2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #import <Foundation/NSXPCConnection_Private.h>
29 #import <Security/SecItemPriv.h>
30 #import <Security/SecXPCHelper.h>
32 #import "keychain/ot/OTClique.h"
33 #import "keychain/ot/OTControl.h"
34 #import "keychain/ot/OTDefines.h"
35 #import "keychain/ot/OTControlProtocol.h"
36 #import "keychain/ot/OctagonControlServer.h"
38 #include <security_utilities/debugging.h>
41 #import <SecurityFoundation/SFKey.h>
44 @interface OTControl ()
45 @property NSXPCConnection *connection;
49 @implementation OTControl
51 - (instancetype)initWithConnection:(NSXPCConnection*)connection sync:(bool)sync {
52 if(self = [super init]) {
53 _connection = connection;
60 [self.connection invalidate];
63 - (NSXPCConnection<OTControlProtocol>*)getConnection:(void (^)(NSError *error))handler
66 return [self.connection synchronousRemoteObjectProxyWithErrorHandler: handler];
68 return [self.connection remoteObjectProxyWithErrorHandler: handler];
72 - (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID
73 reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error))reply
75 [[self getConnection: ^(NSError* error) {
76 reply(nil, nil, error);
77 }] restore:contextID dsid:dsid secret:secret escrowRecordID:escrowRecordID reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError *error) {
78 reply(signingKeyData, encryptionKeyData, error);
82 -(void)reset:(void (^)(BOOL result, NSError* _Nullable error))reply
84 [[self getConnection: ^(NSError* error) {
86 }] reset:^(BOOL result, NSError * _Nullable error) {
91 - (void)signingKey:(void (^)(NSData* result, NSError* _Nullable error))reply
93 [self octagonSigningPublicKey:reply];
96 - (void)octagonSigningPublicKey:(nonnull void (^)(NSData * _Nullable, NSError * _Nullable))reply {
97 [[self getConnection: ^(NSError* error) {
99 }] octagonSigningPublicKey:^(NSData *signingKey, NSError * _Nullable error) {
100 reply(signingKey, error);
105 - (void)encryptionKey:(void (^)(NSData* result, NSError* _Nullable error))reply
107 [self octagonEncryptionPublicKey:reply];
110 - (void)octagonEncryptionPublicKey:(nonnull void (^)(NSData * _Nullable, NSError * _Nullable))reply
112 [[self getConnection: ^(NSError* error) {
114 }] octagonEncryptionPublicKey:^(NSData *encryptionKey, NSError * _Nullable error) {
115 reply(encryptionKey, error);
119 - (void)listOfRecords:(void (^)(NSArray* list, NSError* _Nullable error))reply
121 [self listOfEligibleBottledPeerRecords:reply];
124 - (void)listOfEligibleBottledPeerRecords:(nonnull void (^)(NSArray * _Nullable, NSError * _Nullable))reply
126 [[self getConnection: ^(NSError* error) {
128 }] listOfEligibleBottledPeerRecords:^(NSArray *list, NSError * _Nullable error) {
134 - (void)signIn:(NSString*)altDSID container:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
136 [[self getConnection: ^(NSError* error) {
138 }] signIn:altDSID container:container context:contextID reply:^(NSError * _Nullable error) {
143 - (void)signOut:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
145 [[self getConnection: ^(NSError* error) {
147 }] signOut:container context:contextID reply:^(NSError * _Nullable error) {
152 - (void)notifyIDMSTrustLevelChangeForContainer:(NSString* _Nullable)container context:(NSString*)contextID reply:(void (^)(NSError * _Nullable error))reply
154 [[self getConnection: ^(NSError* error) {
156 }] notifyIDMSTrustLevelChangeForContainer:container context:contextID reply:^(NSError * _Nullable error) {
161 - (void)handleIdentityChangeForSigningKey:(SFECKeyPair* _Nonnull)peerSigningKey
162 ForEncryptionKey:(SFECKeyPair* _Nonnull)encryptionKey
163 ForPeerID:(NSString*)peerID
164 reply:(void (^)(BOOL result,
165 NSError* _Nullable error))reply
168 [[self getConnection: ^(NSError* error) {
170 }] handleIdentityChangeForSigningKey:peerSigningKey ForEncryptionKey:encryptionKey ForPeerID:peerID reply:^(BOOL result, NSError* _Nullable error) {
171 reply(result, error);
178 - (void)rpcEpochWithConfiguration:(OTJoiningConfiguration*)config
179 reply:(void (^)(uint64_t epoch,
180 NSError * _Nullable error))reply
183 [[self getConnection: ^(NSError* error) {
185 }] rpcEpochWithConfiguration:config reply:^(uint64_t epoch,
186 NSError * _Nullable error) {
194 - (void)rpcPrepareIdentityAsApplicantWithConfiguration:(OTJoiningConfiguration*)config
195 reply:(void (^)(NSString * _Nullable peerID,
196 NSData * _Nullable permanentInfo,
197 NSData * _Nullable permanentInfoSig,
198 NSData * _Nullable stableInfo,
199 NSData * _Nullable stableInfoSig,
200 NSError * _Nullable error))reply
203 [[self getConnection: ^(NSError* error) {
204 reply(nil, nil, nil, nil, nil, error);
205 }] rpcPrepareIdentityAsApplicantWithConfiguration:config reply:^(NSString* pID, NSData* pI, NSData* piSig, NSData* si, NSData* siSig, NSError* e) {
206 reply(pID, pI, piSig, si, siSig, e);
209 reply(NULL, NULL, NULL, NULL, NULL, NULL);
213 - (void)rpcVoucherWithConfiguration:(OTJoiningConfiguration*)config
214 peerID:(NSString*)peerID
215 permanentInfo:(NSData *)permanentInfo
216 permanentInfoSig:(NSData *)permanentInfoSig
217 stableInfo:(NSData *)stableInfo
218 stableInfoSig:(NSData *)stableInfoSig
219 reply:(void (^)(NSData* voucher, NSData* voucherSig, NSError * _Nullable error))reply
222 [[self getConnection: ^(NSError* error) {
223 reply(nil, nil, error);
224 }] rpcVoucherWithConfiguration:config peerID:peerID permanentInfo:permanentInfo permanentInfoSig:permanentInfoSig stableInfo:stableInfo stableInfoSig:stableInfoSig reply:^(NSData* voucher, NSData* voucherSig, NSError * _Nullable error) {
225 reply(voucher, voucherSig, error);
228 reply(NULL, NULL, NULL);
232 - (void)rpcJoinWithConfiguration:(OTJoiningConfiguration*)config
233 vouchData:(NSData*)vouchData
234 vouchSig:(NSData*)vouchSig
235 reply:(void (^)(NSError * _Nullable error))reply
238 [[self getConnection: ^(NSError* error) {
240 }] rpcJoinWithConfiguration:config vouchData:vouchData vouchSig:vouchSig reply:^(NSError* e) {
248 - (void)preflightBottledPeer:(NSString*)contextID
250 reply:(void (^)(NSData* _Nullable entropy,
251 NSString* _Nullable bottleID,
252 NSData* _Nullable signingPublicKey,
253 NSError* _Nullable error))reply
255 [[self getConnection: ^(NSError* error) {
256 reply(nil, nil, nil, error);
257 }] preflightBottledPeer:contextID dsid:dsid reply:^(NSData* _Nullable entropy,
258 NSString* _Nullable bottleID,
259 NSData* _Nullable signingPublicKey,
260 NSError* _Nullable error) {
261 reply(entropy, bottleID, signingPublicKey, error);
265 - (void)launchBottledPeer:(NSString*)contextID
266 bottleID:(NSString*)bottleID
267 reply:(void (^ _Nullable)(NSError* _Nullable))reply
269 [[self getConnection: ^(NSError* error) {
271 }] launchBottledPeer:contextID bottleID:bottleID reply:^(NSError * _Nullable error) {
276 - (void)scrubBottledPeer:(NSString*)contextID
277 bottleID:(NSString*)bottleID
278 reply:(void (^ _Nullable)(NSError* _Nullable))reply
280 [[self getConnection: ^(NSError* error) {
282 }] scrubBottledPeer:contextID bottleID:bottleID reply:reply];
285 - (void)status:(NSString* _Nullable)container
286 context:(NSString*)context
287 reply:(void (^)(NSDictionary* _Nullable result, NSError* _Nullable error))reply
289 [[self getConnection: ^(NSError* error) {
291 }] status:container context:context reply:reply];
294 - (void)fetchEgoPeerID:(NSString* _Nullable)container
295 context:(NSString*)context
296 reply:(void (^)(NSString* _Nullable peerID, NSError* _Nullable error))reply
298 [[self getConnection: ^(NSError* error) {
300 }] fetchEgoPeerID:container context:context reply:reply];
303 - (void)fetchCliqueStatus:(NSString* _Nullable)container
304 context:(NSString*)context
305 configuration:(OTOperationConfiguration*)configuration
306 reply:(void (^)(CliqueStatus cliqueStatus, NSError* _Nullable error))reply
308 [[self getConnection: ^(NSError* error) {
309 reply(CliqueStatusError, error);
310 }] fetchCliqueStatus:container context:context configuration:configuration reply:reply];
313 - (void)fetchTrustStatus:(NSString* _Nullable)container
314 context:(NSString*)context
315 configuration:(OTOperationConfiguration *)configuration
316 reply:(void (^)(CliqueStatus status, NSString* peerID, NSNumber * _Nullable numberOfOctagonPeers, BOOL isExcluded, NSError * _Nullable error))reply
318 [[self getConnection: ^(NSError* error) {
319 reply(CliqueStatusError, false, NULL, false, error);
320 }] fetchTrustStatus:container context:context configuration:configuration reply:reply];
323 - (void)startOctagonStateMachine:(NSString* _Nullable)container
324 context:(NSString*)context
325 reply:(void (^)(NSError* _Nullable error))reply
327 [[self getConnection: ^(NSError* error) {
329 }] startOctagonStateMachine:container context:context reply:reply];
332 - (void)resetAndEstablish:(NSString* _Nullable)container
333 context:(NSString*)context
334 altDSID:(NSString*)altDSID
335 resetReason:(CuttlefishResetReason)resetReason
336 reply:(void (^)(NSError* _Nullable error))reply
338 [[self getConnection: ^(NSError* error) {
340 }] resetAndEstablish:container context:context altDSID:altDSID resetReason:resetReason reply:reply];
343 - (void)establish:(NSString* _Nullable)container
344 context:(NSString*)context
345 altDSID:(NSString*)altDSID
346 reply:(void (^)(NSError* _Nullable error))reply
348 [[self getConnection: ^(NSError* error) {
350 }] establish:container context:context altDSID:altDSID reply:reply];
353 - (void)leaveClique:(NSString* _Nullable)container
354 context:(NSString*)context
355 reply:(void (^)(NSError* _Nullable error))reply
357 [[self getConnection: ^(NSError* error) {
359 }] leaveClique:container context:context reply:reply];
362 - (void)removeFriendsInClique:(NSString* _Nullable)container
363 context:(NSString*)context
364 peerIDs:(NSArray<NSString*>*)peerIDs
365 reply:(void (^)(NSError* _Nullable error))reply
367 [[self getConnection: ^(NSError* error) {
369 }] removeFriendsInClique:container context:context peerIDs:peerIDs reply:reply];
372 - (void)peerDeviceNamesByPeerID:(NSString* _Nullable)container
373 context:(NSString*)context
374 reply:(void (^)(NSDictionary<NSString*, NSString*>* _Nullable peers, NSError* _Nullable error))reply
376 [[self getConnection: ^(NSError* error) {
378 }] peerDeviceNamesByPeerID:container context:context reply:reply];
381 - (void)fetchAllViableBottles:(NSString* _Nullable)container
382 context:(NSString*)context
383 reply:(void (^)(NSArray<NSString*>* _Nullable sortedBottleIDs, NSArray<NSString*> * _Nullable sortedPartialBottleIDs, NSError* _Nullable error))reply
385 [[self getConnection:^(NSError *error) {
386 reply(nil, nil, error);
387 }] fetchAllViableBottles:container context:context reply:reply];
390 -(void)restore:(NSString* _Nullable)containerName
391 contextID:(NSString *)contextID
392 bottleSalt:(NSString *)bottleSalt
393 entropy:(NSData *)entropy
394 bottleID:(NSString *)bottleID
395 reply:(void (^)(NSError * _Nullable))reply
397 [[self getConnection:^(NSError *error) {
399 }] restore:containerName contextID:contextID bottleSalt:bottleSalt entropy:entropy bottleID:bottleID reply:reply];
402 - (void)fetchEscrowContents:(NSString* _Nullable)containerName
403 contextID:(NSString *)contextID
404 reply:(void (^)(NSData* _Nullable entropy,
405 NSString* _Nullable bottleID,
406 NSData* _Nullable signingPublicKey,
407 NSError* _Nullable error))reply
409 [[self getConnection:^(NSError *error) {
410 reply(nil, nil, nil, error);
411 }] fetchEscrowContents:containerName contextID:contextID reply:reply];
414 - (void) createRecoveryKey:(NSString* _Nullable)containerName
415 contextID:(NSString *)contextID
416 recoveryKey:(NSString *)recoveryKey
417 reply:(void (^)( NSError * error))reply
419 [[self getConnection:^(NSError *error) {
421 }] createRecoveryKey:containerName contextID:contextID recoveryKey:recoveryKey reply:reply];
424 - (void) joinWithRecoveryKey:(NSString* _Nullable)containerName
425 contextID:(NSString *)contextID
426 recoveryKey:(NSString*)recoveryKey
427 reply:(void (^)(NSError * _Nullable))reply
429 [[self getConnection:^(NSError *error) {
431 }] joinWithRecoveryKey:containerName contextID:contextID recoveryKey:recoveryKey reply:reply];
434 - (void)healthCheck:(NSString *)container
435 context:(NSString *)context
436 skipRateLimitingCheck:(BOOL)skipRateLimitingCheck
437 reply:(void (^)(NSError *_Nullable error))reply
439 [[self getConnection: ^(NSError* error) {
441 }] healthCheck:container context:context skipRateLimitingCheck:skipRateLimitingCheck reply:reply];
444 - (void)attemptSosUpgrade:(NSString* _Nullable)container
445 context:(NSString*)context
446 reply:(void (^)(NSError* _Nullable error))reply
448 [[self getConnection: ^(NSError* error) {
450 }] attemptSosUpgrade:container context:context reply:reply];
453 - (void)waitForOctagonUpgrade:(NSString* _Nullable)container
454 context:(NSString*)context
455 reply:(void (^)(NSError* _Nullable error))reply
457 [[self getConnection: ^(NSError* error) {
459 }] waitForOctagonUpgrade:container context:context reply:reply];
462 - (void)postCDPFollowupResult:(BOOL)success
463 type:(OTCliqueCDPContextType)type
464 error:(NSError * _Nullable)error
465 containerName:(NSString* _Nullable)containerName
466 contextName:(NSString *)contextName
467 reply:(void (^)(NSError* _Nullable error))reply
469 [[self getConnection: ^(NSError* connectionError) {
470 reply(connectionError);
471 }] postCDPFollowupResult:success type:type error:[SecXPCHelper cleanseErrorForXPC:error] containerName:containerName contextName:contextName reply:reply];
474 - (void)tapToRadar:(NSString *)action
475 description:(NSString *)description
476 radar:(NSString *)radar
477 reply:(void (^)(NSError* _Nullable error))reply
479 [[self getConnection: ^(NSError* connectionError) {
480 reply(connectionError);
481 }] tapToRadar:action description:description radar:radar reply:reply];
484 - (void)refetchCKKSPolicy:(NSString* _Nullable)container
485 contextID:(NSString*)contextID
486 reply:(void (^)(NSError* _Nullable error))reply
488 [[self getConnection: ^(NSError* error) {
490 }] refetchCKKSPolicy:container contextID:contextID reply:reply];
493 - (void)setCDPEnabled:(NSString* _Nullable)containerName
494 contextID:(NSString*)contextID
495 reply:(void (^)(NSError* _Nullable error))reply
497 [[self getConnection: ^(NSError* connectionError) {
498 reply(connectionError);
499 }] setCDPEnabled:containerName contextID:contextID reply:reply];
502 - (void)getCDPStatus:(NSString* _Nullable)containerName
503 contextID:(NSString*)contextID
504 reply:(void (^)(OTCDPStatus status, NSError* _Nullable error))reply
506 [[self getConnection: ^(NSError* connectionError) {
507 reply(OTCDPStatusUnknown, connectionError);
508 }] getCDPStatus:containerName contextID:contextID reply:reply];
511 + (OTControl*)controlObject:(NSError* __autoreleasing *)error {
512 return [OTControl controlObject:false error:error];
515 + (OTControl*)controlObject:(bool)sync error:(NSError**)error
517 NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydOctagonServiceName) options:0];
519 if (connection == nil) {
521 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecInternalError userInfo:@{NSLocalizedDescriptionKey: @"Couldn't create connection (no reason given)"}];
526 NSXPCInterface *interface = OTSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(OTControlProtocol)]);
527 connection.remoteObjectInterface = interface;
530 OTControl* c = [[OTControl alloc] initWithConnection:connection sync:sync];