#include "codesigdb.h"
#include "process.h"
#include "server.h"
#include "agentquery.h"
#include <Security/memutils.h>
class DbKey : public CssmAutoData {
public:
DbKey(char type, const CssmData &key, bool perUser = false, uid_t user = 0);
};
DbKey::DbKey(char type, const CssmData &key, bool perUser, uid_t user)
: CssmAutoData(CssmAllocator::standard())
{
using namespace LowLevelMemoryUtilities;
char header[20];
size_t headerLength;
if (perUser)
headerLength = 1 + sprintf(header, "%c%d", type, user);
else
headerLength = 1 + sprintf(header, "%cS", type);
malloc(headerLength + key.length());
memcpy(this->data(), header, headerLength);
memcpy(get().at(headerLength), key.data(), key.length());
}
class AclIdentity : public CodeSignatures::Identity {
public:
AclIdentity(const CodeSigning::Signature *sig, const char *comment)
: mHash(*sig), mPath(comment ? comment : "") { }
AclIdentity(const CssmData &hash, const char *comment)
: mHash(hash), mPath(comment ? comment : "") { }
protected:
std::string getPath() const { return mPath; }
const CssmData getHash(CodeSigning::OSXSigner &) const { return mHash; }
private:
const CssmData mHash;
std::string mPath;
};
CodeSignatures::CodeSignatures(const char *path)
{
try {
mDb.open(path, O_RDWR | O_CREAT, 0644);
} catch (const CssmCommonError &err) {
try {
mDb.open(path, O_RDONLY, 0644);
Syslog::warning("database %s opened READONLY (R/W failed errno=%d)", path, err.unixError());
secdebug("codesign", "database %s opened READONLY (R/W failed errno=%d)", path, err.unixError());
} catch (...) {
Syslog::warning("cannot open %s; using no code equivalents", path);
secdebug("codesign", "unable to open %s; using no code equivalents", path);
}
}
if (mDb)
mDb.flush(); IFDUMPING("equiv", debugDump("open"));
}
CodeSignatures::~CodeSignatures()
{
}
void CodeSignatures::open(const char *path)
{
mDb.open(path, O_RDWR | O_CREAT, 0644);
mDb.flush();
IFDUMPING("equiv", debugDump("reopen"));
}
CodeSignatures::Identity::Identity() : mState(untried)
{ }
CodeSignatures::Identity::~Identity()
{ }
string CodeSignatures::Identity::canonicalName(const string &path)
{
string::size_type slash = path.rfind('/');
if (slash == string::npos) return path;
return path.substr(slash+1);
}
bool CodeSignatures::find(Identity &id, uid_t user)
{
if (id.mState != Identity::untried)
return id.mState == Identity::valid;
try {
DbKey userKey('H', id.getHash(mSigner), true, user);
CssmData linkValue;
if (mDb.get(userKey, linkValue)) {
id.mName = string(linkValue.interpretedAs<const char>(), linkValue.length());
IFDUMPING("equiv", id.debugDump("found/user"));
id.mState = Identity::valid;
return true;
}
DbKey sysKey('H', id.getHash(mSigner));
if (mDb.get(sysKey, linkValue)) {
id.mName = string(linkValue.interpretedAs<const char>(), linkValue.length());
IFDUMPING("equiv", id.debugDump("found/system"));
id.mState = Identity::valid;
return true;
}
} catch (...) {
secdebug("codesign", "exception validating identity for %s - marking failed", id.path().c_str());
id.mState = Identity::invalid;
}
return id.mState == Identity::valid;
}
void CodeSignatures::makeLink(Identity &id, const string &ident, bool forUser, uid_t user)
{
DbKey key('H', id.getHash(mSigner), forUser, user);
if (!mDb.put(key, StringData(ident)))
UnixError::throwMe();
}
void CodeSignatures::makeApplication(const std::string &name, const std::string &path)
{
}
void CodeSignatures::addLink(const CssmData &oldHash, const CssmData &newHash,
const char *inName, bool forSystem)
{
string name = Identity::canonicalName(inName);
uid_t user = Server::connection().process.uid();
if (forSystem && user) UnixError::throwMe(EACCES);
if (!forSystem) UnixError::throwMe(EACCES);
AclIdentity oldCode(oldHash, name.c_str());
AclIdentity newCode(newHash, name.c_str());
secdebug("codesign", "addlink for name %s", name.c_str());
StLock<Mutex> _(mDatabaseLock);
if (oldCode) {
if (oldCode.trustedName() != name) {
secdebug("codesign", "addlink does not match existing name %s",
oldCode.trustedName().c_str());
MacOSError::throwMe(CSSMERR_CSP_VERIFY_FAILED);
}
} else {
makeLink(oldCode, name, !forSystem, user);
}
if (!newCode)
makeLink(newCode, name, !forSystem, user);
mDb.flush();
}
void CodeSignatures::removeLink(const CssmData &hash, const char *name, bool forSystem)
{
AclIdentity code(hash, name);
uid_t user = Server::connection().process.uid();
if (forSystem && user) UnixError::throwMe(EACCES);
DbKey key('H', hash, !forSystem, user);
StLock<Mutex> _(mDatabaseLock);
mDb.erase(key);
mDb.flush();
}
bool CodeSignatures::verify(Process &process,
const CodeSigning::Signature *trustedSignature, const CssmData *comment)
{
secdebug("codesign", "start verify");
if (!process.clientCode()) {
secdebug("codesign", "no code base: fail");
return false;
}
Identity &clientIdentity = process;
try {
if (clientIdentity.getHash(mSigner) == CssmData(*trustedSignature)) {
secdebug("codesign", "direct match: pass");
return true;
}
} catch (...) {
secdebug("codesign", "exception getting client code hash: fail");
return false;
}
AclIdentity aclIdentity(trustedSignature, comment ? comment->interpretedAs<const char>() : NULL);
uid_t user = process.uid();
{
StLock<Mutex> _(mDatabaseLock);
find(aclIdentity, user);
find(clientIdentity, user);
}
if (aclIdentity && clientIdentity) {
if (aclIdentity.trustedName() == clientIdentity.trustedName()) {
secdebug("codesign", "app references match: pass");
return true;
} else {
secdebug("codesign", "client/acl links exist but are unequal: fail");
return false;
}
}
secdebug("codesign", "matching client %s against acl %s",
clientIdentity.name().c_str(), aclIdentity.name().c_str());
if (aclIdentity.name() != clientIdentity.name()) {
secdebug("codesign", "name/path mismatch: fail");
return false;
}
Server::active().longTermActivity();
StLock<Mutex> uiLocker(mUILock);
{
StLock<Mutex> _(mDatabaseLock);
find(aclIdentity, user);
find(clientIdentity, user);
}
if (aclIdentity && clientIdentity) {
if (aclIdentity.trustedName() == clientIdentity.trustedName()) {
secdebug("codesign", "app references match: pass (on the rematch)");
return true;
} else {
secdebug("codesign", "client/acl links exist but are unequal: fail (on the rematch)");
return false;
}
}
QueryCodeCheck query;
query(aclIdentity.path().c_str());
if (!query.allowAccess) {
secdebug("codesign", "user declined equivalence: fail");
return false;
}
StLock<Mutex> _(mDatabaseLock);
if (aclIdentity) {
makeLink(clientIdentity, aclIdentity.trustedName(), true, user);
mDb.flush();
secdebug("codesign", "client %s linked to application %s: pass",
clientIdentity.path().c_str(), aclIdentity.trustedName().c_str());
return true;
}
if (clientIdentity) { makeLink(aclIdentity, clientIdentity.trustedName(), true, user);
mDb.flush();
secdebug("codesign", "acl %s linked to client %s: pass",
aclIdentity.path().c_str(), clientIdentity.trustedName().c_str());
return true;
}
string ident = clientIdentity.name();
makeApplication(ident, clientIdentity.path());
makeLink(clientIdentity, ident, true, user);
makeLink(aclIdentity, ident, true, user);
mDb.flush();
secdebug("codesign", "new linkages established: pass");
return true;
}
#if defined(DEBUGDUMP)
void CodeSignatures::debugDump(const char *how) const
{
using namespace Debug;
using namespace LowLevelMemoryUtilities;
if (!how)
how = "dump";
CssmData key, value;
if (!mDb.first(key, value)) {
dump("CODE EQUIVALENTS DATABASE IS EMPTY (%s)\n", how);
} else {
dump("CODE EQUIVALENTS DATABASE DUMP (%s)\n", how);
do {
const char *header = key.interpretedAs<const char>();
size_t headerLength = strlen(header) + 1;
dump("%s:", header);
dumpData(key.at(headerLength), key.length() - headerLength);
dump(" => ");
dumpData(value);
dump("\n");
} while (mDb.next(key, value));
dump("END DUMP\n");
}
}
void CodeSignatures::Identity::debugDump(const char *how) const
{
using namespace Debug;
if (!how)
how = "dump";
dump("IDENTITY (%s) path=%s", how, getPath().c_str());
dump(" name=%s hash=", mName.empty() ? "(unset)" : mName.c_str());
CodeSigning::OSXSigner signer;
dumpData(getHash(signer));
dump("\n");
}
#endif //DEBUGDUMP