Add a Key class

chrome/browser/chromeos/login/auth/parallel_authenticator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/auth/parallel_authenticator.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/boot_times_loader.h"
 #include "chrome/browser/chromeos/login/auth/authentication_notification_details.h"
+#include "chrome/browser/chromeos/login/auth/key.h"
 #include "chrome/browser/chromeos/login/auth/login_status_consumer.h"
 #include "chrome/browser/chromeos/login/auth/user_context.h"
 #include "chrome/browser/chromeos/login/users/user.h"
 #include "chrome/browser/chromeos/login/users/user_manager.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_factory.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/common/chrome_switches.h"
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/login_state.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
-#include "crypto/sha2.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 using content::BrowserThread;
 
 namespace chromeos {
 
 namespace {
 
-// Length of password hashed with SHA-256.
-const int kPasswordHashLength = 32;
+// Hashes |key| with |system_salt| if it its type is KEY_TYPE_PASSWORD_PLAIN.
+// Returns the keys unmodified otherwise.
+scoped_ptr<Key> TransformKeyIfNeeded(const Key& key,
+                                     const std::string& system_salt) {
+  scoped_ptr<Key> result(new Key(key));
+  if (result->GetKeyType() == Key::KEY_TYPE_PASSWORD_PLAIN)
+    result->Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt);
+
+  return result.Pass();
+}
 
 // Records status and calls resolver->Resolve().
 void TriggerResolve(AuthAttemptState* attempt,
                     scoped_refptr<ParallelAuthenticator> resolver,
                     bool success,
                     cryptohome::MountError return_code) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   attempt->RecordCryptohomeStatus(success, return_code);
   resolver->Resolve();
 }
@@ skipping 26 matching lines @@
 void Mount(AuthAttemptState* attempt,
            scoped_refptr<ParallelAuthenticator> resolver,
            int flags,
            const std::string& system_salt) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   chromeos::BootTimesLoader::Get()->AddLoginTimeMarker(
       "CryptohomeMount-Start", false);
   // Set state that username_hash is requested here so that test implementation
   // that returns directly would not generate 2 OnLoginSucces() calls.
   attempt->UsernameHashRequested();
+
+  scoped_ptr<Key> key =
+      TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMount(
       attempt->user_context.GetUserID(),
-      ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(),
-                                          system_salt),
+      key->GetSecret(),
       flags,
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMount-End",
                  attempt,
                  resolver));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncGetSanitizedUsername(
       attempt->user_context.GetUserID(),
       base::Bind(&TriggerResolveHash,
                  attempt,
                  resolver));
@@ skipping 51 matching lines @@
 void Migrate(AuthAttemptState* attempt,
              scoped_refptr<ParallelAuthenticator> resolver,
              bool passing_old_hash,
              const std::string& old_password,
              const std::string& system_salt) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   chromeos::BootTimesLoader::Get()->AddLoginTimeMarker(
       "CryptohomeMigrate-Start", false);
   cryptohome::AsyncMethodCaller* caller =
       cryptohome::AsyncMethodCaller::GetInstance();
+
+  // TODO(bartfab): Retrieve the hashing algorithm and salt to use for |old_key|
+  // from cryptohomed.
+  scoped_ptr<Key> old_key =
+      TransformKeyIfNeeded(Key(old_password), system_salt);
+  scoped_ptr<Key> new_key =
+      TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   if (passing_old_hash) {
-    caller->AsyncMigrateKey(
-        attempt->user_context.GetUserID(),
-        ParallelAuthenticator::HashPassword(old_password, system_salt),
-        ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(),
-                                            system_salt),
-        base::Bind(&TriggerResolveWithLoginTimeMarker,
-                   "CryptohomeMount-End",
-                   attempt,
-                   resolver));
+    caller->AsyncMigrateKey(attempt->user_context.GetUserID(),
+                            old_key->GetSecret(),
+                            new_key->GetSecret(),
+                            base::Bind(&TriggerResolveWithLoginTimeMarker,
+                                       "CryptohomeMount-End",
+                                       attempt,
+                                       resolver));
   } else {
-    caller->AsyncMigrateKey(
-        attempt->user_context.GetUserID(),
-        ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(),
-                                            system_salt),
-        ParallelAuthenticator::HashPassword(old_password, system_salt),
-        base::Bind(&TriggerResolveWithLoginTimeMarker,
-                   "CryptohomeMount-End",
-                   attempt,
-                   resolver));
+    caller->AsyncMigrateKey(attempt->user_context.GetUserID(),
+                            new_key->GetSecret(),
+                            old_key->GetSecret(),
+                            base::Bind(&TriggerResolveWithLoginTimeMarker,
+                                       "CryptohomeMount-End",
+                                       attempt,
+                                       resolver));
   }
 }
 
 // Calls cryptohome's remove method.
 void Remove(AuthAttemptState* attempt,
             scoped_refptr<ParallelAuthenticator> resolver) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   chromeos::BootTimesLoader::Get()->AddLoginTimeMarker(
       "CryptohomeRemove-Start", false);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncRemove(
       attempt->user_context.GetUserID(),
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeRemove-End",
                  attempt,
                  resolver));
 }
 
 // Calls cryptohome's key check method.
 void CheckKey(AuthAttemptState* attempt,
               scoped_refptr<ParallelAuthenticator> resolver,
               const std::string& system_salt) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  scoped_ptr<Key> key =
+      TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey(
       attempt->user_context.GetUserID(),
-      ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(),
-                                          system_salt),
+      key->GetSecret(),
       base::Bind(&TriggerResolve, attempt, resolver));
 }
 
 }  // namespace
 
 ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer)
     : Authenticator(consumer),
       migrate_attempted_(false),
       remove_attempted_(false),
       resync_attempted_(false),
@@ skipping 435 matching lines @@
                                   this,
                                   LoginFailure(LoginFailure::OWNER_REQUIRED)));
       break;
     }
     default:
       NOTREACHED();
       break;
   }
 }
 
-// static.
-std::string ParallelAuthenticator::HashPassword(const std::string& password,
-                                                const std::string& ascii_salt) {
-  // Update sha with ascii encoded salt, then update with ascii of password,
-  // then end.
-  // TODO(stevenjb/nkostylev): Handle empty system salt gracefully.
-  CHECK(!ascii_salt.empty());
-  char passhash_buf[kPasswordHashLength];
-
-  // Hash salt and password
-  crypto::SHA256HashString(ascii_salt + password,
-                           &passhash_buf, sizeof(passhash_buf));
-
-  // Only want the top half for 'weak' hashing so that the passphrase is not
-  // immediately exposed even if the output is reversed.
-  const int encoded_length = sizeof(passhash_buf) / 2;
-
-  return StringToLowerASCII(base::HexEncode(
-      reinterpret_cast<const void*>(passhash_buf), encoded_length));
-}
-
 ParallelAuthenticator::~ParallelAuthenticator() {}
 
 ParallelAuthenticator::AuthState ParallelAuthenticator::ResolveState() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   // If we haven't mounted the user's home dir yet or
   // haven't got sanitized username value, we can't be done.
   // We never get past here if any of these two cryptohome ops is still pending.
   // This is an important invariant.
   if (!current_state_->cryptohome_complete() ||
       !current_state_->username_hash_obtained()) {
@@ skipping 126 matching lines @@
   Resolve();
 }
 
 void ParallelAuthenticator::SetOwnerState(bool owner_check_finished,
                                           bool check_result) {
   owner_is_verified_ = owner_check_finished;
   user_can_login_ = check_result;
 }
 
 }  // namespace chromeos