[apple/security.git] / OSX / Breadcrumb / SecBreadcrumb.c


#include <Security/Security.h>
#include <Security/SecBreadcrumb.h>
#include <Security/SecRandom.h>

#include <corecrypto/ccaes.h>
#include <corecrypto/ccpbkdf2.h>
#include <corecrypto/ccmode.h>
#include <corecrypto/ccmode_factory.h>
#include <corecrypto/ccsha2.h>

#include <CommonCrypto/CommonRandomSPI.h>

#define CFReleaseNull(CF) ({ __typeof__(CF) *const _pcf = &(CF), _cf = *_pcf; (_cf ? (*_pcf) = ((__typeof__(CF))0), (CFRelease(_cf), ((__typeof__(CF))0)) : _cf); })

static const int kKeySize = CCAES_KEY_SIZE_128;
static const int kSaltSize = 20;
static const int kIterations = 5000;
static const CFIndex tagLen = 16;
static const CFIndex ivLen = 16;
static const uint8_t BCversion1 = 1;
static const uint8_t BCversion2 = 2;
static const size_t paddingSize = 256;
static const size_t maxSize = 1024;

Boolean
SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
                                CFDataRef *outBreadcrumb,
                                CFDataRef *outEncryptedKey,
                                CFErrorRef *outError)
{
    const struct ccmode_ecb *ecb = ccaes_ecb_encrypt_mode();
    const struct ccmode_gcm *gcm = ccaes_gcm_encrypt_mode();
    const struct ccdigest_info *di = ccsha256_di();
    uint8_t iv[ivLen];
    CFMutableDataRef key, npw;
    CFDataRef pw;
    
    *outBreadcrumb = NULL;
    *outEncryptedKey = NULL;
    if (outError)
        *outError = NULL;
    
    key = CFDataCreateMutable(NULL, 0);
    if (key == NULL)
        return false;
    
    CFDataSetLength(key, kKeySize + kSaltSize + 4);
    if (SecRandomCopyBytes(kSecRandomDefault, CFDataGetLength(key) - 4, CFDataGetMutableBytePtr(key)) != 0) {
        CFReleaseNull(key);
        return false;
    }
    if (SecRandomCopyBytes(kSecRandomDefault, ivLen, iv) != 0) {
        CFReleaseNull(key);
        return false;
    }

    uint32_t size = htonl(kIterations);
    memcpy(CFDataGetMutableBytePtr(key) + kKeySize + kSaltSize, &size, sizeof(size));
    
    /*
     * Create data for password
     */
    
    pw = CFStringCreateExternalRepresentation(NULL, inPassword, kCFStringEncodingUTF8, 0);
    if (pw == NULL) {
        CFReleaseNull(key);
        return false;
    }

    const CFIndex passwordLength = CFDataGetLength(pw);
    
    if (passwordLength > maxSize) {
        CFReleaseNull(pw);
        CFReleaseNull(key);
        return false;
    }

    CFIndex paddedSize = passwordLength + paddingSize - (passwordLength % paddingSize);
    const CFIndex outLength = 1 + ivLen + 4 + paddedSize + tagLen;
    
    npw = CFDataCreateMutable(NULL, outLength);
    if (npw == NULL) {
        CFReleaseNull(pw);
        CFReleaseNull(key);
        return false;
    }
    CFDataSetLength(npw, outLength);

    memset(CFDataGetMutableBytePtr(npw), 0, outLength);
    CFDataGetMutableBytePtr(npw)[0] = BCversion2;
    memcpy(CFDataGetMutableBytePtr(npw) + 1, iv, ivLen);
    size = htonl(passwordLength);
    memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen, &size, sizeof(size));
    memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen + 4, CFDataGetBytePtr(pw), passwordLength);
    
    /*
     * Now create a GCM encrypted password using the random key
     */
    
    ccgcm_ctx_decl(gcm->size, ctx);
    ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key));
    ccgcm_set_iv(gcm, ctx, ivLen, iv);
    ccgcm_gmac(gcm, ctx, 1, CFDataGetMutableBytePtr(npw));
    ccgcm_update(gcm, ctx, outLength - tagLen - ivLen - 1, CFDataGetMutableBytePtr(npw) + 1 + ivLen, CFDataGetMutableBytePtr(npw) + 1 + ivLen);
    ccgcm_finalize(gcm, ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen);
    ccgcm_ctx_clear(gcm->size, ctx);
    
    /*
     * Wrapping key is PBKDF2(sha256) over password
     */
    
    if (di->output_size < kKeySize) abort();
    
    uint8_t rawkey[di->output_size];
    
    if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
                      kSaltSize, CFDataGetMutableBytePtr(key) + kKeySize,
                      kIterations,
                      sizeof(rawkey), rawkey) != 0)
        abort();
    
    /*
     * Wrap the random key with one round of ECB cryto
     */

    ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
    ccecb_init(ecb, ecbkey, kKeySize, rawkey);
    ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(key), CFDataGetMutableBytePtr(key));
    ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);

    /*
     *
     */
    
    memset(rawkey, 0, sizeof(rawkey));
    CFReleaseNull(pw);
    
    *outBreadcrumb = npw;
    *outEncryptedKey = key;
    
    return true;
}


Boolean
SecBreadcrumbCopyPassword(CFStringRef inPassword,
                          CFDataRef inBreadcrumb,
                          CFDataRef inEncryptedKey,
                          CFStringRef *outPassword,
                          CFErrorRef *outError)
{
    const struct ccmode_ecb *ecb = ccaes_ecb_decrypt_mode();
    const struct ccdigest_info *di = ccsha256_di();
    CFMutableDataRef gcmkey, oldpw;
    CFIndex outLength;
    CFDataRef pw;
    uint32_t size;
    
    *outPassword = NULL;
    if (outError)
        *outError = NULL;
    
    if (CFDataGetLength(inEncryptedKey) < kKeySize + kSaltSize + 4) {
        return false;
    }
    
    if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
        if (CFDataGetLength(inBreadcrumb) < 1 + 4 + paddingSize + tagLen)
            return false;

        outLength = CFDataGetLength(inBreadcrumb) - 1 - tagLen;
    } else if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion2) {
        if (CFDataGetLength(inBreadcrumb) < 1 + ivLen + 4 + paddingSize + tagLen)
            return false;
        outLength = CFDataGetLength(inBreadcrumb) - 1 - ivLen - tagLen;
    } else {
        return false;
    }
    
    gcmkey = CFDataCreateMutableCopy(NULL, 0, inEncryptedKey);
    if (gcmkey == NULL) {
        return false;
    }
    
    if ((outLength % 16) != 0 && outLength < 4) {
        CFReleaseNull(gcmkey);
        return false;
    }

    oldpw = CFDataCreateMutable(NULL, outLength);
    if (oldpw == NULL) {
        CFReleaseNull(gcmkey);
        return false;
    }
    CFDataSetLength(oldpw, outLength);

    /*
     * Create data for password
     */
    
    pw = CFStringCreateExternalRepresentation(NULL, inPassword, kCFStringEncodingUTF8, 0);
    if (pw == NULL) {
        CFReleaseNull(oldpw);
        CFReleaseNull(gcmkey);
        return false;
    }
    
    /*
     * Wrapping key is HMAC(sha256) over password
     */

    if (di->output_size < kKeySize) abort();
    
    uint8_t rawkey[di->output_size];
    
    memcpy(&size, CFDataGetMutableBytePtr(gcmkey) + kKeySize + kSaltSize, sizeof(size));
    size = ntohl(size);
    
    if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
                      kSaltSize, CFDataGetMutableBytePtr(gcmkey) + kKeySize,
                      size,
                      sizeof(rawkey), rawkey) != 0)
        abort();

    CFReleaseNull(pw);
    
    /*
     * Unwrap the random key with one round of ECB cryto
     */

    ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
    ccecb_init(ecb, ecbkey, kKeySize, rawkey);
    ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(gcmkey), CFDataGetMutableBytePtr(gcmkey));
    ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);
    /*
     * GCM unwrap
     */

    uint8_t tag[tagLen];

    if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
        memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen);

        ccgcm_one_shot_legacy(ccaes_gcm_decrypt_mode(), kKeySize,  CFDataGetMutableBytePtr(gcmkey), 0, NULL, 1, CFDataGetBytePtr(inBreadcrumb),
                              outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw), tagLen, tag);
        if (memcmp(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen) != 0) {
            CFReleaseNull(oldpw);
            return false;
        }

    } else {
        const uint8_t *iv = CFDataGetBytePtr(inBreadcrumb) + 1;
        int res;
        memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen + outLength, tagLen);

        res = ccgcm_one_shot(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey),
                             ivLen, iv,
                             1, CFDataGetBytePtr(inBreadcrumb),
                             outLength, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen, CFDataGetMutableBytePtr(oldpw),
                             tagLen, tag);
        if (res) {
            CFReleaseNull(oldpw);
            return false;
        }
    }

    CFReleaseNull(gcmkey);
    

    memcpy(&size, CFDataGetMutableBytePtr(oldpw), sizeof(size));
    size = ntohl(size);
    if (size > outLength - 4) {
        CFReleaseNull(oldpw);
        return false;
    }
    memmove(CFDataGetMutableBytePtr(oldpw), CFDataGetMutableBytePtr(oldpw) + 4, size);
    CFDataSetLength(oldpw, size);
    
    *outPassword = CFStringCreateFromExternalRepresentation(NULL, oldpw, kCFStringEncodingUTF8);
    CFReleaseNull(oldpw);

    return true;
}

CFDataRef
SecBreadcrumbCreateNewEncryptedKey(CFStringRef oldPassword,
                                   CFStringRef newPassword,
                                   CFDataRef encryptedKey,
                                   CFErrorRef *outError)
{
    const struct ccmode_ecb *enc = ccaes_ecb_encrypt_mode();
    const struct ccmode_ecb *dec = ccaes_ecb_decrypt_mode();
    const struct ccdigest_info *di = ccsha256_di();
    CFMutableDataRef newEncryptedKey;
    CFDataRef newpw = NULL, oldpw = NULL;
    uint8_t rawkey[di->output_size];
    
    if (CFDataGetLength(encryptedKey) < kKeySize + kSaltSize + 4) {
        return NULL;
    }

    newEncryptedKey = CFDataCreateMutableCopy(NULL, 0, encryptedKey);
    if (newEncryptedKey == NULL) {
        return NULL;
    }
    
    oldpw = CFStringCreateExternalRepresentation(NULL, oldPassword, kCFStringEncodingUTF8, 0);
    if (oldpw == NULL) {
        CFReleaseNull(newEncryptedKey);
        return false;
    }

    newpw = CFStringCreateExternalRepresentation(NULL, newPassword, kCFStringEncodingUTF8, 0);
    if (newpw == NULL) {
        CFReleaseNull(newEncryptedKey);
        CFReleaseNull(oldpw);
        return false;
    }

    if (di->output_size < kKeySize) abort();
    
    /*
     * Unwrap with new key
     */

    uint32_t iter;
    
    memcpy(&iter, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize + kSaltSize, sizeof(iter));
    iter = ntohl(iter);
    
    if (ccpbkdf2_hmac(di, CFDataGetLength(oldpw), CFDataGetBytePtr(oldpw),
                      kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
                      iter,
                      sizeof(rawkey), rawkey) != 0)
        abort();
    
    CFReleaseNull(oldpw);

    
    ccecb_ctx_decl(dec->size, deckey);
    ccecb_init(dec, deckey, kKeySize, rawkey);
    ccecb_update(dec, deckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
    ccecb_ctx_clear(ccecb_context_size(dec), deckey);

    memset(rawkey, 0, sizeof(rawkey));
   
    /*
     * Re-wrap with new key
     */
   
    if (ccpbkdf2_hmac(di, CFDataGetLength(newpw), CFDataGetBytePtr(newpw),
                      kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
                      iter,
                      sizeof(rawkey), rawkey) != 0)
        abort();
    
    CFReleaseNull(newpw);

    
    ccecb_ctx_decl(enc->size, enckey);
    ccecb_init(enc, enckey, kKeySize, rawkey);
    ccecb_update(enc, enckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
    ccecb_ctx_clear(ccecb_context_size(enc), enckey);

    memset(rawkey, 0, sizeof(rawkey));

    return newEncryptedKey;
}
Commit	Line	Data
d8f41ccd A	1
	2	#include <Security/Security.h>
	3	#include <Security/SecBreadcrumb.h>
	4	#include <Security/SecRandom.h>
	5
	6	#include <corecrypto/ccaes.h>
	7	#include <corecrypto/ccpbkdf2.h>
	8	#include <corecrypto/ccmode.h>
	9	#include <corecrypto/ccmode_factory.h>
	10	#include <corecrypto/ccsha2.h>
	11
	12	#include <CommonCrypto/CommonRandomSPI.h>
	13
	14	#define CFReleaseNull(CF) ({ __typeof__(CF) const _pcf = &(CF), _cf = _pcf; (_cf ? (*_pcf) = ((__typeof__(CF))0), (CFRelease(_cf), ((__typeof__(CF))0)) : _cf); })
	15
	16	static const int kKeySize = CCAES_KEY_SIZE_128;
	17	static const int kSaltSize = 20;
	18	static const int kIterations = 5000;
	19	static const CFIndex tagLen = 16;
fa7225c8 A	20	static const CFIndex ivLen = 16;
	21	static const uint8_t BCversion1 = 1;
	22	static const uint8_t BCversion2 = 2;
d8f41ccd A	23	static const size_t paddingSize = 256;
	24	static const size_t maxSize = 1024;
	25
	26	Boolean
	27	SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
	28	CFDataRef *outBreadcrumb,
	29	CFDataRef *outEncryptedKey,
	30	CFErrorRef *outError)
	31	{
	32	const struct ccmode_ecb *ecb = ccaes_ecb_encrypt_mode();
5c19dc3a	33	const struct ccmode_gcm *gcm = ccaes_gcm_encrypt_mode();
d8f41ccd	34	const struct ccdigest_info *di = ccsha256_di();
fa7225c8	35	uint8_t iv[ivLen];
d8f41ccd A	36	CFMutableDataRef key, npw;
	37	CFDataRef pw;
	38
	39	*outBreadcrumb = NULL;
	40	*outEncryptedKey = NULL;
	41	if (outError)
	42	*outError = NULL;
	43
	44	key = CFDataCreateMutable(NULL, 0);
	45	if (key == NULL)
	46	return false;
	47
	48	CFDataSetLength(key, kKeySize + kSaltSize + 4);
fa7225c8 A	49	if (SecRandomCopyBytes(kSecRandomDefault, CFDataGetLength(key) - 4, CFDataGetMutableBytePtr(key)) != 0) {
	50	CFReleaseNull(key);
	51	return false;
	52	}
	53	if (SecRandomCopyBytes(kSecRandomDefault, ivLen, iv) != 0) {
	54	CFReleaseNull(key);
	55	return false;
	56	}
	57
d8f41ccd A	58	uint32_t size = htonl(kIterations);
	59	memcpy(CFDataGetMutableBytePtr(key) + kKeySize + kSaltSize, &size, sizeof(size));
	60
	61	/*
	62	* Create data for password
	63	*/
	64
	65	pw = CFStringCreateExternalRepresentation(NULL, inPassword, kCFStringEncodingUTF8, 0);
	66	if (pw == NULL) {
	67	CFReleaseNull(key);
	68	return false;
	69	}
	70
	71	const CFIndex passwordLength = CFDataGetLength(pw);
	72
	73	if (passwordLength > maxSize) {
	74	CFReleaseNull(pw);
	75	CFReleaseNull(key);
	76	return false;
	77	}
	78
	79	CFIndex paddedSize = passwordLength + paddingSize - (passwordLength % paddingSize);
fa7225c8	80	const CFIndex outLength = 1 + ivLen + 4 + paddedSize + tagLen;
d8f41ccd A	81
	82	npw = CFDataCreateMutable(NULL, outLength);
	83	if (npw == NULL) {
	84	CFReleaseNull(pw);
	85	CFReleaseNull(key);
	86	return false;
	87	}
	88	CFDataSetLength(npw, outLength);
	89
	90	memset(CFDataGetMutableBytePtr(npw), 0, outLength);
fa7225c8 A	91	CFDataGetMutableBytePtr(npw)[0] = BCversion2;
fa7225c8 A	92	memcpy(CFDataGetMutableBytePtr(npw) + 1, iv, ivLen);
d8f41ccd	93	size = htonl(passwordLength);
fa7225c8 A	94	memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen, &size, sizeof(size));
fa7225c8 A	95	memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen + 4, CFDataGetBytePtr(pw), passwordLength);
d8f41ccd A	96
	97	/*
	98	* Now create a GCM encrypted password using the random key
	99	*/
	100
5c19dc3a A	101	ccgcm_ctx_decl(gcm->size, ctx);
5c19dc3a A	102	ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key));
fa7225c8	103	ccgcm_set_iv(gcm, ctx, ivLen, iv);
5c19dc3a	104	ccgcm_gmac(gcm, ctx, 1, CFDataGetMutableBytePtr(npw));
fa7225c8	105	ccgcm_update(gcm, ctx, outLength - tagLen - ivLen - 1, CFDataGetMutableBytePtr(npw) + 1 + ivLen, CFDataGetMutableBytePtr(npw) + 1 + ivLen);
5c19dc3a A	106	ccgcm_finalize(gcm, ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen);
5c19dc3a A	107	ccgcm_ctx_clear(gcm->size, ctx);
d8f41ccd A	108
	109	/*
	110	* Wrapping key is PBKDF2(sha256) over password
	111	*/
	112
	113	if (di->output_size < kKeySize) abort();
	114
	115	uint8_t rawkey[di->output_size];
	116
	117	if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
	118	kSaltSize, CFDataGetMutableBytePtr(key) + kKeySize,
	119	kIterations,
	120	sizeof(rawkey), rawkey) != 0)
	121	abort();
	122
	123	/*
	124	* Wrap the random key with one round of ECB cryto
	125	*/
	126
5c19dc3a A	127	ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
	128	ccecb_init(ecb, ecbkey, kKeySize, rawkey);
	129	ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(key), CFDataGetMutableBytePtr(key));
	130	ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);
	131
d8f41ccd A	132	/*
	133	*
	134	*/
	135
	136	memset(rawkey, 0, sizeof(rawkey));
	137	CFReleaseNull(pw);
	138
	139	*outBreadcrumb = npw;
	140	*outEncryptedKey = key;
	141
	142	return true;
	143	}
	144
	145
	146	Boolean
	147	SecBreadcrumbCopyPassword(CFStringRef inPassword,
	148	CFDataRef inBreadcrumb,
	149	CFDataRef inEncryptedKey,
	150	CFStringRef *outPassword,
	151	CFErrorRef *outError)
	152	{
	153	const struct ccmode_ecb *ecb = ccaes_ecb_decrypt_mode();
d8f41ccd A	154	const struct ccdigest_info *di = ccsha256_di();
d8f41ccd A	155	CFMutableDataRef gcmkey, oldpw;
fa7225c8	156	CFIndex outLength;
d8f41ccd A	157	CFDataRef pw;
	158	uint32_t size;
	159
	160	*outPassword = NULL;
	161	if (outError)
	162	*outError = NULL;
	163
	164	if (CFDataGetLength(inEncryptedKey) < kKeySize + kSaltSize + 4) {
	165	return false;
	166	}
	167
fa7225c8 A	168	if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
	169	if (CFDataGetLength(inBreadcrumb) < 1 + 4 + paddingSize + tagLen)
	170	return false;
	171
	172	outLength = CFDataGetLength(inBreadcrumb) - 1 - tagLen;
	173	} else if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion2) {
	174	if (CFDataGetLength(inBreadcrumb) < 1 + ivLen + 4 + paddingSize + tagLen)
	175	return false;
	176	outLength = CFDataGetLength(inBreadcrumb) - 1 - ivLen - tagLen;
	177	} else {
d8f41ccd A	178	return false;
	179	}
	180
	181	gcmkey = CFDataCreateMutableCopy(NULL, 0, inEncryptedKey);
	182	if (gcmkey == NULL) {
	183	return false;
	184	}
	185
d8f41ccd A	186	if ((outLength % 16) != 0 && outLength < 4) {
	187	CFReleaseNull(gcmkey);
	188	return false;
	189	}
	190
	191	oldpw = CFDataCreateMutable(NULL, outLength);
	192	if (oldpw == NULL) {
	193	CFReleaseNull(gcmkey);
	194	return false;
	195	}
	196	CFDataSetLength(oldpw, outLength);
d8f41ccd A	197
	198	/*
	199	* Create data for password
	200	*/
	201
	202	pw = CFStringCreateExternalRepresentation(NULL, inPassword, kCFStringEncodingUTF8, 0);
	203	if (pw == NULL) {
	204	CFReleaseNull(oldpw);
	205	CFReleaseNull(gcmkey);
	206	return false;
	207	}
	208
	209	/*
	210	* Wrapping key is HMAC(sha256) over password
	211	*/
	212
	213	if (di->output_size < kKeySize) abort();
	214
	215	uint8_t rawkey[di->output_size];
	216
	217	memcpy(&size, CFDataGetMutableBytePtr(gcmkey) + kKeySize + kSaltSize, sizeof(size));
	218	size = ntohl(size);
	219
	220	if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
	221	kSaltSize, CFDataGetMutableBytePtr(gcmkey) + kKeySize,
	222	size,
	223	sizeof(rawkey), rawkey) != 0)
	224	abort();
	225
	226	CFReleaseNull(pw);
	227
	228	/*
	229	* Unwrap the random key with one round of ECB cryto
	230	*/
	231
5c19dc3a A	232	ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
	233	ccecb_init(ecb, ecbkey, kKeySize, rawkey);
	234	ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(gcmkey), CFDataGetMutableBytePtr(gcmkey));
	235	ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);
d8f41ccd A	236	/*
	237	* GCM unwrap
	238	*/
fa7225c8	239
d8f41ccd	240	uint8_t tag[tagLen];
fa7225c8 A	241
	242	if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
	243	memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen);
	244
	245	ccgcm_one_shot_legacy(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey), 0, NULL, 1, CFDataGetBytePtr(inBreadcrumb),
	246	outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw), tagLen, tag);
	247	if (memcmp(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen) != 0) {
	248	CFReleaseNull(oldpw);
	249	return false;
	250	}
	251
	252	} else {
	253	const uint8_t *iv = CFDataGetBytePtr(inBreadcrumb) + 1;
	254	int res;
	255	memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen + outLength, tagLen);
	256
	257	res = ccgcm_one_shot(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey),
	258	ivLen, iv,
	259	1, CFDataGetBytePtr(inBreadcrumb),
	260	outLength, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen, CFDataGetMutableBytePtr(oldpw),
	261	tagLen, tag);
	262	if (res) {
	263	CFReleaseNull(oldpw);
	264	return false;
	265	}
d8f41ccd	266	}
fa7225c8 A	267
fa7225c8 A	268	CFReleaseNull(gcmkey);
d8f41ccd	269
fa7225c8	270
d8f41ccd A	271	memcpy(&size, CFDataGetMutableBytePtr(oldpw), sizeof(size));
	272	size = ntohl(size);
	273	if (size > outLength - 4) {
	274	CFReleaseNull(oldpw);
	275	return false;
	276	}
	277	memmove(CFDataGetMutableBytePtr(oldpw), CFDataGetMutableBytePtr(oldpw) + 4, size);
	278	CFDataSetLength(oldpw, size);
	279
	280	*outPassword = CFStringCreateFromExternalRepresentation(NULL, oldpw, kCFStringEncodingUTF8);
	281	CFReleaseNull(oldpw);
	282
	283	return true;
	284	}
	285
	286	CFDataRef
	287	SecBreadcrumbCreateNewEncryptedKey(CFStringRef oldPassword,
	288	CFStringRef newPassword,
	289	CFDataRef encryptedKey,
	290	CFErrorRef *outError)
	291	{
	292	const struct ccmode_ecb *enc = ccaes_ecb_encrypt_mode();
	293	const struct ccmode_ecb *dec = ccaes_ecb_decrypt_mode();
	294	const struct ccdigest_info *di = ccsha256_di();
	295	CFMutableDataRef newEncryptedKey;
	296	CFDataRef newpw = NULL, oldpw = NULL;
	297	uint8_t rawkey[di->output_size];
	298
	299	if (CFDataGetLength(encryptedKey) < kKeySize + kSaltSize + 4) {
	300	return NULL;
	301	}
	302
	303	newEncryptedKey = CFDataCreateMutableCopy(NULL, 0, encryptedKey);
	304	if (newEncryptedKey == NULL) {
	305	return NULL;
	306	}
	307
	308	oldpw = CFStringCreateExternalRepresentation(NULL, oldPassword, kCFStringEncodingUTF8, 0);
	309	if (oldpw == NULL) {
	310	CFReleaseNull(newEncryptedKey);
	311	return false;
	312	}
	313
	314	newpw = CFStringCreateExternalRepresentation(NULL, newPassword, kCFStringEncodingUTF8, 0);
	315	if (newpw == NULL) {
	316	CFReleaseNull(newEncryptedKey);
	317	CFReleaseNull(oldpw);
	318	return false;
	319	}
	320
	321	if (di->output_size < kKeySize) abort();
	322
	323	/*
	324	* Unwrap with new key
	325	*/
	326
	327	uint32_t iter;
	328
	329	memcpy(&iter, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize + kSaltSize, sizeof(iter));
	330	iter = ntohl(iter);
	331
	332	if (ccpbkdf2_hmac(di, CFDataGetLength(oldpw), CFDataGetBytePtr(oldpw),
	333	kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
	334	iter,
335	sizeof(rawkey), rawkey) != 0)
336	abort();
337
338	CFReleaseNull(oldpw);
339
340
341	ccecb_ctx_decl(dec->size, deckey);
5c19dc3a A	342	ccecb_init(dec, deckey, kKeySize, rawkey);
	343	ccecb_update(dec, deckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
	344	ccecb_ctx_clear(ccecb_context_size(dec), deckey);
d8f41ccd A	345
	346	memset(rawkey, 0, sizeof(rawkey));
	347
	348	/*
	349	* Re-wrap with new key
	350	*/
	351
	352	if (ccpbkdf2_hmac(di, CFDataGetLength(newpw), CFDataGetBytePtr(newpw),
	353	kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
	354	iter,
	355	sizeof(rawkey), rawkey) != 0)
	356	abort();
	357
	358	CFReleaseNull(newpw);
	359
	360
	361	ccecb_ctx_decl(enc->size, enckey);
5c19dc3a A	362	ccecb_init(enc, enckey, kKeySize, rawkey);
	363	ccecb_update(enc, enckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
	364	ccecb_ctx_clear(ccecb_context_size(enc), enckey);
d8f41ccd A	365
	366	memset(rawkey, 0, sizeof(rawkey));
	367
	368	return newEncryptedKey;
	369	}