2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #import <TargetConditionals.h>
27 #import <Foundation/Foundation.h>
29 #import "keychain/ot/OTClique.h"
30 #import "keychain/ot/OTConstants.h"
31 #import "keychain/ot/OTDefines.h"
33 #import <utilities/SecCFWrappers.h>
34 #import <utilities/debugging.h>
36 #import "keychain/SecureObjectSync/SOSCloudCircle.h"
37 #import "KeychainCircle/PairingChannel.h"
38 #import <Security/SecBase.h>
40 const NSString* kSecEntitlementPrivateOctagonEscrow = @"com.apple.private.octagon.escrow-content";
43 #import <AuthKit/AuthKit.h>
44 #import <AuthKit/AuthKit_Private.h>
45 #import <SoftLinking/SoftLinking.h>
46 #import <CloudServices/SecureBackup.h>
47 #import <CloudServices/SecureBackupConstants.h>
48 #import "keychain/ot/OTControl.h"
49 #import "keychain/ot/categories/OctagonEscrowRecoverer.h"
51 SOFT_LINK_FRAMEWORK(PrivateFrameworks, KeychainCircle);
52 SOFT_LINK_FRAMEWORK(PrivateFrameworks, CloudServices);
54 #pragma clang diagnostic push
55 #pragma clang diagnostic ignored "-Wstrict-prototypes"
56 SOFT_LINK_CLASS(KeychainCircle, KCPairingChannel);
57 SOFT_LINK_CLASS(KeychainCircle, OTPairingChannel);
58 SOFT_LINK_CLASS(CloudServices, SecureBackup);
59 SOFT_LINK_CONSTANT(CloudServices, kSecureBackupErrorDomain, NSErrorDomain);
61 #pragma clang diagnostic pop
64 OTCliqueCFUType OTCliqueCFTypeRepair = @"typeRepair";
65 OTCliqueCFUType OTCliqueCFTypePasscode = @"typePasscode";
66 OTCliqueCFUType OTCliqueCFTypeUpgrade = @"typeUpgrade";
68 OTCliqueCDPContextType OTCliqueCDPContextTypeNone = @"cdpContextTypeNone";
69 OTCliqueCDPContextType OTCliqueCDPContextTypeSignIn = @"cdpContextTypeSignIn";
70 OTCliqueCDPContextType OTCliqueCDPContextTypeRepair = @"cdpContextTypeRepair";
71 OTCliqueCDPContextType OTCliqueCDPContextTypeFinishPasscodeChange = @"cdpContextTypeFinishPasscodeChange";
72 OTCliqueCDPContextType OTCliqueCDPContextTypeRecoveryKeyGenerate = @"cdpContextTypeRecoveryKeyGenerate";
73 OTCliqueCDPContextType OTCliqueCDPContextTypeRecoveryKeyNew = @"cdpContextTypeRecoveryKeyNew";
74 OTCliqueCDPContextType OTCliqueCDPContextTypeUpdatePasscode = @"cdpContextTypeUpdatePasscode";
76 NSString* OTCliqueStatusToString(CliqueStatus status)
80 return @"CliqueStatusIn";
81 case CliqueStatusNotIn:
82 return @"CliqueStatusNotIn";
83 case CliqueStatusPending:
84 return @"CliqueStatusPending";
85 case CliqueStatusAbsent:
86 return @"CliqueStatusAbsent";
87 case CliqueStatusNoCloudKitAccount:
88 return @"CliqueStatusNoCloudKitAccount";
89 case CliqueStatusError:
90 return @"CliqueStatusError";
93 CliqueStatus OTCliqueStatusFromString(NSString* str)
95 if([str isEqualToString: @"CliqueStatusIn"]) {
96 return CliqueStatusIn;
97 } else if([str isEqualToString: @"CliqueStatusNotIn"]) {
98 return CliqueStatusNotIn;
99 } else if([str isEqualToString: @"CliqueStatusPending"]) {
100 return CliqueStatusPending;
101 } else if([str isEqualToString: @"CliqueStatusAbsent"]) {
102 return CliqueStatusAbsent;
103 } else if([str isEqualToString: @"CliqueStatusNoCloudKitAccount"]) {
104 return CliqueStatusNoCloudKitAccount;
105 } else if([str isEqualToString: @"CliqueStatusError"]) {
106 return CliqueStatusError;
109 return CliqueStatusError;
113 @implementation OTConfigurationContext
114 - (OTControl* _Nullable)makeOTControl:(NSError**)error
117 if (self.otControl) {
118 return self.otControl;
120 return [OTControl controlObject:true error:error];
127 @implementation OTBottleIDs
130 @implementation OTOperationConfiguration
132 - (instancetype)init {
133 if ((self = [super init]) == nil) {
136 _timeoutWaitForCKAccount = 10 * NSEC_PER_SEC;
137 _qualityOfService = NSQualityOfServiceDefault;
138 _discretionaryNetwork = NO;
139 _useCachedAccountStatus = NO;
143 + (BOOL)supportsSecureCoding {
147 - (void)encodeWithCoder:(nonnull NSCoder *)coder {
148 [coder encodeObject:@(_timeoutWaitForCKAccount) forKey:@"timeoutWaitForCKAccount"];
149 [coder encodeObject:@(_qualityOfService) forKey:@"qualityOfService"];
150 [coder encodeObject:@(_discretionaryNetwork) forKey:@"discretionaryNetwork"];
151 [coder encodeObject:@(_useCachedAccountStatus) forKey:@"useCachedAccountStatus"];
154 - (nullable instancetype)initWithCoder:(nonnull NSCoder *)coder {
155 _timeoutWaitForCKAccount = [[coder decodeObjectOfClass:[NSNumber class] forKey:@"timeoutWaitForCKAccount"] unsignedLongLongValue];
156 _qualityOfService = [[coder decodeObjectOfClass:[NSNumber class] forKey:@"qualityOfService"] integerValue];
157 _discretionaryNetwork = [[coder decodeObjectOfClass:[NSNumber class] forKey:@"discretionaryNetwork"] boolValue];
158 _useCachedAccountStatus = [[coder decodeObjectOfClass:[NSNumber class] forKey:@"useCachedAccountStatus"] boolValue];
165 @interface OTClique ()
166 @property (nonatomic, copy) NSString* cliqueMemberIdentifier;
167 @property (nonatomic, strong) OTConfigurationContext *ctx;
168 @property (nonatomic, strong) NSMutableDictionary *defaults;
171 @implementation OTClique
173 + (BOOL)platformSupportsSOS
175 return OctagonPlatformSupportsSOS();
178 // defaults write com.apple.security.octagon enable -bool YES
179 -(BOOL)isOctagonPairingEnabled {
180 BOOL nsDefaults = self.defaults[OTDefaultsOctagonEnable] ? [self.defaults[OTDefaultsOctagonEnable] boolValue] : OctagonIsEnabled();
181 secnotice("octagon", "pairing is %@", nsDefaults ? @"on" : @"off");
185 - (void)setPairingDefault:(BOOL)defaults
187 self.defaults[OTDefaultsOctagonEnable] = @(defaults);
190 - (void)removePairingDefault
192 [self.defaults removeObjectForKey:OTDefaultsOctagonEnable];
195 - (instancetype)initWithContextData:(OTConfigurationContext *)ctx error:(NSError * __autoreleasing *)error
200 _ctx = [[OTConfigurationContext alloc]init];
201 _ctx.context = ctx.context ?: OTDefaultContext;
202 _ctx.dsid = [ctx.dsid copy];
203 _ctx.altDSID = [ctx.altDSID copy];
204 _ctx.analytics = ctx.analytics;
205 _ctx.otControl = ctx.otControl;
207 self.defaults = [NSMutableDictionary dictionary];
211 NSAssert(false, @"OTClique is not implemented on this platform");
216 - (NSString* _Nullable)cliqueMemberIdentifier
219 __block NSString* retPeerID = nil;
221 if(OctagonIsEnabled()) {
222 NSError* localError = nil;
223 OTControl* control = [self makeOTControl:&localError];
225 secerror("octagon: Failed to create OTControl: %@", localError);
229 [control fetchEgoPeerID:nil
230 context:self.ctx.context
231 reply:^(NSString* peerID, NSError* error) {
233 secerror("octagon: Failed to fetch octagon peer ID: %@", error);
237 secnotice("clique", "cliqueMemberIdentifier(octagon) received %@", retPeerID);
240 if(OctagonPlatformSupportsSOS()) {
241 CFErrorRef error = NULL;
242 SOSPeerInfoRef me = SOSCCCopyMyPeerInfo(&error);
243 retPeerID = (NSString*)CFBridgingRelease(CFRetainSafe(SOSPeerInfoGetPeerID(me)));
247 secnotice("clique", "cliqueMemberIdentifier complete: %@", retPeerID);
255 - (OTControl* _Nullable)makeOTControl:(NSError**)error
257 return [self.ctx makeOTControl:error];
260 - (BOOL)establish:(NSError**)error
262 secnotice("clique-establish", "establish started");
264 OTControl* control = [self makeOTControl:error];
269 __block BOOL success = NO;
270 __block NSError* localError = nil;
272 [control establish:nil context:self.ctx.context altDSID:self.ctx.altDSID reply:^(NSError * _Nullable operationError) {
275 secnotice("clique-establish", "reenact establish returned an error: %@", operationError);
277 success = !!operationError;
278 localError = operationError;
281 if(localError && error) {
284 secnotice("clique-establish", "establish complete: %@", success ? @"YES" : @"NO");
289 - (BOOL)resetAndEstablish:(NSError**)error
291 secnotice("clique-resetandestablish", "resetAndEstablish started");
293 OTControl* control = [self makeOTControl:error];
299 __block BOOL success = NO;
300 __block NSError* localError = nil;
301 [control resetAndEstablish:nil context:self.ctx.context altDSID:self.ctx.altDSID reply:^(NSError * _Nullable operationError) {
304 secnotice("clique-resetandestablish", "resetAndEstablish returned an error: %@", operationError);
306 success = !!operationError;
307 localError = operationError;
310 if(localError && error) {
314 secnotice("clique-resetandestablish", "establish complete: %@", success ? @"YES" : @"NO");
320 + (OTClique*)newFriendsWithContextData:(OTConfigurationContext*)data error:(NSError * __autoreleasing *)error
323 secnotice("clique-newfriends", "makeNewFriends invoked using context: %@, dsid: %@", data.context, data.dsid);
326 OTClique* clique = [[OTClique alloc] initWithContextData:data error:error];
328 if(OctagonIsEnabled()) {
329 NSError* localError = nil;
330 [clique resetAndEstablish:&localError];
333 secnotice("clique-newfriends", "account reset failed: %@", localError);
339 secnotice("clique-newfriends", "Octagon account reset succeeded");
343 if(OctagonPlatformSupportsSOS()) {
344 CFErrorRef resetError = NULL;
345 NSData* analyticsData = nil;
347 NSError* encodingError = nil;
348 analyticsData = [NSKeyedArchiver archivedDataWithRootObject:data.analytics requiringSecureCoding:YES error:&encodingError];
351 secnotice("clique-newfriends", "newFriendsWithContextData: unable to serialize analytics: %@", encodingError);
356 result = SOSCCResetToEmptyWithAnalytics((__bridge CFDataRef)analyticsData, &resetError);
358 result = SOSCCResetToEmpty(&resetError);
361 if(!result || resetError){
362 secnotice("clique-newfriends", "newFriendsWithContextData: resetToOffering failed: %@", resetError);
364 *error = CFBridgingRelease(resetError);
368 secnotice("clique-newfriends", "newFriendsWithContextData: reset the SOS circle");
370 secnotice("clique-newfriends", "newFriendsWithContextData: SOS disabled on this platform");
372 secnotice("clique-newfriends", "makeNewFriends complete");
378 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
383 + (OTClique* _Nullable)performEscrowRecoveryWithContextData:(OTConfigurationContext*)data
384 escrowArguments:(NSDictionary*)sbdRecoveryArguments
385 error:(NSError**)error
388 secnotice("clique-recovery", "attempting an escrow recovery for context:%@, altdsid:%@", data.context, data.altDSID);
390 id<OctagonEscrowRecovererPrococol> sb = data.sbd ?: [[getSecureBackupClass() alloc] init];
392 NSDictionary* recoveredInformation = nil;
393 NSError* recoverError = [sb recoverWithInfo:sbdRecoveryArguments results:&recoveredInformation];
396 secnotice("clique-recovery", "sbd escrow recovery failed: %@", recoverError);
397 if(OctagonPlatformSupportsSOS()) {
398 if(recoverError.code == 17 /* kSecureBackupRestoringLegacyBackupKeychainError */ && [recoverError.domain isEqualToString:getkSecureBackupErrorDomain()]) { /* XXX */
399 secnotice("clique-recovery", "Can't restore legacy backup with no keybag. Resetting SOS to offering");
400 CFErrorRef blowItAwayError = NULL;
401 bool successfulReset = SOSCCResetToOffering(&blowItAwayError);
402 if(!successfulReset || blowItAwayError) {
403 secerror("clique-recovery: failed to reset to offering:%@", blowItAwayError);
405 secnotice("clique-recovery", "resetting SOS circle successful");
409 *error = recoverError;
415 *error = recoverError;
421 NSError* localError = nil;
422 OTClique* clique = [[OTClique alloc] initWithContextData:data
425 if(!clique || localError) {
426 secnotice("clique-recovery", "unable to create otclique: %@", localError);
433 OTControl* control = [clique makeOTControl:&localError];
435 secnotice("clique-recovery", "unable to create otcontrol: %@", localError);
442 NSString *bottleID = recoveredInformation[@"bottleID"];
443 NSString *isValid = recoveredInformation[@"bottleValid"];
444 NSData *bottledPeerEntropy = recoveredInformation[@"EscrowServiceEscrowData"][@"BottledPeerEntropy"];
445 bool shouldResetOctagon = false;
447 if(bottledPeerEntropy && bottleID && [isValid isEqualToString:@"valid"]){
448 secnotice("clique-recovery", "recovering from bottle: %@", bottleID);
449 __block NSError* restoreBottleError = nil;
452 [control restore:OTCKContainerName
453 contextID:data.context
454 bottleSalt:data.altDSID
455 entropy:bottledPeerEntropy
457 reply:^(NSError * _Nullable restoreError) {
459 secnotice("clique-recovery", "restore bottle errored: %@", restoreError);
461 secnotice("clique-recovery", "restoring bottle succeeded");
463 restoreBottleError = restoreError;
466 if(restoreBottleError) {
468 *error = restoreBottleError;
473 shouldResetOctagon = true;
476 if(OctagonPlatformSupportsSOS()) {
477 secnotice("clique-recovery", "attempting joinAfterRestore");
478 [clique joinAfterRestore:&localError];
479 secnotice("clique-recovery", "joinAfterRestore: %@", localError);
482 if(shouldResetOctagon) {
483 secnotice("clique-recovery", "bottle %@ is not valid, resetting octagon", bottleID);
484 NSError* resetError = nil;
485 [clique resetAndEstablish:&resetError];
487 secnotice("clique-recovery", "failed to reset octagon: %@", resetError);
489 secnotice("clique-recovery", "reset octagon succeeded");
493 secnotice("clique-recovery", "recovery complete: %@", clique);
498 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
505 - (KCPairingChannel *)setupPairingChannelAsInitiator:(KCPairingChannelContext *)ctx
508 return [getKCPairingChannelClass() pairingChannelInitiator:ctx];
514 - (KCPairingChannel * _Nullable)setupPairingChannelAsInitator:(KCPairingChannelContext *)ctx error:(NSError * __autoreleasing *)error
519 return [self setupPairingChannelAsInitiator:ctx];
522 - (KCPairingChannel *)setupPairingChannelAsAcceptor:(KCPairingChannelContext *)ctx
525 return [getKCPairingChannelClass() pairingChannelAcceptor:ctx];
531 - (KCPairingChannel * _Nullable)setupPairingChannelAsAcceptor:(KCPairingChannelContext *)ctx error:(NSError * __autoreleasing *)error
537 return [self setupPairingChannelAsAcceptor:ctx];
541 - (CliqueStatus)_fetchCliqueStatus:(OTOperationConfiguration *)configuration error:(NSError * __autoreleasing *)error
544 __block CliqueStatus sosStatus = CliqueStatusError;
545 __block CliqueStatus octagonStatus = CliqueStatusError;
547 // Octagon is supreme.
549 if(OctagonIsEnabled()) {
550 OTControl* control = [self makeOTControl:error];
552 secnotice("clique-status", "cliqueStatus noOTControl");
553 return CliqueStatusError;
556 __block NSError* localError = nil;
557 [control fetchCliqueStatus:nil context:self.ctx.context configuration:configuration reply:^(CliqueStatus cliqueStatus, NSError * _Nullable fetchError) {
559 octagonStatus = CliqueStatusError;
560 localError = fetchError;
561 secnotice("clique-status", "octagon clique status errored: %@", fetchError);
563 octagonStatus = cliqueStatus;
567 if(OctagonAuthoritativeTrustIsEnabled() || !OctagonPlatformSupportsSOS()) {
568 secnotice("clique-status", "cliqueStatus(%{public}scached)(context:%@, altDSID:%@) returning %@ (error: %@)",
569 configuration.useCachedAccountStatus ? "" : "non-",
570 self.ctx.context, self.ctx.altDSID,
571 OTCliqueStatusToString(octagonStatus), localError);
572 if (localError && error) {
575 return octagonStatus;
579 if(OctagonPlatformSupportsSOS()) {
580 CFErrorRef circleStatusError = NULL;
581 sosStatus = kSOSCCError;
582 if(configuration.useCachedAccountStatus){
583 sosStatus = SOSCCThisDeviceIsInCircle(&circleStatusError);
585 sosStatus = SOSCCThisDeviceIsInCircleNonCached(&circleStatusError);
587 secnotice("clique-status", "sos clique status is %d (%@)", (int)sosStatus, circleStatusError);
590 *error = (NSError*)CFBridgingRelease(circleStatusError);
592 CFBridgingRelease(circleStatusError);
595 secnotice("clique-status", "cliqueStatus(%{public}scached)(context:%@, altDSID:%@) complete: %@",
596 configuration.useCachedAccountStatus ? "" : "non-",
597 self.ctx.context, self.ctx.altDSID,
598 OTCliqueStatusToString(octagonStatus));
599 return octagonStatus;
602 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
604 return (CliqueStatus)kSOSCCError;
608 // Don't change rules for CoreCDP, and preserve legacy behavior for now
609 // preserve old behavior until CoreCDP can move to -fetchCliqueStatus:error:
610 #define LEGACY_WAITING_BEHAVIOR (TARGET_OS_OSX || TARGET_OS_IOS)
612 - (CliqueStatus)fetchCliqueStatus:(OTOperationConfiguration *)configuration error:(NSError * __autoreleasing * _Nonnull)error
614 return [self _fetchCliqueStatus:configuration error:error];
617 - (CliqueStatus)fetchCliqueStatus:(NSError * __autoreleasing *)error
619 OTOperationConfiguration *configuration = [[OTOperationConfiguration alloc] init];
620 #if LEGACY_WAITING_BEHAVIOR
621 configuration.timeoutWaitForCKAccount = 0;
623 return [self _fetchCliqueStatus:configuration error:error];
626 - (CliqueStatus)cachedCliqueStatus:(BOOL)usedCached error:(NSError * __autoreleasing *)error
628 OTOperationConfiguration *configuration = [[OTOperationConfiguration alloc] init];
629 #if LEGACY_WAITING_BEHAVIOR
630 configuration.timeoutWaitForCKAccount = 0;
633 configuration.useCachedAccountStatus = YES;
635 return [self _fetchCliqueStatus:configuration error:error];
639 - (BOOL)removeFriendsInClique:(NSArray<NSString*>*)friendIdentifiers error:(NSError * __autoreleasing *)error
642 secnotice("clique-removefriends", "removeFriendsInClique invoked using context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
644 // Annoying: we must sort friendIdentifiers into octagon/sos lists.
645 NSMutableArray<NSString*>* octagonIdentifiers = [NSMutableArray array];
646 NSMutableArray<NSString*>* sosIdentifiers = [NSMutableArray array];
648 for(NSString* friendIdentifier in friendIdentifiers) {
649 if([friendIdentifier hasPrefix:@"SHA256:"]) {
650 [octagonIdentifiers addObject: friendIdentifier];
652 [sosIdentifiers addObject: friendIdentifier];
656 // Ensure that we don't have any peers on the wrong platform
657 if(!OctagonIsEnabled() && octagonIdentifiers.count > 0) {
658 NSError *localError = [NSError errorWithDomain:NSOSStatusErrorDomain
659 code:errSecUnimplemented
660 userInfo:@{NSLocalizedDescriptionKey: @"Octagon is disabled; can't distrust any Octagon peers"}];
661 secnotice("clique-removefriends", "removeFriendsInClique failed:%@", localError);
668 if(!OctagonPlatformSupportsSOS() && sosIdentifiers.count > 0) {
669 NSError *localError = [NSError errorWithDomain:NSOSStatusErrorDomain
670 code:errSecUnimplemented
671 userInfo:@{NSLocalizedDescriptionKey: @"SOS is not available on this platform; can't distrust any SOS peers"}];
672 secnotice("clique-removefriends", "removeFriendsInClique failed:%@", localError);
680 __block NSError* localError = nil;
683 if(OctagonIsEnabled() && octagonIdentifiers.count > 0) {
684 OTControl* control = [self makeOTControl:error];
689 secnotice("clique-removefriends", "octagon: removing octagon friends: %@", octagonIdentifiers);
691 [control removeFriendsInClique:nil
692 context:self.ctx.context
693 peerIDs:octagonIdentifiers
694 reply:^(NSError* replyError) {
696 secnotice("clique-removefriends", "removeFriendsInClique failed: unable to remove friends: %@", replyError);
697 localError = replyError;
699 secnotice("clique-removefriends", "octagon: friends removed: %@", octagonIdentifiers);
704 if(OctagonPlatformSupportsSOS() && sosIdentifiers.count > 0) {
705 CFErrorRef removeFriendError = NULL;
706 NSData* analyticsData = nil;
708 secnotice("clique-removefriends", "removing sos friends: %@", sosIdentifiers);
710 if(self.ctx.analytics){
711 NSError* encodingError = nil;
712 analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
716 result = SOSCCRemovePeersFromCircleWithAnalytics((__bridge CFArrayRef)friendIdentifiers, (__bridge CFDataRef)analyticsData, &removeFriendError);
718 result = SOSCCRemovePeersFromCircle((__bridge CFArrayRef)friendIdentifiers, &removeFriendError);
721 if(removeFriendError) {
722 secnotice("clique-removefriends", "removeFriendsInClique failed: unable to remove friends: %@", removeFriendError);
723 localError = CFBridgingRelease(removeFriendError);
727 if(error && localError) {
730 secnotice("clique-removefriends", "removeFriendsInClique complete: %d", result);
732 return result && localError == nil;
738 - (BOOL)leaveClique:(NSError * __autoreleasing *)error
741 secnotice("clique-leaveClique", "leaveClique invoked using context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
742 CFErrorRef removeThisDeviceError = NULL;
745 if(OctagonIsEnabled()) {
746 OTControl* control = [self makeOTControl:error];
751 __block NSError* localError = nil;
752 [control leaveClique:nil context:self.ctx.context reply:^(NSError * _Nullable leaveError) {
754 secnotice("clique-leaveClique", "leaveClique errored: %@", leaveError);
755 localError = leaveError;
757 secnotice("clique-leaveClique", "leaveClique success.");
764 result = !localError;
767 if(OctagonPlatformSupportsSOS()) {
768 NSData* analyticsData = nil;
770 if(self.ctx.analytics) {
771 NSError* encodingError = nil;
772 analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
774 secnotice("clique-leaveClique", "leaveClique unable to archive analytics object: %@", encodingError);
779 result &= SOSCCRemoveThisDeviceFromCircleWithAnalytics((__bridge CFDataRef)analyticsData, &removeThisDeviceError);
781 result &= SOSCCRemoveThisDeviceFromCircle(&removeThisDeviceError);
785 *error = (NSError*)CFBridgingRelease(removeThisDeviceError);
787 CFBridgingRelease(removeThisDeviceError);
790 secnotice("clique-leaveClique", "leaveClique complete: %d", result);
792 return result ? YES : NO;
798 - (NSDictionary<NSString*,NSString*>* _Nullable)peerDeviceNamesByPeerID:(NSError * __autoreleasing *)error
801 secnotice("clique", "peerDeviceNamesByPeerID invoked using context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
803 NSMutableDictionary<NSString*, NSString*>* retPeers = [NSMutableDictionary dictionary];
805 if(OctagonIsEnabled()) {
806 OTControl* control = [self makeOTControl:error];
811 __block NSError* localError = nil;
812 __block NSDictionary<NSString*, NSString*>* localPeers = nil;
814 [control peerDeviceNamesByPeerID:nil context:OTDefaultContext reply:^(NSDictionary<NSString*,NSString*>* peers, NSError* controlError) {
816 secnotice("clique", "peerDeviceNamesByPeerID errored: %@", controlError);
818 secnotice("clique", "peerDeviceNamesByPeerID succeeded: %@", peers);
820 localError = controlError;
824 if(error && localError) {
830 [retPeers addEntriesFromDictionary:localPeers];
831 secnotice("clique", "Received %lu Octagon peers", (unsigned long)localPeers.count);
834 if(OctagonPlatformSupportsSOS()) {
835 CFErrorRef peerErrorRef = NULL;
836 NSMutableDictionary<NSString*,NSString*>* peerMapping = [NSMutableDictionary dictionary];
837 NSArray* arrayOfPeerRefs = CFBridgingRelease(SOSCCCopyPeerPeerInfo(&peerErrorRef));
839 [arrayOfPeerRefs enumerateObjectsUsingBlock:^(id peerRef, NSUInteger idx, BOOL * stop) {
840 SOSPeerInfoRef peer = (__bridge SOSPeerInfoRef)peerRef;
842 [peerMapping setObject:(__bridge NSString*)SOSPeerInfoGetPeerName(peer) forKey:(__bridge NSString*)SOSPeerInfoGetPeerID(peer)];
847 *error = (NSError*)CFBridgingRelease(peerErrorRef);
849 CFBridgingRelease(peerErrorRef);
852 [retPeers addEntriesFromDictionary:peerMapping];
853 secnotice("clique", "Received %lu SOS peers", (unsigned long)peerMapping.count);
862 - (BOOL)joinAfterRestore:(NSError * __autoreleasing *)error
864 secnotice("clique-recovery", "joinAfterRestore for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
865 CFErrorRef restoreError = NULL;
867 bool res = SOSCCRequestToJoinCircleAfterRestore(&restoreError);
869 *error = (NSError*)CFBridgingRelease(restoreError);
871 CFBridgingRelease(restoreError);
873 secnotice("clique-recovery", "joinAfterRestore complete: %d %@", res, error ? *error : @"no error pointer provided");
877 - (BOOL)safariPasswordSyncingEnabled:(NSError **)error
879 secnotice("clique-safari", "safariPasswordSyncingEnabled for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
881 CFErrorRef viewErrorRef = NULL;
883 SOSViewResultCode result = SOSCCView(kSOSViewAutofillPasswords, kSOSCCViewQuery, &viewErrorRef);
885 BOOL viewMember = result == kSOSCCViewMember;
887 *error = (NSError*)CFBridgingRelease(viewErrorRef);
889 CFBridgingRelease(viewErrorRef);
892 secnotice("clique-safari", "safariPasswordSyncingEnabled complete: %@", viewMember ? @"YES" : @"NO");
897 - (BOOL)isLastFriend:(NSError **)error
899 secnotice("clique-isLastFriend", "is last friend");
903 - (BOOL)waitForInitialSync:(NSError *__autoreleasing*)error
905 secnotice("clique-legacy", "waitForInitialSync for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
906 CFErrorRef initialSyncErrorRef = NULL;
908 if(self.ctx.analytics){
909 NSError* encodingError = nil;
910 NSData* analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
911 if(!encodingError && analyticsData){
912 result = SOSCCWaitForInitialSyncWithAnalytics((__bridge CFDataRef)analyticsData, &initialSyncErrorRef);
914 result = SOSCCWaitForInitialSync(&initialSyncErrorRef);
917 result = SOSCCWaitForInitialSync(&initialSyncErrorRef);
920 BOOL initialSyncResult = (result == true);
922 *error = (NSError*)CFBridgingRelease(initialSyncErrorRef);
924 CFBridgingRelease(initialSyncErrorRef);
926 secnotice("clique-legacy", "waitForInitialSync waited: %d %@", initialSyncResult, error ? *error : @"no error pointer provided");
927 return initialSyncResult;
930 - (NSArray*)copyViewUnawarePeerInfo:(NSError *__autoreleasing*)error
932 secnotice("clique-legacy", "copyViewUnawarePeerInfo for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
933 CFErrorRef copyViewUnawarePeerInfoErrorRef = NULL;
934 CFArrayRef peerListRef = SOSCCCopyViewUnawarePeerInfo(©ViewUnawarePeerInfoErrorRef);
936 NSArray* peerList = (peerListRef ? (NSArray*)(CFBridgingRelease(peerListRef)) : nil);
938 *error = (NSError*)CFBridgingRelease(copyViewUnawarePeerInfoErrorRef);
940 CFBridgingRelease(copyViewUnawarePeerInfoErrorRef);
945 - (BOOL)viewSet:(NSSet*)enabledViews disabledViews:(NSSet*)disabledViews
947 secnotice("clique-legacy", "viewSet for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
949 if(self.ctx.analytics){
950 NSError* encodingError = nil;
951 NSData* analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
952 if(!encodingError && analyticsData){
953 result = SOSCCViewSetWithAnalytics((__bridge CFSetRef)enabledViews, (__bridge CFSetRef)disabledViews, (__bridge CFDataRef)analyticsData);
955 result = SOSCCViewSet((__bridge CFSetRef)enabledViews, (__bridge CFSetRef)disabledViews);
958 result = SOSCCViewSet((__bridge CFSetRef)enabledViews, (__bridge CFSetRef)disabledViews);
961 BOOL viewSetResult = (result == true);
962 return viewSetResult;
965 - (BOOL)setUserCredentialsAndDSID:(NSString*)userLabel
966 password:(NSData*)userPassword
967 error:(NSError *__autoreleasing*)error
969 secnotice("clique-legacy", "setUserCredentialsAndDSID for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
970 CFErrorRef setCredentialsErrorRef = NULL;
972 if(self.ctx.analytics){
973 NSError* encodingError = nil;
974 NSData* analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
975 if(!encodingError && analyticsData){
976 result = SOSCCSetUserCredentialsAndDSIDWithAnalytics((__bridge CFStringRef)userLabel,
977 (__bridge CFDataRef)userPassword,
978 (__bridge CFStringRef)self.ctx.dsid,
979 (__bridge CFDataRef)analyticsData,
980 &setCredentialsErrorRef);
982 result = SOSCCSetUserCredentialsAndDSID((__bridge CFStringRef)userLabel,
983 (__bridge CFDataRef)userPassword,
984 (__bridge CFStringRef)self.ctx.dsid,
985 &setCredentialsErrorRef);
988 result = SOSCCSetUserCredentialsAndDSID((__bridge CFStringRef)userLabel,
989 (__bridge CFDataRef)userPassword,
990 (__bridge CFStringRef)self.ctx.dsid,
991 &setCredentialsErrorRef);
994 BOOL setCredentialsResult = (result == true);
996 *error = (NSError*)CFBridgingRelease(setCredentialsErrorRef);
998 CFBridgingRelease(setCredentialsErrorRef);
1000 secnotice("clique-legacy", "setUserCredentialsAndDSID results: %d %@", setCredentialsResult, setCredentialsErrorRef);
1001 return setCredentialsResult;
1004 - (BOOL)tryUserCredentialsAndDSID:(NSString*)userLabel
1005 password:(NSData*)userPassword
1006 error:(NSError *__autoreleasing*)error
1008 secnotice("clique-legacy", "tryUserCredentialsAndDSID for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1009 CFErrorRef tryCredentialsErrorRef = NULL;
1010 bool result = SOSCCTryUserCredentialsAndDSID((__bridge CFStringRef)userLabel,
1011 (__bridge CFDataRef)userPassword,
1012 (__bridge CFStringRef)self.ctx.dsid,
1013 &tryCredentialsErrorRef);
1015 BOOL tryCredentialsResult = (result == true);
1017 *error = (NSError*)CFBridgingRelease(tryCredentialsErrorRef);
1019 CFBridgingRelease(tryCredentialsErrorRef);
1021 secnotice("clique-legacy", "tryUserCredentialsAndDSID results: %d %@", tryCredentialsResult, tryCredentialsErrorRef);
1022 return tryCredentialsResult;
1026 - (NSArray*)copyPeerPeerInfo:(NSError *__autoreleasing*)error
1028 secnotice("clique-legacy", "copyPeerPeerInfo for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1029 CFErrorRef copyPeerErrorRef = NULL;
1030 CFArrayRef result = SOSCCCopyPeerPeerInfo(©PeerErrorRef);
1032 NSArray* peerList = (result ? (NSArray*)(CFBridgingRelease(result)) : nil);
1035 *error = (NSError*)CFBridgingRelease(copyPeerErrorRef);
1037 CFBridgingRelease(copyPeerErrorRef);
1039 secnotice("clique-legacy", "copyPeerPeerInfo results: %@", peerList);
1045 - (BOOL)peersHaveViewsEnabled:(NSArray<NSString*>*)viewNames error:(NSError *__autoreleasing*)error
1047 secnotice("clique-legacy", "peersHaveViewsEnabled for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1048 CFErrorRef viewsEnabledErrorRef = NULL;
1049 BOOL viewsEnabledResult = NO;
1051 CFBooleanRef result = SOSCCPeersHaveViewsEnabled((__bridge CFArrayRef)viewNames, &viewsEnabledErrorRef);
1053 viewsEnabledResult = CFBooleanGetValue(result);
1056 *error = (NSError*)CFBridgingRelease(viewsEnabledErrorRef);
1058 CFBridgingRelease(viewsEnabledErrorRef);
1060 secnotice("clique-legacy", "peersHaveViewsEnabled results: %@", viewsEnabledResult ? @"YES" : @"NO");
1062 return viewsEnabledResult;
1065 - (BOOL)requestToJoinCircle:(NSError *__autoreleasing*)error
1067 bool result = false;
1068 CFErrorRef joinErrorRef = NULL;
1071 secnotice("clique-legacy", "requestToJoinCircle for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1073 if(OctagonIsEnabled()) {
1074 NSError* localError = nil;
1075 [self resetAndEstablish:&localError];
1078 secnotice("clique-legacy", "account reset failed: %@", localError);
1080 *error = localError;
1084 secnotice("clique-legacy", "account reset succeeded");
1087 // If we didn't early-exit, and we aren't going to invoke SOS below, we succeeded.
1088 if(!OctagonPlatformSupportsSOS()) {
1089 secnotice("clique-legacy", "sos requestToJoinCircle results: %d %@", result, joinErrorRef);
1095 if(OctagonPlatformSupportsSOS()) {
1096 NSData* analyticsData = nil;
1097 if(self.ctx.analytics){
1098 NSError* encodingError = nil;
1099 analyticsData = [NSKeyedArchiver archivedDataWithRootObject:self.ctx.analytics requiringSecureCoding:YES error:&encodingError];
1103 result = SOSCCRequestToJoinCircleWithAnalytics((__bridge CFDataRef)analyticsData, &joinErrorRef);
1105 result = SOSCCRequestToJoinCircle(&joinErrorRef);
1108 secnotice("clique-legacy", "sos requestToJoinCircle complete: %d %@", result, joinErrorRef);
1112 *error = (NSError*)CFBridgingRelease(joinErrorRef);
1114 CFBridgingRelease(joinErrorRef);
1116 return result ? YES : NO;
1119 - (BOOL)accountUserKeyAvailable
1121 secnotice("clique-legacy", "accountUserKeyAvailable for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1122 BOOL canAuthenticate = (BOOL)SOSCCCanAuthenticate(NULL);
1123 if (canAuthenticate == NO) {
1124 secnotice("clique-legacy", "Security requires credentials...");
1126 return canAuthenticate;
1129 // MARK: SBD interfaces
1130 + (OTBottleIDs* _Nullable)findOptimalBottleIDsWithContextData:(OTConfigurationContext*)data
1131 error:(NSError**)error
1134 secnotice("clique-findbottle", "finding optimal bottles for context:%@, altdsid:%@", data.context, data.altDSID);
1136 if(OctagonIsEnabled()) {
1137 __block NSError* localError = nil;
1138 __block NSArray<NSString*>* localViableBottleIDs = nil;
1139 __block NSArray<NSString*>* localPartiallyViableBottleIDs = nil;
1141 OTControl *control = [data makeOTControl:&localError];
1143 secnotice("clique-findbottle", "unable to create otcontrol: %@", localError);
1145 *error = localError;
1149 [control fetchAllViableBottles:OTCKContainerName
1150 context:data.context
1151 reply:^(NSArray<NSString *> * _Nullable sortedBottleIDs,
1152 NSArray<NSString*> * _Nullable sortedPartialBottleIDs,
1153 NSError * _Nullable fetchError) {
1155 secnotice("clique-findbottle", "findOptimalBottleIDsWithContextData errored: %@", fetchError);
1157 secnotice("clique-findbottle", "findOptimalBottleIDsWithContextData succeeded: %@, %@", sortedBottleIDs, sortedPartialBottleIDs);
1159 localError = fetchError;
1160 localViableBottleIDs = sortedBottleIDs;
1161 localPartiallyViableBottleIDs = sortedPartialBottleIDs;
1164 if(error && localError) {
1165 *error = localError;
1167 OTBottleIDs* bottleIDs = [[OTBottleIDs alloc] init];
1168 bottleIDs.preferredBottleIDs = localViableBottleIDs;
1169 bottleIDs.partialRecoveryBottleIDs = localPartiallyViableBottleIDs;
1171 secnotice("clique-findbottle", "findOptimalBottleIDsWithContextData complete");
1175 // With octagon off, fail with 'unimplemented'
1177 *error = [NSError errorWithDomain:NSOSStatusErrorDomain
1178 code:errSecUnimplemented
1179 userInfo:@{NSLocalizedDescriptionKey: @"optimal bottle IDs unimplemented"}];
1185 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
1191 + (OTClique* _Nullable)recoverWithContextData:(OTConfigurationContext*)data
1192 bottleID:(NSString*)bottleID
1193 escrowedEntropy:(NSData*)entropy
1194 error:(NSError**)error
1197 secnotice("octagon", "replaced by performEscrowRecoveryWithContextData:escrowArguments:error: remove call");
1201 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
1207 // used by sbd to fill in the escrow record
1208 // TODO: what extra entitlement do you need to call this?
1209 - (void)fetchEscrowContents:(void (^)(NSData* _Nullable entropy,
1210 NSString* _Nullable bottleID,
1211 NSData* _Nullable signingPublicKey,
1212 NSError* _Nullable error))reply
1215 secnotice("clique-fetchescrow", "fetching entropy for bottling for context:%@, altdsid:%@", self.ctx.context, self.ctx.altDSID);
1217 if(OctagonIsEnabled()) {
1218 NSError* controlError = nil;
1219 OTControl* control = [self makeOTControl:&controlError];
1221 reply(nil, nil, nil, controlError);
1224 [control fetchEscrowContents:OTCKContainerName
1225 contextID:self.ctx.context
1226 reply:^(NSData * _Nullable entropy,
1227 NSString * _Nullable bottleID,
1228 NSData * _Nullable signingPublicKey,
1229 NSError * _Nullable error) {
1231 secnotice("clique-fetchescrow", "fetchEscrowContents errored: %@", error);
1233 secnotice("clique-fetchescrow","fetchEscrowContents succeeded");
1235 reply (entropy, bottleID, signingPublicKey, error);
1240 // With octagon off, fail with 'unimplemented'
1241 reply(nil, nil, nil, [NSError errorWithDomain:NSOSStatusErrorDomain
1242 code:errSecUnimplemented
1243 userInfo:@{NSLocalizedDescriptionKey: @"fetchEscrowRecordContents unimplemented"}]);
1246 reply(nil, nil, nil, [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil]);
1250 + (void)setNewRecoveryKeyWithData:(OTConfigurationContext *)ctx
1251 recoveryKey:(NSString*)recoveryKey reply:(nonnull void (^)(SecRecoveryKey *rk, NSError *error))reply
1254 secnotice("octagon-setrecoverykey", "setNewRecoveryKeyWithData invoked for context: %@", ctx.context);
1255 //set the recovery key for SOS
1256 NSError* createRecoveryKeyError = nil;
1257 NSMutableDictionary *userInfo = [NSMutableDictionary new];
1258 NSError* retError = nil;
1260 SecRecoveryKey *rk = SecRKCreateRecoveryKeyWithError(recoveryKey, &createRecoveryKeyError);
1262 secerror("octagon-setrecoverykey, SecRKCreateRecoveryKeyWithError() failed: %@", createRecoveryKeyError);
1263 userInfo[NSLocalizedDescriptionKey] = @"SecRKCreateRecoveryKeyWithError() failed";
1264 userInfo[NSUnderlyingErrorKey] = createRecoveryKeyError;
1265 retError = [NSError errorWithDomain:getkSecureBackupErrorDomain() code:kSecureBackupInternalError userInfo:userInfo];
1266 reply(nil, retError);
1269 if(OctagonPlatformSupportsSOS()) {
1270 CFErrorRef registerError = nil;
1271 if (!SecRKRegisterBackupPublicKey(rk, ®isterError)) {
1272 secerror("octagon-setrecoverykey, SecRKRegisterBackupPublicKey() failed: %@", registerError);
1273 NSError *underlyingError = CFBridgingRelease(registerError);
1274 userInfo[NSLocalizedDescriptionKey] = @"SecRKRegisterBackupPublicKey() failed";
1275 userInfo[NSUnderlyingErrorKey] = underlyingError;
1276 retError = [NSError errorWithDomain:getkSecureBackupErrorDomain() code:kSecureBackupInternalError userInfo:userInfo];
1277 reply(nil,retError);
1280 secnotice("octagon-setrecoverykey", "successfully registered recovery key for SOS");
1284 //set the recovery key for Octagon
1285 if(OctagonRecoveryKeyIsEnabled()) {
1286 NSError* controlError = nil;
1287 OTControl* control = [ctx makeOTControl:&controlError];
1289 secnotice("octagon-setrecoverykey", "failed to fetch OTControl object: %@", controlError);
1290 reply(nil, controlError);
1293 [control createRecoveryKey:OTCKContainerName contextID:ctx.context recoveryKey:recoveryKey reply:^(NSError * createError) {
1295 secerror("octagon-setrecoverykey, failed to create octagon recovery key");
1296 reply(nil, createError);
1299 secnotice("octagon-setrecoverykey", "successfully set octagon recovery key");
1306 reply(nil, [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil]);
1310 + (void)recoverOctagonUsingData:(OTConfigurationContext *)ctx
1311 recoveryKey:(NSString*)recoveryKey
1312 reply:(void(^)(NSError* _Nullable error))reply
1315 if(OctagonRecoveryKeyIsEnabled()) {
1316 NSError* controlError = nil;
1317 OTControl* control = [ctx makeOTControl:&controlError];
1319 secnotice("clique-recoverykey", "join using recovery key");
1322 secnotice("clique-recoverykey", "failed to fetch OTControl object: %@", controlError);
1323 reply(controlError);
1326 [control joinWithRecoveryKey:OTCKContainerName contextID:ctx.context recoveryKey:recoveryKey reply:^(NSError *joinError) {
1328 secnotice("clique-recoverykey", "failed to join using recovery key: %@", joinError);
1332 secnotice("clique-recoverykey", "successfully joined using recovery key");
1338 reply([NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil]);
1342 - (void)performedCDPStateMachineRun:(OTCliqueCDPContextType)type
1343 success:(BOOL)success
1344 error:(NSError * _Nullable)error
1345 reply:(void(^)(NSError* _Nullable error))reply
1348 NSError* controlError = nil;
1349 OTControl* control = [self makeOTControl:&controlError];
1351 secnotice("clique-cdp-sm", "octagon, failed to fetch OTControl object: %@", controlError);
1352 reply(controlError);
1356 [control postCDPFollowupResult:success type:type error:error containerName:OTCKContainerName contextName:OTDefaultContext reply:^(NSError *postError) {
1358 secnotice("clique-cdp-sm", "failed to post %@ result: %@ ", type, postError);
1363 secnotice("clique-cdp-sm", "posted success: %@", type);
1365 secnotice("clique-cdp-sm", "posted error: %@: %@", type, error);
1370 reply([NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil]);
1374 - (BOOL)waitForOctagonUpgrade:(NSError** _Nullable)error
1377 OTControl* control = nil;
1379 if (!OctagonIsEnabled()) {
1380 secnotice("clique-waitforoctagonupgrade", "cannot upgrade, octagon is not enabled");
1382 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:@{NSLocalizedDescriptionKey: @"Octagon is not enabled"}];
1387 NSError *controlError = nil;
1388 control = [self makeOTControl:&controlError];
1390 secnotice("clique-waitforoctagonupgrade", "octagon, failed to fetch OTControl object: %@", controlError);
1392 *error = controlError;
1397 __block BOOL ret = NO;
1398 __block NSError* blockError = nil;
1400 [control waitForOctagonUpgrade:OTCKContainerName context:OTDefaultContext reply:^(NSError *postError) {
1402 secnotice("clique-waitforoctagonupgrade", "error from control: %@", postError);
1403 blockError = postError;
1406 secnotice("clique-waitforoctagonupgrade", "successfully upgraded to octagon");
1411 if (blockError && error) {
1412 *error = blockError;
1418 *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecUnimplemented userInfo:nil];
1424 - (void)performedFailureCDPStateMachineRun:(OTCliqueCDPContextType)type
1425 error:(NSError * _Nullable)error
1426 reply:(void(^)(NSError* _Nullable error))reply
1428 [self performedCDPStateMachineRun:type success:NO error:error reply:reply];
1431 - (void)performedSuccessfulCDPStateMachineRun:(OTCliqueCDPContextType)type
1432 reply:(void(^)(NSError* _Nullable error))reply
1434 [self performedCDPStateMachineRun:type success:YES error:nil reply:reply];