Implement HMAC-SHA-256.

R=albertb
BUG=none
TEST=added new HMAC unit tests
Review URL: http://codereview.chromium.org/1513012

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43522 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 178 insertions, 20 deletions

diff --git a/base/hmac_mac.cc b/base/hmac_mac.cc
index bbc9330..97dcbf5 100644
--- a/base/hmac_mac.cc
+++ b/base/hmac_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,8 +16,8 @@ struct HMACPlatformData {
 
 HMAC::HMAC(HashAlgorithm hash_alg)
     : hash_alg_(hash_alg), plat_(new HMACPlatformData()) {
-  // Only SHA-1 digest is supported now.
-  DCHECK(hash_alg_ == SHA1);
+  // Only SHA-1 and SHA-256 hash algorithms are supported now.
+  DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256);
 }
 
 bool HMAC::Init(const unsigned char *key, int key_length) {
@@ -49,6 +49,10 @@ bool HMAC::Sign(const std::string& data,
       algorithm = kCCHmacAlgSHA1;
       algorithm_digest_length = CC_SHA1_DIGEST_LENGTH;
       break;
+    case SHA256:
+      algorithm = kCCHmacAlgSHA256;
+      algorithm_digest_length = CC_SHA256_DIGEST_LENGTH;
+      break;
     default:
       NOTREACHED();
       return false;
diff --git a/base/hmac_nss.cc b/base/hmac_nss.cc
index b3c0c67..2ca4f67 100644
--- a/base/hmac_nss.cc
+++ b/base/hmac_nss.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,6 +32,7 @@ HMAC::HMAC(HashAlgorithm hash_alg)
       break;
     default:
       NOTREACHED() << "Unsupported hash algorithm";
+      break;
   }
 }
 
diff --git a/base/hmac_unittest.cc b/base/hmac_unittest.cc
index 56b811a..480c771 100644
--- a/base/hmac_unittest.cc
+++ b/base/hmac_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,8 @@
 #include "base/hmac.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-static const int kDigestSize = 20;
+static const int kSHA1DigestSize = 20;
+static const int kSHA256DigestSize = 32;
 
 TEST(HMACTest, HmacSafeBrowsingResponseTest) {
   const int kKeySize = 16;
@@ -18,7 +19,7 @@ TEST(HMACTest, HmacSafeBrowsingResponseTest) {
         0x96, 0x78, 0x70, 0x8e, 0xa1, 0x9d, 0x3b, 0x40 };
 
   // Expected HMAC result using kMessage and kClientKey.
-  const unsigned char kReceivedHmac[kDigestSize] =
+  const unsigned char kReceivedHmac[kSHA1DigestSize] =
       { 0xb9, 0x3c, 0xd6, 0xf0, 0x49, 0x47, 0xe2, 0x52,
         0x59, 0x7a, 0xbd, 0x1f, 0x2b, 0x4c, 0x83, 0xad,
         0x86, 0xd2, 0x48, 0x85 };
@@ -53,10 +54,10 @@ TEST(HMACTest, HmacSafeBrowsingResponseTest) {
 
   base::HMAC hmac(base::HMAC::SHA1);
   ASSERT_TRUE(hmac.Init(kClientKey, kKeySize));
-  unsigned char calculated_hmac[kDigestSize];
+  unsigned char calculated_hmac[kSHA1DigestSize];
 
-  EXPECT_TRUE(hmac.Sign(message_data, calculated_hmac, kDigestSize));
-  EXPECT_EQ(memcmp(kReceivedHmac, calculated_hmac, kDigestSize), 0);
+  EXPECT_TRUE(hmac.Sign(message_data, calculated_hmac, kSHA1DigestSize));
+  EXPECT_EQ(0, memcmp(kReceivedHmac, calculated_hmac, kSHA1DigestSize));
 }
 
 // Test cases from RFC 2202 section 3
@@ -124,12 +125,83 @@ TEST(HMACTest, RFC2202TestCases) {
     ASSERT_TRUE(hmac.Init(reinterpret_cast<const unsigned char*>(cases[i].key),
                           cases[i].key_len));
     std::string data_string(cases[i].data, cases[i].data_len);
-    unsigned char digest[kDigestSize];
-    EXPECT_TRUE(hmac.Sign(data_string, digest, kDigestSize));
-    EXPECT_EQ(memcmp(cases[i].digest, digest, kDigestSize), 0);
+    unsigned char digest[kSHA1DigestSize];
+    EXPECT_TRUE(hmac.Sign(data_string, digest, kSHA1DigestSize));
+    EXPECT_EQ(0, memcmp(cases[i].digest, digest, kSHA1DigestSize));
   }
 }
 
+// TODO(wtc): add other test vectors from RFC 4231.
+TEST(HMACTest, RFC4231TestCase6) {
+  unsigned char key[131];
+  for (size_t i = 0; i < sizeof(key); ++i)
+    key[i] = 0xaa;
+
+  std::string data = "Test Using Larger Than Block-Size Key - Hash Key First";
+  ASSERT_EQ(54U, data.size());
+
+  static unsigned char kKnownHMACSHA256[] = {
+    0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f,
+    0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f,
+    0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14,
+    0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54
+  };
+
+  base::HMAC hmac(base::HMAC::SHA256);
+  ASSERT_TRUE(hmac.Init(key, sizeof(key)));
+  unsigned char calculated_hmac[kSHA256DigestSize];
+
+  EXPECT_TRUE(hmac.Sign(data, calculated_hmac, kSHA256DigestSize));
+  EXPECT_EQ(0, memcmp(kKnownHMACSHA256, calculated_hmac, kSHA256DigestSize));
+}
+
+// Based on NSS's FIPS HMAC power-up self-test.
+TEST(HMACTest, NSSFIPSPowerUpSelfTest) {
+  static const char kKnownMessage[] =
+      "The test message for the MD2, MD5, and SHA-1 hashing algorithms.";
+
+  static const unsigned char kKnownSecretKey[] = {
+    0x46, 0x69, 0x72, 0x65, 0x66, 0x6f, 0x78, 0x20,
+    0x61, 0x6e, 0x64, 0x20, 0x54, 0x68, 0x75, 0x6e,
+    0x64, 0x65, 0x72, 0x42, 0x69, 0x72, 0x64, 0x20,
+    0x61, 0x72, 0x65, 0x20, 0x61, 0x77, 0x65, 0x73,
+    0x6f, 0x6d, 0x65, 0x21, 0x00
+  };
+
+  static const size_t kKnownSecretKeySize = sizeof(kKnownSecretKey);
+
+  // HMAC-SHA-1 known answer (20 bytes).
+  static const unsigned char kKnownHMACSHA1[] = {
+    0xd5, 0x85, 0xf6, 0x5b, 0x39, 0xfa, 0xb9, 0x05,
+    0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e,
+    0x5d, 0x0e, 0x1e, 0x11
+  };
+
+  // HMAC-SHA-256 known answer (32 bytes).
+  static const unsigned char kKnownHMACSHA256[] = {
+    0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44,
+    0xe2, 0x46, 0x4b, 0x92, 0x22, 0x14, 0x22, 0xe0,
+    0x1b, 0x92, 0x8a, 0x0c, 0xfe, 0xf5, 0x49, 0xe9,
+    0xa7, 0x1b, 0x56, 0x7d, 0x1d, 0x29, 0x40, 0x48
+  };
+
+  std::string message_data(kKnownMessage);
+
+  base::HMAC hmac(base::HMAC::SHA1);
+  ASSERT_TRUE(hmac.Init(kKnownSecretKey, kKnownSecretKeySize));
+  unsigned char calculated_hmac[kSHA1DigestSize];
+
+  EXPECT_TRUE(hmac.Sign(message_data, calculated_hmac, kSHA1DigestSize));
+  EXPECT_EQ(0, memcmp(kKnownHMACSHA1, calculated_hmac, kSHA1DigestSize));
+
+  base::HMAC hmac2(base::HMAC::SHA256);
+  ASSERT_TRUE(hmac2.Init(kKnownSecretKey, kKnownSecretKeySize));
+  unsigned char calculated_hmac2[kSHA256DigestSize];
+
+  EXPECT_TRUE(hmac2.Sign(message_data, calculated_hmac2, kSHA256DigestSize));
+  EXPECT_EQ(0, memcmp(kKnownHMACSHA256, calculated_hmac2, kSHA256DigestSize));
+}
+
 TEST(HMACTest, HMACObjectReuse) {
   const char *key =
       "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
@@ -157,8 +229,8 @@ TEST(HMACTest, HMACObjectReuse) {
   ASSERT_TRUE(hmac.Init(reinterpret_cast<const unsigned char*>(key), key_len));
   for (size_t i = 0; i < ARRAYSIZE_UNSAFE(cases); ++i) {
     std::string data_string(cases[i].data, cases[i].data_len);
-    unsigned char digest[kDigestSize];
-    EXPECT_TRUE(hmac.Sign(data_string, digest, kDigestSize));
-    EXPECT_EQ(memcmp(cases[i].digest, digest, kDigestSize), 0);
+    unsigned char digest[kSHA1DigestSize];
+    EXPECT_TRUE(hmac.Sign(data_string, digest, kSHA1DigestSize));
+    EXPECT_EQ(0, memcmp(cases[i].digest, digest, kSHA1DigestSize));
   }
 }
diff --git a/base/hmac_win.cc b/base/hmac_win.cc
index 2b2e9cc..03f81db 100644
--- a/base/hmac_win.cc
+++ b/base/hmac_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,29 +11,98 @@
 #include <vector>
 
 #include "base/logging.h"
+#include "base/third_party/nss/blapi.h"
+#include "base/third_party/nss/sha256.h"
 
 namespace base {
 
+namespace {
+
+// Implementation of HMAC-SHA-256:
+//
+// SHA-256 is supported in Windows XP SP3 or later.  We still need to support
+// Windows XP SP2, so unfortunately we have to implement HMAC-SHA-256 here.
+
+enum {
+  SHA256_BLOCK_SIZE = 64  // Block size (in bytes) of the input to SHA-256.
+};
+
+// See FIPS 198: The Keyed-Hash Message Authentication Code (HMAC).
+void ComputeHMACSHA256(const unsigned char* key, size_t key_len,
+                       const unsigned char* text, size_t text_len,
+                       unsigned char* output, size_t output_len) {
+  SHA256Context ctx;
+
+  // Pre-process the key, if necessary.
+  unsigned char key0[SHA256_BLOCK_SIZE];
+  if (key_len > SHA256_BLOCK_SIZE) {
+    SHA256_Begin(&ctx);
+    SHA256_Update(&ctx, key, key_len);
+    SHA256_End(&ctx, key0, NULL, SHA256_LENGTH);
+    memset(key0 + SHA256_LENGTH, 0, SHA256_BLOCK_SIZE - SHA256_LENGTH);
+  } else {
+    memcpy(key0, key, key_len);
+    memset(key0 + key_len, 0, SHA256_BLOCK_SIZE - key_len);
+  }
+
+  unsigned char padded_key[SHA256_BLOCK_SIZE];
+  unsigned char inner_hash[SHA256_LENGTH];
+
+  // XOR key0 with ipad.
+  for (int i = 0; i < SHA256_BLOCK_SIZE; ++i)
+    padded_key[i] = key0[i] ^ 0x36;
+
+  // Compute the inner hash.
+  SHA256_Begin(&ctx);
+  SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE);
+  SHA256_Update(&ctx, text, text_len);
+  SHA256_End(&ctx, inner_hash, NULL, SHA256_LENGTH);
+
+  // XOR key0 with opad.
+  for (int i = 0; i < SHA256_BLOCK_SIZE; ++i)
+    padded_key[i] = key0[i] ^ 0x5c;
+
+  // Compute the outer hash.
+  SHA256_Begin(&ctx);
+  SHA256_Update(&ctx, padded_key, SHA256_BLOCK_SIZE);
+  SHA256_Update(&ctx, inner_hash, SHA256_LENGTH);
+  SHA256_End(&ctx, output, NULL, output_len);
+}
+
+}  // namespace
+
 struct HMACPlatformData {
+  HMACPlatformData() : provider_(0), hash_(0), hkey_(0) {}
+
   // Windows Crypt API resources.
   HCRYPTPROV provider_;
   HCRYPTHASH hash_;
   HCRYPTKEY hkey_;
+
+  // For HMAC-SHA-256 only.
+  std::vector<unsigned char> raw_key_;
 };
 
 HMAC::HMAC(HashAlgorithm hash_alg)
     : hash_alg_(hash_alg), plat_(new HMACPlatformData()) {
-  // Only SHA-1 digest is supported now.
-  DCHECK(hash_alg_ == SHA1);
+  // Only SHA-1 and SHA-256 hash algorithms are supported now.
+  DCHECK(hash_alg_ == SHA1 || hash_alg_ == SHA256);
 }
 
 bool HMAC::Init(const unsigned char *key, int key_length) {
-  if (plat_->provider_ || plat_->hkey_) {
+  if (plat_->provider_ || plat_->hkey_ || !plat_->raw_key_.empty()) {
     // Init must not be called more than once on the same HMAC object.
     NOTREACHED();
     return false;
   }
 
+  if (hash_alg_ == SHA256) {
+    if (key_length < SHA256_LENGTH / 2)
+      return false;  // Key is too short.
+    plat_->raw_key_.assign(key, key + key_length);
+    return true;
+  }
+
   if (!CryptAcquireContext(&plat_->provider_, NULL, NULL,
                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
     NOTREACHED();
@@ -79,6 +148,9 @@ bool HMAC::Init(const unsigned char *key, int key_length) {
 }
 
 HMAC::~HMAC() {
+  if (!plat_->raw_key_.empty())
+    SecureZeroMemory(&plat_->raw_key_[0], plat_->raw_key_.size());
+
   BOOL ok;
   if (plat_->hkey_) {
     ok = CryptDestroyKey(plat_->hkey_);
@@ -97,6 +169,15 @@ HMAC::~HMAC() {
 bool HMAC::Sign(const std::string& data,
                 unsigned char* digest,
                 int digest_length) {
+  if (hash_alg_ == SHA256) {
+    if (plat_->raw_key_.empty())
+      return false;
+    ComputeHMACSHA256(&plat_->raw_key_[0], plat_->raw_key_.size(),
+                      reinterpret_cast<const unsigned char*>(data.data()),
+                      data.size(), digest, digest_length);
+    return true;
+  }
+
   if (!plat_->provider_ || !plat_->hkey_)
     return false;