1 //
2 // SOSAccountPriv.h
3 // Security
4 //
5
6 #ifndef SOSAccountPriv_h
7 #define SOSAccountPriv_h
8
9 #import <Foundation/Foundation.h>
10
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <CoreFoundation/CFRuntime.h>
13 #include <utilities/SecCFWrappers.h>
14 #include <utilities/SecCFError.h>
15 #include <utilities/SecAKSWrappers.h>
16
17 #include <Security/SecKeyPriv.h>
18
19 #include <Security/der_plist.h>
20 #include <utilities/der_plist_internal.h>
21 #include <corecrypto/ccder.h>
22
23 #include <AssertMacros.h>
24
25 #import <notify.h>
26
27 #include "keychain/SecureObjectSync/SOSInternal.h"
28
29 #include "keychain/SecureObjectSync/SOSCircle.h"
30 #include "keychain/SecureObjectSync/SOSCircleV2.h"
31 #include "keychain/SecureObjectSync/SOSRing.h"
32 #include "keychain/SecureObjectSync/SOSRingUtils.h"
33 #include <Security/SecureObjectSync/SOSCloudCircle.h>
34 #include "keychain/securityd/SOSCloudCircleServer.h"
35 #include "keychain/SecureObjectSync/SOSEngine.h"
36 #include "keychain/SecureObjectSync/SOSPeer.h"
37 #include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
38 #include <Security/SecureObjectSync/SOSPeerInfo.h>
39
40 #include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
41 #include "keychain/SecureObjectSync/SOSUserKeygen.h"
42 #include "keychain/SecureObjectSync/SOSTransportCircle.h"
43
44 #include <utilities/iCloudKeychainTrace.h>
45
46 #include <Security/SecItemPriv.h>
47
48
// Keys for the account's generic key/value store (SOSAccountSetValue /
// SOSAccountGetValue / SOSAccountClearValue are declared further down).
// From their names, several refer to recovery and escrow state
// (kSOSRecoveryKey, kSOSRecoveryRing, kSOSEscrowRecord); which of these
// values end up in the persisted account blob is decided by the
// implementation, not visible here.
extern const CFStringRef kSOSUnsyncedViewsKey;
extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
extern const CFStringRef kSOSRecoveryKey;
extern const CFStringRef kSOSAccountUUID;
extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
extern const CFStringRef kSOSRecoveryRing;
extern const CFStringRef kSOSEscrowRecord;
extern const CFStringRef kSOSAccountName;
extern const CFStringRef kSOSTestV2Settings;
extern const CFStringRef kSOSRateLimitingCounters;
extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
extern const CFStringRef kSOSAccountRenegotiationRetryCount;
extern const CFStringRef kSOSInitialSyncTimeoutV0;

// Persistence callback: receives the flattened (DER) account to write out.
// Presumably flattenedAccount is NULL and flattenFailError is set when
// flattening failed -- the parameter names suggest it; confirm in the .m.
// The block receives CF references, so ownership of flattenedAccount follows
// whatever the caller documents (not visible here).
typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);

// Forward declarations so the interface below can name these classes
// without importing their headers.
@class SOSMessageKVS;
@class CKKeyParameter;
@class SOSAccountTrustClassic;
@class SOSKVSCircleStorageTransport;
@class SOSCircleStorageTransport;
@class SOSCKCircleStorage;
72
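@interface SOSAccount : NSObject <SOSControlProtocol>

/*
 * Private, in-process interface of the SOS (Secure Object Sync / iCloud
 * Keychain circle) account object.  The file name (SOSAccountPriv.h) marks
 * everything here as internal; do not treat it as a stable SPI surface.
 *
 * Notes that apply to the whole interface:
 *  - Properties typed SecKeyRef (or any other CF type) carry no ownership
 *    attribute.  ARC does not retain or release CF references stored through
 *    such a property, so CFRetain/CFRelease is the implementation's job.
 *  - The NSData/NSString/NSDictionary properties are declared `retain`, not
 *    `copy`.  A caller that passes a mutable subclass instance can therefore
 *    mutate the stored value after assignment.  NOTE(review): consider `copy`
 *    for the key-material properties once the .m and callers are checked.
 *  - C functions whose names contain Copy/Create follow the Core Foundation
 *    "Create Rule" by convention; the ones explicitly tagged
 *    CF_RETURNS_RETAINED certainly return a +1 reference the caller releases.
 *  - This header previously declared SOSAccountCopyOutstandingViews three
 *    times and re-declared four kSOS* keys already declared at the top of the
 *    file; the redundant prototypes were dropped (no interface change).
 */

// Device/account description used to build peer info (exact keys are not
// visible here; see -initWithGestalt:factory:).
@property (nonatomic, retain) NSDictionary *gestalt;
// Backup key bytes.  Key material: NSData is not scrubbed on release, so the
// holder should keep its lifetime short.
@property (nonatomic, retain) NSData *backup_key;
@property (nonatomic, retain) NSString *deviceID;

// Peer-info / circle-membership state lives here; the read-only identity
// properties below are delegated to it.
@property (nonatomic, retain) SOSAccountTrustClassic *trust;

// Queue the account's work is dispatched on, and a timer presumably tied to
// the user private key (its use is in the implementation).
@property (nonatomic, retain) dispatch_queue_t queue;
@property (nonatomic, retain) dispatch_source_t user_private_timer;
// CF type: ARC does not manage this reference (see header note).
@property (nonatomic) SecKeyRef accountPrivateKey;

@property (nonatomic) SOSDataSourceFactoryRef factory;

// Temporary copy of the user password.  Sensitive: NOTE(review) confirm the
// implementation drops this as soon as the derived key exists, since NSData
// does not zero its buffer on dealloc.  (The leading underscore in the
// property name is unusual; the synthesized ivar becomes __password_tmp.)
@property (nonatomic, retain) NSData *_password_tmp;
@property (nonatomic, assign) BOOL isListeningForSync;
// Presumably a notify(3) registration token (the file imports <notify.h>).
@property (nonatomic, assign) int lock_notification_token;
// Transports.  KVS is the only circle/message transport named in this header.
@property (nonatomic, retain) CKKeyParameter* key_transport;
@property (nonatomic, retain) SOSKVSCircleStorageTransport* circle_transport;
@property (nonatomic, retain) SOSMessageKVS* kvs_message_transport;
@property (nonatomic, retain) SOSCKCircleStorage* ck_storage;


// Deferred-work flags.  What each one triggers, and when they are consulted,
// is in the implementation.
@property (nonatomic, assign) BOOL circle_rings_retirements_need_attention;
@property (nonatomic, assign) BOOL engine_peer_state_needs_repair;
@property (nonatomic, assign) BOOL key_interests_need_updating;
@property (nonatomic, assign) BOOL need_backup_peers_created_after_backup_key_set;


// Registered change blocks (see SOSAccountAddSyncablePeerBlock).
@property (nonatomic, retain) NSMutableArray *change_blocks;

// Blocks waiting for initial sync, keyed by the id SOSAccountCallWhenInSync
// returns.
@property (nonatomic, retain) NSMutableDictionary *waitForInitialSync_blocks;

// DER-encoded parameters for deriving the account key from the user
// credential (see SOSAccountRetrieveCloudParameters and
// der_decode_cloud_parameters below).
@property (nonatomic, retain) NSData* accountKeyDerivationParameters;

// Whether accountKey is considered trusted.  Security-relevant: any path that
// sets this to YES outside credential verification widens what the account
// accepts -- see SOSAccountSetUserPublicTrustedForTesting under "Testing".
@property (nonatomic, assign) BOOL accountKeyIsTrusted;
// CF types: ARC does not manage these references (see header note).
@property (nonatomic) SecKeyRef accountKey;
@property (nonatomic) SecKeyRef previousAccountKey;
@property (nonatomic) SecKeyRef peerPublicKey;

// Invoked with the flattened account to persist it (see -flattenToSaveBlock).
// Declared without `nonatomic`, so unlike the rest of the class this accessor
// pair is atomic.
@property (copy) SOSAccountSaveBlock saveBlock;


// Identity access properties, all delegated to the trust object
@property (readonly, nonatomic) BOOL hasPeerInfo;
@property (readonly, nonatomic) SOSPeerInfoRef peerInfo;
@property (readonly, nonatomic) SOSFullPeerInfoRef fullPeerInfo;
@property (readonly, nonatomic) NSString* peerID;

// Named for the notification to post "on exit" (presumably of the current
// account transaction; confirm in the .m).
@property (nonatomic, assign) BOOL notifyCircleChangeOnExit;
@property (nonatomic, assign) BOOL notifyViewChangeOnExit;
@property (nonatomic, assign) BOOL notifyBackupOnExit;

@property (nonatomic, retain) NSUserDefaults* settings;

// Octagon peer keys.  "Full" presumably means the private half is included.
// CF types: ARC does not manage these references.
@property (nonatomic) SecKeyRef octagonSigningFullKeyRef;
@property (nonatomic) SecKeyRef octagonEncryptionFullKeyRef;

@property (nonatomic, assign) BOOL accountIsChanging;


// Plain -init is disabled; construct with a gestalt and a data source factory.
-(id) init NS_UNAVAILABLE;
-(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;

- (void)startStateMachine;

// Registers a block to be told about syncable-peer changes for data source
// ds_name (stored in change_blocks, presumably).
void SOSAccountAddSyncablePeerBlock(SOSAccount* a,
                                    CFStringRef ds_name,
                                    SOSAccountSyncablePeersBlock changeBlock);

-(bool) ensureFactoryCircles;
-(void) ensureOctagonPeerKeys;

// Flattens the account and hands the result to saveBlock.
-(void) flattenToSaveBlock;

// Ghost-busting (removal of stale peers).  Ramp settings gate the feature.
-(void) ghostBustSchedule;
+ (SOSAccountGhostBustingOptions) ghostBustGetRampSettings;
- (bool) ghostBustCheckDate;

#if OCTAGON
- (void)triggerBackupForPeers:(NSArray<NSString*>*)backupPeer;
- (void)triggerRingUpdate;
#endif


// Resets the account to a fresh state.
void SOSAccountSetToNew(SOSAccount* a);

bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);

// MARK: In Sync checking
// Block called once initial sync is believed complete; its bool return value
// is presumably "done, unregister me" -- confirm in the .m.
typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount* account);

// Returns a +1 identifier that SOSAccountUnregisterCallWhenInSync accepts.
CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef id);

bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);

void SOSAccountEnsureSyncChecking(SOSAccount* account);
void SOSAccountCancelSyncChecking(SOSAccount* account);
void SOSAccountInitializeInitialSync(SOSAccount* account);
// "Outstanding" views are those not yet synced.  Copy*: caller releases.
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
CFSetRef SOSAccountCopyEnabledViews(SOSAccount* account);
void SOSAccountNotifyEngines(SOSAccount* account);
bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
// ("Oustanding" is a typo in the exported names; kept for compatibility.)
CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
bool SOSAccountHasOustandingViews(SOSAccount* account);
bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
bool SOSAccountSyncingV0(SOSAccount* account);

// MARK: DER Stuff
//
// Bounded DER (de)serializers.  Decoders consume from [der, der_end) and
// return the position after the decoded element; the encoders take the same
// bounds and return a pointer into the buffer.  The signatures match the
// corecrypto ccder convention (this header includes <corecrypto/ccder.h>),
// where failure is signalled with NULL -- NOTE(review): confirm in the
// implementation before relying on that for error handling.


size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);

uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

// Decoded full peer info is returned via *data (ownership per CF convention:
// caller releases; confirm).
const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);


size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);

uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

// algorithmID selects how the raw public bytes are turned into a SecKeyRef.
const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);


// Update
-(SOSCCStatus) getCircleStatus:(CFErrorRef*) error;
-(bool) isInCircle:(CFErrorRef *)error;

// Entry point for an encoded circle arriving for circleName.  The encoded
// bytes presumably come from a transport (KVS), i.e. they are remote input:
// the implementation must verify the circle's signatures against trusted
// keys before SOSAccountHandleUpdateCircle applies it -- confirm in the .m.
bool SOSAccountHandleCircleMessage(SOSAccount* account,
                                   CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);

// Returns a +1 dictionary; the caller releases it.
CF_RETURNS_RETAINED
CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);

// Applies prospective_circle to the account; writeUpdate selects whether the
// result is pushed back out (presumably to the transport).
bool SOSAccountHandleUpdateCircle(SOSAccount* account,
                                  SOSCircleRef prospective_circle,
                                  bool writeUpdate,
                                  CFErrorRef *error);


// My Peer
bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);

bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
// Not account-scoped: removes the legacy V0 backup keybag.
bool SOSDeleteV0Keybag(CFErrorRef *error);
// Runs `update` against our peer info.  The first variant hands the block the
// full peer info (which, from its name, includes the private half needed to
// re-sign); the ...AndPush variant hands it the public peer info and then
// publishes the result.
bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
bool SOSAccountUpdatePeerInfoAndPush(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error,
                                     bool (^update)(SOSPeerInfoRef pi, CFErrorRef *error));

// Currently permitted backup rings.
void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachBackupView(SOSAccount* account, void (^operation)(const void *value));
// Create*: caller releases the returned ring.
SOSRingRef SOSAccountCreateBackupRingForView(SOSAccount* account, CFStringRef ringBackupViewName, CFErrorRef *error);


// My Circle
bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
// Returns a +1 reference to the circle named `name`, creating it if needed.
SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);

void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);

// Copy*: caller releases.
CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);


// FullPeerInfos - including Cloud Identity
// Copy*: caller releases.
SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);

bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
// Verifies the account's full peer info using privKey (what exactly is
// checked is in the .m).
bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);

// Calls `complete` with each iCloud identity private key.  These are private
// keys: the block must not stash or log them.
void SOSiCloudIdentityPrivateKeyForEach(void (^complete)(SecKeyRef privKey));

// Credentials
bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
// derparms: DER-encoded cloud parameters (in).  newKey / newParameters: out.
bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
                                       CFDataRef derparms,
                                       CFDataRef *newParameters, CFErrorRef* error);

//DSID
// Asserts that the account is bound to this data-store id.
void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);

//
// Key extraction
//

// Copy*: caller releases.
SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
// Generates a new EC key of keySize bits labelled `name`; "Permanent"
// suggests it is stored in the keychain (not visible here).  Returns +1.
SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);

// Testing
void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
// Test-only.  From its name this marks the user public key trusted without the
// normal credential check.  NOTE(review): confirm nothing outside test targets
// can reach it; it bypasses the trust decision the rest of the account relies on.
void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);

// Discards the local identity (peer info / keys).
void SOSAccountPurgeIdentity(SOSAccount*);
bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, CFErrorRef* error);

// `action` returns the (possibly replaced) ring for each name.
bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
void SOSAccountEnsureRecoveryRing(SOSAccount* account);

bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);

// Plain C enum (no NS_ENUM, no fixed underlying type, unprefixed typedef);
// left as-is because changing the underlying type would alter the ABI.
typedef enum{
    kSOSTransportNone = 0,
    kSOSTransportIDS = 1,
    kSOSTransportKVS = 2,
    kSOSTransportFuture = 3,
    kSOSTransportPresent = 4
}TransportType;

// Copy*: caller releases.
SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);

// Generic key/value store, presumably keyed by the kSOS* keys declared at the
// top of this header.  GetValue returns a borrowed (+0) reference.
bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);

bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
// Copy*: caller releases.
SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
// ...FromRemote takes a ring that arrived from another peer, i.e. untrusted
// input; NOTE(review): confirm the implementation verifies it before it is
// accepted, as opposed to the local SOSAccountUpdateRing path.
bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
// `create` is used when no ring named ringName exists, `copyModified` when one
// does; both return a ring the callee takes over (Copy/Create naming).
bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
                               SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
                               SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));

//
// MARK: Backup translation functions
//

// Copy*: caller releases.
CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
bool SOSAccountUpdateBackupRing(SOSAccount* account, CFStringRef viewName, CFErrorRef *error,
                                SOSRingRef (^modify)(SOSRingRef existing, CFErrorRef *error));
//
// Security tool test/debug functions
//
bool SOSAccountPostDebugScope(SOSAccount* account, CFTypeRef scope, CFErrorRef *error);

bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
// UUID, no setter just getter and ensuring value.
void SOSAccountEnsureUUID(SOSAccount* account);
CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account);
// Decodes [der, der_end) into a public key and its parameters (both out).
// Same bounded-decoder convention as the DER section above.
const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
                                           CFIndex algorithmID, SecKeyRef* publicKey,
                                           CFDataRef *parameters,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);

/*
 * HSA2/piggybacking
 */

// Encodes a piggyback blob from a generation count, a public key and a
// signature.  Copy*: caller releases.
CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);

#if __OBJC__
// Initial-sync payload: identities plus TLK dictionaries.  From the names this
// is key material being bundled for another device; keep it off logs and
// confine its lifetime to the piggybacking exchange.
NSData *SOSPiggyCreateInitialSyncData(NSArray<NSData*> *identities, NSArray<NSDictionary *>* tlks);
// Parses a payload produced by the above.  `der` is a pointer-to-pointer, so
// it is presumably advanced past what was consumed.  (ObjC return under ARC:
// the "Copy" in the name does not imply a +1 the caller must release.)
NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
NSArray<NSDictionary*>* SOSAccountSortTLKS(NSArray<NSDictionary*>* tlks);
#endif

bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);

@end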
353
// Serialization of the account object.
@interface SOSAccount (Persistence)

// Rebuilds an account from a flattened blob (the whole NSData) or from a
// bounded DER region [*der, der_end).  The DER variant takes `der` by pointer,
// so it is presumably advanced past the consumed bytes -- confirm in the .m.
// The blob comes from storage and is parsed with the bounded decoders in
// SOSAccountPriv.h; callers should still treat a nil result (with *error set)
// as "blob unusable" rather than retrying with relaxed parsing.
+(instancetype) accountFromData: (NSData*) data
                        factory: (SOSDataSourceFactoryRef) factory
                          error: (NSError**) error;
+(instancetype) accountFromDER: (const uint8_t**) der
                           end: (const uint8_t*) der_end
                       factory: (SOSDataSourceFactoryRef) factory
                         error: (NSError**) error;

// Flattens this account to the form accountFromData: accepts; nil with *error
// set on failure (check the return value, not the error pointer).
-(NSData*) encodedData: (NSError**) error;


@end
368
#endif /* SOSAccountPriv_h */