OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h

   1 //
   2 //  SOSAccountPriv.h
   3 //  sec
   4 //
   5
   6 #ifndef sec_SOSAccountPriv_h
   7 #define sec_SOSAccountPriv_h
   8
   9 #include "SOSAccount.h"
  10
  11 #include <CoreFoundation/CoreFoundation.h>
  12 #include <CoreFoundation/CFRuntime.h>
  13 #include <utilities/SecCFWrappers.h>
  14 #include <utilities/SecCFError.h>
  15 #include <utilities/SecAKSWrappers.h>
  16
  17
  18 #include <Security/SecKeyPriv.h>
  19
  20 #include <utilities/der_plist.h>
  21 #include <utilities/der_plist_internal.h>
  22 #include <corecrypto/ccder.h>
  23
  24 #include <AssertMacros.h>
  25 #include <assert.h>
  26
  27 #import <notify.h>
  28
  29 #include <Security/SecureObjectSync/SOSInternal.h>
  30 #include <Security/SecureObjectSync/SOSCircle.h>
  31 #include <Security/SecureObjectSync/SOSCircleV2.h>
  32 #include <Security/SecureObjectSync/SOSRing.h>
  33 #include <Security/SecureObjectSync/SOSRingUtils.h>
  34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
  35 #include <securityd/SOSCloudCircleServer.h>
  36 #include <Security/SecureObjectSync/SOSEngine.h>
  37 #include <Security/SecureObjectSync/SOSPeer.h>
  38 #include <Security/SecureObjectSync/SOSFullPeerInfo.h>
  39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
  40 #include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
  41 #include <Security/SecureObjectSync/SOSUserKeygen.h>
  42 #include <Security/SecureObjectSync/SOSAccountTransaction.h>
  43 #include <utilities/iCloudKeychainTrace.h>
  44
  45 #include <Security/SecItemPriv.h>
  46
  47 extern const CFStringRef kSOSRecoveryRing;
  48
  49 struct __OpaqueSOSAccount {
  50     CFRuntimeBase           _base;
  51
  52     CFDictionaryRef         gestalt;
  53
  54     CFDataRef               backup_key;
  55
  56     SOSFullPeerInfoRef      my_identity;
  57     SOSCircleRef            trusted_circle;
  58
  59     CFStringRef             deviceID;
  60
  61     CFMutableDictionaryRef  backups;
  62
  63     CFMutableSetRef         retirees;
  64
  65     bool      user_public_trusted;
  66     CFDataRef user_key_parameters;
  67     SecKeyRef user_public;
  68     SecKeyRef previous_public;
  69     enum DepartureReason    departure_code;
  70     CFMutableDictionaryRef  expansion; // All CFTypes and Keys
  71
  72     // Non-persistent data
  73     dispatch_queue_t        queue;
  74
  75     SOSDataSourceFactoryRef factory;
  76     SecKeyRef _user_private;
  77     CFDataRef _password_tmp;
  78
  79     bool isListeningForSync;
  80
  81     dispatch_source_t user_private_timer;
  82     int               lock_notification_token;
  83
  84     SOSTransportKeyParameterRef key_transport;
  85     SOSTransportCircleRef       circle_transport;
  86     SOSTransportMessageRef      kvs_message_transport;
  87     SOSTransportMessageRef      ids_message_transport;
  88
  89     //indicates if changes in circle, rings, or retirements need to be pushed
  90     bool                        circle_rings_retirements_need_attention;
  91     bool                        engine_peer_state_needs_repair;
  92     bool                        key_interests_need_updating;
  93
  94     // Live Notification
  95     CFMutableArrayRef       change_blocks;
  96     CFMutableDictionaryRef  waitForInitialSync_blocks;
  97
  98     SOSAccountSaveBlock     saveBlock;
  99 };
 100 extern const CFStringRef kSOSEscrowRecord;
 101 extern const CFStringRef kSOSTestV2Settings;
 102
 103 SOSAccountRef SOSAccountCreateBasic(CFAllocatorRef allocator,
 104                                     CFDictionaryRef gestalt,
 105                                     SOSDataSourceFactoryRef factory);
 106
 107 bool SOSAccountEnsureFactoryCircles(SOSAccountRef a);
 108
 109 void SOSAccountSetToNew(SOSAccountRef a);
 110
 111 bool SOSAccountIsMyPeerActive(SOSAccountRef account, CFErrorRef* error);
 112
 113 // MARK: Notifications
 114
 115 #define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable"
 116
 117
 118 // MARK: Getters and Setters
 119
 120 // UUID, no setter just getter and ensuring value.
 121 void SOSAccountEnsureUUID(SOSAccountRef account);
 122 CFStringRef SOSAccountCopyUUID(SOSAccountRef account);
 123
 124
 125 // MARK: Transactional
 126
 127 void SOSAccountWithTransaction_Locked(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn));
 128
 129 void SOSAccountWithTransaction(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn));
 130 void SOSAccountWithTransactionSync(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn));
 131 void SOSAccountWithTransactionAsync(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn));
 132
 133 void SOSAccountRecordRetiredPeersInCircle(SOSAccountRef account);
 134
 135 // MARK: In Sync checking
 136
 137 CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccountRef account, SOSAccountWaitForInitialSyncBlock syncBlock);
 138 bool SOSAccountUnregisterCallWhenInSync(SOSAccountRef account, CFStringRef id);
 139
 140 bool SOSAccountHandleOutOfSyncUpdate(SOSAccountRef account, CFSetRef oldOOSViews, CFSetRef newOOSViews);
 141
 142 void SOSAccountUpdateOutOfSyncViews(SOSAccountTransactionRef aTxn, CFSetRef viewsInSync);
 143
 144 void SOSAccountEnsureSyncChecking(SOSAccountRef account);
 145 void SOSAccountCancelSyncChecking(SOSAccountRef account);
 146
 147 bool SOSAccountCheckForAlwaysOnViews(SOSAccountRef account);
 148
 149 CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccountRef account);
 150 CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccountRef account, CFSetRef inSet);
 151 bool SOSAccountIntersectsWithOutstanding(SOSAccountRef account, CFSetRef views);
 152 bool SOSAccountIsViewOutstanding(SOSAccountRef account, CFStringRef view);
 153 bool SOSAccountHasOustandingViews(SOSAccountRef account);
 154
 155
 156 // MARK: DER Stuff
 157
 158
 159 size_t der_sizeof_data_or_null(CFDataRef data, CFErrorRef* error);
 160
 161 uint8_t* der_encode_data_or_null(CFDataRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 162
 163 const uint8_t* der_decode_data_or_null(CFAllocatorRef allocator, CFDataRef* data,
 164                                        CFErrorRef* error,
 165                                        const uint8_t* der, const uint8_t* der_end);
 166
 167 size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);
 168
 169 uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 170
 171 const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
 172                                        CFErrorRef* error,
 173                                        const uint8_t* der, const uint8_t* der_end);
 174
 175
 176 size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);
 177
 178 uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 179
 180 const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);
 181
 182
 183 // Persistence
 184
 185 SOSAccountRef SOSAccountCreateFromDER(CFAllocatorRef allocator,
 186                                       SOSDataSourceFactoryRef factory,
 187                                       CFErrorRef* error,
 188                                       const uint8_t** der_p, const uint8_t *der_end);
 189
 190 SOSAccountRef SOSAccountCreateFromData(CFAllocatorRef allocator, CFDataRef circleData,
 191                                        SOSDataSourceFactoryRef factory,
 192                                        CFErrorRef* error);
 193
 194 size_t SOSAccountGetDEREncodedSize(SOSAccountRef account, CFErrorRef *error);
 195
 196 uint8_t* SOSAccountEncodeToDER(SOSAccountRef account, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
 197
 198 CFDataRef SOSAccountCopyEncodedData(SOSAccountRef account, CFAllocatorRef allocator, CFErrorRef *error);
 199
 200 // Update
 201
 202 bool SOSAccountHandleCircleMessage(SOSAccountRef account,
 203                                    CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);
 204
 205 CF_RETURNS_RETAINED
 206 CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccountRef account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);
 207
 208
 209 bool SOSAccountHandleUpdateCircle(SOSAccountRef account,
 210                                   SOSCircleRef prospective_circle,
 211                                   bool writeUpdate,
 212                                   CFErrorRef *error);
 213
 214 void SOSAccountNotifyEngines(SOSAccountRef account);
 215
 216 bool SOSAccountSyncingV0(SOSAccountRef account);
 217
 218 // My Peer
 219 bool SOSAccountHasFullPeerInfo(SOSAccountRef account, CFErrorRef* error);
 220 SOSPeerInfoRef SOSAccountGetMyPeerInfo(SOSAccountRef account);
 221 SOSFullPeerInfoRef SOSAccountGetMyFullPeerInfo(SOSAccountRef account);
 222 CFStringRef SOSAccountGetMyPeerID(SOSAccountRef a);
 223 bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccountRef account, CFStringRef viewname);
 224 bool SOSAccountUpdateOurPeerInBackup(SOSAccountRef account, SOSRingRef oldRing, CFErrorRef *error);
 225 bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccountRef account, SOSPeerInfoRef testPeer, CFStringRef viewname);
 226 bool SOSDeleteV0Keybag(CFErrorRef *error);
 227 void SOSAccountForEachBackupView(SOSAccountRef account,  void (^operation)(const void *value));
 228 bool SOSAccountUpdatePeerInfo(SOSAccountRef account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
 229
 230 // Currently permitted backup rings.
 231 void SOSAccountForEachRingName(SOSAccountRef account, void (^operation)(CFStringRef value));
 232
 233 // My Circle
 234 bool SOSAccountHasCircle(SOSAccountRef account, CFErrorRef* error);
 235 SOSCircleRef SOSAccountGetCircle(SOSAccountRef a, CFErrorRef *error);
 236 SOSCircleRef SOSAccountEnsureCircle(SOSAccountRef a, CFStringRef name, CFErrorRef *error);
 237
 238 bool SOSAccountUpdateCircleFromRemote(SOSAccountRef account, SOSCircleRef newCircle, CFErrorRef *error);
 239 bool SOSAccountUpdateCircle(SOSAccountRef account, SOSCircleRef newCircle, CFErrorRef *error);
 240 bool SOSAccountModifyCircle(SOSAccountRef account,
 241                             CFErrorRef* error,
 242                             bool (^action)(SOSCircleRef circle));
 243 CFSetRef SOSAccountCopyPeerSetMatching(SOSAccountRef account, bool (^action)(SOSPeerInfoRef peer));
 244
 245 void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);
 246
 247 CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);
 248
 249
 250 // FullPeerInfos - including Cloud Identity
 251 SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);
 252
 253 SecKeyRef GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);
 254
 255 bool SOSAccountEnsureFullPeerAvailable(SOSAccountRef account, CFErrorRef * error);
 256
 257 bool SOSAccountIsAccountIdentity(SOSAccountRef account, SOSPeerInfoRef peer_info, CFErrorRef *error);
 258 bool SOSAccountFullPeerInfoVerify(SOSAccountRef account, SecKeyRef privKey, CFErrorRef *error);
 259 SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);
 260
 261 // Credentials
 262 bool SOSAccountHasPublicKey(SOSAccountRef account, CFErrorRef* error);
 263 void SOSAccountSetPreviousPublic(SOSAccountRef account);
 264 bool SOSAccountPublishCloudParameters(SOSAccountRef account, CFErrorRef* error);
 265 bool SOSAccountRetrieveCloudParameters(SOSAccountRef account, SecKeyRef *newKey,
 266                                        CFDataRef derparms,
 267                                        CFDataRef *newParameters, CFErrorRef* error);
 268
 269 //DSID
 270 void SOSAccountAssertDSID(SOSAccountRef account, CFStringRef dsid);
 271
 272 //
 273 // Key extraction
 274 //
 275
 276 SecKeyRef SOSAccountCopyDeviceKey(SOSAccountRef account, CFErrorRef *error);
 277 SecKeyRef SOSAccountCopyPublicKeyForPeer(SOSAccountRef account, CFStringRef peer_id, CFErrorRef *error);
 278
 279 // Testing
 280 void SOSAccountSetLastDepartureReason(SOSAccountRef account, enum DepartureReason reason);
 281 void SOSAccountSetUserPublicTrustedForTesting(SOSAccountRef account);
 282 void SOSAccountPeerGotInSync(SOSAccountTransactionRef aTxn, CFStringRef peerID, CFSetRef views);
 283
 284 static inline void CFArrayAppendValueIfNot(CFMutableArrayRef array, CFTypeRef value, CFTypeRef excludedValue)
 285 {
 286     if (!CFEqualSafe(value, excludedValue))
 287         CFArrayAppendValue(array, value);
 288 }
 289
 290 static inline CFMutableDictionaryRef CFDictionaryEnsureCFDictionaryAndGetCurrentValue(CFMutableDictionaryRef dict, CFTypeRef key)
 291 {
 292     CFMutableDictionaryRef result = (CFMutableDictionaryRef) CFDictionaryGetValue(dict, key);
 293
 294     if (!isDictionary(result)) {
 295         result = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
 296         CFDictionarySetValue(dict, key, result);
 297         CFReleaseSafe(result);
 298     }
 299
 300     return result;
 301 }
 302
 303 static inline CFMutableArrayRef CFDictionaryEnsureCFArrayAndGetCurrentValue(CFMutableDictionaryRef dict, CFTypeRef key)
 304 {
 305     CFMutableArrayRef result = (CFMutableArrayRef) CFDictionaryGetValue(dict, key);
 306
 307     if (!isArray(result)) {
 308         result = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
 309         CFDictionarySetValue(dict, key, result);
 310         CFReleaseSafe(result);
 311     }
 312
 313     return result;
 314 }
 315
 316 void SOSAccountPurgeIdentity(SOSAccountRef account);
 317 bool sosAccountLeaveCircle(SOSAccountRef account, SOSCircleRef circle, CFErrorRef* error);
 318 bool sosAccountLeaveRing(SOSAccountRef account, SOSRingRef ring, CFErrorRef* error);
 319 void SOSAccountAddRingDictionary(SOSAccountRef a);
 320 bool SOSAccountForEachRing(SOSAccountRef account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
 321 CFMutableDictionaryRef SOSAccountGetBackups(SOSAccountRef a, CFErrorRef *error);
 322 bool SOSAccountUpdateBackUp(SOSAccountRef account, CFStringRef viewname, CFErrorRef *error);
 323 bool SOSAccountEnsureInBackupRings(SOSAccountRef account);
 324
 325 bool SOSAccountEnsurePeerRegistration(SOSAccountRef account, CFErrorRef *error);
 326
 327 extern const CFStringRef kSOSDSIDKey;
 328 extern const CFStringRef SOSTransportMessageTypeIDSV2;
 329 extern const CFStringRef SOSTransportMessageTypeKVS;
 330
 331 extern const CFStringRef kSOSUnsyncedViewsKey;
 332 extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
 333 extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
 334 extern const CFStringRef kSOSRecoveryKey;
 335 extern const CFStringRef kSOSAccountUUID;
 336
 337 typedef enum{
 338     kSOSTransportNone = 0,
 339     kSOSTransportIDS = 1,
 340     kSOSTransportKVS = 2,
 341     kSOSTransportFuture = 3,
 342     kSOSTransportPresent = 4
 343 }TransportType;
 344
 345 SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccountRef account, CFStringRef peerid, CFErrorRef *error);
 346
 347 // MARK: Value setting/clearing
 348 bool SOSAccountSetValue(SOSAccountRef account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
 349 bool SOSAccountClearValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error);
 350 CFTypeRef SOSAccountGetValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error);
 351
 352 // MARK: Value as Set
 353 bool SOSAccountValueSetContainsValue(SOSAccountRef account, CFStringRef key, CFTypeRef value);
 354 void SOSAccountValueUnionWith(SOSAccountRef account, CFStringRef key, CFSetRef valuesToUnion);
 355 void SOSAccountValueSubtractFrom(SOSAccountRef account, CFStringRef key, CFSetRef valuesToSubtract);
 356
 357
 358 bool SOSAccountAddEscrowToPeerInfo(SOSAccountRef account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
 359 bool SOSAccountAddEscrowRecords(SOSAccountRef account, CFStringRef dsid, CFDictionaryRef record, CFErrorRef *error);
 360 bool SOSAccountCheckForRings(SOSAccountRef a, CFErrorRef *error);
 361 bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospective_ring, bool writeUpdate, CFErrorRef *error);
 362 SOSRingRef SOSAccountCopyRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error);
 363 bool SOSAccountSetRing(SOSAccountRef a, SOSRingRef ring, CFStringRef ringName, CFErrorRef *error);
 364 void SOSAccountRemoveRing(SOSAccountRef a, CFStringRef ringName);
 365 SOSRingRef SOSAccountCopyRingNamed(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error);
 366 SOSRingRef SOSAccountRingCreateForName(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error);
 367 bool SOSAccountUpdateRingFromRemote(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error);
 368 bool SOSAccountUpdateRing(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error);
 369 bool SOSAccountModifyRing(SOSAccountRef account, CFStringRef ringName,
 370                           CFErrorRef* error,
 371                           bool (^action)(SOSRingRef ring));
 372 CFDataRef SOSAccountRingCopyPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error);
 373 SOSRingRef SOSAccountRingCopyWithPayload(SOSAccountRef account, CFStringRef ringName, CFDataRef payload, CFErrorRef *error);
 374 bool SOSAccountRemoveBackupPeers(SOSAccountRef account, CFArrayRef peerIDs, CFErrorRef *error);
 375 bool SOSAccountResetRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error);
 376 bool SOSAccountResetAllRings(SOSAccountRef account, CFErrorRef *error);
 377 bool SOSAccountCheckPeerAvailability(SOSAccountRef account, CFErrorRef *error);
 378 bool SOSAccountUpdateNamedRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error,
 379                                SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
 380                                SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));
 381
 382 //
 383 // MARK: Backup translation functions
 384 //
 385
 386 CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
 387
 388 //
 389 // Security tool test/debug functions
 390 //
 391
 392 CFDataRef SOSAccountCopyAccountStateFromKeychain(CFErrorRef *error);
 393 bool SOSAccountDeleteAccountStateFromKeychain(CFErrorRef *error);
 394 CFDataRef SOSAccountCopyEngineStateFromKeychain(CFErrorRef *error);
 395 bool SOSAccountDeleteEngineStateFromKeychain(CFErrorRef *error);
 396
 397 bool SOSAccountIsNew(SOSAccountRef account, CFErrorRef *error);
 398
 399
 400 #endif