1ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen// Copyright (c) 2011 The Chromium Authors. All rights reserved. 2c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch// Use of this source code is governed by a BSD-style license that can be 3c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch// found in the LICENSE file. 4c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 5c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include "chrome/browser/password_manager/ie7_password.h" 6c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 7c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include <wincrypt.h> 8c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include <string> 9c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include <vector> 10c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 11ddb351dbec246cf1fab5ec20d2d5520909041de1Kristian Monsen#include "base/memory/scoped_ptr.h" 12c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include "base/sha1.h" 13c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch#include "base/string_util.h" 14c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 15c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochnamespace { 16c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 17c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch// Structures that IE7/IE8 use to store a username/password. 18c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch// Some of the fields might have been incorrectly reverse engineered. 19c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochstruct PreHeader { 20c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD pre_header_size; // Size of this header structure. Always 12. 21c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD header_size; // Size of the real Header: sizeof(Header) + 22c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // item_count * sizeof(Entry); 23c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD data_size; // Size of the data referenced by the entries. 24c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch}; 25c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 26c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochstruct Header { 27c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch char wick[4]; // The string "WICK". I don't know what it means. 28c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD fixed_header_size; // The size of this structure without the entries: 29c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // sizeof(Header). 30c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD item_count; // Number of entries. It should always be 2. One for 31c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // the username, and one for the password. 32c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch wchar_t two_letters[2]; // Two unknown bytes. 33c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD unknown[2]; // Two unknown DWORDs. 34c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch}; 35c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 36c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochstruct Entry { 37c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD offset; // Offset where the data referenced by this entry is 38c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // located. 39c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch FILETIME time_stamp; // Timestamp when the password got added. 40c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DWORD string_length; // The length of the data string. 41c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch}; 42c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 43c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch// Main data structure. 44c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochstruct PasswordEntry { 45c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch PreHeader pre_header; // Contains the size of the different sections. 46c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch Header header; // Contains the number of items. 47c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch Entry entry[1]; // List of entries containing a string. The first one 48c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // is the username, the second one if the password. 49c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch}; 50c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 51c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch} // namespace 52c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 53c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochnamespace ie7_password { 54c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 55c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochbool GetUserPassFromData(const std::vector<unsigned char>& data, 56c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring* username, 57c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring* password) { 58c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const PasswordEntry* information = 59c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch reinterpret_cast<const PasswordEntry*>(&data.front()); 60c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 61c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Some expected values. If it's not what we expect we don't even try to 62c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // understand the data. 63c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch if (information->pre_header.pre_header_size != sizeof(PreHeader)) 64c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return false; 65c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 66c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch if (information->header.item_count != 2) // Username and Password 67c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return false; 68c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 69c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch if (information->header.fixed_header_size != sizeof(Header)) 70c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return false; 71c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 72c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const uint8* ptr = &data.front(); 73c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const uint8* offset_to_data = ptr + information->pre_header.header_size + 74c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch information->pre_header.pre_header_size; 75c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 76c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const Entry* user_entry = information->entry; 77c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const Entry* pass_entry = user_entry+1; 78c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 79c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch *username = reinterpret_cast<const wchar_t*>(offset_to_data + 80c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch user_entry->offset); 81c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch *password = reinterpret_cast<const wchar_t*>(offset_to_data + 82c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch pass_entry->offset); 83c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return true; 84c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch} 85c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 86c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochstd::wstring GetUrlHash(const std::wstring& url) { 87c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring lower_case_url = StringToLowerASCII(url); 88c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Get a data buffer out of our std::wstring to pass to SHA1HashString. 89c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::string url_buffer( 90c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch reinterpret_cast<const char*>(lower_case_url.c_str()), 91c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch (lower_case_url.size() + 1) * sizeof(wchar_t)); 92c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::string hash_bin = base::SHA1HashString(url_buffer); 93c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 94c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring url_hash; 95c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 96c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Transform the buffer to an hexadecimal string. 97c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch unsigned char checksum = 0; 98c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch for (size_t i = 0; i < hash_bin.size(); ++i) { 99c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // std::string gives signed chars, which mess with StringPrintf and 100c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // check_sum. 101c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch unsigned char hash_byte = static_cast<unsigned char>(hash_bin[i]); 102c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch checksum += hash_byte; 103c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch url_hash += StringPrintf(L"%2.2X", static_cast<unsigned>(hash_byte)); 104c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch } 105c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch url_hash += StringPrintf(L"%2.2X", checksum); 106c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 107c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return url_hash; 108c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch} 109c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 110c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdochbool DecryptPassword(const std::wstring& url, 111c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const std::vector<unsigned char>& data, 112c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring* username, std::wstring* password) { 113c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::wstring lower_case_url = StringToLowerASCII(url); 114c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DATA_BLOB input = {0}; 115c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DATA_BLOB output = {0}; 116c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch DATA_BLOB url_key = {0}; 117c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 118c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch input.pbData = const_cast<unsigned char*>(&data.front()); 119c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch input.cbData = static_cast<DWORD>((data.size()) * 120c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch sizeof(std::string::value_type)); 121c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 122c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch url_key.pbData = reinterpret_cast<unsigned char*>( 123c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch const_cast<wchar_t*>(lower_case_url.data())); 124c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch url_key.cbData = static_cast<DWORD>((lower_case_url.size() + 1) * 125c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch sizeof(std::wstring::value_type)); 126c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 127c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch if (CryptUnprotectData(&input, NULL, &url_key, NULL, NULL, 128c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch CRYPTPROTECT_UI_FORBIDDEN, &output)) { 129c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch // Now that we have the decrypted information, we need to understand it. 130c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch std::vector<unsigned char> decrypted_data; 131c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch decrypted_data.resize(output.cbData); 132c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch memcpy(&decrypted_data.front(), output.pbData, output.cbData); 133c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 134c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch GetUserPassFromData(decrypted_data, username, password); 135c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 136c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch LocalFree(output.pbData); 137c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return true; 138c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch } 139c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 140c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch return false; 141c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch} 142c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch 143c407dc5cd9bdc5668497f21b26b09d988ab439deBen Murdoch} // namespace ie7_password 144