CFStringRef SDMMD_CreateUUID()
{
CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef str = CFUUIDCreateString(kCFAllocatorDefault, uuid);
CFSafeRelease(uuid);
return str;
}
static void get_uuid(char *str)
{
#ifdef HAVE_WINDOWS_H
UUID guid;
UuidCreate(&guid);
sprintf(str, "%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X",
guid.Data1, guid.Data2, guid.Data3,
guid.Data4[0], guid.Data4[1], guid.Data4[2], guid.Data4[3],
guid.Data4[4], guid.Data4[5], guid.Data4[6], guid.Data4[7]);
#elif defined(HAVE_CFUUIDCREATE)
CFUUIDRef myUUID;
CFStringRef myUUIDString;
char strBuffer[100];
myUUID = CFUUIDCreate(kCFAllocatorDefault);
myUUIDString = CFUUIDCreateString(kCFAllocatorDefault, myUUID);/* This is the safest way to obtain a C string from a CFString.*/
CFStringGetCString(myUUIDString, str, SMPD_MAX_DBS_NAME_LEN, kCFStringEncodingASCII);
CFRelease(myUUIDString);
#elif defined(HAVE_UUID_GENERATE)
uuid_t guid;
uuid_generate(guid);
uuid_unparse(guid, str);
#else
sprintf(str, "%X%X%X%X", rand(), rand(), rand(), rand());
#endif
}
int main()
{
CFUUIDRef uuid;
CFStringRef str;
char cstr[256];
// create a new UUID
uuid = CFUUIDCreate(NULL);
// get string representation, as a CFString
str = CFUUIDCreateString(NULL, uuid);
// convert it to a C string
CFStringGetCString(str, cstr, sizeof(cstr), kCFStringEncodingASCII);
// print the C string
printf("%s\n", cstr);
// print in a form suitable for use in code, a call to CFUUIDGetConstantUUIDWithBytes
printf("CFUUIDGetConstantUUIDWithBytes(NULL, ");
CFUUIDBytes uib = CFUUIDGetUUIDBytes(uuid);
Byte *p = &uib.byte0;
for (int i = 0; i < 16; ++i) {
printf("0x%02X", (int)*p++);
if (i != 15)
printf(", ");
}
printf(")\n");
return 0;
}
bool Semaphore::Create(vint initialCount, vint maxCount, const WString& name)
{
if (internalData) return false;
if (initialCount > maxCount) return false;
internalData = new SemaphoreData;
#if defined(__APPLE__)
AString auuid;
if(name.Length() == 0)
{
CFUUIDRef cfuuid = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef cfstr = CFUUIDCreateString(kCFAllocatorDefault, cfuuid);
auuid = CFStringGetCStringPtr(cfstr, kCFStringEncodingASCII);
CFRelease(cfstr);
CFRelease(cfuuid);
}
auuid = auuid.Insert(0, "/");
// OSX SEM_NAME_LENGTH = 31
if(auuid.Length() >= 30)
auuid = auuid.Sub(0, 30);
if ((internalData->semNamed = sem_open(auuid.Buffer(), O_CREAT, O_RDWR, initialCount)) == SEM_FAILED)
{
delete internalData;
internalData = 0;
return false;
}
#else
if (name == L"")
{
if(sem_init(&internalData->semUnnamed, 0, (int)initialCount) == -1)
{
delete internalData;
internalData = 0;
return false;
}
}
else
{
AString astr = wtoa(name);
if ((internalData->semNamed = sem_open(astr.Buffer(), O_CREAT, 0777, initialCount)) == SEM_FAILED)
{
delete internalData;
internalData = 0;
return false;
}
}
#endif
Release(initialCount);
return true;
}
TEST( CFPP_WriteStream, CTOR_AutoPointer )
{
CF::WriteStream s1( CF::AutoPointer( CFWriteStreamCreateWithFile( NULL, CF::URL( "file:///etc/hosts" ) ) ) );
CF::WriteStream s2( CF::AutoPointer( CFUUIDCreate( NULL ) ) );
CF::WriteStream s3( CF::AutoPointer( NULL ) );
ASSERT_TRUE( s1.IsValid() );
ASSERT_FALSE( s2.IsValid() );
ASSERT_FALSE( s3.IsValid() );
}
void uuid::create( uuid *result ) {
#if defined( __APPLE__ )
CFUUIDRef uuid_ref = CFUUIDCreate( NULL );
CFUUIDBytes uuid_bytes = CFUUIDGetUUIDBytes( uuid_ref );
CFRelease( uuid_ref );
::memcpy( result->data, &uuid_bytes, sizeof result->data );
#elif defined( ZORBA_HAVE_UUID_H )
uuid_generate( result->data );
#elif defined( _WIN32 )
UuidCreateSequential( (UUID*)result->data );
#endif /* _WIN32 */
}
string Utils::get_uuid4() {
CFUUIDRef cf_uuid_ref = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef cf_uuid_str_ref = CFUUIDCreateString(kCFAllocatorDefault, cf_uuid_ref);
string uuid(CFStringGetCStringPtr(cf_uuid_str_ref, kCFStringEncodingUTF8));
transform(uuid.begin(), uuid.end(), uuid.begin(), ::tolower);
CFRelease(cf_uuid_ref);
CFRelease(cf_uuid_str_ref);
return uuid;
}
cc_int32 cci_os_identifier_new_uuid (cci_uuid_string_t *out_uuid_string)
{
cc_int32 err = ccNoError;
cci_uuid_string_t uuid_string = NULL;
CFUUIDRef uuid = NULL;
CFStringRef uuid_stringref = NULL;
CFStringEncoding encoding = kCFStringEncodingUTF8;
CFIndex length = 0;
if (!out_uuid_string) { err = cci_check_error (ccErrBadParam); }
if (!err) {
uuid = CFUUIDCreate (kCFAllocatorDefault);
if (!uuid) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
uuid_stringref = CFUUIDCreateString (kCFAllocatorDefault, uuid);
if (!uuid_stringref) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (uuid_stringref),
encoding) + 1;
uuid_string = malloc (length);
if (!uuid_string) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
if (!CFStringGetCString (uuid_stringref, uuid_string, length, encoding)) {
err = cci_check_error (ccErrNoMem);
}
}
if (!err) {
*out_uuid_string = uuid_string;
uuid_string = NULL; /* take ownership */
}
if (uuid_string ) { free (uuid_string); }
if (uuid_stringref) { CFRelease (uuid_stringref); }
if (uuid ) { CFRelease (uuid); }
return cci_check_error (err);
}
TEST( CFPP_WriteStream, OperatorAssignAutoPointer )
{
CF::WriteStream s1;
CF::WriteStream s2( CF::URL( "file:///etc/hosts" ) );
CF::WriteStream s3( CF::URL( "file:///etc/hosts" ) );
ASSERT_FALSE( s1.IsValid() );
ASSERT_TRUE( s2.IsValid() );
ASSERT_TRUE( s3.IsValid() );
s1 = CF::AutoPointer( CFWriteStreamCreateWithFile( NULL, CF::URL( "file:///etc/hosts" ) ) );
s2 = CF::AutoPointer( CFUUIDCreate( NULL ) );
s3 = CF::AutoPointer( NULL );
ASSERT_TRUE( s1.IsValid() );
ASSERT_FALSE( s2.IsValid() );
ASSERT_FALSE( s3.IsValid() );
}
String createCanonicalUUIDString()
{
#if PLATFORM(QT)
QUuid uuid = QUuid::createUuid();
String canonicalUuidStr = uuid.toString().mid(1, 36).toLower(); // remove opening and closing bracket and make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(WINDOWS)
GUID uuid = { 0 };
HRESULT hr = CoCreateGuid(&uuid);
if (FAILED(hr))
return String();
wchar_t uuidStr[40];
int num = StringFromGUID2(uuid, reinterpret_cast<LPOLESTR>(uuidStr), ARRAYSIZE(uuidStr));
ASSERT(num == 39);
String canonicalUuidStr = String(uuidStr + 1, num - 3).lower(); // remove opening and closing bracket and make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(DARWIN)
CFUUIDRef uuid = CFUUIDCreate(0);
CFStringRef uuidStrRef = CFUUIDCreateString(0, uuid);
String uuidStr(uuidStrRef);
CFRelease(uuidStrRef);
CFRelease(uuid);
String canonicalUuidStr = uuidStr.lower(); // make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(LINUX)
FILE* fptr = fopen("/proc/sys/kernel/random/uuid", "r");
if (!fptr)
return String();
char uuidStr[37];
char* result = fgets(uuidStr, sizeof(uuidStr), fptr);
fclose(fptr);
if (!result)
return String();
String canonicalUuidStr = String(uuidStr).lower(); // make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#else
notImplemented();
return String();
#endif
}
/* Generates a UUID. The original version is truncated, so this is not 100%
* guaranteed to be unique. However, the `PBXObject#generate_uuid` method
* checks that the UUID does not exist yet, in the project, before using it.
*
* @note Meant for internal use only.
*
* @return [String] A 24 characters long UUID.
*/
static VALUE
generate_uuid(void) {
CFUUIDRef uuid = CFUUIDCreate(NULL);
CFStringRef strRef = CFUUIDCreateString(NULL, uuid);
CFRelease(uuid);
CFArrayRef components = CFStringCreateArrayBySeparatingStrings(NULL, strRef, CFSTR("-"));
CFRelease(strRef);
strRef = CFStringCreateByCombiningStrings(NULL, components, CFSTR(""));
CFRelease(components);
UniChar buffer[24];
CFStringGetCharacters(strRef, CFRangeMake(0, 24), buffer);
CFStringRef strRef2 = CFStringCreateWithCharacters(NULL, buffer, 24);
VALUE str = cfstr_to_str(strRef2);
CFRelease(strRef);
CFRelease(strRef2);
return str;
}
// Generate a unique user ID. We're using a GUID form,
// but not jumping through hoops to make it cryptographically
// secure. We just want it to distinguish unique users.
static nsresult
InitUserID(nsACString& aUserID)
{
nsID id;
// copied shamelessly from nsUUIDGenerator.cpp
#if defined(XP_WIN)
HRESULT hr = CoCreateGuid((GUID*)&id);
if (NS_FAILED(hr))
return NS_ERROR_FAILURE;
#elif defined(XP_MACOSX)
CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault);
if (!uuid)
return NS_ERROR_FAILURE;
CFUUIDBytes bytes = CFUUIDGetUUIDBytes(uuid);
memcpy(&id, &bytes, sizeof(nsID));
CFRelease(uuid);
#else
// UNIX or some such thing
id.m0 = random();
id.m1 = random();
id.m2 = random();
*reinterpret_cast<PRUint32*>(&id.m3[0]) = random();
*reinterpret_cast<PRUint32*>(&id.m3[4]) = random();
#endif
char* id_cstr = id.ToString();
NS_ENSURE_TRUE(id_cstr, NS_ERROR_OUT_OF_MEMORY);
nsDependentCString id_str(id_cstr);
aUserID = Substring(id_str, 1, id_str.Length()-2);
PR_Free(id_cstr);
return NS_OK;
}
bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags)
{
if (matchFlags == 0) { // playback; consult authority table for matches
DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep();
std::string screen;
if (CFRef<CFDataRef> info = rep->component(cdInfoSlot)) {
SHA1 hash;
hash.update(CFDataGetBytePtr(info), CFDataGetLength(info));
screen = createWhitelistScreen('I', hash);
} else if (rep->mainExecutableImage()) {
screen = "N";
} else {
SHA1 hash;
hashFileData(rep->mainExecutablePath().c_str(), &hash);
screen = createWhitelistScreen('M', hash);
}
SQLite::Statement query(*this,
"SELECT flags FROM authority "
"WHERE type = :type"
" AND NOT flags & :flag"
" AND CASE WHEN filter_unsigned IS NULL THEN remarks = :remarks ELSE filter_unsigned = :screen END");
query.bind(":type").integer(type);
query.bind(":flag").integer(kAuthorityFlagDefault);
query.bind(":screen") = screen;
query.bind(":remarks") = cfString(path);
if (!query.nextRow()) // guaranteed no matching rule
return false;
matchFlags = SQLite3::int64(query[0]);
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, (matchFlags & kAuthorityFlagWhitelistV2) ? kSecCSSignOpaque : kSecCSSignV1, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
SecRequirementRef dr = NULL;
SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &dr);
CFStringRef drs = NULL;
SecRequirementCopyString(dr, kSecCSDefaultFlags, &drs);
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
return true; // it worked; we're now (well) signed
} catch (...) { }
return false;
}
//
// Executable code.
// Read from disk, evaluate properly, cache as indicated. The whole thing, so far.
//
void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result,
bool handleUnsignedCode /* = true */)
{
FileQuarantine qtn(cfString(path).c_str());
if (qtn.flag(QTN_FLAG_HARD))
MacOSError::throwMe(errSecCSFileHardQuarantined);
CFRef<SecStaticCodeRef> code;
MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
OSStatus rc = noErr; // last validation error
const SecCSFlags validationFlags = kSecCSEnforceRevocationChecks;
WhitelistPrescreen whitelistScreen(code); // pre-screening filter for whitelist pre-screening (only)
SQLite::Statement query(*this,
"SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority"
" WHERE type = :type"
" ORDER BY priority DESC;");
query.bind(":type").integer(type);
SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
std::string latentLabel; // ... and associated label, if any
while (query.nextRow()) {
bool allow = int(query[0]);
const char *reqString = query[1];
SQLite3::int64 id = query[2];
const char *label = query[3];
double expires = query[4];
sqlite3_int64 ruleFlags = query[5];
SQLite3::int64 disabled = query[6];
const char *filter = query[7];
const char *remarks = query[8];
CFRef<SecRequirementRef> requirement;
MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
rc = SecStaticCodeCheckValidity(code, validationFlags, requirement);
// ad-hoc sign unsigned code, skip of Gatekeeper is off or the rule is disabled; but always do it for whitelist recording
if (rc == errSecCSUnsigned && handleUnsignedCode && (!(disabled || overrideAssessment()) || SYSPOLICY_RECORDER_MODE_ENABLED())) {
if (!SYSPOLICY_RECORDER_MODE_ENABLED()) {
// apply whitelist pre-screening to speed things up for non-matches
if (ruleFlags & kAuthorityFlagDefault) // can't ever match standard rules with unsigned code
continue;
if (whitelistScreen.reject(filter, remarks)) // apply whitelist pre-filter
continue;
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
// rerun the validation to update state
rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSBasicValidateOnly, requirement);
} catch (...) { }
}
switch (rc) {
case noErr: // well signed and satisfies requirement...
break; // ... continue below
case errSecCSSignatureFailed:
if (!codeInvalidityExceptions(code, result)) {
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, false);
MacOSError::throwMe(rc);
}
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, true);
// treat as unsigned to fix problems in the field
case errSecCSUnsigned:
if (handleUnsignedCode) {
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
}
return;
case errSecCSReqFailed: // requirement missed, but otherwise okay
continue;
default: // broken in some way; all tests will fail like this so bail out
MacOSError::throwMe(rc);
}
if (disabled) {
if (latentID == 0) {
latentID = id;
if (label)
latentLabel = label;
}
continue; // the loop
}
CFRef<CFDictionaryRef> info; // as needed
if (flags & kSecAssessmentFlagRequestOrigin) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) {
CFRef<CFDictionaryRef> xinfo;
MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref()));
if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) {
this->recordOutcome(code, allow, type, min(expires, dateToJulian(limit)), id);
}
}
}
if (allow) {
if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, cdhash ? CFDataGetBytePtr(cdhash) : NULL);
}
} else {
if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
std::string cpath = cfString(path);
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
SYSPOLICY_ASSESS_OUTCOME_DENY(cpath.c_str(), type, label, hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, label, hashp, recorder_code_untrusted);
}
}
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
addAuthority(result, label, id);
return;
}
if (rc == errSecCSUnsigned) { // skipped all applicable rules due to pre-screening
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
return;
}
// no applicable authority (but signed, perhaps temporarily). Deny by default
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (flags & kSecAssessmentFlagRequestOrigin) {
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
std::string cpath = cfString(path);
SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath.c_str(), type, latentLabel.c_str(), hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, latentLabel.c_str(), hashp, 0);
}
if (!(flags & kSecAssessmentFlagNoCache))
this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID);
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
addAuthority(result, latentLabel.c_str(), latentID);
}
static krb5_error_code
od_dump_entry(krb5_context kcontext, HDB *db, hdb_entry_ex *entry, void *data)
{
CFErrorRef error = NULL;
CFDictionaryRef dict;
CFStringRef fn, uuidstr;
CFUUIDRef uuid;
CFURLRef url;
dict = HeimODDumpHdbEntry(&entry->entry, &error);
if (dict == NULL) {
if (error)
CFRelease(error);
return 0;
}
uuid = CFUUIDCreate(NULL);
if (uuid == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
uuidstr = CFUUIDCreateString(NULL, uuid);
CFRelease(uuid);
if (uuidstr == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
fn = CFStringCreateWithFormat(NULL, NULL, CFSTR("%s/%@.plist"), (char *)data, uuidstr);
CFRelease(uuidstr);
if (fn == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
url = CFURLCreateWithFileSystemPath(NULL, fn, kCFURLPOSIXPathStyle, false);
CFRelease(fn);
if (url == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
CFDataRef xmldata = CFPropertyListCreateData(NULL, dict, kCFPropertyListXMLFormat_v1_0, 0, NULL);
CFRelease(dict);
if (xmldata == NULL) {
CFRelease(url);
krb5_warnx(kcontext, "out of memory");
return 0;
}
CFWriteStreamRef stream = CFWriteStreamCreateWithFile(NULL, url);
if (stream) {
if (CFWriteStreamOpen(stream))
CFWriteStreamWrite(stream, CFDataGetBytePtr(xmldata), CFDataGetLength(xmldata));
CFWriteStreamClose(stream);
CFRelease(stream);
}
CFRelease(url);
CFRelease(xmldata);
return 0;
}
static void testkeywrap(unsigned long keySizeInBits, CFTypeRef alg)
{
SecKeyRef pubKey = NULL, privKey = NULL;
size_t keySizeInBytes = (keySizeInBits + 7) / 8;
CFNumberRef kzib;
int32_t keysz32 = (int32_t)keySizeInBits;
CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID);
CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFReleaseNull(ourUUID);
CFReleaseNull(uuidString);
CFStringAppend(publicName, CFSTR("-Public-41"));
CFStringAppend(privateName, CFSTR("-Private-41"));
CFDictionaryRef pubd = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrLabel, publicName,
NULL);
CFDictionaryRef privd = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrLabel, privateName,
NULL);
CFReleaseNull(publicName);
CFReleaseNull(privateName);
kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrKeyType, kSecAttrKeyTypeEC,
kSecAttrKeySizeInBits, kzib,
kSecAttrIsPermanent, kCFBooleanFalse,
kSecPublicKeyAttrs, pubd,
kSecPrivateKeyAttrs, privd,
NULL);
CFReleaseNull(pubd);
CFReleaseNull(privd);
CFReleaseNull(kzib);
OSStatus status;
ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
"Generate %ld bit (%ld byte) persistent RSA keypair (status = %d)",
keySizeInBits, keySizeInBytes, (int)status);
CFReleaseNull(kgp);
CFErrorRef localError;
CFDataRef secret = CFDataCreate(NULL, (void *)"0123456789012345", 16);
ok(secret, "secret");
CFDataRef fp = CFDataCreate(NULL, (void *)"01234567890123456789", 20);
ok(fp, "fingerprint");
int8_t sym_alg_data = 8;
CFNumberRef symalg = CFNumberCreate(NULL, kCFNumberSInt8Type, &sym_alg_data);
CFDictionaryRef param = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
_kSecKeyWrapPGPWrapAlg, alg,
_kSecKeyWrapPGPSymAlg, symalg,
_kSecKeyWrapPGPFingerprint, fp,
NULL);
CFDataRef wrapped = _SecKeyCopyWrapKey(pubKey, kSecKeyWrapPublicKeyPGP, secret, param, NULL, &localError);
ok(wrapped, "wrap key: %@", localError);
CFDataRef unwrapped = _SecKeyCopyUnwrapKey(privKey, kSecKeyWrapPublicKeyPGP, wrapped, param, NULL, &localError);
ok(unwrapped, "unwrap key: %@", localError);
CFReleaseNull(symalg);
ok(CFEqual(unwrapped, secret), "keys still same");
CFReleaseNull(fp);
CFReleaseNull(secret);
CFReleaseNull(unwrapped);
CFReleaseNull(wrapped);
CFReleaseNull(param);
CFReleaseNull(privKey);
CFReleaseNull(pubKey);
}
static void testkeygen2(size_t keySizeInBits) {
SecKeyRef pubKey = NULL, privKey = NULL;
size_t keySizeInBytes = (keySizeInBits + 7) / 8;
CFNumberRef kzib;
int32_t keysz32 = (int32_t)keySizeInBits;
CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID);
CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFReleaseNull(ourUUID);
CFReleaseNull(uuidString);
CFStringAppend(publicName, CFSTR("-Public-41"));
CFStringAppend(privateName, CFSTR("-Private-41"));
CFMutableDictionaryRef pubd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault,
kSecAttrLabel, publicName,
NULL);
CFMutableDictionaryRef privd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault,
kSecAttrLabel, privateName,
NULL);
kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrKeyType, kSecAttrKeyTypeEC,
kSecAttrKeySizeInBits, kzib,
kSecAttrIsPermanent, kCFBooleanTrue,
kSecPublicKeyAttrs, pubd,
kSecPrivateKeyAttrs, privd,
NULL);
CFReleaseNull(kzib);
OSStatus status;
ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
"Generate %ld bit (%ld byte) persistent RSA keypair",
keySizeInBits, keySizeInBytes);
CFReleaseNull(kgp);
SKIP: {
skip("keygen failed", 8, status == errSecSuccess);
ok(pubKey, "pubkey returned");
ok(privKey, "privKey returned");
is(SecKeyGetSize(pubKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "public key size is ok");
is(SecKeyGetSize(privKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "private key size is ok");
SecKeyRef pubKey2, privKey2;
CFDictionaryAddValue(pubd, kSecClass, kSecClassKey);
CFDictionaryAddValue(pubd, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(privd, kSecClass, kSecClassKey);
CFDictionaryAddValue(privd, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(privd, kSecAttrCanSign, kCFBooleanTrue);
ok_status(SecItemCopyMatching(pubd, (CFTypeRef *)&pubKey2),
"retrieve pub key by label");
ok(pubKey2, "got valid object");
ok_status(SecItemCopyMatching(privd, (CFTypeRef *)&privKey2),
"retrieve priv key by label and kSecAttrCanSign");
ok(privKey2, "got valid object");
/* Sign something. */
uint8_t something[20] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
size_t sigLen = SecKeyGetSize(privKey2, kSecKeySignatureSize);
uint8_t sig[sigLen];
ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1,
something, sizeof(something), sig, &sigLen), "sign something");
ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
/* Cleanup. */
CFReleaseNull(pubKey2);
CFReleaseNull(privKey2);
}
/* delete from keychain - note: do it before releasing publicName and privateName
because pubd and privd have no retain/release callbacks */
ok_status(SecItemDelete(pubd), "delete generated pub key");
ok_status(SecItemDelete(privd), "delete generated priv key");
/* Cleanup. */
CFReleaseNull(pubKey);
CFReleaseNull(privKey);
CFReleaseNull(publicName);
CFReleaseNull(privateName);
CFReleaseNull(pubd);
CFReleaseNull(privd);
}
NS_IMETHODIMP
nsUUIDGenerator::GenerateUUIDInPlace(nsID* id)
{
// The various code in this method is probably not threadsafe, so lock
// across the whole method.
nsAutoLock lock(mLock);
#if defined(WINCE)
// WINCE only has CoCreateGuid if DCOM support is compiled into the BSP;
// there's usually very little reason for DCOM to be present!
if (!CeGenRandom(sizeof(nsID), (BYTE*) id))
return NS_ERROR_FAILURE;
/* Put in the version */
id->m2 &= 0x0fff;
id->m2 |= 0x4000;
/* Put in the variant */
id->m3[0] &= 0x3f;
id->m3[0] |= 0x80;
#elif defined(XP_WIN)
HRESULT hr = CoCreateGuid((GUID*)id);
if (NS_FAILED(hr))
return NS_ERROR_FAILURE;
#elif defined(XP_MACOSX)
CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault);
if (!uuid)
return NS_ERROR_FAILURE;
CFUUIDBytes bytes = CFUUIDGetUUIDBytes(uuid);
memcpy(id, &bytes, sizeof(nsID));
CFRelease(uuid);
#else /* not windows or OS X; generate randomness using random(). */
/* XXX we should be saving the return of setstate here and switching
* back to it; instead, we use the value returned when we called
* initstate, since older glibc's have broken setstate() return values
*/
#ifndef ANDROID
setstate(mState);
#endif
PRSize bytesLeft = sizeof(nsID);
while (bytesLeft > 0) {
#ifdef ANDROID
long rval = arc4random();
const int mRBytes = 4;
#else
long rval = random();
#endif
PRUint8 *src = (PRUint8*)&rval;
// We want to grab the mRBytes least significant bytes of rval, since
// mRBytes less than sizeof(rval) means the high bytes are 0.
#ifdef IS_BIG_ENDIAN
src += sizeof(rval) - mRBytes;
#endif
PRUint8 *dst = ((PRUint8*) id) + (sizeof(nsID) - bytesLeft);
PRSize toWrite = (bytesLeft < mRBytes ? bytesLeft : mRBytes);
for (PRSize i = 0; i < toWrite; i++)
dst[i] = src[i];
bytesLeft -= toWrite;
}
/* Put in the version */
id->m2 &= 0x0fff;
id->m2 |= 0x4000;
/* Put in the variant */
id->m3[0] &= 0x3f;
id->m3[0] |= 0x80;
#ifndef ANDROID
/* Restore the previous RNG state */
setstate(mSavedState);
#endif
#endif
return NS_OK;
}