1 //
2 // SOSAccountPriv.h
3 // Security
4 //
5
6 #ifndef SOSAccountPriv_h
7 #define SOSAccountPriv_h
8
9 #import <Foundation/Foundation.h>
10
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <CoreFoundation/CFRuntime.h>
13 #include <utilities/SecCFWrappers.h>
14 #include <utilities/SecCFError.h>
15 #include <utilities/SecAKSWrappers.h>
16
17 #include <Security/SecKeyPriv.h>
18
19 #include <utilities/der_plist.h>
20 #include <utilities/der_plist_internal.h>
21 #include <corecrypto/ccder.h>
22
23 #include <AssertMacros.h>
24 #include <assert.h>
25
26 #import <notify.h>
27
28 #include <Security/SecureObjectSync/SOSInternal.h>
29
30 #include <Security/SecureObjectSync/SOSCircle.h>
31 #include <Security/SecureObjectSync/SOSCircleV2.h>
32 #include <Security/SecureObjectSync/SOSRing.h>
33 #include <Security/SecureObjectSync/SOSRingUtils.h>
34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
35 #include <securityd/SOSCloudCircleServer.h>
36 #include <Security/SecureObjectSync/SOSEngine.h>
37 #include <Security/SecureObjectSync/SOSPeer.h>
38 #include <Security/SecureObjectSync/SOSFullPeerInfo.h>
39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
40 #include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
41 #include <Security/SecureObjectSync/SOSUserKeygen.h>
42 #include <Security/SecureObjectSync/SOSTransportCircle.h>
43
44 #include <utilities/iCloudKeychainTrace.h>
45
46 #include <Security/SecItemPriv.h>
47
48
// Keys for values kept in the account's persisted state.  The grouping below is a
// reading aid only; NOTE(review): what each key stores is defined by the
// implementation (presumably reachable through SOSAccountSetValue/GetValue), not here.

// View bookkeeping
extern const CFStringRef kSOSUnsyncedViewsKey;
extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
extern const CFStringRef kSOSInitialSyncTimeoutV0;

// Recovery / escrow
extern const CFStringRef kSOSRecoveryKey;
extern const CFStringRef kSOSRecoveryRing;
extern const CFStringRef kSOSEscrowRecord;

// Per-account metadata and peer negotiation state
extern const CFStringRef kSOSAccountUUID;
extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
extern const CFStringRef kSOSAccountRenegotiationRetryCount;
extern const CFStringRef kSOSRateLimitingCounters;

// Versioning / test settings
extern const CFStringRef kOTRConfigVersion;
extern const CFStringRef kSOSTestV2Settings;

// Kept as a preprocessor literal (rather than a typed constant) so existing
// CFSTR()/string-literal uses keep compiling.
#define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable"

// Receives the flattened account bytes, or the error that prevented flattening.
typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);

// Forward declarations; the concrete classes are only needed by the .m files.
@class CKKeyParameter;
@class SOSAccountTrustClassic;
@class SOSCKCircleStorage;
@class SOSCircleStorageTransport;
@class SOSKVSCircleStorageTransport;
@class SOSMessageIDS;
@class SOSMessageKVS;
75
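/// Private, in-process interface of the Secure Object Sync account object.
///
/// NOTE(review): most of the C entry points declared inside this @interface take a
/// `SOSAccount*` as their first argument and are placed here only for grouping;
/// they are plain C functions, not methods.  Their bodies are not in this header,
/// so the comments describe the declared contract (types and ownership
/// annotations), not verified behaviour.
@interface SOSAccount : NSObject

// `strong` is the ARC spelling of `retain`; the ownership semantics are identical.
// TODO(review): the NSString/NSData/NSDictionary-typed properties (gestalt,
// backup_key, deviceID, _password_tmp, accountKeyDerivationParamters) would
// conventionally be `copy`, so that a caller handing in a mutable subclass cannot
// change key material after the fact — confirm the implementation does not rely on
// sharing the passed-in object before switching.
@property (nonatomic, strong) NSDictionary *gestalt;
@property (nonatomic, strong) NSData *backup_key;
@property (nonatomic, strong) NSString *deviceID;

@property (nonatomic, strong) SOSAccountTrustClassic *trust;

@property (nonatomic, strong) dispatch_queue_t queue;
@property (nonatomic, strong) dispatch_source_t user_private_timer;

// CoreFoundation references are not managed by ARC: the implementation owns the
// CFRetain/CFRelease balance for every SecKeyRef / *Ref property in this class.
@property (nonatomic) SecKeyRef accountPrivateKey;

@property (nonatomic) SOSDataSourceFactoryRef factory;

@property (nonatomic, strong) NSData *_password_tmp;
@property (nonatomic, assign) BOOL isListeningForSync;
@property (nonatomic, assign) int lock_notification_token;
@property (nonatomic, strong) CKKeyParameter *key_transport;
// Ownership attribute deliberately left unspecified, as in the original declaration.
@property (nonatomic) SOSKVSCircleStorageTransport *circle_transport;
@property (nonatomic, strong) SOSMessageKVS *kvs_message_transport;
@property (nonatomic, strong) SOSMessageIDS *ids_message_transport;
@property (nonatomic, strong) SOSCKCircleStorage *ck_storage;

// Dirty flags; the code that sets and consumes them is not in this header.
@property (nonatomic, assign) BOOL circle_rings_retirements_need_attention;
@property (nonatomic, assign) BOOL engine_peer_state_needs_repair;
@property (nonatomic, assign) BOOL key_interests_need_updating;

@property (nonatomic, strong) NSMutableArray *change_blocks;

@property (nonatomic, strong) NSMutableDictionary *waitForInitialSync_blocks;
@property (nonatomic, assign) BOOL isInitialSyncing;

// The misspelling ("Paramters") is part of the property name callers use; kept.
@property (nonatomic) NSData *accountKeyDerivationParamters;

@property (nonatomic, assign) BOOL accountKeyIsTrusted;
@property (nonatomic) SecKeyRef accountKey;
@property (nonatomic) SecKeyRef previousAccountKey;

// Declared without `nonatomic` (i.e. atomic) in the original; kept as declared.
// Presumably invoked with the flattened account by -flattenToSaveBlock — see the .m.
@property (copy) SOSAccountSaveBlock saveBlock;

// Identity access properties, all delegated to the trust object
@property (readonly, nonatomic) BOOL hasPeerInfo;
@property (readonly, nonatomic) SOSPeerInfoRef peerInfo;
@property (readonly, nonatomic) SOSFullPeerInfoRef fullPeerInfo;
@property (readonly, nonatomic) NSString *peerID;

// `instancetype` (rather than `id`) lets the compiler type-check the result of
// `[[SOSAccount alloc] init…]`; callers that stored the result in `id` are unaffected.
- (instancetype)init;
- (instancetype)initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;
- (xpc_endpoint_t)xpcControlEndpoint;

void SOSAccountAddSyncablePeerBlock(SOSAccount* a,
                                    CFStringRef ds_name,
                                    SOSAccountSyncablePeersBlock changeBlock);

- (bool)ensureFactoryCircles;
- (void)ensureOctagonPeerKeys;

- (void)flattenToSaveBlock;

void SOSAccountSetToNew(SOSAccount* a);

bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);

// MARK: In Sync checking
typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount* account);

// CF_RETURNS_RETAINED: the caller owns the returned registration id and must
// CFRelease it.  Pass it to SOSAccountUnregisterCallWhenInSync to cancel.
CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
// Parameter renamed from `id` (an Objective-C type name) in the prototype only; the
// symbol and its signature are unchanged.
bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef registrationID);

bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);

void SOSAccountEnsureSyncChecking(SOSAccount* account);
void SOSAccountCancelSyncChecking(SOSAccount* account);

// "Copy" in the name follows the CF Create/Copy rule: the caller presumably owns the
// returned set.  (Previously declared three times in this header; once is enough.)
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
void SOSAccountNotifyEngines(SOSAccount* account);
bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
// "Oustanding" is a typo baked into the exported symbol name; renaming would break callers.
CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
bool SOSAccountHasOustandingViews(SOSAccount* account);
bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
bool SOSAccountSyncingV0(SOSAccount* account);

// MARK: DER Stuff
// The sizeof/encode/decode triples follow the utilities/der_plist pattern:
// `der`/`der_end` bound the buffer, and the decoder returns the position after the
// consumed bytes (NULL presumably signalling failure — confirm against der_plist).

size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);

uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);

size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);

uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);

// Update
- (SOSCCStatus)getCircleStatus:(CFErrorRef*)error;

// `encodedCircleMessage` arrives from the transport, i.e. from other devices; the
// implementation is the trust boundary for it.
bool SOSAccountHandleCircleMessage(SOSAccount* account,
                                   CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);

// Caller owns the returned dictionary (CF_RETURNS_RETAINED).
CF_RETURNS_RETAINED
CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);

void SOSAccountRecordRetiredPeersInCircle(SOSAccount* account);

bool SOSAccountHandleUpdateCircle(SOSAccount* account,
                                  SOSCircleRef prospective_circle,
                                  bool writeUpdate,
                                  CFErrorRef *error);

// My Peer
bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);

bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
bool SOSDeleteV0Keybag(CFErrorRef *error);
void SOSAccountForEachBackupView(SOSAccount* account, void (^operation)(const void *value));
// `update` is applied to the account's own full peer info; `updateDescription` is
// presumably used for logging — confirm in the .m.
bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
// "Create" in the name: caller owns the returned string (CF Create/Copy rule).
CFStringRef SOSAccountCreateCompactDescription(SOSAccount* a);

// Currently permitted backup rings.
void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));

// My Circle
bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
SOSCircleRef SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);

void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);

// Caller owns the returned string (CF Create/Copy rule).
CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);

// FullPeerInfos - including Cloud Identity
SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);

bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);

// Credentials
bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
// `newKey` and `newParameters` are out-parameters; per the Cocoa/CF convention,
// check the bool result before reading them or `*error`.
bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
                                       CFDataRef derparms,
                                       CFDataRef *newParameters, CFErrorRef* error);

// DSID
void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);

//
// Key extraction
//

// Both return SecKeyRefs the caller owns ("Copy"/"Generate" in the names); release
// them with CFRelease.
SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
SecKeyRef GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);

// Testing
// NOTE(review): these bypass normal state transitions (the second marks the user
// public key trusted by fiat); they must stay unreachable from production paths.
void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);

// Parameter named for readability; the signature is unchanged.
void SOSAccountPurgeIdentity(SOSAccount* account);
bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, CFErrorRef* error);
bool sosAccountLeaveRing(SOSAccount* account, SOSRingRef ring, CFErrorRef* error);
bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
void SOSAccountEnsureRecoveryRing(SOSAccount* account);
bool SOSAccountEnsureInBackupRings(SOSAccount* account);

bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);

// (The kSOSUnsyncedViewsKey / kSOSPending…ViewsToBeSetKey / kSOSRecoveryKey externs
// are declared once at the top of this header; the repeat that used to live here
// was redundant.)

// Kept as a plain `typedef enum` so the enumeration's underlying type (and therefore
// the size of any stored TransportType) does not change.  NOTE(review): switching to
// NS_ENUM would give exhaustiveness warnings but needs an ABI review first.
typedef enum {
    kSOSTransportNone    = 0,
    kSOSTransportIDS     = 1,
    kSOSTransportKVS     = 2,
    kSOSTransportFuture  = 3,
    kSOSTransportPresent = 4
} TransportType;

SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);

// Generic key/value access to account state.  GetValue returns an unowned
// reference (no Copy/Create in the name); retain it if it must outlive the account.
bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);

bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
bool SOSAccountAddEscrowRecords(SOSAccount* account, CFStringRef dsid, CFDictionaryRef record, CFErrorRef *error);
void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
// Copy/Create: caller owns the returned ring.
SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
SOSRingRef SOSAccountRingCreateForName(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
// `newRing` in UpdateRingFromRemote originates from another device; treat as untrusted input.
bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
bool SOSAccountResetRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error);
bool SOSAccountCheckPeerAvailability(SOSAccount* account, CFErrorRef *error);
// `create` is presumably used when no ring of that name exists, `copyModified` when
// one does — confirm in the .m.
bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
                               SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
                               SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));

//
// MARK: Backup translation functions
//

// Caller owns the returned string (CF Create/Copy rule).
CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);

//
// Security tool test/debug functions
//
// NOTE(review): the Delete… entry points are destructive (they remove persisted
// account/engine state); they exist for the `security` tool and tests only.
bool SOSAccountPostDebugScope(SOSAccount* account, CFTypeRef scope, CFErrorRef *error);
CFDataRef SOSAccountCopyAccountStateFromKeychain(CFErrorRef *error);
bool SOSAccountDeleteAccountStateFromKeychain(CFErrorRef *error);
CFDataRef SOSAccountCopyEngineStateFromKeychain(CFErrorRef *error);
bool SOSAccountDeleteEngineStateFromKeychain(CFErrorRef *error);

bool SOSAccountIsNew(SOSAccount* account, CFErrorRef *error);
bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
// UUID, no setter just getter and ensuring value.
void SOSAccountEnsureUUID(SOSAccount* account);
CFStringRef SOSAccountCopyUUID(SOSAccount* account);
const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
                                           CFIndex algorithmID, SecKeyRef* publicKey,
                                           CFDataRef *parameters,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);

/*
 * HSA2/piggybacking
 */

CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);

// Objective-C-typed helpers.  The former `#if __OBJC__` guard around them was
// redundant: this whole @interface only compiles as Objective-C.
// `SOSPiggyCopyInitialSyncData` decodes bytes received from another device; its
// `der`/`der_end` bounds are the only thing standing between it and an over-read.
NSData *SOSPiggyCreateInitialSyncData(NSArray<NSData*> *identities, NSArray<NSDictionary *>* tlks);
NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
NSArray<NSDictionary*>* SOSAccountSortTLKS(NSArray<NSDictionary*>* tlks);

bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);
// NOTE(review): name suggests a test hook; confirm it is not linked into production paths.
bool SOSAccountPopulateKVSWithBadKeys(SOSAccount* account, CFErrorRef* error);

@end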
338
/// Serialisation of an account to and from its DER form.
///
/// The `error` out-parameters follow the Cocoa convention: test the return value
/// first and only then read `*error`.
@interface SOSAccount (Persistence)

/// Rebuilds an account from a complete encoded blob.
/// @param data     The bytes previously produced by -encodedData:.
/// @param factory  Data-source factory handed to the new account.
/// @param error    Set on failure (presumably when nil is returned — confirm in the .m).
+ (instancetype)accountFromData:(NSData *)data
                        factory:(SOSDataSourceFactoryRef)factory
                          error:(NSError **)error;

/// Rebuilds an account from a DER cursor.
/// @param der      Pointer to the read position; the pointer-to-pointer suggests the
///                 decoder advances it past the consumed bytes — confirm in the .m.
/// @param der_end  One past the last readable byte; bounds the decode.
/// @param factory  Data-source factory handed to the new account.
/// @param error    Set on failure.
+ (instancetype)accountFromDER:(const uint8_t **)der
                           end:(const uint8_t *)der_end
                       factory:(SOSDataSourceFactoryRef)factory
                         error:(NSError **)error;

/// The receiver's DER encoding, or nil with `*error` set on failure.
- (NSData *)encodedData:(NSError **)error;

@end
351
#endif /* SOSAccountPriv_h */