OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "crypto/hmac.h" | |
6 | |
7 #include <windows.h> | |
8 #include <stddef.h> | |
9 | |
10 #include <algorithm> | |
11 #include <vector> | |
12 | |
13 #include "base/logging.h" | |
14 #include "crypto/scoped_capi_types.h" | |
15 #include "crypto/third_party/nss/chromium-blapi.h" | |
16 #include "crypto/third_party/nss/chromium-sha256.h" | |
17 #include "crypto/wincrypt_shim.h" | |
18 | |
19 namespace crypto { | |
20 | |
21 namespace { | |
22 | |
23 // Implementation of HMAC-SHA-256: | |
24 // | |
25 // SHA-256 is supported in Windows XP SP3 or later. We still need to support | |
26 // Windows XP SP2, so unfortunately we have to implement HMAC-SHA-256 here. | |
27 | |
28 enum { | |
29 SHA256_BLOCK_SIZE = 64 // Block size (in bytes) of the input to SHA-256. | |
30 }; | |
31 | |
32 // NSS doesn't accept size_t for text size, divide the data into smaller | |
33 // chunks as needed. | |
34 void Wrapped_SHA256_Update(SHA256Context* ctx, const unsigned char* text, | |
35 size_t text_len) { | |
36 const unsigned int kChunkSize = 1 << 30; | |
37 while (text_len > kChunkSize) { | |
38 SHA256_Update(ctx, text, kChunkSize); | |
39 text += kChunkSize; | |
40 text_len -= kChunkSize; | |
41 } | |
42 SHA256_Update(ctx, text, (unsigned int)text_len); | |
43 } | |
44 | |
45 // See FIPS 198: The Keyed-Hash Message Authentication Code (HMAC). | |
46 void ComputeHMACSHA256(const unsigned char* key, size_t key_len, | |
47 const unsigned char* text, size_t text_len, | |
48 unsigned char* output, size_t output_len) { | |
49 SHA256Context ctx; | |
50 | |
51 // Pre-process the key, if necessary. | |
52 unsigned char key0[SHA256_BLOCK_SIZE]; | |
53 if (key_len > SHA256_BLOCK_SIZE) { | |
54 SHA256_Begin(&ctx); | |
55 Wrapped_SHA256_Update(&ctx, key, key_len); | |
56 SHA256_End(&ctx, key0, NULL, SHA256_LENGTH); | |
57 memset(key0 + SHA256_LENGTH, 0, SHA256_BLOCK_SIZE - SHA256_LENGTH); | |
58 } else { | |
59 memcpy(key0, key, key_len); | |
60 if (key_len < SHA256_BLOCK_SIZE) | |
61 memset(key0 + key_len, 0, SHA256_BLOCK_SIZE - key_len); | |
62 } | |
63 | |
64 unsigned char padded_key[SHA256_BLOCK_SIZE]; | |
65 unsigned char inner_hash[SHA256_LENGTH]; | |
66 | |
67 // XOR key0 with ipad. | |
68 for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) | |
69 padded_key[i] = key0[i] ^ 0x36; | |
70 | |
71 // Compute the inner hash. | |
72 SHA256_Begin(&ctx); | |
73 SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); | |
74 Wrapped_SHA256_Update(&ctx, text, text_len); | |
75 SHA256_End(&ctx, inner_hash, NULL, SHA256_LENGTH); | |
76 | |
77 // XOR key0 with opad. | |
78 for (int i = 0; i < SHA256_BLOCK_SIZE; ++i) | |
79 padded_key[i] = key0[i] ^ 0x5c; | |
80 | |
81 // Compute the outer hash. | |
82 SHA256_Begin(&ctx); | |
83 SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE); | |
84 SHA256_Update(&ctx, inner_hash, SHA256_LENGTH); | |
85 SHA256_End(&ctx, output, NULL, (unsigned int) output_len); | |
86 } | |
87 | |
88 } // namespace | |
89 | |
90 struct HMACPlatformData { | |
91 ~HMACPlatformData() { | |
92 if (!raw_key_.empty()) { | |
93 SecureZeroMemory(&raw_key_[0], raw_key_.size()); | |
94 } | |
95 | |
96 // Destroy the key before releasing the provider. | |
97 key_.reset(); | |
98 } | |
99 | |
100 ScopedHCRYPTPROV provider_; | |
101 ScopedHCRYPTKEY key_; | |
102 | |
103 // For HMAC-SHA-256 only. | |
104 std::vector<unsigned char> raw_key_; | |
105 }; | |
106 | |
107 HMAC::HMAC(HashAlgorithm hash_alg) | |
108 : hash_alg_(hash_alg), plat_(new HMACPlatformData()) { | |
109 // Only SHA-1 and SHA-256 hash algorithms are supported now. | |
110 DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256); | |
111 } | |
112 | |
113 bool HMAC::Init(const unsigned char* key, size_t key_length) { | |
114 if (plat_->provider_ || plat_->key_ || !plat_->raw_key_.empty()) { | |
115 // Init must not be called more than once on the same HMAC object. | |
116 NOTREACHED(); | |
117 return false; | |
118 } | |
119 | |
120 if (hash_alg_ == SHA256) { | |
121 plat_->raw_key_.assign(key, key + key_length); | |
122 return true; | |
123 } | |
124 | |
125 if (!CryptAcquireContext(plat_->provider_.receive(), NULL, NULL, | |
126 PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { | |
127 NOTREACHED(); | |
128 return false; | |
129 } | |
130 | |
131 // This code doesn't work on Win2k because PLAINTEXTKEYBLOB and | |
132 // CRYPT_IPSEC_HMAC_KEY are not supported on Windows 2000. PLAINTEXTKEYBLOB | |
133 // allows the import of an unencrypted key. For Win2k support, a cubmbersome | |
134 // exponent-of-one key procedure must be used: | |
135 // http://support.microsoft.com/kb/228786/en-us | |
136 // CRYPT_IPSEC_HMAC_KEY allows keys longer than 16 bytes. | |
137 | |
138 struct KeyBlob { | |
139 BLOBHEADER header; | |
140 DWORD key_size; | |
141 BYTE key_data[1]; | |
142 }; | |
143 size_t key_blob_size = std::max(offsetof(KeyBlob, key_data) + key_length, | |
144 sizeof(KeyBlob)); | |
145 std::vector<BYTE> key_blob_storage = std::vector<BYTE>(key_blob_size); | |
146 KeyBlob* key_blob = reinterpret_cast<KeyBlob*>(&key_blob_storage[0]); | |
147 key_blob->header.bType = PLAINTEXTKEYBLOB; | |
148 key_blob->header.bVersion = CUR_BLOB_VERSION; | |
149 key_blob->header.reserved = 0; | |
150 key_blob->header.aiKeyAlg = CALG_RC2; | |
151 key_blob->key_size = static_cast<DWORD>(key_length); | |
152 memcpy(key_blob->key_data, key, key_length); | |
153 | |
154 if (!CryptImportKey(plat_->provider_, &key_blob_storage[0], | |
155 (DWORD)key_blob_storage.size(), 0, | |
156 CRYPT_IPSEC_HMAC_KEY, plat_->key_.receive())) { | |
157 NOTREACHED(); | |
158 return false; | |
159 } | |
160 | |
161 // Destroy the copy of the key. | |
162 SecureZeroMemory(key_blob->key_data, key_length); | |
163 | |
164 return true; | |
165 } | |
166 | |
167 HMAC::~HMAC() { | |
168 } | |
169 | |
170 bool HMAC::Sign(const base::StringPiece& data, | |
171 unsigned char* digest, | |
172 size_t digest_length) const { | |
173 if (hash_alg_ == SHA256) { | |
174 if (plat_->raw_key_.empty()) | |
175 return false; | |
176 ComputeHMACSHA256(&plat_->raw_key_[0], plat_->raw_key_.size(), | |
177 reinterpret_cast<const unsigned char*>(data.data()), | |
178 data.size(), digest, digest_length); | |
179 return true; | |
180 } | |
181 | |
182 if (!plat_->provider_ || !plat_->key_) | |
183 return false; | |
184 | |
185 if (hash_alg_ != SHA1) { | |
186 NOTREACHED(); | |
187 return false; | |
188 } | |
189 | |
190 ScopedHCRYPTHASH hash; | |
191 if (!CryptCreateHash(plat_->provider_, CALG_HMAC, plat_->key_, 0, | |
192 hash.receive())) | |
193 return false; | |
194 | |
195 HMAC_INFO hmac_info; | |
196 memset(&hmac_info, 0, sizeof(hmac_info)); | |
197 hmac_info.HashAlgid = CALG_SHA1; | |
198 if (!CryptSetHashParam(hash, HP_HMAC_INFO, | |
199 reinterpret_cast<BYTE*>(&hmac_info), 0)) | |
200 return false; | |
201 | |
202 if (!CryptHashData(hash, reinterpret_cast<const BYTE*>(data.data()), | |
203 static_cast<DWORD>(data.size()), 0)) | |
204 return false; | |
205 | |
206 DWORD sha1_size = static_cast<DWORD>(digest_length); | |
207 return !!CryptGetHashParam(hash, HP_HASHVAL, digest, &sha1_size, 0); | |
208 } | |
209 | |
210 } // namespace crypto | |
OLD | NEW |