-//
-// SecOTRPackets.c
-// libsecurity_libSecOTR
-//
-// Created by Mitch Adler on 2/23/11.
-// Copyright 2011 Apple Inc. All rights reserved.
-//
-
-#include "SecOTRSessionPriv.h"
-#include "SecOTRPackets.h"
-
-#include "SecOTR.h"
-#include "SecOTRIdentityPriv.h"
-
-//*****************************************#include "SecCFWrappers.h"
-#include "SecOTRPacketData.h"
-#include "SecOTRDHKey.h"
-
-#ifdef USECOMMONCRYPTO
-#include <CommonCrypto/CommonHMAC.h>
-#endif
-
-#include <corecrypto/ccn.h>
-#include <corecrypto/ccdigest.h>
-
-#include <corecrypto/ccaes.h>
-#include <corecrypto/ccmode.h>
-#include <corecrypto/ccmode_factory.h>
-#include <corecrypto/cchmac.h>
-#include <corecrypto/ccsha2.h>
-
-//
-// Crypto functions
-//
-
-static inline void AppendSHA256HMAC(CFMutableDataRef appendTo,
- size_t keybytes,
- const uint8_t* key,
- size_t howMuch,
- const uint8_t* from)
-{
- uint8_t *to = CFDataIncreaseLengthAndGetMutableBytes(appendTo, CCSHA256_OUTPUT_SIZE);
-
-#ifdef USECOMMONCRYPTO
- CCHmac(kCCHmacAlgSHA256, key, keybytes, from, howMuch, to);
-#else
- cchmac(ccsha256_di(), keybytes, key, howMuch, from, to);
-#endif
-}
-
-// First 160 bits of the HMAC
-static inline void AppendSHA256HMAC_160(CFMutableDataRef appendTo,
- size_t keySize,
- const uint8_t* key,
- size_t howMuch,
- const uint8_t* from)
-{
- AppendSHA256HMAC(appendTo, keySize, key, howMuch, from);
- const CFIndex bytesToRemove = CCSHA256_OUTPUT_SIZE - kSHA256HMAC160Bytes;
- const CFRange rangeToDelete = CFRangeMake(CFDataGetLength(appendTo) - bytesToRemove, bytesToRemove);
-
- CFDataDeleteBytes(appendTo, rangeToDelete);
-}
-
-static inline void DeriveAndAppendSHA256HMAC(CFMutableDataRef appendTo,
- cc_size sN,
- const cc_unit* s,
- KeyType whichKey,
- size_t howMuch,
- const uint8_t* from)
-{
- size_t localKeySize = CCSHA256_OUTPUT_SIZE;
- uint8_t localKey[localKeySize];
-
- DeriveOTR256BitsFromS(whichKey, sN, s, localKeySize, localKey);
-
- AppendSHA256HMAC(appendTo, localKeySize, localKey, howMuch, from);
-
- bzero(localKey, localKeySize);
-}
-
-static inline void DeriveAndAppendSHA256HMAC_160(CFMutableDataRef appendTo,
- cc_size sN,
- const cc_unit* s,
- KeyType whichKey,
- size_t howMuch,
- const uint8_t* from)
-{
- size_t localKeySize = CCSHA256_OUTPUT_SIZE;
- uint8_t localKey[localKeySize];
-
- DeriveOTR256BitsFromS(whichKey, sN, s, localKeySize, localKey);
-
- AppendSHA256HMAC_160(appendTo, localKeySize, localKey, howMuch, from);
-
- bzero(localKey, sizeof(localKey));
-}
-
-//
-// Message creators
-//
-
-void SecOTRAppendDHMessage(SecOTRSessionRef session,
- CFMutableDataRef appendTo)
-{
- //
- // Message Type: kDHMessage (0x02)
- // AES_CTR(r, 0) of G^X MPI
- // SHA256(gxmpi)
- //
-
- if(!session) return;
- CFMutableDataRef gxmpi = CFDataCreateMutable(kCFAllocatorDefault, 0);
- if(!gxmpi) return;
-
- AppendHeader(appendTo, kDHMessage);
-
- SecFDHKAppendPublicSerialization(session->_myKey, gxmpi);
-
- size_t gxmpiSize = (size_t)CFDataGetLength(gxmpi);
- if(gxmpiSize == 0) {
- CFReleaseNull(gxmpi);
- return;
- }
- const uint8_t* gxmpiLocation = CFDataGetBytePtr(gxmpi);
-
- /* 64 bits cast: gxmpiSize is the size of the EC public key, which is hardcoded and never more than 2^32 bytes. */
- assert(gxmpiSize<UINT32_MAX); /* debug check only */
- AppendLong(appendTo, (uint32_t)gxmpiSize);
- assert(gxmpiSize<INT32_MAX);
- uint8_t* encGxmpiLocation = CFDataIncreaseLengthAndGetMutableBytes(appendTo, (CFIndex)gxmpiSize);
- AES_CTR_IV0_Transform(sizeof(session->_r), session->_r, gxmpiSize, gxmpiLocation, encGxmpiLocation);
-
- AppendLong(appendTo, CCSHA256_OUTPUT_SIZE);
- uint8_t* hashLocation = CFDataIncreaseLengthAndGetMutableBytes(appendTo, CCSHA256_OUTPUT_SIZE);
-
-#ifdef USECOMMONCRYPTO
- (void) CC_SHA256(gxmpiLocation, (uint32_t)gxmpiSize, hashLocation);
-#else
- ccdigest(ccsha256_di(), gxmpiSize, gxmpiLocation, hashLocation);
-#endif
- CFReleaseNull(gxmpi);
-}
-
-void SecOTRAppendDHKeyMessage(SecOTRSessionRef session,
- CFMutableDataRef appendTo)
-{
- //
- // Message Type: kDHKeyMessage (0x0A)
- // G^X Data MPI
- //
-
- AppendHeader(appendTo, kDHKeyMessage);
- SecFDHKAppendPublicSerialization(session->_myKey, appendTo);
-}
-
-static uint8_t* AppendEncryptedSignature(SecOTRSessionRef session,
- const cc_unit* s,
- bool usePrime,
- CFMutableDataRef appendTo)
-{
- CFMutableDataRef signature = CFDataCreateMutable(kCFAllocatorDefault, 0);
- CFMutableDataRef mbData = CFDataCreateMutable(kCFAllocatorDefault, 0);
- CFMutableDataRef mb = CFDataCreateMutable(kCFAllocatorDefault, 0);
-
- SecFDHKAppendPublicSerialization(session->_myKey, mbData);
- SecPDHKAppendSerialization(session->_theirKey, mbData);
-
- CFIndex publicKeyOffset = CFDataGetLength(mbData);
-
- SecOTRPublicIdentityRef myPublic = SecOTRPublicIdentityCopyFromPrivate(kCFAllocatorDefault, session->_me, NULL);
- AppendPublicKey(mbData, myPublic);
- CFReleaseNull(myPublic);
-
- AppendLong(mbData, session->_keyID);
-
- DeriveAndAppendSHA256HMAC(mb,
- kExponentiationUnits, s,
- usePrime ? kM1Prime : kM1,
- (size_t)CFDataGetLength(mbData), CFDataGetBytePtr(mbData));
-
- CFDataDeleteBytes(mbData, CFRangeMake(0, publicKeyOffset));
-
- CFMutableDataRef xb = mbData; mbData = NULL;
- SecOTRFIAppendSignature(session->_me, mb, signature, NULL);
- CFReleaseNull(mb);
-
- AppendCFDataAsDATA(xb, signature);
- CFReleaseNull(signature);
-
- CFIndex dataLength = CFDataGetLength(xb);
-
- CFIndex signatureStartIndex = CFDataGetLength(appendTo);
- /* 64 bits cast: We are appending the signature we just generated, which is never bigger than 2^32 bytes. */
- assert(((unsigned long)dataLength)<=UINT32_MAX); /* debug check, correct as long as CFIndex is a signed long */
- AppendLong(appendTo, (uint32_t)dataLength);
- uint8_t *destination = CFDataIncreaseLengthAndGetMutableBytes(appendTo, dataLength);
-
- uint8_t c[kOTRAuthKeyBytes];
- DeriveOTR128BitPairFromS(kCs, kExponentiationUnits, s,
- sizeof(c), usePrime ? NULL : c,
- sizeof(c), usePrime ? c : NULL);
-
- AES_CTR_IV0_Transform(sizeof(c), c,
- (size_t)dataLength, CFDataGetBytePtr(xb),
- destination);
- bzero(c, sizeof(c));
- CFReleaseNull(xb);
-
- return CFDataGetMutableBytePtr(appendTo) + signatureStartIndex;
-}
-
-
-static void AppendMACedEncryptedSignature(SecOTRSessionRef session,
- bool usePrime,
- CFMutableDataRef appendTo)
-{
-
- cc_unit s[kExponentiationUnits];
-
- SecPDHKeyGenerateS(session->_myKey, session->_theirKey, s);
-
- CFIndex signatureStartOffset = CFDataGetLength(appendTo);
- const uint8_t *signatureStart = AppendEncryptedSignature(session, s, usePrime, appendTo);
- size_t signatureSize = (size_t)CFDataGetLength(appendTo) - (size_t)signatureStartOffset;
-
-
- DeriveAndAppendSHA256HMAC_160(appendTo,
- kExponentiationUnits, s,
- usePrime ? kM2Prime : kM2,
- signatureSize, signatureStart);
- bzero(s, sizeof(s));
-}
-
-
-void SecOTRAppendRevealSignatureMessage(SecOTRSessionRef session,
- CFMutableDataRef appendTo)
-{
- //
- // Message Type: kRevealSignatureMessage (0x11)
- // G^X Data MPI
- //
-
- AppendHeader(appendTo, kRevealSignatureMessage);
-
- AppendLong(appendTo, kOTRAuthKeyBytes);
- uint8_t* keyPosition = CFDataIncreaseLengthAndGetMutableBytes(appendTo, kOTRAuthKeyBytes);
- memcpy(keyPosition, session->_r, kOTRAuthKeyBytes);
-
- AppendMACedEncryptedSignature(session, false, appendTo);
-}
-
-void SecOTRAppendSignatureMessage(SecOTRSessionRef session,
- CFMutableDataRef appendTo)
-{
- //
- // Message Type: kSignatureMessage (0x12)
- // G^X Data MPI
- //
-
- AppendHeader(appendTo, kSignatureMessage);
- AppendMACedEncryptedSignature(session, true, appendTo);
-}
-
projects / apple / security.git / blobdiff