]> git.saurik.com Git - apple/security.git/blob - OSX/Breadcrumb/SecBreadcrumb.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.60.18.tar.gz
[apple/security.git] / OSX / Breadcrumb / SecBreadcrumb.c
1 /*
2 * Copyright (c) 2014 - 2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <Security/Security.h>
25 #include <Security/SecBreadcrumb.h>
26 #include <Security/SecRandom.h>
27
28 #include <corecrypto/ccaes.h>
29 #include <corecrypto/ccpbkdf2.h>
30 #include <corecrypto/ccmode.h>
31 #include <corecrypto/ccmode_factory.h>
32 #include <corecrypto/ccsha2.h>
33
34 #include <CommonCrypto/CommonRandomSPI.h>
35
36 #import "SecCFAllocator.h"
37
38 #define CFReleaseNull(CF) ({ __typeof__(CF) *const _pcf = &(CF), _cf = *_pcf; (_cf ? (*_pcf) = ((__typeof__(CF))0), (CFRelease(_cf), ((__typeof__(CF))0)) : _cf); })
39
40 static const int kKeySize = CCAES_KEY_SIZE_128;
41 static const int kSaltSize = 20;
42 static const int kIterations = 5000;
43 static const CFIndex tagLen = 16;
44 static const CFIndex ivLen = 16;
45 static const uint8_t BCversion1 = 1;
46 static const uint8_t BCversion2 = 2;
47 static const ssize_t paddingSize = 256;
48 static const ssize_t maxSize = 1024;
49
50 Boolean
51 SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
52 CFDataRef *outBreadcrumb,
53 CFDataRef *outEncryptedKey,
54 CFErrorRef *outError)
55 {
56 const struct ccmode_ecb *ecb = ccaes_ecb_encrypt_mode();
57 const struct ccmode_gcm *gcm = ccaes_gcm_encrypt_mode();
58 const struct ccdigest_info *di = ccsha256_di();
59 uint8_t iv[ivLen];
60 CFMutableDataRef key, npw;
61 CFDataRef pw;
62
63 *outBreadcrumb = NULL;
64 *outEncryptedKey = NULL;
65 if (outError)
66 *outError = NULL;
67
68 key = CFDataCreateMutable(SecCFAllocatorZeroize(), 0);
69 if (key == NULL)
70 return false;
71
72 CFDataSetLength(key, kKeySize + kSaltSize + 4);
73 if (SecRandomCopyBytes(kSecRandomDefault, CFDataGetLength(key) - 4, CFDataGetMutableBytePtr(key)) != 0) {
74 CFReleaseNull(key);
75 return false;
76 }
77 if (SecRandomCopyBytes(kSecRandomDefault, ivLen, iv) != 0) {
78 CFReleaseNull(key);
79 return false;
80 }
81
82 uint32_t size = htonl(kIterations);
83 memcpy(CFDataGetMutableBytePtr(key) + kKeySize + kSaltSize, &size, sizeof(size));
84
85 /*
86 * Create data for password
87 */
88
89 pw = CFStringCreateExternalRepresentation(SecCFAllocatorZeroize(), inPassword, kCFStringEncodingUTF8, 0);
90 if (pw == NULL) {
91 CFReleaseNull(key);
92 return false;
93 }
94
95 const CFIndex passwordLength = CFDataGetLength(pw);
96
97 if (passwordLength > maxSize) {
98 CFReleaseNull(pw);
99 CFReleaseNull(key);
100 return false;
101 }
102
103 CFIndex paddedSize = passwordLength + paddingSize - (passwordLength % paddingSize);
104 const CFIndex outLength = 1 + ivLen + 4 + paddedSize + tagLen;
105
106 npw = CFDataCreateMutable(NULL, outLength);
107 if (npw == NULL) {
108 CFReleaseNull(pw);
109 CFReleaseNull(key);
110 return false;
111 }
112 CFDataSetLength(npw, outLength);
113
114 memset(CFDataGetMutableBytePtr(npw), 0, outLength);
115 CFDataGetMutableBytePtr(npw)[0] = BCversion2;
116 memcpy(CFDataGetMutableBytePtr(npw) + 1, iv, ivLen);
117 size = htonl(passwordLength);
118 memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen, &size, sizeof(size));
119 memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen + 4, CFDataGetBytePtr(pw), passwordLength);
120
121 /*
122 * Now create a GCM encrypted password using the random key
123 */
124
125 ccgcm_ctx_decl(gcm->size, ctx);
126 ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key));
127 ccgcm_set_iv(gcm, ctx, ivLen, iv);
128 ccgcm_gmac(gcm, ctx, 1, CFDataGetMutableBytePtr(npw));
129 ccgcm_update(gcm, ctx, outLength - tagLen - ivLen - 1, CFDataGetMutableBytePtr(npw) + 1 + ivLen, CFDataGetMutableBytePtr(npw) + 1 + ivLen);
130 ccgcm_finalize(gcm, ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen);
131 ccgcm_ctx_clear(gcm->size, ctx);
132
133 /*
134 * Wrapping key is PBKDF2(sha256) over password
135 */
136
137 if (di->output_size < kKeySize) abort();
138
139 uint8_t rawkey[di->output_size];
140
141 if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
142 kSaltSize, CFDataGetMutableBytePtr(key) + kKeySize,
143 kIterations,
144 sizeof(rawkey), rawkey) != 0)
145 abort();
146
147 /*
148 * Wrap the random key with one round of ECB cryto
149 */
150
151 ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
152 ccecb_init(ecb, ecbkey, kKeySize, rawkey);
153 ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(key), CFDataGetMutableBytePtr(key));
154 ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);
155
156 /*
157 *
158 */
159
160 memset(rawkey, 0, sizeof(rawkey));
161 CFReleaseNull(pw);
162
163 *outBreadcrumb = npw;
164 *outEncryptedKey = key;
165
166 return true;
167 }
168
169
170 Boolean
171 SecBreadcrumbCopyPassword(CFStringRef inPassword,
172 CFDataRef inBreadcrumb,
173 CFDataRef inEncryptedKey,
174 CFStringRef *outPassword,
175 CFErrorRef *outError)
176 {
177 const struct ccmode_ecb *ecb = ccaes_ecb_decrypt_mode();
178 const struct ccdigest_info *di = ccsha256_di();
179 CFMutableDataRef gcmkey, oldpw;
180 CFIndex outLength;
181 CFDataRef pw;
182 uint32_t size;
183
184 *outPassword = NULL;
185 if (outError)
186 *outError = NULL;
187
188 if (CFDataGetLength(inEncryptedKey) < kKeySize + kSaltSize + 4) {
189 return false;
190 }
191
192 if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
193 if (CFDataGetLength(inBreadcrumb) < 1 + 4 + paddingSize + tagLen)
194 return false;
195
196 outLength = CFDataGetLength(inBreadcrumb) - 1 - tagLen;
197 } else if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion2) {
198 if (CFDataGetLength(inBreadcrumb) < 1 + ivLen + 4 + paddingSize + tagLen)
199 return false;
200 outLength = CFDataGetLength(inBreadcrumb) - 1 - ivLen - tagLen;
201 } else {
202 return false;
203 }
204
205 gcmkey = CFDataCreateMutableCopy(SecCFAllocatorZeroize(), 0, inEncryptedKey);
206 if (gcmkey == NULL) {
207 return false;
208 }
209
210 if ((outLength % 16) != 0 && outLength < 4) {
211 CFReleaseNull(gcmkey);
212 return false;
213 }
214
215 oldpw = CFDataCreateMutable(SecCFAllocatorZeroize(), outLength);
216 if (oldpw == NULL) {
217 CFReleaseNull(gcmkey);
218 return false;
219 }
220 CFDataSetLength(oldpw, outLength);
221
222 /*
223 * Create data for password
224 */
225
226 pw = CFStringCreateExternalRepresentation(SecCFAllocatorZeroize(), inPassword, kCFStringEncodingUTF8, 0);
227 if (pw == NULL) {
228 CFReleaseNull(oldpw);
229 CFReleaseNull(gcmkey);
230 return false;
231 }
232
233 /*
234 * Wrapping key is HMAC(sha256) over password
235 */
236
237 if (di->output_size < kKeySize) abort();
238
239 uint8_t rawkey[di->output_size];
240
241 memcpy(&size, CFDataGetMutableBytePtr(gcmkey) + kKeySize + kSaltSize, sizeof(size));
242 size = ntohl(size);
243
244 if (ccpbkdf2_hmac(di, CFDataGetLength(pw), CFDataGetBytePtr(pw),
245 kSaltSize, CFDataGetMutableBytePtr(gcmkey) + kKeySize,
246 size,
247 sizeof(rawkey), rawkey) != 0)
248 abort();
249
250 CFReleaseNull(pw);
251
252 /*
253 * Unwrap the random key with one round of ECB cryto
254 */
255
256 ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey);
257 ccecb_init(ecb, ecbkey, kKeySize, rawkey);
258 ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(gcmkey), CFDataGetMutableBytePtr(gcmkey));
259 ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey);
260 /*
261 * GCM unwrap
262 */
263
264 uint8_t tag[tagLen];
265
266 if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
267 memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen);
268
269 ccgcm_one_shot_legacy(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey), 0, NULL, 1, CFDataGetBytePtr(inBreadcrumb),
270 outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw), tagLen, tag);
271 if (memcmp(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen) != 0) {
272 CFReleaseNull(oldpw);
273 CFReleaseNull(gcmkey);
274 return false;
275 }
276
277 } else {
278 const uint8_t *iv = CFDataGetBytePtr(inBreadcrumb) + 1;
279 int res;
280 memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen + outLength, tagLen);
281
282 res = ccgcm_one_shot(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey),
283 ivLen, iv,
284 1, CFDataGetBytePtr(inBreadcrumb),
285 outLength, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen, CFDataGetMutableBytePtr(oldpw),
286 tagLen, tag);
287 if (res) {
288 CFReleaseNull(oldpw);
289 CFReleaseNull(gcmkey);
290 return false;
291 }
292 }
293
294 CFReleaseNull(gcmkey);
295
296
297 memcpy(&size, CFDataGetMutableBytePtr(oldpw), sizeof(size));
298 size = ntohl(size);
299 if ((ssize_t) size > outLength - 4) {
300 CFReleaseNull(oldpw);
301 return false;
302 }
303 memmove(CFDataGetMutableBytePtr(oldpw), CFDataGetMutableBytePtr(oldpw) + 4, size);
304 CFDataSetLength(oldpw, size);
305
306 *outPassword = CFStringCreateFromExternalRepresentation(SecCFAllocatorZeroize(), oldpw, kCFStringEncodingUTF8);
307 CFReleaseNull(oldpw);
308
309 return true;
310 }
311
312 CFDataRef
313 SecBreadcrumbCreateNewEncryptedKey(CFStringRef oldPassword,
314 CFStringRef newPassword,
315 CFDataRef encryptedKey,
316 CFErrorRef *outError)
317 {
318 const struct ccmode_ecb *enc = ccaes_ecb_encrypt_mode();
319 const struct ccmode_ecb *dec = ccaes_ecb_decrypt_mode();
320 const struct ccdigest_info *di = ccsha256_di();
321 CFMutableDataRef newEncryptedKey;
322 CFDataRef newpw = NULL, oldpw = NULL;
323 uint8_t rawkey[di->output_size];
324
325 if (CFDataGetLength(encryptedKey) < kKeySize + kSaltSize + 4) {
326 return NULL;
327 }
328
329 newEncryptedKey = CFDataCreateMutableCopy(SecCFAllocatorZeroize(), 0, encryptedKey);
330 if (newEncryptedKey == NULL) {
331 return NULL;
332 }
333
334 oldpw = CFStringCreateExternalRepresentation(SecCFAllocatorZeroize(), oldPassword, kCFStringEncodingUTF8, 0);
335 if (oldpw == NULL) {
336 CFReleaseNull(newEncryptedKey);
337 return false;
338 }
339
340 newpw = CFStringCreateExternalRepresentation(SecCFAllocatorZeroize(), newPassword, kCFStringEncodingUTF8, 0);
341 if (newpw == NULL) {
342 CFReleaseNull(newEncryptedKey);
343 CFReleaseNull(oldpw);
344 return false;
345 }
346
347 if (di->output_size < kKeySize) abort();
348
349 /*
350 * Unwrap with new key
351 */
352
353 uint32_t iter;
354
355 memcpy(&iter, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize + kSaltSize, sizeof(iter));
356 iter = ntohl(iter);
357
358 if (ccpbkdf2_hmac(di, CFDataGetLength(oldpw), CFDataGetBytePtr(oldpw),
359 kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
360 iter,
361 sizeof(rawkey), rawkey) != 0)
362 abort();
363
364 CFReleaseNull(oldpw);
365
366
367 ccecb_ctx_decl(dec->size, deckey);
368 ccecb_init(dec, deckey, kKeySize, rawkey);
369 ccecb_update(dec, deckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
370 ccecb_ctx_clear(ccecb_context_size(dec), deckey);
371
372 memset(rawkey, 0, sizeof(rawkey));
373
374 /*
375 * Re-wrap with new key
376 */
377
378 if (ccpbkdf2_hmac(di, CFDataGetLength(newpw), CFDataGetBytePtr(newpw),
379 kSaltSize, CFDataGetMutableBytePtr(newEncryptedKey) + kKeySize,
380 iter,
381 sizeof(rawkey), rawkey) != 0)
382 abort();
383
384 CFReleaseNull(newpw);
385
386
387 ccecb_ctx_decl(enc->size, enckey);
388 ccecb_init(enc, enckey, kKeySize, rawkey);
389 ccecb_update(enc, enckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey));
390 ccecb_ctx_clear(ccecb_context_size(enc), enckey);
391
392 memset(rawkey, 0, sizeof(rawkey));
393
394 return newEncryptedKey;
395 }
mirror of Security