From b6a14ea014dc9013de65aa640c44d51ea63b4d41 Mon Sep 17 00:00:00 2001
From: Matthew Chen
Date: Thu, 20 Sep 2018 15:41:39 -0400
Subject: [PATCH] Fix the CDS version checking.
---
 SignalServiceKit/src/Contacts/CDSQuote.m | 1 +
 .../src/Contacts/ContactDiscoveryService.m | 31 +++++++++++++++----
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/SignalServiceKit/src/Contacts/CDSQuote.m b/SignalServiceKit/src/Contacts/CDSQuote.m
index 5634a1d66..c9afd359e 100644
--- a/SignalServiceKit/src/Contacts/CDSQuote.m
+++ b/SignalServiceKit/src/Contacts/CDSQuote.m
@@ -48,6 +48,7 @@ static const long SGX_XFRM_RESERVED = 0xFFFFFFFFFFFFFFF8L;
 {
 ByteParser *_Nullable parser = [[ByteParser alloc] initWithData:quoteData littleEndian:YES];
+ // NOTE: This version is separate from and does _NOT_ match the signature body entity version.
 uint16_t version = parser.nextShort;
 if (version < 1 || version > 2) {
 OWSFailDebug(@"unexpected quote version: %d", (int)version);
diff --git a/SignalServiceKit/src/Contacts/ContactDiscoveryService.m b/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
index 6254da3a5..16853d6fa 100644
--- a/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
+++ b/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
@@ -171,6 +171,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) NSData *isvEnclaveQuoteBody;
 @property (nonatomic) NSString *isvEnclaveQuoteStatus;
 @property (nonatomic) NSString *timestamp;
+@property (nonatomic) NSNumber *version;
 @end
@@ -200,6 +201,16 @@ NS_ASSUME_NONNULL_BEGIN
 return valueString;
 }
+- (nullable NSNumber *)numberForKey:(NSString *)key
+{
+ NSNumber *_Nullable value = self[key];
+ if (![value isKindOfClass:[NSNumber class]]) {
+ OWSFailDebug(@"couldn't parse number for key: %@", key);
+ return nil;
+ }
+ return value;
+}
+
 - (nullable NSData *)base64DataForKey:(NSString *)key
 {
 NSString *_Nullable valueString = self[key];
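Review bot: The new `numberForKey:` in the -200 hunk types the looked-up value as `NSNumber *` before it has been checked, and its `isKindOfClass:[NSNumber class]` test also admits booleans and fractional values if the dictionary comes from NSJSONSerialization, which represents those as NSNumber too. The caller in the -530 hunk compares with `isEqual:@(kSignatureBodyVersion)`, so a boolean still fails closed, but a value such as `3.0` would likely compare equal to `3`. I would declare the local as `id _Nullable value = self[key];` and add a header comment stating that the method returns nil (and fails debug) for a missing key or a non-number, and that callers must validate the numeric value themselves. The -604 hunk is the only visible call site.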
@@ -339,7 +350,6 @@ NS_ASSUME_NONNULL_BEGIN
 {
 ECKeyPair *keyPair = [Curve25519 generateKeyPair];
- // TODO:
 NSString *enclaveId = @"cd6cfc342937b23b1bdd3bbf9721aa5615ac9ff50a75c5527d441cd3276826c9";
 TSRequest *request = [OWSRequestFactory remoteAttestationRequest:keyPair
@@ -530,6 +540,12 @@ NS_ASSUME_NONNULL_BEGIN
 OWSFailDebug(@"isvEnclaveQuoteBody has unexpected length.");
 return NO;
 }
+ // NOTE: This version is separate from and does _NOT_ match the CDS quote version.
+ const NSUInteger kSignatureBodyVersion = 3;
+ if (![signatureBodyEntity.version isEqual:@(kSignatureBodyVersion)]) {
+ OWSFailDebug(@"signatureBodyEntity has unexpected version.");
+ return NO;
+ }
 if (quoteData.length < kQuoteBodyComparisonLength) {
 OWSFailDebug(@"quoteData has unexpected length.");
 return NO;
@@ -542,9 +558,7 @@ NS_ASSUME_NONNULL_BEGIN
 return NO;
 }
- // TODO: Before going to production, remove GROUP_OUT_OF_DATE.
- if (![@"OK" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]
- && ![@"GROUP_OUT_OF_DATE" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]) {
+ if (![@"OK" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]) {
 OWSFailDebug(@"invalid isvEnclaveQuoteStatus: %@.", signatureBodyEntity.isvEnclaveQuoteStatus);
 return NO;
 }
@@ -604,11 +618,17 @@ NS_ASSUME_NONNULL_BEGIN
 OWSFailDebug(@"could not parse signature isvEnclaveQuoteStatus.");
 return nil;
 }
+ NSNumber *_Nullable version = [jsonDict numberForKey:@"version"];
+ if (!version) {
+ OWSFailDebug(@"could not parse signature version.");
+ return nil;
+ }
 SignatureBodyEntity *result = [SignatureBodyEntity new];
 result.isvEnclaveQuoteBody = isvEnclaveQuoteBody;
 result.isvEnclaveQuoteStatus = isvEnclaveQuoteStatus;
 result.timestamp = timestamp;
+ result.version = version;
 return result;
 }
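Review bot: The failure message of the new version check in the -530 hunk omits the value that was rejected, unlike the `isvEnclaveQuoteStatus` check in the next hunk, which logs it; when attestation starts failing in the field, the received version is the first thing needed for triage. I would write `OWSFailDebug(@"signatureBodyEntity has unexpected version: %@.", signatureBodyEntity.version);`. The exact match against `kSignatureBodyVersion = 3` fails closed, which is the right default for an attestation check, but it also means every client rejects the report as soon as the service emits a different version, so a short comment naming where the 3 comes from would help whoever has to bump it. The enclosing method starts and ends outside the hunk.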
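Review bot: With the TODO lines gone, the two production-only conditions, accepting only `"OK"` in the -542 hunk and rejecting `quote.isDebugQuote` in the -644 hunk, carry no comment saying why they are strict, which makes them easy to loosen again under pressure from a staging failure. I would add above the status check `// Only "OK" is acceptable; any other status (including GROUP_OUT_OF_DATE) must fail attestation.` and above the debug check `// A quote from a debug-mode enclave must never be trusted outside development.` A unit test that feeds a `GROUP_OUT_OF_DATE` signature body and a debug quote and expects `NO` from each would pin both behaviours. Both methods extend beyond their hunks.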
@@ -644,8 +664,7 @@ NS_ASSUME_NONNULL_BEGIN
 OWSFailDebug(@"enclave ids do not match.");
 return NO;
 }
- // TODO: Reverse this condition in production.
- if (!quote.isDebugQuote) {
+ if (quote.isDebugQuote) {
 OWSFailDebug(@"quote has invalid isDebugQuote value.");
 return NO;
 }