1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <TargetConditionals.h>
25 #if TARGET_OS_IOS
26 #include <MobileGestalt.h>
27 #endif
28
29 #import <os/feature_private.h>
30
31 #import "keychain/ot/OTConstants.h"
32 #import "utilities/debugging.h"
33
// Error domain used for NSError values produced by Octagon.
NSString *const OctagonErrorDomain = @"com.apple.security.octagon";

// Default Octagon context name, plus the defaults domain and key that name
// the "enable" setting.
//
// NOTE(review): these three are declared without `const` (their extern
// declarations are in the header, which is not visible here), so the pointer
// itself is a writable global that any code in the process can reassign.
// Making them `NSString *const` — with the header changed to agree — would
// close that off at no cost.
NSString *OTDefaultContext = @"defaultContext";
NSString *OTDefaultsDomain = @"com.apple.security.octagon";
NSString *OTDefaultsOctagonEnable = @"enable";

// Identifiers for the two Octagon pairing protocols (likely used to label the
// pairing and piggybacking flows; the consumers are outside this file).
NSString *OTProtocolPairing = @"OctagonPairing";
NSString *OTProtocolPiggybacking = @"OctagonPiggybacking";

// Name of the notification posted when Octagon trust status changes. It is a
// C string, so presumably a Darwin notification name — verify against the
// poster/observer.
const char *OTTrustStatusChangeNotification = "com.apple.security.octagon.trust-status-change";
44
// I don't recommend using this command, but it does describe the plist that will enable this feature:
//
// defaults write /System/Library/FeatureFlags/Domain/Security octagon -dict Enabled -bool YES
//
// Override state for the feature-flag queries below. Each query has a pair of
// statics: a "*Set" flag recording that an override has been installed, and
// the override value itself. Every query function checks the "*Set" flag
// before consulting (and caching) the real feature flag, so an override
// installed by the matching setter takes precedence from that point on.
//
// These are plain, unsynchronized statics: nothing in this file orders the
// setter's two writes against a concurrent reader. Presumably the setters are
// meant for tests/tooling rather than production call sites — confirm with
// the callers before relying on them under concurrency.
static bool OctagonEnabledOverrideSet = false;
static bool OctagonEnabledOverride = false;

static bool OctagonRecoveryKeyEnabledOverrideSet = false;
static bool OctagonRecoveryKeyEnabledOverride = false;

static bool OctagonAuthoritativeTrustEnabledOverrideSet = false;
static bool OctagonAuthoritativeTrustEnabledOverride = false;

static bool OctagonSOSFeatureIsEnabledOverrideSet = false;
static bool OctagonSOSFeatureIsEnabledOverride = false;
60
// Reports whether Octagon is enabled in this process.
//
// Resolution order:
//   1. An override installed via OctagonSetIsEnabled() wins unconditionally
//      and is logged on every call.
//   2. Otherwise the Security/octagon feature flag is read exactly once
//      (dispatch_once) and the answer is cached for the life of the process;
//      later flag changes are not observed.
bool OctagonIsEnabled(void)
{
    if (OctagonEnabledOverrideSet) {
        secnotice("octagon", "Octagon is %@ (overridden)", OctagonEnabledOverride ? @"enabled" : @"disabled");
        return OctagonEnabledOverride;
    }

    static dispatch_once_t resolveFlagOnce;
    static bool cachedFlagValue = false;

    dispatch_once(&resolveFlagOnce, ^{
        cachedFlagValue = os_feature_enabled(Security, octagon);
        secnotice("octagon", "Octagon is %@ (via feature flags)", cachedFlagValue ? @"enabled" : @"disabled");
    });

    return cachedFlagValue;
}
77
// Installs a process-wide override for OctagonIsEnabled(). Once called, the
// feature flag is never consulted again by that query; no function in this
// file clears the override, it can only be replaced with another value.
// The two writes are not synchronized against concurrent readers.
void OctagonSetIsEnabled(BOOL value)
{
    OctagonEnabledOverride = (value != NO);
    OctagonEnabledOverrideSet = true;
}
83
// Override state for OctagonPlatformSupportsSOS() and OctagonPerformSOSUpgrade().
// OctagonOverridePlatformSOS / OctagonPlatformSOSOverrideValue are a
// "set" + "value" pair like the feature-flag overrides above.
// OctagonPlatformSOSUpgrade has no separate "set" flag: OctagonPerformSOSUpgrade()
// only honors it when it is true, so it cannot force a NO answer.
static bool OctagonOverridePlatformSOS = false;
static bool OctagonPlatformSOSOverrideValue = false;
static bool OctagonPlatformSOSUpgrade = false;
87
// Reports whether this platform can take part in SOS.
//
// An override installed via OctagonSetPlatformSupportsSOS() takes precedence.
// Otherwise:
//   - macOS: always YES.
//   - iOS: YES only if MobileGestalt reports the iPhone, iPad or iPod device
//     class. The probe runs once and the answer is cached for the process
//     lifetime. If the device class cannot be determined the failure is
//     logged and the platform is treated as NOT supported (fails closed).
//   - anything else: NO.
BOOL OctagonPlatformSupportsSOS(void)
{
    if (OctagonOverridePlatformSOS) {
        return OctagonPlatformSOSOverrideValue ? YES : NO;
    }

#if TARGET_OS_OSX
    return YES;
#elif TARGET_OS_IOS
    static dispatch_once_t probeDeviceClassOnce;
    static bool cachedSOSCapable = false;

    dispatch_once(&probeDeviceClassOnce, ^{
        CFStringRef deviceClass = MGCopyAnswer(kMGQDeviceClass, NULL);

        if (deviceClass == NULL) {
            // Fail closed: with no device class we do not claim SOS support.
            secerror("octagon: Unable to determine device class. Guessing SOS status as Not Supported");
            cachedSOSCapable = false;
        } else {
            // Only iPhones, iPads, and iPods support SOS.
            cachedSOSCapable = CFEqual(deviceClass, kMGDeviceClassiPhone)
                            || CFEqual(deviceClass, kMGDeviceClassiPad)
                            || CFEqual(deviceClass, kMGDeviceClassiPod);
            CFRelease(deviceClass);
        }

        secnotice("octagon", "SOS is %@ on this platform", cachedSOSCapable ? @"supported" : @"not supported");
    });

    return cachedSOSCapable ? YES : NO;
#else
    return NO;
#endif
}
123
// Installs a process-wide override for OctagonPlatformSupportsSOS(), bypassing
// the platform/device-class probe. No function in this file clears the
// override. Writes are not synchronized against concurrent readers.
void OctagonSetPlatformSupportsSOS(BOOL value)
{
    OctagonPlatformSOSOverrideValue = (value != NO);
    OctagonOverridePlatformSOS = true;
}
129
// Sets the SOS-upgrade override consulted by OctagonPerformSOSUpgrade().
// Only a YES value has an effect there: passing NO simply returns control to
// the octagonSOSupgrade feature flag rather than forcing a NO answer.
void OctagonSetSOSUpgrade(BOOL value)
{
    OctagonPlatformSOSUpgrade = (value != NO);
}
134
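// Reports whether Octagon should perform the SOS upgrade.
//
// A YES installed via OctagonSetSOSUpgrade() forces YES. Otherwise the
// Security/octagonSOSupgrade feature flag decides; unlike the other queries in
// this file the flag is re-read on every call, not cached.
//
// NOTE(review): this override is one-directional. OctagonSetSOSUpgrade(NO)
// only removes the forced YES and falls back to the feature flag; it cannot
// force NO while the flag is on. The other overrides in this file use a
// separate "set" flag to support both directions — consider matching that if
// callers need to force NO.
//
// Declared as (void) rather than () so the definition carries a prototype,
// consistent with every other function in this file.
BOOL OctagonPerformSOSUpgrade(void)
{
    if (OctagonPlatformSOSUpgrade) {
        return YES;
    }
    return os_feature_enabled(Security, octagonSOSupgrade) ? YES : NO;
}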
142
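// Reports whether the Octagon Recovery Key feature is enabled.
//
// An override installed via OctagonRecoveryKeySetIsEnabled() wins and is
// logged on every call. Otherwise the Security/recoverykey feature flag is
// read once (dispatch_once) and cached for the process lifetime.
//
// Fix: the feature-flag log line previously read "Octagon is ... (via feature
// flags)", identical to OctagonIsEnabled()'s line, so the two decisions could
// not be told apart in the log. It now names the Recovery Key feature, in the
// same form as the override branch and the other queries in this file.
BOOL OctagonRecoveryKeyIsEnabled(void)
{
    if (OctagonRecoveryKeyEnabledOverrideSet) {
        secnotice("octagon", "Octagon RecoveryKey is %@ (overridden)", OctagonRecoveryKeyEnabledOverride ? @"enabled" : @"disabled");
        return OctagonRecoveryKeyEnabledOverride ? YES : NO;
    }

    static bool octagonRecoveryKeyEnabled = false;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        octagonRecoveryKeyEnabled = os_feature_enabled(Security, recoverykey);
        secnotice("octagon", "Octagon RecoveryKey is %@ (via feature flags)", octagonRecoveryKeyEnabled ? @"enabled" : @"disabled");
    });

    return octagonRecoveryKeyEnabled ? YES : NO;
}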
159
// Installs a process-wide override for OctagonRecoveryKeyIsEnabled(). Once
// called, the feature flag is never consulted again by that query; no
// function in this file clears the override. Not synchronized with readers.
void OctagonRecoveryKeySetIsEnabled(BOOL value)
{
    OctagonRecoveryKeyEnabledOverride = (value != NO);
    OctagonRecoveryKeyEnabledOverrideSet = true;
}
165
166
// Reports whether Octagon is the authoritative source of trust.
//
// An override installed via OctagonAuthoritativeTrustSetIsEnabled() wins and
// is logged on every call. Otherwise the Security/octagonTrust feature flag
// is read exactly once and the answer cached for the process lifetime.
BOOL OctagonAuthoritativeTrustIsEnabled(void)
{
    if (OctagonAuthoritativeTrustEnabledOverrideSet) {
        secnotice("octagon", "Authoritative Octagon Trust is %@ (overridden)", OctagonAuthoritativeTrustEnabledOverride ? @"enabled" : @"disabled");
        return OctagonAuthoritativeTrustEnabledOverride;
    }

    static dispatch_once_t resolveFlagOnce;
    static bool cachedFlagValue = false;

    dispatch_once(&resolveFlagOnce, ^{
        cachedFlagValue = os_feature_enabled(Security, octagonTrust);
        secnotice("octagon", "Authoritative Octagon Trust is %@ (via feature flags)", cachedFlagValue ? @"enabled" : @"disabled");
    });

    return cachedFlagValue;
}
183
// Installs a process-wide override for OctagonAuthoritativeTrustIsEnabled().
// Once called, the feature flag is never consulted again by that query; no
// function in this file clears the override. Not synchronized with readers.
void OctagonAuthoritativeTrustSetIsEnabled(BOOL value)
{
    OctagonAuthoritativeTrustEnabledOverride = (value != NO);
    OctagonAuthoritativeTrustEnabledOverrideSet = true;
}
189
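// Reports whether the SOS (Secure Object Sync) feature is enabled.
//
// An override installed via OctagonSetSOSFeatureEnabled() wins and is logged
// on every call. Otherwise the Security/EnableSecureObjectSync feature flag
// is read exactly once and the answer cached for the process lifetime.
//
// Fix: the override branch returned OctagonSOSFeatureIsEnabledOverrideSet
// (always true once a setter has run) instead of the override value, so
// OctagonSetSOSFeatureEnabled(NO) still reported SOS as enabled while the
// log line on the same path said "disabled". It now returns the value.
BOOL OctagonIsSOSFeatureEnabled(void)
{
    if (OctagonSOSFeatureIsEnabledOverrideSet) {
        secnotice("octagon", "SOS Feature is %@ (overridden)", OctagonSOSFeatureIsEnabledOverride ? @"enabled" : @"disabled");
        return OctagonSOSFeatureIsEnabledOverride ? YES : NO;
    }

    // Initial value is irrelevant: dispatch_once assigns it before first use.
    static bool sosEnabled = true;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sosEnabled = os_feature_enabled(Security, EnableSecureObjectSync);
        secnotice("octagon", "SOS Feature is %@ (via feature flags)", sosEnabled ? @"enabled" : @"disabled");
    });

    return sosEnabled ? YES : NO;
}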
206
// Installs a process-wide override for OctagonIsSOSFeatureEnabled(). Once
// called, the feature flag is never consulted again by that query; no
// function in this file clears the override. Not synchronized with readers.
void OctagonSetSOSFeatureEnabled(BOOL value)
{
    OctagonSOSFeatureIsEnabledOverride = (value != NO);
    OctagonSOSFeatureIsEnabledOverrideSet = true;
}