/*
* Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
//
// IDSProxy.m
// ids-xpc
//
#import <Foundation/NSArray.h>
#import <Foundation/Foundation.h>
#import <Security/SecBasePriv.h>
#import <Security/SecItemPriv.h>
#import <utilities/debugging.h>
#import <notify.h>
#include <Security/CKBridge/SOSCloudKeychainConstants.h>
#include <Security/SecureObjectSync/SOSARCDefines.h>
#include <Security/SecureObjectSync/SOSCloudCircle.h>
#include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
#import <IDS/IDS.h>
#import <os/activity.h>
#include <utilities/SecAKSWrappers.h>
#include <utilities/SecCFWrappers.h>
#include <utilities/SecCFRelease.h>
#include <AssertMacros.h>
#import "IDSProxy.h"
#import "KeychainSyncingOverIDSProxy+ReceiveMessage.h"
#import "KeychainSyncingOverIDSProxy+SendMessage.h"
#import "KeychainSyncingOverIDSProxy+Throttle.h"
#import "IDSPersistentState.h"
#define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged"
#define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable"
#define IDSServiceNameKeychainSync "com.apple.private.alloy.keychainsync"
static NSString *kMonitorState = @"MonitorState";
static NSString *kExportUnhandledMessages = @"UnhandledMessages";
static NSString *kMessagesInFlight = @"MessagesInFlight";
static const char *kStreamName = "com.apple.notifyd.matching";
static NSString *const kIDSMessageRecipientPeerID = @"RecipientPeerID";
static NSString *const kIDSMessageRecipientDeviceID = @"RecipientDeviceID";
static NSString *const kIDSMessageUseACKModel = @"UsesAckModel";
NSString *const IDSSendMessageOptionForceEncryptionOffKey = @"IDSSendMessageOptionForceEncryptionOff";
static const int64_t kRetryTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for handling unhandled messages.
static const int64_t kMinMessageRetryDelay = (NSEC_PER_SEC * 8);
CFIndex kSOSErrorPeerNotFound = 1032;
CFIndex SECD_RUN_AS_ROOT_ERROR = 1041;
#define IDSPROXYSCOPE "IDSProxy"
@implementation KeychainSyncingOverIDSProxy
@synthesize deviceID = deviceID;
@synthesize deviceIDFromAuthToken = deviceIDFromAuthToken;
+ (KeychainSyncingOverIDSProxy *) idsProxy
{
static KeychainSyncingOverIDSProxy *idsProxy;
if (!idsProxy) {
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
idsProxy = [[self alloc] init];
});
}
return idsProxy;
}
-(NSDictionary*) exportState
{
return @{ kMonitorState:_monitor,
kExportUnhandledMessages:_unhandledMessageBuffer,
kMessagesInFlight:_messagesInFlight
};
}
-(NSDictionary*) retrievePendingMessages
{
return [KeychainSyncingOverIDSProxy idsProxy].messagesInFlight;
}
- (void)persistState
{
[KeychainSyncingOverIDSProxyPersistentState setUnhandledMessages:[self exportState]];
}
- (void) sendPersistedMessagesAgain
{
NSMutableDictionary *copy = [NSMutableDictionary dictionaryWithDictionary:_messagesInFlight];
if(copy && [copy count] > 0){
[copy enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL * _Nonnull stop) {
NSDictionary* idsMessage = (NSDictionary*)obj;
NSString *uniqueMessageID = (NSString*)key;
NSString *peerID = (NSString*)[idsMessage objectForKey:kIDSMessageRecipientPeerID];
if(!peerID){
[self->_messagesInFlight removeObjectForKey:key];
return;
}
NSString *ID = (NSString*)[idsMessage objectForKey:kIDSMessageRecipientDeviceID];
if(!ID){
[self->_messagesInFlight removeObjectForKey:key];
return;
}
[self->_messagesInFlight removeObjectForKey:key];
secnotice("IDS Transport", "sending this message: if([self sendIDSMessage:idsMessage name:ID peer:peerID]){
NSString *useAckModel = [idsMessage objectForKey:kIDSMessageUseACKModel];
if([useAckModel compare:@"YES"] == NSOrderedSame){
secnotice("IDS Transport", "setting timer!");
[self setMessageTimer:uniqueMessageID deviceID:ID message:idsMessage];
}
}
}];
}
}
- (void) importIDSState: (NSMutableDictionary*) state
{
_unhandledMessageBuffer = state[kExportUnhandledMessages];
if(!_unhandledMessageBuffer)
_unhandledMessageBuffer = [NSMutableDictionary dictionary];
_monitor = state[kMonitorState];
if(_monitor == nil)
_monitor = [NSMutableDictionary dictionary];
_messagesInFlight = state[kMessagesInFlight];
if(_messagesInFlight == nil)
_messagesInFlight = [NSMutableDictionary dictionary];
}
- (id)init
{
if (self = [super init])
{
secnotice("event", "
_isIDSInitDone = false;
_service = nil;
_calloutQueue = dispatch_queue_create("IDSCallout", DISPATCH_QUEUE_SERIAL);
_unhandledMessageBuffer = [ [NSMutableDictionary alloc] initWithCapacity: 0];
_pingTimers = [ [NSMutableDictionary alloc] initWithCapacity: 0];
_messagesInFlight = [ [NSMutableDictionary alloc] initWithCapacity: 0];
deviceIDFromAuthToken = [ [NSMutableDictionary alloc] initWithCapacity: 0];
_peerNextSendCache = [ [NSMutableDictionary alloc] initWithCapacity: 0];
_listOfDevices = [[NSMutableArray alloc] initWithCapacity:0];
_isSecDRunningAsRoot = false;
_doesSecDHavePeer = true;
secdebug(IDSPROXYSCOPE, "
[self doIDSInitialization];
if(_isIDSInitDone)
[self doSetIDSDeviceID];
// Register for lock state changes
xpc_set_event_stream_handler(kStreamName, dispatch_get_main_queue(),
^(xpc_object_t notification){
[self streamEvent:notification];
});
_retryTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue());
dispatch_source_set_timer(_retryTimer, DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, kRetryTimerLeeway);
dispatch_source_set_event_handler(_retryTimer, ^{
[self timerFired];
});
dispatch_resume(_retryTimer);
[self importIDSState: [KeychainSyncingOverIDSProxyPersistentState idsState]];
if([_messagesInFlight count ] > 0)
_sendRestoredMessages = true;
int notificationToken;
notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, dispatch_get_main_queue(),
^ (int token __unused)
{
secinfo("backoff", "keychain changed, wiping backoff monitor state");
self->_monitor = [NSMutableDictionary dictionary];
});
int peerInfo;
notify_register_dispatch(kSecServerPeerInfoAvailable, &peerInfo, dispatch_get_main_queue(),
^ (int token __unused)
{
secinfo("IDS Transport", "secd has a peer info");
if(self->_doesSecDHavePeer == false){
self->_doesSecDHavePeer = true;
[self doSetIDSDeviceID];
}
});
[self updateUnlockedSinceBoot];
[self updateIsLocked];
if (!_isLocked)
[self keybagDidUnlock];
}
return self;
}
- (void)streamEvent:(xpc_object_t)notification
{
#if (!TARGET_IPHONE_SIMULATOR)
const char *notificationName = xpc_dictionary_get_string(notification, "Notification");
if (!notificationName) {
} else if (strcmp(notificationName, kUserKeybagStateChangeNotification)==0) {
return [self keybagStateChange];
}
const char *eventName = xpc_dictionary_get_string(notification, "XPCEventName");
char *desc = xpc_copy_description(notification);
secnotice("event", " if (desc)
free((void *)desc);
#endif
}
- (void) keybagDidLock
{
secnotice("IDS Transport", "}
- (void) keybagDidUnlock
{
secnotice("IDS Transport", " [self handleAllPendingMessage];
}
- (BOOL) updateUnlockedSinceBoot
{
CFErrorRef aksError = NULL;
if (!SecAKSGetHasBeenUnlocked(&_unlockedSinceBoot, &aksError)) {
secerror(" CFReleaseSafe(aksError);
return NO;
}
return YES;
}
- (BOOL) updateIsLocked
{
CFErrorRef aksError = NULL;
if (!SecAKSGetIsLocked(&_isLocked, &aksError)) {
secerror(" CFReleaseSafe(aksError);
return NO;
}
secerror("updateIsLocked: if (!_isLocked)
_unlockedSinceBoot = YES;
return YES;
}
- (void) keybagStateChange
{
os_activity_initiate("keybagStateChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{
secerror("keybagStateChange! was locked: BOOL wasLocked = self->_isLocked;
if ([self updateIsLocked]) {
if (wasLocked == self->_isLocked)
secdebug("IDS Transport", " else if (self->_isLocked)
[self keybagDidLock];
else
[self keybagDidUnlock];
}
});
}
- (void)timerFired
{
if(_unhandledMessageBuffer)
secnotice("IDS Transport", "
if(_isLocked)
_retryTimerScheduled = NO;
else if([_unhandledMessageBuffer count] == 0)
_retryTimerScheduled = NO;
else if (_retryTimerScheduled && !_isLocked)
[self handleAllPendingMessage];
else
[[KeychainSyncingOverIDSProxy idsProxy] scheduleRetryRequestTimer];
}
- (void)scheduleRetryRequestTimer
{
secnotice("IDS Transport", "scheduling unhandled messages timer");
dispatch_source_set_timer(_retryTimer, dispatch_time(DISPATCH_TIME_NOW, kMinMessageRetryDelay), DISPATCH_TIME_FOREVER, kRetryTimerLeeway);
_retryTimerScheduled = YES;
}
- (void)doIDSInitialization
{
dispatch_async(self.calloutQueue, ^{
secnotice("IDS Transport", "doIDSInitialization!");
self->_service = [[IDSService alloc] initWithService: @IDSServiceNameKeychainSync];
if( self->_service == nil ){
self->_isIDSInitDone = false;
secerror("Could not create ids service");
}
else{
secnotice("IDS Transport", "IDS Transport Successfully set up IDS!");
[self->_service addDelegate:self queue: dispatch_get_main_queue()];
self->_isIDSInitDone = true;
if(self->_isSecDRunningAsRoot == false)
[self doSetIDSDeviceID];
NSArray *ListOfIDSDevices = [self->_service devices];
self.listOfDevices = ListOfIDSDevices;
for(NSUInteger i = 0; i < [ self.listOfDevices count ]; i++){
IDSDevice *device = self.listOfDevices[i];
NSString *authToken = IDSCopyIDForDevice(device);
[self.deviceIDFromAuthToken setObject:device.uniqueID forKey:authToken];
}
}
});
}
- (void) doSetIDSDeviceID
{
NSInteger code = 0;
NSString *errorMessage = nil;
if(!_isIDSInitDone){
[self doIDSInitialization];
}
_setIDSDeviceID = YES;
if(_isSecDRunningAsRoot != false)
{
errorMessage = @"cannot set IDS device ID, secd is running as root";
code = SECD_RUN_AS_ROOT_ERROR;
secerror("Setting device ID error:
}
else if(_doesSecDHavePeer != true)
{
errorMessage = @"cannot set IDS deviceID, secd does not have a full peer info for account";
code = kSOSErrorPeerNotFound;
secerror("Setting device ID error:
}
else if(!_isIDSInitDone){
errorMessage = @"KeychainSyncingOverIDSProxy can't set up the IDS service";
code = kSecIDSErrorNotRegistered;
secerror("Setting device ID error: }
else if(_isLocked){
errorMessage = @"KeychainSyncingOverIDSProxy can't set device ID, device is locked";
code = kSecIDSErrorDeviceIsLocked;
secerror("Setting device ID error: }
else{
[self calloutWith:^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) {
CFErrorRef localError = NULL;
bool handledSettingID = false;
NSString *ID = IDSCopyLocalDeviceUniqueID();
self->deviceID = ID;
if(ID){
handledSettingID = SOSCCSetDeviceID((__bridge CFStringRef) ID, &localError);
if(!handledSettingID && localError != NULL){
if(CFErrorGetCode(localError) == SECD_RUN_AS_ROOT_ERROR){
secerror("SETTING RUN AS ROOT ERROR: self->_isSecDRunningAsRoot = true;
}
else if (CFErrorIsMalfunctioningKeybagError(localError)) {
secnotice("IDS Transport", "system is unavailable, cannot set device ID, error: self->_isLocked = true;
}
else if (CFErrorGetCode(localError) == kSOSErrorPeerNotFound && CFStringCompare(CFErrorGetDomain(localError), kSOSErrorDomain, 0) == 0){
secnotice("IDS Transport","securityd does not have a peer yet , error: self->_doesSecDHavePeer = false;
}
}
else
self->_setIDSDeviceID = NO;
CFReleaseNull(localError);
dispatch_async(queue, ^{
done(nil, NO, YES);
});
} else {
dispatch_async(queue, ^{
done(nil, NO, NO);
});
}
if(errorMessage != nil){
secerror("Setting device ID error: KeychainSyncingOverIDSProxy could not retrieve device ID from keychain, code: }
}];
}
}
- (void) calloutWith: (void(^)(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSettingDeviceID))) callout
{
// In KeychainSyncingOverIDSProxy serial queue
dispatch_queue_t idsproxy_queue = dispatch_get_main_queue();
// dispatch_get_global_queue - well-known global concurrent queue
// dispatch_get_main_queue - default queue that is bound to the main thread
xpc_transaction_begin();
dispatch_async(_calloutQueue, ^{
__block NSMutableDictionary *myPending;
__block bool myHandlePendingMessage;
__block bool myDoSetDeviceID;
__block bool wasLocked;
dispatch_sync(idsproxy_queue, ^{
myPending = [self->_unhandledMessageBuffer copy];
myHandlePendingMessage = self->_handleAllPendingMessages;
myDoSetDeviceID = self->_setIDSDeviceID;
wasLocked = self->_isLocked;
self->_inCallout = YES;
self->_shadowHandleAllPendingMessages = NO;
});
callout(myPending, myHandlePendingMessage, myDoSetDeviceID, idsproxy_queue, ^(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSetDeviceID) {
secdebug("event", "
// In IDSKeychainSyncingProxy's serial queue
self->_inCallout = NO;
// Update setting device id
self->_setIDSDeviceID = ((myDoSetDeviceID && !handledSetDeviceID));
self->_shadowDoSetIDSDeviceID = NO;
xpc_transaction_end();
});
});
}
- (void) sendKeysCallout: (NSMutableDictionary*(^)(NSMutableDictionary* pending, NSError** error)) handleMessages {
[self calloutWith: ^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) {
NSError* error = NULL;
NSMutableDictionary* handled = handleMessages(pending, &error);
dispatch_async(queue, ^{
if (!handled && error) {
secerror(" }
done(handled, NO, NO);
});
}];
}
NSString* createErrorString(NSString* format, ...)
{
va_list va;
va_start(va, format);
NSString* errorString = ([[NSString alloc] initWithFormat:format arguments:va]);
va_end(va);
return errorString;
}
@end