[apple/security.git] / sec / Security / SecOTRSessionAKE.c

//
//  SecOTRSession.c
//  libsecurity_libSecOTR
//
//  Created by Mitch Adler on 2/22/11.
//  Copyright 2011 Apple Inc. All rights reserved.
//

#include "SecOTRSession.h"

#include "SecOTRMath.h"
#include "SecOTRIdentityPriv.h"
#include "SecOTRSessionPriv.h"
#include "SecOTRPackets.h"
#include "SecOTRPacketData.h"
#include "SecOTRDHKey.h"

#include <utilities/SecCFWrappers.h>

#include <CoreFoundation/CFRuntime.h>
#include <CoreFoundation/CFString.h>

#include <Security/SecBase.h>
#include <Security/SecRandom.h>

#include <AssertMacros.h>

#include <corecrypto/cchmac.h>
#include <corecrypto/ccsha2.h>

#include <string.h>

static void SecOTRInitMyDHKeys(SecOTRSessionRef session)
{
    CFReleaseNull(session->_myKey);
    session->_myKey = SecOTRFullDHKCreate(kCFAllocatorDefault);
    CFReleaseNull(session->_myNextKey);
    session->_myNextKey = SecOTRFullDHKCreate(kCFAllocatorDefault);
    session->_keyID = 1;
    
    bzero(session->_keyCache, sizeof(session->_keyCache));
}

OSStatus SecOTRSAppendStartPacket(SecOTRSessionRef session, CFMutableDataRef appendPacket)
{
    __block OSStatus result = errSecSuccess;

    dispatch_sync(session->_queue, ^{
        session->_state = kAwaitingDHKey;

        // Generate r and x and calculate gx:
        SecOTRInitMyDHKeys(session);

        CFMutableDataRef destinationMessage;
        if (session->_textOutput) {
            destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
        } else {
            destinationMessage = appendPacket;
        }


        result = SecRandomCopyBytes(kSecRandomDefault, sizeof(session->_r), session->_r);
        if (result == errSecSuccess) {
            SecOTRAppendDHMessage(session, destinationMessage);
            if (session->_textOutput) {
                SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket);
                CFReleaseSafe(destinationMessage);
            }
        }
    });

    return result;
}

OSStatus SecOTRSAppendRestartPacket(SecOTRSessionRef session, CFMutableDataRef appendPacket)
{
    __block OSStatus result = errSecSuccess;

    dispatch_sync(session->_queue, ^{
        if (!session->_myKey) {
            secerror("_myKey is NULL, avoiding crash");
            result = errSecDecode;
            return;
        }
        CFMutableDataRef destinationMessage;
        if (session->_textOutput) {
            destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
        } else {
            destinationMessage = appendPacket;
        }

        session->_state = kAwaitingDHKey;
        CFReleaseNull(session->_receivedDHMessage);
        CFReleaseNull(session->_receivedDHKeyMessage);
        
        SecOTRAppendDHMessage(session, destinationMessage);
        if (session->_textOutput) {
            SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket);
            CFReleaseSafe(destinationMessage);
        }
    });

    return result;
}

static const uint8_t* FindGXHash(CFDataRef dhPacket)
{
    const uint8_t* messageBytes = CFDataGetBytePtr(dhPacket);
    size_t remainingBytes = (size_t)CFDataGetLength(dhPacket);
    
    OTRMessageType messageType;
    
    require_noerr(ReadHeader(&messageBytes, &remainingBytes, &messageType), fail);
    require(messageType == kDHMessage, fail);
    
    uint32_t egxiLength = 0;
    require_noerr(ReadLong(&messageBytes, &remainingBytes, & egxiLength), fail);
    require(egxiLength <= remainingBytes, fail);
    messageBytes += egxiLength;
    remainingBytes -= egxiLength;
    
    uint32_t dataLength = 0;
    require_noerr(ReadLong(&messageBytes, &remainingBytes, &dataLength), fail);
    require(dataLength <= remainingBytes, fail);
    require(dataLength == CCSHA256_OUTPUT_SIZE, fail);
    
    return messageBytes;
    
fail:
    return NULL;
}

static bool SecOTRMyGXHashIsBigger(SecOTRSessionRef session, CFDataRef dhCommitMessage)
{
    bool mineIsBigger = false;

    CFMutableDataRef myDHCommitMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
    
    SecOTRAppendDHMessage(session, myDHCommitMessage);
    
    const uint8_t* myHash = FindGXHash(myDHCommitMessage);
    const uint8_t* theirHash = FindGXHash(dhCommitMessage);
    
    require(myHash, fail);
    require(theirHash, fail);
    
    mineIsBigger = 0 < memcmp(myHash, theirHash, CCSHA256_OUTPUT_SIZE);
    
fail:
    CFReleaseNull(myDHCommitMessage);
    return mineIsBigger;
}

static OSStatus SecOTRSProcessDHMessage(SecOTRSessionRef session,
                                        CFDataRef incomingPacket,
                                        CFMutableDataRef negotiationResponse)
{
    OSStatus result = errSecParam;

    switch (session->_state) {
        case kAwaitingDHKey:
            // Compare hash values.
            if (SecOTRMyGXHashIsBigger(session, incomingPacket)) {
                // If we're bigger we resend to force them to deal.
                CFReleaseNull(session->_receivedDHMessage);
                SecOTRAppendDHMessage(session, negotiationResponse);
                result = errSecSuccess;
                break;
            } // Else intentionally fall through to idle
        case kAwaitingSignature:
        case kIdle:
        case kDone:
            // Generate a new X and GX..
            SecOTRInitMyDHKeys(session);
            // If we were already waiting on reveal, then just send the packet again
        case kAwaitingRevealSignature:
            SecOTRAppendDHKeyMessage(session, negotiationResponse);

            // Keep the packet for use later.
            CFReleaseNull(session->_receivedDHMessage);
            session->_receivedDHMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket);
            
            session->_state = kAwaitingRevealSignature;
            result = errSecSuccess;
            break;
        default:
            result = errSecInteractionNotAllowed;
            break;
    }

    return result;
}

static OSStatus SecOTRSetupTheirKeyFrom(SecOTRSessionRef session, const uint8_t**data, size_t*size)
{
    SecOTRPublicDHKeyRef tempKey = SecOTRPublicDHKCreateFromSerialization(kCFAllocatorDefault, data, size);
    require(tempKey != NULL, fail);
    session->_theirKey = tempKey;
    session->_theirKeyID = 1;
    
    return errSecSuccess;

fail:
    return errSecDecode;
}

static OSStatus SecOTRSExtractTheirPublicDHKey(SecOTRSessionRef session, CFDataRef dhPacket)
{
    OSStatus result = errSecParam;

    const uint8_t *messageBytes = CFDataGetBytePtr(dhPacket);
    size_t messageSize = (size_t)CFDataGetLength(dhPacket);
    OTRMessageType messageType = kDHMessage; // Suppress warning.
    
    ReadHeader(&messageBytes, &messageSize, &messageType);
    require(messageType == kDHKeyMessage, exit);
    
    result = SecOTRSetupTheirKeyFrom(session, &messageBytes, &messageSize);

exit:
    return result;
}


static OSStatus SecOTRSProcessDHKeyMessage(SecOTRSessionRef session,
                                        CFDataRef incomingPacket,
                                        CFMutableDataRef negotiationResponse)
{
    OSStatus result = errSecUnimplemented;
    
    result = SecOTRSExtractTheirPublicDHKey(session, incomingPacket);
    require_noerr(result, exit);

    switch (session->_state) {
        case kAwaitingDHKey:
            CFReleaseNull(session->_receivedDHKeyMessage);
            SecOTRAppendRevealSignatureMessage(session, negotiationResponse);
            session->_state = kAwaitingSignature;
            session->_receivedDHKeyMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket);
            CFRetain(incomingPacket);
            result = errSecSuccess;
            break;
        case kAwaitingSignature:
            if (CFEqualSafe(incomingPacket, session->_receivedDHKeyMessage))
                SecOTRAppendRevealSignatureMessage(session, negotiationResponse);
            result = errSecSuccess;
            break;
        case kIdle:
        case kDone:
        case kAwaitingRevealSignature:
            result = errSecSuccess;
            break;
        default:
            result = errSecInteractionNotAllowed;
            break;
    }

exit:
    return result;
}


static OSStatus SecOTRSExtractR(SecOTRSessionRef session,
                                const uint8_t **messageBytes,
                                size_t *messageSize)
{
    OSStatus result = errSecDecode;

    OTRMessageType messageType = kDHMessage; // Suppress warning
    
    ReadHeader(messageBytes, messageSize, &messageType);
    require(messageType == kRevealSignatureMessage, exit);
    
    {
        uint32_t rSize = 0;
        ReadLong(messageBytes, messageSize, &rSize);
        require(rSize == kOTRAuthKeyBytes, exit);
    }
    
    memcpy(session->_r, *messageBytes, kOTRAuthKeyBytes);
    
    *messageBytes += kOTRAuthKeyBytes;
    *messageSize -= kOTRAuthKeyBytes;
    
    result = errSecSuccess;
exit:
    return result;
}

static OSStatus FindEncGYInDHPacket(SecOTRSessionRef session,
                                      const uint8_t **dhMessageBytesPtr,
                                      size_t *messageSizePtr,
                                      size_t* encGYBufferSize)
{
    OSStatus result = errSecParam;
    require_action(*encGYBufferSize >= kExponentiationBytes + 4, exit, result = errSecParam);
    
    OTRMessageType messageType;
    result = ReadHeader(dhMessageBytesPtr, messageSizePtr, &messageType);
    require_noerr(result, exit);
    require_action(messageType == kDHMessage, exit, result = errSecDecode);
    
    uint32_t readEncSize;
    result = ReadLong(dhMessageBytesPtr, messageSizePtr, &readEncSize);
    require_noerr(result, exit);

    *encGYBufferSize = readEncSize;
exit:
    // Don't bother erasing the public gy decrypted, it's public after all.
    return result;
    
}

static OSStatus SecOTRSExtractRAndTheirDHKey(SecOTRSessionRef session,
                                     const uint8_t **messageBytes,
                                     size_t *messageSize)
{
    OSStatus result = errSecDecode;
    
    require(session->_receivedDHMessage != NULL, exit);
    result = SecOTRSExtractR(session, messageBytes, messageSize);
    require_noerr(result, exit);
    
    uint8_t gxiDecrypted[kExponentiationBytes + 4];
    const uint8_t *gxiDecryptedBuffer = gxiDecrypted;
    
    const uint8_t* dhMessageBytes = CFDataGetBytePtr(session->_receivedDHMessage);
    size_t dhMessageSize = (size_t)CFDataGetLength(session->_receivedDHMessage);
    
    size_t encGYSize = sizeof(gxiDecrypted);
    result = FindEncGYInDHPacket(session, &dhMessageBytes, &dhMessageSize, &encGYSize);
    require_noerr(result, exit);
    require_action(encGYSize <= kExponentiationBytes + 4, exit, result = errSecDecode);
    
    AES_CTR_IV0_Transform(sizeof(session->_r), session->_r, encGYSize, dhMessageBytes, gxiDecrypted);

    result = SecOTRSetupTheirKeyFrom(session, &gxiDecryptedBuffer, &encGYSize);

exit:
    // Don't bother erasing the public gy decrypted, it's public after all.
    return result;
}

static OSStatus SecVerifySignatureAndMac(SecOTRSessionRef session,
                                         bool usePrimes,
                                         const uint8_t **signatureAndMacBytes,
                                         size_t *signatureAndMacSize)
{
    OSStatus result = errSecDecode;
    
    uint8_t m1[kOTRAuthMACKeyBytes];
    uint8_t m2[kOTRAuthMACKeyBytes];
    uint8_t c[kOTRAuthKeyBytes];
    
    {
        cc_unit s[kExponentiationUnits];
        
        SecPDHKeyGenerateS(session->_myKey, session->_theirKey, s);
        // Derive M1, M2 and C, either prime or normal versions.
        DeriveOTR256BitsFromS(usePrimes ? kM1Prime : kM1,
                              kExponentiationUnits, s, sizeof(m1), m1);
        DeriveOTR256BitsFromS(usePrimes ? kM2Prime : kM2,
                              kExponentiationUnits, s, sizeof(m2), m2);
        DeriveOTR128BitPairFromS(kCs,
                                 kExponentiationUnits, s,
                                 sizeof(c),usePrimes ? NULL : c,
                                 sizeof(c), usePrimes ? c : NULL);
        bzero(s, sizeof(s));
    }
    
    cchmac_di_decl(ccsha256_di(), mBContext);

    cchmac_init(ccsha256_di(), mBContext, sizeof(m1), m1);

    {
        CFMutableDataRef toHash = CFDataCreateMutable(kCFAllocatorDefault, 0);
        
        SecPDHKAppendSerialization(session->_theirKey, toHash);
        SecFDHKAppendPublicSerialization(session->_myKey, toHash);
        
        cchmac_update(ccsha256_di(), mBContext, (size_t)CFDataGetLength(toHash), CFDataGetBytePtr(toHash));
        
        CFReleaseNull(toHash);
    }
    
    const uint8_t* encSigDataBlobStart = *signatureAndMacBytes;
    
    uint32_t xbSize = 0;
    result = ReadLong(signatureAndMacBytes, signatureAndMacSize, &xbSize);
    require_noerr(result, exit);
    require(xbSize > 4, exit);
    require(xbSize <= *signatureAndMacSize, exit);
    
    uint8_t signatureMac[CCSHA256_OUTPUT_SIZE];
    cchmac(ccsha256_di(), sizeof(m2), m2, xbSize + 4, encSigDataBlobStart, signatureMac);
    
    require(xbSize + kSHA256HMAC160Bytes <= *signatureAndMacSize, exit);
    const uint8_t *macStart = *signatureAndMacBytes + xbSize;

    // check the outer hmac
    require(0 == memcmp(macStart, signatureMac, kSHA256HMAC160Bytes), exit);
           

    {
        uint8_t xb[xbSize];
        // Decrypt and copy the signature block
        AES_CTR_IV0_Transform(sizeof(c), c, xbSize, *signatureAndMacBytes, xb);

        const uint8_t* signaturePacket = xb;
        size_t signaturePacketSize = xbSize;
        
        uint16_t pubKeyType;
        result = ReadShort(&signaturePacket, &signaturePacketSize, &pubKeyType);
        require_noerr(result, exit);
        require_action(pubKeyType == 0xF000, exit, result = errSecUnimplemented);

        uint32_t pubKeySize;
        result = ReadLong(&signaturePacket, &signaturePacketSize, &pubKeySize);
        require_noerr(result, exit);
        require_action(pubKeySize <= signaturePacketSize, exit, result = errSecDecode);
        require(((CFIndex)pubKeySize) >= 0, exit);
        
        // Add the signature and keyid to the hash.
        // PUBKEY of our type is 2 bytes of type, 2 bytes of size and size bytes.
        // Key ID is 4 bytes.
        cchmac_update(ccsha256_di(), mBContext, 2 + 4 + pubKeySize + 4, xb);
        
        uint8_t mb[CCSHA256_OUTPUT_SIZE];
        cchmac_final(ccsha256_di(), mBContext, mb);

        // Make reference to the deflated key
        require_action(SecOTRPIEqualToBytes(session->_them, signaturePacket, (CFIndex)pubKeySize), exit, result = errSecAuthFailed);

        signaturePacket += pubKeySize;
        signaturePacketSize -= pubKeySize;
       
        result = ReadLong(&signaturePacket, &signaturePacketSize, &session->_theirKeyID);
        require_noerr(result, exit);

        uint32_t sigSize;
        result = ReadLong(&signaturePacket, &signaturePacketSize, &sigSize);
        require_noerr(result, exit);
        require_action(sigSize <= signaturePacketSize, exit, result = errSecDecode);
        
        bool bresult = SecOTRPIVerifySignature(session->_them, mb, sizeof(mb), signaturePacket, sigSize, NULL);
        result = bresult ? errSecSuccess : errSecDecode;
        require_noerr(result, exit);
        
    }

exit:
    bzero(m1, sizeof(m1));
    bzero(m2, sizeof(m2));
    bzero(c, sizeof(c));
    
    return result;
}

static OSStatus SecOTRSProcessRevealSignatureMessage(SecOTRSessionRef session,
                                        CFDataRef incomingPacket,
                                        CFMutableDataRef negotiationResponse)
{
    OSStatus result = errSecParam;
    
    require_action_quiet(session->_state == kAwaitingRevealSignature, exit, result = errSecSuccess);

    const uint8_t *messageBytes = CFDataGetBytePtr(incomingPacket);
    size_t messageSize = (size_t)CFDataGetLength(incomingPacket);

    result = SecOTRSExtractRAndTheirDHKey(session, &messageBytes, &messageSize);
    require_noerr(result, exit);

    result = SecVerifySignatureAndMac(session, false, &messageBytes, &messageSize);
    require_noerr(result, exit);

    SecOTRAppendSignatureMessage(session, negotiationResponse);

    session->_state = kDone;
    result = errSecSuccess;
exit:
    return result;
}

static OSStatus SecOTRSProcessSignatureMessage(SecOTRSessionRef session,
                                        CFDataRef incomingPacket,
                                        CFMutableDataRef negotiationResponse)
{
    OSStatus result = errSecParam;

    require_action_quiet(session->_state == kAwaitingSignature, exit, result = errSecSuccess);

    const uint8_t *messageBytes = CFDataGetBytePtr(incomingPacket);
    size_t messageSize = (size_t)CFDataGetLength(incomingPacket);
    
    OTRMessageType messageType;
    result = ReadHeader(&messageBytes, &messageSize, &messageType);
    require_noerr(result, exit);
    require_action(messageType == kSignatureMessage, exit, result = errSecDecode);
    
    result = SecVerifySignatureAndMac(session, true, &messageBytes, &messageSize);
    require_noerr(result, exit);

    CFReleaseNull(session->_receivedDHKeyMessage);
    session->_state = kDone;

    result = errSecSuccess;
exit:
    return result;
}

OSStatus SecOTRSProcessPacket(SecOTRSessionRef session,
                              CFDataRef incomingPacket,
                              CFMutableDataRef negotiationResponse)
{
    __block OSStatus result = errSecParam;

    require(CFDataGetLength(incomingPacket) > 0, fail);
    dispatch_sync(session->_queue, ^{
        CFMutableDataRef decodedBytes = CFDataCreateMutable(kCFAllocatorDefault, 0);
        SecOTRGetIncomingBytes(incomingPacket, decodedBytes);

        const uint8_t* bytes = CFDataGetBytePtr(decodedBytes);
        size_t size = CFDataGetLength(decodedBytes);

        OTRMessageType packetType = kInvalidMessage;
        if (ReadHeader(&bytes, &size, &packetType))
            packetType = kInvalidMessage;

        CFMutableDataRef destinationMessage;
        if (session->_textOutput) {
            destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
        } else {
            destinationMessage = negotiationResponse;
        }

        switch (packetType) {
            case kDHMessage:
                result = SecOTRSProcessDHMessage(session, decodedBytes, destinationMessage);
                break;
            case kDHKeyMessage:
                result = SecOTRSProcessDHKeyMessage(session, decodedBytes, destinationMessage);
                break;
            case kRevealSignatureMessage:
                result = SecOTRSProcessRevealSignatureMessage(session, decodedBytes, destinationMessage);
                break;
            case kSignatureMessage:
                result = SecOTRSProcessSignatureMessage(session, decodedBytes, destinationMessage);
                break;
            default:
                result = errSecDecode;
                break;
        };
        
        if (result != errSecSuccess) {
            secnotice("session", "Error %d processing packet type %d, session state %d, keyid %d, myKey %p, myNextKey %p, theirKeyId %d, theirKey %p, theirPreviousKey %p, bytes %@", (int)result, packetType, session->_state, session->_keyID, session->_myKey, session->_myNextKey, session->_theirKeyID, session->_theirKey, session->_theirPreviousKey, decodedBytes);
        }
        
        if (session->_textOutput) {
            SecOTRPrepareOutgoingBytes(destinationMessage, negotiationResponse);
            CFReleaseSafe(destinationMessage);
        }
        CFReleaseSafe(decodedBytes);
    });
    
fail:
    return result;
}
Commit	Line	Data
427c49bc A	1	//
	2	// SecOTRSession.c
	3	// libsecurity_libSecOTR
	4	//
	5	// Created by Mitch Adler on 2/22/11.
	6	// Copyright 2011 Apple Inc. All rights reserved.
	7	//
	8
	9	#include "SecOTRSession.h"
	10
	11	#include "SecOTRMath.h"
	12	#include "SecOTRIdentityPriv.h"
	13	#include "SecOTRSessionPriv.h"
	14	#include "SecOTRPackets.h"
	15	#include "SecOTRPacketData.h"
	16	#include "SecOTRDHKey.h"
	17
	18	#include <utilities/SecCFWrappers.h>
	19
	20	#include <CoreFoundation/CFRuntime.h>
	21	#include <CoreFoundation/CFString.h>
	22
	23	#include <Security/SecBase.h>
	24	#include <Security/SecRandom.h>
	25
	26	#include <AssertMacros.h>
	27
	28	#include <corecrypto/cchmac.h>
	29	#include <corecrypto/ccsha2.h>
	30
	31	#include <string.h>
	32
	33	static void SecOTRInitMyDHKeys(SecOTRSessionRef session)
	34	{
	35	CFReleaseNull(session->_myKey);
	36	session->_myKey = SecOTRFullDHKCreate(kCFAllocatorDefault);
	37	CFReleaseNull(session->_myNextKey);
	38	session->_myNextKey = SecOTRFullDHKCreate(kCFAllocatorDefault);
	39	session->_keyID = 1;
	40
	41	bzero(session->_keyCache, sizeof(session->_keyCache));
	42	}
	43
	44	OSStatus SecOTRSAppendStartPacket(SecOTRSessionRef session, CFMutableDataRef appendPacket)
	45	{
	46	__block OSStatus result = errSecSuccess;
	47
	48	dispatch_sync(session->_queue, ^{
	49	session->_state = kAwaitingDHKey;
	50
	51	// Generate r and x and calculate gx:
	52	SecOTRInitMyDHKeys(session);
	53
	54	CFMutableDataRef destinationMessage;
	55	if (session->_textOutput) {
	56	destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
	57	} else {
	58	destinationMessage = appendPacket;
	59	}
	60
	61
	62	result = SecRandomCopyBytes(kSecRandomDefault, sizeof(session->_r), session->_r);
	63	if (result == errSecSuccess) {
	64	SecOTRAppendDHMessage(session, destinationMessage);
65	if (session->_textOutput) {
66	SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket);
67	CFReleaseSafe(destinationMessage);
68	}
69	}
70	});
71
72	return result;
73	}
74
75	OSStatus SecOTRSAppendRestartPacket(SecOTRSessionRef session, CFMutableDataRef appendPacket)
76	{
77	__block OSStatus result = errSecSuccess;
78
79	dispatch_sync(session->_queue, ^{
80	if (!session->_myKey) {
81	secerror("_myKey is NULL, avoiding crash");
82	result = errSecDecode;
83	return;
84	}
85	CFMutableDataRef destinationMessage;
86	if (session->_textOutput) {
87	destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
88	} else {
89	destinationMessage = appendPacket;
90	}
91
92	session->_state = kAwaitingDHKey;
93	CFReleaseNull(session->_receivedDHMessage);
94	CFReleaseNull(session->_receivedDHKeyMessage);
95
96	SecOTRAppendDHMessage(session, destinationMessage);
97	if (session->_textOutput) {
98	SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket);
99	CFReleaseSafe(destinationMessage);
100	}
101	});
102
103	return result;
104	}
105
106	static const uint8_t* FindGXHash(CFDataRef dhPacket)
107	{
108	const uint8_t* messageBytes = CFDataGetBytePtr(dhPacket);
109	size_t remainingBytes = (size_t)CFDataGetLength(dhPacket);
110
111	OTRMessageType messageType;
112
113	require_noerr(ReadHeader(&messageBytes, &remainingBytes, &messageType), fail);
114	require(messageType == kDHMessage, fail);
115
116	uint32_t egxiLength = 0;
117	require_noerr(ReadLong(&messageBytes, &remainingBytes, & egxiLength), fail);
118	require(egxiLength <= remainingBytes, fail);
119	messageBytes += egxiLength;
120	remainingBytes -= egxiLength;
121
122	uint32_t dataLength = 0;
123	require_noerr(ReadLong(&messageBytes, &remainingBytes, &dataLength), fail);
124	require(dataLength <= remainingBytes, fail);
125	require(dataLength == CCSHA256_OUTPUT_SIZE, fail);
126
127	return messageBytes;
128
129	fail:
130	return NULL;
131	}
132
133	static bool SecOTRMyGXHashIsBigger(SecOTRSessionRef session, CFDataRef dhCommitMessage)
134	{
135	bool mineIsBigger = false;
136
137	CFMutableDataRef myDHCommitMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
138
139	SecOTRAppendDHMessage(session, myDHCommitMessage);
140
141	const uint8_t* myHash = FindGXHash(myDHCommitMessage);
142	const uint8_t* theirHash = FindGXHash(dhCommitMessage);
143
144	require(myHash, fail);
145	require(theirHash, fail);
146
147	mineIsBigger = 0 < memcmp(myHash, theirHash, CCSHA256_OUTPUT_SIZE);
148
149	fail:
150	CFReleaseNull(myDHCommitMessage);
151	return mineIsBigger;
152	}
153
154	static OSStatus SecOTRSProcessDHMessage(SecOTRSessionRef session,
155	CFDataRef incomingPacket,
156	CFMutableDataRef negotiationResponse)
157	{
158	OSStatus result = errSecParam;
159
160	switch (session->_state) {
161	case kAwaitingDHKey:
162	// Compare hash values.
163	if (SecOTRMyGXHashIsBigger(session, incomingPacket)) {
164	// If we're bigger we resend to force them to deal.
165	CFReleaseNull(session->_receivedDHMessage);
166	SecOTRAppendDHMessage(session, negotiationResponse);
167	result = errSecSuccess;
168	break;
169	} // Else intentionally fall through to idle
170	case kAwaitingSignature:
171	case kIdle:
172	case kDone:
173	// Generate a new X and GX..
174	SecOTRInitMyDHKeys(session);
175	// If we were already waiting on reveal, then just send the packet again
176	case kAwaitingRevealSignature:
177	SecOTRAppendDHKeyMessage(session, negotiationResponse);
178
179	// Keep the packet for use later.
180	CFReleaseNull(session->_receivedDHMessage);
181	session->_receivedDHMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket);
182
183	session->_state = kAwaitingRevealSignature;
184	result = errSecSuccess;
185	break;
186	default:
187	result = errSecInteractionNotAllowed;
188	break;
189	}
190
191	return result;
192	}
193
194	static OSStatus SecOTRSetupTheirKeyFrom(SecOTRSessionRef session, const uint8_t*data, size_tsize)
195	{
196	SecOTRPublicDHKeyRef tempKey = SecOTRPublicDHKCreateFromSerialization(kCFAllocatorDefault, data, size);
197	require(tempKey != NULL, fail);
198	session->_theirKey = tempKey;
199	session->_theirKeyID = 1;
200
201	return errSecSuccess;
202
203	fail:
204	return errSecDecode;
205	}
206
207	static OSStatus SecOTRSExtractTheirPublicDHKey(SecOTRSessionRef session, CFDataRef dhPacket)
208	{
209	OSStatus result = errSecParam;
210
211	const uint8_t *messageBytes = CFDataGetBytePtr(dhPacket);
212	size_t messageSize = (size_t)CFDataGetLength(dhPacket);
213	OTRMessageType messageType = kDHMessage; // Suppress warning.
214
215	ReadHeader(&messageBytes, &messageSize, &messageType);
216	require(messageType == kDHKeyMessage, exit);
217
218	result = SecOTRSetupTheirKeyFrom(session, &messageBytes, &messageSize);
219
220	exit:
221	return result;
222	}
223
224
225	static OSStatus SecOTRSProcessDHKeyMessage(SecOTRSessionRef session,
226	CFDataRef incomingPacket,
227	CFMutableDataRef negotiationResponse)
228	{
229	OSStatus result = errSecUnimplemented;
230
231	result = SecOTRSExtractTheirPublicDHKey(session, incomingPacket);
232	require_noerr(result, exit);
233
234	switch (session->_state) {
235	case kAwaitingDHKey:
236	CFReleaseNull(session->_receivedDHKeyMessage);
237	SecOTRAppendRevealSignatureMessage(session, negotiationResponse);
238	session->_state = kAwaitingSignature;
239	session->_receivedDHKeyMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket);
240	CFRetain(incomingPacket);
241	result = errSecSuccess;
242	break;
243	case kAwaitingSignature:
244	if (CFEqualSafe(incomingPacket, session->_receivedDHKeyMessage))
245	SecOTRAppendRevealSignatureMessage(session, negotiationResponse);
246	result = errSecSuccess;
247	break;
248	case kIdle:
249	case kDone:
250	case kAwaitingRevealSignature:
251	result = errSecSuccess;
252	break;
253	default:
254	result = errSecInteractionNotAllowed;
255	break;
256	}
257
258	exit:
259	return result;
260	}
261
262
263	static OSStatus SecOTRSExtractR(SecOTRSessionRef session,
264	const uint8_t **messageBytes,
265	size_t *messageSize)
266	{
267	OSStatus result = errSecDecode;
268
269	OTRMessageType messageType = kDHMessage; // Suppress warning
270
271	ReadHeader(messageBytes, messageSize, &messageType);
272	require(messageType == kRevealSignatureMessage, exit);
273
274	{
275	uint32_t rSize = 0;
276	ReadLong(messageBytes, messageSize, &rSize);
277	require(rSize == kOTRAuthKeyBytes, exit);
278	}
279
280	memcpy(session->_r, *messageBytes, kOTRAuthKeyBytes);
281
282	*messageBytes += kOTRAuthKeyBytes;
283	*messageSize -= kOTRAuthKeyBytes;
284
285	result = errSecSuccess;
286	exit:
287	return result;
288	}
289
290	static OSStatus FindEncGYInDHPacket(SecOTRSessionRef session,
291	const uint8_t **dhMessageBytesPtr,
292	size_t *messageSizePtr,
293	size_t* encGYBufferSize)
294	{
295	OSStatus result = errSecParam;
296	require_action(*encGYBufferSize >= kExponentiationBytes + 4, exit, result = errSecParam);
297
298	OTRMessageType messageType;
299	result = ReadHeader(dhMessageBytesPtr, messageSizePtr, &messageType);
300	require_noerr(result, exit);
301	require_action(messageType == kDHMessage, exit, result = errSecDecode);
302
303	uint32_t readEncSize;
304	result = ReadLong(dhMessageBytesPtr, messageSizePtr, &readEncSize);
305	require_noerr(result, exit);
306
307	*encGYBufferSize = readEncSize;
308	exit:
309	// Don't bother erasing the public gy decrypted, it's public after all.
310	return result;
311
312	}
313
314	static OSStatus SecOTRSExtractRAndTheirDHKey(SecOTRSessionRef session,
315	const uint8_t **messageBytes,
316	size_t *messageSize)
317	{
318	OSStatus result = errSecDecode;
319
320	require(session->_receivedDHMessage != NULL, exit);
321	result = SecOTRSExtractR(session, messageBytes, messageSize);
322	require_noerr(result, exit);
323
324	uint8_t gxiDecrypted[kExponentiationBytes + 4];
325	const uint8_t *gxiDecryptedBuffer = gxiDecrypted;
326
327	const uint8_t* dhMessageBytes = CFDataGetBytePtr(session->_receivedDHMessage);
328	size_t dhMessageSize = (size_t)CFDataGetLength(session->_receivedDHMessage);
329
330	size_t encGYSize = sizeof(gxiDecrypted);
331	result = FindEncGYInDHPacket(session, &dhMessageBytes, &dhMessageSize, &encGYSize);
332	require_noerr(result, exit);
333	require_action(encGYSize <= kExponentiationBytes + 4, exit, result = errSecDecode);
334
335	AES_CTR_IV0_Transform(sizeof(session->_r), session->_r, encGYSize, dhMessageBytes, gxiDecrypted);
336
337	result = SecOTRSetupTheirKeyFrom(session, &gxiDecryptedBuffer, &encGYSize);
338
339	exit:
340	// Don't bother erasing the public gy decrypted, it's public after all.
341	return result;
342	}
343
344	static OSStatus SecVerifySignatureAndMac(SecOTRSessionRef session,
345	bool usePrimes,
346	const uint8_t **signatureAndMacBytes,
347	size_t *signatureAndMacSize)
348	{
349	OSStatus result = errSecDecode;
350
351	uint8_t m1[kOTRAuthMACKeyBytes];
352	uint8_t m2[kOTRAuthMACKeyBytes];
353	uint8_t c[kOTRAuthKeyBytes];
354
355	{
356	cc_unit s[kExponentiationUnits];
357
358	SecPDHKeyGenerateS(session->_myKey, session->_theirKey, s);
359	// Derive M1, M2 and C, either prime or normal versions.
360	DeriveOTR256BitsFromS(usePrimes ? kM1Prime : kM1,
361	kExponentiationUnits, s, sizeof(m1), m1);
362	DeriveOTR256BitsFromS(usePrimes ? kM2Prime : kM2,
363	kExponentiationUnits, s, sizeof(m2), m2);
364	DeriveOTR128BitPairFromS(kCs,
365	kExponentiationUnits, s,
366	sizeof(c),usePrimes ? NULL : c,
367	sizeof(c), usePrimes ? c : NULL);
368	bzero(s, sizeof(s));
369	}
370
371	cchmac_di_decl(ccsha256_di(), mBContext);
372
373	cchmac_init(ccsha256_di(), mBContext, sizeof(m1), m1);
374
375	{
376	CFMutableDataRef toHash = CFDataCreateMutable(kCFAllocatorDefault, 0);
377
378	SecPDHKAppendSerialization(session->_theirKey, toHash);
379	SecFDHKAppendPublicSerialization(session->_myKey, toHash);
380
381	cchmac_update(ccsha256_di(), mBContext, (size_t)CFDataGetLength(toHash), CFDataGetBytePtr(toHash));
382
383	CFReleaseNull(toHash);
384	}
385
386	const uint8_t* encSigDataBlobStart = *signatureAndMacBytes;
387
388	uint32_t xbSize = 0;
389	result = ReadLong(signatureAndMacBytes, signatureAndMacSize, &xbSize);
390	require_noerr(result, exit);
391	require(xbSize > 4, exit);
392	require(xbSize <= *signatureAndMacSize, exit);
393
394	uint8_t signatureMac[CCSHA256_OUTPUT_SIZE];
395	cchmac(ccsha256_di(), sizeof(m2), m2, xbSize + 4, encSigDataBlobStart, signatureMac);
396
397	require(xbSize + kSHA256HMAC160Bytes <= *signatureAndMacSize, exit);
398	const uint8_t macStart = signatureAndMacBytes + xbSize;
399
400	// check the outer hmac
401	require(0 == memcmp(macStart, signatureMac, kSHA256HMAC160Bytes), exit);
402
403
404	{
405	uint8_t xb[xbSize];
406	// Decrypt and copy the signature block
407	AES_CTR_IV0_Transform(sizeof(c), c, xbSize, *signatureAndMacBytes, xb);
408
409	const uint8_t* signaturePacket = xb;
410	size_t signaturePacketSize = xbSize;
411
412	uint16_t pubKeyType;
413	result = ReadShort(&signaturePacket, &signaturePacketSize, &pubKeyType);
414	require_noerr(result, exit);
415	require_action(pubKeyType == 0xF000, exit, result = errSecUnimplemented);
416
417	uint32_t pubKeySize;
418	result = ReadLong(&signaturePacket, &signaturePacketSize, &pubKeySize);
419	require_noerr(result, exit);
420	require_action(pubKeySize <= signaturePacketSize, exit, result = errSecDecode);
421	require(((CFIndex)pubKeySize) >= 0, exit);
422
423	// Add the signature and keyid to the hash.
424	// PUBKEY of our type is 2 bytes of type, 2 bytes of size and size bytes.
425	// Key ID is 4 bytes.
426	cchmac_update(ccsha256_di(), mBContext, 2 + 4 + pubKeySize + 4, xb);
427
428	uint8_t mb[CCSHA256_OUTPUT_SIZE];
429	cchmac_final(ccsha256_di(), mBContext, mb);
430
431	// Make reference to the deflated key
432	require_action(SecOTRPIEqualToBytes(session->_them, signaturePacket, (CFIndex)pubKeySize), exit, result = errSecAuthFailed);
433
434	signaturePacket += pubKeySize;
435	signaturePacketSize -= pubKeySize;
436
437	result = ReadLong(&signaturePacket, &signaturePacketSize, &session->_theirKeyID);
438	require_noerr(result, exit);
439
440	uint32_t sigSize;
441	result = ReadLong(&signaturePacket, &signaturePacketSize, &sigSize);
442	require_noerr(result, exit);
443	require_action(sigSize <= signaturePacketSize, exit, result = errSecDecode);
444
445	bool bresult = SecOTRPIVerifySignature(session->_them, mb, sizeof(mb), signaturePacket, sigSize, NULL);
446	result = bresult ? errSecSuccess : errSecDecode;
447	require_noerr(result, exit);
448
449	}
450
451	exit:
452	bzero(m1, sizeof(m1));
453	bzero(m2, sizeof(m2));
454	bzero(c, sizeof(c));
455
456	return result;
457	}
458
459	static OSStatus SecOTRSProcessRevealSignatureMessage(SecOTRSessionRef session,
460	CFDataRef incomingPacket,
461	CFMutableDataRef negotiationResponse)
462	{
463	OSStatus result = errSecParam;
464
465	require_action_quiet(session->_state == kAwaitingRevealSignature, exit, result = errSecSuccess);
466
467	const uint8_t *messageBytes = CFDataGetBytePtr(incomingPacket);
468	size_t messageSize = (size_t)CFDataGetLength(incomingPacket);
469
470	result = SecOTRSExtractRAndTheirDHKey(session, &messageBytes, &messageSize);
471	require_noerr(result, exit);
472
473	result = SecVerifySignatureAndMac(session, false, &messageBytes, &messageSize);
474	require_noerr(result, exit);
475
476	SecOTRAppendSignatureMessage(session, negotiationResponse);
477
478	session->_state = kDone;
479	result = errSecSuccess;
480	exit:
481	return result;
482	}
483
484	static OSStatus SecOTRSProcessSignatureMessage(SecOTRSessionRef session,
485	CFDataRef incomingPacket,
486	CFMutableDataRef negotiationResponse)
487	{
488	OSStatus result = errSecParam;
489
490	require_action_quiet(session->_state == kAwaitingSignature, exit, result = errSecSuccess);
491
492	const uint8_t *messageBytes = CFDataGetBytePtr(incomingPacket);
493	size_t messageSize = (size_t)CFDataGetLength(incomingPacket);
494
495	OTRMessageType messageType;
496	result = ReadHeader(&messageBytes, &messageSize, &messageType);
497	require_noerr(result, exit);
498	require_action(messageType == kSignatureMessage, exit, result = errSecDecode);
499
500	result = SecVerifySignatureAndMac(session, true, &messageBytes, &messageSize);
501	require_noerr(result, exit);
502
503	CFReleaseNull(session->_receivedDHKeyMessage);
504	session->_state = kDone;
505
506	result = errSecSuccess;
507	exit:
508	return result;
509	}
510
511	OSStatus SecOTRSProcessPacket(SecOTRSessionRef session,
512	CFDataRef incomingPacket,
513	CFMutableDataRef negotiationResponse)
514	{
515	__block OSStatus result = errSecParam;
516
517	require(CFDataGetLength(incomingPacket) > 0, fail);
518	dispatch_sync(session->_queue, ^{
519	CFMutableDataRef decodedBytes = CFDataCreateMutable(kCFAllocatorDefault, 0);
520	SecOTRGetIncomingBytes(incomingPacket, decodedBytes);
521
522	const uint8_t* bytes = CFDataGetBytePtr(decodedBytes);
523	size_t size = CFDataGetLength(decodedBytes);
524
525	OTRMessageType packetType = kInvalidMessage;
526	if (ReadHeader(&bytes, &size, &packetType))
527	packetType = kInvalidMessage;
528
529	CFMutableDataRef destinationMessage;
530	if (session->_textOutput) {
531	destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0);
532	} else {
533	destinationMessage = negotiationResponse;
534	}
535
536	switch (packetType) {
537	case kDHMessage:
538	result = SecOTRSProcessDHMessage(session, decodedBytes, destinationMessage);
539	break;
540	case kDHKeyMessage:
541	result = SecOTRSProcessDHKeyMessage(session, decodedBytes, destinationMessage);
542	break;
543	case kRevealSignatureMessage:
544	result = SecOTRSProcessRevealSignatureMessage(session, decodedBytes, destinationMessage);
545	break;
546	case kSignatureMessage:
547	result = SecOTRSProcessSignatureMessage(session, decodedBytes, destinationMessage);
548	break;
549	default:
550	result = errSecDecode;
551	break;
552	};
553
554	if (result != errSecSuccess) {
555	secnotice("session", "Error %d processing packet type %d, session state %d, keyid %d, myKey %p, myNextKey %p, theirKeyId %d, theirKey %p, theirPreviousKey %p, bytes %@", (int)result, packetType, session->_state, session->_keyID, session->_myKey, session->_myNextKey, session->_theirKeyID, session->_theirKey, session->_theirPreviousKey, decodedBytes);
556	}
557
558	if (session->_textOutput) {
559	SecOTRPrepareOutgoingBytes(destinationMessage, negotiationResponse);
560	CFReleaseSafe(destinationMessage);
561	}
562	CFReleaseSafe(decodedBytes);
563	});
564
565	fail:
566	return result;
567	}