/*
* Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
//
// SOSCloudCircle.m
//
#import <Foundation/Foundation.h>
#import <Foundation/NSXPCConnection_Private.h>
#include <stdio.h>
#include <AssertMacros.h>
#include "keychain/SecureObjectSync/SOSCloudCircle.h"
#include "keychain/SecureObjectSync/SOSCloudCircleInternal.h"
#include "keychain/SecureObjectSync/SOSCircle.h"
#include "keychain/SecureObjectSync/SOSAccount.h"
#include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
#include "keychain/SecureObjectSync/SOSPeerInfoCollections.h"
#include "keychain/SecureObjectSync/SOSInternal.h"
#include "keychain/SecureObjectSync/SOSRing.h"
#include <Security/SecureObjectSync/SOSBackupSliceKeyBag.h>
#include <Security/SecureObjectSync/SOSViews.h>
#include "keychain/SecureObjectSync/SOSControlHelper.h"
#include "keychain/SecureObjectSync/SOSPeerInfoDER.h"
#include <Security/SecKeyPriv.h>
#include <Security/SecFramework.h>
#include <CoreFoundation/CFXPCBridge.h>
#include "keychain/securityd/SecItemServer.h"
#include <utilities/SecDispatchRelease.h>
#include <utilities/SecCFRelease.h>
#include <utilities/SecCFWrappers.h>
#include <utilities/SecXPCError.h>
#include <corecrypto/ccsha2.h>
#include <utilities/debugging.h>
#include <CoreFoundation/CoreFoundation.h>
#include <xpc/xpc.h>
#define MINIMIZE_INCLUDES MINIMIZE_INCLUDES
#include <ipc/securityd_client.h>
#include "keychain/securityd/spi.h"
#include <Security/SecuritydXPC.h>
const char * kSOSCCCircleChangedNotification = "com.apple.security.secureobjectsync.circlechanged";
const char * kSOSCCViewMembershipChangedNotification = "com.apple.security.secureobjectsync.viewschanged";
const char * kSOSCCInitialSyncChangedNotification = "com.apple.security.secureobjectsync.initialsyncchanged";
const char * kSOSCCHoldLockForInitialSync = "com.apple.security.secureobjectsync.holdlock";
const char * kSOSCCPeerAvailable = "com.apple.security.secureobjectsync.peeravailable";
const char * kSOSCCRecoveryKeyChanged = "com.apple.security.secureobjectsync.recoverykeychanged";
const char * kSOSCCCircleOctagonKeysChangedNotification = "com.apple.security.sosoctagonbitschanged";
#define do_if_registered(sdp, ...) if (gSecurityd && gSecurityd->sdp) { return gSecurityd->sdp(__VA_ARGS__); }
static bool xpc_dictionary_entry_is_type(xpc_object_t dictionary, const char *key, xpc_type_t type)
{
xpc_object_t value = xpc_dictionary_get_value(dictionary, key);
return value && (xpc_get_type(value) == type);
}
static void setSOSDisabledError(CFErrorRef *error) {
SecCFCreateErrorWithFormat(0, kSOSErrorDomain, NULL, error, NULL, CFSTR("SOS Disabled for this platform"));
}
SOSCCStatus SOSCCThisDeviceIsInCircle(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return kSOSCCError;
}
SOSCCStatus retval = SOSGetCachedCircleStatus(error);
if(retval != kSOSNoCachedValue) {
secdebug("circleOps", "Retrieved cached circle value return retval;
}
return SOSCCThisDeviceIsInCircleNonCached(error);
}
SOSCCStatus SOSCCThisDeviceIsInCircleNonCached(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return kSOSCCError;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(SOSCCStatus, ^{
SOSCCStatus result = kSOSCCError;
do_if_registered(soscc_ThisDeviceIsInCircle, error);
xpc_object_t message = securityd_create_message(kSecXPCOpDeviceInCircle, error);
if (message) {
xpc_object_t response = securityd_message_with_reply_sync(message, error);
if (response && xpc_dictionary_entry_is_type(response, kSecXPCKeyResult, XPC_TYPE_INT64)) {
result = (SOSCCStatus) xpc_dictionary_get_int64(response, kSecXPCKeyResult);
} else {
result = kSOSCCError;
}
if (result < 0) {
if (response && securityd_message_no_error(response, error))
{
char *desc = xpc_copy_description(response);
SecCFCreateErrorWithFormat(0, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("Remote error occurred/no info: free((void *)desc);
}
}
}
secnotice("circleOps", "Retrieved non-cached circle value
return result;
}, CFSTR("SOSCCStatus=}
static bool simple_bool_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
__block bool result = false;
secdebug("sosops","enter - operation: securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
static bool SecXPCDictionarySetPeerInfoData(xpc_object_t message, const char *key, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
bool success = false;
CFDataRef peerData = SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, error);
if (peerData) {
success = SecXPCDictionarySetData(message, key, peerData, error);
}
CFReleaseNull(peerData);
return success;
}
static bool peer_info_to_bool_error_request(enum SecXPCOperation op, SOSPeerInfoRef peerInfo, CFErrorRef* error)
{
__block bool result = false;
secdebug("sosops","enter - operation: securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
return SecXPCDictionarySetPeerInfoData(message, kSecXPCKeyPeerInfo, peerInfo, error);
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
static CFBooleanRef cfarray_to_cfboolean_error_request(enum SecXPCOperation op, CFArrayRef views, CFErrorRef* error)
{
__block bool result = false;
secdebug("sosops","enter - operation: bool noError = securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
return SecXPCDictionarySetPList(message, kSecXPCKeyArray, views, error);
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return true;
});
return noError ? (result ? kCFBooleanTrue : kCFBooleanFalse) : NULL;
}
static CFSetRef cfset_cfset_to_cfset_error_request(enum SecXPCOperation op, CFSetRef set1, CFSetRef set2, CFErrorRef* error)
{
__block CFSetRef result = NULL;
secdebug("sosops","enter - operation: bool noError = securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
return SecXPCDictionarySetPList(message, kSecXPCKeySet, set1, error) && SecXPCDictionarySetPList(message, kSecXPCKeySet2, set2, error);
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = SecXPCDictionaryCopySet(response, kSecXPCKeyResult, error);
return result;
});
if (!noError) {
CFReleaseNull(result);
}
return result;
}
static CF_RETURNS_RETAINED CFArrayRef simple_array_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
__block CFArrayRef result = NULL;
secdebug("sosops","enter - operation: if (securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
result = _CFXPCCreateCFObjectFromXPCObject(temp_result);
return result != NULL;
})) {
if (!isArray(result)) {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected array, got: CFReleaseNull(result);
}
}
return result;
}
static CF_RETURNS_RETAINED CFArrayRef der_array_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
__block CFArrayRef result = NULL;
secdebug("sosops","enter - operation: if (securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) {
size_t length = 0;
const uint8_t* bytes = xpc_dictionary_get_data(response, kSecXPCKeyResult, &length);
der_decode_plist(kCFAllocatorDefault, (CFPropertyListRef*) &result, error, bytes, bytes + length);
return result != NULL;
})) {
if (!isArray(result)) {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected array, got: CFReleaseNull(result);
}
}
return result;
}
static int simple_int_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
__block int result = 0;
secdebug("sosops","enter - operation: securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
int64_t temp_result = xpc_dictionary_get_int64(response, kSecXPCKeyResult);
if ((temp_result >= INT32_MIN) && (temp_result <= INT32_MAX)) {
result = (int)temp_result;
}
return result;
});
return result;
}
static CF_RETURNS_RETAINED SOSPeerInfoRef peer_info_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
SOSPeerInfoRef result = NULL;
__block CFDataRef data = NULL;
secdebug("sosops","enter - operation: securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != temp_result)) {
data = _CFXPCCreateCFObjectFromXPCObject(temp_result);
}
return data != NULL;
});
if (isData(data)) {
result = SOSPeerInfoCreateFromData(kCFAllocatorDefault, error, data);
} else {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected CFData, got: }
CFReleaseNull(data);
return result;
}
static CFDataRef flags_to_data_error_request(enum SecXPCOperation op, uint32_t flags, CFErrorRef *error)
{
__block CFDataRef result = NULL;
secdebug("sosops", "enter -- operation: securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_dictionary_set_uint64(message, kSecXPCKeyFlags, flags);
return true;
}, ^bool(xpc_object_t response, CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != temp_result)) {
result = _CFXPCCreateCFObjectFromXPCObject(temp_result);
}
return result != NULL;
});
if (!isData(result)) {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected CFData, got: return NULL;
}
return result;
}
static CFDataRef data_to_error_request(enum SecXPCOperation op, CFErrorRef *error)
{
__block CFDataRef result = NULL;
secdebug("sosops", "enter -- operation: securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != temp_result)) {
result = _CFXPCCreateCFObjectFromXPCObject(temp_result);
}
return result != NULL;
});
if (!isData(result)) {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected CFData, got: return NULL;
}
return result;
}
static CFArrayRef array_of_info_error_request(enum SecXPCOperation op, CFErrorRef* error)
{
__block CFArrayRef result = NULL;
secdebug("sosops","enter - operation: securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) {
xpc_object_t encoded_array = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != encoded_array)) {
result = CreateArrayOfPeerInfoWithXPCObject(encoded_array, error);
}
return result != NULL;
});
if (!isArray(result)) {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected array, got: CFReleaseNull(result);
}
return result;
}
static CF_RETURNS_RETAINED SOSPeerInfoRef data_to_peer_info_error_request(enum SecXPCOperation op, CFDataRef secret, CFErrorRef* error)
{
__block SOSPeerInfoRef result = false;
__block CFDataRef data = NULL;
secdebug("sosops", "enter - operation: securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_object_t xsecretData = _CFXPCCreateXPCObjectFromCFObject(secret);
bool success = false;
if (xsecretData){
xpc_dictionary_set_value(message, kSecXPCKeyNewPublicBackupKey, xsecretData);
success = true;
xsecretData = nil;
}
return success;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != temp_result)) {
data = _CFXPCCreateCFObjectFromXPCObject(temp_result);
}
return data != NULL;
});
if (isData(data)) {
result = SOSPeerInfoCreateFromData(kCFAllocatorDefault, error, data);
} else {
SOSErrorCreate(kSOSErrorUnexpectedType, error, NULL, CFSTR("Expected CFData, got: }
CFReleaseNull(data);
return result;
}
static bool keybag_and_bool_to_bool_error_request(enum SecXPCOperation op, CFDataRef data, bool include, CFErrorRef* error)
{
secdebug("sosops", "enter - operation: return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_object_t xData = _CFXPCCreateXPCObjectFromCFObject(data);
bool success = false;
if (xData){
xpc_dictionary_set_value(message, kSecXPCKeyKeybag, xData);
xData = nil;
success = true;
}
xpc_dictionary_set_bool(message, kSecXPCKeyIncludeV0, include);
return success;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
return xpc_dictionary_get_bool(response, kSecXPCKeyResult);
});
}
static bool recovery_and_bool_to_bool_error_request(enum SecXPCOperation op, CFDataRef data, CFErrorRef* error)
{
secdebug("sosops", "enter - operation: return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_object_t xData = NULL;
if(data) {
xData = _CFXPCCreateXPCObjectFromCFObject(data);
} else {
uint8_t zero = 0;
CFDataRef nullData = CFDataCreate(kCFAllocatorDefault, &zero, 1);
xData = _CFXPCCreateXPCObjectFromCFObject(nullData);
CFReleaseNull(nullData);
}
bool success = false;
if (xData){
xpc_dictionary_set_value(message, kSecXPCKeyRecoveryPublicKey, xData);
xData = nil;
success = true;
}
return success;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
return xpc_dictionary_get_bool(response, kSecXPCKeyResult);
});
}
static bool info_array_to_bool_error_request(enum SecXPCOperation op, CFArrayRef peer_infos, CFErrorRef* error)
{
__block bool result = false;
secdebug("sosops", "enter - operation: securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_object_t encoded_peers = CreateXPCObjectWithArrayOfPeerInfo(peer_infos, error);
if (encoded_peers)
xpc_dictionary_set_value(message, kSecXPCKeyPeerInfoArray, encoded_peers);
return encoded_peers != NULL;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
static bool uint64_t_to_bool_error_request(enum SecXPCOperation op,
uint64_t number,
CFErrorRef* error)
{
__block bool result = false;
securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_dictionary_set_uint64(message, kSecXPCLimitInMinutes, number);
return true;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
static bool cfdata_and_int_error_request_returns_bool(enum SecXPCOperation op, CFDataRef thedata,
PiggyBackProtocolVersion version, CFErrorRef *error) {
__block bool result = false;
sec_trace_enter_api(NULL);
securityd_send_sync_and_do(op, error, ^(xpc_object_t message, CFErrorRef *error) {
xpc_object_t xdata = _CFXPCCreateXPCObjectFromCFObject(thedata);
bool success = false;
if (xdata) {
xpc_dictionary_set_value(message, kSecXPCData, xdata);
xpc_dictionary_set_uint64(message, kSecXPCVersion, version);
success = true;
xdata = nil;
}
return success;
}, ^(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return (bool)true;
});
return result;
}
static CFDataRef cfdata_error_request_returns_cfdata(enum SecXPCOperation op, CFDataRef thedata, CFErrorRef *error) {
__block CFDataRef result = NULL;
sec_trace_enter_api(NULL);
securityd_send_sync_and_do(op, error, ^(xpc_object_t message, CFErrorRef *error) {
xpc_object_t xdata = _CFXPCCreateXPCObjectFromCFObject(thedata);
bool success = false;
if (xdata) {
xpc_dictionary_set_value(message, kSecXPCData, xdata);
success = true;
xdata = nil;
}
return success;
}, ^(xpc_object_t response, __unused CFErrorRef *error) {
xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult);
if (response && (NULL != temp_result)) {
CFTypeRef object = _CFXPCCreateCFObjectFromXPCObject(temp_result);
result = copyIfData(object, error);
CFReleaseNull(object);
}
return (bool) (result != NULL);
});
return result;
}
bool SOSCCRequestToJoinCircle(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_RequestToJoinCircle, error);
return simple_bool_error_request(kSecXPCOpRequestToJoin, error);
}, NULL)
}
bool SOSCCRequestToJoinCircleAfterRestore(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_RequestToJoinCircleAfterRestore, error);
return simple_bool_error_request(kSecXPCOpRequestToJoinAfterRestore, error);
}, NULL)
}
bool SOSCCAccountHasPublicKey(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_AccountHasPublicKey, error);
return simple_bool_error_request(kSecXPCOpAccountHasPublicKey, error);
}, NULL)
}
bool SOSCCWaitForInitialSync(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_WaitForInitialSync, error);
return simple_bool_error_request(kSecXPCOpWaitForInitialSync, error);
}, NULL)
}
bool SOSCCAccountSetToNew(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secwarning("SOSCCAccountSetToNew called");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_SetToNew, error);
return simple_bool_error_request(kSecXPCOpAccountSetToNew, error);
}, NULL)
}
bool SOSCCResetToOffering(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secwarning("SOSCCResetToOffering called");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_ResetToOffering, error);
return simple_bool_error_request(kSecXPCOpResetToOffering, error);
}, NULL)
}
bool SOSCCResetToEmpty(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secwarning("SOSCCResetToEmpty called");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_ResetToEmpty, error);
return simple_bool_error_request(kSecXPCOpResetToEmpty, error);
}, NULL)
}
bool SOSCCRemovePeersFromCircle(CFArrayRef peers, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_RemovePeersFromCircle, peers, error);
return info_array_to_bool_error_request(kSecXPCOpRemovePeersFromCircle, peers, error);
}, NULL)
}
bool SOSCCRemoveThisDeviceFromCircle(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_RemoveThisDeviceFromCircle, error);
return simple_bool_error_request(kSecXPCOpRemoveThisDeviceFromCircle, error);
}, NULL)
}
bool SOSCCLoggedIntoAccount(CFErrorRef* error) {
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_LoggedIntoAccount, error);
return simple_bool_error_request(kSecXPCOpLoggedIntoAccount, error);
}, NULL)
}
bool SOSCCLoggedOutOfAccount(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_LoggedOutOfAccount, error);
return simple_bool_error_request(kSecXPCOpLoggedOutOfAccount, error);
}, NULL)
}
bool SOSCCBailFromCircle_BestEffort(uint64_t limit_in_seconds, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_BailFromCircle, limit_in_seconds, error);
return uint64_t_to_bool_error_request(kSecXPCOpBailFromCircle, limit_in_seconds, error);
}, NULL)
}
CFArrayRef SOSCCCopyPeerPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyPeerPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyConcurringPeerPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyConcurringPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyConcurringPeerPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyGenerationPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyGenerationPeerInfo, error);
return simple_array_error_request(kSecXPCOpCopyGenerationPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyApplicantPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyApplicantPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyApplicantPeerInfo, error);
}, CFSTR("return=}
bool SOSCCValidateUserPublic(CFErrorRef* error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(bool, ^{
do_if_registered(soscc_ValidateUserPublic, error);
return simple_bool_error_request(kSecXPCOpValidateUserPublic, error);
}, NULL);
}
CFArrayRef SOSCCCopyValidPeerPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyValidPeerPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyValidPeerPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyNotValidPeerPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyNotValidPeerPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyNotValidPeerPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyRetirementPeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyRetirementPeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyRetirementPeerInfo, error);
}, CFSTR("return=}
CFArrayRef SOSCCCopyViewUnawarePeerInfo(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyViewUnawarePeerInfo, error);
return array_of_info_error_request(kSecXPCOpCopyViewUnawarePeerInfo, error);
}, CFSTR("return=}
SOSPeerInfoRef SOSCCCopyMyPeerInfo(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(SOSPeerInfoRef, ^{
do_if_registered(soscc_CopyMyPeerInfo, error);
return peer_info_error_request(kSecXPCOpCopyMyPeerInfo, error);
}, CFSTR("return=}
static CFArrayRef SOSCCCopyEngineState(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFArrayRef, ^{
do_if_registered(soscc_CopyEngineState, error);
return der_array_error_request(kSecXPCOpCopyEngineState, error);
}, CFSTR("return=}
CFStringRef kSOSCCEngineStatePeerIDKey = CFSTR("PeerID");
CFStringRef kSOSCCEngineStateManifestCountKey = CFSTR("ManifestCount");
CFStringRef kSOSCCEngineStateSyncSetKey = CFSTR("SyncSet");
CFStringRef kSOSCCEngineStateCoderKey = CFSTR("CoderDump");
CFStringRef kSOSCCEngineStateManifestHashKey = CFSTR("ManifestHash");
void SOSCCForEachEngineStateAsStringFromArray(CFArrayRef states, void (^block)(CFStringRef oneStateString)) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return;
}
CFArrayForEach(states, ^(const void *value) {
CFDictionaryRef dict = asDictionary(value, NULL);
if (dict) {
CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0);
CFStringRef id = asString(CFDictionaryGetValue(dict, kSOSCCEngineStatePeerIDKey), NULL);
if (id) {
CFStringAppendFormat(description, NULL, CFSTR("remote } else {
CFStringAppendFormat(description, NULL, CFSTR("local "));
}
CFSetRef viewSet = asSet(CFDictionaryGetValue(dict, kSOSCCEngineStateSyncSetKey), NULL);
if (viewSet) {
CFStringSetPerformWithDescription(viewSet, ^(CFStringRef setDescription) {
CFStringAppend(description, setDescription);
});
} else {
CFStringAppendFormat(description, NULL, CFSTR("<Missing view set!>"));
}
CFStringAppendFormat(description, NULL, CFSTR(" [ CFDictionaryGetValue(dict, kSOSCCEngineStateManifestCountKey));
CFDataRef mainfestHash = asData(CFDictionaryGetValue(dict, kSOSCCEngineStateManifestHashKey), NULL);
if (mainfestHash) {
CFDataPerformWithHexString(mainfestHash, ^(CFStringRef dataString) {
CFStringAppendFormat(description, NULL, CFSTR(" });
}
CFStringRef coderDescription = asString(CFDictionaryGetValue(dict, kSOSCCEngineStateCoderKey), NULL);
if (coderDescription) {
CFStringAppendFormat(description, NULL, CFSTR(" }
block(description);
CFReleaseNull(description);
}
});
}
bool SOSCCForEachEngineStateAsString(CFErrorRef* error, void (^block)(CFStringRef oneStateString)) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
CFArrayRef states = SOSCCCopyEngineState(error);
if (states == NULL)
return false;
SOSCCForEachEngineStateAsStringFromArray(states, block);
CFReleaseNull(states);
return true;
}
bool SOSCCAcceptApplicants(CFArrayRef applicants, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_AcceptApplicants, applicants, error);
return info_array_to_bool_error_request(kSecXPCOpAcceptApplicants, applicants, error);
}, NULL)
}
bool SOSCCRejectApplicants(CFArrayRef applicants, CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(CFSTR("applicants= sec_trace_return_bool_api(^{
do_if_registered(soscc_RejectApplicants, applicants, error);
return info_array_to_bool_error_request(kSecXPCOpRejectApplicants, applicants, error);
}, NULL)
}
static CF_RETURNS_RETAINED SOSPeerInfoRef SOSSetNewPublicBackupKey(CFDataRef pubKey, CFErrorRef *error)
{
sec_trace_enter_api(NULL);
sec_trace_return_api(SOSPeerInfoRef, ^{
do_if_registered(soscc_SetNewPublicBackupKey, pubKey, error);
return data_to_peer_info_error_request(kSecXPCOpSetNewPublicBackupKey, pubKey, error);
}, CFSTR("return=}
SOSPeerInfoRef SOSCCCopyMyPeerWithNewDeviceRecoverySecret(CFDataRef secret, CFErrorRef *error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
secnotice("devRecovery", "Enter SOSCCCopyMyPeerWithNewDeviceRecoverySecret()");
CFDataRef publicKeyData = SOSCopyDeviceBackupPublicKey(secret, error);
secnotice("devRecovery", "SOSCopyDeviceBackupPublicKey ( SOSPeerInfoRef copiedPeer = publicKeyData ? SOSSetNewPublicBackupKey(publicKeyData, error) : NULL;
secnotice("devRecovery", "SOSSetNewPublicBackupKey ( CFReleaseNull(publicKeyData);
return copiedPeer;
}
bool SOSCCRegisterSingleRecoverySecret(CFDataRef aks_bag, bool forV0Only, CFErrorRef *error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_RegisterSingleRecoverySecret, aks_bag, forV0Only, error);
return keybag_and_bool_to_bool_error_request(kSecXPCOpSetBagForAllSlices, aks_bag, forV0Only, error);
}, NULL);
}
bool SOSCCRegisterRecoveryPublicKey(CFDataRef recovery_key, CFErrorRef *error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
bool retval = false;
do_if_registered(soscc_RegisterRecoveryPublicKey, recovery_key, error);
// NULL recovery_key is handled in recovery_and_bool_to_bool_error_request now.
retval = recovery_and_bool_to_bool_error_request(kSecXPCOpRegisterRecoveryPublicKey, recovery_key, error);
return retval;
}, NULL);
}
CFDataRef SOSCCCopyRecoveryPublicKey(CFErrorRef *error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFDataRef, ^{
do_if_registered(soscc_CopyRecoveryPublicKey, error);
return data_to_error_request(kSecXPCOpGetRecoveryPublicKey, error);
}, CFSTR("return=}
static bool label_and_password_to_bool_error_request(enum SecXPCOperation op,
CFStringRef user_label, CFDataRef user_password,
CFErrorRef* error)
{
__block bool result = false;
securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
CFStringPerformWithCString(user_label, ^(const char *utf8Str) {
xpc_dictionary_set_string(message, kSecXPCKeyUserLabel, utf8Str);
});
xpc_dictionary_set_data(message, kSecXPCKeyUserPassword, CFDataGetBytePtr(user_password), CFDataGetLength(user_password));
return true;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
static bool label_and_password_and_dsid_to_bool_error_request(enum SecXPCOperation op,
CFStringRef user_label, CFDataRef user_password,
CFStringRef dsid, CFErrorRef* error)
{
__block bool result = false;
securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
CFStringPerformWithCString(user_label, ^(const char *utf8Str) {
xpc_dictionary_set_string(message, kSecXPCKeyUserLabel, utf8Str);
});
CFStringPerformWithCString(dsid, ^(const char *utr8StrDSID) {
xpc_dictionary_set_string(message, kSecXPCKeyDSID, utr8StrDSID);
});
xpc_dictionary_set_data(message, kSecXPCKeyUserPassword, CFDataGetBytePtr(user_password), CFDataGetLength(user_password));
return true;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
return result;
}
bool SOSCCRegisterUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("circleOps", "SOSCCRegisterUserCredentials - calling SOSCCSetUserCredentials for return SOSCCSetUserCredentials(user_label, user_password, error);
}
bool SOSCCSetUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("circleOps", "SOSCCSetUserCredentials for sec_trace_enter_api(CFSTR("user_label= sec_trace_return_bool_api(^{
do_if_registered(soscc_SetUserCredentials, user_label, user_password, error);
return label_and_password_to_bool_error_request(kSecXPCOpSetUserCredentials, user_label, user_password, error);
}, NULL)
}
bool SOSCCSetUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("circleOps", "SOSCCSetUserCredentialsAndDSID for sec_trace_enter_api(CFSTR("user_label= sec_trace_return_bool_api(^{
do_if_registered(soscc_SetUserCredentialsAndDSID, user_label, user_password, dsid, error);
bool result = false;
__block CFStringRef account_dsid = dsid;
require_action_quiet(user_label, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_label is nil")));
require_action_quiet(user_password, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_password is nil")));
if(account_dsid == NULL){
account_dsid = CFSTR("");
}
return label_and_password_and_dsid_to_bool_error_request(kSecXPCOpSetUserCredentialsAndDSID, user_label, user_password, account_dsid, error);
out:
return result;
}, NULL)
}
static bool SOSCCTryUserCredentialsAndDSID_internal(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) {
sec_trace_return_bool_api(^{
do_if_registered(soscc_TryUserCredentials, user_label, user_password, dsid, error);
bool result = false;
__block CFStringRef account_dsid = dsid;
require_action_quiet(user_label, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_label is nil")));
require_action_quiet(user_password, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_password is nil")));
if(account_dsid == NULL){
account_dsid = CFSTR("");
}
return label_and_password_and_dsid_to_bool_error_request(kSecXPCOpTryUserCredentials, user_label, user_password, account_dsid, error);
out:
return result;
}, NULL)
}
bool SOSCCTryUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("sosops", "SOSCCTryUserCredentialsAndDSID!! require_action_quiet(user_label, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_label is nil")));
require_action_quiet(user_password, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_password is nil")));
CFStringRef account_dsid = (dsid != NULL) ? dsid: CFSTR("");
return SOSCCTryUserCredentialsAndDSID_internal(user_label, user_password, account_dsid, error);
out:
return false;
}
bool SOSCCTryUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
return SOSCCTryUserCredentialsAndDSID_internal(user_label, user_password, NULL, error);
}
bool SOSCCCanAuthenticate(CFErrorRef* error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_CanAuthenticate, error);
return simple_bool_error_request(kSecXPCOpCanAuthenticate, error);
}, NULL)
}
bool SOSCCPurgeUserCredentials(CFErrorRef* error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_PurgeUserCredentials, error);
return simple_bool_error_request(kSecXPCOpPurgeUserCredentials, error);
}, NULL)
}
enum DepartureReason SOSCCGetLastDepartureReason(CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return kSOSDepartureReasonError;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(enum DepartureReason, ^{
do_if_registered(soscc_GetLastDepartureReason, error);
return (enum DepartureReason) simple_int_error_request(kSecXPCOpGetLastDepartureReason, error);
}, NULL)
}
bool SOSCCSetLastDepartureReason(enum DepartureReason reason, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(bool, ^{
do_if_registered(soscc_SetLastDepartureReason, reason, error);
return securityd_send_sync_and_do(kSecXPCOpSetLastDepartureReason, error,
^bool(xpc_object_t message, CFErrorRef *error) {
xpc_dictionary_set_int64(message, kSecXPCKeyReason, reason);
return true;
},
^bool(xpc_object_t response, __unused CFErrorRef *error) {
return xpc_dictionary_get_bool(response, kSecXPCKeyResult);
}
);
}, NULL)
}
bool SOSCCProcessEnsurePeerRegistration(CFErrorRef* error){
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("updates", "enter SOSCCProcessEnsurePeerRegistration");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_EnsurePeerRegistration, error);
return simple_bool_error_request(soscc_EnsurePeerRegistration_id, error);
}, NULL)
}
CFSetRef /* CFString */ SOSCCProcessSyncWithPeers(CFSetRef peers, CFSetRef backupPeers, CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(CFSetRef, ^{
do_if_registered(soscc_ProcessSyncWithPeers, peers, backupPeers, error);
return cfset_cfset_to_cfset_error_request(kSecXPCOpProcessSyncWithPeers, peers, backupPeers, error);
}, NULL)
}
SyncWithAllPeersReason SOSCCProcessSyncWithAllPeers(CFErrorRef* error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return kSyncWithAllPeersOtherFail;
}
sec_trace_enter_api(NULL);
sec_trace_return_api(SyncWithAllPeersReason, ^{
do_if_registered(soscc_ProcessSyncWithAllPeers, error);
return (SyncWithAllPeersReason) simple_int_error_request(kSecXPCOpProcessSyncWithAllPeers, error);
}, NULL)
}
CFStringRef SOSCCGetStatusDescription(SOSCCStatus status)
{
switch (status) {
case kSOSCCInCircle:
return CFSTR("InCircle");
case kSOSCCNotInCircle:
return CFSTR("NotInCircle");
case kSOSCCRequestPending:
return CFSTR("RequestPending");
case kSOSCCCircleAbsent:
return CFSTR("CircleAbsent");
case kSOSCCError:
return CFSTR("InternalError");
default:
return CFSTR("Unknown Status");
};
}
CFStringRef SOSCCGetViewResultDescription(SOSViewResultCode vrc)
{
switch (vrc) {
case kSOSCCGeneralViewError:
return CFSTR("GeneralViewError");
case kSOSCCViewMember:
return CFSTR("ViewMember");
case kSOSCCViewNotMember:
return CFSTR("ViewNotMember");
case kSOSCCViewNotQualified:
return CFSTR("ViewNotQualified");
case kSOSCCNoSuchView:
return CFSTR("ViewUndefined");
default:
return CFSTR("Unknown View Status");
};
}
static int64_t name_action_to_code_request(enum SecXPCOperation op, uint16_t error_result,
CFStringRef name, uint64_t action, CFErrorRef *error) {
__block int64_t result = error_result;
securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
CFStringPerformWithCString(name, ^(const char *utf8Str) {
xpc_dictionary_set_string(message, kSecXPCKeyViewName, utf8Str);
});
xpc_dictionary_set_int64(message, kSecXPCKeyViewActionCode, action);
return true;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
if (response && xpc_dictionary_entry_is_type(response, kSecXPCKeyResult, XPC_TYPE_INT64)) {
result = xpc_dictionary_get_int64(response, kSecXPCKeyResult);
}
return result != error_result;
});
return result;
}
SOSViewResultCode SOSCCView(CFStringRef view, SOSViewActionCode actionCode, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return kSOSCCGeneralViewError;
}
if(SOSVisibleKeychainNotAllowed() && (actionCode == kSOSCCViewEnable) && view && SOSViewsIsV0Subview(view)) {
secnotice("views", "Cannot enable visible keychain views due to profile restrictions");
return false;
}
if(actionCode == kSOSCCViewQuery) {
uint64_t circleStat = SOSGetCachedCircleBitmask();
if(circleStat & CC_STATISVALID) {
SOSViewResultCode retval = kSOSCCViewNotMember;
CFSetRef enabledViews = SOSCreateCachedViewStatus();
if(enabledViews) {
if(CFSetContainsValue(enabledViews, view)) {
retval = kSOSCCViewMember;
} else {
retval = kSOSCCViewNotMember;
}
CFReleaseNull(enabledViews);
}
return retval;
}
}
sec_trace_enter_api(NULL);
sec_trace_return_api(SOSViewResultCode, ^{
do_if_registered(soscc_View, view, actionCode, error);
return (SOSViewResultCode) name_action_to_code_request(kSecXPCOpView, kSOSCCGeneralViewError, view, actionCode, error);
}, CFSTR("SOSViewResultCode=}
bool SOSCCViewSet(CFSetRef enabledViews, CFSetRef disabledViews) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
if(SOSVisibleKeychainNotAllowed() && enabledViews && CFSetGetCount(enabledViews) && SOSViewSetIntersectsV0(enabledViews)) {
secnotice("views", "Cannot enable visible keychain views due to profile restrictions");
return false;
}
CFErrorRef *error = NULL;
__block bool result = false;
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_ViewSet, enabledViews, disabledViews);
return securityd_send_sync_and_do(kSecXPCOpViewSet, error, ^bool(xpc_object_t message, CFErrorRef *error) {
xpc_object_t enabledSetXpc = CreateXPCObjectWithCFSetRef(enabledViews, error);
xpc_object_t disabledSetXpc = CreateXPCObjectWithCFSetRef(disabledViews, error);
if (enabledSetXpc) xpc_dictionary_set_value(message, kSecXPCKeyEnabledViewsKey, enabledSetXpc);
if (disabledSetXpc) xpc_dictionary_set_value(message, kSecXPCKeyDisabledViewsKey, disabledSetXpc);
return (enabledSetXpc != NULL) || (disabledSetXpc != NULL) ;
}, ^bool(xpc_object_t response, __unused CFErrorRef *error) {
result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
return result;
});
}, NULL)
}
static CFStringRef copyViewNames(size_t n, CFStringRef *views) {
CFMutableStringRef retval = CFStringCreateMutable(kCFAllocatorDefault, 0);
CFStringAppend(retval, CFSTR("|"));
for(size_t i = 0; i < n; i++) {
CFStringAppend(retval, views[i]);
CFStringAppend(retval, CFSTR("|"));
}
return retval;
}
static bool sosIsViewSetSyncing(size_t n, CFStringRef *views) {
__block bool retval = true;
CFErrorRef error = NULL;
if(n == 0 || views == NULL) return false;
CFStringRef viewString = copyViewNames(n, views);
SOSCCStatus cstatus = SOSCCThisDeviceIsInCircle(&error);
if(cstatus != kSOSCCInCircle) {
secnotice("viewCheck", "Checking view / circle status for retval = false;
}
if(retval == true) {
// use cached values if valid
uint64_t circleStat = SOSGetCachedCircleBitmask();
if(circleStat & CC_STATISVALID) {
CFSetRef enabledViews = SOSCreateCachedViewStatus();
if(enabledViews) {
for(size_t i = 0; i < n; i++) {
if(!CFSetContainsValue(enabledViews, views[i])) {
retval = false;
}
}
CFReleaseNull(enabledViews);
CFReleaseNull(viewString);
return retval;
}
}
// make the individual calls otherwise.
for(size_t i = 0; i < n; i++) {
SOSViewResultCode vstatus = SOSCCView(views[i], kSOSCCViewQuery, &error);
if(vstatus != kSOSCCViewMember) {
secnotice("viewCheck", "Checking view / circle status for SOSCCGetStatusDescription(cstatus), SOSCCGetViewResultDescription(vstatus), error);
retval = false;
}
}
}
if(retval == true) {
secnotice("viewCheck", "Checking view / circle status for }
CFReleaseNull(error);
CFReleaseNull(viewString);
return retval;
}
bool SOSCCIsIcloudKeychainSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false; // should we lie since CKKS is syncing - or forward?
}
CFStringRef views[] = { kSOSViewWiFi, kSOSViewAutofillPasswords, kSOSViewSafariCreditCards, kSOSViewOtherSyncable };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsSafariSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsAppleTVSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
CFStringRef views[] = { kSOSViewAppleTV };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsHomeKitSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
CFStringRef views[] = { kSOSViewHomeKit };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsWiFiSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
CFStringRef views[] = { kSOSViewWiFi };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsContinuityUnlockSyncing(void) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
return false;
}
CFStringRef views[] = { kSOSViewContinuityUnlock };
return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
SOSPeerInfoRef SOSCCCopyApplication(CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
secnotice("hsa2PB", "enter SOSCCCopyApplication applicant");
sec_trace_enter_api(NULL);
sec_trace_return_api(SOSPeerInfoRef, ^{
do_if_registered(soscc_CopyApplicant, error);
return peer_info_error_request(kSecXPCOpCopyApplication, error);
}, CFSTR("return=}
bool SOSCCCleanupKVSKeys(CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("cleanup-keys", "enter SOSCCCleanupKVSKeys");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_SOSCCCleanupKVSKeys, error);
return simple_bool_error_request(kSecXPCOpKVSKeyCleanup, error);
}, NULL)
return false;
}
CFDataRef SOSCCCopyCircleJoiningBlob(SOSPeerInfoRef applicant, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
secnotice("hsa2PB", "enter SOSCCCopyCircleJoiningBlob approver");
sec_trace_enter_api(NULL);
sec_trace_return_api(CFDataRef, ^{
CFDataRef result = NULL;
do_if_registered(soscc_CopyCircleJoiningBlob, applicant, error);
CFDataRef piData = SOSPeerInfoCopyEncodedData(applicant, kCFAllocatorDefault, error);
result = cfdata_error_request_returns_cfdata(kSecXPCOpCopyCircleJoiningBlob, piData, error);
CFReleaseNull(piData);
return result;
}, CFSTR("return=}
CFDataRef SOSCCCopyInitialSyncData(SOSInitialSyncFlags flags, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return NULL;
}
secnotice("circleJoin", "enter SOSCCCopyInitialSyncData approver");
sec_trace_enter_api(NULL);
sec_trace_return_api(CFDataRef, ^{
do_if_registered(soscc_CopyInitialSyncData, flags, error);
return flags_to_data_error_request(kSecXPCOpCopyInitialSyncBlob, flags, error);
}, CFSTR("return=}
bool SOSCCJoinWithCircleJoiningBlob(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("hsa2PB", "enter SOSCCJoinWithCircleJoiningBlob applicant");
sec_trace_enter_api(NULL);
sec_trace_return_bool_api(^{
do_if_registered(soscc_JoinWithCircleJoiningBlob, joiningBlob, version, error);
return cfdata_and_int_error_request_returns_bool(kSecXPCOpJoinWithCircleJoiningBlob, joiningBlob, version, error);
}, NULL)
}
CFBooleanRef SOSCCPeersHaveViewsEnabled(CFArrayRef viewNames, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return FALSE;
}
secnotice("view-enabled", "enter SOSCCPeersHaveViewsEnabled");
sec_trace_enter_api(NULL);
sec_trace_return_api(CFBooleanRef, ^{
do_if_registered(soscc_SOSCCPeersHaveViewsEnabled, viewNames, error);
return cfarray_to_cfboolean_error_request(kSecXPCOpPeersHaveViewsEnabled, viewNames, error);
}, CFSTR("return=}
bool SOSCCMessageFromPeerIsPending(SOSPeerInfoRef peer, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
secnotice("pending-check", "enter SOSCCMessageFromPeerIsPending");
sec_trace_return_bool_api(^{
do_if_registered(soscc_SOSCCMessageFromPeerIsPending, peer, error);
return peer_info_to_bool_error_request(kSecXPCOpMessageFromPeerIsPending, peer, error);
}, NULL)
}
bool SOSCCSendToPeerIsPending(SOSPeerInfoRef peer, CFErrorRef *error) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return false;
}
sec_trace_return_bool_api(^{
do_if_registered(soscc_SOSCCSendToPeerIsPending, peer, error);
return peer_info_to_bool_error_request(kSecXPCOpSendToPeerIsPending, peer, error);
}, NULL)
}
/*
* SecSOSStatus interfaces
*/
@interface SecSOSStatus : NSObject {
NSXPCConnection* _connection;
}
@property NSXPCConnection *connection;
@end
@implementation SecSOSStatus
@synthesize connection = _connection;
- (instancetype) init
{
if ((self = [super init]) == NULL)
return NULL;
NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)];
_SOSControlSetupInterface(interface);
self.connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydSOSServiceName) options:0];
if (self.connection == NULL){
return NULL;
}
self.connection.remoteObjectInterface = interface;
[self.connection resume];
return self;
}
@end
static id<SOSControlProtocol>
SOSCCGetStatusObject(CFErrorRef *error)
{
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(error);
return nil;
}
if (gSecurityd && gSecurityd->soscc_status)
return (__bridge id<SOSControlProtocol>)gSecurityd->soscc_status();
static SecSOSStatus *control;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
control = [[SecSOSStatus alloc] init];
});
return control.connection.remoteObjectProxy;
}
static id<SOSControlProtocol>
SOSCCGetSynchronousStatusObject(CFErrorRef *cferror) {
IF_SOS_DISABLED {
secdebug("circleOps", "SOS disabled for this platform");
setSOSDisabledError(cferror);
return nil;
}
if (gSecurityd && gSecurityd->soscc_status)
return (__bridge id<SOSControlProtocol>)gSecurityd->soscc_status();
static SecSOSStatus *control;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
control = [[SecSOSStatus alloc] init];
});
__block NSError *localError = nil;
id <SOSControlProtocol> synchronousRemoteObject = [control.connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError *error) {
secnotice("ghostbust", "An error occurred on the xpc connection to setup the background session: if(error) {
localError = error;
}
}];
if(cferror && localError) {
*cferror = (__bridge CFErrorRef)(localError);
}
return synchronousRemoteObject;
}
void
SOSCCAccountGetPublicKey(void (^reply)(BOOL trusted, NSData *data, NSError *error))
{
CFErrorRef error = NULL;
id<SOSControlProtocol> status = SOSCCGetStatusObject(&error);
if (status == NULL) {
reply(false, NULL, (__bridge NSError *)error);
CFReleaseNull(error);
return;
}
[status userPublicKey:reply];
}
void
SOSCCAccountGetAccountPrivateCredential(void (^complete)(NSData *data, NSError *error))
{
CFErrorRef error = NULL;
id<SOSControlProtocol> status = SOSCCGetStatusObject(&error);
if (status == NULL) {
complete(NULL, (__bridge NSError *)error);
CFReleaseNull(error);
return;
}
[status validatedStashedAccountCredential:complete];
}
void
SOSCCAccountGetKeyCircleGeneration(void (^reply)(NSData *data, NSError *error))
{
SOSCCAccountGetPublicKey(^(BOOL __unused trusted, NSData *data, NSError *error){
if (data == NULL) {
reply(data, error);
} else {
NSMutableData *digest = [NSMutableData dataWithLength:CCSHA256_OUTPUT_SIZE];
ccdigest(ccsha256_di(), [data length], [data bytes], [digest mutableBytes]);
reply(digest, error);
}
});
}
NSString *
SOSCCCircleHash(NSError **error)
{
CFErrorRef cferror = NULL;
id<SOSControlProtocol> status = SOSCCGetSynchronousStatusObject(&cferror);
if (status == NULL) {
if (error) {
*error = (__bridge NSError *)cferror;
}
CFReleaseNull(cferror);
return NULL;
}
__block NSString *hash = NULL;
[status circleHash:^(NSString *circleHash, NSError *error) {
hash = circleHash;
}];
return hash;
}
void
SOSCCGhostBust(SOSAccountGhostBustingOptions options, void (^complete)(bool ghostsBusted, NSError *error)) {
CFErrorRef error = NULL;
id<SOSControlProtocol> status = SOSCCGetSynchronousStatusObject(&error);
if (status == NULL) {
complete(false, (__bridge NSError *)error);
CFReleaseNull(error);
return;
}
secnotice("ghostbust", "API Called");
[status ghostBust:options complete:^(bool ghostBusted, NSError *error) {
secnotice("ghostbust", "API returned: complete(ghostBusted, error);
}];
}
void SOSCCGhostBustTriggerTimed(SOSAccountGhostBustingOptions options, void (^complete)(bool ghostsBusted, NSError *error)) {
CFErrorRef error = NULL;
id<SOSControlProtocol> status = SOSCCGetSynchronousStatusObject(&error);
if (status == NULL) {
complete(false, (__bridge NSError *)error);
CFReleaseNull(error);
return;
}
secnotice("ghostbust", "API Trigger Timed Called");
[status ghostBustTriggerTimed:options complete:^(bool ghostBusted, NSError *error) {
secnotice("ghostbust", "API Trigger Timed returned: complete(ghostBusted, error);
}];
}
void SOSCCGhostBustInfo(void (^complete)(NSData *json, NSError *error)) {
CFErrorRef error = NULL;
id<SOSControlProtocol> status = SOSCCGetSynchronousStatusObject(&error);
if (status == NULL) {
complete(false, (__bridge NSError *)error);
CFReleaseNull(error);
return;
}
secnotice("ghostbust", "API Info Called");
[status ghostBustInfo:^(NSData *json, NSError *error) {
secnotice("ghostbust", "API Info returned");
complete(json, error);
}];
}