| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h
" |
| 6 |
| 7 #include "base/base64.h" |
| 8 #include "base/command_line.h" |
| 9 #include "base/strings/string_number_conversions.h" |
| 10 #include "base/strings/string_util.h" |
| 11 #include "chrome/browser/chromeos/login/supervised_user_manager.h" |
| 12 #include "chromeos/chromeos_switches.h" |
| 13 #include "crypto/random.h" |
| 14 #include "crypto/symmetric_key.h" |
| 15 |
| 16 namespace chromeos { |
| 17 |
| 18 namespace { |
| 19 |
| 20 // Byte size of hash salt. |
| 21 const unsigned kSaltSize = 32; |
| 22 |
| 23 // Parameters of cryptographic hashing. |
| 24 const unsigned kNumIterations = 1234; |
| 25 const unsigned kKeySizeInBits = 256; |
| 26 |
| 27 std::string CreateSalt() { |
| 28 char result[kSaltSize]; |
| 29 crypto::RandBytes(&result, sizeof(result)); |
| 30 return StringToLowerASCII(base::HexEncode( |
| 31 reinterpret_cast<const void*>(result), |
| 32 sizeof(result))); |
| 33 } |
| 34 |
| 35 std::string BuildPasswordForHashWithSaltSchema( |
| 36 const std::string& salt, |
| 37 const std::string& plain_password) { |
| 38 scoped_ptr<crypto::SymmetricKey> key( |
| 39 crypto::SymmetricKey::DeriveKeyFromPassword( |
| 40 crypto::SymmetricKey::AES, |
| 41 plain_password, salt, |
| 42 kNumIterations, kKeySizeInBits)); |
| 43 std::string raw_result, result; |
| 44 key->GetRawKey(&raw_result); |
| 45 base::Base64Encode(raw_result, &result); |
| 46 return result; |
| 47 } |
| 48 |
| 49 } // namespace |
| 50 |
| 51 SupervisedUserAuthentication::SupervisedUserAuthentication( |
| 52 SupervisedUserManager* owner) |
| 53 : owner_(owner), |
| 54 migration_enabled_(false), |
| 55 stable_schema_(SCHEMA_PLAIN) { |
| 56 CommandLine* command_line = CommandLine::ForCurrentProcess(); |
| 57 if (command_line->HasSwitch(switches::kEnableSupervisedPasswordSync)) { |
| 58 migration_enabled_ = true; |
| 59 stable_schema_ = SCHEMA_SALT_HASHED; |
| 60 } |
| 61 } |
| 62 |
| 63 SupervisedUserAuthentication::~SupervisedUserAuthentication() {} |
| 64 |
| 65 std::string SupervisedUserAuthentication::TransformPassword( |
| 66 const std::string& user_id, |
| 67 const std::string& password) { |
| 68 int user_schema = GetPasswordSchema(user_id); |
| 69 if (user_schema == SCHEMA_PLAIN) |
| 70 return password; |
| 71 |
| 72 if (user_schema == SCHEMA_SALT_HASHED) { |
| 73 base::DictionaryValue holder; |
| 74 std::string salt; |
| 75 owner_->GetPasswordInformation(user_id, &holder); |
| 76 holder.GetStringWithoutPathExpansion(kSalt, &salt); |
| 77 DCHECK(!salt.empty()); |
| 78 return BuildPasswordForHashWithSaltSchema(salt, password); |
| 79 } |
| 80 NOTREACHED(); |
| 81 return password; |
| 82 } |
| 83 |
| 84 bool SupervisedUserAuthentication::FillDataForNewUser( |
| 85 const std::string& user_id, |
| 86 const std::string& password, |
| 87 base::DictionaryValue* password_data) { |
| 88 Schema schema = stable_schema_; |
| 89 if (schema == SCHEMA_PLAIN) |
| 90 return false; |
| 91 if (schema == SCHEMA_SALT_HASHED) { |
| 92 password_data->SetIntegerWithoutPathExpansion(kSchemaVersion, schema); |
| 93 std::string salt = CreateSalt(); |
| 94 password_data->SetStringWithoutPathExpansion(kSalt, salt); |
| 95 password_data->SetIntegerWithoutPathExpansion(kPasswordRevision, |
| 96 kMinPasswordRevision); |
| 97 password_data->SetStringWithoutPathExpansion(kEncryptedPassword, |
| 98 BuildPasswordForHashWithSaltSchema(salt, password)); |
| 99 return true; |
| 100 } |
| 101 NOTREACHED(); |
| 102 return false; |
| 103 } |
| 104 |
| 105 void SupervisedUserAuthentication::StorePasswordData( |
| 106 const std::string& user_id, |
| 107 const base::DictionaryValue& password_data) { |
| 108 DictionaryValue holder; |
| 109 owner_->GetPasswordInformation(user_id, &holder); |
| 110 const base::Value* value; |
| 111 if (password_data.GetWithoutPathExpansion(kSchemaVersion, &value)) |
| 112 holder.SetWithoutPathExpansion(kSchemaVersion, value->DeepCopy()); |
| 113 if (password_data.GetWithoutPathExpansion(kSalt, &value)) |
| 114 holder.SetWithoutPathExpansion(kSalt, value->DeepCopy()); |
| 115 if (password_data.GetWithoutPathExpansion(kPasswordRevision, &value)) |
| 116 holder.SetWithoutPathExpansion(kPasswordRevision, value->DeepCopy()); |
| 117 owner_->SetPasswordInformation(user_id, &holder); |
| 118 } |
| 119 |
| 120 bool SupervisedUserAuthentication::PasswordNeedsMigration( |
| 121 const std::string& user_id) { |
| 122 return GetPasswordSchema(user_id) < stable_schema_; |
| 123 } |
| 124 |
| 125 SupervisedUserAuthentication::Schema |
| 126 SupervisedUserAuthentication::GetPasswordSchema( |
| 127 const std::string& user_id) { |
| 128 base::DictionaryValue holder; |
| 129 |
| 130 owner_->GetPasswordInformation(user_id, &holder); |
| 131 // Default version. |
| 132 int schema_version_index; |
| 133 Schema schema_version = SCHEMA_PLAIN; |
| 134 if (holder.GetIntegerWithoutPathExpansion(kSchemaVersion, |
| 135 &schema_version_index)) { |
| 136 schema_version = static_cast<Schema>(schema_version_index); |
| 137 } |
| 138 return schema_version; |
| 139 } |
| 140 |
| 141 void SupervisedUserAuthentication::SchedulePasswordMigration( |
| 142 const std::string& supervised_user_id, |
| 143 const std::string& user_password, |
| 144 SupervisedUserLoginFlow* user_flow) { |
| 145 // TODO(antrim): Add actual migration code once cryptohome has required API. |
| 146 } |
| 147 |
| 148 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 101283003:
Add first implemenation for SU password sync (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src