--- /dev/null
+/*
+ * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+/*
+ * SOSCircle.c - Implementation of the secure object syncing transport
+ */
+
+#include <AssertMacros.h>
+
+#include <CoreFoundation/CFArray.h>
+#include <Security/SecureObjectSync/SOSCircle.h>
+#include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
+#include <Security/SecureObjectSync/SOSInternal.h>
+#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSPeer.h>
+#include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
+#include <Security/SecureObjectSync/SOSGenCount.h>
+#include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
+#include <Security/SecureObjectSync/SOSGenCount.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/SecFramework.h>
+
+#include <Security/SecKey.h>
+#include <Security/SecKeyPriv.h>
+
+#include <utilities/SecCFWrappers.h>
+#include <Security/SecureObjectSync/SOSCirclePriv.h>
+
+//#include "ckdUtilities.h"
+
+#include <corecrypto/ccder.h>
+#include <corecrypto/ccdigest.h>
+#include <corecrypto/ccsha2.h>
+
+#include <stdlib.h>
+#include <assert.h>
+
+CFGiblisWithCompareFor(SOSCircle);
+
+SOSCircleRef SOSCircleCreate(CFAllocatorRef allocator, CFStringRef name, CFErrorRef *error) {
+ SOSCircleRef c = CFTypeAllocate(SOSCircle, struct __OpaqueSOSCircle, allocator);
+ int64_t gen = 1;
+
+ assert(name);
+
+ c->name = CFStringCreateCopy(allocator, name);
+ c->generation = CFNumberCreate(allocator, kCFNumberSInt64Type, &gen);
+ c->peers = CFSetCreateMutableForSOSPeerInfosByID(allocator);
+ c->applicants = CFSetCreateMutableForSOSPeerInfosByID(allocator);
+ c->rejected_applicants = CFSetCreateMutableForSOSPeerInfosByID(allocator);
+ c->signatures = CFDictionaryCreateMutableForCFTypes(allocator);
+ return c;
+}
+
+static CFNumberRef SOSCircleGenerationCopy(CFNumberRef generation) {
+ int64_t value;
+ CFAllocatorRef allocator = CFGetAllocator(generation);
+ CFNumberGetValue(generation, kCFNumberSInt64Type, &value);
+ return CFNumberCreate(allocator, kCFNumberSInt64Type, &value);
+}
+
+static CFMutableSetRef CFSetOfPeerInfoDeepCopy(CFAllocatorRef allocator, CFSetRef peerInfoSet)
+{
+ __block CFMutableSetRef result = CFSetCreateMutableForSOSPeerInfosByID(allocator);
+ CFSetForEach(peerInfoSet, ^(const void *value) {
+ SOSPeerInfoRef pi = (SOSPeerInfoRef) value;
+ CFErrorRef localError = NULL;
+ SOSPeerInfoRef copiedPeer = SOSPeerInfoCreateCopy(allocator, pi, &localError);
+ if (copiedPeer) {
+ CFSetAddValue(result, copiedPeer);
+ } else {
+ secerror("Failed to copy peer: %@ (%@)", pi, localError);
+ }
+ CFReleaseSafe(copiedPeer);
+ CFReleaseSafe(localError);
+ });
+ return result;
+}
+
+SOSCircleRef SOSCircleCopyCircle(CFAllocatorRef allocator, SOSCircleRef otherCircle, CFErrorRef *error)
+{
+ SOSCircleRef c = CFTypeAllocate(SOSCircle, struct __OpaqueSOSCircle, allocator);
+
+ assert(otherCircle);
+ c->name = CFStringCreateCopy(allocator, otherCircle->name);
+ c->generation = SOSCircleGenerationCopy(otherCircle->generation);
+
+ c->peers = CFSetOfPeerInfoDeepCopy(allocator, otherCircle->peers);
+ c->applicants = CFSetOfPeerInfoDeepCopy(allocator, otherCircle->applicants);
+ c->rejected_applicants = CFSetOfPeerInfoDeepCopy(allocator, otherCircle->rejected_applicants);
+
+ c->signatures = CFDictionaryCreateMutableCopy(allocator, 0, otherCircle->signatures);
+
+ return c;
+}
+
+static Boolean SOSCircleCompare(CFTypeRef lhs, CFTypeRef rhs) {
+ if (CFGetTypeID(lhs) != SOSCircleGetTypeID()
+ || CFGetTypeID(rhs) != SOSCircleGetTypeID())
+ return false;
+
+ SOSCircleRef left = SOSCircleConvertAndAssertStable(lhs);
+ SOSCircleRef right = SOSCircleConvertAndAssertStable(rhs);
+
+ // TODO: we should be doing set equality for peers and applicants.
+ return NULL != left && NULL != right
+ && CFEqualSafe(left->generation, right->generation)
+ && SOSPeerInfoSetContainsIdenticalPeers(left->peers, right->peers)
+ && SOSPeerInfoSetContainsIdenticalPeers(left->applicants, right->applicants)
+ && SOSPeerInfoSetContainsIdenticalPeers(left->rejected_applicants, right->rejected_applicants)
+ && CFEqualSafe(left->signatures, right->signatures);
+}
+
+static CFMutableArrayRef CFSetCopyValuesCFArray(CFSetRef set)
+{
+ CFIndex count = CFSetGetCount(set);
+
+ CFMutableArrayRef result = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+ if (count > 0) {
+ const void * values[count];
+ CFSetGetValues(set, values);
+ for (int current = 0; current < count; ++current) {
+ CFArrayAppendValue(result, values[current]);
+ }
+ }
+
+ return result;
+}
+
+static bool SOSCircleDigestArray(const struct ccdigest_info *di, CFMutableArrayRef array, void *hash_result, CFErrorRef *error)
+{
+ __block bool success = true;
+ ccdigest_di_decl(di, array_digest);
+ const void * a_digest = array_digest;
+
+ ccdigest_init(di, array_digest);
+ CFArraySortValues(array, CFRangeMake(0, CFArrayGetCount(array)), SOSPeerInfoCompareByID, SOSPeerCmpPubKeyHash);
+ CFArrayForEach(array, ^(const void *peer) {
+ if (!SOSPeerInfoUpdateDigestWithPublicKeyBytes((SOSPeerInfoRef)peer, di, a_digest, error))
+ success = false;
+ });
+ ccdigest_final(di, array_digest, hash_result);
+
+ return success;
+}
+
+static bool SOSCircleDigestSet(const struct ccdigest_info *di, CFMutableSetRef set, void *hash_result, CFErrorRef *error)
+{
+ CFMutableArrayRef values = CFSetCopyValuesCFArray(set);
+
+ bool result = SOSCircleDigestArray(di, values, hash_result, error);
+
+ CFReleaseSafe(values);
+
+ return result;
+}
+
+
+static bool SOSCircleHash(const struct ccdigest_info *di, SOSCircleRef circle, void *hash_result, CFErrorRef *error) {
+ ccdigest_di_decl(di, circle_digest);
+ ccdigest_init(di, circle_digest);
+ int64_t gen = SOSCircleGetGenerationSint(circle);
+ ccdigest_update(di, circle_digest, sizeof(gen), &gen);
+
+ SOSCircleDigestSet(di, circle->peers, hash_result, error);
+ ccdigest_update(di, circle_digest, di->output_size, hash_result);
+ ccdigest_final(di, circle_digest, hash_result);
+ return true;
+}
+
+static bool SOSCircleSetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFDataRef signature, CFErrorRef *error) {
+ bool result = false;
+
+ CFStringRef pubKeyID = SOSCopyIDOfKey(pubkey, error);
+ require_quiet(pubKeyID, fail);
+ CFDictionarySetValue(circle->signatures, pubKeyID, signature);
+ result = true;
+
+fail:
+ CFReleaseSafe(pubKeyID);
+ return result;
+}
+
+static bool SOSCircleRemoveSignatures(SOSCircleRef circle, CFErrorRef *error) {
+ CFDictionaryRemoveAllValues(circle->signatures);
+ return true;
+}
+
+static CFDataRef SOSCircleGetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error) {
+ CFStringRef pubKeyID = SOSCopyIDOfKey(pubkey, error);
+ CFDataRef result = NULL;
+ require_quiet(pubKeyID, fail);
+
+ CFTypeRef value = (CFDataRef)CFDictionaryGetValue(circle->signatures, pubKeyID);
+
+ if (isData(value)) result = (CFDataRef) value;
+
+fail:
+ CFReleaseSafe(pubKeyID);
+ return result;
+}
+
+bool SOSCircleSign(SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error) {
+ if (!privKey) return false; // Really assertion but not always true for now.
+ CFAllocatorRef allocator = CFGetAllocator(circle);
+ uint8_t tmp[4096];
+ size_t tmplen = 4096;
+ const struct ccdigest_info *di = ccsha256_di();
+ uint8_t hash_result[di->output_size];
+
+ SOSCircleHash(di, circle, hash_result, error);
+ OSStatus stat = SecKeyRawSign(privKey, kSecPaddingNone, hash_result, di->output_size, tmp, &tmplen);
+ if(stat) {
+ // TODO - Create a CFErrorRef;
+ secerror("Bad Circle SecKeyRawSign, stat: %ld", (long)stat);
+ SOSCreateError(kSOSErrorBadFormat, CFSTR("Bad Circle SecKeyRawSign"), (error != NULL) ? *error : NULL, error);
+ return false;
+ };
+ CFDataRef signature = CFDataCreate(allocator, tmp, tmplen);
+ SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey);
+ SOSCircleSetSignature(circle, publicKey, signature, error);
+ CFReleaseNull(publicKey);
+ CFRelease(signature);
+ return true;
+}
+
+static bool SOSCircleConcordanceRingSign(SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error) {
+ secnotice("Development", "SOSCircleEnsureRingConsistency requires ring signing op", NULL);
+ return true;
+}
+
+
+bool SOSCircleVerifySignatureExists(SOSCircleRef circle, SecKeyRef pubKey, CFErrorRef *error) {
+ if(!pubKey) {
+ // TODO ErrorRef
+ secerror("SOSCircleVerifySignatureExists no pubKey");
+ SOSCreateError(kSOSErrorBadFormat, CFSTR("SOSCircleVerifySignatureExists no pubKey"), (error != NULL) ? *error : NULL, error);
+ return false;
+ }
+ CFDataRef signature = SOSCircleGetSignature(circle, pubKey, error);
+ return NULL != signature;
+}
+
+bool SOSCircleVerify(SOSCircleRef circle, SecKeyRef pubKey, CFErrorRef *error) {
+ const struct ccdigest_info *di = ccsha256_di();
+ uint8_t hash_result[di->output_size];
+
+ SOSCircleHash(di, circle, hash_result, error);
+
+ CFDataRef signature = SOSCircleGetSignature(circle, pubKey, error);
+ if(!signature) return false;
+
+ return SecKeyRawVerify(pubKey, kSecPaddingNone, hash_result, di->output_size,
+ CFDataGetBytePtr(signature), CFDataGetLength(signature)) == errSecSuccess;
+}
+
+bool SOSCircleVerifyPeerSigned(SOSCircleRef circle, SOSPeerInfoRef peer, CFErrorRef *error) {
+ SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer);
+ bool result = SOSCircleVerify(circle, pub_key, error);
+ CFReleaseSafe(pub_key);
+ return result;
+}
+
+static void CFSetRemoveAllPassing(CFMutableSetRef set, bool (^test)(const void *) ){
+ CFMutableArrayRef toBeRemoved = CFArrayCreateMutable(kCFAllocatorDefault, 0, NULL);
+
+ CFSetForEach(set, ^(const void *value) {
+ if (test(value))
+ CFArrayAppendValue(toBeRemoved, value);
+ });
+
+ CFArrayForEach(toBeRemoved, ^(const void *value) {
+ CFSetRemoveValue(set, value);
+ });
+ CFReleaseNull(toBeRemoved);
+}
+
+static void SOSCircleRejectNonValidApplicants(SOSCircleRef circle, SecKeyRef pubkey) {
+ CFMutableSetRef applicants = SOSCircleCopyApplicants(circle, NULL);
+ CFSetForEach(applicants, ^(const void *value) {
+ SOSPeerInfoRef pi = (SOSPeerInfoRef) value;
+ if(!SOSPeerInfoApplicationVerify(pi, pubkey, NULL)) {
+ CFSetTransferObject(pi, circle->applicants, circle->rejected_applicants);
+ }
+ });
+ CFReleaseNull(applicants);
+}
+
+static SOSPeerInfoRef SOSCircleCopyPeerInfo(SOSCircleRef circle, CFStringRef peer_id, CFErrorRef *error) {
+ __block SOSPeerInfoRef result = NULL;
+
+ CFSetForEach(circle->peers, ^(const void *value) {
+ if (result == NULL) {
+ SOSPeerInfoRef tpi = (SOSPeerInfoRef)value;
+ if (CFEqual(SOSPeerInfoGetPeerID(tpi), peer_id))
+ result = tpi;
+ }
+ });
+
+ CFRetainSafe(result);
+ return result;
+}
+
+static bool SOSCircleUpgradePeerInfo(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo) {
+ bool retval = false;
+ SecKeyRef userPubKey = SecKeyCreatePublicFromPrivate(user_approver);
+ SOSPeerInfoRef fpi_pi = SOSFullPeerInfoGetPeerInfo(peerinfo);
+ SOSPeerInfoRef pi = SOSCircleCopyPeerInfo(circle, SOSPeerInfoGetPeerID(fpi_pi), NULL);
+ require_quiet(pi, out);
+ require_quiet(SOSPeerInfoApplicationVerify(pi, userPubKey, NULL), re_sign);
+ CFReleaseNull(userPubKey);
+ CFReleaseNull(pi);
+ return true;
+
+re_sign:
+ secnotice("circle", "SOSCircleGenerationSign: Upgraded peer's Application Signature");
+ SecKeyRef device_key = SOSFullPeerInfoCopyDeviceKey(peerinfo, NULL);
+ require_quiet(device_key, out);
+ SOSPeerInfoRef new_pi = SOSPeerInfoCopyAsApplication(pi, user_approver, device_key, NULL);
+ if(SOSCircleUpdatePeerInfo(circle, new_pi))
+ retval = true;
+ CFReleaseNull(new_pi);
+ CFReleaseNull(device_key);
+out:
+ CFReleaseNull(userPubKey);
+ CFReleaseNull(pi);
+ return retval;
+}
+
+static bool SOSCircleEnsureRingConsistency(SOSCircleRef circle, CFErrorRef *error) {
+ secnotice("Development", "SOSCircleEnsureRingConsistency requires ring membership and generation count consistency check", NULL);
+ return true;
+}
+
+bool SOSCircleSignOldStyleResetToOfferingCircle(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, SecKeyRef user_approver, CFErrorRef *error){
+
+ SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error);
+ SecKeyRef publicKey = NULL;
+ require_quiet(ourKey, fail);
+
+ // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded".
+ require_quiet(SOSCircleUpgradePeerInfo(circle, user_approver, peerinfo), fail);
+ SOSCircleRemoveRetired(circle, error); // Prune off retirees since we're signing this one
+ CFSetRemoveAllValues(circle->rejected_applicants); // Dump rejects so we clean them up sometime.
+ publicKey = SecKeyCreatePublicFromPrivate(user_approver);
+ SOSCircleRejectNonValidApplicants(circle, publicKey);
+ require_quiet(SOSCircleEnsureRingConsistency(circle, error), fail);
+ require_quiet(SOSCircleRemoveSignatures(circle, error), fail);
+ require_quiet(SOSCircleSign(circle, user_approver, error), fail);
+ require_quiet(SOSCircleSign(circle, ourKey, error), fail);
+
+ CFReleaseNull(ourKey);
+ CFReleaseNull(publicKey);
+ return true;
+
+fail:
+ CFReleaseNull(ourKey);
+ CFReleaseNull(publicKey);
+ return false;
+}
+
+
+bool SOSCircleGenerationSign(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) {
+ SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error);
+ SecKeyRef publicKey = NULL;
+ require_quiet(ourKey, fail);
+
+ // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded".
+ require_quiet(SOSCircleUpgradePeerInfo(circle, user_approver, peerinfo), fail);
+ SOSCircleRemoveRetired(circle, error); // Prune off retirees since we're signing this one
+ CFSetRemoveAllValues(circle->rejected_applicants); // Dump rejects so we clean them up sometime.
+ publicKey = SecKeyCreatePublicFromPrivate(user_approver);
+ SOSCircleRejectNonValidApplicants(circle, publicKey);
+ SOSCircleGenerationIncrement(circle);
+ require_quiet(SOSCircleEnsureRingConsistency(circle, error), fail);
+ require_quiet(SOSCircleRemoveSignatures(circle, error), fail);
+ require_quiet(SOSCircleSign(circle, user_approver, error), fail);
+ require_quiet(SOSCircleSign(circle, ourKey, error), fail);
+
+ CFReleaseNull(ourKey);
+ CFReleaseNull(publicKey);
+ return true;
+
+fail:
+ CFReleaseNull(ourKey);
+ CFReleaseNull(publicKey);
+ return false;
+}
+
+bool SOSCircleGenerationUpdate(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) {
+
+ return SOSCircleGenerationSign(circle, user_approver, peerinfo, error);
+
+#if 0
+ bool success = false;
+
+ SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error);
+ require_quiet(ourKey, fail);
+
+ require_quiet(SOSCircleSign(circle, user_approver, error), fail);
+ require_quiet(SOSCircleSign(circle, ourKey, error), fail);
+
+ success = true;
+
+fail:
+ CFReleaseNull(ourKey);
+ return success;
+#endif
+}
+
+bool SOSCircleConcordanceSign(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) {
+ bool success = false;
+ SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error);
+ require_quiet(ourKey, exit);
+
+ success = SOSCircleSign(circle, ourKey, error);
+ SOSCircleConcordanceRingSign(circle, ourKey, error);
+
+exit:
+ CFReleaseNull(ourKey);
+ return success;
+}
+
+static inline SOSConcordanceStatus CheckPeerStatus(SOSCircleRef circle, SOSPeerInfoRef peer, SecKeyRef user_public_key, CFErrorRef *error) {
+ SOSConcordanceStatus result = kSOSConcordanceNoPeer;
+ SecKeyRef pubKey = SOSPeerInfoCopyPubKey(peer);
+
+ require_action_quiet(SOSCircleHasActiveValidPeer(circle, peer, user_public_key, error), exit, result = kSOSConcordanceNoPeer);
+ require_action_quiet(SOSCircleVerifySignatureExists(circle, pubKey, error), exit, result = kSOSConcordanceNoPeerSig);
+ require_action_quiet(SOSCircleVerify(circle, pubKey, error), exit, result = kSOSConcordanceBadPeerSig);
+
+ result = kSOSConcordanceTrusted;
+
+exit:
+ CFReleaseNull(pubKey);
+ return result;
+}
+
+static inline SOSConcordanceStatus CombineStatus(SOSConcordanceStatus status1, SOSConcordanceStatus status2)
+{
+ if (status1 == kSOSConcordanceTrusted || status2 == kSOSConcordanceTrusted)
+ return kSOSConcordanceTrusted;
+
+ if (status1 == kSOSConcordanceBadPeerSig || status2 == kSOSConcordanceBadPeerSig)
+ return kSOSConcordanceBadPeerSig;
+
+ if (status1 == kSOSConcordanceNoPeerSig || status2 == kSOSConcordanceNoPeerSig)
+ return kSOSConcordanceNoPeerSig;
+
+ return status1;
+}
+
+static inline bool SOSCircleIsEmpty(SOSCircleRef circle) {
+ return SOSCircleCountPeers(circle) == 0;
+}
+
+static inline bool SOSCircleIsOffering(SOSCircleRef circle) {
+ return SOSCircleCountPeers(circle) == 1;
+}
+
+static inline bool SOSCircleHasDegenerateGeneration(SOSCircleRef deGenCircle){
+ int testPtr;
+ CFNumberRef genCountTest = SOSCircleGetGeneration(deGenCircle);
+ CFNumberGetValue(genCountTest, kCFNumberCFIndexType, &testPtr);
+ return (testPtr== 0);
+}
+
+
+static inline bool SOSCircleIsDegenerateReset(SOSCircleRef deGenCircle){
+ return SOSCircleHasDegenerateGeneration(deGenCircle) && SOSCircleIsEmpty(deGenCircle);
+}
+
+
+__unused static inline bool SOSCircleIsResignOffering(SOSCircleRef circle, SecKeyRef pubkey) {
+ return SOSCircleCountActiveValidPeers(circle, pubkey) == 1;
+}
+
+static inline SOSConcordanceStatus GetSignersStatus(SOSCircleRef signers_circle, SOSCircleRef status_circle,
+ SecKeyRef user_pubKey, SOSPeerInfoRef exclude, CFErrorRef *error) {
+ CFStringRef excluded_id = exclude ? SOSPeerInfoGetPeerID(exclude) : NULL;
+
+ __block SOSConcordanceStatus status = kSOSConcordanceNoPeer;
+ SOSCircleForEachActivePeer(signers_circle, ^(SOSPeerInfoRef peer) {
+ SOSConcordanceStatus peerStatus = CheckPeerStatus(status_circle, peer, user_pubKey, error);
+
+ if (peerStatus == kSOSConcordanceNoPeerSig &&
+ (CFEqualSafe(SOSPeerInfoGetPeerID(peer), excluded_id) || SOSPeerInfoIsCloudIdentity(peer)))
+ peerStatus = kSOSConcordanceNoPeer;
+
+ status = CombineStatus(status, peerStatus); // TODO: Use multiple error gathering.
+ });
+
+ return status;
+}
+
+// Is proposed older than current?
+static inline bool isOlderGeneration(SOSCircleRef current, SOSCircleRef proposed) {
+ return CFNumberCompare(current->generation, proposed->generation, NULL) == kCFCompareGreaterThan;
+}
+
+static inline bool SOSCircleIsValidReset(SOSCircleRef current, SOSCircleRef proposed) {
+ return (!isOlderGeneration(current, proposed)) && SOSCircleIsEmpty(proposed); // is current older or equal to proposed and is proposed empty
+}
+
+
+bool SOSCircleSharedTrustedPeers(SOSCircleRef current, SOSCircleRef proposed, SOSPeerInfoRef me) {
+ __block bool retval = false;
+ SOSCircleForEachPeer(current, ^(SOSPeerInfoRef peer) {
+ if(!CFEqual(me, peer) && SOSCircleHasPeer(proposed, peer, NULL)) retval = true;
+ });
+ return retval;
+}
+
+
+SOSConcordanceStatus SOSCircleConcordanceTrust(SOSCircleRef known_circle, SOSCircleRef proposed_circle,
+ SecKeyRef known_pubkey, SecKeyRef user_pubkey,
+ SOSPeerInfoRef me, CFErrorRef *error) {
+ if(user_pubkey == NULL) {
+ SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Concordance with no public key"), NULL, error);
+ return kSOSConcordanceNoUserKey; //TODO: - needs to return an error
+ }
+
+ if(SOSCircleIsDegenerateReset(proposed_circle)) {
+ return kSOSConcordanceTrusted;
+ }
+
+ if (SOSCircleIsValidReset(known_circle, proposed_circle)) {
+ return kSOSConcordanceTrusted;
+ }
+
+ if(!SOSCircleVerifySignatureExists(proposed_circle, user_pubkey, error)) {
+ SOSCreateError(kSOSErrorBadSignature, CFSTR("No public signature"), (error != NULL) ? *error : NULL, error);
+ return kSOSConcordanceNoUserSig;
+ }
+
+ if(!SOSCircleVerify(proposed_circle, user_pubkey, error)) {
+ SOSCreateError(kSOSErrorBadSignature, CFSTR("Bad public signature"), (error != NULL) ? *error : NULL, error);
+ debugDumpCircle(CFSTR("proposed_circle"), proposed_circle);
+ return kSOSConcordanceBadUserSig;
+ }
+
+ if (SOSCircleIsEmpty(known_circle)) {
+ return GetSignersStatus(proposed_circle, proposed_circle, user_pubkey, NULL, error);
+ }
+
+ if(SOSCircleHasDegenerateGeneration(proposed_circle) && SOSCircleIsOffering(proposed_circle)){
+ return GetSignersStatus(proposed_circle, proposed_circle, user_pubkey, NULL, error);
+ }
+
+ if(isOlderGeneration(known_circle, proposed_circle)) {
+ SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error);
+ debugDumpCircle(CFSTR("isOlderGeneration known_circle"), known_circle);
+ debugDumpCircle(CFSTR("isOlderGeneration proposed_circle"), proposed_circle);
+ return kSOSConcordanceGenOld;
+ }
+
+ if(SOSCircleIsOffering(proposed_circle)){
+ return GetSignersStatus(proposed_circle, proposed_circle, user_pubkey, NULL, error);
+ }
+
+ return GetSignersStatus(known_circle, proposed_circle, user_pubkey, me, error);
+}
+
+
+static void SOSCircleDestroy(CFTypeRef aObj) {
+ SOSCircleRef c = (SOSCircleRef) aObj;
+
+ CFReleaseNull(c->name);
+ CFReleaseNull(c->generation);
+ CFReleaseNull(c->peers);
+ CFReleaseNull(c->applicants);
+ CFReleaseNull(c->rejected_applicants);
+ CFReleaseNull(c->signatures);
+}
+
+static CFMutableStringRef defaultDescription(CFTypeRef aObj){
+ SOSCircleRef c = (SOSCircleRef) aObj;
+
+ CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0);
+
+ SOSGenerationCountWithDescription(c->generation, ^(CFStringRef genDescription) {
+ CFStringAppendFormat(description, NULL, CFSTR("<SOSCircle@%p: '%@' %@ P:["), c, c->name, genDescription);
+ });
+
+ __block CFStringRef separator = CFSTR("");
+ SOSCircleForEachActivePeer(c, ^(SOSPeerInfoRef peer) {
+ CFStringRef sig = NULL;
+ if (SOSCircleVerifyPeerSigned(c, peer, NULL)) {
+ sig = CFSTR("√");
+ } else {
+ SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer);
+ CFDataRef signature = SOSCircleGetSignature(c, pub_key, NULL);
+ sig = (signature == NULL) ? CFSTR("-") : CFSTR("?");
+ CFReleaseNull(pub_key);
+ }
+
+ CFStringAppendFormat(description, NULL, CFSTR("%@%@ %@"), separator, peer, sig);
+ separator = CFSTR(",");
+ });
+
+ //applicants
+ CFStringAppend(description, CFSTR("], A:["));
+ separator = CFSTR("");
+ if(CFSetGetCount(c->applicants) == 0 )
+ CFStringAppendFormat(description, NULL, CFSTR("-"));
+ else{
+
+ SOSCircleForEachApplicant(c, ^(SOSPeerInfoRef peer) {
+ CFStringAppendFormat(description, NULL, CFSTR("%@%@"), separator, peer);
+ separator = CFSTR(",");
+ });
+ }
+
+ //rejected
+ CFStringAppend(description, CFSTR("], R:["));
+ separator = CFSTR("");
+ if(CFSetGetCount(c->rejected_applicants) == 0)
+ CFStringAppendFormat(description, NULL, CFSTR("-"));
+ else{
+ CFSetForEach(c->rejected_applicants, ^(const void *value) {
+ SOSPeerInfoRef peer = (SOSPeerInfoRef) value;
+ CFStringAppendFormat(description, NULL, CFSTR("%@%@"), separator, peer);
+ separator = CFSTR(",");
+ });
+ }
+ CFStringAppend(description, CFSTR("]>"));
+ return description;
+
+}
+static CFMutableStringRef descriptionWithFormatOptions(CFTypeRef aObj, CFDictionaryRef formatOptions){
+ SOSCircleRef c = (SOSCircleRef) aObj;
+
+ CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0);
+
+ if(CFDictionaryContainsKey(formatOptions, CFSTR("SyncD"))) {
+ CFStringRef generationDescription = SOSGenerationCountCopyDescription(c->generation);
+ CFStringAppendFormat(description, NULL, CFSTR("<C: gen:'%@' %@>\n"), generationDescription, c->name);
+ CFReleaseNull(generationDescription);
+ __block CFStringRef separator = CFSTR("\t\t");
+ SOSCircleForEachActivePeer(c, ^(SOSPeerInfoRef peer) {
+ CFStringRef sig = NULL;
+ if (SOSCircleVerifyPeerSigned(c, peer, NULL)) {
+ sig = CFSTR("√");
+ } else {
+ SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer);
+ CFDataRef signature = SOSCircleGetSignature(c, pub_key, NULL);
+ sig = (signature == NULL) ? CFSTR("-") : CFSTR("?");
+ CFReleaseNull(pub_key);
+ }
+
+ CFStringAppendFormat(description, formatOptions, CFSTR("%@%@ %@"), separator, peer, sig);
+ separator = CFSTR("\n\t\t");
+ });
+ CFStringAppend(description, CFSTR("\n\t\t<A:["));
+ separator = CFSTR("");
+
+ //applicants list
+ if(CFSetGetCount(c->applicants) == 0 )
+ CFStringAppendFormat(description, NULL, CFSTR("-"));
+ else{
+
+ SOSCircleForEachApplicant(c, ^(SOSPeerInfoRef peer) {
+ CFStringAppendFormat(description, formatOptions, CFSTR("%@A: %@"), separator, peer);
+ separator = CFSTR("\n\t\t\t");
+ });
+ }
+ //rejected list
+ CFStringAppend(description, CFSTR("]> \n\t\t<R:["));
+ separator = CFSTR("");
+ if(CFSetGetCount(c->rejected_applicants) == 0)
+ CFStringAppendFormat(description, NULL, CFSTR("-"));
+ else{
+ CFSetForEach(c->rejected_applicants, ^(const void *value) {
+ SOSPeerInfoRef peer = (SOSPeerInfoRef) value;
+ CFStringAppendFormat(description, formatOptions, CFSTR("%@R: %@"), separator, peer);
+ separator = CFSTR("\n\t\t");
+ });
+ }
+ CFStringAppend(description, CFSTR("]>"));
+ }
+
+ else{
+ CFReleaseNull(description);
+ description = defaultDescription(aObj);
+ }
+
+ return description;
+
+}
+
+
+static CFStringRef SOSCircleCopyFormatDescription(CFTypeRef aObj, CFDictionaryRef formatOptions) {
+ SOSCircleRef c = (SOSCircleRef) aObj;
+ SOSCircleAssertStable(c);
+ CFMutableStringRef description = NULL;
+
+ if(formatOptions != NULL){
+ description = descriptionWithFormatOptions(aObj, formatOptions);
+ }
+ else{
+ description = defaultDescription(aObj);
+ }
+ return description;
+}
+
+CFStringRef SOSCircleGetName(SOSCircleRef circle) {
+ assert(circle);
+ assert(circle->name);
+ return circle->name;
+}
+
+const char *SOSCircleGetNameC(SOSCircleRef circle) {
+ CFStringRef name = SOSCircleGetName(circle);
+ if (!name)
+ return strdup("");
+ return CFStringToCString(name);
+}
+
+CFNumberRef SOSCircleGetGeneration(SOSCircleRef circle) {
+ assert(circle);
+ assert(circle->generation);
+ return circle->generation;
+}
+
+void SOSCircleSetGeneration(SOSCircleRef circle, CFNumberRef gencount) {
+ assert(circle);
+ CFReleaseNull(circle->generation);
+ circle->generation = CFRetainSafe(gencount);
+}
+
+int64_t SOSCircleGetGenerationSint(SOSCircleRef circle) {
+ CFNumberRef gen = SOSCircleGetGeneration(circle);
+ int64_t value;
+ if(!gen) return 0;
+ CFNumberGetValue(gen, kCFNumberSInt64Type, &value);
+ return value;
+}
+
+void SOSCircleGenerationSetValue(SOSCircleRef circle, int64_t value)
+{
+ CFAllocatorRef allocator = CFGetAllocator(circle->generation);
+ CFAssignRetained(circle->generation, CFNumberCreate(allocator, kCFNumberSInt64Type, &value));
+}
+
+
+static int64_t GenerationSetHighBits(int64_t value, int32_t high_31)
+{
+ value &= 0xFFFFFFFF; // Keep the low 32 bits.
+ value |= ((int64_t) high_31) << 32;
+
+ return value;
+}
+
+
+void SOSCircleGenerationIncrement(SOSCircleRef circle) {
+ int64_t value = SOSCircleGetGenerationSint(circle);
+
+ if ((value >> 32) == 0) {
+ uint32_t seconds = CFAbsoluteTimeGetCurrent(); // seconds
+ value = GenerationSetHighBits(value, (seconds >> 1));
+ }
+
+ value++;
+
+ SOSCircleGenerationSetValue(circle, value);
+}
+
+int SOSCircleCountPeers(SOSCircleRef circle) {
+ SOSCircleAssertStable(circle);
+ __block int count = 0;
+ SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) {
+ ++count;
+ });
+ return count;
+}
+
+int SOSCircleCountActivePeers(SOSCircleRef circle) {
+ SOSCircleAssertStable(circle);
+ __block int count = 0;
+ SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) {
+ ++count;
+ });
+ return count;
+}
+
+int SOSCircleCountActiveValidPeers(SOSCircleRef circle, SecKeyRef pubkey) {
+ SOSCircleAssertStable(circle);
+ __block int count = 0;
+ SOSCircleForEachActiveValidPeer(circle, pubkey, ^(SOSPeerInfoRef peer) {
+ ++count;
+ });
+ return count;
+}
+
+int SOSCircleCountRetiredPeers(SOSCircleRef circle) {
+ SOSCircleAssertStable(circle);
+ __block int count = 0;
+ SOSCircleForEachRetiredPeer(circle, ^(SOSPeerInfoRef peer) {
+ ++count;
+ });
+ return count;
+}
+
+int SOSCircleCountApplicants(SOSCircleRef circle) {
+ SOSCircleAssertStable(circle);
+
+ return (int)CFSetGetCount(circle->applicants);
+}
+
+bool SOSCircleHasApplicant(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ return CFSetContainsValue(circle->applicants, peerInfo);
+}
+
+CFMutableSetRef SOSCircleCopyApplicants(SOSCircleRef circle, CFAllocatorRef allocator) {
+ SOSCircleAssertStable(circle);
+
+ return CFSetCreateMutableCopy(allocator, 0, circle->applicants);
+}
+
+int SOSCircleCountRejectedApplicants(SOSCircleRef circle) {
+ SOSCircleAssertStable(circle);
+
+ return (int)CFSetGetCount(circle->rejected_applicants);
+}
+
+bool SOSCircleHasRejectedApplicant(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ return CFSetContainsValue(circle->rejected_applicants, peerInfo);
+}
+
+SOSPeerInfoRef SOSCircleCopyRejectedApplicant(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ return CFRetainSafe((SOSPeerInfoRef)CFSetGetValue(circle->rejected_applicants, peerInfo));
+}
+
+CFMutableArrayRef SOSCircleCopyRejectedApplicants(SOSCircleRef circle, CFAllocatorRef allocator) {
+ SOSCircleAssertStable(circle);
+
+ return CFSetCopyValuesCFArray(circle->rejected_applicants);
+}
+
+bool SOSCircleHasPeerWithID(SOSCircleRef circle, CFStringRef peerid, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ __block bool found = false;
+ SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) {
+ if(peerid && peer && CFEqualSafe(peerid, SOSPeerInfoGetPeerID(peer))) found = true;
+ });
+ return found;
+}
+
+SOSPeerInfoRef SOSCircleCopyPeerWithID(SOSCircleRef circle, CFStringRef peerid, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ __block SOSPeerInfoRef found = NULL;
+ SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) {
+ if(peerid && peer && CFEqualSafe(peerid, SOSPeerInfoGetPeerID(peer))) found = peer;
+ });
+ return found ? SOSPeerInfoCreateCopy(kCFAllocatorDefault, found, NULL) : NULL;
+}
+
+bool SOSCircleHasPeer(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ if(!peerInfo) return false;
+ return SOSCircleHasPeerWithID(circle, SOSPeerInfoGetPeerID(peerInfo), error);
+}
+
+bool SOSCircleHasActivePeerWithID(SOSCircleRef circle, CFStringRef peerid, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ __block bool found = false;
+ SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) {
+ if(peerid && peer && CFEqualSafe(peerid, SOSPeerInfoGetPeerID(peer))) found = true;
+ });
+ return found;
+}
+
+bool SOSCircleHasActivePeer(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ if(!peerInfo) return false;
+ return SOSCircleHasActivePeerWithID(circle, SOSPeerInfoGetPeerID(peerInfo), error);
+}
+
+bool SOSCircleHasActiveValidPeerWithID(SOSCircleRef circle, CFStringRef peerid, SecKeyRef user_public_key, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+ __block bool found = false;
+ SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) {
+ if(peerid && peer && CFEqualSafe(peerid, SOSPeerInfoGetPeerID(peer)) && SOSPeerInfoApplicationVerify(peer, user_public_key, NULL)) found = true;
+ });
+ return found;
+}
+
+bool SOSCircleHasActiveValidPeer(SOSCircleRef circle, SOSPeerInfoRef peerInfo, SecKeyRef user_public_key, CFErrorRef *error) {
+ if(!peerInfo) return false;
+ return SOSCircleHasActiveValidPeerWithID(circle, SOSPeerInfoGetPeerID(peerInfo), user_public_key, error);
+}
+
+
+bool SOSCircleResetToEmpty(SOSCircleRef circle, CFErrorRef *error) {
+ CFSetRemoveAllValues(circle->applicants);
+ CFSetRemoveAllValues(circle->rejected_applicants);
+ CFSetRemoveAllValues(circle->peers);
+ CFDictionaryRemoveAllValues(circle->signatures);
+
+ int64_t old_value = SOSCircleGetGenerationSint(circle);
+
+ SOSCircleGenerationSetValue(circle, 0);
+ SOSCircleGenerationIncrement(circle); // Increment to get high bits set.
+
+ int64_t new_value = SOSCircleGetGenerationSint(circle);
+
+ if (new_value <= old_value) {
+ int64_t new_new_value = GenerationSetHighBits(new_value, (old_value >> 32) + 1);
+ SOSCircleGenerationSetValue(circle, new_new_value);
+ }
+
+ return true;
+}
+
+bool SOSCircleResetToOffering(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef requestor, CFErrorRef *error){
+
+ return SOSCircleResetToEmpty(circle, error)
+ && SOSCircleRequestAdmission(circle, user_privkey, requestor, error)
+ && SOSCircleAcceptRequest(circle, user_privkey, requestor, SOSFullPeerInfoGetPeerInfo(requestor), error);
+}
+
+bool SOSCircleRemoveRetired(SOSCircleRef circle, CFErrorRef *error) {
+ CFSetRemoveAllPassing(circle->peers, ^ bool (const void *element) {
+ SOSPeerInfoRef peer = (SOSPeerInfoRef) element;
+
+ return SOSPeerInfoIsRetirementTicket(peer);
+ });
+
+ return true;
+}
+
+static bool SOSCircleRecordAdmissionRequest(SOSCircleRef circle, SecKeyRef user_pubkey, SOSPeerInfoRef requestorPeerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ bool isPeer = SOSCircleHasPeer(circle, requestorPeerInfo, error);
+
+ require_action_quiet(!isPeer, fail, SOSCreateError(kSOSErrorAlreadyPeer, CFSTR("Cannot request admission when already a peer"), NULL, error));
+
+ CFSetTransferObject(requestorPeerInfo, circle->rejected_applicants, circle->applicants);
+
+ return true;
+
+fail:
+ return false;
+
+}
+
+bool SOSCircleRequestReadmission(SOSCircleRef circle, SecKeyRef user_pubkey, SOSPeerInfoRef peer, CFErrorRef *error) {
+ bool success = false;
+
+ require_quiet(SOSPeerInfoApplicationVerify(peer, user_pubkey, error), fail);
+ success = SOSCircleRecordAdmissionRequest(circle, user_pubkey, peer, error);
+fail:
+ return success;
+}
+
+bool SOSCircleRequestAdmission(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef requestor, CFErrorRef *error) {
+ bool success = false;
+
+ SecKeyRef user_pubkey = SecKeyCreatePublicFromPrivate(user_privkey);
+ require_action_quiet(user_pubkey, fail, SOSCreateError(kSOSErrorBadKey, CFSTR("No public key for key"), NULL, error));
+
+ require(SOSFullPeerInfoPromoteToApplication(requestor, user_privkey, error), fail);
+
+ success = SOSCircleRecordAdmissionRequest(circle, user_pubkey, SOSFullPeerInfoGetPeerInfo(requestor), error);
+fail:
+ CFReleaseNull(user_pubkey);
+ return success;
+}
+
+static bool sosCircleUpdatePeerInfoSet(CFMutableSetRef theSet, SOSPeerInfoRef replacement_peer_info) {
+ CFTypeRef old = NULL;
+ if(!replacement_peer_info) return false;
+ if(!(old = CFSetGetValue(theSet, replacement_peer_info))) return false;
+ if(CFEqualSafe(old, replacement_peer_info)) return false;
+ CFSetReplaceValue(theSet, replacement_peer_info);
+ return true;
+}
+
+bool SOSCircleUpdatePeerInfo(SOSCircleRef circle, SOSPeerInfoRef replacement_peer_info) {
+ if(sosCircleUpdatePeerInfoSet(circle->peers, replacement_peer_info)) return true;
+ if(sosCircleUpdatePeerInfoSet(circle->applicants, replacement_peer_info)) return true;
+ if(sosCircleUpdatePeerInfoSet(circle->rejected_applicants, replacement_peer_info)) return true;
+ return false;
+}
+
+bool SOSCircleRemovePeer(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef requestor, SOSPeerInfoRef peer_to_remove, CFErrorRef *error) {
+ SOSPeerInfoRef requestor_peer_info = SOSFullPeerInfoGetPeerInfo(requestor);
+
+ if (SOSCircleHasApplicant(circle, peer_to_remove, error)) {
+ return SOSCircleRejectRequest(circle, requestor, peer_to_remove, error);
+ }
+
+ if (!SOSCircleHasPeer(circle, requestor_peer_info, error)) {
+ SOSCreateError(kSOSErrorAlreadyPeer, CFSTR("Must be peer to remove peer"), NULL, error);
+ return false;
+ }
+
+ CFSetRemoveValue(circle->peers, peer_to_remove);
+
+ SOSCircleGenerationSign(circle, user_privkey, requestor, error);
+
+ return true;
+}
+
+bool SOSCircleAcceptRequest(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef device_approver, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ SecKeyRef publicKey = NULL;
+ bool result = false;
+
+ require_action_quiet(CFSetContainsValue(circle->applicants, peerInfo), fail,
+ SOSCreateError(kSOSErrorNotApplicant, CFSTR("Cannot accept non-applicant"), NULL, error));
+
+ publicKey = SecKeyCreatePublicFromPrivate(user_privkey);
+ require_quiet(SOSPeerInfoApplicationVerify(peerInfo, publicKey, error), fail);
+
+ CFSetTransferObject(peerInfo, circle->applicants, circle->peers);
+
+ result = SOSCircleGenerationSign(circle, user_privkey, device_approver, error);
+
+fail:
+ CFReleaseNull(publicKey);
+ return result;
+}
+
+bool SOSCircleWithdrawRequest(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ CFSetRemoveValue(circle->applicants, peerInfo);
+
+ return true;
+}
+
+bool SOSCircleRemoveRejectedPeer(SOSCircleRef circle, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ CFSetRemoveValue(circle->rejected_applicants, peerInfo);
+
+ return true;
+}
+
+
+bool SOSCircleRejectRequest(SOSCircleRef circle, SOSFullPeerInfoRef device_rejector,
+ SOSPeerInfoRef peerInfo, CFErrorRef *error) {
+ SOSCircleAssertStable(circle);
+
+ if (CFEqual(SOSPeerInfoGetPeerID(peerInfo), SOSPeerInfoGetPeerID(SOSFullPeerInfoGetPeerInfo(device_rejector))))
+ return SOSCircleWithdrawRequest(circle, peerInfo, error);
+
+ if (!CFSetContainsValue(circle->applicants, peerInfo)) {
+ SOSCreateError(kSOSErrorNotApplicant, CFSTR("Cannot reject non-applicant"), NULL, error);
+ return false;
+ }
+
+ CFSetTransferObject(peerInfo, circle->applicants, circle->rejected_applicants);
+
+ // TODO: Maybe we sign the rejection with device_rejector.
+
+ return true;
+}
+
+bool SOSCircleAcceptRequests(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef device_approver,
+ CFErrorRef *error) {
+ // Returns true if we accepted someone and therefore have to post the circle back to KVS
+ __block bool result = false;
+
+ SOSCircleForEachApplicant(circle, ^(SOSPeerInfoRef peer) {
+ if (!SOSCircleAcceptRequest(circle, user_privkey, device_approver, peer, error)) {
+ secnotice("circle", "error in SOSCircleAcceptRequest\n");
+ } else {
+ secnotice("circle", "Accepted peer: %@", peer);
+ result = true;
+ }
+ });
+
+ if (result) {
+ SOSCircleGenerationSign(circle, user_privkey, device_approver, error);
+ secnotice("circle", "Countersigned accepted requests");
+ }
+
+ return result;
+}
+
+bool SOSCirclePeerSigUpdate(SOSCircleRef circle, SecKeyRef userPrivKey, SOSFullPeerInfoRef fpi,
+ CFErrorRef *error) {
+ // Returns true if we accepted someone and therefore have to post the circle back to KVS
+ __block bool result = false;
+ SecKeyRef userPubKey = SecKeyCreatePublicFromPrivate(userPrivKey);
+
+ // We're going to remove any applicants using a mismatched user key.
+ SOSCircleForEachApplicant(circle, ^(SOSPeerInfoRef peer) {
+ if(!SOSPeerInfoApplicationVerify(peer, userPubKey, NULL)) {
+ if(!SOSCircleRejectRequest(circle, fpi, peer, NULL)) {
+ // do we care?
+ }
+ }
+ });
+
+ result = SOSCircleUpdatePeerInfo(circle, SOSFullPeerInfoGetPeerInfo(fpi));
+
+ if (result) {
+ SOSCircleGenerationSign(circle, userPrivKey, fpi, error);
+ secnotice("circle", "Generation signed updated signatures on peerinfo");
+ }
+
+ return result;
+}
+
+static inline void SOSCircleForEachPeerMatching(SOSCircleRef circle,
+ void (^action)(SOSPeerInfoRef peer),
+ bool (^condition)(SOSPeerInfoRef peer)) {
+ CFSetForEach(circle->peers, ^(const void *value) {
+ SOSPeerInfoRef peer = (SOSPeerInfoRef) value;
+ if (condition(peer))
+ action(peer);
+ });
+}
+
+static inline bool isHiddenPeer(SOSPeerInfoRef peer) {
+ return SOSPeerInfoIsRetirementTicket(peer) || SOSPeerInfoIsCloudIdentity(peer);
+}
+
+void SOSCircleForEachPeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) {
+ SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) {
+ return !isHiddenPeer(peer);
+ });
+}
+
+void SOSCircleForEachRetiredPeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) {
+ SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) {
+ return SOSPeerInfoIsRetirementTicket(peer);
+ });
+}
+
+void SOSCircleForEachActivePeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) {
+ SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) {
+ return true;
+ });
+}
+
+void SOSCircleForEachActiveValidPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)) {
+ SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) {
+ return SOSPeerInfoApplicationVerify(peer, user_public_key, NULL);
+ });
+}
+
+void SOSCircleForEachValidPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)) {
+ SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) {
+ return !isHiddenPeer(peer) && SOSPeerInfoApplicationVerify(peer, user_public_key, NULL);
+ });
+}
+
+void SOSCircleForEachApplicant(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) {
+ CFSetForEach(circle->applicants, ^(const void*value) { action((SOSPeerInfoRef) value); } );
+}
+
+
+CFMutableSetRef SOSCircleCopyPeers(SOSCircleRef circle, CFAllocatorRef allocator) {
+ SOSCircleAssertStable(circle);
+
+ CFMutableSetRef result = CFSetCreateMutableForSOSPeerInfosByID(allocator);
+
+ SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) {
+ CFSetAddValue(result, peer);
+ });
+
+ return result;
+}
+
+bool SOSCircleAppendConcurringPeers(SOSCircleRef circle, CFMutableArrayRef appendHere, CFErrorRef *error) {
+ SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) {
+ CFErrorRef localError = NULL;
+ if (SOSCircleVerifyPeerSigned(circle, peer, &localError)) {
+ SOSPeerInfoRef peerInfo = SOSPeerInfoCreateCopy(kCFAllocatorDefault, peer, error);
+ CFArrayAppendValue(appendHere, peerInfo);
+ CFRelease(peerInfo);
+ } else if (error != NULL) {
+ secerror("Error checking concurrence: %@", localError);
+ }
+ CFReleaseNull(localError);
+ });
+
+ return true;
+}
+
+CFMutableArrayRef SOSCircleCopyConcurringPeers(SOSCircleRef circle, CFErrorRef* error) {
+ SOSCircleAssertStable(circle);
+
+ CFMutableArrayRef concurringPeers = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+
+ if (!SOSCircleAppendConcurringPeers(circle, concurringPeers, error))
+ CFReleaseNull(concurringPeers);
+
+ return concurringPeers;
+}
+
+SOSFullPeerInfoRef SOSCircleCopyiCloudFullPeerInfoRef(SOSCircleRef circle, CFErrorRef *error) {
+ __block SOSFullPeerInfoRef cloud_full_peer = NULL;
+ __block CFErrorRef searchError = NULL;
+ SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) {
+ if (SOSPeerInfoIsCloudIdentity(peer)) {
+ if (cloud_full_peer == NULL) {
+ if (searchError) {
+ secerror("More than one cloud identity found, first had error, trying new one.");
+ }
+ CFReleaseNull(searchError);
+ cloud_full_peer = SOSFullPeerInfoCreateCloudIdentity(kCFAllocatorDefault, peer, &searchError);
+ if (!cloud_full_peer) {
+ secnotice("icloud-identity", "Failed to make FullPeer for iCloud Identity: %@ (%@)", cloud_full_peer, searchError);
+ }
+ } else {
+ secerror("Additional cloud identity found in circle after successful creation: %@", circle);
+ }
+ }
+ });
+ // If we didn't find one at all, report the error.
+ if (cloud_full_peer == NULL && searchError == NULL) {
+ SOSErrorCreate(kSOSErrorNoiCloudPeer, &searchError, NULL, CFSTR("No iCloud identity PeerInfo found in circle"));
+ secnotice("icloud-identity", "No iCloud identity PeerInfo found in circle");
+ }
+ if (error) {
+ CFTransferRetained(*error, searchError);
+ }
+ CFReleaseNull(searchError);
+ return cloud_full_peer;
+}
+
+void debugDumpCircle(CFStringRef message, SOSCircleRef circle) {
+ CFErrorRef error;
+
+ secinfo("circledebug", "%@: %@", message, circle);
+ if (!circle)
+ return;
+
+ CFDataRef derdata = SOSCircleCopyEncodedData(circle, kCFAllocatorDefault, &error);
+ if (derdata) {
+ CFStringRef hex = CFDataCopyHexString(derdata);
+ secinfo("circledebug", "Full contents: %@", hex);
+ if (hex) CFRelease(hex);
+ CFRelease(derdata);
+ }
+}
projects / apple / security.git / blobdiff