archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/protocols/schannel/spbase/tls1key.c

537 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*-----------------------------------------------------------------------------
  2. * Copyright (C) Microsoft Corporation, 1995 - 1996.
  3. * All rights reserved.
  4. *
  5. * Owner : ramas
  6. * Date : 5/03/97
  7. * description : Main Crypto functions for TLS1
  8. *----------------------------------------------------------------------------*/
  10. #include <spbase.h>
  12. #define DEB_TLS1KEYS 0x01000000
  15. //+---------------------------------------------------------------------------
  16. //
  17. // Function: Tls1MakeWriteSessionKeys
  18. //
  19. // Synopsis:
  20. //
  21. // Arguments: [pContext] -- Schannel context.
  22. //
  23. // History: 10-10-97 jbanes Added server-side CAPI integration.
  24. //
  25. // Notes:
  26. //
  27. //----------------------------------------------------------------------------
  28. SP_STATUS
  29. Tls1MakeWriteSessionKeys(PSPContext pContext)
  30. {
  31. BOOL fClient;
  33. // Determine if we're a client or a server.
  34. fClient = (0 != (pContext->RipeZombie->fProtocol & SP_PROT_TLS1_CLIENT));
  36. if(pContext->hWriteKey)
  37. {
  38. if(!CryptDestroyKey(pContext->hWriteKey))
  39. {
  40. SP_LOG_RESULT(GetLastError());
  41. }
  42. }
  43. pContext->hWriteProv = pContext->RipeZombie->hMasterProv;
  44. pContext->hWriteKey = pContext->hPendingWriteKey;
  45. pContext->hPendingWriteKey = 0;
  47. if(pContext->hWriteMAC)
  48. {
  49. if(!CryptDestroyKey(pContext->hWriteMAC))
  50. {
  51. SP_LOG_RESULT(GetLastError());
  52. }
  53. }
  54. pContext->hWriteMAC = pContext->hPendingWriteMAC;
  55. pContext->hPendingWriteMAC = 0;
  57. return PCT_ERR_OK;
  58. }
  61. //+---------------------------------------------------------------------------
  62. //
  63. // Function: Tls1MakeReadSessionKeys
  64. //
  65. // Synopsis:
  66. //
  67. // Arguments: [pContext] -- Schannel context.
  68. //
  69. // History: 10-10-97 jbanes Added server-side CAPI integration.
  70. //
  71. // Notes:
  72. //
  73. //----------------------------------------------------------------------------
  74. SP_STATUS
  75. Tls1MakeReadSessionKeys(PSPContext pContext)
  76. {
  77. BOOL fClient;
  79. // Determine if we're a client or a server.
  80. fClient = (0 != (pContext->RipeZombie->fProtocol & SP_PROT_TLS1_CLIENT));
  82. if(pContext->hReadKey)
  83. {
  84. if(!CryptDestroyKey(pContext->hReadKey))
  85. {
  86. SP_LOG_RESULT(GetLastError());
  87. }
  88. }
  89. pContext->hReadProv = pContext->RipeZombie->hMasterProv;
  90. pContext->hReadKey = pContext->hPendingReadKey;
  91. pContext->hPendingReadKey = 0;
  93. if(pContext->hReadMAC)
  94. {
  95. if(!CryptDestroyKey(pContext->hReadMAC))
  96. {
  97. SP_LOG_RESULT(GetLastError());
  98. }
  99. }
  100. pContext->hReadMAC = pContext->hPendingReadMAC;
  101. pContext->hPendingReadMAC = 0;
  103. return PCT_ERR_OK;
  104. }
  106. //+---------------------------------------------------------------------------
  107. //
  108. // Function: Tls1ComputeMac
  109. //
  110. // Synopsis:
  111. //
  112. // Arguments: [pContext] --
  113. // [hSecret] --
  114. // [dwSequence] --
  115. // [pClean] --
  116. // [cContentType] --
  117. // [pbMac] --
  118. // [cbMac]
  119. //
  120. // History: 10-03-97 jbanes Created.
  121. //
  122. // Notes:
  123. //
  124. //----------------------------------------------------------------------------
  125. SP_STATUS
  126. Tls1ComputeMac(
  127. PSPContext pContext,
  128. BOOL fReadMac,
  129. PSPBuffer pClean,
  130. CHAR cContentType,
  131. PBYTE pbMac,
  132. DWORD cbMac)
  133. {
  134. HCRYPTHASH hHash;
  135. HMAC_INFO HmacInfo;
  136. PBYTE pbData;
  137. DWORD cbData;
  138. DWORD cbDataReverse;
  139. DWORD dwReverseSequence;
  140. UCHAR rgbData1[15];
  141. PUCHAR pbData1;
  142. DWORD cbData1;
  143. HCRYPTPROV hProv;
  144. HCRYPTKEY hSecret;
  145. DWORD dwSequence;
  146. PHashInfo pHashInfo;
  148. pbData = pClean->pvBuffer;
  149. cbData = pClean->cbData;
  150. if(cbData & 0xFFFF0000)
  151. {
  152. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  153. }
  155. if(fReadMac)
  156. {
  157. hProv = pContext->hReadProv;
  158. hSecret = pContext->hReadMAC;
  159. dwSequence = pContext->ReadCounter;
  160. pHashInfo = pContext->pReadHashInfo;
  161. }
  162. else
  163. {
  164. hProv = pContext->hWriteProv;
  165. hSecret = pContext->hWriteMAC;
  166. dwSequence = pContext->WriteCounter;
  167. pHashInfo = pContext->pWriteHashInfo;
  168. }
  170. if(!hProv)
  171. {
  172. return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
  173. }
  175. // Create hash object.
  176. if(!CryptCreateHash(hProv,
  177. CALG_HMAC,
  178. hSecret,
  179. 0,
  180. &hHash))
  181. {
  182. SP_LOG_RESULT(GetLastError());
  183. return PCT_INT_INTERNAL_ERROR;
  184. }
  186. // Specify hash algorithm.
  187. ZeroMemory(&HmacInfo, sizeof(HMAC_INFO));
  188. HmacInfo.HashAlgid = pHashInfo->aiHash;
  189. if(!CryptSetHashParam(hHash,
  190. HP_HMAC_INFO,
  191. (PBYTE)&HmacInfo,
  192. 0))
  193. {
  194. SP_LOG_RESULT(GetLastError());
  195. CryptDestroyHash(hHash);
  196. return PCT_INT_INTERNAL_ERROR;
  197. }
  199. // Build data to be hashed.
  200. cbData1 = 2 * sizeof(DWORD) + // sequence number (64-bit)
  201. 1 + // content type
  202. 2 + // protocol version
  203. 2; // message length
  204. SP_ASSERT(cbData1 <= sizeof(rgbData1));
  206. pbData1 = rgbData1;
  208. ZeroMemory(pbData1, sizeof(DWORD));
  209. pbData1 += sizeof(DWORD);
  210. dwReverseSequence = htonl(dwSequence);
  211. CopyMemory(pbData1, &dwReverseSequence, sizeof(DWORD));
  212. pbData1 += sizeof(DWORD);
  214. *pbData1++ = cContentType;
  216. *pbData1++ = SSL3_CLIENT_VERSION_MSB;
  217. *pbData1++ = TLS1_CLIENT_VERSION_LSB;
  219. cbDataReverse = (cbData >> 8) | (cbData << 8);
  220. CopyMemory(pbData1, &cbDataReverse, 2);
  222. // Hash data.
  223. if(!CryptHashData(hHash, rgbData1, cbData1, 0))
  224. {
  225. SP_LOG_RESULT(GetLastError());
  226. CryptDestroyHash(hHash);
  227. return PCT_INT_INTERNAL_ERROR;
  228. }
  229. if(!CryptHashData(hHash, pbData, cbData, 0))
  230. {
  231. SP_LOG_RESULT(GetLastError());
  232. CryptDestroyHash(hHash);
  233. return PCT_INT_INTERNAL_ERROR;
  234. }
  236. // Get hash value.
  237. if(!CryptGetHashParam(hHash,
  238. HP_HASHVAL,
  239. pbMac,
  240. &cbMac,
  241. 0))
  242. {
  243. SP_LOG_RESULT(GetLastError());
  244. CryptDestroyHash(hHash);
  245. return PCT_INT_INTERNAL_ERROR;
  246. }
  247. SP_ASSERT(cbMac == pHashInfo->cbCheckSum);
  249. #if DBG
  250. DebugLog((DEB_TLS1KEYS, " TLS1 MAC Output"));
  251. DBG_HEX_STRING(DEB_TLS1KEYS, pbMac, cbMac);
  252. #endif
  254. CryptDestroyHash(hHash);
  256. return PCT_ERR_OK;
  257. }
  259. #define HMAC_K_PADSIZE 64
  261. BOOL MyPrimitiveSHA(
  262. PBYTE pbData,
  263. DWORD cbData,
  264. BYTE rgbHash[A_SHA_DIGEST_LEN])
  265. {
  266. BOOL fRet = FALSE;
  267. A_SHA_CTX sSHAHash;
  270. A_SHAInit(&sSHAHash);
  271. A_SHAUpdate(&sSHAHash, (BYTE *) pbData, cbData);
  272. A_SHAFinal(&sSHAHash, rgbHash);
  274. fRet = TRUE;
  275. //Ret:
  277. return fRet;
  278. }
  280. BOOL MyPrimitiveMD5(
  281. PBYTE pbData,
  282. DWORD cbData,
  283. BYTE rgbHash[MD5DIGESTLEN])
  284. {
  285. BOOL fRet = FALSE;
  286. MD5_CTX sMD5Hash;
  289. MD5Init(&sMD5Hash);
  290. MD5Update(&sMD5Hash, (BYTE *) pbData, cbData);
  291. MD5Final(&sMD5Hash);
  292. memcpy(rgbHash, sMD5Hash.digest, MD5DIGESTLEN);
  294. fRet = TRUE;
  295. //Ret:
  297. return fRet;
  298. }
  300. BOOL MyPrimitiveHMACParam(
  301. PBYTE pbKeyMaterial,
  302. DWORD cbKeyMaterial,
  303. PBYTE pbData,
  304. DWORD cbData,
  305. ALG_ID Algid,
  306. BYTE rgbHMAC[A_SHA_DIGEST_LEN])
  307. {
  308. BYTE rgbHMACTmp[HMAC_K_PADSIZE+A_SHA_DIGEST_LEN];
  309. BOOL fRet = FALSE;
  311. BYTE rgbKipad[HMAC_K_PADSIZE];
  312. BYTE rgbKopad[HMAC_K_PADSIZE];
  313. DWORD dwBlock;
  315. // truncate
  316. if (cbKeyMaterial > HMAC_K_PADSIZE)
  317. cbKeyMaterial = HMAC_K_PADSIZE;
  320. ZeroMemory(rgbKipad, HMAC_K_PADSIZE);
  321. CopyMemory(rgbKipad, pbKeyMaterial, cbKeyMaterial);
  323. ZeroMemory(rgbKopad, HMAC_K_PADSIZE);
  324. CopyMemory(rgbKopad, pbKeyMaterial, cbKeyMaterial);
  326. // Kipad, Kopad are padded sMacKey. Now XOR across...
  327. for(dwBlock=0; dwBlock<HMAC_K_PADSIZE/sizeof(DWORD); dwBlock++)
  328. {
  329. ((DWORD*)rgbKipad)[dwBlock] ^= 0x36363636;
  330. ((DWORD*)rgbKopad)[dwBlock] ^= 0x5C5C5C5C;
  331. }
  333. // prepend Kipad to data, Hash to get H1
  334. if (CALG_SHA1 == Algid)
  335. {
  336. // do this inline since it would require data copy
  337. A_SHA_CTX sSHAHash;
  338. BYTE HashVal[A_SHA_DIGEST_LEN];
  340. A_SHAInit(&sSHAHash);
  341. A_SHAUpdate(&sSHAHash, rgbKipad, HMAC_K_PADSIZE);
  342. A_SHAUpdate(&sSHAHash, pbData, cbData);
  344. // Finish off the hash
  345. A_SHAFinal(&sSHAHash, HashVal);
  347. // prepend Kopad to H1, hash to get HMAC
  348. CopyMemory(rgbHMACTmp, rgbKopad, HMAC_K_PADSIZE);
  349. CopyMemory(rgbHMACTmp+HMAC_K_PADSIZE, HashVal, A_SHA_DIGEST_LEN);
  351. if (!MyPrimitiveSHA(
  352. rgbHMACTmp,
  353. HMAC_K_PADSIZE + A_SHA_DIGEST_LEN,
  354. rgbHMAC))
  355. goto Ret;
  356. }
  357. else
  358. {
  359. // do this inline since it would require data copy
  360. MD5_CTX sMD5Hash;
  362. MD5Init(&sMD5Hash);
  363. MD5Update(&sMD5Hash, rgbKipad, HMAC_K_PADSIZE);
  364. MD5Update(&sMD5Hash, pbData, cbData);
  365. MD5Final(&sMD5Hash);
  367. // prepend Kopad to H1, hash to get HMAC
  368. CopyMemory(rgbHMACTmp, rgbKopad, HMAC_K_PADSIZE);
  369. CopyMemory(rgbHMACTmp+HMAC_K_PADSIZE, sMD5Hash.digest, MD5DIGESTLEN);
  371. if (!MyPrimitiveMD5(
  372. rgbHMACTmp,
  373. HMAC_K_PADSIZE + MD5DIGESTLEN,
  374. rgbHMAC))
  375. goto Ret;
  376. }
  378. fRet = TRUE;
  379. Ret:
  381. return fRet;
  382. }
  384. //+ ---------------------------------------------------------------------
  385. // the P_Hash algorithm from TLS
  386. BOOL P_Hash
  387. (
  388. PBYTE pbSecret,
  389. DWORD cbSecret,
  391. PBYTE pbSeed,
  392. DWORD cbSeed,
  394. ALG_ID Algid,
  396. PBYTE pbKeyOut, //Buffer to copy the result...
  397. DWORD cbKeyOut //# of bytes of key length they want as output.
  398. )
  399. {
  400. BOOL fRet = FALSE;
  401. BYTE rgbDigest[A_SHA_DIGEST_LEN];
  402. DWORD iKey;
  403. DWORD cbHash;
  405. PBYTE pbAofiDigest = NULL;
  407. SafeAllocaAllocate(pbAofiDigest, cbSeed + A_SHA_DIGEST_LEN);
  408. if (NULL == pbAofiDigest)
  409. goto Ret;
  411. if (CALG_SHA1 == Algid)
  412. {
  413. cbHash = A_SHA_DIGEST_LEN;
  414. }
  415. else
  416. {
  417. cbHash = MD5DIGESTLEN;
  418. }
  420. // First, we define a data expansion function, P_hash(secret, data)
  421. // which uses a single hash function to expand a secret and seed into
  422. // an arbitrary quantity of output:
  424. // P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
  425. // HMAC_hash(secret, A(2) + seed) +
  426. // HMAC_hash(secret, A(3) + seed) + ...
  428. // Where + indicates concatenation.
  430. // A() is defined as:
  431. // A(0) = seed
  432. // A(i) = HMAC_hash(secret, A(i-1))
  435. // build A(1)
  436. if (!MyPrimitiveHMACParam(pbSecret, cbSecret, pbSeed, cbSeed,
  437. Algid, pbAofiDigest))
  438. goto Ret;
  440. // create Aofi: ( A(i) | seed )
  441. CopyMemory(&pbAofiDigest[cbHash], pbSeed, cbSeed);
  443. for (iKey=0; cbKeyOut; iKey++)
  444. {
  445. // build Digest = HMAC(key | A(i) | seed);
  446. if (!MyPrimitiveHMACParam(pbSecret, cbSecret, pbAofiDigest,
  447. cbSeed + cbHash, Algid, rgbDigest))
  448. goto Ret;
  450. // append to pbKeyOut
  451. if(cbKeyOut < cbHash)
  452. {
  453. CopyMemory(pbKeyOut, rgbDigest, cbKeyOut);
  454. break;
  455. }
  456. else
  457. {
  458. CopyMemory(pbKeyOut, rgbDigest, cbHash);
  459. pbKeyOut += cbHash;
  460. }
  462. cbKeyOut -= cbHash;
  464. // build A(i) = HMAC(key, A(i-1))
  465. if (!MyPrimitiveHMACParam(pbSecret, cbSecret, pbAofiDigest, cbHash,
  466. Algid, pbAofiDigest))
  467. goto Ret;
  468. }
  470. fRet = TRUE;
  471. Ret:
  472. if (pbAofiDigest)
  473. SafeAllocaFree(pbAofiDigest);
  475. return fRet;
  476. }
  478. BOOL PRF(
  479. PBYTE pbSecret,
  480. DWORD cbSecret,
  482. PBYTE pbLabel,
  483. DWORD cbLabel,
  485. PBYTE pbSeed,
  486. DWORD cbSeed,
  488. PBYTE pbKeyOut, //Buffer to copy the result...
  489. DWORD cbKeyOut //# of bytes of key length they want as output.
  490. )
  491. {
  492. BYTE *pbBuff = NULL;
  493. BYTE *pbLabelAndSeed = NULL;
  494. DWORD cbLabelAndSeed;
  495. DWORD cbOdd;
  496. DWORD cbHalfSecret;
  497. DWORD i;
  498. BOOL fRet = FALSE;
  500. cbOdd = cbSecret % 2;
  501. cbHalfSecret = cbSecret / 2;
  503. cbLabelAndSeed = cbLabel + cbSeed;
  504. SafeAllocaAllocate(pbLabelAndSeed, cbLabelAndSeed);
  505. if (NULL == pbLabelAndSeed)
  506. goto Ret;
  507. SafeAllocaAllocate(pbBuff, cbKeyOut);
  508. if (NULL == pbBuff)
  509. goto Ret;
  511. // copy label and seed into one buffer
  512. memcpy(pbLabelAndSeed, pbLabel, cbLabel);
  513. memcpy(pbLabelAndSeed + cbLabel, pbSeed, cbSeed);
  515. // Use P_hash to calculate MD5 half
  516. if (!P_Hash(pbSecret, cbHalfSecret + cbOdd, pbLabelAndSeed,
  517. cbLabelAndSeed, CALG_MD5, pbKeyOut, cbKeyOut))
  518. goto Ret;
  520. // Use P_hash to calculate SHA half
  521. if (!P_Hash(pbSecret + cbHalfSecret, cbHalfSecret + cbOdd, pbLabelAndSeed,
  522. cbLabelAndSeed, CALG_SHA1, pbBuff, cbKeyOut))
  523. goto Ret;
  525. // XOR the two halves
  526. for (i=0;i<cbKeyOut;i++)
  527. {
  528. pbKeyOut[i] = pbKeyOut[i] ^ pbBuff[i];
  529. }
  530. fRet = TRUE;
  531. Ret:
  532. if (pbBuff)
  533. SafeAllocaFree(pbBuff);
  534. if (pbLabelAndSeed)
  535. SafeAllocaFree(pbLabelAndSeed);
  536. return fRet;
  537. }