| blob | ec9cfa04d75a44c9704fd33d35b0cdfcc094dadc |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <vector>
9 // TODO(wtc): replace scoped_array by std::vector.
17 // The following is a non-public Microsoft header documented in MSDN under
18 // CryptImportKey / CryptExportKey. Following the header is the byte array of
19 // the actual plaintext key.
21 BLOBHEADER hdr;
22 DWORD cbKeySize;
23 };
25 // CryptoAPI makes use of three distinct ALG_IDs for AES, rather than just
26 // CALG_AES (which exists, but depending on the functions you are calling, may
27 // result in function failure, whereas the subtype would succeed).
29 // Only AES-128/-192/-256 is supported in CryptoAPI.
40 }
41 };
43 // Imports a raw/plaintext key of |key_size| stored in |*key_data| into a new
44 // key created for the specified |provider|. |alg| contains the algorithm of
45 // the key being imported.
46 // If |key_data| is intended to be used as an HMAC key, then |alg| should be
47 // CALG_HMAC.
48 // If successful, returns true and stores the imported key in |*key|.
49 // TODO(wtc): use this function in hmac_win.cc.
51 ALG_ID alg,
56 DWORD actual_size =
74 // Though it may appear odd that IPSEC and RC2 are being used, this is
75 // done in accordance with Microsoft's FIPS 140-2 Security Policy for the
76 // RSA Enhanced Provider, as the approved means of using arbitrary HMAC
77 // key material.
80 }
82 BOOL ok =
85 // Clean up the temporary copy of key, regardless of whether it was imported
86 // sucessfully or not.
94 }
96 // Attempts to generate a random AES key of |key_size_in_bits|. Returns true
97 // if generation is successful, storing the generated key in |*key| and the
98 // key provider (CSP) in |*provider|.
109 ScopedHCRYPTPROV safe_provider;
110 // Note: The only time NULL is safe to be passed as pszContainer is when
111 // dwFlags contains CRYPT_VERIFYCONTEXT, as all keys generated and/or used
112 // will be treated as ephemeral keys and not persisted.
118 ScopedHCRYPTKEY safe_key;
119 // In the FIPS 140-2 Security Policy for CAPI on XP/Vista+, Microsoft notes
120 // that CryptGenKey makes use of the same functionality exposed via
121 // CryptGenRandom. The reason this is being used, as opposed to
122 // CryptGenRandom and CryptImportKey is for compliance with the security
123 // policy
133 }
135 // Returns true if the HMAC key size meets the requirement of FIPS 198
136 // Section 3. |alg| is the hash function used in the HMAC.
152 }
156 // An HMAC key must be >= L/2, where L is the output size of the hash
157 // function being used.
160 }
162 // Attempts to generate a random, |key_size_in_bits|-long HMAC key, for use
163 // with the hash function |alg|.
164 // |key_size_in_bits| must be >= 1/2 the hash size of |alg| for security.
165 // Returns true if generation is successful, storing the generated key in
166 // |*key| and the key provider (CSP) in |*provider|.
168 ALG_ID alg,
179 ScopedHCRYPTPROV safe_provider;
180 // See comment in GenerateAESKey as to why NULL is acceptable for the
181 // container name.
193 ScopedHCRYPTKEY safe_key;
200 }
204 }
206 // Attempts to create an HMAC hash instance using the specified |provider|
207 // and |key|. The inner hash function will be |hash_alg|. If successful,
208 // returns true and stores the hash in |*hash|.
209 // TODO(wtc): use this function in hmac_win.cc.
211 HCRYPTKEY key,
212 ALG_ID hash_alg,
214 ScopedHCRYPTHASH safe_hash;
219 HMAC_INFO hmac_info;
230 }
232 // Computes a block of the derived key using the PBKDF2 function F for the
233 // specified |block_index| using the PRF |hash|, writing the output to
234 // |output_buf|.
235 // |output_buf| must have enough space to accomodate the output of the PRF
236 // specified by |hash|.
237 // Returns true if the block was successfully computed.
239 DWORD hash_size,
242 uint32 block_index,
244 // From RFC 2898:
245 // 3. <snip> The function F is defined as the exclusive-or sum of the first
246 // c iterates of the underlying pseudorandom function PRF applied to the
247 // password P and the concatenation of the salt S and the block index i:
248 // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
249 // where
250 // U_1 = PRF(P, S || INT (i))
251 // U_2 = PRF(P, U_1)
252 // ...
253 // U_c = PRF(P, U_{c-1})
254 ScopedHCRYPTHASH safe_hash;
259 // Iteration U_1: Compute PRF for S.
265 // Iteration U_1: and append (big-endian) INT (i).
280 // Iteration 2 - c: Compute U_{iteration} by applying the PRF to
281 // U_{iteration - 1}, then xor the resultant hash with |output|, which
282 // contains U_1 ^ U_2 ^ ... ^ U_{iteration - 1}.
300 }
303 }
308 // TODO(wtc): create a "secure" string type that zeroes itself in the
309 // destructor.
312 }
314 // static
319 ScopedHCRYPTPROV provider;
320 ScopedHCRYPTKEY key;
333 }
338 }
347 key_size_in_bytes);
352 }
354 // static
360 // CryptoAPI lacks routines to perform PBKDF2 derivation as specified
361 // in RFC 2898, so it must be manually implemented. Only HMAC-SHA1 is
362 // supported as the PRF.
364 // While not used until the end, sanity-check the input before proceeding
365 // with the expensive computation.
380 }
384 ScopedHCRYPTPROV provider;
386 CRYPT_VERIFYCONTEXT);
390 // Convert the user password into a key suitable to be fed into the PRF
391 // function.
392 ScopedHCRYPTKEY password_as_key;
399 // Configure the PRF function. Only HMAC variants are supported, with the
400 // only hash function supported being SHA1.
401 // TODO(rsleevi): Support SHA-256 on XP SP3+.
402 ScopedHCRYPTHASH prf;
413 // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
420 }
422 // 2. Let l be the number of hLen-octet blocks in the derived key,
423 // rounding up, and let r be the number of octets in the last
424 // block:
432 // 3. For each block of the derived key apply the function F defined below
433 // to the password P, the salt S, the iteration count c, and the block
434 // index to compute the block:
435 // T_1 = F (P, S, c, 1)
436 // T_2 = F (P, S, c, 2)
437 // ...
438 // T_l = F (P, S, c, l)
439 // <snip>
440 // 4. Concatenate the blocks and extract the first dkLen octets to produce
441 // a derived key DK:
442 // DK = T_1 || T_2 || ... || T_l<0..r-1>
445 block_offset))
448 }
450 // Convert the derived key bytes into a key handle for the desired algorithm.
451 ScopedHCRYPTKEY key;
461 }
463 // static
480 }
484 ScopedHCRYPTPROV provider;
486 CRYPT_VERIFYCONTEXT);
490 ScopedHCRYPTKEY key;
496 }
499 // Short circuit for when the key was supplied to the constructor.
503 }
524 }
527 HCRYPTKEY key,
532 key_size_in_bytes);
533 }
534 }