Reland "Cut down /crypto and switch what is left of it to boringssl".

crypto/symmetric_key_win.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "crypto/symmetric_key.h"
-
-#include <vector>
-
-// TODO(wtc): replace scoped_array by std::vector.
-#include "base/memory/scoped_ptr.h"
-#include "base/sys_byteorder.h"
-
-namespace crypto {
-
-namespace {
-
-// The following is a non-public Microsoft header documented in MSDN under
-// CryptImportKey / CryptExportKey. Following the header is the byte array of
-// the actual plaintext key.
-struct PlaintextBlobHeader {
-  BLOBHEADER hdr;
-  DWORD cbKeySize;
-};
-
-// CryptoAPI makes use of three distinct ALG_IDs for AES, rather than just
-// CALG_AES (which exists, but depending on the functions you are calling, may
-// result in function failure, whereas the subtype would succeed).
-ALG_ID GetAESAlgIDForKeySize(size_t key_size_in_bits) {
-  // Only AES-128/-192/-256 is supported in CryptoAPI.
-  switch (key_size_in_bits) {
-    case 128:
-      return CALG_AES_128;
-    case 192:
-      return CALG_AES_192;
-    case 256:
-      return CALG_AES_256;
-    default:
-      NOTREACHED();
-      return 0;
-  }
-};
-
-// Imports a raw/plaintext key of |key_size| stored in |*key_data| into a new
-// key created for the specified |provider|. |alg| contains the algorithm of
-// the key being imported.
-// If |key_data| is intended to be used as an HMAC key, then |alg| should be
-// CALG_HMAC.
-// If successful, returns true and stores the imported key in |*key|.
-// TODO(wtc): use this function in hmac_win.cc.
-bool ImportRawKey(HCRYPTPROV provider,
-                  ALG_ID alg,
-                  const void* key_data, size_t key_size,
-                  ScopedHCRYPTKEY* key) {
-  DCHECK_GT(key_size, 0);
-
-  DWORD actual_size =
-      static_cast<DWORD>(sizeof(PlaintextBlobHeader) + key_size);
-  std::vector<BYTE> tmp_data(actual_size);
-  BYTE* actual_key = &tmp_data[0];
-  memcpy(actual_key + sizeof(PlaintextBlobHeader), key_data, key_size);
-  PlaintextBlobHeader* key_header =
-      reinterpret_cast<PlaintextBlobHeader*>(actual_key);
-  memset(key_header, 0, sizeof(PlaintextBlobHeader));
-
-  key_header->hdr.bType = PLAINTEXTKEYBLOB;
-  key_header->hdr.bVersion = CUR_BLOB_VERSION;
-  key_header->hdr.aiKeyAlg = alg;
-
-  key_header->cbKeySize = static_cast<DWORD>(key_size);
-
-  HCRYPTKEY unsafe_key = NULL;
-  DWORD flags = CRYPT_EXPORTABLE;
-  if (alg == CALG_HMAC) {
-    // Though it may appear odd that IPSEC and RC2 are being used, this is
-    // done in accordance with Microsoft's FIPS 140-2 Security Policy for the
-    // RSA Enhanced Provider, as the approved means of using arbitrary HMAC
-    // key material.
-    key_header->hdr.aiKeyAlg = CALG_RC2;
-    flags |= CRYPT_IPSEC_HMAC_KEY;
-  }
-
-  BOOL ok =
-      CryptImportKey(provider, actual_key, actual_size, 0, flags, &unsafe_key);
-
-  // Clean up the temporary copy of key, regardless of whether it was imported
-  // sucessfully or not.
-  SecureZeroMemory(actual_key, actual_size);
-
-  if (!ok)
-    return false;
-
-  key->reset(unsafe_key);
-  return true;
-}
-
-// Attempts to generate a random AES key of |key_size_in_bits|. Returns true
-// if generation is successful, storing the generated key in |*key| and the
-// key provider (CSP) in |*provider|.
-bool GenerateAESKey(size_t key_size_in_bits,
-                    ScopedHCRYPTPROV* provider,
-                    ScopedHCRYPTKEY* key) {
-  DCHECK(provider);
-  DCHECK(key);
-
-  ALG_ID alg = GetAESAlgIDForKeySize(key_size_in_bits);
-  if (alg == 0)
-    return false;
-
-  ScopedHCRYPTPROV safe_provider;
-  // Note: The only time NULL is safe to be passed as pszContainer is when
-  // dwFlags contains CRYPT_VERIFYCONTEXT, as all keys generated and/or used
-  // will be treated as ephemeral keys and not persisted.
-  BOOL ok = CryptAcquireContext(safe_provider.receive(), NULL, NULL,
-                                PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
-  if (!ok)
-    return false;
-
-  ScopedHCRYPTKEY safe_key;
-  // In the FIPS 140-2 Security Policy for CAPI on XP/Vista+, Microsoft notes
-  // that CryptGenKey makes use of the same functionality exposed via
-  // CryptGenRandom. The reason this is being used, as opposed to
-  // CryptGenRandom and CryptImportKey is for compliance with the security
-  // policy
-  ok = CryptGenKey(safe_provider.get(), alg, CRYPT_EXPORTABLE,
-                   safe_key.receive());
-  if (!ok)
-    return false;
-
-  key->swap(safe_key);
-  provider->swap(safe_provider);
-
-  return true;
-}
-
-// Returns true if the HMAC key size meets the requirement of FIPS 198
-// Section 3.  |alg| is the hash function used in the HMAC.
-bool CheckHMACKeySize(size_t key_size_in_bits, ALG_ID alg) {
-  DWORD hash_size = 0;
-  switch (alg) {
-    case CALG_SHA1:
-      hash_size = 20;
-      break;
-    case CALG_SHA_256:
-      hash_size = 32;
-      break;
-    case CALG_SHA_384:
-      hash_size = 48;
-      break;
-    case CALG_SHA_512:
-      hash_size = 64;
-      break;
-  }
-  if (hash_size == 0)
-    return false;
-
-  // An HMAC key must be >= L/2, where L is the output size of the hash
-  // function being used.
-  return (key_size_in_bits >= (hash_size / 2 * 8) &&
-         (key_size_in_bits % 8) == 0);
-}
-
-// Attempts to generate a random, |key_size_in_bits|-long HMAC key, for use
-// with the hash function |alg|.
-// |key_size_in_bits| must be >= 1/2 the hash size of |alg| for security.
-// Returns true if generation is successful, storing the generated key in
-// |*key| and the key provider (CSP) in |*provider|.
-bool GenerateHMACKey(size_t key_size_in_bits,
-                     ALG_ID alg,
-                     ScopedHCRYPTPROV* provider,
-                     ScopedHCRYPTKEY* key,
-                     scoped_ptr<BYTE[]>* raw_key) {
-  DCHECK(provider);
-  DCHECK(key);
-  DCHECK(raw_key);
-
-  if (!CheckHMACKeySize(key_size_in_bits, alg))
-    return false;
-
-  ScopedHCRYPTPROV safe_provider;
-  // See comment in GenerateAESKey as to why NULL is acceptable for the
-  // container name.
-  BOOL ok = CryptAcquireContext(safe_provider.receive(), NULL, NULL,
-                                PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
-  if (!ok)
-    return false;
-
-  DWORD key_size_in_bytes = static_cast<DWORD>(key_size_in_bits / 8);
-  scoped_ptr<BYTE[]> random(new BYTE[key_size_in_bytes]);
-  ok = CryptGenRandom(safe_provider, key_size_in_bytes, random.get());
-  if (!ok)
-    return false;
-
-  ScopedHCRYPTKEY safe_key;
-  bool rv = ImportRawKey(safe_provider, CALG_HMAC, random.get(),
-                         key_size_in_bytes, &safe_key);
-  if (rv) {
-    key->swap(safe_key);
-    provider->swap(safe_provider);
-    raw_key->swap(random);
-  }
-
-  SecureZeroMemory(random.get(), key_size_in_bytes);
-  return rv;
-}
-
-// Attempts to create an HMAC hash instance using the specified |provider|
-// and |key|. The inner hash function will be |hash_alg|. If successful,
-// returns true and stores the hash in |*hash|.
-// TODO(wtc): use this function in hmac_win.cc.
-bool CreateHMACHash(HCRYPTPROV provider,
-                    HCRYPTKEY key,
-                    ALG_ID hash_alg,
-                    ScopedHCRYPTHASH* hash) {
-  ScopedHCRYPTHASH safe_hash;
-  BOOL ok = CryptCreateHash(provider, CALG_HMAC, key, 0, safe_hash.receive());
-  if (!ok)
-    return false;
-
-  HMAC_INFO hmac_info;
-  memset(&hmac_info, 0, sizeof(hmac_info));
-  hmac_info.HashAlgid = hash_alg;
-
-  ok = CryptSetHashParam(safe_hash, HP_HMAC_INFO,
-                         reinterpret_cast<const BYTE*>(&hmac_info), 0);
-  if (!ok)
-    return false;
-
-  hash->swap(safe_hash);
-  return true;
-}
-
-// Computes a block of the derived key using the PBKDF2 function F for the
-// specified |block_index| using the PRF |hash|, writing the output to
-// |output_buf|.
-// |output_buf| must have enough space to accomodate the output of the PRF
-// specified by |hash|.
-// Returns true if the block was successfully computed.
-bool ComputePBKDF2Block(HCRYPTHASH hash,
-                        DWORD hash_size,
-                        const std::string& salt,
-                        size_t iterations,
-                        uint32 block_index,
-                        BYTE* output_buf) {
-  // From RFC 2898:
-  // 3. <snip> The function F is defined as the exclusive-or sum of the first
-  //    c iterates of the underlying pseudorandom function PRF applied to the
-  //    password P and the concatenation of the salt S and the block index i:
-  //      F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
-  //    where
-  //      U_1 = PRF(P, S || INT (i))
-  //      U_2 = PRF(P, U_1)
-  //      ...
-  //      U_c = PRF(P, U_{c-1})
-  ScopedHCRYPTHASH safe_hash;
-  BOOL ok = CryptDuplicateHash(hash, NULL, 0, safe_hash.receive());
-  if (!ok)
-    return false;
-
-  // Iteration U_1: Compute PRF for S.
-  ok = CryptHashData(safe_hash, reinterpret_cast<const BYTE*>(salt.data()),
-                     static_cast<DWORD>(salt.size()), 0);
-  if (!ok)
-    return false;
-
-  // Iteration U_1: and append (big-endian) INT (i).
-  uint32 big_endian_block_index = base::HostToNet32(block_index);
-  ok = CryptHashData(safe_hash,
-                     reinterpret_cast<BYTE*>(&big_endian_block_index),
-                     sizeof(big_endian_block_index), 0);
-
-  std::vector<BYTE> hash_value(hash_size);
-
-  DWORD size = hash_size;
-  ok = CryptGetHashParam(safe_hash, HP_HASHVAL, &hash_value[0], &size, 0);
-  if (!ok  || size != hash_size)
-    return false;
-
-  memcpy(output_buf, &hash_value[0], hash_size);
-
-  // Iteration 2 - c: Compute U_{iteration} by applying the PRF to
-  // U_{iteration - 1}, then xor the resultant hash with |output|, which
-  // contains U_1 ^ U_2 ^ ... ^ U_{iteration - 1}.
-  for (size_t iteration = 2; iteration <= iterations; ++iteration) {
-    safe_hash.reset();
-    ok = CryptDuplicateHash(hash, NULL, 0, safe_hash.receive());
-    if (!ok)
-      return false;
-
-    ok = CryptHashData(safe_hash, &hash_value[0], hash_size, 0);
-    if (!ok)
-      return false;
-
-    size = hash_size;
-    ok = CryptGetHashParam(safe_hash, HP_HASHVAL, &hash_value[0], &size, 0);
-    if (!ok || size != hash_size)
-      return false;
-
-    for (int i = 0; i < hash_size; ++i)
-      output_buf[i] ^= hash_value[i];
-  }
-
-  return true;
-}
-
-}  // namespace
-
-SymmetricKey::~SymmetricKey() {
-  // TODO(wtc): create a "secure" string type that zeroes itself in the
-  // destructor.
-  if (!raw_key_.empty())
-    SecureZeroMemory(const_cast<char *>(raw_key_.data()), raw_key_.size());
-}
-
-// static
-SymmetricKey* SymmetricKey::GenerateRandomKey(Algorithm algorithm,
-                                              size_t key_size_in_bits) {
-  DCHECK_GE(key_size_in_bits, 8);
-
-  ScopedHCRYPTPROV provider;
-  ScopedHCRYPTKEY key;
-
-  bool ok = false;
-  scoped_ptr<BYTE[]> raw_key;
-
-  switch (algorithm) {
-    case AES:
-      ok = GenerateAESKey(key_size_in_bits, &provider, &key);
-      break;
-    case HMAC_SHA1:
-      ok = GenerateHMACKey(key_size_in_bits, CALG_SHA1, &provider,
-                           &key, &raw_key);
-      break;
-  }
-
-  if (!ok) {
-    NOTREACHED();
-    return NULL;
-  }
-
-  size_t key_size_in_bytes = key_size_in_bits / 8;
-  if (raw_key == NULL)
-    key_size_in_bytes = 0;
-
-  SymmetricKey* result = new SymmetricKey(provider.release(),
-                                          key.release(),
-                                          raw_key.get(),
-                                          key_size_in_bytes);
-  if (raw_key != NULL)
-    SecureZeroMemory(raw_key.get(), key_size_in_bytes);
-
-  return result;
-}
-
-// static
-SymmetricKey* SymmetricKey::DeriveKeyFromPassword(Algorithm algorithm,
-                                                  const std::string& password,
-                                                  const std::string& salt,
-                                                  size_t iterations,
-                                                  size_t key_size_in_bits) {
-  // CryptoAPI lacks routines to perform PBKDF2 derivation as specified
-  // in RFC 2898, so it must be manually implemented. Only HMAC-SHA1 is
-  // supported as the PRF.
-
-  // While not used until the end, sanity-check the input before proceeding
-  // with the expensive computation.
-  DWORD provider_type = 0;
-  ALG_ID alg = 0;
-  switch (algorithm) {
-    case AES:
-      provider_type = PROV_RSA_AES;
-      alg = GetAESAlgIDForKeySize(key_size_in_bits);
-      break;
-    case HMAC_SHA1:
-      provider_type = PROV_RSA_FULL;
-      alg = CALG_HMAC;
-      break;
-    default:
-      NOTREACHED();
-      break;
-  }
-  if (provider_type == 0 || alg == 0)
-    return NULL;
-
-  ScopedHCRYPTPROV provider;
-  BOOL ok = CryptAcquireContext(provider.receive(), NULL, NULL, provider_type,
-                                CRYPT_VERIFYCONTEXT);
-  if (!ok)
-    return NULL;
-
-  // Convert the user password into a key suitable to be fed into the PRF
-  // function.
-  ScopedHCRYPTKEY password_as_key;
-  BYTE* password_as_bytes =
-      const_cast<BYTE*>(reinterpret_cast<const BYTE*>(password.data()));
-  if (!ImportRawKey(provider, CALG_HMAC, password_as_bytes,
-                    password.size(), &password_as_key))
-    return NULL;
-
-  // Configure the PRF function. Only HMAC variants are supported, with the
-  // only hash function supported being SHA1.
-  // TODO(rsleevi): Support SHA-256 on XP SP3+.
-  ScopedHCRYPTHASH prf;
-  if (!CreateHMACHash(provider, password_as_key, CALG_SHA1, &prf))
-    return NULL;
-
-  DWORD hLen = 0;
-  DWORD param_size = sizeof(hLen);
-  ok = CryptGetHashParam(prf, HP_HASHSIZE,
-                         reinterpret_cast<BYTE*>(&hLen), &param_size, 0);
-  if (!ok || hLen == 0)
-    return NULL;
-
-  // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
-  size_t dkLen = key_size_in_bits / 8;
-  DCHECK_GT(dkLen, 0);
-
-  if ((dkLen / hLen) > 0xFFFFFFFF) {
-    DLOG(ERROR) << "Derived key too long.";
-    return NULL;
-  }
-
-  // 2. Let l be the number of hLen-octet blocks in the derived key,
-  //    rounding up, and let r be the number of octets in the last
-  //    block:
-  size_t L = (dkLen + hLen - 1) / hLen;
-  DCHECK_GT(L, 0);
-
-  size_t total_generated_size = L * hLen;
-  std::vector<BYTE> generated_key(total_generated_size);
-  BYTE* block_offset = &generated_key[0];
-
-  // 3. For each block of the derived key apply the function F defined below
-  //    to the password P, the salt S, the iteration count c, and the block
-  //    index to compute the block:
-  //    T_1 = F (P, S, c, 1)
-  //    T_2 = F (P, S, c, 2)
-  //    ...
-  //    T_l = F (P, S, c, l)
-  // <snip>
-  // 4. Concatenate the blocks and extract the first dkLen octets to produce
-  //    a derived key DK:
-  //    DK = T_1 || T_2 || ... || T_l<0..r-1>
-  for (uint32 block_index = 1; block_index <= L; ++block_index) {
-    if (!ComputePBKDF2Block(prf, hLen, salt, iterations, block_index,
-                            block_offset))
-        return NULL;
-    block_offset += hLen;
-  }
-
-  // Convert the derived key bytes into a key handle for the desired algorithm.
-  ScopedHCRYPTKEY key;
-  if (!ImportRawKey(provider, alg, &generated_key[0], dkLen, &key))
-    return NULL;
-
-  SymmetricKey* result = new SymmetricKey(provider.release(), key.release(),
-                                          &generated_key[0], dkLen);
-
-  SecureZeroMemory(&generated_key[0], total_generated_size);
-
-  return result;
-}
-
-// static
-SymmetricKey* SymmetricKey::Import(Algorithm algorithm,
-                                   const std::string& raw_key) {
-  DWORD provider_type = 0;
-  ALG_ID alg = 0;
-  switch (algorithm) {
-    case AES:
-      provider_type = PROV_RSA_AES;
-      alg = GetAESAlgIDForKeySize(raw_key.size() * 8);
-      break;
-    case HMAC_SHA1:
-      provider_type = PROV_RSA_FULL;
-      alg = CALG_HMAC;
-      break;
-    default:
-      NOTREACHED();
-      break;
-  }
-  if (provider_type == 0 || alg == 0)
-    return NULL;
-
-  ScopedHCRYPTPROV provider;
-  BOOL ok = CryptAcquireContext(provider.receive(), NULL, NULL, provider_type,
-                                CRYPT_VERIFYCONTEXT);
-  if (!ok)
-    return NULL;
-
-  ScopedHCRYPTKEY key;
-  if (!ImportRawKey(provider, alg, raw_key.data(), raw_key.size(), &key))
-    return NULL;
-
-  return new SymmetricKey(provider.release(), key.release(),
-                          raw_key.data(), raw_key.size());
-}
-
-bool SymmetricKey::GetRawKey(std::string* raw_key) {
-  // Short circuit for when the key was supplied to the constructor.
-  if (!raw_key_.empty()) {
-    *raw_key = raw_key_;
-    return true;
-  }
-
-  DWORD size = 0;
-  BOOL ok = CryptExportKey(key_, 0, PLAINTEXTKEYBLOB, 0, NULL, &size);
-  if (!ok)
-    return false;
-
-  std::vector<BYTE> result(size);
-
-  ok = CryptExportKey(key_, 0, PLAINTEXTKEYBLOB, 0, &result[0], &size);
-  if (!ok)
-    return false;
-
-  PlaintextBlobHeader* header =
-      reinterpret_cast<PlaintextBlobHeader*>(&result[0]);
-  raw_key->assign(reinterpret_cast<char*>(&result[sizeof(*header)]),
-                  header->cbKeySize);
-
-  SecureZeroMemory(&result[0], size);
-
-  return true;
-}
-
-SymmetricKey::SymmetricKey(HCRYPTPROV provider,
-                           HCRYPTKEY key,
-                           const void* key_data, size_t key_size_in_bytes)
-    : provider_(provider), key_(key) {
-  if (key_data) {
-    raw_key_.assign(reinterpret_cast<const char*>(key_data),
-                    key_size_in_bytes);
-  }
-}
-
-}  // namespace crypto