]> git.saurik.com Git - apple/security.git/blob - keychain/ckks/CKKSLockStateTracker.m
Security-59754.41.1.tar.gz
[apple/security.git] / keychain / ckks / CKKSLockStateTracker.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if OCTAGON
25
26 #include <notify.h>
27 #include <dispatch/dispatch.h>
28 #include <utilities/SecAKSWrappers.h>
29
30 #import "keychain/ckks/CKKS.h"
31 #import "keychain/ckks/CKKSResultOperation.h"
32 #import "keychain/ckks/CKKSGroupOperation.h"
33 #import "keychain/ckks/CKKSLockStateTracker.h"
34 #import "keychain/ot/ObjCImprovements.h"
35
36 @interface CKKSLockStateTracker ()
37 @property bool queueIsLocked;
38 @property dispatch_queue_t queue;
39 @property NSOperationQueue* operationQueue;
40 @property NSHashTable<id<CKKSLockStateNotification>> *observers;
41 @property (assign) int notify_token;
42
43 @property (nullable) NSDate* lastUnlockedTime;
44
45 @end
46
47 @implementation CKKSLockStateTracker
48
49 - (instancetype)init {
50 if((self = [super init])) {
51 _queue = dispatch_queue_create("lock-state-tracker", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL);
52 _operationQueue = [[NSOperationQueue alloc] init];
53
54 _notify_token = NOTIFY_TOKEN_INVALID;
55 _queueIsLocked = true;
56 _observers = [NSHashTable weakObjectsHashTable];
57 [self resetUnlockDependency];
58
59 WEAKIFY(self);
60
61 // If this is a live server, register with notify
62 if(!SecCKKSTestsEnabled()) {
63 notify_register_dispatch(kUserKeybagStateChangeNotification, &_notify_token, _queue, ^(int t) {
64 STRONGIFY(self);
65 [self _onqueueRecheck];
66 });
67 }
68
69 dispatch_async(_queue, ^{
70 STRONGIFY(self);
71 [self _onqueueRecheck];
72 });
73 }
74 return self;
75 }
76
77 - (void)dealloc {
78 if (_notify_token != NOTIFY_TOKEN_INVALID) {
79 notify_cancel(_notify_token);
80 }
81 }
82
83 - (bool)isLocked {
84 // if checking close after launch ``isLocked'' needs to be blocked on the initial fetch operation
85 __block bool locked;
86 dispatch_sync(_queue, ^{
87 locked = self->_queueIsLocked;
88 });
89 return locked;
90 }
91
92 - (NSDate*)lastUnlockTime {
93 // If unlocked, the last unlock time is now. Otherwise, used the cached value.
94 __block NSDate* date = nil;
95 dispatch_sync(self.queue, ^{
96 if(self.queueIsLocked) {
97 date = self.lastUnlockedTime;
98 } else {
99 date = [NSDate date];
100 self.lastUnlockedTime = date;
101 }
102 });
103 return date;
104 }
105
106 -(NSString*)description {
107 bool isLocked = self.isLocked;
108 return [NSString stringWithFormat: @"<CKKSLockStateTracker: %@ last:%@>",
109 isLocked ? @"locked" : @"unlocked",
110 isLocked ? self.lastUnlockedTime : @"now"];
111 }
112
113 -(void)resetUnlockDependency {
114 if(self.unlockDependency == nil || ![self.unlockDependency isPending]) {
115 CKKSResultOperation* op = [CKKSResultOperation named:@"keybag-unlocked-dependency" withBlock: ^{
116 ckksinfo_global("ckks", "Keybag unlocked");
117 }];
118 op.descriptionErrorCode = CKKSResultDescriptionPendingUnlock;
119 self.unlockDependency = op;
120 }
121 }
122
123 +(bool)queryAKSLocked {
124 CFErrorRef aksError = NULL;
125 bool locked = true;
126
127 if(!SecAKSGetIsLocked(&locked, &aksError)) {
128 ckkserror_global("ckks", "error querying lock state: %@", aksError);
129 CFReleaseNull(aksError);
130 }
131
132 return locked;
133 }
134
135 -(void)_onqueueRecheck {
136 dispatch_assert_queue(self.queue);
137
138 static bool first = true;
139 bool wasLocked = self.queueIsLocked;
140 self.queueIsLocked = [CKKSLockStateTracker queryAKSLocked];
141
142 if(wasLocked != self.queueIsLocked || first) {
143 first = false;
144 if(self.queueIsLocked) {
145 // We're locked now.
146 [self resetUnlockDependency];
147
148 if(wasLocked) {
149 self.lastUnlockedTime = [NSDate date];
150 }
151 } else {
152 [self.operationQueue addOperation: self.unlockDependency];
153 self.unlockDependency = nil;
154 self.lastUnlockedTime = [NSDate date];
155 }
156
157 bool isUnlocked = (self.queueIsLocked == false);
158 for (id<CKKSLockStateNotification> observer in _observers) {
159 __strong typeof(observer) strongObserver = observer;
160 if (strongObserver == nil) {
161 return;
162 }
163 dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
164 [strongObserver lockStateChangeNotification:isUnlocked];
165 });
166 }
167 }
168 }
169
170 -(void)recheck {
171 dispatch_sync(self.queue, ^{
172 [self _onqueueRecheck];
173 });
174 }
175
176 - (bool)lockedError:(NSError *)error
177 {
178 bool isLockedError = error.code == errSecInteractionNotAllowed &&
179 ([error.domain isEqualToString:@"securityd"] || [error.domain isEqualToString:(__bridge NSString*)kSecErrorDomain]);
180 return isLockedError;
181 }
182
183 - (bool)checkErrorChainForLockState:(NSError*)error
184 {
185 while(error != nil) {
186 if([self lockedError:error]) {
187 return true;
188 }
189
190 error = error.userInfo[NSUnderlyingErrorKey];
191 }
192
193 return false;
194 }
195
196 -(bool)isLockedError:(NSError *)error {
197 bool isLockedError = [self checkErrorChainForLockState:error];
198
199 /*
200 * If we are locked, and the the current lock state track disagree, lets double check
201 * if we are actually locked since we might have missed a lock state notification,
202 * and cause spinning to happen.
203 *
204 * We don't update the local variable, since the error code was a locked error.
205 */
206 if (isLockedError) {
207 dispatch_sync(self.queue, ^{
208 if (self.queueIsLocked == false) {
209 [self _onqueueRecheck];
210 }
211 });
212 }
213 return isLockedError;
214 }
215
216 -(void)addLockStateObserver:(id<CKKSLockStateNotification>)object
217 {
218 dispatch_async(self.queue, ^{
219 [self->_observers addObject:object];
220 bool isUnlocked = (self.queueIsLocked == false);
221 dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
222 [object lockStateChangeNotification:isUnlocked];
223 });
224 });
225 }
226
227 + (CKKSLockStateTracker*)globalTracker
228 {
229 static CKKSLockStateTracker* tracker;
230 static dispatch_once_t onceToken;
231 dispatch_once(&onceToken, ^{
232 tracker = [[CKKSLockStateTracker alloc] init];
233 });
234 return tracker;
235 }
236
237
238 @end
239
240 #endif // OCTAGON