1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/password_manager/ie7_password.h"
6
7#include <wincrypt.h>
8#include <string>
9#include <vector>
10
11#include "base/memory/scoped_ptr.h"
12#include "base/sha1.h"
13#include "base/string_util.h"
14
15namespace {
16
17// Structures that IE7/IE8 use to store a username/password.
18// Some of the fields might have been incorrectly reverse engineered.
19struct PreHeader {
20  DWORD pre_header_size;  // Size of this header structure. Always 12.
21  DWORD header_size;      // Size of the real Header: sizeof(Header) +
22                          // item_count * sizeof(Entry);
23  DWORD data_size;        // Size of the data referenced by the entries.
24};
25
26struct Header {
27  char wick[4];             // The string "WICK". I don't know what it means.
28  DWORD fixed_header_size;  // The size of this structure without the entries:
29                            // sizeof(Header).
30  DWORD item_count;         // Number of entries. It should always be 2. One for
31                            // the username, and one for the password.
32  wchar_t two_letters[2];   // Two unknown bytes.
33  DWORD unknown[2];         // Two unknown DWORDs.
34};
35
36struct Entry {
37  DWORD offset;         // Offset where the data referenced by this entry is
38                        // located.
39  FILETIME time_stamp;  // Timestamp when the password got added.
40  DWORD string_length;  // The length of the data string.
41};
42
43// Main data structure.
44struct PasswordEntry {
45  PreHeader pre_header;  // Contains the size of the different sections.
46  Header header;         // Contains the number of items.
47  Entry entry[1];        // List of entries containing a string. The first one
48                         // is the username, the second one if the password.
49};
50
51}  // namespace
52
53namespace ie7_password {
54
55bool GetUserPassFromData(const std::vector<unsigned char>& data,
56                         std::wstring* username,
57                         std::wstring* password) {
58  const PasswordEntry* information =
59      reinterpret_cast<const PasswordEntry*>(&data.front());
60
61  // Some expected values. If it's not what we expect we don't even try to
62  // understand the data.
63  if (information->pre_header.pre_header_size != sizeof(PreHeader))
64    return false;
65
66  if (information->header.item_count != 2)  // Username and Password
67    return false;
68
69  if (information->header.fixed_header_size != sizeof(Header))
70    return false;
71
72  const uint8* ptr = &data.front();
73  const uint8* offset_to_data = ptr + information->pre_header.header_size +
74                                information->pre_header.pre_header_size;
75
76  const Entry* user_entry = information->entry;
77  const Entry* pass_entry = user_entry+1;
78
79  *username = reinterpret_cast<const wchar_t*>(offset_to_data +
80                                               user_entry->offset);
81  *password = reinterpret_cast<const wchar_t*>(offset_to_data +
82                                               pass_entry->offset);
83  return true;
84}
85
86std::wstring GetUrlHash(const std::wstring& url) {
87  std::wstring lower_case_url = StringToLowerASCII(url);
88  // Get a data buffer out of our std::wstring to pass to SHA1HashString.
89  std::string url_buffer(
90      reinterpret_cast<const char*>(lower_case_url.c_str()),
91      (lower_case_url.size() + 1) * sizeof(wchar_t));
92  std::string hash_bin = base::SHA1HashString(url_buffer);
93
94  std::wstring url_hash;
95
96  // Transform the buffer to an hexadecimal string.
97  unsigned char checksum = 0;
98  for (size_t i = 0; i < hash_bin.size(); ++i) {
99    // std::string gives signed chars, which mess with StringPrintf and
100    // check_sum.
101    unsigned char hash_byte = static_cast<unsigned char>(hash_bin[i]);
102    checksum += hash_byte;
103    url_hash += StringPrintf(L"%2.2X", static_cast<unsigned>(hash_byte));
104  }
105  url_hash += StringPrintf(L"%2.2X", checksum);
106
107  return url_hash;
108}
109
110bool DecryptPassword(const std::wstring& url,
111                     const std::vector<unsigned char>& data,
112                     std::wstring* username, std::wstring* password) {
113  std::wstring lower_case_url = StringToLowerASCII(url);
114  DATA_BLOB input = {0};
115  DATA_BLOB output = {0};
116  DATA_BLOB url_key = {0};
117
118  input.pbData = const_cast<unsigned char*>(&data.front());
119  input.cbData = static_cast<DWORD>((data.size()) *
120                                    sizeof(std::string::value_type));
121
122  url_key.pbData = reinterpret_cast<unsigned char*>(
123                      const_cast<wchar_t*>(lower_case_url.data()));
124  url_key.cbData = static_cast<DWORD>((lower_case_url.size() + 1) *
125                                      sizeof(std::wstring::value_type));
126
127  if (CryptUnprotectData(&input, NULL, &url_key, NULL, NULL,
128                         CRYPTPROTECT_UI_FORBIDDEN, &output)) {
129    // Now that we have the decrypted information, we need to understand it.
130    std::vector<unsigned char> decrypted_data;
131    decrypted_data.resize(output.cbData);
132    memcpy(&decrypted_data.front(), output.pbData, output.cbData);
133
134    GetUserPassFromData(decrypted_data, username, password);
135
136    LocalFree(output.pbData);
137    return true;
138  }
139
140  return false;
141}
142
143}  // namespace ie7_password
144