SOSAccountCredentials.m [plain text]
/*
* Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
#include <stdio.h>
#include <AssertMacros.h>
#include "SOSAccountPriv.h"
#include "SOSPeerInfoCollections.h"
#include "SOSTransport.h"
#import <Security/SecureObjectSync/SOSAccountTrust.h>
#import <Security/SecureObjectSync/SOSAccountTrustClassic+Circle.h>
#define kPublicKeyAvailable "com.apple.security.publickeyavailable"
//
// MARK: User Credential management
//
// List of things to do
// Update myFullPeerInfo in circle if needed
// Fix iCloud Identity if needed
// Gen sign if private key changed
bool SOSAccountGenerationSignatureUpdate(SOSAccount* account, CFErrorRef *error) {
bool result = false;
SecKeyRef priv_key = SOSAccountGetPrivateCredential(account, error);
require_quiet(priv_key, bail);
[account.trust generationSignatureUpdateWith:account key:priv_key];
result = true;
bail:
return result;
}
/* this one is meant to be local - not published over KVS. */
static bool SOSAccountPeerSignatureUpdate(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error) {
SOSFullPeerInfoRef identity = NULL;
SOSAccountTrustClassic *trust = account.trust;
identity = trust.fullPeerInfo;
return identity && SOSFullPeerInfoUpgradeSignatures(identity, privKey, error);
}
void SOSAccountPurgePrivateCredential(SOSAccount* account)
{
secnotice("circleOps", "Purging private account credential");
if(account.accountPrivateKey)
{
account.accountPrivateKey = NULL;
}
if(account._password_tmp)
{
account._password_tmp = NULL;
}
if (account.user_private_timer) {
dispatch_source_cancel(account.user_private_timer);
account.user_private_timer = NULL;
xpc_transaction_end();
}
if (account.lock_notification_token != NOTIFY_TOKEN_INVALID) {
notify_cancel(account.lock_notification_token);
account.lock_notification_token = NOTIFY_TOKEN_INVALID;
}
}
static void SOSAccountSetTrustedUserPublicKey(SOSAccount* account, bool public_was_trusted, SecKeyRef privKey)
{
if (!privKey) return;
SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey);
if (account.accountKey && account.accountKeyIsTrusted && CFEqual(publicKey, account.accountKey)) {
CFReleaseNull(publicKey);
return;
}
if(public_was_trusted && account.accountKey) {
account.previousAccountKey = account.accountKey;
}
account.accountKey = publicKey;
account.accountKeyIsTrusted = true;
if(!account.previousAccountKey) {
account.previousAccountKey = account.accountKey;
}
CFReleaseNull(publicKey);
secnotice("circleOps", "trusting new public key: notify_post(kPublicKeyAvailable);
}
void SOSAccountSetUnTrustedUserPublicKey(SOSAccount* account, SecKeyRef publicKey) {
if(account.accountKeyIsTrusted && account.accountKey) {
secnotice("circleOps", "Moving : account.previousAccountKey = account.accountKey;
}
account.accountKey = publicKey;
account.accountKeyIsTrusted = false;
if(!account.previousAccountKey) {
account.previousAccountKey = account.accountKey;
}
secnotice("circleOps", "not trusting new public key: }
static void SOSAccountSetPrivateCredential(SOSAccount* account, SecKeyRef private, CFDataRef password) {
if (!private)
return SOSAccountPurgePrivateCredential(account);
secnotice("circleOps", "setting new private credential");
account.accountPrivateKey = private;
if (password) {
account._password_tmp = [[NSData alloc] initWithData:(__bridge NSData * _Nonnull)(password)];
} else {
account._password_tmp = NULL;
}
bool resume_timer = false;
if (!account.user_private_timer) {
xpc_transaction_begin();
resume_timer = true;
account.user_private_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, account.queue);
dispatch_source_set_event_handler(account.user_private_timer, ^{
secnotice("keygen", "Timing out, purging private account credential");
SOSAccountPurgePrivateCredential(account);
});
int lockNotification;
notify_register_dispatch(kUserKeybagStateChangeNotification, &lockNotification, account.queue, ^(int token) {
bool locked = false;
CFErrorRef lockCheckError = NULL;
if (!SecAKSGetIsLocked(&locked, &lockCheckError)) {
secerror("Checking for locked after change failed: }
if (locked) {
SOSAccountPurgePrivateCredential(account);
}
});
[account setLock_notification_token:lockNotification];
}
SOSAccountRestartPrivateCredentialTimer(account);
if (resume_timer)
dispatch_resume(account.user_private_timer);
}
void SOSAccountRestartPrivateCredentialTimer(SOSAccount* account)
{
if (account.user_private_timer) {
// (Re)set the timer's fire time to now + 10 minutes with a 5 second fuzz factor.
dispatch_time_t purgeTime = dispatch_time(DISPATCH_TIME_NOW, (int64_t)(10 * 60 * NSEC_PER_SEC));
dispatch_source_set_timer(account.user_private_timer, purgeTime, DISPATCH_TIME_FOREVER, (int64_t)(5 * NSEC_PER_SEC));
}
}
SecKeyRef SOSAccountGetPrivateCredential(SOSAccount* account, CFErrorRef* error)
{
if (account.accountPrivateKey == NULL) {
SOSCreateError(kSOSErrorPrivateKeyAbsent, CFSTR("Private Key not available - failed to prompt user recently"), NULL, error);
}
return account.accountPrivateKey;
}
CFDataRef SOSAccountGetCachedPassword(SOSAccount* account, CFErrorRef* error)
{
if (account._password_tmp == NULL) {
secnotice("circleOps", "Password cache expired");
}
return (__bridge CFDataRef)(account._password_tmp);
}
static NSString *SOSUserCredentialAccount = @"SOSUserCredential";
static NSString *SOSUserCredentialAccessGroup = @"com.apple.security.sos-usercredential";
__unused static void SOSAccountDeleteStashedAccountKey(SOSAccount* account)
{
NSString *dsid = (__bridge NSString *)SOSAccountGetValue(account, kSOSDSIDKey, NULL);
if (dsid == NULL)
return;
NSDictionary * attributes = @{
(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
(__bridge id)kSecAttrServer : dsid,
(__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
};
(void)SecItemDelete((__bridge CFDictionaryRef)attributes);
}
void SOSAccountStashAccountKey(SOSAccount* account)
{
OSStatus status;
SecKeyRef user_private = account.accountPrivateKey;
NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation(user_private, NULL));
if (data == NULL){
return;
}
NSDictionary *attributes = @{
(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
(__bridge id)kSecAttrIsInvisible : @YES,
(__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleWhenUnlocked,
(__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
(__bridge id)kSecAttrSysBound : @(kSecSecAttrSysBoundPreserveDuringRestore),
(__bridge id)kSecValueData : data,
};
status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
if (status == errSecDuplicateItem) {
attributes = @{
(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
(__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
(__bridge id)kSecAttrNoLegacy : @YES,
};
status = SecItemUpdate((__bridge CFDictionaryRef)attributes, (__bridge CFDictionaryRef)@{
(__bridge id)kSecValueData : data,
(__bridge id)kSecAttrSysBound : @(kSecSecAttrSysBoundPreserveDuringRestore)
});
if (status) {
secnotice("circleOps", "Failed to update user private key to keychain: }
} else if (status != 0) {
secnotice("circleOps", "Failed to add user private key to keychain: }
if(status == 0) {
secnotice("circleOps", "Stored user private key stashed local keychain");
}
return;
}
SecKeyRef SOSAccountCopyStashedUserPrivateKey(SOSAccount* account, CFErrorRef *error)
{
SecKeyRef key = NULL;
CFDataRef data = NULL;
OSStatus status;
NSDictionary *attributes = @{
(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrAccount : SOSUserCredentialAccount,
(__bridge id)kSecAttrAccessGroup : SOSUserCredentialAccessGroup,
(__bridge id)kSecReturnData : @YES,
(__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitOne,
};
status = SecItemCopyMatching((__bridge CFDictionaryRef)attributes, (CFTypeRef *)&data);
if (status) {
SecError(status, error, CFSTR("Failed fetching account credential: return NULL;
}
NSDictionary *keyAttributes = @{
(__bridge id)kSecAttrKeyClass : (__bridge id)kSecAttrKeyClassPrivate,
(__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeEC,
};
key = SecKeyCreateWithData(data, (__bridge CFDictionaryRef)keyAttributes, error);
CFReleaseNull(data);
return key;
}
SecKeyRef SOSAccountGetTrustedPublicCredential(SOSAccount* account, CFErrorRef* error)
{
if (account.accountKey == NULL || account.accountKeyIsTrusted == false) {
SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Public Key isn't available. The iCloud Password must be provided to the syncing subsystem to repair this."), NULL, error);
return NULL;
}
return account.accountKey;
}
bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error)
{
return SOSAccountGetTrustedPublicCredential(account, error);
}
static void sosAccountSetTrustedCredentials(SOSAccount* account, CFDataRef user_password, SecKeyRef user_private, bool public_was_trusted) {
if(!SOSAccountFullPeerInfoVerify(account, user_private, NULL)){
(void) SOSAccountPeerSignatureUpdate(account, user_private, NULL);
}
SOSAccountSetTrustedUserPublicKey(account, public_was_trusted, user_private);
SOSAccountSetPrivateCredential(account, user_private, user_password);
SOSAccountCheckForAlwaysOnViews(account);
}
static SecKeyRef sosAccountCreateKeyIfPasswordIsCorrect(SOSAccount* account, CFDataRef user_password, CFErrorRef *error) {
SecKeyRef user_private = NULL;
require_quiet(account.accountKey && account.accountKeyDerivationParamters, errOut);
user_private = SOSUserKeygen(user_password, (__bridge CFDataRef)(account.accountKeyDerivationParamters), error);
require_quiet(user_private, errOut);
require_action_quiet(SOSAccountValidateAccountCredential(account, user_private, error), errOut, CFReleaseNull(user_private));
errOut:
return user_private;
}
static bool sosAccountValidatePasswordOrFail(SOSAccount* account, CFDataRef user_password, CFErrorRef *error) {
SecKeyRef privKey = sosAccountCreateKeyIfPasswordIsCorrect(account, user_password, error);
if(!privKey) {
if(account.accountKeyDerivationParamters) debugDumpUserParameters(CFSTR("sosAccountValidatePasswordOrFail"), (__bridge CFDataRef)(account.accountKeyDerivationParamters));
SOSCreateError(kSOSErrorWrongPassword, CFSTR("Could not create correct key with password."), NULL, error);
return false;
}
sosAccountSetTrustedCredentials(account, user_password, privKey, account.accountKeyIsTrusted);
CFReleaseNull(privKey);
return true;
}
void SOSAccountSetParameters(SOSAccount* account, CFDataRef parameters) {
account.accountKeyDerivationParamters = (__bridge NSData *) parameters;
}
bool SOSAccountValidateAccountCredential(SOSAccount* account, SecKeyRef accountPrivateKey, CFErrorRef *error)
{
SecKeyRef publicCandidate = NULL;
bool res = false;
publicCandidate = SecKeyCreatePublicFromPrivate(accountPrivateKey);
require_action_quiet(CFEqualSafe(account.accountKey, publicCandidate), fail,
SOSCreateErrorWithFormat(kSOSErrorWrongPassword, NULL, error, NULL, CFSTR("account private key no doesn't match validated public key: candidate:
res = true;
fail:
CFReleaseNull(publicCandidate);
return res;
}
bool SOSAccountAssertStashedAccountCredential(SOSAccount* account, CFErrorRef *error)
{
SecKeyRef accountPrivateKey = NULL, publicCandidate = NULL;
bool result = false;
require_action(account.accountKey, fail, SOSCreateError(kSOSErrorWrongPassword, CFSTR("account public key missing, can't check stashed copy"), NULL, error));
require_action(account.accountKeyIsTrusted, fail, SOSCreateError(kSOSErrorWrongPassword, CFSTR("public key no not valid, can't check stashed copy"), NULL, error));
accountPrivateKey = SOSAccountCopyStashedUserPrivateKey(account, error);
require_action_quiet(accountPrivateKey, fail, secnotice("circleOps", "Looked for a stashed private key, didn't find one"));
require(SOSAccountValidateAccountCredential(account, accountPrivateKey, error), fail);
sosAccountSetTrustedCredentials(account, NULL, accountPrivateKey, true);
result = true;
fail:
CFReleaseSafe(publicCandidate);
CFReleaseSafe(accountPrivateKey);
return result;
}
bool SOSAccountAssertUserCredentials(SOSAccount* account, CFStringRef user_account, CFDataRef user_password, CFErrorRef *error)
{
bool public_was_trusted = account.accountKeyIsTrusted;
account.accountKeyIsTrusted = false;
SecKeyRef user_private = NULL;
CFDataRef parameters = NULL;
// if this succeeds, skip to the end. Success will update account.accountKeyIsTrusted by side-effect.
require_quiet(!sosAccountValidatePasswordOrFail(account, user_password, error), recordCred);
// We may or may not have parameters here.
// In any case we tried using them and they didn't match
// So forget all that and start again, assume we're the first to push anything useful.
if (CFDataGetLength(user_password) > 20) {
secwarning("Long password (>20 byte utf8) being used to derive account key – this may be a PET by mistake!!");
}
parameters = SOSUserKeyCreateGenerateParameters(error);
require_quiet(user_private = SOSUserKeygen(user_password, parameters, error), errOut);
SOSAccountSetParameters(account, parameters);
sosAccountSetTrustedCredentials(account, user_password, user_private, public_was_trusted);
CFErrorRef publishError = NULL;
if (!SOSAccountPublishCloudParameters(account, &publishError)) {
secerror("Failed to publish new cloud parameters: }
CFReleaseNull(publishError);
recordCred:
SOSAccountStashAccountKey(account);
SOSAccountSetValue(account, kSOSAccountName, user_account, NULL);
errOut:
CFReleaseNull(parameters);
CFReleaseNull(user_private);
secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountAssertUserCredentials");
account.key_interests_need_updating = true;
return account.accountKeyIsTrusted;
}
bool SOSAccountTryUserCredentials(SOSAccount* account, CFStringRef user_account, CFDataRef user_password, CFErrorRef *error) {
bool success = sosAccountValidatePasswordOrFail(account, user_password, error);
if(success) {
SOSAccountStashAccountKey(account);
SOSAccountSetValue(account, kSOSAccountName, user_account, NULL);
}
secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountTryUserCredentials");
account.key_interests_need_updating = true;
return success;
}
bool SOSAccountTryUserPrivateKey(SOSAccount* account, SecKeyRef user_private, CFErrorRef *error) {
bool retval = SOSAccountValidateAccountCredential(account, user_private, error);
if(!retval) {
secnotice("circleOps", "Failed to accept provided user_private as credential");
return retval;
}
sosAccountSetTrustedCredentials(account, NULL, user_private, account.accountKeyIsTrusted);
SOSAccountStashAccountKey(account);
secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountTryUserPrivateKey");
account.key_interests_need_updating = true;
secnotice("circleOps", "Accepted provided user_private as credential");
return retval;
}
bool SOSAccountRetryUserCredentials(SOSAccount* account) {
CFDataRef cachedPassword = SOSAccountGetCachedPassword(account, NULL);
if (cachedPassword == NULL)
return false;
/*
* SOSAccountTryUserCredentials reset the cached password internally,
* so we must have a retain of the password over SOSAccountTryUserCredentials().
*/
CFRetain(cachedPassword);
bool res = SOSAccountTryUserCredentials(account, NULL, cachedPassword, NULL);
CFRelease(cachedPassword);
return res;
}