Chromium Code Reviews Chromium Code Reviews
Issue 11299236:
This moves the ONC parsing code into chromeos/network/onc (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/network_settings/onc_utils.h" | 5 #include "chromeos/network/onc/onc_utils.h" |
| 6 | 6 |
| 7 #include "base/base64.h" | 7 #include "base/base64.h" |
| 8 #include "base/json/json_reader.h" | 8 #include "base/json/json_reader.h" |
| 9 #include "base/values.h" | 9 #include "base/values.h" |
| 10 #include "chrome/browser/chromeos/cros/onc_constants.h" | 10 #include "chromeos/network/onc/onc_constants.h" |
| 11 #include "crypto/encryptor.h" | 11 #include "crypto/encryptor.h" |
| 12 #include "crypto/hmac.h" | 12 #include "crypto/hmac.h" |
| 13 #include "crypto/symmetric_key.h" | 13 #include "crypto/symmetric_key.h" |
| 14 #include "grit/generated_resources.h" | |
| 15 #include "ui/base/l10n/l10n_util.h" | |
| 16 | 14 |
| 17 namespace chromeos { | 15 namespace chromeos { |
| 18 namespace onc { | 16 namespace onc { |
| 19 | 17 |
| 18 const char kResultSuccess[] = "Success"; | |
| 19 const char kErrorNotAJsonDictionary[] = "Not a JSON dictionary"; | |
| 20 const char kErrorEncryptedOncMalformed[] = "Encrypted ONC malformed"; | |
| 21 const char kErrorEncryptedOncUnsupportedEncryption[] = | |
| 22 "Encrypted ONC unsupported encryption"; | |
| 23 const char kErrorEncryptedOncUnableToDecrypt[] = | |
| 24 "Encrypted ONC unable to decrypt"; | |
| 25 const char kErrorEncryptedOncTooManyIterations[] = | |
| 26 "Encrypted ONC too many iterations"; | |
| 27 const char kErrorEncryptedOncUnableToDecode[] = | |
| 28 "Encrypted ONC unable to decode"; | |
| 29 const char kErrorPropertyDictionaryMalformed[] = | |
| 30 "Property dictionary malformed"; | |
| 31 | |
| 20 scoped_ptr<base::DictionaryValue> ReadDictionaryFromJson( | 32 scoped_ptr<base::DictionaryValue> ReadDictionaryFromJson( |
| 21 const std::string& json, | 33 const std::string& json, |
| 22 std::string* error) { | 34 std::string* error) { |
| 23 base::Value* root = base::JSONReader::ReadAndReturnError( | 35 base::Value* root = base::JSONReader::ReadAndReturnError( |
| 24 json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, error); | 36 json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, error); |
| 25 | 37 |
| 26 base::DictionaryValue* dict_ptr = NULL; | 38 base::DictionaryValue* dict_ptr = NULL; |
| 27 if (root != NULL && !root->GetAsDictionary(&dict_ptr)) { | 39 if (root != NULL && !root->GetAsDictionary(&dict_ptr)) { |
| 28 if (error) { | 40 if (error) |
| 29 *error = l10n_util::GetStringUTF8( | 41 *error = kErrorNotAJsonDictionary; |
| 30 IDS_NETWORK_CONFIG_ERROR_NETWORK_NOT_A_JSON_DICTIONARY); | |
| 31 } | |
| 32 delete root; | 42 delete root; |
| 33 } | 43 } |
| 34 | 44 |
| 45 if (error) | |
| 46 *error = kResultSuccess; | |
| 35 return make_scoped_ptr(dict_ptr); | 47 return make_scoped_ptr(dict_ptr); |
| 36 } | 48 } |
| 37 | 49 |
| 38 scoped_ptr<base::DictionaryValue> Decrypt(const std::string& passphrase, | 50 scoped_ptr<base::DictionaryValue> Decrypt(const std::string& passphrase, |
| 39 const base::DictionaryValue& root, | 51 const base::DictionaryValue& root, |
| 40 std::string* error) { | 52 std::string* error) { |
| 41 const int kKeySizeInBits = 256; | 53 const int kKeySizeInBits = 256; |
| 42 const int kMaxIterationCount = 500000; | 54 const int kMaxIterationCount = 500000; |
| 43 std::string onc_type; | 55 std::string onc_type; |
| 44 std::string initial_vector; | 56 std::string initial_vector; |
| 45 std::string salt; | 57 std::string salt; |
| 46 std::string cipher; | 58 std::string cipher; |
| 47 std::string stretch_method; | 59 std::string stretch_method; |
| 48 std::string hmac_method; | 60 std::string hmac_method; |
| 49 std::string hmac; | 61 std::string hmac; |
| 50 int iterations; | 62 int iterations; |
| 51 std::string ciphertext; | 63 std::string ciphertext; |
| 52 | 64 |
| 53 if (!root.GetString(encrypted::kCiphertext, &ciphertext) || | 65 if (!root.GetString(encrypted::kCiphertext, &ciphertext) || |
| 54 !root.GetString(encrypted::kCipher, &cipher) || | 66 !root.GetString(encrypted::kCipher, &cipher) || |
| 55 !root.GetString(encrypted::kHMAC, &hmac) || | 67 !root.GetString(encrypted::kHMAC, &hmac) || |
| 56 !root.GetString(encrypted::kHMACMethod, &hmac_method) || | 68 !root.GetString(encrypted::kHMACMethod, &hmac_method) || |
| 57 !root.GetString(encrypted::kIV, &initial_vector) || | 69 !root.GetString(encrypted::kIV, &initial_vector) || |
| 58 !root.GetInteger(encrypted::kIterations, &iterations) || | 70 !root.GetInteger(encrypted::kIterations, &iterations) || |
| 59 !root.GetString(encrypted::kSalt, &salt) || | 71 !root.GetString(encrypted::kSalt, &salt) || |
| 60 !root.GetString(encrypted::kStretch, &stretch_method) || | 72 !root.GetString(encrypted::kStretch, &stretch_method) || |
| 61 !root.GetString(encrypted::kType, &onc_type) || | 73 !root.GetString(encrypted::kType, &onc_type) || |
| 62 onc_type != kEncryptedConfiguration) { | 74 onc_type != kEncryptedConfiguration) { |
| 63 *error = l10n_util::GetStringUTF8( | 75 if (error) |
| 64 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_MALFORMED); | 76 *error = kErrorEncryptedOncMalformed; |
| 65 return scoped_ptr<base::DictionaryValue>(); | 77 return scoped_ptr<base::DictionaryValue>(); |
| 66 } | 78 } |
| 67 | 79 |
| 68 if (hmac_method != encrypted::kSHA1 || | 80 if (hmac_method != encrypted::kSHA1 || |
| 69 cipher != encrypted::kAES256 || | 81 cipher != encrypted::kAES256 || |
| 70 stretch_method != encrypted::kPBKDF2) { | 82 stretch_method != encrypted::kPBKDF2) { |
| 71 *error = l10n_util::GetStringUTF8( | 83 if (error) |
| 72 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNSUPPORTED_ENCRYPTION); | 84 *error = kErrorEncryptedOncUnsupportedEncryption; |
| 73 return scoped_ptr<base::DictionaryValue>(); | 85 return scoped_ptr<base::DictionaryValue>(); |
| 74 } | 86 } |
| 75 | 87 |
| 76 // Make sure iterations != 0, since that's not valid. | 88 // Make sure iterations != 0, since that's not valid. |
| 77 if (iterations == 0) { | 89 if (iterations == 0) { |
| 78 *error = l10n_util::GetStringUTF8( | 90 if (error) |
| 79 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECRYPT); | 91 *error = kErrorEncryptedOncUnableToDecrypt; |
| 80 return scoped_ptr<base::DictionaryValue>(); | 92 return scoped_ptr<base::DictionaryValue>(); |
| 81 } | 93 } |
| 82 | 94 |
| 83 // Simply a sanity check to make sure we can't lock up the machine | 95 // Simply a sanity check to make sure we can't lock up the machine |
| 84 // for too long with a huge number (or a negative number). | 96 // for too long with a huge number (or a negative number). |
| 85 if (iterations < 0 || iterations > kMaxIterationCount) { | 97 if (iterations < 0 || iterations > kMaxIterationCount) { |
| 86 *error = l10n_util::GetStringUTF8( | 98 if (error) |
| 87 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_TOO_MANY_ITERATIONS); | 99 *error = kErrorEncryptedOncTooManyIterations; |
| 88 return scoped_ptr<base::DictionaryValue>(); | 100 return scoped_ptr<base::DictionaryValue>(); |
| 89 } | 101 } |
| 90 | 102 |
| 91 if (!base::Base64Decode(salt, &salt)) { | 103 if (!base::Base64Decode(salt, &salt)) { |
| 92 *error = l10n_util::GetStringUTF8( | 104 if (error) |
| 93 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECODE); | 105 *error = kErrorEncryptedOncUnableToDecode; |
| 94 return scoped_ptr<base::DictionaryValue>(); | 106 return scoped_ptr<base::DictionaryValue>(); |
| 95 } | 107 } |
| 96 | 108 |
| 97 scoped_ptr<crypto::SymmetricKey> key( | 109 scoped_ptr<crypto::SymmetricKey> key( |
| 98 crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES, | 110 crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES, |
| 99 passphrase, | 111 passphrase, |
| 100 salt, | 112 salt, |
| 101 iterations, | 113 iterations, |
| 102 kKeySizeInBits)); | 114 kKeySizeInBits)); |
| 103 | 115 |
| 104 if (!base::Base64Decode(initial_vector, &initial_vector)) { | 116 if (!base::Base64Decode(initial_vector, &initial_vector)) { |
| 105 *error = l10n_util::GetStringUTF8( | 117 if (error) |
| 106 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECODE); | 118 *error = kErrorEncryptedOncUnableToDecode; |
| 107 return scoped_ptr<base::DictionaryValue>(); | 119 return scoped_ptr<base::DictionaryValue>(); |
| 108 } | 120 } |
| 109 if (!base::Base64Decode(ciphertext, &ciphertext)) { | 121 if (!base::Base64Decode(ciphertext, &ciphertext)) { |
| 110 *error = l10n_util::GetStringUTF8( | 122 if (error) |
| 111 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECODE); | 123 *error = kErrorEncryptedOncUnableToDecode; |
| 112 return scoped_ptr<base::DictionaryValue>(); | 124 return scoped_ptr<base::DictionaryValue>(); |
| 113 } | 125 } |
| 114 if (!base::Base64Decode(hmac, &hmac)) { | 126 if (!base::Base64Decode(hmac, &hmac)) { |
| 115 *error = l10n_util::GetStringUTF8( | 127 if (error) |
| 116 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECODE); | 128 *error = kErrorEncryptedOncUnableToDecode; |
| 117 return scoped_ptr<base::DictionaryValue>(); | 129 return scoped_ptr<base::DictionaryValue>(); |
| 118 } | 130 } |
| 119 | 131 |
| 120 crypto::HMAC hmac_verifier(crypto::HMAC::SHA1); | 132 crypto::HMAC hmac_verifier(crypto::HMAC::SHA1); |
| 121 if (!hmac_verifier.Init(key.get()) || | 133 if (!hmac_verifier.Init(key.get()) || |
| 122 !hmac_verifier.Verify(ciphertext, hmac)) { | 134 !hmac_verifier.Verify(ciphertext, hmac)) { |
| 123 *error = l10n_util::GetStringUTF8( | 135 if (error) |
| 124 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECRYPT); | 136 *error = kErrorEncryptedOncUnableToDecrypt; |
| 125 return scoped_ptr<base::DictionaryValue>(); | 137 return scoped_ptr<base::DictionaryValue>(); |
| 126 } | 138 } |
| 127 | 139 |
| 128 crypto::Encryptor decryptor; | 140 crypto::Encryptor decryptor; |
| 129 if (!decryptor.Init(key.get(), crypto::Encryptor::CBC, initial_vector)) { | 141 if (!decryptor.Init(key.get(), crypto::Encryptor::CBC, initial_vector)) { |
| 130 *error = l10n_util::GetStringUTF8( | 142 if (error) |
| 131 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECRYPT); | 143 *error = kErrorEncryptedOncUnableToDecrypt; |
| 132 return scoped_ptr<base::DictionaryValue>(); | 144 return scoped_ptr<base::DictionaryValue>(); |
| 133 } | 145 } |
| 134 | 146 |
| 135 std::string plaintext; | 147 std::string plaintext; |
| 136 if (!decryptor.Decrypt(ciphertext, &plaintext)) { | 148 if (!decryptor.Decrypt(ciphertext, &plaintext)) { |
| 137 *error = l10n_util::GetStringUTF8( | 149 if (error) |
| 138 IDS_NETWORK_CONFIG_ERROR_ENCRYPTED_ONC_UNABLE_TO_DECRYPT); | 150 *error = kErrorEncryptedOncUnableToDecrypt; |
| 139 return scoped_ptr<base::DictionaryValue>(); | 151 return scoped_ptr<base::DictionaryValue>(); |
| 140 } | 152 } |
| 141 | 153 |
| 142 scoped_ptr<base::DictionaryValue> new_root = | 154 scoped_ptr<base::DictionaryValue> new_root = |
| 143 ReadDictionaryFromJson(plaintext, error); | 155 ReadDictionaryFromJson(plaintext, error); |
| 144 if (new_root.get() == NULL && error->empty()) { | 156 if (new_root.get() == NULL && error->empty()) { |
| 145 *error = l10n_util::GetStringUTF8( | 157 if (error) |
| 146 IDS_NETWORK_CONFIG_ERROR_NETWORK_PROP_DICT_MALFORMED); | 158 *error = kErrorPropertyDictionaryMalformed; |
|
pneubeck (no reviews)
2012/12/04 10:43:56
If we go on using prefixes for the constants, than
Greg Spencer (Chromium)
2012/12/07 18:12:27
Constant went away.
| |
| 147 } | 159 } |
| 160 | |
| 161 if (error) | |
| 162 *error = kResultSuccess; | |
|
pneubeck (no reviews)
2012/12/04 10:43:56
That overwrites the json error, as there is no ret
Greg Spencer (Chromium)
2012/12/07 18:12:27
good catch. Added return from last if.
| |
| 148 return new_root.Pass(); | 163 return new_root.Pass(); |
| 149 } | 164 } |
| 150 | 165 |
| 151 } // chromeos | 166 } // chromeos |
| 152 } // onc | 167 } // onc |
| OLD | NEW |
