]> git.cameronkatri.com Git - ldid.git/blob - ldid.cpp
6bcc2482f545aa5303e900fac3fc828cdded0248
[ldid.git] / ldid.cpp
1 /* ldid - (Mach-O) Link-Loader Identity Editor
2 * Copyright (C) 2007-2015 Jay Freeman (saurik)
3 */
4
5 /* SPDX-License-Identifier: AGPL-3.0-only */
6 /* GNU Affero General Public License, Version 3 {{{ */
7 /*
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU Affero General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU Affero General Public License for more details.
17
18 * You should have received a copy of the GNU Affero General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 **/
21 /* }}} */
22
23 #include <algorithm>
24 #include <cstdio>
25 #include <cstdlib>
26 #include <cstring>
27 #include <fstream>
28 #include <iostream>
29 #include <memory>
30 #include <set>
31 #include <sstream>
32 #include <string>
33 #include <vector>
34
35 #include <dirent.h>
36 #include <errno.h>
37 #include <fcntl.h>
38 #include <regex.h>
39 #include <stdbool.h>
40 #include <stdint.h>
41 #include <unistd.h>
42
43 #include <sys/mman.h>
44 #include <sys/stat.h>
45 #include <sys/types.h>
46
47 #include <openssl/opensslv.h>
48 # if OPENSSL_VERSION_MAJOR >= 3
49 # include <openssl/provider.h>
50 # endif
51 #include <openssl/err.h>
52 #include <openssl/pem.h>
53 #include <openssl/pkcs7.h>
54 #include <openssl/pkcs12.h>
55 #include <openssl/ui.h>
56
57 #include <openssl/evp.h>
58
59 #include <plist/plist.h>
60
61 #include "ldid.hpp"
62
63 #include "machine.h"
64
65 #define _assert___(line) \
66 #line
67 #define _assert__(line) \
68 _assert___(line)
69
70 #ifndef $
71 #define $(value) value
72 #endif
73
74 #ifdef __EXCEPTIONS
75 #define _assert_(expr, format, ...) \
76 do if (!(expr)) { \
77 fprintf(stderr, $("%s(%u): _assert(): " format "\n"), __FILE__, __LINE__, ## __VA_ARGS__); \
78 throw $(__FILE__ "(" _assert__(__LINE__) "): _assert(" #expr ")"); \
79 } while (false)
80 #else
81 // XXX: this is not acceptable
82 #define _assert_(expr, format, ...) \
83 do if (!(expr)) { \
84 fprintf(stderr, $("%s(%u): _assert(): " format "\n"), __FILE__, __LINE__, ## __VA_ARGS__); \
85 exit(-1); \
86 } while (false)
87 #endif
88
89 #define _assert(expr) \
90 _assert_(expr, "%s", $(#expr))
91
92 #define _syscall(expr, ...) [&] { for (;;) { \
93 auto _value(expr); \
94 if ((long) _value != -1) \
95 return _value; \
96 int error(errno); \
97 if (error == EINTR) \
98 continue; \
99 /* XXX: EINTR is included in this list to fix g++ */ \
100 for (auto success : (long[]) {EINTR, __VA_ARGS__}) \
101 if (error == success) \
102 return (decltype(expr)) -success; \
103 fprintf(stderr, "ldid: %s: %s\n", __func__, strerror(error)); \
104 exit(1); \
105 } }()
106
107 #define _trace() \
108 fprintf(stderr, $("_trace(%s:%u): %s\n"), __FILE__, __LINE__, $(__FUNCTION__))
109
110 #define _not(type) \
111 ((type) ~ (type) 0)
112
113 #define _packed \
114 __attribute__((packed))
115
116 std::string password;
117 std::vector<std::string> cleanup;
118
119 template <typename Type_>
120 struct Iterator_ {
121 typedef typename Type_::const_iterator Result;
122 };
123
124 #define _foreach(item, list) \
125 for (bool _stop(true); _stop; ) \
126 for (const __typeof__(list) &_list = (list); _stop; _stop = false) \
127 for (Iterator_<__typeof__(list)>::Result _item = _list.begin(); _item != _list.end(); ++_item) \
128 for (bool _suck(true); _suck; _suck = false) \
129 for (const __typeof__(*_item) &item = *_item; _suck; _suck = false)
130
131 class _Scope {
132 };
133
134 template <typename Function_>
135 class Scope :
136 public _Scope
137 {
138 private:
139 Function_ function_;
140
141 public:
142 Scope(const Function_ &function) :
143 function_(function)
144 {
145 }
146
147 ~Scope() {
148 function_();
149 }
150 };
151
152 template <typename Function_>
153 Scope<Function_> _scope(const Function_ &function) {
154 return Scope<Function_>(function);
155 }
156
157 #define _scope__(counter, function) \
158 __attribute__((__unused__)) \
159 const _Scope &_scope ## counter(_scope([&]function))
160 #define _scope_(counter, function) \
161 _scope__(counter, function)
162 #define _scope(function) \
163 _scope_(__COUNTER__, function)
164
165 struct fat_header {
166 uint32_t magic;
167 uint32_t nfat_arch;
168 } _packed;
169
170 #define FAT_MAGIC 0xcafebabe
171 #define FAT_CIGAM 0xbebafeca
172
173 struct fat_arch {
174 uint32_t cputype;
175 uint32_t cpusubtype;
176 uint32_t offset;
177 uint32_t size;
178 uint32_t align;
179 } _packed;
180
181 struct mach_header {
182 uint32_t magic;
183 uint32_t cputype;
184 uint32_t cpusubtype;
185 uint32_t filetype;
186 uint32_t ncmds;
187 uint32_t sizeofcmds;
188 uint32_t flags;
189 } _packed;
190
191 #define MH_MAGIC 0xfeedface
192 #define MH_CIGAM 0xcefaedfe
193
194 #define MH_MAGIC_64 0xfeedfacf
195 #define MH_CIGAM_64 0xcffaedfe
196
197 #define MH_DYLDLINK 0x4
198
199 #define MH_OBJECT 0x1
200 #define MH_EXECUTE 0x2
201 #define MH_DYLIB 0x6
202 #define MH_DYLINKER 0x7
203 #define MH_BUNDLE 0x8
204 #define MH_DYLIB_STUB 0x9
205
206 struct load_command {
207 uint32_t cmd;
208 uint32_t cmdsize;
209 } _packed;
210
211 #define LC_REQ_DYLD uint32_t(0x80000000)
212
213 #define LC_SEGMENT uint32_t(0x01)
214 #define LC_SYMTAB uint32_t(0x02)
215 #define LC_DYSYMTAB uint32_t(0x0b)
216 #define LC_LOAD_DYLIB uint32_t(0x0c)
217 #define LC_ID_DYLIB uint32_t(0x0d)
218 #define LC_SEGMENT_64 uint32_t(0x19)
219 #define LC_UUID uint32_t(0x1b)
220 #define LC_CODE_SIGNATURE uint32_t(0x1d)
221 #define LC_SEGMENT_SPLIT_INFO uint32_t(0x1e)
222 #define LC_REEXPORT_DYLIB uint32_t(0x1f | LC_REQ_DYLD)
223 #define LC_ENCRYPTION_INFO uint32_t(0x21)
224 #define LC_DYLD_INFO uint32_t(0x22)
225 #define LC_DYLD_INFO_ONLY uint32_t(0x22 | LC_REQ_DYLD)
226 #define LC_ENCRYPTION_INFO_64 uint32_t(0x2c)
227
228 union Version {
229 struct {
230 uint8_t patch;
231 uint8_t minor;
232 uint16_t major;
233 } _packed;
234
235 uint32_t value;
236 };
237
238 struct dylib {
239 uint32_t name;
240 uint32_t timestamp;
241 uint32_t current_version;
242 uint32_t compatibility_version;
243 } _packed;
244
245 struct dylib_command {
246 uint32_t cmd;
247 uint32_t cmdsize;
248 struct dylib dylib;
249 } _packed;
250
251 struct uuid_command {
252 uint32_t cmd;
253 uint32_t cmdsize;
254 uint8_t uuid[16];
255 } _packed;
256
257 struct symtab_command {
258 uint32_t cmd;
259 uint32_t cmdsize;
260 uint32_t symoff;
261 uint32_t nsyms;
262 uint32_t stroff;
263 uint32_t strsize;
264 } _packed;
265
266 struct dyld_info_command {
267 uint32_t cmd;
268 uint32_t cmdsize;
269 uint32_t rebase_off;
270 uint32_t rebase_size;
271 uint32_t bind_off;
272 uint32_t bind_size;
273 uint32_t weak_bind_off;
274 uint32_t weak_bind_size;
275 uint32_t lazy_bind_off;
276 uint32_t lazy_bind_size;
277 uint32_t export_off;
278 uint32_t export_size;
279 } _packed;
280
281 struct dysymtab_command {
282 uint32_t cmd;
283 uint32_t cmdsize;
284 uint32_t ilocalsym;
285 uint32_t nlocalsym;
286 uint32_t iextdefsym;
287 uint32_t nextdefsym;
288 uint32_t iundefsym;
289 uint32_t nundefsym;
290 uint32_t tocoff;
291 uint32_t ntoc;
292 uint32_t modtaboff;
293 uint32_t nmodtab;
294 uint32_t extrefsymoff;
295 uint32_t nextrefsyms;
296 uint32_t indirectsymoff;
297 uint32_t nindirectsyms;
298 uint32_t extreloff;
299 uint32_t nextrel;
300 uint32_t locreloff;
301 uint32_t nlocrel;
302 } _packed;
303
304 struct dylib_table_of_contents {
305 uint32_t symbol_index;
306 uint32_t module_index;
307 } _packed;
308
309 struct dylib_module {
310 uint32_t module_name;
311 uint32_t iextdefsym;
312 uint32_t nextdefsym;
313 uint32_t irefsym;
314 uint32_t nrefsym;
315 uint32_t ilocalsym;
316 uint32_t nlocalsym;
317 uint32_t iextrel;
318 uint32_t nextrel;
319 uint32_t iinit_iterm;
320 uint32_t ninit_nterm;
321 uint32_t objc_module_info_addr;
322 uint32_t objc_module_info_size;
323 } _packed;
324
325 struct dylib_reference {
326 uint32_t isym:24;
327 uint32_t flags:8;
328 } _packed;
329
330 struct relocation_info {
331 int32_t r_address;
332 uint32_t r_symbolnum:24;
333 uint32_t r_pcrel:1;
334 uint32_t r_length:2;
335 uint32_t r_extern:1;
336 uint32_t r_type:4;
337 } _packed;
338
339 struct nlist {
340 union {
341 char *n_name;
342 int32_t n_strx;
343 } n_un;
344
345 uint8_t n_type;
346 uint8_t n_sect;
347 uint8_t n_desc;
348 uint32_t n_value;
349 } _packed;
350
351 struct segment_command {
352 uint32_t cmd;
353 uint32_t cmdsize;
354 char segname[16];
355 uint32_t vmaddr;
356 uint32_t vmsize;
357 uint32_t fileoff;
358 uint32_t filesize;
359 uint32_t maxprot;
360 uint32_t initprot;
361 uint32_t nsects;
362 uint32_t flags;
363 } _packed;
364
365 struct segment_command_64 {
366 uint32_t cmd;
367 uint32_t cmdsize;
368 char segname[16];
369 uint64_t vmaddr;
370 uint64_t vmsize;
371 uint64_t fileoff;
372 uint64_t filesize;
373 uint32_t maxprot;
374 uint32_t initprot;
375 uint32_t nsects;
376 uint32_t flags;
377 } _packed;
378
379 struct section {
380 char sectname[16];
381 char segname[16];
382 uint32_t addr;
383 uint32_t size;
384 uint32_t offset;
385 uint32_t align;
386 uint32_t reloff;
387 uint32_t nreloc;
388 uint32_t flags;
389 uint32_t reserved1;
390 uint32_t reserved2;
391 } _packed;
392
393 struct section_64 {
394 char sectname[16];
395 char segname[16];
396 uint64_t addr;
397 uint64_t size;
398 uint32_t offset;
399 uint32_t align;
400 uint32_t reloff;
401 uint32_t nreloc;
402 uint32_t flags;
403 uint32_t reserved1;
404 uint32_t reserved2;
405 uint32_t reserved3;
406 } _packed;
407
408 struct linkedit_data_command {
409 uint32_t cmd;
410 uint32_t cmdsize;
411 uint32_t dataoff;
412 uint32_t datasize;
413 } _packed;
414
415 struct encryption_info_command {
416 uint32_t cmd;
417 uint32_t cmdsize;
418 uint32_t cryptoff;
419 uint32_t cryptsize;
420 uint32_t cryptid;
421 } _packed;
422
423 #define BIND_OPCODE_MASK 0xf0
424 #define BIND_IMMEDIATE_MASK 0x0f
425 #define BIND_OPCODE_DONE 0x00
426 #define BIND_OPCODE_SET_DYLIB_ORDINAL_IMM 0x10
427 #define BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB 0x20
428 #define BIND_OPCODE_SET_DYLIB_SPECIAL_IMM 0x30
429 #define BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM 0x40
430 #define BIND_OPCODE_SET_TYPE_IMM 0x50
431 #define BIND_OPCODE_SET_ADDEND_SLEB 0x60
432 #define BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB 0x70
433 #define BIND_OPCODE_ADD_ADDR_ULEB 0x80
434 #define BIND_OPCODE_DO_BIND 0x90
435 #define BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB 0xa0
436 #define BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED 0xb0
437 #define BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB 0xc0
438
439 struct : ldid::Progress {
440 virtual void operator()(const std::string &value) const {
441 }
442
443 virtual void operator()(double value) const {
444 }
445 } dummy_;
446
447 struct Progression : ldid::Progress {
448 const ldid::Progress &progress_;
449 std::string name_;
450
451 Progression(const ldid::Progress &progress, const std::string &name) :
452 progress_(progress),
453 name_(name)
454 {
455 }
456
457 virtual void operator()(const std::string &value) const {
458 return progress_(name_ + " (" + value + ")");
459 }
460
461 virtual void operator()(double value) const {
462 return progress_(value);
463 }
464 };
465
466 static std::streamsize read(std::streambuf &stream, void *data, size_t size) {
467 auto writ(stream.sgetn(static_cast<char *>(data), size));
468 _assert(writ >= 0);
469 return writ;
470 }
471
472 static inline void put(std::streambuf &stream, uint8_t value) {
473 _assert(stream.sputc(value) != EOF);
474 }
475
476 static inline void get(std::streambuf &stream, void *data, size_t size) {
477 _assert(read(stream, data, size) == size);
478 }
479
480 static inline void put(std::streambuf &stream, const void *data, size_t size) {
481 _assert(stream.sputn(static_cast<const char *>(data), size) == size);
482 }
483
484 static inline void put(std::streambuf &stream, const void *data, size_t size, const ldid::Progress &progress) {
485 progress(0);
486 for (size_t total(0); total != size;) {
487 auto writ(std::min(size - total, size_t(4096 * 4)));
488 _assert(stream.sputn(static_cast<const char *>(data) + total, writ) == writ);
489 total += writ;
490 progress(double(total) / size);
491 }
492 }
493
494 static inline void put(std::streambuf &stream, const std::string &data) {
495 return put(stream, data.data(), data.size());
496 }
497
498 static size_t most(std::streambuf &stream, void *data, size_t size) {
499 size_t total(size);
500 while (size > 0)
501 if (auto writ = read(stream, data, size))
502 size -= writ;
503 else break;
504 return total - size;
505 }
506
507 static inline void pad(std::streambuf &stream, size_t size) {
508 char padding[size];
509 memset(padding, 0, size);
510 put(stream, padding, size);
511 }
512
513 template <typename Type_>
514 Type_ Align(Type_ value, size_t align) {
515 value += align - 1;
516 value /= align;
517 value *= align;
518 return value;
519 }
520
521 static const uint8_t PageShift_(0x0c);
522 static const uint32_t PageSize_(1 << PageShift_);
523
524 static inline unsigned bytes(uint64_t value) {
525 return (64 - __builtin_clzll(value) + 7) / 8;
526 }
527
528 static void put(std::streambuf &stream, uint64_t value, size_t length) {
529 length *= 8;
530 do put(stream, uint8_t(value >> (length -= 8)));
531 while (length != 0);
532 }
533
534 static void der(std::streambuf &stream, uint64_t value) {
535 if (value < 128)
536 put(stream, value);
537 else {
538 unsigned length(bytes(value));
539 put(stream, 0x80 | length);
540 put(stream, value, length);
541 }
542 }
543
544 static std::string der(uint8_t tag, const char *value, size_t length) {
545 std::stringbuf data;
546 put(data, tag);
547 der(data, length);
548 put(data, value, length);
549 return data.str();
550 }
551
552 static std::string der(uint8_t tag, const char *value) {
553 return der(tag, value, strlen(value)); }
554 static std::string der(uint8_t tag, const std::string &value) {
555 return der(tag, value.data(), value.size()); }
556
557 template <typename Type_>
558 static void der_(std::stringbuf &data, const Type_ &values) {
559 size_t size(0);
560 for (const auto &value : values)
561 size += value.size();
562 der(data, size);
563 for (const auto &value : values)
564 put(data, value);
565 }
566
567 static std::string der(const std::vector<std::string> &values) {
568 std::stringbuf data;
569 put(data, 0x30);
570 der_(data, values);
571 return data.str();
572 }
573
574 static std::string der(const std::multiset<std::string> &values) {
575 std::stringbuf data;
576 put(data, 0x31);
577 der_(data, values);
578 return data.str();
579 }
580
581 static std::string der(const std::pair<std::string, std::string> &value) {
582 const auto key(der(0x0c, value.first));
583 std::stringbuf data;
584 put(data, 0x30);
585 der(data, key.size() + value.second.size());
586 put(data, key);
587 put(data, value.second);
588 return data.str();
589 }
590
591 static std::string der(plist_t data) {
592 switch (const auto type = plist_get_node_type(data)) {
593 case PLIST_BOOLEAN: {
594 uint8_t value(0);
595 plist_get_bool_val(data, &value);
596
597 std::stringbuf data;
598 put(data, 0x01);
599 der(data, 1);
600 put(data, value != 0 ? 1 : 0);
601 return data.str();
602 } break;
603
604 case PLIST_UINT: {
605 uint64_t value;
606 plist_get_uint_val(data, &value);
607 const auto length(bytes(value));
608
609 std::stringbuf data;
610 put(data, 0x02);
611 der(data, length);
612 put(data, value, length);
613 return data.str();
614 } break;
615
616 case PLIST_REAL: {
617 fprintf(stderr, "ldid: Invalid plist entry type\n");
618 exit(1);
619 } break;
620
621 case PLIST_DATE: {
622 fprintf(stderr, "ldid: Invalid plist entry type\n");
623 exit(1);
624 } break;
625
626 case PLIST_DATA: {
627 char *value;
628 uint64_t length;
629 plist_get_data_val(data, &value, &length);
630 _scope({ free(value); });
631 return der(0x04, value, length);
632 } break;
633
634 case PLIST_STRING: {
635 char *value;
636 plist_get_string_val(data, &value);
637 _scope({ free(value); });
638 return der(0x0c, value);
639 } break;
640
641 case PLIST_ARRAY: {
642 std::vector<std::string> values;
643 for (auto e(plist_array_get_size(data)), i(decltype(e)(0)); i != e; ++i)
644 values.push_back(der(plist_array_get_item(data, i)));
645 return der(values);
646 } break;
647
648 case PLIST_DICT: {
649 std::multiset<std::string> values;
650
651 plist_dict_iter iterator(NULL);
652 plist_dict_new_iter(data, &iterator);
653 _scope({ free(iterator); });
654
655 for (;;) {
656 char *key(NULL);
657 plist_t value(NULL);
658 plist_dict_next_item(data, iterator, &key, &value);
659 if (key == NULL)
660 break;
661 _scope({ free(key); });
662 values.insert(der(std::make_pair(key, der(value))));
663 }
664
665 return der(values);
666 } break;
667
668 default: {
669 fprintf(stderr, "ldid: Unsupported plist type %d", type);
670 exit(1);
671 } break;
672 }
673 }
674
675 static inline uint16_t Swap_(uint16_t value) {
676 return
677 ((value >> 8) & 0x00ff) |
678 ((value << 8) & 0xff00);
679 }
680
681 static inline uint32_t Swap_(uint32_t value) {
682 value = ((value >> 8) & 0x00ff00ff) |
683 ((value << 8) & 0xff00ff00);
684 value = ((value >> 16) & 0x0000ffff) |
685 ((value << 16) & 0xffff0000);
686 return value;
687 }
688
689 static inline uint64_t Swap_(uint64_t value) {
690 value = (value & 0x00000000ffffffff) << 32 | (value & 0xffffffff00000000) >> 32;
691 value = (value & 0x0000ffff0000ffff) << 16 | (value & 0xffff0000ffff0000) >> 16;
692 value = (value & 0x00ff00ff00ff00ff) << 8 | (value & 0xff00ff00ff00ff00) >> 8;
693 return value;
694 }
695
696 static inline int16_t Swap_(int16_t value) {
697 return Swap_(static_cast<uint16_t>(value));
698 }
699
700 static inline int32_t Swap_(int32_t value) {
701 return Swap_(static_cast<uint32_t>(value));
702 }
703
704 static inline int64_t Swap_(int64_t value) {
705 return Swap_(static_cast<uint64_t>(value));
706 }
707
708 static bool little_(true);
709
710 static inline uint16_t Swap(uint16_t value) {
711 return little_ ? Swap_(value) : value;
712 }
713
714 static inline uint32_t Swap(uint32_t value) {
715 return little_ ? Swap_(value) : value;
716 }
717
718 static inline uint64_t Swap(uint64_t value) {
719 return little_ ? Swap_(value) : value;
720 }
721
722 static inline int16_t Swap(int16_t value) {
723 return Swap(static_cast<uint16_t>(value));
724 }
725
726 static inline int32_t Swap(int32_t value) {
727 return Swap(static_cast<uint32_t>(value));
728 }
729
730 static inline int64_t Swap(int64_t value) {
731 return Swap(static_cast<uint64_t>(value));
732 }
733
734 class Swapped {
735 protected:
736 bool swapped_;
737
738 Swapped() :
739 swapped_(false)
740 {
741 }
742
743 public:
744 Swapped(bool swapped) :
745 swapped_(swapped)
746 {
747 }
748
749 template <typename Type_>
750 Type_ Swap(Type_ value) const {
751 return swapped_ ? Swap_(value) : value;
752 }
753 };
754
755 class Data :
756 public Swapped
757 {
758 private:
759 void *base_;
760 size_t size_;
761
762 public:
763 Data(void *base, size_t size) :
764 base_(base),
765 size_(size)
766 {
767 }
768
769 void *GetBase() const {
770 return base_;
771 }
772
773 size_t GetSize() const {
774 return size_;
775 }
776 };
777
778 class MachHeader :
779 public Data
780 {
781 private:
782 bool bits64_;
783
784 struct mach_header *mach_header_;
785 struct load_command *load_command_;
786
787 public:
788 MachHeader(void *base, size_t size) :
789 Data(base, size)
790 {
791 mach_header_ = (mach_header *) base;
792
793 switch (Swap(mach_header_->magic)) {
794 case MH_CIGAM:
795 swapped_ = !swapped_;
796 case MH_MAGIC:
797 bits64_ = false;
798 break;
799
800 case MH_CIGAM_64:
801 swapped_ = !swapped_;
802 case MH_MAGIC_64:
803 bits64_ = true;
804 break;
805
806 default:
807 fprintf(stderr, "ldid: Unknown header magic\nAre you sure that is a Mach-O?\n");
808 exit(1);
809 }
810
811 void *post = mach_header_ + 1;
812 if (bits64_)
813 post = (uint32_t *) post + 1;
814 load_command_ = (struct load_command *) post;
815
816 if (Swap(mach_header_->filetype) != MH_EXECUTE &&
817 Swap(mach_header_->filetype) != MH_DYLIB &&
818 Swap(mach_header_->filetype) != MH_DYLINKER &&
819 Swap(mach_header_->filetype) != MH_BUNDLE) {
820 fprintf(stderr, "ldid: Unsupported Mach-O type\n");
821 exit(1);
822 }
823 }
824
825 bool Bits64() const {
826 return bits64_;
827 }
828
829 struct mach_header *operator ->() const {
830 return mach_header_;
831 }
832
833 operator struct mach_header *() const {
834 return mach_header_;
835 }
836
837 uint32_t GetCPUType() const {
838 return Swap(mach_header_->cputype);
839 }
840
841 uint32_t GetCPUSubtype() const {
842 return Swap(mach_header_->cpusubtype) & 0xff;
843 }
844
845 struct load_command *GetLoadCommand() const {
846 return load_command_;
847 }
848
849 std::vector<struct load_command *> GetLoadCommands() const {
850 std::vector<struct load_command *> load_commands;
851
852 struct load_command *load_command = load_command_;
853 for (uint32_t cmd = 0; cmd != Swap(mach_header_->ncmds); ++cmd) {
854 load_commands.push_back(load_command);
855 load_command = (struct load_command *) ((uint8_t *) load_command + Swap(load_command->cmdsize));
856 }
857
858 return load_commands;
859 }
860
861 void ForSection(const ldid::Functor<void (const char *, const char *, void *, size_t)> &code) const {
862 _foreach (load_command, GetLoadCommands())
863 switch (Swap(load_command->cmd)) {
864 case LC_SEGMENT: {
865 auto segment(reinterpret_cast<struct segment_command *>(load_command));
866 code(segment->segname, NULL, GetOffset<void>(segment->fileoff), segment->filesize);
867 auto section(reinterpret_cast<struct section *>(segment + 1));
868 for (uint32_t i(0), e(Swap(segment->nsects)); i != e; ++i, ++section)
869 code(segment->segname, section->sectname, GetOffset<void>(segment->fileoff + section->offset), section->size);
870 } break;
871
872 case LC_SEGMENT_64: {
873 auto segment(reinterpret_cast<struct segment_command_64 *>(load_command));
874 code(segment->segname, NULL, GetOffset<void>(segment->fileoff), segment->filesize);
875 auto section(reinterpret_cast<struct section_64 *>(segment + 1));
876 for (uint32_t i(0), e(Swap(segment->nsects)); i != e; ++i, ++section)
877 code(segment->segname, section->sectname, GetOffset<void>(segment->fileoff + section->offset), section->size);
878 } break;
879 }
880 }
881
882 template <typename Target_>
883 Target_ *GetOffset(uint32_t offset) const {
884 return reinterpret_cast<Target_ *>(offset + (uint8_t *) mach_header_);
885 }
886 };
887
888 class FatMachHeader :
889 public MachHeader
890 {
891 private:
892 fat_arch *fat_arch_;
893
894 public:
895 FatMachHeader(void *base, size_t size, fat_arch *fat_arch) :
896 MachHeader(base, size),
897 fat_arch_(fat_arch)
898 {
899 }
900
901 fat_arch *GetFatArch() const {
902 return fat_arch_;
903 }
904 };
905
906 class FatHeader :
907 public Data
908 {
909 private:
910 fat_header *fat_header_;
911 std::vector<FatMachHeader> mach_headers_;
912
913 public:
914 FatHeader(void *base, size_t size) :
915 Data(base, size)
916 {
917 fat_header_ = reinterpret_cast<struct fat_header *>(base);
918
919 if (Swap(fat_header_->magic) == FAT_CIGAM) {
920 swapped_ = !swapped_;
921 goto fat;
922 } else if (Swap(fat_header_->magic) != FAT_MAGIC) {
923 fat_header_ = NULL;
924 mach_headers_.push_back(FatMachHeader(base, size, NULL));
925 } else fat: {
926 size_t fat_narch = Swap(fat_header_->nfat_arch);
927 fat_arch *fat_arch = reinterpret_cast<struct fat_arch *>(fat_header_ + 1);
928 size_t arch;
929 for (arch = 0; arch != fat_narch; ++arch) {
930 uint32_t arch_offset = Swap(fat_arch->offset);
931 uint32_t arch_size = Swap(fat_arch->size);
932 mach_headers_.push_back(FatMachHeader((uint8_t *) base + arch_offset, arch_size, fat_arch));
933 ++fat_arch;
934 }
935 }
936 }
937
938 std::vector<FatMachHeader> &GetMachHeaders() {
939 return mach_headers_;
940 }
941
942 bool IsFat() const {
943 return fat_header_ != NULL;
944 }
945
946 struct fat_header *operator ->() const {
947 return fat_header_;
948 }
949
950 operator struct fat_header *() const {
951 return fat_header_;
952 }
953 };
954
955 #define CSMAGIC_REQUIREMENT uint32_t(0xfade0c00)
956 #define CSMAGIC_REQUIREMENTS uint32_t(0xfade0c01)
957 #define CSMAGIC_CODEDIRECTORY uint32_t(0xfade0c02)
958 #define CSMAGIC_EMBEDDED_SIGNATURE uint32_t(0xfade0cc0)
959 #define CSMAGIC_EMBEDDED_SIGNATURE_OLD uint32_t(0xfade0b02)
960 #define CSMAGIC_EMBEDDED_ENTITLEMENTS uint32_t(0xfade7171)
961 #define CSMAGIC_EMBEDDED_DERFORMAT uint32_t(0xfade7172) // name?
962 #define CSMAGIC_DETACHED_SIGNATURE uint32_t(0xfade0cc1)
963 #define CSMAGIC_BLOBWRAPPER uint32_t(0xfade0b01)
964
965 #define CSSLOT_CODEDIRECTORY uint32_t(0x00000)
966 #define CSSLOT_INFOSLOT uint32_t(0x00001)
967 #define CSSLOT_REQUIREMENTS uint32_t(0x00002)
968 #define CSSLOT_RESOURCEDIR uint32_t(0x00003)
969 #define CSSLOT_APPLICATION uint32_t(0x00004)
970 #define CSSLOT_ENTITLEMENTS uint32_t(0x00005)
971 #define CSSLOT_REPSPECIFIC uint32_t(0x00006) // name?
972 #define CSSLOT_DERFORMAT uint32_t(0x00007) // name?
973 #define CSSLOT_ALTERNATE uint32_t(0x01000)
974
975 #define CSSLOT_SIGNATURESLOT uint32_t(0x10000)
976
977 #define CS_HASHTYPE_SHA160_160 1
978 #define CS_HASHTYPE_SHA256_256 2
979 #define CS_HASHTYPE_SHA256_160 3
980 #define CS_HASHTYPE_SHA386_386 4
981
982 #if 0
983 #define CS_EXECSEG_MAIN_BINARY 0x001 /* executable segment denotes main binary */
984 #define CS_EXECSEG_ALLOW_UNSIGNED 0x010 /* allow unsigned pages (for debugging) */
985 #define CS_EXECSEG_DEBUGGER 0x020 /* main binary is debugger */
986 #define CS_EXECSEG_JIT 0x040 /* JIT enabled */
987 #define CS_EXECSEG_SKIP_LV 0x080 /* skip library validation */
988 #define CS_EXECSEG_CAN_LOAD_CDHASH 0x100 /* can bless cdhash for execution */
989 #define CS_EXECSEG_CAN_EXEC_CDHASH 0x200 /* can execute blessed cdhash */
990 #else
991 enum SecCodeExecSegFlags {
992 kSecCodeExecSegMainBinary = 0x001,
993 kSecCodeExecSegAllowUnsigned = 0x010,
994 kSecCodeExecSegDebugger = 0x020,
995 kSecCodeExecSegJit = 0x040,
996 kSecCodeExecSegSkipLibraryVal = 0x080,
997 kSecCodeExecSegCanLoadCdHash = 0x100,
998 kSecCodeExecSegCanExecCdHash = 0x100,
999 };
1000 #endif
1001
1002 struct BlobIndex {
1003 uint32_t type;
1004 uint32_t offset;
1005 } _packed;
1006
1007 struct Blob {
1008 uint32_t magic;
1009 uint32_t length;
1010 } _packed;
1011
1012 struct SuperBlob {
1013 struct Blob blob;
1014 uint32_t count;
1015 struct BlobIndex index[];
1016 } _packed;
1017
1018 struct CodeDirectory {
1019 uint32_t version;
1020 uint32_t flags;
1021 uint32_t hashOffset;
1022 uint32_t identOffset;
1023 uint32_t nSpecialSlots;
1024 uint32_t nCodeSlots;
1025 uint32_t codeLimit;
1026 uint8_t hashSize;
1027 uint8_t hashType;
1028 uint8_t platform;
1029 uint8_t pageSize;
1030 uint32_t spare2;
1031 uint32_t scatterOffset;
1032 uint32_t teamIDOffset;
1033 uint32_t spare3;
1034 uint64_t codeLimit64;
1035 uint64_t execSegBase;
1036 uint64_t execSegLimit;
1037 uint64_t execSegFlags;
1038 #if 0 // version = 0x20500
1039 uint32_t runtime;
1040 uint32_t preEncryptOffset;
1041 #endif
1042 #if 0 // version = 0x20600
1043 uint8_t linkageHashType;
1044 uint8_t linkageTruncated;
1045 uint16_t spare4;
1046 uint32_t linkageOffset;
1047 uint32_t linkageSize;
1048 #endif
1049 } _packed;
1050
1051 enum CodeSignatureFlags {
1052 kSecCodeSignatureHost = 0x0001,
1053 kSecCodeSignatureAdhoc = 0x0002,
1054 kSecCodeSignatureForceHard = 0x0100,
1055 kSecCodeSignatureForceKill = 0x0200,
1056 kSecCodeSignatureForceExpiration = 0x0400,
1057 kSecCodeSignatureRestrict = 0x0800,
1058 kSecCodeSignatureEnforcement = 0x1000,
1059 kSecCodeSignatureLibraryValidation = 0x2000,
1060 kSecCodeSignatureRuntime = 0x10000,
1061 };
1062
1063 enum Kind : uint32_t {
1064 exprForm = 1, // prefix expr form
1065 };
1066
1067 enum ExprOp : uint32_t {
1068 opFalse, // unconditionally false
1069 opTrue, // unconditionally true
1070 opIdent, // match canonical code [string]
1071 opAppleAnchor, // signed by Apple as Apple's product
1072 opAnchorHash, // match anchor [cert hash]
1073 opInfoKeyValue, // *legacy* - use opInfoKeyField [key; value]
1074 opAnd, // binary prefix expr AND expr [expr; expr]
1075 opOr, // binary prefix expr OR expr [expr; expr]
1076 opCDHash, // match hash of CodeDirectory directly [cd hash]
1077 opNot, // logical inverse [expr]
1078 opInfoKeyField, // Info.plist key field [string; match suffix]
1079 opCertField, // Certificate field [cert index; field name; match suffix]
1080 opTrustedCert, // require trust settings to approve one particular cert [cert index]
1081 opTrustedCerts, // require trust settings to approve the cert chain
1082 opCertGeneric, // Certificate component by OID [cert index; oid; match suffix]
1083 opAppleGenericAnchor, // signed by Apple in any capacity
1084 opEntitlementField, // entitlement dictionary field [string; match suffix]
1085 opCertPolicy, // Certificate policy by OID [cert index; oid; match suffix]
1086 opNamedAnchor, // named anchor type
1087 opNamedCode, // named subroutine
1088 opPlatform, // platform constraint [integer]
1089 exprOpCount // (total opcode count in use)
1090 };
1091
1092 enum MatchOperation {
1093 matchExists, // anything but explicit "false" - no value stored
1094 matchEqual, // equal (CFEqual)
1095 matchContains, // partial match (substring)
1096 matchBeginsWith, // partial match (initial substring)
1097 matchEndsWith, // partial match (terminal substring)
1098 matchLessThan, // less than (string with numeric comparison)
1099 matchGreaterThan, // greater than (string with numeric comparison)
1100 matchLessEqual, // less or equal (string with numeric comparison)
1101 matchGreaterEqual, // greater or equal (string with numeric comparison)
1102 };
1103
1104 #define OID_ISO_MEMBER 42
1105 #define OID_US OID_ISO_MEMBER, 134, 72
1106 #define APPLE_OID OID_US, 0x86, 0xf7, 0x63
1107 #define APPLE_ADS_OID APPLE_OID, 0x64
1108 #define APPLE_EXTENSION_OID APPLE_ADS_OID, 6
1109
1110
1111 struct Algorithm {
1112 size_t size_;
1113 uint8_t type_;
1114
1115 Algorithm(size_t size, uint8_t type) :
1116 size_(size),
1117 type_(type)
1118 {
1119 }
1120
1121 virtual const uint8_t *operator [](const ldid::Hash &hash) const = 0;
1122
1123 virtual void operator ()(uint8_t *hash, const void *data, size_t size) const = 0;
1124 virtual void operator ()(ldid::Hash &hash, const void *data, size_t size) const = 0;
1125 virtual void operator ()(std::vector<char> &hash, const void *data, size_t size) const = 0;
1126
1127 virtual const char *name() = 0;
1128 };
1129
1130 struct AlgorithmSHA1 :
1131 Algorithm
1132 {
1133 AlgorithmSHA1() :
1134 Algorithm(SHA_DIGEST_LENGTH, CS_HASHTYPE_SHA160_160)
1135 {
1136 }
1137
1138 virtual const uint8_t *operator [](const ldid::Hash &hash) const {
1139 return hash.sha1_;
1140 }
1141
1142 void operator ()(uint8_t *hash, const void *data, size_t size) const {
1143 SHA1(static_cast<const uint8_t *>(data), size, hash);
1144 }
1145
1146 void operator ()(ldid::Hash &hash, const void *data, size_t size) const {
1147 return operator()(hash.sha1_, data, size);
1148 }
1149
1150 void operator ()(std::vector<char> &hash, const void *data, size_t size) const {
1151 hash.resize(SHA_DIGEST_LENGTH);
1152 return operator ()(reinterpret_cast<uint8_t *>(hash.data()), data, size);
1153 }
1154
1155 virtual const char *name() {
1156 return "sha1";
1157 }
1158 };
1159
1160 struct AlgorithmSHA256 :
1161 Algorithm
1162 {
1163 AlgorithmSHA256() :
1164 Algorithm(SHA256_DIGEST_LENGTH, CS_HASHTYPE_SHA256_256)
1165 {
1166 }
1167
1168 virtual const uint8_t *operator [](const ldid::Hash &hash) const {
1169 return hash.sha256_;
1170 }
1171
1172 void operator ()(uint8_t *hash, const void *data, size_t size) const {
1173 SHA256(static_cast<const uint8_t *>(data), size, hash);
1174 }
1175
1176 void operator ()(ldid::Hash &hash, const void *data, size_t size) const {
1177 return operator()(hash.sha256_, data, size);
1178 }
1179
1180 void operator ()(std::vector<char> &hash, const void *data, size_t size) const {
1181 hash.resize(SHA256_DIGEST_LENGTH);
1182 return operator ()(reinterpret_cast<uint8_t *>(hash.data()), data, size);
1183 }
1184
1185 virtual const char *name() {
1186 return "sha256";
1187 }
1188 };
1189
1190 static bool do_sha1(true);
1191 static bool do_sha256(true);
1192
1193 static const std::vector<Algorithm *> &GetAlgorithms() {
1194 static AlgorithmSHA1 sha1;
1195 static AlgorithmSHA256 sha256;
1196
1197 static std::vector<Algorithm *> algorithms;
1198 if (algorithms.empty()) {
1199 if (do_sha1)
1200 algorithms.push_back(&sha1);
1201 if (do_sha256)
1202 algorithms.push_back(&sha256);
1203 }
1204
1205 return algorithms;
1206 }
1207
1208 struct Baton {
1209 std::string entitlements_;
1210 std::string derformat_;
1211 };
1212
1213 struct CodesignAllocation {
1214 FatMachHeader mach_header_;
1215 uint64_t offset_;
1216 uint32_t size_;
1217 uint64_t limit_;
1218 uint32_t alloc_;
1219 uint32_t align_;
1220 const char *arch_;
1221 Baton baton_;
1222
1223 CodesignAllocation(FatMachHeader mach_header, size_t offset, size_t size, size_t limit, size_t alloc, size_t align, const char *arch, const Baton &baton) :
1224 mach_header_(mach_header),
1225 offset_(offset),
1226 size_(size),
1227 limit_(limit),
1228 alloc_(alloc),
1229 align_(align),
1230 arch_(arch),
1231 baton_(baton)
1232 {
1233 }
1234 };
1235
1236 #ifndef LDID_NOTOOLS
1237 class File {
1238 private:
1239 int file_;
1240
1241 public:
1242 File() :
1243 file_(-1)
1244 {
1245 }
1246
1247 ~File() {
1248 if (file_ != -1)
1249 _syscall(close(file_));
1250 }
1251
1252 void open(const char *path, int flags) {
1253 file_ = ::open(path, flags);
1254 if (file_ == -1) {
1255 fprintf(stderr, "ldid: %s: %s\n", path, strerror(errno));
1256 exit(1);
1257 }
1258 }
1259
1260 int file() const {
1261 return file_;
1262 }
1263 };
1264
1265 class Map {
1266 private:
1267 File file_;
1268 void *data_;
1269 size_t size_;
1270
1271 public:
1272 Map() :
1273 data_(NULL),
1274 size_(0)
1275 {
1276 }
1277
1278 Map(const std::string &path, int oflag, int pflag, int mflag) :
1279 Map()
1280 {
1281 open(path, oflag, pflag, mflag);
1282 }
1283
1284 Map(const std::string &path, bool edit) :
1285 Map()
1286 {
1287 open(path, edit);
1288 }
1289
1290 ~Map() {
1291 clear();
1292 }
1293
1294 bool empty() const {
1295 return data_ == NULL;
1296 }
1297
1298 void open(const std::string &path, int oflag, int pflag, int mflag) {
1299 clear();
1300
1301 file_.open(path.c_str(), oflag);
1302 int file(file_.file());
1303
1304 struct stat stat;
1305 _syscall(fstat(file, &stat));
1306 size_ = stat.st_size;
1307
1308 data_ = _syscall(mmap(NULL, size_, pflag, mflag, file, 0));
1309 }
1310
1311 void open(const std::string &path, bool edit) {
1312 if (edit)
1313 open(path, O_RDWR, PROT_READ | PROT_WRITE, MAP_SHARED);
1314 else
1315 open(path, O_RDONLY, PROT_READ, MAP_PRIVATE);
1316 }
1317
1318 void clear() {
1319 if (data_ == NULL)
1320 return;
1321 _syscall(munmap(data_, size_));
1322 data_ = NULL;
1323 size_ = 0;
1324 }
1325
1326 void *data() const {
1327 return data_;
1328 }
1329
1330 size_t size() const {
1331 return size_;
1332 }
1333
1334 operator std::string() const {
1335 return std::string(static_cast<char *>(data_), size_);
1336 }
1337 };
1338 #endif // LDID_NOTOOLS
1339
1340 namespace ldid {
1341
1342 static plist_t plist(const std::string &data);
1343
1344 void Analyze(const MachHeader &mach_header, const Functor<void (const char *data, size_t size)> &entitle) {
1345 _foreach (load_command, mach_header.GetLoadCommands())
1346 if (mach_header.Swap(load_command->cmd) == LC_CODE_SIGNATURE) {
1347 auto signature(reinterpret_cast<struct linkedit_data_command *>(load_command));
1348 auto offset(mach_header.Swap(signature->dataoff));
1349 auto pointer(reinterpret_cast<uint8_t *>(mach_header.GetBase()) + offset);
1350 auto super(reinterpret_cast<struct SuperBlob *>(pointer));
1351
1352 for (size_t index(0); index != Swap(super->count); ++index)
1353 if (Swap(super->index[index].type) == CSSLOT_ENTITLEMENTS) {
1354 auto begin(Swap(super->index[index].offset));
1355 auto blob(reinterpret_cast<struct Blob *>(pointer + begin));
1356 auto writ(Swap(blob->length) - sizeof(*blob));
1357 entitle(reinterpret_cast<char *>(blob + 1), writ);
1358 }
1359 }
1360 }
1361
1362 std::string Analyze(const void *data, size_t size) {
1363 std::string entitlements;
1364
1365 FatHeader fat_header(const_cast<void *>(data), size);
1366 _foreach (mach_header, fat_header.GetMachHeaders())
1367 Analyze(mach_header, fun([&](const char *data, size_t size) {
1368 if (entitlements.empty())
1369 entitlements.assign(data, size);
1370 else
1371 if (entitlements.compare(0, entitlements.size(), data, size) != 0) {
1372 fprintf(stderr, "ldid: Entitlements do not match\n");
1373 exit(1);
1374 }
1375 }));
1376
1377 return entitlements;
1378 }
1379
1380 static void Allocate(const void *idata, size_t isize, std::streambuf &output, const Functor<size_t (const MachHeader &, Baton &, size_t)> &allocate, const Functor<size_t (const MachHeader &, const Baton &, std::streambuf &output, size_t, size_t, size_t, const std::string &, const char *, const Progress &)> &save, const Progress &progress) {
1381 FatHeader source(const_cast<void *>(idata), isize);
1382
1383 size_t offset(0);
1384 if (source.IsFat())
1385 offset += sizeof(fat_header) + sizeof(fat_arch) * source.Swap(source->nfat_arch);
1386
1387 std::vector<CodesignAllocation> allocations;
1388 _foreach (mach_header, source.GetMachHeaders()) {
1389 struct linkedit_data_command *signature(NULL);
1390 struct symtab_command *symtab(NULL);
1391
1392 _foreach (load_command, mach_header.GetLoadCommands()) {
1393 uint32_t cmd(mach_header.Swap(load_command->cmd));
1394 if (cmd == LC_CODE_SIGNATURE)
1395 signature = reinterpret_cast<struct linkedit_data_command *>(load_command);
1396 else if (cmd == LC_SYMTAB)
1397 symtab = reinterpret_cast<struct symtab_command *>(load_command);
1398 }
1399
1400 size_t size;
1401 if (signature == NULL)
1402 size = mach_header.GetSize();
1403 else {
1404 size = mach_header.Swap(signature->dataoff);
1405 _assert(size <= mach_header.GetSize());
1406 }
1407
1408 if (symtab != NULL) {
1409 auto end(mach_header.Swap(symtab->stroff) + mach_header.Swap(symtab->strsize));
1410 if (symtab->stroff != 0 || symtab->strsize != 0) {
1411 _assert(end <= size);
1412 _assert(end >= size - 0x10);
1413 size = end;
1414 }
1415 }
1416
1417 Baton baton;
1418 size_t alloc(allocate(mach_header, baton, size));
1419
1420 auto *fat_arch(mach_header.GetFatArch());
1421 uint32_t align;
1422
1423 if (fat_arch != NULL)
1424 align = source.Swap(fat_arch->align);
1425 else switch (mach_header.GetCPUType()) {
1426 case CPU_TYPE_POWERPC:
1427 case CPU_TYPE_POWERPC64:
1428 case CPU_TYPE_X86:
1429 case CPU_TYPE_X86_64:
1430 align = 0xc;
1431 break;
1432 case CPU_TYPE_ARM:
1433 case CPU_TYPE_ARM64:
1434 case CPU_TYPE_ARM64_32:
1435 align = 0xe;
1436 break;
1437 default:
1438 align = 0x0;
1439 break;
1440 }
1441
1442 const char *arch(NULL);
1443 switch (mach_header.GetCPUType()) {
1444 case CPU_TYPE_POWERPC:
1445 arch = "ppc";
1446 break;
1447 case CPU_TYPE_POWERPC64:
1448 arch = "ppc64";
1449 break;
1450 case CPU_TYPE_X86:
1451 arch = "i386";
1452 break;
1453 case CPU_TYPE_X86_64:
1454 arch = "x86_64";
1455 break;
1456 case CPU_TYPE_ARM:
1457 arch = "arm";
1458 break;
1459 case CPU_TYPE_ARM64:
1460 arch = "arm64";
1461 break;
1462 case CPU_TYPE_ARM64_32:
1463 arch = "arm64_32";
1464 break;
1465 }
1466
1467 offset = Align(offset, 1 << align);
1468
1469 uint32_t limit(size);
1470 if (alloc != 0)
1471 limit = Align(limit, 0x10);
1472
1473 allocations.push_back(CodesignAllocation(mach_header, offset, size, limit, alloc, align, arch, baton));
1474 offset += size + alloc;
1475 offset = Align(offset, 0x10);
1476 }
1477
1478 size_t position(0);
1479
1480 if (source.IsFat()) {
1481 fat_header fat_header;
1482 fat_header.magic = Swap(FAT_MAGIC);
1483 fat_header.nfat_arch = Swap(uint32_t(allocations.size()));
1484 put(output, &fat_header, sizeof(fat_header));
1485 position += sizeof(fat_header);
1486
1487 // XXX: support fat_arch_64 (not in my toolchain)
1488 // probably use C++14 generic lambda (not in my toolchain)
1489
1490 _assert_(![&]() {
1491 _foreach (allocation, allocations) {
1492 const auto offset(allocation.offset_);
1493 const auto size(allocation.limit_ + allocation.alloc_);
1494 if (uint32_t(offset) != offset || uint32_t(size) != size)
1495 return true;
1496 }
1497 return false;
1498 }(), "FAT slice >=4GiB not currently supported");
1499
1500 _foreach (allocation, allocations) {
1501 auto &mach_header(allocation.mach_header_);
1502
1503 fat_arch fat_arch;
1504 fat_arch.cputype = Swap(mach_header->cputype);
1505 fat_arch.cpusubtype = Swap(mach_header->cpusubtype);
1506 fat_arch.offset = Swap(uint32_t(allocation.offset_));
1507 fat_arch.size = Swap(uint32_t(allocation.limit_ + allocation.alloc_));
1508 fat_arch.align = Swap(allocation.align_);
1509 put(output, &fat_arch, sizeof(fat_arch));
1510 position += sizeof(fat_arch);
1511 }
1512 }
1513
1514 _foreach (allocation, allocations) {
1515 progress(allocation.arch_);
1516 auto &mach_header(allocation.mach_header_);
1517
1518 pad(output, allocation.offset_ - position);
1519 position = allocation.offset_;
1520
1521 size_t left(-1);
1522 size_t right(0);
1523
1524 std::vector<std::string> commands;
1525
1526 _foreach (load_command, mach_header.GetLoadCommands()) {
1527 std::string copy(reinterpret_cast<const char *>(load_command), load_command->cmdsize);
1528
1529 switch (mach_header.Swap(load_command->cmd)) {
1530 case LC_CODE_SIGNATURE:
1531 continue;
1532 break;
1533
1534 // XXX: this is getting ridiculous: provide a better abstraction
1535
1536 case LC_SEGMENT: {
1537 auto segment_command(reinterpret_cast<struct segment_command *>(&copy[0]));
1538
1539 if ((segment_command->initprot & 04) != 0) {
1540 auto begin(mach_header.Swap(segment_command->fileoff));
1541 auto end(begin + mach_header.Swap(segment_command->filesize));
1542 if (left > begin)
1543 left = begin;
1544 if (right < end)
1545 right = end;
1546 }
1547
1548 if (strncmp(segment_command->segname, "__LINKEDIT", 16) == 0) {
1549 size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
1550 segment_command->filesize = size;
1551 segment_command->vmsize = Align(size, 1 << allocation.align_);
1552 }
1553 } break;
1554
1555 case LC_SEGMENT_64: {
1556 auto segment_command(reinterpret_cast<struct segment_command_64 *>(&copy[0]));
1557
1558 if ((segment_command->initprot & 04) != 0) {
1559 auto begin(mach_header.Swap(segment_command->fileoff));
1560 auto end(begin + mach_header.Swap(segment_command->filesize));
1561 if (left > begin)
1562 left = begin;
1563 if (right < end)
1564 right = end;
1565 }
1566
1567 if (strncmp(segment_command->segname, "__LINKEDIT", 16) == 0) {
1568 size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
1569 segment_command->filesize = size;
1570 segment_command->vmsize = Align(size, 1 << allocation.align_);
1571 }
1572 } break;
1573 }
1574
1575 commands.push_back(copy);
1576 }
1577
1578 if (allocation.alloc_ != 0) {
1579 linkedit_data_command signature;
1580 signature.cmd = mach_header.Swap(LC_CODE_SIGNATURE);
1581 signature.cmdsize = mach_header.Swap(uint32_t(sizeof(signature)));
1582 signature.dataoff = mach_header.Swap(allocation.limit_);
1583 signature.datasize = mach_header.Swap(allocation.alloc_);
1584 commands.push_back(std::string(reinterpret_cast<const char *>(&signature), sizeof(signature)));
1585 }
1586
1587 size_t begin(position);
1588
1589 uint32_t after(0);
1590 _foreach(command, commands)
1591 after += command.size();
1592
1593 std::stringbuf altern;
1594
1595 struct mach_header header(*mach_header);
1596 header.ncmds = mach_header.Swap(uint32_t(commands.size()));
1597 header.sizeofcmds = mach_header.Swap(after);
1598 put(output, &header, sizeof(header));
1599 put(altern, &header, sizeof(header));
1600 position += sizeof(header);
1601
1602 if (mach_header.Bits64()) {
1603 auto pad(mach_header.Swap(uint32_t(0)));
1604 put(output, &pad, sizeof(pad));
1605 put(altern, &pad, sizeof(pad));
1606 position += sizeof(pad);
1607 }
1608
1609 _foreach(command, commands) {
1610 put(output, command.data(), command.size());
1611 put(altern, command.data(), command.size());
1612 position += command.size();
1613 }
1614
1615 uint32_t before(mach_header.Swap(mach_header->sizeofcmds));
1616 if (before > after) {
1617 pad(output, before - after);
1618 pad(altern, before - after);
1619 position += before - after;
1620 }
1621
1622 auto top(reinterpret_cast<char *>(mach_header.GetBase()));
1623
1624 std::string overlap(altern.str());
1625 overlap.append(top + overlap.size(), Align(overlap.size(), 0x1000) - overlap.size());
1626
1627 put(output, top + (position - begin), allocation.size_ - (position - begin), progress);
1628 position = begin + allocation.size_;
1629
1630 pad(output, allocation.limit_ - allocation.size_);
1631 position += allocation.limit_ - allocation.size_;
1632
1633 size_t saved(save(mach_header, allocation.baton_, output, allocation.limit_, left, right, overlap, top, progress));
1634 if (allocation.alloc_ > saved)
1635 pad(output, allocation.alloc_ - saved);
1636 else
1637 _assert(allocation.alloc_ == saved);
1638 position += allocation.alloc_;
1639 }
1640 }
1641
1642 }
1643
1644 typedef std::map<uint32_t, std::string> Blobs;
1645
1646 static void insert(Blobs &blobs, uint32_t slot, const std::stringbuf &buffer) {
1647 auto value(buffer.str());
1648 std::swap(blobs[slot], value);
1649 }
1650
1651 static const std::string &insert(Blobs &blobs, uint32_t slot, uint32_t magic, const std::stringbuf &buffer) {
1652 auto value(buffer.str());
1653 Blob blob;
1654 blob.magic = Swap(magic);
1655 blob.length = Swap(uint32_t(sizeof(blob) + value.size()));
1656 value.insert(0, reinterpret_cast<char *>(&blob), sizeof(blob));
1657 auto &save(blobs[slot]);
1658 std::swap(save, value);
1659 return save;
1660 }
1661
1662 static size_t put(std::streambuf &output, uint32_t magic, const Blobs &blobs) {
1663 size_t total(0);
1664 _foreach (blob, blobs)
1665 total += blob.second.size();
1666
1667 struct SuperBlob super;
1668 super.blob.magic = Swap(magic);
1669 super.blob.length = Swap(uint32_t(sizeof(SuperBlob) + blobs.size() * sizeof(BlobIndex) + total));
1670 super.count = Swap(uint32_t(blobs.size()));
1671 put(output, &super, sizeof(super));
1672
1673 size_t offset(sizeof(SuperBlob) + sizeof(BlobIndex) * blobs.size());
1674
1675 _foreach (blob, blobs) {
1676 BlobIndex index;
1677 index.type = Swap(blob.first);
1678 index.offset = Swap(uint32_t(offset));
1679 put(output, &index, sizeof(index));
1680 offset += blob.second.size();
1681 }
1682
1683 _foreach (blob, blobs)
1684 put(output, blob.second.data(), blob.second.size());
1685
1686 return offset;
1687 }
1688
1689 class Buffer {
1690 private:
1691 BIO *bio_;
1692
1693 public:
1694 Buffer(BIO *bio) :
1695 bio_(bio)
1696 {
1697 _assert(bio_ != NULL);
1698 }
1699
1700 Buffer() :
1701 bio_(BIO_new(BIO_s_mem()))
1702 {
1703 }
1704
1705 Buffer(const char *data, size_t size) :
1706 Buffer(BIO_new_mem_buf(const_cast<char *>(data), size))
1707 {
1708 }
1709
1710 Buffer(const std::string &data) :
1711 Buffer(data.data(), data.size())
1712 {
1713 }
1714
1715 Buffer(PKCS7 *pkcs) :
1716 Buffer()
1717 {
1718 if (i2d_PKCS7_bio(bio_, pkcs) == 0){
1719 fprintf(stderr, "ldid: An error occured while getting the PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
1720 exit(1);
1721 }
1722 }
1723
1724 ~Buffer() {
1725 BIO_free_all(bio_);
1726 }
1727
1728 operator BIO *() const {
1729 return bio_;
1730 }
1731
1732 explicit operator std::string() const {
1733 char *data;
1734 auto size(BIO_get_mem_data(bio_, &data));
1735 return std::string(data, size);
1736 }
1737 };
1738
1739 class Stuff {
1740 private:
1741 PKCS12 *value_;
1742 EVP_PKEY *key_;
1743 X509 *cert_;
1744 STACK_OF(X509) *ca_;
1745
1746 public:
1747 Stuff(BIO *bio) :
1748 value_(d2i_PKCS12_bio(bio, NULL)),
1749 ca_(NULL)
1750 {
1751 if (value_ == NULL){
1752 fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
1753 exit(1);
1754 }
1755
1756 if (!PKCS12_verify_mac(value_, "", 0) && password.empty()) {
1757 char passbuf[2048];
1758 UI_UTIL_read_pw_string(passbuf, 2048, "Enter password: ", 0);
1759 password = passbuf;
1760 }
1761
1762 if (PKCS12_parse(value_, password.c_str(), &key_, &cert_, &ca_) <= 0){
1763 fprintf(stderr, "ldid: An error occured while parsing: %s\n", ERR_error_string(ERR_get_error(), NULL));
1764 exit(1);
1765 }
1766 if (key_ == NULL || cert_ == NULL){
1767 fprintf(stderr, "ldid: An error occured while parsing: %s\nYour p12 cert might not be valid\n", ERR_error_string(ERR_get_error(), NULL));
1768 exit(1);
1769 }
1770
1771 if (ca_ == NULL)
1772 ca_ = sk_X509_new_null();
1773 if (ca_ == NULL){
1774 fprintf(stderr, "ldid: An error occured while parsing: %s\n", ERR_error_string(ERR_get_error(), NULL));
1775 exit(1);
1776 }
1777 }
1778
1779 Stuff(const std::string &data) :
1780 Stuff(Buffer(data))
1781 {
1782 }
1783
1784 ~Stuff() {
1785 sk_X509_pop_free(ca_, X509_free);
1786 X509_free(cert_);
1787 EVP_PKEY_free(key_);
1788 PKCS12_free(value_);
1789 }
1790
1791 operator PKCS12 *() const {
1792 return value_;
1793 }
1794
1795 operator EVP_PKEY *() const {
1796 return key_;
1797 }
1798
1799 operator X509 *() const {
1800 return cert_;
1801 }
1802
1803 operator STACK_OF(X509) *() const {
1804 return ca_;
1805 }
1806 };
1807
1808 // xina fix;
1809 struct SEQUENCE_hash_sha1 {
1810 uint8_t SEQUENCE[2] = {0x30, 0x1d}; // size
1811 uint8_t OBJECT_IDENTIFIER[7] = {0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A}; // OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW)
1812 uint8_t hash_size[2] = {0x04, 0x14};
1813 char hash[20];
1814 };
1815
1816 struct SEQUENCE_hash_sha256 {
1817 uint8_t SEQUENCE[2] = {0x30, 0x2d}; // size
1818 uint8_t OBJECT_IDENTIFIER[11] = {0x06 ,0x09 ,0x60, 0x86, 0x48, 0x01 ,0x65, 0x03, 0x04, 0x02, 0x01}; // 2.16.840.1.101.3.4.2.1 sha-256 (NIST Algorithm)
1819 uint8_t hash_size[2] = {0x04, 0x20}; // hash size
1820 char hash[32];
1821 };
1822
1823 class Signature {
1824 private:
1825 PKCS7 *value_;
1826
1827 public:
1828 Signature(const Stuff &stuff, const Buffer &data, const std::string &xml, const std::vector<char>& alternateCDSHA1, const std::vector<char>& alternateCDSHA256) {
1829 value_ = PKCS7_new();
1830 if (value_ == NULL){
1831 fprintf(stderr, "ldid: An error occured while getting creating PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
1832 exit(1);
1833 }
1834
1835 if (PKCS7_set_type(value_, NID_pkcs7_signed) == 0 ||
1836 PKCS7_content_new(value_, NID_pkcs7_data) == 0) {
1837 fprintf(stderr, "ldid: An error occured while getting creating PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
1838 exit(1);
1839 }
1840
1841 STACK_OF(X509) *certs(stuff);
1842 for (unsigned i(0), e(sk_X509_num(certs)); i != e; i++) {
1843 if (PKCS7_add_certificate(value_, sk_X509_value(certs, e - i - 1)) == 0) {
1844 fprintf(stderr, "ldid: An error occured while signing: %s\n", ERR_error_string(ERR_get_error(), NULL));
1845 exit(1);
1846 }
1847 }
1848
1849 auto info(PKCS7_sign_add_signer(value_, stuff, stuff, NULL, PKCS7_NOSMIMECAP));
1850 if (info == NULL){
1851 fprintf(stderr, "ldid: An error occured while signing: %s\n", ERR_error_string(ERR_get_error(), NULL));
1852 exit(1);
1853 }
1854
1855 X509_ATTRIBUTE *attribute = X509_ATTRIBUTE_new();
1856 ASN1_OBJECT *obj2 = OBJ_txt2obj("1.2.840.113635.100.9.2", 1);
1857 X509_ATTRIBUTE_set1_object(attribute, obj2);
1858 if (alternateCDSHA1.size() != 0) {
1859 // xina fix;
1860 SEQUENCE_hash_sha1 seq1;
1861 memcpy((void *)seq1.hash, (void *)alternateCDSHA1.data(), alternateCDSHA1.size());
1862 X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq1, sizeof(seq1));
1863 }
1864 if (alternateCDSHA256.size() != 0) {
1865 // xina fix;
1866 SEQUENCE_hash_sha256 seq256;
1867 memcpy((void *)seq256.hash, (void *)alternateCDSHA256.data(), alternateCDSHA256.size());
1868 X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq256, sizeof(seq256));
1869 }
1870
1871 STACK_OF(X509_ATTRIBUTE) *sk = PKCS7_get_signed_attributes(info);
1872 if (!sk_X509_ATTRIBUTE_push(sk, attribute)) {
1873 fprintf(stderr, "ldid: sk_X509_ATTRIBUTE_push failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
1874 exit(1);
1875 }
1876
1877 PKCS7_set_detached(value_, 1);
1878
1879 ASN1_OCTET_STRING *string(ASN1_OCTET_STRING_new());
1880 if (string == NULL) {
1881 fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
1882 exit(1);
1883 }
1884
1885 try {
1886 if (ASN1_STRING_set(string, xml.data(), xml.size()) == 0) {
1887 fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
1888 exit(1);
1889 }
1890
1891 static auto nid(OBJ_create("1.2.840.113635.100.9.1", "", ""));
1892 if (PKCS7_add_signed_attribute(info, nid, V_ASN1_OCTET_STRING, string) == 0) {
1893 fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
1894 exit(1);
1895 }
1896 } catch (...) {
1897 ASN1_OCTET_STRING_free(string);
1898 throw;
1899 }
1900
1901 if (PKCS7_final(value_, data, PKCS7_BINARY) == 0) {
1902 fprintf(stderr, "ldid: Failed to sign: %s\n", ERR_error_string(ERR_get_error(), NULL));
1903 exit(1);
1904 }
1905 }
1906
1907 ~Signature() {
1908 PKCS7_free(value_);
1909 }
1910
1911 operator PKCS7 *() const {
1912 return value_;
1913 }
1914 };
1915
1916 class NullBuffer :
1917 public std::streambuf
1918 {
1919 public:
1920 virtual std::streamsize xsputn(const char_type *data, std::streamsize size) {
1921 return size;
1922 }
1923
1924 virtual int_type overflow(int_type next) {
1925 return next;
1926 }
1927 };
1928
1929 class HashBuffer :
1930 public std::streambuf
1931 {
1932 private:
1933 ldid::Hash &hash_;
1934
1935 EVP_MD_CTX *sha1_;
1936 EVP_MD_CTX *sha256_;
1937
1938 public:
1939 HashBuffer(ldid::Hash &hash) :
1940 hash_(hash)
1941 {
1942 sha1_ = EVP_MD_CTX_new();
1943 sha256_ = EVP_MD_CTX_new();
1944
1945 EVP_DigestInit_ex(sha1_, EVP_get_digestbyname("sha1"), nullptr);
1946 EVP_DigestInit_ex(sha256_, EVP_get_digestbyname("sha256"), nullptr);
1947 }
1948
1949 ~HashBuffer() {
1950 EVP_DigestFinal_ex(sha1_, reinterpret_cast<uint8_t *>(hash_.sha1_), nullptr);
1951 EVP_DigestFinal_ex(sha256_, reinterpret_cast<uint8_t *>(hash_.sha256_), nullptr);
1952
1953 EVP_MD_CTX_free(sha1_);
1954 EVP_MD_CTX_free(sha256_);
1955 }
1956
1957 virtual std::streamsize xsputn(const char_type *data, std::streamsize size) {
1958 EVP_DigestUpdate(sha1_, data, size);
1959 EVP_DigestUpdate(sha256_, data, size);
1960 return size;
1961 }
1962
1963 virtual int_type overflow(int_type next) {
1964 if (next == traits_type::eof())
1965 return sync();
1966 char value(next);
1967 xsputn(&value, 1);
1968 return next;
1969 }
1970 };
1971
1972 class HashProxy :
1973 public HashBuffer
1974 {
1975 private:
1976 std::streambuf &buffer_;
1977
1978 public:
1979 HashProxy(ldid::Hash &hash, std::streambuf &buffer) :
1980 HashBuffer(hash),
1981 buffer_(buffer)
1982 {
1983 }
1984
1985 virtual std::streamsize xsputn(const char_type *data, std::streamsize size) {
1986 _assert(HashBuffer::xsputn(data, size) == size);
1987 return buffer_.sputn(data, size);
1988 }
1989 };
1990
1991 #ifndef LDID_NOTOOLS
1992 static bool Starts(const std::string &lhs, const std::string &rhs) {
1993 return lhs.size() >= rhs.size() && lhs.compare(0, rhs.size(), rhs) == 0;
1994 }
1995
1996 class Split {
1997 public:
1998 std::string dir;
1999 std::string base;
2000
2001 Split(const std::string &path) {
2002 size_t slash(path.rfind('/'));
2003 if (slash == std::string::npos)
2004 base = path;
2005 else {
2006 dir = path.substr(0, slash + 1);
2007 base = path.substr(slash + 1);
2008 }
2009 }
2010 };
2011
2012 static void mkdir_p(const std::string &path) {
2013 if (path.empty())
2014 return;
2015 #ifdef __WIN32__
2016 if (_syscall(mkdir(path.c_str()), EEXIST) == -EEXIST)
2017 return;
2018 #else
2019 if (_syscall(mkdir(path.c_str(), 0755), EEXIST) == -EEXIST)
2020 return;
2021 #endif
2022 auto slash(path.rfind('/', path.size() - 1));
2023 if (slash == std::string::npos)
2024 return;
2025 mkdir_p(path.substr(0, slash));
2026 }
2027
2028 static std::string Temporary(std::filebuf &file, const Split &split) {
2029 std::string temp(split.dir + ".ldid." + split.base);
2030 mkdir_p(split.dir);
2031 _assert_(file.open(temp.c_str(), std::ios::out | std::ios::trunc | std::ios::binary) == &file, "open(): %s", temp.c_str());
2032 cleanup.push_back(temp);
2033 return temp;
2034 }
2035
2036 static void Commit(const std::string &path, const std::string &temp) {
2037 struct stat info;
2038 if (_syscall(stat(path.c_str(), &info), ENOENT) == 0) {
2039 #ifndef __WIN32__
2040 _syscall(chown(temp.c_str(), info.st_uid, info.st_gid));
2041 #endif
2042 _syscall(chmod(temp.c_str(), info.st_mode));
2043 }
2044
2045 _syscall(rename(temp.c_str(), path.c_str()));
2046 cleanup.erase(std::remove(cleanup.begin(), cleanup.end(), temp), cleanup.end());
2047 }
2048 #endif // LDID_NOTOOLS
2049
2050 namespace ldid {
2051
2052 static void get(std::string &value, X509_NAME *name, int nid) {
2053 auto index(X509_NAME_get_index_by_NID(name, nid, -1));
2054 if (index < 0) {
2055 fprintf(stderr, "ldid: An error occursed while parsing the certificate: %s\n", ERR_error_string(ERR_get_error(), NULL));
2056 exit(1);
2057 }
2058 auto next(X509_NAME_get_index_by_NID(name, nid, index));
2059 if (next != -1) {
2060 fprintf(stderr, "ldid: An error occursed while parsing the certificate: %s\n", ERR_error_string(ERR_get_error(), NULL));
2061 exit(1);
2062 }
2063 auto entry(X509_NAME_get_entry(name, index));
2064 if (entry == NULL) {
2065 fprintf(stderr, "ldid: An error occursed while parsing the certificate: %s\n", ERR_error_string(ERR_get_error(), NULL));
2066 exit(1);
2067 }
2068 auto asn(X509_NAME_ENTRY_get_data(entry));
2069 if (asn == NULL) {
2070 fprintf(stderr, "ldid: An error occursed while parsing the certificate: %s\n", ERR_error_string(ERR_get_error(), NULL));
2071 exit(1);
2072 }
2073 value.assign(reinterpret_cast<const char *>(ASN1_STRING_get0_data(asn)), ASN1_STRING_length(asn));
2074 }
2075
2076 static void req(std::streambuf &buffer, uint32_t value) {
2077 value = Swap(value);
2078 put(buffer, &value, sizeof(value));
2079 }
2080
2081 static void req(std::streambuf &buffer, const std::string &value) {
2082 req(buffer, value.size());
2083 put(buffer, value.data(), value.size());
2084 static uint8_t zeros[] = {0,0,0,0};
2085 put(buffer, zeros, 3 - (value.size() + 3) % 4);
2086 }
2087
2088 template <size_t Size_>
2089 static void req(std::streambuf &buffer, uint8_t (&&data)[Size_]) {
2090 req(buffer, Size_);
2091 put(buffer, data, Size_);
2092 static uint8_t zeros[] = {0,0,0,0};
2093 put(buffer, zeros, 3 - (Size_ + 3) % 4);
2094 }
2095
2096 Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, uint32_t flags, uint8_t platform, const Progress &progress) {
2097 Hash hash;
2098
2099
2100 std::string team;
2101 std::string common;
2102
2103 if (!key.empty()) {
2104 Stuff stuff(key);
2105 auto name(X509_get_subject_name(stuff));
2106 if (name == NULL){
2107 fprintf(stderr, "ldid: Your certificate might not be valid: %s\n", ERR_error_string(ERR_get_error(), NULL));
2108 exit(1);
2109 }
2110 get(team, name, NID_organizationalUnitName);
2111 get(common, name, NID_commonName);
2112 }
2113
2114
2115 std::stringbuf backing;
2116
2117 if (!requirements.empty()) {
2118 put(backing, requirements.data(), requirements.size());
2119 } else {
2120 Blobs blobs;
2121
2122 std::stringbuf requirement;
2123 req(requirement, exprForm);
2124 req(requirement, opAnd);
2125 req(requirement, opIdent);
2126 req(requirement, identifier);
2127 req(requirement, opAnd);
2128 req(requirement, opAppleGenericAnchor);
2129 req(requirement, opAnd);
2130 req(requirement, opCertField);
2131 req(requirement, 0);
2132 req(requirement, "subject.CN");
2133 req(requirement, matchEqual);
2134 req(requirement, common);
2135 req(requirement, opCertGeneric);
2136 req(requirement, 1);
2137 req(requirement, (uint8_t []) {APPLE_EXTENSION_OID, 2, 1});
2138 req(requirement, matchExists);
2139 insert(blobs, 3, CSMAGIC_REQUIREMENT, requirement);
2140
2141 put(backing, CSMAGIC_REQUIREMENTS, blobs);
2142 }
2143
2144
2145 // XXX: this is just a "sufficiently large number"
2146 size_t certificate(0x3000);
2147
2148 Allocate(idata, isize, output, fun([&](const MachHeader &mach_header, Baton &baton, size_t size) -> size_t {
2149 size_t alloc(sizeof(struct SuperBlob));
2150
2151 uint32_t normal((size + PageSize_ - 1) / PageSize_);
2152
2153 uint32_t special(0);
2154
2155 _foreach (slot, slots)
2156 special = std::max(special, slot.first);
2157
2158 mach_header.ForSection(fun([&](const char *segment, const char *section, void *data, size_t size) {
2159 if (strcmp(segment, "__TEXT") == 0 && section != NULL && strcmp(section, "__info_plist") == 0)
2160 special = std::max(special, CSSLOT_INFOSLOT);
2161 }));
2162
2163 special = std::max(special, CSSLOT_REQUIREMENTS);
2164 alloc += sizeof(struct BlobIndex);
2165 alloc += backing.str().size();
2166
2167 if (merge)
2168 Analyze(mach_header, fun([&](const char *data, size_t size) {
2169 baton.entitlements_.assign(data, size);
2170 }));
2171
2172 if (!baton.entitlements_.empty() || !entitlements.empty()) {
2173 auto combined(plist(baton.entitlements_));
2174 _scope({ plist_free(combined); });
2175 if (plist_get_node_type(combined) != PLIST_DICT) {
2176 fprintf(stderr, "ldid: Existing entitlements are in wrong format\n");
2177 exit(1);
2178 };
2179
2180 auto merging(plist(entitlements));
2181 _scope({ plist_free(merging); });
2182 if (plist_get_node_type(merging) != PLIST_DICT) {
2183 fprintf(stderr, "ldid: Entitlements need a root key of dict\n");
2184 exit(1);
2185 };
2186
2187 plist_dict_iter iterator(NULL);
2188 plist_dict_new_iter(merging, &iterator);
2189 _scope({ free(iterator); });
2190
2191 for (;;) {
2192 char *key(NULL);
2193 plist_t value(NULL);
2194 plist_dict_next_item(merging, iterator, &key, &value);
2195 if (key == NULL)
2196 break;
2197 _scope({ free(key); });
2198 plist_dict_set_item(combined, key, plist_copy(value));
2199 }
2200
2201 baton.derformat_ = der(combined);
2202
2203 char *xml(NULL);
2204 uint32_t size;
2205 plist_to_xml(combined, &xml, &size);
2206 _scope({ free(xml); });
2207
2208 baton.entitlements_.assign(xml, size);
2209 }
2210
2211 if (!baton.entitlements_.empty()) {
2212 special = std::max(special, CSSLOT_ENTITLEMENTS);
2213 alloc += sizeof(struct BlobIndex);
2214 alloc += sizeof(struct Blob);
2215 alloc += baton.entitlements_.size();
2216 }
2217
2218 if (!baton.derformat_.empty()) {
2219 special = std::max(special, CSSLOT_DERFORMAT);
2220 alloc += sizeof(struct BlobIndex);
2221 alloc += sizeof(struct Blob);
2222 alloc += baton.derformat_.size();
2223 }
2224
2225 size_t directory(0);
2226
2227 directory += sizeof(struct BlobIndex);
2228 directory += sizeof(struct Blob);
2229 directory += sizeof(struct CodeDirectory);
2230 directory += identifier.size() + 1;
2231
2232 if (!team.empty())
2233 directory += team.size() + 1;
2234
2235 for (Algorithm *algorithm : GetAlgorithms())
2236 alloc = Align(alloc + directory + (special + normal) * algorithm->size_, 16);
2237
2238 if (!key.empty()) {
2239 alloc += sizeof(struct BlobIndex);
2240 alloc += sizeof(struct Blob);
2241 alloc += certificate;
2242 }
2243
2244 return alloc;
2245 }), fun([&](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, size_t left, size_t right, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
2246 Blobs blobs;
2247
2248 if (true) {
2249 insert(blobs, CSSLOT_REQUIREMENTS, backing);
2250 }
2251
2252 uint64_t execs(0);
2253 if (mach_header.Swap(mach_header->filetype) == MH_EXECUTE)
2254 execs |= kSecCodeExecSegMainBinary;
2255
2256 if (!baton.entitlements_.empty()) {
2257 std::stringbuf data;
2258 put(data, baton.entitlements_.data(), baton.entitlements_.size());
2259 insert(blobs, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS, data);
2260
2261 auto entitlements(plist(baton.entitlements_));
2262 _scope({ plist_free(entitlements); });
2263 if (plist_get_node_type(entitlements) != PLIST_DICT) {
2264 fprintf(stderr, "ldid: Entitlements should be a plist dicionary\n");
2265 exit(1);
2266 }
2267
2268 const auto entitled([&](const char *key) {
2269 auto item(plist_dict_get_item(entitlements, key));
2270 if (plist_get_node_type(item) != PLIST_BOOLEAN)
2271 return false;
2272 uint8_t value(0);
2273 plist_get_bool_val(item, &value);
2274 return value != 0;
2275 });
2276
2277 if (entitled("get-task-allow"))
2278 execs |= kSecCodeExecSegAllowUnsigned;
2279 if (entitled("run-unsigned-code"))
2280 execs |= kSecCodeExecSegAllowUnsigned;
2281 if (entitled("com.apple.private.cs.debugger"))
2282 execs |= kSecCodeExecSegDebugger;
2283 if (entitled("dynamic-codesigning"))
2284 execs |= kSecCodeExecSegJit;
2285 if (entitled("com.apple.private.skip-library-validation"))
2286 execs |= kSecCodeExecSegSkipLibraryVal;
2287 if (entitled("com.apple.private.amfi.can-load-cdhash"))
2288 execs |= kSecCodeExecSegCanLoadCdHash;
2289 if (entitled("com.apple.private.amfi.can-execute-cdhash"))
2290 execs |= kSecCodeExecSegCanExecCdHash;
2291 }
2292
2293 if (!baton.derformat_.empty()) {
2294 std::stringbuf data;
2295 put(data, baton.derformat_.data(), baton.derformat_.size());
2296 insert(blobs, CSSLOT_DERFORMAT, CSMAGIC_EMBEDDED_DERFORMAT, data);
2297 }
2298
2299 Slots posts(slots);
2300
2301 mach_header.ForSection(fun([&](const char *segment, const char *section, void *data, size_t size) {
2302 if (strcmp(segment, "__TEXT") == 0 && section != NULL && strcmp(section, "__info_plist") == 0) {
2303 auto &slot(posts[CSSLOT_INFOSLOT]);
2304 for (Algorithm *algorithm : GetAlgorithms())
2305 (*algorithm)(slot, data, size);
2306 }
2307 }));
2308
2309 unsigned total(0);
2310 for (Algorithm *pointer : GetAlgorithms()) {
2311 Algorithm &algorithm(*pointer);
2312
2313 std::stringbuf data;
2314
2315 uint32_t special(0);
2316 _foreach (blob, blobs)
2317 special = std::max(special, blob.first);
2318 _foreach (slot, posts)
2319 special = std::max(special, slot.first);
2320 uint32_t normal((limit + PageSize_ - 1) / PageSize_);
2321
2322 CodeDirectory directory;
2323 directory.version = Swap(uint32_t(0x00020400));
2324 directory.flags = Swap(uint32_t(flags));
2325 directory.nSpecialSlots = Swap(special);
2326 directory.codeLimit = Swap(uint32_t(limit > UINT32_MAX ? UINT32_MAX : limit));
2327 directory.nCodeSlots = Swap(normal);
2328 directory.hashSize = algorithm.size_;
2329 directory.hashType = algorithm.type_;
2330 directory.platform = platform;
2331 directory.pageSize = PageShift_;
2332 directory.spare2 = Swap(uint32_t(0));
2333 directory.scatterOffset = Swap(uint32_t(0));
2334 directory.spare3 = Swap(uint32_t(0));
2335 directory.codeLimit64 = Swap(uint64_t(limit > UINT32_MAX ? limit : 0));
2336 directory.execSegBase = Swap(uint64_t(left));
2337 directory.execSegLimit = Swap(uint64_t(right - left));
2338 directory.execSegFlags = Swap(execs);
2339
2340 uint32_t offset(sizeof(Blob) + sizeof(CodeDirectory));
2341
2342 directory.identOffset = Swap(uint32_t(offset));
2343 offset += identifier.size() + 1;
2344
2345 if (team.empty())
2346 directory.teamIDOffset = Swap(uint32_t(0));
2347 else {
2348 directory.teamIDOffset = Swap(uint32_t(offset));
2349 offset += team.size() + 1;
2350 }
2351
2352 offset += special * algorithm.size_;
2353 directory.hashOffset = Swap(uint32_t(offset));
2354 offset += normal * algorithm.size_;
2355
2356 put(data, &directory, sizeof(directory));
2357
2358 put(data, identifier.c_str(), identifier.size() + 1);
2359 if (!team.empty())
2360 put(data, team.c_str(), team.size() + 1);
2361
2362 std::vector<uint8_t> storage((special + normal) * algorithm.size_);
2363 auto *hashes(&storage[special * algorithm.size_]);
2364
2365 memset(storage.data(), 0, special * algorithm.size_);
2366
2367 _foreach (blob, blobs) {
2368 auto local(reinterpret_cast<const Blob *>(&blob.second[0]));
2369 algorithm(hashes - blob.first * algorithm.size_, local, Swap(local->length));
2370 }
2371
2372 _foreach (slot, posts)
2373 memcpy(hashes - slot.first * algorithm.size_, algorithm[slot.second], algorithm.size_);
2374
2375 progress(0);
2376 if (normal != 1)
2377 for (size_t i = 0; i != normal - 1; ++i) {
2378 algorithm(hashes + i * algorithm.size_, (PageSize_ * i < overlap.size() ? overlap.data() : top) + PageSize_ * i, PageSize_);
2379 progress(double(i) / normal);
2380 }
2381 if (normal != 0)
2382 algorithm(hashes + (normal - 1) * algorithm.size_, top + PageSize_ * (normal - 1), ((limit - 1) % PageSize_) + 1);
2383 progress(1);
2384
2385 put(data, storage.data(), storage.size());
2386
2387 const auto &save(insert(blobs, total == 0 ? CSSLOT_CODEDIRECTORY : CSSLOT_ALTERNATE + total - 1, CSMAGIC_CODEDIRECTORY, data));
2388 algorithm(hash, save.data(), save.size());
2389
2390 ++total;
2391 }
2392
2393 if (!key.empty()) {
2394 auto plist(plist_new_dict());
2395 _scope({ plist_free(plist); });
2396
2397 auto cdhashes(plist_new_array());
2398 plist_dict_set_item(plist, "cdhashes", cdhashes);
2399
2400 std::vector<char> alternateCDSHA256;
2401 std::vector<char> alternateCDSHA1;
2402
2403 unsigned total(0);
2404 for (Algorithm *pointer : GetAlgorithms()) {
2405 Algorithm &algorithm(*pointer);
2406 (void) algorithm;
2407
2408 const auto &blob(blobs[total == 0 ? CSSLOT_CODEDIRECTORY : CSSLOT_ALTERNATE + total - 1]);
2409 ++total;
2410
2411 std::vector<char> hash;
2412 algorithm(hash, blob.data(), blob.size());
2413 if (algorithm.type_ == CS_HASHTYPE_SHA256_256)
2414 alternateCDSHA256 = hash;
2415 else if (algorithm.type_ == CS_HASHTYPE_SHA160_160)
2416 alternateCDSHA1 = hash;
2417 hash.resize(20);
2418
2419 plist_array_append_item(cdhashes, plist_new_data(hash.data(), hash.size()));
2420 }
2421
2422 char *xml(NULL);
2423 uint32_t size;
2424 plist_to_xml(plist, &xml, &size);
2425 _scope({ free(xml); });
2426
2427 std::stringbuf data;
2428 const std::string &sign(blobs[CSSLOT_CODEDIRECTORY]);
2429
2430 Stuff stuff(key);
2431 Buffer bio(sign);
2432
2433 Signature signature(stuff, sign, std::string(xml, size), alternateCDSHA1, alternateCDSHA256);
2434 Buffer result(signature);
2435 std::string value(result);
2436 put(data, value.data(), value.size());
2437
2438 const auto &save(insert(blobs, CSSLOT_SIGNATURESLOT, CSMAGIC_BLOBWRAPPER, data));
2439 _assert(save.size() <= certificate);
2440 }
2441
2442 return put(output, CSMAGIC_EMBEDDED_SIGNATURE, blobs);
2443 }), progress);
2444
2445 return hash;
2446 }
2447
2448 #ifndef LDID_NOTOOLS
2449 static void Unsign(void *idata, size_t isize, std::streambuf &output, const Progress &progress) {
2450 Allocate(idata, isize, output, fun([](const MachHeader &mach_header, Baton &baton, size_t size) -> size_t {
2451 return 0;
2452 }), fun([](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, size_t left, size_t right, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
2453 return 0;
2454 }), progress);
2455 }
2456
2457 std::string DiskFolder::Path(const std::string &path) const {
2458 return path_ + path;
2459 }
2460
2461 DiskFolder::DiskFolder(const std::string &path) :
2462 path_(path)
2463 {
2464 _assert_(path_.size() != 0 && path_[path_.size() - 1] == '/', "missing / on %s", path_.c_str());
2465 }
2466
2467 DiskFolder::~DiskFolder() {
2468 if (!std::uncaught_exception())
2469 for (const auto &commit : commit_)
2470 Commit(commit.first, commit.second);
2471 }
2472
2473 #ifndef __WIN32__
2474 std::string readlink(const std::string &path) {
2475 for (size_t size(1024); ; size *= 2) {
2476 std::string data;
2477 data.resize(size);
2478
2479 int writ(_syscall(::readlink(path.c_str(), &data[0], data.size())));
2480 if (size_t(writ) >= size)
2481 continue;
2482
2483 data.resize(writ);
2484 return data;
2485 }
2486 }
2487 #endif
2488
2489 void DiskFolder::Find(const std::string &root, const std::string &base, const Functor<void (const std::string &)> &code, const Functor<void (const std::string &, const Functor<std::string ()> &)> &link) const {
2490 std::string path(Path(root) + base);
2491
2492 DIR *dir(opendir(path.c_str()));
2493 _assert(dir != NULL);
2494 _scope({ _syscall(closedir(dir)); });
2495
2496 while (auto child = readdir(dir)) {
2497 std::string name(child->d_name);
2498 if (name == "." || name == "..")
2499 continue;
2500 if (Starts(name, ".ldid."))
2501 continue;
2502
2503 bool directory;
2504
2505 #ifdef __WIN32__
2506 struct stat info;
2507 _syscall(stat((path + name).c_str(), &info));
2508 if (S_ISDIR(info.st_mode))
2509 directory = true;
2510 else if (S_ISREG(info.st_mode))
2511 directory = false;
2512 else
2513 _assert_(false, "st_mode=%x", info.st_mode);
2514 #else
2515 switch (child->d_type) {
2516 case DT_DIR:
2517 directory = true;
2518 break;
2519 case DT_REG:
2520 directory = false;
2521 break;
2522 case DT_LNK:
2523 link(base + name, fun([&]() { return readlink(path + name); }));
2524 continue;
2525 default:
2526 _assert_(false, "d_type=%u", child->d_type);
2527 }
2528 #endif
2529
2530 if (directory)
2531 Find(root, base + name + "/", code, link);
2532 else
2533 code(base + name);
2534 }
2535 }
2536
2537 void DiskFolder::Save(const std::string &path, bool edit, const void *flag, const Functor<void (std::streambuf &)> &code) {
2538 if (!edit) {
2539 NullBuffer save;
2540 code(save);
2541 } else {
2542 std::filebuf save;
2543 auto from(Path(path));
2544 commit_[from] = Temporary(save, from);
2545 code(save);
2546 }
2547 }
2548
2549 bool DiskFolder::Look(const std::string &path) const {
2550 return _syscall(access(Path(path).c_str(), R_OK), ENOENT) == 0;
2551 }
2552
2553 void DiskFolder::Open(const std::string &path, const Functor<void (std::streambuf &, size_t, const void *)> &code) const {
2554 std::filebuf data;
2555 auto result(data.open(Path(path).c_str(), std::ios::binary | std::ios::in));
2556 _assert_(result == &data, "DiskFolder::Open(%s)", Path(path).c_str());
2557
2558 auto length(data.pubseekoff(0, std::ios::end, std::ios::in));
2559 data.pubseekpos(0, std::ios::in);
2560 code(data, length, NULL);
2561 }
2562
2563 void DiskFolder::Find(const std::string &path, const Functor<void (const std::string &)> &code, const Functor<void (const std::string &, const Functor<std::string ()> &)> &link) const {
2564 Find(path, "", code, link);
2565 }
2566 #endif // LDID_NOTOOLS
2567
2568 SubFolder::SubFolder(Folder &parent, const std::string &path) :
2569 parent_(parent),
2570 path_(path)
2571 {
2572 _assert_(path_.size() == 0 || path_[path_.size() - 1] == '/', "missing / on %s", path_.c_str());
2573 }
2574
2575 std::string SubFolder::Path(const std::string &path) const {
2576 return path_ + path;
2577 }
2578
2579 void SubFolder::Save(const std::string &path, bool edit, const void *flag, const Functor<void (std::streambuf &)> &code) {
2580 return parent_.Save(Path(path), edit, flag, code);
2581 }
2582
2583 bool SubFolder::Look(const std::string &path) const {
2584 return parent_.Look(Path(path));
2585 }
2586
2587 void SubFolder::Open(const std::string &path, const Functor<void (std::streambuf &, size_t, const void *)> &code) const {
2588 return parent_.Open(Path(path), code);
2589 }
2590
2591 void SubFolder::Find(const std::string &path, const Functor<void (const std::string &)> &code, const Functor<void (const std::string &, const Functor<std::string ()> &)> &link) const {
2592 return parent_.Find(Path(path), code, link);
2593 }
2594
2595 std::string UnionFolder::Map(const std::string &path) const {
2596 auto remap(remaps_.find(path));
2597 if (remap == remaps_.end())
2598 return path;
2599 return remap->second;
2600 }
2601
2602 void UnionFolder::Map(const std::string &path, const Functor<void (const std::string &)> &code, const std::string &file, const Functor<void (const Functor<void (std::streambuf &, size_t, const void *)> &)> &save) const {
2603 if (file.size() >= path.size() && file.substr(0, path.size()) == path)
2604 code(file.substr(path.size()));
2605 }
2606
2607 UnionFolder::UnionFolder(Folder &parent) :
2608 parent_(parent)
2609 {
2610 }
2611
2612 void UnionFolder::Save(const std::string &path, bool edit, const void *flag, const Functor<void (std::streambuf &)> &code) {
2613 return parent_.Save(Map(path), edit, flag, code);
2614 }
2615
2616 bool UnionFolder::Look(const std::string &path) const {
2617 auto file(resets_.find(path));
2618 if (file != resets_.end())
2619 return true;
2620 return parent_.Look(Map(path));
2621 }
2622
2623 void UnionFolder::Open(const std::string &path, const Functor<void (std::streambuf &, size_t, const void *)> &code) const {
2624 auto file(resets_.find(path));
2625 if (file == resets_.end())
2626 return parent_.Open(Map(path), code);
2627 auto &entry(file->second);
2628
2629 auto &data(*entry.data_);
2630 auto length(data.pubseekoff(0, std::ios::end, std::ios::in));
2631 data.pubseekpos(0, std::ios::in);
2632 code(data, length, entry.flag_);
2633 }
2634
2635 void UnionFolder::Find(const std::string &path, const Functor<void (const std::string &)> &code, const Functor<void (const std::string &, const Functor<std::string ()> &)> &link) const {
2636 for (auto &reset : resets_)
2637 Map(path, code, reset.first, fun([&](const Functor<void (std::streambuf &, size_t, const void *)> &code) {
2638 auto &entry(reset.second);
2639 auto &data(*entry.data_);
2640 auto length(data.pubseekoff(0, std::ios::end, std::ios::in));
2641 data.pubseekpos(0, std::ios::in);
2642 code(data, length, entry.flag_);
2643 }));
2644
2645 for (auto &remap : remaps_)
2646 Map(path, code, remap.first, fun([&](const Functor<void (std::streambuf &, size_t, const void *)> &code) {
2647 parent_.Open(remap.second, fun([&](std::streambuf &data, size_t length, const void *flag) {
2648 code(data, length, flag);
2649 }));
2650 }));
2651
2652 parent_.Find(path, fun([&](const std::string &name) {
2653 if (deletes_.find(path + name) == deletes_.end())
2654 code(name);
2655 }), fun([&](const std::string &name, const Functor<std::string ()> &read) {
2656 if (deletes_.find(path + name) == deletes_.end())
2657 link(name, read);
2658 }));
2659 }
2660
2661 #ifndef LDID_NOTOOLS
2662 static void copy(std::streambuf &source, std::streambuf &target, size_t length, const Progress &progress) {
2663 progress(0);
2664 size_t total(0);
2665 for (;;) {
2666 char data[4096 * 4];
2667 size_t writ(source.sgetn(data, sizeof(data)));
2668 if (writ == 0)
2669 break;
2670 _assert(target.sputn(data, writ) == writ);
2671 total += writ;
2672 progress(double(total) / length);
2673 }
2674 }
2675
2676 static plist_t plist(const std::string &data) {
2677 if (data.empty())
2678 return plist_new_dict();
2679 plist_t plist(NULL);
2680 if (Starts(data, "bplist00"))
2681 plist_from_bin(data.data(), data.size(), &plist);
2682 else
2683 plist_from_xml(data.data(), data.size(), &plist);
2684 if (plist == NULL) {
2685 fprintf(stderr, "ldid: Failed to parse plist\n");
2686 exit(1);
2687 }
2688 return plist;
2689 }
2690
2691 static void plist_d(std::streambuf &buffer, size_t length, const Functor<void (plist_t)> &code) {
2692 std::stringbuf data;
2693 copy(buffer, data, length, dummy_);
2694 auto node(plist(data.str()));
2695 _scope({ plist_free(node); });
2696 if (plist_get_node_type(node) != PLIST_DICT) {
2697 fprintf(stderr, "ldid: Unexpected plist type. Expected <dict>\n");
2698 exit(1);
2699 }
2700 code(node);
2701 }
2702
2703 static std::string plist_s(plist_t node) {
2704 if (node == NULL)
2705 return NULL;
2706 if (plist_get_node_type(node) != PLIST_STRING) {
2707 fprintf(stderr, "ldid: Unexpected plist type. Expected <string>\n");
2708 exit(1);
2709 }
2710 char *data;
2711 plist_get_string_val(node, &data);
2712 _scope({ free(data); });
2713 return data;
2714 }
2715
2716 enum Mode {
2717 NoMode,
2718 OptionalMode,
2719 OmitMode,
2720 NestedMode,
2721 TopMode,
2722 };
2723
2724 class Expression {
2725 private:
2726 regex_t regex_;
2727 std::vector<std::string> matches_;
2728
2729 public:
2730 Expression(const std::string &code) {
2731 _assert_(regcomp(&regex_, code.c_str(), REG_EXTENDED) == 0, "regcomp()");
2732 matches_.resize(regex_.re_nsub + 1);
2733 }
2734
2735 ~Expression() {
2736 regfree(&regex_);
2737 }
2738
2739 bool operator ()(const std::string &data) {
2740 regmatch_t matches[matches_.size()];
2741 auto value(regexec(&regex_, data.c_str(), matches_.size(), matches, 0));
2742 if (value == REG_NOMATCH)
2743 return false;
2744 _assert_(value == 0, "regexec()");
2745 for (size_t i(0); i != matches_.size(); ++i)
2746 matches_[i].assign(data.data() + matches[i].rm_so, matches[i].rm_eo - matches[i].rm_so);
2747 return true;
2748 }
2749
2750 const std::string &operator [](size_t index) const {
2751 return matches_[index];
2752 }
2753 };
2754
2755 struct Rule {
2756 unsigned weight_;
2757 Mode mode_;
2758 std::string code_;
2759
2760 mutable std::unique_ptr<Expression> regex_;
2761
2762 Rule(unsigned weight, Mode mode, const std::string &code) :
2763 weight_(weight),
2764 mode_(mode),
2765 code_(code)
2766 {
2767 }
2768
2769 Rule(const Rule &rhs) :
2770 weight_(rhs.weight_),
2771 mode_(rhs.mode_),
2772 code_(rhs.code_)
2773 {
2774 }
2775
2776 void Compile() const {
2777 regex_.reset(new Expression(code_));
2778 }
2779
2780 bool operator ()(const std::string &data) const {
2781 _assert(regex_.get() != NULL);
2782 return (*regex_)(data);
2783 }
2784
2785 bool operator <(const Rule &rhs) const {
2786 if (weight_ > rhs.weight_)
2787 return true;
2788 if (weight_ < rhs.weight_)
2789 return false;
2790 return mode_ > rhs.mode_;
2791 }
2792 };
2793
2794 struct RuleCode {
2795 bool operator ()(const Rule *lhs, const Rule *rhs) const {
2796 return lhs->code_ < rhs->code_;
2797 }
2798 };
2799
2800 static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Hash &hash, std::streambuf &save, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, size_t length, uint32_t flags, uint8_t platform, const Progress &progress) {
2801 // XXX: this is a miserable fail
2802 std::stringbuf temp;
2803 put(temp, prefix, size);
2804 copy(buffer, temp, length - size, progress);
2805 // XXX: this is a stupid hack
2806 pad(temp, 0x10 - (length & 0xf));
2807 auto data(temp.str());
2808
2809 HashProxy proxy(hash, save);
2810 return Sign(data.data(), data.size(), proxy, identifier, entitlements, merge, requirements, key, slots, flags, platform, progress);
2811 }
2812
2813 struct State {
2814 std::map<std::string, Hash> files;
2815 std::map<std::string, std::string> links;
2816
2817 void Merge(const std::string &root, const State &state) {
2818 for (const auto &entry : state.files)
2819 files[root + entry.first] = entry.second;
2820 for (const auto &entry : state.links)
2821 links[root + entry.first] = entry.second;
2822 }
2823 };
2824
2825 Bundle Sign(const std::string &root, Folder &parent, const std::string &key, State &local, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, bool merge, const Progress &progress) {
2826 std::string executable;
2827 std::string identifier;
2828
2829 bool mac(false);
2830
2831 std::string info("Info.plist");
2832
2833 SubFolder folder(parent, [&]() {
2834 if (parent.Look(info))
2835 return "";
2836 mac = true;
2837 if (parent.Look("Contents/" + info))
2838 return "Contents/";
2839 else if (parent.Look("Resources/" + info)) {
2840 info = "Resources/" + info;
2841 return "";
2842 } else {
2843 fprintf(stderr, "ldid: Could not find Info.plist\n");
2844 exit(1);
2845 }
2846 }());
2847
2848 folder.Open(info, fun([&](std::streambuf &buffer, size_t length, const void *flag) {
2849 plist_d(buffer, length, fun([&](plist_t node) {
2850 plist_t nodebuf(plist_dict_get_item(node, "CFBundleExecutable"));
2851 if (nodebuf == NULL) {
2852 fprintf(stderr, "ldid: Cannot find key CFBundleExecutable\n");
2853 exit(1);
2854 }
2855 executable = plist_s(nodebuf);
2856 nodebuf = plist_dict_get_item(node, "CFBundleIdentifier");
2857 if (nodebuf == NULL) {
2858 fprintf(stderr, "ldid: Cannot find key CFBundleIdentifier\n");
2859 exit(1);
2860 }
2861 identifier = plist_s(nodebuf);
2862 }));
2863 }));
2864
2865 if (mac && info == "Info.plist")
2866 executable = "MacOS/" + executable;
2867
2868 progress(root + "*");
2869
2870 std::string entitlements;
2871 folder.Open(executable, fun([&](std::streambuf &buffer, size_t length, const void *flag) {
2872 // XXX: this is a miserable fail
2873 std::stringbuf temp;
2874 copy(buffer, temp, length, progress);
2875 // XXX: this is a stupid hack
2876 pad(temp, 0x10 - (length & 0xf));
2877 auto data(temp.str());
2878 entitlements = alter(root, Analyze(data.data(), data.size()));
2879 }));
2880
2881 static const std::string directory("_CodeSignature/");
2882 static const std::string signature(directory + "CodeResources");
2883
2884 std::map<std::string, std::multiset<Rule>> versions;
2885
2886 auto &rules1(versions[""]);
2887 auto &rules2(versions["2"]);
2888
2889 const std::string resources(mac ? "Resources/" : "");
2890
2891 if (true) {
2892 rules1.insert(Rule{1, NoMode, "^" + (resources == "" ? ".*" : resources)});
2893 rules1.insert(Rule{1000, OptionalMode, "^" + resources + ".*\\.lproj/"});
2894 rules1.insert(Rule{1100, OmitMode, "^" + resources + ".*\\.lproj/locversion.plist$"});
2895 rules1.insert(Rule{1010, NoMode, "^" + resources + "Base\\.lproj/"});
2896 rules1.insert(Rule{1, NoMode, "^version.plist$"});
2897 }
2898
2899 if (true) {
2900 rules2.insert(Rule{11, NoMode, ".*\\.dSYM($|/)"});
2901 if (mac) rules2.insert(Rule{20, NoMode, "^" + resources});
2902 rules2.insert(Rule{2000, OmitMode, "^(.*/)?\\.DS_Store$"});
2903 if (mac) rules2.insert(Rule{10, NestedMode, "^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/"});
2904 rules2.insert(Rule{1, NoMode, "^.*"});
2905 rules2.insert(Rule{1000, OptionalMode, "^" + resources + ".*\\.lproj/"});
2906 rules2.insert(Rule{1100, OmitMode, "^" + resources + ".*\\.lproj/locversion.plist$"});
2907 if (!mac) rules2.insert(Rule{1010, NoMode, "^Base\\.lproj/"});
2908 rules2.insert(Rule{20, OmitMode, "^Info\\.plist$"});
2909 rules2.insert(Rule{20, OmitMode, "^PkgInfo$"});
2910 if (mac) rules2.insert(Rule{10, NestedMode, "^[^/]+$"});
2911 rules2.insert(Rule{20, NoMode, "^embedded\\.provisionprofile$"});
2912 if (mac) rules2.insert(Rule{1010, NoMode, "^" + resources + "Base\\.lproj/"});
2913 rules2.insert(Rule{20, NoMode, "^version\\.plist$"});
2914 }
2915
2916 std::string failure(mac ? "Contents/|Versions/[^/]*/Resources/" : "");
2917 Expression nested("^(Frameworks/[^/]*\\.framework|PlugIns/[^/]*\\.appex(()|/[^/]*.app))/(" + failure + ")Info\\.plist$");
2918 std::map<std::string, Bundle> bundles;
2919
2920 folder.Find("", fun([&](const std::string &name) {
2921 if (!nested(name))
2922 return;
2923 auto bundle(Split(name).dir);
2924 if (mac) {
2925 _assert(!bundle.empty());
2926 bundle = Split(bundle.substr(0, bundle.size() - 1)).dir;
2927 }
2928 SubFolder subfolder(folder, bundle);
2929
2930 State remote;
2931 bundles[nested[1]] = Sign(root + bundle, subfolder, key, remote, "", Starts(name, "PlugIns/") ? alter :
2932 static_cast<const Functor<std::string (const std::string &, const std::string &)> &>(fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }))
2933 , merge, progress);
2934 local.Merge(bundle, remote);
2935 }), fun([&](const std::string &name, const Functor<std::string ()> &read) {
2936 }));
2937
2938 std::set<std::string> excludes;
2939
2940 auto exclude([&](const std::string &name) {
2941 // BundleDiskRep::adjustResources -> builder.addExclusion
2942 if (name == executable || Starts(name, directory) || Starts(name, "_MASReceipt/") || name == "CodeResources")
2943 return true;
2944
2945 for (const auto &bundle : bundles)
2946 if (Starts(name, bundle.first + "/")) {
2947 excludes.insert(name);
2948 return true;
2949 }
2950
2951 return false;
2952 });
2953
2954 folder.Find("", fun([&](const std::string &name) {
2955 if (exclude(name))
2956 return;
2957
2958 if (local.files.find(name) != local.files.end())
2959 return;
2960 auto &hash(local.files[name]);
2961
2962 folder.Open(name, fun([&](std::streambuf &data, size_t length, const void *flag) {
2963 progress(root + name);
2964
2965 union {
2966 struct {
2967 uint32_t magic;
2968 uint32_t count;
2969 };
2970
2971 uint8_t bytes[8];
2972 } header;
2973
2974 auto size(most(data, &header.bytes, sizeof(header.bytes)));
2975
2976 if (name != "_WatchKitStub/WK" && size == sizeof(header.bytes))
2977 switch (Swap(header.magic)) {
2978 case FAT_MAGIC:
2979 // Java class file format
2980 if (Swap(header.count) >= 40)
2981 break;
2982 case FAT_CIGAM:
2983 case MH_MAGIC: case MH_MAGIC_64:
2984 case MH_CIGAM: case MH_CIGAM_64:
2985 folder.Save(name, true, flag, fun([&](std::streambuf &save) {
2986 Slots slots;
2987 Sign(header.bytes, size, data, hash, save, identifier, "", false, "", key, slots, length, 0, false, Progression(progress, root + name));
2988 }));
2989 return;
2990 }
2991
2992 folder.Save(name, false, flag, fun([&](std::streambuf &save) {
2993 HashProxy proxy(hash, save);
2994 put(proxy, header.bytes, size);
2995 copy(data, proxy, length - size, progress);
2996 }));
2997 }));
2998 }), fun([&](const std::string &name, const Functor<std::string ()> &read) {
2999 if (exclude(name))
3000 return;
3001
3002 local.links[name] = read();
3003 }));
3004
3005 auto plist(plist_new_dict());
3006 _scope({ plist_free(plist); });
3007
3008 for (const auto &version : versions) {
3009 auto files(plist_new_dict());
3010 plist_dict_set_item(plist, ("files" + version.first).c_str(), files);
3011
3012 for (const auto &rule : version.second)
3013 rule.Compile();
3014
3015 bool old(&version.second == &rules1);
3016
3017 for (const auto &hash : local.files)
3018 for (const auto &rule : version.second)
3019 if (rule(hash.first)) {
3020 if (!old && mac && excludes.find(hash.first) != excludes.end());
3021 else if (old && rule.mode_ == NoMode)
3022 plist_dict_set_item(files, hash.first.c_str(), plist_new_data(reinterpret_cast<const char *>(hash.second.sha1_), sizeof(hash.second.sha1_)));
3023 else if (rule.mode_ != OmitMode) {
3024 auto entry(plist_new_dict());
3025 plist_dict_set_item(entry, "hash", plist_new_data(reinterpret_cast<const char *>(hash.second.sha1_), sizeof(hash.second.sha1_)));
3026 if (!old)
3027 plist_dict_set_item(entry, "hash2", plist_new_data(reinterpret_cast<const char *>(hash.second.sha256_), sizeof(hash.second.sha256_)));
3028 if (rule.mode_ == OptionalMode)
3029 plist_dict_set_item(entry, "optional", plist_new_bool(true));
3030 plist_dict_set_item(files, hash.first.c_str(), entry);
3031 }
3032
3033 break;
3034 }
3035
3036 if (!old)
3037 for (const auto &link : local.links)
3038 for (const auto &rule : version.second)
3039 if (rule(link.first)) {
3040 if (rule.mode_ != OmitMode) {
3041 auto entry(plist_new_dict());
3042 plist_dict_set_item(entry, "symlink", plist_new_string(link.second.c_str()));
3043 if (rule.mode_ == OptionalMode)
3044 plist_dict_set_item(entry, "optional", plist_new_bool(true));
3045 plist_dict_set_item(files, link.first.c_str(), entry);
3046 }
3047
3048 break;
3049 }
3050
3051 if (!old && mac)
3052 for (const auto &bundle : bundles) {
3053 auto entry(plist_new_dict());
3054 plist_dict_set_item(entry, "cdhash", plist_new_data(reinterpret_cast<const char *>(bundle.second.hash.sha256_), sizeof(bundle.second.hash.sha256_)));
3055 plist_dict_set_item(entry, "requirement", plist_new_string("anchor apple generic"));
3056 plist_dict_set_item(files, bundle.first.c_str(), entry);
3057 }
3058 }
3059
3060 for (const auto &version : versions) {
3061 auto rules(plist_new_dict());
3062 plist_dict_set_item(plist, ("rules" + version.first).c_str(), rules);
3063
3064 std::multiset<const Rule *, RuleCode> ordered;
3065 for (const auto &rule : version.second)
3066 ordered.insert(&rule);
3067
3068 for (const auto &rule : ordered)
3069 if (rule->weight_ == 1 && rule->mode_ == NoMode)
3070 plist_dict_set_item(rules, rule->code_.c_str(), plist_new_bool(true));
3071 else {
3072 auto entry(plist_new_dict());
3073 plist_dict_set_item(rules, rule->code_.c_str(), entry);
3074
3075 switch (rule->mode_) {
3076 case NoMode:
3077 break;
3078 case OmitMode:
3079 plist_dict_set_item(entry, "omit", plist_new_bool(true));
3080 break;
3081 case OptionalMode:
3082 plist_dict_set_item(entry, "optional", plist_new_bool(true));
3083 break;
3084 case NestedMode:
3085 plist_dict_set_item(entry, "nested", plist_new_bool(true));
3086 break;
3087 case TopMode:
3088 plist_dict_set_item(entry, "top", plist_new_bool(true));
3089 break;
3090 }
3091
3092 if (rule->weight_ >= 10000)
3093 plist_dict_set_item(entry, "weight", plist_new_uint(rule->weight_));
3094 else if (rule->weight_ != 1)
3095 plist_dict_set_item(entry, "weight", plist_new_real(rule->weight_));
3096 }
3097 }
3098
3099 folder.Save(signature, true, NULL, fun([&](std::streambuf &save) {
3100 HashProxy proxy(local.files[signature], save);
3101 char *xml(NULL);
3102 uint32_t size;
3103 plist_to_xml(plist, &xml, &size);
3104 _scope({ free(xml); });
3105 put(proxy, xml, size);
3106 }));
3107
3108 Bundle bundle;
3109 bundle.path = folder.Path(executable);
3110
3111 folder.Open(executable, fun([&](std::streambuf &buffer, size_t length, const void *flag) {
3112 progress(root + executable);
3113 folder.Save(executable, true, flag, fun([&](std::streambuf &save) {
3114 Slots slots;
3115 slots[1] = local.files.at(info);
3116 slots[3] = local.files.at(signature);
3117 bundle.hash = Sign(NULL, 0, buffer, local.files[executable], save, identifier, entitlements, merge, requirements, key, slots, length, 0, false, Progression(progress, root + executable));
3118 }));
3119 }));
3120
3121 return bundle;
3122 }
3123
3124 Bundle Sign(const std::string &root, Folder &folder, const std::string &key, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, bool merge, const Progress &progress) {
3125 State local;
3126 return Sign(root, folder, key, local, requirements, alter, merge, progress);
3127 }
3128
3129 #endif
3130 }
3131
3132 std::string Hex(const uint8_t *data, size_t size) {
3133 std::string hex;
3134 hex.reserve(size * 2);
3135 for (size_t i(0); i != size; ++i) {
3136 hex += "0123456789abcdef"[data[i] >> 4];
3137 hex += "0123456789abcdef"[data[i] & 0xf];
3138 }
3139 return hex;
3140 }
3141
3142 static void usage(const char *argv0) {
3143 fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION);
3144 fprintf(stderr, "Usage: %s [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard |\n", argv0);
3145 fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
3146 fprintf(stderr, " [-Enum:file] [-e] [-H[sha1 | sha256]] [-h] [-Iname]\n");
3147 fprintf(stderr, " [-Kkey.p12 [-Upassword]] [-M] [-P] [-Qrequirements.xml] [-q]\n");
3148 fprintf(stderr, " [-r | -Sfile.xml | -s] [-u] [-arch arch_type] file ...\n");
3149 fprintf(stderr, "Options:\n");
3150 fprintf(stderr, " -S[file.xml] Pseudo-sign using the entitlements in file.xml\n");
3151 fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
3152 fprintf(stderr, " -Upassword Use password to unlock key.p12\n");
3153 fprintf(stderr, " -M Merge entitlements with any existing\n");
3154 fprintf(stderr, " -h Print CDHash of file\n\n");
3155 fprintf(stderr, "More information: 'man ldid'\n");
3156 }
3157
3158 void cleanupfunc(void) {
3159 for (const auto &temp : cleanup)
3160 remove(temp.c_str());
3161 }
3162
3163 #ifndef LDID_NOTOOLS
3164 int main(int argc, char *argv[]) {
3165 std::atexit(cleanupfunc);
3166 OpenSSL_add_all_algorithms();
3167 # if OPENSSL_VERSION_MAJOR >= 3
3168 OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
3169 OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(NULL, "default");
3170 # endif
3171
3172 union {
3173 uint16_t word;
3174 uint8_t byte[2];
3175 } endian = {1};
3176
3177 little_ = endian.byte[0];
3178
3179 bool flag_r(false);
3180 bool flag_e(false);
3181 bool flag_q(false);
3182
3183 bool flag_H(false);
3184 bool flag_h(false);
3185
3186
3187 bool flag_S(false);
3188 bool flag_s(false);
3189
3190 bool flag_D(false);
3191 bool flag_d(false);
3192
3193 bool flag_A(false);
3194 bool flag_a(false);
3195
3196 bool flag_u(false);
3197
3198 bool flag_M(false);
3199
3200 uint32_t flags(0);
3201 uint8_t platform(0);
3202
3203 uint32_t flag_CPUType(_not(uint32_t));
3204 uint32_t flag_CPUSubtype(_not(uint32_t));
3205
3206 const char *flag_I(NULL);
3207
3208
3209 Map entitlements;
3210 Map requirements;
3211 Map key;
3212 ldid::Slots slots;
3213
3214 std::vector<std::string> files;
3215
3216 if (argc == 1) {
3217 usage(argv[0]);
3218 return 0;
3219 }
3220
3221 for (int argi(1); argi != argc; ++argi)
3222 if (argv[argi][0] != '-')
3223 files.push_back(argv[argi]);
3224 else if (strcmp(argv[argi], "-arch") == 0) {
3225 bool foundarch = false;
3226 flag_A = true;
3227 argi++;
3228 if (argi == argc) {
3229 fprintf(stderr, "ldid: -arch must be followed by an architecture string\n");
3230 exit(1);
3231 }
3232 for (int i = 0; archs[i].name != NULL; i++) {
3233 if (strcmp(archs[i].name, argv[argi]) == 0) {
3234 flag_CPUType = archs[i].cputype;
3235 flag_CPUSubtype = archs[i].cpusubtype;
3236 foundarch = true;
3237 }
3238 if (foundarch)
3239 break;
3240 }
3241
3242 if (!foundarch) {
3243 fprintf(stderr, "error: unknown architecture specification flag: -arch %s\n", argv[argi]);
3244 exit(1);
3245 }
3246 } else switch (argv[argi][1]) {
3247 case 'r':
3248 if (flag_s || flag_S) {
3249 fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
3250 exit(1);
3251 }
3252 flag_r = true;
3253 break;
3254
3255 case 'e': flag_e = true; break;
3256
3257 case 'E': {
3258 const char *string = argv[argi] + 2;
3259 const char *colon = strchr(string, ':');
3260 if (colon == NULL) {
3261 usage(argv[0]);
3262 exit(1);
3263 }
3264 Map file(colon + 1, O_RDONLY, PROT_READ, MAP_PRIVATE);
3265 char *arge;
3266 unsigned number(strtoul(string, &arge, 0));
3267 if (arge != colon || (number == 0 && errno == EINVAL)) {
3268 usage(argv[0]);
3269 exit(1);
3270 }
3271 auto &slot(slots[number]);
3272 for (Algorithm *algorithm : GetAlgorithms())
3273 (*algorithm)(slot, file.data(), file.size());
3274 } break;
3275
3276 case 'q': flag_q = true; break;
3277
3278 case 'H': {
3279 const char *hash = argv[argi] + 2;
3280
3281 if (!flag_H) {
3282 flag_H = true;
3283
3284 do_sha1 = false;
3285 do_sha256 = false;
3286 }
3287
3288 if (strcmp(hash, "sha1") == 0)
3289 do_sha1 = true;
3290 else if (strcmp(hash, "sha256") == 0)
3291 do_sha256 = true;
3292 else {
3293 fprintf(stderr, "ldid: only sha1 and sha256 are supported at this time\n");
3294 exit(1);
3295 }
3296 } break;
3297
3298 case 'h': flag_h = true; break;
3299
3300 case 'Q': {
3301 const char *xml = argv[argi] + 2;
3302 requirements.open(xml, O_RDONLY, PROT_READ, MAP_PRIVATE);
3303 } break;
3304
3305 case 'D': flag_D = true; break;
3306 case 'd': flag_d = true; break;
3307
3308 case 'a': flag_a = true; break;
3309
3310 case 'A':
3311 if (flag_A) {
3312 fprintf(stderr, "ldid: -A can only be specified once\n");
3313 exit(1);
3314 }
3315 flag_A = true;
3316 if (argv[argi][2] != '\0') {
3317 const char *cpu = argv[argi] + 2;
3318 const char *colon = strchr(cpu, ':');
3319 if (colon == NULL) {
3320 usage(argv[0]);
3321 exit(1);
3322 }
3323 char *arge;
3324 flag_CPUType = strtoul(cpu, &arge, 0);
3325 if (arge != colon || (flag_CPUType == 0 && errno == EINVAL)) {
3326 usage(argv[0]);
3327 exit(1);
3328 }
3329 flag_CPUSubtype = strtoul(colon + 1, &arge, 0);
3330 if (arge != argv[argi] + strlen(argv[argi]) || (flag_CPUSubtype == 0 && errno == EINVAL)) {
3331 usage(argv[0]);
3332 exit(1);
3333 }
3334 }
3335 break;
3336
3337 case 'C': {
3338 const char *name = argv[argi] + 2;
3339 if (strcmp(name, "host") == 0)
3340 flags |= kSecCodeSignatureHost;
3341 else if (strcmp(name, "adhoc") == 0)
3342 flags |= kSecCodeSignatureAdhoc;
3343 else if (strcmp(name, "hard") == 0)
3344 flags |= kSecCodeSignatureForceHard;
3345 else if (strcmp(name, "kill") == 0)
3346 flags |= kSecCodeSignatureForceKill;
3347 else if (strcmp(name, "expires") == 0)
3348 flags |= kSecCodeSignatureForceExpiration;
3349 else if (strcmp(name, "restrict") == 0)
3350 flags |= kSecCodeSignatureRestrict;
3351 else if (strcmp(name, "enforcement") == 0)
3352 flags |= kSecCodeSignatureEnforcement;
3353 else if (strcmp(name, "library-validation") == 0)
3354 flags |= kSecCodeSignatureLibraryValidation;
3355 else if (strcmp(name, "runtime") == 0)
3356 flags |= kSecCodeSignatureRuntime;
3357 else {
3358 fprintf(stderr, "ldid: -C: Unsupported option\n");
3359 exit(1);
3360 }
3361 } break;
3362
3363 case 'P':
3364 if (argv[argi][2] != '\0') {
3365 char *platformchar = argv[argi] + 2;
3366 char *arge;
3367 platform = strtoul(platformchar, &arge, 0);
3368 } else {
3369 platform = 13;
3370 }
3371 break;
3372
3373 case 's':
3374 if (flag_r || flag_S) {
3375 fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
3376 exit(1);
3377 }
3378 flag_s = true;
3379 entitlements.clear();
3380 flag_M = true;
3381 break;
3382
3383 case 'S':
3384 if (flag_r || flag_s) {
3385 fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
3386 exit(1);
3387 }
3388 flag_S = true;
3389 if (argv[argi][2] != '\0') {
3390 const char *xml = argv[argi] + 2;
3391 entitlements.open(xml, O_RDONLY, PROT_READ, MAP_PRIVATE);
3392 }
3393 break;
3394
3395 case 'M':
3396 flag_M = true;
3397 break;
3398
3399 case 'U':
3400 password = argv[argi] + 2;
3401 break;
3402
3403 case 'K':
3404 if (argv[argi][2] != '\0')
3405 key.open(argv[argi] + 2, O_RDONLY, PROT_READ, MAP_PRIVATE);
3406 break;
3407
3408 case 'T': break;
3409
3410 case 'u': {
3411 flag_u = true;
3412 } break;
3413
3414 case 'I': {
3415 flag_I = argv[argi] + 2;
3416 } break;
3417
3418 default:
3419 usage(argv[0]);
3420 return 1;
3421 break;
3422 }
3423
3424 if (flag_I != NULL && !flag_S) {
3425 fprintf(stderr, "ldid: -I requires -S\n");
3426 exit(1);
3427 }
3428
3429 if (files.empty())
3430 return 0;
3431
3432 size_t filei(0), filee(0);
3433 _foreach (file, files) try {
3434 std::string path(file);
3435
3436 struct stat info;
3437 if (stat(path.c_str(), &info) == -1) {
3438 fprintf(stderr, "ldid: %s: %s\n", path.c_str(), strerror(errno));
3439 exit(1);
3440 }
3441
3442 if (S_ISDIR(info.st_mode)) {
3443 if (!flag_S && !flag_s) {
3444 fprintf(stderr, "ldid: Only -S and -s can be used on directories\n");
3445 exit(1);
3446 }
3447 ldid::DiskFolder folder(path + "/");
3448 path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), flag_M, dummy_).path;
3449 } else if (flag_S || flag_r || flag_s) {
3450 Map input(path, O_RDONLY, PROT_READ, MAP_PRIVATE);
3451
3452 std::filebuf output;
3453 Split split(path);
3454 auto temp(Temporary(output, split));
3455
3456 if (flag_r)
3457 ldid::Unsign(input.data(), input.size(), output, dummy_);
3458 else {
3459 std::string identifier(flag_I ?: split.base.c_str());
3460 ldid::Sign(input.data(), input.size(), output, identifier, entitlements, flag_M, requirements, key, slots, flags, platform, dummy_);
3461 }
3462
3463 Commit(path, temp);
3464 }
3465
3466 Map mapping(path, flag_D ? true : false);
3467 FatHeader fat_header(mapping.data(), mapping.size());
3468
3469 _foreach (mach_header, fat_header.GetMachHeaders()) {
3470 struct linkedit_data_command *signature(NULL);
3471 struct encryption_info_command *encryption(NULL);
3472
3473 if (flag_A) {
3474 if (mach_header.GetCPUType() != flag_CPUType)
3475 continue;
3476 if (mach_header.GetCPUSubtype() != flag_CPUSubtype)
3477 continue;
3478 }
3479
3480 if (flag_a)
3481 printf("cpu=0x%x:0x%x\n", mach_header.GetCPUType(), mach_header.GetCPUSubtype());
3482
3483 _foreach (load_command, mach_header.GetLoadCommands()) {
3484 uint32_t cmd(mach_header.Swap(load_command->cmd));
3485
3486 if (cmd == LC_CODE_SIGNATURE)
3487 signature = reinterpret_cast<struct linkedit_data_command *>(load_command);
3488 else if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64)
3489 encryption = reinterpret_cast<struct encryption_info_command *>(load_command);
3490 else if (cmd == LC_LOAD_DYLIB) {
3491 volatile struct dylib_command *dylib_command(reinterpret_cast<struct dylib_command *>(load_command));
3492 const char *name(reinterpret_cast<const char *>(load_command) + mach_header.Swap(dylib_command->dylib.name));
3493
3494 if (strcmp(name, "/System/Library/Frameworks/UIKit.framework/UIKit") == 0) {
3495 if (flag_u) {
3496 Version version;
3497 version.value = mach_header.Swap(dylib_command->dylib.current_version);
3498 printf("uikit=%u.%u.%u\n", version.major, version.minor, version.patch);
3499 }
3500 }
3501 }
3502 }
3503
3504 if (flag_d && encryption != NULL) {
3505 printf("cryptid=%d\n", mach_header.Swap(encryption->cryptid));
3506 }
3507
3508 if (flag_D) {
3509 if (encryption == NULL) {
3510 fprintf(stderr, "ldid: -D requires an encrypted binary\n");
3511 exit(1);
3512 }
3513 encryption->cryptid = mach_header.Swap(0);
3514 }
3515
3516 if ((flag_e || flag_q || flag_h) && signature == NULL) {
3517 fprintf(stderr, "ldid: -e, -q, and -h requre a signed binary\n");
3518 exit(1);
3519 }
3520
3521 if (flag_e) {
3522 uint32_t data = mach_header.Swap(signature->dataoff);
3523
3524 uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
3525 uint8_t *blob = top + data;
3526 struct SuperBlob *super = reinterpret_cast<struct SuperBlob *>(blob);
3527
3528 for (size_t index(0); index != Swap(super->count); ++index)
3529 if (Swap(super->index[index].type) == CSSLOT_ENTITLEMENTS) {
3530 uint32_t begin = Swap(super->index[index].offset);
3531 struct Blob *entitlements = reinterpret_cast<struct Blob *>(blob + begin);
3532 fwrite(entitlements + 1, 1, Swap(entitlements->length) - sizeof(*entitlements), stdout);
3533 }
3534 }
3535
3536 if (flag_q) {
3537 uint32_t data = mach_header.Swap(signature->dataoff);
3538
3539 uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
3540 uint8_t *blob = top + data;
3541 struct SuperBlob *super = reinterpret_cast<struct SuperBlob *>(blob);
3542
3543 for (size_t index(0); index != Swap(super->count); ++index)
3544 if (Swap(super->index[index].type) == CSSLOT_REQUIREMENTS) {
3545 uint32_t begin = Swap(super->index[index].offset);
3546 struct Blob *requirement = reinterpret_cast<struct Blob *>(blob + begin);
3547 fwrite(requirement, 1, Swap(requirement->length), stdout);
3548 }
3549 }
3550
3551 if (flag_h) {
3552 char *buf = _syscall(realpath(file.c_str(), NULL));
3553 printf("Executable=%s\n", buf);
3554 free(buf);
3555
3556 auto algorithms(GetAlgorithms());
3557
3558 uint32_t data = mach_header.Swap(signature->dataoff);
3559
3560 uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
3561 uint8_t *blob = top + data;
3562 struct SuperBlob *super = reinterpret_cast<struct SuperBlob *>(blob);
3563
3564 struct Candidate {
3565 CodeDirectory *directory_;
3566 size_t size_;
3567 Algorithm &algorithm_;
3568 std::string hash_;
3569 uint32_t offset;
3570 };
3571
3572 std::map<uint8_t, Candidate> candidates;
3573 uint32_t cmsBegin = 0, cmsEnd = 0;
3574
3575 for (size_t index(0); index != Swap(super->count); ++index) {
3576 auto type(Swap(super->index[index].type));
3577 if ((type == CSSLOT_CODEDIRECTORY || type >= CSSLOT_ALTERNATE) && type != CSSLOT_SIGNATURESLOT) {
3578 uint32_t begin = Swap(super->index[index].offset);
3579 uint32_t end = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset);
3580 struct CodeDirectory *directory = reinterpret_cast<struct CodeDirectory *>(blob + begin + sizeof(Blob));
3581 auto type(directory->hashType);
3582 _assert(type > 0 && type <= algorithms.size());
3583 auto &algorithm(*algorithms[type - 1]);
3584 uint8_t hash[algorithm.size_];
3585 algorithm(hash, blob + begin, end - begin);
3586 candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, algorithm.size_), begin}});
3587 } else if (type == CSSLOT_SIGNATURESLOT) {
3588 cmsBegin = Swap(super->index[index].offset);
3589 cmsEnd = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset);
3590 }
3591 }
3592
3593 _assert(!candidates.empty());
3594 auto best(candidates.end());
3595 --best;
3596
3597 const auto directory(best->second.directory_);
3598 const auto flags(Swap(directory->flags));
3599
3600 printf("Identifier=%s\n", blob + best->second.offset + Swap(directory->identOffset));
3601
3602 std::string names;
3603 if (flags & kSecCodeSignatureHost)
3604 names += ",host";
3605 if (flags & kSecCodeSignatureAdhoc)
3606 names += ",adhoc";
3607 if (flags & kSecCodeSignatureForceHard)
3608 names += ",hard";
3609 if (flags & kSecCodeSignatureForceKill)
3610 names += ",kill";
3611 if (flags & kSecCodeSignatureForceExpiration)
3612 names += ",expires";
3613 if (flags & kSecCodeSignatureRestrict)
3614 names += ",restrict";
3615 if (flags & kSecCodeSignatureEnforcement)
3616 names += ",enforcement";
3617 if (flags & kSecCodeSignatureLibraryValidation)
3618 names += ",library-validation";
3619 if (flags & kSecCodeSignatureRuntime)
3620 names += ",runtime";
3621
3622 printf("CodeDirectory v=%x size=%zd flags=0x%x(%s) hashes=%d+%d location=embedded\n",
3623 Swap(directory->version), best->second.size_, flags, names.empty() ? "none" : names.c_str() + 1, Swap(directory->nCodeSlots), Swap(directory->nSpecialSlots));
3624 printf("Hash type=%s size=%d\n", best->second.algorithm_.name(), directory->hashSize);
3625
3626 std::string choices;
3627 for (const auto &candidate : candidates) {
3628 auto choice(candidate.second.algorithm_.name());
3629 choices += ',';
3630 choices += choice;
3631 printf("CandidateCDHash %s=%.40s\n", choice, candidate.second.hash_.c_str());
3632 printf("CandidateCDHashFull %s=%s\n", choice, candidate.second.hash_.c_str());
3633 }
3634 printf("Hash choices=%s\n", choices.c_str() + 1);
3635
3636 printf("CDHash=%.40s\n", best->second.hash_.c_str());
3637
3638 if (cmsBegin != 0 && cmsEnd != 0) {
3639 // This loads the CMS blob and parses each X509 cert in the blob to extract the
3640 // common name and print it as "Authority=%s"
3641 Buffer bio(reinterpret_cast<const char *>(blob) + cmsBegin + sizeof(Blob), cmsEnd - cmsBegin);
3642 PKCS7 *p7 = NULL;
3643 if ((p7 = d2i_PKCS7_bio(bio, NULL)) == NULL) {
3644 // In order to follow codesign, we just ignore errors
3645 printf("Authority=(unavailable)\n");
3646 } else {
3647 STACK_OF(X509) *certs = NULL;
3648 switch (OBJ_obj2nid(p7->type)) {
3649 case NID_pkcs7_signed:
3650 if (p7->d.sign != NULL)
3651 certs = p7->d.sign->cert;
3652 break;
3653 case NID_pkcs7_signedAndEnveloped:
3654 if (p7->d.signed_and_enveloped != NULL)
3655 certs = p7->d.signed_and_enveloped->cert;
3656 break;
3657 default:
3658 break;
3659 }
3660 if (certs != NULL) {
3661 X509 *x;
3662 for (int i = 0; i < sk_X509_num(certs); i++) {
3663 x = sk_X509_value(certs, i);
3664 int lastpos = -1;
3665 X509_NAME *nm = X509_get_subject_name(x);
3666 X509_NAME_ENTRY *e;
3667
3668 for (;;) {
3669 lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
3670 if (lastpos == -1)
3671 break;
3672 e = X509_NAME_get_entry(nm, lastpos);
3673 ASN1_STRING *s = X509_NAME_ENTRY_get_data(e);
3674 printf("Authority=%s\n", reinterpret_cast<const char *>(ASN1_STRING_get0_data(s)));
3675 }
3676 }
3677 } else {
3678 printf("Authority=(unavailable)\n");
3679 }
3680 }
3681 PKCS7_free(p7);
3682 }
3683
3684 if (Swap(directory->teamIDOffset) > 0)
3685 printf("TeamIdentifier=%s\n", blob + best->second.offset + Swap(directory->teamIDOffset));
3686 else
3687 printf("TeamIdentifier=not set\n");
3688 }
3689 }
3690
3691 ++filei;
3692 } catch (const char *) {
3693 ++filee;
3694 ++filei;
3695 }
3696
3697 # if OPENSSL_VERSION_MAJOR >= 3
3698 OSSL_PROVIDER_unload(legacy);
3699 OSSL_PROVIDER_unload(deflt);
3700 # endif
3701
3702 return filee;
3703 }
3704 #endif // LDID_NOTOOLS