OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/settings/token_encryptor.h" | 5 #include "chrome/browser/chromeos/settings/token_encryptor.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/strings/string_number_conversions.h" | 10 #include "base/strings/string_number_conversions.h" |
11 #include "base/strings/string_util.h" | 11 #include "base/strings/string_util.h" |
12 #include "base/sys_info.h" | 12 #include "base/sys_info.h" |
13 #include "chromeos/cryptohome/system_salt_getter.h" | 13 #include "chromeos/cryptohome/system_salt_getter.h" |
14 #include "crypto/encryptor.h" | 14 #include "crypto/encryptor.h" |
15 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
16 #include "crypto/sha2.h" | 16 #include "crypto/sha2.h" |
17 #include "crypto/symmetric_key.h" | 17 #include "crypto/symmetric_key.h" |
18 | 18 |
19 namespace chromeos { | 19 namespace chromeos { |
20 | 20 |
21 namespace { | 21 namespace { |
22 const size_t kNonceSize = 16; | 22 const size_t kNonceSize = 16; |
23 } // namespace | 23 } // namespace |
24 | 24 |
25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor() { | 25 CryptohomeTokenEncryptor::CryptohomeTokenEncryptor( |
| 26 const std::string& system_salt) |
| 27 : system_salt_(system_salt) { |
| 28 DCHECK(!system_salt.empty()); |
| 29 // TODO(davidroche): should this use the system salt for both the password |
| 30 // and the salt value, or should this use a separate salt value? |
| 31 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); |
26 } | 32 } |
27 | 33 |
28 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { | 34 CryptohomeTokenEncryptor::~CryptohomeTokenEncryptor() { |
29 } | 35 } |
30 | 36 |
31 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( | 37 std::string CryptohomeTokenEncryptor::EncryptWithSystemSalt( |
32 const std::string& token) { | 38 const std::string& token) { |
33 // Don't care about token encryption while debugging. | 39 // Don't care about token encryption while debugging. |
34 if (!base::SysInfo::IsRunningOnChromeOS()) | 40 if (!base::SysInfo::IsRunningOnChromeOS()) |
35 return token; | 41 return token; |
36 | 42 |
37 if (!LoadSystemSaltKey()) { | 43 if (!system_salt_key_) { |
38 LOG(WARNING) << "System salt key is not available for encrypt."; | 44 LOG(WARNING) << "System salt key is not available for encrypt."; |
39 return std::string(); | 45 return std::string(); |
40 } | 46 } |
41 return EncryptTokenWithKey(system_salt_key_.get(), | 47 return EncryptTokenWithKey(system_salt_key_.get(), |
42 system_salt_, | 48 system_salt_, |
43 token); | 49 token); |
44 } | 50 } |
45 | 51 |
46 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( | 52 std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt( |
47 const std::string& encrypted_token_hex) { | 53 const std::string& encrypted_token_hex) { |
48 // Don't care about token encryption while debugging. | 54 // Don't care about token encryption while debugging. |
49 if (!base::SysInfo::IsRunningOnChromeOS()) | 55 if (!base::SysInfo::IsRunningOnChromeOS()) |
50 return encrypted_token_hex; | 56 return encrypted_token_hex; |
51 | 57 |
52 if (!LoadSystemSaltKey()) { | 58 if (!system_salt_key_) { |
53 LOG(WARNING) << "System salt key is not available for decrypt."; | 59 LOG(WARNING) << "System salt key is not available for decrypt."; |
54 return std::string(); | 60 return std::string(); |
55 } | 61 } |
56 return DecryptTokenWithKey(system_salt_key_.get(), | 62 return DecryptTokenWithKey(system_salt_key_.get(), |
57 system_salt_, | 63 system_salt_, |
58 encrypted_token_hex); | 64 encrypted_token_hex); |
59 } | 65 } |
60 | 66 |
61 // TODO: should this use the system salt for both the password and the salt | |
62 // value, or should this use a separate salt value? | |
63 bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { | |
64 // Assume the system salt should be obtained beforehand at login time. | |
65 if (system_salt_.empty()) | |
66 system_salt_ = SystemSaltGetter::Get()->GetCachedSystemSalt(); | |
67 if (system_salt_.empty()) | |
68 return false; | |
69 if (!system_salt_key_.get()) | |
70 system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_)); | |
71 return system_salt_key_.get(); | |
72 } | |
73 | |
74 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( | 67 crypto::SymmetricKey* CryptohomeTokenEncryptor::PassphraseToKey( |
75 const std::string& passphrase, | 68 const std::string& passphrase, |
76 const std::string& salt) { | 69 const std::string& salt) { |
77 return crypto::SymmetricKey::DeriveKeyFromPassword( | 70 return crypto::SymmetricKey::DeriveKeyFromPassword( |
78 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); | 71 crypto::SymmetricKey::AES, passphrase, salt, 1000, 256); |
79 } | 72 } |
80 | 73 |
81 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( | 74 std::string CryptohomeTokenEncryptor::EncryptTokenWithKey( |
82 crypto::SymmetricKey* key, | 75 crypto::SymmetricKey* key, |
83 const std::string& salt, | 76 const std::string& salt, |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
123 std::string token; | 116 std::string token; |
124 CHECK(encryptor.SetCounter(nonce)); | 117 CHECK(encryptor.SetCounter(nonce)); |
125 if (!encryptor.Decrypt(encrypted_token, &token)) { | 118 if (!encryptor.Decrypt(encrypted_token, &token)) { |
126 LOG(WARNING) << "Failed to decrypt token."; | 119 LOG(WARNING) << "Failed to decrypt token."; |
127 return std::string(); | 120 return std::string(); |
128 } | 121 } |
129 return token; | 122 return token; |
130 } | 123 } |
131 | 124 |
132 } // namespace chromeos | 125 } // namespace chromeos |
OLD | NEW |