3b905..55e7c843 100644 --- a/authd/Info.plist +++ b/authd/Info.plist @@ -19,7 +19,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 NSHumanReadableCopyright Copyright © 2012 Apple. All rights reserved. XPCService diff --git a/lib/Info-Security.plist b/lib/Info-Security.plist index 683ab139..1bd358d9 100644 --- a/lib/Info-Security.plist +++ b/lib/Info-Security.plist @@ -19,6 +19,6 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 
diff --git a/lib/plugins/csparser-Info.plist b/lib/plugins/csparser-Info.plist index 53cef937..21b38856 100644 --- a/lib/plugins/csparser-Info.plist +++ b/lib/plugins/csparser-Info.plist @@ -17,7 +17,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 CFBundleShortVersionString 3.0 diff --git a/lib/security.exp-in b/lib/security.exp-in index 301de44b..585b1198 100644 --- a/lib/security.exp-in +++ b/lib/security.exp-in @@ -328,6 +328,7 @@ _kSecCodeSignerResourceRules _kSecCodeSignerSDKRoot _kSecCodeSignerSigningTime _kSecCodeSignerRequireTimestamp +_kSecCodeSignerTeamIdentifier _kSecCodeSignerTimestampServer _kSecCodeSignerTimestampAuthentication _kSecCodeSignerTimestampOmitCertificates @@ -350,6 +351,7 @@ _kSecCodeInfoRequirements _kSecCodeInfoRequirementData _kSecCodeInfoSource _kSecCodeInfoStatus +_kSecCodeInfoTeamIdentifier _kSecCodeInfoTrust _kSecCodeInfoUnique _kSecCodeInfoCodeDirectory diff --git a/libsecurity_codesigning/lib/CSCommon.h b/libsecurity_codesigning/lib/CSCommon.h index 23cd134a..15f04c70 100644 --- a/libsecurity_codesigning/lib/CSCommon.h +++ b/libsecurity_codesigning/lib/CSCommon.h @@ -231,6 +231,7 @@ enum { kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */ kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */ kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */ + kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */ }; diff --git a/libsecurity_codesigning/lib/CodeSigner.cpp b/libsecurity_codesigning/lib/CodeSigner.cpp index 6d1f07aa..004fb125 100644 --- a/libsecurity_codesigning/lib/CodeSigner.cpp +++ b/libsecurity_codesigning/lib/CodeSigner.cpp @@ -32,6 +32,7 @@ #include #include #include +#include #include namespace Security { 
@@ -89,6 +90,30 @@ void SecCodeSigner::parameters(CFDictionaryRef paramDict) MacOSError::throwMe(errSecCSInvalidObjectRef); } +// +// Retrieve the team ID from the signing certificate if and only if +// it is an apple developer signing cert +// +std::string SecCodeSigner::getTeamIDFromSigner(CFArrayRef certs) +{ + if (mSigner && mSigner != SecIdentityRef(kCFNull)) { + CFRef signerCert; + MacOSError::check(SecIdentityCopyCertificate(mSigner, &signerCert.aref())); + + /* Make sure the certificate looks like an Apple certificate, because we do not + extract the team ID from a non Apple certificate */ + if (SecStaticCode::isAppleDeveloperCert(certs)) { + CFRef teamIDFromCert; + + MacOSError::check(SecCertificateCopySubjectComponent(signerCert.get(), &CSSMOID_OrganizationalUnitName, &teamIDFromCert.aref())); + + if (teamIDFromCert) + return cfString(teamIDFromCert); + } + } + + return ""; +} // // Roughly check for validity. @@ -218,6 +243,9 @@ SecCodeSigner::Parser::Parser(SecCodeSigner &state, CFDictionaryRef parameters) if (CFStringRef ident = get(kSecCodeSignerIdentifier)) state.mIdentifier = cfString(ident); + if (CFStringRef teamid = get(kSecCodeSignerTeamIdentifier)) + state.mTeamID = cfString(teamid); + if (CFStringRef prefix = get(kSecCodeSignerIdentifierPrefix)) state.mIdentifierPrefix = cfString(prefix); diff --git a/libsecurity_codesigning/lib/CodeSigner.h b/libsecurity_codesigning/lib/CodeSigner.h index 9b050c18..18f327ef 100644 --- a/libsecurity_codesigning/lib/CodeSigner.h +++ b/libsecurity_codesigning/lib/CodeSigner.h @@ -55,12 +55,14 @@ public: void parameters(CFDictionaryRef args); // parse and set parameters bool valid() const; + + std::string getTeamIDFromSigner(CFArrayRef certs); void sign(SecStaticCode *code, SecCSFlags flags); void remove(SecStaticCode *code, SecCSFlags flags); void returnDetachedSignature(BlobCore *blob, Signer &signer); - + protected: std::string sdkPath(const std::string &path) const; bool isAdhoc() const; 
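Review bot: getTeamIDFromSigner() runs isAppleDeveloperCert() on the `certs` argument but reads the OrganizationalUnitName from the certificate copied out of `mSigner`, and nothing in the function states or checks that `certs` is the chain for that identity. The header comment should spell out the contract, for example `// certs must be the chain built for mSigner; returns "" when there is no signer, the chain is not an Apple developer chain, or the leaf has no OU`. Because all three cases collapse to the empty string, the caller cannot tell "not an Apple certificate" from "Apple certificate without a team ID". SecIdentityCopyCertificate() could also move inside the isAppleDeveloperCert() branch, since the copy is unused otherwise.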
@@ -84,6 +86,7 @@ private: CodeDirectory::HashAlgorithm mDigestAlgorithm; // interior digest (hash) algorithm std::string mIdentifier; // unique identifier override std::string mIdentifierPrefix; // prefix for un-dotted default identifiers + std::string mTeamID; // teamID bool mNoMachO; // override to perform non-Mach-O signing bool mDryRun; // dry run (do not change target) CFRef mPageSize; // main executable page size diff --git a/libsecurity_codesigning/lib/SecCode.cpp b/libsecurity_codesigning/lib/SecCode.cpp index cd91d813..12e719fa 100644 --- a/libsecurity_codesigning/lib/SecCode.cpp +++ b/libsecurity_codesigning/lib/SecCode.cpp @@ -242,6 +242,7 @@ const CFStringRef kSecCodeInfoRequirements = CFSTR("requirements"); const CFStringRef kSecCodeInfoRequirementData = CFSTR("requirement-data"); const CFStringRef kSecCodeInfoSource = CFSTR("source"); const CFStringRef kSecCodeInfoStatus = CFSTR("status"); +const CFStringRef kSecCodeInfoTeamIdentifier = CFSTR("teamid"); const CFStringRef kSecCodeInfoTime = CFSTR("signing-time"); const CFStringRef kSecCodeInfoTimestamp = CFSTR("signing-timestamp"); const CFStringRef kSecCodeInfoTrust = CFSTR("trust"); diff --git a/libsecurity_codesigning/lib/SecCode.h b/libsecurity_codesigning/lib/SecCode.h index 1afbfebd..ee773ae1 100644 --- a/libsecurity_codesigning/lib/SecCode.h +++ b/libsecurity_codesigning/lib/SecCode.h @@ -413,6 +413,7 @@ extern const CFStringRef kSecCodeInfoRequirements; /* Requirement */ extern const CFStringRef kSecCodeInfoRequirementData; /* Requirement */ extern const CFStringRef kSecCodeInfoSource; /* generic */ extern const CFStringRef kSecCodeInfoStatus; /* Dynamic */ +extern const CFStringRef kSecCodeInfoTeamIdentifier; /* Signing */ extern const CFStringRef kSecCodeInfoTime; /* Signing */ extern const CFStringRef kSecCodeInfoTimestamp; /* Signing */ extern const CFStringRef kSecCodeInfoTrust; /* Signing */ 
diff --git a/libsecurity_codesigning/lib/SecCodeSigner.cpp b/libsecurity_codesigning/lib/SecCodeSigner.cpp index 33e38029..a705ba71 100644 --- a/libsecurity_codesigning/lib/SecCodeSigner.cpp +++ b/libsecurity_codesigning/lib/SecCodeSigner.cpp @@ -57,6 +57,7 @@ const CFStringRef kSecCodeSignerTimestampServer = CFSTR("timestamp-url"); const CFStringRef kSecCodeSignerTimestampAuthentication = CFSTR("timestamp-authentication"); const CFStringRef kSecCodeSignerTimestampOmitCertificates = CFSTR("timestamp-omit-certificates"); const CFStringRef kSecCodeSignerPreserveMetadata = CFSTR("preserve-metadata"); +const CFStringRef kSecCodeSignerTeamIdentifier = CFSTR("teamidentifier"); // temporary add-back to bridge B&I build dependencies -- remove soon const CFStringRef kSecCodeSignerTSAUse = CFSTR("timestamp-required"); diff --git a/libsecurity_codesigning/lib/SecCodeSigner.h b/libsecurity_codesigning/lib/SecCodeSigner.h index b0c22383..d5c15962 100644 --- a/libsecurity_codesigning/lib/SecCodeSigner.h +++ b/libsecurity_codesigning/lib/SecCodeSigner.h @@ -155,6 +155,7 @@ extern const CFStringRef kSecCodeSignerRequireTimestamp; extern const CFStringRef kSecCodeSignerTimestampServer; extern const CFStringRef kSecCodeSignerTimestampOmitCertificates; extern const CFStringRef kSecCodeSignerPreserveMetadata; +extern const CFStringRef kSecCodeSignerTeamIdentifier; enum { kSecCodeSignerPreserveIdentifier = 1 << 0, // preserve signing identifier @@ -162,6 +163,7 @@ enum { kSecCodeSignerPreserveEntitlements = 1 << 2, // preserve entitlements kSecCodeSignerPreserveResourceRules = 1 << 3, // preserve resource rules (and thus resources) kSecCodeSignerPreserveFlags = 1 << 4, // preserve signing flags + kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags }; diff --git a/libsecurity_codesigning/lib/StaticCode.cpp b/libsecurity_codesigning/lib/StaticCode.cpp index a26a1fee..62bfe215 100644 --- a/libsecurity_codesigning/lib/StaticCode.cpp 
+++ b/libsecurity_codesigning/lib/StaticCode.cpp @@ -47,6 +47,7 @@ #include #include #include +#include namespace Security { @@ -54,6 +55,13 @@ namespace CodeSigning { using namespace UnixPlusPlus; +// A requirement representing a Mac or iOS dev cert, a Mac or iOS distribution cert, or a developer ID +static const char WWDRRequirement[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists " + "and ( cert leaf[subject.CN] = \"Mac Developer: \"* or cert leaf[subject.CN] = \"iPhone Developer: \"* )"; +static const char developerID[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists" + " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"; +static const char distributionCertificate[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.7] exists"; +static const char iPhoneDistributionCert[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.4] exists"; // // Map a component slot number to a suitable error code for a failure 
@@ -478,6 +486,30 @@ bool SecStaticCode::verifySignature() SecTrustResultType trustResult; MacOSError::check(SecTrustEvaluate(mTrust, &trustResult)); MacOSError::check(SecTrustGetResult(mTrust, &trustResult, &mCertChain.aref(), &mEvalDetails)); + + // if this is an Apple developer cert.... + if (teamID() && SecStaticCode::isAppleDeveloperCert(mCertChain)) { + CFRef teamIDFromCert; + if (CFArrayGetCount(mCertChain) > 0) { + /* Note that SecCertificateCopySubjectComponent sets the out paramater to NULL if there is no field present */ + MacOSError::check(SecCertificateCopySubjectComponent((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, Requirement::leafCert), + &CSSMOID_OrganizationalUnitName, + &teamIDFromCert.aref())); + + if (teamIDFromCert) { + CFRef teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8); + if (!teamIDFromCD) { + MacOSError::throwMe(errSecCSInternalError); + } + + if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) { + Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID()); + MacOSError::throwMe(errSecCSSignatureInvalid); + } + } + } + } + CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? (int)CFArrayGetCount(mCertChain) : 0); switch (trustResult) { case kSecTrustResultProceed: @@ -1162,6 +1194,8 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags) if (CFAbsoluteTime time = this->signingTimestamp()) if (CFRef date = CFDateCreate(NULL, time)) CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date); + if (const char *teamID = this->teamID()) + CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID)); } catch (...) { } // 
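Review bot: The team-ID comparison added to verifySignature() fails open in two cases. When the leaf has no OrganizationalUnitName (`teamIDFromCert` stays NULL) the code-directory team ID is accepted without comparison, and when the chain does not satisfy isAppleDeveloperCert() the whole block is skipped. The second hunk on this line still publishes `teamID()` under kSecCodeInfoTeamIdentifier, so a caller cannot tell a certificate-backed team ID from a self-asserted one. If rejecting is acceptable for Apple-issued chains, add `else MacOSError::throwMe(errSecCSSignatureInvalid);` to `if (teamIDFromCert)`. Otherwise document on kSecCodeInfoTeamIdentifier that the value is only meaningful together with an anchor requirement. verifySignature() continues outside the hunk.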
@@ -1343,6 +1377,11 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other if (ctx.offset != activeOffset) { // inactive architecture; check it SecPointer subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx)); subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature + if (this->teamID() == NULL || subcode->teamID() == NULL) { + if (this->teamID() != subcode->teamID()) + MacOSError::throwMe(errSecCSSignatureInvalid); + } else if (strcmp(this->teamID(), subcode->teamID()) != 0) + MacOSError::throwMe(errSecCSSignatureInvalid); handle(subcode); } } @@ -1350,6 +1389,19 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other } } +// +// A method that takes a certificate chain (certs) and evaluates +// if it is a Mac or IPhone developer cert, an app store distribution cert, +// or a developer ID +// +bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs) +{ + static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")"; + SecRequirement *req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true); + Requirement::Context ctx(certs, NULL, NULL, "", NULL); + + return req->requirement()->validates(ctx); +} } // end namespace CodeSigning } // end namespace Security diff --git a/libsecurity_codesigning/lib/StaticCode.h b/libsecurity_codesigning/lib/StaticCode.h index 66b05ed0..b7c5b72a 100644 --- a/libsecurity_codesigning/lib/StaticCode.h +++ b/libsecurity_codesigning/lib/StaticCode.h 
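Review bot: isAppleDeveloperCert() allocates a SecRequirement with a raw `new` on every call and never releases it, so each signature verification and each signing operation that reaches it appears to leak one object. The requirement text is also re-parsed every time, although the string is already a function-local static. Assuming SecRequirement is reference-counted like the SecStaticCode held in a SecPointer in the hunk above, hold it the same way: `SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);`. A short comment naming what each of the four OIDs in the requirement strings stands for would help the next reader audit the policy.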
@@ -119,6 +119,7 @@ public: std::string mainExecutablePath() { return mRep->mainExecutablePath(); } CFURLRef canonicalPath() const { return mRep->canonicalPath(); } std::string identifier() { return codeDirectory()->identifier(); } + const char *teamID() { return codeDirectory()->teamID(); } std::string format() const { return mRep->format(); } std::string signatureSource(); virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); @@ -169,10 +170,12 @@ public: CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary) + static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation + public: void staticValidate(SecCSFlags flags, const SecRequirement *req); void staticValidateCore(SecCSFlags flags, const SecRequirement *req); - + protected: CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary bool verifySignature(); diff --git a/libsecurity_codesigning/lib/cdbuilder.cpp b/libsecurity_codesigning/lib/cdbuilder.cpp index e1917792..279998f8 100644 --- a/libsecurity_codesigning/lib/cdbuilder.cpp +++ b/libsecurity_codesigning/lib/cdbuilder.cpp 
@@ -108,11 +108,24 @@ CodeDirectory::Scatter *CodeDirectory::Builder::scatter(unsigned count) return mScatter; } +// This calculates the fixed size of the code directory +// Because of , if the team ID +// field is not used, we leave out the team ID offset +// as well, to keep cd hashes consistent between +// versions. +const size_t CodeDirectory::Builder::fixedSize(const uint32_t version) +{ + size_t cdSize = sizeof(CodeDirectory); + if (version < supportsTeamID) + cdSize -= sizeof(mDir->teamIDOffset); + + return cdSize; +} // // Calculate the size we'll need for the CodeDirectory as described so far // -size_t CodeDirectory::Builder::size() +size_t CodeDirectory::Builder::size(const uint32_t version) { assert(mExec); // must have called executable() if (mExecLength == 0) @@ -125,10 +138,14 @@ size_t CodeDirectory::Builder::size() mCodeSlots = (mExecLength + mPageSize - 1) / mPageSize; // round up } - size_t offset = sizeof(CodeDirectory); + size_t offset = fixedSize(version); + offset += mScatterSize; // scatter vector offset += mIdentifier.size() + 1; // size of identifier (with null byte) + if (mTeamID.size()) + offset += mTeamID.size() + 1; // size of teamID (with null byte) offset += (mCodeSlots + mSpecialSlots) * mDigestLength; // hash vector + return offset; } 
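Review bot: fixedSize() derives the pre-2.2 header size as `sizeof(CodeDirectory) - sizeof(mDir->teamIDOffset)`, which is only correct while teamIDOffset is the last fixed field and the struct has no trailing padding. Neither assumption is written down. A comment such as `// assumes teamIDOffset is the last fixed field of CodeDirectory; revisit when another fixed field is added` would keep a later field addition from silently changing every 2.1 directory's layout and hash. The top-level `const` on the `size_t` return type has no effect and can be dropped here and in the cdbuilder.h declaration.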
@@ -149,16 +166,26 @@ size_t CodeDirectory::Builder::size() CodeDirectory *CodeDirectory::Builder::build() { assert(mExec); // must have (successfully) called executable() - + uint32_t version; + // size and allocate size_t identLength = mIdentifier.size() + 1; - size_t total = size(); + size_t teamIDLength = mTeamID.size() + 1; + + // Determine the version + if (mTeamID.size()) { + version = currentVersion; + } else { + version = supportsScatter; + } + + size_t total = size(version); if (!(mDir = (CodeDirectory *)calloc(1, total))) // initialize to zero UnixError::throwMe(ENOMEM); // fill header mDir->initialize(total); - mDir->version = currentVersion; + mDir->version = version; mDir->flags = mFlags; mDir->nSpecialSlots = (uint32_t)mSpecialSlots; mDir->nCodeSlots = (uint32_t)mCodeSlots; @@ -175,8 +202,8 @@ CodeDirectory *CodeDirectory::Builder::build() mDir->pageSize = 0; // means infinite page size // locate and fill flex fields - size_t offset = sizeof(CodeDirectory); - + size_t offset = fixedSize(mDir->version); + if (mScatter) { mDir->scatterOffset = (uint32_t)offset; memcpy(mDir->scatterVector(), mScatter, mScatterSize); @@ -186,7 +213,12 @@ CodeDirectory *CodeDirectory::Builder::build() mDir->identOffset = (uint32_t)offset; memcpy(mDir->identifier(), mIdentifier.c_str(), identLength); offset += identLength; - + + if (mTeamID.size()) { + mDir->teamIDOffset = (uint32_t)offset; + memcpy(mDir->teamID(), mTeamID.c_str(), teamIDLength); + offset += teamIDLength; + } // (add new flexibly-allocated fields here) mDir->hashOffset = (uint32_t)(offset + mSpecialSlots * mDigestLength); diff --git a/libsecurity_codesigning/lib/cdbuilder.h b/libsecurity_codesigning/lib/cdbuilder.h index fd5e54b0..5e697896 100644 --- a/libsecurity_codesigning/lib/cdbuilder.h +++ b/libsecurity_codesigning/lib/cdbuilder.h 
@@ -51,13 +51,15 @@ public: void specialSlot(SpecialSlot slot, CFDataRef data); void identifier(const std::string &code) { mIdentifier = code; } + void teamID(const std::string &team) { mTeamID = team; } void flags(uint32_t f) { mFlags = f; } Scatter *scatter(unsigned count); // allocate that many scatter elements (w/o sentinel) Scatter *scatter() { return mScatter; } // return already allocated scatter vector - size_t size(); // calculate size + size_t size(const uint32_t version); // calculate size CodeDirectory *build(); // build CodeDirectory and return it + const size_t fixedSize(const uint32_t version); // calculate fixed size of the CodeDirectory DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); } @@ -77,6 +79,7 @@ private: uint32_t mHashType; // digest algorithm code uint32_t mDigestLength; // number of bytes in a single glue digest std::string mIdentifier; // canonical identifier + std::string mTeamID; // team identifier size_t mSpecialSlots; // highest special slot set size_t mCodeSlots; // number of code pages (slots) diff --git a/libsecurity_codesigning/lib/codedirectory.cpp b/libsecurity_codesigning/lib/codedirectory.cpp index 06f67a32..706a7b0f 100644 --- a/libsecurity_codesigning/lib/codedirectory.cpp +++ b/libsecurity_codesigning/lib/codedirectory.cpp @@ -143,6 +143,8 @@ void CodeDirectory::checkIntegrity() const // now check interior offsets for validity if (!stringAt(identOffset)) MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range + if (version >= supportsTeamID && teamIDOffset != 0 && !stringAt(teamIDOffset)) + MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots))) MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range if (const Scatter *scatter = this->scatterVector()) { 
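Review bot: The trailing comment on the new teamIDOffset check in checkIntegrity() was copied from the identOffset check above it and still reads `// identifier out of blob range`. It should read `// team identifier out of blob range`, so a failure here is not mistaken for a bad signing identifier. It is also worth noting in that comment that a zero teamIDOffset is accepted as "no team ID", matching the accessor's treatment. checkIntegrity() begins and ends outside the hunk.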
@@ -292,5 +294,6 @@ const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = { { "expires", kSecCodeSignatureForceExpiration, true }, { "restrict", kSecCodeSignatureRestrict, true }, { "enforcement", kSecCodeSignatureEnforcement, true }, + { "library-validation", kSecCodeSignatureLibraryValidation, true }, { NULL } }; diff --git a/libsecurity_codesigning/lib/codedirectory.h b/libsecurity_codesigning/lib/codedirectory.h index 08c81c68..4b64c146 100644 --- a/libsecurity_codesigning/lib/codedirectory.h +++ b/libsecurity_codesigning/lib/codedirectory.h @@ -180,13 +180,15 @@ public: uint8_t pageSize; // log2(page size in bytes); 0 => infinite Endian spare2; // unused (must be zero) Endian scatterOffset; // offset of optional scatter vector (zero if absent) + Endian teamIDOffset; // offset of optional teamID string // works with the version field; see comments above - static const uint32_t currentVersion = 0x20100; // "version 2.1" + static const uint32_t currentVersion = 0x20200; // "version 2.2" static const uint32_t compatibilityLimit = 0x2F000; // "version 3 with wiggle room" static const uint32_t earliestVersion = 0x20001; // earliest supported version static const uint32_t supportsScatter = 0x20100; // first version to support scatter option + static const uint32_t supportsTeamID = 0x20200; // first version to support team ID option void checkIntegrity() const; // throws if inconsistent or unsupported version @@ -196,7 +198,7 @@ public: const char *identifier() const { return at(identOffset); } char *identifier() { return at(identOffset); } - + // main hash array access SpecialSlot maxSpecialSlot() const; 
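Review bot: Adding `teamIDOffset` to the fixed part of CodeDirectory grows `sizeof(CodeDirectory)` by one 32-bit field for every version, including 2.0 and 2.1 blobs that do not contain it. The builder now goes through fixedSize(version), but any other code that uses `sizeof(CodeDirectory)` as a minimum blob length or as the start of the flexible area (none is visible in this diff) would be four bytes off for older directories, so a search for remaining uses is warranted. The field comment should carry the constraint, for example `// offset of optional teamID string (zero if absent; field exists only when version >= supportsTeamID)`.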
@@ -230,7 +232,10 @@ public: { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } const Scatter *scatterVector() const { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } - + + const char *teamID() const { return version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL; } + char *teamID() { return version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL; } + public: bool validateSlot(const void *data, size_t size, Slot slot) const; // validate memory buffer against page slot bool validateSlot(UnixPlusPlus::FileDesc fd, size_t size, Slot slot) const; // read and validate file diff --git a/libsecurity_codesigning/lib/signer.cpp b/libsecurity_codesigning/lib/signer.cpp index 968accf1..9b676c33 100644 --- a/libsecurity_codesigning/lib/signer.cpp +++ b/libsecurity_codesigning/lib/signer.cpp 
@@ -53,8 +53,33 @@ void SecCodeSigner::Signer::sign(SecCSFlags flags) { rep = code->diskRep()->base(); this->prepare(flags); - + PreSigningContext context(*this); + + /* If an explicit teamID was passed in it must be + the same as what came from the cert */ + std::string teamIDFromCert = state.getTeamIDFromSigner(context.certs); + + if (state.mPreserveMetadata & kSecCodeSignerPreserveTeamIdentifier) { + /* If preserving the team identifier, teamID is set previously when the + code object is still available */ + if (!teamIDFromCert.empty() && teamID != teamIDFromCert) + MacOSError::throwMe(errSecCSInvalidFlags); + } else { + if (teamIDFromCert.empty()) { + /* state.mTeamID is an explicitly passed teamID */ + teamID = state.mTeamID; + } else if (state.mTeamID.empty() || (state.mTeamID == teamIDFromCert)) { + /* If there was no explicit team ID set, or the explicit team ID matches + what is in the cert, use the team ID from the certificate */ + teamID = teamIDFromCert; + } else { + /* The caller passed in an explicit team ID that does not match what is + in the signing cert, which is an invalid usage */ + MacOSError::throwMe(errSecCSInvalidFlags); + } + } + if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) { signMachO(fat, context); } else { @@ -113,6 +138,13 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) } else secdebug("signer", "using explicit identifier=%s", identifier.c_str()); + teamID = state.mTeamID; + if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) { + const char *c_id = code->teamID(); + if (c_id) + teamID = c_id; + } + entitlements = state.mEntitlementData; if (!entitlements && (inherit & kSecCodeSignerPreserveEntitlements)) entitlements = code->component(cdEntitlementSlot); 
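Review bot: Both team-ID mismatch paths in sign() throw errSecCSInvalidFlags with no diagnostic, so a caller gets a generic flags error and no hint that the explicit or preserved team ID disagrees with the certificate. A line such as `secdebug("signer", "team ID %s does not match certificate team ID %s", teamID.c_str(), teamIDFromCert.c_str());` before each throw would match the secdebug use in prepare(). The preserve branch tests `state.mPreserveMetadata` while prepare() tests `inherit`, which is defined outside the hunk. If the two can differ, `teamID` may be empty here and signing with an Apple developer certificate would be rejected rather than taking the certificate's team ID. When the certificate yields no team ID, an explicit or inherited value is embedded unchecked, which deserves a comment.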
@@ -374,7 +406,7 @@ void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context } // prepare SuperBlob size estimate - size_t cdSize = arch.cdbuilder.size(); + size_t cdSize = arch.cdbuilder.size(CodeDirectory::currentVersion); arch.blobSize = arch.size(cdSize, state.mCMSSize, 0); } @@ -460,7 +492,8 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W builder.executable(rep->mainExecutablePath(), pagesize, offset, length); builder.flags(cdFlags); builder.identifier(identifier); - + builder.teamID(teamID); + if (CFRef data = rep->component(cdInfoSlot)) builder.specialSlot(cdInfoSlot, data); if (ireqs) { diff --git a/libsecurity_codesigning/lib/signer.h b/libsecurity_codesigning/lib/signer.h index dbbd1b44..495cc00c 100644 --- a/libsecurity_codesigning/lib/signer.h +++ b/libsecurity_codesigning/lib/signer.h @@ -83,6 +83,7 @@ private: CFRef resourceDirectory; // resource directory CFRef resourceDictData; // XML form of resourceDirectory std::string identifier; // signing identifier + std::string teamID; // team identifier CFRef entitlements; // entitlements uint32_t cdFlags; // CodeDirectory flags const Requirements *requirements; // internal requirements ready-to-use diff --git a/libsecurity_keychain/lib/Certificate.cpp b/libsecurity_keychain/lib/Certificate.cpp index 95fdeb10..0dbc174b 100644 --- a/libsecurity_keychain/lib/Certificate.cpp +++ b/libsecurity_keychain/lib/Certificate.cpp @@ -894,6 +894,8 @@ Certificate::copyDNSNames() /* Encoding is kCFStringEncodingUTF8 since the string is either PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! */ + if (!string) continue; CFArrayAppendValue(array, string); CFRelease(string); } 
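Review bot: The size estimate in signMachO() always calls `arch.cdbuilder.size(CodeDirectory::currentVersion)`, while build() falls back to `supportsScatter` when no team ID is set. The estimate is therefore larger than the built directory by the size of the teamIDOffset field in that case. That looks intentional and harmless for a space reservation, but the intent is not stated; a comment such as `// estimate with the largest header; build() may pick an older, smaller version` would stop someone from "fixing" it into an under-estimate.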
@@ -932,6 +934,8 @@ Certificate::copyEmailAddresses() /* Encoding is kCFStringEncodingUTF8 since the string is either PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! */ + if (!string) continue; CFArrayAppendValue(array, string); CFRelease(string); } diff --git a/libsecurity_ssl/lib/SecureTransport.h b/libsecurity_ssl/lib/SecureTransport.h index 856d7f14..e0a5cf48 100644 --- a/libsecurity_ssl/lib/SecureTransport.h +++ b/libsecurity_ssl/lib/SecureTransport.h @@ -130,6 +130,11 @@ typedef enum { * using a block cipher. */ kSSLSessionOptionSendOneByteRecord, + /* + * Allow/Disallow server identity change on renegotiation. Disallow by default + * to avoid Triple Handshake attack. + */ + kSSLSessionOptionAllowServerIdentityChange, } SSLSessionOption; diff --git a/libsecurity_ssl/lib/sslCert.c b/libsecurity_ssl/lib/sslCert.c index 081e8726..4aee2efb 100644 --- a/libsecurity_ssl/lib/sslCert.c +++ b/libsecurity_ssl/lib/sslCert.c @@ -143,12 +143,8 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) size_t listLen, certLen; UInt8 *p; OSStatus err; -#ifdef USE_SSLCERTIFICATE - SSLCertificate *cert; -#else CFMutableArrayRef certChain = NULL; SecCertificateRef cert; -#endif p = message.data; listLen = SSLDecodeInt(p,3); 
@@ -159,38 +155,23 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) } while (listLen > 0) - { certLen = SSLDecodeInt(p,3); + { + if (listLen < 3) { + sslErrorLog("SSLProcessCertificate: length decode error 2\n"); + return errSSLProtocol; + } + certLen = SSLDecodeInt(p,3); p += 3; if (listLen < certLen + 3) { - sslErrorLog("SSLProcessCertificate: length decode error 2\n"); + sslErrorLog("SSLProcessCertificate: length decode error 3\n"); return errSSLProtocol; } -#ifdef USE_SSLCERTIFICATE - cert = (SSLCertificate *)sslMalloc(sizeof(SSLCertificate)); - if(cert == NULL) { - return errSecAllocate; - } - if ((err = SSLAllocBuffer(&cert->derCert, certLen) - { sslFree(cert); - return err; - } - memcpy(cert->derCert.data, p, certLen); - p += certLen; - cert->next = ctx->peerCert; /* Insert backwards; root cert - * will be first in linked list */ - ctx->peerCert = cert; -#else if (!certChain) { certChain = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); if (certChain == NULL) { return errSecAllocate; } - if (ctx->peerCert) { - sslDebugLog("SSLProcessCertificate: releasing existing cert chain\n"); - CFRelease(ctx->peerCert); - } - ctx->peerCert = certChain; } cert = SecCertificateCreateWithBytes(NULL, p, certLen); #if SSL_DEBUG && !TARGET_OS_IPHONE 
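Review bot: The early returns inside the certificate loop now leak `certChain` when a malformed entry follows at least one well-formed certificate. Before this change the array was stored in `ctx->peerCert` as soon as it was created, so the context owned it; with that assignment removed, nothing releases it on the `listLen < 3` and `listLen < certLen + 3` paths. Any failure return in the part of the loop between this hunk and the next has the same problem. Since the message comes from the peer, this is a remotely triggerable leak. Add `if (certChain) CFRelease(certChain);` before each `return` in the loop, or route them through a single cleanup label.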
@@ -212,11 +193,28 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) /* Insert forwards; root cert will be last in linked list */ CFArrayAppendValue(certChain, cert); CFRelease(cert); -#endif listLen -= 3+certLen; } assert(p == message.data + message.length && listLen == 0); + if (ctx->protocolSide == kSSLClientSide && ctx->peerCert && !ctx->allowServerIdentityChange) { + // Do not accept a different server cert during renegotiation unless allowed. + if((certChain!=NULL) && !CFEqual(ctx->peerCert, certChain)) + { + CFRelease(certChain); + sslErrorLog("Illegal server identity change during renegotiation\n"); + return errSSLProtocol; + } + } + + // Replace old cert with new cert. + if (ctx->peerCert) { + sslDebugLog("SSLProcessCertificate: releasing existing cert chain\n"); + CFRelease(ctx->peerCert); + } + + ctx->peerCert = certChain; + if (!ctx->peerCert) { /* this *might* be OK... */ if((ctx->protocolSide == kSSLServerSide) && @@ -241,6 +239,8 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) } } + + if((err = sslVerifyCertChain(ctx, ctx->peerCert, true)) != 0) { AlertDescription desc; switch(err) { diff --git a/libsecurity_ssl/lib/sslContext.c b/libsecurity_ssl/lib/sslContext.c index c041afaa..cc74aa16 100644 --- a/libsecurity_ssl/lib/sslContext.c +++ b/libsecurity_ssl/lib/sslContext.c @@ -115,6 +115,7 @@ Boolean sslIsSessionActive(const SSLContext *ctx) static CFTypeID kSSLContextTypeID; int kSplitDefaultValue; +bool kAllowServerIdentityChangeDefaultValue; static void _sslContextDestroy(CFTypeRef arg); static Boolean _sslContextEqual(CFTypeRef a, CFTypeRef b); 
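Review bot: The renegotiation check only compares when `certChain != NULL`, so a Certificate message with an empty list skips the identity comparison and falls through to the replacement code, which releases the existing `ctx->peerCert` and stores NULL. Whether the client then rejects the handshake depends on the `if (!ctx->peerCert)` block that is only partly visible here. Treating a missing chain as a change makes the guard self-contained: `if (certChain == NULL || !CFEqual(ctx->peerCert, certChain))` with `if (certChain) CFRelease(certChain);` inside. The `assert` above the check is compiled out in release builds, so it should not be relied on for `listLen == 0`.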
@@ -126,11 +127,12 @@ static void _SSLContextReadDefault() /* 0 = disabled, 1 = split every write, 2 = split second and subsequent writes */ /* Enabled by default, this make cause some interop issues, see and */ const int defaultSplitDefaultValue = 2; - + //To change: + //sudo defaults write /Library/Preferences/com.apple.security SSLWriteSplit -int 0 CFTypeRef value = (CFTypeRef)CFPreferencesCopyValue(CFSTR("SSLWriteSplit"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, - kCFPreferencesAnyHost); + kCFPreferencesCurrentHost); if (value) { if (CFGetTypeID(value) == CFBooleanGetTypeID()) kSplitDefaultValue = CFBooleanGetValue((CFBooleanRef)value) ? 1 : 0; @@ -146,6 +148,33 @@ static void _SSLContextReadDefault() else { kSplitDefaultValue = defaultSplitDefaultValue; } + + + /* 0 = disallowed, 1 = allowed */ + /* Disallowed by default */ + const bool defaultValue = false; + //To change: + //sudo defaults write /Library/Preferences/com.apple.security SSLAllowServerIdentityChange -bool YES + value = (CFTypeRef)CFPreferencesCopyValue(CFSTR("SSLAllowServerIdentityChange"), + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, + kCFPreferencesCurrentHost); + if (value) { + if (CFGetTypeID(value) == CFBooleanGetTypeID()) + kAllowServerIdentityChangeDefaultValue = CFBooleanGetValue((CFBooleanRef)value); + else if (CFGetTypeID(value) == CFNumberGetTypeID()) { + int localValue; + if (!CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &localValue)) { + kAllowServerIdentityChangeDefaultValue = defaultValue; + } else { + kAllowServerIdentityChangeDefaultValue = localValue; + } + } + CFRelease(value); + } + else { + kAllowServerIdentityChangeDefaultValue = defaultValue; + } } static void _SSLContextRegisterClass() 
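Review bot: In the SSLAllowServerIdentityChange block, a preference value that is neither a CFBoolean nor a CFNumber leaves `kAllowServerIdentityChangeDefaultValue` unassigned, so the safe default holds only because the global is zero-initialized. Make that explicit with a final `else kAllowServerIdentityChangeDefaultValue = defaultValue;` inside `if (value)`. The CFNumber branch assigns an `int` to a `bool`, so any non-zero number enables the option; `kAllowServerIdentityChangeDefaultValue = (localValue != 0);` states that intent. The comment should also say that this machine-wide key turns off the renegotiation identity check for every client context that does not set kSSLSessionOptionAllowServerIdentityChange itself.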
@@ -274,6 +303,9 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS /* Default for sending one-byte app data record is DISABLED */ ctx->oneByteRecordEnable = false; + /* Default for allowing server identity change on renegotiation is FALSE */ + ctx->allowServerIdentityChange = false; + /* Consult global system preference for default behavior: * 0 = disabled, 1 = split every write, 2 = split second and subsequent writes * (caller can override by setting kSSLSessionOptionSendOneByteRecord) @@ -282,6 +314,8 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS pthread_once(&sReadDefault, _SSLContextReadDefault); if (kSplitDefaultValue > 0) ctx->oneByteRecordEnable = true; + if (kAllowServerIdentityChangeDefaultValue>0) + ctx->allowServerIdentityChange = true; /* default for anonymous ciphers is DISABLED */ ctx->anonCipherEnable = false; @@ -574,6 +608,9 @@ SSLSetSessionOption (SSLContextRef context, case kSSLSessionOptionFalseStart: context->falseStartEnabled = value; break; + case kSSLSessionOptionAllowServerIdentityChange: + context->allowServerIdentityChange = value; + break; default: return errSecParam; } diff --git a/libsecurity_ssl/lib/sslContext.h b/libsecurity_ssl/lib/sslContext.h index eee676cc..a3e13cd9 100644 --- a/libsecurity_ssl/lib/sslContext.h +++ b/libsecurity_ssl/lib/sslContext.h @@ -351,6 +351,8 @@ struct SSLContext Boolean rsaBlindingEnable; Boolean oneByteRecordEnable; /* enable 1/n-1 data splitting for TLSv1 and SSLv3 */ Boolean wroteAppData; /* at least one write completed with current writeCipher */ + Boolean allowServerIdentityChange; /* allow server identity change on renegotiation + disallowed by default to avoid triple handshake attack */ /* optional session cache timeout (in seconds) override - 0 means default */ uint32_t sessionCacheTimeout; diff --git a/libsecurity_ssl/regressions/ssl-43-ciphers.c b/libsecurity_ssl/regressions/ssl-43-ciphers.c index 933a77d9..92afa7e4 100644 
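Review bot: The new `kSSLSessionOptionAllowServerIdentityChange` case in `SSLSetSessionOption` has no comment, although setting it removes a protection that the `sslContext.h` hunk says exists to avoid the triple handshake attack. A short comment at the case would tell callers what they are giving up, for example `/* Caller opts out of the renegotiation identity check; see allowServerIdentityChange in sslContext.h */`. The hunk does not show whether the option may be changed once a handshake has started, so the comment should also state the intended timing once that is confirmed. `SSLSetSessionOption` begins and ends outside the hunk.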
--- a/libsecurity_ssl/regressions/ssl-43-ciphers.c +++ b/libsecurity_ssl/regressions/ssl-43-ciphers.c @@ -85,7 +85,7 @@ static struct { { OPENSSL_SERVER, 4000, 0, false}, //openssl s_server w/o client side auth { GNUTLS_SERVER, 5000, 1, false}, // gnutls-serv w/o client side auth { "www.mikestoolbox.org", 442, 2, false}, // mike's w/o client side auth -// { "tls.secg.org", 40022, 3, false}, // secg ecc server w/o client side auth +// { "tls.secg.org", 40022, 3, false}, // secg ecc server w/o client side auth - This server generate DH params we dont support. { OPENSSL_SERVER, 4010, 0, true}, //openssl s_server w/ client side auth { GNUTLS_SERVER, 5010, 1, true}, // gnutls-serv w/ client side auth diff --git a/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot b/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot index 70d43f1c..efa31374 100755 --- a/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot +++ b/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot @@ -11,7 +11,7 @@ config=${2-Release} roots=/var/tmp project=Security -~rc/bin/buildit . --rootsDirectory=/var/tmp -noverify -release iOS -project $project -archive -dsymsInDstroot \ +~rc/bin/buildit . --rootsDirectory=/var/tmp -noverify -project $project -archive -dsymsInDstroot \ -target $target \ -configuration $config || { echo 'build failed' ; exit 1; } diff --git a/sec/SOSCircle/SecureObjectSync/SOSCoder.c b/sec/SOSCircle/SecureObjectSync/SOSCoder.c index 7a9eb8ff..581d1f2f 100644 --- a/sec/SOSCircle/SecureObjectSync/SOSCoder.c +++ b/sec/SOSCircle/SecureObjectSync/SOSCoder.c @@ -164,7 +164,7 @@ SOSCoderRef SOSCoderCreateFromData(CFDataRef exportedData, CFErrorRef *error) { require(ccder_decode_tag(&tag, der, der_end),fail); switch (tag) { - case CCDER_OCTET_STRING: + case CCDER_OCTET_STRING: { der = der_decode_data(kCFAllocatorDefault, 0, &otr_data, error, der, der_end); p->waitingForDataPacket = false; 
diff --git a/sec/Security/Regressions/secitem/si-33-keychain-backup.c b/sec/Security/Regressions/secitem/si-33-keychain-backup.c index dddb3d10..0456964a 100644 --- a/sec/Security/Regressions/secitem/si-33-keychain-backup.c +++ b/sec/Security/Regressions/secitem/si-33-keychain-backup.c @@ -409,6 +409,7 @@ static void tests(void) "Found the item we added after restore"); CFReleaseNull(backup); + // force tombstone to be added, since it's not the default behavior in Innsbruck per rdar://14680869 CFDictionaryAddValue(query, kSecUseTombstones, kCFBooleanTrue); ok_status(SecItemDelete(query), "Deleted item we added"); diff --git a/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata b/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata new file mode 100644 index 00000000..2310a48b --- /dev/null +++ b/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata @@ -0,0 +1,7 @@ + + + + + diff --git a/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout b/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout new file mode 100644 index 00000000..3e2b35f5 --- /dev/null +++ b/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout 
@@ -0,0 +1,41 @@ + + + + + IDESourceControlProjectFavoriteDictionaryKey + + IDESourceControlProjectIdentifier + 55BE31B1-4B75-46C3-99C0-AC509F5CE8EA + IDESourceControlProjectName + sec + IDESourceControlProjectOriginsDictionary + + B1756FC7-4092-4712-B882-FDA75264D61A + git.apple.com:/git/projects/secmodules/sec + + IDESourceControlProjectPath + sec.xcodeproj/project.xcworkspace + IDESourceControlProjectRelativeInstallPathDictionary + + B1756FC7-4092-4712-B882-FDA75264D61A + ../.. + + IDESourceControlProjectURL + git.apple.com:/git/projects/secmodules/sec + IDESourceControlProjectVersion + 110 + IDESourceControlProjectWCCIdentifier + B1756FC7-4092-4712-B882-FDA75264D61A + IDESourceControlProjectWCConfigurations + + + IDESourceControlRepositoryExtensionIdentifierKey + public.vcs.git + IDESourceControlWCCIdentifierKey + B1756FC7-4092-4712-B882-FDA75264D61A + IDESourceControlWCCName + sec + + + + diff --git a/sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate b/sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate new file mode 100644 index 00000000..9860dcc4 Binary files /dev/null and b/sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate differ diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme new file mode 100644 index 00000000..6926d6a6 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme new file mode 100644 index 00000000..bac26879 --- /dev/null 
+++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme new file mode 100644 index 00000000..5880dcd5 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme new file mode 100644 index 00000000..2144bfeb --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme new file mode 100644 index 00000000..9e81d34a --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme new file mode 100644 index 00000000..f75e31b7 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme new file mode 100644 index 00000000..95daee4d 
--- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme new file mode 100644 index 00000000..91e9ff49 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme new file mode 100644 index 00000000..93eabc64 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme new file mode 100644 index 00000000..e5b07f27 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme new file mode 100644 index 00000000..32f54126 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme new file mode 100644 index 00000000..27a28f0a --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme new file mode 100644 index 00000000..c2be7edd --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme new file mode 100644 index 00000000..a1652457 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme new file mode 100644 index 00000000..434f12ef --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme new file mode 100644 index 00000000..904ed592 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist new file mode 100644 index 00000000..f24515bb --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist @@ -0,0 +1,172 @@ + + + + + SchemeUserState + + libCPSRegresssions.xcscheme + + orderHint + 15 + + libCloudKeychainProxy.xcscheme + + orderHint + 9 + + libCloudProtection.xcscheme + + orderHint + 14 + + libSOSCommands.xcscheme + + orderHint + 12 + + libSOSRegressions.xcscheme + + orderHint + 5 + + libSecItemShimOSX.xcscheme + + orderHint + 2 + + libSecOtrOSX.xcscheme + + orderHint + 8 + + libSecureObjectSync.xcscheme + + orderHint + 4 + + libSecurityCommands.xcscheme + + orderHint + 11 + + libSecurityRegressions.xcscheme + + orderHint + 6 + + libSecurityTool.xcscheme + + orderHint + 10 + + libsecdRegressions.xcscheme + + orderHint + 13 + + libsecipc_client.xcscheme + + orderHint + 3 + + libsecurity.xcscheme + + orderHint + 0 + + libsecurityd.xcscheme + + orderHint + 1 + + libsecuritydRegressions.xcscheme + + orderHint + 7 + + + SuppressBuildableAutocreation + + 0C0BDB55175687EC00BC1A7E + + primary + + + 18270F5414CF651900B05E7F + + primary + + + 186CDD0E14CA116C00AF9171 + + primary + + + 18D4043414CE0CF300A2BE4E + + primary + + + 18D4056114CE53C200A2BE4E + + primary + + + 4A5CCA4E15ACEFA500702357 + + primary + + + 4A824AFB158FF07000F932C0 + + primary + + + 4CC92AC215A3BC6B00C6D578 + + primary + + + 5284029F164445760035F320 + + primary + + + E702E73514E1F3EA00CDE635 + + primary + + + E702E75714E1F48800CDE635 + + primary + + + E71049F1169E023B00DB0045 + + primary + + + E7104A12169E216E00DB0045 + + primary + + + E7CBDB711890BD810010B75B + + primary + + + E7CBDB911890BF350010B75B + + primary + + + E7FEFB82169E363300E18152 + + primary + + + + + 
diff --git a/sec/securityd/Regressions/secd-55-account-circle.c b/sec/securityd/Regressions/secd-55-account-circle.c index af4bec9f..fc4f8348 100644 --- a/sec/securityd/Regressions/secd-55-account-circle.c +++ b/sec/securityd/Regressions/secd-55-account-circle.c @@ -213,6 +213,8 @@ static void tests(void) // Both in circle. + // Emulation of Innsbruck11A368 +Roots: Device A was removed when Device B joined. + // We want Alice to leave circle while an Applicant on a full concordance signed circle with old-Alice as an Alum and Bob a peer. // ZZZ ok(SOSAccountLeaveCircles(alice_account, &error), "Alice leaves once more (%@)", error); diff --git a/sec/securityd/SecItemServer.c b/sec/securityd/SecItemServer.c index 729a7431..29485ea8 100644 --- a/sec/securityd/SecItemServer.c +++ b/sec/securityd/SecItemServer.c 
@@ -611,12 +611,12 @@ struct sql_stages { the script in the main table. {pre,main,post, reencode} */ static struct sql_stages s3dl_upgrade_script[] = { - { -1, 0, 1, false },/* 0->current: Create version 6 database. */ - {}, /* 1->current: Upgrade to version 6 from version 1 -- Unsupported. */ - {}, /* 2->current: Upgrade to version 6 from version 2 -- Unsupported */ - {}, /* 3->current: Upgrade to version 6 from version 3 -- Unsupported */ - {}, /* 4->current: Upgrade to version 6 from version 4 -- Unsupported */ - { 3, 0, 7, true }, /* 5->current: Upgrade to version 6 from version 5 */ + { -1, 0, 1, false },/* 0->current: Create version 6 (Innsbruck) database. */ + {}, /* 1->current: Upgrade to version 6 from version 1 (LittleBear) -- Unsupported. */ + {}, /* 2->current: Upgrade to version 6 from version 2 (BigBearBeta) -- Unsupported */ + {}, /* 3->current: Upgrade to version 6 from version 3 (Apex) -- Unsupported */ + {}, /* 4->current: Upgrade to version 6 from version 4 (Telluride) -- Unsupported */ + { 3, 0, 7, true }, /* 5->current: Upgrade to version 6 from version 5 (TellurideGM). */ }; static bool sql_run_script(SecDbConnectionRef dbt, int number, CFErrorRef *error)