1  /*
  2   * Copyright (c) 2015 Apple Inc. All Rights Reserved.
  3   *
  4   * @APPLE_LICENSE_HEADER_START@
  5   *
  6   * This file contains Original Code and/or Modifications of Original Code
  7   * as defined in and that are subject to the Apple Public Source License
  8   * Version 2.0 (the 'License'). You may not use this file except in
  9   * compliance with the License. Please obtain a copy of the License at
 10   * http://www.opensource.apple.com/apsl/ and read it before using this
 11   * file.
 12   *
 13   * The Original Code and all software distributed under the License are
 14   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 15   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 16   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 17   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 18   * Please see the License for the specific language governing rights and
 19   * limitations under the License.
 20   *
 21   * @APPLE_LICENSE_HEADER_END@
 22   */
 23  
 24  #include "keychain/securityd/SecItemBackupServer.h"
 25  #include "keychain/securityd/SecItemServer.h"
 26  #include "keychain/SecureObjectSync/SOSEnginePriv.h"
 27  #include "keychain/SecureObjectSync/SOSPeer.h"
 28  #include <Security/SecureObjectSync/SOSBackupSliceKeyBag.h>
 29  #include <Security/SecureObjectSync/SOSViews.h>
 30  #include <unistd.h>
 31  
 32  #include "keychain/securityd/SecDbItem.h"
 33  #include <utilities/der_plist.h>
 34  
 35  static bool withDataSourceAndEngine(CFErrorRef *error, void (^action)(SOSDataSourceRef ds, SOSEngineRef engine)) {
 36      bool ok = false;
 37      SOSDataSourceFactoryRef dsf = SecItemDataSourceFactoryGetDefault();
 38      SOSDataSourceRef ds = SOSDataSourceFactoryCreateDataSource(dsf, kSecAttrAccessibleWhenUnlocked, error);
 39      if (ds) {
 40          SOSEngineRef engine = SOSDataSourceGetSharedEngine(ds, error);
 41          if (engine) {
 42              action(ds, engine);
 43              ok = true;
 44          }
 45          ok &= SOSDataSourceRelease(ds, error);
 46      }
 47      return ok;
 48  }
 49  
 50  int SecServerItemBackupHandoffFD(CFStringRef backupName, CFErrorRef *error) {
 51      __block int fd = -1;
 52      if (!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
 53          SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) {
 54              fd = SOSPeerHandoffFD(peer, error);
 55          });
 56      }) && fd >= 0) {
 57          close(fd);
 58          fd = -1;
 59      }
 60      return fd;
 61  }
 62  
 63  bool SecServerItemBackupSetConfirmedManifest(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifestData, CFErrorRef *error) {
 64      __block bool ok = true;
 65      ok &= withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
 66          ok = SOSEngineSetPeerConfirmedManifest(engine, backupName, keybagDigest, manifestData, error);
 67      });
 68      return ok;
 69  }
 70  
 71  CFArrayRef SecServerItemBackupCopyNames(CFErrorRef *error) {
 72      __block CFArrayRef names = NULL;
 73      if (!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
 74          names = SOSEngineCopyBackupPeerNames(engine, error);
 75      })) {
 76          CFReleaseNull(names);
 77      }
 78      return names;
 79  }
 80  
 81  CFStringRef SecServerItemBackupEnsureCopyView(CFStringRef viewName, CFErrorRef *error) {
 82      __block CFStringRef name = NULL;
 83      if(!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
 84          name = SOSEngineEnsureCopyBackupPeerForView(engine, viewName, error);
 85      })) {
 86          CFReleaseNull(name);
 87      }
 88      return name;
 89  }
 90  
 91  // TODO Move to datasource and remove dsRestoreObject
 92  static bool SOSDataSourceWithBackup(SOSDataSourceRef ds, CFDataRef backup, keybag_handle_t bag_handle, CFErrorRef *error, void(^with)(SOSObjectRef item)) {
 93      __block bool ok = true;
 94      CFPropertyListRef plist = CFPropertyListCreateWithDERData(kCFAllocatorDefault, backup, kCFPropertyListImmutable, NULL, error);
 95      CFDictionaryRef bdict = asDictionary(plist, error);
 96      ok = (bdict != NULL);
 97      if (ok) CFDictionaryForEach(bdict, ^(const void *key, const void *value) {
 98          CFStringRef className = asString(key, error);
 99          if (className) {
100              const SecDbClass *cls = kc_class_with_name(className);
101              if (cls) {
102                  CFArrayRef items = asArray(value, error);
103                  CFDataRef edata;
104                  if (items) CFArrayForEachC(items, edata) {
105                      SOSObjectRef item = (SOSObjectRef)SecDbItemCreateWithEncryptedData(kCFAllocatorDefault, cls, edata, bag_handle, error);
106                      if (item) {
107                          with(item);
108                          CFRelease(item);
109                      } else {
110                          ok = false;
111                      }
112                  } else {
113                      ok = false;
114                  }
115              } else {
116                  ok &= SecError(errSecDecode, error, CFSTR("bad class %@ in backup"), className);
117              }
118          } else {
119              ok = false;
120          }
121      });
122      CFReleaseSafe(plist);
123      return ok;
124  }
125  
126  bool SecServerItemBackupRestore(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error) {
127      // TODO: Decrypt and merge items in backup to dataSource
128  
129      __block bool ok = false; // return false if the bag_handle code fails.
130      CFDataRef aksKeybag = NULL;
131      CFMutableSetRef viewSet = NULL;
132      SOSBackupSliceKeyBagRef backupSliceKeyBag = NULL;
133      keybag_handle_t bag_handle = bad_keybag_handle;
134  
135      require(asData(secret, error), xit);
136      require(backupSliceKeyBag = SOSBackupSliceKeyBagCreateFromData(kCFAllocatorDefault, keybag, error), xit);
137  
138      if (peerID) {
139          bag_handle = SOSBSKBLoadAndUnlockWithPeerIDAndSecret(backupSliceKeyBag, peerID, secret, error);
140      } else {
141          if (SOSBSKBIsDirect(backupSliceKeyBag)) {
142              bag_handle = SOSBSKBLoadAndUnlockWithDirectSecret(backupSliceKeyBag, secret, error);
143          } else {
144              bag_handle = SOSBSKBLoadAndUnlockWithWrappingSecret(backupSliceKeyBag, secret, error);
145          }
146      }
147      require(bag_handle != bad_keybag_handle, xit);
148  
149      // TODO: How do we know which views we are allow to restore
150      //viewSet = SOSAccountCopyRestorableViews();
151  
152      ok = true; // Start from original code start point - otherwise begin in this nest of stuff
153      ok &= withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
154          ok &= SOSDataSourceWith(ds, error, ^(SOSTransactionRef txn, bool *commit) {
155              ok &= SOSDataSourceWithBackup(ds, backup, bag_handle, error, ^(SOSObjectRef item) {
156                  //if (SOSDataSourceIsInViewSet(item, viewSet)) {
157                      SOSObjectRef mergedItem = NULL;
158                      if (SOSDataSourceMergeObject(ds, txn, item, &mergedItem, error)) {
159                          // if mergedItem == item then it was restored otherwise it was rejected by the conflict resolver.
160                          CFReleaseSafe(mergedItem);
161                      }
162                  //}
163              });
164          });
165      });
166  
167  xit:
168      if (bag_handle != bad_keybag_handle)
169          ok &= ks_close_keybag(bag_handle, error);
170  
171      CFReleaseSafe(backupSliceKeyBag);
172      CFReleaseSafe(aksKeybag);
173      CFReleaseSafe(viewSet);
174  
175      return ok;
176  }
177  
178  
179  
180