securityd-55199.3.tar.gz
[apple/securityd.git] / src / codesigdb.cpp
index 411f8ec481f8646b492b227f1a2276f2c36bb495..c0b78686c51a697497daaa79d9cc8652674bf166 100644 (file)
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2003-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2003-2008 Apple Inc. All Rights Reserved.
  * 
  * @APPLE_LICENSE_HEADER_START@
  * 
  * 
  * @APPLE_LICENSE_HEADER_START@
  * 
 #include "codesigdb.h"
 #include "process.h"
 #include "server.h"
 #include "codesigdb.h"
 #include "process.h"
 #include "server.h"
-#include "osxcodewrap.h"
 #include "agentquery.h"
 #include <security_utilities/memutils.h>
 #include <security_utilities/logging.h>
 #include "agentquery.h"
 #include <security_utilities/memutils.h>
 #include <security_utilities/logging.h>
+#include <Security/SecRequirementPriv.h>
 
 
 //
 
 
 //
@@ -228,19 +228,18 @@ bool CodeSignatures::verify(Process &process,
 {
        secdebug("codesign", "start verify");
 
 {
        secdebug("codesign", "start verify");
 
-       // if we have no client code, we cannot possibly match this
+       StLock<Mutex> _(process);
        SecCodeRef code = process.currentGuest();
        if (!code) {
                secdebug("codesign", "no code base: fail");
                return false;
        }
        SecCodeRef code = process.currentGuest();
        if (!code) {
                secdebug("codesign", "no code base: fail");
                return false;
        }
-       
        if (SecRequirementRef requirement = verifier.requirement()) {
                // If the ACL contains a code signature (requirement), we won't match against unsigned code at all.
                // The legacy hash is ignored (it's for use by pre-Leopard systems).
                secdebug("codesign", "CS requirement present; ignoring legacy hashes");
                Server::active().longTermActivity();
        if (SecRequirementRef requirement = verifier.requirement()) {
                // If the ACL contains a code signature (requirement), we won't match against unsigned code at all.
                // The legacy hash is ignored (it's for use by pre-Leopard systems).
                secdebug("codesign", "CS requirement present; ignoring legacy hashes");
                Server::active().longTermActivity();
-               switch (IFDEBUG(OSStatus rc =) SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
+               switch (OSStatus rc = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
                case noErr:
                        secdebug("codesign", "CS verify passed");
                        return true;
                case noErr:
                        secdebug("codesign", "CS verify passed");
                        return true;
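Review bot: The new `StLock<Mutex> _(process);` at the top of `CodeSignatures::verify` is held for the rest of the function, which on the requirement path includes `Server::active().longTermActivity()` and `SecCodeCheckValidity(...)`, and the hunk deletes the only comment on this prologue, so nothing says what the lock protects. If the intent is to keep `process.currentGuest()` and the returned `SecCodeRef` stable while the signature is validated, say so with a comment such as `// hold the process lock so the guest code reference cannot change while it is validated`, and confirm that nothing on the validation path tries to take the same mutex again. Separately, `rc` is now declared unconditionally but is only read inside `secdebug(...)`; if that macro compiles away in release builds, as the removed `IFDEBUG` wrapper suggests, the variable is unused there. The body of `verify` continues outside this hunk.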
@@ -248,7 +247,7 @@ bool CodeSignatures::verify(Process &process,
                        secdebug("codesign", "CS verify against unsigned binary failed");
                        return false;
                default:
                        secdebug("codesign", "CS verify against unsigned binary failed");
                        return false;
                default:
-                       secdebug("codesign", "CS verify failed OSStatus=%ld", rc);
+                       secdebug("codesign", "CS verify failed OSStatus=%d", int32_t(rc));
                        return false;
                }
        }
                        return false;
                }
        }
@@ -361,7 +360,7 @@ OSStatus CodeSignatures::matchSignedClientToLegacyACL(Process &process,
                                return noErr;
                        }
                default:
                                return noErr;
                        }
                default:
-                       secdebug("codesign", "validation fails with rc=%ld, rejecting", rc);
+                       secdebug("codesign", "validation fails with rc=%d, rejecting", int32_t(rc));
                        return rc;
                }
                secdebug("codesign", "does not withstand strict scrutiny; ask the user");
                        return rc;
                }
                secdebug("codesign", "does not withstand strict scrutiny; ask the user");
@@ -408,6 +407,8 @@ bool CodeSignatures::verifyLegacy(Process &process, const CssmData &signature, s
                return false;
        }
        
                return false;
        }
        
+#if CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE
+       
        // Ah well. Establish mediator objects for database signature links
        AclIdentity aclIdentity(signature, path);
 
        // Ah well. Establish mediator objects for database signature links
        AclIdentity aclIdentity(signature, path);
 
@@ -496,6 +497,12 @@ bool CodeSignatures::verifyLegacy(Process &process, const CssmData &signature, s
        mDb.flush();
        secdebug("codesign", "new linkages established: pass");
        return true;
        mDb.flush();
        secdebug("codesign", "new linkages established: pass");
        return true;
+
+#else /* ignore Code Equivalence Database */
+
+       return false;
+
+#endif
 }
 
 
 }
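Review bot: The `#else` branch added to `CodeSignatures::verifyLegacy` returns `false` without any trace, so a legacy ACL match refused because the equivalence database is compiled out cannot be told apart in the debug log from an ordinary mismatch. The pass exit just above it logs `new linkages established: pass`; add `secdebug("codesign", "legacy code equivalence database disabled: fail");` before the `return false;`. The guard `#if CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE` in the preceding hunk is not defined in any visible line; an undefined macro evaluates to 0, so the default is the fail-closed path, but a comment beside the `#if` saying where the macro is meant to be set and that the database is deliberately off would keep a misspelled build setting from going unnoticed. The function body starts outside these hunks.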