archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/cryptoapi/secstor/common/primitiv.cpp

510 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*
  2. File: primitiv.cpp
  4. Title: Cryptographic Primitives for Protected Storage
  5. Author: Matt Thomlinson
  6. Date: 11/22/96
  8. With the help of the rsa32 library, this module manufactures
  9. actually _usable_ primitives.
  11. Since CryptoAPI base provider may call us, we can't use
  12. CryptXXX primitives (circular dependencies may result).
  16. Functions in this module:
  18. FMyMakeDESKey
  19. Given key material, does necessary DES key setup. Has the
  20. side effect of stashing the keying material in the DESKey
  21. structure.
  23. FMyPrimitiveSHA
  24. Given pbData/cbData, runs SHA1 Init-Update-Final and returns
  25. the hash buffer.
  27. FMyPrimitiveDESEncrypt
  28. Given a ppbBlock/pcbBlock/DESKey structure, DES CBC (with an
  29. IV of 0)encrypts the block with the DESKey passed in. DESKey
  30. must be passed in with key setup already done. Note that this
  31. call might realloc ppbBlock since the encrypted length must be
  32. a multiple of the blocksize.
  34. FMyPrimitiveDESDecrypt
  35. Given a pbBlock/pcbBlock/DESKey structure, decrypts the
  36. block with the given (prepared) DESKey. Note that pbBlock
  37. will not be realloced, since the output buffer is always
  38. smaller than or the same size as the encrypted buffer.
  40. FMyPrimitiveDeriveKey
  41. Derives a DES key from multiple input buffers in
  42. the following manner:
  44. FMyMakeDESKey( SHA1(Salt | OtherData) )
  46. FMyOldPrimitiveHMAC (non-interoperable, buggy version of HMAC)
  47. FMyPrimitiveHMAC
  48. Derives a quality HMAC (Keyed message-authentication code) for
  49. passed-in data and prepared DESKey. The HMAC is computed in
  50. the following (standard HMAC) manner:
  52. KoPad = KiPad = DESKey key setup buffer
  53. XOR(KoPad, 0x5c5c5c5c)
  54. XOR(KiPad, 0x36363636)
  55. HMAC = SHA1(KoPad | SHA1(KiPad | Data))
  58. */
  60. #include <windows.h>
  62. // crypto defs
  63. #include <wincrypt.h>
  65. #include "sha.h"
  66. #include "des.h"
  67. #include "modes.h"
  68. #include "randlib.h"
  70. // others
  71. #include "primitiv.h"
  72. #include "debug.h"
  75. #define OLD_MAC_K_PADSIZE 16
  76. #define HMAC_K_PADSIZE 64
  79. BOOL FMyMakeDESKey(
  80. PDESKEY pDESKey,
  81. BYTE* pbKeyMaterial)
  82. {
  83. CopyMemory(pDESKey->rgbKey, pbKeyMaterial, DES_BLOCKLEN);
  85. // assumes pbKeyMaterial is at least DES_BLOCKLEN bytes
  86. deskey(&pDESKey->sKeyTable, pbKeyMaterial); // takes material, runs DES table setup
  87. return TRUE;
  88. }
  91. BOOL FMyPrimitiveSHA(
  92. PBYTE pbData,
  93. DWORD cbData,
  94. BYTE rgbHash[A_SHA_DIGEST_LEN])
  95. {
  96. A_SHA_CTX sSHAHash;
  99. A_SHAInit(&sSHAHash);
  100. A_SHAUpdate(&sSHAHash, (BYTE *) pbData, cbData);
  101. A_SHAFinal(&sSHAHash, rgbHash);
  103. return TRUE;
  104. }
  106. BOOL FMyPrimitiveDESDecrypt(
  107. PBYTE pbBlock, // in out
  108. DWORD *pcbBlock, // in out
  109. DESKEY sDESKey) // in
  110. {
  111. BOOL fRet = FALSE;
  113. DWORD dwDataLen = *pcbBlock;
  114. DWORD i;
  116. if (dwDataLen % DES_BLOCKLEN)
  117. {
  118. SetLastError((DWORD) NTE_BAD_DATA);
  119. return FALSE;
  120. }
  122. BYTE rgbBuf[DES_BLOCKLEN];
  124. BYTE rgbFeedBack[DES_BLOCKLEN];
  125. ZeroMemory(rgbFeedBack, DES_BLOCKLEN);
  127. // pump the data through the decryption, including padding
  128. // NOTE: the total length is a multiple of BlockLen
  130. for (DWORD BytePos = 0; (BytePos + DES_BLOCKLEN) <= dwDataLen; BytePos += DES_BLOCKLEN)
  131. {
  132. // put the encrypted text into a temp buffer
  133. CopyMemory(rgbBuf, pbBlock + BytePos, DES_BLOCKLEN);
  135. CBC(des, DES_BLOCKLEN, pbBlock + BytePos, rgbBuf, &sDESKey.sKeyTable,
  136. DECRYPT, rgbFeedBack);
  137. }
  139. // ## NOTE: if the pad is wrong, the user's buffer is hosed, because
  140. // ## we've decrypted into the user's buffer -- can we re-encrypt it?
  142. //
  143. // if dwPadVal is wrong, we've failed to decrypt correctly. Bad key?
  144. //
  146. DWORD dwPadVal = (DWORD) *(pbBlock + dwDataLen - 1);
  147. if (dwPadVal == 0 || dwPadVal > DES_BLOCKLEN)
  148. {
  149. SetLastError((DWORD) NTE_BAD_DATA);
  150. goto Ret;
  151. }
  153. // Make sure all the (rest of the) pad bytes are correct.
  154. for (i=1; i<dwPadVal; i++)
  155. {
  156. if ((pbBlock)[dwDataLen - (i + 1)] != dwPadVal)
  157. {
  158. SetLastError((DWORD) NTE_BAD_DATA);
  159. goto Ret;
  160. }
  161. }
  163. // update the length
  164. *pcbBlock -= dwPadVal;
  166. fRet = TRUE;
  167. Ret:
  168. return fRet;
  169. }
  171. BOOL FMyPrimitiveDESEncrypt(
  172. PBYTE* ppbBlock, // in out
  173. DWORD *pcbBlock, // in out
  174. DESKEY sDESKey) // in
  175. {
  176. BOOL fRet = FALSE;
  177. DWORD dwDataLen = *pcbBlock;
  179. PBYTE pTemp;
  181. DWORD cbPartial = (*pcbBlock % DES_BLOCKLEN);
  183. DWORD dwPadVal = DES_BLOCKLEN - cbPartial;
  184. if (dwPadVal != 0)
  185. {
  186. *pcbBlock += dwPadVal;
  188. pTemp = (PBYTE)SSReAlloc(*ppbBlock, *pcbBlock);
  190. if (NULL == pTemp) {
  192. return FALSE;
  194. }
  196. *ppbBlock = pTemp;
  197. }
  199. // now we're a multiple of DES_BLOCKLEN
  200. SS_ASSERT((*pcbBlock % DES_BLOCKLEN) == 0);
  202. if (dwPadVal)
  203. {
  204. // Fill the pad with a value equal to the
  205. // length of the padding, so decrypt will
  206. // know the length of the original data
  207. // and as a simple integrity check.
  209. FillMemory(*ppbBlock + dwDataLen, (int)dwPadVal, (size_t)dwPadVal);
  210. }
  212. // allocate memory for a temporary buffer
  213. BYTE rgbBuf[DES_BLOCKLEN];
  215. BYTE rgbFeedBack[DES_BLOCKLEN];
  216. ZeroMemory(rgbFeedBack, DES_BLOCKLEN);
  218. PBYTE pbData = *ppbBlock;
  220. // pump the full blocks of data through
  221. for (dwDataLen = *pcbBlock; dwDataLen>0; dwDataLen-=DES_BLOCKLEN, pbData+=DES_BLOCKLEN)
  222. {
  223. SS_ASSERT(dwDataLen >= DES_BLOCKLEN);
  225. // put the plaintext into a temporary
  226. // buffer, then encrypt the data
  227. // back into the caller's buffer
  229. CopyMemory(rgbBuf, pbData, DES_BLOCKLEN);
  231. CBC(des, DES_BLOCKLEN, pbData, rgbBuf, &sDESKey.sKeyTable,
  232. ENCRYPT, rgbFeedBack);
  233. }
  235. fRet = TRUE;
  236. //Ret:
  237. return fRet;
  238. }
  241. BOOL FMyPrimitiveDeriveKey(
  242. PBYTE pbSalt,
  243. DWORD cbSalt,
  244. PBYTE pbOtherData,
  245. DWORD cbOtherData,
  246. DESKEY* pDesKey)
  247. {
  248. BOOL fRet = FALSE;
  250. A_SHA_CTX sSHAHash;
  251. BYTE HashVal[A_SHA_DIGEST_LEN];
  253. /*
  254. PBYTE pbToBeHashed = (PBYTE)SSAlloc(cbSalt+cbOtherData);
  255. if(pbToBeHashed == NULL) return FALSE;
  257. CopyMemory(pbToBeHashed, pbSalt, cbSalt);
  258. CopyMemory((PBYTE)((DWORD)pbToBeHashed+cbSalt), pbOtherData, cbOtherData);
  260. // hash data
  261. BYTE rgbHash[A_SHA_DIGEST_LEN];
  262. if (!FMyPrimitiveSHA(pbToBeHashed, cbSalt+cbOtherData, rgbHash))
  263. goto Ret;
  264. */
  265. // NEW: put hashing code inline: saves alloc, copy, free
  266. A_SHAInit(&sSHAHash);
  267. A_SHAUpdate(&sSHAHash, (BYTE *) pbSalt, cbSalt);
  268. A_SHAUpdate(&sSHAHash, (BYTE *) pbOtherData, cbOtherData);
  269. A_SHAFinal(&sSHAHash, HashVal);
  271. // now all data hashed, derive a session key
  272. SS_ASSERT(sizeof(HashVal) >= DES_BLOCKLEN);
  273. if (!FMyMakeDESKey(pDesKey, HashVal))
  274. goto Ret;
  276. ZeroMemory( HashVal, sizeof(HashVal) );
  278. fRet = TRUE;
  279. Ret:
  280. return fRet;
  281. }
  284. BOOL FMyOldPrimitiveHMAC(
  285. DESKEY sMacKey,
  286. PBYTE pbData,
  287. DWORD cbData,
  288. BYTE rgbHMAC[A_SHA_DIGEST_LEN])
  289. {
  290. BOOL fRet = FALSE;
  292. BYTE rgbKipad[OLD_MAC_K_PADSIZE];
  293. BYTE rgbKopad[OLD_MAC_K_PADSIZE];
  295. ZeroMemory(rgbKipad, OLD_MAC_K_PADSIZE);
  296. CopyMemory(rgbKipad, &sMacKey.rgbKey, DES_BLOCKLEN);
  298. CopyMemory(rgbKopad, rgbKipad, sizeof(rgbKipad));
  301. BYTE rgbHMACTmp[OLD_MAC_K_PADSIZE+A_SHA_DIGEST_LEN];
  304. // assert we're a multiple
  305. SS_ASSERT( (OLD_MAC_K_PADSIZE % sizeof(DWORD)) == 0);
  307. // Kipad, Kopad are padded sMacKey. Now XOR across...
  308. for(DWORD dwBlock=0; dwBlock<OLD_MAC_K_PADSIZE/sizeof(DWORD); dwBlock++)
  309. {
  310. ((DWORD*)rgbKipad)[dwBlock] ^= 0x36363636;
  311. ((DWORD*)rgbKopad)[dwBlock] ^= 0x5C5C5C5C;
  312. }
  315. // prepend Kipad to data, Hash to get H1
  316. {
  317. // do this inline, don't call MyPrimitiveSHA since it would require data copy
  318. A_SHA_CTX sSHAHash;
  319. BYTE HashVal[A_SHA_DIGEST_LEN];
  321. A_SHAInit(&sSHAHash);
  322. A_SHAUpdate(&sSHAHash, pbData, cbData);
  323. A_SHAUpdate(&sSHAHash, rgbKipad, OLD_MAC_K_PADSIZE);
  324. // Finish off the hash
  325. A_SHAFinal(&sSHAHash, HashVal);
  327. // prepend Kopad to H1, hash to get HMAC
  328. CopyMemory(rgbHMACTmp, rgbKopad, OLD_MAC_K_PADSIZE);
  329. CopyMemory(rgbHMACTmp+OLD_MAC_K_PADSIZE, HashVal, A_SHA_DIGEST_LEN);
  330. }
  332. if (!FMyPrimitiveSHA(
  333. rgbHMACTmp,
  334. sizeof(rgbHMACTmp),
  335. rgbHMAC))
  336. goto Ret;
  338. fRet = TRUE;
  339. Ret:
  341. return fRet;
  342. }
  345. BOOL FMyPrimitiveHMAC(
  346. DESKEY sMacKey,
  347. PBYTE pbData,
  348. DWORD cbData,
  349. BYTE rgbHMAC[A_SHA_DIGEST_LEN])
  350. {
  351. return FMyPrimitiveHMACParam(
  352. sMacKey.rgbKey,
  353. DES_BLOCKLEN,
  354. pbData,
  355. cbData,
  356. rgbHMAC);
  357. }
  359. BOOL FMyPrimitiveHMACParam(
  360. PBYTE pbKeyMaterial,
  361. DWORD cbKeyMaterial,
  362. PBYTE pbData,
  363. DWORD cbData,
  364. BYTE rgbHMAC[A_SHA_DIGEST_LEN] // output buffer
  365. )
  366. {
  367. BOOL fRet = FALSE;
  369. BYTE rgbKipad[HMAC_K_PADSIZE];
  370. BYTE rgbKopad[HMAC_K_PADSIZE];
  372. // truncate
  373. if (cbKeyMaterial > HMAC_K_PADSIZE)
  374. cbKeyMaterial = HMAC_K_PADSIZE;
  377. ZeroMemory(rgbKipad, HMAC_K_PADSIZE);
  378. CopyMemory(rgbKipad, pbKeyMaterial, cbKeyMaterial);
  380. ZeroMemory(rgbKopad, HMAC_K_PADSIZE);
  381. CopyMemory(rgbKopad, pbKeyMaterial, cbKeyMaterial);
  385. BYTE rgbHMACTmp[HMAC_K_PADSIZE+A_SHA_DIGEST_LEN];
  387. // assert we're a multiple
  388. SS_ASSERT( (HMAC_K_PADSIZE % sizeof(DWORD)) == 0);
  390. // Kipad, Kopad are padded sMacKey. Now XOR across...
  391. for(DWORD dwBlock=0; dwBlock<HMAC_K_PADSIZE/sizeof(DWORD); dwBlock++)
  392. {
  393. ((DWORD*)rgbKipad)[dwBlock] ^= 0x36363636;
  394. ((DWORD*)rgbKopad)[dwBlock] ^= 0x5C5C5C5C;
  395. }
  398. // prepend Kipad to data, Hash to get H1
  399. {
  400. // do this inline, don't call MyPrimitiveSHA since it would require data copy
  401. A_SHA_CTX sSHAHash;
  402. BYTE HashVal[A_SHA_DIGEST_LEN];
  404. A_SHAInit(&sSHAHash);
  405. A_SHAUpdate(&sSHAHash, rgbKipad, HMAC_K_PADSIZE);
  406. A_SHAUpdate(&sSHAHash, pbData, cbData);
  408. // Finish off the hash
  409. A_SHAFinal(&sSHAHash, HashVal);
  411. // prepend Kopad to H1, hash to get HMAC
  412. CopyMemory(rgbHMACTmp, rgbKopad, HMAC_K_PADSIZE);
  413. CopyMemory(rgbHMACTmp+HMAC_K_PADSIZE, HashVal, A_SHA_DIGEST_LEN);
  414. }
  416. // final hash: output value into passed-in buffer
  417. if (!FMyPrimitiveSHA(
  418. rgbHMACTmp,
  419. sizeof(rgbHMACTmp),
  420. rgbHMAC))
  421. goto Ret;
  423. fRet = TRUE;
  424. Ret:
  426. return fRet;
  427. }
  429. /////////////////////////////////////////////////////////////////////////
  430. // PKCS5DervivePBKDF2_SHA
  431. //
  432. // Performs a PKCS #5 Iterative key derivation (type 2)
  433. // using HMAC_SHA as the primitive hashing function
  434. /////////////////////////////////////////////////////////////////////////
  436. BOOL PKCS5DervivePBKDF2(
  437. PBYTE pbKeyMaterial,
  438. DWORD cbKeyMaterial,
  439. PBYTE pbSalt,
  440. DWORD cbSalt,
  441. DWORD KeyGenAlg,
  442. DWORD cIterationCount,
  443. DWORD iBlockIndex,
  444. BYTE rgbPKCS5Key[A_SHA_DIGEST_LEN] // output buffer
  445. )
  447. {
  449. DWORD i,j;
  450. A_SHA_CTX sSHAHash;
  451. BYTE rgbPKCS5Temp[A_SHA_DIGEST_LEN];
  452. BYTE rgbTempData[PBKDF2_MAX_SALT_SIZE + 4];
  454. if((cIterationCount <1) ||
  455. (NULL == pbKeyMaterial) ||
  456. (NULL == pbSalt) ||
  457. (0 == cbKeyMaterial) ||
  458. (0 == cbSalt) ||
  459. (cbSalt > PBKDF2_MAX_SALT_SIZE) ||
  460. (KeyGenAlg != CALG_HMAC))
  461. {
  462. return FALSE;
  463. }
  465. //
  466. // Add in the block index
  467. //
  468. CopyMemory(rgbTempData, pbSalt, cbSalt);
  469. rgbTempData[cbSalt] = 0;
  470. rgbTempData[cbSalt+1] = 0;
  471. rgbTempData[cbSalt+2] = 0;
  472. rgbTempData[cbSalt+3] = (BYTE)(iBlockIndex & 0xff);
  474. //
  475. // Perfom the initial iteration, which is
  476. // HMAC_SHA1(KeyMaterial, Salt || cBlockIndex)
  477. //
  478. if(!FMyPrimitiveHMACParam(pbKeyMaterial,
  479. cbKeyMaterial,
  480. rgbTempData,
  481. cbSalt+4,
  482. rgbPKCS5Key))
  483. return FALSE;
  487. //
  488. // Perform additional iterations
  489. // HMAC_SHA1(KeyMaterial, last)
  490. //
  493. for (i=1; i<cIterationCount; i++)
  494. {
  495. if(!FMyPrimitiveHMACParam(pbKeyMaterial,
  496. cbKeyMaterial,
  497. rgbPKCS5Key,
  498. A_SHA_DIGEST_LEN,
  499. rgbPKCS5Temp))
  500. return FALSE;
  501. // xor back into the primary key.
  502. for(j=0; j < (A_SHA_DIGEST_LEN / 4); j++)
  503. {
  504. ((DWORD *)rgbPKCS5Key)[j] ^= ((DWORD *)rgbPKCS5Temp)[j];
  505. }
  506. }
  508. return TRUE;
  509. }