Beispiel #1
0
        private byte[]? ChangeKeyImpl(ReadOnlySpan <byte> key)
        {
            byte[]? modifiedKey = null;

            // If _blockSize is -1 the key isn't going to be extractable by the object holder,
            // so there's no point in recalculating it in managed code.
            if (key.Length > _blockSize && _blockSize > 0)
            {
                // Perform RFC 2104, section 2 key adjustment.
                modifiedKey = _hashAlgorithmId switch
                {
                    HashAlgorithmNames.SHA256 => SHA256.HashData(key),
                    HashAlgorithmNames.SHA384 => SHA384.HashData(key),
                    HashAlgorithmNames.SHA512 => SHA512.HashData(key),
                    HashAlgorithmNames.SHA1 => SHA1.HashData(key),
                    HashAlgorithmNames.MD5 when Helpers.HasMD5 => MD5.HashData(key),
                    _ => throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, _hashAlgorithmId)),
                };
            }

            HashProvider?oldHashProvider = _hMacProvider;

            _hMacProvider = null !;
            oldHashProvider?.Dispose(true);
            _hMacProvider = HashProviderDispenser.CreateMacProvider(_hashAlgorithmId, key);

            return(modifiedKey);
        }
Beispiel #2
0
        internal static byte[] HashData(HashAlgorithmName hashAlgorithm, Stream source)
        {
            if (hashAlgorithm == HashAlgorithmName.SHA256)
            {
                return(SHA256.HashData(source));
            }
            else if (hashAlgorithm == HashAlgorithmName.SHA1)
            {
                return(SHA1.HashData(source));
            }
            else if (hashAlgorithm == HashAlgorithmName.SHA512)
            {
                return(SHA512.HashData(source));
            }
            else if (hashAlgorithm == HashAlgorithmName.SHA384)
            {
                return(SHA384.HashData(source));
            }
            else if (Helpers.HasMD5 && hashAlgorithm == HashAlgorithmName.MD5)
            {
                return(MD5.HashData(source));
            }

            throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithm.Name));
        }
Beispiel #3
0
        public static void When_check_empty()
        {
            var expected = Sha256.Parse(Sha256TestVectors.Empty);

            // Empty Array singleton
            Sha256 actual = s_sha256.HashData(Array.Empty <byte>());

            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty Array
            actual = s_sha256.HashData(new byte[0]);
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty default ArraySegment
            actual = s_sha256.HashData(default(ArraySegment <byte>));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty new ArraySegment
            actual = s_sha256.HashData(new ArraySegment <byte>(new byte[0], 0, 0));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty default Span
            actual = s_sha256.HashData(default(Span <byte>));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty new Span
            actual = s_sha256.HashData(new Span <byte>(new byte[0], 0, 0));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty default ReadOnlySpan
            actual = s_sha256.HashData(default(ReadOnlySpan <byte>));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty new ReadOnlySpan
            actual = s_sha256.HashData(new ReadOnlySpan <byte>(new byte[0], 0, 0));
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());

            // Empty String
            actual = s_sha256.HashData(string.Empty);
            Assert.Equal(expected, actual);
            Assert.Equal(expected.GetHashCode(), actual.GetHashCode());
        }
Beispiel #4
0
        private static unsafe void FillKeyDerivation(
            ReadOnlySpan <byte> password,
            ReadOnlySpan <byte> salt,
            int iterations,
            string hashAlgorithmName,
            Span <byte> destination)
        {
            SafeBCryptKeyHandle keyHandle;
            int hashBlockSizeBytes = GetHashBlockSize(hashAlgorithmName);

            // stackalloc 0 to let compiler know this cannot escape.
            scoped Span <byte>         clearSpan;
            scoped ReadOnlySpan <byte> symmetricKeyMaterial;
            int symmetricKeyMaterialLength;

            if (password.IsEmpty)
            {
                // CNG won't accept a null pointer for the password.
                symmetricKeyMaterial       = stackalloc byte[1];
                symmetricKeyMaterialLength = 0;
                clearSpan = default;
            }
            else if (password.Length <= hashBlockSizeBytes)
            {
                // Password is small enough to use as-is.
                symmetricKeyMaterial       = password;
                symmetricKeyMaterialLength = password.Length;
                clearSpan = default;
            }
            else
            {
                // RFC 2104: "The key for HMAC can be of any length (keys longer than B bytes are
                //     first hashed using H).
                //     We denote by B the byte-length of such
                //     blocks (B=64 for all the above mentioned examples of hash functions)
                //
                // Windows' PBKDF2 will do this up to a point. To ensure we accept arbitrary inputs for
                // PBKDF2, we do the hashing ourselves.
                Span <byte> hashBuffer = stackalloc byte[512 / 8]; // 64 bytes is SHA512, the largest digest handled.
                int         hashBufferSize;

                switch (hashAlgorithmName)
                {
                case HashAlgorithmNames.SHA1:
                    hashBufferSize = SHA1.HashData(password, hashBuffer);
                    break;

                case HashAlgorithmNames.SHA256:
                    hashBufferSize = SHA256.HashData(password, hashBuffer);
                    break;

                case HashAlgorithmNames.SHA384:
                    hashBufferSize = SHA384.HashData(password, hashBuffer);
                    break;

                case HashAlgorithmNames.SHA512:
                    hashBufferSize = SHA512.HashData(password, hashBuffer);
                    break;

                default:
                    Debug.Fail($"Unexpected hash algorithm '{hashAlgorithmName}'");
                    throw new CryptographicException();
                }

                clearSpan                  = hashBuffer.Slice(0, hashBufferSize);
                symmetricKeyMaterial       = clearSpan;
                symmetricKeyMaterialLength = hashBufferSize;
            }

            Debug.Assert(symmetricKeyMaterial.Length > 0);

            NTSTATUS generateKeyStatus;

            if (Interop.BCrypt.PseudoHandlesSupported)
            {
                fixed(byte *pSymmetricKeyMaterial = symmetricKeyMaterial)
                {
                    generateKeyStatus = Interop.BCrypt.BCryptGenerateSymmetricKey(
                        (nuint)BCryptAlgPseudoHandle.BCRYPT_PBKDF2_ALG_HANDLE,
                        out keyHandle,
                        pbKeyObject: IntPtr.Zero,
                        cbKeyObject: 0,
                        pSymmetricKeyMaterial,
                        symmetricKeyMaterialLength,
                        dwFlags: 0);
                }
            }
            else
            {
                if (s_pbkdf2AlgorithmHandle is null)
                {
                    NTSTATUS openStatus = Interop.BCrypt.BCryptOpenAlgorithmProvider(
                        out SafeBCryptAlgorithmHandle pbkdf2AlgorithmHandle,
                        Internal.NativeCrypto.BCryptNative.AlgorithmName.Pbkdf2,
                        null,
                        BCryptOpenAlgorithmProviderFlags.None);

                    if (openStatus != NTSTATUS.STATUS_SUCCESS)
                    {
                        pbkdf2AlgorithmHandle.Dispose();
                        CryptographicOperations.ZeroMemory(clearSpan);
                        throw Interop.BCrypt.CreateCryptographicException(openStatus);
                    }

                    // This might race, and that's okay. Worst case the algorithm is opened
                    // more than once, and the ones that lost will get cleaned up during collection.
                    Interlocked.CompareExchange(ref s_pbkdf2AlgorithmHandle, pbkdf2AlgorithmHandle, null);
                }

                fixed(byte *pSymmetricKeyMaterial = symmetricKeyMaterial)
                {
                    generateKeyStatus = Interop.BCrypt.BCryptGenerateSymmetricKey(
                        s_pbkdf2AlgorithmHandle,
                        out keyHandle,
                        pbKeyObject: IntPtr.Zero,
                        cbKeyObject: 0,
                        pSymmetricKeyMaterial,
                        symmetricKeyMaterialLength,
                        dwFlags: 0);
                }
            }

            CryptographicOperations.ZeroMemory(clearSpan);

            if (generateKeyStatus != NTSTATUS.STATUS_SUCCESS)
            {
                keyHandle.Dispose();
                throw Interop.BCrypt.CreateCryptographicException(generateKeyStatus);
            }

            Debug.Assert(!keyHandle.IsInvalid);

            ulong kdfIterations = (ulong)iterations; // Previously asserted to be positive.

            using (keyHandle)
                fixed(char *pHashAlgorithmName = hashAlgorithmName)
                fixed(byte *pSalt        = salt)
                fixed(byte *pDestination = destination)
                {
                    Span <BCryptBuffer> buffers = stackalloc BCryptBuffer[3];

                    buffers[0].BufferType = CngBufferDescriptors.KDF_ITERATION_COUNT;
                    buffers[0].pvBuffer   = (IntPtr)(&kdfIterations);
                    buffers[0].cbBuffer   = sizeof(ulong);

                    buffers[1].BufferType = CngBufferDescriptors.KDF_SALT;
                    buffers[1].pvBuffer   = (IntPtr)pSalt;
                    buffers[1].cbBuffer   = salt.Length;

                    buffers[2].BufferType = CngBufferDescriptors.KDF_HASH_ALGORITHM;
                    buffers[2].pvBuffer   = (IntPtr)pHashAlgorithmName;

                    // C# spec: "A char* value produced by fixing a string instance always points to a null-terminated string"
                    buffers[2].cbBuffer = checked ((hashAlgorithmName.Length + 1) * sizeof(char)); // Add null terminator.

                    fixed(BCryptBuffer *pBuffers = buffers)
                    {
                        Interop.BCrypt.BCryptBufferDesc bufferDesc;
                        bufferDesc.ulVersion = Interop.BCrypt.BCRYPTBUFFER_VERSION;
                        bufferDesc.cBuffers  = buffers.Length;
                        bufferDesc.pBuffers  = (IntPtr)pBuffers;

                        NTSTATUS deriveStatus = Interop.BCrypt.BCryptKeyDerivation(
                            keyHandle,
                            &bufferDesc,
                            pDestination,
                            destination.Length,
                            out uint resultLength,
                            dwFlags: 0);

                        if (deriveStatus != NTSTATUS.STATUS_SUCCESS)
                        {
                            throw Interop.BCrypt.CreateCryptographicException(deriveStatus);
                        }

                        if (destination.Length != resultLength)
                        {
                            Debug.Fail("PBKDF2 resultLength != destination.Length");
                            throw new CryptographicException();
                        }
                    }
                }
        }