]> git.saurik.com Git - apple/security.git/blob - keychain/ot/OTControl.m
Security-59306.61.1.tar.gz
[apple/security.git] / keychain / ot / OTControl.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if __OBJC2__
25
26 #import <Foundation/NSXPCConnection_Private.h>
27 #import <xpc/xpc.h>
28
29 #import <Security/SecItemPriv.h>
30 #import <Security/SecXPCHelper.h>
31
32 #import "keychain/ot/OTClique.h"
33 #import "keychain/ot/OTControl.h"
34 #import "keychain/ot/OTDefines.h"
35 #import "keychain/ot/OTControlProtocol.h"
36 #import "keychain/ot/OctagonControlServer.h"
37
38 #include <security_utilities/debugging.h>
39
40 #if OCTAGON
41 #import <SecurityFoundation/SFKey.h>
42 #endif
43
44 @interface OTControl ()
45 @property NSXPCConnection *connection;
46 @property bool sync;
47 @end
48
49 @implementation OTControl
50
51 - (instancetype)initWithConnection:(NSXPCConnection*)connection sync:(bool)sync {
52 if(self = [super init]) {
53 _connection = connection;
54 _sync = sync;
55 }
56 return self;
57 }
58
59 - (void)dealloc {
60 [self.connection invalidate];
61 }
62
63 - (NSXPCConnection<OTControlProtocol>*)getConnection:(void (^)(NSError *error))handler
64 {
65 if(self.sync) {
66 return [self.connection synchronousRemoteObjectProxyWithErrorHandler: handler];
67 } else {
68 return [self.connection remoteObjectProxyWithErrorHandler: handler];
69 }
70 }
71
72 - (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID
73 reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error))reply
74 {
75 [[self getConnection: ^(NSError* error) {
76 reply(nil, nil, error);
77 }] restore:contextID dsid:dsid secret:secret escrowRecordID:escrowRecordID reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError *error) {
78 reply(signingKeyData, encryptionKeyData, error);
79 }];
80 }
81
82 -(void)reset:(void (^)(BOOL result, NSError* _Nullable error))reply
83 {
84 [[self getConnection: ^(NSError* error) {
85 reply(NO, error);
86 }] reset:^(BOOL result, NSError * _Nullable error) {
87 reply(result, error);
88 }];
89 }
90
91 - (void)signingKey:(void (^)(NSData* result, NSError* _Nullable error))reply
92 {
93 [self octagonSigningPublicKey:reply];
94 }
95
96 - (void)octagonSigningPublicKey:(nonnull void (^)(NSData * _Nullable, NSError * _Nullable))reply {
97 [[self getConnection: ^(NSError* error) {
98 reply(nil, error);
99 }] octagonSigningPublicKey:^(NSData *signingKey, NSError * _Nullable error) {
100 reply(signingKey, error);
101 }];
102
103 }
104
105 - (void)encryptionKey:(void (^)(NSData* result, NSError* _Nullable error))reply
106 {
107 [self octagonEncryptionPublicKey:reply];
108 }
109
110 - (void)octagonEncryptionPublicKey:(nonnull void (^)(NSData * _Nullable, NSError * _Nullable))reply
111 {
112 [[self getConnection: ^(NSError* error) {
113 reply(nil, error);
114 }] octagonEncryptionPublicKey:^(NSData *encryptionKey, NSError * _Nullable error) {
115 reply(encryptionKey, error);
116 }];
117 }
118
119 - (void)listOfRecords:(void (^)(NSArray* list, NSError* _Nullable error))reply
120 {
121 [self listOfEligibleBottledPeerRecords:reply];
122 }
123
124 - (void)listOfEligibleBottledPeerRecords:(nonnull void (^)(NSArray * _Nullable, NSError * _Nullable))reply
125 {
126 [[self getConnection: ^(NSError* error) {
127 reply(nil, error);
128 }] listOfEligibleBottledPeerRecords:^(NSArray *list, NSError * _Nullable error) {
129 reply(list, error);
130 }];
131
132 }
133
134 - (void)signIn:(NSString*)altDSID container:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
135 {
136 [[self getConnection: ^(NSError* error) {
137 reply(error);
138 }] signIn:altDSID container:container context:contextID reply:^(NSError * _Nullable error) {
139 reply(error);
140 }];
141 }
142
143 - (void)signOut:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
144 {
145 [[self getConnection: ^(NSError* error) {
146 reply(error);
147 }] signOut:container context:contextID reply:^(NSError * _Nullable error) {
148 reply(error);
149 }];
150 }
151
152 - (void)notifyIDMSTrustLevelChangeForContainer:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
153 {
154 [[self getConnection: ^(NSError* error) {
155 reply(error);
156 }] notifyIDMSTrustLevelChangeForContainer:container context:contextID reply:^(NSError * _Nullable error) {
157 reply(error);
158 }];
159 }
160
161 - (void)handleIdentityChangeForSigningKey:(SFECKeyPair* _Nonnull)peerSigningKey
162 ForEncryptionKey:(SFECKeyPair* _Nonnull)encryptionKey
163 ForPeerID:(NSString*)peerID
164 reply:(void (^)(BOOL result,
165 NSError* _Nullable error))reply
166 {
167 #if OCTAGON
168 [[self getConnection: ^(NSError* error) {
169 reply(NO, error);
170 }] handleIdentityChangeForSigningKey:peerSigningKey ForEncryptionKey:encryptionKey ForPeerID:peerID reply:^(BOOL result, NSError* _Nullable error) {
171 reply(result, error);
172 }];
173 #else
174 reply(NO, NULL);
175 #endif
176 }
177
178 - (void)rpcEpochWithConfiguration:(OTJoiningConfiguration*)config
179 reply:(void (^)(uint64_t epoch,
180 NSError * _Nullable error))reply
181 {
182 #if OCTAGON
183 [[self getConnection: ^(NSError* error) {
184 reply(0, error);
185 }] rpcEpochWithConfiguration:config reply:^(uint64_t epoch,
186 NSError * _Nullable error) {
187 reply(epoch, error);
188 }];
189 #else
190 reply(0, NULL);
191 #endif
192 }
193
194 - (void)rpcPrepareIdentityAsApplicantWithConfiguration:(OTJoiningConfiguration*)config
195 reply:(void (^)(NSString * _Nullable peerID,
196 NSData * _Nullable permanentInfo,
197 NSData * _Nullable permanentInfoSig,
198 NSData * _Nullable stableInfo,
199 NSData * _Nullable stableInfoSig,
200 NSError * _Nullable error))reply
201 {
202 #if OCTAGON
203 [[self getConnection: ^(NSError* error) {
204 reply(nil, nil, nil, nil, nil, error);
205 }] rpcPrepareIdentityAsApplicantWithConfiguration:config reply:^(NSString* pID, NSData* pI, NSData* piSig, NSData* si, NSData* siSig, NSError* e) {
206 reply(pID, pI, piSig, si, siSig, e);
207 }];
208 #else
209 reply(NULL, NULL, NULL, NULL, NULL, NULL);
210 #endif
211 }
212
213 - (void)rpcVoucherWithConfiguration:(OTJoiningConfiguration*)config
214 peerID:(NSString*)peerID
215 permanentInfo:(NSData *)permanentInfo
216 permanentInfoSig:(NSData *)permanentInfoSig
217 stableInfo:(NSData *)stableInfo
218 stableInfoSig:(NSData *)stableInfoSig
219 reply:(void (^)(NSData* voucher, NSData* voucherSig, NSError * _Nullable error))reply
220 {
221 #if OCTAGON
222 [[self getConnection: ^(NSError* error) {
223 reply(nil, nil, error);
224 }] rpcVoucherWithConfiguration:config peerID:peerID permanentInfo:permanentInfo permanentInfoSig:permanentInfoSig stableInfo:stableInfo stableInfoSig:stableInfoSig reply:^(NSData* voucher, NSData* voucherSig, NSError * _Nullable error) {
225 reply(voucher, voucherSig, error);
226 }];
227 #else
228 reply(NULL, NULL, NULL);
229 #endif
230 }
231
232 - (void)rpcJoinWithConfiguration:(OTJoiningConfiguration*)config
233 vouchData:(NSData*)vouchData
234 vouchSig:(NSData*)vouchSig
235 preapprovedKeys:(NSArray<NSData*>* _Nullable)preapprovedKeys
236 reply:(void (^)(NSError * _Nullable error))reply
237 {
238 #if OCTAGON
239 [[self getConnection: ^(NSError* error) {
240 reply(error);
241 }] rpcJoinWithConfiguration:config vouchData:vouchData vouchSig:vouchSig preapprovedKeys:preapprovedKeys reply:^(NSError* e) {
242 reply(e);
243 }];
244 #else
245 reply(NULL);
246 #endif
247 }
248
249 - (void)preflightBottledPeer:(NSString*)contextID
250 dsid:(NSString*)dsid
251 reply:(void (^)(NSData* _Nullable entropy,
252 NSString* _Nullable bottleID,
253 NSData* _Nullable signingPublicKey,
254 NSError* _Nullable error))reply
255 {
256 [[self getConnection: ^(NSError* error) {
257 reply(nil, nil, nil, error);
258 }] preflightBottledPeer:contextID dsid:dsid reply:^(NSData* _Nullable entropy,
259 NSString* _Nullable bottleID,
260 NSData* _Nullable signingPublicKey,
261 NSError* _Nullable error) {
262 reply(entropy, bottleID, signingPublicKey, error);
263 }];
264 }
265
266 - (void)launchBottledPeer:(NSString*)contextID
267 bottleID:(NSString*)bottleID
268 reply:(void (^ _Nullable)(NSError* _Nullable))reply
269 {
270 [[self getConnection: ^(NSError* error) {
271 reply(error);
272 }] launchBottledPeer:contextID bottleID:bottleID reply:^(NSError * _Nullable error) {
273 reply(error);
274 }];
275 }
276
277 - (void)scrubBottledPeer:(NSString*)contextID
278 bottleID:(NSString*)bottleID
279 reply:(void (^ _Nullable)(NSError* _Nullable))reply
280 {
281 [[self getConnection: ^(NSError* error) {
282 reply(error);
283 }] scrubBottledPeer:contextID bottleID:bottleID reply:reply];
284 }
285
286 - (void)status:(NSString* _Nullable)container
287 context:(NSString*)context
288 reply:(void (^)(NSDictionary* _Nullable result, NSError* _Nullable error))reply
289 {
290 [[self getConnection: ^(NSError* error) {
291 reply(nil, error);
292 }] status:container context:context reply:reply];
293 }
294
295 - (void)fetchEgoPeerID:(NSString* _Nullable)container
296 context:(NSString*)context
297 reply:(void (^)(NSString* _Nullable peerID, NSError* _Nullable error))reply
298 {
299 [[self getConnection: ^(NSError* error) {
300 reply(nil, error);
301 }] fetchEgoPeerID:container context:context reply:reply];
302 }
303
304 - (void)fetchCliqueStatus:(NSString* _Nullable)container
305 context:(NSString*)context
306 configuration:(OTOperationConfiguration*)configuration
307 reply:(void (^)(CliqueStatus cliqueStatus, NSError* _Nullable error))reply
308 {
309 [[self getConnection: ^(NSError* error) {
310 reply(CliqueStatusError, error);
311 }] fetchCliqueStatus:container context:context configuration:configuration reply:reply];
312 }
313
314 - (void)fetchTrustStatus:(NSString* _Nullable)container
315 context:(NSString*)context
316 configuration:(OTOperationConfiguration *)configuration
317 reply:(void (^)(CliqueStatus status, NSString* peerID, NSNumber * _Nullable numberOfOctagonPeers, BOOL isExcluded, NSError * _Nullable error))reply
318 {
319 [[self getConnection: ^(NSError* error) {
320 reply(CliqueStatusError, false, NULL, false, error);
321 }] fetchTrustStatus:container context:context configuration:configuration reply:reply];
322 }
323
324 - (void)startOctagonStateMachine:(NSString* _Nullable)container
325 context:(NSString*)context
326 reply:(void (^)(NSError* _Nullable error))reply
327 {
328 [[self getConnection: ^(NSError* error) {
329 reply(error);
330 }] startOctagonStateMachine:container context:context reply:reply];
331 }
332
333 - (void)resetAndEstablish:(NSString* _Nullable)container
334 context:(NSString*)context
335 altDSID:(NSString*)altDSID
336 resetReason:(CuttlefishResetReason)resetReason
337 reply:(void (^)(NSError* _Nullable error))reply
338 {
339 [[self getConnection: ^(NSError* error) {
340 reply(error);
341 }] resetAndEstablish:container context:context altDSID:altDSID resetReason:resetReason reply:reply];
342 }
343
344 - (void)establish:(NSString* _Nullable)container
345 context:(NSString*)context
346 altDSID:(NSString*)altDSID
347 reply:(void (^)(NSError* _Nullable error))reply
348 {
349 [[self getConnection: ^(NSError* error) {
350 reply(error);
351 }] establish:container context:context altDSID:altDSID reply:reply];
352 }
353
354 - (void)leaveClique:(NSString* _Nullable)container
355 context:(NSString*)context
356 reply:(void (^)(NSError* _Nullable error))reply
357 {
358 [[self getConnection: ^(NSError* error) {
359 reply(error);
360 }] leaveClique:container context:context reply:reply];
361 }
362
363 - (void)removeFriendsInClique:(NSString* _Nullable)container
364 context:(NSString*)context
365 peerIDs:(NSArray<NSString*>*)peerIDs
366 reply:(void (^)(NSError* _Nullable error))reply
367 {
368 [[self getConnection: ^(NSError* error) {
369 reply(error);
370 }] removeFriendsInClique:container context:context peerIDs:peerIDs reply:reply];
371 }
372
373 - (void)peerDeviceNamesByPeerID:(NSString* _Nullable)container
374 context:(NSString*)context
375 reply:(void (^)(NSDictionary<NSString*, NSString*>* _Nullable peers, NSError* _Nullable error))reply
376 {
377 [[self getConnection: ^(NSError* error) {
378 reply(nil, error);
379 }] peerDeviceNamesByPeerID:container context:context reply:reply];
380 }
381
382 - (void)fetchAllViableBottles:(NSString* _Nullable)container
383 context:(NSString*)context
384 reply:(void (^)(NSArray<NSString*>* _Nullable sortedBottleIDs, NSArray<NSString*> * _Nullable sortedPartialBottleIDs, NSError* _Nullable error))reply
385 {
386 [[self getConnection:^(NSError *error) {
387 reply(nil, nil, error);
388 }] fetchAllViableBottles:container context:context reply:reply];
389 }
390
391 -(void)restore:(NSString* _Nullable)containerName
392 contextID:(NSString *)contextID
393 bottleSalt:(NSString *)bottleSalt
394 entropy:(NSData *)entropy
395 bottleID:(NSString *)bottleID
396 reply:(void (^)(NSError * _Nullable))reply
397 {
398 [[self getConnection:^(NSError *error) {
399 reply(error);
400 }] restore:containerName contextID:contextID bottleSalt:bottleSalt entropy:entropy bottleID:bottleID reply:reply];
401 }
402
403 - (void)fetchEscrowContents:(NSString* _Nullable)containerName
404 contextID:(NSString *)contextID
405 reply:(void (^)(NSData* _Nullable entropy,
406 NSString* _Nullable bottleID,
407 NSData* _Nullable signingPublicKey,
408 NSError* _Nullable error))reply
409 {
410 [[self getConnection:^(NSError *error) {
411 reply(nil, nil, nil, error);
412 }] fetchEscrowContents:containerName contextID:contextID reply:reply];
413 }
414
415 - (void) createRecoveryKey:(NSString* _Nullable)containerName
416 contextID:(NSString *)contextID
417 recoveryKey:(NSString *)recoveryKey
418 reply:(void (^)( NSError * error))reply
419 {
420 [[self getConnection:^(NSError *error) {
421 reply(error);
422 }] createRecoveryKey:containerName contextID:contextID recoveryKey:recoveryKey reply:reply];
423 }
424
425 - (void) joinWithRecoveryKey:(NSString* _Nullable)containerName
426 contextID:(NSString *)contextID
427 recoveryKey:(NSString*)recoveryKey
428 reply:(void (^)(NSError * _Nullable))reply
429 {
430 [[self getConnection:^(NSError *error) {
431 reply(error);
432 }] joinWithRecoveryKey:containerName contextID:contextID recoveryKey:recoveryKey reply:reply];
433 }
434
435 - (void)healthCheck:(NSString *)container
436 context:(NSString *)context
437 skipRateLimitingCheck:(BOOL)skipRateLimitingCheck
438 reply:(void (^)(NSError *_Nullable error))reply
439 {
440 [[self getConnection: ^(NSError* error) {
441 reply(error);
442 }] healthCheck:container context:context skipRateLimitingCheck:skipRateLimitingCheck reply:reply];
443 }
444
445 - (void)attemptSosUpgrade:(NSString* _Nullable)container
446 context:(NSString*)context
447 reply:(void (^)(NSError* _Nullable error))reply
448 {
449 [[self getConnection: ^(NSError* error) {
450 reply(error);
451 }] attemptSosUpgrade:container context:context reply:reply];
452 }
453
454 - (void)waitForOctagonUpgrade:(NSString* _Nullable)container
455 context:(NSString*)context
456 reply:(void (^)(NSError* _Nullable error))reply
457 {
458 [[self getConnection: ^(NSError* error) {
459 reply(error);
460 }] waitForOctagonUpgrade:container context:context reply:reply];
461 }
462
463 - (void)postCDPFollowupResult:(BOOL)success
464 type:(OTCliqueCDPContextType)type
465 error:(NSError * _Nullable)error
466 containerName:(NSString* _Nullable)containerName
467 contextName:(NSString *)contextName
468 reply:(void (^)(NSError* _Nullable error))reply
469 {
470 [[self getConnection: ^(NSError* connectionError) {
471 reply(connectionError);
472 }] postCDPFollowupResult:success type:type error:[SecXPCHelper cleanseErrorForXPC:error] containerName:containerName contextName:contextName reply:reply];
473 }
474
475 - (void)tapToRadar:(NSString *)action
476 description:(NSString *)description
477 radar:(NSString *)radar
478 reply:(void (^)(NSError* _Nullable error))reply
479 {
480 [[self getConnection: ^(NSError* connectionError) {
481 reply(connectionError);
482 }] tapToRadar:action description:description radar:radar reply:reply];
483 }
484
485 + (OTControl*)controlObject:(NSError* __autoreleasing *)error {
486 return [OTControl controlObject:false error:error];
487 }
488
489 + (OTControl*)controlObject:(bool)sync error:(NSError**)error
490 {
491 NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydOctagonServiceName) options:0];
492
493 if (connection == nil) {
494 if(error) {
495 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecInternalError userInfo:@{NSLocalizedDescriptionKey: @"Couldn't create connection (no reason given)"}];
496 }
497 return nil;
498 }
499
500 NSXPCInterface *interface = OTSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(OTControlProtocol)]);
501 connection.remoteObjectInterface = interface;
502 [connection resume];
503
504 OTControl* c = [[OTControl alloc] initWithConnection:connection sync:sync];
505 return c;
506 }
507
508 @end
509
510 #endif // __OBJC2__