| OLD | NEW |
| (Empty) | |
| 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 // Crypto - class for handling the keyset key management functions relating to |
| 6 // cryptohome. This includes wrapping/unwrapping the vault keyset (and |
| 7 // supporting functions) and setting/clearing the user keyring for use with |
| 8 // ecryptfs. |
| 9 |
| 10 #ifndef CRYPTOHOME_CRYPTO_H_ |
| 11 #define CRYPTOHOME_CRYPTO_H_ |
| 12 |
| 13 #include <base/basictypes.h> |
| 14 #include <base/file_path.h> |
| 15 |
| 16 #include "secure_blob.h" |
| 17 #include "vault_keyset.h" |
| 18 |
| 19 namespace cryptohome { |
| 20 |
| 21 // Default entropy source is used to seed openssl's random number generator |
| 22 extern const std::string kDefaultEntropySource; |
| 23 |
| 24 class Crypto : public EntropySource { |
| 25 public: |
| 26 |
| 27 // Default constructor, using the default entropy source |
| 28 Crypto(); |
| 29 |
| 30 virtual ~Crypto(); |
| 31 |
| 32 // Returns random bytes of the given length |
| 33 // |
| 34 // Parameters |
| 35 // rand (OUT) - Where to store the random bytes |
| 36 // length - The number of random bytes to store in rand |
| 37 void GetSecureRandom(unsigned char *rand, int length) const; |
| 38 |
| 39 // Unwraps an encrypted vault keyset. The vault keyset should be the output |
| 40 // of WrapVaultKeyset(). |
| 41 // |
| 42 // Parameters |
| 43 // wrapped_keyset - The blob containing the encrypted keyset |
| 44 // vault_wrapper - The passkey wrapper used to unwrap the keyset |
| 45 // vault_keyset (OUT) - The unwrapped vault keyset on success |
| 46 bool UnwrapVaultKeyset(const chromeos::Blob& wrapped_keyset, |
| 47 const chromeos::Blob& vault_wrapper, |
| 48 VaultKeyset* vault_keyset) const; |
| 49 |
| 50 // Wraps (encrypts) the vault keyset with the given wrapper |
| 51 // |
| 52 // Parameters |
| 53 // vault_keyset - The VaultKeyset to encrypt |
| 54 // vault_wrapper - The passkey wrapper used to wrap the keyset |
| 55 // vault_wrapper_salt - The salt to use for the vault wrapper when wrapping |
| 56 // the keyset |
| 57 // wrapped_keyset - On success, the encrypted vault keyset |
| 58 bool WrapVaultKeyset(const VaultKeyset& vault_keyset, |
| 59 const SecureBlob& vault_wrapper, |
| 60 const SecureBlob& vault_wrapper_salt, |
| 61 SecureBlob* wrapped_keyset) const; |
| 62 |
| 63 // Converts the passkey to a symmetric key used to decrypt the user's |
| 64 // cryptohome key. |
| 65 // |
| 66 // Parameters |
| 67 // passkey - The passkey (hash, currently) to create the key from |
| 68 // salt - The salt used in creating the key |
| 69 // iters - The hash iterations to use in generating the key |
| 70 // wrapper (OUT) - The wrapper |
| 71 void PasskeyToWrapper(const chromeos::Blob& passkey, |
| 72 const chromeos::Blob& salt, int iters, |
| 73 SecureBlob* wrapper) const; |
| 74 |
| 75 // Gets an existing salt, or creates one if it doesn't exist |
| 76 // |
| 77 // Parameters |
| 78 // path - The path to the salt file |
| 79 // length - The length of the new salt if it needs to be created |
| 80 // force - If true, forces creation of a new salt even if the file exists |
| 81 // salt (OUT) - The salt |
| 82 bool GetOrCreateSalt(const FilePath& path, int length, bool force, |
| 83 SecureBlob* salt) const; |
| 84 |
| 85 // Adds the specified key to the ecryptfs keyring so that the cryptohome can |
| 86 // be mounted. Clears the user keyring first. |
| 87 // |
| 88 // Parameters |
| 89 // vault_keyset - The keyset to add |
| 90 // key_signature (OUT) - The signature of the cryptohome key that should be |
| 91 // used in subsequent calls to mount(2) |
| 92 // fnek_signature (OUT) - The signature of the cryptohome filename |
| 93 // encryption key that should be used in subsequent calls to mount(2) |
| 94 bool AddKeyset(const VaultKeyset& vault_keyset, |
| 95 std::string* key_signature, |
| 96 std::string* fnek_signature) const; |
| 97 |
| 98 // Clears the user's kernel keyring |
| 99 void ClearKeyset() const; |
| 100 |
| 101 // Encodes a binary blob to hex-ascii |
| 102 // |
| 103 // Parameters |
| 104 // blob - The binary blob to convert |
| 105 // buffer (IN/OUT) - Where to store the converted blob |
| 106 // buffer_length - The size of the buffer |
| 107 static void AsciiEncodeToBuffer(const chromeos::Blob& blob, char* buffer, |
| 108 int buffer_length); |
| 109 |
| 110 // Converts a null-terminated password to a passkey (ascii-encoded first half |
| 111 // of the salted SHA1 hash of the password). |
| 112 // |
| 113 // Parameters |
| 114 // password - The password to convert |
| 115 // salt - The salt used during hashing |
| 116 // passkey (OUT) - The passkey |
| 117 static void PasswordToPasskey(const char *password, |
| 118 const chromeos::Blob& salt, |
| 119 SecureBlob* passkey); |
| 120 |
| 121 // Overrides the default the entropy source |
| 122 void set_entropy_source(const std::string& entropy_source) { |
| 123 entropy_source_ = entropy_source; |
| 124 } |
| 125 |
| 126 private: |
| 127 // Adds the specified key to the user keyring |
| 128 // |
| 129 // Parameters |
| 130 // key - The key to add |
| 131 // key_sig - The key's (ascii) signature |
| 132 // salt - The salt |
| 133 bool PushVaultKey(const SecureBlob& key, const std::string& key_sig, |
| 134 const SecureBlob& salt) const; |
| 135 |
| 136 std::string entropy_source_; |
| 137 |
| 138 DISALLOW_COPY_AND_ASSIGN(Crypto); |
| 139 }; |
| 140 |
| 141 } // namespace cryptohome |
| 142 |
| 143 #endif // CRYPTOHOME_CRYPTO_H_ |
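Review bot: `GetSecureRandom` is declared `void`, so a caller cannot learn that the entropy source or the underlying generator failed, and may go on to use an unfilled buffer as a salt or key. The implementation is not shown here and may handle failure internally, but the interface would be safer as `bool GetSecureRandom(unsigned char* rand, size_t length) const;`, with the comment stating that `rand` must not be used when it returns false. If the signature is inherited from `EntropySource`, which is declared outside this file, the base declaration would need the same change. `AsciiEncodeToBuffer` has the same shape: it returns `void` and takes an `int buffer_length`, so a buffer too small for the encoded output cannot be reported to the caller.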