1 //
2 // SOSAccountPriv.h
3 // sec
4 //
5
6 #ifndef sec_SOSAccountPriv_h
7 #define sec_SOSAccountPriv_h
8
9 #include "SOSAccount.h"
10
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <CoreFoundation/CFRuntime.h>
13 #include <utilities/SecCFWrappers.h>
14 #include <utilities/SecCFError.h>
15 #include <utilities/SecAKSWrappers.h>
16
17
18 #include <Security/SecKeyPriv.h>
19
20 #include <utilities/der_plist.h>
21 #include <utilities/der_plist_internal.h>
22 #include <corecrypto/ccder.h>
23
24 #include <AssertMacros.h>
25 #include <assert.h>
26
27 #import <notify.h>
28
29 #include <Security/SecureObjectSync/SOSInternal.h>
30 #include <Security/SecureObjectSync/SOSCircle.h>
31 #include <Security/SecureObjectSync/SOSCircleV2.h>
32 #include <Security/SecureObjectSync/SOSRing.h>
33 #include <Security/SecureObjectSync/SOSRingUtils.h>
34 #include <Security/SecureObjectSync/SOSCloudCircle.h>
35 #include <securityd/SOSCloudCircleServer.h>
36 #include <Security/SecureObjectSync/SOSEngine.h>
37 #include <Security/SecureObjectSync/SOSPeer.h>
38 #include <Security/SecureObjectSync/SOSFullPeerInfo.h>
39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
40 #include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
41 #include <Security/SecureObjectSync/SOSUserKeygen.h>
42 #include <utilities/iCloudKeychainTrace.h>
43
44 #include <Security/SecItemPriv.h>
45
46
// Private layout of an SOSAccount (the opaque type behind SOSAccountRef from
// SOSAccount.h). The members above the "Non-persistent data" marker are the
// state that SOSAccountEncodeToDER / SOSAccountCreateFromDER (declared below)
// presumably serialize — inferred from that marker, confirm in SOSAccount.c.
struct __OpaqueSOSAccount {
    CFRuntimeBase _base;                    // CF runtime header; must remain the first member

    CFDictionaryRef gestalt;                // device/account description passed to SOSAccountCreateBasic

    CFDataRef backup_key;

    SOSFullPeerInfoRef my_identity;         // this device's peer identity (see SOSAccountGetMyFullPeerInfo)
    SOSCircleRef trusted_circle;            // see SOSAccountGetCircle / SOSAccountEnsureCircle

    CFMutableDictionaryRef trusted_rings;   // presumably keyed by ring name; see SOSAccountGetRing — confirm
    CFMutableDictionaryRef backups;         // see SOSAccountGetBackups

    CFMutableSetRef retirees;               // see SOSAccountHandleRetirementMessages

    bool user_public_trusted;               // can be forced by SOSAccountSetUserPublicTrustedForTesting
    CFDataRef user_key_parameters;          // see SOSAccountPublishCloudParameters / SOSAccountRetrieveCloudParameters
    SecKeyRef user_public;
    SecKeyRef previous_public;              // see SOSAccountSetPreviousPublic
    enum DepartureReason departure_code;    // see SOSAccountSetLastDepartureReason
    CFMutableDictionaryRef expansion;       // All CFTypes and Keys (see SOSAccountSetValue / SOSAccountGetValue)

    // Non-persistent data
    dispatch_queue_t queue;
    CFMutableDictionaryRef notification_cleanups;

    SOSDataSourceFactoryRef factory;
    // Sensitive, in-memory only: the user's private key and a temporary copy of
    // the password. NOTE(review): user_private_timer presumably bounds how long
    // _user_private stays cached — confirm the purge path in SOSAccount.c.
    SecKeyRef _user_private;
    CFDataRef _password_tmp;

    dispatch_source_t user_private_timer;
    int lock_notification_token;            // notify(3) token (notify.h is imported above) — presumably for keybag lock state

    SOSTransportKeyParameterRef key_transport;
    SOSTransportCircleRef circle_transport;
    SOSTransportMessageRef kvs_message_transport;
    SOSTransportMessageRef ids_message_transport;

    //indicates if changes in circle, rings, or retirements need to be pushed
    bool circle_rings_retirements_need_attention;

    // Live Notification
    CFMutableArrayRef change_blocks;
    CFMutableDictionaryRef waitForInitialSync_blocks;
};
extern const CFStringRef kSOSEscrowRecord;

// Allocates a new account for the given gestalt and data-source factory.
// "Create" follows the CF ownership rule: the caller owns the result (naming
// convention; confirm against SOSAccount.c).
SOSAccountRef SOSAccountCreateBasic(CFAllocatorRef allocator,
                                    CFDictionaryRef gestalt,
                                    SOSDataSourceFactoryRef factory);

bool SOSAccountEnsureFactoryCircles(SOSAccountRef a);

void SOSAccountSetToNew(SOSAccountRef a);

// CFErrorRef* out-parameters throughout this header follow the usual Security
// convention: test the bool/pointer return first and only then read *error.
bool SOSAccountIsMyPeerActive(SOSAccountRef account, CFErrorRef* error);

// Picks the message transport (one of the *_message_transport members of
// __OpaqueSOSAccount, presumably) used to reach peerInfo. Get: unretained.
SOSTransportMessageRef SOSAccountGetMessageTransportFor(SOSAccountRef account, SOSPeerInfoRef peerInfo);

// MARK: In Sync checking

void SOSAccountEnsureSyncChecking(SOSAccountRef account);
void SOSAccountCancelSyncChecking(SOSAccountRef account);
bool SOSAccountCheckHasBeenInSync(SOSAccountRef account);

void SOSAccountCleanupNotificationForAllPeers(SOSAccountRef account);
114
// MARK: DER Stuff
//
// sizeof / encode / decode triples in the der_plist style (utilities/der_plist.h
// is included above). NOTE(review): in that style encode fills the buffer
// backwards from der_end and returns the new start pointer, and decode returns
// the position just past the consumed object (NULL on failure) — that is the
// library convention, not something this header proves; confirm in SOSAccount.c.

// "_or_null": a NULL `data` is presumably encoded as an explicit DER NULL
// instead of being rejected — inferred from the name, verify.
size_t der_sizeof_data_or_null(CFDataRef data, CFErrorRef* error);

uint8_t* der_encode_data_or_null(CFDataRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_data_or_null(CFAllocatorRef allocator, CFDataRef* data,
                                       CFErrorRef* error,
                                       const uint8_t* der, const uint8_t* der_end);

// Same shape for the account's own SOSFullPeerInfo (the "full" variant pairs the
// peer info with the device's key — see SOSFullPeerInfo.h).
size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);

uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);


// Public-key bytes only. On decode, algorithmID selects the key type; it most
// likely ends up in SecKeyCreateFromPublicBytes (SecKeyPriv.h) — confirm.
size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);

uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);


// Persistence
//
// Whole-account serialization. Which members of __OpaqueSOSAccount are written
// is decided in SOSAccount.c; the struct's "Non-persistent data" marker is the
// only hint this header gives.

// der_p is presumably advanced past the consumed bytes on success (pointer-to-
// pointer signature). Create: the caller owns the returned account.
SOSAccountRef SOSAccountCreateFromDER(CFAllocatorRef allocator,
                                      SOSDataSourceFactoryRef factory,
                                      CFErrorRef* error,
                                      const uint8_t** der_p, const uint8_t *der_end);

// Despite the parameter name, circleData is the encoded account — presumably
// the output of SOSAccountCopyEncodedData below.
SOSAccountRef SOSAccountCreateFromData(CFAllocatorRef allocator, CFDataRef circleData,
                                       SOSDataSourceFactoryRef factory,
                                       CFErrorRef* error);

size_t SOSAccountGetDEREncodedSize(SOSAccountRef account, CFErrorRef *error);

uint8_t* SOSAccountEncodeToDER(SOSAccountRef account, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

// Copy: the caller releases the returned data.
CFDataRef SOSAccountCopyEncodedData(SOSAccountRef account, CFAllocatorRef allocator, CFErrorRef *error);
// Update
//
// NOTE(review): the circle, retirement and ring payloads handled below arrive
// through the circle/message transports, i.e. from other devices. Nothing in
// this header shows where they are validated; treat them as untrusted input on
// the .c side.

// Decodes and applies a circle message addressed to circleName.
bool SOSAccountHandleCircleMessage(SOSAccountRef account,
                                   CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);

// Returns a +1 dictionary (CF_RETURNS_RETAINED): the caller must release it.
CF_RETURNS_RETAINED
CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccountRef account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);


// writeUpdate presumably controls whether the accepted circle is written back
// out; SOSAccountHandleUpdateRing below is the ring-side counterpart.
bool SOSAccountHandleUpdateCircle(SOSAccountRef account,
                                  SOSCircleRef prospective_circle,
                                  bool writeUpdate,
                                  CFErrorRef *error);

void SOSAccountNotifyEngines(SOSAccountRef account);

bool SOSAccountSyncingV0(SOSAccountRef account);

// My Peer
bool SOSAccountHasFullPeerInfo(SOSAccountRef account, CFErrorRef* error);
// Get: returned unretained and owned by the account (CF naming convention).
SOSPeerInfoRef SOSAccountGetMyPeerInfo(SOSAccountRef account);
SOSFullPeerInfoRef SOSAccountGetMyFullPeerInfo(SOSAccountRef account);
CFStringRef SOSAccountGetMyPeerID(SOSAccountRef a);
bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccountRef account, CFStringRef viewname);
bool SOSAccountUpdateOurPeerInBackup(SOSAccountRef account, SOSRingRef oldRing, CFErrorRef *error);
bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccountRef account, SOSPeerInfoRef testPeer, CFStringRef viewname);
// Legacy (v0) backup keybag removal; takes no account.
bool SOSDeleteV0Keybag(CFErrorRef *error);
// operation receives each backup view as an untyped const void * — presumably a
// CFStringRef view name, matching SOSAccountForEachBackupRingName below; confirm.
void SOSAccountForEachBackupView(SOSAccountRef account, void (^operation)(const void *value));
// Applies `update` to the account's full peer info; updateDescription is
// presumably used for logging. The block reports failure through its own
// CFErrorRef* out-parameter.
bool SOSAccountUpdatePeerInfo(SOSAccountRef account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));

// Currently permitted backup rings.
void SOSAccountForEachBackupRingName(SOSAccountRef account, void (^operation)(CFStringRef value));

// My Circle
bool SOSAccountHasCircle(SOSAccountRef account, CFErrorRef* error);
// Get: unretained (trusted_circle in the struct, presumably).
SOSCircleRef SOSAccountGetCircle(SOSAccountRef a, CFErrorRef *error);
SOSCircleRef SOSAccountEnsureCircle(SOSAccountRef a, CFStringRef name, CFErrorRef *error);

bool SOSAccountUpdateCircleFromRemote(SOSAccountRef account, SOSCircleRef newCircle, CFErrorRef *error);
bool SOSAccountUpdateCircle(SOSAccountRef account, SOSCircleRef newCircle, CFErrorRef *error);
// Modifies the account's circle through `action`; a false return from the block
// is assumed to abandon the modification — confirm in SOSAccount.c.
bool SOSAccountModifyCircle(SOSAccountRef account,
                            CFErrorRef* error,
                            bool (^action)(SOSCircleRef circle));

// Style: AppendCircleKeyName, CopyCloudKeychainIdentity, GeneratePermanentFullECKey
// and GenerateNewCloudIdentityPeerInfo are exported without the SOS prefix used
// by everything else here; C has no namespaces, so a prefix avoids collisions.
void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);

// Copy: caller releases.
CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);


// FullPeerInfos - including Cloud Identity
SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);

// keySize is a plain int while the rest of this API surface uses CFIndex.
// "Permanent" presumably means the key is persisted in the keychain under
// `name` — confirm.
SecKeyRef GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);

bool SOSAccountEnsureFullPeerAvailable(SOSAccountRef account, CFErrorRef * error);

bool SOSAccountIsAccountIdentity(SOSAccountRef account, SOSPeerInfoRef peer_info, CFErrorRef *error);
// Checks the account's full peer info against privKey.
bool SOSAccountFullPeerInfoVerify(SOSAccountRef account, SecKeyRef privKey, CFErrorRef *error);
SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);

// Credentials
bool SOSAccountHasPublicKey(SOSAccountRef account, CFErrorRef* error);
// Presumably moves user_public into previous_public (struct members above).
void SOSAccountSetPreviousPublic(SOSAccountRef account);
bool SOSAccountPublishCloudParameters(SOSAccountRef account, CFErrorRef* error);
// Derives newKey / newParameters from the DER key parameters in derparms. The
// out-parameters are presumably handed back +1 (caller releases) — confirm.
bool SOSAccountRetrieveCloudParameters(SOSAccountRef account, SecKeyRef *newKey,
                                       CFDataRef derparms,
                                       CFDataRef *newParameters, CFErrorRef* error);

//DSID
bool SOSAccountUpdateDSID(SOSAccountRef account, CFStringRef dsid);

//
// Key extraction
//

// Copy: caller releases. SOSAccountCopyDeviceKey hands out this device's key
// (presumably the private half, given the name) — keep new callers deliberate.
SecKeyRef SOSAccountCopyDeviceKey(SOSAccountRef account, CFErrorRef *error);
SecKeyRef SOSAccountCopyPublicKeyForPeer(SOSAccountRef account, CFStringRef peer_id, CFErrorRef *error);

// Testing
// Both poke state that the normal paths derive themselves (departure_code and
// user_public_trusted in the struct). NOTE(review): confirm they are not
// reachable from any non-test entry point.
void SOSAccountSetLastDepartureReason(SOSAccountRef account, enum DepartureReason reason);
void SOSAccountSetUserPublicTrustedForTesting(SOSAccountRef account);
// Appends value to array unless it is CFEqualSafe-equal to excludedValue.
// CFEqualSafe (utilities/SecCFWrappers.h) is relied on to tolerate NULL; a NULL
// value that is not excluded is still passed to CFArrayAppendValue, which
// callers using kCFTypeArrayCallBacks must avoid — NOTE(review): confirm.
static inline void CFArrayAppendValueIfNot(CFMutableArrayRef array, CFTypeRef value, CFTypeRef excludedValue)
{
    if (CFEqualSafe(value, excludedValue))
        return;

    CFArrayAppendValue(array, value);
}
246
// Returns the CFDictionary stored under key in dict, creating and inserting an
// empty mutable one if the slot is missing or holds something else.
// The result is unretained (Get semantics): dict is its only owner, so it lives
// as long as the entry does. NOTE(review): isDictionary presumably only checks
// the type ID, and CF has no public mutability test — an immutable dictionary
// already stored under key is returned through the mutable type and would trap
// on mutation.
static inline CFMutableDictionaryRef CFDictionaryEnsureCFDictionaryAndGetCurrentValue(CFMutableDictionaryRef dict, CFTypeRef key)
{
    CFTypeRef existing = CFDictionaryGetValue(dict, key);
    if (isDictionary(existing)) {
        return (CFMutableDictionaryRef) existing;
    }

    CFMutableDictionaryRef created = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
    CFDictionarySetValue(dict, key, created);   // dict retains it
    CFReleaseSafe(created);                     // drop our +1; dict now owns it
    return created;
}
259
// Array counterpart of CFDictionaryEnsureCFDictionaryAndGetCurrentValue: returns
// the CFArray stored under key in dict, inserting a fresh mutable one when the
// slot is missing or holds a non-array. Result is unretained and owned by dict.
// NOTE(review): same caveat — isArray presumably checks only the type ID, so an
// immutable array already in the slot comes back typed as mutable.
static inline CFMutableArrayRef CFDictionaryEnsureCFArrayAndGetCurrentValue(CFMutableDictionaryRef dict, CFTypeRef key)
{
    CFTypeRef existing = CFDictionaryGetValue(dict, key);
    if (isArray(existing)) {
        return (CFMutableArrayRef) existing;
    }

    CFMutableArrayRef created = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
    CFDictionarySetValue(dict, key, created);   // dict retains it
    CFReleaseSafe(created);                     // drop our +1; dict now owns it
    return created;
}
272
// Drops the account's identity (my_identity, presumably together with its key
// material — confirm in SOSAccount.c).
void SOSAccountPurgeIdentity(SOSAccountRef account);
// Style: the lowercase "sosAccount" prefix on these two departs from the
// SOSAccount naming used everywhere else in this header.
bool sosAccountLeaveCircle(SOSAccountRef account, SOSCircleRef circle, CFErrorRef* error);
bool sosAccountLeaveRing(SOSAccountRef account, SOSRingRef ring, CFErrorRef* error);
// Get: the mutable dictionaries returned are, by type and name, the account's own
// trusted_rings / backups members. Callers that mutate them are mutating account
// state directly — NOTE(review): confirm this is only done on the account's queue.
CFMutableDictionaryRef SOSAccountGetRings(SOSAccountRef a, CFErrorRef *error);
CFMutableDictionaryRef SOSAccountGetBackups(SOSAccountRef a, CFErrorRef *error);
bool SOSAccountUpdateBackUp(SOSAccountRef account, CFStringRef viewname, CFErrorRef *error);
bool SOSAccountEnsureBackupStarts(SOSAccountRef account);

bool SOSAccountEnsurePeerRegistration(SOSAccountRef account, CFErrorRef *error);

// Process-wide mutable transport selector; its values are presumably the
// TransportType enumerators declared below (inferred from the names).
extern CFIndex whichTransportType;
extern const CFStringRef kSOSDSIDKey;
extern const CFStringRef SOSTransportMessageTypeIDS;
extern const CFStringRef SOSTransportMessageTypeKVS;

extern const CFStringRef kSOSUnsyncedViewsKey;
289
// Transport selector; presumably the value space of whichTransportType
// (declared above as CFIndex). Unprefixed typedef name in a shared header —
// a SOS prefix would be conventional.
typedef enum {
    kSOSTransportNone    = 0,
    kSOSTransportIDS     = 1,   // cf. SOSTransportMessageTypeIDS
    kSOSTransportKVS     = 2,   // cf. SOSTransportMessageTypeKVS
    kSOSTransportFuture  = 3,
    kSOSTransportPresent = 4
} TransportType;
297
// Copy: caller releases.
SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccountRef account, CFStringRef peerid, CFErrorRef *error);

// Untyped key/value storage on the account. The expansion member of
// __OpaqueSOSAccount is annotated "All CFTypes and Keys", so these presumably
// live there and both key and value must be CF objects — verify. GetValue
// returns unretained.
bool SOSAccountSetValue(SOSAccountRef account, const void *key, const void *value, CFErrorRef *error);
bool SOSAccountClearValue(SOSAccountRef account, const void *key, CFErrorRef *error);
const void *SOSAccountGetValue(SOSAccountRef account, const void *key, CFErrorRef *error);

bool SOSAccountAddEscrowToPeerInfo(SOSAccountRef account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
// Stores an escrow record for dsid; kSOSEscrowRecord (declared above) is
// presumably the key it is filed under — confirm.
bool SOSAccountAddEscrowRecords(SOSAccountRef account, CFStringRef dsid, CFDictionaryRef record, CFErrorRef *error);
bool SOSAccountCheckForRings(SOSAccountRef a, CFErrorRef *error);
// Ring-side counterpart of SOSAccountHandleUpdateCircle; prospective_ring is
// remote-sourced input.
bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospective_ring, bool writeUpdate, CFErrorRef *error);
// Get: unretained, presumably owned by trusted_rings.
SOSRingRef SOSAccountGetRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error);
// Create: caller owns the result.
SOSRingRef SOSAccountRingCreateForName(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error);
bool SOSAccountEnsureRings(SOSAccountRef a, CFErrorRef *error);
bool SOSAccountUpdateRingFromRemote(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountUpdateRing(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error);
// Ring analogue of SOSAccountModifyCircle.
bool SOSAccountModifyRing(SOSAccountRef account, CFStringRef ringName,
                          CFErrorRef* error,
                          bool (^action)(SOSRingRef ring));
// Get: unretained.
CFDataRef SOSAccountRingGetPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error);
// Copy: caller releases.
SOSRingRef SOSAccountRingCopyWithPayload(SOSAccountRef account, CFStringRef ringName, CFDataRef payload, CFErrorRef *error);
bool SOSAccountRemoveBackupPeers(SOSAccountRef account, CFArrayRef peerIDs, CFErrorRef *error);
bool SOSAccountResetRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error);
bool SOSAccountResetAllRings(SOSAccountRef account, CFErrorRef *error);
bool SOSAccountCheckPeerAvailability(SOSAccountRef account, CFErrorRef *error);

//
// MARK: Backup translation functions
//

// Copy: caller releases the returned ring name.
CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);

//
// Security tool test/debug functions
//
// These read or delete the persisted account / engine state straight from the
// keychain with no SOSAccountRef in hand. The Delete* pair is destructive;
// NOTE(review): confirm how their exposure is limited to the security tool.

CFDataRef SOSAccountCopyAccountStateFromKeychain(CFErrorRef *error);
bool SOSAccountDeleteAccountStateFromKeychain(CFErrorRef *error);
CFDataRef SOSAccountCopyEngineStateFromKeychain(CFErrorRef *error);
bool SOSAccountDeleteEngineStateFromKeychain(CFErrorRef *error);
337
338
339 #endif