keychain/SecureObjectSync/SOSAccountCredentials.m

   1 /*
   2  * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 #include <stdio.h>
  26 #include <AssertMacros.h>
  27 #include "SOSAccountPriv.h"
  28 #include "SOSPeerInfoCollections.h"
  29 #include "SOSTransport.h"
  30 #import "keychain/SecureObjectSync/SOSAccountTrust.h"
  31 #import "keychain/SecureObjectSync/SOSAccountTrustClassic+Circle.h"
  32 #import "keychain/SecureObjectSync/SOSAccountTrustClassic+Expansion.h"
  33
  34 #define kPublicKeyAvailable "com.apple.security.publickeyavailable"
  35 //
  36 // MARK: User Credential management
  37 //
  38
  39
  40 // List of things to do
  41 // Update myFullPeerInfo in circle if needed
  42 // Fix iCloud Identity if needed
  43 // Gen sign if private key changed
  44
  45 bool SOSAccountGenerationSignatureUpdate(SOSAccount* account, CFErrorRef *error) {
  46     bool result = false;
  47     SecKeyRef priv_key = SOSAccountGetPrivateCredential(account, error);
  48     require_quiet(priv_key, bail);
  49
  50     [account.trust generationSignatureUpdateWith:account key:priv_key];
  51
  52     result = true;
  53 bail:
  54     return result;
  55 }
  56
  57 /* this one is meant to be local - not published over KVS. */
  58 static bool SOSAccountPeerSignatureUpdate(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error) {
  59     SOSFullPeerInfoRef identity = NULL;
  60     SOSAccountTrustClassic *trust = account.trust;
  61     identity = trust.fullPeerInfo;
  62
  63     return identity && SOSFullPeerInfoUpgradeSignatures(identity, privKey, error);
  64 }
  65
  66
  67 void SOSAccountPurgePrivateCredential(SOSAccount* account)
  68 {
  69     secnotice("circleOps", "Purging private account credential");
  70
  71     if(account.accountPrivateKey)
  72     {
  73         account.accountPrivateKey = NULL;
  74     }
  75     if(account._password_tmp)
  76     {
  77         account._password_tmp = NULL;
  78     }
  79     if (account.user_private_timer) {
  80         dispatch_source_cancel(account.user_private_timer);
  81         account.user_private_timer = NULL;
  82         xpc_transaction_end();
  83     }
  84     if (account.lock_notification_token != NOTIFY_TOKEN_INVALID) {
  85         notify_cancel(account.lock_notification_token);
  86         account.lock_notification_token = NOTIFY_TOKEN_INVALID;
  87     }
  88 }
  89
  90
  91 static void SOSAccountSetTrustedUserPublicKey(SOSAccount* account, bool public_was_trusted, SecKeyRef privKey)
  92 {
  93     if (!privKey) return;
  94     SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey);
  95
  96     if (account.accountKey && account.accountKeyIsTrusted && CFEqual(publicKey, account.accountKey)) {
  97         CFReleaseNull(publicKey);
  98         return;
  99     }
 100
 101     if(public_was_trusted && account.accountKey) {
 102         account.previousAccountKey = account.accountKey;
 103     }
 104
 105     account.accountKey = publicKey;
 106     account.accountKeyIsTrusted = true;
 107
 108     if(!account.previousAccountKey) {
 109         account.previousAccountKey = account.accountKey;
 110     }
 111
 112     CFReleaseNull(publicKey);
 113
 114         secnotice("circleOps", "trusting new public key: %@", account.accountKey);
 115     notify_post(kPublicKeyAvailable);
 116 }
 117
 118 void SOSAccountSetUnTrustedUserPublicKey(SOSAccount* account, SecKeyRef publicKey) {
 119     if(account.accountKeyIsTrusted && account.accountKey) {
 120         secnotice("circleOps", "Moving : %@ to previousAccountKey", account.accountKey);
 121         account.previousAccountKey = account.accountKey;
 122     }
 123
 124     account.accountKey = publicKey;
 125     account.accountKeyIsTrusted = false;
 126
 127     if(!account.previousAccountKey) {
 128         account.previousAccountKey = account.accountKey;
 129     }
 130
 131     secnotice("circleOps", "not trusting new public key: %@", account.accountKey);
 132 }
 133
 134
 135 static void SOSAccountSetPrivateCredential(SOSAccount* account, SecKeyRef private, CFDataRef password) {
 136     if (!private)
 137         return SOSAccountPurgePrivateCredential(account);
 138
 139     secnotice("circleOps", "setting new private credential");
 140
 141     account.accountPrivateKey = private;
 142
 143     if (password) {
 144         account._password_tmp = [[NSData alloc] initWithData:(__bridge NSData * _Nonnull)(password)];
 145     } else {
 146         account._password_tmp = NULL;
 147     }
 148
 149     bool resume_timer = false;
 150     if (!account.user_private_timer) {
 151         xpc_transaction_begin();
 152         resume_timer = true;
 153         account.user_private_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, account.queue);
 154         dispatch_source_set_event_handler(account.user_private_timer, ^{
 155             secnotice("keygen", "Timing out, purging private account credential");
 156             SOSAccountPurgePrivateCredential(account);
 157         });
 158         int lockNotification;
 159
 160         notify_register_dispatch(kUserKeybagStateChangeNotification, &lockNotification, account.queue, ^(int token) {
 161             bool locked = false;
 162             CFErrorRef lockCheckError = NULL;
 163
 164             if (!SecAKSGetIsLocked(&locked, &lockCheckError)) {
 165                 secerror("Checking for locked after change failed: %@", lockCheckError);
 166             }
 167
 168             if (locked) {
 169                 SOSAccountPurgePrivateCredential(account);
 170             }
 171         });
 172         [account setLock_notification_token:lockNotification];
 173     }
 174
 175     SOSAccountRestartPrivateCredentialTimer(account);
 176
 177     if (resume_timer)
 178         dispatch_resume(account.user_private_timer);
 179 }
 180
 181 void SOSAccountRestartPrivateCredentialTimer(SOSAccount*  account)
 182 {
 183     if (account.user_private_timer) {
 184         // (Re)set the timer's fire time to now + 10 minutes with a 5 second fuzz factor.
 185         dispatch_time_t purgeTime = dispatch_time(DISPATCH_TIME_NOW, (int64_t)(10 * 60 * NSEC_PER_SEC));
 186         dispatch_source_set_timer(account.user_private_timer, purgeTime, DISPATCH_TIME_FOREVER, (int64_t)(5 * NSEC_PER_SEC));
 187     }
 188 }
 189
 190 SecKeyRef SOSAccountGetPrivateCredential(SOSAccount* account, CFErrorRef* error)
 191 {
 192     if (account.accountPrivateKey == NULL) {
 193         SOSCreateError(kSOSErrorPrivateKeyAbsent, CFSTR("Private Key not available - failed to prompt user recently"), NULL, error);
 194     }
 195     return account.accountPrivateKey;
 196 }
 197
 198 CFDataRef SOSAccountGetCachedPassword(SOSAccount* account, CFErrorRef* error)
 199 {
 200     if (account._password_tmp == NULL) {
 201         secnotice("circleOps", "Password cache expired");
 202     }
 203     return (__bridge CFDataRef)(account._password_tmp);
 204 }
 205 static NSString *SOSUserCredentialAccount = @"SOSUserCredential";
 206 static NSString *SOSUserCredentialAccessGroup = @"com.apple.security.sos-usercredential";
 207
 208 void SOSAccountStashAccountKey(SOSAccount* account)
 209 {
 210     OSStatus status;
 211     SecKeyRef user_private = account.accountPrivateKey;
 212     NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation(user_private, NULL));
 213     if (data == NULL){
 214         return;
 215     }
 216
 217     NSDictionary *attributes = @{
 218         (__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
 219         (__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
 220         (__bridge id)kSecAttrIsInvisible : @YES,
 221         (__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleWhenUnlocked,
 222         (__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
 223         (__bridge id)kSecAttrSysBound : @(kSecSecAttrSysBoundPreserveDuringRestore),
 224         (__bridge id)kSecValueData : data,
 225     };
 226
 227     status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
 228
 229     if (status == errSecDuplicateItem) {
 230         attributes = @{
 231                        (__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
 232                        (__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
 233                        (__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
 234                        (__bridge id)kSecUseDataProtectionKeychain : @YES,
 235                        };
 236
 237         status = SecItemUpdate((__bridge CFDictionaryRef)attributes, (__bridge CFDictionaryRef)@{
 238              (__bridge id)kSecValueData : data,
 239              (__bridge id)kSecAttrSysBound : @(kSecSecAttrSysBoundPreserveDuringRestore)
 240         });
 241
 242         if (status) {
 243             secnotice("circleOps", "Failed to update user private key to keychain: %d", (int)status);
 244         }
 245     } else if (status != 0) {
 246         secnotice("circleOps", "Failed to add user private key to keychain: %d", (int)status);
 247     }
 248
 249     if(status == 0) {
 250         secnotice("circleOps", "Stored user private key stashed local keychain");
 251     }
 252
 253     return;
 254 }
 255
 256 SecKeyRef SOSAccountCopyStashedUserPrivateKey(SOSAccount* account, CFErrorRef *error)
 257 {
 258     SecKeyRef key = NULL;
 259     CFDataRef data = NULL;
 260     OSStatus status;
 261
 262     NSDictionary *attributes = @{
 263         (__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
 264         (__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
 265         (__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
 266         (__bridge id)kSecReturnData : @YES,
 267         (__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitOne,
 268     };
 269
 270     status = SecItemCopyMatching((__bridge CFDictionaryRef)attributes, (CFTypeRef *)&data);
 271     if (status) {
 272         SecError(status, error, CFSTR("Failed fetching account credential: %d"), (int)status);
 273         return NULL;
 274     }
 275
 276     NSDictionary *keyAttributes = @{
 277         (__bridge id)kSecAttrKeyClass : (__bridge id)kSecAttrKeyClassPrivate,
 278         (__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeEC,
 279     };
 280
 281
 282     key = SecKeyCreateWithData(data, (__bridge CFDictionaryRef)keyAttributes, error);
 283     CFReleaseNull(data);
 284
 285     return key;
 286 }
 287
 288 SecKeyRef SOSAccountGetTrustedPublicCredential(SOSAccount* account, CFErrorRef* error)
 289 {
 290     if (account.accountKey == NULL || account.accountKeyIsTrusted == false) {
 291         SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Public Key isn't available. The iCloud Password must be provided to the syncing subsystem to repair this."), NULL, error);
 292         return NULL;
 293     }
 294     return account.accountKey;
 295 }
 296
 297 bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error)
 298 {
 299     return SOSAccountGetTrustedPublicCredential(account, error);
 300 }
 301
 302 static void sosAccountSetTrustedCredentials(SOSAccount* account, CFDataRef user_password, SecKeyRef user_private, bool public_was_trusted) {
 303     if(!SOSAccountFullPeerInfoVerify(account, user_private, NULL)){
 304         (void) SOSAccountPeerSignatureUpdate(account, user_private, NULL);
 305     }
 306     SOSAccountSetTrustedUserPublicKey(account, public_was_trusted, user_private);
 307     SOSAccountSetPrivateCredential(account, user_private, user_password);
 308     SOSAccountCheckForAlwaysOnViews(account);
 309 }
 310
 311 static SecKeyRef sosAccountCreateKeyIfPasswordIsCorrect(SOSAccount* account, CFDataRef user_password, CFErrorRef *error) {
 312     SecKeyRef user_private = NULL;
 313     require_quiet(account.accountKey && account.accountKeyDerivationParamters, errOut);
 314     user_private = SOSUserKeygen(user_password, (__bridge CFDataRef)(account.accountKeyDerivationParamters), error);
 315     require_quiet(user_private, errOut);
 316
 317     require_action_quiet(SOSAccountValidateAccountCredential(account, user_private, error), errOut, CFReleaseNull(user_private));
 318 errOut:
 319     return user_private;
 320 }
 321
 322 static bool sosAccountValidatePasswordOrFail(SOSAccount* account, CFDataRef user_password, CFErrorRef *error) {
 323     SecKeyRef privKey = sosAccountCreateKeyIfPasswordIsCorrect(account, user_password, error);
 324     if(!privKey) {
 325         if(account.accountKeyDerivationParamters) debugDumpUserParameters(CFSTR("sosAccountValidatePasswordOrFail"), (__bridge CFDataRef)(account.accountKeyDerivationParamters));
 326         SOSCreateError(kSOSErrorWrongPassword, CFSTR("Could not create correct key with password."), NULL, error);
 327         return false;
 328     }
 329     sosAccountSetTrustedCredentials(account, user_password, privKey, account.accountKeyIsTrusted);
 330     CFReleaseNull(privKey);
 331     return true;
 332 }
 333
 334 void SOSAccountSetParameters(SOSAccount* account, CFDataRef parameters) {
 335     account.accountKeyDerivationParamters = (__bridge NSData *) parameters;
 336 }
 337
 338 bool SOSAccountValidateAccountCredential(SOSAccount* account, SecKeyRef accountPrivateKey, CFErrorRef *error)
 339 {
 340     bool res = false;
 341     SecKeyRef publicCandidate = SecKeyCreatePublicFromPrivate(accountPrivateKey);
 342
 343     if(CFEqualSafe(account.accountKey, publicCandidate)) {
 344         res = true;
 345     } else {
 346         CFErrorRef localError = NULL;
 347         CFStringRef accountHpub = SOSCopyIDOfKey(account.accountKey, NULL);
 348         CFStringRef candidateHpub = SOSCopyIDOfKey(publicCandidate, NULL);
 349         SOSCreateErrorWithFormat(kSOSErrorWrongPassword, NULL, &localError, NULL, CFSTR("Password generated pubkey doesn't match - candidate: %@  known: %@"), candidateHpub, accountHpub);
 350         secnotice("circleop", "%@", localError);
 351         if (error) {
 352             *error = localError;
 353             localError = NULL;
 354         } else {
 355             CFReleaseNull(localError);
 356         }
 357         CFReleaseNull(accountHpub);
 358         CFReleaseNull(candidateHpub);
 359     }
 360     CFReleaseNull(publicCandidate);
 361     return res;
 362 }
 363
 364 bool SOSAccountAssertStashedAccountCredential(SOSAccount* account, CFErrorRef *error)
 365 {
 366     SecKeyRef accountPrivateKey = NULL, publicCandidate = NULL;
 367     bool result = false;
 368
 369     require_action(account.accountKey, fail, SOSCreateError(kSOSErrorWrongPassword, CFSTR("account public key missing, can't check stashed copy"), NULL, error));
 370     require_action(account.accountKeyIsTrusted, fail, SOSCreateError(kSOSErrorWrongPassword, CFSTR("public key no not valid, can't check stashed copy"), NULL, error));
 371
 372     accountPrivateKey = SOSAccountCopyStashedUserPrivateKey(account, error);
 373     require_action_quiet(accountPrivateKey, fail, secnotice("circleOps", "Looked for a stashed private key, didn't find one"));
 374
 375     require(SOSAccountValidateAccountCredential(account, accountPrivateKey, error), fail);
 376
 377     sosAccountSetTrustedCredentials(account, NULL, accountPrivateKey, true);
 378
 379     result = true;
 380 fail:
 381     CFReleaseSafe(publicCandidate);
 382     CFReleaseSafe(accountPrivateKey);
 383
 384     return result;
 385 }
 386
 387
 388
 389 bool SOSAccountAssertUserCredentials(SOSAccount* account, CFStringRef user_account, CFDataRef user_password, CFErrorRef *error)
 390 {
 391     bool public_was_trusted = account.accountKeyIsTrusted;
 392     account.accountKeyIsTrusted = false;
 393     SecKeyRef user_private = NULL;
 394     CFDataRef parameters = NULL;
 395
 396     // if this succeeds, skip to the end.  Success will update account.accountKeyIsTrusted by side-effect.
 397     require_quiet(!sosAccountValidatePasswordOrFail(account, user_password, error), recordCred);
 398
 399     // We may or may not have parameters here.
 400     // In any case we tried using them and they didn't match
 401     // So forget all that and start again, assume we're the first to push anything useful.
 402
 403     if (CFDataGetLength(user_password) > 20) {
 404         secwarning("Long password (>20 byte utf8) being used to derive account key – this may be a PET by mistake!!");
 405     }
 406
 407     parameters = SOSUserKeyCreateGenerateParameters(error);
 408     require_quiet(user_private = SOSUserKeygen(user_password, parameters, error), errOut);
 409     SOSAccountSetParameters(account, parameters);
 410     sosAccountSetTrustedCredentials(account, user_password, user_private, public_was_trusted);
 411
 412     CFErrorRef publishError = NULL;
 413     if (!SOSAccountPublishCloudParameters(account, &publishError)) {
 414         secerror("Failed to publish new cloud parameters: %@", publishError);
 415     }
 416
 417     CFReleaseNull(publishError);
 418 recordCred:
 419     SOSAccountStashAccountKey(account);
 420     SOSAccountSetValue(account, kSOSAccountName, user_account, NULL);
 421 errOut:
 422     CFReleaseNull(parameters);
 423     CFReleaseNull(user_private);
 424     secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountAssertUserCredentials");
 425     account.key_interests_need_updating = true;
 426     return account.accountKeyIsTrusted;
 427 }
 428
 429
 430 bool SOSAccountTryUserCredentials(SOSAccount* account, CFStringRef user_account, CFDataRef user_password, CFErrorRef *error) {
 431     bool success = sosAccountValidatePasswordOrFail(account, user_password, error);
 432     if(success) {
 433         SOSAccountStashAccountKey(account);
 434         SOSAccountSetValue(account, kSOSAccountName, user_account, NULL);
 435     }
 436     secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountTryUserCredentials");
 437     account.key_interests_need_updating = true;
 438     return success;
 439 }
 440
 441 bool SOSAccountTryUserPrivateKey(SOSAccount* account, SecKeyRef user_private, CFErrorRef *error) {
 442     bool retval = SOSAccountValidateAccountCredential(account, user_private, error);
 443     if(!retval) {
 444         secnotice("circleOps", "Failed to accept provided user_private as credential");
 445         return retval;
 446     }
 447     sosAccountSetTrustedCredentials(account, NULL, user_private, account.accountKeyIsTrusted);
 448     SOSAccountStashAccountKey(account);
 449     secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountTryUserPrivateKey");
 450     account.key_interests_need_updating = true;
 451     secnotice("circleOps", "Accepted provided user_private as credential");
 452     return retval;
 453 }
 454
 455 bool SOSAccountRetryUserCredentials(SOSAccount* account) {
 456     CFDataRef cachedPassword = SOSAccountGetCachedPassword(account, NULL);
 457     if (cachedPassword == NULL)
 458         return false;
 459     /*
 460      * SOSAccountTryUserCredentials reset the cached password internally,
 461      * so we must have a retain of the password over SOSAccountTryUserCredentials().
 462      */
 463     CFRetain(cachedPassword);
 464     bool res = SOSAccountTryUserCredentials(account, NULL, cachedPassword, NULL);
 465     CFRelease(cachedPassword);
 466     return res;
 467 }
 468
 469
 470