2 * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <AssertMacros.h>
26 #include <CoreFoundation/CoreFoundation.h>
27 #include <CoreFoundation/CFPriv.h>
29 #include <Security/SecureObjectSync/SOSAccountTransaction.h>
31 #include <securityd/SOSCloudCircleServer.h>
32 #include <Security/SecureObjectSync/SOSCloudCircle.h>
33 #include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
34 #include <Security/SecureObjectSync/SOSCircle.h>
35 #include <Security/SecureObjectSync/SOSAccount.h>
36 #include <Security/SecureObjectSync/SOSAccountPriv.h>
37 #include <Security/SecureObjectSync/SOSTransport.h>
38 #include <Security/SecureObjectSync/SOSFullPeerInfo.h>
39 #include <Security/SecureObjectSync/SOSPeerInfoV2.h>
41 #include <Security/SecureObjectSync/SOSPeerInfoPriv.h>
42 #include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
43 #include <Security/SecureObjectSync/SOSInternal.h>
44 #include <Security/SecureObjectSync/SOSUserKeygen.h>
45 #include <Security/SecureObjectSync/SOSMessage.h>
46 #include <Security/SecureObjectSync/SOSBackupInformation.h>
47 #include <Security/SecureObjectSync/SOSDataSource.h>
48 #include <Security/SecureObjectSync/SOSKVSKeys.h>
49 #import <Security/SecureObjectSync/SOSAccountTrustClassic.h>
50 #import <Security/SecureObjectSync/SOSAccountTrustClassic+Circle.h>
51 #import <Security/SecureObjectSync/SOSAccountTrustClassic+Expansion.h>
52 #import <Security/SecureObjectSync/SOSAuthKitHelpers.h>
55 #include <utilities/SecADWrapper.h>
56 #include <utilities/SecCFWrappers.h>
57 #include <utilities/SecCFRelease.h>
59 #include <utilities/SecCFError.h>
60 #include <utilities/debugging.h>
61 #include <utilities/SecCoreCrypto.h>
62 #include <utilities/SecTrace.h>
64 #include <SOSCircle/CKBridge/SOSCloudKeychainClient.h>
66 #include <corecrypto/ccrng.h>
67 #include <corecrypto/ccrng_pbkdf2_prng.h>
68 #include <corecrypto/ccec.h>
69 #include <corecrypto/ccdigest.h>
70 #include <corecrypto/ccsha2.h>
71 #include <CommonCrypto/CommonRandomSPI.h>
72 #include <Security/SecKeyPriv.h>
73 #include <Security/SecFramework.h>
75 #include <utilities/SecFileLocations.h>
76 #include <utilities/SecAKSWrappers.h>
77 #include <securityd/SecItemServer.h>
78 #include <Security/SecItemPriv.h>
80 #include <TargetConditionals.h>
82 #include <utilities/iCloudKeychainTrace.h>
83 #include <Security/SecAccessControlPriv.h>
84 #include <securityd/SecDbKeychainItem.h>
86 #include <os/activity.h>
87 #include <os/state_private.h>
89 #if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR
90 #include <MobileGestalt.h>
92 #include <AppleSystemInfo/AppleSystemInfo.h>
95 #define SOSCKCSCOPE "sync"
96 #define RUN_AS_ROOT_ERROR 550
98 #define USE_SYSTEMCONFIGURATION_PRIVATE_HEADERS
99 #import <SystemConfiguration/SystemConfiguration.h>
103 static int64_t getTimeDifference(time_t start);
104 CFStringRef const SOSAggdSyncCompletionKey = CFSTR("com.apple.security.sos.synccompletion");
105 CFStringRef const SOSAggdSyncTimeoutKey = CFSTR("com.apple.security.sos.timeout");
107 typedef SOSDataSourceFactoryRef (^SOSCCAccountDataSourceFactoryBlock)(void);
109 static SOSCCAccountDataSourceFactoryBlock accountDataSourceOverride = NULL;
115 static void do_with_account(void (^action)(SOSAccountTransaction* txn));
121 CFStringRef kSOSAccountLabel = CFSTR("iCloud Keychain Account Meta-data");
123 CFStringRef kSOSBurnedRecoveryAttemptCount = CFSTR("Burned Recovery Attempt Count");
125 CFStringRef kSOSBurnedRecoveryAttemptAttestationDate = CFSTR("Burned Recovery Attempt Attestation Date");
127 static CFDictionaryRef SOSItemCopyQueryForSyncItems(CFStringRef service, bool returnData)
129 return CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
130 kSecClass, kSecClassGenericPassword,
131 kSecAttrService, service,
132 kSecAttrAccessGroup, kSOSInternalAccessGroup,
133 kSecReturnData, returnData ? kCFBooleanTrue : kCFBooleanFalse,
137 CFDataRef SOSItemCopy(CFStringRef service, CFErrorRef* error)
139 CFDictionaryRef query = SOSItemCopyQueryForSyncItems(service, true);
141 CFDataRef result = NULL;
143 OSStatus copyResult = SecItemCopyMatching(query, (CFTypeRef*) &result);
145 CFReleaseNull(query);
147 if (copyResult != noErr) {
148 SecError(copyResult, error, CFSTR("Error %@ reading for service '%@'"), result, service);
149 CFReleaseNull(result);
153 if (!isData(result)) {
154 SOSCreateErrorWithFormat(kSOSErrorProcessingFailure, NULL, error, NULL, CFSTR("SecItemCopyMatching returned non-data in '%@'"), service);
155 CFReleaseNull(result);
162 static CFDataRef SOSKeychainCopySavedAccountData()
164 CFErrorRef error = NULL;
165 CFDataRef accountData = SOSItemCopy(kSOSAccountLabel, &error);
167 secnotice("account", "Failed to load account: %@", error);
168 secerror("Failed to load account: %@", error);
170 CFReleaseNull(error);
175 bool SOSItemUpdateOrAdd(CFStringRef service, CFStringRef accessibility, CFDataRef data, CFErrorRef *error)
177 CFDictionaryRef query = SOSItemCopyQueryForSyncItems(service, false);
179 CFDictionaryRef update = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
181 kSecAttrAccessible, accessibility,
183 OSStatus saveStatus = SecItemUpdate(query, update);
185 if (errSecItemNotFound == saveStatus) {
186 CFMutableDictionaryRef add = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
187 CFDictionaryForEach(update, ^(const void *key, const void *value) {
188 CFDictionaryAddValue(add, key, value);
190 saveStatus = SecItemAdd(add, NULL);
194 CFReleaseNull(query);
195 CFReleaseNull(update);
197 return SecError(saveStatus, error, CFSTR("Error saving %@ to service '%@'"), data, service);
200 static void SOSKeychainAccountEnsureSaved(CFDataRef accountAsData)
202 static CFDataRef sLastSavedAccountData = NULL;
204 CFErrorRef saveError = NULL;
205 require_quiet(!CFEqualSafe(sLastSavedAccountData, accountAsData), exit);
207 if (!SOSItemUpdateOrAdd(kSOSAccountLabel, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, accountAsData, &saveError)) {
208 secerror("Can't save account: %@", saveError);
212 CFAssignRetained(sLastSavedAccountData, CFRetainSafe(accountAsData));
215 CFReleaseNull(saveError);
218 static SOSAccount* SOSKeychainAccountCreateSharedAccount(CFDictionaryRef our_gestalt)
220 secdebug("account", "Created account");
222 CFDataRef savedAccount = SOSKeychainCopySavedAccountData();
223 SOSAccount* account = NULL;
225 SOSDataSourceFactoryRef factory = accountDataSourceOverride ? accountDataSourceOverride()
226 : SecItemDataSourceFactoryGetDefault();
228 require_quiet(factory, done);
231 NSError* inflationError = NULL;
233 account = [SOSAccount accountFromData:(__bridge NSData*) savedAccount
235 error:&inflationError];
238 [account.trust updateGestalt:account newGestalt:our_gestalt];
240 secerror("Got error inflating account: %@", inflationError);
244 CFReleaseNull(savedAccount);
247 account = SOSAccountCreate(kCFAllocatorDefault, our_gestalt, factory);
250 secerror("Got NULL creating account");
254 CFReleaseNull(savedAccount);
259 // Mark: Gestalt Handling
262 CFStringRef SOSGestaltVersion = NULL;
263 CFStringRef SOSGestaltModel = NULL;
264 CFStringRef SOSGestaltDeviceName = NULL;
267 SOSCCSetGestalt_Server(CFStringRef deviceName,
272 SOSGestaltDeviceName = CFRetainSafe(deviceName);
273 SOSGestaltVersion = CFRetainSafe(version);
274 SOSGestaltModel = CFRetainSafe(model);
275 SOSGestaltSerial = CFRetainSafe(serial);
278 CFStringRef SOSCCCopyOSVersion(void)
280 static dispatch_once_t once;
281 dispatch_once(&once, ^{
282 if (SOSGestaltVersion == NULL) {
283 CFDictionaryRef versions = _CFCopySystemVersionDictionary();
285 CFTypeRef versionValue = CFDictionaryGetValue(versions, _kCFSystemVersionBuildVersionKey);
286 if (isString(versionValue))
287 SOSGestaltVersion = CFRetainSafe((CFStringRef) versionValue);
290 CFReleaseNull(versions);
291 if (SOSGestaltVersion == NULL) {
292 SOSGestaltVersion = CFSTR("Unknown model");
296 return CFRetainSafe(SOSGestaltVersion);
300 static CFStringRef CopyModelName(void)
302 static dispatch_once_t once;
303 dispatch_once(&once, ^{
304 if (SOSGestaltModel == NULL) {
305 #if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR
306 SOSGestaltModel = MGCopyAnswer(kMGQDeviceName, NULL);
308 SOSGestaltModel = ASI_CopyComputerModelName(FALSE);
310 if (SOSGestaltModel == NULL)
311 SOSGestaltModel = CFSTR("Unknown model");
314 return CFStringCreateCopy(kCFAllocatorDefault, SOSGestaltModel);
317 static CFStringRef CopyComputerName(SCDynamicStoreRef store)
319 if (SOSGestaltDeviceName == NULL) {
320 CFStringRef deviceName = SCDynamicStoreCopyComputerName(store, NULL);
321 if (deviceName == NULL) {
322 deviceName = CFSTR("Unknown name");
326 return SOSGestaltDeviceName;
329 static bool _EngineMessageProtocolV2Enabled(void)
333 static dispatch_once_t onceToken;
334 static bool v2_enabled = false;
335 dispatch_once(&onceToken, ^{
336 CFTypeRef v2Pref = (CFNumberRef)CFPreferencesCopyValue(CFSTR("engineV2"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
338 if (v2Pref && CFGetTypeID(v2Pref) == CFBooleanGetTypeID()) {
339 v2_enabled = CFBooleanGetValue((CFBooleanRef)v2Pref);
340 secinfo("server", "Engine v2 : %s", v2_enabled ? "enabled":"disabled");
342 CFReleaseSafe(v2Pref);
352 static CFDictionaryRef CreateDeviceGestaltDictionary(SCDynamicStoreRef store, CFArrayRef keys, void *context)
354 CFStringRef modelName = CopyModelName();
355 CFStringRef computerName = CopyComputerName(store);
356 CFStringRef osVersion = SOSCCCopyOSVersion();
358 SInt32 version = _EngineMessageProtocolV2Enabled() ? kEngineMessageProtocolVersion : 0;
359 CFNumberRef protocolVersion = CFNumberCreate(0, kCFNumberSInt32Type, &version);
361 CFDictionaryRef gestalt = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
362 kPIUserDefinedDeviceNameKey, computerName,
363 kPIDeviceModelNameKey, modelName,
364 kPIMessageProtocolVersionKey, protocolVersion,
365 kPIOSVersionKey, osVersion,
367 CFReleaseSafe(osVersion);
368 CFReleaseSafe(modelName);
369 CFReleaseSafe(computerName);
370 CFReleaseSafe(protocolVersion);
375 static void SOSCCProcessGestaltUpdate(SCDynamicStoreRef store, CFArrayRef keys, void *context)
377 do_with_account(^(SOSAccountTransaction* txn) {
379 CFDictionaryRef gestalt = CreateDeviceGestaltDictionary(store, keys, context);
380 if ([txn.account.trust updateGestalt:txn.account newGestalt:gestalt]) {
381 secnotice("circleOps", "Changed our peer's gestalt information. This is not a circle change.");
383 CFReleaseSafe(gestalt);
389 static CFDictionaryRef CreateDeviceGestaltDictionaryAndRegisterForUpdate(dispatch_queue_t queue, void *info)
391 SCDynamicStoreContext context = { .info = info };
392 SCDynamicStoreRef store = SCDynamicStoreCreate(NULL, CFSTR("com.apple.securityd.cloudcircleserver"), SOSCCProcessGestaltUpdate, &context);
393 CFStringRef computerKey = SCDynamicStoreKeyCreateComputerName(NULL);
394 CFArrayRef keys = NULL;
395 CFDictionaryRef gestalt = NULL;
397 if (store == NULL || computerKey == NULL) {
400 keys = CFArrayCreate(NULL, (const void **)&computerKey, 1, &kCFTypeArrayCallBacks);
404 gestalt = CreateDeviceGestaltDictionary(store, keys, info);
405 SCDynamicStoreSetNotificationKeys(store, keys, NULL);
406 SCDynamicStoreSetDispatchQueue(store, queue);
409 if (store) CFRelease(store);
410 if (computerKey) CFRelease(computerKey);
411 if (keys) CFRelease(keys);
415 os_state_block_t accountStateBlock = ^os_state_data_t(os_state_hints_t hints) {
416 os_state_data_t retval = NULL;
417 CFDataRef savedAccount = NULL;
418 if(hints->osh_api != OS_STATE_API_REQUEST) return NULL;
420 /* Get account DER */
421 savedAccount = SOSKeychainCopySavedAccountData();
422 require_quiet(savedAccount, errOut);
424 /* make a os_state_data_t object to return. */
425 size_t statelen = CFDataGetLength(savedAccount);
426 retval = (os_state_data_t)calloc(1, OS_STATE_DATA_SIZE_NEEDED(statelen));
427 require_quiet(retval, errOut);
429 retval->osd_type = OS_STATE_DATA_PROTOCOL_BUFFER;
430 memcpy(retval->osd_data, CFDataGetBytePtr(savedAccount), statelen);
431 retval->osd_size = statelen;
432 strlcpy(retval->osd_title, "CloudCircle Account Object", sizeof(retval->osd_title));
435 CFReleaseNull(savedAccount);
441 static SOSAccount* GetSharedAccount(void) {
442 static SOSAccount* sSharedAccount = NULL;
443 static dispatch_once_t onceToken;
445 #if !(TARGET_OS_EMBEDDED)
447 secerror("Cannot inflate account object as root");
452 dispatch_once(&onceToken, ^{
453 secdebug("account", "Account Creation start");
455 CFDictionaryRef gestalt = CreateDeviceGestaltDictionaryAndRegisterForUpdate(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
458 #if TARGET_OS_IPHONE && TARGET_IPHONE_SIMULATOR
459 gestalt = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL);
461 secerror("Didn't get machine gestalt! This is going to be ugly.");
465 sSharedAccount = SOSKeychainAccountCreateSharedAccount(gestalt);
467 SOSAccountAddChangeBlock(sSharedAccount, ^(SOSAccount *account, SOSCircleRef circle,
468 CFSetRef peer_additions, CFSetRef peer_removals,
469 CFSetRef applicant_additions, CFSetRef applicant_removals) {
470 CFErrorRef pi_error = NULL;
471 SOSPeerInfoRef me = account.peerInfo;
473 secinfo("circleOps", "Change block called with no peerInfo");
477 if(!SOSCircleHasPeer(circle, me, NULL)) {
478 secinfo("circleOps", "Change block called while not in circle");
482 // TODO: Figure out why peer_additions isn't right in some cases (like when joining a v2 circle with a v0 peer.
483 if (CFSetGetCount(peer_additions) != 0) {
484 secnotice("updates", "Requesting Ensure Peer Registration.");
485 SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
487 secinfo("updates", "Not requesting Ensure Peer Registration, since it's not needed");
490 if (CFSetContainsValue(peer_additions, me)) {
491 // TODO: Potentially remove from here and move this to the engine
492 // TODO: We also need to do this when our views change.
493 CFMutableSetRef peers = SOSCircleCopyPeers(circle, kCFAllocatorDefault);
494 CFSetRemoveValue(peers, me);
495 if (!CFSetIsEmpty(peers)) {
496 SOSCCRequestSyncWithPeers(peers);
498 CFReleaseNull(peers);
501 CFReleaseNull(pi_error);
503 if (CFSetGetCount(peer_additions) != 0 ||
504 CFSetGetCount(peer_removals) != 0 ||
505 CFSetGetCount(applicant_additions) != 0 ||
506 CFSetGetCount(applicant_removals) != 0) {
508 if(CFSetGetCount(peer_removals) != 0)
510 CFErrorRef localError = NULL;
511 CFMutableArrayRef removed = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
512 CFSetForEach(peer_removals, ^(const void *value) {
513 CFArrayAppendValue(removed, value);
515 SOSAccountRemoveBackupPeers(account, removed, &localError);
517 secerror("Had trouble removing: %@, error: %@", removed, localError);
518 CFReleaseNull(localError);
519 CFReleaseNull(removed);
521 secnotice("circleOps", "peer counts changed, posting kSOSCCCircleChangedNotification");
522 account.notifyCircleChangeOnExit = true;
526 SOSCloudKeychainSetItemsChangedBlock(^CFArrayRef(CFDictionaryRef changes) {
527 CFRetainSafe(changes);
528 __block CFMutableArrayRef handledKeys = NULL;
529 do_with_account(^(SOSAccountTransaction* txn) {
530 CFStringRef changeDescription = SOSItemsChangedCopyDescription(changes, false);
531 secdebug(SOSCKCSCOPE, "Received: %@", changeDescription);
532 CFReleaseSafe(changeDescription);
534 CFErrorRef error = NULL;
535 handledKeys = SOSTransportDispatchMessages(txn, changes, &error);
536 if (!handledKeys || error) {
537 secerror("Error handling updates: %@", error);
539 CFReleaseNull(error);
541 CFReleaseSafe(changes);
544 CFReleaseSafe(gestalt);
546 sSharedAccount.saveBlock = ^(CFDataRef flattenedAccount, CFErrorRef flattenFailError) {
547 if (flattenedAccount) {
548 SOSKeychainAccountEnsureSaved(flattenedAccount);
550 secerror("Failed to transform account into data, error: %@", flattenFailError);
553 // TODO: We should not be doing extra work whenever securityd is launched, let's see if we can eliminate this call
554 SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
556 // provide state handler to sysdiagnose and logging
557 os_state_add_handler(dispatch_get_global_queue(0, 0), accountStateBlock);
562 return sSharedAccount;
565 CFTypeRef GetSharedAccountRef(void)
567 return (__bridge CFTypeRef)GetSharedAccount();
570 static void do_with_account(void (^action)(SOSAccountTransaction* txn)) {
572 SOSAccount* account = GetSharedAccount();
575 [account performTransaction:^(SOSAccountTransaction * _Nonnull txn) {
582 static bool isValidUser(CFErrorRef* error) {
583 #if !(TARGET_OS_EMBEDDED)
585 secerror("Cannot inflate account object as root");
586 SOSErrorCreate(kSOSErrorUnsupported, error, NULL, CFSTR("Cannot inflate account object as root"));
594 static bool do_if_after_first_unlock(CFErrorRef *error, dispatch_block_t action)
596 #if TARGET_IPHONE_SIMULATOR
600 bool beenUnlocked = false;
601 require_quiet(SecAKSGetHasBeenUnlocked(&beenUnlocked, error), fail);
603 require_action_quiet(beenUnlocked, fail,
604 SOSCreateErrorWithFormat(kSOSErrorNotReady, NULL, error, NULL,
605 CFSTR("Keybag never unlocked, ask after first unlock")));
616 static bool do_with_account_if_after_first_unlock(CFErrorRef *error, bool (^action)(SOSAccountTransaction* txn, CFErrorRef* error))
618 static dispatch_once_t initialNotificationToken;
619 __block bool action_result = false;
621 return isValidUser(error) && do_if_after_first_unlock(error, ^{
622 do_with_account(^(SOSAccountTransaction* txn) {
623 action_result = action(txn, error);
625 // The first time we run do_with_account_if_after_first_unlock and the bag is unlocked,
626 // if we are now 'in circle', notify our listeners of a 'circle change' and a 'view change'.
627 // This will prompt them to refetch circle status, and we can actually respond correctly now!
628 // If we are out of circle, don't send the notification--all clients 'know' we're out of circle anyway.
629 dispatch_once(&initialNotificationToken, ^{
630 CFErrorRef cferror = NULL;
632 SOSCCStatus status = [txn.account getCircleStatus:&cferror];
634 secerror("error getting circle status on first unlock: %@", cferror);
635 } else if (status == kSOSCCInCircle) {
636 secnotice("secdNotify", "Notified clients of kSOSCCCircleChangedNotification && kSOSCCViewMembershipChangedNotification for in-circle initial unlock");
637 txn.account.notifyCircleChangeOnExit = true;
638 txn.account.notifyViewChangeOnExit = true;
640 CFReleaseNull(cferror);
647 static bool isAssertionLockAcquireError(CFErrorRef error) {
648 return (CFErrorGetCode(error) == kIOReturnNotPermitted) && (CFEqualSafe(CFErrorGetDomain(error), kSecKernDomain));
651 static bool do_with_account_while_unlocked(CFErrorRef *error, bool (^action)(SOSAccountTransaction* txn, CFErrorRef* error))
655 CFErrorRef statusError = NULL;
657 __block bool action_result = false;
658 __block bool attempted_action = false;
659 __block CFErrorRef localError = NULL;
662 if(!isValidUser(error)){
663 if (error && !*error && localError) {
664 CFTransferRetained(*error, localError);
666 CFReleaseNull(localError);
667 CFReleaseNull(statusError);
672 result = SecAKSDoWhileUserBagLocked(&localError, ^{
673 do_with_account(^(SOSAccountTransaction* txn) {
674 SOSAccount *account = txn.account;
675 if([account isInCircle: NULL]) {
676 if(![SOSAuthKitHelpers peerinfoHasMID: account]) {
677 // This is the first good opportunity to update our FullPeerInfo and
678 // push the resulting circle.
679 [SOSAuthKitHelpers updateMIDInPeerInfo: account];
682 attempted_action = true;
683 action_result = action(txn, error);
687 // For <rdar://problem/24355048> 13E196: Circle join fails after successful recovery with a mach error if performed while device is locked
688 // If we fail with an error attempting to get an assertion while someone else has one and the system is unlocked, it must be trying to lock.
689 // we assume our caller will hold the lock assertion for us to finsh our job.
690 // to be extra paranoid we track if we tried the caller's block. If we did we don't do it again.
692 if(result || !isAssertionLockAcquireError(localError)){
693 if (error && !*error && localError) {
694 CFTransferRetained(*error, localError);
696 CFReleaseNull(localError);
697 CFReleaseNull(statusError);
699 return (result && action_result);
701 if(attempted_action){
702 if (error && !*error && localError) {
703 CFTransferRetained(*error, localError);
705 CFReleaseNull(localError);
706 CFReleaseNull(statusError);
708 return (result && action_result);
711 bool isUnlocked = false;
712 (void) SecAKSGetIsUnlocked(&isUnlocked, &statusError);
714 secnotice("while-unlocked-hack", "Not trying action, aks bag locked (%@)", statusError);
715 if (error && !*error && localError) {
716 CFTransferRetained(*error, localError);
718 CFReleaseNull(localError);
719 CFReleaseNull(statusError);
721 return result && action_result;
724 CFReleaseNull(localError);
726 secnotice("while-unlocked-hack", "Trying action while unlocked without assertion");
729 do_with_account(^(SOSAccountTransaction* txn) {
730 action_result = action(txn, &localError);
733 secnotice("while-unlocked-hack", "Action %s (%@)", action_result ? "succeeded" : "failed", localError);
735 if (error && !*error && localError) {
736 CFTransferRetained(*error, localError);
738 CFReleaseNull(localError);
739 CFReleaseNull(statusError);
741 return result && action_result;
746 CFTypeRef SOSKeychainAccountGetSharedAccount()
748 __block SOSAccount* result = NULL;
749 CFErrorRef localError = NULL;
751 bool success = do_with_account_if_after_first_unlock(&localError, ^bool (SOSAccountTransaction* txn, CFErrorRef *error) {
752 result = txn.account;
757 secnotice("secAccount", "Failed request for account object (%@)", localError);
758 CFReleaseNull(localError);
761 return (__bridge CFTypeRef)result;
765 // Mark: Credential processing
768 bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) {
769 secnotice("updates", "Trying credentials and dsid (%@) for %@", dsid, user_label);
771 return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
772 if (dsid != NULL && CFStringCompare(dsid, CFSTR(""), 0) != 0) {
773 SOSAccountAssertDSID(txn.account, dsid);
775 return SOSAccountTryUserCredentials(txn.account, user_label, user_password, block_error);
779 SOSViewResultCode SOSCCView_Server(CFStringRef viewname, SOSViewActionCode action, CFErrorRef *error) {
780 __block SOSViewResultCode status = kSOSCCGeneralViewError;
782 do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
786 case kSOSCCViewQuery:
787 status = [txn.account.trust viewStatus:txn.account name:viewname err:error];
790 case kSOSCCViewEnable:
791 status = [txn.account.trust updateView:txn.account name:viewname code:action err:error];
795 case kSOSCCViewDisable:
796 status = [txn.account.trust updateView:txn.account name:viewname code:action err:error];
800 secnotice("views", "Bad SOSViewActionCode - %d", (int) action);
809 bool SOSCCViewSetWithAnalytics_Server(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent) {
810 __block bool status = false;
812 do_with_account_if_after_first_unlock(NULL, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
813 status = [txn.account.trust updateViewSetsWithAnalytics:txn.account enabled:enabledViews disabled:disabledViews parentEvent:(__bridge NSData*)parentEvent];
819 bool SOSCCViewSet_Server(CFSetRef enabledViews, CFSetRef disabledViews) {
820 __block bool status = false;
822 do_with_account_if_after_first_unlock(NULL, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
823 status = [txn.account.trust updateViewSets:txn.account enabled:enabledViews disabled:disabledViews];
830 void sync_the_last_data_to_kvs(CFTypeRef account, bool waitForeverForSynchronization){
832 dispatch_semaphore_t wait_for = dispatch_semaphore_create(0);
834 secnoticeq("force-push", "calling SOSCloudKeychainSynchronizeAndWait");
836 SOSCloudKeychainSynchronizeAndWait(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) {
838 secerrorq("SOSCloudKeychainSynchronizeAndWait: %@", sync_error);
840 secnoticeq("force-push", "returned from call; in callback to SOSCloudKeychainSynchronizeAndWait: results: %@", returnedValues);
843 dispatch_semaphore_signal(wait_for);
846 if(waitForeverForSynchronization)
847 dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER);
849 dispatch_semaphore_wait(wait_for, dispatch_time(DISPATCH_TIME_NOW, 60ull * NSEC_PER_SEC));
854 #define kWAIT2MINID "EFRESH"
856 static bool SyncKVSAndWait(CFErrorRef *error) {
857 dispatch_semaphore_t wait_for = dispatch_semaphore_create(0);
859 __block bool success = false;
861 secnoticeq("fresh", "EFP calling SOSCloudKeychainSynchronizeAndWait");
863 os_activity_initiate("CloudCircle EFRESH", OS_ACTIVITY_FLAG_DEFAULT, ^(void) {
864 SOSCloudKeychainSynchronizeAndWait(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(__unused CFDictionaryRef returnedValues, CFErrorRef sync_error) {
865 secnotice("fresh", "EFP returned, callback error: %@", sync_error);
867 success = (sync_error == NULL);
869 CFRetainAssign(*error, sync_error);
872 dispatch_semaphore_signal(wait_for);
876 dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER);
877 secnotice("fresh", "EFP complete: %s %@", success ? "success" : "failure", error ? *error : NULL);
883 static bool Flush(CFErrorRef *error) {
884 __block bool success = false;
886 dispatch_semaphore_t wait_for = dispatch_semaphore_create(0);
887 secnotice("flush", "Starting");
889 SOSCloudKeychainFlush(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) {
890 success = (sync_error == NULL);
892 CFRetainAssign(*error, sync_error);
895 dispatch_semaphore_signal(wait_for);
898 dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER);
900 secnotice("flush", "Returned %s", success? "Success": "Failure");
905 static bool SOSCCAssertUserCredentialsAndOptionalDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) {
906 secnotice("updates", "Setting credentials and dsid (%@) for %@", dsid, user_label);
908 bool result = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
909 if (dsid != NULL && CFStringCompare(dsid, CFSTR(""), 0) != 0) {
910 SOSAccountAssertDSID(txn.account, dsid);
915 require_quiet(result, done);
917 require_quiet(SyncKVSAndWait(error), done); // Make sure we've seen what the server has
918 require_quiet(Flush(error), done); // And processed it already...before asserting
920 result = do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *block_error) {
921 return SOSAccountAssertUserCredentials(txn.account, user_label, user_password, block_error);
924 require_quiet(result, done);
925 require_quiet(Flush(error), done); // Process any incoming information..circles et.al. before fixing our signature
927 result = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
928 return SOSAccountGenerationSignatureUpdate(txn.account, error);
935 static bool SOSCCAssertUserCredentialsAndOptionalDSIDWithAnalytics(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, NSData* parentEvent, CFErrorRef *error) {
936 secnotice("updates", "Setting credentials and dsid (%@) for %@", dsid, user_label);
938 NSError* localError = nil;
939 SFSignInAnalytics* parent = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFSignInAnalytics class] fromData:parentEvent error:&localError];
941 SFSignInAnalytics *syncAndWaitEvent = nil;
942 SFSignInAnalytics *flushEvent = nil;
943 SFSignInAnalytics *secondFlushEvent = nil;
944 SFSignInAnalytics *generationSignatureUpdateEvent = nil;
946 bool result = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
947 if (dsid != NULL && CFStringCompare(dsid, CFSTR(""), 0) != 0) {
948 SOSAccountAssertDSID(txn.account, dsid);
953 require_quiet(result, done);
954 syncAndWaitEvent = [parent newSubTaskForEvent:@"syncAndWaitEvent"];
955 require_quiet(SyncKVSAndWait(error), done); // Make sure we've seen what the server has
956 [syncAndWaitEvent stopWithAttributes:nil];
958 flushEvent = [parent newSubTaskForEvent:@"flushEvent"];
959 require_quiet(Flush(error), done); // And processed it already...before asserting
960 [flushEvent stopWithAttributes:nil];
962 result = do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *block_error) {
963 return SOSAccountAssertUserCredentials(txn.account, user_label, user_password, block_error);
966 require_quiet(result, done);
967 secondFlushEvent = [parent newSubTaskForEvent:@"secondFlushEvent"];
968 require_quiet(Flush(error), done); // Process any incoming information..circles et.al. before fixing our signature
969 [secondFlushEvent stopWithAttributes:nil];
971 generationSignatureUpdateEvent = [parent newSubTaskForEvent:@"generationSignatureUpdateEvent"];
972 result = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
973 return SOSAccountGenerationSignatureUpdate(txn.account, error);
975 [generationSignatureUpdateEvent stopWithAttributes:nil];
979 if(syncAndWaitEvent){
980 [syncAndWaitEvent stopWithAttributes:nil];
983 [flushEvent stopWithAttributes:nil];
985 if(secondFlushEvent){
986 [secondFlushEvent stopWithAttributes:nil];
988 if(generationSignatureUpdateEvent){
989 [generationSignatureUpdateEvent stopWithAttributes:nil];
994 bool SOSCCSetUserCredentialsAndDSID_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error)
996 // TODO: Return error if DSID is NULL to insist our callers provide one?
997 return SOSCCAssertUserCredentialsAndOptionalDSID(user_label, user_password, dsid, error);
1000 bool SOSCCSetUserCredentialsAndDSIDWithAnalytics_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error)
1002 return SOSCCAssertUserCredentialsAndOptionalDSIDWithAnalytics(user_label, user_password, dsid, (__bridge NSData*)parentEvent, error);
1004 bool SOSCCSetUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error)
1006 return SOSCCAssertUserCredentialsAndOptionalDSID(user_label, user_password, NULL, error);
1009 bool SOSCCCanAuthenticate_Server(CFErrorRef *error)
1011 bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1012 // If we reply that yes we can authenticate, then let's make sure we can authenticate for a while yet.
1013 // <rdar://problem/32732066>
1014 SOSAccountRestartPrivateCredentialTimer(txn.account);
1015 return SOSAccountGetPrivateCredential(txn.account, block_error) != NULL;
1018 if (!result && error && *error && CFErrorGetDomain(*error) == kSOSErrorDomain) {
1019 CFIndex code = CFErrorGetCode(*error);
1020 if (code == kSOSErrorPrivateKeyAbsent || code == kSOSErrorPublicKeyAbsent) {
1021 CFReleaseNull(*error);
1028 bool SOSCCPurgeUserCredentials_Server(CFErrorRef *error)
1030 return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1031 SOSAccountPurgePrivateCredential(txn.account);
1036 SOSCCStatus SOSCCThisDeviceIsInCircle_Server(CFErrorRef *error)
1038 __block SOSCCStatus status;
1040 return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1041 status = [txn.account getCircleStatus:block_error];
1044 }) ? status : kSOSCCError;
1047 bool SOSCCRequestToJoinCircle_Server(CFErrorRef* error)
1049 __block bool result = true;
1051 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1052 result = SOSAccountJoinCircles(txn, block_error);
1057 bool SOSCCRequestToJoinCircleWithAnalytics_Server(CFDataRef parentEvent, CFErrorRef* error)
1059 __block bool result = true;
1061 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1062 result = SOSAccountJoinCirclesWithAnalytics(txn, (__bridge NSData*)parentEvent, block_error);
1067 bool SOSCCAccountHasPublicKey_Server(CFErrorRef *error)
1069 __block bool result = true;
1070 __block CFErrorRef localError = NULL;
1072 bool hasPublicKey = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1073 result = SOSAccountHasPublicKey(txn.account, &localError);
1077 if(error != NULL && localError != NULL)
1078 *error = localError;
1080 return hasPublicKey;
1083 bool SOSCCAccountIsNew_Server(CFErrorRef *error)
1085 __block bool result = true;
1086 __block CFErrorRef localError = NULL;
1088 (void) do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1089 result = SOSAccountIsNew(txn.account, &localError);
1093 if(error != NULL && localError != NULL)
1094 *error = localError;
1098 bool SOSCCRequestToJoinCircleAfterRestore_Server(CFErrorRef* error)
1100 __block bool result = true;
1101 bool returned = false;
1102 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1103 SOSAccountEnsurePeerRegistration(txn.account, block_error);
1104 result = SOSAccountJoinCirclesAfterRestore(txn, block_error);
1111 bool SOSCCRequestToJoinCircleAfterRestoreWithAnalytics_Server(CFDataRef parentEvent, CFErrorRef* error)
1113 __block bool result = true;
1114 bool returned = false;
1115 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1116 NSError* localError = nil;
1117 SFSignInAnalytics* parent = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFSignInAnalytics class] fromData:(__bridge NSData*)parentEvent error:&localError];
1119 SFSignInAnalytics *ensurePeerRegistrationEvent = [parent newSubTaskForEvent:@"ensurePeerRegistrationEvent"];
1120 SOSAccountEnsurePeerRegistration(txn.account, block_error);
1121 if(block_error && *block_error){
1122 NSError* blockError = (__bridge NSError*)*block_error;
1124 [ensurePeerRegistrationEvent logRecoverableError:blockError];
1125 secerror("ensure peer registration error: %@", blockError);
1128 [ensurePeerRegistrationEvent stopWithAttributes:nil];
1129 result = SOSAccountJoinCirclesAfterRestoreWithAnalytics(txn, (__bridge NSData*)parentEvent, block_error);
1136 bool SOSCCRequestEnsureFreshParameters_Server(CFErrorRef* error)
1138 bool returned = false;
1139 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1140 return SyncKVSAndWait(block_error);
1143 returned = Flush(error);
1148 bool SOSCCApplyToARing_Server(CFStringRef ringName, CFErrorRef *error){
1149 __block bool result = true;
1150 bool returned = false;
1151 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1152 SOSFullPeerInfoRef fpi = txn.account.fullPeerInfo;
1153 SOSRingRef ring = [txn.account.trust copyRing:ringName err:error];
1156 result = SOSRingApply(ring, txn.account.accountKey, fpi , error);
1158 CFReleaseNull(ring);
1164 bool SOSCCWithdrawlFromARing_Server(CFStringRef ringName, CFErrorRef *error){
1165 __block bool result = true;
1166 bool returned = false;
1167 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1168 SOSFullPeerInfoRef fpi = txn.account.fullPeerInfo;
1169 SOSRingRef ring = [txn.account.trust copyRing:ringName err:error];
1171 result = SOSRingWithdraw(ring, txn.account.accountKey, fpi , error);
1173 CFReleaseNull(ring);
1179 bool SOSCCEnableRing_Server(CFStringRef ringName, CFErrorRef *error){
1180 __block bool result = true;
1181 bool returned = false;
1182 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1183 SOSFullPeerInfoRef fpi = txn.account.fullPeerInfo;
1184 SOSRingRef ring = [txn.account.trust copyRing:ringName err:error];
1186 result = SOSRingResetToOffering(ring, NULL, fpi, error);
1188 CFReleaseNull(ring);
1194 CFStringRef SOSCCGetAllTheRings_Server(CFErrorRef *error){
1195 __block CFMutableDictionaryRef result = NULL;
1196 __block CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0);
1198 (void) do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
1199 SOSAccountForEachRing(txn.account, ^SOSRingRef(CFStringRef name, SOSRingRef ring) {
1200 CFStringAppendFormat(description, NULL, CFSTR("%@\n"), ring);
1211 SOSRingStatus SOSCCRingStatus_Server(CFStringRef ringName, CFErrorRef *error){
1212 __block bool result = true;
1213 SOSRingStatus returned;
1214 returned = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1215 SOSFullPeerInfoRef fpi = txn.account.fullPeerInfo;
1216 SOSPeerInfoRef myPeer = SOSFullPeerInfoGetPeerInfo(fpi);
1218 SOSRingRef ring = [txn.account.trust copyRing:ringName err:error];
1219 if(myPeer && ring) {
1220 result = SOSRingDeviceIsInRing(ring, SOSPeerInfoGetPeerID(myPeer));
1222 CFReleaseNull(ring);
1229 bool SOSCCAccountSetToNew_Server(CFErrorRef *error)
1231 return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1232 SOSAccountSetToNew(txn.account);
1237 bool SOSCCResetToOffering_Server(CFErrorRef* error)
1239 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1240 SecKeyRef user_key = SOSAccountGetPrivateCredential(txn.account, error);
1243 return [txn.account.trust resetToOffering:txn key:user_key err:block_error];
1248 bool SOSCCResetToEmpty_Server(CFErrorRef* error)
1250 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1251 if (!SOSAccountHasPublicKey(txn.account, error))
1253 return [txn.account.trust resetAccountToEmpty:txn.account transport:txn.account.circle_transport err:block_error];
1258 bool SOSCCResetToEmptyWithAnalytics_Server(CFDataRef parentEvent, CFErrorRef* error)
1260 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1261 if (!SOSAccountHasPublicKey(txn.account, error))
1263 return [txn.account.trust resetAccountToEmptyWithAnalytics:txn.account transport:txn.account.circle_transport parentEvent:(__bridge NSData*)parentEvent err:block_error];
1268 bool SOSCCRemoveThisDeviceFromCircleWithAnalytics_Server(CFDataRef parentEvent, CFErrorRef* error)
1270 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1271 return [txn.account.trust leaveCircleWithAccount:txn.account withAnalytics:(__bridge NSData*)parentEvent err:error];
1275 bool SOSCCRemoveThisDeviceFromCircle_Server(CFErrorRef* error)
1277 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1278 return [txn.account.trust leaveCircle:txn.account err:block_error];
1282 bool SOSCCRemovePeersFromCircle_Server(CFArrayRef peers, CFErrorRef* error)
1284 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1285 return SOSAccountRemovePeersFromCircle(txn.account, peers, block_error);
1289 bool SOSCCRemovePeersFromCircleWithAnalytics_Server(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error)
1291 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1292 return SOSAccountRemovePeersFromCircleWithAnalytics(txn.account, peers, (__bridge NSData*)parentEvent, block_error);
1296 bool SOSCCLoggedOutOfAccount_Server(CFErrorRef *error)
1298 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1299 secnotice("circleOps", "Signed out of account!");
1301 bool waitForeverForSynchronization = true;
1303 bool result = [txn.account.trust leaveCircle:txn.account err:block_error];
1305 [txn restart]; // Make sure this gets finished before we set to new.
1307 sync_the_last_data_to_kvs((__bridge CFTypeRef)(txn.account), waitForeverForSynchronization);
1309 SOSAccountSetToNew(txn.account);
1315 bool SOSCCBailFromCircle_Server(uint64_t limit_in_seconds, CFErrorRef* error)
1317 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1318 bool waitForeverForSynchronization = false;
1320 bool result = SOSAccountBail(txn.account, limit_in_seconds, block_error);
1322 [txn restart]; // Make sure this gets finished before we set to new.
1324 sync_the_last_data_to_kvs((__bridge CFTypeRef)(txn.account), waitForeverForSynchronization);
1331 CFArrayRef SOSCCCopyApplicantPeerInfo_Server(CFErrorRef* error)
1333 __block CFArrayRef result = NULL;
1335 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1336 result = SOSAccountCopyApplicants(txn.account, block_error);
1337 return result != NULL;
1343 CFArrayRef SOSCCCopyGenerationPeerInfo_Server(CFErrorRef* error)
1345 __block CFArrayRef result = NULL;
1347 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1348 result = SOSAccountCopyGeneration(txn.account, block_error);
1349 return result != NULL;
1355 CFArrayRef SOSCCCopyValidPeerPeerInfo_Server(CFErrorRef* error)
1357 __block CFArrayRef result = NULL;
1361 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1363 result = SOSAccountCopyValidPeers(txn.account, block_error);
1365 return result != NULL;
1372 bool SOSCCValidateUserPublic_Server(CFErrorRef* error)
1374 __block bool result = NULL;
1376 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1377 result = SOSValidateUserPublic(txn.account, block_error);
1384 CFArrayRef SOSCCCopyNotValidPeerPeerInfo_Server(CFErrorRef* error)
1386 __block CFArrayRef result = NULL;
1388 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1389 result = SOSAccountCopyNotValidPeers(txn.account, block_error);
1390 return result != NULL;
1396 CFArrayRef SOSCCCopyRetirementPeerInfo_Server(CFErrorRef* error)
1398 __block CFArrayRef result = NULL;
1400 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1401 result = SOSAccountCopyRetired(txn.account, block_error);
1402 return result != NULL;
1408 CFArrayRef SOSCCCopyViewUnawarePeerInfo_Server(CFErrorRef* error)
1410 __block CFArrayRef result = NULL;
1412 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1413 result = SOSAccountCopyViewUnaware(txn.account, block_error);
1414 return result != NULL;
1420 CFArrayRef SOSCCCopyEngineState_Server(CFErrorRef* error)
1422 CFArrayRef result = NULL;
1423 SOSDataSourceFactoryRef dsf = SecItemDataSourceFactoryGetDefault();
1424 SOSDataSourceRef ds = SOSDataSourceFactoryCreateDataSource(dsf, kSecAttrAccessibleWhenUnlocked, error);
1426 SOSEngineRef engine = SOSDataSourceGetSharedEngine(ds, error);
1427 result = SOSEngineCopyPeerConfirmedDigests(engine, error);
1428 SOSDataSourceRelease(ds, error);
1434 static int64_t getTimeDifference(time_t start)
1441 duration = stop - start;
1443 return SecBucket1Significant(duration);
1446 static uint64_t initialSyncTimeoutFromDefaultsWrite(void)
1448 uint64_t timeout = 10;
1450 //sudo defaults write /Library/Preferences/com.apple.authd enforceEntitlement -bool true
1451 CFTypeRef initialSyncTimeout = (CFNumberRef)CFPreferencesCopyValue(CFSTR("InitialSync.WaitPeriod"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
1453 if (isNumber(initialSyncTimeout)) {
1454 CFNumberGetValue((CFNumberRef)initialSyncTimeout, kCFNumberSInt64Type, &timeout);
1456 CFReleaseNull(initialSyncTimeout);
1460 bool SOSCCWaitForInitialSyncWithAnalytics_Server(CFDataRef parentEvent, CFErrorRef* error) {
1461 __block dispatch_semaphore_t inSyncSema = NULL;
1462 __block bool result = false;
1463 __block bool synced = false;
1464 bool timed_out = false;
1465 __block CFStringRef inSyncCallID = NULL;
1466 __block time_t start;
1467 __block CFBooleanRef shouldUseInitialSyncV0 = false;
1468 SFSignInAnalytics* syncingEvent = nil;
1470 NSError* localError = nil;
1471 SFSignInAnalytics* parent = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFSignInAnalytics class] fromData:(__bridge NSData*)parentEvent error:&localError];
1473 secnotice("initial sync", "Wait for initial sync start!");
1475 result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1476 shouldUseInitialSyncV0 = (CFBooleanRef)SOSAccountGetValue(txn.account, kSOSInitialSyncTimeoutV0, error);
1477 bool alreadyInSync = (SOSAccountHasCompletedInitialSync(txn.account));
1479 if (!alreadyInSync) {
1480 txn.account.isInitialSyncing = true;
1482 inSyncSema = dispatch_semaphore_create(0);
1484 SFSignInAnalytics* callWhenInSyncEvent = [parent newSubTaskForEvent:@"callWhenInSync"];
1485 inSyncCallID = SOSAccountCallWhenInSync(txn.account, ^bool(SOSAccount* mightBeSynced) {
1489 dispatch_semaphore_signal(inSyncSema);
1490 NSDictionary* attributes = @{@"finishedSyncing" : @YES};
1491 [syncingEvent stopWithAttributes:attributes];
1495 NSDictionary* attributes = @{};
1496 [callWhenInSyncEvent stopWithAttributes:attributes];
1504 require_quiet(result, fail);
1508 syncingEvent = [parent newSubTaskForEvent:@"initialSyncEvent"];
1509 if(shouldUseInitialSyncV0){
1510 secnotice("piggy","setting initial sync timeout to 5 minutes");
1511 timed_out = dispatch_semaphore_wait(inSyncSema, dispatch_time(DISPATCH_TIME_NOW, 300ull * NSEC_PER_SEC));
1514 uint64_t timeoutFromDefaultsWrite = initialSyncTimeoutFromDefaultsWrite();
1515 secnotice("piggy","setting initial sync timeout to %llu seconds", timeoutFromDefaultsWrite);
1516 timed_out = dispatch_semaphore_wait(inSyncSema, dispatch_time(DISPATCH_TIME_NOW, timeoutFromDefaultsWrite * NSEC_PER_SEC));
1519 if (timed_out && shouldUseInitialSyncV0) {
1520 do_with_account(^(SOSAccountTransaction* txn) {
1521 if (SOSAccountUnregisterCallWhenInSync(txn.account, inSyncCallID)) {
1523 inSyncSema = NULL; // We've canceled the timeout so we must be the last.
1527 NSError* error = [NSError errorWithDomain:@"securityd" code:errSecTimedOut userInfo:@{NSLocalizedDescriptionKey: @"timed out waiting for initial sync"}];
1528 [syncingEvent logUnrecoverableError:error];
1529 NSDictionary* attributes = @{@"finishedSyncing" : @NO, @"legacyPiggybacking" : @YES};
1530 [syncingEvent stopWithAttributes:attributes];
1533 require_quiet(result, fail);
1537 SecADClientPushValueForDistributionKey(SOSAggdSyncCompletionKey, getTimeDifference(start));
1541 SecADAddValueForScalarKey(SOSAggdSyncTimeoutKey, 1);
1544 (void)do_with_account(^(SOSAccountTransaction *txn) {
1545 txn.account.isInitialSyncing = false;
1548 secnotice("initial sync", "Finished!: %d", result);
1551 CFReleaseNull(inSyncCallID);
1555 bool SOSCCWaitForInitialSync_Server(CFErrorRef* error) {
1557 __block dispatch_semaphore_t inSyncSema = NULL;
1558 __block bool result = false;
1559 __block bool synced = false;
1560 bool timed_out = false;
1561 __block CFStringRef inSyncCallID = NULL;
1562 __block time_t start;
1563 __block CFBooleanRef shouldUseInitialSyncV0 = false;
1565 secnotice("initial sync", "Wait for initial sync start!");
1567 result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1568 shouldUseInitialSyncV0 = (CFBooleanRef)SOSAccountGetValue(txn.account, kSOSInitialSyncTimeoutV0, error);
1569 bool alreadyInSync = (SOSAccountHasCompletedInitialSync(txn.account));
1571 if (!alreadyInSync) {
1572 txn.account.isInitialSyncing = true;
1574 inSyncSema = dispatch_semaphore_create(0);
1576 inSyncCallID = SOSAccountCallWhenInSync(txn.account, ^bool(SOSAccount* mightBeSynced) {
1580 dispatch_semaphore_signal(inSyncSema);
1592 require_quiet(result, fail);
1595 if(shouldUseInitialSyncV0){
1596 secnotice("piggy","setting initial sync timeout to 5 minutes");
1597 timed_out = dispatch_semaphore_wait(inSyncSema, dispatch_time(DISPATCH_TIME_NOW, 300ull * NSEC_PER_SEC));
1600 uint64_t timeoutFromDefaultsWrite = initialSyncTimeoutFromDefaultsWrite();
1601 secnotice("piggy","setting initial sync timeout to %llu seconds", timeoutFromDefaultsWrite);
1602 timed_out = dispatch_semaphore_wait(inSyncSema, dispatch_time(DISPATCH_TIME_NOW, timeoutFromDefaultsWrite * NSEC_PER_SEC));
1605 if (timed_out && shouldUseInitialSyncV0) {
1606 do_with_account(^(SOSAccountTransaction* txn) {
1607 if (SOSAccountUnregisterCallWhenInSync(txn.account, inSyncCallID)) {
1609 inSyncSema = NULL; // We've canceled the timeout so we must be the last.
1615 require_quiet(result, fail);
1619 SecADClientPushValueForDistributionKey(SOSAggdSyncCompletionKey, getTimeDifference(start));
1623 SecADAddValueForScalarKey(SOSAggdSyncTimeoutKey, 1);
1626 (void)do_with_account(^(SOSAccountTransaction *txn) {
1627 txn.account.isInitialSyncing = false;
1630 secnotice("initial sync", "Finished!: %d", result);
1633 CFReleaseNull(inSyncCallID);
1638 static CFArrayRef SOSAccountCopyYetToSyncViews(SOSAccount* account, CFErrorRef *error) {
1639 __block CFArrayRef result = NULL;
1641 CFTypeRef valueFetched = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, error);
1642 if (valueFetched == kCFBooleanTrue) {
1643 SOSPeerInfoRef myPI = account.peerInfo;
1645 SOSPeerInfoWithEnabledViewSet(myPI, ^(CFSetRef enabled) {
1646 result = CFSetCopyValues(enabled);
1649 } else if (isSet(valueFetched)) {
1650 result = CFSetCopyValues((CFSetRef)valueFetched);
1653 if (result == NULL) {
1654 result = CFArrayCreateForCFTypes(kCFAllocatorDefault, NULL);
1660 CFArrayRef SOSCCCopyYetToSyncViewsList_Server(CFErrorRef* error) {
1662 __block CFArrayRef views = NULL;
1664 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1665 views = SOSAccountCopyYetToSyncViews(txn.account, error);
1673 bool SOSWrapToBackupSliceKeyBagForView_Server(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error) {
1674 CFErrorRef localerror = NULL;
1675 SOSBackupSliceKeyBagRef bskb = SOSBackupSliceKeyBagForView(viewName, &localerror);
1677 if(bskbEncoded && bskb) {
1678 *bskbEncoded = SOSBSKBCopyEncoded(bskb, &localerror);
1682 *output = SOSWrapToBackupSliceKeyBag(bskb, input, &localerror);
1686 *error = localerror;
1688 return localerror == NULL;
1691 SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagForView(CFStringRef viewName, CFErrorRef* error){
1692 __block SOSBackupSliceKeyBagRef bskb = NULL;
1693 (void) do_with_account(^ (SOSAccountTransaction* txn) {
1694 bskb = SOSAccountBackupSliceKeyBagForView(txn.account, viewName, error);
1699 CFDataRef SOSWrapToBackupSliceKeyBag(SOSBackupSliceKeyBagRef bskb, CFDataRef input, CFErrorRef* error) {
1700 CFDataRef encrypted = NULL;
1701 bskb_keybag_handle_t bskb_handle = 0;
1703 require_quiet(bskb, exit);
1705 bskb_handle = SOSBSKBLoadLocked(bskb, error);
1706 require_quiet(bskb_handle, exit);
1708 SecAccessControlRef access = NULL;
1709 require_quiet(access = SecAccessControlCreate(kCFAllocatorDefault, error), exit);
1710 require_quiet(SecAccessControlSetProtection(access, kSecAttrAccessibleWhenUnlocked, error), exit);
1712 // ks_encrypt_data takes a dictionary as its plaintext.
1713 CFMutableDictionaryRef plaintext = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
1714 CFDictionarySetValue(plaintext, CFSTR("data"), input);
1716 require_quiet(ks_encrypt_data_legacy(bskb_handle, access, NULL, plaintext, NULL, &encrypted, false, error), exit);
1719 CFReleaseNull(bskb);
1720 if(bskb_handle != 0) {
1721 ks_close_keybag(bskb_handle, error);
1723 if(error && *error) {
1724 secnotice("backup", "Failed to wrap to a BKSB: %@", *error);
1730 CFDictionaryRef SOSCCCopyEscrowRecord_Server(CFErrorRef *error){
1732 __block CFDictionaryRef result = NULL;
1734 (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
1735 CFErrorRef localError = NULL;
1736 SOSCCStatus status = [txn.account getCircleStatus:&localError];
1738 CFStringRef dsid = SOSAccountGetValue(txn.account, kSOSDSIDKey, error);
1739 CFDictionaryRef escrowRecords = NULL;
1740 CFDictionaryRef record = NULL;
1742 case kSOSCCInCircle:
1743 //get the escrow record in the peer info!
1744 escrowRecords = SOSPeerInfoCopyEscrowRecord(txn.account.peerInfo);
1746 record = CFDictionaryGetValue(escrowRecords, dsid);
1748 result = CFRetainSafe(record);
1750 CFReleaseNull(escrowRecords);
1752 case kSOSCCRequestPending:
1753 //set the escrow record in the peer info/application?
1755 case kSOSCCNotInCircle:
1756 case kSOSCCCircleAbsent:
1757 //set the escrow record in the account expansion!
1758 escrowRecords = SOSAccountGetValue(txn.account, kSOSEscrowRecord, error);
1760 record = CFDictionaryGetValue(escrowRecords, dsid);
1762 result = CFRetainSafe(record);
1766 secdebug("account", "no circle status!");
1775 CFDictionaryRef SOSCCCopyBackupInformation_Server(CFErrorRef *error) {
1776 __block CFDictionaryRef result = NULL;
1778 (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
1779 result = SOSBackupInformation(txn, error);
1785 bool SOSCCSetEscrowRecord_Server(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error){
1787 if (escrow_label == NULL) {
1791 __block bool result = true;
1792 __block CFErrorRef block_error = NULL;
1794 (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
1795 SOSCCStatus status = [txn.account getCircleStatus:&block_error];
1797 CFStringRef dsid = SOSAccountGetValue(txn.account, kSOSDSIDKey, error);
1799 CFMutableStringRef timeDescription = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, CFSTR("["));
1800 CFAbsoluteTime currentTimeAndDate = CFAbsoluteTimeGetCurrent();
1802 withStringOfAbsoluteTime(currentTimeAndDate, ^(CFStringRef decription) {
1803 CFStringAppend(timeDescription, decription);
1805 CFStringAppend(timeDescription, CFSTR("]"));
1807 CFNumberRef attempts = CFNumberCreate(kCFAllocatorDefault, kCFNumberLongLongType, (const void*)&tries);
1809 CFMutableDictionaryRef escrowTimeAndTries = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
1810 CFDictionaryAddValue(escrowTimeAndTries, kSOSBurnedRecoveryAttemptCount, attempts);
1811 CFDictionaryAddValue(escrowTimeAndTries, kSOSBurnedRecoveryAttemptAttestationDate, timeDescription);
1813 CFMutableDictionaryRef escrowRecord = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
1814 CFDictionaryAddValue(escrowRecord, escrow_label, escrowTimeAndTries);
1817 case kSOSCCInCircle:
1818 //set the escrow record in the peer info!
1819 if(!SOSFullPeerInfoAddEscrowRecord(txn.account.fullPeerInfo, dsid, escrowRecord, error)){
1820 secdebug("accout", "Could not set escrow record in the full peer info");
1824 case kSOSCCRequestPending:
1825 //set the escrow record in the peer info/application?
1827 case kSOSCCNotInCircle:
1828 case kSOSCCCircleAbsent:
1829 //set the escrow record in the account expansion!
1831 if(!SOSAccountAddEscrowRecords(txn.account, dsid, escrowRecord, error)) {
1832 secdebug("account", "Could not set escrow record in expansion data");
1837 secdebug("account", "no circle status!");
1840 CFReleaseNull(attempts);
1841 CFReleaseNull(timeDescription);
1842 CFReleaseNull(escrowTimeAndTries);
1843 CFReleaseNull(escrowRecord);
1851 bool SOSCCAcceptApplicants_Server(CFArrayRef applicants, CFErrorRef* error)
1853 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1854 return SOSAccountAcceptApplicants(txn.account, applicants, block_error);
1859 bool SOSCCRejectApplicants_Server(CFArrayRef applicants, CFErrorRef* error)
1861 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1862 return SOSAccountRejectApplicants(txn.account, applicants, block_error);
1866 CFArrayRef SOSCCCopyPeerPeerInfo_Server(CFErrorRef* error)
1868 __block CFArrayRef result = NULL;
1870 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1871 result = SOSAccountCopyPeers(txn.account, block_error);
1872 return result != NULL;
1878 CFArrayRef SOSCCCopyConcurringPeerPeerInfo_Server(CFErrorRef* error)
1880 __block CFArrayRef result = NULL;
1882 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1883 result = SOSAccountCopyConcurringPeers(txn.account, block_error);
1884 return result != NULL;
1890 SOSPeerInfoRef SOSCCCopyMyPeerInfo_Server(CFErrorRef* error)
1892 __block SOSPeerInfoRef result = NULL;
1894 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1895 // Create a copy to be DERed/sent back to client
1896 result = SOSPeerInfoCreateCopy(kCFAllocatorDefault, txn.account.peerInfo, block_error);
1897 return result != NULL;
1903 CFDataRef SOSCCCopyAccountState_Server(CFErrorRef* error)
1905 __block CFDataRef accountState = NULL;
1907 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1908 // Copy account state from the keychain
1909 accountState = SOSAccountCopyAccountStateFromKeychain(block_error);
1910 return accountState != NULL;
1913 return accountState;
1916 bool SOSCCDeleteAccountState_Server(CFErrorRef* error)
1918 __block bool result = NULL;
1920 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1921 // Delete account state from the keychain
1922 result = SOSAccountDeleteAccountStateFromKeychain(block_error);
1929 CFDataRef SOSCCCopyEngineData_Server(CFErrorRef* error)
1931 __block CFDataRef engineState = NULL;
1933 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1934 // Copy engine state from the keychain
1935 engineState = SOSAccountCopyEngineStateFromKeychain(block_error);
1936 return engineState != NULL;
1942 bool SOSCCDeleteEngineState_Server(CFErrorRef* error)
1944 __block bool result = NULL;
1946 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1947 // Delete engine state from the keychain
1948 result = SOSAccountDeleteEngineStateFromKeychain(block_error);
1957 SOSPeerInfoRef SOSCCSetNewPublicBackupKey_Server(CFDataRef newPublicBackup, CFErrorRef *error){
1958 __block SOSPeerInfoRef result = NULL;
1960 secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server acquiring account lock");
1961 (void) do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1962 secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server acquired account lock");
1963 if(SOSAccountSetBackupPublicKey(txn,newPublicBackup, error)){
1964 secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, new public backup is set in account");
1965 [txn restart]; // Finish the transaction to update any changes to the peer info.
1967 // Create a copy to be DERed/sent back to client
1968 result = SOSPeerInfoCreateCopy(kCFAllocatorDefault, txn.account.peerInfo, block_error);
1969 secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, new public backup is set and pushed");
1973 secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, could not set new public backup");
1975 return result != NULL;
1981 bool SOSCCRegisterSingleRecoverySecret_Server(CFDataRef aks_bag, bool setupV0Only, CFErrorRef *error){
1982 return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1983 return SOSAccountSetBSKBagForAllSlices(txn.account, aks_bag, setupV0Only, error);
1987 CFStringRef SOSCCCopyIncompatibilityInfo_Server(CFErrorRef* error)
1989 __block CFStringRef result = NULL;
1991 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
1992 result = SOSAccountCopyIncompatibilityInfo(txn.account, block_error);
1993 return result != NULL;
1999 bool SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(CFErrorRef *error) {
2000 bool result = do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
2001 return SOSAccountIsLastBackupPeer(txn.account, block_error);
2006 enum DepartureReason SOSCCGetLastDepartureReason_Server(CFErrorRef* error)
2008 __block enum DepartureReason result = kSOSDepartureReasonError;
2010 (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
2011 result = SOSAccountGetLastDepartureReason(txn.account, block_error);
2012 return result != kSOSDepartureReasonError;
2018 bool SOSCCSetLastDepartureReason_Server(enum DepartureReason reason, CFErrorRef *error){
2019 return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
2020 SOSAccountSetLastDepartureReason(txn.account, reason);
2025 bool SOSCCProcessEnsurePeerRegistration_Server(CFErrorRef* error)
2027 secnotice("updates", "Request for registering peers");
2028 return do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2029 return SOSAccountEnsurePeerRegistration(txn.account, error);
2033 CF_RETURNS_RETAINED CFSetRef SOSCCProcessSyncWithPeers_Server(CFSetRef peers, CFSetRef backupPeers, CFErrorRef *error) {
2034 __block CFSetRef result = NULL;
2035 if (!do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2036 result = SOSAccountProcessSyncWithPeers(txn, peers, backupPeers, error);
2037 return result != NULL;
2039 // Be sure we don't return a result if we got an error
2040 CFReleaseNull(result);
2046 SyncWithAllPeersReason SOSCCProcessSyncWithAllPeers_Server(CFErrorRef* error)
2049 #define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked
2050 #define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked
2052 __block SyncWithAllPeersReason result = kSyncWithAllPeersSuccess;
2054 CFErrorRef action_error = NULL;
2056 if (!do_with_account_while_unlocked(&action_error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) {
2057 return SOSAccountRequestSyncWithAllPeers(txn, block_error);
2060 if (SecErrorGetOSStatus(action_error) == errSecInteractionNotAllowed) {
2061 secnotice("updates", "SOSAccountSyncWithAllKVSPeers failed because device is locked; letting CloudKeychainProxy know");
2062 result = kSyncWithAllPeersLocked; // tell CloudKeychainProxy to call us back when device unlocks
2063 CFReleaseNull(action_error);
2065 secerror("Unexpected error: %@", action_error);
2069 SecErrorPropagate(action_error, error);
2079 void SOSCCRequestSyncWithPeer(CFStringRef peerID) {
2080 CFArrayRef peers = CFArrayCreateForCFTypes(kCFAllocatorDefault, peerID, NULL);
2082 SOSCCRequestSyncWithPeersList(peers);
2084 CFReleaseNull(peers);
2087 void SOSCCRequestSyncWithPeers(CFSetRef /*SOSPeerInfoRef/CFStringRef*/ peerIDs) {
2088 CFMutableArrayRef peerIDArray = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
2090 CFSetForEach(peerIDs, ^(const void *value) {
2091 if (isString(value)) {
2092 CFArrayAppendValue(peerIDArray, value);
2093 } else if (isSOSPeerInfo(value)) {
2094 SOSPeerInfoRef peer = asSOSPeerInfo(value);
2095 CFArrayAppendValue(peerIDArray, SOSPeerInfoGetPeerID(peer));
2097 secerror("Bad element, skipping: %@", value);
2101 SOSCCRequestSyncWithPeersList(peerIDArray);
2103 CFReleaseNull(peerIDArray);
2106 void SOSCCRequestSyncWithPeersList(CFArrayRef /*CFStringRef*/ peerIDs) {
2107 os_activity_initiate("CloudCircle RequestSyncWithPeersList", OS_ACTIVITY_FLAG_DEFAULT, ^(void) {
2108 CFArrayRef empty = CFArrayCreateForCFTypes(kCFAllocatorDefault, NULL);
2110 CFStringArrayPerformWithDescription(peerIDs, ^(CFStringRef description) {
2111 secnotice("syncwith", "Request Sync With: %@", description);
2114 SOSCloudKeychainRequestSyncWithPeers(peerIDs, empty,
2115 dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
2116 CFReleaseNull(empty);
2120 void SOSCCRequestSyncWithBackupPeer(CFStringRef backupPeerId) {
2121 os_activity_initiate("CloudCircle RequestSyncWithPeersList", OS_ACTIVITY_FLAG_DEFAULT, ^(void) {
2122 CFArrayRef empty = CFArrayCreateForCFTypes(kCFAllocatorDefault, NULL);
2123 CFArrayRef backupPeerList = CFArrayCreateForCFTypes(kCFAllocatorDefault, backupPeerId, NULL);
2125 CFStringArrayPerformWithDescription(backupPeerList, ^(CFStringRef description) {
2126 secnotice("syncwith", "Request backup sync With: %@", description);
2129 SOSCloudKeychainRequestSyncWithPeers(empty, backupPeerList,
2130 dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
2132 CFReleaseNull(empty);
2133 CFReleaseNull(backupPeerList);
2137 bool SOSCCIsSyncPendingFor(CFStringRef peerID, CFErrorRef *error) {
2138 return SOSCloudKeychainHasPendingSyncWithPeer(peerID, error);
2141 void SOSCCEnsurePeerRegistration(void)
2143 os_activity_initiate("CloudCircle EnsurePeerRegistration", OS_ACTIVITY_FLAG_DEFAULT, ^(void) {
2145 SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL);
2150 CF_RETURNS_RETAINED CFArrayRef SOSCCHandleUpdateMessage(CFDictionaryRef updates)
2152 CFArrayRef result = NULL;
2153 SOSAccount* account = (__bridge SOSAccount *)(SOSKeychainAccountGetSharedAccount()); //HACK to make sure itemsChangedBlock is set
2155 (account) ? (result = SOSCloudKeychainHandleUpdateMessage(updates)) : (result = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault));
2159 SOSPeerInfoRef SOSCCCopyApplication_Server(CFErrorRef *error) {
2160 __block SOSPeerInfoRef application = NULL;
2161 do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2162 application = SOSAccountCopyApplication(txn.account, error);
2163 return application != NULL;
2169 bool SOSCCCleanupKVSKeys_Server(CFErrorRef *error) {
2170 bool result = do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2171 return SOSAccountCleanupAllKVSKeys(txn.account, error);
2173 if(result && error && *error) {
2174 CFReleaseNull(*error);
2179 bool SOSCCTestPopulateKVSWithBadKeys_Server(CFErrorRef *error)
2181 __block bool result = false;
2182 do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2183 return SOSAccountPopulateKVSWithBadKeys(txn.account, error);
2187 CFDataRef SOSCCCopyCircleJoiningBlob_Server(SOSPeerInfoRef applicant, CFErrorRef *error) {
2188 __block CFDataRef pbblob = NULL;
2189 do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2190 pbblob = SOSAccountCopyCircleJoiningBlob(txn.account, applicant, error);
2191 return pbblob != NULL;
2196 CFDataRef SOSCCCopyInitialSyncData_Server(CFErrorRef *error) {
2197 __block CFDataRef pbblob = NULL;
2198 do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2199 pbblob = SOSAccountCopyInitialSyncData(txn.account, error);
2200 return pbblob != NULL;
2205 bool SOSCCJoinWithCircleJoiningBlob_Server(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error) {
2206 return do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2207 return SOSAccountJoinWithCircleJoiningBlob(txn.account, joiningBlob, version, error);
2212 CFBooleanRef SOSCCPeersHaveViewsEnabled_Server(CFArrayRef viewNames, CFErrorRef *error) {
2213 __block CFBooleanRef result = NULL;
2214 do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2215 result = SOSAccountPeersHaveViewsEnabled(txn.account, viewNames, error);
2216 return result != NULL;
2222 bool SOSCCRegisterRecoveryPublicKey_Server(CFDataRef recovery_key, CFErrorRef *error){
2223 return do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2224 if(recovery_key != NULL && CFDataGetLength(recovery_key) != 0)
2225 return SOSAccountRegisterRecoveryPublicKey(txn, recovery_key, error);
2227 return SOSAccountClearRecoveryPublicKey(txn, recovery_key, error);
2231 CFDataRef SOSCCCopyRecoveryPublicKey_Server(CFErrorRef *error){
2233 __block CFDataRef result = NULL;
2234 do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2235 result = SOSAccountCopyRecoveryPublicKey(txn, error);
2236 return result != NULL;
2242 bool SOSCCMessageFromPeerIsPending_Server(SOSPeerInfoRef peer, CFErrorRef *error) {
2243 return do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2244 return SOSAccountMessageFromPeerIsPending(txn, peer, error);
2248 bool SOSCCSendToPeerIsPending_Server(SOSPeerInfoRef peer, CFErrorRef *error) {
2249 return do_with_account_if_after_first_unlock(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2250 return SOSAccountSendToPeerIsPending(txn, peer, error);
2254 void SOSCCResetOTRNegotiation_Server(CFStringRef peerid)
2256 CFErrorRef localError = NULL;
2257 do_with_account_while_unlocked(&localError, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2258 SOSAccountResetOTRNegotiationCoder(txn.account, peerid);
2263 secerror("error resetting otr negotation: %@", localError);
2267 void SOSCCPeerRateLimiterSendNextMessage_Server(CFStringRef peerid, CFStringRef accessGroup)
2269 CFErrorRef localError = NULL;
2270 do_with_account_while_unlocked(&localError, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) {
2271 SOSAccountTimerFiredSendNextMessage(txn, (__bridge NSString*)peerid, (__bridge NSString*)accessGroup);
2276 secerror("error sending next message: %@", localError);
2280 void SOSCCPerformWithOctagonSigningKey(void (^action)(SecKeyRef octagonPrivSigningKey, CFErrorRef error))
2282 CFErrorRef error = NULL;
2283 do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) {
2284 SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo;
2285 SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonSigningKey(fpi, err);
2286 CFErrorRef errorArg = err ? *err : NULL;
2287 action(signingKey, errorArg);
2288 CFReleaseNull(signingKey);
2291 CFReleaseNull(error);
2294 void SOSCCPerformWithOctagonSigningPublicKey(void (^action)(SecKeyRef octagonPublicKey, CFErrorRef error))
2296 CFErrorRef error = NULL;
2297 do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) {
2298 SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo;
2299 SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonPublicSigningKey(fpi, err);
2300 CFErrorRef errorArg = err ? *err : NULL;
2301 action(signingKey, errorArg);
2302 CFReleaseNull(signingKey);
2305 CFReleaseNull(error);
2308 void SOSCCPerformWithOctagonEncryptionKey(void (^action)(SecKeyRef octagonPrivEncryptionKey, CFErrorRef error))
2310 CFErrorRef error = NULL;
2311 do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) {
2312 SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo;
2313 SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonEncryptionKey(fpi, err);
2314 CFErrorRef errorArg = err ? *err : NULL;
2315 action(signingKey, errorArg);
2316 CFReleaseNull(signingKey);
2319 CFReleaseNull(error);
2322 void SOSCCPerformWithOctagonEncryptionPublicKey(void (^action)(SecKeyRef octagonPublicEncryptionKey, CFErrorRef error))
2324 CFErrorRef error = NULL;
2325 do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) {
2326 SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo;
2327 SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonPublicEncryptionKey(fpi, err);
2328 CFErrorRef errorArg = err ? *err : NULL;
2329 action(signingKey, errorArg);
2330 CFReleaseNull(signingKey);
2333 CFReleaseNull(error);
2336 void SOSCCPerformWithAllOctagonKeys(void (^action)(SecKeyRef octagonEncryptionKey, SecKeyRef octagonSigningKey, CFErrorRef error))
2338 CFErrorRef localError = NULL;
2339 do_with_account_if_after_first_unlock(&localError, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) {
2340 SecKeyRef encryptionKey = NULL;
2341 SecKeyRef signingKey = NULL;
2342 CFErrorRef errorArg = err ? *err : NULL;
2344 SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo;
2345 require_action_quiet(fpi, fail, secerror("device does not have a peer"); SOSCreateError(kSOSErrorPeerNotFound, CFSTR("No Peer for Account"), NULL, &errorArg));
2347 signingKey = SOSFullPeerInfoCopyOctagonSigningKey(fpi, &errorArg);
2348 require_action_quiet(signingKey && !errorArg, fail, secerror("SOSCCPerformWithAllOctagonKeys signing key error: %@", errorArg));
2349 CFReleaseNull(errorArg);
2351 encryptionKey = SOSFullPeerInfoCopyOctagonEncryptionKey(fpi, &errorArg);
2352 require_action_quiet(encryptionKey && !errorArg, fail, secerror("SOSCCPerformWithAllOctagonKeys encryption key error: %@", errorArg));
2354 action(encryptionKey, signingKey, errorArg);
2355 CFReleaseNull(signingKey);
2356 CFReleaseNull(encryptionKey);
2357 CFReleaseNull(errorArg);
2360 action(NULL, NULL, errorArg);
2361 CFReleaseNull(errorArg);
2362 CFReleaseNull(signingKey);
2363 CFReleaseNull(encryptionKey);
2366 CFReleaseNull(localError);
2368 void SOSCCPerformWithTrustedPeers(void (^action)(CFSetRef sosPeerInfoRefs, CFErrorRef error))
2370 CFErrorRef cfAccountError = NULL;
2371 do_with_account_if_after_first_unlock(&cfAccountError, ^bool(SOSAccountTransaction *txn, CFErrorRef *cferror) {
2372 CFSetRef sosPeerSet = [txn.account.trust copyPeerSetMatching:^bool(SOSPeerInfoRef peer) {
2376 CFErrorRef errorArg = cferror ? *cferror : NULL;
2377 action(sosPeerSet, errorArg);
2378 CFReleaseNull(sosPeerSet);
2381 CFReleaseNull(cfAccountError);
2384 void SOSCCPerformWithPeerID(void (^action)(CFStringRef peerID, CFErrorRef error))
2386 CFErrorRef cfAccountError = NULL;
2387 do_with_account_if_after_first_unlock(&cfAccountError, ^bool(SOSAccountTransaction *txn, CFErrorRef *cferror) {
2388 SOSAccount* account = txn.account;
2389 NSString* peerID = nil;
2390 CFErrorRef localError = nil;
2392 if([account getCircleStatus:nil] == kSOSCCInCircle){
2393 peerID = [txn.account peerID];
2396 SOSErrorCreate(kSOSErrorNoCircle, &localError, NULL, CFSTR("Not in circle"));
2398 action((__bridge CFStringRef)peerID, localError);
2399 CFReleaseNull(localError);
2402 CFReleaseNull(cfAccountError);
projects / apple / security.git / blob