1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/password_manager/ie7_password.h"
6
7 #include <wincrypt.h>
8 #include <string>
9 #include <vector>
10
11 #include "base/memory/scoped_ptr.h"
12 #include "base/sha1.h"
13 #include "base/string_util.h"
14
15 namespace {
16
17 // Structures that IE7/IE8 use to store a username/password.
18 // Some of the fields might have been incorrectly reverse engineered.
// Fixed-size prefix of the stored blob. GetUserPassFromData() adds
// pre_header_size and header_size together to locate the string data.
// NOTE(review): all three sizes are read straight from the blob; a reader has
// to check them against the real buffer length before using them as offsets.
struct PreHeader {
  DWORD pre_header_size;  // Size of this header structure. Always 12.
  DWORD header_size;      // Size of the real Header: sizeof(Header) +
                          // item_count * sizeof(Entry);
  DWORD data_size;        // Size of the data referenced by the entries.
                          // Not read by the code in this file.
};
25
// Header that follows the PreHeader. The parser in this file only accepts a
// blob whose fixed_header_size equals sizeof(Header) and whose item_count is 2.
struct Header {
  char wick[4];             // The string "WICK". I don't know what it means.
                            // Not verified by the parser in this file.
  DWORD fixed_header_size;  // The size of this structure without the entries:
                            // sizeof(Header).
  DWORD item_count;         // Number of entries. It should always be 2. One for
                            // the username, and one for the password.
  wchar_t two_letters[2];   // Two unknown wide characters (wchar_t values, not
                            // single bytes).
  DWORD unknown[2];         // Two unknown DWORDs.
};
35
// Describes one stored string (username or password).
struct Entry {
  DWORD offset;          // Offset where the data referenced by this entry is
                         // located. GetUserPassFromData() applies it relative
                         // to the first byte after the two headers.
                         // NOTE(review): value comes from the blob, so it must
                         // be bounds-checked before it is dereferenced.
  FILETIME time_stamp;   // Timestamp when the password got added.
  DWORD string_length;   // The length of the data string.
                         // NOTE(review): the unit (characters or bytes) is not
                         // established here, and the code in this file never
                         // reads the field.
};
42
43 // Main data structure.
// Overlay for the start of the decrypted blob. It is never constructed; the
// parser casts the raw buffer to this type and reads the fields in place.
struct PasswordEntry {
  PreHeader pre_header;  // Contains the size of the different sections.
  Header header;         // Contains the number of items.
  Entry entry[1];        // List of entries containing a string. The first one
                         // is the username, the second one is the password.
                         // Declared with one element but indexed past it
                         // (entry + 1), so sizeof(PasswordEntry) covers only
                         // the first Entry; the buffer has to be at least one
                         // sizeof(Entry) larger for the second to be readable.
};
50
51 } // namespace
52
53 namespace ie7_password {
54
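// Copies the NUL-terminated wide string that starts at |begin| into |out|.
// |available| is the number of bytes left in the buffer counted from |begin|;
// the scan never reads past it. Returns false, leaving |out| untouched, when
// no terminator is found inside that range.
static bool ReadBoundedWideString(const unsigned char* begin,
                                  size_t available,
                                  std::wstring* out) {
  const wchar_t* chars = reinterpret_cast<const wchar_t*>(begin);
  const size_t max_chars = available / sizeof(wchar_t);
  for (size_t i = 0; i < max_chars; ++i) {
    if (chars[i] == L'\0') {
      out->assign(chars, i);
      return true;
    }
  }
  return false;
}

// Extracts the username and password from a decrypted IE7/IE8 credential blob.
//
// |data| is the raw decrypted buffer. It is treated as untrusted: every size
// and offset read from it is checked against data.size() before use, so a
// truncated or corrupted blob makes the function return false rather than
// read outside the vector.
//
// Returns true and fills |username| and |password| on success. On failure
// both outputs are left unchanged.
bool GetUserPassFromData(const std::vector<unsigned char>& data,
                         std::wstring* username,
                         std::wstring* password) {
  // PasswordEntry declares a single Entry but two are read below, so the
  // buffer has to be one Entry larger than sizeof(PasswordEntry). This also
  // rejects an empty vector, for which front() would be undefined.
  if (data.size() < sizeof(PasswordEntry) + sizeof(Entry))
    return false;

  const unsigned char* ptr = &data.front();
  const PasswordEntry* information =
      reinterpret_cast<const PasswordEntry*>(ptr);

  // Some expected values. If it's not what we expect we don't even try to
  // understand the data.
  if (information->pre_header.pre_header_size != sizeof(PreHeader))
    return false;

  if (information->header.item_count != 2)  // Username and Password
    return false;

  if (information->header.fixed_header_size != sizeof(Header))
    return false;

  // header_size comes from the blob. Compare it before adding so the sum
  // cannot wrap, and so the data section starts inside the buffer.
  const size_t header_size = information->pre_header.header_size;
  if (header_size > data.size() - sizeof(PreHeader))
    return false;
  const size_t data_start = sizeof(PreHeader) + header_size;
  const size_t data_length = data.size() - data_start;

  const Entry* user_entry = information->entry;
  const Entry* pass_entry = user_entry + 1;
  if (user_entry->offset > data_length || pass_entry->offset > data_length)
    return false;

  // Parse into locals first so the outputs are only written when both
  // strings were found completely inside the buffer.
  std::wstring parsed_username;
  std::wstring parsed_password;
  if (!ReadBoundedWideString(ptr + data_start + user_entry->offset,
                             data_length - user_entry->offset,
                             &parsed_username) ||
      !ReadBoundedWideString(ptr + data_start + pass_entry->offset,
                             data_length - pass_entry->offset,
                             &parsed_password)) {
    return false;
  }

  username->swap(parsed_username);
  password->swap(parsed_password);
  return true;
}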
85
// Builds the hexadecimal lookup string for |url|.
//
// The URL is lowercased (ASCII only) and hashed with SHA-1 over its raw
// wchar_t bytes, terminating NUL included. Each digest byte is written as two
// uppercase hex digits, followed by one more byte: the sum of all digest
// bytes, truncated to 8 bits.
// NOTE(review): SHA-1 serves as a lookup key here, not as an integrity or
// secrecy primitive; presumably the digest is fixed by the storage format
// this file reads - confirm before replacing it.
std::wstring GetUrlHash(const std::wstring& url) {
  const std::wstring lowered = StringToLowerASCII(url);

  // View the wide string as bytes; the +1 keeps the terminator in the hash.
  const char* raw_bytes = reinterpret_cast<const char*>(lowered.c_str());
  const size_t raw_size = (lowered.size() + 1) * sizeof(wchar_t);
  const std::string digest =
      base::SHA1HashString(std::string(raw_bytes, raw_size));

  std::wstring hex;
  unsigned char sum = 0;
  for (std::string::const_iterator it = digest.begin(); it != digest.end();
       ++it) {
    // std::string holds plain chars, which may be signed; go through
    // unsigned char so neither the sum nor the formatting sign-extends.
    const unsigned char byte = static_cast<unsigned char>(*it);
    sum += byte;
    hex += StringPrintf(L"%2.2X", static_cast<unsigned>(byte));
  }
  hex += StringPrintf(L"%2.2X", sum);

  return hex;
}
109
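// Decrypts an IE7/IE8 credential blob and extracts the username and password.
//
// |url| is lowercased (ASCII only) and passed, terminating NUL included, as
// the optional entropy argument of CryptUnprotectData. |data| is the
// encrypted blob.
//
// Returns true only when decryption succeeded and the decrypted blob was
// parsed into |username| and |password|. Returns false for empty input, a
// decryption failure, or a decrypted blob that GetUserPassFromData rejects.
bool DecryptPassword(const std::wstring& url,
                     const std::vector<unsigned char>& data,
                     std::wstring* username, std::wstring* password) {
  // front() on an empty vector is undefined, and there is nothing to decrypt.
  if (data.empty())
    return false;

  std::wstring lower_case_url = StringToLowerASCII(url);
  DATA_BLOB input = {0};
  DATA_BLOB output = {0};
  DATA_BLOB url_key = {0};

  // DATA_BLOB has no const pointer member; the input is not meant to be
  // written through this pointer.
  input.pbData = const_cast<unsigned char*>(&data.front());
  input.cbData = static_cast<DWORD>(data.size());

  // c_str() guarantees the terminator that the "+ 1" below counts as part of
  // the key.
  url_key.pbData = reinterpret_cast<unsigned char*>(
      const_cast<wchar_t*>(lower_case_url.c_str()));
  url_key.cbData = static_cast<DWORD>((lower_case_url.size() + 1) *
                                      sizeof(std::wstring::value_type));

  if (!CryptUnprotectData(&input, NULL, &url_key, NULL, NULL,
                          CRYPTPROTECT_UI_FORBIDDEN, &output)) {
    return false;
  }

  // Copy the plaintext out and release the system buffer right away, so no
  // later return path can leak it.
  std::vector<unsigned char> decrypted_data;
  if (output.pbData != NULL && output.cbData != 0)
    decrypted_data.assign(output.pbData, output.pbData + output.cbData);
  // NOTE(review): both plaintext copies (output.pbData and decrypted_data)
  // are released without being overwritten. Consider wiping them with
  // SecureZeroMemory before they are freed.
  LocalFree(output.pbData);

  // An empty plaintext cannot hold credentials; the parser indexes the
  // buffer, so it must not be handed an empty vector.
  if (decrypted_data.empty())
    return false;

  // Report parse failures instead of claiming success with the outputs unset.
  return GetUserPassFromData(decrypted_data, username, password);
}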
142
143 } // namespace ie7_password
144