1 /*
2 * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #ifndef _SECAKSWRAPPERS_H_
26 #define _SECAKSWRAPPERS_H_
27
28 #include <TargetConditionals.h>
29 #include <utilities/SecCFError.h>
30 #include <AssertMacros.h>
31 #include <dispatch/dispatch.h>
32
33 #include <CoreFoundation/CFData.h>
34
// Decide whether this build talks to the real AKS keystore (libaks.h, included
// below) or to the stub definitions that follow.  An explicit USE_KEYSTORE from
// the build wins; otherwise the platform decides.  Order matters here: the
// RC_HORIZON and simulator checks come before the OS checks so those builds
// always get the stub regardless of which OS they report.
#ifdef USE_KEYSTORE
#define TARGET_HAS_KEYSTORE USE_KEYSTORE
#else

#if RC_HORIZON
#define TARGET_HAS_KEYSTORE 0
#elif TARGET_OS_SIMULATOR
#define TARGET_HAS_KEYSTORE 0
#elif TARGET_OS_OSX
// macOS: TARGET_CPU_X86 (32-bit x86 per TargetConditionals.h) builds get the
// stub; every other macOS CPU gets the real keystore.  The reason is not stated
// in this file — confirm against libaks before relying on it.
#if TARGET_CPU_X86
#define TARGET_HAS_KEYSTORE 0
#else
#define TARGET_HAS_KEYSTORE 1
#endif
#elif TARGET_OS_IPHONE
#define TARGET_HAS_KEYSTORE 1
#else
// Fail the build loudly rather than silently compiling the never-locked stub
// into an unrecognised platform.
#error "unknown keystore status for this platform"
#endif

#endif // USE_KEYSTORE
56
57 #if !TARGET_HAS_KEYSTORE
58
59 #include <IOKit/IOReturn.h>
60
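// Make the compiler happy so this will compile.
// Stub keybag handles for builds without a keystore.  Both "real" handles
// collapse to 0 here; the stub aks_get_lock_state() below ignores the handle.
#define device_keybag_handle 0
#define session_keybag_handle 0

// Sentinel for "no valid keybag".  Parenthesized (CERT PRE01-C) so the negative
// literal stays one operand when the macro is expanded inside a larger expression.
#define bad_keybag_handle (-1)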
66
// Lock-state bits reported by the stub aks_get_lock_state().  These form a bit
// set: "unlocked" is simply the absence of every flag, the rest are single bits
// that may be combined in a keybag_state_t.
enum keybag_state {
    keybag_state_unlocked      = 0x0,  // no flags set
    keybag_state_locked        = 0x1,  // bag is currently locked (tested by SecAKSGetIsLocked)
    keybag_state_no_pin        = 0x2,  // by its name: no passcode protects the bag — confirm against libaks
    keybag_state_been_unlocked = 0x4,  // bag has been unlocked at least once (tested by SecAKSGetHasBeenUnlocked)
};
typedef uint32_t keybag_state_t;   // bit set of enum keybag_state values
typedef int32_t keybag_handle_t;   // keybag identifier; bad_keybag_handle is the invalid sentinel
75
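// Stub for builds without a keystore: the bag is never locked and the handle is
// ignored.  Reports "no pin" and "has been unlocked" so that callers gating on
// SecAKSGetHasBeenUnlocked() behave as if first unlock has already happened.
//
// The previous expression used `&` between two distinct single-bit flags, which
// is always 0 — i.e. plain keybag_state_unlocked with neither flag set.  The
// flag names indicate a bitwise OR was intended; that is what is returned now.
static kern_return_t aks_get_lock_state(keybag_handle_t handle, keybag_state_t *state) {
    (void)handle;
    if (state) {
        *state = keybag_state_no_pin | keybag_state_been_unlocked;
    }
    return kIOReturnSuccess;
}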
80
81 #else
82
83 #include <libaks.h>
84
85 #endif
86
87 //
88 // MARK: User lock state
89 //
90
// The "user" keybag every helper in this header reports on: the device keybag
// on embedded builds, the session keybag on everything else.  This is a C
// expression, not a preprocessor test, so an undefined TARGET_OS_EMBEDDED is a
// compile error rather than a silent fall-through to the session bag.
enum {
    user_keybag_handle = TARGET_OS_EMBEDDED ? device_keybag_handle : session_keybag_handle,
};

// Notification name for user-keybag lock-state changes (by its name; where it
// is posted and which notification API it belongs to are not shown in this
// header).  Defined in the matching .c file.
extern const char * const kUserKeybagStateChangeNotification;
96
// Read the raw lock-state bits of the user keybag.
//   state: receives the keybag_state_t bit set.  The stub tolerates NULL; the
//          real libaks contract is not visible here, so pass a real pointer.
//   error: receives a CFError on failure (may be NULL).
// Returns true when aks_get_lock_state() reported success, false otherwise —
// callers in this header treat the result as a success flag.
static inline bool SecAKSGetLockedState(keybag_state_t *state, CFErrorRef* error)
{
    const kern_return_t rc = aks_get_lock_state(user_keybag_handle, state);
    // The status is passed twice: once for SecKernError to judge, once as the
    // %d argument of the message it presumably formats into *error.
    return SecKernError(rc, error, CFSTR("aks_get_lock_state failed: %d"), rc);
}
103
// Test whether any bit of `bits` is set in the user keybag's current state.
//   isSet: receives the answer (may be NULL if only success matters).
//   bits:  mask of keybag_state flags to test.
//   error: receives a CFError on failure (may be NULL).
// Returns true when the state was read; false (with *isSet left untouched)
// when SecAKSGetLockedState() failed.
static inline bool SecAKSLockedAnyStateBitIsSet(bool* isSet, keybag_state_t bits, CFErrorRef* error)
{
    keybag_state_t current = 0;

    // Early return mirrors the original require_quiet(): nothing is written on failure.
    if (!SecAKSGetLockedState(&current, error)) {
        return false;
    }

    if (isSet) {
        *isSet = (current & bits) != 0;
    }
    return true;
}
119
// Is the user keybag currently locked?
//   isLocked: receives the answer (may be NULL).
//   error:    receives a CFError on failure (may be NULL).
// Returns false, leaving *isLocked untouched, when the state could not be read.
static inline bool SecAKSGetIsLocked(bool* isLocked, CFErrorRef* error)
{
    const keybag_state_t lockedMask = keybag_state_locked;
    return SecAKSLockedAnyStateBitIsSet(isLocked, lockedMask, error);
}
124
// Is the user keybag currently unlocked?  Defined as "not locked", i.e. the
// inverse of SecAKSGetIsLocked(); the other state bits are not consulted.
//   isUnlocked: receives the answer (may be NULL).
//   error:      receives a CFError on failure (may be NULL).
// Returns false, leaving *isUnlocked untouched, when the state could not be read.
static inline bool SecAKSGetIsUnlocked(bool* isUnlocked, CFErrorRef* error)
{
    bool lockedNow = false;

    if (!SecAKSGetIsLocked(&lockedNow, error)) {
        return false;
    }

    if (isUnlocked) {
        *isUnlocked = !lockedNow;
    }
    return true;
}
135
// Has the user keybag been unlocked at least once (keybag_state_been_unlocked)?
// Note this is independent of whether it is locked right now.
//   hasBeenUnlocked: receives the answer (may be NULL).
//   error:           receives a CFError on failure (may be NULL).
// Returns false, leaving *hasBeenUnlocked untouched, when the state could not be read.
static inline bool SecAKSGetHasBeenUnlocked(bool* hasBeenUnlocked, CFErrorRef* error)
{
    const keybag_state_t beenUnlockedMask = keybag_state_been_unlocked;
    return SecAKSLockedAnyStateBitIsSet(hasBeenUnlocked, beenUnlockedMask, error);
}
140
// By its name: run `action` while the user keybag is locked and restore the
// previous state afterwards.  The order of the lock/unlock calls and the exact
// failure semantics live in the .c file, which is not shown here.
//   error:  receives a CFError on failure (may be NULL).
//   action: block to execute; must not itself try to unlock the bag.
// Returns false on failure.
bool SecAKSDoWhileUserBagLocked(CFErrorRef *error, dispatch_block_t action);
//
// if you can't use the block version above, use these.
// !!!!!Remember to balance them!!!!!!
// Every SecAKSUnLockUserKeybag() must be paired with a SecAKSLockUserKeybag(),
// including on every error path: an unbalanced call leaves the bag in the wrong
// lock state for the rest of the session.  Prefer the block version, which
// pairs them for you.
//
bool SecAKSUnLockUserKeybag(CFErrorRef *error);
// timeout: semantics and units are not stated in this header — TODO confirm
// against the implementation before passing anything but the caller's existing value.
bool SecAKSLockUserKeybag(uint64_t timeout, CFErrorRef *error);


// Build a backup keybag protected by `secret` (`size` bytes of key material).
// Presumably returns a new CFDataRef the caller owns (CF "Copy" rule) or NULL
// with *error set — confirm in the .c file.  `secret` is sensitive: zeroize the
// caller's buffer after use.  It is not declared const, so do not assume the
// callee leaves it untouched.
CFDataRef SecAKSCopyBackupBagWithSecret(size_t size, uint8_t *secret, CFErrorRef *error);
151
152 #endif