From 420ff9d9379a8d93f2c90f026a797bdea1eb4517 Mon Sep 17 00:00:00 2001 
From: Apple Date: Tue, 12 Aug 2014 23:37:53 +0000 Subject: [PATCH] Security-55471.14.4.tar.gz --- .../CloudKeychainProxy-Info.plist | 2 +- .../Keychain Circle Notification-Info.plist | 2 +- Keychain/Keychain-Info.plist | 2 +- authd/Info.plist | 2 +- lib/Info-Security.plist | 2 +- lib/plugins/csparser-Info.plist | 2 +- lib/security.exp-in | 2 + libsecurity_codesigning/lib/CSCommon.h | 1 + libsecurity_codesigning/lib/CodeSigner.cpp | 28 +++ libsecurity_codesigning/lib/CodeSigner.h | 5 +- libsecurity_codesigning/lib/SecCode.cpp | 1 + libsecurity_codesigning/lib/SecCode.h | 1 + libsecurity_codesigning/lib/SecCodeSigner.cpp | 1 + libsecurity_codesigning/lib/SecCodeSigner.h | 2 + libsecurity_codesigning/lib/StaticCode.cpp | 52 ++++++ libsecurity_codesigning/lib/StaticCode.h | 5 +- libsecurity_codesigning/lib/cdbuilder.cpp | 48 ++++- libsecurity_codesigning/lib/cdbuilder.h | 5 +- libsecurity_codesigning/lib/codedirectory.cpp | 3 + libsecurity_codesigning/lib/codedirectory.h | 11 +- libsecurity_codesigning/lib/signer.cpp | 39 +++- libsecurity_codesigning/lib/signer.h | 1 + libsecurity_keychain/lib/Certificate.cpp | 4 + libsecurity_ssl/lib/SecureTransport.h | 5 + libsecurity_ssl/lib/sslCert.c | 54 +++--- libsecurity_ssl/lib/sslContext.c | 41 ++++- libsecurity_ssl/lib/sslContext.h | 2 + libsecurity_ssl/regressions/ssl-43-ciphers.c | 2 +- .../CloudKeychainProxy/scripts/sosbuildroot | 2 +- sec/SOSCircle/SecureObjectSync/SOSCoder.c | 2 +- .../secitem/si-33-keychain-backup.c | 1 + .../contents.xcworkspacedata | 7 + .../xcshareddata/sec.xccheckout | 41 +++++ .../UserInterfaceState.xcuserstate | Bin 0 -> 12304 bytes .../xcschemes/libCPSRegresssions.xcscheme | 59 ++++++ .../xcschemes/libCloudKeychainProxy.xcscheme | 59 ++++++ .../xcschemes/libCloudProtection.xcscheme | 59 ++++++ .../xcschemes/libSOSCommands.xcscheme | 59 ++++++ .../xcschemes/libSOSRegressions.xcscheme | 59 ++++++ .../xcschemes/libSecItemShimOSX.xcscheme | 59 ++++++ .../xcschemes/libSecOtrOSX.xcscheme | 59 ++++++ 
.../xcschemes/libSecureObjectSync.xcscheme | 59 ++++++ .../xcschemes/libSecurityCommands.xcscheme | 59 ++++++ .../xcschemes/libSecurityRegressions.xcscheme | 59 ++++++ .../xcschemes/libSecurityTool.xcscheme | 59 ++++++ .../xcschemes/libsecdRegressions.xcscheme | 59 ++++++ .../xcschemes/libsecipc_client.xcscheme | 59 ++++++ .../xcschemes/libsecurity.xcscheme | 59 ++++++ .../xcschemes/libsecurityd.xcscheme | 59 ++++++ .../libsecuritydRegressions.xcscheme | 59 ++++++ .../xcschemes/xcschememanagement.plist | 172 ++++++++++++++++++ .../Regressions/secd-55-account-circle.c | 2 + sec/securityd/SecItemServer.c | 12 +- 53 files changed, 1447 insertions(+), 61 deletions(-) create mode 100644 sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata create mode 100644 sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout create mode 100644 sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme create mode 100644 
sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme create mode 100644 sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist diff --git a/CloudKeychainProxy/CloudKeychainProxy-Info.plist b/CloudKeychainProxy/CloudKeychainProxy-Info.plist index 307d5a82..4b3a1ba4 100644 --- a/CloudKeychainProxy/CloudKeychainProxy-Info.plist +++ b/CloudKeychainProxy/CloudKeychainProxy-Info.plist @@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 NSHumanReadableCopyright Copyright © 2013 Apple, Inc. All rights reserved. diff --git a/Keychain Circle Notification/Keychain Circle Notification-Info.plist b/Keychain Circle Notification/Keychain Circle Notification-Info.plist index fcfb823b..471548b6 100644 --- a/Keychain Circle Notification/Keychain Circle Notification-Info.plist +++ b/Keychain Circle Notification/Keychain Circle Notification-Info.plist @@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 LSApplicationCategoryType LSMinimumSystemVersion diff --git a/Keychain/Keychain-Info.plist b/Keychain/Keychain-Info.plist index 0e3211c0..0b234892 100644 --- a/Keychain/Keychain-Info.plist +++ b/Keychain/Keychain-Info.plist 
@@ -21,7 +21,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 LSMinimumSystemVersion ${MACOSX_DEPLOYMENT_TARGET} NSMainNibFile diff --git a/authd/Info.plist b/authd/Info.plist index 55e3b905..55e7c843 100644 --- a/authd/Info.plist +++ b/authd/Info.plist @@ -19,7 +19,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 NSHumanReadableCopyright Copyright © 2012 Apple. All rights reserved. XPCService diff --git a/lib/Info-Security.plist b/lib/Info-Security.plist index 683ab139..1bd358d9 100644 --- a/lib/Info-Security.plist +++ b/lib/Info-Security.plist @@ -19,6 +19,6 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 diff --git a/lib/plugins/csparser-Info.plist b/lib/plugins/csparser-Info.plist index 53cef937..21b38856 100644 --- a/lib/plugins/csparser-Info.plist +++ b/lib/plugins/csparser-Info.plist @@ -17,7 +17,7 @@ CFBundleSignature ???? CFBundleVersion - 55471.14 + 55471.14.4 CFBundleShortVersionString 3.0 diff --git a/lib/security.exp-in b/lib/security.exp-in index 301de44b..585b1198 100644 --- a/lib/security.exp-in +++ b/lib/security.exp-in @@ -328,6 +328,7 @@ _kSecCodeSignerResourceRules _kSecCodeSignerSDKRoot _kSecCodeSignerSigningTime _kSecCodeSignerRequireTimestamp +_kSecCodeSignerTeamIdentifier _kSecCodeSignerTimestampServer _kSecCodeSignerTimestampAuthentication _kSecCodeSignerTimestampOmitCertificates @@ -350,6 +351,7 @@ _kSecCodeInfoRequirements _kSecCodeInfoRequirementData _kSecCodeInfoSource _kSecCodeInfoStatus +_kSecCodeInfoTeamIdentifier _kSecCodeInfoTrust _kSecCodeInfoUnique _kSecCodeInfoCodeDirectory diff --git a/libsecurity_codesigning/lib/CSCommon.h b/libsecurity_codesigning/lib/CSCommon.h index 23cd134a..15f04c70 100644 --- a/libsecurity_codesigning/lib/CSCommon.h +++ b/libsecurity_codesigning/lib/CSCommon.h 
@@ -231,6 +231,7 @@ enum { kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */ kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */ kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */ + kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */ }; diff --git a/libsecurity_codesigning/lib/CodeSigner.cpp b/libsecurity_codesigning/lib/CodeSigner.cpp index 6d1f07aa..004fb125 100644 --- a/libsecurity_codesigning/lib/CodeSigner.cpp +++ b/libsecurity_codesigning/lib/CodeSigner.cpp @@ -32,6 +32,7 @@ #include #include #include +#include #include namespace Security { @@ -89,6 +90,30 @@ void SecCodeSigner::parameters(CFDictionaryRef paramDict) MacOSError::throwMe(errSecCSInvalidObjectRef); } +// +// Retrieve the team ID from the signing certificate if and only if +// it is an apple developer signing cert +// +std::string SecCodeSigner::getTeamIDFromSigner(CFArrayRef certs) +{ + if (mSigner && mSigner != SecIdentityRef(kCFNull)) { + CFRef signerCert; + MacOSError::check(SecIdentityCopyCertificate(mSigner, &signerCert.aref())); + + /* Make sure the certificate looks like an Apple certificate, because we do not + extract the team ID from a non Apple certificate */ + if (SecStaticCode::isAppleDeveloperCert(certs)) { + CFRef teamIDFromCert; + + MacOSError::check(SecCertificateCopySubjectComponent(signerCert.get(), &CSSMOID_OrganizationalUnitName, &teamIDFromCert.aref())); + + if (teamIDFromCert) + return cfString(teamIDFromCert); + } + } + + return ""; +} // // Roughly check for validity. @@ -218,6 +243,9 @@ SecCodeSigner::Parser::Parser(SecCodeSigner &state, CFDictionaryRef parameters) if (CFStringRef ident = get(kSecCodeSignerIdentifier)) state.mIdentifier = cfString(ident); + if (CFStringRef teamid = get(kSecCodeSignerTeamIdentifier)) + state.mTeamID = cfString(teamid); + if (CFStringRef prefix = get(kSecCodeSignerIdentifierPrefix)) state.mIdentifierPrefix = cfString(prefix); 
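Review bot: getTeamIDFromSigner decides whether a team ID may be trusted by evaluating `certs` with isAppleDeveloperCert, but then reads the OU from `signerCert`, a different object obtained from mSigner; unless the caller guarantees that the leaf of `certs` is the signer's certificate, the policy check and the extraction can disagree. Extracting from the leaf of `certs` (index `Requirement::leafCert`, as verifySignature in StaticCode.cpp does) or asserting that `certs` was built from mSigner would tie the two together. The OU value is also returned verbatim, so an Apple developer certificate with an empty OU yields `""`, which the caller cannot distinguish from "no team ID"; the header comment should say so, e.g. `// Returns "" when the signer is not an Apple developer certificate or its OU is absent/empty`.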
diff --git a/libsecurity_codesigning/lib/CodeSigner.h b/libsecurity_codesigning/lib/CodeSigner.h index 9b050c18..18f327ef 100644 --- a/libsecurity_codesigning/lib/CodeSigner.h +++ b/libsecurity_codesigning/lib/CodeSigner.h @@ -55,12 +55,14 @@ public: void parameters(CFDictionaryRef args); // parse and set parameters bool valid() const; + + std::string getTeamIDFromSigner(CFArrayRef certs); void sign(SecStaticCode *code, SecCSFlags flags); void remove(SecStaticCode *code, SecCSFlags flags); void returnDetachedSignature(BlobCore *blob, Signer &signer); - + protected: std::string sdkPath(const std::string &path) const; bool isAdhoc() const; @@ -84,6 +86,7 @@ private: CodeDirectory::HashAlgorithm mDigestAlgorithm; // interior digest (hash) algorithm std::string mIdentifier; // unique identifier override std::string mIdentifierPrefix; // prefix for un-dotted default identifiers + std::string mTeamID; // teamID bool mNoMachO; // override to perform non-Mach-O signing bool mDryRun; // dry run (do not change target) CFRef mPageSize; // main executable page size diff --git a/libsecurity_codesigning/lib/SecCode.cpp b/libsecurity_codesigning/lib/SecCode.cpp index cd91d813..12e719fa 100644 --- a/libsecurity_codesigning/lib/SecCode.cpp +++ b/libsecurity_codesigning/lib/SecCode.cpp @@ -242,6 +242,7 @@ const CFStringRef kSecCodeInfoRequirements = CFSTR("requirements"); const CFStringRef kSecCodeInfoRequirementData = CFSTR("requirement-data"); const CFStringRef kSecCodeInfoSource = CFSTR("source"); const CFStringRef kSecCodeInfoStatus = CFSTR("status"); +const CFStringRef kSecCodeInfoTeamIdentifier = CFSTR("teamid"); const CFStringRef kSecCodeInfoTime = CFSTR("signing-time"); const CFStringRef kSecCodeInfoTimestamp = CFSTR("signing-timestamp"); const CFStringRef kSecCodeInfoTrust = CFSTR("trust"); diff --git a/libsecurity_codesigning/lib/SecCode.h b/libsecurity_codesigning/lib/SecCode.h index 1afbfebd..ee773ae1 100644 --- a/libsecurity_codesigning/lib/SecCode.h 
+++ b/libsecurity_codesigning/lib/SecCode.h @@ -413,6 +413,7 @@ extern const CFStringRef kSecCodeInfoRequirements; /* Requirement */ extern const CFStringRef kSecCodeInfoRequirementData; /* Requirement */ extern const CFStringRef kSecCodeInfoSource; /* generic */ extern const CFStringRef kSecCodeInfoStatus; /* Dynamic */ +extern const CFStringRef kSecCodeInfoTeamIdentifier; /* Signing */ extern const CFStringRef kSecCodeInfoTime; /* Signing */ extern const CFStringRef kSecCodeInfoTimestamp; /* Signing */ extern const CFStringRef kSecCodeInfoTrust; /* Signing */ diff --git a/libsecurity_codesigning/lib/SecCodeSigner.cpp b/libsecurity_codesigning/lib/SecCodeSigner.cpp index 33e38029..a705ba71 100644 --- a/libsecurity_codesigning/lib/SecCodeSigner.cpp +++ b/libsecurity_codesigning/lib/SecCodeSigner.cpp @@ -57,6 +57,7 @@ const CFStringRef kSecCodeSignerTimestampServer = CFSTR("timestamp-url"); const CFStringRef kSecCodeSignerTimestampAuthentication = CFSTR("timestamp-authentication"); const CFStringRef kSecCodeSignerTimestampOmitCertificates = CFSTR("timestamp-omit-certificates"); const CFStringRef kSecCodeSignerPreserveMetadata = CFSTR("preserve-metadata"); +const CFStringRef kSecCodeSignerTeamIdentifier = CFSTR("teamidentifier"); // temporary add-back to bridge B&I build dependencies -- remove soon const CFStringRef kSecCodeSignerTSAUse = CFSTR("timestamp-required"); diff --git a/libsecurity_codesigning/lib/SecCodeSigner.h b/libsecurity_codesigning/lib/SecCodeSigner.h index b0c22383..d5c15962 100644 --- a/libsecurity_codesigning/lib/SecCodeSigner.h +++ b/libsecurity_codesigning/lib/SecCodeSigner.h 
@@ -155,6 +155,7 @@ extern const CFStringRef kSecCodeSignerRequireTimestamp; extern const CFStringRef kSecCodeSignerTimestampServer; extern const CFStringRef kSecCodeSignerTimestampOmitCertificates; extern const CFStringRef kSecCodeSignerPreserveMetadata; +extern const CFStringRef kSecCodeSignerTeamIdentifier; enum { kSecCodeSignerPreserveIdentifier = 1 << 0, // preserve signing identifier @@ -162,6 +163,7 @@ enum { kSecCodeSignerPreserveEntitlements = 1 << 2, // preserve entitlements kSecCodeSignerPreserveResourceRules = 1 << 3, // preserve resource rules (and thus resources) kSecCodeSignerPreserveFlags = 1 << 4, // preserve signing flags + kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags }; diff --git a/libsecurity_codesigning/lib/StaticCode.cpp b/libsecurity_codesigning/lib/StaticCode.cpp index a26a1fee..62bfe215 100644 --- a/libsecurity_codesigning/lib/StaticCode.cpp +++ b/libsecurity_codesigning/lib/StaticCode.cpp @@ -47,6 +47,7 @@ #include #include #include +#include namespace Security { @@ -54,6 +55,13 @@ namespace CodeSigning { using namespace UnixPlusPlus; +// A requirement representing a Mac or iOS dev cert, a Mac or iOS distribution cert, or a developer ID +static const char WWDRRequirement[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists " + "and ( cert leaf[subject.CN] = \"Mac Developer: \"* or cert leaf[subject.CN] = \"iPhone Developer: \"* )"; +static const char developerID[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists" + " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"; +static const char distributionCertificate[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.7] exists"; +static const char iPhoneDistributionCert[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.4] exists"; // // Map a component slot number to a suitable error code for a failure 
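Review bot: The comment on the new `kSecCodeSignerPreserveTeamIdentifier` constant reads `// preserve team identifier flags`, which copies the wording of the `kSecCodeSignerPreserveFlags` line above; the constant preserves the team identifier string, not flags. Suggest `kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier`.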
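Review bot: The four requirement strings are the policy that decides when a team identifier is trusted, yet only WWDRRequirement carries a comment and the OID fields are left unexplained, so a maintainer cannot tell which certificate class each string is meant to match, nor why distributionCertificate and iPhoneDistributionCert constrain only the leaf while the other two also pin an intermediate. A one-line comment above each string naming the certificate type it matches (and, where an intermediate is deliberately not pinned, saying so) would make the policy reviewable without decoding OIDs. The names also follow three conventions in one hunk (`WWDRRequirement`, `developerID`, `distributionCertificate`, `iPhoneDistributionCert`); one convention for all four, ending in the same suffix, would read better. The hunk's trailing context is a comment header whose function starts outside the hunk.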
@@ -478,6 +486,30 @@ bool SecStaticCode::verifySignature() SecTrustResultType trustResult; MacOSError::check(SecTrustEvaluate(mTrust, &trustResult)); MacOSError::check(SecTrustGetResult(mTrust, &trustResult, &mCertChain.aref(), &mEvalDetails)); + + // if this is an Apple developer cert.... + if (teamID() && SecStaticCode::isAppleDeveloperCert(mCertChain)) { + CFRef teamIDFromCert; + if (CFArrayGetCount(mCertChain) > 0) { + /* Note that SecCertificateCopySubjectComponent sets the out paramater to NULL if there is no field present */ + MacOSError::check(SecCertificateCopySubjectComponent((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, Requirement::leafCert), + &CSSMOID_OrganizationalUnitName, + &teamIDFromCert.aref())); + + if (teamIDFromCert) { + CFRef teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8); + if (!teamIDFromCD) { + MacOSError::throwMe(errSecCSInternalError); + } + + if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) { + Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID()); + MacOSError::throwMe(errSecCSSignatureInvalid); + } + } + } + } + CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? (int)CFArrayGetCount(mCertChain) : 0); switch (trustResult) { case kSecTrustResultProceed: @@ -1162,6 +1194,8 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags) if (CFAbsoluteTime time = this->signingTimestamp()) if (CFRef date = CFDateCreate(NULL, time)) CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date); + if (const char *teamID = this->teamID()) + CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID)); } catch (...) { } // 
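Review bot: `isAppleDeveloperCert(mCertChain)` is called before the `CFArrayGetCount(mCertChain) > 0` guard, while the CODESIGN_EVAL_STATIC_SIGNATURE_RESULT line just below treats mCertChain as possibly NULL, so the new block evaluates the requirement on a chain it has not yet checked for NULL or emptiness. Hoisting the guard into the outer condition, `if (teamID() && mCertChain && CFArrayGetCount(mCertChain) > 0 && SecStaticCode::isAppleDeveloperCert(mCertChain)) {`, keeps the requirement evaluation and the leaf lookup behind the same check. Two further points deserve a comment: the comparison runs before trustResult is inspected, so a chain that trust evaluation would reject anyway may be rejected here with a different error first, and when the leaf carries no OU the block silently accepts whatever team ID the code directory claims — if that is intended, say so next to `if (teamIDFromCert)`. verifySignature continues outside the hunk.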
@@ -1343,6 +1377,11 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other if (ctx.offset != activeOffset) { // inactive architecture; check it SecPointer subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx)); subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature + if (this->teamID() == NULL || subcode->teamID() == NULL) { + if (this->teamID() != subcode->teamID()) + MacOSError::throwMe(errSecCSSignatureInvalid); + } else if (strcmp(this->teamID(), subcode->teamID()) != 0) + MacOSError::throwMe(errSecCSSignatureInvalid); handle(subcode); } } @@ -1350,6 +1389,19 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other } } +// +// A method that takes a certificate chain (certs) and evaluates +// if it is a Mac or IPhone developer cert, an app store distribution cert, +// or a developer ID +// +bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs) +{ + static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")"; + SecRequirement *req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true); + Requirement::Context ctx(certs, NULL, NULL, "", NULL); + + return req->requirement()->validates(ctx); +} } // end namespace CodeSigning } // end namespace Security diff --git a/libsecurity_codesigning/lib/StaticCode.h b/libsecurity_codesigning/lib/StaticCode.h index 66b05ed0..b7c5b72a 100644 --- a/libsecurity_codesigning/lib/StaticCode.h +++ b/libsecurity_codesigning/lib/StaticCode.h 
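Review bot: The cross-architecture team-ID check is written as nested single-statement `if`s without braces under an `else if`, the shape in which a later inserted statement silently changes control flow; it also throws errSecCSSignatureInvalid without the syslog line that the equivalent mismatch in verifySignature emits, so a fat-binary mismatch leaves no trace for an operator. A small helper expressing "both absent, or both present and equal" makes the intent obvious and lets the call site log before throwing. handleOtherArchitectures begins and ends outside the hunk; the helper would sit at file scope above it.
```cpp
// true when both team IDs are absent, or both present and byte-equal
static bool sameTeamID(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

// … unchanged: handleOtherArchitectures up to the detachedSignature carry-over …
            if (!sameTeamID(this->teamID(), subcode->teamID())) {
                Security::Syslog::error("Team identifier mismatch between architectures of %s", this->mainExecutablePath().c_str());
                MacOSError::throwMe(errSecCSSignatureInvalid);
            }
            handle(subcode);
```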
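Review bot: `SecRequirement *req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);` is never released or deleted, so every call — one per verifySignature and one per signing via getTeamIDFromSigner — re-parses the requirement and leaks the SecRequirement together with the Requirement blob it was told to own. Since the text is constant (it already lives in a function-local static string), build the object once and keep it in the smart pointer this file already uses for SecStaticCode: `static SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);` — confirm SecPointer's retain convention matches the `new` form, as the `SecPointer subcode = new SecStaticCode(...)` line above suggests it does. The header comment should also state what the empty identifier in `Requirement::Context ctx(certs, NULL, NULL, "", NULL)` implies for evaluation (presumably only certificate clauses can match — confirm), and should fix "IPhone".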
@@ -119,6 +119,7 @@ public: std::string mainExecutablePath() { return mRep->mainExecutablePath(); } CFURLRef canonicalPath() const { return mRep->canonicalPath(); } std::string identifier() { return codeDirectory()->identifier(); } + const char *teamID() { return codeDirectory()->teamID(); } std::string format() const { return mRep->format(); } std::string signatureSource(); virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); @@ -169,10 +170,12 @@ public: CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary) + static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation + public: void staticValidate(SecCSFlags flags, const SecRequirement *req); void staticValidateCore(SecCSFlags flags, const SecRequirement *req); - + protected: CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary bool verifySignature(); diff --git a/libsecurity_codesigning/lib/cdbuilder.cpp b/libsecurity_codesigning/lib/cdbuilder.cpp index e1917792..279998f8 100644 --- a/libsecurity_codesigning/lib/cdbuilder.cpp +++ b/libsecurity_codesigning/lib/cdbuilder.cpp 
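Review bot: The comment on the new `isAppleDeveloperCert` declaration misspells "library" (`libraray validation`) and says "this is" although the method is static and judges the chain it is given; suggest `static bool isAppleDeveloperCert(CFArrayRef certs); // true if certs is a Mac/iPhone developer, App Store distribution, or Developer ID chain (used for library validation)`, matching the description in StaticCode.cpp. The inline `const char *teamID() { return codeDirectory()->teamID(); }` in the first hunk hands out a pointer into the code directory blob with no note on lifetime; a comment that it is valid only while this object's code directory is alive (and NULL for directories without a team ID) would save callers from caching it.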
@@ -108,11 +108,24 @@ CodeDirectory::Scatter *CodeDirectory::Builder::scatter(unsigned count) return mScatter; } +// This calculates the fixed size of the code directory +// Because of , if the team ID +// field is not used, we leave out the team ID offset +// as well, to keep cd hashes consistent between +// versions. +const size_t CodeDirectory::Builder::fixedSize(const uint32_t version) +{ + size_t cdSize = sizeof(CodeDirectory); + if (version < supportsTeamID) + cdSize -= sizeof(mDir->teamIDOffset); + + return cdSize; +} // // Calculate the size we'll need for the CodeDirectory as described so far // -size_t CodeDirectory::Builder::size() +size_t CodeDirectory::Builder::size(const uint32_t version) { assert(mExec); // must have called executable() if (mExecLength == 0) @@ -125,10 +138,14 @@ size_t CodeDirectory::Builder::size() mCodeSlots = (mExecLength + mPageSize - 1) / mPageSize; // round up } - size_t offset = sizeof(CodeDirectory); + size_t offset = fixedSize(version); + offset += mScatterSize; // scatter vector offset += mIdentifier.size() + 1; // size of identifier (with null byte) + if (mTeamID.size()) + offset += mTeamID.size() + 1; // size of teamID (with null byte) offset += (mCodeSlots + mSpecialSlots) * mDigestLength; // hash vector + return offset; } 
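Review bot: size() now takes a caller-supplied version but nothing checks it against the team ID it counts: with `mTeamID` set and `version < supportsTeamID`, the team-ID string is added to the total while the `teamIDOffset` field that would locate it is subtracted, so the result describes a layout build() can never produce. An `assert(mTeamID.empty() || version >= supportsTeamID);` at the top of size() (or deriving the version inside size() the way build() does) pins that invariant. Two smaller points: `const size_t` on fixedSize's return type is a top-level const that does nothing, and the method modifies no state so it can be `const`-qualified; and the comment `// Because of , if the team ID` has lost its reference during extraction — restore the bug reference or drop the fragment.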
@@ -149,16 +166,26 @@ size_t CodeDirectory::Builder::size() CodeDirectory *CodeDirectory::Builder::build() { assert(mExec); // must have (successfully) called executable() - + uint32_t version; + // size and allocate size_t identLength = mIdentifier.size() + 1; - size_t total = size(); + size_t teamIDLength = mTeamID.size() + 1; + + // Determine the version + if (mTeamID.size()) { + version = currentVersion; + } else { + version = supportsScatter; + } + + size_t total = size(version); if (!(mDir = (CodeDirectory *)calloc(1, total))) // initialize to zero UnixError::throwMe(ENOMEM); // fill header mDir->initialize(total); - mDir->version = currentVersion; + mDir->version = version; mDir->flags = mFlags; mDir->nSpecialSlots = (uint32_t)mSpecialSlots; mDir->nCodeSlots = (uint32_t)mCodeSlots; @@ -175,8 +202,8 @@ CodeDirectory *CodeDirectory::Builder::build() mDir->pageSize = 0; // means infinite page size // locate and fill flex fields - size_t offset = sizeof(CodeDirectory); - + size_t offset = fixedSize(mDir->version); + if (mScatter) { mDir->scatterOffset = (uint32_t)offset; memcpy(mDir->scatterVector(), mScatter, mScatterSize); @@ -186,7 +213,12 @@ CodeDirectory *CodeDirectory::Builder::build() mDir->identOffset = (uint32_t)offset; memcpy(mDir->identifier(), mIdentifier.c_str(), identLength); offset += identLength; - + + if (mTeamID.size()) { + mDir->teamIDOffset = (uint32_t)offset; + memcpy(mDir->teamID(), mTeamID.c_str(), teamIDLength); + offset += teamIDLength; + } // (add new flexibly-allocated fields here) mDir->hashOffset = (uint32_t)(offset + mSpecialSlots * mDigestLength); diff --git a/libsecurity_codesigning/lib/cdbuilder.h b/libsecurity_codesigning/lib/cdbuilder.h index fd5e54b0..5e697896 100644 --- a/libsecurity_codesigning/lib/cdbuilder.h +++ b/libsecurity_codesigning/lib/cdbuilder.h 
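Review bot: build() writes `mDir->teamIDOffset` only under `if (mTeamID.size())`, but the memory for that field exists only when `version >= supportsTeamID` (fixedSize drops it otherwise); the two conditions coincide today solely because the version selection a few lines above maps a non-empty team ID to currentVersion, so a later change to either branch would make the store land on the first bytes of the scatter vector or identifier. Making the dependency explicit — `if (version >= supportsTeamID && mTeamID.size()) {` or an `assert(version >= supportsTeamID);` inside the block — protects the layout. The version choice also deserves a comment next to `version = supportsScatter;`, since "emit the oldest directory format that still holds everything, so team-ID-free binaries keep their old cdhash" is the reason and nothing in the code says so. build() continues outside the hunk.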
@@ -51,13 +51,15 @@ public: void specialSlot(SpecialSlot slot, CFDataRef data); void identifier(const std::string &code) { mIdentifier = code; } + void teamID(const std::string &team) { mTeamID = team; } void flags(uint32_t f) { mFlags = f; } Scatter *scatter(unsigned count); // allocate that many scatter elements (w/o sentinel) Scatter *scatter() { return mScatter; } // return already allocated scatter vector - size_t size(); // calculate size + size_t size(const uint32_t version); // calculate size CodeDirectory *build(); // build CodeDirectory and return it + const size_t fixedSize(const uint32_t version); // calculate fixed size of the CodeDirectory DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); } @@ -77,6 +79,7 @@ private: uint32_t mHashType; // digest algorithm code uint32_t mDigestLength; // number of bytes in a single glue digest std::string mIdentifier; // canonical identifier + std::string mTeamID; // team identifier size_t mSpecialSlots; // highest special slot set size_t mCodeSlots; // number of code pages (slots) diff --git a/libsecurity_codesigning/lib/codedirectory.cpp b/libsecurity_codesigning/lib/codedirectory.cpp index 06f67a32..706a7b0f 100644 --- a/libsecurity_codesigning/lib/codedirectory.cpp +++ b/libsecurity_codesigning/lib/codedirectory.cpp @@ -143,6 +143,8 @@ void CodeDirectory::checkIntegrity() const // now check interior offsets for validity if (!stringAt(identOffset)) MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range + if (version >= supportsTeamID && teamIDOffset != 0 && !stringAt(teamIDOffset)) + MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots))) MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range if (const Scatter *scatter = this->scatterVector()) { 
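Review bot: The new `fixedSize` declaration returns `const size_t` and takes `const uint32_t version`; both consts qualify by-value objects and have no effect in a declaration, and the method does not modify the builder, so `size_t fixedSize(uint32_t version) const;` (with `size_t size(uint32_t version);` to match) states the contract more precisely. The trailing comment `// calculate fixed size of the CodeDirectory` could also say what "fixed" excludes — scatter vector, identifier, team ID and hash array — since that is exactly the split size() relies on.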
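Review bot: The comment on the new team-ID bounds check, `// identifier out of blob range`, was copied from the line above and mislabels the failure; `// team ID out of blob range` matches what the condition tests. The gate on `version >= supportsTeamID` is essential rather than cosmetic — per cdbuilder.cpp's fixedSize, directories older than that version do not carry the field, so the struct member would alias the first bytes of the flexible area — and a short comment saying so would stop someone from "simplifying" the condition later. checkIntegrity continues outside the hunk.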
@@ -292,5 +294,6 @@ const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = { { "expires", kSecCodeSignatureForceExpiration, true }, { "restrict", kSecCodeSignatureRestrict, true }, { "enforcement", kSecCodeSignatureEnforcement, true }, + { "library-validation", kSecCodeSignatureLibraryValidation, true }, { NULL } }; diff --git a/libsecurity_codesigning/lib/codedirectory.h b/libsecurity_codesigning/lib/codedirectory.h index 08c81c68..4b64c146 100644 --- a/libsecurity_codesigning/lib/codedirectory.h +++ b/libsecurity_codesigning/lib/codedirectory.h @@ -180,13 +180,15 @@ public: uint8_t pageSize; // log2(page size in bytes); 0 => infinite Endian spare2; // unused (must be zero) Endian scatterOffset; // offset of optional scatter vector (zero if absent) + Endian teamIDOffset; // offset of optional teamID string // works with the version field; see comments above - static const uint32_t currentVersion = 0x20100; // "version 2.1" + static const uint32_t currentVersion = 0x20200; // "version 2.2" static const uint32_t compatibilityLimit = 0x2F000; // "version 3 with wiggle room" static const uint32_t earliestVersion = 0x20001; // earliest supported version static const uint32_t supportsScatter = 0x20100; // first version to support scatter option + static const uint32_t supportsTeamID = 0x20200; // first version to support team ID option void checkIntegrity() const; // throws if inconsistent or unsupported version @@ -196,7 +198,7 @@ public: const char *identifier() const { return at(identOffset); } char *identifier() { return at(identOffset); } - + // main hash array access SpecialSlot maxSpecialSlot() const; 
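Review bot: Appending `teamIDOffset` to the struct changes `sizeof(CodeDirectory)`, so any code that uses that as the header size of an existing blob now over-reads pre-0x20200 directories by four bytes; cdbuilder.cpp in this commit was switched to fixedSize(version), but nothing in the header warns other users. Suggest extending the field comment: `// offset of optional teamID string (field present only when version >= supportsTeamID; do not use sizeof(CodeDirectory) as the header size of an older directory)`. It is also worth noting beside `supportsTeamID` that it equals currentVersion by design, since build() relies on that equality when choosing the version to emit.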
@@ -230,7 +232,10 @@ public: { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } const Scatter *scatterVector() const { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } - + + const char *teamID() const { return version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL; } + char *teamID() { return version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL; } + public: bool validateSlot(const void *data, size_t size, Slot slot) const; // validate memory buffer against page slot bool validateSlot(UnixPlusPlus::FileDesc fd, size_t size, Slot slot) const; // read and validate file diff --git a/libsecurity_codesigning/lib/signer.cpp b/libsecurity_codesigning/lib/signer.cpp index 968accf1..9b676c33 100644 --- a/libsecurity_codesigning/lib/signer.cpp +++ b/libsecurity_codesigning/lib/signer.cpp 
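Review bot: The new teamID() accessors spell the condition `version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL`; it parses as intended because `&&` binds tighter than `?:`, but the scatterVector() accessors two lines above parenthesize the same test, and the bare form reads as if `teamIDOffset ? …` were the conditional. Suggest `return (version >= supportsTeamID && teamIDOffset) ? at(teamIDOffset) : NULL;` in both overloads. A comment that the returned pointer aliases the blob and is only known to be NUL-terminated once checkIntegrity() has accepted it (presumably what stringAt() verifies — confirm) would help callers such as StaticCode::teamID() that pass it on as a plain `const char *`.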
@@ -53,8 +53,33 @@ void SecCodeSigner::Signer::sign(SecCSFlags flags) { rep = code->diskRep()->base(); this->prepare(flags); - + PreSigningContext context(*this); + + /* If an explicit teamID was passed in it must be + the same as what came from the cert */ + std::string teamIDFromCert = state.getTeamIDFromSigner(context.certs); + + if (state.mPreserveMetadata & kSecCodeSignerPreserveTeamIdentifier) { + /* If preserving the team identifier, teamID is set previously when the + code object is still available */ + if (!teamIDFromCert.empty() && teamID != teamIDFromCert) + MacOSError::throwMe(errSecCSInvalidFlags); + } else { + if (teamIDFromCert.empty()) { + /* state.mTeamID is an explicitly passed teamID */ + teamID = state.mTeamID; + } else if (state.mTeamID.empty() || (state.mTeamID == teamIDFromCert)) { + /* If there was no explicit team ID set, or the explicit team ID matches + what is in the cert, use the team ID from the certificate */ + teamID = teamIDFromCert; + } else { + /* The caller passed in an explicit team ID that does not match what is + in the signing cert, which is an invalid usage */ + MacOSError::throwMe(errSecCSInvalidFlags); + } + } + if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) { signMachO(fat, context); } else { @@ -113,6 +138,13 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) } else secdebug("signer", "using explicit identifier=%s", identifier.c_str()); + teamID = state.mTeamID; + if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) { + const char *c_id = code->teamID(); + if (c_id) + teamID = c_id; + } + entitlements = state.mEntitlementData; if (!entitlements && (inherit & kSecCodeSignerPreserveEntitlements)) entitlements = code->component(cdEntitlementSlot); 
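Review bot: In the non-preserve branch, `teamID = state.mTeamID;` under `if (teamIDFromCert.empty())` re-assigns a value prepare() already set (`teamID = state.mTeamID;` in the second hunk), and more importantly it lets an explicitly passed team ID be stamped into the code directory when the signer is not an Apple developer certificate or is ad-hoc — verifySignature in StaticCode.cpp only cross-checks the team ID against the certificate for Apple developer chains, so such a team ID is an unverified claim. If that is intended (for example for internal signing identities), a comment at that line saying so would stop it from being read as an oversight; if not, rejecting a non-empty `state.mTeamID` when teamIDFromCert is empty closes the gap. The preserve branch has the same shape: a team ID inherited from the old signature survives re-signing by a non-developer certificate because the mismatch test is skipped when teamIDFromCert is empty. `errSecCSInvalidFlags` for a certificate/team-ID mismatch will also be read by callers as a bad flags argument; a code that names the mismatch would be clearer, though that is a behaviour change. sign() continues outside the hunk.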
@@ -374,7 +406,7 @@ void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context } // prepare SuperBlob size estimate - size_t cdSize = arch.cdbuilder.size(); + size_t cdSize = arch.cdbuilder.size(CodeDirectory::currentVersion); arch.blobSize = arch.size(cdSize, state.mCMSSize, 0); } @@ -460,7 +492,8 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W builder.executable(rep->mainExecutablePath(), pagesize, offset, length); builder.flags(cdFlags); builder.identifier(identifier); - + builder.teamID(teamID); + if (CFRef data = rep->component(cdInfoSlot)) builder.specialSlot(cdInfoSlot, data); if (ireqs) { diff --git a/libsecurity_codesigning/lib/signer.h b/libsecurity_codesigning/lib/signer.h index dbbd1b44..495cc00c 100644 --- a/libsecurity_codesigning/lib/signer.h +++ b/libsecurity_codesigning/lib/signer.h @@ -83,6 +83,7 @@ private: CFRef resourceDirectory; // resource directory CFRef resourceDictData; // XML form of resourceDirectory std::string identifier; // signing identifier + std::string teamID; // team identifier CFRef entitlements; // entitlements uint32_t cdFlags; // CodeDirectory flags const Requirements *requirements; // internal requirements ready-to-use diff --git a/libsecurity_keychain/lib/Certificate.cpp b/libsecurity_keychain/lib/Certificate.cpp index 95fdeb10..0dbc174b 100644 --- a/libsecurity_keychain/lib/Certificate.cpp +++ b/libsecurity_keychain/lib/Certificate.cpp @@ -894,6 +894,8 @@ Certificate::copyDNSNames() /* Encoding is kCFStringEncodingUTF8 since the string is either PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! */ + if (!string) continue; CFArrayAppendValue(array, string); CFRelease(string); } 
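Review bot: `arch.cdbuilder.size(CodeDirectory::currentVersion)` sizes the estimate for the largest header even though build() selects supportsScatter when no team ID is set, so the estimate can be `sizeof(teamIDOffset)` bytes high; that is safe for an upper bound but not obvious, and a comment on that line such as `// worst-case header size: build() may emit an older, smaller version` would prevent someone from "fixing" it into an under-estimate. signMachO begins and ends outside the hunk.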
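Review bot: The `if (!string) continue;` guard correctly stops a NULL from reaching CFArrayAppendValue when an untrusted certificate carries a name that is not valid UTF-8, but it drops the entry silently; a caller matching a hostname against the list will simply not match such an entry (safe direction), yet nothing records that the certificate contained an undecodable name. The same two lines appear in copyEmailAddresses in the next hunk; a shared helper that creates the string and logs the skip would keep the two in step, and the comment could state the consequence: `/* Undecodable (non-UTF8) name: skip it, so the caller sees a shorter list rather than a crash on NULL. */`. Both functions begin and end outside their hunks.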
@@ -932,6 +934,8 @@ Certificate::copyEmailAddresses() /* Encoding is kCFStringEncodingUTF8 since the string is either PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! */ + if (!string) continue; CFArrayAppendValue(array, string); CFRelease(string); } diff --git a/libsecurity_ssl/lib/SecureTransport.h b/libsecurity_ssl/lib/SecureTransport.h index 856d7f14..e0a5cf48 100644 --- a/libsecurity_ssl/lib/SecureTransport.h +++ b/libsecurity_ssl/lib/SecureTransport.h @@ -130,6 +130,11 @@ typedef enum { * using a block cipher. */ kSSLSessionOptionSendOneByteRecord, + /* + * Allow/Disallow server identity change on renegotiation. Disallow by default + * to avoid Triple Handshake attack. + */ + kSSLSessionOptionAllowServerIdentityChange, } SSLSessionOption; diff --git a/libsecurity_ssl/lib/sslCert.c b/libsecurity_ssl/lib/sslCert.c index 081e8726..4aee2efb 100644 --- a/libsecurity_ssl/lib/sslCert.c +++ b/libsecurity_ssl/lib/sslCert.c @@ -143,12 +143,8 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) size_t listLen, certLen; UInt8 *p; OSStatus err; -#ifdef USE_SSLCERTIFICATE - SSLCertificate *cert; -#else CFMutableArrayRef certChain = NULL; SecCertificateRef cert; -#endif p = message.data; listLen = SSLDecodeInt(p,3); 
@@ -159,38 +155,23 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) } while (listLen > 0) - { certLen = SSLDecodeInt(p,3); + { + if (listLen < 3) { + sslErrorLog("SSLProcessCertificate: length decode error 2\n"); + return errSSLProtocol; + } + certLen = SSLDecodeInt(p,3); p += 3; if (listLen < certLen + 3) { - sslErrorLog("SSLProcessCertificate: length decode error 2\n"); + sslErrorLog("SSLProcessCertificate: length decode error 3\n"); return errSSLProtocol; } -#ifdef USE_SSLCERTIFICATE - cert = (SSLCertificate *)sslMalloc(sizeof(SSLCertificate)); - if(cert == NULL) { - return errSecAllocate; - } - if ((err = SSLAllocBuffer(&cert->derCert, certLen) - { sslFree(cert); - return err; - } - memcpy(cert->derCert.data, p, certLen); - p += certLen; - cert->next = ctx->peerCert; /* Insert backwards; root cert - * will be first in linked list */ - ctx->peerCert = cert; -#else if (!certChain) { certChain = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); if (certChain == NULL) { return errSecAllocate; } - if (ctx->peerCert) { - sslDebugLog("SSLProcessCertificate: releasing existing cert chain\n"); - CFRelease(ctx->peerCert); - } - ctx->peerCert = certChain; } cert = SecCertificateCreateWithBytes(NULL, p, certLen); #if SSL_DEBUG && !TARGET_OS_IPHONE 
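Review bot: The early `return errSSLProtocol;` paths inside the `while (listLen > 0)` loop now leak `certChain`: the `ctx->peerCert = certChain;` that used to hand ownership to the context at first allocation has been moved to after the loop, so on the second and later iterations both the new `listLen < 3` check and the `listLen < certLen + 3` check return with a live, unowned CFMutableArrayRef. Add `if (certChain) CFRelease(certChain);` before each of those returns (keep the guard, since CFRelease does not accept NULL). The `SecCertificateCreateWithBytes` failure path that follows is outside this hunk and likely needs the same treatment. SSLProcessCertificate continues in the next hunk.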
@@ -212,11 +193,28 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) /* Insert forwards; root cert will be last in linked list */ CFArrayAppendValue(certChain, cert); CFRelease(cert); -#endif listLen -= 3+certLen; } assert(p == message.data + message.length && listLen == 0); + if (ctx->protocolSide == kSSLClientSide && ctx->peerCert && !ctx->allowServerIdentityChange) { + // Do not accept a different server cert during renegotiation unless allowed. + if((certChain!=NULL) && !CFEqual(ctx->peerCert, certChain)) + { + CFRelease(certChain); + sslErrorLog("Illegal server identity change during renegotiation\n"); + return errSSLProtocol; + } + } + + // Replace old cert with new cert. + if (ctx->peerCert) { + sslDebugLog("SSLProcessCertificate: releasing existing cert chain\n"); + CFRelease(ctx->peerCert); + } + + ctx->peerCert = certChain; + if (!ctx->peerCert) { /* this *might* be OK... */ if((ctx->protocolSide == kSSLServerSide) && @@ -241,6 +239,8 @@ SSLProcessCertificate(SSLBuffer message, SSLContext *ctx) } } + + if((err = sslVerifyCertChain(ctx, ctx->peerCert, true)) != 0) { AlertDescription desc; switch(err) { diff --git a/libsecurity_ssl/lib/sslContext.c b/libsecurity_ssl/lib/sslContext.c index c041afaa..cc74aa16 100644 --- a/libsecurity_ssl/lib/sslContext.c +++ b/libsecurity_ssl/lib/sslContext.c @@ -115,6 +115,7 @@ Boolean sslIsSessionActive(const SSLContext *ctx) static CFTypeID kSSLContextTypeID; int kSplitDefaultValue; +bool kAllowServerIdentityChangeDefaultValue; static void _sslContextDestroy(CFTypeRef arg); static Boolean _sslContextEqual(CFTypeRef a, CFTypeRef b); 
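Review bot: The renegotiation identity check is skipped when `certChain` is NULL, so a client that already holds `ctx->peerCert` and receives an empty certificate list on renegotiation releases its previous identity without reaching the `Illegal server identity change` path; the `if (!ctx->peerCert)` handling below may still reject that on the client side, but it is cut off at the end of the hunk, so confirm. Treating the empty list as a change would be `if (certChain == NULL || !CFEqual(ctx->peerCert, certChain))` with the `CFRelease(certChain)` inside guarded by `if (certChain)`. Note also that `CFEqual` on the two arrays requires the whole chain, element by element, to match, not just the leaf — the conservative reading of the mitigation and worth stating in the comment. Style nit: `if((certChain!=NULL) && ...)` spacing differs from the surrounding code.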
@@ -126,11 +127,12 @@ static void _SSLContextReadDefault() /* 0 = disabled, 1 = split every write, 2 = split second and subsequent writes */ /* Enabled by default, this make cause some interop issues, see and */ const int defaultSplitDefaultValue = 2; - + //To change: + //sudo defaults write /Library/Preferences/com.apple.security SSLWriteSplit -int 0 CFTypeRef value = (CFTypeRef)CFPreferencesCopyValue(CFSTR("SSLWriteSplit"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, - kCFPreferencesAnyHost); + kCFPreferencesCurrentHost); if (value) { if (CFGetTypeID(value) == CFBooleanGetTypeID()) kSplitDefaultValue = CFBooleanGetValue((CFBooleanRef)value) ? 1 : 0; @@ -146,6 +148,33 @@ static void _SSLContextReadDefault() else { kSplitDefaultValue = defaultSplitDefaultValue; } + + + /* 0 = disallowed, 1 = allowed */ + /* Disallowed by default */ + const bool defaultValue = false; + //To change: + //sudo defaults write /Library/Preferences/com.apple.security SSLAllowServerIdentityChange -bool YES + value = (CFTypeRef)CFPreferencesCopyValue(CFSTR("SSLAllowServerIdentityChange"), + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, + kCFPreferencesCurrentHost); + if (value) { + if (CFGetTypeID(value) == CFBooleanGetTypeID()) + kAllowServerIdentityChangeDefaultValue = CFBooleanGetValue((CFBooleanRef)value); + else if (CFGetTypeID(value) == CFNumberGetTypeID()) { + int localValue; + if (!CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &localValue)) { + kAllowServerIdentityChangeDefaultValue = defaultValue; + } else { + kAllowServerIdentityChangeDefaultValue = localValue; + } + } + CFRelease(value); + } + else { + kAllowServerIdentityChangeDefaultValue = defaultValue; + } } static void _SSLContextRegisterClass() 
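Review bot: In the new SSLAllowServerIdentityChange block the CFNumber branch stores `localValue` straight into a `bool`, so any non-zero value, including a negative one, enables the option even though the comment says `0 = disallowed, 1 = allowed`; `kAllowServerIdentityChangeDefaultValue = (localValue != 0);` makes that explicit, or reject values other than 0 and 1. The block reuses `value` from the SSLWriteSplit lookup above, which is fine only if that earlier lookup releases it on every path — the lines between the two hunks are not shown. This preference turns off the triple-handshake protection for every SecureTransport client on the host, so the `//To change:` comment should say so, e.g. `// Host-wide: disables the renegotiation identity check for all clients; leave false unless required`. The first hunk's switch of `SSLWriteSplit` from kCFPreferencesAnyHost to kCFPreferencesCurrentHost changes where an existing setting is read from; if intentional, a one-line comment would help.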
@@ -274,6 +303,9 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS /* Default for sending one-byte app data record is DISABLED */ ctx->oneByteRecordEnable = false; + /* Default for allowing server identity change on renegotiation is FALSE */ + ctx->allowServerIdentityChange = false; + /* Consult global system preference for default behavior: * 0 = disabled, 1 = split every write, 2 = split second and subsequent writes * (caller can override by setting kSSLSessionOptionSendOneByteRecord) @@ -282,6 +314,8 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS pthread_once(&sReadDefault, _SSLContextReadDefault); if (kSplitDefaultValue > 0) ctx->oneByteRecordEnable = true; + if (kAllowServerIdentityChangeDefaultValue>0) + ctx->allowServerIdentityChange = true; /* default for anonymous ciphers is DISABLED */ ctx->anonCipherEnable = false; @@ -574,6 +608,9 @@ SSLSetSessionOption (SSLContextRef context, case kSSLSessionOptionFalseStart: context->falseStartEnabled = value; break; + case kSSLSessionOptionAllowServerIdentityChange: + context->allowServerIdentityChange = value; + break; default: return errSecParam; } diff --git a/libsecurity_ssl/lib/sslContext.h b/libsecurity_ssl/lib/sslContext.h index eee676cc..a3e13cd9 100644 --- a/libsecurity_ssl/lib/sslContext.h +++ b/libsecurity_ssl/lib/sslContext.h @@ -351,6 +351,8 @@ struct SSLContext Boolean rsaBlindingEnable; Boolean oneByteRecordEnable; /* enable 1/n-1 data splitting for TLSv1 and SSLv3 */ Boolean wroteAppData; /* at least one write completed with current writeCipher */ + Boolean allowServerIdentityChange; /* allow server identity change on renegotiation + disallowed by default to avoid triple handshake attack */ /* optional session cache timeout (in seconds) override - 0 means default */ uint32_t sessionCacheTimeout; diff --git a/libsecurity_ssl/regressions/ssl-43-ciphers.c b/libsecurity_ssl/regressions/ssl-43-ciphers.c index 933a77d9..92afa7e4 100644 
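Review bot: `if (kAllowServerIdentityChangeDefaultValue>0)` compares a `bool` with an integer; since the variable is declared `bool`, the plain truth test `if (kAllowServerIdentityChangeDefaultValue)` says what is meant and matches the surrounding style. The default set a few lines earlier (`ctx->allowServerIdentityChange = false;`) is then overridden by the host-wide preference and later by `SSLSetSessionOption`, so the comment `/* Default for allowing server identity change on renegotiation is FALSE */` could note that order, e.g. `/* ... FALSE; may be raised by the SSLAllowServerIdentityChange host preference or kSSLSessionOptionAllowServerIdentityChange */`.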
--- a/libsecurity_ssl/regressions/ssl-43-ciphers.c +++ b/libsecurity_ssl/regressions/ssl-43-ciphers.c @@ -85,7 +85,7 @@ static struct { { OPENSSL_SERVER, 4000, 0, false}, //openssl s_server w/o client side auth { GNUTLS_SERVER, 5000, 1, false}, // gnutls-serv w/o client side auth { "www.mikestoolbox.org", 442, 2, false}, // mike's w/o client side auth -// { "tls.secg.org", 40022, 3, false}, // secg ecc server w/o client side auth +// { "tls.secg.org", 40022, 3, false}, // secg ecc server w/o client side auth - This server generate DH params we dont support. { OPENSSL_SERVER, 4010, 0, true}, //openssl s_server w/ client side auth { GNUTLS_SERVER, 5010, 1, true}, // gnutls-serv w/ client side auth diff --git a/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot b/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot index 70d43f1c..efa31374 100755 --- a/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot +++ b/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot @@ -11,7 +11,7 @@ config=${2-Release} roots=/var/tmp project=Security -~rc/bin/buildit . --rootsDirectory=/var/tmp -noverify -release iOS -project $project -archive -dsymsInDstroot \ +~rc/bin/buildit . --rootsDirectory=/var/tmp -noverify -project $project -archive -dsymsInDstroot \ -target $target \ -configuration $config || { echo 'build failed' ; exit 1; } diff --git a/sec/SOSCircle/SecureObjectSync/SOSCoder.c b/sec/SOSCircle/SecureObjectSync/SOSCoder.c index 7a9eb8ff..581d1f2f 100644 --- a/sec/SOSCircle/SecureObjectSync/SOSCoder.c +++ b/sec/SOSCircle/SecureObjectSync/SOSCoder.c @@ -164,7 +164,7 @@ SOSCoderRef SOSCoderCreateFromData(CFDataRef exportedData, CFErrorRef *error) { require(ccder_decode_tag(&tag, der, der_end),fail); switch (tag) { - case CCDER_OCTET_STRING: + case CCDER_OCTET_STRING: { der = der_decode_data(kCFAllocatorDefault, 0, &otr_data, error, der, der_end); p->waitingForDataPacket = false; 
diff --git a/sec/Security/Regressions/secitem/si-33-keychain-backup.c b/sec/Security/Regressions/secitem/si-33-keychain-backup.c index dddb3d10..0456964a 100644 --- a/sec/Security/Regressions/secitem/si-33-keychain-backup.c +++ b/sec/Security/Regressions/secitem/si-33-keychain-backup.c @@ -409,6 +409,7 @@ static void tests(void) "Found the item we added after restore"); CFReleaseNull(backup); + // force tombstone to be added, since it's not the default behavior in Innsbruck per rdar://14680869 CFDictionaryAddValue(query, kSecUseTombstones, kCFBooleanTrue); ok_status(SecItemDelete(query), "Deleted item we added"); diff --git a/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata b/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata new file mode 100644 index 00000000..2310a48b --- /dev/null +++ b/sec/sec.xcodeproj/project.xcworkspace/contents.xcworkspacedata @@ -0,0 +1,7 @@ + + + + + diff --git a/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout b/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout new file mode 100644 index 00000000..3e2b35f5 --- /dev/null +++ b/sec/sec.xcodeproj/project.xcworkspace/xcshareddata/sec.xccheckout 
@@ -0,0 +1,41 @@ + + + + + IDESourceControlProjectFavoriteDictionaryKey + + IDESourceControlProjectIdentifier + 55BE31B1-4B75-46C3-99C0-AC509F5CE8EA + IDESourceControlProjectName + sec + IDESourceControlProjectOriginsDictionary + + B1756FC7-4092-4712-B882-FDA75264D61A + git.apple.com:/git/projects/secmodules/sec + + IDESourceControlProjectPath + sec.xcodeproj/project.xcworkspace + IDESourceControlProjectRelativeInstallPathDictionary + + B1756FC7-4092-4712-B882-FDA75264D61A + ../.. + + IDESourceControlProjectURL + git.apple.com:/git/projects/secmodules/sec + IDESourceControlProjectVersion + 110 + IDESourceControlProjectWCCIdentifier + B1756FC7-4092-4712-B882-FDA75264D61A + IDESourceControlProjectWCConfigurations + + + IDESourceControlRepositoryExtensionIdentifierKey + public.vcs.git + IDESourceControlWCCIdentifierKey + B1756FC7-4092-4712-B882-FDA75264D61A + IDESourceControlWCCName + sec + + + + 
diff --git a/sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate b/sec/sec.xcodeproj/project.xcworkspace/xcuserdata/jkauth.xcuserdatad/UserInterfaceState.xcuserstate new file mode 100644 index 0000000000000000000000000000000000000000..9860dcc4d59134c16326b333dc2a9b1ed6ec0fc7 GIT binary patch literal 12304 zcmch734BvU*Z0ia+cs&EHv7^vds5k2TDqeMrDYQ+*p0H5w7s-}G$~06l!{D577-L= z6Gfy2K|}->+{FbEaRUKy!5!J$cM(zFbCcfCDn35H@BO~7{k6%RIWu!+&h|fNZf&#I z6AWc$9zz%r#2^;Mp?G#Zdq=f%78eM5{Jv_ZzjiuT7YdGdx&w8M9%!y`hWyP+gcohv zrN9GF0umt=QX>uOjryQ;l!5x9Oq7NCp=^|ca?t>EH5!P9ppj@4Dn~VFDsrP*REO#j zho+$hGy?_EY%~X5hvuQ1&{A|WT87r5b?A1q9^HX9p?1`P?n67!{b(n806l~rMNgq; z(R1h+dJ7##Z=-k6yXZZ10=o8Lq?=@Kjun8*vD?;8}P!o`We~ zh;PL!@JhTEugC4U1K)%1!#nW(_(8k}KaQWmuj4oHA$%CWiI3o;_!xc*pTO_qPw`3o z75*B3gTKY+@vrz#5=SINL3Bh<48%fQB%NfFLQ+HqlWWLGQcfyJC8;9KWF`raAPJEc zGKwgLSff*mO3F z&1bJ-OV}aoP_~pE!;WRE*;=-d^|L{CHrvL|XDNFldlS2yUCFMgboyGn-lIs25|IQ+ zQ8H4FD=p8M!Lzr3yq`kG=Yk!m?lyQl~UPuWJ7l3Ku+XBY3K^n1NERuG?}K; z44OsrXaP0BuLal|9N^qDn*APMC|Fb%^2~CFxcVA-N(nd3-Qo=msrQ8Zf$|Wv28a3s zm1U!XHF8}ESKHFi;PEw#^Z4rhvj=mH?pYpxU{YiPuDq_1YvN$)=wn%nuY?PRJU({_ zjJ!skENnhH80OQLadmJQ(Y1u$&ZUZ)n}@<-1xNTsdwibQ!Z3Tc=VHGv==XAB;iU3V zA?nqE@=*bmQ$+{rkFKOjYUOvFR$b?>=Q2PXBR!#v?u%xW`&$BaTrm*T$n*X?!eW0@ zvpe7k`hC&41QrIN!Kha|Dx#`(R7|zhauf{(yDUVUoaL2e>^1~@OA%`A>0 zs-fx{`M7BwFW0|s-@a9TFQ`edZ;3nP&h9&XhPx%y*tdk6#d-bBy!!MFdEI@>xw@8s zC)CdW%`}ixM%@uK8kM3kXzYZjqWauTTy^v-7pyETha>Mm z*P^oM*Xq*pF%f?(Y^VZ_N4>V7N>qi$p=zq5dTO94ThIhF5%g;^HPTejDKme@`mq5| zlRMBV2(!Wi+X%UvnnB_J(pBXNdTPB~aicrnt_yL2GPkdRn>^f8&lP#SBZ9#e4m8B| zmqF#67Xk%W-+h#$=!h(6CiEUYVc{y3|STHYo293y5 zBUhD{k8TOMVet|VXujVE3~xq_XgVsJR9b$iP1wH|`FWjcLOyDvjtOdJ*_t&EZmzDmFXdy^{F-@aafb@G% z3onKH8jmstkV0N&zlaoa3g&ecf-vWDv=a5&jH*GSDrpMnlWsG*4Xr|}X)oHF_Mw*X zZTWdQxqYlT^Cq?Bo z;N_tJII4+WPc7I-#88AGo6%NYo?Fm8v>(mxK-7K$`m2D!U}v5>Zj`^S({E{F zZACmf34sE(1i($$>t}`PBedyWAoix$fkS8kP3|9gZ1e|1RdWjRYVvZ9M54zo^k6&0 z2ZrWHb@5^J$ds5S76k%sP{N1N9#jS{BJvm=_85Aw0~MhssEQWS{H|KCH=+go|G#L# 
z^XL`S>t6H%+J|05`_W720D2i6q*u`a^lCbg4x&YLFfG0py^3B#uY+DB0ig|IPYE3o z##e!YFhH5ahn^{LoY4p{Gyr0%kzdU>2m!LfT?;Nf6!3e!T%e{PE4whKII|$VI48R} zJ*Q-7QF>u^NmhDp$&iA);{2SxcbY_1CGQHTXlqQD1`K2U4Y|! zqa*&lPge$_tX<-v(&w4k!i}g0uj`rS0iNU*Adg14%dggTG2R>3x&tGEo!$;SWQ-Bm z>fr8OZEblu;H(NW=k>9+W##jZtgv6&?$5pouNbN zFgl!$px4lmbQB#;OSc0Au%R!|m*^|>HGKOPeFqRAiH@OT=|s92zTHoE@(Qml3I+k5 zyM-tm9OZ8Hw*Wqo1E1xM{@JAv;Tzn51tvlRusq6L%Xw?$>HIb>E40dx#|u%Z2;fCI zK>tvchnpRpE;be4S0nFs?A_!Ju))*dyUYwcL(%y?T##2J7&a7Q=2&;Ak+=J3AdXI- z{Ffjo9O54s@ebopdTl$#v@BxvB~=wMUPpwureMVMa2%K(j>ieKoQ~&BFM=9=4Dwqe;{-|@c7X%McI?1TI*CrEQ#Ru??8H524V^+4@td-CLouV7Vd|$aSqPKc{m>z;6gf; zx@j$~qxF=d(`W;2q#inb2fh+H@Bn-@9*76wBKW)-+3-L*15~q#QW~Z=&>P{Cf_jGe zEjU4>F?M4-7K3kaHwU@;VF7L{Lw zBzO{@jHlolz?;!?hjn6y5TrgjpEe%>GB>Wpb>jgp2O|-k`fKFMm~Hbiu7M}8SircL z!_y$qh;bF2cQZ6Mpt9IHf(CoA4=K0c>39bA;wCzi2569mwqQSQ#xwCu+Cpd3>);oX zIC*LLSiq?b0e5p$6(B}~9{K}SrR75*UO^xq6YxN0UPpO+TqGIe#Yd5xrL*KDx}7k-0kW>xcDl2$885&$@<;to z1eam^EnsR9UW}LEoA6S6GhT+5<6D5E$X$?yOfh}Yl1cL`gjZM0P$ zPv_9NRpqTg@RqPnT{LD_aC1VD;YaapcrmQC3a`dXVc<9(Hx152a)!1=x3&)7E=<^g z*P*gw_zrw0-T-6n!W;43coUp#xo0j1Qkyo^>uw0bGtY%%P+G(jB85~==h5py+!>=< z>OA%CVF3WHT;+)9{G0KXPT6$e&8RHexD{`M=o~xGn6`Bq{$_kH-p-%sKa+s&ba`6&gZJWR@pJfj`~u!b7tWr0XM*vI1~a6oN&Qc_H)r`_N>5=Fa>rI*P|aeE8<&3LzYp@(CW8ca?;vG6ew(gn$M4dWygl>0RJpy7 zV-^MZ8HDrv0DlDF0DnktYsVkcRn$@r$%D}O83y>Z8K1(Z@fo_BuAyr;<8$~7JglQ@ z;nz|vWKolZFFgK>3F|xjBjg?Udl+y#UE2{E85vi>lL@O_z!ziO{!Z_p)twy#5hCzL z7r4A`c;yb>lx3`mIde@~6B~e2MQPGXClYh1 z(;$*$)Kx}m2f`95BvoLFm}vVYrmVysW6D80E-jHpdh(k+gHOZ!Yr1S!m@FQ_wtmhmUN>WMaFccBxA|7^gg;H;_^X7Vpx-hl(A)MLK}UcDxBy?h zJ0KW+q#zjS7{>WLEkPb{^K(Q;fM=+RR`a9JM5Y8ranNQ9q(p{cA>7gD2?VV-E z2t!eBtes6``Dr1{_(A}b0$dQjL=tnrQwo9q7F#&fmm^0A`Je3%Q4ECEJJ!ils&L z75XYYL_ee(p=_$6mPx!@=Btl9JUnW zfN+^UqtG{G4#=0k3c8d&O%(c|I0@dVxuw?YsmrKK4@L^L!bbOyCjr9!tu#rVB2R-+ z?4_^K*TD?l0L$k~gu7naSJAyh*tIzI7I~5EM-uW9IY3?}2gxhsRpbCe5f~Ao_>@ab z@_A>3q6swOQZrux;4%N0X~Nh`ee?uY#2YH`-5DoK} z1R0IG5z4V{PoRT*$fF=03j8BY=X&^i(DnBqo~6@cLenX73Yu2ax9Kr?oWR$)2;I9p 
z9UoI8te`#Q>khu+b(DMytbd2DAwQtu6YD!KNkH=BLqY+Ws_FYQnm3c5$uHnFAiEZh zR}f7HInOhGxvuEmFOc7Aeg>7zh?^5KTKhnVWSw@v zBrytpOfq<>Q}pQ$M#-q?Y5D~eQj2&52Ujox#9?#{6dAfZEG88>7&AQs!Z}B)BkVFZ zs8%v|dNvk+85fg=dTj#C7$xY*6ZE2=)BJAx$;sy7SJ(YyF#Z0vU^Xn6OTUB#F9-`3 z@aI!VzlwP=<|?M--@OJ+TI5CVRVW3Imdj?d=bW~Fjj}LCXBUPn6H?x zNh9-Z80*5=L@$Q11@f9v+_Xp?cYK+rp)vApLKHkj@L&Yk#UNM=!U@**3v-cQ?L6}< zbAkCSjP+q`2;-D6Hg1870tfRavVrx1>ZAfz1$1Vtf?HJ{UO>^Do6SSaV3~V%G+ToU z>h8Ur0I9PSXYJM*8SW2+pqyM6@H9gW8vvHJ8%bn#9^*vpmQ5h*H^tPIO=P8D1T4tc z+>RU|7hq1&dEp$*Kl$xpDYY_EvOoDo{uHKk!Q*uGIWEil%P&51FV8^%`%j1};V z6|()qxJMZGzQou7c2L*F*dlgt821e0UbK3A48c1Fd8T$-b{Kn2w^1Y6QDNLCjMIg5 zTfpkkRBF<5kWpj!8qQX+P*YR}{Qgi>yLcF18o8p;HAHfbC=lf@XQ0p& z?a?m07zVbLbo}B<|Ok^jqlVP0-b}HV*y3zV-xX<&}2RL69+~h-I zF_Euh!DqD4Y88OUKjDLk{(whFNBFf0!Wd37vx_fb>)3k1m*j_WRu^Bwdcc>k)7crU zmu(8;eqo#)#yMe}`@i=k>~&FJlJ_5cNw+g$7s9Dbg_og*qxE4Z-@{(|^I!{t3A+^h z3R?vSN#BcLDE1ci)@ac?22i_Q-gFmT2fKoYP<)O2zafvVa2vZSTGjuzAsy^$es=x> z;NM82n^_B+LHpn;5_}|-UPp4RTzyo!T;NUiPIg0OB+H=~UN|$ri!{CA<+A>0AbAE} zaym@jftQ;;hu50EBR`Pym!>dN;RU98i1>}nbjHj0m@vG$w2)a0 zuP@!qEQeQ^Rx+!YHO&3YLFOd$Et|j^*c^BPiDRe1i$`mjA z?62%^>>qI`j>IL$>Eax5uDC1Wdd4k?TNbx2Zd2UWxE*m1#yuH#AntJ7k+@@V$K&3K z`y}pU+^M)Tap&T`h>wp?kH0d$F5VkIH@+=?ar}z-t?@hKpNu~c|62ST@rUEzihn!) 
z-S`vnXX8JQ|1$pTgy9L53F8vRCrnIuJYj#r8wrOKjwBpQIG*rP!Y2tQ6HX#n*^OiA%*3#goM~Vz+p& z_*L=y;t$0ii$4{ACO$1bEB;*krTBO8pNTk;O^i}uH{*vak2)PPu468$U?GN zvh}i^vcs|uWIxJ&mYtVfkX@Ahk%W>+5}OpCBuYw5vL!i^TuE0X^-SuWl%CW#DJv;E zDK{xUsW543(xRk?l3q>vC|R6bkUS>YpS&dbiR2fO4<)~u{9f|c$v?@(a<$wh?r{C@cZ^4;<$hc_ zl>A3UoINU6>lltR=le?q4-qs zlaeSCl`>_rQlU&y+Lc!*3zP$u!|v&lgd-d zZ&XMnQK?m0m0o32^-*Q1u2KzA4O5L!m8mLJm8x3ROjS_TqMEI0Rkf++sphM0QLRwj zrdq99tGZovhiZdrqiUz>HPuOVg4&?YQP-*Gsu!!5s+Xy6Rj*X9Qs1L~NWDk>nEFZe z)9StI7u1K;$JOts-&4P@KB+#XKBGRT{zCnu25X2WS)HRRk}60dv(w2-qD@b{jL}3t@=Fuczu(8j((wjiGHbmx&BuD zO8pc1m-Gkquj=2>AJ!kyzpejF|Aqc5{WtpW^yl>#^cVGi7?7clp~NuBz!@41(+yrj zt6_;@sbQJn7Q+g|ZHCo`wT62P+YH+cI}AGwy9^H+9yaVTykL04aL(|1iXkOGr8uQB zr8Z?oN>hqIWoAk+<+_yXQ)tQ!DL1ApO1U-Vu9WR5dsE&_`8eeVW3o|UR2el!ozY+% zX{<0#Hr5#3#yTTsY%qq5^NkCQi;XuKZ#J$rK5Ts4__pyg<7wkrqrpc!1CckN>DQKEwnrphwbiHYbX^m-vX`^YAsl&A0 zw8OO1w9E9M=}FTwre{sho8B-TG95M@F`Y1dX!_Xnsp(g9yjf;WHY?03bBa0DY&KiX zc5`oYhB?#R&pgmvY94DYGgp|a%+=-z=1Jxm<|eb>JkuOBx0q*}Tg`3eCFYgpRpvG3 zb>{Wv4)YfCR`b2)`^@*7_n7yY51BtRpEjR0e{TNL{I&TP3$hRkYl*jrEQuDK#b7a7 zOqO1jK9&qire%O-pry!CY#D1Qvs75BEE6mZ7LR3yrO7hO(rRh5%(JYvv|F}VwpzAZ zc35^=p0qq;dDilRWxwTs<(TD!$y7emS)z%_wiFKHDgmt8Kv~`Sil9jVISUuJm)+XyLYpeA->-E;Kb%Ax6 z^$zP+>r>Xf*5|GJtoyA8tcR`dTHm*RWc}27%6i87qxEO&dFusRf=z6b*kra8TdK`$ zv)a;anYMnm99w~Hh;5i{gl(j));7cDv(2;xZ8zI)x3$~0*tXg3v+cA!YJ0-=v~92L zdD}kQYqsOIPi(*1v+*|!10RXHOFzsM~*KY-#LD8{N%Xc_}z(|#Hn_goEgqy=Va#`XPa}LlR6hTH#qNc z-tT)t^`-2OXf;;DO@U7s>|i-;p*+maAmo&U4vYMT_vueu5wqU zYn*GmYnrRkHQnWPwYsizUGJi<8(k}1t6Xbb>s-5C54-lb9(O(I+UI)7bzM10 vG$t)QEiY|SnmcWA+KRMQX=~EfrEO1pAnlO|uIKNnB0ub1(NE!j+N1vim-JU- literal 0 HcmV?d00001 diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme new file mode 100644 index 00000000..6926d6a6 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCPSRegresssions.xcscheme 
@@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme new file mode 100644 index 00000000..bac26879 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudKeychainProxy.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme new file mode 100644 index 00000000..5880dcd5 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libCloudProtection.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme new file mode 100644 index 00000000..2144bfeb --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSCommands.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme new file mode 100644 index 00000000..9e81d34a --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSOSRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme new file mode 100644 index 00000000..f75e31b7 --- /dev/null 
+++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecItemShimOSX.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme new file mode 100644 index 00000000..95daee4d --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecOtrOSX.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme new file mode 100644 index 00000000..91e9ff49 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecureObjectSync.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme new file mode 100644 index 00000000..93eabc64 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityCommands.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme new file mode 100644 index 00000000..e5b07f27 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme new file mode 100644 index 00000000..32f54126 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libSecurityTool.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme new file mode 100644 index 00000000..27a28f0a --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecdRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme new file mode 100644 index 00000000..c2be7edd --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecipc_client.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme new file mode 100644 index 00000000..a1652457 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurity.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme new file mode 100644 index 00000000..434f12ef --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecurityd.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme new file mode 100644 index 00000000..904ed592 --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/libsecuritydRegressions.xcscheme @@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist new file mode 100644 index 00000000..f24515bb --- /dev/null +++ b/sec/sec.xcodeproj/xcuserdata/jkauth.xcuserdatad/xcschemes/xcschememanagement.plist 
@@ -0,0 +1,172 @@ + + + + + SchemeUserState + + libCPSRegresssions.xcscheme + + orderHint + 15 + + libCloudKeychainProxy.xcscheme + + orderHint + 9 + + libCloudProtection.xcscheme + + orderHint + 14 + + libSOSCommands.xcscheme + + orderHint + 12 + + libSOSRegressions.xcscheme + + orderHint + 5 + + libSecItemShimOSX.xcscheme + + orderHint + 2 + + libSecOtrOSX.xcscheme + + orderHint + 8 + + libSecureObjectSync.xcscheme + + orderHint + 4 + + libSecurityCommands.xcscheme + + orderHint + 11 + + libSecurityRegressions.xcscheme + + orderHint + 6 + + libSecurityTool.xcscheme + + orderHint + 10 + + libsecdRegressions.xcscheme + + orderHint + 13 + + libsecipc_client.xcscheme + + orderHint + 3 + + libsecurity.xcscheme + + orderHint + 0 + + libsecurityd.xcscheme + + orderHint + 1 + + libsecuritydRegressions.xcscheme + + orderHint + 7 + + + SuppressBuildableAutocreation + + 0C0BDB55175687EC00BC1A7E + + primary + + + 18270F5414CF651900B05E7F + + primary + + + 186CDD0E14CA116C00AF9171 + + primary + + + 18D4043414CE0CF300A2BE4E + + primary + + + 18D4056114CE53C200A2BE4E + + primary + + + 4A5CCA4E15ACEFA500702357 + + primary + + + 4A824AFB158FF07000F932C0 + + primary + + + 4CC92AC215A3BC6B00C6D578 + + primary + + + 5284029F164445760035F320 + + primary + + + E702E73514E1F3EA00CDE635 + + primary + + + E702E75714E1F48800CDE635 + + primary + + + E71049F1169E023B00DB0045 + + primary + + + E7104A12169E216E00DB0045 + + primary + + + E7CBDB711890BD810010B75B + + primary + + + E7CBDB911890BF350010B75B + + primary + + + E7FEFB82169E363300E18152 + + primary + + + + + diff --git a/sec/securityd/Regressions/secd-55-account-circle.c b/sec/securityd/Regressions/secd-55-account-circle.c index af4bec9f..fc4f8348 100644 --- a/sec/securityd/Regressions/secd-55-account-circle.c +++ b/sec/securityd/Regressions/secd-55-account-circle.c 
@@ -213,6 +213,8 @@ static void tests(void) // Both in circle. + // Emulation of Innsbruck11A368 +Roots: Device A was removed when Device B joined. + // We want Alice to leave circle while an Applicant on a full concordance signed circle with old-Alice as an Alum and Bob a peer. // ZZZ ok(SOSAccountLeaveCircles(alice_account, &error), "Alice leaves once more (%@)", error); diff --git a/sec/securityd/SecItemServer.c b/sec/securityd/SecItemServer.c index 729a7431..29485ea8 100644 --- a/sec/securityd/SecItemServer.c +++ b/sec/securityd/SecItemServer.c @@ -611,12 +611,12 @@ struct sql_stages { the script in the main table. {pre,main,post, reencode} */ static struct sql_stages s3dl_upgrade_script[] = { - { -1, 0, 1, false },/* 0->current: Create version 6 database. */ - {}, /* 1->current: Upgrade to version 6 from version 1 -- Unsupported. */ - {}, /* 2->current: Upgrade to version 6 from version 2 -- Unsupported */ - {}, /* 3->current: Upgrade to version 6 from version 3 -- Unsupported */ - {}, /* 4->current: Upgrade to version 6 from version 4 -- Unsupported */ - { 3, 0, 7, true }, /* 5->current: Upgrade to version 6 from version 5 */ + { -1, 0, 1, false },/* 0->current: Create version 6 (Innsbruck) database. */ + {}, /* 1->current: Upgrade to version 6 from version 1 (LittleBear) -- Unsupported. */ + {}, /* 2->current: Upgrade to version 6 from version 2 (BigBearBeta) -- Unsupported */ + {}, /* 3->current: Upgrade to version 6 from version 3 (Apex) -- Unsupported */ + {}, /* 4->current: Upgrade to version 6 from version 4 (Telluride) -- Unsupported */ + { 3, 0, 7, true }, /* 5->current: Upgrade to version 6 from version 5 (TellurideGM). */ }; static bool sql_run_script(SecDbConnectionRef dbt, int number, CFErrorRef *error) -- 2.47.2