Home | History | Annotate | Download | only in crypto 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "crypto/hmac.h"
      6 
      7 #include <windows.h>
      8 #include <stddef.h>
      9 
     10 #include <algorithm>
     11 #include <vector>
     12 
     13 #include "base/logging.h"
     14 #include "crypto/scoped_capi_types.h"
     15 #include "crypto/third_party/nss/chromium-blapi.h"
     16 #include "crypto/third_party/nss/chromium-sha256.h"
     17 #include "crypto/wincrypt_shim.h"
     18 
     19 namespace crypto {
     20 
     21 namespace {
     22 
     23 // Implementation of HMAC-SHA-256:
     24 //
     25 // SHA-256 is supported in Windows XP SP3 or later.  We still need to support
     26 // Windows XP SP2, so unfortunately we have to implement HMAC-SHA-256 here.
     27 
     28 enum {
     29   SHA256_BLOCK_SIZE = 64  // Block size (in bytes) of the input to SHA-256.
     30 };
     31 
     32 // NSS doesn't accept size_t for text size, divide the data into smaller
     33 // chunks as needed.
     34 void Wrapped_SHA256_Update(SHA256Context* ctx, const unsigned char* text,
     35                            size_t text_len) {
     36   const unsigned int kChunkSize = 1 << 30;
     37   while (text_len > kChunkSize) {
     38     SHA256_Update(ctx, text, kChunkSize);
     39     text += kChunkSize;
     40     text_len -= kChunkSize;
     41   }
     42   SHA256_Update(ctx, text, (unsigned int)text_len);
     43 }
     44 
     45 // See FIPS 198: The Keyed-Hash Message Authentication Code (HMAC).
     46 void ComputeHMACSHA256(const unsigned char* key, size_t key_len,
     47                        const unsigned char* text, size_t text_len,
     48                        unsigned char* output, size_t output_len) {
     49   SHA256Context ctx;
     50 
     51   // Pre-process the key, if necessary.
     52   unsigned char key0[SHA256_BLOCK_SIZE];
     53   if (key_len > SHA256_BLOCK_SIZE) {
     54     SHA256_Begin(&ctx);
     55     Wrapped_SHA256_Update(&ctx, key, key_len);
     56     SHA256_End(&ctx, key0, NULL, SHA256_LENGTH);
     57     memset(key0 + SHA256_LENGTH, 0, SHA256_BLOCK_SIZE - SHA256_LENGTH);
     58   } else {
     59     memcpy(key0, key, key_len);
     60     if (key_len < SHA256_BLOCK_SIZE)
     61       memset(key0 + key_len, 0, SHA256_BLOCK_SIZE - key_len);
     62   }
     63 
     64   unsigned char padded_key[SHA256_BLOCK_SIZE];
     65   unsigned char inner_hash[SHA256_LENGTH];
     66 
     67   // XOR key0 with ipad.
     68   for (int i = 0; i < SHA256_BLOCK_SIZE; ++i)
     69     padded_key[i] = key0[i] ^ 0x36;
     70 
     71   // Compute the inner hash.
     72   SHA256_Begin(&ctx);
     73   SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE);
     74   Wrapped_SHA256_Update(&ctx, text, text_len);
     75   SHA256_End(&ctx, inner_hash, NULL, SHA256_LENGTH);
     76 
     77   // XOR key0 with opad.
     78   for (int i = 0; i < SHA256_BLOCK_SIZE; ++i)
     79     padded_key[i] = key0[i] ^ 0x5c;
     80 
     81   // Compute the outer hash.
     82   SHA256_Begin(&ctx);
     83   SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE);
     84   SHA256_Update(&ctx, inner_hash, SHA256_LENGTH);
     85   SHA256_End(&ctx, output, NULL, (unsigned int) output_len);
     86 }
     87 
     88 }  // namespace
     89 
     90 struct HMACPlatformData {
     91   ~HMACPlatformData() {
     92     if (!raw_key_.empty()) {
     93       SecureZeroMemory(&raw_key_[0], raw_key_.size());
     94     }
     95 
     96     // Destroy the key before releasing the provider.
     97     key_.reset();
     98   }
     99 
    100   ScopedHCRYPTPROV provider_;
    101   ScopedHCRYPTKEY key_;
    102 
    103   // For HMAC-SHA-256 only.
    104   std::vector<unsigned char> raw_key_;
    105 };
    106 
    107 HMAC::HMAC(HashAlgorithm hash_alg)
    108     : hash_alg_(hash_alg), plat_(new HMACPlatformData()) {
    109   // Only SHA-1 and SHA-256 hash algorithms are supported now.
    110   DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256);
    111 }
    112 
    113 bool HMAC::Init(const unsigned char* key, size_t key_length) {
    114   if (plat_->provider_ || plat_->key_ || !plat_->raw_key_.empty()) {
    115     // Init must not be called more than once on the same HMAC object.
    116     NOTREACHED();
    117     return false;
    118   }
    119 
    120   if (hash_alg_ == SHA256) {
    121     plat_->raw_key_.assign(key, key + key_length);
    122     return true;
    123   }
    124 
    125   if (!CryptAcquireContext(plat_->provider_.receive(), NULL, NULL,
    126                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
    127     NOTREACHED();
    128     return false;
    129   }
    130 
    131   // This code doesn't work on Win2k because PLAINTEXTKEYBLOB and
    132   // CRYPT_IPSEC_HMAC_KEY are not supported on Windows 2000.  PLAINTEXTKEYBLOB
    133   // allows the import of an unencrypted key.  For Win2k support, a cubmbersome
    134   // exponent-of-one key procedure must be used:
    135   //     http://support.microsoft.com/kb/228786/en-us
    136   // CRYPT_IPSEC_HMAC_KEY allows keys longer than 16 bytes.
    137 
    138   struct KeyBlob {
    139     BLOBHEADER header;
    140     DWORD key_size;
    141     BYTE key_data[1];
    142   };
    143   size_t key_blob_size = std::max(offsetof(KeyBlob, key_data) + key_length,
    144                                   sizeof(KeyBlob));
    145   std::vector<BYTE> key_blob_storage = std::vector<BYTE>(key_blob_size);
    146   KeyBlob* key_blob = reinterpret_cast<KeyBlob*>(&key_blob_storage[0]);
    147   key_blob->header.bType = PLAINTEXTKEYBLOB;
    148   key_blob->header.bVersion = CUR_BLOB_VERSION;
    149   key_blob->header.reserved = 0;
    150   key_blob->header.aiKeyAlg = CALG_RC2;
    151   key_blob->key_size = static_cast<DWORD>(key_length);
    152   memcpy(key_blob->key_data, key, key_length);
    153 
    154   if (!CryptImportKey(plat_->provider_, &key_blob_storage[0],
    155                       (DWORD)key_blob_storage.size(), 0,
    156                       CRYPT_IPSEC_HMAC_KEY, plat_->key_.receive())) {
    157     NOTREACHED();
    158     return false;
    159   }
    160 
    161   // Destroy the copy of the key.
    162   SecureZeroMemory(key_blob->key_data, key_length);
    163 
    164   return true;
    165 }
    166 
    167 HMAC::~HMAC() {
    168 }
    169 
    170 bool HMAC::Sign(const base::StringPiece& data,
    171                 unsigned char* digest,
    172                 size_t digest_length) const {
    173   if (hash_alg_ == SHA256) {
    174     if (plat_->raw_key_.empty())
    175       return false;
    176     ComputeHMACSHA256(&plat_->raw_key_[0], plat_->raw_key_.size(),
    177                       reinterpret_cast<const unsigned char*>(data.data()),
    178                       data.size(), digest, digest_length);
    179     return true;
    180   }
    181 
    182   if (!plat_->provider_ || !plat_->key_)
    183     return false;
    184 
    185   if (hash_alg_ != SHA1) {
    186     NOTREACHED();
    187     return false;
    188   }
    189 
    190   ScopedHCRYPTHASH hash;
    191   if (!CryptCreateHash(plat_->provider_, CALG_HMAC, plat_->key_, 0,
    192                        hash.receive()))
    193     return false;
    194 
    195   HMAC_INFO hmac_info;
    196   memset(&hmac_info, 0, sizeof(hmac_info));
    197   hmac_info.HashAlgid = CALG_SHA1;
    198   if (!CryptSetHashParam(hash, HP_HMAC_INFO,
    199                          reinterpret_cast<BYTE*>(&hmac_info), 0))
    200     return false;
    201 
    202   if (!CryptHashData(hash, reinterpret_cast<const BYTE*>(data.data()),
    203                      static_cast<DWORD>(data.size()), 0))
    204     return false;
    205 
    206   DWORD sha1_size = static_cast<DWORD>(digest_length);
    207   return !!CryptGetHashParam(hash, HP_HASHVAL, digest, &sha1_size, 0);
    208 }
    209 
    210 }  // namespace crypto
    211