2 // SOSAccountTrustClassicExpansion.m
7 #import <Foundation/Foundation.h>
8 #import "Security/SecureObjectSync/SOSAccount.h"
9 #import "Security/SecureObjectSync/SOSAccountTrustClassic.h"
10 #import "Security/SecureObjectSync/SOSAccountTrustClassic+Expansion.h"
11 #import "Security/SecureObjectSync/SOSAccountTrustClassic+Retirement.h"
12 #import "Security/SecureObjectSync/SOSAccountTrustClassic+Circle.h"
13 #import "Security/SecureObjectSync/SOSViews.h"
14 #import "Security/SecureObjectSync/SOSPeerInfoV2.h"
15 #import "Security/SecureObjectSync/SOSTransportCircleKVS.h"
16 #import "keychain/Signin Metrics/SFSignInAnalytics.h"
18 @implementation SOSAccountTrustClassic (Expansion)
29 static const char * __unused actionstring[] = {
30 "accept", "countersign", "leave", "revert", "modify", "ignore",
33 static NSString* kSOSRingKey = @"trusted_rings";
36 // Generic Calls to Expansion Dictionary
38 -(CFTypeRef) getValueFromExpansion:(CFStringRef)key err:(CFErrorRef*)error
40 if (!self.expansion) {
43 return (__bridge CFTypeRef)([self.expansion objectForKey:(__bridge NSString*)key]);
46 -(bool) ensureExpansion:(CFErrorRef *)error
48 if (!self.expansion) {
49 self.expansion = [NSMutableDictionary dictionary];
52 return SecAllocationError((__bridge CFTypeRef)(self.expansion), error, CFSTR("Can't Alloc Account Expansion dictionary"));
55 -(bool) clearValueFromExpansion:(CFStringRef) key err:(CFErrorRef *)error
57 bool success = [self ensureExpansion:error];
59 require_quiet(success, errOut);
61 [self.expansion removeObjectForKey: (__bridge NSString*)(key)];
66 -(bool) setValueInExpansion:(CFStringRef) key value:(CFTypeRef) value err:(CFErrorRef *)error {
67 if (value == NULL) return [self clearValueFromExpansion:key err:error];
69 bool success = [self ensureExpansion:error];
70 require_quiet(success, errOut);
72 [self.expansion setObject:(__bridge id _Nonnull)(value) forKey:(__bridge NSString*)key];
78 -(bool) valueSetContainsValue:(CFStringRef) key value:(CFTypeRef) value
80 CFSetRef foundSet = asSet([self getValueFromExpansion:key err:NULL], NULL);
81 return foundSet && CFSetContainsValue(foundSet, value);
84 -(void) valueUnionWith:(CFStringRef) key valuesToUnion:(CFSetRef) valuesToUnion
86 CFMutableSetRef unionedSet = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, valuesToUnion);
87 CFSetRef foundSet = asSet([self getValueFromExpansion:key err:NULL], NULL);
89 CFSetUnion(unionedSet, foundSet);
91 [self setValueInExpansion:key value:unionedSet err:NULL];
92 CFReleaseNull(unionedSet);
95 -(void) valueSubtractFrom:(CFStringRef) key valuesToSubtract:(CFSetRef) valuesToSubtract
97 CFSetRef foundSet = asSet([self getValueFromExpansion:key err:NULL], NULL);
99 CFMutableSetRef subtractedSet = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, foundSet);
100 CFSetSubtract(subtractedSet, valuesToSubtract);
101 [self setValueInExpansion:key value:subtractedSet err:NULL];
102 CFReleaseNull(subtractedSet);
107 -(void) pendEnableViewSet:(CFSetRef) enabledViews
109 if(CFSetGetValue(enabledViews, kSOSViewKeychainV0) != NULL) secnotice("viewChange", "Warning, attempting to Add KeychainV0");
111 [self valueUnionWith:kSOSPendingEnableViewsToBeSetKey valuesToUnion:enabledViews];
112 [self valueSubtractFrom:kSOSPendingDisableViewsToBeSetKey valuesToSubtract:enabledViews];
116 -(bool) updateV2Dictionary:(SOSAccount*)account v2:(CFDictionaryRef) newV2Dict
118 if(!newV2Dict) return true;
120 [self setValueInExpansion:kSOSTestV2Settings value:newV2Dict err:NULL];
122 if (self.trustedCircle && self.fullPeerInfo
123 && SOSFullPeerInfoUpdateV2Dictionary(self.fullPeerInfo, newV2Dict, NULL)) {
124 [self modifyCircle:account.circle_transport err:NULL action:^(SOSCircleRef circle_to_change) {
125 secnotice("circleChange", "Calling SOSCircleUpdatePeerInfo for gestalt change");
126 return SOSCircleUpdatePeerInfo(circle_to_change, account.peerInfo);
136 -(bool) forEachRing:(RingNameBlock)block
139 __block bool changed = false;
140 __block CFStringRef ringname = NULL;
141 __block CFDataRef ringder = NULL;
142 __block SOSRingRef ring = NULL;
143 __block SOSRingRef newring = NULL;
144 __block CFDataRef newringder = NULL;
146 CFMutableDictionaryRef rings = [self getRings:NULL];
147 CFMutableDictionaryRef ringscopy = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
149 CFReleaseNull(ringscopy);
153 CFReleaseNull(ringscopy);
156 CFDictionaryForEach(rings, ^(const void *key, const void *value) {
157 ringname = (CFStringRef) key;
158 ringder = CFDataCreateCopy(kCFAllocatorDefault, (CFDataRef) value);
159 CFDictionaryAddValue(ringscopy, key, ringder);
160 ring = SOSRingCreateFromData(NULL, ringder);
161 newring = block(ringname, ring);
163 newringder = SOSRingCopyEncodedData(newring, NULL);
164 CFDictionaryReplaceValue(ringscopy, key, newringder);
165 CFReleaseNull(newringder);
169 CFReleaseNull(ringder);
170 CFReleaseNull(newring);
173 [self setRings:ringscopy];
177 CFReleaseNull(ringscopy);
181 -(bool) resetAllRings:(SOSAccount*)account err:(CFErrorRef *)error
183 __block bool retval = true;
184 CFMutableSetRef ringList = CFSetCreateMutableForCFTypes(kCFAllocatorDefault);
186 CFReleaseNull(ringList);
190 [self forEachRing: ^SOSRingRef(CFStringRef name, SOSRingRef ring) {
191 CFSetAddValue(ringList, name);
192 return NULL; // just using this to grab names.
195 CFSetForEach(ringList, ^(const void *value) {
196 CFStringRef ringName = (CFStringRef) value;
197 retval = retval && [self resetRing:account ringName:ringName err:error];
200 CFReleaseNull(ringList);
204 -(bool) resetAccountToEmpty:(SOSAccount*)account transport: (SOSCircleStorageTransport*)circleTransport err:(CFErrorRef*) error
207 __block bool result = true;
209 result &= [self resetAllRings:account err:error];
211 self.fullPeerInfo = nil;
213 self.departureCode = kSOSWithdrewMembership;
214 secnotice("circleOps", "Reset Circle to empty by client request");
216 result &= [self modifyCircle:circleTransport err:error action:^bool(SOSCircleRef circle) {
217 result = SOSCircleResetToEmpty(circle, error);
222 secerror("error: %@", error ? *error : NULL);
227 -(bool) resetAccountToEmptyWithAnalytics:(SOSAccount*)account transport: (SOSCircleStorageTransport*)circleTransport parentEvent:(NSData*)parentEvent err:(CFErrorRef*) error
229 __block bool result = true;
231 NSError* localError = nil;
232 SFSignInAnalytics* parent = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFSignInAnalytics class] fromData:parentEvent error:&localError];
234 CFErrorRef resetError = NULL;
235 SFSignInAnalytics *resetAllRingsEvent = [parent newSubTaskForEvent:@"resetAllRingsEvent"];
236 result &= [self resetAllRings:account err:&resetError];
238 [resetAllRingsEvent logRecoverableError:(__bridge NSError*)resetError];
239 secerror("reset all rings error: %@", resetError);
243 CFReleaseNull(resetError);
246 [resetAllRingsEvent stopWithAttributes:nil];
248 self.fullPeerInfo = nil;
250 self.departureCode = kSOSWithdrewMembership;
251 secnotice("circleOps", "Reset Circle to empty by client request");
253 SFSignInAnalytics *resetCircleToEmptyEvent = [parent newSubTaskForEvent:@"resetCircleToEmptyEvent"];
254 result &= [self modifyCircle:circleTransport err:error action:^bool(SOSCircleRef circle) {
255 result = SOSCircleResetToEmpty(circle, error);
258 [resetCircleToEmptyEvent stopWithAttributes:nil];
261 secerror("error: %@", error ? *error : NULL);
266 -(void) setRings:(CFMutableDictionaryRef) newrings
268 [self.expansion setObject:(__bridge NSMutableDictionary*)newrings forKey:(kSOSRingKey)];
271 -(bool) checkForRings:(CFErrorRef*)error
273 __block bool retval = true;
274 CFMutableDictionaryRef rings = [self getRings:NULL];
275 if(rings && isDictionary(rings)) {
276 [self forEachRing:^SOSRingRef(CFStringRef ringname, SOSRingRef ring) {
278 if(!SOSRingIsStable(ring)) {
280 secnotice("ring", "Ring %@ not stable", ringname);
286 SOSCreateError(kSOSErrorNotReady, CFSTR("Rings not present"), NULL, error);
292 -(bool) setRing:(SOSRingRef) addRing ringName:(CFStringRef) ringName err:(CFErrorRef*)error
294 require_quiet(addRing, errOut);
295 CFMutableDictionaryRef rings = [self getRings:NULL];
296 require_action_quiet(rings, errOut, SOSCreateError(kSOSErrorNoRing, CFSTR("No Rings found"), NULL, error));
297 CFDataRef ringder = SOSRingCopyEncodedData(addRing, error);
298 require_quiet(ringder, errOut);
299 CFDictionarySetValue(rings, ringName, ringder);
300 CFReleaseNull(ringder);
306 static bool SOSAccountBackupSliceKeyBagNeedsFix(SOSAccount* account, SOSBackupSliceKeyBagRef bskb) {
308 if (SOSBSKBIsDirect(bskb) || account.backup_key == NULL)
311 CFSetRef peers = SOSBSKBGetPeers(bskb);
313 /* first scan for retired peers, and kick'em out!*/
314 SOSAccountIsPeerRetired(account, peers);
316 bool needsFix = true;
318 SOSPeerInfoRef myPeer = account.peerInfo;
320 SOSPeerInfoRef meInBag = (SOSPeerInfoRef) CFSetGetValue(peers, myPeer);
321 CFDataRef myBK = SOSPeerInfoCopyBackupKey(myPeer);
322 CFDataRef meInBagBK = SOSPeerInfoCopyBackupKey(meInBag);
323 needsFix = !(meInBag && CFEqualSafe(myBK,
326 CFReleaseNull(meInBagBK);
329 CFDataRef rkbg = SOSAccountCopyRecoveryPublic(kCFAllocatorDefault, account, NULL);
330 if(rkbg) needsFix |= !SOSBKSBPrefixedKeyIsInKeyBag(bskb, bskbRkbgPrefix, rkbg);
331 else needsFix |= SOSBSKBHasRecoveryKey(bskb); // if we don't have a recovery key - the bskb shouldn't
337 -(bool) handleUpdateRing:(SOSAccount*)account prospectiveRing:(SOSRingRef)prospectiveRing transport:(SOSKVSCircleStorageTransport*)circleTransport userPublicKey:(SecKeyRef)userPublic writeUpdate:(bool)writeUpdate err:(CFErrorRef *)error
340 bool haveOldRing = true;
342 const char * __unused localRemote = writeUpdate ? "local": "remote";
343 SOSFullPeerInfoRef fpi = self.fullPeerInfo;
344 SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi);
345 CFStringRef peerID = SOSPeerInfoGetPeerID(pi);
346 bool peerActive = (fpi && pi && peerID && [self isInCircleOnly:NULL]);
347 SOSRingRef newRing = NULL;
348 SOSRingRef oldRing = NULL;
350 require_quiet(SOSAccountHasPublicKey(account, error), errOut);
352 secdebug("ringSigning", "start:[%s] %@", localRemote, prospectiveRing);
355 require_action_quiet(prospectiveRing, errOut,
356 SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("No Ring to work with"), NULL, error));
358 require_action_quiet(SOSRingIsStable(prospectiveRing), errOut, SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("You give rings a bad name"), NULL, error));
360 // We should at least have a sane ring system in the account object
361 require_quiet([self checkForRings:error], errOut);
363 CFStringRef ringName = SOSRingGetName(prospectiveRing);
364 oldRing = [self copyRing:ringName err:NULL];
366 newRing = CFRetainSafe(prospectiveRing); // TODO: SOSAccountCloneRingWithRetirement(account, prospectiveRing, error);
368 ringAction_t ringAction = ignore;
370 bool userTrustedoldRing = true;
372 CFSetRef peers = SOSCircleCopyPeers(self.trustedCircle, kCFAllocatorDefault);
374 SecKeyRef oldKey = userPublic;
377 oldRing = CFRetainSafe(newRing);
380 SOSConcordanceStatus concstat = SOSRingConcordanceTrust(fpi, peers, oldRing, newRing, oldKey, userPublic, peerID, error);
381 CFReleaseNull(peers);
383 CFStringRef concStr = NULL;
385 case kSOSConcordanceTrusted:
386 ringAction = countersign;
387 concStr = CFSTR("Trusted");
389 case kSOSConcordanceGenOld:
390 ringAction = userTrustedoldRing ? revert : ignore;
391 concStr = CFSTR("Generation Old");
393 case kSOSConcordanceBadUserSig:
394 case kSOSConcordanceBadPeerSig:
395 ringAction = userTrustedoldRing ? revert : accept;
396 concStr = CFSTR("Bad Signature");
398 case kSOSConcordanceNoUserSig:
399 ringAction = userTrustedoldRing ? revert : accept;
400 concStr = CFSTR("No User Signature");
402 case kSOSConcordanceNoPeerSig:
403 ringAction = accept; // We might like this one eventually but don't countersign.
404 concStr = CFSTR("No trusted peer signature");
405 secnotice("signing", "##### No trusted peer signature found, accepting hoping for concordance later %@", newRing);
407 case kSOSConcordanceNoPeer:
409 concStr = CFSTR("No trusted peer left");
411 case kSOSConcordanceNoUserKey:
412 secerror("##### No User Public Key Available, this shouldn't ever happen!!!");
416 case kSOSConcordanceMissingMe:
417 case kSOSConcordanceImNotWorthy:
419 concStr = CFSTR("Incorrect membership for me");
421 case kSOSConcordanceInvalidMembership:
422 ringAction = userTrustedoldRing ? revert : ignore;
423 concStr = CFSTR("Invalid Ring Membership");
426 secerror("##### Bad Error Return from ConcordanceTrust");
433 secdebug("ringSigning", "Decided on action [%s] based on concordance state [%@] and [%s] circle.",
434 actionstring[ringAction], concStr, userTrustedoldRing ? "trusted" : "untrusted");
436 SOSRingRef ringToPush = NULL;
437 bool iWasInOldRing = peerID && SOSRingHasPeerID(oldRing, peerID);
438 bool iAmInNewRing = peerID && SOSRingHasPeerID(newRing, peerID);
439 bool ringIsBackup = SOSRingGetType(newRing) == kSOSRingBackup;
440 bool ringIsRecovery = SOSRingGetType(newRing) == kSOSRingRecovery;
442 if (ringIsBackup && peerActive) {
443 if (ringAction == accept || ringAction == countersign) {
444 CFErrorRef localError = NULL;
445 SOSBackupSliceKeyBagRef bskb = SOSRingCopyBackupSliceKeyBag(newRing, &localError);
448 secnotice("ringSigning", "Backup ring with no backup slice keybag (%@)", localError);
449 } else if (SOSAccountBackupSliceKeyBagNeedsFix(account, bskb)) {
452 CFReleaseSafe(localError);
456 if (ringAction == modify) {
457 CFErrorRef updateError = NULL;
458 [self setRing:newRing ringName:ringName err:error];
460 if(SOSAccountUpdateOurPeerInBackup(account, newRing, &updateError)) {
461 secdebug("signing", "Modified backup ring to include us");
463 secerror("Could not add ourselves to the backup: (%@)", updateError);
465 CFReleaseSafe(updateError);
467 // Fall through to normal modify handling.
471 if (ringIsRecovery && peerActive && (ringAction == modify)) {
472 [self setRing:newRing ringName:ringName err:error];
476 if (ringAction == modify) {
480 if (ringAction == leave) {
482 if ([self leaveRing:circleTransport ring:newRing err:error]){
483 ringToPush = newRing;
485 secdebug("ringSigning", "Can't leave ring %@", oldRing);
490 // We are not in this ring, but we need to update account with it, since we got it from cloud
495 if (ringAction == countersign) {
497 if (SOSRingPeerTrusted(newRing, fpi, NULL)) {
498 secdebug("ringSigning", "Already concur with: %@", newRing);
500 CFErrorRef signingError = NULL;
502 if (fpi && SOSRingConcordanceSign(newRing, fpi, &signingError)) {
503 ringToPush = newRing;
505 secerror("Failed to concordance sign, error: %@ Old: %@ New: %@", signingError, oldRing, newRing);
508 CFReleaseSafe(signingError);
511 secdebug("ringSigning", "Not countersigning, not in ring: %@", newRing);
516 if (ringAction == accept) {
517 if (iWasInOldRing && !iAmInNewRing) {
519 // Don't destroy evidence of other code determining reason for leaving.
520 //if(!SOSAccountHasLeft(account)) account.departure_code = kSOSMembershipRevoked;
521 // TODO: LeaveReason for rings
524 if (pi && SOSRingHasRejection(newRing, peerID)) {
525 // TODO: ReasonForLeaving for rings
526 SOSRingRemoveRejection(newRing, peerID);
529 [self setRing:newRing ringName:ringName err:error];
531 if (pi && account.accountKeyIsTrusted
532 && SOSRingHasApplicant(oldRing, peerID)
533 && SOSRingCountPeers(newRing) > 0
534 && !iAmInNewRing && !SOSRingHasApplicant(newRing, peerID)) {
535 // We weren't rejected (above would have set me to NULL.
536 // We were applying and we weren't accepted.
537 // Our application is declared lost, let us reapply.
539 if (SOSRingApply(newRing, userPublic, fpi, NULL))
540 if(peerActive) writeUpdate = true;
543 if (pi && SOSRingHasPeerID(oldRing, peerID)) {
544 [self cleanupRetirementTickets:account circle:self.trustedCircle time:RETIREMENT_FINALIZATION_SECONDS err:NULL];
548 account.circle_rings_retirements_need_attention = true;
551 ringToPush = newRing;
552 secnotice("circleop", "Setting account.key_interests_need_updating to true in handleUpdateRing");
553 account.key_interests_need_updating = true;
557 * In the revert section we'll guard the KVS idea of circles by rejecting "bad" new rings
558 * and pushing our current view of the ring (oldRing). We'll only do this if we actually
559 * are a member of oldRing - never for an empty ring.
562 if (ringAction == revert) {
563 if(haveOldRing && peerActive && SOSRingHasPeerID(oldRing, peerID)) {
564 secdebug("ringSigning", "%@, Rejecting: %@ re-publishing %@", concStr, newRing, oldRing);
565 ringToPush = oldRing;
567 secdebug("ringSigning", "%@, Rejecting: %@ Have no old circle - would reset", concStr, newRing);
572 if (ringToPush != NULL) {
573 secdebug("ringSigning", "Pushing:[%s] %@", localRemote, ringToPush);
574 CFDataRef ringData = SOSRingCopyEncodedData(ringToPush, error);
576 success &= [circleTransport kvsRingPostRing:SOSRingGetName(ringToPush) ring:ringData err:error];
580 CFReleaseNull(ringData);
582 CFReleaseNull(oldRing);
583 CFReleaseNull(newRing);
586 CFReleaseNull(oldRing);
587 CFReleaseNull(newRing);
592 -(SOSRingRef) copyRing:(CFStringRef)ringName err:(CFErrorRef *)error
594 CFMutableDictionaryRef rings = [self getRings:error];
595 require_action_quiet(rings, errOut, SOSCreateError(kSOSErrorNoRing, CFSTR("No Rings found"), NULL, error));
596 CFTypeRef ringder = CFDictionaryGetValue(rings, ringName);
597 require_action_quiet(ringder, errOut, SOSCreateErrorWithFormat(kSOSErrorNoRing, NULL, error, NULL, CFSTR("No Ring found %@"), ringName));
598 SOSRingRef ring = SOSRingCreateFromData(NULL, ringder);
599 return (SOSRingRef) ring;
605 -(CFMutableDictionaryRef) getRings:(CFErrorRef *)error
607 CFMutableDictionaryRef rings = (__bridge CFMutableDictionaryRef) [self.expansion objectForKey:kSOSRingKey];
609 [self addRingDictionary];
610 rings = [self getRings:error];
616 -(bool) resetRing:(SOSAccount*)account ringName:(CFStringRef) ringName err:(CFErrorRef *)error
620 SOSRingRef ring = [self copyRing:ringName err:error];
621 SOSRingRef newring = SOSRingCreate(ringName, NULL, SOSRingGetType(ring), error);
622 SOSRingGenerationCreateWithBaseline(newring, ring);
623 SOSBackupRingSetViews(newring, self.fullPeerInfo, SOSBackupRingGetViews(ring, NULL), error);
624 require_quiet(newring, errOut);
626 retval = SOSAccountUpdateRing(account, newring, error);
629 CFReleaseNull(newring);
633 -(bool) leaveRing:(SOSKVSCircleStorageTransport*)circle_transport ring:(SOSRingRef) ring err:(CFErrorRef*) error
635 SOSFullPeerInfoRef fpi = self.fullPeerInfo;
636 if(!fpi) return false;
637 SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi);
638 CFStringRef peerID = SOSPeerInfoGetPeerID(pi);
640 CFErrorRef localError = NULL;
643 bool writeRing = false;
644 bool writePeerInfo = false;
646 if(SOSRingHasPeerID(ring, peerID)) {
647 writePeerInfo = true;
650 if(writePeerInfo || writeRing) {
651 SOSRingWithdraw(ring, NULL, fpi, error);
655 CFDataRef ring_data = SOSRingCopyEncodedData(ring, error);
658 [circle_transport kvsRingPostRing:SOSRingGetName(ring) ring:ring_data err:NULL];
660 CFReleaseNull(ring_data);
663 CFReleaseNull(localError);
projects / apple / security.git / blob