X-Git-Url: https://git.saurik.com/apple/securityd.git/blobdiff_plain/f7aa9f666a1c7ab343b4ce8f1677ea253c4e126e..4cd1cad0dea00daa03e1b54fdf2797a02373ad5b:/src/codesigdb.cpp?ds=inline
diff --git a/src/codesigdb.cpp b/src/codesigdb.cpp
index 411f8ec..c0b7868 100644
--- a/src/codesigdb.cpp
+++ b/src/codesigdb.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2003-2008 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -28,10 +28,10 @@
 #include "codesigdb.h"
 #include "process.h"
 #include "server.h"
-#include "osxcodewrap.h"
 #include "agentquery.h"
 #include
 #include
+#include //
@@ -228,19 +228,18 @@ bool CodeSignatures::verify(Process &process,
 {
 secdebug("codesign", "start verify");
- // if we have no client code, we cannot possibly match this
+ StLock _(process);
 SecCodeRef code = process.currentGuest();
 if (!code) {
 secdebug("codesign", "no code base: fail");
 return false;
 }
-
 if (SecRequirementRef requirement = verifier.requirement()) {
 // If the ACL contains a code signature (requirement), we won't match against unsigned code at all.
 // The legacy hash is ignored (it's for use by pre-Leopard systems).
 secdebug("codesign", "CS requirement present; ignoring legacy hashes");
 Server::active().longTermActivity();
- switch (IFDEBUG(OSStatus rc =) SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
+ switch (OSStatus rc = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
 case noErr:
 secdebug("codesign", "CS verify passed");
 return true;
@@ -248,7 +247,7 @@ bool CodeSignatures::verify(Process &process,
 secdebug("codesign", "CS verify against unsigned binary failed");
 return false;
 default:
- secdebug("codesign", "CS verify failed OSStatus=%ld", rc);
+ secdebug("codesign", "CS verify failed OSStatus=%d", int32_t(rc));
 return false;
 }
 }
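Review bot: The `StLock` guard added at the top of CodeSignatures::verify is named `_` and carries no comment saying what it protects, and the removed comment was the only explanation of the `if (!code)` rejection, so the entry of the function is now undocumented. Presumably the lock keeps the process's guest from changing while the SecCodeRef returned by `currentGuest()` is validated — if so, say it: `// hold the process lock so the guest read here is the one validated below`. Note that the guard stays held until the function returns, i.e. across SecCodeCheckValidity, which the code itself flags as slow via longTermActivity(); if only the `currentGuest()` read needs protection the guard could be scoped to it, otherwise a one-line comment on why it must span the check would help the next reader. The body of verify continues past the end of this hunk.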
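Review bot: The new format argument `int32_t(rc)` on the `default:` secdebug line is a functional-style cast, which the project's C++ conventions treat like a C-style cast; the named form is greppable and states intent, i.e. `secdebug("codesign", "CS verify failed OSStatus=%d", static_cast<int32_t>(rc));`. The same applies to the identical change in the matchSignedClientToLegacyACL hunk at @@ -361. The switch that this `default:` case belongs to opens before this hunk.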
@@ -361,7 +360,7 @@ OSStatus CodeSignatures::matchSignedClientToLegacyACL(Process &process,
 return noErr;
 }
 default:
- secdebug("codesign", "validation fails with rc=%ld, rejecting", rc);
+ secdebug("codesign", "validation fails with rc=%d, rejecting", int32_t(rc));
 return rc;
 }
 secdebug("codesign", "does not withstand strict scrutiny; ask the user");
@@ -408,6 +407,8 @@ bool CodeSignatures::verifyLegacy(Process &process, const CssmData &signature, s
 return false;
 }
+#if CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE
+
 // Ah well. Establish mediator objects for database signature links
 AclIdentity aclIdentity(signature, path);
@@ -496,6 +497,12 @@ bool CodeSignatures::verifyLegacy(Process &process, const CssmData &signature, s
 mDb.flush();
 secdebug("codesign", "new linkages established: pass");
 return true;
+
+#else /* ignore Code Equivalence Database */
+
+ return false;
+
+#endif
 }
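Review bot: `#if CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE` silently evaluates to 0 when the macro is not defined at all, so unless a header or the build settings define it (no definition is visible in this diff), the whole database path in verifyLegacy becomes dead code with no diagnostic, and `-Wundef` would warn on the bare `#if`. If compiling the database out is the intended default, make that explicit once near the top of the file, `#ifndef CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE` / `#define CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE 0` / `#endif`, with a comment that the off setting makes legacy-hash ACL matching fail closed. The conditional opened here is closed in the hunk at @@ -496; the function body between the two hunks is outside this diff.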
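Review bot: The `#else` branch returns false with no trace, whereas the other rejection paths in this file's verification code log a secdebug reason (e.g. "no code base: fail" in verify), so a client failing legacy-ACL matching with the database compiled out leaves nothing in the codesign debug log to explain it; add `secdebug("codesign", "code equivalence database compiled out: fail");` before the `return false;`. Returning false here is the fail-closed choice and is worth stating in the `#else` comment, e.g. `/* Code Equivalence Database compiled out: legacy hash ACLs never match */`. With the block compiled out, parameters or locals used only inside the `#if` region may now draw unused warnings — the part of verifyLegacy between the @@ -408 hunk and this one is not in the diff, so I can't tell.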