Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "crypto/hmac.h" |
| 6 | |
| 7 | #include <windows.h> |
| 8 | #include <wincrypt.h> |
| 9 | |
| 10 | #include <algorithm> |
| 11 | #include <vector> |
| 12 | |
| 13 | #include "base/logging.h" |
| 14 | #include "crypto/scoped_capi_types.h" |
| 15 | #include "crypto/third_party/nss/chromium-blapi.h" |
| 16 | #include "crypto/third_party/nss/chromium-sha256.h" |
| 17 | |
| 18 | namespace crypto { |
| 19 | |
| 20 | namespace { |
| 21 | |
| 22 | // Implementation of HMAC-SHA-256: |
| 23 | // |
| 24 | // SHA-256 is supported in Windows XP SP3 or later. We still need to support |
| 25 | // Windows XP SP2, so unfortunately we have to implement HMAC-SHA-256 here. |
| 26 | |
| 27 | enum { |
| 28 | SHA256_BLOCK_SIZE = 64 // Block size (in bytes) of the input to SHA-256. |
| 29 | }; |
| 30 | |
| 31 | // NSS doesn't accept size_t for text size, divide the data into smaller |
| 32 | // chunks as needed. |
| 33 | void Wrapped_SHA256_Update(SHA256Context* ctx, const unsigned char* text, |
| 34 | size_t text_len) { |
| 35 | const unsigned int kChunkSize = 1 << 30; |
| 36 | while (text_len > kChunkSize) { |
| 37 | SHA256_Update(ctx, text, kChunkSize); |
| 38 | text += kChunkSize; |
| 39 | text_len -= kChunkSize; |
| 40 | } |
| 41 | SHA256_Update(ctx, text, (unsigned int)text_len); |
| 42 | } |
| 43 | |
| 44 | // See FIPS 198: The Keyed-Hash Message Authentication Code (HMAC). |
| 45 | void ComputeHMACSHA256(const unsigned char* key, size_t key_len, |
| 46 | const unsigned char* text, size_t text_len, |
| 47 | unsigned char* output, size_t output_len) { |
| 48 | SHA256Context ctx; |
| 49 | |
| 50 | // Pre-process the key, if necessary. |
| 51 | unsigned char key0[SHA256_BLOCK_SIZE]; |
| 52 | if (key_len > SHA256_BLOCK_SIZE) { |
| 53 | SHA256_Begin(&ctx); |
| 54 | Wrapped_SHA256_Update(&ctx, key, key_len); |
| 55 | SHA256_End(&ctx, key0, NULL, SHA256_LENGTH); |
| 56 | memset(key0 + SHA256_LENGTH, 0, SHA256_BLOCK_SIZE - SHA256_LENGTH); |
| 57 | } else { |
| 58 | memcpy(key0, key, key_len); |
| 59 | if (key_len < SHA256_BLOCK_SIZE) |
| 60 | memset(key0 + key_len, 0, SHA256_BLOCK_SIZE - key_len); |
| 61 | } |
| 62 | |
| 63 | unsigned char padded_key[SHA256_BLOCK_SIZE]; |
| 64 | unsigned char inner_hash[SHA256_LENGTH]; |
| 65 | |
| 66 | // XOR key0 with ipad. |
| 67 | for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) |
| 68 | padded_key[i] = key0[i] ^ 0x36; |
| 69 | |
| 70 | // Compute the inner hash. |
| 71 | SHA256_Begin(&ctx); |
| 72 | SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); |
| 73 | Wrapped_SHA256_Update(&ctx, text, text_len); |
| 74 | SHA256_End(&ctx, inner_hash, NULL, SHA256_LENGTH); |
| 75 | |
| 76 | // XOR key0 with opad. |
| 77 | for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) |
| 78 | padded_key[i] = key0[i] ^ 0x5c; |
| 79 | |
| 80 | // Compute the outer hash. |
| 81 | SHA256_Begin(&ctx); |
| 82 | SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); |
| 83 | SHA256_Update(&ctx, inner_hash, SHA256_LENGTH); |
| 84 | SHA256_End(&ctx, output, NULL, (unsigned int) output_len); |
| 85 | } |
| 86 | |
| 87 | } // namespace |
| 88 | |
| 89 | struct HMACPlatformData { |
| 90 | ~HMACPlatformData() { |
| 91 | if (!raw_key_.empty()) { |
| 92 | SecureZeroMemory(&raw_key_[0], raw_key_.size()); |
| 93 | } |
| 94 | |
| 95 | // Destroy the key before releasing the provider. |
| 96 | key_.reset(); |
| 97 | } |
| 98 | |
| 99 | ScopedHCRYPTPROV provider_; |
| 100 | ScopedHCRYPTKEY key_; |
| 101 | |
| 102 | // For HMAC-SHA-256 only. |
| 103 | std::vector<unsigned char> raw_key_; |
| 104 | }; |
| 105 | |
| 106 | HMAC::HMAC(HashAlgorithm hash_alg) |
| 107 | : hash_alg_(hash_alg), plat_(new HMACPlatformData()) { |
| 108 | // Only SHA-1 and SHA-256 hash algorithms are supported now. |
| 109 | DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256); |
| 110 | } |
| 111 | |
Torne (Richard Coles) | 2a99a7e | 2013-03-28 15:31:22 +0000 | [diff] [blame] | 112 | bool HMAC::Init(const unsigned char* key, size_t key_length) { |
Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 113 | if (plat_->provider_ || plat_->key_ || !plat_->raw_key_.empty()) { |
| 114 | // Init must not be called more than once on the same HMAC object. |
| 115 | NOTREACHED(); |
| 116 | return false; |
| 117 | } |
| 118 | |
| 119 | if (hash_alg_ == SHA256) { |
| 120 | plat_->raw_key_.assign(key, key + key_length); |
| 121 | return true; |
| 122 | } |
| 123 | |
| 124 | if (!CryptAcquireContext(plat_->provider_.receive(), NULL, NULL, |
| 125 | PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { |
| 126 | NOTREACHED(); |
| 127 | return false; |
| 128 | } |
| 129 | |
| 130 | // This code doesn't work on Win2k because PLAINTEXTKEYBLOB and |
| 131 | // CRYPT_IPSEC_HMAC_KEY are not supported on Windows 2000. PLAINTEXTKEYBLOB |
| 132 | // allows the import of an unencrypted key. For Win2k support, a cubmbersome |
| 133 | // exponent-of-one key procedure must be used: |
| 134 | // http://support.microsoft.com/kb/228786/en-us |
| 135 | // CRYPT_IPSEC_HMAC_KEY allows keys longer than 16 bytes. |
| 136 | |
| 137 | struct KeyBlob { |
| 138 | BLOBHEADER header; |
| 139 | DWORD key_size; |
| 140 | BYTE key_data[1]; |
| 141 | }; |
| 142 | size_t key_blob_size = std::max(offsetof(KeyBlob, key_data) + key_length, |
| 143 | sizeof(KeyBlob)); |
| 144 | std::vector<BYTE> key_blob_storage = std::vector<BYTE>(key_blob_size); |
| 145 | KeyBlob* key_blob = reinterpret_cast<KeyBlob*>(&key_blob_storage[0]); |
| 146 | key_blob->header.bType = PLAINTEXTKEYBLOB; |
| 147 | key_blob->header.bVersion = CUR_BLOB_VERSION; |
| 148 | key_blob->header.reserved = 0; |
| 149 | key_blob->header.aiKeyAlg = CALG_RC2; |
Torne (Richard Coles) | 2a99a7e | 2013-03-28 15:31:22 +0000 | [diff] [blame] | 150 | key_blob->key_size = static_cast<DWORD>(key_length); |
Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 151 | memcpy(key_blob->key_data, key, key_length); |
| 152 | |
| 153 | if (!CryptImportKey(plat_->provider_, &key_blob_storage[0], |
| 154 | (DWORD)key_blob_storage.size(), 0, |
| 155 | CRYPT_IPSEC_HMAC_KEY, plat_->key_.receive())) { |
| 156 | NOTREACHED(); |
| 157 | return false; |
| 158 | } |
| 159 | |
| 160 | // Destroy the copy of the key. |
| 161 | SecureZeroMemory(key_blob->key_data, key_length); |
| 162 | |
| 163 | return true; |
| 164 | } |
| 165 | |
| 166 | HMAC::~HMAC() { |
| 167 | } |
| 168 | |
| 169 | bool HMAC::Sign(const base::StringPiece& data, |
| 170 | unsigned char* digest, |
Torne (Richard Coles) | 2a99a7e | 2013-03-28 15:31:22 +0000 | [diff] [blame] | 171 | size_t digest_length) const { |
Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 172 | if (hash_alg_ == SHA256) { |
| 173 | if (plat_->raw_key_.empty()) |
| 174 | return false; |
| 175 | ComputeHMACSHA256(&plat_->raw_key_[0], plat_->raw_key_.size(), |
| 176 | reinterpret_cast<const unsigned char*>(data.data()), |
| 177 | data.size(), digest, digest_length); |
| 178 | return true; |
| 179 | } |
| 180 | |
| 181 | if (!plat_->provider_ || !plat_->key_) |
| 182 | return false; |
| 183 | |
| 184 | if (hash_alg_ != SHA1) { |
| 185 | NOTREACHED(); |
| 186 | return false; |
| 187 | } |
| 188 | |
| 189 | ScopedHCRYPTHASH hash; |
| 190 | if (!CryptCreateHash(plat_->provider_, CALG_HMAC, plat_->key_, 0, |
| 191 | hash.receive())) |
| 192 | return false; |
| 193 | |
| 194 | HMAC_INFO hmac_info; |
| 195 | memset(&hmac_info, 0, sizeof(hmac_info)); |
| 196 | hmac_info.HashAlgid = CALG_SHA1; |
| 197 | if (!CryptSetHashParam(hash, HP_HMAC_INFO, |
| 198 | reinterpret_cast<BYTE*>(&hmac_info), 0)) |
| 199 | return false; |
| 200 | |
| 201 | if (!CryptHashData(hash, reinterpret_cast<const BYTE*>(data.data()), |
| 202 | static_cast<DWORD>(data.size()), 0)) |
| 203 | return false; |
| 204 | |
Torne (Richard Coles) | 2a99a7e | 2013-03-28 15:31:22 +0000 | [diff] [blame] | 205 | DWORD sha1_size = static_cast<DWORD>(digest_length); |
Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 206 | return !!CryptGetHashParam(hash, HP_HASHVAL, digest, &sha1_size, 0); |
| 207 | } |
| 208 | |
| 209 | } // namespace crypto |