OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountCredentials.c

   1 /*
   2  * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 #include <stdio.h>
  26 #include "SOSAccountPriv.h"
  27 #include "SOSPeerInfoCollections.h"
  28 #include "SOSTransport.h"
  29
  30 //
  31 // MARK: User Credential management
  32 //
  33
  34 void SOSAccountSetPreviousPublic(SOSAccountRef account) {
  35     CFReleaseNull(account->previous_public);
  36     account->previous_public = account->user_public;
  37     CFRetain(account->previous_public);
  38 }
  39
  40 static void SOSAccountRemoveInvalidApplications(SOSAccountRef account, SOSCircleRef circle)
  41 {
  42     CFMutableSetRef peersToRemove = CFSetCreateMutableForSOSPeerInfosByID(kCFAllocatorDefault);
  43     SOSCircleForEachApplicant(circle, ^(SOSPeerInfoRef peer) {
  44         if (!SOSPeerInfoApplicationVerify(peer, account->user_public, NULL))
  45             CFSetAddValue(peersToRemove, peer);
  46     });
  47
  48     CFSetForEach(peersToRemove, ^(const void *value) {
  49         SOSPeerInfoRef peer = (SOSPeerInfoRef) value;
  50
  51         SOSCircleWithdrawRequest(circle, peer, NULL);
  52     });
  53 }
  54
  55 static void SOSAccountGenerationSignatureUpdateWith(SOSAccountRef account, SecKeyRef privKey) {
  56     if (account->trusted_circle && account->my_identity &&
  57         SOSCircleHasPeer(account->trusted_circle, SOSFullPeerInfoGetPeerInfo(account->my_identity), NULL) &&
  58         !SOSCircleVerify(account->trusted_circle, account->user_public, NULL)) {
  59         SOSAccountModifyCircle(account, NULL, ^(SOSCircleRef circle) {
  60             SOSAccountRemoveInvalidApplications(account, circle); // We might be updating our signatures so remove, but don't reject applicants
  61
  62             SOSFullPeerInfoRef cloud_fpi = SOSCircleCopyiCloudFullPeerInfoRef(circle, NULL);
  63             require_quiet(cloud_fpi != NULL, gen_sign);
  64             require_quiet(SOSFullPeerInfoUpgradeSignatures(cloud_fpi, privKey, NULL), gen_sign);
  65             if(!SOSCircleUpdatePeerInfo(circle, SOSFullPeerInfoGetPeerInfo(cloud_fpi))) {
  66             }
  67         gen_sign: // finally generation sign this.
  68             SOSCircleGenerationUpdate(circle, privKey, account->my_identity, NULL);
  69             account->departure_code = kSOSNeverLeftCircle;
  70             return (bool) true;
  71         });
  72     }
  73 }
  74
  75 bool SOSAccountGenerationSignatureUpdate(SOSAccountRef account, CFErrorRef *error) {
  76     bool result = false;
  77     SecKeyRef priv_key = SOSAccountGetPrivateCredential(account, error);
  78     require_quiet(priv_key, bail);
  79
  80     SOSAccountGenerationSignatureUpdateWith(account, priv_key);
  81
  82     result = true;
  83 bail:
  84     return result;
  85 }
  86
  87 /* this one is meant to be local - not published over KVS. */
  88 static bool SOSAccountPeerSignatureUpdate(SOSAccountRef account, SecKeyRef privKey, CFErrorRef *error) {
  89     return account->my_identity && SOSFullPeerInfoUpgradeSignatures(account->my_identity, privKey, error);
  90 }
  91
  92
  93 void SOSAccountPurgePrivateCredential(SOSAccountRef account)
  94 {
  95     CFReleaseNull(account->_user_private);
  96     CFReleaseNull(account->_password_tmp);
  97     if (account->user_private_timer) {
  98         dispatch_source_cancel(account->user_private_timer);
  99         dispatch_release(account->user_private_timer);
 100         account->user_private_timer = NULL;
 101         xpc_transaction_end();
 102     }
 103     if (account->lock_notification_token) {
 104         notify_cancel(account->lock_notification_token);
 105         account->lock_notification_token = 0;
 106     }
 107 }
 108
 109
 110 static void SOSAccountSetTrustedUserPublicKey(SOSAccountRef account, bool public_was_trusted, SecKeyRef privKey)
 111 {
 112     if (!privKey) return;
 113     SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey);
 114
 115     if (account->user_public && account->user_public_trusted && CFEqual(publicKey, account->user_public)) return;
 116
 117     if(public_was_trusted && account->user_public) {
 118         CFReleaseNull(account->previous_public);
 119         account->previous_public = account->user_public;
 120         CFRetain(account->previous_public);
 121     }
 122
 123     CFReleaseNull(account->user_public);
 124     account->user_public = publicKey;
 125     account->user_public_trusted = true;
 126
 127     if(!account->previous_public) {
 128         account->previous_public = account->user_public;
 129         CFRetain(account->previous_public);
 130     }
 131
 132         secnotice("keygen", "trusting new public key: %@", account->user_public);
 133 }
 134
 135 void SOSAccountSetUnTrustedUserPublicKey(SOSAccountRef account, SecKeyRef publicKey) {
 136     if(account->user_public_trusted && account->user_public) {
 137         secnotice("keygen", "Moving : %@ to previous_public", account->user_public);
 138         CFRetainAssign(account->previous_public, account->user_public);
 139     }
 140
 141     CFReleaseNull(account->user_public);
 142     account->user_public = publicKey;
 143     account->user_public_trusted = false;
 144
 145     if(!account->previous_public) {
 146         CFRetainAssign(account->previous_public, account->user_public);
 147     }
 148
 149     secnotice("keygen", "not trusting new public key: %@", account->user_public);
 150 }
 151
 152
 153 static void SOSAccountSetPrivateCredential(SOSAccountRef account, SecKeyRef private, CFDataRef password) {
 154     if (!private)
 155         return SOSAccountPurgePrivateCredential(account);
 156
 157     CFRetain(private);
 158     CFReleaseSafe(account->_user_private);
 159     account->_user_private = private;
 160     CFReleaseSafe(account->_password_tmp);
 161     account->_password_tmp = CFDataCreateCopy(kCFAllocatorDefault, password);
 162
 163     bool resume_timer = false;
 164     if (!account->user_private_timer) {
 165         xpc_transaction_begin();
 166         resume_timer = true;
 167         account->user_private_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, account->queue);
 168         dispatch_source_set_event_handler(account->user_private_timer, ^{
 169             SOSAccountPurgePrivateCredential(account);
 170         });
 171
 172         notify_register_dispatch(kUserKeybagStateChangeNotification, &account->lock_notification_token, account->queue, ^(int token) {
 173             bool locked = false;
 174             CFErrorRef lockCheckError = NULL;
 175
 176             if (!SecAKSGetIsLocked(&locked, &lockCheckError)) {
 177                 secerror("Checking for locked after change failed: %@", lockCheckError);
 178             }
 179
 180             if (locked) {
 181                 SOSAccountPurgePrivateCredential(account);
 182             }
 183         });
 184     }
 185
 186     // (Re)set the timer's fire time to now + 120 seconds with a 5 second fuzz factor.
 187     dispatch_time_t purgeTime = dispatch_time(DISPATCH_TIME_NOW, (int64_t)(10 * 60 * NSEC_PER_SEC));
 188     dispatch_source_set_timer(account->user_private_timer, purgeTime, DISPATCH_TIME_FOREVER, (int64_t)(5 * NSEC_PER_SEC));
 189     if (resume_timer)
 190         dispatch_resume(account->user_private_timer);
 191 }
 192
 193 SecKeyRef SOSAccountGetPrivateCredential(SOSAccountRef account, CFErrorRef* error)
 194 {
 195     if (account->_user_private == NULL) {
 196         SOSCreateError(kSOSErrorPrivateKeyAbsent, CFSTR("Private Key not available - failed to prompt user recently"), NULL, error);
 197     }
 198     return account->_user_private;
 199 }
 200
 201 CFDataRef SOSAccountGetCachedPassword(SOSAccountRef account, CFErrorRef* error)
 202 {
 203     if (account->_password_tmp == NULL) {
 204         secnotice("keygen", "Password cache expired");
 205     }
 206     return account->_password_tmp;
 207 }
 208
 209
 210 bool SOSAccountHasPublicKey(SOSAccountRef account, CFErrorRef* error)
 211 {
 212     if (account->user_public == NULL || account->user_public_trusted == false) {
 213         SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Public Key not available - failed to register before call"), NULL, error);
 214         return false;
 215     }
 216
 217     return true;
 218 }
 219
 220 static void sosAccountSetTrustedCredentials(SOSAccountRef account, CFDataRef user_password, SecKeyRef user_private, bool public_was_trusted) {
 221     (void) SOSAccountPeerSignatureUpdate(account, user_private, NULL);
 222     SOSAccountSetTrustedUserPublicKey(account, public_was_trusted, user_private);
 223     SOSAccountSetPrivateCredential(account, user_private, user_password);
 224 }
 225
 226 static bool sosAccountValidatePasswordOrFail(SOSAccountRef account, CFDataRef user_password, CFErrorRef *error) {
 227     bool public_was_trusted = account->user_public_trusted;
 228     account->user_public_trusted = false;
 229     SecKeyRef user_private = NULL;
 230
 231     if (account->user_public && account->user_key_parameters) {
 232         // We have an untrusted public key – see if our generation makes the same key:
 233         // if so we trust it and we have the private key.
 234         // if not we still don't trust it.
 235         require_quiet(user_private = SOSUserKeygen(user_password, account->user_key_parameters, error), errOut);
 236         SecKeyRef public_candidate = SecKeyCreatePublicFromPrivate(user_private);
 237
 238         if (!CFEqualSafe(account->user_public, public_candidate)) { // We don't trust the account->user_public
 239             secnotice("keygen", "Public keys don't match:  expected: %@, calculated: %@", account->user_public, public_candidate);
 240             debugDumpUserParameters(CFSTR("params"), account->user_key_parameters);
 241         } else {                                                    // We trust the account->user_public
 242             sosAccountSetTrustedCredentials(account, user_password, user_private, public_was_trusted);
 243         }
 244         CFReleaseNull(user_private);
 245         CFReleaseSafe(public_candidate);
 246     }
 247 errOut:
 248     return account->user_public_trusted;
 249 }
 250
 251 bool SOSAccountAssertUserCredentials(SOSAccountRef account, CFStringRef user_account __unused, CFDataRef user_password, CFErrorRef *error)
 252 {
 253     bool public_was_trusted = account->user_public_trusted;
 254     account->user_public_trusted = false;
 255     SecKeyRef user_private = NULL;
 256
 257     if (!sosAccountValidatePasswordOrFail(account, user_password, error)) {
 258         // We may or may not have parameters here.
 259         // In any case we tried using them and they didn't match
 260         // So forget all that and start again, assume we're the first to push anything useful.
 261
 262         if (CFDataGetLength(user_password) > 20) {
 263             secwarning("Long password (>20 byte utf8) being used to derive account key – this may be a PET by mistake!!");
 264         }
 265
 266         CFReleaseNull(account->user_key_parameters);
 267         account->user_key_parameters = SOSUserKeyCreateGenerateParameters(error);
 268         require_quiet(user_private = SOSUserKeygen(user_password, account->user_key_parameters, error), errOut);
 269
 270         sosAccountSetTrustedCredentials(account, user_password, user_private, public_was_trusted);
 271
 272         CFErrorRef publishError = NULL;
 273         if (!SOSAccountPublishCloudParameters(account, &publishError))
 274             secerror("Failed to publish new cloud parameters: %@", publishError);
 275
 276         CFReleaseSafe(publishError);
 277     }
 278
 279 errOut:
 280     SOSUpdateKeyInterest();
 281
 282     CFReleaseSafe(user_private);
 283
 284     return account->user_public_trusted;
 285 }
 286
 287
 288 bool SOSAccountTryUserCredentials(SOSAccountRef account, CFStringRef user_account __unused, CFDataRef user_password, CFErrorRef *error)
 289 {
 290     bool success = false;
 291
 292     if (!SOSAccountHasPublicKey(account, error))
 293         return false;
 294
 295     if (account->user_key_parameters) {
 296         SecKeyRef new_key = SOSUserKeygen(user_password, account->user_key_parameters, error);
 297         if (new_key) {
 298             SecKeyRef new_public_key = SecKeyCreatePublicFromPrivate(new_key);
 299
 300             if (CFEqualSafe(new_public_key, account->user_public)) {
 301                 SOSAccountSetPrivateCredential(account, new_key, user_password);
 302                 success = true;
 303             } else {
 304                 SOSCreateError(kSOSErrorWrongPassword, CFSTR("Password passed in incorrect: ▇█████▇▇██"), NULL, error);
 305             }
 306             CFReleaseSafe(new_public_key);
 307             CFReleaseSafe(new_key);
 308         }
 309     } else {
 310         SOSCreateError(kSOSErrorProcessingFailure, CFSTR("Have public key but no parameters??"), NULL, error);
 311     }
 312
 313     return success;
 314 }
 315
 316 bool SOSAccountRetryUserCredentials(SOSAccountRef account) {
 317     CFDataRef cached_password = SOSAccountGetCachedPassword(account, NULL);
 318     return (cached_password != NULL) && sosAccountValidatePasswordOrFail(account, cached_password, NULL);
 319 }
 320
 321
 322