+++ /dev/null
-#include "SOSForerunnerSession.h"
-#include "SOSAccountDer.c"
-#include "SOSPlatform.h"
-
-#include <CoreFoundation/CFRuntime.h>
-#include <utilities/SecCFWrappers.h>
-#include <utilities/SecCFError.h>
-#include <Security/SecureObjectSync/SOSInternal.h>
-#include <corecrypto/ccsrp.h>
-#include <corecrypto/ccsha2.h>
-#include <corecrypto/ccdh_gp.h>
-#include <corecrypto/ccder.h>
-#include <corecrypto/ccaes.h>
-#include <corecrypto/ccmode.h>
-#include <corecrypto/cchkdf.h>
-#include <CommonCrypto/CommonRandomSPI.h>
-#include <os/assumes.h>
-#include <AssertMacros.h>
-
-#pragma mark Definitions
-#define FR_VERSION 1llu
-#define FR_MAGIC_REQUEST 0x67756d70llu
-#define FR_MAGIC_CHALLENGE 0x67756d71llu
-#define FR_MAGIC_RESPONSE 0x67756d72llu
-#define FR_MAGIC_HSA2 0x67756d73llu
-#define FR_SALT_LEN 32llu
-
-#define FR_Z_SZ_HKDF_V1 32
-#define FR_Z_SZ_V1 16
-#define FR_Z_FROM_REQUESTOR "requestor2acceptor"
-#define FR_Z_FROM_ACCEPTOR "acceptor2requestor"
-
-#define FR_TAG_SIZE_V1 CCAES_KEY_SIZE_128
-#define FR_SIDECAR_SIZE_V1 (sizeof(uint64_t) + FR_TAG_SIZE_V1)
-
-// The initialization vector has three parts.
-// |<-------- DSID -------->|<- X ->|<------ counter ------>|
-// 64 bits 8 bits 56 bits
-//
-// The DSID is known to each end and supplied to each session object at create-
-// time. X is either 0x0a or 0x0b, depending on whether the message came from an
-// acceptor or requestor session, respectively. These values are static and
-// known to each end. The counter starts at zero on each end and is incremented
-// for each packet generated. It is sent as a sidecar along with the encrypted
-// data blob, and it is then used to construct the IV for decryption along with
-// the other two (known) components. Its value can not exceed 2^56 - 1.
-#define FR_IV_SIZE_V1 (sizeof(uint64_t) + sizeof(uint64_t))
-#define FR_IV_X_ACCEPT_V1 (0x0a)
-#define FR_IV_X_REQUEST_V1 (0x0b)
-#define FR_IV_X_SIZE_V1 (1)
-#define FR_IV_CNT_MAX_V1 ((0x100000000000000llu) - 1)
-#define FR_IV_CNT_SIZE_V1 (7)
-
-#define FR_MAX_ACCEPTOR_TRIES 2
-
-#define print_paddedline(stream, pad, fmt, ...) do { \
- size_t i = 0; \
- for (i = 0; i < pad; i++) { \
- fprintf((stream), "\t"); \
- } \
-\
- fprintf((stream), fmt "\n", ## __VA_ARGS__); \
-} while (0);
-
-#pragma mark Utilities
-__unused static void
-_print_blob(FILE *stream, size_t pad, const char *name,
- uint8_t *buff, size_t sz, size_t len2print)
-{
- size_t nb2w = 0;
- if (len2print && len2print < sz) {
- nb2w = len2print;
- } else {
- nb2w = sz;
- }
-
- if (nb2w == 0) {
- print_paddedline(stream, pad, "%s = (null)\n", name);
- } else {
- size_t i = 0; \
- for (i = 0; i < pad; i++) {
- fprintf(stream, "\t");
- }
-
- fprintf(stream, "%s = 0x", name);
-
- uint8_t *buffp = buff;
- for (i = 0; i < nb2w; i++) {
- fprintf(stream, "%2.2x", buffp[i]);
- }
-
- if (len2print && sz > len2print) {
- fprintf(stream, "...");
- }
-
- fprintf(stream, "\n");
- }
-}
-
-#pragma mark CoreCrypto Helpers
-static uint8_t *
-_ccder_shim_encode_octet_string(size_t len, const uint8_t *start,
- const uint8_t *der, uint8_t *der_end)
-{
- der_end = ccder_encode_body(len, start, der, der_end);
- der_end = ccder_encode_tl(CCDER_OCTET_STRING, len, der, der_end);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
-xit:
- return der_end;
-}
-
-static uint8_t *
-_ccder_shim_decode_octect_string(size_t *len, const uint8_t **start,
- const uint8_t *der, const uint8_t *der_end)
-{
- der = ccder_decode_tl(CCDER_OCTET_STRING, len, der, der_end);
- if (der && start) {
- *start = der;
- der += *len;
- }
-
- return (uint8_t *)der;
-}
-
-static ccsrp_ctx *
-_ccsrp_shim_alloc(const struct ccdigest_info *di, ccdh_const_gp_t gp)
-{
- ccsrp_ctx *srp = NULL;
- int error = -1;
-
- // CoreCrypto wants these to be 8-byte aligned. malloc(3) and friends return
- // memory that is suitable for use as AltiVec/SSE data types, so they are
- // good for this interface.
- srp = malloc(ccsrp_sizeof_srp(di, gp));
- require_action_quiet(srp, xit, {
- error = errno;
- });
-
- if (!((uintptr_t)srp & 7) == 0) {
- os_hardware_trap();
- }
-
- ccsrp_ctx_init(srp, di, gp);
- error = 0;
-
-xit:
- if (error) {
- free(srp);
- srp = NULL;
- }
-
- return srp;
-}
-
-static void
-_derive_sending_key(ccsrp_ctx *srp, const char *info, uint8_t *Z, size_t Z_len)
-{
- const struct ccdigest_info *di = ccsha256_di();
- const uint8_t *K = NULL;
- size_t K_len = 0;
- uint8_t Z2[FR_Z_SZ_HKDF_V1];
- int error = -1;
-
- if (Z_len < FR_Z_SZ_V1) {
- os_hardware_trap();
- }
-
- K = ccsrp_get_session_key(srp, &K_len);
-
- error = cchkdf(di, K_len, K, 0, NULL, strlen(info), info, sizeof(Z2), Z2);
- os_assert_zero(error);
-
- // Only use first 16 bytes for AEAD.
- memcpy(Z, Z2, FR_Z_SZ_V1);
-}
-
-static void
-_construct_iv_v1(const uint8_t iv[FR_IV_SIZE_V1], uint64_t dsid,
- uint8_t x, uint64_t cnt)
-{
- uint8_t *cur_iv = (uint8_t *)iv;
-
- if (!(x == FR_IV_X_ACCEPT_V1 || x == FR_IV_X_REQUEST_V1)) {
- os_hardware_trap();
- }
-
- dsid = OSSwapHostToBigInt64(dsid);
- memcpy(cur_iv, &dsid, sizeof(dsid));
- cur_iv += sizeof(dsid);
-
- // No need to swap; it's just one byte.
- memcpy(cur_iv, &x, sizeof(x));
- cur_iv += sizeof(x);
-
- if (cnt > FR_IV_CNT_MAX_V1) {
- os_hardware_trap();
- }
-
- cnt = OSSwapHostToBigInt64(cnt);
- memcpy(cur_iv, &cnt, FR_IV_CNT_SIZE_V1);
-}
-
-static uint8_t *
-_encrypt_data_v1(const uint8_t *unenc, size_t unenc_len,
- uint64_t dsid, uint8_t x, uint64_t cnt,
- uint8_t *key, size_t key_len, size_t *enc_len)
-{
- uint8_t *enc = NULL;
- int error = -1;
-
- uint8_t *enc_cur = NULL;
- size_t enc_len2 = 0;
- const struct ccmode_gcm *mode = ccaes_gcm_encrypt_mode();
- ccgcm_ctx_decl(mode->size, gcm);
- uint8_t iv[FR_IV_SIZE_V1];
-
- enc_len2 += FR_SIDECAR_SIZE_V1;
- enc_len2 += unenc_len;
-
- enc = malloc(enc_len2);
- require_action_quiet(enc, xit, {
- error = errno;
- });
-
- enc_cur = enc;
-
- ccgcm_init(mode, gcm, key_len, key);
- _construct_iv_v1(iv, dsid, x, cnt);
- ccgcm_set_iv(mode, gcm, FR_IV_SIZE_V1, iv);
- ccgcm_gmac(mode, gcm, 0, NULL);
-
- if (cnt > FR_IV_CNT_MAX_V1) {
- os_hardware_trap();
- }
-
- cnt = OSSwapHostToBigInt64(cnt);
- memcpy(enc_cur, &cnt, sizeof(cnt));
- enc_cur += sizeof(cnt);
-
- ccgcm_update(mode, gcm, unenc_len, unenc, enc_cur);
- enc_cur += unenc_len;
-
- ccgcm_finalize(mode, gcm, FR_TAG_SIZE_V1, enc_cur);
- error = 0;
-
-xit:
- ccgcm_ctx_clear(ccgcm_context_size(mode), gcm);
-
- if (error) {
- free(enc);
- enc = NULL;
- } else {
- *enc_len = enc_len2;
- }
-
- return enc;
-}
-
-static uint8_t *
-_decrypt_data_v1(const uint8_t *enc, size_t enc_len,
- uint64_t dsid, uint8_t x, uint8_t *key, size_t key_len, size_t *dec_len)
-{
- uint8_t *dec = NULL;
- int error = -1;
- int ret = -1;
-
- size_t dec_len2 = 0;
- const struct ccmode_gcm *mode = ccaes_gcm_decrypt_mode();
- ccgcm_ctx_decl(mode->size, gcm);
- const uint8_t *enc_cur = NULL;
- uint64_t cnt = 0;
- uint8_t iv[FR_IV_SIZE_V1];
- uint8_t tag[FR_TAG_SIZE_V1];
-
- enc_cur = enc;
-
- // At minimum, the encrypted data must contain the tag and counter.
- require_action_quiet(enc_len >= FR_SIDECAR_SIZE_V1, xit, {
- error = EINVAL;
- });
- dec_len2 = enc_len - FR_SIDECAR_SIZE_V1;
-
- dec = malloc(dec_len2);
- require_action_quiet(dec, xit, {
- error = errno;
- });
-
- memcpy(&cnt, enc_cur, sizeof(cnt));
- cnt = OSSwapBigToHostConstInt64(cnt);
- require_action_quiet(cnt <= FR_IV_CNT_MAX_V1, xit, {
- error = ERANGE;
- });
- enc_cur += sizeof(cnt);
-
- ccgcm_init(mode, gcm, key_len, key);
-
- _construct_iv_v1(iv, dsid, x, cnt);
- ccgcm_set_iv(mode, gcm, FR_IV_SIZE_V1, iv);
- ccgcm_gmac(mode, gcm, 0, NULL);
-
- ccgcm_update(mode, gcm, dec_len2, enc_cur, dec);
- enc_cur += dec_len2;
-
- ccgcm_finalize(mode, gcm, FR_TAG_SIZE_V1, tag);
-
- ret = cc_cmp_safe(FR_TAG_SIZE_V1, enc_cur, tag);
- require_action_quiet(ret == 0, xit, {
- error = EINVAL;
- });
-
- error = 0;
-
-xit:
- ccgcm_ctx_clear(ccgcm_context_size(mode), gcm);
-
- if (error) {
- free(dec);
- dec = NULL;
- } else {
- *dec_len = dec_len2;
- }
-
- return dec;
-}
-
-#pragma mark Protocol Messages
-static size_t
-_version_and_magic_size(void)
-{
- return ccder_sizeof_uint64(FR_VERSION) +
- ccder_sizeof_uint64(FR_MAGIC_REQUEST);
-}
-
-static uint8_t *
-_stamp_version_and_magic(uint8_t *der, uint8_t *der_end, uint64_t which)
-{
- uint8_t *der_end2 = der_end;
-
- der_end2 = ccder_encode_uint64(which, der, der_end2);
- der_end2 = ccder_encode_uint64(FR_VERSION, der, der_end2);
-
- return der_end2;
-}
-
-static uint8_t *
-_validate_blob(const uint8_t *der, uint8_t *der_end, uint64_t which, int *error)
-{
- uint64_t magic = 0;
- uint64_t version = 0;
-
- der = ccder_decode_uint64(&version, der, der_end);
- if (version != FR_VERSION) {
- *error = EPROTO;
- return NULL;
- }
-
- der = ccder_decode_uint64(&magic, der, der_end);
- if (magic != which) {
- *error = EBADRPC;
- return NULL;
- }
-
- return (uint8_t *)der;
-}
-
-static uint8_t *
-_create_request_v1(const uint8_t *A_bytes, size_t A_len,
- size_t *der_len, int *error)
-{
- uint8_t *der = NULL;
- uint8_t *der_end = NULL;
- int error2 = -1;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, A_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
-
- // DER encoding happens back-to-front, so stash the end value and pass to
- // subsequent invocations of the API. In practical terms, if the buffer
- // length is large enough, these encoding calls should not fail, so don't
- // bother to check the return value since we've gone through the trouble of
- // sizing the buffer above.
- der_end = _ccder_shim_encode_octet_string(A_len, A_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_REQUEST);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_request_v1(ccsrp_ctx *ctx, uint8_t **A_bytes, size_t *A_len,
- uint8_t *der, size_t der_len, int *error)
-{
- bool result = false;
- int error2 = -1;
- uint8_t *A_bytes2 = NULL;
- size_t A_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_REQUEST, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&A_len2,
- (const uint8_t **)&A_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(A_len2 == ccsrp_ctx_sizeof_n(ctx), xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *A_bytes = A_bytes2;
- *A_len = A_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_challenge_v1(const uint8_t *B_bytes, size_t B_len,
- const uint8_t *salt, size_t salt_len, size_t *der_len, int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
-
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, B_len);
- needed += ccder_sizeof(CCDER_OCTET_STRING, salt_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
-
- der_end = _ccder_shim_encode_octet_string(salt_len, salt, der, der_end);
- der_end = _ccder_shim_encode_octet_string(B_len, B_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_CHALLENGE);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_challenge_v1(ccsrp_ctx *srp, uint8_t **B_bytes, size_t *B_len,
- uint8_t **salt, size_t *salt_len, uint8_t *der, size_t der_len,
- int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *B_bytes2 = NULL;
- size_t B_len2 = 0;
- uint8_t *salt2 = NULL;
- size_t salt_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_CHALLENGE, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&B_len2, (const uint8_t **)&B_bytes2,
- der, der_end);
- require_action_quiet(B_bytes, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(B_len2 == ccsrp_ctx_sizeof_n(srp), xit, {
- error2 = ERANGE;
- });
-
- der = _ccder_shim_decode_octect_string(&salt_len2, (const uint8_t **)&salt2,
- der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(salt_len2 == FR_SALT_LEN, xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *B_bytes = B_bytes2;
- *B_len = B_len2;
- *salt = salt2;
- *salt_len = salt_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_response_v1(const uint8_t *M1_bytes, size_t M1_len,
- const uint8_t *I_bytes, size_t I_len, size_t *der_len,
- int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, M1_len);
- needed += ccder_sizeof(CCDER_OCTET_STRING, I_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
- der_end = _ccder_shim_encode_octet_string(I_len, I_bytes, der, der_end);
- der_end = _ccder_shim_encode_octet_string(M1_len, M1_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_RESPONSE);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_response_v1(ccsrp_ctx *srp, uint8_t **M_bytes, size_t *M_len,
- uint8_t **I_bytes, size_t *I_len,
- uint8_t *der, size_t der_len, int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *M_bytes2 = NULL;
- size_t M_len2 = 0;
- uint8_t *I_bytes2 = NULL;
- size_t I_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_RESPONSE, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&M_len2, (const uint8_t **)&M_bytes2,
- der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(M_len2 == ccsrp_session_size(srp), xit, {
- error2 = ERANGE;
- });
-
- der = _ccder_shim_decode_octect_string(&I_len2,
- (const uint8_t **)&I_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- result = true;
-
-xit:
- if (result) {
- *M_bytes = M_bytes2;
- *M_len = M_len2;
-
- *I_bytes = I_bytes2;
- *I_len = I_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_hsa2_v1(uint8_t *hsa2code, size_t hsa2code_len,
- uint8_t *HAMK_bytes, size_t HAMK_len, size_t *der_len, int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, hsa2code_len);
- needed += ccder_sizeof(CCDER_OCTET_STRING, HAMK_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
- der_end = _ccder_shim_encode_octet_string(HAMK_len, HAMK_bytes,
- der, der_end);
- der_end = _ccder_shim_encode_octet_string(hsa2code_len, hsa2code,
- der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_HSA2);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_hsa2_v1(ccsrp_ctx *srp, uint8_t **hsa2_bytes, size_t *hsa2_len,
- uint8_t **HAMK_bytes, size_t *HAMK_len, uint8_t *der, size_t der_len,
- int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *hsa2_bytes2 = NULL;
- size_t hsa2_len2 = 0;
- uint8_t *HAMK_bytes2 = NULL;
- size_t HAMK_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_HSA2, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&hsa2_len2,
- (const uint8_t **)&hsa2_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- der = _ccder_shim_decode_octect_string(&HAMK_len2,
- (const uint8_t **)&HAMK_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(HAMK_len2 == ccsrp_session_size(srp), xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *hsa2_bytes = hsa2_bytes2;
- *hsa2_len = hsa2_len2;
-
- *HAMK_bytes = HAMK_bytes2;
- *HAMK_len = HAMK_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-#pragma mark Requesting Session
-struct __OpaqueSOSForerunnerRequestorSession {
- CFRuntimeBase __cf;
-
- ccsrp_ctx *rs_srp;
- uint64_t rs_dsid;
- uint64_t rs_packet_cnt;
-
- uint8_t rs_Z_r2a[FR_Z_SZ_V1];
- uint8_t rs_Z_a2r[FR_Z_SZ_V1];
-
- CFStringRef rsUsername;
-};
-
-static void
-_SOSForerunnerRequestorSessionClassInit(CFTypeRef session)
-{
- SOSForerunnerRequestorSessionRef self = (void *)session;
- size_t howmuch2zero = sizeof(*self) - sizeof(self->__cf);
- uint8_t *start = (uint8_t *)self + sizeof(self->__cf);
-
- bzero(start, howmuch2zero);
-}
-
-static void
-_SOSForerunnerRequestorSessionClassFinalize(CFTypeRef session)
-{
- SOSForerunnerRequestorSessionRef self = (void *)session;
-
- free(self->rs_srp);
- CFReleaseNull(self->rsUsername);
-}
-
-static CFRuntimeClass _SOSForerunnerRequestorSessionClass = {
- .version = 0,
- .className = "forerunner requestor session",
- .init = _SOSForerunnerRequestorSessionClassInit,
- .copy = NULL,
- .finalize = _SOSForerunnerRequestorSessionClassFinalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL,
-};
-
-#pragma mark Requestor Class Methods
-CFTypeID
-SOSForerunnerRequestorSessionGetTypeID(void)
-{
- static dispatch_once_t once = 0;
- static CFTypeID tid = 0;
-
- dispatch_once(&once, ^{
- tid = _CFRuntimeRegisterClass(
- (const CFRuntimeClass * const)
- &_SOSForerunnerRequestorSessionClass);
- if (tid == _kCFRuntimeNotATypeID) {
- os_hardware_trap();
- }
- });
-
- return tid;
-}
-
-#pragma mark Requestor Public Methods
-SOSForerunnerRequestorSessionRef
-SOSForerunnerRequestorSessionCreate(CFAllocatorRef allocator,
- CFStringRef username, uint64_t dsid)
-{
- SOSForerunnerRequestorSessionRef self = NULL;
- int error = -1;
- const size_t xtra = sizeof(*self) - sizeof(self->__cf);
- const struct ccdigest_info *di = ccsha256_di();
- ccdh_const_gp_t gp = ccsrp_gp_rfc5054_3072();
-
- self = (void *)_CFRuntimeCreateInstance(allocator,
- SOSForerunnerRequestorSessionGetTypeID(), xtra, NULL);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->rsUsername = CFRetain(username);
- self->rs_srp = _ccsrp_shim_alloc(di, gp);
- self->rs_dsid = dsid;
- require_action_quiet(self->rs_srp, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- CFReleaseNull(self);
- self = NULL;
- }
-
- return self;
-}
-
-CFDataRef
-SOSFRSCopyRequestPacket(SOSForerunnerRequestorSessionRef self,
- CFErrorRef *cferror)
-{
- CFDataRef request = NULL;
- int error = -1;
-
- uint8_t A_bytes[ccsrp_exchange_size(self->rs_srp)];
- size_t A_len = ccsrp_exchange_size(self->rs_srp);
- uint8_t *der = NULL;
- size_t der_len = 0;
-
- error = ccsrp_client_start_authentication(self->rs_srp,
- ccDRBGGetRngState(), A_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror, CFSTR("failed to start SRP"));
- });
-
- der = _create_request_v1(A_bytes, A_len, &der_len, &error);
- require_action_quiet(der, xit, {
- // Yes, I know, let's report an allocation error by trying to allocate a
- // bloated pseudo-exception.
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to allocate response data"));
- });
-
- request = CFDataCreateWithBytesNoCopy(NULL, der, der_len,
- kCFAllocatorMalloc);
- require_action_quiet(request, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to allocate request data"));
- });
-
-xit:
- if (error) {
- if (request) {
- CFRelease(request);
- request = NULL;
- } else {
- free(der);
- }
- }
-
- return request;
-}
-
-CFDataRef
-SOSFRSCopyResponsePacket(SOSForerunnerRequestorSessionRef self,
- CFDataRef challenge, CFStringRef secret, CFDictionaryRef peerInfo,
- CFErrorRef *cferror)
-{
- CFDataRef response = NULL;
- int error = -1;
-
- char *username_str = NULL;
- char *secret_str = NULL;
-
- // Challenge.
- bool result = false;
- uint8_t *der = NULL;
- uint8_t *salt = NULL;
- size_t salt_len = 0;
- uint8_t *B_bytes = NULL;
- size_t B_len = 0;
-
- // Response.
- uint8_t *resp_der = NULL;
- size_t resp_der_len = 0;
- uint8_t M1_bytes[ccsrp_session_size(self->rs_srp)];
- size_t M1_len = ccsrp_session_size(self->rs_srp);
-
-#if CONFIG_ARM_AUTOACCEPT
- SOSPeerInfoRef peer = NULL;
- CFDataRef cfI = NULL;
-#else // CONFIG_ARM_AUTOACCEPT
- const uint8_t fakeI[] = {
- 'A',
- 'B',
- 'C',
- 'D',
- 'E',
- 'F',
- };
-#endif // CONFIG_ARM_AUTOACCEPT
-
- const uint8_t *I_bytes = NULL;
- size_t I_len = 0;
- uint8_t *I_enc_bytes = NULL;
- size_t I_enc_len = 0;
-
- der = (UInt8 *)CFDataGetBytePtr(challenge);
-
- username_str = CFStringToCString(self->rsUsername);
- require_quiet(username_str, xit);
-
- secret_str = CFStringToCString(secret);
- require_quiet(secret_str, xit);
-
- result = _decode_challenge_v1(self->rs_srp, &B_bytes, &B_len,
- &salt, &salt_len, der, CFDataGetLength(challenge), &error);
- require_action_quiet(result, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to decode challenge"));
- });
-
- // Do not include the null terminator in the length of the secret -- for the
- // purposes of this challenge, it's just a blob of data.
- error = ccsrp_client_process_challenge(self->rs_srp, username_str,
- strlen(secret_str), secret_str, salt_len, salt,
- B_bytes, M1_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to process challenge"));
- });
-
- _derive_sending_key(self->rs_srp, FR_Z_FROM_REQUESTOR,
- self->rs_Z_r2a, sizeof(self->rs_Z_r2a));
-
-#if CONFIG_ARM_AUTOACCEPT
- peer = SOSCCCopyMyPeerInfo(cferror);
- require_quiet(peer, xit);
-
- cfI = SOSPeerInfoGetAutoAcceptInfo(peer);
- require_action_quiet(cfI, xit, {
- error = ENOENT;
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to obtain auto-accept info"));
- });
-
- I_bytes = CFDataGetBytePtr(cfI);
- I_len = CFDataGetLength(cfI);
-#else // CONFIG_ARM_AUTOACCEPT
- I_bytes = fakeI;
- I_len = sizeof(fakeI);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- I_enc_bytes = _encrypt_data_v1(I_bytes, I_len,
- self->rs_dsid, FR_IV_X_REQUEST_V1, self->rs_packet_cnt,
- self->rs_Z_r2a, sizeof(self->rs_Z_r2a), &I_enc_len);
- require_action_quiet(I_enc_bytes, xit, {
- error = ENOMEM;
- });
-
- self->rs_packet_cnt++;
-
- resp_der = _create_response_v1(M1_bytes, M1_len, I_enc_bytes, I_enc_len,
- &resp_der_len, &error);
- require_action_quiet(resp_der, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to create response"));
- });
-
- response = CFDataCreateWithBytesNoCopy(NULL, resp_der, resp_der_len,
- kCFAllocatorMalloc);
- require_action_quiet(response, xit, {
- error = ENOMEM;
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to create response"));
- });
-
- error = 0;
-
-xit:
- free(username_str);
- free(secret_str);
-
- if (error) {
- if (response) {
- CFRelease(response);
- response = NULL;
- } else {
- free(resp_der);
- }
- }
-
- return response;
-}
-
-CFDataRef
-SOSFRSCopyHSA2CodeFromPacket(SOSForerunnerRequestorSessionRef self,
- CFDataRef hsa2packet, CFErrorRef *cferror)
-{
- CFDataRef cfhsa2 = NULL;
- int error = -1;
-
- bool result = false;
- uint8_t *der = NULL;
- size_t der_len = 0;
- uint8_t *hsa2_enc_bytes = NULL;
- size_t hsa2_enc_len = 0;
- uint8_t *hsa2_bytes = NULL;
- size_t hsa2_len = 0;
- uint8_t *HAMK_bytes = NULL;
- size_t HAMK_len = 0;
-
- der = (UInt8 *)CFDataGetBytePtr(hsa2packet);
- der_len = CFDataGetLength(hsa2packet);
-
- result = _decode_hsa2_v1(self->rs_srp, &hsa2_enc_bytes, &hsa2_enc_len,
- &HAMK_bytes, &HAMK_len, der, der_len, &error);
- require_quiet(result, xit);
-
- result = ccsrp_client_verify_session(self->rs_srp, HAMK_bytes);
- require_action_quiet(result, xit, {
- (void)SecPOSIXError(EBADMSG, cferror,
- CFSTR("failed to verify session"));
- });
-
- _derive_sending_key(self->rs_srp, FR_Z_FROM_ACCEPTOR,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r));
-
- hsa2_bytes = _decrypt_data_v1(hsa2_enc_bytes, hsa2_enc_len,
- self->rs_dsid, FR_IV_X_ACCEPT_V1,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r), &hsa2_len);
- require_action_quiet(hsa2_bytes, xit, {
- error = EINVAL;
- });
-
- cfhsa2 = CFDataCreateWithBytesNoCopy(NULL, hsa2_bytes, hsa2_len,
- kCFAllocatorMalloc);
- require_action_quiet(cfhsa2, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (cfhsa2) {
- CFRelease(cfhsa2);
- cfhsa2 = NULL;
- } else {
- free(hsa2_bytes);
- }
- }
-
- return cfhsa2;
-}
-
-CFDataRef
-SOSFRSCopyDecryptedData(SOSForerunnerRequestorSessionRef self,
- CFDataRef encrypted)
-{
- CFDataRef decrypted = NULL;
- int error = -1;
-
- const uint8_t *enc = CFDataGetBytePtr(encrypted);
- size_t enc_len = CFDataGetLength(encrypted);
- uint8_t *dec = NULL;
- size_t dec_len = 0;
-
- dec = _decrypt_data_v1(enc, enc_len,
- self->rs_dsid, FR_IV_X_ACCEPT_V1,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r), &dec_len);
- require_action_quiet(dec, xit, {
- error = EINVAL;
- });
-
- decrypted = CFDataCreateWithBytesNoCopy(NULL, dec, dec_len,
- kCFAllocatorMalloc);
- require_action_quiet(decrypted, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (decrypted) {
- CFRelease(decrypted);
- decrypted = NULL;
- } else {
- free(dec);
- }
- }
-
- return decrypted;
-}
-
-#pragma mark Acceptor Session
-struct __OpaqueSOSForerunnerAcceptorSession {
- CFRuntimeBase __cf;
-
- ccsrp_ctx *as_srp;
- uint64_t as_dsid;
- uint64_t as_accept_cnt;
- uint64_t as_packet_cnt;
-
- uint8_t as_Z_a2r[FR_Z_SZ_V1];
- uint8_t as_Z_r2a[FR_Z_SZ_V1];
-
- CFStringRef asUsername;
- CFDataRef asCircleSecret;
-};
-
-static void
-_SOSForerunnerAcceptorSessionClassInit(CFTypeRef session)
-{
- SOSForerunnerAcceptorSessionRef self = (void *)session;
- size_t howmuch2zero = sizeof(*self) - sizeof(self->__cf);
- uint8_t *start = (uint8_t *)self + sizeof(self->__cf);
-
- bzero(start, howmuch2zero);
-}
-
-static void
-_SOSForerunnerAcceptorSessionClassFinalize(CFTypeRef session)
-{
- SOSForerunnerAcceptorSessionRef self = (void *)session;
-
- free(self->as_srp);
- CFRelease(self->asUsername);
- CFRelease(self->asCircleSecret);
-}
-
-static CFRuntimeClass _SOSForerunnerAcceptorSessionClass = {
- .version = 0,
- .className = "forerunner acceptor session",
- .init = _SOSForerunnerAcceptorSessionClassInit,
- .copy = NULL,
- .finalize = _SOSForerunnerAcceptorSessionClassFinalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL,
-};
-
-#pragma mark Acceptor Class Methods
-CFTypeID
-SOSForerunnerAcceptorSessionGetTypeID(void)
-{
- static dispatch_once_t once = 0;
- static CFTypeID tid = 0;
-
- dispatch_once(&once, ^{
- tid = _CFRuntimeRegisterClass(
- (const CFRuntimeClass * const)
- &_SOSForerunnerAcceptorSessionClass);
- if (tid == _kCFRuntimeNotATypeID) {
- os_hardware_trap();
- }
- });
-
- return tid;
-}
-
-#pragma mark Acceptor Public Methods
-SOSForerunnerAcceptorSessionRef
-SOSForerunnerAcceptorSessionCreate(CFAllocatorRef allocator,
- CFStringRef username, uint64_t dsid, CFStringRef circleSecret)
-{
- SOSForerunnerAcceptorSessionRef self = NULL;
- int error = -1;
-
- size_t xtra = sizeof(*self) - sizeof(self->__cf);
- char *secret = NULL;
- const struct ccdigest_info *di = ccsha256_di();
- ccdh_const_gp_t gp = ccsrp_gp_rfc5054_3072();
-
- self = (void *)_CFRuntimeCreateInstance(allocator,
- SOSForerunnerAcceptorSessionGetTypeID(), xtra, NULL);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->as_srp = _ccsrp_shim_alloc(di, gp);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->as_dsid = dsid;
-
- secret = CFStringToCString(circleSecret);
- require_action_quiet(secret, xit, {
- error = ENOMEM;
- });
-
- // We don't care about the null terminating byte.
- self->asCircleSecret = CFDataCreateWithBytesNoCopy(NULL,
- (const UInt8 *)secret, strlen(secret), kCFAllocatorMalloc);
- require_action_quiet(self->asCircleSecret, xit, {
- error = ENOMEM;
- });
-
- self->asUsername = CFRetain(username);
- error = 0;
-
-xit:
- if (error) {
- if (self && !self->asCircleSecret) {
- free(secret);
- }
-
- CFReleaseNull(self);
- self = NULL;
- }
-
- return self;
-}
-
-CFDataRef
-SOSFASCopyChallengePacket(SOSForerunnerAcceptorSessionRef self,
- CFDataRef requestorPacket, CFErrorRef *cferror)
-{
- CFDataRef challenge = NULL;
- int error = -1;
- int ret = -1;
-
- bool decoded = false;
- char *username_str = NULL;
- uint8_t verifier[ccsrp_ctx_sizeof_n(self->as_srp)];
- uint8_t salt[FR_SALT_LEN];
-
- uint8_t *der = NULL;
- uint8_t *challenge_der = NULL;
- size_t challenge_len = 0;
-
- uint8_t *A_bytes = NULL;
- size_t A_len = 0;
- uint8_t B_bytes[ccsrp_exchange_size(self->as_srp)];
- size_t B_len = ccsrp_exchange_size(self->as_srp);
-
- der = (uint8_t *)CFDataGetBytePtr(requestorPacket);
- decoded = _decode_request_v1(self->as_srp, &A_bytes, &A_len,
- der, CFDataGetLength(requestorPacket), &error);
- require_action_quiet(decoded, xit, {
- (void)SecCoreCryptoError(error, cferror, CFSTR("bad request packet"));
- });
-
- username_str = CFStringToCString(self->asUsername);
- ret = SecRandomCopyBytes(NULL, sizeof(salt), salt);
- require_action_quiet(ret == 0, xit, {
- error = errno;
- (void)SecPOSIXError(error, cferror, CFSTR("failed to generate salt"));
- });
-
- error = ccsrp_generate_verifier(self->as_srp, username_str,
- CFDataGetLength(self->asCircleSecret),
- CFDataGetBytePtr(self->asCircleSecret), sizeof(salt), salt,
- verifier);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to generate SRP verifier"));
- });
-
- error = ccsrp_server_start_authentication(self->as_srp, ccDRBGGetRngState(),
- username_str, sizeof(salt), salt, verifier, A_bytes, B_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("could not start server SRP"));
- });
-
- challenge_der = _create_challenge_v1(B_bytes, B_len,
- salt, sizeof(salt), &challenge_len, &error);
- require_action_quiet(challenge_der, xit, {
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not construct challenge"));
- });
-
- challenge = CFDataCreateWithBytesNoCopy(NULL, challenge_der, challenge_len,
- kCFAllocatorMalloc);
- error = 0;
-
-xit:
- if (error) {
- if (challenge) {
- CFRelease(challenge);
- challenge = NULL;
- } else {
- free(challenge_der);
- }
- }
-
- free(username_str);
-
- return challenge;
-}
-
-CFDataRef
-SOSFASCopyHSA2Packet(SOSForerunnerAcceptorSessionRef self,
- CFDataRef responsePacket, CFDataRef hsa2code, CFErrorRef *cferror)
-{
- CFDataRef hsa2 = NULL;
- int error = -1;
-
- // Response.
- const uint8_t *der = CFDataGetBytePtr(responsePacket);
- size_t der_len = CFDataGetLength(responsePacket);
- uint8_t *M_bytes = NULL;
- size_t M_len = 0;
- uint8_t *I_enc_bytes = NULL;
- size_t I_enc_len = 0;
- uint8_t *I_bytes = NULL;
- size_t I_len = 0;
- uint8_t HAMK_bytes[ccsrp_session_size(self->as_srp)];
-
- // HSA2 packet.
- uint8_t *hsa2_bytes = NULL;
- size_t hsa2_len = 0;
- uint8_t *hsa2_enc_bytes = NULL;
- size_t hsa2_enc_len = 0;
- uint8_t *hsa2_packet_bytes = NULL;
- size_t hsa2_packet_len = 0;
-
- bool result = false;
-#if CONFIG_ARM_AUTOACCEPT
- CFDataRef cfI = NULL;
-#endif // CONFIG_ARM_AUTOACCEPT
-
- result = _decode_response_v1(self->as_srp, &M_bytes, &M_len,
- &I_enc_bytes, &I_enc_len, (uint8_t *)der, der_len, &error);
- require_action_quiet(result, xit, {
- (void)SecPOSIXError(error, cferror, CFSTR("bad response"));
- });
-
- result = ccsrp_server_verify_session(self->as_srp, M_bytes, HAMK_bytes);
- require_action_quiet(result, xit, {
- if (self->as_accept_cnt > FR_MAX_ACCEPTOR_TRIES) {
- error = EBADMSG;
- } else {
- error = EAGAIN;
- self->as_accept_cnt++;
- }
-
- (void)SecPOSIXError(error, cferror,
- CFSTR("session verification failed"));
- });
-
- _derive_sending_key(self->as_srp, FR_Z_FROM_ACCEPTOR,
- self->as_Z_a2r, sizeof(self->as_Z_a2r));
-
- hsa2_bytes = (uint8_t *)CFDataGetBytePtr(hsa2code);
- hsa2_len = CFDataGetLength(hsa2code);
-
- hsa2_enc_bytes = _encrypt_data_v1(hsa2_bytes, hsa2_len,
- self->as_dsid, FR_IV_X_ACCEPT_V1, self->as_packet_cnt,
- self->as_Z_a2r, sizeof(self->as_Z_a2r), &hsa2_enc_len);
- require_action_quiet(hsa2_enc_bytes, xit, {
- error = ENOMEM;
- });
-
- self->as_packet_cnt++;
-
- hsa2_packet_bytes = _create_hsa2_v1(hsa2_enc_bytes, hsa2_enc_len,
- HAMK_bytes, sizeof(HAMK_bytes), &hsa2_packet_len, &error);
- require_quiet(hsa2_packet_bytes, xit);
-
- hsa2 = CFDataCreateWithBytesNoCopy(NULL, hsa2_packet_bytes, hsa2_packet_len,
- kCFAllocatorMalloc);
- require_action_quiet(hsa2, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not create hsa2 packet"));
- });
-
- _derive_sending_key(self->as_srp, FR_Z_FROM_REQUESTOR,
- self->as_Z_r2a, sizeof(self->as_Z_r2a));
-
- I_bytes = _decrypt_data_v1(I_enc_bytes, I_enc_len,
- self->as_dsid, FR_IV_X_REQUEST_V1,
- self->as_Z_r2a, sizeof(self->as_Z_r2a), &I_len);
- require_action_quiet(I_bytes, xit, {
- error = EINVAL;
- });
-
-#if CONFIG_ARM_AUTOACCEPT
- cfI = CFDataCreateWithBytesNoCopy(NULL, I_bytes, I_len, kCFAllocatorMalloc);
- require_action_quiet(cfI, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not create identity data"));
- });
-
- result = SOSCCSetAutoAcceptInfo(cfI, cferror);
- require_quiet(result, xit);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- error = 0;
-
-xit:
- if (error) {
- if (hsa2) {
- CFRelease(hsa2);
- hsa2 = NULL;
- } else {
- free(hsa2_packet_bytes);
- }
- }
-
- free(hsa2_enc_bytes);
-
-#if CONFIG_ARM_AUTOACCEPT
- if (cfI) {
- CFRelease(cfI);
- } else {
- free(I_bytes);
- }
-#else // CONFIG_ARM_AUTOACCEPT
- free(I_bytes);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- return hsa2;
-}
-
-CFDataRef
-SOSFASCopyEncryptedData(SOSForerunnerAcceptorSessionRef self, CFDataRef data)
-{
- CFDataRef encrypted = NULL;
- int error = -1;
-
- uint8_t *enc = NULL;
- size_t enc_len = 0;
-
- enc = _encrypt_data_v1(CFDataGetBytePtr(data), CFDataGetLength(data),
- self->as_dsid, FR_IV_X_ACCEPT_V1, self->as_packet_cnt,
- self->as_Z_a2r, sizeof(self->as_Z_a2r), &enc_len);
- require_action_quiet(enc, xit, {
- error = EINVAL;
- });
-
- encrypted = CFDataCreateWithBytesNoCopy(NULL, enc, enc_len,
- kCFAllocatorMalloc);
- require_action_quiet(encrypted, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (encrypted) {
- CFRelease(encrypted);
- encrypted = NULL;
- } else {
- free(enc);
- }
- }
-
- return encrypted;
-}
projects / apple / security.git / blobdiff