keychain/SecureObjectSync/SOSAccountPriv.h

   1 //
   2 //  SOSAccountPriv.h
   3 //  Security
   4 //
   5
   6 #ifndef SOSAccountPriv_h
   7 #define SOSAccountPriv_h
   8
   9 #import <Foundation/Foundation.h>
  10
  11 #include <CoreFoundation/CoreFoundation.h>
  12 #include <CoreFoundation/CFRuntime.h>
  13 #include <utilities/SecCFWrappers.h>
  14 #include <utilities/SecCFError.h>
  15 #include <utilities/SecAKSWrappers.h>
  16
  17 #include <Security/SecKeyPriv.h>
  18
  19 #include <Security/der_plist.h>
  20 #include <utilities/der_plist_internal.h>
  21 #include <corecrypto/ccder.h>
  22
  23 #include <AssertMacros.h>
  24 #include <assert.h>
  25
  26 #import <notify.h>
  27
  28 #include "keychain/SecureObjectSync/SOSInternal.h"
  29
  30 #include "keychain/SecureObjectSync/SOSCircle.h"
  31 #include "keychain/SecureObjectSync/SOSCircleV2.h"
  32 #include "keychain/SecureObjectSync/SOSRing.h"
  33 #include "keychain/SecureObjectSync/SOSRingUtils.h"
  34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
  35 #include "keychain/securityd/SOSCloudCircleServer.h"
  36 #include "keychain/SecureObjectSync/SOSEngine.h"
  37 #include "keychain/SecureObjectSync/SOSPeer.h"
  38 #include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
  39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
  40
  41 #include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
  42 #include "keychain/SecureObjectSync/SOSUserKeygen.h"
  43 #include "keychain/SecureObjectSync/SOSTransportCircle.h"
  44
  45 #include <utilities/iCloudKeychainTrace.h>
  46
  47 #include <Security/SecItemPriv.h>
  48
  49
  50 extern const CFStringRef kSOSUnsyncedViewsKey;
  51 extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
  52 extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
  53 extern const CFStringRef kSOSRecoveryKey;
  54 extern const CFStringRef kSOSAccountUUID;
  55 extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
  56 extern const CFStringRef kSOSRecoveryRing;
  57 extern const CFStringRef kSOSEscrowRecord;
  58 extern const CFStringRef kSOSAccountName;
  59 extern const CFStringRef kSOSTestV2Settings;
  60 extern const CFStringRef kSOSRateLimitingCounters;
  61 extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
  62 extern const CFStringRef kSOSAccountRenegotiationRetryCount;
  63 extern const CFStringRef kSOSInitialSyncTimeoutV0;
  64
  65 typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);
  66
  67 @class SOSMessageKVS;
  68 @class CKKeyParameter;
  69 @class SOSAccountTrustClassic;
  70 @class SOSKVSCircleStorageTransport;
  71 @class SOSCircleStorageTransport;
  72 @class SOSCKCircleStorage;
  73
  74 @interface SOSAccount : NSObject <SOSControlProtocol>
  75
  76 @property   (nonatomic, retain)     NSDictionary                *gestalt;
  77 @property   (nonatomic, retain)     NSData                      *backup_key;
  78 @property   (nonatomic, retain)     NSString                    *deviceID;
  79
  80 @property   (nonatomic, retain)     SOSAccountTrustClassic      *trust;
  81
  82 @property   (nonatomic, retain)     dispatch_queue_t            queue;
  83 @property   (nonatomic, retain)     dispatch_source_t           user_private_timer;
  84 @property   (nonatomic)             SecKeyRef                   accountPrivateKey;
  85
  86 @property   (nonatomic)             SOSDataSourceFactoryRef     factory;
  87
  88 @property   (nonatomic, retain)     NSData                      *_password_tmp;
  89 @property   (nonatomic, assign)     BOOL                        isListeningForSync;
  90 @property   (nonatomic, assign)     int                         lock_notification_token;
  91 @property   (nonatomic, retain)     CKKeyParameter*             key_transport;
  92 @property   (nonatomic, retain)     SOSKVSCircleStorageTransport*  circle_transport;
  93 @property   (nonatomic, retain)     SOSMessageKVS*              kvs_message_transport;
  94 @property   (nonatomic, retain)     SOSCKCircleStorage*         ck_storage;
  95
  96
  97 @property   (nonatomic, assign)     BOOL                        circle_rings_retirements_need_attention;
  98 @property   (nonatomic, assign)     BOOL                        engine_peer_state_needs_repair;
  99 @property   (nonatomic, assign)     BOOL                        key_interests_need_updating;
 100
 101 @property   (nonatomic, retain)     NSMutableArray               *change_blocks;
 102
 103 @property   (nonatomic, retain)     NSMutableDictionary          *waitForInitialSync_blocks;
 104
 105 @property   (nonatomic, retain)     NSData*                     accountKeyDerivationParamters;
 106
 107 @property   (nonatomic, assign)     BOOL                        accountKeyIsTrusted;
 108 @property   (nonatomic)             SecKeyRef                   accountKey;
 109 @property   (nonatomic)             SecKeyRef                   previousAccountKey;
 110
 111 @property   (copy)                  SOSAccountSaveBlock         saveBlock;
 112
 113
 114 // Identity access properties, all delegated to the trust object
 115 @property   (readonly, nonatomic)   BOOL                        hasPeerInfo;
 116 @property   (readonly, nonatomic)   SOSPeerInfoRef              peerInfo;
 117 @property   (readonly, nonatomic)   SOSFullPeerInfoRef          fullPeerInfo;
 118 @property   (readonly, nonatomic)   NSString*                   peerID;
 119
 120 @property   (nonatomic, assign)     BOOL                        notifyCircleChangeOnExit;
 121 @property   (nonatomic, assign)     BOOL                        notifyViewChangeOnExit;
 122 @property   (nonatomic, assign)     BOOL                        notifyBackupOnExit;
 123
 124 @property   (nonatomic, retain)     NSUserDefaults*              settings;
 125
 126
 127
 128 -(id) init NS_UNAVAILABLE;
 129 -(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;
 130
 131 - (void)startStateMachine;
 132
 133 void SOSAccountAddSyncablePeerBlock(SOSAccount*  a,
 134                                     CFStringRef ds_name,
 135                                     SOSAccountSyncablePeersBlock changeBlock);
 136
 137 -(bool) ensureFactoryCircles;
 138 -(void) ensureOctagonPeerKeys;
 139
 140 -(void) flattenToSaveBlock;
 141
 142 -(void) ghostBustSchedule;
 143 + (SOSAccountGhostBustingOptions) ghostBustGetRampSettings;
 144 - (bool) ghostBustCheckDate;
 145
 146 #if OCTAGON
 147 - (void)triggerBackupForPeers:(NSArray<NSString*>*)backupPeer;
 148 - (void)triggerRingUpdate;
 149 #endif
 150
 151
 152 void SOSAccountSetToNew(SOSAccount*  a);
 153
 154 bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);
 155
 156 // MARK: In Sync checking
 157 typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount*  account);
 158
 159 CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
 160 bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef id);
 161
 162 bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);
 163
 164 void SOSAccountEnsureSyncChecking(SOSAccount* account);
 165 void SOSAccountCancelSyncChecking(SOSAccount* account);
 166 void SOSAccountInitializeInitialSync(SOSAccount* account);
 167 CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
 168 CFSetRef SOSAccountCopyEnabledViews(SOSAccount* account);
 169 void SOSAccountNotifyEngines(SOSAccount* account);
 170 CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
 171 bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
 172 CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
 173 bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
 174 bool SOSAccountHasOustandingViews(SOSAccount* account);
 175 bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
 176 bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
 177 CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
 178 bool SOSAccountSyncingV0(SOSAccount* account);
 179
 180 // MARK: DER Stuff
 181
 182
 183 size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);
 184
 185 uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 186
 187 const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
 188                                            CFErrorRef* error,
 189                                            const uint8_t* der, const uint8_t* der_end);
 190
 191
 192 size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);
 193
 194 uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 195
 196 const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);
 197
 198
 199 // Update
 200 -(SOSCCStatus) getCircleStatus:(CFErrorRef*) error;
 201 -(bool) isInCircle:(CFErrorRef *)error;
 202
 203 bool SOSAccountHandleCircleMessage(SOSAccount* account,
 204                                    CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);
 205
 206 CF_RETURNS_RETAINED
 207 CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);
 208
 209 bool SOSAccountHandleUpdateCircle(SOSAccount* account,
 210                                   SOSCircleRef prospective_circle,
 211                                   bool writeUpdate,
 212                                   CFErrorRef *error);
 213
 214
 215 // My Peer
 216 bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);
 217
 218 bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
 219 bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
 220 bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
 221 bool SOSDeleteV0Keybag(CFErrorRef *error);
 222 bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
 223 bool SOSAccountUpdatePeerInfoAndPush(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error,
 224                                      bool (^update)(SOSPeerInfoRef pi, CFErrorRef *error));
 225
 226 // Currently permitted backup rings.
 227 void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
 228 void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));
 229 void SOSAccountForEachBackupView(SOSAccount* account,  void (^operation)(const void *value));
 230 SOSRingRef SOSAccountCreateBackupRingForView(SOSAccount* account, CFStringRef ringBackupViewName, CFErrorRef *error);
 231
 232
 233 // My Circle
 234 bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
 235 SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);
 236
 237 void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);
 238
 239 CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);
 240
 241
 242 // FullPeerInfos - including Cloud Identity
 243 SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);
 244
 245 bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
 246 bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
 247 CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);
 248
 249 // Credentials
 250 bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
 251 bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
 252 bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
 253                                        CFDataRef derparms,
 254                                        CFDataRef *newParameters, CFErrorRef* error);
 255
 256 //DSID
 257 void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);
 258
 259 //
 260 // Key extraction
 261 //
 262
 263 SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
 264 SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);
 265
 266 // Testing
 267 void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
 268 void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);
 269
 270 void SOSAccountPurgeIdentity(SOSAccount*);
 271 bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, CFErrorRef* error);
 272 bool sosAccountLeaveCircleWithAnalytics(SOSAccount* account, SOSCircleRef circle, NSData* parentData, CFErrorRef* error);
 273
 274 bool sosAccountLeaveRing(SOSAccount*  account, SOSRingRef ring, CFErrorRef* error);
 275 bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
 276 bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
 277 void SOSAccountEnsureRecoveryRing(SOSAccount* account);
 278
 279 bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);
 280
 281 extern const CFStringRef kSOSUnsyncedViewsKey;
 282 extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
 283 extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
 284 extern const CFStringRef kSOSRecoveryKey;
 285
 286 typedef enum{
 287     kSOSTransportNone = 0,
 288     kSOSTransportIDS = 1,
 289     kSOSTransportKVS = 2,
 290     kSOSTransportFuture = 3,
 291     kSOSTransportPresent = 4
 292 }TransportType;
 293
 294 SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);
 295
 296 bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
 297 bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
 298 CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
 299
 300 bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
 301 bool SOSAccountAddEscrowRecords(SOSAccount* account, CFStringRef dsid, CFDictionaryRef record, CFErrorRef *error);
 302 void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
 303 SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
 304 SOSRingRef SOSAccountRingCreateForName(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
 305 bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
 306 bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
 307 bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
 308 bool SOSAccountResetRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error);
 309 bool SOSAccountCheckPeerAvailability(SOSAccount* account, CFErrorRef *error);
 310 bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
 311                                SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
 312                                SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));
 313
 314 //
 315 // MARK: Backup translation functions
 316 //
 317
 318 CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
 319 bool SOSAccountUpdateBackupRing(SOSAccount*  account, CFStringRef viewName, CFErrorRef *error,
 320                                 SOSRingRef (^modify)(SOSRingRef existing, CFErrorRef *error));
 321 //
 322 // Security tool test/debug functions
 323 //
 324 bool SOSAccountPostDebugScope(SOSAccount*  account, CFTypeRef scope, CFErrorRef *error);
 325 CFDataRef SOSAccountCopyAccountStateFromKeychain(CFErrorRef *error);
 326 bool SOSAccountDeleteAccountStateFromKeychain(CFErrorRef *error);
 327 CFDataRef SOSAccountCopyEngineStateFromKeychain(CFErrorRef *error);
 328 bool SOSAccountDeleteEngineStateFromKeychain(CFErrorRef *error);
 329
 330 bool SOSAccountIsNew(SOSAccount* account, CFErrorRef *error);
 331 bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
 332 // UUID, no setter just getter and ensuring value.
 333 void SOSAccountEnsureUUID(SOSAccount* account);
 334 CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account);
 335 const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
 336                                            CFIndex algorithmID, SecKeyRef* publicKey,
 337                                            CFDataRef *parameters,
 338                                            CFErrorRef* error,
 339                                            const uint8_t* der, const uint8_t* der_end);
 340
 341 /*
 342  * HSA2/piggybacking
 343  */
 344
 345 CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);
 346
 347 #if __OBJC__
 348 NSData *SOSPiggyCreateInitialSyncData(NSArray<NSData*> *identities, NSArray<NSDictionary *>* tlks);
 349 NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
 350 NSArray<NSDictionary*>* SOSAccountSortTLKS(NSArray<NSDictionary*>* tlks);
 351 #endif
 352
 353 bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);
 354 bool SOSAccountPopulateKVSWithBadKeys(SOSAccount*  account, CFErrorRef* error);
 355
 356 @end
 357
 358 @interface SOSAccount (Persistence)
 359
 360 +(instancetype) accountFromData: (NSData*) data
 361                         factory: (SOSDataSourceFactoryRef) factory
 362                           error: (NSError**) error;
 363 +(instancetype) accountFromDER: (const uint8_t**) der
 364                            end: (const uint8_t*) der_end
 365                        factory: (SOSDataSourceFactoryRef) factory
 366                          error: (NSError**) error;
 367
 368 -(NSData*) encodedData: (NSError**) error;
 369
 370
 371 @end
 372
 373 #endif /* SOSAccount_h */