diff --git a/Analytics/Clients/LocalKeychainAnalytics.m b/Analytics/Clients/LocalKeychainAnalytics.m index 9fad7b1d..f95f6dd5 100644 --- a/Analytics/Clients/LocalKeychainAnalytics.m +++ b/Analytics/Clients/LocalKeychainAnalytics.m @@ -8,6 +8,10 @@ #include #include +#ifdef DARLING +#import +#endif + @interface LKAUpgradeOutcomeReport : NSObject @property LKAKeychainUpgradeOutcome outcome; @property NSDictionary* attributes; @@ -24,6 +28,7 @@ } @end +#if !defined(DARLING) || defined(__OBJC2__) // Approved event types // rdar://problem/41745059 SFAnalytics: collect keychain upgrade outcome information LKAnalyticsFailableEvent const LKAEventUpgrade = (LKAnalyticsFailableEvent)@"LKAEventUpgrade"; @@ -174,22 +179,28 @@ NSString* const LKABackupLastSuccessDate = @"backupLastSuccess"; } @end +#endif // !defined(DARLING) || defined(__OBJC2__) // MARK: C Bridging void LKAReportKeychainUpgradeOutcome(int fromversion, int toversion, LKAKeychainUpgradeOutcome outcome) { + #if !defined(DARLING) || defined(__OBJC2__) @autoreleasepool { [[LocalKeychainAnalytics logger] reportKeychainUpgradeFrom:fromversion to:toversion outcome:outcome error:NULL]; } + #endif } void LKAReportKeychainUpgradeOutcomeWithError(int fromversion, int toversion, LKAKeychainUpgradeOutcome outcome, CFErrorRef error) { + #if !defined(DARLING) || defined(__OBJC2__) @autoreleasepool { [[LocalKeychainAnalytics logger] reportKeychainUpgradeFrom:fromversion to:toversion outcome:outcome error:(__bridge NSError*)error]; } + #endif } void LKABackupReportStart(bool hasKeybag, bool hasPasscode, bool isEMCS) { + #if !defined(DARLING) || defined(__OBJC2__) LKAKeychainBackupType type; if (isEMCS) { type = LKAKeychainBackupTypeEMCS; 
@@ -207,12 +218,15 @@ void LKABackupReportStart(bool hasKeybag, bool hasPasscode, bool isEMCS) { @autoreleasepool { [[LocalKeychainAnalytics logger] reportKeychainBackupStartWithType:type]; } + #endif } void LKABackupReportEnd(bool hasBackup, CFErrorRef error) { + #if !defined(DARLING) || defined(__OBJC2__) @autoreleasepool { [[LocalKeychainAnalytics logger] reportKeychainBackupEnd:hasBackup error:(__bridge NSError*)error]; } + #endif } void LKAForceClose(void) diff --git a/OSX/libsecurity_authorization/lib/Authorization.c b/OSX/libsecurity_authorization/lib/Authorization.c index 9aaa6dc5..c5a3a66d 100644 --- a/OSX/libsecurity_authorization/lib/Authorization.c +++ b/OSX/libsecurity_authorization/lib/Authorization.c @@ -16,7 +16,11 @@ #include #include #include +#ifndef DARLING #include +#else +typedef uint32_t CGWindowID; +#endif #include #include diff --git a/OSX/libsecurity_authorization/lib/Authorization.h b/OSX/libsecurity_authorization/lib/Authorization.h index 534c8adf..f316aae8 100644 --- a/OSX/libsecurity_authorization/lib/Authorization.h +++ b/OSX/libsecurity_authorization/lib/Authorization.h @@ -190,7 +190,16 @@ static const size_t kAuthorizationExternalFormLength = 32; potential attackers since it would authorize rights to them. */ typedef struct { +#if defined(DARLING) && defined(__clang__) + // this warning is useless and repeated throughout MANY compilation units if left enabled + // it's easier to disable it here than to disable in each and every CMakeLists.txt + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wgnu-folding-constant" +#endif char bytes[kAuthorizationExternalFormLength]; +#if defined(DARLING) && defined(__clang__) + #pragma GCC diagnostic pop +#endif } AuthorizationExternalForm; diff --git a/OSX/libsecurity_codesigning/lib/SecStaticCode.h b/OSX/libsecurity_codesigning/lib/SecStaticCode.h index 565b10c3..1072e68d 100644 --- a/OSX/libsecurity_codesigning/lib/SecStaticCode.h 
+++ b/OSX/libsecurity_codesigning/lib/SecStaticCode.h @@ -39,6 +39,9 @@ #define _H_SECSTATICCODE #include +#ifdef DARLING +#include +#endif #ifdef __cplusplus extern "C" { diff --git a/OSX/libsecurity_codesigning/lib/cskernel.cpp b/OSX/libsecurity_codesigning/lib/cskernel.cpp index 0eca9653..7bd6d4d3 100644 --- a/OSX/libsecurity_codesigning/lib/cskernel.cpp +++ b/OSX/libsecurity_codesigning/lib/cskernel.cpp @@ -131,15 +131,18 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash) SecPointer code = new ProcessDynamicCode(guest); guest->pidBased()->setCredentials(code->codeDirectory()); +#ifndef DARLING SHA1::Digest kernelHash; MacOSError::check(guest->csops(CS_OPS_CDHASH, kernelHash, sizeof(kernelHash))); *cdhash = makeCFData(kernelHash, sizeof(kernelHash)); +#endif return code.yield(); } char path[2 * MAXPATHLEN]; // reasonable upper limit if (::proc_pidpath(guest->pid(), path, sizeof(path))) { +#ifndef DARLING off_t offset; csops(guest, CS_OPS_PIDOFFSET, &offset, sizeof(offset)); SecPointer code = new ProcessStaticCode(DiskRep::bestGuess(path, (size_t)offset)); @@ -160,6 +163,9 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash) *cdhash = makeCFData(kernelHash, sizeof(kernelHash)); CODESIGN_GUEST_CDHASH_PROCESS(guest, kernelHash, sizeof(kernelHash)); } +#else + SecPointer code = new ProcessStaticCode(DiskRep::bestGuess(path)); +#endif return code.yield(); } else UnixError::throwMe(); @@ -225,6 +231,7 @@ void KernelCode::identify() // void KernelCode::csops(ProcessCode *proc, unsigned int op, void *addr, size_t length) { +#ifndef DARLING if (proc->csops(op, addr, length) == -1) { switch (errno) { case ESRCH: @@ -233,6 +240,7 @@ void KernelCode::csops(ProcessCode *proc, unsigned int op, void *addr, size_t le UnixError::throwMe(); } } +#endif } diff --git a/OSX/libsecurity_mds/lib/MDSSession.cpp b/OSX/libsecurity_mds/lib/MDSSession.cpp index a0b9e8e1..9b4a9b4c 100644 --- a/OSX/libsecurity_mds/lib/MDSSession.cpp 
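Review bot: On Darling `identifyGuest` no longer writes `*cdhash` on either return path (the `ProcessDynamicCode` branch and the `#else` `ProcessStaticCode` branch), so unless the caller pre-initializes it the out-parameter is left holding stack garbage for whoever later releases or compares it. Assign it explicitly in both Darling branches, `*cdhash = NULL; // Darling: no CS_OPS_CDHASH available, callers must treat a null cdhash as "unknown"`, and verify the callers handle NULL. It is also worth a comment that the Darling identity is derived only from `DiskRep::bestGuess(path)` on an unverified on-disk path, so it carries no kernel-attested code-signing guarantee. `identifyGuest` starts before this hunk.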
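Review bot: `KernelCode::csops` now silently succeeds on Darling without writing to `addr`, so any caller that reads the output buffer afterwards (the `offset` in the non-Darling `identifyGuest` path is the visible example) would consume uninitialized memory if it were reached. Either zero the buffer before returning, `memset(addr, 0, length); // Darling: csops unsupported, hand back a zeroed result`, or throw `UnixError::throwMe(ENOTSUP);` so the absence of kernel code-signing queries fails loudly rather than silently.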
+++ b/OSX/libsecurity_mds/lib/MDSSession.cpp @@ -335,7 +335,12 @@ static bool doesFileExist( /* it's there...how does it look? */ mode_t fileType = sb.st_mode & S_IFMT; +#ifdef DARLING + // we don't care about UIDs in Darling + if((fileType == S_IFREG)) { +#else if((fileType == S_IFREG) && (sb.st_uid == forUid)) { +#endif return true; } if(!purge) { @@ -453,10 +458,12 @@ static bool doesDirectExist( directStatus = MDS_NotDirectory; return false; } +#ifndef DARLING if(sb.st_uid != forUid) { directStatus = MDS_BadOwnerMode; return false; } +#endif if((sb.st_mode & 07777) != mode) { directStatus = MDS_BadOwnerMode; return false; @@ -1440,7 +1447,7 @@ MDSSession::DbFilesInfo::~DbFilesInfo() } } -/* lazy evaluation of both DB handlesÊ*/ +/* lazy evaluation of both DB handles�*/ CSSM_DB_HANDLE MDSSession::DbFilesInfo::objDbHand() { if(mObjDbHand != 0) { diff --git a/OSX/libsecurity_ocspd/client/ocspdClient.cpp b/OSX/libsecurity_ocspd/client/ocspdClient.cpp index be931ce6..060deb24 100644 --- a/OSX/libsecurity_ocspd/client/ocspdClient.cpp +++ b/OSX/libsecurity_ocspd/client/ocspdClient.cpp @@ -32,7 +32,11 @@ #include #include #include +#ifdef DARLING +#include "ocspd.h" +#else #include /* MIG interface */ +#endif #include class ocspdGlobals { diff --git a/OSX/libsecurity_utilities/lib/dispatch.h b/OSX/libsecurity_utilities/lib/dispatch.h index c8d2d9ff..39d680a1 100644 --- a/OSX/libsecurity_utilities/lib/dispatch.h +++ b/OSX/libsecurity_utilities/lib/dispatch.h @@ -106,7 +106,11 @@ private: class SemaphoreWait { +// this has to be disabled because Clang 13 incorrectly detects a block variable non-const copy as a const copy in `libsecurity_codesigning/lib/csutilities.cpp`. +// it still compiles correctly, it just generates an incorrect error if this is left in. +#ifndef DARLING NOCOPY(SemaphoreWait) +#endif public: SemaphoreWait(SemaphoreWait& originalWait); SemaphoreWait(Semaphore& semaphore, dispatch_time_t timeout = DISPATCH_TIME_FOREVER); 
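Review bot: Dropping the `sb.st_uid == forUid` test in `doesFileExist` means an MDS database file owned by any other local user is now accepted as ours, so a user who can write into the MDS directory could plant a pre-built database that this session opens and trusts. If the goal is only to cope with Darling's UID mapping, compare against the effective UID instead of skipping the check, `if((fileType == S_IFREG) && (sb.st_uid == forUid || sb.st_uid == geteuid())) {`, and make the comment say why ownership is irrelevant on Darling rather than "we don't care". `doesFileExist` begins before the hunk.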
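Review bot: Same concern as in `doesFileExist`: `doesDirectExist` now accepts an MDS directory with any owner while still enforcing the mode, so `MDS_BadOwnerMode` can no longer report a bad owner on Darling. At minimum the guard should carry the assumption being relied on, e.g. `// Darling: ownership check skipped, assumes a single-user prefix`; if that is not guaranteed, keep the test against the effective UID: `if(sb.st_uid != forUid && sb.st_uid != geteuid()) {`. `doesDirectExist` begins before the hunk.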
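Review bot: The rewritten comment line replaces the stray `Ê` (a mis-decoded non-breaking space) with U+FFFD, which commits an encoding artifact into the source instead of removing it. Replace the line with plain ASCII: `/* lazy evaluation of both DB handles */`.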
diff --git a/OSX/libsecurity_utilities/lib/powerwatch.cpp b/OSX/libsecurity_utilities/lib/powerwatch.cpp index f23735db..9d733bab 100644 --- a/OSX/libsecurity_utilities/lib/powerwatch.cpp +++ b/OSX/libsecurity_utilities/lib/powerwatch.cpp @@ -65,14 +65,18 @@ void PowerWatcher::systemWillPowerOn() IOPowerWatcher::IOPowerWatcher() : mKernelPort(0) { +#ifndef DARLING if (!(mKernelPort = ::IORegisterForSystemPower(this, &mPortRef, ioCallback, &mHandle))) UnixError::throwMe(EINVAL); // no clue +#endif } IOPowerWatcher::~IOPowerWatcher() { +#ifndef DARLING if (mKernelPort) ::IODeregisterForSystemPower(&mHandle); +#endif } // @@ -149,13 +153,17 @@ void IOPowerWatcher::ioCallback(void *refCon, io_service_t service, // PortPowerWatcher::PortPowerWatcher() { +#ifndef DARLING port(IONotificationPortGetMachPort(mPortRef)); +#endif } boolean_t PortPowerWatcher::handle(mach_msg_header_t *in) { +#ifndef DARLING IODispatchCalloutFromMessage(NULL, in, mPortRef); return TRUE; +#endif } diff --git a/OSX/sec/Security/SecCertificate.c b/OSX/sec/Security/SecCertificate.c index d9571455..8735a045 100644 --- a/OSX/sec/Security/SecCertificate.c +++ b/OSX/sec/Security/SecCertificate.c @@ -73,6 +73,9 @@ #include #include "AppleExternalRootCertificates.h" #include +#ifdef DARLING +#include +#endif #pragma clang diagnostic ignored "-Wformat=2" @@ -1644,7 +1647,11 @@ static bool SecCertificateParse(SecCertificateRef certificate) /* sequence we're given: encoded DERSubjPubKeyInfo */ DERSubjPubKeyInfo pubKeyInfo; +#ifdef DARLING + drtn = DERParseSequence(&tbsCert.subjectPubKey, +#else drtn = DERParseSequenceContent(&tbsCert.subjectPubKey, +#endif DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs, &pubKeyInfo, sizeof(pubKeyInfo)); require_noerr_quiet(drtn, badCert); diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c index bad54204..b3e95637 100644 --- a/OSX/sec/Security/SecPolicy.c +++ b/OSX/sec/Security/SecPolicy.c 
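Review bot: `PortPowerWatcher::handle` returns `boolean_t`, but on Darling its whole body including `return TRUE;` is compiled out, so the function falls off the end — undefined behavior and a `-Wreturn-type` warning. Move the return outside the guard or add an else branch: `#else`, `(void)in; return FALSE;`, `#endif`. The constructor change above it is fine since it has no return value, though `mPortRef` then stays unused on Darling.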
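Review bot: Switching the SubjectPublicKeyInfo parse from `DERParseSequenceContent` to `DERParseSequence` on Darling changes what the parser expects at `tbsCert.subjectPubKey`: the former consumes bare sequence contents, the latter a full tag-and-length-wrapped SEQUENCE. If Darling's libDER hands over the outer SEQUENCE intact this is correct, but it is a certificate-acceptance change with no comment saying why the two libDER builds differ and no accompanying test vector. Add one, e.g. `// Darling's libDER leaves the SPKI SEQUENCE tag/length in subjectPubKey, so parse the full sequence here`, and a parse test against a known-good DER certificate on both builds. `SecCertificateParse` starts before the hunk.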
@@ -46,6 +46,9 @@ #include #include #include +#ifdef DARLING +#include +#endif #include diff --git a/OSX/sec/Security/SecRecoveryKey.m b/OSX/sec/Security/SecRecoveryKey.m index 5f400e02..2ae7bf30 100644 --- a/OSX/sec/Security/SecRecoveryKey.m +++ b/OSX/sec/Security/SecRecoveryKey.m @@ -20,7 +20,9 @@ #if !TARGET_OS_BRIDGE #include +#ifndef DARLING #include +#endif #define PATH_FOR_APPLEIDAUTHSUPPORTFRAMEWORK "/System/Library/PrivateFrameworks/AppleIDAuthSupport.framework/AppleIDAuthSupport" #endif diff --git a/OSX/sec/Security/SecTrustStatusCodes.c b/OSX/sec/Security/SecTrustStatusCodes.c index 7ecba136..20ad72f6 100644 --- a/OSX/sec/Security/SecTrustStatusCodes.c +++ b/OSX/sec/Security/SecTrustStatusCodes.c @@ -32,6 +32,14 @@ #include #include #include +#ifdef DARLING +// if i had to guess, i'd say Apple changed up libDER when they stopped releasing it and now +// their "private" OIDs are included in the regular `libDER/oids.h` header +// +// if this error keeps popping up, i'll stop manually including `libDER/oidsPriv.h` and instead patch +// `libDER/oids.h` to include `libDER/oidsPriv.h` +#include +#endif struct resultmap_entry_s { const CFStringRef checkstr; diff --git a/OSX/utilities/SecDb.c b/OSX/utilities/SecDb.c index 54ad9327..ca5d959c 100644 --- a/OSX/utilities/SecDb.c +++ b/OSX/utilities/SecDb.c @@ -42,6 +42,9 @@ #include #include // xpc_transaction_exit_clean() +#ifdef DARLING +#include +#endif // // Architecturally inverted files diff --git a/OSX/utilities/SecKnownFilePaths.m b/OSX/utilities/SecKnownFilePaths.m index e22c546d..3482694a 100644 --- a/OSX/utilities/SecKnownFilePaths.m +++ b/OSX/utilities/SecKnownFilePaths.m 
@@ -16,7 +16,21 @@ CFURLRef SecCopyHomeURL(void) if (homeURL) { CFRetain(homeURL); } else { +#ifdef DARLING + // ported from an older version of Security + // + // i'm not sure how Apple is convincing the compiler that CFCopyHomeDirectoryURL is available on macOS + // because there's nothing new in the public headers to indicate that the function has suddenly become + // available on macOS, nor is there any indication in the Xcode build files that this code is being + // compiled for Catalyst for macOS + // + // maybe they're just not using compiler availability warnings/errors + // + // either way, this should work fine and provide the same behavior as Apple's code + homeURL = CFCopyHomeDirectoryURLForUser(NULL); +#else homeURL = CFCopyHomeDirectoryURL(); +#endif } return homeURL; diff --git a/base/SecBase.h b/base/SecBase.h index 028df742..96a7a3c6 100644 --- a/base/SecBase.h +++ b/base/SecBase.h @@ -27,6 +27,12 @@ #include #include #include +#ifdef DARLING + // for unprefixed API_AVAILABLE and friends + #include + // not sure if we're supposed to be including that header in CoreFoundation or in Availability.h, + // but this works for all of Security +#endif // Truth table for following declarations: // diff --git a/base/Security.h b/base/Security.h index c5c4914c..7df4ffea 100644 --- a/base/Security.h +++ b/base/Security.h @@ -114,7 +114,11 @@ #endif /* DER */ +#ifdef DARLING +#include +#else #include +#endif #endif // SEC_OS_OSX diff --git a/cmake/security_lib.cmake b/cmake/security_lib.cmake new file mode 100644 index 00000000..c083b7cd --- /dev/null +++ b/cmake/security_lib.cmake 
@@ -0,0 +1,126 @@
+include(CMakeParseArguments)
+
+# add_security_library
+# Helper function for adding Security libraries
+# (because there's a lot of them, and it's easier to configure all necessary options with a single function)
+#
+# Options:
+# FAT
+# Build the library for both x86_64 and i386.
+# OBJC_ARC
+# Enable Objective-C ARC for the library.
+# MODERN_OBJC
+# Only build the library for targets where the "modern" Objective-C runtime is available
+#
+# Single-value arguments:
+# OUTPUT_NAME
+# The filename for the built library. This is combined with PREFIX and SUFFIX to produce the full filename.
+# Defaults to the target name.
+# PREFIX
+# The prefix to add to the library filename.
+# Defaults to `lib`.
+# SUFFIX
+# The suffix to add to the library filename.
+# Defaults to `.dylib`.
+# C_STANDARD
+# The C standard to use when compiling the code. E.g. `gnu99`, `c99`, etc.
+# CXX_STANDARD
+# The C++ standard to use when compiling the code. E.g. `gnu++11`, `c++1`, etc.
+#
+# Multi-value arguments:
+# SOURCES
+# A list of sources to use to build the library.
+# Can include any source that `add_darling_static_library` supports.
+# LIBRARIES
+# A list of libraries to link to. If target names are provided, they are also added as dependencies.
+# INCLUDES
+# A list of directories to add as private header directories.
+# DEFINITIONS
+# A list of preprocessor definitions to add as private preprocessor definitions.
+# Supports the same syntax as `add_compile_definitions`.
+# FLAGS
+# A list of flags to pass to the compiler when compiling the library.
+# Supports the same syntax as `add_compile_options`.
+function(add_security_library name)
+ cmake_parse_arguments(SECLIB "FAT;OBJC_ARC;MODERN_OBJC" "OUTPUT_NAME;PREFIX;SUFFIX;C_STANDARD;CXX_STANDARD" "SOURCES;LIBRARIES;INCLUDES;DEFINITIONS;FLAGS" ${ARGN})
+
+ set(STATICLIB_ARG_RUNTIME "")
+ set(STATICLIB_ARG_FAT "")
+
+ if(SECLIB_FAT)
+ set(STATICLIB_ARG_FAT "FAT")
+ endif()
+
+ if(SECLIB_MODERN_OBJC)
+ set(STATICLIB_ARG_RUNTIME "64BIT_ONLY")
+ set(STATICLIB_ARG_FAT "")
+ endif()
+
+ add_darling_static_library(${name} ${STATICLIB_ARG_FAT} ${STATICLIB_ARG_RUNTIME} SOURCES ${SECLIB_SOURCES})
+
+ if(SECLIB_OBJC_ARC)
+ target_compile_options(${name} PRIVATE -fobjc-arc)
+ endif()
+
+ if(DEFINED SECLIB_OUTPUT_NAME)
+ set_target_properties(${name} PROPERTIES OUTPUT_NAME "${SECLIB_OUTPUT_NAME}")
+ endif()
+
+ if(DEFINED SECLIB_PREFIX)
+ set_target_properties(${name} PROPERTIES PREFIX "${SECLIB_PREFIX}")
+ endif()
+
+ if(DEFINED SECLIB_SUFFIX)
+ set_target_properties(${name} PROPERTIES SUFFIX "${SECLIB_SUFFIX}")
+ endif()
+
+ if(SECLIB_C_STANDARD)
+ set(SECLIB_C_STANDARD_VALID TRUE)
+ if(SECLIB_C_STANDARD MATCHES "[cC][0-9]+([a-zA-Z])?")
+ set_property(TARGET ${name} PROPERTY C_EXTENSIONS OFF)
+ elseif(SECLIB_C_STANDARD MATCHES "([gG][nN][uU])?[0-9]+([a-zA-Z])?")
+ # the default is to enable extensions
+ set_property(TARGET ${name} PROPERTY C_EXTENSIONS ON)
+ else()
+ set(SECLIB_C_STANDARD_VALID FALSE)
+ message(WARNING "Unrecognized C standard: ${SECLIB_C_STANDARD}")
+ endif()
+ if(SECLIB_C_STANDARD_VALID)
+ string(REGEX MATCH "[0-9]+" SECLIB_C_STANDARD_VERSION "${SECLIB_C_STANDARD}")
+ set_property(TARGET ${name} PROPERTY C_STANDARD "${SECLIB_C_STANDARD_VERSION}")
+ endif()
+ endif()
+
+ if(SECLIB_CXX_STANDARD)
+ set(SECLIB_CXX_STANDARD_VALID TRUE)
+ if(SECLIB_CXX_STANDARD MATCHES "[cC](\\+\\+|[xX][xX])[0-9]+([a-zA-Z])?")
+ set_property(TARGET ${name} PROPERTY CXX_EXTENSIONS OFF)
+ elseif(SECLIB_CXX_STANDARD MATCHES "([gG][nN][uU](\\+\\+|[xX][xX]))?[0-9]+([a-zA-Z])?")
+ # the default is to enable extensions
+ set_property(TARGET ${name} PROPERTY CXX_EXTENSIONS ON)
+ else()
+ set(SECLIB_CXX_STANDARD_VALID FALSE)
+ message(WARNING "Unrecognized C standard: ${SECLIB_CXX_STANDARD}")
+ endif()
+ if(SECLIB_CXX_STANDARD_VALID)
+ string(REGEX MATCH "[0-9]+" SECLIB_CXX_STANDARD_VERSION "${SECLIB_CXX_STANDARD}")
+ set_property(TARGET ${name} PROPERTY CXX_STANDARD "${SECLIB_CXX_STANDARD_VERSION}")
+ endif()
+ endif()
+
+ if(SECLIB_LIBRARIES)
+ target_link_libraries(${name} ${SECLIB_LIBRARIES})
+ endif()
+
+ if(SECLIB_INCLUDES)
+ target_include_directories(${name} PRIVATE ${SECLIB_INCLUDES})
+ endif()
+
+ if(SECLIB_DEFINITIONS)
+ target_compile_definitions(${name} PRIVATE ${SECLIB_DEFINITIONS})
+ endif()
+
+ if (SECLIB_FLAGS)
+ target_compile_options(${name} PRIVATE ${SECLIB_FLAGS})
+ endif()
+endfunction()
diff --git a/cmake/security_xcconfigs.cmake b/cmake/security_xcconfigs.cmake
new file mode 100644
index 00000000..ba3530dc
--- /dev/null
+++ b/cmake/security_xcconfigs.cmake
@@ -0,0 +1,38 @@
+# some Xcode `.xcconfig` files translated into CMake functions
+
+include(security_lib)
+include(CMakeParseArguments)
+
+function(add_macos_legacy_lib name)
+ add_security_library(${name}
+ FAT
+ INCLUDES
+ ${SECURITY_PROJECT_DIR}/OSX/libsecurity_cssm/lib
+ ${SECURITY_PROJECT_DIR}/OSX/include
+ ${SECURITY_PROJECT_DIR}/OSX/utilities/src
+ ${SECURITY_PROJECT_DIR}/OSX/libsecurity_apple_csp/open_ssl
+ ${SECURITY_PROJECT_DIR}/OSX/lib${name}/lib
+ ${ARGN}
+ )
+endfunction()
+
+function(add_lib_ios name)
+ add_security_library(${name}
+ FAT
+ C_STANDARD gnu99
+ INCLUDES
+ ${SECURITY_PROJECT_DIR}/OSX/libsecurity_smime
+ #$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers
+ DEFINITIONS
+ SEC_IOS_ON_OSX=1
+ ${ARGN}
+ )
+endfunction()
+
+function(add_lib_ios_shim name)
+ add_lib_ios(${name}
+ DEFINITIONS
+ SECITEM_SHIM_OSX=1
+ ${ARGN}
+ )
+endfunction()
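Review bot: The C++ branch's failure message reads `Unrecognized C standard: ${SECLIB_CXX_STANDARD}`, a copy of the C branch, and the doc block lists `c++1` where `c++17` (or `c++11`) is presumably meant. Change the message to `message(WARNING "Unrecognized C++ standard: ${SECLIB_CXX_STANDARD}")` and fix the example. The `MATCHES` patterns are also unanchored, so a value such as `xc99` is classified as strict ISO rather than rejected; anchoring them with `^...$` keeps the validation honest.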
diff --git a/keychain/SigninMetrics/OctagonSignPosts.h b/keychain/SigninMetrics/OctagonSignPosts.h index b6a06b8d..82341ff4 100644 --- a/keychain/SigninMetrics/OctagonSignPosts.h +++ b/keychain/SigninMetrics/OctagonSignPosts.h @@ -138,6 +138,28 @@ extern os_log_t _OctagonSignpostLogSystem(void); extern OctagonSignpost _OctagonSignpostCreate(os_log_t subsystem); extern uint64_t _OctagonSignpostGetNanoseconds(OctagonSignpost signpost); +#ifdef DARLING +// the compiler was being weird with the preprocessor trickery that was happening in Apple's code +// so i had to manually expand parts of it +#define _OctagonSignpostBegin(subsystem, name, something, ...) __extension__({ \ + OctagonSignpost internalSignpost = _OctagonSignpostCreate(subsystem); \ + os_signpost_interval_begin(subsystem, internalSignpost.identifier, name, __VA_ARGS__); \ + os_log(subsystem, "BEGIN [%lld]: " name " " something, internalSignpost.identifier, ##__VA_ARGS__); \ + internalSignpost; \ +}) + +#define _OctagonSignpostEvent(subsystem, signpost, name, something, ...) __extension__({ \ + double interval = ((double)_OctagonSignpostGetNanoseconds(_signpost) / NSEC_PER_SEC); \ + os_signpost_event_emit(subsystem, signpost.identifier, name, __VA_ARGS__); \ + os_log(subsystem, "EVENT [%lld] %fs: " name " " something, signpost.identifier, interval, ##__VA_ARGS__); \ +}) + +#define _OctagonSignpostEnd(subsystem, signpost, name, something, ...) __extension__({ \ + double interval = ((double)_OctagonSignpostGetNanoseconds(signpost) / NSEC_PER_SEC); \ + os_signpost_interval_end(subsystem, signpost.identifier, name, __VA_ARGS__); \ + os_log(subsystem, "END [%lld] %fs: " name " " something, signpost.identifier, interval, ##__VA_ARGS__); \ +}) +#else #define _OctagonSignpostBegin(subsystem, name, ...) __extension__({ \ OctagonSignpost internalSignpost = _OctagonSignpostCreate(subsystem); \ os_signpost_interval_begin(subsystem, internalSignpost.identifier, name, __VA_ARGS__); \ 
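Review bot: In the Darling `_OctagonSignpostEvent` the interval is computed from `_signpost` while the macro parameter is `signpost`, so every expansion references an undeclared identifier (or silently binds to an unrelated `_signpost` in scope); the other two macros use the parameter correctly. Change it to `double interval = ((double)_OctagonSignpostGetNanoseconds(signpost) / NSEC_PER_SEC); \`. The begin/end macros also pass plain `__VA_ARGS__` to `os_signpost_interval_*` while using `##__VA_ARGS__` for `os_log`, so an invocation with no extra arguments would leave a trailing comma — worth checking against the call sites.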
@@ -159,6 +181,7 @@ extern uint64_t _OctagonSignpostGetNanoseconds(OctagonSignpost signpost); #define _OctagonSwizzle1(x, a, ...) a, x, ##__VA_ARGS__ #define _OctagonSwizzle2(x, y, a, ...) a, x, y, ##__VA_ARGS__ +#endif // DARLING NS_ASSUME_NONNULL_END diff --git a/keychain/escrowrequest/Framework/SecEscrowRequest.m b/keychain/escrowrequest/Framework/SecEscrowRequest.m index 8432a1f1..ef52512a 100644 --- a/keychain/escrowrequest/Framework/SecEscrowRequest.m +++ b/keychain/escrowrequest/Framework/SecEscrowRequest.m @@ -10,6 +10,8 @@ NSString* const SecEscrowRequestHavePrecord = @"have_prerecord"; NSString* const SecEscrowRequestPendingPasscode = @"pending_passcode"; NSString* const SecEscrowRequestPendingCertificate = @"pending_certificate"; +// `!defined(DARLING)` is used to indicate that normally (in Apple's original code) the body is present without a conditional +#if !defined(DARLING) || defined(__OBJC2__) @interface SecEscrowRequest () @property NSXPCConnection *connection; @end @@ -246,3 +248,5 @@ NSString* const SecEscrowRequestPendingCertificate = @"pending_certificate"; } @end + +#endif // !defined(DARLING) || defined(__OBJC2__) \ No newline at end of file diff --git a/keychain/ot/OTClique.h b/keychain/ot/OTClique.h index e0027c4c..535ca3c5 100644 --- a/keychain/ot/OTClique.h +++ b/keychain/ot/OTClique.h @@ -100,6 +100,22 @@ extern NSString* kSecEntitlementPrivateOctagonEscrow; @property (nonatomic, assign) BOOL useCachedAccountStatus; @end +#endif // this #endif was added for Darling +// see OTControlProtocol.m for an explanation of why we need to do this +#if defined(DARLING) || defined(__OBJC2__) + +#if defined(DARLING) +#if __OBJC2__ +NS_ASSUME_NONNULL_END +#endif + +#import + +#if __OBJC2__ +NS_ASSUME_NONNULL_BEGIN +#endif +#endif + typedef NSString* OTCliqueCDPContextType NS_STRING_ENUM; extern OTCliqueCDPContextType OTCliqueCDPContextTypeNone; extern OTCliqueCDPContextType OTCliqueCDPContextTypeSignIn; 
@@ -110,6 +126,8 @@ extern OTCliqueCDPContextType OTCliqueCDPContextTypeRecoveryKeyNew; extern OTCliqueCDPContextType OTCliqueCDPContextTypeUpdatePasscode; extern OTCliqueCDPContextType OTCliqueCDPContextTypeConfirmPasscodeCyrus; +#endif // defined(DARLING) || defined(__OBJC2__) +#if __OBJC2__ // this #if was added for Darling // OTClique diff --git a/keychain/ot/OTClique.m b/keychain/ot/OTClique.m index b3fb4522..f6a86afe 100644 --- a/keychain/ot/OTClique.m +++ b/keychain/ot/OTClique.m @@ -72,6 +72,13 @@ SOFT_LINK_CONSTANT(CloudServices, kSecureBackupUsesRecoveryKeyKey, NSString*); #pragma clang diagnostic pop #endif +#endif // this #endif was added for Darling +// see OTControlProtocol.m for an explanation of why we need to do this +#if defined(DARLING) || defined(__OBJC2__) + +#import +#import "keychain/ot/OTClique.h" + OTCliqueCDPContextType OTCliqueCDPContextTypeNone = @"cdpContextTypeNone"; OTCliqueCDPContextType OTCliqueCDPContextTypeSignIn = @"cdpContextTypeSignIn"; OTCliqueCDPContextType OTCliqueCDPContextTypeRepair = @"cdpContextTypeRepair"; @@ -128,6 +135,9 @@ NSString* OTCDPStatusToString(OTCDPStatus status) { } } +#endif // defined(DARLING) || defined(__OBJC2__) +#if __OBJC2__ // this #if was added for Darling + @implementation OTConfigurationContext diff --git a/keychain/ot/OTControlProtocol.m b/keychain/ot/OTControlProtocol.m index 5b3ea2fe..8ee9a01c 100644 --- a/keychain/ot/OTControlProtocol.m +++ b/keychain/ot/OTControlProtocol.m 
@@ -22,11 +22,20 @@ */ #import +#if !defined(DARLING) || OCTAGON +// Apple has some weird stuff going on here +// +// they say this function needs to be exported even when the "modern" Objective-C runtime (a.k.a. __OBJC2__) isn't available +// (you can see this in Security.exp-in) +// but then they turn around and make it impossible to compile this file as-is for i386 +// (because some classes and types aren't defined when __OBJC2__ isn't available) +// i had to manually disable these includes to make it possible to compile this file for i386 #import "keychain/ot/OTClique.h" #import "keychain/ot/OTControlProtocol.h" #import "keychain/ot/OTJoiningConfiguration.h" #import #include +#endif // !defined(DARLING) || OCTAGON NSXPCInterface* OTSetupControlProtocol(NSXPCInterface* interface) { #if OCTAGON diff --git a/keychain/securityd/SecItemDataSource.c b/keychain/securityd/SecItemDataSource.c index 9f6232e2..c6b700b2 100644 --- a/keychain/securityd/SecItemDataSource.c +++ b/keychain/securityd/SecItemDataSource.c @@ -43,6 +43,9 @@ #include #include #include +#ifdef DARLING +#include +#endif /* * @@ -403,9 +406,19 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSTransactionRef txn, bool (^use_attr_in_where)(const SecDbAttr *attr) = ^bool (const SecDbAttr * attr) { return attr->kind == kSecDbSHA1Attr; }; +#ifdef DARLING + Query *select_queries[dsSyncedClassesSize]; + CFStringRef select_sql[dsSyncedClassesSize]; + sqlite3_stmt *select_stmts[dsSyncedClassesSize]; + + memset(select_queries, 0, sizeof(select_queries)); + memset(select_sql, 0, sizeof(select_sql)); + memset(select_stmts, 0, sizeof(select_stmts)); +#else Query *select_queries[dsSyncedClassesSize] = {}; CFStringRef select_sql[dsSyncedClassesSize] = {}; sqlite3_stmt *select_stmts[dsSyncedClassesSize] = {}; +#endif __block Query **queries = select_queries; __block CFStringRef *sqls = select_sql; 
diff --git a/securityd/src/securityd_dtrace.h b/securityd/src/securityd_dtrace.h new file mode 100644 index 00000000..75a20d42 --- /dev/null +++ b/securityd/src/securityd_dtrace.h @@ -0,0 +1,7 @@ +// fake DTrace probes for Darling +#ifndef _SECURITYD_SECURITYD_DTRACE_H +#define _SECURITYD_SECURITYD_DTRACE_H + + + +#endif // _SECURITYD_SECURITYD_DTRACE_H \ No newline at end of file diff --git a/securityd/src/server.cpp b/securityd/src/server.cpp index 194d8f41..768ab5aa 100644 --- a/securityd/src/server.cpp +++ b/securityd/src/server.cpp @@ -57,8 +57,10 @@ Server::Server(CodeSignatures &signatures, const char *bootstrapName) // make me eternal (in the object mesh) ref(); +#ifndef DARLING // engage the subsidiary port handler for sleep notifications add(sleepWatcher); +#endif } diff --git a/trust/trustd/OTATrustUtilities.m b/trust/trustd/OTATrustUtilities.m index 8c8d095e..f2293462 100644 --- a/trust/trustd/OTATrustUtilities.m +++ b/trust/trustd/OTATrustUtilities.m @@ -1700,10 +1700,14 @@ static SecOTAPKIRef SecOTACreate() { #if !TARGET_OS_BRIDGE /* Initialize our update handling */ +#ifndef DARLING InitializeOTATrustAsset(kOTABackgroundQueue); +#endif otapkiref->_ctKillSwitch = InitializeKillSwitch((__bridge NSString*)kOTAPKIKillSwitchCT); otapkiref->_nonTlsCtKillSwitch = InitializeKillSwitch((__bridge NSString*)kOTAPKIKillSwitchNonTLSCT); +#ifndef DARLING InitializeOTASecExperimentAsset(kOTABackgroundQueue); +#endif #else // TARGET_OS_BRIDGE otapkiref->_ctKillSwitch = true; // bridgeOS never enforces CT otapkiref->_nonTlsCtKillSwitch = true; diff --git a/trust/trustd/SecPinningDb.m b/trust/trustd/SecPinningDb.m index c33df091..d0562651 100644 --- a/trust/trustd/SecPinningDb.m +++ b/trust/trustd/SecPinningDb.m 
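Review bot: With both `InitializeOTATrustAsset` and `InitializeOTASecExperimentAsset` compiled out, the Darling trust store never receives OTA updates of CT logs, pinning rules or other trust assets, so `SecOTACreate` serves whatever was shipped at build time indefinitely; that is a security-relevant limitation the hunk does not record. Add a comment beside the guards, e.g. `// Darling: no OTA trust-asset pipeline; built-in assets are used as-is and never refreshed`, and consider a `secnotice` at init so the condition shows up in logs. The kill-switch initialisations still run, which looks intentional. `SecOTACreate` starts before the hunk.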
@@ -844,6 +844,9 @@ void SecPinningDbInitialize(void) { } CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef query) { +#ifdef DARLING + return nil; +#else @autoreleasepool { SecPinningDbInitialize(); NSDictionary *nsQuery = (__bridge NSDictionary*)query; @@ -860,6 +863,7 @@ CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef query) { results = [pinningDb queryForDomain:hostname]; return CFBridgingRetain(results); } +#endif } #if !TARGET_OS_BRIDGE diff --git a/trust/trustd/SecRevocationDb.c b/trust/trustd/SecRevocationDb.c index f950796c..275b0588 100644 --- a/trust/trustd/SecRevocationDb.c +++ b/trust/trustd/SecRevocationDb.c @@ -1020,7 +1020,7 @@ void SecRevocationDbInitialize() { CFIndex version = 0; secnotice("validupdate", "initializing database"); if (!SecValidUpdateSatisfiedLocally(server, version, true)) { -#if !TARGET_OS_BRIDGE +#if !TARGET_OS_BRIDGE && !defined(DARLING) /* Schedule full update as a maintenance task */ (void)SecValidUpdateRequest(SecRevocationDbGetUpdateQueue(), server, version); #endif @@ -1182,7 +1182,7 @@ static CFIndex _SecRevocationDbGetUpdateVersion(CFStringRef server) { static bool _SecRevocationDbIsUpdateEnabled(void) { CFTypeRef value = NULL; // determine whether update fetching is enabled -#if !TARGET_OS_WATCH && !TARGET_OS_BRIDGE +#if !TARGET_OS_WATCH && !TARGET_OS_BRIDGE && !defined(DARLING) // Valid update fetching was initially enabled on macOS 10.13 and iOS 11.0. // This conditional has been changed to include every platform and version // except for those where the db should not be updated over the air. diff --git a/trust/trustd/trustd.c b/trust/trustd/trustd.c index d930984a..684a3a5e 100644 --- a/trust/trustd/trustd.c +++ b/trust/trustd/trustd.c 
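Review bot: Returning `nil` unconditionally from `SecPinningDbCopyMatching` disables certificate pinning for every trust evaluation on Darling, and does so silently — the Darling path never calls `SecPinningDbInitialize`, so nothing logs that pinning is off. State that at the early return, `return nil; // Darling: no pinning database; callers treat NULL as "no pin for this host"`, and confirm callers really treat NULL as no-pin rather than as a lookup failure. The `query` parameter is unused in that branch, so `(void)query;` avoids the unused-parameter warning.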
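Review bot: The comment directly under the changed `#if` in `_SecRevocationDbIsUpdateEnabled` says update fetching is enabled on every platform except those that must not update over the air, but the new `!defined(DARLING)` clause is not mentioned, so the next reader cannot tell whether Darling is an intentional exception or a leftover; revocation data will otherwise never refresh there. Extend the comment with a line such as `// Darling: no OTA update pipeline, so valid-DB fetching stays disabled and revocation data is only as fresh as the shipped database`. `_SecRevocationDbIsUpdateEnabled` continues past the hunk.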
@@ -842,7 +842,12 @@ int main(int argc, char *argv[]) kill(getpid(), SIGSTOP); } + // fails in Darling because launchd sets the wrong HOME for its tasks + // doesn't matter because our libsanbox is a stub anyways (we don't do sandboxing) + // TODO: fix that by changing the user's home directory in our `/etc/passwd` (which is where launchd gets its value for HOME from) +#ifndef DARLING trustd_sandbox(); +#endif FixTrustdFilePermissions(); /* set up SQLite before some other component has a chance to create a database connection */ _SecDbServerSetup();
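Review bot: Removing the `trustd_sandbox()` call at compile time leaves no runtime trace that trustd is running unsandboxed, and the comment's own TODO (fixing HOME via `/etc/passwd`) could not re-enable it without a rebuild. Keep the call and let the stub sandbox library make it a no-op, or at least log the decision, e.g. `secnotice("trustd", "sandbox disabled on Darling");` in an `#else` branch, so the condition is visible. Typo in the comment: `libsanbox` should be `libsandbox`. `main` starts before the hunk.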