2 * Copyright (c) 2010-2014 Florian Forster
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to deal
6 * in the Software without restriction, including without limitation the rights
7 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8 * copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
30 * Creating a HCRYPTKEY from a plain text password is probably the most tricky
31 * part when calculating an RFC2104 HMAC using Microsoft CryptoAPI. The
32 * examples provided at the MSDN website encourage you to use "CryptDeriveKey",
33 * which doesn't do the conditional hashing required by HMAC. (That is, it
34 * might. The documentation on any of the functions is so vague that it's well
35 * possible the elegant solution is just not documented nor demonstrated.
37 static HCRYPTKEY create_hmac_key_exact (HCRYPTPROV hProv,
38 BYTE *pbKey, DWORD dwKeySize)
40 /* Layout of the memory expected when importing a plain text blob is
41 * documented at the "CryptImportKey" under "Remarks". The four bytes
42 * following the PUBLICKEYSTRUC structure hold the size of the key, then
43 * follows the key itself. */
44 struct plain_text_data_s
50 HCRYPTKEY ret_key = 0;
53 data_size = sizeof (*data) + dwKeySize;
54 data = (struct plain_text_data_s *) malloc (data_size);
57 memset (data, 0, data_size);
59 /* The key is not encrypted. */
60 data->blob.bType = PLAINTEXTKEYBLOB;
61 data->blob.bVersion = CUR_BLOB_VERSION;
62 data->blob.reserved = 0;
63 /* The "CryptImportKey" page explicitly states that "RC2" is to be used for
64 * HMAC keys. What anyone might have been thinking, I don't know. */
65 data->blob.aiKeyAlg = CALG_RC2;
67 /* Copy the key to the memory right behind the struct. "memcpy" should only
68 * add memory protection crap *after* the region written to, so the blob
69 * shouldn't be destroyed. We play it save, though, and set the key size
70 * last. Should problems arise, we should switch to a loop just to be sure. */
71 memcpy (data + 1, pbKey, dwKeySize);
72 data->key_size = dwKeySize;
74 /* Actually convert our memory region to this mysterious key structure.
75 * The "CRYPT_IPSEC_HMAC_KEY" is required to allow RC2 keys longer than
76 * 16 byte. Again, this is documented on the "CryptImportKey" page as a
78 status = CryptImportKey (hProv, (BYTE *) data,
79 /* dwDataLen = */ sizeof (*data) + data->key_size,
81 /* flags = */ CRYPT_IPSEC_HMAC_KEY,
91 } /* HCRYPTKEY create_hmac_key_exact */
93 /* If the key of the HMAC is larger than the hash size, use the hash of the
94 * key instead of using the key directly. */
95 static HCRYPTKEY create_hmac_key_hashed (HCRYPTPROV hProv,
96 BYTE *pbKey, DWORD dwKeySize,
97 DWORD dwHashSize, HCRYPTHASH hHash)
101 DWORD hash_data_size;
104 assert (dwKeySize > dwHashSize);
106 status = CryptHashData (hHash, pbKey, dwKeySize, /* dwFlags = */ 0);
110 hash_data = (BYTE *) malloc (dwHashSize);
111 if (hash_data == NULL)
113 memset (hash_data, 0, dwHashSize);
114 hash_data_size = dwHashSize;
116 status = CryptGetHashParam (hHash, HP_HASHVAL,
117 hash_data, &hash_data_size, /* flags = */ 0);
124 assert (hash_data_size == dwHashSize);
126 key = create_hmac_key_exact (hProv, hash_data, hash_data_size);
130 } /* HCRYPTKEY create_hmac_key_hashed */
132 /* If the key is short enough, it is (right-)padded with zeros and otherwise
134 static HCRYPTKEY create_hmac_key_padded (HCRYPTPROV hProv,
135 BYTE *pbKey, DWORD dwKeySize,
142 assert (dwKeySize <= dwHashSize);
144 if (dwKeySize == dwHashSize)
145 return (create_hmac_key_exact (hProv, pbKey, dwKeySize));
147 padded_key = (BYTE *) malloc (dwHashSize);
148 if (padded_key == NULL)
151 /* Copy the key and right-pad with zeros. Don't use "memcpy" here because
152 * the fucked up version of VS will corrupt memory. */
153 for (i = 0; i < dwHashSize; i++)
154 padded_key[i] = (i < dwKeySize) ? pbKey[i] : 0;
156 key = create_hmac_key_exact (hProv, padded_key, dwHashSize);
160 } /* HCRYPTKEY create_hmac_key_padded */
162 static HCRYPTKEY create_hmac_key (HCRYPTPROV hProv,
164 BYTE *pbKey, DWORD dwKeySize)
172 /* Allocate a hash object to determine the hash size. */
173 status = CryptCreateHash (hProv, Algid,
176 /* out phHash = */ &hash);
180 param_size = (DWORD) sizeof (hash_size);
181 status = CryptGetHashParam (hash, HP_HASHSIZE,
182 (BYTE *) &hash_size, ¶m_size,
186 CryptDestroyHash (hash);
190 /* Determine whether we need to calculate the hash of the key or if
191 * padding is sufficient. */
192 if (dwKeySize > hash_size)
193 key = create_hmac_key_hashed (hProv, pbKey, dwKeySize, hash_size, hash);
195 key = create_hmac_key_padded (hProv, pbKey, dwKeySize, hash_size);
197 CryptDestroyHash (hash);
199 } /* HCRYPTKEY create_hmac_key */
201 BOOL CreateHMAC (HCRYPTPROV hProv,
203 BYTE *pbKey, DWORD dwKeySize,
213 hmac_key = create_hmac_key (hProv, Algid, pbKey, dwKeySize);
217 status = CryptCreateHash (hProv, CALG_HMAC, hmac_key,
218 /* flags = */ dwFlags,
222 CryptDestroyKey (hmac_key);
226 memset (&hmac_info, 0, sizeof (hmac_info));
227 hmac_info.HashAlgid = Algid;
228 hmac_info.pbInnerString = NULL;
229 hmac_info.cbInnerString = 0;
230 hmac_info.pbOuterString = NULL;
231 hmac_info.cbOuterString = 0;
233 status = CryptSetHashParam (hash, HP_HMAC_INFO, (BYTE *) &hmac_info,
237 CryptDestroyHash (hash);
238 CryptDestroyKey (hmac_key);
245 } /* BOOL CreateHMAC */
247 BOOL DestroyHMAC (HCRYPTHASH hHash, HCRYPTKEY hKey)
250 CryptDestroyHash (hHash);
253 CryptDestroyKey (hKey);
256 } /* BOOL DestroyHMAC */
258 /* vim: set ts=4 sw=4 noet : */