2 * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 * SOSCircle.c - Implementation of the secure object syncing transport
29 #include <AssertMacros.h>
31 #include <CoreFoundation/CFArray.h>
32 #include <Security/SecureObjectSync/SOSCircle.h>
33 #include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
34 #include <Security/SecureObjectSync/SOSInternal.h>
35 #include <Security/SecureObjectSync/SOSEngine.h>
36 #include <Security/SecureObjectSync/SOSPeer.h>
37 #include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
38 #include <Security/SecureObjectSync/SOSGenCount.h>
39 #include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
40 #include <Security/SecureObjectSync/SOSGenCount.h>
41 #include <CoreFoundation/CoreFoundation.h>
42 #include <Security/SecFramework.h>
44 #include <Security/SecKey.h>
45 #include <Security/SecKeyPriv.h>
47 #include <utilities/SecCFWrappers.h>
48 #include <Security/SecureObjectSync/SOSCirclePriv.h>
50 //#include "ckdUtilities.h"
52 #include <corecrypto/ccder.h>
53 #include <corecrypto/ccdigest.h>
54 #include <corecrypto/ccsha2.h>
59 CFGiblisWithCompareFor(SOSCircle
);
61 SOSCircleRef
SOSCircleCreate(CFAllocatorRef allocator
, CFStringRef name
, CFErrorRef
*error
) {
62 SOSCircleRef c
= CFTypeAllocate(SOSCircle
, struct __OpaqueSOSCircle
, allocator
);
67 c
->name
= CFStringCreateCopy(allocator
, name
);
68 c
->generation
= CFNumberCreate(allocator
, kCFNumberSInt64Type
, &gen
);
69 c
->peers
= CFSetCreateMutableForSOSPeerInfosByID(allocator
);
70 c
->applicants
= CFSetCreateMutableForSOSPeerInfosByID(allocator
);
71 c
->rejected_applicants
= CFSetCreateMutableForSOSPeerInfosByID(allocator
);
72 c
->signatures
= CFDictionaryCreateMutableForCFTypes(allocator
);
76 static CFNumberRef
SOSCircleGenerationCopy(CFNumberRef generation
) {
78 CFAllocatorRef allocator
= CFGetAllocator(generation
);
79 CFNumberGetValue(generation
, kCFNumberSInt64Type
, &value
);
80 return CFNumberCreate(allocator
, kCFNumberSInt64Type
, &value
);
83 static CFMutableSetRef
CFSetOfPeerInfoDeepCopy(CFAllocatorRef allocator
, CFSetRef peerInfoSet
)
85 __block CFMutableSetRef result
= CFSetCreateMutableForSOSPeerInfosByID(allocator
);
86 CFSetForEach(peerInfoSet
, ^(const void *value
) {
87 SOSPeerInfoRef pi
= (SOSPeerInfoRef
) value
;
88 CFErrorRef localError
= NULL
;
89 SOSPeerInfoRef copiedPeer
= SOSPeerInfoCreateCopy(allocator
, pi
, &localError
);
91 CFSetAddValue(result
, copiedPeer
);
93 secerror("Failed to copy peer: %@ (%@)", pi
, localError
);
95 CFReleaseSafe(copiedPeer
);
96 CFReleaseSafe(localError
);
101 SOSCircleRef
SOSCircleCopyCircle(CFAllocatorRef allocator
, SOSCircleRef otherCircle
, CFErrorRef
*error
)
103 SOSCircleRef c
= CFTypeAllocate(SOSCircle
, struct __OpaqueSOSCircle
, allocator
);
106 c
->name
= CFStringCreateCopy(allocator
, otherCircle
->name
);
107 c
->generation
= SOSCircleGenerationCopy(otherCircle
->generation
);
109 c
->peers
= CFSetOfPeerInfoDeepCopy(allocator
, otherCircle
->peers
);
110 c
->applicants
= CFSetOfPeerInfoDeepCopy(allocator
, otherCircle
->applicants
);
111 c
->rejected_applicants
= CFSetOfPeerInfoDeepCopy(allocator
, otherCircle
->rejected_applicants
);
113 c
->signatures
= CFDictionaryCreateMutableCopy(allocator
, 0, otherCircle
->signatures
);
118 static Boolean
SOSCircleCompare(CFTypeRef lhs
, CFTypeRef rhs
) {
119 if (CFGetTypeID(lhs
) != SOSCircleGetTypeID()
120 || CFGetTypeID(rhs
) != SOSCircleGetTypeID())
123 SOSCircleRef left
= SOSCircleConvertAndAssertStable(lhs
);
124 SOSCircleRef right
= SOSCircleConvertAndAssertStable(rhs
);
126 // TODO: we should be doing set equality for peers and applicants.
127 return NULL
!= left
&& NULL
!= right
128 && CFEqualSafe(left
->generation
, right
->generation
)
129 && SOSPeerInfoSetContainsIdenticalPeers(left
->peers
, right
->peers
)
130 && SOSPeerInfoSetContainsIdenticalPeers(left
->applicants
, right
->applicants
)
131 && SOSPeerInfoSetContainsIdenticalPeers(left
->rejected_applicants
, right
->rejected_applicants
)
132 && CFEqualSafe(left
->signatures
, right
->signatures
);
135 static CFMutableArrayRef
CFSetCopyValuesCFArray(CFSetRef set
)
137 CFIndex count
= CFSetGetCount(set
);
139 CFMutableArrayRef result
= CFArrayCreateMutableForCFTypes(kCFAllocatorDefault
);
141 const void * values
[count
];
142 CFSetGetValues(set
, values
);
143 for (int current
= 0; current
< count
; ++current
) {
144 CFArrayAppendValue(result
, values
[current
]);
151 static bool SOSCircleDigestArray(const struct ccdigest_info
*di
, CFMutableArrayRef array
, void *hash_result
, CFErrorRef
*error
)
153 __block
bool success
= true;
154 ccdigest_di_decl(di
, array_digest
);
155 const void * a_digest
= array_digest
;
157 ccdigest_init(di
, array_digest
);
158 CFArraySortValues(array
, CFRangeMake(0, CFArrayGetCount(array
)), SOSPeerInfoCompareByID
, SOSPeerCmpPubKeyHash
);
159 CFArrayForEach(array
, ^(const void *peer
) {
160 if (!SOSPeerInfoUpdateDigestWithPublicKeyBytes((SOSPeerInfoRef
)peer
, di
, a_digest
, error
))
163 ccdigest_final(di
, array_digest
, hash_result
);
168 static bool SOSCircleDigestSet(const struct ccdigest_info
*di
, CFMutableSetRef set
, void *hash_result
, CFErrorRef
*error
)
170 CFMutableArrayRef values
= CFSetCopyValuesCFArray(set
);
172 bool result
= SOSCircleDigestArray(di
, values
, hash_result
, error
);
174 CFReleaseSafe(values
);
180 static bool SOSCircleHash(const struct ccdigest_info
*di
, SOSCircleRef circle
, void *hash_result
, CFErrorRef
*error
) {
181 ccdigest_di_decl(di
, circle_digest
);
182 ccdigest_init(di
, circle_digest
);
183 int64_t gen
= SOSCircleGetGenerationSint(circle
);
184 ccdigest_update(di
, circle_digest
, sizeof(gen
), &gen
);
186 SOSCircleDigestSet(di
, circle
->peers
, hash_result
, error
);
187 ccdigest_update(di
, circle_digest
, di
->output_size
, hash_result
);
188 ccdigest_final(di
, circle_digest
, hash_result
);
192 static bool SOSCircleSetSignature(SOSCircleRef circle
, SecKeyRef pubkey
, CFDataRef signature
, CFErrorRef
*error
) {
195 CFStringRef pubKeyID
= SOSCopyIDOfKey(pubkey
, error
);
196 require_quiet(pubKeyID
, fail
);
197 CFDictionarySetValue(circle
->signatures
, pubKeyID
, signature
);
201 CFReleaseSafe(pubKeyID
);
205 static bool SOSCircleRemoveSignatures(SOSCircleRef circle
, CFErrorRef
*error
) {
206 CFDictionaryRemoveAllValues(circle
->signatures
);
210 static CFDataRef
SOSCircleGetSignature(SOSCircleRef circle
, SecKeyRef pubkey
, CFErrorRef
*error
) {
211 CFStringRef pubKeyID
= SOSCopyIDOfKey(pubkey
, error
);
212 CFDataRef result
= NULL
;
213 require_quiet(pubKeyID
, fail
);
215 CFTypeRef value
= (CFDataRef
)CFDictionaryGetValue(circle
->signatures
, pubKeyID
);
217 if (isData(value
)) result
= (CFDataRef
) value
;
220 CFReleaseSafe(pubKeyID
);
224 bool SOSCircleSign(SOSCircleRef circle
, SecKeyRef privKey
, CFErrorRef
*error
) {
225 if (!privKey
) return false; // Really assertion but not always true for now.
226 CFAllocatorRef allocator
= CFGetAllocator(circle
);
228 size_t tmplen
= 4096;
229 const struct ccdigest_info
*di
= ccsha256_di();
230 uint8_t hash_result
[di
->output_size
];
232 SOSCircleHash(di
, circle
, hash_result
, error
);
233 OSStatus stat
= SecKeyRawSign(privKey
, kSecPaddingNone
, hash_result
, di
->output_size
, tmp
, &tmplen
);
235 // TODO - Create a CFErrorRef;
236 secerror("Bad Circle SecKeyRawSign, stat: %ld", (long)stat
);
237 SOSCreateError(kSOSErrorBadFormat
, CFSTR("Bad Circle SecKeyRawSign"), (error
!= NULL
) ? *error
: NULL
, error
);
240 CFDataRef signature
= CFDataCreate(allocator
, tmp
, tmplen
);
241 SecKeyRef publicKey
= SecKeyCreatePublicFromPrivate(privKey
);
242 SOSCircleSetSignature(circle
, publicKey
, signature
, error
);
243 CFReleaseNull(publicKey
);
244 CFRelease(signature
);
248 static bool SOSCircleConcordanceRingSign(SOSCircleRef circle
, SecKeyRef privKey
, CFErrorRef
*error
) {
249 secnotice("Development", "SOSCircleEnsureRingConsistency requires ring signing op", NULL
);
254 bool SOSCircleVerifySignatureExists(SOSCircleRef circle
, SecKeyRef pubKey
, CFErrorRef
*error
) {
257 secerror("SOSCircleVerifySignatureExists no pubKey");
258 SOSCreateError(kSOSErrorBadFormat
, CFSTR("SOSCircleVerifySignatureExists no pubKey"), (error
!= NULL
) ? *error
: NULL
, error
);
261 CFDataRef signature
= SOSCircleGetSignature(circle
, pubKey
, error
);
262 return NULL
!= signature
;
265 bool SOSCircleVerify(SOSCircleRef circle
, SecKeyRef pubKey
, CFErrorRef
*error
) {
266 const struct ccdigest_info
*di
= ccsha256_di();
267 uint8_t hash_result
[di
->output_size
];
269 SOSCircleHash(di
, circle
, hash_result
, error
);
271 CFDataRef signature
= SOSCircleGetSignature(circle
, pubKey
, error
);
272 if(!signature
) return false;
274 return SecKeyRawVerify(pubKey
, kSecPaddingNone
, hash_result
, di
->output_size
,
275 CFDataGetBytePtr(signature
), CFDataGetLength(signature
)) == errSecSuccess
;
278 bool SOSCircleVerifyPeerSigned(SOSCircleRef circle
, SOSPeerInfoRef peer
, CFErrorRef
*error
) {
279 SecKeyRef pub_key
= SOSPeerInfoCopyPubKey(peer
);
280 bool result
= SOSCircleVerify(circle
, pub_key
, error
);
281 CFReleaseSafe(pub_key
);
285 static void CFSetRemoveAllPassing(CFMutableSetRef set
, bool (^test
)(const void *) ){
286 CFMutableArrayRef toBeRemoved
= CFArrayCreateMutable(kCFAllocatorDefault
, 0, NULL
);
288 CFSetForEach(set
, ^(const void *value
) {
290 CFArrayAppendValue(toBeRemoved
, value
);
293 CFArrayForEach(toBeRemoved
, ^(const void *value
) {
294 CFSetRemoveValue(set
, value
);
296 CFReleaseNull(toBeRemoved
);
299 static void SOSCircleRejectNonValidApplicants(SOSCircleRef circle
, SecKeyRef pubkey
) {
300 CFMutableSetRef applicants
= SOSCircleCopyApplicants(circle
, NULL
);
301 CFSetForEach(applicants
, ^(const void *value
) {
302 SOSPeerInfoRef pi
= (SOSPeerInfoRef
) value
;
303 if(!SOSPeerInfoApplicationVerify(pi
, pubkey
, NULL
)) {
304 CFSetTransferObject(pi
, circle
->applicants
, circle
->rejected_applicants
);
307 CFReleaseNull(applicants
);
310 static SOSPeerInfoRef
SOSCircleCopyPeerInfo(SOSCircleRef circle
, CFStringRef peer_id
, CFErrorRef
*error
) {
311 __block SOSPeerInfoRef result
= NULL
;
313 CFSetForEach(circle
->peers
, ^(const void *value
) {
314 if (result
== NULL
) {
315 SOSPeerInfoRef tpi
= (SOSPeerInfoRef
)value
;
316 if (CFEqual(SOSPeerInfoGetPeerID(tpi
), peer_id
))
321 CFRetainSafe(result
);
325 static bool SOSCircleUpgradePeerInfo(SOSCircleRef circle
, SecKeyRef user_approver
, SOSFullPeerInfoRef peerinfo
) {
327 SecKeyRef userPubKey
= SecKeyCreatePublicFromPrivate(user_approver
);
328 SOSPeerInfoRef fpi_pi
= SOSFullPeerInfoGetPeerInfo(peerinfo
);
329 SOSPeerInfoRef pi
= SOSCircleCopyPeerInfo(circle
, SOSPeerInfoGetPeerID(fpi_pi
), NULL
);
330 require_quiet(pi
, out
);
331 require_quiet(SOSPeerInfoApplicationVerify(pi
, userPubKey
, NULL
), re_sign
);
332 CFReleaseNull(userPubKey
);
337 secnotice("circle", "SOSCircleGenerationSign: Upgraded peer's Application Signature");
338 SecKeyRef device_key
= SOSFullPeerInfoCopyDeviceKey(peerinfo
, NULL
);
339 require_quiet(device_key
, out
);
340 SOSPeerInfoRef new_pi
= SOSPeerInfoCopyAsApplication(pi
, user_approver
, device_key
, NULL
);
341 if(SOSCircleUpdatePeerInfo(circle
, new_pi
))
343 CFReleaseNull(new_pi
);
344 CFReleaseNull(device_key
);
346 CFReleaseNull(userPubKey
);
351 static bool SOSCircleEnsureRingConsistency(SOSCircleRef circle
, CFErrorRef
*error
) {
352 secnotice("Development", "SOSCircleEnsureRingConsistency requires ring membership and generation count consistency check", NULL
);
356 bool SOSCircleSignOldStyleResetToOfferingCircle(SOSCircleRef circle
, SOSFullPeerInfoRef peerinfo
, SecKeyRef user_approver
, CFErrorRef
*error
){
358 SecKeyRef ourKey
= SOSFullPeerInfoCopyDeviceKey(peerinfo
, error
);
359 SecKeyRef publicKey
= NULL
;
360 require_quiet(ourKey
, fail
);
362 // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded".
363 require_quiet(SOSCircleUpgradePeerInfo(circle
, user_approver
, peerinfo
), fail
);
364 SOSCircleRemoveRetired(circle
, error
); // Prune off retirees since we're signing this one
365 CFSetRemoveAllValues(circle
->rejected_applicants
); // Dump rejects so we clean them up sometime.
366 publicKey
= SecKeyCreatePublicFromPrivate(user_approver
);
367 SOSCircleRejectNonValidApplicants(circle
, publicKey
);
368 require_quiet(SOSCircleEnsureRingConsistency(circle
, error
), fail
);
369 require_quiet(SOSCircleRemoveSignatures(circle
, error
), fail
);
370 require_quiet(SOSCircleSign(circle
, user_approver
, error
), fail
);
371 require_quiet(SOSCircleSign(circle
, ourKey
, error
), fail
);
373 CFReleaseNull(ourKey
);
374 CFReleaseNull(publicKey
);
378 CFReleaseNull(ourKey
);
379 CFReleaseNull(publicKey
);
384 bool SOSCircleGenerationSign(SOSCircleRef circle
, SecKeyRef user_approver
, SOSFullPeerInfoRef peerinfo
, CFErrorRef
*error
) {
385 SecKeyRef ourKey
= SOSFullPeerInfoCopyDeviceKey(peerinfo
, error
);
386 SecKeyRef publicKey
= NULL
;
387 require_quiet(ourKey
, fail
);
389 // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded".
390 require_quiet(SOSCircleUpgradePeerInfo(circle
, user_approver
, peerinfo
), fail
);
391 SOSCircleRemoveRetired(circle
, error
); // Prune off retirees since we're signing this one
392 CFSetRemoveAllValues(circle
->rejected_applicants
); // Dump rejects so we clean them up sometime.
393 publicKey
= SecKeyCreatePublicFromPrivate(user_approver
);
394 SOSCircleRejectNonValidApplicants(circle
, publicKey
);
395 SOSCircleGenerationIncrement(circle
);
396 require_quiet(SOSCircleEnsureRingConsistency(circle
, error
), fail
);
397 require_quiet(SOSCircleRemoveSignatures(circle
, error
), fail
);
398 require_quiet(SOSCircleSign(circle
, user_approver
, error
), fail
);
399 require_quiet(SOSCircleSign(circle
, ourKey
, error
), fail
);
401 CFReleaseNull(ourKey
);
402 CFReleaseNull(publicKey
);
406 CFReleaseNull(ourKey
);
407 CFReleaseNull(publicKey
);
411 bool SOSCircleGenerationUpdate(SOSCircleRef circle
, SecKeyRef user_approver
, SOSFullPeerInfoRef peerinfo
, CFErrorRef
*error
) {
413 return SOSCircleGenerationSign(circle
, user_approver
, peerinfo
, error
);
416 bool success
= false;
418 SecKeyRef ourKey
= SOSFullPeerInfoCopyDeviceKey(peerinfo
, error
);
419 require_quiet(ourKey
, fail
);
421 require_quiet(SOSCircleSign(circle
, user_approver
, error
), fail
);
422 require_quiet(SOSCircleSign(circle
, ourKey
, error
), fail
);
427 CFReleaseNull(ourKey
);
432 bool SOSCircleConcordanceSign(SOSCircleRef circle
, SOSFullPeerInfoRef peerinfo
, CFErrorRef
*error
) {
433 bool success
= false;
434 SecKeyRef ourKey
= SOSFullPeerInfoCopyDeviceKey(peerinfo
, error
);
435 require_quiet(ourKey
, exit
);
437 success
= SOSCircleSign(circle
, ourKey
, error
);
438 SOSCircleConcordanceRingSign(circle
, ourKey
, error
);
441 CFReleaseNull(ourKey
);
445 static inline SOSConcordanceStatus
CheckPeerStatus(SOSCircleRef circle
, SOSPeerInfoRef peer
, SecKeyRef user_public_key
, CFErrorRef
*error
) {
446 SOSConcordanceStatus result
= kSOSConcordanceNoPeer
;
447 SecKeyRef pubKey
= SOSPeerInfoCopyPubKey(peer
);
449 require_action_quiet(SOSCircleHasActiveValidPeer(circle
, peer
, user_public_key
, error
), exit
, result
= kSOSConcordanceNoPeer
);
450 require_action_quiet(SOSCircleVerifySignatureExists(circle
, pubKey
, error
), exit
, result
= kSOSConcordanceNoPeerSig
);
451 require_action_quiet(SOSCircleVerify(circle
, pubKey
, error
), exit
, result
= kSOSConcordanceBadPeerSig
);
453 result
= kSOSConcordanceTrusted
;
456 CFReleaseNull(pubKey
);
460 static inline SOSConcordanceStatus
CombineStatus(SOSConcordanceStatus status1
, SOSConcordanceStatus status2
)
462 if (status1
== kSOSConcordanceTrusted
|| status2
== kSOSConcordanceTrusted
)
463 return kSOSConcordanceTrusted
;
465 if (status1
== kSOSConcordanceBadPeerSig
|| status2
== kSOSConcordanceBadPeerSig
)
466 return kSOSConcordanceBadPeerSig
;
468 if (status1
== kSOSConcordanceNoPeerSig
|| status2
== kSOSConcordanceNoPeerSig
)
469 return kSOSConcordanceNoPeerSig
;
474 static inline bool SOSCircleIsEmpty(SOSCircleRef circle
) {
475 return SOSCircleCountPeers(circle
) == 0;
478 static inline bool SOSCircleIsOffering(SOSCircleRef circle
) {
479 return SOSCircleCountPeers(circle
) == 1;
482 static inline bool SOSCircleHasDegenerateGeneration(SOSCircleRef deGenCircle
){
484 CFNumberRef genCountTest
= SOSCircleGetGeneration(deGenCircle
);
485 CFNumberGetValue(genCountTest
, kCFNumberCFIndexType
, &testPtr
);
486 return (testPtr
== 0);
490 static inline bool SOSCircleIsDegenerateReset(SOSCircleRef deGenCircle
){
491 return SOSCircleHasDegenerateGeneration(deGenCircle
) && SOSCircleIsEmpty(deGenCircle
);
495 __unused
static inline bool SOSCircleIsResignOffering(SOSCircleRef circle
, SecKeyRef pubkey
) {
496 return SOSCircleCountActiveValidPeers(circle
, pubkey
) == 1;
499 static inline SOSConcordanceStatus
GetSignersStatus(SOSCircleRef signers_circle
, SOSCircleRef status_circle
,
500 SecKeyRef user_pubKey
, SOSPeerInfoRef exclude
, CFErrorRef
*error
) {
501 CFStringRef excluded_id
= exclude
? SOSPeerInfoGetPeerID(exclude
) : NULL
;
503 __block SOSConcordanceStatus status
= kSOSConcordanceNoPeer
;
504 SOSCircleForEachActivePeer(signers_circle
, ^(SOSPeerInfoRef peer
) {
505 SOSConcordanceStatus peerStatus
= CheckPeerStatus(status_circle
, peer
, user_pubKey
, error
);
507 if (peerStatus
== kSOSConcordanceNoPeerSig
&&
508 (CFEqualSafe(SOSPeerInfoGetPeerID(peer
), excluded_id
) || SOSPeerInfoIsCloudIdentity(peer
)))
509 peerStatus
= kSOSConcordanceNoPeer
;
511 status
= CombineStatus(status
, peerStatus
); // TODO: Use multiple error gathering.
517 // Is proposed older than current?
518 static inline bool isOlderGeneration(SOSCircleRef current
, SOSCircleRef proposed
) {
519 return CFNumberCompare(current
->generation
, proposed
->generation
, NULL
) == kCFCompareGreaterThan
;
522 static inline bool SOSCircleIsValidReset(SOSCircleRef current
, SOSCircleRef proposed
) {
523 return (!isOlderGeneration(current
, proposed
)) && SOSCircleIsEmpty(proposed
); // is current older or equal to proposed and is proposed empty
527 bool SOSCircleSharedTrustedPeers(SOSCircleRef current
, SOSCircleRef proposed
, SOSPeerInfoRef me
) {
528 __block
bool retval
= false;
529 SOSCircleForEachPeer(current
, ^(SOSPeerInfoRef peer
) {
530 if(!CFEqual(me
, peer
) && SOSCircleHasPeer(proposed
, peer
, NULL
)) retval
= true;
536 SOSConcordanceStatus
SOSCircleConcordanceTrust(SOSCircleRef known_circle
, SOSCircleRef proposed_circle
,
537 SecKeyRef known_pubkey
, SecKeyRef user_pubkey
,
538 SOSPeerInfoRef me
, CFErrorRef
*error
) {
539 if(user_pubkey
== NULL
) {
540 SOSCreateError(kSOSErrorPublicKeyAbsent
, CFSTR("Concordance with no public key"), NULL
, error
);
541 return kSOSConcordanceNoUserKey
; //TODO: - needs to return an error
544 if(SOSCircleIsDegenerateReset(proposed_circle
)) {
545 return kSOSConcordanceTrusted
;
548 if (SOSCircleIsValidReset(known_circle
, proposed_circle
)) {
549 return kSOSConcordanceTrusted
;
552 if(!SOSCircleVerifySignatureExists(proposed_circle
, user_pubkey
, error
)) {
553 SOSCreateError(kSOSErrorBadSignature
, CFSTR("No public signature"), (error
!= NULL
) ? *error
: NULL
, error
);
554 return kSOSConcordanceNoUserSig
;
557 if(!SOSCircleVerify(proposed_circle
, user_pubkey
, error
)) {
558 SOSCreateError(kSOSErrorBadSignature
, CFSTR("Bad public signature"), (error
!= NULL
) ? *error
: NULL
, error
);
559 debugDumpCircle(CFSTR("proposed_circle"), proposed_circle
);
560 return kSOSConcordanceBadUserSig
;
563 if (SOSCircleIsEmpty(known_circle
)) {
564 return GetSignersStatus(proposed_circle
, proposed_circle
, user_pubkey
, NULL
, error
);
567 if(SOSCircleHasDegenerateGeneration(proposed_circle
) && SOSCircleIsOffering(proposed_circle
)){
568 return GetSignersStatus(proposed_circle
, proposed_circle
, user_pubkey
, NULL
, error
);
571 if(isOlderGeneration(known_circle
, proposed_circle
)) {
572 SOSCreateError(kSOSErrorReplay
, CFSTR("Bad generation"), NULL
, error
);
573 debugDumpCircle(CFSTR("isOlderGeneration known_circle"), known_circle
);
574 debugDumpCircle(CFSTR("isOlderGeneration proposed_circle"), proposed_circle
);
575 return kSOSConcordanceGenOld
;
578 if(SOSCircleIsOffering(proposed_circle
)){
579 return GetSignersStatus(proposed_circle
, proposed_circle
, user_pubkey
, NULL
, error
);
582 return GetSignersStatus(known_circle
, proposed_circle
, user_pubkey
, me
, error
);
586 static void SOSCircleDestroy(CFTypeRef aObj
) {
587 SOSCircleRef c
= (SOSCircleRef
) aObj
;
589 CFReleaseNull(c
->name
);
590 CFReleaseNull(c
->generation
);
591 CFReleaseNull(c
->peers
);
592 CFReleaseNull(c
->applicants
);
593 CFReleaseNull(c
->rejected_applicants
);
594 CFReleaseNull(c
->signatures
);
597 static CFMutableStringRef
defaultDescription(CFTypeRef aObj
){
598 SOSCircleRef c
= (SOSCircleRef
) aObj
;
600 CFMutableStringRef description
= CFStringCreateMutable(kCFAllocatorDefault
, 0);
602 SOSGenerationCountWithDescription(c
->generation
, ^(CFStringRef genDescription
) {
603 CFStringAppendFormat(description
, NULL
, CFSTR("<SOSCircle@%p: '%@' %@ P:["), c
, c
->name
, genDescription
);
606 __block CFStringRef separator
= CFSTR("");
607 SOSCircleForEachActivePeer(c
, ^(SOSPeerInfoRef peer
) {
608 CFStringRef sig
= NULL
;
609 if (SOSCircleVerifyPeerSigned(c
, peer
, NULL
)) {
612 SecKeyRef pub_key
= SOSPeerInfoCopyPubKey(peer
);
613 CFDataRef signature
= SOSCircleGetSignature(c
, pub_key
, NULL
);
614 sig
= (signature
== NULL
) ? CFSTR("-") : CFSTR("?");
615 CFReleaseNull(pub_key
);
618 CFStringAppendFormat(description
, NULL
, CFSTR("%@%@ %@"), separator
, peer
, sig
);
619 separator
= CFSTR(",");
623 CFStringAppend(description
, CFSTR("], A:["));
624 separator
= CFSTR("");
625 if(CFSetGetCount(c
->applicants
) == 0 )
626 CFStringAppendFormat(description
, NULL
, CFSTR("-"));
629 SOSCircleForEachApplicant(c
, ^(SOSPeerInfoRef peer
) {
630 CFStringAppendFormat(description
, NULL
, CFSTR("%@%@"), separator
, peer
);
631 separator
= CFSTR(",");
636 CFStringAppend(description
, CFSTR("], R:["));
637 separator
= CFSTR("");
638 if(CFSetGetCount(c
->rejected_applicants
) == 0)
639 CFStringAppendFormat(description
, NULL
, CFSTR("-"));
641 CFSetForEach(c
->rejected_applicants
, ^(const void *value
) {
642 SOSPeerInfoRef peer
= (SOSPeerInfoRef
) value
;
643 CFStringAppendFormat(description
, NULL
, CFSTR("%@%@"), separator
, peer
);
644 separator
= CFSTR(",");
647 CFStringAppend(description
, CFSTR("]>"));
651 static CFMutableStringRef
descriptionWithFormatOptions(CFTypeRef aObj
, CFDictionaryRef formatOptions
){
652 SOSCircleRef c
= (SOSCircleRef
) aObj
;
654 CFMutableStringRef description
= CFStringCreateMutable(kCFAllocatorDefault
, 0);
656 if(CFDictionaryContainsKey(formatOptions
, CFSTR("SyncD"))) {
657 CFStringRef generationDescription
= SOSGenerationCountCopyDescription(c
->generation
);
658 CFStringAppendFormat(description
, NULL
, CFSTR("<C: gen:'%@' %@>\n"), generationDescription
, c
->name
);
659 CFReleaseNull(generationDescription
);
660 __block CFStringRef separator
= CFSTR("\t\t");
661 SOSCircleForEachActivePeer(c
, ^(SOSPeerInfoRef peer
) {
662 CFStringRef sig
= NULL
;
663 if (SOSCircleVerifyPeerSigned(c
, peer
, NULL
)) {
666 SecKeyRef pub_key
= SOSPeerInfoCopyPubKey(peer
);
667 CFDataRef signature
= SOSCircleGetSignature(c
, pub_key
, NULL
);
668 sig
= (signature
== NULL
) ? CFSTR("-") : CFSTR("?");
669 CFReleaseNull(pub_key
);
672 CFStringAppendFormat(description
, formatOptions
, CFSTR("%@%@ %@"), separator
, peer
, sig
);
673 separator
= CFSTR("\n\t\t");
675 CFStringAppend(description
, CFSTR("\n\t\t<A:["));
676 separator
= CFSTR("");
679 if(CFSetGetCount(c
->applicants
) == 0 )
680 CFStringAppendFormat(description
, NULL
, CFSTR("-"));
683 SOSCircleForEachApplicant(c
, ^(SOSPeerInfoRef peer
) {
684 CFStringAppendFormat(description
, formatOptions
, CFSTR("%@A: %@"), separator
, peer
);
685 separator
= CFSTR("\n\t\t\t");
689 CFStringAppend(description
, CFSTR("]> \n\t\t<R:["));
690 separator
= CFSTR("");
691 if(CFSetGetCount(c
->rejected_applicants
) == 0)
692 CFStringAppendFormat(description
, NULL
, CFSTR("-"));
694 CFSetForEach(c
->rejected_applicants
, ^(const void *value
) {
695 SOSPeerInfoRef peer
= (SOSPeerInfoRef
) value
;
696 CFStringAppendFormat(description
, formatOptions
, CFSTR("%@R: %@"), separator
, peer
);
697 separator
= CFSTR("\n\t\t");
700 CFStringAppend(description
, CFSTR("]>"));
704 CFReleaseNull(description
);
705 description
= defaultDescription(aObj
);
713 static CFStringRef
SOSCircleCopyFormatDescription(CFTypeRef aObj
, CFDictionaryRef formatOptions
) {
714 SOSCircleRef c
= (SOSCircleRef
) aObj
;
715 SOSCircleAssertStable(c
);
716 CFMutableStringRef description
= NULL
;
718 if(formatOptions
!= NULL
){
719 description
= descriptionWithFormatOptions(aObj
, formatOptions
);
722 description
= defaultDescription(aObj
);
727 CFStringRef
SOSCircleGetName(SOSCircleRef circle
) {
729 assert(circle
->name
);
733 const char *SOSCircleGetNameC(SOSCircleRef circle
) {
734 CFStringRef name
= SOSCircleGetName(circle
);
737 return CFStringToCString(name
);
740 CFNumberRef
SOSCircleGetGeneration(SOSCircleRef circle
) {
742 assert(circle
->generation
);
743 return circle
->generation
;
746 void SOSCircleSetGeneration(SOSCircleRef circle
, CFNumberRef gencount
) {
748 CFReleaseNull(circle
->generation
);
749 circle
->generation
= CFRetainSafe(gencount
);
752 int64_t SOSCircleGetGenerationSint(SOSCircleRef circle
) {
753 CFNumberRef gen
= SOSCircleGetGeneration(circle
);
756 CFNumberGetValue(gen
, kCFNumberSInt64Type
, &value
);
760 void SOSCircleGenerationSetValue(SOSCircleRef circle
, int64_t value
)
762 CFAllocatorRef allocator
= CFGetAllocator(circle
->generation
);
763 CFAssignRetained(circle
->generation
, CFNumberCreate(allocator
, kCFNumberSInt64Type
, &value
));
767 static int64_t GenerationSetHighBits(int64_t value
, int32_t high_31
)
769 value
&= 0xFFFFFFFF; // Keep the low 32 bits.
770 value
|= ((int64_t) high_31
) << 32;
776 void SOSCircleGenerationIncrement(SOSCircleRef circle
) {
777 int64_t value
= SOSCircleGetGenerationSint(circle
);
779 if ((value
>> 32) == 0) {
780 uint32_t seconds
= CFAbsoluteTimeGetCurrent(); // seconds
781 value
= GenerationSetHighBits(value
, (seconds
>> 1));
786 SOSCircleGenerationSetValue(circle
, value
);
789 int SOSCircleCountPeers(SOSCircleRef circle
) {
790 SOSCircleAssertStable(circle
);
791 __block
int count
= 0;
792 SOSCircleForEachPeer(circle
, ^(SOSPeerInfoRef peer
) {
798 int SOSCircleCountActivePeers(SOSCircleRef circle
) {
799 SOSCircleAssertStable(circle
);
800 __block
int count
= 0;
801 SOSCircleForEachActivePeer(circle
, ^(SOSPeerInfoRef peer
) {
807 int SOSCircleCountActiveValidPeers(SOSCircleRef circle
, SecKeyRef pubkey
) {
808 SOSCircleAssertStable(circle
);
809 __block
int count
= 0;
810 SOSCircleForEachActiveValidPeer(circle
, pubkey
, ^(SOSPeerInfoRef peer
) {
816 int SOSCircleCountRetiredPeers(SOSCircleRef circle
) {
817 SOSCircleAssertStable(circle
);
818 __block
int count
= 0;
819 SOSCircleForEachRetiredPeer(circle
, ^(SOSPeerInfoRef peer
) {
825 int SOSCircleCountApplicants(SOSCircleRef circle
) {
826 SOSCircleAssertStable(circle
);
828 return (int)CFSetGetCount(circle
->applicants
);
831 bool SOSCircleHasApplicant(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
832 SOSCircleAssertStable(circle
);
834 return CFSetContainsValue(circle
->applicants
, peerInfo
);
837 CFMutableSetRef
SOSCircleCopyApplicants(SOSCircleRef circle
, CFAllocatorRef allocator
) {
838 SOSCircleAssertStable(circle
);
840 return CFSetCreateMutableCopy(allocator
, 0, circle
->applicants
);
843 int SOSCircleCountRejectedApplicants(SOSCircleRef circle
) {
844 SOSCircleAssertStable(circle
);
846 return (int)CFSetGetCount(circle
->rejected_applicants
);
849 bool SOSCircleHasRejectedApplicant(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
850 SOSCircleAssertStable(circle
);
851 return CFSetContainsValue(circle
->rejected_applicants
, peerInfo
);
854 SOSPeerInfoRef
SOSCircleCopyRejectedApplicant(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
855 SOSCircleAssertStable(circle
);
856 return CFRetainSafe((SOSPeerInfoRef
)CFSetGetValue(circle
->rejected_applicants
, peerInfo
));
859 CFMutableArrayRef
SOSCircleCopyRejectedApplicants(SOSCircleRef circle
, CFAllocatorRef allocator
) {
860 SOSCircleAssertStable(circle
);
862 return CFSetCopyValuesCFArray(circle
->rejected_applicants
);
865 bool SOSCircleHasPeerWithID(SOSCircleRef circle
, CFStringRef peerid
, CFErrorRef
*error
) {
866 SOSCircleAssertStable(circle
);
867 __block
bool found
= false;
868 SOSCircleForEachPeer(circle
, ^(SOSPeerInfoRef peer
) {
869 if(peerid
&& peer
&& CFEqualSafe(peerid
, SOSPeerInfoGetPeerID(peer
))) found
= true;
874 SOSPeerInfoRef
SOSCircleCopyPeerWithID(SOSCircleRef circle
, CFStringRef peerid
, CFErrorRef
*error
) {
875 SOSCircleAssertStable(circle
);
876 __block SOSPeerInfoRef found
= NULL
;
877 SOSCircleForEachPeer(circle
, ^(SOSPeerInfoRef peer
) {
878 if(peerid
&& peer
&& CFEqualSafe(peerid
, SOSPeerInfoGetPeerID(peer
))) found
= peer
;
880 return found
? SOSPeerInfoCreateCopy(kCFAllocatorDefault
, found
, NULL
) : NULL
;
883 bool SOSCircleHasPeer(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
884 if(!peerInfo
) return false;
885 return SOSCircleHasPeerWithID(circle
, SOSPeerInfoGetPeerID(peerInfo
), error
);
888 bool SOSCircleHasActivePeerWithID(SOSCircleRef circle
, CFStringRef peerid
, CFErrorRef
*error
) {
889 SOSCircleAssertStable(circle
);
890 __block
bool found
= false;
891 SOSCircleForEachActivePeer(circle
, ^(SOSPeerInfoRef peer
) {
892 if(peerid
&& peer
&& CFEqualSafe(peerid
, SOSPeerInfoGetPeerID(peer
))) found
= true;
897 bool SOSCircleHasActivePeer(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
898 if(!peerInfo
) return false;
899 return SOSCircleHasActivePeerWithID(circle
, SOSPeerInfoGetPeerID(peerInfo
), error
);
902 bool SOSCircleHasActiveValidPeerWithID(SOSCircleRef circle
, CFStringRef peerid
, SecKeyRef user_public_key
, CFErrorRef
*error
) {
903 SOSCircleAssertStable(circle
);
904 __block
bool found
= false;
905 SOSCircleForEachActivePeer(circle
, ^(SOSPeerInfoRef peer
) {
906 if(peerid
&& peer
&& CFEqualSafe(peerid
, SOSPeerInfoGetPeerID(peer
)) && SOSPeerInfoApplicationVerify(peer
, user_public_key
, NULL
)) found
= true;
911 bool SOSCircleHasActiveValidPeer(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, SecKeyRef user_public_key
, CFErrorRef
*error
) {
912 if(!peerInfo
) return false;
913 return SOSCircleHasActiveValidPeerWithID(circle
, SOSPeerInfoGetPeerID(peerInfo
), user_public_key
, error
);
917 bool SOSCircleResetToEmpty(SOSCircleRef circle
, CFErrorRef
*error
) {
918 CFSetRemoveAllValues(circle
->applicants
);
919 CFSetRemoveAllValues(circle
->rejected_applicants
);
920 CFSetRemoveAllValues(circle
->peers
);
921 CFDictionaryRemoveAllValues(circle
->signatures
);
923 int64_t old_value
= SOSCircleGetGenerationSint(circle
);
925 SOSCircleGenerationSetValue(circle
, 0);
926 SOSCircleGenerationIncrement(circle
); // Increment to get high bits set.
928 int64_t new_value
= SOSCircleGetGenerationSint(circle
);
930 if (new_value
<= old_value
) {
931 int64_t new_new_value
= GenerationSetHighBits(new_value
, (old_value
>> 32) + 1);
932 SOSCircleGenerationSetValue(circle
, new_new_value
);
938 bool SOSCircleResetToOffering(SOSCircleRef circle
, SecKeyRef user_privkey
, SOSFullPeerInfoRef requestor
, CFErrorRef
*error
){
940 return SOSCircleResetToEmpty(circle
, error
)
941 && SOSCircleRequestAdmission(circle
, user_privkey
, requestor
, error
)
942 && SOSCircleAcceptRequest(circle
, user_privkey
, requestor
, SOSFullPeerInfoGetPeerInfo(requestor
), error
);
945 bool SOSCircleRemoveRetired(SOSCircleRef circle
, CFErrorRef
*error
) {
946 CFSetRemoveAllPassing(circle
->peers
, ^ bool (const void *element
) {
947 SOSPeerInfoRef peer
= (SOSPeerInfoRef
) element
;
949 return SOSPeerInfoIsRetirementTicket(peer
);
955 static bool SOSCircleRecordAdmissionRequest(SOSCircleRef circle
, SecKeyRef user_pubkey
, SOSPeerInfoRef requestorPeerInfo
, CFErrorRef
*error
) {
956 SOSCircleAssertStable(circle
);
958 bool isPeer
= SOSCircleHasPeer(circle
, requestorPeerInfo
, error
);
960 require_action_quiet(!isPeer
, fail
, SOSCreateError(kSOSErrorAlreadyPeer
, CFSTR("Cannot request admission when already a peer"), NULL
, error
));
962 CFSetTransferObject(requestorPeerInfo
, circle
->rejected_applicants
, circle
->applicants
);
971 bool SOSCircleRequestReadmission(SOSCircleRef circle
, SecKeyRef user_pubkey
, SOSPeerInfoRef peer
, CFErrorRef
*error
) {
972 bool success
= false;
974 require_quiet(SOSPeerInfoApplicationVerify(peer
, user_pubkey
, error
), fail
);
975 success
= SOSCircleRecordAdmissionRequest(circle
, user_pubkey
, peer
, error
);
980 bool SOSCircleRequestAdmission(SOSCircleRef circle
, SecKeyRef user_privkey
, SOSFullPeerInfoRef requestor
, CFErrorRef
*error
) {
981 bool success
= false;
983 SecKeyRef user_pubkey
= SecKeyCreatePublicFromPrivate(user_privkey
);
984 require_action_quiet(user_pubkey
, fail
, SOSCreateError(kSOSErrorBadKey
, CFSTR("No public key for key"), NULL
, error
));
986 require(SOSFullPeerInfoPromoteToApplication(requestor
, user_privkey
, error
), fail
);
988 success
= SOSCircleRecordAdmissionRequest(circle
, user_pubkey
, SOSFullPeerInfoGetPeerInfo(requestor
), error
);
990 CFReleaseNull(user_pubkey
);
994 static bool sosCircleUpdatePeerInfoSet(CFMutableSetRef theSet
, SOSPeerInfoRef replacement_peer_info
) {
995 CFTypeRef old
= NULL
;
996 if(!replacement_peer_info
) return false;
997 if(!(old
= CFSetGetValue(theSet
, replacement_peer_info
))) return false;
998 if(CFEqualSafe(old
, replacement_peer_info
)) return false;
999 CFSetReplaceValue(theSet
, replacement_peer_info
);
1003 bool SOSCircleUpdatePeerInfo(SOSCircleRef circle
, SOSPeerInfoRef replacement_peer_info
) {
1004 if(sosCircleUpdatePeerInfoSet(circle
->peers
, replacement_peer_info
)) return true;
1005 if(sosCircleUpdatePeerInfoSet(circle
->applicants
, replacement_peer_info
)) return true;
1006 if(sosCircleUpdatePeerInfoSet(circle
->rejected_applicants
, replacement_peer_info
)) return true;
1010 bool SOSCircleRemovePeer(SOSCircleRef circle
, SecKeyRef user_privkey
, SOSFullPeerInfoRef requestor
, SOSPeerInfoRef peer_to_remove
, CFErrorRef
*error
) {
1011 SOSPeerInfoRef requestor_peer_info
= SOSFullPeerInfoGetPeerInfo(requestor
);
1013 if (SOSCircleHasApplicant(circle
, peer_to_remove
, error
)) {
1014 return SOSCircleRejectRequest(circle
, requestor
, peer_to_remove
, error
);
1017 if (!SOSCircleHasPeer(circle
, requestor_peer_info
, error
)) {
1018 SOSCreateError(kSOSErrorAlreadyPeer
, CFSTR("Must be peer to remove peer"), NULL
, error
);
1022 CFSetRemoveValue(circle
->peers
, peer_to_remove
);
1024 SOSCircleGenerationSign(circle
, user_privkey
, requestor
, error
);
1029 bool SOSCircleAcceptRequest(SOSCircleRef circle
, SecKeyRef user_privkey
, SOSFullPeerInfoRef device_approver
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
1030 SOSCircleAssertStable(circle
);
1032 SecKeyRef publicKey
= NULL
;
1033 bool result
= false;
1035 require_action_quiet(CFSetContainsValue(circle
->applicants
, peerInfo
), fail
,
1036 SOSCreateError(kSOSErrorNotApplicant
, CFSTR("Cannot accept non-applicant"), NULL
, error
));
1038 publicKey
= SecKeyCreatePublicFromPrivate(user_privkey
);
1039 require_quiet(SOSPeerInfoApplicationVerify(peerInfo
, publicKey
, error
), fail
);
1041 CFSetTransferObject(peerInfo
, circle
->applicants
, circle
->peers
);
1043 result
= SOSCircleGenerationSign(circle
, user_privkey
, device_approver
, error
);
1046 CFReleaseNull(publicKey
);
1050 bool SOSCircleWithdrawRequest(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
1051 SOSCircleAssertStable(circle
);
1053 CFSetRemoveValue(circle
->applicants
, peerInfo
);
1058 bool SOSCircleRemoveRejectedPeer(SOSCircleRef circle
, SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
1059 SOSCircleAssertStable(circle
);
1061 CFSetRemoveValue(circle
->rejected_applicants
, peerInfo
);
1067 bool SOSCircleRejectRequest(SOSCircleRef circle
, SOSFullPeerInfoRef device_rejector
,
1068 SOSPeerInfoRef peerInfo
, CFErrorRef
*error
) {
1069 SOSCircleAssertStable(circle
);
1071 if (CFEqual(SOSPeerInfoGetPeerID(peerInfo
), SOSPeerInfoGetPeerID(SOSFullPeerInfoGetPeerInfo(device_rejector
))))
1072 return SOSCircleWithdrawRequest(circle
, peerInfo
, error
);
1074 if (!CFSetContainsValue(circle
->applicants
, peerInfo
)) {
1075 SOSCreateError(kSOSErrorNotApplicant
, CFSTR("Cannot reject non-applicant"), NULL
, error
);
1079 CFSetTransferObject(peerInfo
, circle
->applicants
, circle
->rejected_applicants
);
1081 // TODO: Maybe we sign the rejection with device_rejector.
1086 bool SOSCircleAcceptRequests(SOSCircleRef circle
, SecKeyRef user_privkey
, SOSFullPeerInfoRef device_approver
,
1087 CFErrorRef
*error
) {
1088 // Returns true if we accepted someone and therefore have to post the circle back to KVS
1089 __block
bool result
= false;
1091 SOSCircleForEachApplicant(circle
, ^(SOSPeerInfoRef peer
) {
1092 if (!SOSCircleAcceptRequest(circle
, user_privkey
, device_approver
, peer
, error
)) {
1093 secnotice("circle", "error in SOSCircleAcceptRequest\n");
1095 secnotice("circle", "Accepted peer: %@", peer
);
1101 SOSCircleGenerationSign(circle
, user_privkey
, device_approver
, error
);
1102 secnotice("circle", "Countersigned accepted requests");
1108 bool SOSCirclePeerSigUpdate(SOSCircleRef circle
, SecKeyRef userPrivKey
, SOSFullPeerInfoRef fpi
,
1109 CFErrorRef
*error
) {
1110 // Returns true if we accepted someone and therefore have to post the circle back to KVS
1111 __block
bool result
= false;
1112 SecKeyRef userPubKey
= SecKeyCreatePublicFromPrivate(userPrivKey
);
1114 // We're going to remove any applicants using a mismatched user key.
1115 SOSCircleForEachApplicant(circle
, ^(SOSPeerInfoRef peer
) {
1116 if(!SOSPeerInfoApplicationVerify(peer
, userPubKey
, NULL
)) {
1117 if(!SOSCircleRejectRequest(circle
, fpi
, peer
, NULL
)) {
1123 result
= SOSCircleUpdatePeerInfo(circle
, SOSFullPeerInfoGetPeerInfo(fpi
));
1126 SOSCircleGenerationSign(circle
, userPrivKey
, fpi
, error
);
1127 secnotice("circle", "Generation signed updated signatures on peerinfo");
1133 static inline void SOSCircleForEachPeerMatching(SOSCircleRef circle
,
1134 void (^action
)(SOSPeerInfoRef peer
),
1135 bool (^condition
)(SOSPeerInfoRef peer
)) {
1136 CFSetForEach(circle
->peers
, ^(const void *value
) {
1137 SOSPeerInfoRef peer
= (SOSPeerInfoRef
) value
;
1138 if (condition(peer
))
1143 static inline bool isHiddenPeer(SOSPeerInfoRef peer
) {
1144 return SOSPeerInfoIsRetirementTicket(peer
) || SOSPeerInfoIsCloudIdentity(peer
);
1147 void SOSCircleForEachPeer(SOSCircleRef circle
, void (^action
)(SOSPeerInfoRef peer
)) {
1148 SOSCircleForEachPeerMatching(circle
, action
, ^bool(SOSPeerInfoRef peer
) {
1149 return !isHiddenPeer(peer
);
1153 void SOSCircleForEachRetiredPeer(SOSCircleRef circle
, void (^action
)(SOSPeerInfoRef peer
)) {
1154 SOSCircleForEachPeerMatching(circle
, action
, ^bool(SOSPeerInfoRef peer
) {
1155 return SOSPeerInfoIsRetirementTicket(peer
);
1159 void SOSCircleForEachActivePeer(SOSCircleRef circle
, void (^action
)(SOSPeerInfoRef peer
)) {
1160 SOSCircleForEachPeerMatching(circle
, action
, ^bool(SOSPeerInfoRef peer
) {
1165 void SOSCircleForEachActiveValidPeer(SOSCircleRef circle
, SecKeyRef user_public_key
, void (^action
)(SOSPeerInfoRef peer
)) {
1166 SOSCircleForEachPeerMatching(circle
, action
, ^bool(SOSPeerInfoRef peer
) {
1167 return SOSPeerInfoApplicationVerify(peer
, user_public_key
, NULL
);
1171 void SOSCircleForEachValidPeer(SOSCircleRef circle
, SecKeyRef user_public_key
, void (^action
)(SOSPeerInfoRef peer
)) {
1172 SOSCircleForEachPeerMatching(circle
, action
, ^bool(SOSPeerInfoRef peer
) {
1173 return !isHiddenPeer(peer
) && SOSPeerInfoApplicationVerify(peer
, user_public_key
, NULL
);
1177 void SOSCircleForEachApplicant(SOSCircleRef circle
, void (^action
)(SOSPeerInfoRef peer
)) {
1178 CFSetForEach(circle
->applicants
, ^(const void*value
) { action((SOSPeerInfoRef
) value
); } );
1182 CFMutableSetRef
SOSCircleCopyPeers(SOSCircleRef circle
, CFAllocatorRef allocator
) {
1183 SOSCircleAssertStable(circle
);
1185 CFMutableSetRef result
= CFSetCreateMutableForSOSPeerInfosByID(allocator
);
1187 SOSCircleForEachPeer(circle
, ^(SOSPeerInfoRef peer
) {
1188 CFSetAddValue(result
, peer
);
1194 bool SOSCircleAppendConcurringPeers(SOSCircleRef circle
, CFMutableArrayRef appendHere
, CFErrorRef
*error
) {
1195 SOSCircleForEachActivePeer(circle
, ^(SOSPeerInfoRef peer
) {
1196 CFErrorRef localError
= NULL
;
1197 if (SOSCircleVerifyPeerSigned(circle
, peer
, &localError
)) {
1198 SOSPeerInfoRef peerInfo
= SOSPeerInfoCreateCopy(kCFAllocatorDefault
, peer
, error
);
1199 CFArrayAppendValue(appendHere
, peerInfo
);
1200 CFRelease(peerInfo
);
1201 } else if (error
!= NULL
) {
1202 secerror("Error checking concurrence: %@", localError
);
1204 CFReleaseNull(localError
);
1210 CFMutableArrayRef
SOSCircleCopyConcurringPeers(SOSCircleRef circle
, CFErrorRef
* error
) {
1211 SOSCircleAssertStable(circle
);
1213 CFMutableArrayRef concurringPeers
= CFArrayCreateMutableForCFTypes(kCFAllocatorDefault
);
1215 if (!SOSCircleAppendConcurringPeers(circle
, concurringPeers
, error
))
1216 CFReleaseNull(concurringPeers
);
1218 return concurringPeers
;
1221 SOSFullPeerInfoRef
SOSCircleCopyiCloudFullPeerInfoRef(SOSCircleRef circle
, CFErrorRef
*error
) {
1222 __block SOSFullPeerInfoRef cloud_full_peer
= NULL
;
1223 __block CFErrorRef searchError
= NULL
;
1224 SOSCircleForEachActivePeer(circle
, ^(SOSPeerInfoRef peer
) {
1225 if (SOSPeerInfoIsCloudIdentity(peer
)) {
1226 if (cloud_full_peer
== NULL
) {
1228 secerror("More than one cloud identity found, first had error, trying new one.");
1230 CFReleaseNull(searchError
);
1231 cloud_full_peer
= SOSFullPeerInfoCreateCloudIdentity(kCFAllocatorDefault
, peer
, &searchError
);
1232 if (!cloud_full_peer
) {
1233 secnotice("icloud-identity", "Failed to make FullPeer for iCloud Identity: %@ (%@)", cloud_full_peer
, searchError
);
1236 secerror("Additional cloud identity found in circle after successful creation: %@", circle
);
1240 // If we didn't find one at all, report the error.
1241 if (cloud_full_peer
== NULL
&& searchError
== NULL
) {
1242 SOSErrorCreate(kSOSErrorNoiCloudPeer
, &searchError
, NULL
, CFSTR("No iCloud identity PeerInfo found in circle"));
1243 secnotice("icloud-identity", "No iCloud identity PeerInfo found in circle");
1246 CFTransferRetained(*error
, searchError
);
1248 CFReleaseNull(searchError
);
1249 return cloud_full_peer
;
1252 void debugDumpCircle(CFStringRef message
, SOSCircleRef circle
) {
1255 secinfo("circledebug", "%@: %@", message
, circle
);
1259 CFDataRef derdata
= SOSCircleCopyEncodedData(circle
, kCFAllocatorDefault
, &error
);
1261 CFStringRef hex
= CFDataCopyHexString(derdata
);
1262 secinfo("circledebug", "Full contents: %@", hex
);
1263 if (hex
) CFRelease(hex
);