]> git.saurik.com Git - apple/security.git/blob - OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.1.18.tar.gz
[apple/security.git] / OSX / sec / SOSCircle / SecureObjectSync / SOSAccountRingUpdate.c
1 //
2 // SOSAccountRingUpdate.c
3 // sec
4 //
5 //
6
7 #include <stdio.h>
8
9 #include "SOSAccountPriv.h"
10 #include <Security/SecureObjectSync/SOSTransportCircle.h>
11 #include <Security/SecureObjectSync/SOSTransport.h>
12 #include <Security/SecureObjectSync/SOSViews.h>
13 #include <Security/SecureObjectSync/SOSRing.h>
14 #include <Security/SecureObjectSync/SOSRingUtils.h>
15 #include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
16
17 #if 0
18 static inline bool SOSAccountHasLeft(SOSAccountRef account) {
19 switch(account->departure_code) {
20 case kSOSWithdrewMembership: /* Fallthrough */
21 case kSOSMembershipRevoked: /* Fallthrough */
22 case kSOSLeftUntrustedCircle:
23 return true;
24 case kSOSNeverAppliedToCircle: /* Fallthrough */
25 case kSOSNeverLeftCircle: /* Fallthrough */
26 default:
27 return false;
28 }
29 }
30 #endif
31
32 static const char * __unused concordstring[] = {
33 "kSOSConcordanceTrusted",
34 "kSOSConcordanceGenOld", // kSOSErrorReplay
35 "kSOSConcordanceNoUserSig", // kSOSErrorBadSignature
36 "kSOSConcordanceNoUserKey", // kSOSErrorNoKey
37 "kSOSConcordanceNoPeer", // kSOSErrorPeerNotFound
38 "kSOSConcordanceBadUserSig", // kSOSErrorBadSignature
39 "kSOSConcordanceBadPeerSig", // kSOSErrorBadSignature
40 "kSOSConcordanceNoPeerSig",
41 "kSOSConcordanceWeSigned",
42 "kSOSConcordanceInvalidMembership",
43 "kSOSConcordanceMissingMe",
44 "kSOSConcordanceImNotWorthy",
45 };
46
47
48 static bool SOSAccountIsPeerRetired(SOSAccountRef account, CFSetRef peers){
49 CFMutableArrayRef peerInfos = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
50 bool result = false;
51
52 CFSetForEach(peers, ^(const void *value) {
53 SOSPeerInfoRef peer = (SOSPeerInfoRef)value;
54 if(SOSPeerInfoIsRetirementTicket(peer))
55 CFArrayAppendValue(peerInfos, peer);
56 });
57 if(CFArrayGetCount(peerInfos) > 0){
58 if(!SOSAccountRemoveBackupPeers(account, peerInfos, NULL))
59 secerror("Could not remove peers: %@, from the backup", peerInfos);
60 else
61 return true;
62 }
63 else
64 result = true;
65
66 CFReleaseNull(peerInfos);
67
68 return result;
69 }
70
71 static bool SOSAccountBackupSliceKeyBagNeedsFix(SOSAccountRef account, SOSBackupSliceKeyBagRef bskb) {
72
73 if (SOSBSKBIsDirect(bskb) || account->backup_key == NULL)
74 return false;
75
76 CFSetRef peers = SOSBSKBGetPeers(bskb);
77
78 /* first scan for retired peers, and kick'em out!*/
79 SOSAccountIsPeerRetired(account, peers);
80
81 SOSPeerInfoRef myPeer = SOSAccountGetMyPeerInfo(account);
82 bool needsFix = true;
83
84 if (myPeer) {
85 SOSPeerInfoRef meInBag = (SOSPeerInfoRef) CFSetGetValue(peers, myPeer);
86 CFDataRef myBK = SOSPeerInfoCopyBackupKey(myPeer);
87 CFDataRef meInBagBK = SOSPeerInfoCopyBackupKey(meInBag);
88 needsFix = !(meInBag && CFEqualSafe(myBK,
89 meInBagBK));
90 CFReleaseNull(myBK);
91 CFReleaseNull(meInBagBK);
92 }
93
94 return needsFix;
95 }
96
97
98 typedef enum {
99 accept,
100 countersign,
101 leave,
102 revert,
103 modify,
104 ignore
105 } ringAction_t;
106
107 static const char * __unused actionstring[] = {
108 "accept", "countersign", "leave", "revert", "modify", "ignore",
109 };
110
111 bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRing, bool writeUpdate, CFErrorRef *error) {
112 bool success = true;
113 bool haveOldRing = true;
114 const char * __unused localRemote = writeUpdate ? "local": "remote";
115 SOSFullPeerInfoRef fpi = account->my_identity;
116 SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi);
117 CFStringRef peerID = SOSPeerInfoGetPeerID(pi);
118 bool peerActive = (fpi && pi && peerID && SOSAccountIsInCircle(account, NULL));
119
120
121 secdebug("ringSigning", "start:[%s] %@", localRemote, prospectiveRing);
122
123 require_quiet(SOSAccountHasPublicKey(account, error), errOut);
124
125 require_action_quiet(prospectiveRing, errOut,
126 SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("No Ring to work with"), NULL, error));
127
128 require_action_quiet(SOSRingIsStable(prospectiveRing), errOut, SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("You give rings a bad name"), NULL, error));
129
130 // We should at least have a sane ring system in the account object
131 require_quiet(SOSAccountCheckForRings(account, error), errOut);
132
133 CFStringRef ringName = SOSRingGetName(prospectiveRing);
134 SOSRingRef oldRing = SOSAccountCopyRing(account, ringName, NULL);
135
136 SOSTransportCircleRef transport = account->circle_transport;
137
138 SOSRingRef newRing = CFRetainSafe(prospectiveRing); // TODO: SOSAccountCloneRingWithRetirement(account, prospectiveRing, error);
139
140 ringAction_t ringAction = ignore;
141
142 bool userTrustedoldRing = true;
143
144 SOSCircleRef circle = SOSAccountGetCircle(account, NULL);
145 CFSetRef peers = SOSCircleCopyPeers(circle, kCFAllocatorDefault);
146
147 SecKeyRef oldKey = account->user_public;
148
149 #if 0
150 // for now user keys aren't explored.
151 // we should ask the ring if it cares about it and then do the magic to find the right user keys.
152 SecKeyRef oldKey = account->user_public;
153
154 if(SOSRingPKTrusted(oldRing, account->user_public, NULL)) oldKey = account->user_public;
155 else if(account->previous_public && SOSRingPKTrusted(oldRing, account->previous_public, NULL)) oldKey = account->previous_public;
156 bool userTrustedoldRing = (oldKey != NULL) && haveOldRing;
157
158 #endif
159
160 if (!oldRing) {
161 oldRing = CFRetainSafe(newRing);
162 }
163
164 SOSConcordanceStatus concstat = SOSRingConcordanceTrust(fpi, peers, oldRing, newRing, oldKey, account->user_public, peerID, error);
165 CFReleaseNull(peers);
166
167 CFStringRef concStr = NULL;
168 switch(concstat) {
169 case kSOSConcordanceTrusted:
170 ringAction = countersign;
171 concStr = CFSTR("Trusted");
172 break;
173 case kSOSConcordanceGenOld:
174 ringAction = userTrustedoldRing ? revert : ignore;
175 concStr = CFSTR("Generation Old");
176 break;
177 case kSOSConcordanceBadUserSig:
178 case kSOSConcordanceBadPeerSig:
179 ringAction = userTrustedoldRing ? revert : accept;
180 concStr = CFSTR("Bad Signature");
181 break;
182 case kSOSConcordanceNoUserSig:
183 ringAction = userTrustedoldRing ? revert : accept;
184 concStr = CFSTR("No User Signature");
185 break;
186 case kSOSConcordanceNoPeerSig:
187 ringAction = accept; // We might like this one eventually but don't countersign.
188 concStr = CFSTR("No trusted peer signature");
189 secnotice("signing", "##### No trusted peer signature found, accepting hoping for concordance later %@", newRing);
190 break;
191 case kSOSConcordanceNoPeer:
192 ringAction = leave;
193 concStr = CFSTR("No trusted peer left");
194 break;
195 case kSOSConcordanceNoUserKey:
196 secerror("##### No User Public Key Available, this shouldn't ever happen!!!");
197 ringAction = ignore;
198 break;
199
200 case kSOSConcordanceMissingMe:
201 case kSOSConcordanceImNotWorthy:
202 ringAction = modify;
203 concStr = CFSTR("Incorrect membership for me");
204 break;
205 case kSOSConcordanceInvalidMembership:
206 ringAction = userTrustedoldRing ? revert : ignore;
207 concStr = CFSTR("Invalid Ring Membership");
208 break;
209 default:
210 secerror("##### Bad Error Return from ConcordanceTrust");
211 ringAction = ignore;
212 break;
213 }
214
215 (void)concStr;
216
217 secdebug("ringSigning", "Decided on action [%s] based on concordance state [%s] and [%s] circle.", actionstring[ringAction], concordstring[concstat], userTrustedoldRing ? "trusted" : "untrusted");
218
219 SOSRingRef ringToPush = NULL;
220 bool iWasInOldRing = peerID && SOSRingHasPeerID(oldRing, peerID);
221 bool iAmInNewRing = peerID && SOSRingHasPeerID(newRing, peerID);
222 bool ringIsBackup = SOSRingGetType(newRing) == kSOSRingBackup;
223
224 if (ringIsBackup && peerActive) {
225 if (ringAction == accept || ringAction == countersign) {
226 CFErrorRef localError = NULL;
227 SOSBackupSliceKeyBagRef bskb = SOSRingCopyBackupSliceKeyBag(newRing, &localError);
228
229 if(!bskb) {
230 secnotice("ringSigning", "Backup ring with no backup slice keybag (%@)", localError);
231 } else if (SOSAccountBackupSliceKeyBagNeedsFix(account, bskb)) {
232 ringAction = modify;
233 }
234 CFReleaseSafe(localError);
235 CFReleaseSafe(bskb);
236 }
237
238 if (ringAction == modify) {
239 CFErrorRef updateError = NULL;
240 SOSAccountSetRing(account, newRing, ringName, error);
241
242 if(SOSAccountUpdateOurPeerInBackup(account, newRing, &updateError)) {
243 secdebug("signing", "Modified backup ring to include us");
244 } else {
245 secerror("Could not add ourselves to the backup: (%@)", updateError);
246 }
247 CFReleaseSafe(updateError);
248
249 // Fall through to normal modify handling.
250 }
251 }
252
253 if (ringAction == modify) {
254 ringAction = ignore;
255 }
256
257 if (ringAction == leave) {
258 if (iWasInOldRing) {
259 if (sosAccountLeaveRing(account, newRing, error)) {
260 ringToPush = newRing;
261 } else {
262 secdebug("ringSigning", "Can't leave ring %@", oldRing);
263 success = false;
264 }
265 ringAction = accept;
266 } else {
267 // We are not in this ring, but we need to update account with it, since we got it from cloud
268 ringAction = accept;
269 }
270 }
271
272 if (ringAction == countersign) {
273 if (iAmInNewRing) {
274 if (SOSRingPeerTrusted(newRing, fpi, NULL)) {
275 secdebug("ringSigning", "Already concur with: %@", newRing);
276 } else {
277 CFErrorRef signingError = NULL;
278
279 if (fpi && SOSRingConcordanceSign(newRing, fpi, &signingError)) {
280 ringToPush = newRing;
281 } else {
282 secerror("Failed to concordance sign, error: %@ Old: %@ New: %@", signingError, oldRing, newRing);
283 success = false;
284 }
285 CFReleaseSafe(signingError);
286 }
287 } else {
288 secdebug("ringSigning", "Not countersigning, not in ring: %@", newRing);
289 }
290 ringAction = accept;
291 }
292
293 if (ringAction == accept) {
294 if (iWasInOldRing && !iAmInNewRing) {
295
296 // Don't destroy evidence of other code determining reason for leaving.
297 //if(!SOSAccountHasLeft(account)) account->departure_code = kSOSMembershipRevoked;
298 // TODO: LeaveReason for rings
299 }
300
301 if (pi && SOSRingHasRejection(newRing, peerID)) {
302 // TODO: ReasonForLeaving for rings
303 SOSRingRemoveRejection(newRing, peerID);
304 }
305
306 SOSAccountSetRing(account, newRing, ringName, error);
307
308 if (pi && account->user_public_trusted
309 && SOSRingHasApplicant(oldRing, peerID)
310 && SOSRingCountPeers(newRing) > 0
311 && !iAmInNewRing && !SOSRingHasApplicant(newRing, peerID)) {
312 // We weren't rejected (above would have set me to NULL.
313 // We were applying and we weren't accepted.
314 // Our application is declared lost, let us reapply.
315
316 if (SOSRingApply(newRing, account->user_public, fpi, NULL))
317 if(peerActive) writeUpdate = true;
318 }
319
320 if (pi && SOSRingHasPeerID(oldRing, peerID)) {
321 SOSAccountCleanupRetirementTickets(account, RETIREMENT_FINALIZATION_SECONDS, NULL);
322 }
323
324
325 account->circle_rings_retirements_need_attention = true;
326
327 if (writeUpdate)
328 ringToPush = newRing;
329 account->key_interests_need_updating = true;
330 }
331
332 /*
333 * In the revert section we'll guard the KVS idea of circles by rejecting "bad" new rings
334 * and pushing our current view of the ring (oldRing). We'll only do this if we actually
335 * are a member of oldRing - never for an empty ring.
336 */
337
338 if (ringAction == revert) {
339 if(haveOldRing && peerActive && SOSRingHasPeerID(oldRing, peerID)) {
340 secdebug("ringSigning", "%@, Rejecting: %@ re-publishing %@", concStr, newRing, oldRing);
341 ringToPush = oldRing;
342 } else {
343 secdebug("ringSigning", "%@, Rejecting: %@ Have no old circle - would reset", concStr, newRing);
344 }
345 }
346
347
348 if (ringToPush != NULL) {
349 secdebug("ringSigning", "Pushing:[%s] %@", localRemote, ringToPush);
350 CFDataRef ringData = SOSRingCopyEncodedData(ringToPush, error);
351 if (ringData) {
352 success &= SOSTransportCircleRingPostRing(transport, SOSRingGetName(ringToPush), ringData, error);
353 } else {
354 success = false;
355 }
356 CFReleaseNull(ringData);
357 }
358 CFReleaseNull(oldRing);
359 CFReleaseSafe(newRing);
360 return success;
361 errOut:
362 return false;
363 }
mirror of Security