1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "components/os_crypt/ie7_password_win.h" 6 7 #include <wincrypt.h> 8 #include <string> 9 #include <vector> 10 11 #include "base/memory/scoped_ptr.h" 12 #include "base/sha1.h" 13 #include "base/strings/string_util.h" 14 #include "base/strings/stringprintf.h" 15 16 namespace { 17 18 // Structures that IE7/IE8 use to store a username/password. 19 // Some of the fields might have been incorrectly reverse engineered. 20 struct PreHeader { 21 DWORD pre_header_size; // Size of this header structure. Always 12. 22 DWORD header_size; // Size of the real Header: sizeof(Header) + 23 // item_count * sizeof(Entry); 24 DWORD data_size; // Size of the data referenced by the entries. 25 }; 26 27 struct Header { 28 char wick[4]; // The string "WICK". I don't know what it means. 29 DWORD fixed_header_size; // The size of this structure without the entries: 30 // sizeof(Header). 31 DWORD item_count; // Number of entries. Should be even. 32 wchar_t two_letters[2]; // Two unknown bytes. 33 DWORD unknown[2]; // Two unknown DWORDs. 34 }; 35 36 struct Entry { 37 DWORD offset; // Offset where the data referenced by this entry is 38 // located. 39 FILETIME time_stamp; // Timestamp when the password got added. 40 DWORD string_length; // The length of the data string. 41 }; 42 43 // Main data structure. 44 struct PasswordEntry { 45 PreHeader pre_header; // Contains the size of the different sections. 46 Header header; // Contains the number of items. 47 Entry entry[1]; // List of entries containing a string. Even-indexed 48 // are usernames, odd are passwords. There may be 49 // several sets saved for a single url hash. 50 }; 51 } // namespace 52 53 namespace ie7_password { 54 55 bool GetUserPassFromData(const std::vector<unsigned char>& data, 56 std::vector<DecryptedCredentials>* credentials) { 57 const PasswordEntry* information = 58 reinterpret_cast<const PasswordEntry*>(&data.front()); 59 60 // Some expected values. If it's not what we expect we don't even try to 61 // understand the data. 62 if (information->pre_header.pre_header_size != sizeof(PreHeader)) 63 return false; 64 65 const int entry_count = information->header.item_count; 66 if (entry_count % 2) // Usernames and Passwords 67 return false; 68 69 if (information->header.fixed_header_size != sizeof(Header)) 70 return false; 71 72 const uint8* offset_to_data = &data[0] + 73 information->pre_header.header_size + 74 information->pre_header.pre_header_size; 75 76 for (int i = 0; i < entry_count / 2; ++i) { 77 78 const Entry* user_entry = &information->entry[2*i]; 79 const Entry* pass_entry = user_entry+1; 80 81 DecryptedCredentials c; 82 c.username = reinterpret_cast<const wchar_t*>(offset_to_data + 83 user_entry->offset); 84 c.password = reinterpret_cast<const wchar_t*>(offset_to_data + 85 pass_entry->offset); 86 credentials->push_back(c); 87 } 88 return true; 89 } 90 91 std::wstring GetUrlHash(const std::wstring& url) { 92 std::wstring lower_case_url = base::StringToLowerASCII(url); 93 // Get a data buffer out of our std::wstring to pass to SHA1HashString. 94 std::string url_buffer( 95 reinterpret_cast<const char*>(lower_case_url.c_str()), 96 (lower_case_url.size() + 1) * sizeof(wchar_t)); 97 std::string hash_bin = base::SHA1HashString(url_buffer); 98 99 std::wstring url_hash; 100 101 // Transform the buffer to an hexadecimal string. 102 unsigned char checksum = 0; 103 for (size_t i = 0; i < hash_bin.size(); ++i) { 104 // std::string gives signed chars, which mess with StringPrintf and 105 // check_sum. 106 unsigned char hash_byte = static_cast<unsigned char>(hash_bin[i]); 107 checksum += hash_byte; 108 url_hash += base::StringPrintf(L"%2.2X", static_cast<unsigned>(hash_byte)); 109 } 110 url_hash += base::StringPrintf(L"%2.2X", checksum); 111 112 return url_hash; 113 } 114 115 bool DecryptPasswords(const std::wstring& url, 116 const std::vector<unsigned char>& data, 117 std::vector<DecryptedCredentials>* credentials) { 118 std::wstring lower_case_url = base::StringToLowerASCII(url); 119 DATA_BLOB input = {0}; 120 DATA_BLOB output = {0}; 121 DATA_BLOB url_key = {0}; 122 123 input.pbData = const_cast<unsigned char*>(&data.front()); 124 input.cbData = static_cast<DWORD>((data.size()) * 125 sizeof(std::string::value_type)); 126 127 url_key.pbData = reinterpret_cast<unsigned char*>( 128 const_cast<wchar_t*>(lower_case_url.data())); 129 url_key.cbData = static_cast<DWORD>((lower_case_url.size() + 1) * 130 sizeof(std::wstring::value_type)); 131 132 if (CryptUnprotectData(&input, NULL, &url_key, NULL, NULL, 133 CRYPTPROTECT_UI_FORBIDDEN, &output)) { 134 // Now that we have the decrypted information, we need to understand it. 135 std::vector<unsigned char> decrypted_data; 136 decrypted_data.resize(output.cbData); 137 memcpy(&decrypted_data.front(), output.pbData, output.cbData); 138 139 GetUserPassFromData(decrypted_data, credentials); 140 141 LocalFree(output.pbData); 142 return true; 143 } 144 145 return false; 146 } 147 148 } // namespace ie7_password 149
