1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "crypto/hmac.h" 6 7 #include <windows.h> 8 #include <stddef.h> 9 10 #include <algorithm> 11 #include <vector> 12 13 #include "base/logging.h" 14 #include "crypto/scoped_capi_types.h" 15 #include "crypto/third_party/nss/chromium-blapi.h" 16 #include "crypto/third_party/nss/chromium-sha256.h" 17 #include "crypto/wincrypt_shim.h" 18 19 namespace crypto { 20 21 namespace { 22 23 // Implementation of HMAC-SHA-256: 24 // 25 // SHA-256 is supported in Windows XP SP3 or later. We still need to support 26 // Windows XP SP2, so unfortunately we have to implement HMAC-SHA-256 here. 27 28 enum { 29 SHA256_BLOCK_SIZE = 64 // Block size (in bytes) of the input to SHA-256. 30 }; 31 32 // NSS doesn't accept size_t for text size, divide the data into smaller 33 // chunks as needed. 34 void Wrapped_SHA256_Update(SHA256Context* ctx, const unsigned char* text, 35 size_t text_len) { 36 const unsigned int kChunkSize = 1 << 30; 37 while (text_len > kChunkSize) { 38 SHA256_Update(ctx, text, kChunkSize); 39 text += kChunkSize; 40 text_len -= kChunkSize; 41 } 42 SHA256_Update(ctx, text, (unsigned int)text_len); 43 } 44 45 // See FIPS 198: The Keyed-Hash Message Authentication Code (HMAC). 46 void ComputeHMACSHA256(const unsigned char* key, size_t key_len, 47 const unsigned char* text, size_t text_len, 48 unsigned char* output, size_t output_len) { 49 SHA256Context ctx; 50 51 // Pre-process the key, if necessary. 52 unsigned char key0[SHA256_BLOCK_SIZE]; 53 if (key_len > SHA256_BLOCK_SIZE) { 54 SHA256_Begin(&ctx); 55 Wrapped_SHA256_Update(&ctx, key, key_len); 56 SHA256_End(&ctx, key0, NULL, SHA256_LENGTH); 57 memset(key0 + SHA256_LENGTH, 0, SHA256_BLOCK_SIZE - SHA256_LENGTH); 58 } else { 59 memcpy(key0, key, key_len); 60 if (key_len < SHA256_BLOCK_SIZE) 61 memset(key0 + key_len, 0, SHA256_BLOCK_SIZE - key_len); 62 } 63 64 unsigned char padded_key[SHA256_BLOCK_SIZE]; 65 unsigned char inner_hash[SHA256_LENGTH]; 66 67 // XOR key0 with ipad. 68 for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) 69 padded_key[i] = key0[i] ^ 0x36; 70 71 // Compute the inner hash. 72 SHA256_Begin(&ctx); 73 SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); 74 Wrapped_SHA256_Update(&ctx, text, text_len); 75 SHA256_End(&ctx, inner_hash, NULL, SHA256_LENGTH); 76 77 // XOR key0 with opad. 78 for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) 79 padded_key[i] = key0[i] ^ 0x5c; 80 81 // Compute the outer hash. 82 SHA256_Begin(&ctx); 83 SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); 84 SHA256_Update(&ctx, inner_hash, SHA256_LENGTH); 85 SHA256_End(&ctx, output, NULL, (unsigned int) output_len); 86 } 87 88 } // namespace 89 90 struct HMACPlatformData { 91 ~HMACPlatformData() { 92 if (!raw_key_.empty()) { 93 SecureZeroMemory(&raw_key_[0], raw_key_.size()); 94 } 95 96 // Destroy the key before releasing the provider. 97 key_.reset(); 98 } 99 100 ScopedHCRYPTPROV provider_; 101 ScopedHCRYPTKEY key_; 102 103 // For HMAC-SHA-256 only. 104 std::vector<unsigned char> raw_key_; 105 }; 106 107 HMAC::HMAC(HashAlgorithm hash_alg) 108 : hash_alg_(hash_alg), plat_(new HMACPlatformData()) { 109 // Only SHA-1 and SHA-256 hash algorithms are supported now. 110 DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256); 111 } 112 113 bool HMAC::Init(const unsigned char* key, size_t key_length) { 114 if (plat_->provider_ || plat_->key_ || !plat_->raw_key_.empty()) { 115 // Init must not be called more than once on the same HMAC object. 116 NOTREACHED(); 117 return false; 118 } 119 120 if (hash_alg_ == SHA256) { 121 plat_->raw_key_.assign(key, key + key_length); 122 return true; 123 } 124 125 if (!CryptAcquireContext(plat_->provider_.receive(), NULL, NULL, 126 PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { 127 NOTREACHED(); 128 return false; 129 } 130 131 // This code doesn't work on Win2k because PLAINTEXTKEYBLOB and 132 // CRYPT_IPSEC_HMAC_KEY are not supported on Windows 2000. PLAINTEXTKEYBLOB 133 // allows the import of an unencrypted key. For Win2k support, a cubmbersome 134 // exponent-of-one key procedure must be used: 135 // http://support.microsoft.com/kb/228786/en-us 136 // CRYPT_IPSEC_HMAC_KEY allows keys longer than 16 bytes. 137 138 struct KeyBlob { 139 BLOBHEADER header; 140 DWORD key_size; 141 BYTE key_data[1]; 142 }; 143 size_t key_blob_size = std::max(offsetof(KeyBlob, key_data) + key_length, 144 sizeof(KeyBlob)); 145 std::vector<BYTE> key_blob_storage = std::vector<BYTE>(key_blob_size); 146 KeyBlob* key_blob = reinterpret_cast<KeyBlob*>(&key_blob_storage[0]); 147 key_blob->header.bType = PLAINTEXTKEYBLOB; 148 key_blob->header.bVersion = CUR_BLOB_VERSION; 149 key_blob->header.reserved = 0; 150 key_blob->header.aiKeyAlg = CALG_RC2; 151 key_blob->key_size = static_cast<DWORD>(key_length); 152 memcpy(key_blob->key_data, key, key_length); 153 154 if (!CryptImportKey(plat_->provider_, &key_blob_storage[0], 155 (DWORD)key_blob_storage.size(), 0, 156 CRYPT_IPSEC_HMAC_KEY, plat_->key_.receive())) { 157 NOTREACHED(); 158 return false; 159 } 160 161 // Destroy the copy of the key. 162 SecureZeroMemory(key_blob->key_data, key_length); 163 164 return true; 165 } 166 167 HMAC::~HMAC() { 168 } 169 170 bool HMAC::Sign(const base::StringPiece& data, 171 unsigned char* digest, 172 size_t digest_length) const { 173 if (hash_alg_ == SHA256) { 174 if (plat_->raw_key_.empty()) 175 return false; 176 ComputeHMACSHA256(&plat_->raw_key_[0], plat_->raw_key_.size(), 177 reinterpret_cast<const unsigned char*>(data.data()), 178 data.size(), digest, digest_length); 179 return true; 180 } 181 182 if (!plat_->provider_ || !plat_->key_) 183 return false; 184 185 if (hash_alg_ != SHA1) { 186 NOTREACHED(); 187 return false; 188 } 189 190 ScopedHCRYPTHASH hash; 191 if (!CryptCreateHash(plat_->provider_, CALG_HMAC, plat_->key_, 0, 192 hash.receive())) 193 return false; 194 195 HMAC_INFO hmac_info; 196 memset(&hmac_info, 0, sizeof(hmac_info)); 197 hmac_info.HashAlgid = CALG_SHA1; 198 if (!CryptSetHashParam(hash, HP_HMAC_INFO, 199 reinterpret_cast<BYTE*>(&hmac_info), 0)) 200 return false; 201 202 if (!CryptHashData(hash, reinterpret_cast<const BYTE*>(data.data()), 203 static_cast<DWORD>(data.size()), 0)) 204 return false; 205 206 DWORD sha1_size = static_cast<DWORD>(digest_length); 207 return !!CryptGetHashParam(hash, HP_HASHVAL, digest, &sha1_size, 0); 208 } 209 210 } // namespace crypto 211