Use predefined bcrypt alg handles

Yubico · Oct 14, 2021 · d230099 · d230099
1 parent 1155fe7
commit d230099
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 59 deletions.
diff --git a/common/hash.c b/common/hash.c
@@ -65,25 +65,25 @@ const EVP_MD *get_hash(hash_t hash) {
 
 #else
 
-LPCWSTR get_hash(hash_t hash) {
+BCRYPT_ALG_HANDLE get_hash(hash_t hash, bool hmac) {
   switch (hash) {
     case _NONE:
       return NULL;
 
     case _SHA1:
-      return BCRYPT_SHA1_ALGORITHM;
+      return hmac ? BCRYPT_HMAC_SHA1_ALG_HANDLE : BCRYPT_SHA1_ALG_HANDLE;
 
     case _SHA256:
-      return BCRYPT_SHA256_ALGORITHM;
+      return hmac ? BCRYPT_HMAC_SHA256_ALG_HANDLE : BCRYPT_SHA256_ALG_HANDLE;
 
     case _SHA384:
-      return BCRYPT_SHA384_ALGORITHM;
+      return hmac ? BCRYPT_HMAC_SHA384_ALG_HANDLE : BCRYPT_SHA384_ALG_HANDLE;
 
     case _SHA512:
-      return BCRYPT_SHA512_ALGORITHM;
+      return hmac ? BCRYPT_HMAC_SHA512_ALG_HANDLE : BCRYPT_SHA512_ALG_HANDLE;
 
     default:
-      return NULL;
+      return 0;
   }
 }
 
@@ -127,24 +127,18 @@ bool hash_bytes(const uint8_t *in, size_t len, hash_t hash, uint8_t *out,
 
   bool res = false;
   NTSTATUS status = 0;
-  LPCWSTR alg = NULL;
   BCRYPT_ALG_HANDLE hAlg = 0;
   BCRYPT_HASH_HANDLE hHash = 0;
   DWORD cbHashObj = 0;
   DWORD cbHash = 0;
   DWORD cbData = 0;
   PBYTE pbHashObj = NULL;
 
-  alg = get_hash(hash);
-  if (alg == NULL) {
+  hAlg = get_hash(hash, false);
+  if (hAlg == 0) {
     return false;
   }
 
-  if (!BCRYPT_SUCCESS(status =
-                        BCryptOpenAlgorithmProvider(&hAlg, alg, NULL, 0))) {
-    goto cleanup;
-  }
-
   if (!BCRYPT_SUCCESS(status = BCryptGetProperty(hAlg, BCRYPT_OBJECT_LENGTH,
                                                  (PBYTE) &cbHashObj,
                                                  sizeof(DWORD), &cbData, 0))) {
@@ -189,9 +183,6 @@ bool hash_bytes(const uint8_t *in, size_t len, hash_t hash, uint8_t *out,
   if (hHash) {
     BCryptDestroyHash(hHash);
   }
-  if (hAlg) {
-    BCryptCloseAlgorithmProvider(hAlg, 0);
-  }
 
   return res;
 
@@ -204,7 +195,6 @@ bool hash_create(_hash_ctx **ctx, hash_t hash) {
 
 #ifdef _WIN32_BCRYPT
   NTSTATUS status = 0;
-  LPCWSTR alg = NULL;
   DWORD cbHashObj = 0;
   DWORD cbHash = 0;
   DWORD cbData = 0;
@@ -227,12 +217,7 @@ bool hash_create(_hash_ctx **ctx, hash_t hash) {
   insecure_memzero(ctx_temp, sizeof(_hash_ctx));
 
 #ifdef _WIN32_BCRYPT
-  if (!(alg = get_hash(hash))) {
-    goto cleanup;
-  }
-
-  if (!BCRYPT_SUCCESS(status = BCryptOpenAlgorithmProvider(&(ctx_temp->hAlg),
-                                                           alg, NULL, 0))) {
+  if (!(ctx_temp->hAlg = get_hash(hash, false))) {
     goto cleanup;
   }
 
@@ -293,9 +278,6 @@ bool hash_create(_hash_ctx **ctx, hash_t hash) {
     if (ctx_temp->pbHashObj) {
       free(ctx_temp->pbHashObj);
     }
-    if (ctx_temp->hAlg) {
-      BCryptCloseAlgorithmProvider(ctx_temp->hAlg, 0);
-    }
 #endif
     free(ctx_temp);
   }
@@ -415,9 +397,6 @@ bool hash_destroy(_hash_ctx *ctx) {
   if (ctx->pbHashObj) {
     free(ctx->pbHashObj);
   }
-  if (ctx->hAlg) {
-    BCryptCloseAlgorithmProvider(ctx->hAlg, 0);
-  }
 #else
   if (ctx->mdctx) {
     EVP_MD_CTX_destroy(ctx->mdctx);

diff --git a/common/hash.h b/common/hash.h
@@ -62,7 +62,7 @@ const YH_INTERNAL EVP_MD *get_hash(hash_t hash);
 #else
 #include <windows.h>
 #include <bcrypt.h>
-LPCWSTR YH_INTERNAL get_hash(hash_t hash);
+BCRYPT_ALG_HANDLE YH_INTERNAL get_hash(hash_t hash, bool hmac);
 #endif
 
 #ifdef __cplusplus

diff --git a/common/pkcs5.c b/common/pkcs5.c
@@ -30,16 +30,9 @@ bool pkcs5_pbkdf2_hmac(const uint8_t *password, size_t cb_password,
 
 #ifdef _WIN32_BCRYPT
   NTSTATUS status = 0;
-  LPCWSTR alg = NULL;
   BCRYPT_ALG_HANDLE hAlg = 0;
 
-  if (!(alg = get_hash(hash))) {
-    goto cleanup;
-  }
-
-  if (!BCRYPT_SUCCESS(
-        status = BCryptOpenAlgorithmProvider(&hAlg, alg, NULL,
-                                             BCRYPT_ALG_HANDLE_HMAC_FLAG))) {
+  if (!(hAlg = get_hash(hash, true))) {
     goto cleanup;
   }
 
@@ -55,10 +48,6 @@ bool pkcs5_pbkdf2_hmac(const uint8_t *password, size_t cb_password,
 
 cleanup:
 
-  if (hAlg) {
-    BCryptCloseAlgorithmProvider(hAlg, 0);
-  }
-
 #else
   const EVP_MD *md = NULL;
 

diff --git a/common/rand.c b/common/rand.c
@@ -25,25 +25,11 @@
 #endif
 
 bool rand_generate(uint8_t *buf, size_t cb_buf) {
-
 #ifdef _WIN32_BCRYPT
-  NTSTATUS status = STATUS_SUCCESS;
-
-  BCRYPT_ALG_HANDLE hAlg = 0;
-
-  if (!BCRYPT_SUCCESS(
-        status =
-          BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_RNG_ALGORITHM, NULL, 0))) {
-    return false;
-  }
-
-  status = BCryptGenRandom(hAlg, buf, (ULONG) cb_buf, 0);
-  BCryptCloseAlgorithmProvider(hAlg, 0);
-
+  NTSTATUS status =
+    BCryptGenRandom(BCRYPT_RNG_ALG_HANDLE, buf, (ULONG) cb_buf, 0);
   return BCRYPT_SUCCESS(status);
-
 #else
   return (1 == RAND_bytes(buf, cb_buf));
-
 #endif
 }