1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
#include <TargetConditionals.h>
#if TARGET_OS_IOS
// MobileGestalt is only needed for the device-class query in OctagonPlatformSupportsSOS(),
// which is compiled for iOS alone.
#include <MobileGestalt.h>
#endif

// os_feature_enabled(Security, ...) — presumably declared by this private header; confirm.
#import <os/feature_private.h>

#import "keychain/ot/OTConstants.h"
#import "utilities/debugging.h"   // secnotice()/secerror() logging macros — presumably from here
33
// NSError domain used for Octagon errors.
NSString* const OctagonErrorDomain = @"com.apple.security.octagon";

// Default Octagon context name plus the defaults domain/key for the Octagon enable switch.
// Nothing in this file reads the defaults domain or key; see the callers for where they are consumed.
// NOTE(review): these pointers are not declared const, so they can be reassigned at runtime by any
// code in the process; if the header permits, `NSString* const` would close that off.
NSString* OTDefaultContext = @"defaultContext";
NSString* OTDefaultsDomain = @"com.apple.security.octagon";
NSString* OTDefaultsOctagonEnable = @"enable";

// Identifiers for the Octagon pairing and piggybacking protocols.
NSString* OTProtocolPairing = @"OctagonPairing";
NSString* OTProtocolPiggybacking = @"OctagonPiggybacking";

// C-string notification name posted on Octagon trust-status changes
// (presumably a notify(3)-style name — confirm against the poster).
const char * OTTrustStatusChangeNotification = "com.apple.security.octagon.trust-status-change";
44
// I don't recommend using this command, but it does describe the plist that will enable this feature:
//
// defaults write /System/Library/FeatureFlags/Domain/Security octagon -dict Enabled -bool YES
//
// Process-local overrides for the feature-flag checks below. Each pair is a "has an override been
// set" flag plus the value to report while it is set; they live only in this process's memory and are
// never persisted, so they cannot change the feature gate for any other process. They are written
// solely by the Octagon*SetIsEnabled() functions in this file.
static bool OctagonEnabledOverrideSet = false;
static bool OctagonEnabledOverride = false;

static bool OctagonRecoveryKeyEnabledOverrideSet = false;
static bool OctagonRecoveryKeyEnabledOverride = false;

static bool OctagonAuthoritativeTrustEnabledOverrideSet = false;
static bool OctagonAuthoritativeTrustEnabledOverride = false;
57
// Reports whether Octagon is enabled.
//
// A runtime override installed via OctagonSetIsEnabled() always wins. Otherwise the Security/octagon
// feature flag is read exactly once per process and the result is cached; a flag change after the
// first call is not observed until the process restarts.
bool OctagonIsEnabled(void)
{
    if(OctagonEnabledOverrideSet) {
        NSString* overrideState = OctagonEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon is %@ (overridden)", overrideState);
        return OctagonEnabledOverride;
    }

    static dispatch_once_t onceToken;
    static bool octagonEnabled = false;
    dispatch_once(&onceToken, ^{
        octagonEnabled = os_feature_enabled(Security, octagon);
        NSString* flagState = octagonEnabled ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon is %@ (via feature flags)", flagState);
    });

    return octagonEnabled;
}
74
// Installs a process-local override for OctagonIsEnabled().
//
// @param value The enabled state OctagonIsEnabled() should report from now on, in this process only.
//              Once called there is no way to return to feature-flag behaviour.
void OctagonSetIsEnabled(BOOL value)
{
    OctagonEnabledOverrideSet = true;
    OctagonEnabledOverride = (value != NO);
}
80
// Process-local overrides for OctagonPlatformSupportsSOS() and OctagonPerformSOSUpgrade().
static bool OctagonOverridePlatformSOS = false;       // true once OctagonSetPlatformSupportsSOS() has been called
static bool OctagonPlatformSOSOverrideValue = false;  // value reported while the override above is active
static bool OctagonPlatformSOSUpgrade = false;        // set by OctagonSetSOSUpgrade(); true forces the upgrade on
84
// Reports whether this platform supports SOS (the peer circle Octagon can upgrade from).
//
// A runtime override from OctagonSetPlatformSupportsSOS() wins. Otherwise: macOS always reports YES;
// iOS asks MobileGestalt for the device class once per process and caches the answer, reporting YES
// only for iPhone, iPad and iPod; every other platform reports NO. A failed device-class lookup is
// logged and treated as "not supported".
BOOL OctagonPlatformSupportsSOS(void)
{
    if(OctagonOverridePlatformSOS) {
        if(OctagonPlatformSOSOverrideValue) {
            return YES;
        }
        return NO;
    }

#if TARGET_OS_OSX
    return YES;
#elif TARGET_OS_IOS
    static dispatch_once_t onceToken;
    static bool isSOSCapable = false;

    dispatch_once(&onceToken, ^{
        CFStringRef deviceClass = MGCopyAnswer(kMGQDeviceClass, NULL);

        if(deviceClass == NULL) {
            // Fail closed: with no device class we cannot prove SOS support.
            secerror("octagon: Unable to determine device class. Guessing SOS status as Not Supported");
            isSOSCapable = false;
        } else {
            // Only iPhones, iPads, and iPods support SOS.
            isSOSCapable = CFEqual(deviceClass, kMGDeviceClassiPhone)
                        || CFEqual(deviceClass, kMGDeviceClassiPad)
                        || CFEqual(deviceClass, kMGDeviceClassiPod);
            CFRelease(deviceClass);
        }

        NSString* sosState = isSOSCapable ? @"supported" : @"not supported";
        secnotice("octagon", "SOS is %@ on this platform", sosState);
    });

    if(isSOSCapable) {
        return YES;
    }
    return NO;
#else
    return NO;
#endif
}
120
// Installs a process-local override for OctagonPlatformSupportsSOS().
//
// @param value The support state OctagonPlatformSupportsSOS() should report from now on. The value is
//              stored before the override flag is raised; there is no way to clear the override.
void OctagonSetPlatformSupportsSOS(BOOL value)
{
    OctagonPlatformSOSOverrideValue = (value != NO);
    OctagonOverridePlatformSOS = true;
}
126
// Sets the process-local SOS-upgrade override consulted by OctagonPerformSOSUpgrade().
//
// @param value YES forces OctagonPerformSOSUpgrade() to report YES; NO only removes that forcing and
//              lets the feature flag decide again (it does not disable the upgrade).
void OctagonSetSOSUpgrade(BOOL value)
{
    OctagonPlatformSOSUpgrade = (value != NO);
}
131
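// Reports whether the SOS-to-Octagon upgrade should be performed.
//
// Unlike the *OverrideSet pairs in this file, the override here is one-directional: a YES from
// OctagonSetSOSUpgrade() forces the upgrade on, but a NO falls through to the Security/octagonSOSupgrade
// feature flag rather than disabling it. The flag is re-read on every call (no dispatch_once cache).
//
// @return YES if the upgrade is forced on or the feature flag is enabled, NO otherwise.
BOOL OctagonPerformSOSUpgrade(void)
{
    // Declared with an explicit (void) prototype: an empty parameter list is an unspecified-arguments
    // declaration in C and defeats argument checking at call sites.
    if(OctagonPlatformSOSUpgrade) {
        return YES;
    }
    return os_feature_enabled(Security, octagonSOSupgrade) ? YES : NO;
}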
139
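// Reports whether the Octagon RecoveryKey feature is enabled.
//
// A runtime override from OctagonRecoveryKeySetIsEnabled() wins. Otherwise the Security/recoverykey
// feature flag is read once per process and cached for the life of the process.
//
// @return YES if enabled (by override or feature flag), NO otherwise.
BOOL OctagonRecoveryKeyIsEnabled(void)
{
    if(OctagonRecoveryKeyEnabledOverrideSet) {
        secnotice("octagon", "Octagon RecoveryKey is %@ (overridden)", OctagonRecoveryKeyEnabledOverride ? @"enabled" : @"disabled");
        return OctagonRecoveryKeyEnabledOverride;
    }

    static bool octagonRecoveryKeyEnabled = false;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        octagonRecoveryKeyEnabled = os_feature_enabled(Security, recoverykey);
        // Log names the RecoveryKey flag, not Octagon itself — the previous message was a copy of
        // the OctagonIsEnabled() one and made the two states indistinguishable in logs.
        secnotice("octagon", "Octagon RecoveryKey is %@ (via feature flags)", octagonRecoveryKeyEnabled ? @"enabled" : @"disabled");
    });

    return octagonRecoveryKeyEnabled;
}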
156
// Installs a process-local override for OctagonRecoveryKeyIsEnabled().
//
// @param value The enabled state to report from now on in this process; the override cannot be cleared.
void OctagonRecoveryKeySetIsEnabled(BOOL value)
{
    OctagonRecoveryKeyEnabledOverrideSet = true;
    OctagonRecoveryKeyEnabledOverride = (value != NO);
}
162
163
// Reports whether Octagon is the authoritative source of trust.
//
// A runtime override from OctagonAuthoritativeTrustSetIsEnabled() wins. Otherwise the
// Security/octagonTrust feature flag is read once per process and cached.
//
// @return YES if enabled (by override or feature flag), NO otherwise.
BOOL OctagonAuthoritativeTrustIsEnabled(void)
{
    if(OctagonAuthoritativeTrustEnabledOverrideSet) {
        NSString* overrideState = OctagonAuthoritativeTrustEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (overridden)", overrideState);
        return OctagonAuthoritativeTrustEnabledOverride;
    }

    static dispatch_once_t onceToken;
    static bool octagonAuthoritativeTrustEnabled = false;
    dispatch_once(&onceToken, ^{
        octagonAuthoritativeTrustEnabled = os_feature_enabled(Security, octagonTrust);
        NSString* flagState = octagonAuthoritativeTrustEnabled ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (via feature flags)", flagState);
    });

    return octagonAuthoritativeTrustEnabled;
}
180
// Installs a process-local override for OctagonAuthoritativeTrustIsEnabled().
//
// @param value The enabled state to report from now on in this process; the override cannot be cleared.
void OctagonAuthoritativeTrustSetIsEnabled(BOOL value)
{
    OctagonAuthoritativeTrustEnabledOverrideSet = true;
    OctagonAuthoritativeTrustEnabledOverride = (value != NO);
}