You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1083 lines
30 KiB
1083 lines
30 KiB
#include "global.hxx"
|
|
|
|
// crypto defs
|
|
#include <wincrypt.h>
|
|
#include "randlib.h"
|
|
|
|
#include "pfxhelp.h"
|
|
|
|
#include "pfxcmn.h"
|
|
#include "pfxcrypt.h"
|
|
|
|
#include "sha.h"
|
|
#include "shacomm.h"
|
|
#include "rc2.h"
|
|
#include "modes.h"
|
|
#include "des.h"
|
|
#include "tripldes.h"
|
|
|
|
// constants used in PKCS5-like key derivation
|
|
#define DERIVE_ENCRYPT_DECRYPT 0x1
|
|
#define DERIVE_INITIAL_VECTOR 0x2
|
|
#define DERIVE_INTEGRITY_KEY 0x3
|
|
|
|
#define HMAC_K_PADSIZE 64
|
|
|
|
BOOL FMyPrimitiveSHA(
|
|
PBYTE pbData,
|
|
DWORD cbData,
|
|
BYTE rgbHash[A_SHA_DIGEST_LEN])
|
|
{
|
|
BOOL fRet = FALSE;
|
|
A_SHA_CTX sSHAHash;
|
|
|
|
|
|
A_SHAInit(&sSHAHash);
|
|
A_SHAUpdate(&sSHAHash, (BYTE *) pbData, cbData);
|
|
A_SHAFinal(&sSHAHash, rgbHash);
|
|
|
|
fRet = TRUE;
|
|
//Ret:
|
|
|
|
return fRet;
|
|
}
|
|
|
|
BOOL FMyPrimitiveHMACParam(
|
|
PBYTE pbKeyMaterial,
|
|
DWORD cbKeyMaterial,
|
|
PBYTE pbData,
|
|
DWORD cbData,
|
|
BYTE rgbHMAC[A_SHA_DIGEST_LEN])
|
|
{
|
|
BOOL fRet = FALSE;
|
|
|
|
BYTE rgbKipad[HMAC_K_PADSIZE];
|
|
BYTE rgbKopad[HMAC_K_PADSIZE];
|
|
|
|
// truncate
|
|
if (cbKeyMaterial > HMAC_K_PADSIZE)
|
|
cbKeyMaterial = HMAC_K_PADSIZE;
|
|
|
|
|
|
ZeroMemory(rgbKipad, HMAC_K_PADSIZE);
|
|
CopyMemory(rgbKipad, pbKeyMaterial, cbKeyMaterial);
|
|
|
|
ZeroMemory(rgbKopad, HMAC_K_PADSIZE);
|
|
CopyMemory(rgbKopad, pbKeyMaterial, cbKeyMaterial);
|
|
|
|
|
|
|
|
BYTE rgbHMACTmp[HMAC_K_PADSIZE+A_SHA_DIGEST_LEN];
|
|
|
|
// assert we're a multiple
|
|
assert( (HMAC_K_PADSIZE % sizeof(DWORD)) == 0);
|
|
|
|
// Kipad, Kopad are padded sMacKey. Now XOR across...
|
|
for(DWORD dwBlock=0; dwBlock<HMAC_K_PADSIZE/sizeof(DWORD); dwBlock++)
|
|
{
|
|
((DWORD*)rgbKipad)[dwBlock] ^= 0x36363636;
|
|
((DWORD*)rgbKopad)[dwBlock] ^= 0x5C5C5C5C;
|
|
}
|
|
|
|
|
|
// prepend Kipad to data, Hash to get H1
|
|
{
|
|
// do this inline, don't call MyPrimitiveSHA since it would require data copy
|
|
A_SHA_CTX sSHAHash;
|
|
BYTE HashVal[A_SHA_DIGEST_LEN];
|
|
|
|
A_SHAInit(&sSHAHash);
|
|
A_SHAUpdate(&sSHAHash, rgbKipad, HMAC_K_PADSIZE);
|
|
A_SHAUpdate(&sSHAHash, pbData, cbData);
|
|
|
|
// Finish off the hash
|
|
A_SHAFinal(&sSHAHash, HashVal);
|
|
|
|
// prepend Kopad to H1, hash to get HMAC
|
|
CopyMemory(rgbHMACTmp, rgbKopad, HMAC_K_PADSIZE);
|
|
CopyMemory(rgbHMACTmp+HMAC_K_PADSIZE, HashVal, A_SHA_DIGEST_LEN);
|
|
}
|
|
|
|
if (!FMyPrimitiveSHA(
|
|
rgbHMACTmp,
|
|
sizeof(rgbHMACTmp),
|
|
rgbHMAC))
|
|
goto Ret;
|
|
|
|
fRet = TRUE;
|
|
Ret:
|
|
|
|
return fRet;
|
|
}
|
|
|
|
static
|
|
BOOL
|
|
CopyPassword(
|
|
BYTE *pbLocation,
|
|
LPCWSTR szPassword,
|
|
DWORD dwMaxBytes
|
|
)
|
|
{
|
|
DWORD i = 0;
|
|
DWORD cbWideChars = WSZ_BYTECOUNT(szPassword);
|
|
BYTE *pbWideChars = (BYTE *) szPassword;
|
|
|
|
while ((i<cbWideChars) && (i<dwMaxBytes))
|
|
{
|
|
pbLocation[i] = pbWideChars[i+1];
|
|
pbLocation[i+1] = pbWideChars[i];
|
|
i+=2;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//+ --------------------------------------------------------------
|
|
// in NSCP's initial implementation of PFX020, this
|
|
// is the algorithm they used to derive a key from a password.
|
|
// We include it so we can interoperate.
|
|
BOOL NSCPDeriveKey(
|
|
LPCWSTR szPassword,
|
|
PBYTE pbPrivacySalt,
|
|
DWORD cbPrivacySalt,
|
|
int iPKCS5Iterations,
|
|
PBYTE pbPKCS5Salt,
|
|
DWORD cbPKCS5Salt,
|
|
PBYTE pbDerivedMaterial,
|
|
DWORD cbDerivedMaterial)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
BYTE rgbPKCS5Key[A_SHA_DIGEST_LEN];
|
|
|
|
DWORD cbVirtualPW = cbPrivacySalt + WSZ_BYTECOUNT(szPassword);
|
|
PBYTE pbVirtualPW = (PBYTE)SSAlloc(cbVirtualPW);
|
|
if (pbVirtualPW == NULL)
|
|
goto Ret;
|
|
|
|
// Virtual PW = (salt | szPW)
|
|
CopyMemory(pbVirtualPW, pbPrivacySalt, cbPrivacySalt);
|
|
CopyPassword(&pbVirtualPW[cbPrivacySalt], szPassword, WSZ_BYTECOUNT(szPassword));
|
|
|
|
// use PKCS#5 to generate initial bit stream (seed)
|
|
if (!PKCS5_GenKey(
|
|
iPKCS5Iterations,
|
|
pbVirtualPW, cbVirtualPW,
|
|
pbPKCS5Salt, cbPKCS5Salt,
|
|
rgbPKCS5Key))
|
|
goto Ret;
|
|
|
|
if (cbDerivedMaterial > sizeof(rgbPKCS5Key))
|
|
{
|
|
// P_hash (secret, seed) = HMAC_hash (secret, A(0) + seed),
|
|
// HMAC_hash (secret, A(1) + seed),
|
|
// HMAC_hash (secret, A(2) + seed),
|
|
// HMAC_hash (secret, A(3) + seed) ...
|
|
// where
|
|
// A(0) = seed
|
|
// A(i) = HMAC_hash(secret, A(i-1))
|
|
// seed = PKCS5 salt for PKCS5 PBE param
|
|
// secret = normal PKCS5 hashed key
|
|
|
|
if (!P_Hash (
|
|
rgbPKCS5Key,
|
|
sizeof(rgbPKCS5Key),
|
|
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
|
|
pbDerivedMaterial, // output
|
|
cbDerivedMaterial, // # of output bytes requested
|
|
TRUE) ) // NSCP compat mode?
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
// we already have enough bits to satisfy the request
|
|
CopyMemory(pbDerivedMaterial, rgbPKCS5Key, cbDerivedMaterial);
|
|
}
|
|
|
|
fRet = TRUE;
|
|
Ret:
|
|
if (pbVirtualPW)
|
|
SSFree(pbVirtualPW);
|
|
|
|
return fRet;
|
|
}
|
|
|
|
|
|
static
|
|
BYTE
|
|
AddWithCarry(
|
|
BYTE byte1,
|
|
BYTE byte2,
|
|
BYTE *carry // IN and OUT
|
|
)
|
|
{
|
|
BYTE tempCarry = *carry;
|
|
|
|
if (((DWORD)byte1 + (DWORD)byte2 + (DWORD)tempCarry) >= 256) {
|
|
*carry = 1;
|
|
}
|
|
else {
|
|
*carry = 0;
|
|
}
|
|
|
|
|
|
return (byte1 + byte2 + tempCarry);
|
|
}
|
|
|
|
// 512 bits = ? bytes
|
|
#define SHA_INTERNAL_BLOCKLEN (512/8)
|
|
#define SHA_V_LENGTH (512/8)
|
|
|
|
//+ --------------------------------------------------------------
|
|
// In PKCS12 v1.0 Draft, this is the way they describe to
|
|
// derive a key from a password.
|
|
BOOL
|
|
PKCS12DeriveKey(
|
|
LPCWSTR szPassword,
|
|
BYTE bID,
|
|
|
|
int iIterations,
|
|
PBYTE pbSalt,
|
|
DWORD cbSalt,
|
|
|
|
PBYTE pbDerivedMaterial,
|
|
DWORD cbDerivedMaterial)
|
|
{
|
|
#if DBG
|
|
if (iIterations>1)
|
|
OutputDebugString("Perf hit: iterating key derivation! (pfxcrypt:PKCS12DeriveKey())\n");
|
|
#endif
|
|
BOOL fRet = FALSE;
|
|
|
|
BYTE rgSaltPwd[2*SHA_INTERNAL_BLOCKLEN];
|
|
DWORD cbSaltPwd;
|
|
BYTE rgDiversifier[SHA_INTERNAL_BLOCKLEN];
|
|
BYTE B[SHA_V_LENGTH];
|
|
DWORD i;
|
|
DWORD cbPassword = WSZ_BYTECOUNT(szPassword);
|
|
BYTE bCarry;
|
|
DWORD vBlocks;
|
|
|
|
A_SHA_CTX sSHAHash;
|
|
|
|
// construct D
|
|
FillMemory(rgDiversifier, sizeof(rgDiversifier), bID);
|
|
|
|
// concat salt to create string of length 64*(cb/64) bytes
|
|
|
|
// copy salt (multiple) times, don't copy the last time
|
|
for (i=0; i<(SHA_INTERNAL_BLOCKLEN-cbSalt); i+=cbSalt)
|
|
{
|
|
CopyMemory(&rgSaltPwd[i], pbSalt, cbSalt);
|
|
}
|
|
// do final copy (assert we have less than cbSalt bytes left to copy)
|
|
assert(cbSalt >= (SHA_INTERNAL_BLOCKLEN - (i%SHA_INTERNAL_BLOCKLEN)) );
|
|
CopyMemory(&rgSaltPwd[i], pbSalt, (SHA_INTERNAL_BLOCKLEN-(i%SHA_INTERNAL_BLOCKLEN)));
|
|
|
|
|
|
// if the password is not NULL, concat pwd to create string of length 64*(cbPwd/64) bytes
|
|
// copy pwd (multiple) times, don't copy the last time
|
|
if (szPassword)
|
|
{
|
|
// truncate if necessary
|
|
if (cbPassword > SHA_INTERNAL_BLOCKLEN)
|
|
cbPassword = SHA_INTERNAL_BLOCKLEN;
|
|
|
|
for (i=SHA_INTERNAL_BLOCKLEN; i<( (2*SHA_INTERNAL_BLOCKLEN)-cbPassword); i+=cbPassword)
|
|
{
|
|
// use CopyPassword because bytes need to be swapped
|
|
CopyPassword(&rgSaltPwd[i], szPassword, cbPassword);
|
|
}
|
|
// do final copy (assert we have less than cbSalt bytes left to copy)
|
|
assert(cbPassword >= (SHA_INTERNAL_BLOCKLEN - (i%SHA_INTERNAL_BLOCKLEN)) );
|
|
CopyPassword(&rgSaltPwd[i], szPassword, (SHA_INTERNAL_BLOCKLEN-(i%SHA_INTERNAL_BLOCKLEN)));
|
|
|
|
cbSaltPwd = sizeof(rgSaltPwd);
|
|
}
|
|
else
|
|
{
|
|
cbSaltPwd = sizeof(rgSaltPwd) / 2;
|
|
}
|
|
|
|
|
|
// concat S|P
|
|
// done, available in rgSaltPwd
|
|
|
|
|
|
// set c = cbDerivedMaterial/A_SHA_DIGEST_LEN
|
|
//assert(0 == cbDerivedMaterial%A_SHA_DIGEST_LEN);
|
|
|
|
// compute working size >= output size
|
|
DWORD cBlocks = (DWORD)((cbDerivedMaterial/A_SHA_DIGEST_LEN) +1);
|
|
DWORD cbTmpBuf = cBlocks * A_SHA_DIGEST_LEN;
|
|
PBYTE pbTmpBuf = (PBYTE)LocalAlloc(LPTR, cbTmpBuf);
|
|
if (pbTmpBuf == NULL)
|
|
goto Ret;
|
|
|
|
// now do only full blocks
|
|
for (i=0; i< cBlocks; i++)
|
|
{
|
|
int iIter;
|
|
int iCount;
|
|
A_SHAInit(&sSHAHash);
|
|
|
|
for (iIter=0; iIter<iIterations; iIter++)
|
|
{
|
|
// Tmp = Hash(D | I);
|
|
if (iIter==0)
|
|
{
|
|
A_SHAUpdate(&sSHAHash, rgDiversifier, sizeof(rgDiversifier));
|
|
A_SHAUpdate(&sSHAHash, rgSaltPwd, cbSaltPwd);
|
|
}
|
|
else
|
|
{
|
|
// rehash last output
|
|
A_SHAUpdate(&sSHAHash, &pbTmpBuf[i*A_SHA_DIGEST_LEN], A_SHA_DIGEST_LEN);
|
|
}
|
|
|
|
// spit iteration output to final buffer
|
|
A_SHAFinal(&sSHAHash, &pbTmpBuf[i*A_SHA_DIGEST_LEN]);
|
|
}
|
|
|
|
// concat A[x] | A[x] | ... and truncate to get 64 bytes
|
|
iCount = 0;
|
|
while (iCount+A_SHA_DIGEST_LEN <= sizeof(B)) {
|
|
CopyMemory(&B[iCount], &pbTmpBuf[i*A_SHA_DIGEST_LEN], A_SHA_DIGEST_LEN);
|
|
iCount += A_SHA_DIGEST_LEN;
|
|
}
|
|
CopyMemory(&B[iCount], &pbTmpBuf[i*A_SHA_DIGEST_LEN], sizeof(B) % A_SHA_DIGEST_LEN);
|
|
|
|
|
|
// modify I by setting Ij += (B + 1) (mod 2^512)
|
|
for (vBlocks = 0; vBlocks < cbSaltPwd; vBlocks += SHA_V_LENGTH) {
|
|
bCarry = 1;
|
|
for (iCount = SHA_V_LENGTH-1; iCount >= 0; iCount--)
|
|
{
|
|
rgSaltPwd[iCount+vBlocks] = AddWithCarry(rgSaltPwd[iCount+vBlocks], B[iCount], &bCarry);
|
|
}
|
|
}
|
|
}
|
|
|
|
// copy from (larger) working buffer to output buffer
|
|
CopyMemory(pbDerivedMaterial, pbTmpBuf, cbDerivedMaterial);
|
|
|
|
fRet = TRUE;
|
|
Ret:
|
|
if (pbTmpBuf)
|
|
LocalFree(pbTmpBuf);
|
|
|
|
return fRet;
|
|
}
|
|
|
|
//+ --------------------------------------------------------------
|
|
// in NSCP's initial implementation of PFX020, this
|
|
// is the algorithm they used to decrypt data. This uses the
|
|
// key derivation code above.
|
|
// We include it so we can interoperate.
|
|
BOOL NSCPPasswordDecryptData(
|
|
int iEncrType,
|
|
|
|
LPCWSTR szPassword,
|
|
|
|
PBYTE pbPrivacySalt, // privacy salt
|
|
DWORD cbPrivacySalt,
|
|
|
|
int iPKCS5Iterations, // pkcs5 data
|
|
PBYTE pbPKCS5Salt,
|
|
DWORD cbPKCS5Salt,
|
|
|
|
PBYTE* ppbData, // in/out
|
|
DWORD* pcbData)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
|
|
BYTE rgbDerivedKeyMatl[40]; // 320 bits is enough for 128 bit key, 64 bit IV
|
|
DWORD cbNeeded;
|
|
|
|
if (iEncrType == RC2_40)
|
|
cbNeeded = (40/8)+RC2_BLOCKLEN; // key + IV
|
|
else
|
|
cbNeeded = 0;
|
|
|
|
// make next muliple of SHA dig len
|
|
if (cbNeeded % A_SHA_DIGEST_LEN)
|
|
{
|
|
cbNeeded += (A_SHA_DIGEST_LEN - (cbNeeded % A_SHA_DIGEST_LEN));
|
|
}
|
|
|
|
assert(0 == (cbNeeded % A_SHA_DIGEST_LEN));
|
|
assert(cbNeeded <= sizeof(rgbDerivedKeyMatl));
|
|
|
|
if (!NSCPDeriveKey(
|
|
szPassword,
|
|
pbPrivacySalt,
|
|
cbPrivacySalt,
|
|
iPKCS5Iterations,
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedKeyMatl,
|
|
cbNeeded) )
|
|
goto Ret;
|
|
|
|
// NOW decrypt data
|
|
if (iEncrType == RC2_40)
|
|
{
|
|
DWORD dwDataPos;
|
|
DWORD cbToBeDec = *pcbData;
|
|
WORD rc2Table[RC2_TABLESIZE];
|
|
BYTE rc2Fdbk [RC2_BLOCKLEN];
|
|
|
|
assert( (40/8) <= sizeof(rgbDerivedKeyMatl));
|
|
assert( 0 == cbToBeDec % RC2_BLOCKLEN ); // must be even multiple
|
|
|
|
// key setup
|
|
RC2Key(rc2Table, rgbDerivedKeyMatl, (40/8)); // take first 40 bits of keying material
|
|
CopyMemory(rc2Fdbk, &rgbDerivedKeyMatl[cbNeeded - sizeof(rc2Fdbk)], sizeof(rc2Fdbk)); // fdbk is last chunk
|
|
|
|
// decryption
|
|
for (dwDataPos=0; cbToBeDec > 0; dwDataPos+=RC2_BLOCKLEN, cbToBeDec -= RC2_BLOCKLEN)
|
|
{
|
|
BYTE rgbDec[RC2_BLOCKLEN];
|
|
|
|
CBC(
|
|
RC2,
|
|
RC2_BLOCKLEN,
|
|
rgbDec,
|
|
&(*ppbData)[dwDataPos],
|
|
rc2Table,
|
|
DECRYPT,
|
|
rc2Fdbk);
|
|
|
|
CopyMemory(&(*ppbData)[dwDataPos], rgbDec, RC2_BLOCKLEN);
|
|
}
|
|
}
|
|
else
|
|
goto Ret;
|
|
|
|
|
|
|
|
fRet = TRUE;
|
|
|
|
Ret:
|
|
return fRet;
|
|
}
|
|
|
|
|
|
|
|
//+ --------------------------------------------------------------
|
|
// in the PKCS12 v1.0 Draft, this is how they describe how to
|
|
// encrypt data.
|
|
BOOL PFXPasswordEncryptData(
|
|
int iEncrType,
|
|
LPCWSTR szPassword,
|
|
|
|
int iPKCS5Iterations, // pkcs5 data
|
|
PBYTE pbPKCS5Salt,
|
|
DWORD cbPKCS5Salt,
|
|
|
|
PBYTE* ppbData,
|
|
DWORD* pcbData)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
BOOL fIsBlockCipher = FALSE;
|
|
DWORD cbToBeEnc;
|
|
|
|
BYTE rgbDerivedKey[A_SHA_DIGEST_LEN*2]; // 320 bits is enough for 256 bit key
|
|
BYTE rgbDerivedIV[A_SHA_DIGEST_LEN*2]; // 320 bits is enough for 256 bit IV
|
|
DWORD cbKeyNeeded, cbIVNeeded, cbBlockLen;
|
|
|
|
if (iEncrType == RC2_40)
|
|
{
|
|
cbKeyNeeded = (40/8); // key
|
|
cbIVNeeded = RC2_BLOCKLEN; // IV
|
|
cbBlockLen = RC2_BLOCKLEN;
|
|
fIsBlockCipher = TRUE;
|
|
}
|
|
else if (iEncrType == TripleDES)
|
|
{
|
|
cbKeyNeeded = (64/8) * 3;
|
|
cbIVNeeded = DES_BLOCKLEN;
|
|
cbBlockLen = DES_BLOCKLEN;
|
|
fIsBlockCipher = TRUE;
|
|
}
|
|
else
|
|
{
|
|
cbKeyNeeded = 0;
|
|
cbIVNeeded = 0;
|
|
cbBlockLen = 0;
|
|
}
|
|
|
|
// make next muliple of SHA dig len
|
|
if (cbKeyNeeded % A_SHA_DIGEST_LEN)
|
|
cbKeyNeeded += (A_SHA_DIGEST_LEN - (cbKeyNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
if (cbIVNeeded % A_SHA_DIGEST_LEN)
|
|
cbIVNeeded += (A_SHA_DIGEST_LEN - (cbIVNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
assert(0 == (cbKeyNeeded % A_SHA_DIGEST_LEN));
|
|
assert(0 == (cbIVNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
assert(cbKeyNeeded <= sizeof(rgbDerivedKey));
|
|
assert(cbIVNeeded <= sizeof(rgbDerivedIV));
|
|
|
|
|
|
if (!PKCS12DeriveKey(
|
|
szPassword,
|
|
DERIVE_ENCRYPT_DECRYPT,
|
|
iPKCS5Iterations,
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedKey,
|
|
cbKeyNeeded) )
|
|
goto Ret;
|
|
|
|
if (!PKCS12DeriveKey(
|
|
szPassword,
|
|
DERIVE_INITIAL_VECTOR,
|
|
iPKCS5Iterations,
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedIV,
|
|
cbIVNeeded) )
|
|
goto Ret;
|
|
|
|
if (fIsBlockCipher)
|
|
{
|
|
PBYTE pTemp = *ppbData;
|
|
|
|
// extend buffer to multiple of blocklen
|
|
cbToBeEnc = *pcbData;
|
|
cbToBeEnc += cbBlockLen - (cbToBeEnc%cbBlockLen); // {1..BLOCKLEN}
|
|
#pragma prefast(suppress:308, "the pointer was saved above (PREfast bug 506)")
|
|
*ppbData = (PBYTE)SSReAlloc(*ppbData, cbToBeEnc);
|
|
if (NULL == *ppbData)
|
|
{
|
|
SSFree(pTemp);
|
|
goto Ret;
|
|
}
|
|
|
|
// pad remaining bytes with length
|
|
FillMemory(&((*ppbData)[*pcbData]), cbToBeEnc-(*pcbData), (BYTE)(cbToBeEnc-(*pcbData)));
|
|
*pcbData = cbToBeEnc;
|
|
|
|
assert( cbBlockLen <= sizeof(rgbDerivedKey));
|
|
assert( 0 == cbToBeEnc % cbBlockLen ); // must be even multiple
|
|
}
|
|
|
|
// NOW encrypt data
|
|
if (iEncrType == RC2_40)
|
|
{
|
|
DWORD dwDataPos;
|
|
WORD rc2Table[RC2_TABLESIZE];
|
|
BYTE rc2Fdbk [RC2_BLOCKLEN];
|
|
|
|
// already done: extend buffer, add PKCS byte padding
|
|
|
|
// key setup
|
|
RC2Key(rc2Table, rgbDerivedKey, (40/8)); // take first 40 bits of keying material
|
|
CopyMemory(rc2Fdbk, rgbDerivedIV, sizeof(rc2Fdbk));
|
|
|
|
// decryption
|
|
for (dwDataPos=0; cbToBeEnc > 0; dwDataPos+=RC2_BLOCKLEN, cbToBeEnc -= RC2_BLOCKLEN)
|
|
{
|
|
BYTE rgbEnc[RC2_BLOCKLEN];
|
|
|
|
CBC(
|
|
RC2,
|
|
RC2_BLOCKLEN,
|
|
rgbEnc,
|
|
&(*ppbData)[dwDataPos],
|
|
rc2Table,
|
|
ENCRYPT,
|
|
rc2Fdbk);
|
|
|
|
CopyMemory(&(*ppbData)[dwDataPos], rgbEnc, sizeof(rgbEnc));
|
|
}
|
|
}
|
|
else if (iEncrType == TripleDES)
|
|
{
|
|
DWORD dwDataPos;
|
|
DES3TABLE des3Table;
|
|
BYTE des3Fdbk [DES_BLOCKLEN];
|
|
|
|
// already done: extend buffer, add PKCS byte padding
|
|
|
|
// key setup
|
|
tripledes3key(&des3Table, rgbDerivedKey);
|
|
CopyMemory(des3Fdbk, rgbDerivedIV, sizeof(des3Fdbk)); // fdbk is last chunk
|
|
|
|
for (dwDataPos=0; cbToBeEnc > 0; dwDataPos+=DES_BLOCKLEN, cbToBeEnc -= DES_BLOCKLEN)
|
|
{
|
|
BYTE rgbEnc[DES_BLOCKLEN];
|
|
|
|
CBC(
|
|
tripledes,
|
|
DES_BLOCKLEN,
|
|
rgbEnc,
|
|
&(*ppbData)[dwDataPos],
|
|
(void *) &des3Table,
|
|
ENCRYPT,
|
|
des3Fdbk);
|
|
|
|
CopyMemory(&(*ppbData)[dwDataPos], rgbEnc, DES_BLOCKLEN);
|
|
}
|
|
}
|
|
else
|
|
goto Ret;
|
|
|
|
fRet = TRUE;
|
|
|
|
Ret:
|
|
return fRet;
|
|
}
|
|
|
|
//+ --------------------------------------------------------------
|
|
// in the PKCS12 v1.0 Draft, this is how they describe how to
|
|
// decrypt data.
|
|
BOOL PFXPasswordDecryptData(
|
|
int iEncrType,
|
|
LPCWSTR szPassword,
|
|
|
|
int iPKCS5Iterations, // pkcs5 data
|
|
PBYTE pbPKCS5Salt,
|
|
DWORD cbPKCS5Salt,
|
|
|
|
PBYTE* ppbData,
|
|
DWORD* pcbData)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
BOOL fIsBlockCipher = FALSE;
|
|
|
|
BYTE rgbDerivedKey[A_SHA_DIGEST_LEN*2]; // 320 bits is enough for 256 bit key
|
|
BYTE rgbDerivedIV[A_SHA_DIGEST_LEN*2]; // 320 bits is enough for 256 bit IV
|
|
DWORD cbKeyNeeded, cbIVNeeded, cbBlockLen;
|
|
|
|
if (iEncrType == RC2_40)
|
|
{
|
|
cbKeyNeeded = (40/8); // key
|
|
cbIVNeeded = RC2_BLOCKLEN; // IV
|
|
cbBlockLen = RC2_BLOCKLEN;
|
|
fIsBlockCipher = TRUE;
|
|
}
|
|
else if (iEncrType == TripleDES)
|
|
{
|
|
cbKeyNeeded = (64/8) * 3;
|
|
cbIVNeeded = DES_BLOCKLEN;
|
|
cbBlockLen = DES_BLOCKLEN;
|
|
fIsBlockCipher = TRUE;
|
|
}
|
|
else
|
|
{
|
|
cbKeyNeeded = 0;
|
|
cbIVNeeded = 0;
|
|
cbBlockLen = 0;
|
|
}
|
|
|
|
// make next muliple of SHA dig len
|
|
if (cbKeyNeeded % A_SHA_DIGEST_LEN)
|
|
cbKeyNeeded += (A_SHA_DIGEST_LEN - (cbKeyNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
if (cbIVNeeded % A_SHA_DIGEST_LEN)
|
|
cbIVNeeded += (A_SHA_DIGEST_LEN - (cbIVNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
assert(0 == (cbKeyNeeded % A_SHA_DIGEST_LEN));
|
|
assert(0 == (cbIVNeeded % A_SHA_DIGEST_LEN));
|
|
|
|
assert(cbKeyNeeded <= sizeof(rgbDerivedKey));
|
|
assert(cbIVNeeded <= sizeof(rgbDerivedIV));
|
|
|
|
|
|
if (!PKCS12DeriveKey(
|
|
szPassword,
|
|
DERIVE_ENCRYPT_DECRYPT,
|
|
iPKCS5Iterations,
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedKey,
|
|
cbKeyNeeded) )
|
|
goto Ret;
|
|
|
|
if (!PKCS12DeriveKey(
|
|
szPassword,
|
|
DERIVE_INITIAL_VECTOR,
|
|
iPKCS5Iterations,
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedIV,
|
|
cbIVNeeded) )
|
|
goto Ret;
|
|
|
|
// NOW decrypt data
|
|
if (iEncrType == RC2_40)
|
|
{
|
|
BYTE rgbDec[RC2_BLOCKLEN];
|
|
|
|
DWORD dwDataPos;
|
|
DWORD cbToBeDec = *pcbData;
|
|
WORD rc2Table[RC2_TABLESIZE];
|
|
BYTE rc2Fdbk [RC2_BLOCKLEN];
|
|
|
|
assert( (40/8) <= sizeof(rgbDerivedKey));
|
|
assert( 0 == cbToBeDec % RC2_BLOCKLEN ); // must be even multiple
|
|
|
|
// key setup
|
|
RC2Key(rc2Table, rgbDerivedKey, (40/8)); // take first 40 bits of keying material
|
|
CopyMemory(rc2Fdbk, rgbDerivedIV, sizeof(rc2Fdbk));
|
|
|
|
// decryption
|
|
for (dwDataPos=0; cbToBeDec > 0; dwDataPos+=RC2_BLOCKLEN, cbToBeDec -= RC2_BLOCKLEN)
|
|
{
|
|
CBC(
|
|
RC2,
|
|
RC2_BLOCKLEN,
|
|
rgbDec,
|
|
&(*ppbData)[dwDataPos],
|
|
rc2Table,
|
|
DECRYPT,
|
|
rc2Fdbk);
|
|
|
|
CopyMemory(&(*ppbData)[dwDataPos], rgbDec, sizeof(rgbDec));
|
|
}
|
|
}
|
|
else if (iEncrType == TripleDES) {
|
|
DWORD dwDataPos;
|
|
DWORD cbToBeDec = *pcbData;
|
|
DES3TABLE des3Table;
|
|
BYTE des3Fdbk [DES_BLOCKLEN];
|
|
|
|
|
|
// key setup
|
|
tripledes3key(&des3Table, rgbDerivedKey);
|
|
CopyMemory(des3Fdbk, rgbDerivedIV, sizeof(des3Fdbk)); // fdbk is last chunk
|
|
|
|
for (dwDataPos=0; cbToBeDec > 0; dwDataPos += DES_BLOCKLEN, cbToBeDec -= DES_BLOCKLEN)
|
|
{
|
|
BYTE rgbDec[DES_BLOCKLEN];
|
|
|
|
CBC(
|
|
tripledes,
|
|
DES_BLOCKLEN,
|
|
rgbDec,
|
|
&(*ppbData)[dwDataPos],
|
|
(void *) &des3Table,
|
|
DECRYPT,
|
|
des3Fdbk);
|
|
|
|
CopyMemory(&(*ppbData)[dwDataPos], rgbDec, DES_BLOCKLEN);
|
|
}
|
|
}
|
|
else
|
|
goto Ret;
|
|
|
|
// Remove padding
|
|
if (fIsBlockCipher)
|
|
{
|
|
PBYTE pTemp = *ppbData;
|
|
|
|
// last byte of decr is pad byte
|
|
BYTE iPadBytes;
|
|
iPadBytes = (*ppbData)[*pcbData-1];
|
|
if (iPadBytes > cbBlockLen)
|
|
goto Ret;
|
|
|
|
#pragma prefast(suppress:308, "the pointer was saved above (PREfast bug 506)")
|
|
*ppbData = (PBYTE)SSReAlloc( (*ppbData), *pcbData - iPadBytes);
|
|
if (NULL == *ppbData)
|
|
{
|
|
SSFree(pTemp);
|
|
goto Ret;
|
|
}
|
|
*pcbData -= iPadBytes;
|
|
}
|
|
|
|
fRet = TRUE;
|
|
|
|
Ret:
|
|
return fRet;
|
|
}
|
|
|
|
//+ --------------------------------------------------------------
|
|
// in the PKCS12 v1.0 Draft, this is how they describe how to
|
|
// generate a checksum that will prove data integrid.
|
|
BOOL FGenerateMAC(
|
|
|
|
LPCWSTR szPassword,
|
|
|
|
PBYTE pbPKCS5Salt,
|
|
DWORD cbPKCS5Salt,
|
|
DWORD iterationCount,
|
|
|
|
PBYTE pbData, // pb data
|
|
DWORD cbData, // cb data
|
|
BYTE rgbMAC[]) // output
|
|
{
|
|
// UNDONE UNDONE: Use RSABase
|
|
|
|
BOOL fRet = FALSE;
|
|
BYTE rgbDerivedKey[A_SHA_DIGEST_LEN]; // 160 bits is enough for a MAC key
|
|
DWORD cbKeyNeeded = A_SHA_DIGEST_LEN;
|
|
|
|
assert(0 == (cbKeyNeeded % A_SHA_DIGEST_LEN));
|
|
assert(cbKeyNeeded <= sizeof(rgbDerivedKey));
|
|
|
|
if (!PKCS12DeriveKey(
|
|
szPassword,
|
|
DERIVE_INTEGRITY_KEY,
|
|
iterationCount, // no other way to determine iterations: HARDCODE
|
|
pbPKCS5Salt,
|
|
cbPKCS5Salt,
|
|
rgbDerivedKey,
|
|
cbKeyNeeded) )
|
|
goto Ret;
|
|
|
|
if (!FMyPrimitiveHMACParam(
|
|
rgbDerivedKey,
|
|
cbKeyNeeded,
|
|
pbData,
|
|
cbData,
|
|
rgbMAC))
|
|
goto Ret;
|
|
|
|
fRet = TRUE;
|
|
Ret:
|
|
|
|
return fRet;
|
|
}
|
|
|
|
/////////////////////////////////////////////////////////////////
|
|
// begin tls1key.cpp
|
|
/*-----------------------------------------------------------------------------
|
|
* Copyright (C) Microsoft Corporation, 1995 - 1999
|
|
* All rights reserved.
|
|
*----------------------------------------------------------------------------*/
|
|
|
|
// the original PKCS5 algorithm for generating a key from a password
|
|
BOOL PKCS5_GenKey
|
|
(
|
|
int iIterations,
|
|
PBYTE pbPW,
|
|
DWORD cbPW,
|
|
PBYTE pbSalt,
|
|
DWORD cbSalt,
|
|
BYTE rgbPKCS5Key[A_SHA_DIGEST_LEN]
|
|
)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
|
|
int i;
|
|
DWORD cbTmp = cbSalt + cbPW;
|
|
PBYTE pbTmp = (PBYTE) SSAlloc(cbTmp);
|
|
if (pbTmp == NULL)
|
|
goto Ret;
|
|
|
|
|
|
// pbTmp is ( PW | Salt )
|
|
CopyMemory(pbTmp, pbPW, cbPW);
|
|
CopyMemory(&pbTmp[cbPW], pbSalt, cbSalt);
|
|
|
|
for (i=0; i<iIterations; i++)
|
|
{
|
|
if (i == 0) {
|
|
if (!FMyPrimitiveSHA(
|
|
pbTmp, // in
|
|
cbTmp, // in
|
|
rgbPKCS5Key))
|
|
goto Ret;
|
|
|
|
}
|
|
else {
|
|
if (!FMyPrimitiveSHA(
|
|
rgbPKCS5Key, // in
|
|
A_SHA_DIGEST_LEN, // in
|
|
rgbPKCS5Key))
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
fRet = TRUE;
|
|
Ret:
|
|
SSFree(pbTmp);
|
|
return fRet;
|
|
}
|
|
|
|
//+ ---------------------------------------------------------------------
|
|
// the P_Hash algorithm from TLS that was used in NSCP's PFX020 version
|
|
// to derive a key from a password. It is included here for completeness.
|
|
|
|
// NSCP made some implementation errors when they coded this up; to interop,
|
|
// use the fNSCPInteropMode parameter. The real P_Hash algorithm is used
|
|
// when fNSCPInteropMode is FALSE.
|
|
BOOL P_Hash
|
|
(
|
|
PBYTE pbSecret,
|
|
DWORD cbSecret,
|
|
|
|
PBYTE pbSeed,
|
|
DWORD cbSeed,
|
|
|
|
PBYTE pbKeyOut, //Buffer to copy the result...
|
|
DWORD cbKeyOut, //# of bytes of key length they want as output.
|
|
|
|
BOOL fNSCPInteropMode
|
|
)
|
|
{
|
|
BOOL fRet = FALSE;
|
|
BYTE rgbDigest[A_SHA_DIGEST_LEN];
|
|
DWORD iKey;
|
|
|
|
PBYTE pbAofiDigest = (PBYTE)SSAlloc(cbSeed + A_SHA_DIGEST_LEN);
|
|
if (pbAofiDigest == NULL)
|
|
goto Ret;
|
|
|
|
ZeroMemory(pbAofiDigest, cbSeed+A_SHA_DIGEST_LEN);
|
|
|
|
// First, we define a data expansion function, P_hash(secret, data)
|
|
// which uses a single hash function to expand a secret and seed into
|
|
// an arbitrary quantity of output:
|
|
|
|
// P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
|
|
// HMAC_hash(secret, A(2) + seed) +
|
|
// HMAC_hash(secret, A(3) + seed) + ...
|
|
|
|
// Where + indicates concatenation.
|
|
|
|
// A() is defined as:
|
|
// A(0) = seed
|
|
// A(i) = HMAC_hash(secret, A(i-1))
|
|
|
|
|
|
if (fNSCPInteropMode)
|
|
{
|
|
// NSCP interop mode: 7/7/97
|
|
// nscp leaves (A_SHA_DIGEST_LEN-cbSeed) bytes zeroed between
|
|
// the seed and the appended seed. For interop, do derivation this way
|
|
|
|
// Also, they use A(0) to derive key bytes, whereas TLS spec
|
|
// specifies to wait for A(1).
|
|
CopyMemory(pbAofiDigest, pbSeed, cbSeed);
|
|
}
|
|
else
|
|
{
|
|
// build A(1)
|
|
if (!FMyPrimitiveHMACParam(pbSecret, cbSecret, pbSeed, cbSeed, pbAofiDigest))
|
|
goto Ret;
|
|
}
|
|
|
|
|
|
// create Aofi: ( A(i) | seed )
|
|
CopyMemory(&pbAofiDigest[A_SHA_DIGEST_LEN], pbSeed, cbSeed);
|
|
|
|
// make sure that cbKeyOut is a multiple of A_SHA_DIGEST_LEN
|
|
if ((cbKeyOut % A_SHA_DIGEST_LEN) != 0)
|
|
{
|
|
goto Ret;
|
|
}
|
|
|
|
for (iKey=0; cbKeyOut; iKey++)
|
|
{
|
|
// build Digest = HMAC(key | A(i) | seed);
|
|
if (!FMyPrimitiveHMACParam(pbSecret, cbSecret, pbAofiDigest, cbSeed + A_SHA_DIGEST_LEN, rgbDigest))
|
|
goto Ret;
|
|
|
|
// append to pbKeyOut
|
|
CopyMemory(pbKeyOut, rgbDigest, A_SHA_DIGEST_LEN);
|
|
|
|
pbKeyOut += A_SHA_DIGEST_LEN;
|
|
cbKeyOut -= A_SHA_DIGEST_LEN;
|
|
|
|
// build A(i) = HMAC(key, A(i-1))
|
|
if (!FMyPrimitiveHMACParam(pbSecret, cbSecret, pbAofiDigest, A_SHA_DIGEST_LEN, pbAofiDigest))
|
|
goto Ret;
|
|
}
|
|
|
|
fRet = TRUE;
|
|
|
|
Ret:
|
|
if (pbAofiDigest)
|
|
SSFree(pbAofiDigest);
|
|
|
|
return fRet;
|
|
}
|
|
|
|
|
|
|
|
#if DBG
|
|
|
|
// test vector for real P_Hash
|
|
BOOL FTestPHASH_and_HMAC()
|
|
{
|
|
BYTE rgbKey[] = {0x33, 0x62, 0xf9, 0x42, 0x43};
|
|
CHAR szPwd[] = "My Password";
|
|
|
|
BYTE rgbKeyOut[7*A_SHA_DIGEST_LEN];
|
|
static BYTE rgbTestVectorOutput[] = {
|
|
0x24, 0xF2, 0x98, 0x75, 0xE1, 0x90, 0x6D, 0x49,
|
|
0x96, 0x5B, 0x87, 0xB8, 0xBC, 0xD3, 0x11, 0x6C,
|
|
0x13, 0xDC, 0xBD, 0xC2, 0x7E, 0x56, 0xD0, 0x3C,
|
|
0xAC, 0xCD, 0x86, 0x58, 0x31, 0x67, 0x7B, 0x23,
|
|
0x19, 0x6E, 0x36, 0x65, 0xBF, 0x9F, 0x3D, 0x03,
|
|
0x5A, 0x9C, 0x6E, 0xD7, 0xEB, 0x3E, 0x5A, 0xE6,
|
|
0x05, 0x86, 0x84, 0x5A, 0xC3, 0x97, 0xFC, 0x17,
|
|
0xF5, 0xF0, 0xF5, 0x16, 0x67, 0xAD, 0x7C, 0xED,
|
|
0x65, 0xDC, 0x0B, 0x99, 0x58, 0x5D, 0xCA, 0x66,
|
|
0x28, 0xAD, 0xA5, 0x39, 0x54, 0x44, 0x36, 0x13,
|
|
0x91, 0xCE, 0xE9, 0x73, 0x23, 0x43, 0x2E, 0xEC,
|
|
0xA2, 0xC3, 0xE7, 0xFA, 0x74, 0xA7, 0xB6, 0x75,
|
|
0x77, 0xF5, 0xF5, 0x16, 0xC2, 0xEE, 0xED, 0x7A,
|
|
0x21, 0x86, 0x1D, 0x84, 0x6F, 0xC6, 0x03, 0xF3,
|
|
0xCC, 0x77, 0x02, 0xFA, 0x76, 0x46, 0x64, 0x57,
|
|
0xBB, 0x56, 0x3A, 0xF7, 0x7E, 0xB4, 0xD6, 0x52,
|
|
0x72, 0x8C, 0x34, 0xF1, 0xA4, 0x1E, 0xA7, 0xA6,
|
|
0xCD, 0xBD, 0x3C, 0x16, 0x4D, 0x79, 0x20, 0x50 };
|
|
|
|
P_Hash(
|
|
rgbKey, sizeof(rgbKey),
|
|
(PBYTE)szPwd, strlen(szPwd),
|
|
rgbKeyOut, sizeof(rgbKeyOut), FALSE);
|
|
|
|
if (0 != memcmp(rgbKeyOut, rgbTestVectorOutput, sizeof(rgbKeyOut)) )
|
|
{
|
|
OutputDebugString("ERROR: phash vector test invalid!!!\n");
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
// test vector for NSCP P_Hash
|
|
BOOL F_NSCP_TestPHASH_and_HMAC()
|
|
{
|
|
BYTE rgbKey[] = { 0xc9, 0xc1, 0x69, 0x6e, 0x30, 0xa8, 0x91, 0x0d,
|
|
0x12, 0x19, 0x48, 0xef, 0x23, 0xac, 0x5b, 0x1f,
|
|
0x2e, 0xc4, 0x0e, 0xc2 };
|
|
|
|
BYTE rgbSalt[] = { 0x1a, 0xb5, 0xf1, 0x1a, 0x5b, 0x6a, 0x6a, 0x5e };
|
|
|
|
BYTE rgbKeyOut[7*A_SHA_DIGEST_LEN];
|
|
static BYTE rgbTestVectorOutput[] = {
|
|
0x52, 0x7c, 0xbf, 0x90, 0xb1, 0xa1, 0xd0, 0xbf,
|
|
0x21, 0x56, 0x34, 0xf2, 0x1f, 0x5c, 0x98, 0xcf,
|
|
0x55, 0x95, 0xb1, 0x35, 0x65, 0xe3, 0x31, 0x44,
|
|
0x78, 0xc5, 0x41, 0xa9, 0x2a, 0x14, 0x80, 0x19,
|
|
0x56, 0x86, 0xa4, 0x71, 0x07, 0x24, 0x2d, 0x64 };
|
|
|
|
assert(sizeof(rgbKeyOut) > sizeof(rgbTestVectorOutput));
|
|
|
|
P_Hash(
|
|
rgbKey, sizeof(rgbKey),
|
|
rgbSalt, sizeof(rgbSalt),
|
|
rgbKeyOut, sizeof(rgbTestVectorOutput),
|
|
TRUE);
|
|
|
|
if (0 != memcmp(rgbKeyOut, rgbTestVectorOutput, sizeof(rgbTestVectorOutput)) )
|
|
{
|
|
OutputDebugString("ERROR: NSCP phash vector test invalid!!!\n");
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
#endif // DBG
|