Keychain fixes

Author: TaeHagen

Cargo.lock

@@ -20,7 +20,7 @@ regex = "1.9.3"
 tokio-rustls = "0.24.1"
 rustls = "0.21.6"
 rustls-pemfile = "1.0.3"
-rand = "0.8.5"
+rand = { version = "0.8.5", features = ["min_const_gen"] }
 libflate = "2.0.0"
 thiserror = "1.0.47"
 async-recursion = "1.0.4"

Cargo.toml

@@ -731,7 +731,7 @@ impl<P: AnisetteProvider> CircleClientSession<P> {
             return Err(PushError::WrongStep(request.step))
         }
 
-        let step2: CircleStep1 = rasn::der::decode(&base64_decode(request.pake.as_ref().unwrap())).expect("failed to decode circlestep1");
+        let step2: CircleStep1 = rasn::der::decode(&base64_decode(request.pake.as_ref().expect("No Pake!"))).expect("failed to decode circlestep1");
         let body: CircleStep1Body = rasn::der::decode(step2.body.as_ref()).expect("failed to decode circlestep1body");
 
         let verifier: SrpClientVerifier<Sha256> = self.srp_client
@@ -758,6 +758,10 @@ impl<P: AnisetteProvider> CircleClientSession<P> {
 
     pub async fn handle_circle_request(&mut self, request: &IdmsCircleMessage) -> Result<Option<LoginState>, PushError> {
         if let Some(ec) = &request.ec {
+            if *ec == -9003 {
+                // bad password
+                return Err(PushError::Bad2FaCode);
+            }
             return Err(PushError::IdmsCircleError(*ec))
         }
         let Some(pake) = &request.pake else { return Err(PushError::IdmsCircleError(50)) };

src/auth.rs

@@ -186,41 +186,50 @@ impl CloudKitOp for SaveRecordOperation {
 }
 
 impl SaveRecordOperation {
-    pub fn new<R: CloudKitRecord>(id: RecordIdentifier, record: R, key: Option<&PCSKeys>, update: bool) -> Self {
-        let mut pcs_key_id: Option<Vec<u8>> = None;
-        let mut protection_info: Option<ProtectionInfo> = None;
-        let mut pcs_key: Option<PCSKey> = None;
-
-        if let Some(key) = key {
-            if let Some(global) = &key.default_record_key {
-                pcs_key_id = Some(global.key_id().unwrap()[..4].to_vec());
-                pcs_key = Some(global.clone());
-            } else {
-                // create a key for this record
-                let record_protection = PCSShareProtection::create(&key.zone_keys[0], &[]).unwrap();
-                let der = rasn::der::encode(&record_protection).unwrap();
-                protection_info = Some(ProtectionInfo { 
-                    protection_info_tag: Some(encode_hex(&sha1(&der)).to_uppercase()),
-                    protection_info: Some(der), 
-                });
-            }
-        }
+    // new with a *custom* record protection entry
+    pub fn new_protected<R: CloudKitRecord>(id: RecordIdentifier, record: R, key: &PCSKeys, update: Option<String>) -> (Self, String) {
+        // create a key for this record
+        let record_protection = PCSShareProtection::create(&key.zone_keys[0], &[]).unwrap();
+        let der = rasn::der::encode(&record_protection).unwrap();
+        let tag = encode_hex(&sha1(&der)).to_uppercase();
+        let protection_info = Some(ProtectionInfo { 
+            protection_info_tag: Some(tag.clone()),
+            protection_info: Some(der), 
+        });
+        let pcs_key = key.decode_record_protection(protection_info.as_ref().unwrap()).expect("Failed to decode record protection");
+
+        (Self(cloudkit_proto::RecordSaveRequest {
+            record: Some(cloudkit_proto::Record {
+                record_identifier: Some(id.clone()),
+                r#type: Some(cloudkit_proto::record::Type {
+                    name: Some(R::record_type().to_string())
+                }),
+                record_field: record.to_record_encrypted(Some((&pcs_key, &id))),
+                protection_info,
+                ..Default::default()
+            }),
+            merge: Some(true),
+            save_semantics: Some(if update.is_some() { 3 } else { 2 }),
+            record_protection_info_tag: update,
+            zone_protection_info_tag: key.zone_protection_tag.clone(),
+        }), tag)
+    }
 
+    pub fn new<R: CloudKitRecord>(id: RecordIdentifier, record: R, key: Option<&PCSKeys>, update: bool) -> Self {
         Self(cloudkit_proto::RecordSaveRequest {
             record: Some(cloudkit_proto::Record {
                 record_identifier: Some(id.clone()),
                 r#type: Some(cloudkit_proto::record::Type {
                     name: Some(R::record_type().to_string())
                 }),
-                record_field: record.to_record_encrypted(pcs_key.as_ref().map(|k| (k, &id))),
-                pcs_key: pcs_key_id,
-                protection_info,
+                record_field: record.to_record_encrypted(key.map(|k| (k.default_record_key.as_ref().expect("No default record key?"), &id))),
+                pcs_key: key.map(|k| k.default_record_key.as_ref().expect("No default record key?").key_id().unwrap()[..4].to_vec()),
                 ..Default::default()
             }),
             merge: Some(true),
             save_semantics: Some(if update { 3 } else { 2 }),
-            record_protection_info_tag: None,
-            zone_protection_info_tag: None,
+            record_protection_info_tag: key.and_then(|k| k.record_prot_tag.clone()),
+            zone_protection_info_tag: key.and_then(|k| k.zone_protection_tag.clone()),
         })
     }
 }
@@ -469,6 +478,15 @@ impl FetchRecordChangesOperation {
     }
 }
 
+pub fn should_reset(error: Option<&PushError>) -> bool {
+    matches!(error, Some(PushError::CloudKitError(cloudkit_proto::response_operation::Result { error: Some(cloudkit_proto::response_operation::result::Error {
+            client_error: Some(cloudkit_proto::response_operation::result::error::Client {
+                r#type: Some(errortype)
+            }),
+            ..
+        }), .. })) if *errortype == cloudkit_proto::response_operation::result::error::client::Code::FullResetNeeded as i32)
+}
+
 pub struct FunctionInvokeOperation(pub cloudkit_proto::FunctionInvokeRequest);
 impl CloudKitOp for FunctionInvokeOperation {
     type Response = Vec<u8>;
@@ -749,16 +767,12 @@ pub struct QueryResult<T: CloudKitRecord> {
 #[derive(Clone)]
 pub struct PCSKeys {
     zone_keys: Vec<CompactECKey<Private>>,
+    zone_protection_tag: Option<String>,
     default_record_key: Option<PCSKey>,
+    pub record_prot_tag: Option<String>,
 }
 
 impl PCSKeys {
-    fn new(keys: Vec<CompactECKey<Private>>) -> Self {
-        Self {
-            zone_keys: keys,
-            default_record_key: None,
-        }
-    }
 
     fn decode_record_protection(&self, protection: &ProtectionInfo) -> Result<PCSKey, PushError> {
         let record_protection: PCSShareProtection = rasn::der::decode(protection.protection_info()).expect("Bad record protection?");
@@ -837,8 +851,15 @@ impl<'t, T: AnisetteProvider> CloudKitOpenContainer<'t, T> {
 
         let (_parent_key, keys) = zone_protection.decrypt_with_keychain(&data, pcs_service)?;
 
-        let mut keys = PCSKeys::new(keys);
-        
+        let mut keys = PCSKeys {
+            zone_keys: keys,
+            zone_protection_tag: zone.protection_info.as_ref().unwrap().protection_info_tag.clone(),
+            default_record_key: None,
+            record_prot_tag: if let Some(record_protection_info) = &zone.record_protection_info {
+                record_protection_info.protection_info_tag.clone()
+            } else { None },
+        };
+
         if let Some(record_protection_info) = &zone.record_protection_info {
             keys.default_record_key = Some(keys.decode_record_protection(record_protection_info)?);
         }

src/cloudkit.rs

@@ -175,4 +175,6 @@ pub enum PushError {
     ShareKeyNotFound,
     #[error("BatchError {0}")]
     BatchError(Arc<PushError>),
+    #[error("Invalid 2fa code!")]
+    Bad2FaCode,
 }

src/error.rs

@@ -2,7 +2,7 @@ use std::{collections::{BTreeMap, HashMap}, io::{Cursor, Read}, sync::Arc};
 
 use aes_gcm::{AesGcm, Nonce};
 use cloudkit_derive::CloudKitRecord;
-use cloudkit_proto::{ot_bottle::OtAuthenticatedCiphertext, record::{reference, Field, Reference}, request_operation::header::IsolationLevel, view_keys::ViewKey, Bottle, CloudKitRecord, CuttlefishChange, CuttlefishChanges, CuttlefishEstablshRequest, CuttlefishFetchChangesRequest, CuttlefishFetchChangesResponse, CuttlefishFetchRecoverableTlkSharesRequest, CuttlefishFetchRecoverableTlkSharesResponse, CuttlefishFetchViableBottleRequest, CuttlefishFetchViableBottleResponse, CuttlefishJoinWithVoucherRequest, CuttlefishJoinWithVoucherResponse, CuttlefishPeer, CuttlefishResetRequest, CuttlefishResetResponse, CuttlefishSerializedKey, CuttlefishUpdateTrustRequest, CuttlefishUpdateTrustResponse, EscrowData, EscrowMeta, FunctionInvokeResponse, OtBottle, OtInternalBottle, OtPrivateKey, PeerDynamicInfo, PeerPermanentInfo, PeerStableInfo, Record, RecordZoneIdentifier, ResponseOperation, SignedInfo, TlkShare, ViewKeys, Voucher};
+use cloudkit_proto::{ot_bottle::OtAuthenticatedCiphertext, record::{reference, Field, Reference}, request_operation::header::IsolationLevel, response_operation, view_keys::ViewKey, Bottle, CloudKitRecord, CuttlefishChange, CuttlefishChanges, CuttlefishEstablshRequest, CuttlefishFetchChangesRequest, CuttlefishFetchChangesResponse, CuttlefishFetchRecoverableTlkSharesRequest, CuttlefishFetchRecoverableTlkSharesResponse, CuttlefishFetchViableBottleRequest, CuttlefishFetchViableBottleResponse, CuttlefishJoinWithVoucherRequest, CuttlefishJoinWithVoucherResponse, CuttlefishPeer, CuttlefishResetRequest, CuttlefishResetResponse, CuttlefishSerializedKey, CuttlefishUpdateTrustRequest, CuttlefishUpdateTrustResponse, EscrowData, EscrowMeta, FunctionInvokeResponse, OtBottle, OtInternalBottle, OtPrivateKey, PeerDynamicInfo, PeerPermanentInfo, PeerStableInfo, Record, RecordZoneIdentifier, ResponseOperation, SignedInfo, TlkShare, ViewKeys, Voucher};
 use deku::{DekuContainerWrite, DekuRead, DekuUpdate, DekuWrite};
 use hkdf::Hkdf;
 use icloud_auth::AppleAccount;
@@ -25,7 +25,7 @@ use aes_gcm::KeyInit;
 use aes_siv::{siv::CmacSiv, Aes256SivAead};
 
 use cloudkit_proto::CuttlefishEstablishResponse;
-use crate::{cloudkit::{record_identifier, SaveRecordOperation, ZoneDeleteOperation, ZoneSaveOperation}, pcs::PCSKey};
+use crate::{cloudkit::{record_identifier, should_reset, SaveRecordOperation, ZoneDeleteOperation, ZoneSaveOperation}, pcs::PCSKey};
 use aes::{cipher::{consts::{U12, U16, U32}, Unsigned}, Aes128, Aes256};
 use sha2::{digest::FixedOutputReset, Digest, Sha256, Sha384};
 use srp::{client::{SrpClient, SrpClientVerifier}, groups::G_2048, server::SrpServer};
@@ -1048,16 +1048,36 @@ impl<P: AnisetteProvider> KeychainClient<P> {
     }
 
     pub async fn is_in_clique(&self) -> bool {
-        let _ = self.sync_changes().await;
+        let _ = self.sync_trust().await;
         self.state.read().await.user_identity.as_ref().map(|u| u.is_in_clique()).unwrap_or(false)
     }
 
-    pub async fn sync_changes(&self) -> Result<(), PushError> {
-        info!("Syncing changes!");
+    async fn sync_changes(&self) -> Result<(), PushError> {
         let token = self.state.read().await.state_token.clone();
-        let CuttlefishFetchChangesResponse { changes: Some(changes) } = self.invoke_cuttlefish("fetchChanges", CuttlefishFetchChangesRequest {
+
+        let result = self.invoke_cuttlefish("fetchChanges", CuttlefishFetchChangesRequest {
             sync_token: token
-        }).await? else { return Ok(()) };
+        }).await;
+        let changes: CuttlefishFetchChangesResponse = match result {
+            Ok(changes) => changes,
+            Err(PushError::CloudKitError(e)) => {
+                info!("result {e:?}");
+                if matches!(&e.error, Some(error) if error.error_description() == ".changeTokenExpired") {
+                    info!("Change token reset, locking");
+                    // someone reset our clique...
+                    let mut lock = self.state.write().await;
+                    info!("Change token reset, locked");
+                    lock.state_token = None;
+                    lock.state.clear();
+                    self.invoke_cuttlefish("fetchChanges", CuttlefishFetchChangesRequest {
+                        sync_token: None
+                    }).await?
+                } else { return Err(PushError::CloudKitError(e)) }
+            }
+            Err(e) => return Err(e),
+        };
+
+        let CuttlefishFetchChangesResponse { changes: Some(changes) } = changes else { return Ok(()) };
 
         let mut state = self.state.write().await;
         self.apply_changes(changes, &mut state);
@@ -1136,9 +1156,16 @@ impl<P: AnisetteProvider> KeychainClient<P> {
         let security_container = self.get_security_container().await?;
 
         let mut state = self.state.write().await;
-        let item = security_container.perform_operations_checked(&CloudKitSession::new(), 
+        let mut result = security_container.perform_operations_checked(&CloudKitSession::new(), 
             &zones.iter().map(|zone| FetchRecordChangesOperation::new(security_container.private_zone(zone.to_string()), 
-                state.items.get(*zone).and_then(|z| z.change_tag.clone()).map(|z| z.into()), &ALL_ASSETS)).collect::<Vec<_>>(), IsolationLevel::Zone).await?;
+                state.items.get(*zone).and_then(|z| z.change_tag.clone()).map(|z| z.into()), &ALL_ASSETS)).collect::<Vec<_>>(), IsolationLevel::Zone).await;
+        if should_reset(result.as_ref().err()) {
+            state.items.clear();
+            result = security_container.perform_operations_checked(&CloudKitSession::new(), 
+                &zones.iter().map(|zone| FetchRecordChangesOperation::new(security_container.private_zone(zone.to_string()), 
+                    state.items.get(*zone).and_then(|z| z.change_tag.clone()).map(|z| z.into()), &ALL_ASSETS)).collect::<Vec<_>>(), IsolationLevel::Zone).await;
+        }
+        let item = result?;
 
         let state = &mut *state;
 
@@ -1291,6 +1318,16 @@ impl<P: AnisetteProvider> KeychainClient<P> {
         info!("Syncing trust!");
 
         let mut state = self.state.write().await;
+
+        if !state.state.contains_key(&state.user_identity.as_ref().unwrap().identifier) {
+            info!("We are not in the clique!");
+            state.user_identity.as_mut().unwrap().current_state = PeerDynamicInfo {
+                clock: Some(0),
+                ..Default::default()
+            };
+            return Ok(());
+        }
+
         if self.fast_forward_trust(&mut state)? {
             let identity = state.user_identity.as_ref().unwrap();
             if let CuttlefishUpdateTrustResponse { changes: Some(changes) } = self.invoke_cuttlefish("updateTrust", CuttlefishUpdateTrustRequest {
@@ -1784,9 +1821,14 @@ impl<P: AnisetteProvider> KeychainClient<P> {
         let machine_id = anisette_lock.get_headers().await?.get("X-Apple-I-MD-M").unwrap().clone();
         drop(anisette_lock);
 
-        // TODO: delete old bottles
-        // self.delete(&format!("com.apple.icdp.record.{}", user_identity_ref.identifier.clone())).await?;
-        self.enroll(password, &bottle_label, &machine_id, &escrow_bottle.timestamp, bottle_id, escrowed_signing_key, &plist_to_bin(&escrow_bottle)?).await?;
+        if let Err(e) = self.enroll(password, &bottle_label, &machine_id, &escrow_bottle.timestamp, bottle_id.clone(), escrowed_signing_key.clone(), &plist_to_bin(&escrow_bottle)?).await {
+            if let PushError::EscrowError(_) = &e {
+                self.delete(&bottle_label).await?;
+                self.enroll(password, &bottle_label, &machine_id, &escrow_bottle.timestamp, bottle_id, escrowed_signing_key, &plist_to_bin(&escrow_bottle)?).await?;
+            } else {
+                return Err(e)
+            }
+        }
 
         Ok(bottle)
     }

src/keychain.rs

@@ -50,7 +50,19 @@ impl RelayConfig {
             data = data.header("X-Beeper-Access-Token", token.clone());
         }
 
-        let result: VersionsResp = data.send().await?.json().await?;
+        let result = data.send().await?;
+
+        match result.status().as_u16() {
+            200 => {},
+            404 => {
+                return Err(PushError::DeviceNotFound)
+            },
+            _status => {
+                return Err(PushError::RelayError(_status, result.text().await?))
+            }
+        }
+
+        let result: VersionsResp = result.json().await?;
 
         Ok(result.versions)
     }