static void get_uuid(char *str)
{
#ifdef HAVE_WINDOWS_H
UUID guid;
UuidCreate(&guid);
sprintf(str, "%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X",
guid.Data1, guid.Data2, guid.Data3,
guid.Data4[0], guid.Data4[1], guid.Data4[2], guid.Data4[3],
guid.Data4[4], guid.Data4[5], guid.Data4[6], guid.Data4[7]);
#elif defined(HAVE_CFUUIDCREATE)
CFUUIDRef myUUID;
CFStringRef myUUIDString;
char strBuffer[100];
myUUID = CFUUIDCreate(kCFAllocatorDefault);
myUUIDString = CFUUIDCreateString(kCFAllocatorDefault, myUUID);/* This is the safest way to obtain a C string from a CFString.*/
CFStringGetCString(myUUIDString, str, SMPD_MAX_DBS_NAME_LEN, kCFStringEncodingASCII);
CFRelease(myUUIDString);
#elif defined(HAVE_UUID_GENERATE)
uuid_t guid;
uuid_generate(guid);
uuid_unparse(guid, str);
#else
sprintf(str, "%X%X%X%X", rand(), rand(), rand(), rand());
#endif
}
__private_extern__ CFStringRef _CFGetHostUUIDString(void) {
static CFStringRef __hostUUIDString = NULL;
if (!__hostUUIDString) {
CFUUIDBytes uuidBytes;
int getuuidErr = 0;
struct timespec timeout = {0, 0}; // Infinite timeout for gethostuuid()
getuuidErr = gethostuuid((unsigned char *)&uuidBytes, &timeout);
if (getuuidErr == -1) {
// An error has occurred trying to get the host UUID string. There's nothing we can do here, so we should just return NULL.
CFLog(kCFLogLevelWarning, CFSTR("_CFGetHostUUIDString: unable to determine UUID for host. Error: %d"), errno);
return NULL;
}
CFUUIDRef uuidRef = CFUUIDCreateFromUUIDBytes(kCFAllocatorSystemDefault, uuidBytes);
CFStringRef uuidAsString = CFUUIDCreateString(kCFAllocatorSystemDefault, uuidRef);
if (!OSAtomicCompareAndSwapPtrBarrier(NULL, (void *)uuidAsString, (void *)&__hostUUIDString)) {
CFRelease(uuidAsString); // someone else made the assignment, so just release the extra string.
}
CFRelease(uuidRef);
}
return __hostUUIDString;
}
CFStringRef SDMMD_CreateUUID()
{
CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef str = CFUUIDCreateString(kCFAllocatorDefault, uuid);
CFSafeRelease(uuid);
return str;
}
std::string DiskArbitrationEventPublisher::getProperty(
const CFStringRef& property, const CFDictionaryRef& dict) {
CFTypeRef value = (CFTypeRef)CFDictionaryGetValue(dict, property);
if (value == nullptr) {
return "";
}
if (CFStringCompare(property, CFSTR(kDAAppearanceTime_), kNilOptions) ==
kCFCompareEqualTo) {
return stringFromCFAbsoluteTime((CFDataRef)value);
}
if (CFGetTypeID(value) == CFNumberGetTypeID()) {
return stringFromCFNumber((CFDataRef)value,
CFNumberGetType((CFNumberRef)value));
} else if (CFGetTypeID(value) == CFStringGetTypeID()) {
return stringFromCFString((CFStringRef)value);
} else if (CFGetTypeID(value) == CFBooleanGetTypeID()) {
return (CFBooleanGetValue((CFBooleanRef)value)) ? "1" : "0";
} else if (CFGetTypeID(value) == CFUUIDGetTypeID()) {
return stringFromCFString(
CFUUIDCreateString(kCFAllocatorDefault, (CFUUIDRef)value));
}
return "";
}
int main()
{
CFUUIDRef uuid;
CFStringRef str;
char cstr[256];
// create a new UUID
uuid = CFUUIDCreate(NULL);
// get string representation, as a CFString
str = CFUUIDCreateString(NULL, uuid);
// convert it to a C string
CFStringGetCString(str, cstr, sizeof(cstr), kCFStringEncodingASCII);
// print the C string
printf("%s\n", cstr);
// print in a form suitable for use in code, a call to CFUUIDGetConstantUUIDWithBytes
printf("CFUUIDGetConstantUUIDWithBytes(NULL, ");
CFUUIDBytes uib = CFUUIDGetUUIDBytes(uuid);
Byte *p = &uib.byte0;
for (int i = 0; i < 16; ++i) {
printf("0x%02X", (int)*p++);
if (i != 15)
printf(", ");
}
printf(")\n");
return 0;
}
CFStringRef GetDisplayIdentifier(int DisplayID)
{
CFUUIDRef displayUUID = CGDisplayCreateUUIDFromDisplayID(DisplayID);
if (!displayUUID)
return NULL;
CFStringRef Identifier = CFUUIDCreateString(NULL, displayUUID);
CFRelease(displayUUID);
return Identifier;
}
bool Semaphore::Create(vint initialCount, vint maxCount, const WString& name)
{
if (internalData) return false;
if (initialCount > maxCount) return false;
internalData = new SemaphoreData;
#if defined(__APPLE__)
AString auuid;
if(name.Length() == 0)
{
CFUUIDRef cfuuid = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef cfstr = CFUUIDCreateString(kCFAllocatorDefault, cfuuid);
auuid = CFStringGetCStringPtr(cfstr, kCFStringEncodingASCII);
CFRelease(cfstr);
CFRelease(cfuuid);
}
auuid = auuid.Insert(0, "/");
// OSX SEM_NAME_LENGTH = 31
if(auuid.Length() >= 30)
auuid = auuid.Sub(0, 30);
if ((internalData->semNamed = sem_open(auuid.Buffer(), O_CREAT, O_RDWR, initialCount)) == SEM_FAILED)
{
delete internalData;
internalData = 0;
return false;
}
#else
if (name == L"")
{
if(sem_init(&internalData->semUnnamed, 0, (int)initialCount) == -1)
{
delete internalData;
internalData = 0;
return false;
}
}
else
{
AString astr = wtoa(name);
if ((internalData->semNamed = sem_open(astr.Buffer(), O_CREAT, 0777, initialCount)) == SEM_FAILED)
{
delete internalData;
internalData = 0;
return false;
}
}
#endif
Release(initialCount);
return true;
}
string Utils::get_uuid4() {
CFUUIDRef cf_uuid_ref = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef cf_uuid_str_ref = CFUUIDCreateString(kCFAllocatorDefault, cf_uuid_ref);
string uuid(CFStringGetCStringPtr(cf_uuid_str_ref, kCFStringEncodingUTF8));
transform(uuid.begin(), uuid.end(), uuid.begin(), ::tolower);
CFRelease(cf_uuid_ref);
CFRelease(cf_uuid_str_ref);
return uuid;
}
std::ostream& operator<<(std::ostream& out, CFUUIDRef u)
{
if(nullptr == u) {
out << "(null)";
return out;
}
SFB::CFString r = CFUUIDCreateString(kCFAllocatorDefault, u);
if(r)
out << r;
return out;
}
std::ostream& operator<<(std::ostream& out, CFUUIDRef u)
{
if(NULL == u) {
out << "(null)";
return out;
}
CFStringRef r = CFUUIDCreateString(kCFAllocatorDefault, u);
if(r) {
out << r;
CFRelease(r), r = NULL;
}
return out;
}
cc_int32 cci_os_identifier_new_uuid (cci_uuid_string_t *out_uuid_string)
{
cc_int32 err = ccNoError;
cci_uuid_string_t uuid_string = NULL;
CFUUIDRef uuid = NULL;
CFStringRef uuid_stringref = NULL;
CFStringEncoding encoding = kCFStringEncodingUTF8;
CFIndex length = 0;
if (!out_uuid_string) { err = cci_check_error (ccErrBadParam); }
if (!err) {
uuid = CFUUIDCreate (kCFAllocatorDefault);
if (!uuid) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
uuid_stringref = CFUUIDCreateString (kCFAllocatorDefault, uuid);
if (!uuid_stringref) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
length = CFStringGetMaximumSizeForEncoding (CFStringGetLength (uuid_stringref),
encoding) + 1;
uuid_string = malloc (length);
if (!uuid_string) { err = cci_check_error (ccErrNoMem); }
}
if (!err) {
if (!CFStringGetCString (uuid_stringref, uuid_string, length, encoding)) {
err = cci_check_error (ccErrNoMem);
}
}
if (!err) {
*out_uuid_string = uuid_string;
uuid_string = NULL; /* take ownership */
}
if (uuid_string ) { free (uuid_string); }
if (uuid_stringref) { CFRelease (uuid_stringref); }
if (uuid ) { CFRelease (uuid); }
return cci_check_error (err);
}
int
main(int argc, char *argv[])
{
/* Define variables and create a CFArray object containing
CFString objects containing paths to watch.
*/
CFStringRef mypath = CFSTR("/");
CFArrayRef pathsToWatch = CFArrayCreate(NULL, (const void **)&mypath, 1, NULL);
void *callbackInfo = NULL; // could put stream-specific data here.
FSEventStreamRef stream;
CFAbsoluteTime latency = 3.0; /* Latency in seconds */
struct stat Status;
stat("/", &Status);
dev_t device = Status.st_dev;
CFUUIDRef uuidO;
CFStringRef uuid;
uuidO = FSEventsCopyUUIDForDevice(device);
uuid = CFUUIDCreateString(NULL, uuidO);
show(CFSTR("%@:256"), uuid);
/* Create the stream, passing in a callback, */
stream = FSEventStreamCreateRelativeToDevice(NULL,
&myCallbackFunction,
callbackInfo,
device,
pathsToWatch,
atoi(argv[2]), /* Or a previous event ID */
latency,
kFSEventStreamCreateFlagNone /* Flags explained in reference */
);
/* Create the stream before calling this. */
FSEventStreamScheduleWithRunLoop(stream, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
FSEventStreamStart(stream);
//CFRunLoopRun();
CFRunLoopRunInMode(kCFRunLoopDefaultMode,atoi(argv[1]),false);
//sleep(10);
}
String createCanonicalUUIDString()
{
#if PLATFORM(QT)
QUuid uuid = QUuid::createUuid();
String canonicalUuidStr = uuid.toString().mid(1, 36).toLower(); // remove opening and closing bracket and make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(WINDOWS)
GUID uuid = { 0 };
HRESULT hr = CoCreateGuid(&uuid);
if (FAILED(hr))
return String();
wchar_t uuidStr[40];
int num = StringFromGUID2(uuid, reinterpret_cast<LPOLESTR>(uuidStr), ARRAYSIZE(uuidStr));
ASSERT(num == 39);
String canonicalUuidStr = String(uuidStr + 1, num - 3).lower(); // remove opening and closing bracket and make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(DARWIN)
CFUUIDRef uuid = CFUUIDCreate(0);
CFStringRef uuidStrRef = CFUUIDCreateString(0, uuid);
String uuidStr(uuidStrRef);
CFRelease(uuidStrRef);
CFRelease(uuid);
String canonicalUuidStr = uuidStr.lower(); // make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#elif OS(LINUX)
FILE* fptr = fopen("/proc/sys/kernel/random/uuid", "r");
if (!fptr)
return String();
char uuidStr[37];
char* result = fgets(uuidStr, sizeof(uuidStr), fptr);
fclose(fptr);
if (!result)
return String();
String canonicalUuidStr = String(uuidStr).lower(); // make it lower.
ASSERT(canonicalUuidStr[uuidVersionIdentifierIndex] == uuidVersionRequired);
return canonicalUuidStr;
#else
notImplemented();
return String();
#endif
}
/* Generates a UUID. The original version is truncated, so this is not 100%
* guaranteed to be unique. However, the `PBXObject#generate_uuid` method
* checks that the UUID does not exist yet, in the project, before using it.
*
* @note Meant for internal use only.
*
* @return [String] A 24 characters long UUID.
*/
static VALUE
generate_uuid(void) {
CFUUIDRef uuid = CFUUIDCreate(NULL);
CFStringRef strRef = CFUUIDCreateString(NULL, uuid);
CFRelease(uuid);
CFArrayRef components = CFStringCreateArrayBySeparatingStrings(NULL, strRef, CFSTR("-"));
CFRelease(strRef);
strRef = CFStringCreateByCombiningStrings(NULL, components, CFSTR(""));
CFRelease(components);
UniChar buffer[24];
CFStringGetCharacters(strRef, CFRangeMake(0, 24), buffer);
CFStringRef strRef2 = CFStringCreateWithCharacters(NULL, buffer, 24);
VALUE str = cfstr_to_str(strRef2);
CFRelease(strRef);
CFRelease(strRef2);
return str;
}
static CFStringRef extsuper_uuid(const char *device)
{
CFStringRef str;
CFUUIDRef uuid;
CFUUIDBytes *ubytes;
char *buf;
struct ext2_super_block *sbp;
if (extsuper_read(device, &buf, &sbp))
return (NULL);
ubytes = (CFUUIDBytes*)&sbp->s_uuid[0];
uuid = CFUUIDCreateFromUUIDBytes(kCFAllocatorDefault, *ubytes);
free(buf);
if (uuid) {
str = CFUUIDCreateString(kCFAllocatorDefault, uuid);
CFRelease(uuid);
return (str);
}
return (NULL);
}
static void testkeygen2(size_t keySizeInBits) {
SecKeyRef pubKey = NULL, privKey = NULL;
size_t keySizeInBytes = (keySizeInBits + 7) / 8;
CFNumberRef kzib;
int32_t keysz32 = (int32_t)keySizeInBits;
CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID);
CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFReleaseNull(ourUUID);
CFReleaseNull(uuidString);
CFStringAppend(publicName, CFSTR("-Public-41"));
CFStringAppend(privateName, CFSTR("-Private-41"));
CFMutableDictionaryRef pubd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault,
kSecAttrLabel, publicName,
NULL);
CFMutableDictionaryRef privd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault,
kSecAttrLabel, privateName,
NULL);
kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrKeyType, kSecAttrKeyTypeEC,
kSecAttrKeySizeInBits, kzib,
kSecAttrIsPermanent, kCFBooleanTrue,
kSecPublicKeyAttrs, pubd,
kSecPrivateKeyAttrs, privd,
NULL);
CFReleaseNull(kzib);
OSStatus status;
ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
"Generate %ld bit (%ld byte) persistent RSA keypair",
keySizeInBits, keySizeInBytes);
CFReleaseNull(kgp);
SKIP: {
skip("keygen failed", 8, status == errSecSuccess);
ok(pubKey, "pubkey returned");
ok(privKey, "privKey returned");
is(SecKeyGetSize(pubKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "public key size is ok");
is(SecKeyGetSize(privKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "private key size is ok");
SecKeyRef pubKey2, privKey2;
CFDictionaryAddValue(pubd, kSecClass, kSecClassKey);
CFDictionaryAddValue(pubd, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(privd, kSecClass, kSecClassKey);
CFDictionaryAddValue(privd, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(privd, kSecAttrCanSign, kCFBooleanTrue);
ok_status(SecItemCopyMatching(pubd, (CFTypeRef *)&pubKey2),
"retrieve pub key by label");
ok(pubKey2, "got valid object");
ok_status(SecItemCopyMatching(privd, (CFTypeRef *)&privKey2),
"retrieve priv key by label and kSecAttrCanSign");
ok(privKey2, "got valid object");
/* Sign something. */
uint8_t something[20] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
size_t sigLen = SecKeyGetSize(privKey2, kSecKeySignatureSize);
uint8_t sig[sigLen];
ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1,
something, sizeof(something), sig, &sigLen), "sign something");
ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
/* Cleanup. */
CFReleaseNull(pubKey2);
CFReleaseNull(privKey2);
}
/* delete from keychain - note: do it before releasing publicName and privateName
because pubd and privd have no retain/release callbacks */
ok_status(SecItemDelete(pubd), "delete generated pub key");
ok_status(SecItemDelete(privd), "delete generated priv key");
/* Cleanup. */
CFReleaseNull(pubKey);
CFReleaseNull(privKey);
CFReleaseNull(publicName);
CFReleaseNull(privateName);
CFReleaseNull(pubd);
CFReleaseNull(privd);
}
//
// Executable code.
// Read from disk, evaluate properly, cache as indicated. The whole thing, so far.
//
void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result,
bool handleUnsignedCode /* = true */)
{
FileQuarantine qtn(cfString(path).c_str());
if (qtn.flag(QTN_FLAG_HARD))
MacOSError::throwMe(errSecCSFileHardQuarantined);
CFRef<SecStaticCodeRef> code;
MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
OSStatus rc = noErr; // last validation error
const SecCSFlags validationFlags = kSecCSEnforceRevocationChecks;
WhitelistPrescreen whitelistScreen(code); // pre-screening filter for whitelist pre-screening (only)
SQLite::Statement query(*this,
"SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority"
" WHERE type = :type"
" ORDER BY priority DESC;");
query.bind(":type").integer(type);
SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
std::string latentLabel; // ... and associated label, if any
while (query.nextRow()) {
bool allow = int(query[0]);
const char *reqString = query[1];
SQLite3::int64 id = query[2];
const char *label = query[3];
double expires = query[4];
sqlite3_int64 ruleFlags = query[5];
SQLite3::int64 disabled = query[6];
const char *filter = query[7];
const char *remarks = query[8];
CFRef<SecRequirementRef> requirement;
MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
rc = SecStaticCodeCheckValidity(code, validationFlags, requirement);
// ad-hoc sign unsigned code, skip of Gatekeeper is off or the rule is disabled; but always do it for whitelist recording
if (rc == errSecCSUnsigned && handleUnsignedCode && (!(disabled || overrideAssessment()) || SYSPOLICY_RECORDER_MODE_ENABLED())) {
if (!SYSPOLICY_RECORDER_MODE_ENABLED()) {
// apply whitelist pre-screening to speed things up for non-matches
if (ruleFlags & kAuthorityFlagDefault) // can't ever match standard rules with unsigned code
continue;
if (whitelistScreen.reject(filter, remarks)) // apply whitelist pre-filter
continue;
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
// rerun the validation to update state
rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSBasicValidateOnly, requirement);
} catch (...) { }
}
switch (rc) {
case noErr: // well signed and satisfies requirement...
break; // ... continue below
case errSecCSSignatureFailed:
if (!codeInvalidityExceptions(code, result)) {
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, false);
MacOSError::throwMe(rc);
}
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, true);
// treat as unsigned to fix problems in the field
case errSecCSUnsigned:
if (handleUnsignedCode) {
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
}
return;
case errSecCSReqFailed: // requirement missed, but otherwise okay
continue;
default: // broken in some way; all tests will fail like this so bail out
MacOSError::throwMe(rc);
}
if (disabled) {
if (latentID == 0) {
latentID = id;
if (label)
latentLabel = label;
}
continue; // the loop
}
CFRef<CFDictionaryRef> info; // as needed
if (flags & kSecAssessmentFlagRequestOrigin) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) {
CFRef<CFDictionaryRef> xinfo;
MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref()));
if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) {
this->recordOutcome(code, allow, type, min(expires, dateToJulian(limit)), id);
}
}
}
if (allow) {
if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, cdhash ? CFDataGetBytePtr(cdhash) : NULL);
}
} else {
if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
std::string cpath = cfString(path);
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
SYSPOLICY_ASSESS_OUTCOME_DENY(cpath.c_str(), type, label, hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, label, hashp, recorder_code_untrusted);
}
}
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
addAuthority(result, label, id);
return;
}
if (rc == errSecCSUnsigned) { // skipped all applicable rules due to pre-screening
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
return;
}
// no applicable authority (but signed, perhaps temporarily). Deny by default
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (flags & kSecAssessmentFlagRequestOrigin) {
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
std::string cpath = cfString(path);
SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath.c_str(), type, latentLabel.c_str(), hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, latentLabel.c_str(), hashp, 0);
}
if (!(flags & kSecAssessmentFlagNoCache))
this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID);
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
addAuthority(result, latentLabel.c_str(), latentID);
}
// first look up the media object, then create a
// custom matching dictionary that should be persistent
// from boot to boot
int addMatchingInfoForBSDName(BLContextPtr context,
mach_port_t masterPort,
CFMutableDictionaryRef dict,
const char *bsdName,
bool shortForm)
{
io_service_t media = IO_OBJECT_NULL, checkMedia = IO_OBJECT_NULL;
CFStringRef uuid = NULL;
CFMutableDictionaryRef propDict = NULL;
kern_return_t kret;
CFStringRef lastBSDName = NULL;
lastBSDName = CFStringCreateWithCString(kCFAllocatorDefault,
bsdName,
kCFStringEncodingUTF8);
propDict = IOBSDNameMatching(masterPort, 0, bsdName);
CFDictionarySetValue(propDict, CFSTR(kIOProviderClassKey), CFSTR(kIOMediaClass));
media = IOServiceGetMatchingService(masterPort,
propDict);
propDict = NULL;
if(media == IO_OBJECT_NULL) {
contextprintf(context, kBLLogLevelError, "Could not find object for %s\n", bsdName);
CFRelease(lastBSDName);
return 1;
}
uuid = IORegistryEntryCreateCFProperty(media, CFSTR(kIOMediaUUIDKey),
kCFAllocatorDefault, 0);
if(uuid == NULL) {
CFUUIDRef fsuuid = NULL;
CFStringRef fsuuidstr = NULL;
io_string_t path;
#if USE_DISKARBITRATION
DASessionRef session = NULL;
DADiskRef dadisk = NULL;
contextprintf(context, kBLLogLevelVerbose, "IOMedia %s does not have a partition %s\n",
bsdName, kIOMediaUUIDKey);
session = DASessionCreate(kCFAllocatorDefault);
if(session) {
dadisk = DADiskCreateFromIOMedia(kCFAllocatorDefault, session,
media);
if(dadisk) {
CFDictionaryRef descrip = DADiskCopyDescription(dadisk);
if(descrip) {
fsuuid = CFDictionaryGetValue(descrip, kDADiskDescriptionVolumeUUIDKey);
if(fsuuid)
CFRetain(fsuuid);
CFRelease(descrip);
}
CFRelease(dadisk);
}
CFRelease(session);
}
#endif // USE_DISKARBITRATION
if(fsuuid) {
char fsuuidCString[64];
fsuuidstr = CFUUIDCreateString(kCFAllocatorDefault, fsuuid);
CFStringGetCString(fsuuidstr,fsuuidCString,sizeof(fsuuidCString),kCFStringEncodingUTF8);
contextprintf(context, kBLLogLevelVerbose, "DADiskRef %s has Volume UUID %s\n",
bsdName, fsuuidCString);
CFRelease(fsuuid);
} else {
contextprintf(context, kBLLogLevelVerbose, "IOMedia %s does not have a Volume UUID\n",
bsdName);
}
// we have a volume UUID, but our primary matching mechanism will be the device path
kret = IORegistryEntryGetPath(media, kIODeviceTreePlane,path);
if(kret) {
contextprintf(context, kBLLogLevelVerbose, "IOMedia %s does not have device tree path\n",
bsdName);
propDict = IOServiceMatching(kIOMediaClass);
CFDictionaryAddValue(propDict, CFSTR(kIOBSDNameKey), lastBSDName);
// add UUID as hint
if(fsuuidstr)
CFDictionaryAddValue(dict, CFSTR("BLVolumeUUID"), fsuuidstr);
} else {
CFStringRef blpath = CFStringCreateWithCString(kCFAllocatorDefault, path, kCFStringEncodingUTF8);
contextprintf(context, kBLLogLevelVerbose, "IOMedia %s has path %s\n",
bsdName, path);
propDict = IOServiceMatching(kIOMediaClass);
CFDictionaryAddValue(propDict, CFSTR(kIOPathMatchKey), blpath);
CFRelease(blpath);
// add UUID as hint
if(fsuuidstr)
CFDictionaryAddValue(dict, CFSTR("BLVolumeUUID"), fsuuidstr);
CFDictionaryAddValue(dict, CFSTR("BLLastBSDName"), lastBSDName);
}
if(fsuuidstr) {
CFRelease(fsuuidstr);
}
} else {
CFMutableDictionaryRef propMatch;
contextprintf(context, kBLLogLevelVerbose, "IOMedia %s has UUID %s\n",
bsdName, BLGetCStringDescription(uuid));
propMatch = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
CFDictionaryAddValue(propMatch, CFSTR(kIOMediaUUIDKey), uuid);
propDict = IOServiceMatching(kIOMediaClass);
CFDictionaryAddValue(propDict, CFSTR(kIOPropertyMatchKey), propMatch);
CFRelease(propMatch);
// add a hint to the top-level dict
CFDictionaryAddValue(dict, CFSTR("BLLastBSDName"), lastBSDName);
CFRelease(uuid);
}
// verify the dictionary matches
CFRetain(propDict); // consumed below
checkMedia = IOServiceGetMatchingService(masterPort,
propDict);
if(IO_OBJECT_NULL == checkMedia
|| !IOObjectIsEqualTo(media, checkMedia)) {
contextprintf(context, kBLLogLevelVerbose, "Inconsistent registry entries for %s\n",
bsdName);
if(IO_OBJECT_NULL != checkMedia) IOObjectRelease(checkMedia);
IOObjectRelease(media);
CFRelease(lastBSDName);
CFRelease(propDict);
return 2;
}
IOObjectRelease(checkMedia);
IOObjectRelease(media);
CFDictionaryAddValue(dict, CFSTR("IOMatch"), propDict);
CFRelease(lastBSDName);
CFRelease(propDict);
if(shortForm) {
CFDictionaryAddValue(dict, CFSTR("IOEFIShortForm"), kCFBooleanTrue);
}
return 0;
}
bool NDASPreferencesChangeNameOfRAIDDevice(PGUID raidID, CFStringRef name)
{
CFStringRef cfsKey = NULL;
CFMutableDictionaryRef dictEntry = NULL;
CFUUIDRef cfuGuid= NULL;
if (name) {
// Create Dict
dictEntry = CFDictionaryCreateMutable (kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (NULL == dictEntry) {
return false;
}
CFDictionaryAddValue(dictEntry,
CFSTR(KEY_NAME_STRING),
name
);
}
// GUID is key.
cfuGuid = CFUUIDCreateWithBytes(kCFAllocatorDefault,
raidID->guid[0], raidID->guid[1], raidID->guid[2], raidID->guid[3],
raidID->guid[4], raidID->guid[5], raidID->guid[6], raidID->guid[7],
raidID->guid[8], raidID->guid[9], raidID->guid[10], raidID->guid[11],
raidID->guid[12], raidID->guid[13], raidID->guid[14], raidID->guid[15]);
if (NULL == cfuGuid) {
return false;
}
cfsKey = CFUUIDCreateString (
kCFAllocatorDefault,
cfuGuid
);
if (NULL == cfsKey) {
return false;
}
// Set Values.
CFPreferencesSetValue(
cfsKey,
dictEntry,
NDAS_PREFERENCES_FILE_RAID_INFORMATION,
kCFPreferencesAnyUser,
kCFPreferencesCurrentHost
);
// Write out the preference data.
CFPreferencesSynchronize(
NDAS_PREFERENCES_FILE_RAID_INFORMATION,
kCFPreferencesAnyUser,
kCFPreferencesCurrentHost
);
if (cfsKey) CFRelease(cfsKey);
if (dictEntry) CFRelease(dictEntry);
if (cfuGuid) CFRelease(cfuGuid);
return true;
}
bool NDASPreferencesChangeConfigurationOfLogicalDevice(UInt32 index, UInt32 configuration)
{
// Get Logical Device.
NDASLogicalDeviceInformation NDASInfo = { 0 };
NDASInfo.index = index;
if(NDASGetLogicalDeviceInformationByIndex(&NDASInfo)) {
CFStringRef cfsKey = NULL;
CFNumberRef cfnConfiguration = NULL;
CFUUIDRef cfuGuid = NULL;
switch(configuration) {
case kNDASUnitConfigurationMountRW:
case kNDASUnitConfigurationMountRO:
{
cfnConfiguration = CFNumberCreate (NULL, kCFNumberSInt32Type, &configuration);
}
break;
case kNDASUnitConfigurationUnmount:
{
}
break;
}
// GUID is key.
cfuGuid = CFUUIDCreateWithBytes(kCFAllocatorDefault,
NDASInfo.LowerUnitDeviceID.guid[0], NDASInfo.LowerUnitDeviceID.guid[1], NDASInfo.LowerUnitDeviceID.guid[2], NDASInfo.LowerUnitDeviceID.guid[3],
NDASInfo.LowerUnitDeviceID.guid[4], NDASInfo.LowerUnitDeviceID.guid[5], NDASInfo.LowerUnitDeviceID.guid[6], NDASInfo.LowerUnitDeviceID.guid[7],
NDASInfo.LowerUnitDeviceID.guid[8], NDASInfo.LowerUnitDeviceID.guid[9], NDASInfo.LowerUnitDeviceID.guid[10], NDASInfo.LowerUnitDeviceID.guid[11],
NDASInfo.LowerUnitDeviceID.guid[12], NDASInfo.LowerUnitDeviceID.guid[13], NDASInfo.LowerUnitDeviceID.guid[14], NDASInfo.LowerUnitDeviceID.guid [15]);
cfsKey = CFUUIDCreateString(kCFAllocatorDefault, cfuGuid);
CFRelease(cfuGuid);
// Set Values.
CFPreferencesSetValue(
cfsKey,
cfnConfiguration,
NDAS_PREFERENCES_FILE_CONFIGURATION,
kCFPreferencesAnyUser,
kCFPreferencesCurrentHost
);
// Write out the preference data.
CFPreferencesSynchronize(
NDAS_PREFERENCES_FILE_CONFIGURATION,
kCFPreferencesAnyUser,
kCFPreferencesCurrentHost
);
if (cfsKey) CFRelease(cfsKey);
if (cfnConfiguration) CFRelease(cfnConfiguration);
} else {
return false;
}
return true;
}
static krb5_error_code
od_dump_entry(krb5_context kcontext, HDB *db, hdb_entry_ex *entry, void *data)
{
CFErrorRef error = NULL;
CFDictionaryRef dict;
CFStringRef fn, uuidstr;
CFUUIDRef uuid;
CFURLRef url;
dict = HeimODDumpHdbEntry(&entry->entry, &error);
if (dict == NULL) {
if (error)
CFRelease(error);
return 0;
}
uuid = CFUUIDCreate(NULL);
if (uuid == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
uuidstr = CFUUIDCreateString(NULL, uuid);
CFRelease(uuid);
if (uuidstr == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
fn = CFStringCreateWithFormat(NULL, NULL, CFSTR("%s/%@.plist"), (char *)data, uuidstr);
CFRelease(uuidstr);
if (fn == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
url = CFURLCreateWithFileSystemPath(NULL, fn, kCFURLPOSIXPathStyle, false);
CFRelease(fn);
if (url == NULL) {
krb5_warnx(kcontext, "out of memory");
CFRelease(dict);
return 0;
}
CFDataRef xmldata = CFPropertyListCreateData(NULL, dict, kCFPropertyListXMLFormat_v1_0, 0, NULL);
CFRelease(dict);
if (xmldata == NULL) {
CFRelease(url);
krb5_warnx(kcontext, "out of memory");
return 0;
}
CFWriteStreamRef stream = CFWriteStreamCreateWithFile(NULL, url);
if (stream) {
if (CFWriteStreamOpen(stream))
CFWriteStreamWrite(stream, CFDataGetBytePtr(xmldata), CFDataGetLength(xmldata));
CFWriteStreamClose(stream);
CFRelease(stream);
}
CFRelease(url);
CFRelease(xmldata);
return 0;
}
static void testkeywrap(unsigned long keySizeInBits, CFTypeRef alg)
{
SecKeyRef pubKey = NULL, privKey = NULL;
size_t keySizeInBytes = (keySizeInBits + 7) / 8;
CFNumberRef kzib;
int32_t keysz32 = (int32_t)keySizeInBits;
CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault);
CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID);
CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
CFReleaseNull(ourUUID);
CFReleaseNull(uuidString);
CFStringAppend(publicName, CFSTR("-Public-41"));
CFStringAppend(privateName, CFSTR("-Private-41"));
CFDictionaryRef pubd = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrLabel, publicName,
NULL);
CFDictionaryRef privd = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrLabel, privateName,
NULL);
CFReleaseNull(publicName);
CFReleaseNull(privateName);
kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecAttrKeyType, kSecAttrKeyTypeEC,
kSecAttrKeySizeInBits, kzib,
kSecAttrIsPermanent, kCFBooleanFalse,
kSecPublicKeyAttrs, pubd,
kSecPrivateKeyAttrs, privd,
NULL);
CFReleaseNull(pubd);
CFReleaseNull(privd);
CFReleaseNull(kzib);
OSStatus status;
ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
"Generate %ld bit (%ld byte) persistent RSA keypair (status = %d)",
keySizeInBits, keySizeInBytes, (int)status);
CFReleaseNull(kgp);
CFErrorRef localError;
CFDataRef secret = CFDataCreate(NULL, (void *)"0123456789012345", 16);
ok(secret, "secret");
CFDataRef fp = CFDataCreate(NULL, (void *)"01234567890123456789", 20);
ok(fp, "fingerprint");
int8_t sym_alg_data = 8;
CFNumberRef symalg = CFNumberCreate(NULL, kCFNumberSInt8Type, &sym_alg_data);
CFDictionaryRef param = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
_kSecKeyWrapPGPWrapAlg, alg,
_kSecKeyWrapPGPSymAlg, symalg,
_kSecKeyWrapPGPFingerprint, fp,
NULL);
CFDataRef wrapped = _SecKeyCopyWrapKey(pubKey, kSecKeyWrapPublicKeyPGP, secret, param, NULL, &localError);
ok(wrapped, "wrap key: %@", localError);
CFDataRef unwrapped = _SecKeyCopyUnwrapKey(privKey, kSecKeyWrapPublicKeyPGP, wrapped, param, NULL, &localError);
ok(unwrapped, "unwrap key: %@", localError);
CFReleaseNull(symalg);
ok(CFEqual(unwrapped, secret), "keys still same");
CFReleaseNull(fp);
CFReleaseNull(secret);
CFReleaseNull(unwrapped);
CFReleaseNull(wrapped);
CFReleaseNull(param);
CFReleaseNull(privKey);
CFReleaseNull(pubKey);
}
bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags)
{
if (matchFlags == 0) { // playback; consult authority table for matches
DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep();
std::string screen;
if (CFRef<CFDataRef> info = rep->component(cdInfoSlot)) {
SHA1 hash;
hash.update(CFDataGetBytePtr(info), CFDataGetLength(info));
screen = createWhitelistScreen('I', hash);
} else if (rep->mainExecutableImage()) {
screen = "N";
} else {
SHA1 hash;
hashFileData(rep->mainExecutablePath().c_str(), &hash);
screen = createWhitelistScreen('M', hash);
}
SQLite::Statement query(*this,
"SELECT flags FROM authority "
"WHERE type = :type"
" AND NOT flags & :flag"
" AND CASE WHEN filter_unsigned IS NULL THEN remarks = :remarks ELSE filter_unsigned = :screen END");
query.bind(":type").integer(type);
query.bind(":flag").integer(kAuthorityFlagDefault);
query.bind(":screen") = screen;
query.bind(":remarks") = cfString(path);
if (!query.nextRow()) // guaranteed no matching rule
return false;
matchFlags = SQLite3::int64(query[0]);
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, (matchFlags & kAuthorityFlagWhitelistV2) ? kSecCSSignOpaque : kSecCSSignV1, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
SecRequirementRef dr = NULL;
SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &dr);
CFStringRef drs = NULL;
SecRequirementCopyString(dr, kSecCSDefaultFlags, &drs);
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
return true; // it worked; we're now (well) signed
} catch (...) { }
return false;
}
