| (Empty) |
1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef PAM_OFFLINE_AUTHENTICATOR_H_ | |
6 #define PAM_OFFLINE_AUTHENTICATOR_H_ | |
7 | |
8 #include "base/basictypes.h" | |
9 #include "pam_offline/credentials.h" | |
10 #include "pam_offline/utils.h" | |
11 | |
12 namespace pam_offline { | |
13 | |
14 // System salt and user dirs start here. | |
15 extern const std::string kDefaultShadowRoot; | |
16 | |
17 class Authenticator { | |
18 | |
19 public: | |
20 // Initializes the authenticator with the default shadow root of | |
21 // "/home/.shadow/". | |
22 Authenticator(); | |
23 | |
24 // Initializes the authenticator with an alternative shadow root. The | |
25 // shadow_root should point to a directory with the system salt and | |
26 // obfuscated user directories. | |
27 // | |
28 // Parameters | |
29 // shadow_root - A local file system path containing the system salt | |
30 // and obfuscated user directories. | |
31 // | |
32 explicit Authenticator(const std::string &shadow_root); | |
33 | |
34 ~Authenticator(); | |
35 | |
36 // Loads the system salt, and anything else that might need to be done. | |
37 // This *must* be called before other methods. | |
38 // | |
39 // Returns false if the initialization fails for some reason. May also | |
40 // spew LOG messages on failure. | |
41 bool Init(); | |
42 | |
43 // Returns the system salt | |
44 Blob GetSystemSalt() const; | |
45 | |
46 // "Wraps" the hashed password using the same algorithm as | |
47 // cryptohome::password_to_wrapper. This encodes the hashed_password in a | |
48 // master key specific salt, resulting in the passphrase for the master | |
49 // key. | |
50 // | |
51 // Parameters | |
52 // master_salt_file - The local filesystem path to the salt file for the | |
53 // master password that you intend to decrypt. | |
54 // hashed_password - The user's hashed password, as returned by | |
55 // Credentials::GetPasswordWeakHash. | |
56 // iters - The number of wrap iterations to perform. Should be the same | |
57 // number that were used by the cryptohome script to create the passphrase. | |
58 // | |
59 std::string IteratedWrapHashedPassword(const std::string &master_salt_file, | |
60 const std::string &hashed_password, | |
61 const int iters) const; | |
62 | |
63 // Same as above, except with a default iters of 1. | |
64 std::string WrapHashedPassword(const std::string &master_salt_file, | |
65 const std::string &hashed_password) const; | |
66 | |
67 bool TestDecrypt(const std::string passphrase, | |
68 const Blob salt, | |
69 const Blob cipher_text) const; | |
70 | |
71 // Attempts to decrypt a single master key. | |
72 // | |
73 // Parameters | |
74 // master_key_file - The full local filesystem path to the master key. | |
75 // hashed_password - The hashed password (as returned by | |
76 // Credentials.GetPasswordWeakHash) | |
77 // | |
78 bool TestOneMasterKey(const std::string &master_key_file, | |
79 const std::string &hashed_password) const; | |
80 | |
81 // Enumerates all of the master keys (master.0, master.1, etc), looking | |
82 // for that can be successfully decrypted with the given credentials. | |
83 // | |
84 // Parameters | |
85 // credentials - An object representing the user's credentials. | |
86 // | |
87 bool TestAllMasterKeys(const Credentials &credentials) const; | |
88 | |
89 private: | |
90 std::string shadow_root_; | |
91 Blob system_salt_; | |
92 | |
93 DISALLOW_COPY_AND_ASSIGN(Authenticator); | |
94 }; | |
95 | |
96 } // namespace pam_offline | |
97 | |
98 #endif // PAM_OFFLINE_AUTHENTICATOR_H_ | |