Fix intendation

This commit is contained in:
opa334 2022-09-06 01:04:45 +02:00
parent 4d2bfbf667
commit 7d0f525f51
1 changed files with 203 additions and 203 deletions

View File

@ -24,7 +24,7 @@ extern NSString* BKSOpenApplicationOptionKeyActivateForEvent;
extern void BKSTerminateApplicationForReasonAndReportWithDescription(NSString *bundleID, int reasonID, bool report, NSString *description); extern void BKSTerminateApplicationForReasonAndReportWithDescription(NSString *bundleID, int reasonID, bool report, NSString *description);
typedef CF_OPTIONS(uint32_t, SecCSFlags) { typedef CF_OPTIONS(uint32_t, SecCSFlags) {
kSecCSDefaultFlags = 0 kSecCSDefaultFlags = 0
}; };
@ -202,213 +202,213 @@ int runLdid(NSArray* args, NSString** output, NSString** errorOutput)
SecStaticCodeRef getStaticCodeRef(NSString *binaryPath) SecStaticCodeRef getStaticCodeRef(NSString *binaryPath)
{ {
if(binaryPath == nil) if(binaryPath == nil)
{ {
return NULL; return NULL;
} }
CFURLRef binaryURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, (__bridge CFStringRef)binaryPath, kCFURLPOSIXPathStyle, false); CFURLRef binaryURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, (__bridge CFStringRef)binaryPath, kCFURLPOSIXPathStyle, false);
if(binaryURL == NULL) if(binaryURL == NULL)
{ {
NSLog(@"[getStaticCodeRef] failed to get URL to binary %@", binaryPath); NSLog(@"[getStaticCodeRef] failed to get URL to binary %@", binaryPath);
return NULL; return NULL;
} }
SecStaticCodeRef codeRef = NULL; SecStaticCodeRef codeRef = NULL;
OSStatus result; OSStatus result;
result = SecStaticCodeCreateWithPathAndAttributes(binaryURL, kSecCSDefaultFlags, NULL, &codeRef); result = SecStaticCodeCreateWithPathAndAttributes(binaryURL, kSecCSDefaultFlags, NULL, &codeRef);
CFRelease(binaryURL); CFRelease(binaryURL);
if(result != errSecSuccess) if(result != errSecSuccess)
{ {
NSLog(@"[getStaticCodeRef] failed to create static code for binary %@", binaryPath); NSLog(@"[getStaticCodeRef] failed to create static code for binary %@", binaryPath);
return NULL; return NULL;
} }
return codeRef; return codeRef;
} }
NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef) NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef)
{ {
if(codeRef == NULL) if(codeRef == NULL)
{ {
NSLog(@"[dumpEntitlements] attempting to dump entitlements without a StaticCodeRef"); NSLog(@"[dumpEntitlements] attempting to dump entitlements without a StaticCodeRef");
return nil; return nil;
} }
CFDictionaryRef signingInfo = NULL; CFDictionaryRef signingInfo = NULL;
OSStatus result; OSStatus result;
result = SecCodeCopySigningInformation(codeRef, kSecCSRequirementInformation, &signingInfo); result = SecCodeCopySigningInformation(codeRef, kSecCSRequirementInformation, &signingInfo);
if(result != errSecSuccess) if(result != errSecSuccess)
{ {
NSLog(@"[dumpEntitlements] failed to copy signing info from static code"); NSLog(@"[dumpEntitlements] failed to copy signing info from static code");
return nil; return nil;
} }
NSDictionary *entitlementsNSDict = nil; NSDictionary *entitlementsNSDict = nil;
CFDictionaryRef entitlements = CFDictionaryGetValue(signingInfo, kSecCodeInfoEntitlementsDict); CFDictionaryRef entitlements = CFDictionaryGetValue(signingInfo, kSecCodeInfoEntitlementsDict);
if(entitlements == NULL) if(entitlements == NULL)
{ {
NSLog(@"[dumpEntitlements] no entitlements specified"); NSLog(@"[dumpEntitlements] no entitlements specified");
} }
else if(CFGetTypeID(entitlements) != CFDictionaryGetTypeID()) else if(CFGetTypeID(entitlements) != CFDictionaryGetTypeID())
{ {
NSLog(@"[dumpEntitlements] invalid entitlements"); NSLog(@"[dumpEntitlements] invalid entitlements");
} }
else else
{ {
entitlementsNSDict = (__bridge NSDictionary *)(entitlements); entitlementsNSDict = (__bridge NSDictionary *)(entitlements);
NSLog(@"[dumpEntitlements] dumped %@", entitlementsNSDict); NSLog(@"[dumpEntitlements] dumped %@", entitlementsNSDict);
} }
CFRelease(signingInfo); CFRelease(signingInfo);
return entitlementsNSDict; return entitlementsNSDict;
} }
NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath) NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath)
{ {
// This function is intended for one-shot checks. Main-event functions should retain/release their own SecStaticCodeRefs // This function is intended for one-shot checks. Main-event functions should retain/release their own SecStaticCodeRefs
if(binaryPath == nil) if(binaryPath == nil)
{ {
return nil; return nil;
} }
SecStaticCodeRef codeRef = getStaticCodeRef(binaryPath); SecStaticCodeRef codeRef = getStaticCodeRef(binaryPath);
if(codeRef == NULL) if(codeRef == NULL)
{ {
return nil; return nil;
} }
NSDictionary *entitlements = dumpEntitlements(codeRef); NSDictionary *entitlements = dumpEntitlements(codeRef);
CFRelease(codeRef); CFRelease(codeRef);
return entitlements; return entitlements;
} }
BOOL certificateHasDataForExtensionOID(SecCertificateRef certificate, CFStringRef oidString) BOOL certificateHasDataForExtensionOID(SecCertificateRef certificate, CFStringRef oidString)
{ {
if(certificate == NULL || oidString == NULL) if(certificate == NULL || oidString == NULL)
{ {
NSLog(@"[certificateHasDataForExtensionOID] attempted to check null certificate or OID"); NSLog(@"[certificateHasDataForExtensionOID] attempted to check null certificate or OID");
return NO; return NO;
} }
CFDataRef extensionData = SecCertificateCopyExtensionValue(certificate, oidString, NULL); CFDataRef extensionData = SecCertificateCopyExtensionValue(certificate, oidString, NULL);
if(extensionData != NULL) if(extensionData != NULL)
{ {
CFRelease(extensionData); CFRelease(extensionData);
return YES; return YES;
} }
return NO; return NO;
} }
BOOL codeCertChainContainsFakeAppStoreExtensions(SecStaticCodeRef codeRef) BOOL codeCertChainContainsFakeAppStoreExtensions(SecStaticCodeRef codeRef)
{ {
if(codeRef == NULL) if(codeRef == NULL)
{ {
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] attempted to check cert chain of null static code object"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] attempted to check cert chain of null static code object");
return NO; return NO;
} }
CFDictionaryRef signingInfo = NULL; CFDictionaryRef signingInfo = NULL;
OSStatus result; OSStatus result;
result = SecCodeCopySigningInformation(codeRef, kSecCSSigningInformation, &signingInfo); result = SecCodeCopySigningInformation(codeRef, kSecCSSigningInformation, &signingInfo);
if(result != errSecSuccess) if(result != errSecSuccess)
{ {
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] failed to copy signing info from static code"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] failed to copy signing info from static code");
return NO; return NO;
} }
CFArrayRef certificates = CFDictionaryGetValue(signingInfo, kSecCodeInfoCertificates); CFArrayRef certificates = CFDictionaryGetValue(signingInfo, kSecCodeInfoCertificates);
if(certificates == NULL || CFArrayGetCount(certificates) == 0) if(certificates == NULL || CFArrayGetCount(certificates) == 0)
{ {
return NO; return NO;
} }
// If we match the standard Apple policy, we are signed properly, but we haven't been deliberately signed with a custom root // If we match the standard Apple policy, we are signed properly, but we haven't been deliberately signed with a custom root
SecPolicyRef appleAppStorePolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneApplicationSigning, NULL); SecPolicyRef appleAppStorePolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneApplicationSigning, NULL);
SecTrustRef trust = NULL; SecTrustRef trust = NULL;
SecTrustCreateWithCertificates(certificates, appleAppStorePolicy, &trust); SecTrustCreateWithCertificates(certificates, appleAppStorePolicy, &trust);
if(SecTrustEvaluateWithError(trust, nil)) if(SecTrustEvaluateWithError(trust, nil))
{ {
CFRelease(trust); CFRelease(trust);
CFRelease(appleAppStorePolicy); CFRelease(appleAppStorePolicy);
CFRelease(signingInfo); CFRelease(signingInfo);
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (App Store)"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (App Store)");
return NO; return NO;
} }
// We haven't matched Apple, so keep going. Is the app profile signed? // We haven't matched Apple, so keep going. Is the app profile signed?
CFRelease(appleAppStorePolicy); CFRelease(appleAppStorePolicy);
SecPolicyRef appleProfileSignedPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneProfileApplicationSigning, NULL); SecPolicyRef appleProfileSignedPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneProfileApplicationSigning, NULL);
if(SecTrustSetPolicies(trust, appleProfileSignedPolicy) != errSecSuccess) if(SecTrustSetPolicies(trust, appleProfileSignedPolicy) != errSecSuccess)
{ {
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for profile-signed app"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for profile-signed app");
CFRelease(trust); CFRelease(trust);
CFRelease(signingInfo); CFRelease(signingInfo);
return NO; return NO;
} }
if(SecTrustEvaluateWithError(trust, nil)) if(SecTrustEvaluateWithError(trust, nil))
{ {
CFRelease(trust); CFRelease(trust);
CFRelease(appleProfileSignedPolicy); CFRelease(appleProfileSignedPolicy);
CFRelease(signingInfo); CFRelease(signingInfo);
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (profile-signed)"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (profile-signed)");
return NO; return NO;
} }
// Still haven't matched Apple. Are we using a custom root that would take the App Store fastpath? // Still haven't matched Apple. Are we using a custom root that would take the App Store fastpath?
CFRelease(appleProfileSignedPolicy); CFRelease(appleProfileSignedPolicy);
// Cert chain should be of length 3 // Cert chain should be of length 3
if(CFArrayGetCount(certificates) != 3) if(CFArrayGetCount(certificates) != 3)
{ {
CFRelease(signingInfo); CFRelease(signingInfo);
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] certificate chain length != 3"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] certificate chain length != 3");
return NO; return NO;
} }
// AppleCodeSigning only checks for the codeSigning EKU by default // AppleCodeSigning only checks for the codeSigning EKU by default
SecPolicyRef customRootPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL); SecPolicyRef customRootPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL);
SecPolicySetOptionsValue(customRootPolicy, CFSTR("LeafMarkerOid"), CFSTR("1.2.840.113635.100.6.1.3")); SecPolicySetOptionsValue(customRootPolicy, CFSTR("LeafMarkerOid"), CFSTR("1.2.840.113635.100.6.1.3"));
if(SecTrustSetPolicies(trust, customRootPolicy) != errSecSuccess) if(SecTrustSetPolicies(trust, customRootPolicy) != errSecSuccess)
{ {
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for custom root"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for custom root");
CFRelease(trust); CFRelease(trust);
CFRelease(signingInfo); CFRelease(signingInfo);
return NO; return NO;
} }
// Need to add our certificate chain to the anchor as it is expected to be a self-signed root // Need to add our certificate chain to the anchor as it is expected to be a self-signed root
SecTrustSetAnchorCertificates(trust, certificates); SecTrustSetAnchorCertificates(trust, certificates);
BOOL evaluatesToCustomAnchor = SecTrustEvaluateWithError(trust, nil); BOOL evaluatesToCustomAnchor = SecTrustEvaluateWithError(trust, nil);
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] app signed with non-Apple certificate %@ using valid custom certificates", evaluatesToCustomAnchor ? @"IS" : @"is NOT"); NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] app signed with non-Apple certificate %@ using valid custom certificates", evaluatesToCustomAnchor ? @"IS" : @"is NOT");
CFRelease(trust); CFRelease(trust);
CFRelease(customRootPolicy); CFRelease(customRootPolicy);
CFRelease(signingInfo); CFRelease(signingInfo);
return evaluatesToCustomAnchor; return evaluatesToCustomAnchor;
} }
BOOL signApp(NSString* appPath, NSError** error) BOOL signApp(NSString* appPath, NSError** error)
@ -421,32 +421,32 @@ BOOL signApp(NSString* appPath, NSError** error)
if(![[NSFileManager defaultManager] fileExistsAtPath:executablePath]) return NO; if(![[NSFileManager defaultManager] fileExistsAtPath:executablePath]) return NO;
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"]; NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]]) if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
{ {
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now // if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned; NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
if([tsBundleIsPreSignedNum boolValue] == YES) if([tsBundleIsPreSignedNum boolValue] == YES)
{ {
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", executablePath); NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", executablePath);
return YES; return YES;
} }
} }
SecStaticCodeRef codeRef = getStaticCodeRef(executablePath); SecStaticCodeRef codeRef = getStaticCodeRef(executablePath);
if(codeRef != NULL) if(codeRef != NULL)
{ {
if(codeCertChainContainsFakeAppStoreExtensions(codeRef)) if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
{ {
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", executablePath); NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", executablePath);
CFRelease(codeRef); CFRelease(codeRef);
return YES; return YES;
} }
} }
else else
{ {
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", executablePath); NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", executablePath);
} }
if(!isLdidInstalled()) return NO; if(!isLdidInstalled()) return NO;
@ -456,8 +456,8 @@ BOOL signApp(NSString* appPath, NSError** error)
NSString* errorOutput; NSString* errorOutput;
int ldidRet; int ldidRet;
NSDictionary* entitlements = dumpEntitlements(codeRef); NSDictionary* entitlements = dumpEntitlements(codeRef);
CFRelease(codeRef); CFRelease(codeRef);
if(!entitlements) if(!entitlements)
{ {