1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <TargetConditionals.h>
25 #if TARGET_OS_IOS
26 #include <MobileGestalt.h>
27 #endif
28
29 #import <os/feature_private.h>
30
31 #import "keychain/ot/OTConstants.h"
32 #import "utilities/debugging.h"
33
// Error domain for NSErrors produced by Octagon. Note that it uses the same
// string as OTDefaultsDomain below, so the two must not be confused when
// matching on domain.
NSErrorDomain const OctagonErrorDomain = @"com.apple.security.octagon";

// Name of the Octagon context used when a caller does not specify one.
NSString* OTDefaultContext = @"defaultContext";
// User-defaults domain and key associated with Octagon enablement (where they
// are read is not visible in this file).
NSString* OTDefaultsDomain = @"com.apple.security.octagon";
NSString* OTDefaultsOctagonEnable = @"enable";

// Identifiers for the two device-to-device trust establishment flows.
NSString* OTProtocolPairing = @"OctagonPairing";
NSString* OTProtocolPiggybacking = @"OctagonPiggybacking";

// A plain C string rather than an NSString — presumably a Darwin notification
// name posted when trust status changes; confirm against callers.
const char * OTTrustStatusChangeNotification = "com.apple.security.octagon.trust-status-change";

// Error domain for errors relayed from the Cuttlefish service, and the
// userInfo key under which a retry-after hint is carried.
NSString* const CuttlefishErrorDomain = @"CuttlefishError";
NSString* const CuttlefishErrorRetryAfterKey = @"retryafter";

// Prefix shared by escrow record identifiers.
NSString* OTEscrowRecordPrefix = @"com.apple.icdp.record.";

// NOTE(review): most of the exported pointers above are not declared `const`,
// so they are writable globals; tightening them to `NSString* const` would
// need a matching change to the declarations in OTConstants.h — confirm.
49
// I don't recommend using this command, but it does describe the plist that will enable this feature:
//
// defaults write /System/Library/FeatureFlags/Domain/Security octagon -dict Enabled -bool YES
//
// Each feature below has a pair of process-global overrides: the "...Set" flag
// records that an override has been installed, and the companion value is what
// the matching getter returns for as long as it is set. There is no function
// in this file that clears an override once installed. These are plain statics
// with no synchronization, so the exported setters are presumably intended for
// tests and single-threaded tooling — confirm against callers.
static bool OctagonEnabledOverrideSet = false;
static bool OctagonEnabledOverride = false;

static bool OctagonRecoveryKeyEnabledOverrideSet = false;
static bool OctagonRecoveryKeyEnabledOverride = false;

static bool OctagonAuthoritativeTrustEnabledOverrideSet = false;
static bool OctagonAuthoritativeTrustEnabledOverride = false;

static bool OctagonSOSFeatureIsEnabledOverrideSet = false;
static bool OctagonSOSFeatureIsEnabledOverride = false;

static bool OctagonOptimizationIsEnabledOverrideSet = false;
static bool OctagonOptimizationIsEnabledOverride = false;

static bool OctagonEscrowRecordFetchIsEnabledOverrideSet = false;
static bool OctagonEscrowRecordFetchIsEnabledOverride = false;

static bool SecKVSOnCloudKitIsEnabledOverrideSet = false;
static bool SecKVSOnCloudKitIsEnabledOverride = false;

static bool SecErrorNestedErrorCappingIsEnabledOverrideSet = false;
static bool SecErrorNestedErrorCappingIsEnabledOverride = false;
77
/// Reports whether Octagon is enabled for this process.
///
/// A value installed through OctagonSetIsEnabled() takes precedence and is
/// returned without consulting feature flags. Otherwise the `Security/octagon`
/// feature flag is read exactly once, cached for the lifetime of the process,
/// and logged at that time. Because the override is checked first, an override
/// installed after the flag has been cached still wins.
bool OctagonIsEnabled(void)
{
    if (!OctagonEnabledOverrideSet) {
        static bool cachedFlag = false;
        static dispatch_once_t readFlagOnce;
        dispatch_once(&readFlagOnce, ^{
            cachedFlag = os_feature_enabled(Security, octagon);
            NSString *state = cachedFlag ? @"enabled" : @"disabled";
            secnotice("octagon", "Octagon is %@ (via feature flags)", state);
        });
        return cachedFlag;
    }

    NSString *state = OctagonEnabledOverride ? @"enabled" : @"disabled";
    secnotice("octagon", "Octagon is %@ (overridden)", state);
    return OctagonEnabledOverride;
}
94
/// Installs a process-wide override for OctagonIsEnabled().
///
/// Once called, OctagonIsEnabled() returns `value` regardless of feature
/// flags; nothing in this file clears the override again.
/// @param value YES to report Octagon as enabled, NO to report it disabled.
void OctagonSetIsEnabled(BOOL value)
{
    // Store the value first, then the flag that makes it effective.
    OctagonEnabledOverride = value ? true : false;
    OctagonEnabledOverrideSet = true;
}
100
// Override state for OctagonPlatformSupportsSOS(): when OctagonOverridePlatformSOS
// is true, OctagonPlatformSOSOverrideValue is returned instead of the platform
// detection result.
static bool OctagonOverridePlatformSOS = false;
static bool OctagonPlatformSOSOverrideValue = false;
// Force-on switch for OctagonPerformSOSUpgrade(); a false value has no effect
// there (the getter falls through to the feature flag).
static bool OctagonPlatformSOSUpgrade = false;
104
/// Reports whether this platform supports SOS (Secure Object Sync).
///
/// An override installed via OctagonSetPlatformSupportsSOS() wins. Otherwise
/// macOS always answers YES; iOS answers YES only for iPhone, iPad and iPod
/// device classes (queried once via MobileGestalt and cached); every other
/// platform answers NO. If the device class cannot be determined the answer
/// is NO and an error is logged.
/// @return YES if SOS is supported on this platform.
BOOL OctagonPlatformSupportsSOS(void)
{
    // A test/override hook wins over any platform detection.
    if (OctagonOverridePlatformSOS) {
        return OctagonPlatformSOSOverrideValue ? YES : NO;
    }

#if TARGET_OS_OSX
    return YES;
#elif TARGET_OS_IOS
    static bool sosCapable = false;
    static dispatch_once_t detectOnce;
    dispatch_once(&detectOnce, ^{
        // Only iPhones, iPads, and iPods support SOS.
        CFStringRef deviceClass = MGCopyAnswer(kMGQDeviceClass, NULL);
        if (deviceClass == NULL) {
            secerror("octagon: Unable to determine device class. Guessing SOS status as Not Supported");
            sosCapable = false;
        } else {
            sosCapable = CFEqual(deviceClass, kMGDeviceClassiPhone)
                      || CFEqual(deviceClass, kMGDeviceClassiPad)
                      || CFEqual(deviceClass, kMGDeviceClassiPod);
            CFRelease(deviceClass);
        }
        secnotice("octagon", "SOS is %@ on this platform" , sosCapable ? @"supported" : @"not supported");
    });

    return sosCapable ? YES : NO;
#else
    return NO;
#endif
}
140
/// Installs a process-wide override for OctagonPlatformSupportsSOS().
///
/// After this call the platform detection is bypassed and `value` is returned
/// instead; nothing in this file clears the override again.
/// @param value YES to report SOS as supported, NO otherwise.
void OctagonSetPlatformSupportsSOS(BOOL value)
{
    OctagonPlatformSOSOverrideValue = value ? true : false;
    OctagonOverridePlatformSOS = true;
}
146
/// Sets the force-on switch consulted by OctagonPerformSOSUpgrade().
///
/// Only YES has an effect: OctagonPerformSOSUpgrade() treats a false switch
/// as "not overridden" and falls through to the feature flag, so this cannot
/// be used to force the upgrade off.
/// @param value YES to force the SOS upgrade on.
void OctagonSetSOSUpgrade(BOOL value)
{
    OctagonPlatformSOSUpgrade = value ? true : false;
}
151
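/// Reports whether the SOS→Octagon upgrade should be performed.
///
/// OctagonSetSOSUpgrade(YES) forces a YES answer. Note that the switch can only
/// force-enable: when it is false this falls through to the
/// `Security/octagonSOSupgrade` feature flag, which — unlike the other getters
/// in this file — is re-read on every call rather than cached.
/// @return YES if the upgrade is forced on or the feature flag is enabled.
BOOL OctagonPerformSOSUpgrade(void)
{
    // Declared with an explicit (void) prototype; the original `()` form is
    // an unprototyped declaration in C and does not match the header.
    if (OctagonPlatformSOSUpgrade) {
        return YES;
    }
    return os_feature_enabled(Security, octagonSOSupgrade) ? YES : NO;
}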
159
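/// Reports whether the Octagon recovery-key feature is enabled.
///
/// An override installed via OctagonRecoveryKeySetIsEnabled() takes precedence.
/// Otherwise the `Security/recoverykey` feature flag is read once, cached for
/// the lifetime of the process, and logged at that time.
/// @return YES if recovery-key support should be used.
BOOL OctagonRecoveryKeyIsEnabled(void)
{
    if (OctagonRecoveryKeyEnabledOverrideSet) {
        secnotice("octagon", "Octagon RecoveryKey is %@ (overridden)", OctagonRecoveryKeyEnabledOverride ? @"enabled" : @"disabled");
        return OctagonRecoveryKeyEnabledOverride;
    }

    static bool octagonRecoveryKeyEnabled = false;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        octagonRecoveryKeyEnabled = os_feature_enabled(Security, recoverykey);
        // Name the feature in the log line: it previously read "Octagon is …",
        // which is indistinguishable from OctagonIsEnabled()'s own message.
        secnotice("octagon", "Octagon RecoveryKey is %@ (via feature flags)", octagonRecoveryKeyEnabled ? @"enabled" : @"disabled");
    });

    return octagonRecoveryKeyEnabled;
}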
176
/// Installs a process-wide override for OctagonRecoveryKeyIsEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report the recovery-key feature as enabled.
void OctagonRecoveryKeySetIsEnabled(BOOL value)
{
    OctagonRecoveryKeyEnabledOverride = value ? true : false;
    OctagonRecoveryKeyEnabledOverrideSet = true;
}
182
183
/// Reports whether "authoritative" Octagon trust is enabled.
///
/// An override installed via OctagonAuthoritativeTrustSetIsEnabled() wins;
/// otherwise the `Security/octagonTrust` feature flag is read once, cached for
/// the lifetime of the process, and logged at that time.
/// @return YES if Octagon trust is authoritative.
BOOL OctagonAuthoritativeTrustIsEnabled(void)
{
    if (OctagonAuthoritativeTrustEnabledOverrideSet) {
        NSString *state = OctagonAuthoritativeTrustEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (overridden)", state);
        return OctagonAuthoritativeTrustEnabledOverride;
    }

    static bool trustFlag = false;
    static dispatch_once_t trustFlagOnce;
    dispatch_once(&trustFlagOnce, ^{
        trustFlag = os_feature_enabled(Security, octagonTrust);
        NSString *state = trustFlag ? @"enabled" : @"disabled";
        secnotice("octagon", "Authoritative Octagon Trust is %@ (via feature flags)", state);
    });

    return trustFlag;
}
200
/// Installs a process-wide override for OctagonAuthoritativeTrustIsEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report authoritative trust as enabled.
void OctagonAuthoritativeTrustSetIsEnabled(BOOL value)
{
    OctagonAuthoritativeTrustEnabledOverride = value ? true : false;
    OctagonAuthoritativeTrustEnabledOverrideSet = true;
}
206
/// Reports whether the SOS (Secure Object Sync) feature is enabled.
///
/// An override installed via OctagonSetSOSFeatureEnabled() wins; otherwise the
/// `Security/EnableSecureObjectSync` feature flag is read once, cached for the
/// lifetime of the process, and logged at that time.
/// @return YES if SOS should be used.
BOOL OctagonIsSOSFeatureEnabled(void)
{
    if (!OctagonSOSFeatureIsEnabledOverrideSet) {
        static bool sosFlag = true;
        static dispatch_once_t sosFlagOnce;
        dispatch_once(&sosFlagOnce, ^{
            sosFlag = os_feature_enabled(Security, EnableSecureObjectSync);
            secnotice("octagon", "SOS Feature is %@ (via feature flags)", sosFlag ? @"enabled" : @"disabled");
        });
        return sosFlag;
    }

    NSString *state = OctagonSOSFeatureIsEnabledOverride ? @"enabled" : @"disabled";
    secnotice("octagon", "SOS Feature is %@ (overridden)", state);
    return OctagonSOSFeatureIsEnabledOverride;
}
223
/// Installs a process-wide override for OctagonIsSOSFeatureEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report the SOS feature as enabled.
void OctagonSetSOSFeatureEnabled(BOOL value)
{
    OctagonSOSFeatureIsEnabledOverride = value ? true : false;
    OctagonSOSFeatureIsEnabledOverrideSet = true;
}
229
/// Feature flag for enabling/disabling performance enhancements.
///
/// An override installed via OctagonSetOptimizationEnabled() wins; otherwise
/// the `Security/OctagonOptimization` feature flag is read once, cached for
/// the lifetime of the process, and logged at that time.
/// @return YES if the optimizations should be used.
BOOL OctagonIsOptimizationEnabled(void)
{
    if (OctagonOptimizationIsEnabledOverrideSet) {
        NSString *state = OctagonOptimizationIsEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon Optimization is %@ (overridden)", state);
        return OctagonOptimizationIsEnabledOverride;
    }

    static bool optimizationFlag = true;
    static dispatch_once_t optimizationFlagOnce;
    dispatch_once(&optimizationFlagOnce, ^{
        optimizationFlag = os_feature_enabled(Security, OctagonOptimization);
        NSString *state = optimizationFlag ? @"enabled" : @"disabled";
        secnotice("octagon", "Octagon Optimization is %@ (via feature flags)", state);
    });

    return optimizationFlag;
}
247
/// Installs a process-wide override for OctagonIsOptimizationEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report the optimizations as enabled.
void OctagonSetOptimizationEnabled(BOOL value)
{
    OctagonOptimizationIsEnabledOverride = value ? true : false;
    OctagonOptimizationIsEnabledOverrideSet = true;
}
253
254
/// Feature flag for checking whether escrow record fetching is enabled.
///
/// An override installed via OctagonSetEscrowRecordFetchEnabled() wins;
/// otherwise the `Security/OctagonEscrowRecordFetch` feature flag is read
/// once, cached for the lifetime of the process, and logged at that time.
/// @return YES if escrow records should be fetched.
BOOL OctagonIsEscrowRecordFetchEnabled(void)
{
    if (!OctagonEscrowRecordFetchIsEnabledOverrideSet) {
        static bool fetchFlag = true;
        static dispatch_once_t fetchFlagOnce;
        dispatch_once(&fetchFlagOnce, ^{
            fetchFlag = os_feature_enabled(Security, OctagonEscrowRecordFetch);
            secnotice("octagon", "Octagon Escrow Record Fetching is %@ (via feature flags)", fetchFlag ? @"enabled" : @"disabled");
        });
        return fetchFlag;
    }

    NSString *state = OctagonEscrowRecordFetchIsEnabledOverride ? @"enabled" : @"disabled";
    secnotice("octagon", "Octagon Escrow Record Fetching is %@ (overridden)", state);
    return OctagonEscrowRecordFetchIsEnabledOverride;
}
272
/// Installs a process-wide override for OctagonIsEscrowRecordFetchEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report escrow record fetching as enabled.
void OctagonSetEscrowRecordFetchEnabled(BOOL value)
{
    OctagonEscrowRecordFetchIsEnabledOverride = value ? true : false;
    OctagonEscrowRecordFetchIsEnabledOverrideSet = true;
}
278
/// Feature flag for checking KVS-on-CloudKit enablement.
///
/// An override installed via SecKVSOnCloudKitSetOverrideIsEnabled() wins;
/// otherwise the `KVS/KVSOnCloudKitForAll` feature flag (note: the KVS domain,
/// not Security) is read once, cached for the lifetime of the process, and
/// logged at that time.
/// @return YES if KVS on CloudKit is enabled.
BOOL SecKVSOnCloudKitIsEnabled(void)
{
    if (SecKVSOnCloudKitIsEnabledOverrideSet) {
        NSString *state = SecKVSOnCloudKitIsEnabledOverride ? @"enabled" : @"disabled";
        secnotice("octagon", "KVS on CloudKit is %@ (overridden)", state);
        return SecKVSOnCloudKitIsEnabledOverride;
    }

    static bool kvsFlag = true;
    static dispatch_once_t kvsFlagOnce;
    dispatch_once(&kvsFlagOnce, ^{
        kvsFlag = os_feature_enabled(KVS, KVSOnCloudKitForAll);
        NSString *state = kvsFlag ? @"enabled" : @"disabled";
        secnotice("octagon", "KVS on CloudKit is %@ (via feature flags)", state);
    });

    return kvsFlag;
}
296
/// Installs a process-wide override for SecKVSOnCloudKitIsEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report KVS on CloudKit as enabled.
void SecKVSOnCloudKitSetOverrideIsEnabled(BOOL value)
{
    SecKVSOnCloudKitIsEnabledOverride = value ? true : false;
    SecKVSOnCloudKitIsEnabledOverrideSet = true;
}
302
/// Feature flag for checking whether the number of nested errors should be
/// capped.
///
/// An override installed via SecErrorSetOverrideNestedErrorCappingIsEnabled()
/// wins; otherwise the `Security/SecErrorNestedErrorCapping` feature flag is
/// read once, cached for the lifetime of the process, and logged at that time.
/// @return true if nested-error capping is enabled.
bool SecErrorIsNestedErrorCappingEnabled(void)
{
    if (!SecErrorNestedErrorCappingIsEnabledOverrideSet) {
        static bool cappingFlag = true;
        static dispatch_once_t cappingFlagOnce;
        dispatch_once(&cappingFlagOnce, ^{
            cappingFlag = os_feature_enabled(Security, SecErrorNestedErrorCapping);
            secnotice("octagon", "SecError Nested Error Capping is %@ (via feature flags)", cappingFlag ? @"enabled" : @"disabled");
        });
        return cappingFlag;
    }

    NSString *state = SecErrorNestedErrorCappingIsEnabledOverride ? @"enabled" : @"disabled";
    secnotice("octagon", "SecError Nested Error Capping is %@ (overridden)", state);
    return SecErrorNestedErrorCappingIsEnabledOverride;
}
320
/// Installs a process-wide override for SecErrorIsNestedErrorCappingEnabled().
///
/// Nothing in this file clears the override once it is set.
/// @param value YES to report nested-error capping as enabled.
void SecErrorSetOverrideNestedErrorCappingIsEnabled(BOOL value)
{
    SecErrorNestedErrorCappingIsEnabledOverride = value ? true : false;
    SecErrorNestedErrorCappingIsEnabledOverrideSet = true;
}