Index: chrome/browser/chromeos/login/auth/parallel_authenticator.cc |
diff --git a/chrome/browser/chromeos/login/auth/parallel_authenticator.cc b/chrome/browser/chromeos/login/auth/parallel_authenticator.cc |
index 099c9e0995668bad4d4265775896c18b40750969..bc4b05aba5ec0f862cebe5e15493e1def00061fe 100644 |
--- a/chrome/browser/chromeos/login/auth/parallel_authenticator.cc |
+++ b/chrome/browser/chromeos/login/auth/parallel_authenticator.cc |
@@ -8,11 +8,10 @@ |
#include "base/command_line.h" |
#include "base/files/file_path.h" |
#include "base/logging.h" |
-#include "base/strings/string_number_conversions.h" |
-#include "base/strings/string_util.h" |
#include "chrome/browser/chrome_notification_types.h" |
#include "chrome/browser/chromeos/boot_times_loader.h" |
#include "chrome/browser/chromeos/login/auth/authentication_notification_details.h" |
+#include "chrome/browser/chromeos/login/auth/key.h" |
#include "chrome/browser/chromeos/login/auth/login_status_consumer.h" |
#include "chrome/browser/chromeos/login/auth/user_context.h" |
#include "chrome/browser/chromeos/login/users/user.h" |
@@ -27,7 +26,6 @@ |
#include "chromeos/login/login_state.h" |
#include "content/public/browser/browser_thread.h" |
#include "content/public/browser/notification_service.h" |
-#include "crypto/sha2.h" |
#include "third_party/cros_system_api/dbus/service_constants.h" |
using content::BrowserThread; |
@@ -36,8 +34,16 @@ namespace chromeos { |
namespace { |
-// Length of password hashed with SHA-256. |
-const int kPasswordHashLength = 32; |
+// Hashes |key| with |system_salt| if it its type is KEY_TYPE_PASSWORD_PLAIN. |
+// Returns the keys unmodified otherwise. |
+scoped_ptr<Key> TransformKeyIfNeeded(const Key& key, |
+ const std::string& system_salt) { |
+ scoped_ptr<Key> result(new Key(key)); |
+ if (result->GetKeyType() == Key::KEY_TYPE_PASSWORD_PLAIN) |
+ result->Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt); |
+ |
+ return result.Pass(); |
+} |
// Records status and calls resolver->Resolve(). |
void TriggerResolve(AuthAttemptState* attempt, |
@@ -84,10 +90,12 @@ void Mount(AuthAttemptState* attempt, |
// Set state that username_hash is requested here so that test implementation |
// that returns directly would not generate 2 OnLoginSucces() calls. |
attempt->UsernameHashRequested(); |
+ |
+ scoped_ptr<Key> key = |
+ TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt); |
cryptohome::AsyncMethodCaller::GetInstance()->AsyncMount( |
attempt->user_context.GetUserID(), |
- ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(), |
- system_salt), |
+ key->GetSecret(), |
flags, |
base::Bind(&TriggerResolveWithLoginTimeMarker, |
"CryptohomeMount-End", |
@@ -159,26 +167,29 @@ void Migrate(AuthAttemptState* attempt, |
"CryptohomeMigrate-Start", false); |
cryptohome::AsyncMethodCaller* caller = |
cryptohome::AsyncMethodCaller::GetInstance(); |
+ |
+ // TODO(bartfab): Retrieve the hashing algorithm and salt to use for |old_key| |
+ // from cryptohomed. |
+ scoped_ptr<Key> old_key = |
+ TransformKeyIfNeeded(Key(old_password), system_salt); |
+ scoped_ptr<Key> new_key = |
+ TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt); |
if (passing_old_hash) { |
- caller->AsyncMigrateKey( |
- attempt->user_context.GetUserID(), |
- ParallelAuthenticator::HashPassword(old_password, system_salt), |
- ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(), |
- system_salt), |
- base::Bind(&TriggerResolveWithLoginTimeMarker, |
- "CryptohomeMount-End", |
- attempt, |
- resolver)); |
+ caller->AsyncMigrateKey(attempt->user_context.GetUserID(), |
+ old_key->GetSecret(), |
+ new_key->GetSecret(), |
+ base::Bind(&TriggerResolveWithLoginTimeMarker, |
+ "CryptohomeMount-End", |
+ attempt, |
+ resolver)); |
} else { |
- caller->AsyncMigrateKey( |
- attempt->user_context.GetUserID(), |
- ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(), |
- system_salt), |
- ParallelAuthenticator::HashPassword(old_password, system_salt), |
- base::Bind(&TriggerResolveWithLoginTimeMarker, |
- "CryptohomeMount-End", |
- attempt, |
- resolver)); |
+ caller->AsyncMigrateKey(attempt->user_context.GetUserID(), |
+ new_key->GetSecret(), |
+ old_key->GetSecret(), |
+ base::Bind(&TriggerResolveWithLoginTimeMarker, |
+ "CryptohomeMount-End", |
+ attempt, |
+ resolver)); |
} |
} |
@@ -201,10 +212,11 @@ void CheckKey(AuthAttemptState* attempt, |
scoped_refptr<ParallelAuthenticator> resolver, |
const std::string& system_salt) { |
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
+ scoped_ptr<Key> key = |
+ TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt); |
cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey( |
attempt->user_context.GetUserID(), |
- ParallelAuthenticator::HashPassword(attempt->user_context.GetPassword(), |
- system_salt), |
+ key->GetSecret(), |
base::Bind(&TriggerResolve, attempt, resolver)); |
} |
@@ -660,27 +672,6 @@ void ParallelAuthenticator::Resolve() { |
} |
} |
-// static. |
-std::string ParallelAuthenticator::HashPassword(const std::string& password, |
- const std::string& ascii_salt) { |
- // Update sha with ascii encoded salt, then update with ascii of password, |
- // then end. |
- // TODO(stevenjb/nkostylev): Handle empty system salt gracefully. |
- CHECK(!ascii_salt.empty()); |
- char passhash_buf[kPasswordHashLength]; |
- |
- // Hash salt and password |
- crypto::SHA256HashString(ascii_salt + password, |
- &passhash_buf, sizeof(passhash_buf)); |
- |
- // Only want the top half for 'weak' hashing so that the passphrase is not |
- // immediately exposed even if the output is reversed. |
- const int encoded_length = sizeof(passhash_buf) / 2; |
- |
- return StringToLowerASCII(base::HexEncode( |
- reinterpret_cast<const void*>(passhash_buf), encoded_length)); |
-} |
- |
ParallelAuthenticator::~ParallelAuthenticator() {} |
ParallelAuthenticator::AuthState ParallelAuthenticator::ResolveState() { |