Crypto plug-in: Difference between revisions

From NSIS Wiki
m (SHA2 result)
 
(18 intermediate revisions by 7 users not shown)
Line 1: Line 1:
[[Category:Plugins]]
{{PageAuthor|GAG}}
{{PageAuthor|GAG}}
{{PageAuthor|Anders}}
== Plug-in Info ==
* '''Version:''' 1.4
* '''Type:''' Runtime plug-in (Ansi & Unicode)
* '''Minimum OS:''' Win95.OSR2 (IE3+), WinNT4 (IE3+)
* '''Minimum NSIS version:''' 2.45
* '''License:''' Freeware
* '''Download:''' <attach>Crypto.zip</attach>


== Links ==
<div style="background-color:#FFB3B3;border:1px solid #FF1111;color:#A20000;padding:0.4em"><b>Version 1.2 and earlier fails on Windows Server with the NTE_BAD_KEYSET error and should not be used!</b></div>
[[File:Zip.gif]] [http://forums.winamp.com/attachment.php?postid=1346355 cryptoplg11.zip] (43 KB) (plugin dll + readme + examples)<BR>
[[File:Zip.gif]] [http://forums.winamp.com/attachment.php?s=&postid=1346396 hashcalc.zip] (30 KB) (Calculates the hash for Strings or specified files)


[http://forums.winamp.com/showthread.php?postid=1346355 Forum Thread]


== Introduction ==
== Introduction ==
'''Version:''' 1.1.


This plugin provides you cryptographic interface using [http://en.wikipedia.org/wiki/Cryptographic_Application_Programming_Interface CryptoAPI].
This plug-in allows you to generate cryptographic hashes and random numbers. It uses the [https://msdn.microsoft.com/en-us/library/ms867086.aspx Microsoft Cryptography API] (MS-CAPI).  
Using this plugin you can get common cryptographic hashes like MD5, SHA1, MD2, MD4.
 
 
 
== Supported hash algorithms ==
 
MD2, MD4, MD5, SHA1, SHA2, SHA2-384, SHA2-512.
 
The SHA-2 family is only supported on [https://blogs.technet.microsoft.com/pki/2010/09/30/sha2-and-windows/ Windows XP.SP3], Windows 2003 with KB938397, and Vista or higher.


[http://msdn2.microsoft.com/en-us/library/ms937738.aspx Method used for the hash]


Plugin DLL size: 3 660 bytes (not packed), 2 886 bytes (upx packed)


== How to use ==
== Examples ==


=== String Hash ===
=== String hash ===


<highlight-nsis>
<highlight-nsis>
Crypto::HashData "MD5" "String to be hashed"
Crypto::HashData "SHA1" "The quick brown fox jumps over the lazy dog"
Pop $0
Pop $0
DetailPrint Hash=$0 ; 2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12
</highlight-nsis>
</highlight-nsis>
Supported algorithms: MD5|SHA1|MD2|MD4


=== File Hash ===
<highlight-nsis>
<highlight-nsis>
Crypto::HashFile "MD5" "$WINDIR\notepad.exe"
!include LogicLib.nsh
ClearErrors
Crypto::HashData "SHA2" "How vexingly quick daft zebras jump"
Pop $0
Pop $0
${If} ${Errors}
DetailPrint "SHA2 not supported, cannot calculate hash!"
${Else}
DetailPrint "$0" ; 2202BB2E270ED226682C2855AE94144ED192ADB10B5AE9DE93ED4E0A425EA0B6
${EndIf}
</highlight-nsis>
</highlight-nsis>
Supported algorithms: MD5|SHA1|MD2|MD4


=== Implemented in software ===
 
==== Quick Example ====
=== File hash ===
Calculate the hash of the file you want checked using the Hash Calculator ([http://forums.winamp.com/attachment.php?s=&postid=1346396 hashcalc.zip]).
From there I was able to use Crypto to ensure that notepad hasn't changed:
<highlight-nsis>
<highlight-nsis>
Crypto::HashFile "MD5" "$WINDIR\notepad.exe"
!include LogicLib.nsh
ClearErrors
Crypto::HashFile "MD5" "$ExePath"
Pop $0
Pop $0
StrCmp $0 "FF7F14FDA901090E337488A1900E3660" +3
${If} ${Errors}
MessageBox MB_OK|MB_TOPMOST|MB_SETFOREGROUND|MB_ICONSTOP "ERROR: notepad.exe has been changed!!!"
DetailPrint "Unable to compute the hash!"
Quit
${Else}
DetailPrint "MD5 of myself is $0"
${EndIf}
</highlight-nsis>
 
 
=== Random number generator ===
<highlight-nsis>
Crypto::RNG
Pop $0 ; $0 now contains 100 bytes of random data in hex format
StrCpy $0 "0x$0" 18 ; Extract the first 8 bytes
DetailPrint "64-bit random number: $0"
</highlight-nsis>
</highlight-nsis>
'''Detailed Explanation:''' (of the code above)<BR>
''Crypto::HashFile "MD5" "$WINDIR\notepad.exe"''<BR>
This generates the hash of notepad.exe and then pushes that hash into a stack (which is in memory reserved by NSIS).<BR>
''Pop $0''<BR>
Then the returned hash is "popped" off of the stack and then thrown into the user defined variable ''$0''.<BR>
''StrCmp $0 "FF7F14FDA901090E337488A1900E3660" +3''<BR>
The user defined variable ''$0'' and ''"FF7F14FDA901090E337488A1900E3660"'' (which is the hash generated by [http://forums.winamp.com/attachment.php?s=&postid=1346396 hashcalc.zip]) are then compared.  If they are equal then ''+3'' means to go plus three commands down.  Therefore ''MessageBox'' and ''Quit'' commands are skipped.  If they aren't equal then it continues to the next command (or +1)<BR>
''MessageBox MB_OK|MB_TOPMOST|MB_SETFOREGROUND|MB_ICONSTOP "ERROR: notepad.exe has been changed!!!"''<BR>
''Quit''<BR>
Since the two checksums don't match, show the user an error and then exit the program.


==== Software Example ====
'''File:''' [[File:Zip.gif]] [http://forums.winamp.com/attachment.php?s=&postid=2221660 uharc sfx examples.zip] (95 KB)<BR>
'''Short Description:''' This is a real world implementation of the Crypto plugin.  It does an MD5 on the extractor right before extracting the archive, this ensures that the extractor isn't tampered with and the user isn't tricked into giving their password away.


===== How can a file be tampered with and why? =====
Lets say someone really wants that password.  Well they (or malware) can replace the extractor (uharc.exe) with a dummy exe file with the same name that takes all the arguments given to it and puts them into a text file to be read by the evil doer.  Well since the password is one of the arguments passed off to extract the archive then you can see where this would be a problem.  The advantage to having an MD5 checksum of a file is to ensure that it is not changed (or replaced).  Whether it be changed for malicious purpose or simply a corrupted file.


===== Another use for checksums =====
== History ==
If you are managing your software then you can make your update process even faster. If you create an MD5 checksum of all the files that are currently installed on the system, then you can compare those checksums with the checksums of all the files that are in your patchAnything that doesn't match will be installed (or reinstalled) and all the checksums that match will simply be skipped. This way your installer doesn't have to take the time to install all the files, only the ones that need to be updated.
 
[[Category:Plugins]]
1.4 - 20160412 - Anders
* Added RNG
 
 
1.3 - 20160406 - [[User:Anders|Anders]]
* Rewritten from scratch
* Supports SHA-2 on systems with PROV_RSA_AES
* Sets the error flag on errors
 
 
[http://nsis.sourceforge.net/mediawiki/index.php?title=Crypto_plug-in&oldid=23970 1.2 - November 25, 2013 - GAG]
* <strike>Fixed CryptAcquireContext NTE_BAD_KEYSET (0x80090016) and NTE_KEYSET_ENTRY_BAD (0x8009001A) errors</strike>
* Technical note: original Crypto.dll was unpacked and patched (CryptAcquireContext call parameters patched; corresponding relocation records removed; version information updated)
 
 
1.1 - May 6, 2004 - GAG
* Created Hash Calculator example
* Improved documentation
 
 
1.0 - April 7, 2004 - GAG
* Initial release
* Supported algorithms: MD5|SHA1|MD2|MD4|MAC
 
 
 
== Links ==
* [http://forums.winamp.com/showthread.php?p=2977435 Forum thread]
* [[File:Zip.gif]] [http://forums.winamp.com/attachment.php?attachmentid=50873&d=1385414389 hashcalc12.zip] (31.2 KB) (Calculates hashes of strings or files)<BR>
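
Review bot: In the File hash example, the revised block still calls `Crypto::HashFile "MD5"` and replaces the old `StrCmp $0 "FF7F14FDA901090E337488A1900E3660" +3` comparison with a `DetailPrint` of the digest, so the page no longer shows how to act on a hash once it has been computed. This revision lists SHA2 among the supported algorithms and the 1.3 history entry says the plug-in sets the error flag on errors, so consider using "SHA2" in the file example and keeping a comparison branch that stops the installer both on a mismatch and when `${Errors}` is set. The 1.2 history entry is struck through without a reason, while the new warning says 1.2 and earlier should not be used; one sentence tying the two together would help readers.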

Latest revision as of 12:10, 26 May 2017

Author: GAG (talk, contrib)


Author: Anders (talk, contrib)


Plug-in Info

  • Version: 1.4
  • Type: Runtime plug-in (Ansi & Unicode)
  • Minimum OS: Win95.OSR2 (IE3+), WinNT4 (IE3+)
  • Minimum NSIS version: 2.45
  • License: Freeware
  • Download: Crypto.zip (3 KB)


Version 1.2 and earlier fails on Windows Server with the NTE_BAD_KEYSET error and should not be used!


Introduction

This plug-in allows you to generate cryptographic hashes and random numbers. It uses the Microsoft Cryptography API (MS-CAPI).


Supported hash algorithms

MD2, MD4, MD5, SHA1, SHA2, SHA2-384, SHA2-512.

The SHA-2 family is only supported on Windows XP.SP3, Windows 2003 with KB938397, and Vista or higher.


Examples

String hash

Crypto::HashData "SHA1" "The quick brown fox jumps over the lazy dog"
Pop $0
DetailPrint Hash=$0 ; 2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12

!include LogicLib.nsh
ClearErrors
Crypto::HashData "SHA2" "How vexingly quick daft zebras jump"
Pop $0
${If} ${Errors}
	DetailPrint "SHA2 not supported, cannot calculate hash!"
${Else}
	DetailPrint "$0" ; 2202BB2E270ED226682C2855AE94144ED192ADB10B5AE9DE93ED4E0A425EA0B6
${EndIf}


File hash

!include LogicLib.nsh
ClearErrors
Crypto::HashFile "MD5" "$ExePath"
Pop $0
${If} ${Errors}
	DetailPrint "Unable to compute the hash!"
${Else}
	DetailPrint "MD5 of myself is $0"
${EndIf}
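
An added example, not part of the plug-in's own documentation: the file hash check above extended to compare a SHA2 digest against a pinned value and to fail closed when the error flag is set. It assumes HashFile accepts "SHA2" the same way HashData does; the VerifyFileHash function, the helper.exe path and the EXPECTED_SHA2 value are hypothetical placeholders.

```nsis
!include LogicLib.nsh

OutFile "verify-example.exe"

; Placeholder: replace with the 64-hex-character SHA2 digest recorded at build time.
!define EXPECTED_SHA2 "<EXPECTED-SHA2-HEX-PLACEHOLDER>"

; Hypothetical helper (not provided by the plug-in).
; Input:  file path on the stack.
; Output: "ok", "mismatch" or "error" on the stack.
Function VerifyFileHash
  Exch $1                       ; $1 = file path, caller's $1 saved on the stack
  Push $0                       ; save caller's $0
  ClearErrors
  Crypto::HashFile "SHA2" "$1"  ; assumption: HashFile takes "SHA2" like HashData
  Pop $0                        ; digest as a hex string
  ${If} ${Errors}
    ; Unreadable file, or SHA-2 unavailable on this OS: treat as a failure.
    StrCpy $1 "error"
  ${ElseIf} $0 == "${EXPECTED_SHA2}"   ; LogicLib == ignores hex letter case
    StrCpy $1 "ok"
  ${Else}
    StrCpy $1 "mismatch"
  ${EndIf}
  Pop $0                        ; restore caller's $0
  Exch $1                       ; restore caller's $1, leave result on the stack
FunctionEnd

Section
  ; Hypothetical path: a helper the installer is about to run.
  Push "$INSTDIR\helper.exe"
  Call VerifyFileHash
  Pop $0
  ${If} $0 != "ok"
    MessageBox MB_OK|MB_ICONSTOP "helper.exe failed the integrity check ($0)."
    Abort
  ${EndIf}
  DetailPrint "helper.exe digest matches the pinned value"
SectionEnd
```

Treating the error case the same as a mismatch matters on systems without SHA-2 support, where the digest cannot be computed and the file would otherwise go unchecked.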


Random number generator

Crypto::RNG
Pop $0 ; $0 now contains 100 bytes of random data in hex format
StrCpy $0 "0x$0" 18 ; Extract the first 8 bytes
DetailPrint "64-bit random number: $0"


History

1.4 - 20160412 - Anders

  • Added RNG


1.3 - 20160406 - Anders

  • Rewritten from scratch
  • Supports SHA-2 on systems with PROV_RSA_AES
  • Sets the error flag on errors


1.2 - November 25, 2013 - GAG

  • Fixed CryptAcquireContext NTE_BAD_KEYSET (0x80090016) and NTE_KEYSET_ENTRY_BAD (0x8009001A) errors
  • Technical note: original Crypto.dll was unpacked and patched (CryptAcquireContext call parameters patched; corresponding relocation records removed; version information updated)


1.1 - May 6, 2004 - GAG

  • Created Hash Calculator example
  • Improved documentation


1.0 - April 7, 2004 - GAG

  • Initial release
  • Supported algorithms: MD5|SHA1|MD2|MD4|MAC


Links