From 5dd5f9ec28f304ca377c42fd7f711d6cf12b90e1 Mon Sep 17 00:00:00 2001 From: Apple Date: Thu, 27 Aug 2015 06:13:47 +0000 Subject: [PATCH] Security-57031.40.6.tar.gz --- CircleJoinRequested/Readme.txt | 1 - Security/authd/authdb.c | 5 +++ Security/authd/authorization.plist | 19 +++++++++-- .../lib/tpCredRequest.cpp | 30 +++++++++++++++-- Security/libsecurity_asn1/lib/plarena.h | 7 ++-- Security/libsecurity_keychain/lib/Trust.cpp | 6 ++++ Security/sec/Security/SecPolicy.c | 3 +- .../testSubjects/anchorAndDb/anchorAndDb.scr | 2 +- .../ota_cert_tool/TestValidator/Readme.txt | 5 +++ libsecurity_smime/lib/cmsrecinfo.c | 2 +- securityd/src/agentquery.cpp | 32 ++++++++++++++++--- 11 files changed, 95 insertions(+), 17 deletions(-) diff --git a/CircleJoinRequested/Readme.txt b/CircleJoinRequested/Readme.txt index 0e237bb1..6f96d109 100644 --- a/CircleJoinRequested/Readme.txt +++ b/CircleJoinRequested/Readme.txt @@ -2,5 +2,4 @@ This project is a copy of the normal Foundation command-line tool, and the diffe It uses the standard Debug and Release configurations. Currently, command-line tools aren't supported in the Simulator. - Thanks! diff --git a/Security/authd/authdb.c b/Security/authd/authdb.c index c52e61ba..ca1416f3 100644 --- a/Security/authd/authdb.c +++ b/Security/authd/authdb.c 
@@ -203,6 +203,11 @@ static void _db_load_data(authdb_connection_t dbconn, auth_items_t config) old_ts = auth_items_get_double(config, "data_ts"); + // SEED: BUG: Fast User Switching Not Working + // After Mavericks => Yosemite upgrade install, the new Yosemite rule "system.login.fus" was missing. + // Somehow (probably during install) ts < old_ts, even though that should never happen. + // Solution: always import plist and update db when time stamps don't match. + // After a successful import, old_ts = ts below. if (ts != old_ts) { LOGV("authdb: %s modified old=%f, new=%f", AUTHDB_DATA, old_ts, ts); CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, authURL, &data, NULL, NULL, (SInt32*)&rc); diff --git a/Security/authd/authorization.plist b/Security/authd/authorization.plist index ca131696..26ae0530 100644 --- a/Security/authd/authorization.plist +++ b/Security/authd/authorization.plist @@ -185,7 +185,7 @@ See remaining rules for examples. class user comment - This right is used by Safari to show passwords + This right is used by Safari to show passwords. session-owner shared @@ -193,6 +193,19 @@ See remaining rules for examples. timeout 10 + com.apple.Safari.install-ephemeral-extensions + + class + user + comment + This is the right used by Safari to install an ephemeral extension without a developer certificate present. + session-owner + + shared + + timeout + 0 + com.apple.ServiceManagement.blesshelper allow-root @@ -936,7 +949,9 @@ See remaining rules for examples. group admin shared - + + version + 1 system.preferences.energysaver diff --git a/Security/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp b/Security/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp index efd88960..be25daea 100644 --- a/Security/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp +++ b/Security/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp 
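Review bot: The new `com.apple.Safari.install-ephemeral-extensions` rule is class `user` with no `group` key among the added lines, unlike the `group admin` rule in the later hunk, so it appears that authenticating as the session owner is enough to install an extension that has no developer certificate. The values of `session-owner` and `shared` are not legible in this rendering of the patch and should be confirmed; `shared` false alongside `timeout 0` would keep the credential from being reused by other requests. The `comment` string should say who is expected to hold the right and why admin membership is not required, for example `Used by Safari to install an ephemeral extension without a developer certificate; requires authentication by the session owner.` if that is the intended behaviour.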
@@ -293,9 +293,35 @@ void AppleTPSession::makeCertTemplate( CSSM_BOOL freeRawKey = CSSM_FALSE; rawCert = NULL; + + /* + * Set Signature Algorithm OID and parameters + */ algId.algorithm = sigOid; - algId.parameters.Data = NULL; - algId.parameters.Length = 0; + + /* NULL params - skip for ECDSA */ + CSSM_ALGORITHMS algorithmType = 0; + cssmOidToAlg(&sigOid, &algorithmType); + switch(algorithmType) { + case CSSM_ALGID_SHA1WithECDSA: + case CSSM_ALGID_SHA224WithECDSA: + case CSSM_ALGID_SHA256WithECDSA: + case CSSM_ALGID_SHA384WithECDSA: + case CSSM_ALGID_SHA512WithECDSA: + case CSSM_ALGID_ECDSA_SPECIFIED: + algId.parameters.Data = NULL; + algId.parameters.Length = 0; + break; + default: + static const uint8 encNull[2] = { SEC_ASN1_NULL, 0 }; + CSSM_DATA encNullData; + encNullData.Data = (uint8 *)encNull; + encNullData.Length = 2; + + algId.parameters = encNullData; + break; + } + /* * Convert possible ref public key to raw format as required by CL. diff --git a/Security/libsecurity_asn1/lib/plarena.h b/Security/libsecurity_asn1/lib/plarena.h index 44eaf27d..090ad107 100644 --- a/Security/libsecurity_asn1/lib/plarena.h +++ b/Security/libsecurity_asn1/lib/plarena.h @@ -119,12 +119,11 @@ struct PLArenaPool { #define PL_ARENA_GROW(p, pool, size, incr) \ PR_BEGIN_MACRO \ PLArena *_a = (pool)->current; \ - typeof((incr)) _incr = PL_ARENA_ALIGN(pool, incr); /* __APPLE__ more to be generic */ \ PRUword _p = _a->avail; \ - PRUword _q = _p + _incr; \ + PRUword _q = (PRUword)p + size + incr; /*__APPLE__ */ \ if (_p == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \ - _incr <= _a->limit - _a->avail) { /* __APPLE__ */\ - _a->avail = _q; \ + _a->limit >= PL_ARENA_ALIGN(pool,_q)) { /* __APPLE__ */ \ + _a->avail = PL_ARENA_ALIGN(pool, _q); /*__APPLE__ */ \ PL_ArenaCountInplaceGrowth(pool, size, incr); \ } else { \ p = PL_ArenaGrow(pool, p, size, incr); \ 
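Review bot: The result of `cssmOidToAlg(&sigOid, &algorithmType)` is discarded, so a signature OID it does not recognise leaves `algorithmType` at 0 and silently falls into `default:`, which emits an encoded NULL for an algorithm the code never identified. If the helper reports failure through its return value, as its out-parameter suggests, the request should be rejected there rather than guessing the parameter encoding. In the same branch `(uint8 *)encNull` casts away const on a function-local static, so `algId.parameters` now aliases read-only storage; a comment such as `/* parameters points at static storage: never free or modify */` would warn later readers, and it is worth confirming that nothing downstream does either. The body of makeCertTemplate starts and ends outside the hunk.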
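Review bot: The new bound `_a->limit >= PL_ARENA_ALIGN(pool,_q)` is computed from `(PRUword)p + size + incr`, which can wrap for a large `incr`, whereas the removed test `_incr <= _a->limit - _a->avail` used the subtraction form that cannot. A wrapped `_q` compares below `limit`, so the in-place branch would be taken and `avail` set to a value that does not cover the requested growth. Adding a subtraction-form guard to the condition, e.g. `(PRUword)(incr) <= _a->limit - _p &&` ahead of the limit comparison, keeps the new alignment behaviour without the wrap. The arguments are also unparenthesised in the new line; `(PRUword)(p) + (size) + (incr)` would match the rest of the macro. The macro continues past the end of the hunk.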
diff --git a/Security/libsecurity_keychain/lib/Trust.cpp b/Security/libsecurity_keychain/lib/Trust.cpp index 04a27c24..dad88911 100644 --- a/Security/libsecurity_keychain/lib/Trust.cpp +++ b/Security/libsecurity_keychain/lib/Trust.cpp @@ -326,6 +326,12 @@ void Trust::evaluate(bool disableEV) else if (mNetworkPolicy == useNetworkDisabled) actionDataP->ActionFlags &= ~(CSSM_TP_ACTION_FETCH_CERT_FROM_NET); + if (policySpecified(mPolicies, CSSMOID_APPLE_TP_ESCROW_SERVICE)) { + // ignore expiration dates, per rdar://21943474 + actionDataP->ActionFlags |= (CSSM_TP_ACTION_ALLOW_EXPIRED | + CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT); + } + /* * Policies (one at least, please). * For revocation policies, see if any have been explicitly specified... diff --git a/Security/sec/Security/SecPolicy.c b/Security/sec/Security/SecPolicy.c index 7cf760f5..23823878 100644 --- a/Security/sec/Security/SecPolicy.c +++ b/Security/sec/Security/SecPolicy.c @@ -1785,7 +1785,8 @@ CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateEscrowServiceSigner(void) &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - SecPolicyAddBasicX509Options(options); + // X509, ignoring date validity + SecPolicyAddBasicCertOptions(options); add_ku(options, kSecKeyUsageKeyEncipherment); diff --git a/SecurityTests/clxutils/certcrl/testSubjects/anchorAndDb/anchorAndDb.scr b/SecurityTests/clxutils/certcrl/testSubjects/anchorAndDb/anchorAndDb.scr index 88f929b0..ebc9790b 100644 --- a/SecurityTests/clxutils/certcrl/testSubjects/anchorAndDb/anchorAndDb.scr +++ b/SecurityTests/clxutils/certcrl/testSubjects/anchorAndDb/anchorAndDb.scr @@ -12,7 +12,7 @@ # be sure to replace the certs in the corresponding keychain. # # Note: since the RSA MD2 root which signed the amazon.com certificate has -# been removed from the System Roots keychain (), +# been removed from the System Roots keychain in (), # we are no longer checking the CSSM_CERT_STATUS_IS_IN_ANCHORS bit for that cert. # globals 
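Review bot: Setting `CSSM_TP_ACTION_ALLOW_EXPIRED | CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT` on `actionDataP->ActionFlags` affects the whole evaluation, so if `mPolicies` holds other policies alongside the escrow-service one they are presumably evaluated with expiry ignored too; restricting the relaxation to the case where escrow is the only policy would narrow it. The comment cites only a radar number and should state why expiry can be ignored and what still bounds trust, for instance `// Escrow service certs: expiry deliberately not enforced; trust is bounded by <what constrains the chain> (rdar://21943474)`. The same applies to the SecPolicy.c hunk, where `SecPolicyAddBasicCertOptions` replaces `SecPolicyAddBasicX509Options` with only `// X509, ignoring date validity` as explanation. Both enclosing functions extend beyond their hunks.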
diff --git a/certificates/ota_cert_tool/TestValidator/Readme.txt b/certificates/ota_cert_tool/TestValidator/Readme.txt index e69de29b..6f96d109 100644 --- a/certificates/ota_cert_tool/TestValidator/Readme.txt +++ b/certificates/ota_cert_tool/TestValidator/Readme.txt @@ -0,0 +1,5 @@ +This project is a copy of the normal Foundation command-line tool, and the differences are summarized below. + +It uses the standard Debug and Release configurations. Currently, command-line tools aren't supported in the Simulator. + +Thanks! diff --git a/libsecurity_smime/lib/cmsrecinfo.c b/libsecurity_smime/lib/cmsrecinfo.c index 5c2b356d..77f4814d 100644 --- a/libsecurity_smime/lib/cmsrecinfo.c +++ b/libsecurity_smime/lib/cmsrecinfo.c @@ -288,7 +288,7 @@ loser: SecCmsRecipientInfoRef SecCmsRecipientInfoCreate(SecCmsEnvelopedDataRef envd, SecCertificateRef cert) { - /* TODO: we might want to prefer subjkeyid */ + /* TODO: We might want to prefer subjkeyid */ #if 0 SecCmsRecipientInfoRef info = SecCmsRecipientInfoCreateWithSubjKeyIDFromCert(envd, cert); diff --git a/securityd/src/agentquery.cpp b/securityd/src/agentquery.cpp index aa797acd..9694585b 100644 --- a/securityd/src/agentquery.cpp +++ b/securityd/src/agentquery.cpp @@ -35,6 +35,8 @@ #include #include #include // AUE_ssauthint +#include +#include #include #include #include 
@@ -1563,12 +1565,32 @@ QueryKeychainAuth::operator () (const char *database, const char *description, A Reason QueryKeychainAuth::accept(string &username, string &passphrase) { - const char *user = username.c_str(); - const char *passwd = passphrase.c_str(); - int checkpw_status = checkpw(user, passwd); - - if (checkpw_status != CHECKPW_SUCCESS) + // Note: QueryKeychainAuth currently requires that the + // specified user be in the admin group. If this requirement + // ever needs to change, the group name should be passed as + // a separate argument to this method. + + const char *user = username.c_str(); + const char *passwd = passphrase.c_str(); + int checkpw_status = checkpw(user, passwd); + + if (checkpw_status != CHECKPW_SUCCESS) { return SecurityAgent::invalidPassphrase; + } + + const char *group = "admin"; + if (group) { + int rc, ismember; + uuid_t group_uuid, user_uuid; + rc = mbr_group_name_to_uuid(group, group_uuid); + if (rc) { return SecurityAgent::userNotInGroup; } + + rc = mbr_user_name_to_uuid(user, user_uuid); + if (rc) { return SecurityAgent::userNotInGroup; } + + rc = mbr_check_membership(user_uuid, group_uuid, &ismember); + if (rc || !ismember) { return SecurityAgent::userNotInGroup; } + } return SecurityAgent::noReason; } -- 2.47.2
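Review bot: `checkpw()` runs before the group test in `accept()`, so `userNotInGroup` is returned only after a correct password, which tells the requester that a non-admin account's password is valid. Checking membership first would remove that signal and skip the password check for accounts that can never succeed. Where the reason code is surfaced is not visible here, so the impact depends on the caller. Separately, `if (group)` is always true after `const char *group = "admin";` and can be dropped. The three `mbr_*` error paths return `userNotInGroup` without logging, which fails closed but makes a directory lookup failure indistinguishable from a real non-member; a log line carrying `rc` on those paths would help triage.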