1 //
2 // SOSAccountPriv.h
3 // Security
4 //
5
6 #ifndef SOSAccountPriv_h
7 #define SOSAccountPriv_h
8
9 #import <Foundation/Foundation.h>
10
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <CoreFoundation/CFRuntime.h>
13 #include <utilities/SecCFWrappers.h>
14 #include <utilities/SecCFError.h>
15 #include <utilities/SecAKSWrappers.h>
16
17 #include <Security/SecKeyPriv.h>
18
19 #include <Security/der_plist.h>
20 #include <utilities/der_plist_internal.h>
21 #include <corecrypto/ccder.h>
22
23 #include <AssertMacros.h>
24 #include <assert.h>
25
26 #import <notify.h>
27
28 #include "keychain/SecureObjectSync/SOSInternal.h"
29
30 #include "keychain/SecureObjectSync/SOSCircle.h"
31 #include "keychain/SecureObjectSync/SOSCircleV2.h"
32 #include "keychain/SecureObjectSync/SOSRing.h"
33 #include "keychain/SecureObjectSync/SOSRingUtils.h"
34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
35 #include "keychain/securityd/SOSCloudCircleServer.h"
36 #include "keychain/SecureObjectSync/SOSEngine.h"
37 #include "keychain/SecureObjectSync/SOSPeer.h"
38 #include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
40
41 #include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
42 #include "keychain/SecureObjectSync/SOSUserKeygen.h"
43 #include "keychain/SecureObjectSync/SOSTransportCircle.h"
44
45 #include <utilities/iCloudKeychainTrace.h>
46
47 #include <Security/SecItemPriv.h>
48
49
// Keys for values carried on the account. Presumably used with
// SOSAccountSetValue / SOSAccountGetValue / SOSAccountClearValue (declared in
// the SOSAccount interface below) — confirm against the implementation.
extern const CFStringRef kSOSUnsyncedViewsKey;
extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
extern const CFStringRef kSOSRecoveryKey;
extern const CFStringRef kSOSAccountUUID;
extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
extern const CFStringRef kSOSRecoveryRing;
extern const CFStringRef kSOSEscrowRecord;
extern const CFStringRef kSOSAccountName;
extern const CFStringRef kSOSTestV2Settings;
extern const CFStringRef kSOSRateLimitingCounters;
extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
extern const CFStringRef kSOSAccountRenegotiationRetryCount;
extern const CFStringRef kSOSInitialSyncTimeoutV0;

// Callback receiving the serialized account (flattenedAccount) or, when
// serialization fails, flattenFailError. Presumably invoked by
// -[SOSAccount flattenToSaveBlock] through the saveBlock property.
typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);

// Forward declarations only; the full class definitions are needed solely by
// the implementation, which keeps this header's include fan-out down.
@class SOSMessageKVS;
@class CKKeyParameter;
@class SOSAccountTrustClassic;
@class SOSKVSCircleStorageTransport;
@class SOSCircleStorageTransport;
@class SOSCKCircleStorage;
73
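@interface SOSAccount : NSObject <SOSControlProtocol>

// MARK: Account state

@property (nonatomic, retain) NSDictionary *gestalt;
@property (nonatomic, retain) NSData *backup_key;
@property (nonatomic, retain) NSString *deviceID;

// Circle membership / peer trust state. The read-only identity properties
// further down are delegated to this object.
@property (nonatomic, retain) SOSAccountTrustClassic *trust;

@property (nonatomic, retain) dispatch_queue_t queue;
@property (nonatomic, retain) dispatch_source_t user_private_timer;
// SecKeyRef is a CoreFoundation type: ARC neither retains nor releases it
// through a property, so the implementation owns the lifetime of
// accountPrivateKey, accountKey and previousAccountKey (CFRetain/CFRelease).
@property (nonatomic) SecKeyRef accountPrivateKey;

@property (nonatomic) SOSDataSourceFactoryRef factory;

// NOTE(review): the name suggests transiently held password material; confirm
// the implementation drops it as soon as the derived key is available.
@property (nonatomic, retain) NSData *_password_tmp;
@property (nonatomic, assign) BOOL isListeningForSync;
@property (nonatomic, assign) int lock_notification_token;
@property (nonatomic, retain) CKKeyParameter* key_transport;
@property (nonatomic, retain) SOSKVSCircleStorageTransport* circle_transport;
@property (nonatomic, retain) SOSMessageKVS* kvs_message_transport;
@property (nonatomic, retain) SOSCKCircleStorage* ck_storage;

// Flags naming state that needs follow-up work; when they are acted on is
// decided by the implementation.
@property (nonatomic, assign) BOOL circle_rings_retirements_need_attention;
@property (nonatomic, assign) BOOL engine_peer_state_needs_repair;
@property (nonatomic, assign) BOOL key_interests_need_updating;

@property (nonatomic, retain) NSMutableArray *change_blocks;

@property (nonatomic, retain) NSMutableDictionary *waitForInitialSync_blocks;

@property (nonatomic, retain) NSData* accountKeyDerivationParamters;

// accountKeyIsTrusted records whether accountKey is currently trusted; how
// trust is established is up to the implementation. See also
// SOSAccountSetUserPublicTrustedForTesting under "Testing" below.
@property (nonatomic, assign) BOOL accountKeyIsTrusted;
@property (nonatomic) SecKeyRef accountKey;
@property (nonatomic) SecKeyRef previousAccountKey;

// Presumably invoked by -flattenToSaveBlock with the serialized account.
@property (copy) SOSAccountSaveBlock saveBlock;


// Identity access properties, all delegated to the trust object
@property (readonly, nonatomic) BOOL hasPeerInfo;
@property (readonly, nonatomic) SOSPeerInfoRef peerInfo;
@property (readonly, nonatomic) SOSFullPeerInfoRef fullPeerInfo;
@property (readonly, nonatomic) NSString* peerID;

@property (nonatomic, assign) BOOL notifyCircleChangeOnExit;
@property (nonatomic, assign) BOOL notifyViewChangeOnExit;
@property (nonatomic, assign) BOOL notifyBackupOnExit;

@property (nonatomic, retain) NSUserDefaults* settings;


// MARK: Lifecycle

// Plain -init is unavailable: an account always needs a gestalt and a data
// source factory.
-(id) init NS_UNAVAILABLE;
-(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;

//- (void)startStateMachine;

void SOSAccountAddSyncablePeerBlock(SOSAccount* a,
                                    CFStringRef ds_name,
                                    SOSAccountSyncablePeersBlock changeBlock);

-(bool) ensureFactoryCircles;
-(void) ensureOctagonPeerKeys;

// Serializes the account and hands the result (or the error) to saveBlock.
-(void) flattenToSaveBlock;

-(void) ghostBustSchedule;
+ (SOSAccountGhostBustingOptions) ghostBustGetRampSettings;
- (bool) ghostBustCheckDate;

#if OCTAGON
- (void)triggerBackupForPeers:(NSArray<NSString*>*)backupPeer;
#endif


void SOSAccountSetToNew(SOSAccount* a);

bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);

// MARK: In Sync checking
typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount* account);

// Registers syncBlock to run once the account is in sync (presumably) and
// returns a retained registration id the caller must release, or pass to
// SOSAccountUnregisterCallWhenInSync to cancel.
CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef id);

bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);

void SOSAccountEnsureSyncChecking(SOSAccount* account);
void SOSAccountCancelSyncChecking(SOSAccount* account);
void SOSAccountInitializeInitialSync(SOSAccount* account);
// Copy* functions follow the CoreFoundation Create/Copy rule: the caller owns
// the returned object and must CFRelease it.
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
CFSetRef SOSAccountCopyEnabledViews(SOSAccount* account);
void SOSAccountNotifyEngines(SOSAccount* account);
bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
bool SOSAccountHasOustandingViews(SOSAccount* account);
bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
bool SOSAccountSyncingV0(SOSAccount* account);

// MARK: DER Stuff
//
// The decoders take der_end so that parsing is bounded; callers must pass the
// real end of the buffer, since the encoded bytes may come from storage or
// another peer. The returned pointer presumably points just past the consumed
// bytes, with NULL signalling failure — confirm against the implementation.

size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);

uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);


size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);

uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);


// MARK: Update
-(SOSCCStatus) getCircleStatus:(CFErrorRef*) error;
-(bool) isInCircle:(CFErrorRef *)error;

// encodedCircleMessage arrives from the circle transport; treat it as untrusted
// input. Check the bool result, not *error, to detect failure.
bool SOSAccountHandleCircleMessage(SOSAccount* account,
                                   CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);

CF_RETURNS_RETAINED
CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);

void SOSAccountRecordRetiredPeersInCircle(SOSAccount* account);

bool SOSAccountHandleUpdateCircle(SOSAccount* account,
                                  SOSCircleRef prospective_circle,
                                  bool writeUpdate,
                                  CFErrorRef *error);


// MARK: My Peer
bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);

bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
bool SOSDeleteV0Keybag(CFErrorRef *error);
// The update block receives the peer info to modify and reports success via
// its bool result; the "AndPush" variant presumably also publishes the change.
bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
bool SOSAccountUpdatePeerInfoAndPush(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error,
                                     bool (^update)(SOSPeerInfoRef pi, CFErrorRef *error));

// Currently permitted backup rings.
void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachBackupView(SOSAccount* account, void (^operation)(const void *value));
SOSRingRef SOSAccountCreateBackupRingForView(SOSAccount* account, CFStringRef ringBackupViewName, CFErrorRef *error);


// MARK: My Circle
bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);

void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);

CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);


// MARK: FullPeerInfos - including Cloud Identity
SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);

bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);

// MARK: Credentials
bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
// derparms is parsed by der_decode_cloud_parameters (below); newKey and
// newParameters are out-parameters the caller owns on success.
bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
                                       CFDataRef derparms,
                                       CFDataRef *newParameters, CFErrorRef* error);

//DSID
void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);

//
// Key extraction
//

SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);

// MARK: Testing
// Presumably bypass the normal trust/departure logic; intended for tests only,
// so production code paths should never reach them.
void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);

void SOSAccountPurgeIdentity(SOSAccount*);
bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, NSData* parentData, CFErrorRef* error);

bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
void SOSAccountEnsureRecoveryRing(SOSAccount* account);
bool SOSAccountEnsureInBackupRings(SOSAccount* account);

bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);

// Plain C enum (not NS_ENUM) and unprefixed; left unchanged so the underlying
// type seen by existing callers is preserved.
typedef enum{
    kSOSTransportNone = 0,
    kSOSTransportIDS = 1,
    kSOSTransportKVS = 2,
    kSOSTransportFuture = 3,
    kSOSTransportPresent = 4
}TransportType;

SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);

// Generic key/value storage on the account; the kSOS*Key constants at the top
// of this header are presumably the keys used.
bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);

bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
// "FromRemote" takes a ring received from another peer; the ring's authenticity
// should be checked inside the implementation before it replaces local state.
bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
                               SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
                               SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));

//
// MARK: Backup translation functions
//

CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
bool SOSAccountUpdateBackupRing(SOSAccount* account, CFStringRef viewName, CFErrorRef *error,
                                SOSRingRef (^modify)(SOSRingRef existing, CFErrorRef *error));
//
// Security tool test/debug functions
//
bool SOSAccountPostDebugScope(SOSAccount* account, CFTypeRef scope, CFErrorRef *error);

bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
// UUID, no setter just getter and ensuring value.
void SOSAccountEnsureUUID(SOSAccount* account);
CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account);
// Bounded DER decoder (see "DER Stuff" above); publicKey and parameters are
// out-parameters the caller owns on success.
const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
                                           CFIndex algorithmID, SecKeyRef* publicKey,
                                           CFDataRef *parameters,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);

/*
 * HSA2/piggybacking
 */

CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);

// This header imports Foundation unconditionally, so the guard is always
// satisfied here.
#if __OBJC__
NSData *SOSPiggyCreateInitialSyncData(NSArray<NSData*> *identities, NSArray<NSDictionary *>* tlks);
// der is bounded by der_end; the decoded dictionary is built from data that
// may originate from another device.
NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
NSArray<NSDictionary*>* SOSAccountSortTLKS(NSArray<NSDictionary*>* tlks);
#endif

bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);

@end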
347
// Serialization of the account to and from its persisted form.
@interface SOSAccount (Persistence)

// Rebuilds an account from serialized bytes. `data` comes from storage, so it
// should be treated as untrusted input by the decoder. Returns nil on failure;
// check the return value rather than *error.
+(instancetype) accountFromData: (NSData*) data
                        factory: (SOSDataSourceFactoryRef) factory
                          error: (NSError**) error;
// DER form of the above. `der` is an in/out pointer, presumably advanced past
// the consumed bytes; `der_end` bounds the read and must be the true end of
// the buffer.
+(instancetype) accountFromDER: (const uint8_t**) der
                           end: (const uint8_t*) der_end
                       factory: (SOSDataSourceFactoryRef) factory
                         error: (NSError**) error;

// Serializes the receiver; nil on failure.
-(NSData*) encodedData: (NSError**) error;


@end
362
#endif /* SOSAccountPriv_h */