str0m-wincrypto 0.5.0

Supporting crate for str0m
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

//! HMAC implementations using Windows CNG.

use dimpl::crypto::HmacProvider;

use windows::Win32::Security::Cryptography::BCRYPT_HASH_HANDLE;
use windows::Win32::Security::Cryptography::BCRYPT_HMAC_SHA256_ALG_HANDLE;
use windows::Win32::Security::Cryptography::BCRYPT_HMAC_SHA384_ALG_HANDLE;
use windows::Win32::Security::Cryptography::BCryptCreateHash;
use windows::Win32::Security::Cryptography::BCryptFinishHash;
use windows::Win32::Security::Cryptography::BCryptHashData;
use windows::core::Owned;

use crate::WinCryptoError;

#[derive(Debug)]
pub(super) struct WinCngHmacProvider;

impl HmacProvider for WinCngHmacProvider {
    fn hmac(
        &self,
        hash: dimpl::HashAlgorithm,
        key: &[u8],
        data: &[u8],
        out: &mut [u8],
    ) -> Result<usize, String> {
        match hash {
            dimpl::HashAlgorithm::SHA256 => {
                let result = win_hmac_sha256(key, data).map_err(|err| format!("{err:?}"))?;
                let hmac_len = result.len();
                out[0..hmac_len].copy_from_slice(&result);
                if hmac_len <= out.len() {
                    out[0..hmac_len].copy_from_slice(&result);
                    Ok(hmac_len)
                } else {
                    Err(format!(
                        "Output buffer too small for SHA256. Needed: {hmac_len}, Was: {}",
                        out.len()
                    ))
                }
            }
            dimpl::HashAlgorithm::SHA384 => {
                let result = win_hmac_sha384(key, data).map_err(|err| format!("{err:?}"))?;
                let hmac_len = result.len();
                if hmac_len <= out.len() {
                    out[0..hmac_len].copy_from_slice(&result);
                    Ok(hmac_len)
                } else {
                    Err(format!(
                        "Output buffer too small for SHA384. Needed: {hmac_len}, Was: {}",
                        out.len()
                    ))
                }
            }
            _ => Err(format!("Unsupported HMAC Hash: {hash:?}")),
        }
    }
}

pub(super) static HMAC_PROVIDER: WinCngHmacProvider = WinCngHmacProvider;

pub(super) fn win_hmac_sha256(key: &[u8], data: &[u8]) -> Result<[u8; 32], WinCryptoError> {
    let mut hash = [0u8; 32];
    // SAFETY: Microsoft Learn documents `BCryptCreateHash`,
    // `BCryptHashData`, and `BCryptFinishHash` as borrowing the handle, key,
    // input, and output buffers only for the duration of each call; all of
    // them outlive this block.
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatehash
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcrypthashdata
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptfinishhash
    unsafe {
        let mut hash_handle = Owned::new(BCRYPT_HASH_HANDLE::default());
        WinCryptoError::from_ntstatus(BCryptCreateHash(
            BCRYPT_HMAC_SHA256_ALG_HANDLE,
            &mut *hash_handle,
            None,
            Some(key),
            0,
        ))?;

        WinCryptoError::from_ntstatus(BCryptHashData(*hash_handle, data, 0))?;
        WinCryptoError::from_ntstatus(BCryptFinishHash(*hash_handle, &mut hash, 0))?;
    }
    Ok(hash)
}

pub(super) fn win_hmac_sha384(key: &[u8], data: &[u8]) -> Result<[u8; 48], WinCryptoError> {
    let mut hash = [0u8; 48];
    // SAFETY: Microsoft Learn documents `BCryptCreateHash`,
    // `BCryptHashData`, and `BCryptFinishHash` as borrowing the handle, key,
    // input, and output buffers only for the duration of each call; all of
    // them outlive this block.
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatehash
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcrypthashdata
    // Docs: https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptfinishhash
    unsafe {
        let mut hash_handle = Owned::new(BCRYPT_HASH_HANDLE::default());
        WinCryptoError::from_ntstatus(BCryptCreateHash(
            BCRYPT_HMAC_SHA384_ALG_HANDLE,
            &mut *hash_handle,
            None,
            Some(key),
            0,
        ))?;

        WinCryptoError::from_ntstatus(BCryptHashData(*hash_handle, data, 0))?;
        WinCryptoError::from_ntstatus(BCryptFinishHash(*hash_handle, &mut hash, 0))?;
    }
    Ok(hash)
}