Index: chromeos/cryptohome/cryptohome_library.cc |
diff --git a/chromeos/cryptohome/cryptohome_library.cc b/chromeos/cryptohome/cryptohome_library.cc |
index 721f932aa4ae5beb59a92cd253beaceddd29b62e..29745ca444e5f8b89f32d5e6b149d0cec6898fd8 100644 |
--- a/chromeos/cryptohome/cryptohome_library.cc |
+++ b/chromeos/cryptohome/cryptohome_library.cc |
@@ -14,17 +14,12 @@ |
#include "chromeos/dbus/cryptohome_client.h" |
#include "chromeos/dbus/dbus_method_call_status.h" |
#include "chromeos/dbus/dbus_thread_manager.h" |
-#include "crypto/encryptor.h" |
-#include "crypto/nss_util.h" |
-#include "crypto/sha2.h" |
-#include "crypto/symmetric_key.h" |
namespace chromeos { |
namespace { |
const char kStubSystemSalt[] = "stub_system_salt"; |
-const size_t kNonceSize = 16; |
} // namespace |
@@ -42,33 +37,8 @@ class CryptohomeLibraryImpl : public CryptohomeLibrary { |
return system_salt_; |
} |
- virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE { |
- // Don't care about token encryption while debugging. |
- if (!base::SysInfo::IsRunningOnChromeOS()) |
- return token; |
- |
- if (!LoadSystemSaltKey()) { |
- LOG(WARNING) << "System salt key is not available for encrypt."; |
- return std::string(); |
- } |
- return EncryptTokenWithKey(system_salt_key_.get(), |
- system_salt_, |
- token); |
- } |
- |
- virtual std::string DecryptWithSystemSalt( |
- const std::string& encrypted_token_hex) OVERRIDE { |
- // Don't care about token encryption while debugging. |
- if (!base::SysInfo::IsRunningOnChromeOS()) |
- return encrypted_token_hex; |
- |
- if (!LoadSystemSaltKey()) { |
- LOG(WARNING) << "System salt key is not available for decrypt."; |
- return std::string(); |
- } |
- return DecryptTokenWithKey(system_salt_key_.get(), |
- system_salt_, |
- encrypted_token_hex); |
+ virtual std::string GetCachedSystemSalt() OVERRIDE { |
+ return system_salt_; |
} |
private: |
@@ -85,104 +55,25 @@ class CryptohomeLibraryImpl : public CryptohomeLibrary { |
reinterpret_cast<const void*>(salt.data()), salt.size())); |
} |
- // TODO: should this use the system salt for both the password and the salt |
- // value, or should this use a separate salt value? |
- bool LoadSystemSaltKey() { |
- if (system_salt_.empty()) |
- return false; |
- if (!system_salt_key_.get()) |
- system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); |
- return system_salt_key_.get(); |
- } |
- |
- crypto::SymmetricKey* PassphraseToKey(const std::string& passphrase, |
- const std::string& salt) { |
- return crypto::SymmetricKey::DeriveKeyFromPassword( |
- crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); |
- } |
- |
- |
- // Encrypts (AES) the token given |key| and |salt|. |
- std::string EncryptTokenWithKey(crypto::SymmetricKey* key, |
- const std::string& salt, |
- const std::string& token) { |
- crypto::Encryptor encryptor; |
- if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
- LOG(WARNING) << "Failed to initialize Encryptor."; |
- return std::string(); |
- } |
- std::string nonce = salt.substr(0, kNonceSize); |
- std::string encoded_token; |
- CHECK(encryptor.SetCounter(nonce)); |
- if (!encryptor.Encrypt(token, &encoded_token)) { |
- LOG(WARNING) << "Failed to encrypt token."; |
- return std::string(); |
- } |
- |
- return StringToLowerASCII(base::HexEncode( |
- reinterpret_cast<const void*>(encoded_token.data()), |
- encoded_token.size())); |
- } |
- |
- // Decrypts (AES) hex encoded encrypted token given |key| and |salt|. |
- std::string DecryptTokenWithKey(crypto::SymmetricKey* key, |
- const std::string& salt, |
- const std::string& encrypted_token_hex) { |
- std::vector<uint8> encrypted_token_bytes; |
- if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) { |
- LOG(WARNING) << "Corrupt encrypted token found."; |
- return std::string(); |
- } |
- |
- std::string encrypted_token( |
- reinterpret_cast<char*>(encrypted_token_bytes.data()), |
- encrypted_token_bytes.size()); |
- crypto::Encryptor encryptor; |
- if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) { |
- LOG(WARNING) << "Failed to initialize Encryptor."; |
- return std::string(); |
- } |
- |
- std::string nonce = salt.substr(0, kNonceSize); |
- std::string token; |
- CHECK(encryptor.SetCounter(nonce)); |
- if (!encryptor.Decrypt(encrypted_token, &token)) { |
- LOG(WARNING) << "Failed to decrypt token."; |
- return std::string(); |
- } |
- return token; |
- } |
- |
std::string system_salt_; |
- // A key based on the system salt. Useful for encrypting device-level |
- // data for which we have no additional credentials. |
- scoped_ptr<crypto::SymmetricKey> system_salt_key_; |
DISALLOW_COPY_AND_ASSIGN(CryptohomeLibraryImpl); |
}; |
class CryptohomeLibraryStubImpl : public CryptohomeLibrary { |
public: |
- CryptohomeLibraryStubImpl() |
- : locked_(false) {} |
+ CryptohomeLibraryStubImpl() {} |
virtual ~CryptohomeLibraryStubImpl() {} |
virtual std::string GetSystemSalt() OVERRIDE { |
return kStubSystemSalt; |
} |
- virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE { |
- return token; |
- } |
- |
- virtual std::string DecryptWithSystemSalt( |
- const std::string& encrypted_token_hex) OVERRIDE { |
- return encrypted_token_hex; |
+ virtual std::string GetCachedSystemSalt() OVERRIDE { |
+ return kStubSystemSalt; |
} |
private: |
- std::map<std::string, std::string> install_attrs_; |
- bool locked_; |
DISALLOW_COPY_AND_ASSIGN(CryptohomeLibraryStubImpl); |
}; |