2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #include <TargetConditionals.h>
26 #include <MobileGestalt.h>
29 #import <os/feature_private.h>
31 #import "keychain/ot/OTConstants.h"
32 #import "utilities/debugging.h"
// Error domain used for NSError values produced by Octagon.
NSString * const OctagonErrorDomain = @"com.apple.security.octagon";

// Default context name and the user-defaults domain/key pair read elsewhere.
// NOTE(review): these are non-const globals, so any code in the process can
// reassign them; presumably the header declares them without const — verify
// there before tightening them to `NSString * const`.
NSString *OTDefaultContext = @"defaultContext";
NSString *OTDefaultsDomain = @"com.apple.security.octagon";
NSString *OTDefaultsOctagonEnable = @"enable";

// Identifiers for the two Octagon transport protocols.
NSString *OTProtocolPairing = @"OctagonPairing";
NSString *OTProtocolPiggybacking = @"OctagonPiggybacking";

// C-string notification name for trust-status changes (its consumers are not
// visible in this file).
const char *OTTrustStatusChangeNotification = "com.apple.security.octagon.trust-status-change";
// The Octagon switch lives in the Security feature-flag domain. Using this
// command is not recommended, but it documents the plist shape that turns the
// feature on:
//   defaults write /System/Library/FeatureFlags/Domain/Security octagon -dict Enabled -bool YES

// Process-wide overrides that take precedence over the feature flags.
// Each feature has a "set" marker plus the overriding value; the marker tells
// the corresponding query function whether the override applies at all.
// NOTE(review): plain statics with no synchronization — presumably set once
// before concurrent queries begin (e.g. in test setup); confirm with callers.
static bool OctagonEnabledOverrideSet = false;
static bool OctagonEnabledOverride = false;

static bool OctagonRecoveryKeyEnabledOverrideSet = false;
static bool OctagonRecoveryKeyEnabledOverride = false;

static bool OctagonAuthoritativeTrustEnabledOverrideSet = false;
static bool OctagonAuthoritativeTrustEnabledOverride = false;
// Reports whether Octagon is enabled.
//
// A process-wide override (OctagonSetIsEnabled) wins unconditionally. Otherwise
// the Security/octagon feature flag is consulted exactly once per process and
// the answer is cached, so a later flag change is not observed until restart.
bool OctagonIsEnabled(void)
{
    if (OctagonEnabledOverrideSet) {
        NSString *overrideState = OctagonEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon is %@ (overridden)", overrideState);
        return OctagonEnabledOverride;
    }

    static dispatch_once_t evaluateFlagOnce;
    static bool enabledPerFeatureFlag = false;
    dispatch_once(&evaluateFlagOnce, ^{
        enabledPerFeatureFlag = os_feature_enabled(Security, octagon);
        NSString *flagState = enabledPerFeatureFlag ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon is %@ (via feature flags)", flagState);
    });

    return enabledPerFeatureFlag;
}
// Forces OctagonIsEnabled() to report `value` for the rest of the process,
// regardless of the feature flag. Nothing in this file clears the override.
void OctagonSetIsEnabled(BOOL value)
{
    OctagonEnabledOverrideSet = true;
    OctagonEnabledOverride = (value != NO);
}
// Overrides for the SOS platform probe and the SOS-upgrade decision.
// OctagonOverridePlatformSOS is the "set" marker for OctagonPlatformSOSOverrideValue;
// OctagonPlatformSOSUpgrade has no marker and only matters when true (see
// OctagonPerformSOSUpgrade).
static bool OctagonOverridePlatformSOS = false;
static bool OctagonPlatformSOSOverrideValue = false;
static bool OctagonPlatformSOSUpgrade = false;
// Reports whether this platform supports SOS.
//
// A process-wide override (OctagonSetPlatformSupportsSOS) wins. Otherwise the
// device class is read from MobileGestalt once per process and cached: only
// the iPhone, iPad and iPod device classes count as SOS-capable, and an
// unreadable device class is treated as "not supported".
BOOL OctagonPlatformSupportsSOS(void)
{
    if (OctagonOverridePlatformSOS) {
        return OctagonPlatformSOSOverrideValue ? YES : NO;
    }

    static dispatch_once_t probeOnce;
    static bool cachedSOSCapable = false;
    dispatch_once(&probeOnce, ^{
        CFStringRef deviceClass = MGCopyAnswer(kMGQDeviceClass, NULL);
        if (deviceClass == NULL) {
            // No answer from MobileGestalt: default to "not supported".
            secerror("octagon: Unable to determine device class. Guessing SOS status as Not Supported");
            cachedSOSCapable = false;
        } else {
            cachedSOSCapable = CFEqual(deviceClass, kMGDeviceClassiPhone)
                            || CFEqual(deviceClass, kMGDeviceClassiPad)
                            || CFEqual(deviceClass, kMGDeviceClassiPod);
            // MGCopyAnswer hands back an owned reference (Copy rule).
            CFRelease(deviceClass);
        }
        secnotice("octagon", "SOS is %@ on this platform" , cachedSOSCapable ? @"supported" : @"not supported");
    });

    return cachedSOSCapable ? YES : NO;
}
// Forces OctagonPlatformSupportsSOS() to report `value` for the rest of the
// process, bypassing the MobileGestalt probe. Nothing in this file clears it.
void OctagonSetPlatformSupportsSOS(BOOL value)
{
    OctagonPlatformSOSOverrideValue = (value != NO);
    OctagonOverridePlatformSOS = true;
}
// Sets the SOS-upgrade override. Only a YES value has an effect on
// OctagonPerformSOSUpgrade(); NO falls back to the feature flag.
void OctagonSetSOSUpgrade(BOOL value)
{
    OctagonPlatformSOSUpgrade = (value != NO);
}
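// Reports whether the SOS-upgrade path should run.
//
// Unlike the other override pairs in this file, OctagonSetSOSUpgrade only
// takes effect when set to YES: a true override short-circuits the feature
// flag, while the default (false) falls through to os_feature_enabled(). The
// setter therefore cannot force the upgrade off.
//
// The parameter list is now an explicit (void) prototype; the earlier "()"
// form is an unprototyped C declaration, which lets a call site pass
// arguments without a compiler diagnostic.
BOOL OctagonPerformSOSUpgrade(void)
{
    if (OctagonPlatformSOSUpgrade) {
        return YES;
    }
    return os_feature_enabled(Security, octagonSOSupgrade) ? YES : NO;
}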
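// Reports whether the Octagon RecoveryKey feature is enabled.
//
// A process-wide override (OctagonRecoveryKeySetIsEnabled) wins. Otherwise the
// Security/recoverykey feature flag is read once per process and cached.
BOOL OctagonRecoveryKeyIsEnabled(void)
{
    if (OctagonRecoveryKeyEnabledOverrideSet) {
        secnotice("octagon", "Octagon RecoveryKey is %@ (overridden)", OctagonRecoveryKeyEnabledOverride ? @"enabled" : @"disabled");
        return OctagonRecoveryKeyEnabledOverride ? YES : NO;
    }

    static dispatch_once_t onceToken;
    static bool octagonRecoveryKeyEnabled = false;
    dispatch_once(&onceToken, ^{
        octagonRecoveryKeyEnabled = os_feature_enabled(Security, recoverykey);
        // The feature-flag log line previously read "Octagon is ..." (copied
        // from OctagonIsEnabled), making the RecoveryKey and Octagon flags
        // indistinguishable in logs; it now names RecoveryKey like the
        // override branch above.
        secnotice("octagon", "Octagon RecoveryKey is %@ (via feature flags)", octagonRecoveryKeyEnabled ? @"enabled" : @"disabled");
    });

    return octagonRecoveryKeyEnabled ? YES : NO;
}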
// Forces OctagonRecoveryKeyIsEnabled() to report `value` for the rest of the
// process, regardless of the feature flag. Nothing in this file clears it.
void OctagonRecoveryKeySetIsEnabled(BOOL value)
{
    OctagonRecoveryKeyEnabledOverrideSet = true;
    OctagonRecoveryKeyEnabledOverride = (value != NO);
}
// Reports whether Authoritative Octagon Trust is enabled.
//
// A process-wide override (OctagonAuthoritativeTrustSetIsEnabled) wins.
// Otherwise the Security/octagonTrust feature flag is read once per process
// and cached, so a later flag change is not observed until restart.
BOOL OctagonAuthoritativeTrustIsEnabled(void)
{
    if (OctagonAuthoritativeTrustEnabledOverrideSet) {
        NSString *overrideState = OctagonAuthoritativeTrustEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (overridden)", overrideState);
        return OctagonAuthoritativeTrustEnabledOverride;
    }

    static dispatch_once_t evaluateFlagOnce;
    static bool trustEnabledPerFeatureFlag = false;
    dispatch_once(&evaluateFlagOnce, ^{
        trustEnabledPerFeatureFlag = os_feature_enabled(Security, octagonTrust);
        NSString *flagState = trustEnabledPerFeatureFlag ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (via feature flags)", flagState);
    });

    return trustEnabledPerFeatureFlag;
}
// Forces OctagonAuthoritativeTrustIsEnabled() to report `value` for the rest
// of the process, regardless of the feature flag. Nothing in this file
// clears the override.
void OctagonAuthoritativeTrustSetIsEnabled(BOOL value)
{
    OctagonAuthoritativeTrustEnabledOverrideSet = true;
    OctagonAuthoritativeTrustEnabledOverride = (value != NO);
}