Make CryptohomeAuthenticator's Login*() methods work with pre-hashed keys

chromeos/login/auth/cryptohome_authenticator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/login/auth/cryptohome_authenticator.h"
 
+#include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/cryptohome/homedir_methods.h"
 #include "chromeos/cryptohome/system_salt_getter.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/auth/auth_status_consumer.h"
 #include "chromeos/login/auth/key.h"
 #include "chromeos/login/auth/user_context.h"
 #include "chromeos/login/login_state.h"
 #include "chromeos/login/user_names.h"
 #include "chromeos/login_event_recorder.h"
 #include "components/user_manager/user_type.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 // The label used for the key derived from the user's GAIA credentials.
 const char kCryptohomeGAIAKeyLabel[] = "gaia";
 
+// The name under which the type of key generated from the user's GAIA
+// credentials is stored.
+const char kKeyProviderDataTypeName[] = "type";
+
+// The name under which the salt used to generate a key from the user's GAIA
+// credentials is stored.
+const char kKeyProviderDataSaltName[] = "salt";
+
 // Hashes |key| with |system_salt| if it its type is KEY_TYPE_PASSWORD_PLAIN.
 // Returns the keys unmodified otherwise.
 scoped_ptr<Key> TransformKeyIfNeeded(const Key& key,
                                      const std::string& system_salt) {
   scoped_ptr<Key> result(new Key(key));
   if (result->GetKeyType() == Key::KEY_TYPE_PASSWORD_PLAIN)
     result->Transform(Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt);
 
   return result.Pass();
 }
@@ skipping 23 matching lines @@
 void TriggerResolveWithLoginTimeMarker(
     const std::string& marker_name,
     AuthAttemptState* attempt,
     scoped_refptr<CryptohomeAuthenticator> resolver,
     bool success,
     cryptohome::MountError return_code) {
   chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(marker_name, false);
   TriggerResolve(attempt, resolver, success, return_code);
 }
 
-void TriggerResolveWithHashAndLoginTimeMarker(
-    const std::string& marker_name,
-    AuthAttemptState* attempt,
-    scoped_refptr<CryptohomeAuthenticator> resolver,
-    bool success,
-    cryptohome::MountError return_code,
-    const std::string& mount_hash) {
-  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(marker_name, false);
+// Records an error in accessing the user's cryptohome with the given key and
+// calls resolver->Resolve() after adding a login time marker.
+void RecordKeyErrorAndResolve(AuthAttemptState* attempt,
+                              scoped_refptr<CryptohomeAuthenticator> resolver) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker("CryptohomeMount-End",
+                                                          false);
+  attempt->RecordCryptohomeStatus(false /* success */,
+                                  cryptohome::MOUNT_ERROR_KEY_FAILURE);
+  resolver->Resolve();
+}
+
+// Callback invoked when cryptohome's MountEx() method has finished.
+void OnMount(AuthAttemptState* attempt,
+             scoped_refptr<CryptohomeAuthenticator> resolver,
+             bool success,
+             cryptohome::MountError return_code,
+             const std::string& mount_hash) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker("CryptohomeMount-End",
+                                                          false);
   attempt->RecordCryptohomeStatus(success, return_code);
   if (success)
     attempt->RecordUsernameHash(mount_hash);
   else
     attempt->RecordUsernameHashFailed();
   resolver->Resolve();
 }
 
-// Calls cryptohome's mount method.
-void Mount(AuthAttemptState* attempt,
-           scoped_refptr<CryptohomeAuthenticator> resolver,
-           bool ephemeral,
-           bool create_if_nonexistent,
-           const std::string& system_salt) {
-  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
-      "CryptohomeMount-Start", false);
+// Calls cryptohome's MountEx() method. The key in |attempt->user_context| must
+// not be a plain text password. If the user provided a plain text password,
+// that password must be transformed to another key type (by salted hashing)
+// before calling this method.
+void DoMount(AuthAttemptState* attempt,
+             scoped_refptr<CryptohomeAuthenticator> resolver,
+             bool ephemeral,
+             bool create_if_nonexistent) {
+  const Key* key = attempt->user_context.GetKey();
+  // If the |key| is a plain text password, crash rather than attempting to
+  // mount the cryptohome with a plain text password.
+  CHECK_NE(Key::KEY_TYPE_PASSWORD_PLAIN, key->GetKeyType());
+
   // Set state that username_hash is requested here so that test implementation
   // that returns directly would not generate 2 OnLoginSucces() calls.
   attempt->UsernameHashRequested();
 
-  scoped_ptr<Key> key =
-      TransformKeyIfNeeded(*attempt->user_context.GetKey(), system_salt);
   // Set the authentication's key label to an empty string, which is a wildcard
   // allowing any key to match. This is necessary because cryptohomes created by
   // Chrome OS M38 and older will have a legacy key with no label while those
   // created by Chrome OS M39 and newer will have a key with the label
   // kCryptohomeGAIAKeyLabel.
   const cryptohome::KeyDefinition auth_key(key->GetSecret(),
                                            std::string(),
                                            cryptohome::PRIV_DEFAULT);
   cryptohome::MountParameters mount(ephemeral);
   if (create_if_nonexistent) {
     mount.create_keys.push_back(cryptohome::KeyDefinition(
         key->GetSecret(),
         kCryptohomeGAIAKeyLabel,
         cryptohome::PRIV_DEFAULT));
   }
 
   cryptohome::HomedirMethods::GetInstance()->MountEx(
       cryptohome::Identification(attempt->user_context.GetUserID()),
       cryptohome::Authorization(auth_key),
       mount,
-      base::Bind(&TriggerResolveWithHashAndLoginTimeMarker,
-                 "CryptohomeMount-End",
+      base::Bind(&OnMount, attempt, resolver));
+}
+
+// Callback invoked when the system salt has been retrieved. Transforms the key
+// in |attempt->user_context| using Chrome's default hashing algorithm and the
+// system salt, then calls MountEx().
+void OnGetSystemSalt(AuthAttemptState* attempt,
+                    scoped_refptr<CryptohomeAuthenticator> resolver,
+                    bool ephemeral,
+                    bool create_if_nonexistent,
+                    const std::string& system_salt) {
+  DCHECK_EQ(Key::KEY_TYPE_PASSWORD_PLAIN,
+            attempt->user_context.GetKey()->GetKeyType());
+
+  attempt->user_context.GetKey()->Transform(
+      Key::KEY_TYPE_SALTED_SHA256_TOP_HALF,
+      system_salt);
+
+  DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+}
+
+// Callback invoked when cryptohome's GetKeyDataEx() method has finished.
+// * If GetKeyDataEx() returned metadata indicating the hashing algorithm and
+//   salt that were used to generate the key for this user's cryptohome,
+//   transforms the key in |attempt->user_context| with the same parameters.
+// * Otherwise, starts the retrieval of the system salt so that the key in
+//   |attempt->user_context| can be transformed with Chrome's default hashing
+//   algorithm and the system salt.
+// The resulting key is then passed to cryptohome's MountEx().
+void OnGetKeyDataEx(AuthAttemptState* attempt,
+                    scoped_refptr<CryptohomeAuthenticator> resolver,
+                    bool ephemeral,
+                    bool create_if_nonexistent,
+                    bool success,
+                    cryptohome::MountError return_code,
+                    ScopedVector<cryptohome::RetrievedKeyData> key_data) {
+  if (success) {
+    if (key_data.size() == 1) {
+      cryptohome::RetrievedKeyData* key_data_entry = key_data.front();
+      DCHECK_EQ(kCryptohomeGAIAKeyLabel, key_data_entry->label);
+
+      // Extract the key type and salt from |key_data|, if present.
+      scoped_ptr<int64> type;
+      scoped_ptr<std::string> salt;
+      for (ScopedVector<cryptohome::RetrievedKeyData::ProviderData>::
+               const_iterator it = key_data_entry->provider_data.begin();
+           it != key_data_entry->provider_data.end(); ++it) {
+        if ((*it)->name == kKeyProviderDataTypeName) {
+          if ((*it)->number)
+            type.reset(new int64(*(*it)->number));
+          else
+            NOTREACHED();
+        } else if ((*it)->name == kKeyProviderDataSaltName) {
+          if ((*it)->bytes)
+            salt.reset(new std::string(*(*it)->bytes));
+          else
+            NOTREACHED();
+        }
+      }
+
+      if (type) {
+        if (*type < 0 || *type >= Key::KEY_TYPE_COUNT) {
+          LOG(ERROR) << "Invalid key type: " << *type;
+          RecordKeyErrorAndResolve(attempt, resolver);
+          return;
+        }
+
+        if (!salt) {
+          LOG(ERROR) << "Missing salt.";
+          RecordKeyErrorAndResolve(attempt, resolver);
+          return;
+        }
+
+        attempt->user_context.GetKey()->Transform(
+            static_cast<Key::KeyType>(*type),
+            *salt);
+        DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+        return;
+      }
+    } else {
+      LOG(ERROR) << "GetKeyDataEx() returned " << key_data.size()
+                 << " entries.";
+    }
+  }
+
+  SystemSaltGetter::Get()->GetSystemSalt(base::Bind(&OnGetSystemSalt,
+                                                    attempt,
+                                                    resolver,
+                                                    ephemeral,
+                                                    create_if_nonexistent));
+}
+
+// Starts the process that will mount a user's cryptohome.
+// * If the key in |attempt->user_context| is not a plain text password,
+//   cryptohome's MountEx() method is called directly with the key.
+// * Otherwise, the key must be transformed (by salted hashing) before being
+//   passed to MountEx(). In that case, cryptohome's GetKeyDataEx() method is
+//   called to retrieve metadata indicating the hashing algorithm and salt that
+//   were used to generate the key for this user's cryptohome and the key is
+//   transformed accordingly before calling MountEx().
+void StartMount(AuthAttemptState* attempt,
+                scoped_refptr<CryptohomeAuthenticator> resolver,
+                bool ephemeral,
+                bool create_if_nonexistent) {
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker(
+      "CryptohomeMount-Start", false);
+
+  if (attempt->user_context.GetKey()->GetKeyType() !=
+          Key::KEY_TYPE_PASSWORD_PLAIN) {
+    DoMount(attempt, resolver, ephemeral, create_if_nonexistent);
+    return;
+  }
+
+  cryptohome::HomedirMethods::GetInstance()->GetKeyDataEx(
+      cryptohome::Identification(attempt->user_context.GetUserID()),
+      kCryptohomeGAIAKeyLabel,
+      base::Bind(&OnGetKeyDataEx,
                  attempt,
-                 resolver));
+                 resolver,
+                 ephemeral,
+                 create_if_nonexistent));
 }
 
 // Calls cryptohome's mount method for guest and also get the user hash from
 // cryptohome.
 void MountGuestAndGetHash(AuthAttemptState* attempt,
                           scoped_refptr<CryptohomeAuthenticator> resolver) {
   attempt->UsernameHashRequested();
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncMountGuest(
       base::Bind(&TriggerResolveWithLoginTimeMarker,
                  "CryptohomeMount-End",
@@ skipping 105 matching lines @@
     const UserContext& user_context) {
   authentication_profile_ = profile;
   current_state_.reset(new AuthAttemptState(user_context,
                                             user_manager::USER_TYPE_REGULAR,
                                             false,  // unlock
                                             false,  // online_complete
                                             !IsKnownUser(user_context)));
   // Reset the verified flag.
   owner_is_verified_ = false;
 
-  SystemSaltGetter::Get()->GetSystemSalt(
-      base::Bind(&Mount,
-                 current_state_.get(),
-                 scoped_refptr<CryptohomeAuthenticator>(this),
-                 false /* ephemeral */,
-                 false /* create_if_nonexistent */));
+  StartMount(current_state_.get(),
+             scoped_refptr<CryptohomeAuthenticator>(this),
+             false /* ephemeral */,
+             false /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::CompleteLogin(Profile* profile,
                                             const UserContext& user_context) {
   authentication_profile_ = profile;
   current_state_.reset(new AuthAttemptState(user_context,
                                             user_manager::USER_TYPE_REGULAR,
                                             true,   // unlock
                                             false,  // online_complete
                                             !IsKnownUser(user_context)));
 
   // Reset the verified flag.
   owner_is_verified_ = false;
 
-  SystemSaltGetter::Get()->GetSystemSalt(
-      base::Bind(&Mount,
-                 current_state_.get(),
-                 scoped_refptr<CryptohomeAuthenticator>(this),
-                 false /* ephemeral */,
-                 false /* create_if_nonexistent */));
+  StartMount(current_state_.get(),
+             scoped_refptr<CryptohomeAuthenticator>(this),
+             false /* ephemeral */,
+             false /* create_if_nonexistent */);
 
   // For login completion from extension, we just need to resolve the current
   // auth attempt state, the rest of OAuth related tasks will be done in
   // parallel.
   task_runner_->PostTask(
       FROM_HERE,
       base::Bind(&CryptohomeAuthenticator::ResolveLoginCompletionStatus, this));
 }
 
 void CryptohomeAuthenticator::AuthenticateToUnlock(
@@ skipping 14 matching lines @@
 void CryptohomeAuthenticator::LoginAsSupervisedUser(
     const UserContext& user_context) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
   // TODO(nkostylev): Pass proper value for |user_is_new| or remove (not used).
   current_state_.reset(new AuthAttemptState(user_context,
                                             user_manager::USER_TYPE_SUPERVISED,
                                             false,    // unlock
                                             false,    // online_complete
                                             false));  // user_is_new
   remove_user_data_on_failure_ = false;
-  SystemSaltGetter::Get()->GetSystemSalt(
-      base::Bind(&Mount,
-                 current_state_.get(),
-                 scoped_refptr<CryptohomeAuthenticator>(this),
-                 false /* ephemeral */,
-                 false /* create_if_nonexistent */));
+  StartMount(current_state_.get(),
+             scoped_refptr<CryptohomeAuthenticator>(this),
+             false /* ephemeral */,
+             false /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginRetailMode() {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
   // Note: |kRetailModeUserEMail| is used in other places to identify a retail
   // mode session.
   current_state_.reset(
       new AuthAttemptState(UserContext(chromeos::login::kRetailModeUserName),
                            user_manager::USER_TYPE_RETAIL_MODE,
                            false,    // unlock
@@ skipping 23 matching lines @@
     const UserContext& user_context) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
   current_state_.reset(
       new AuthAttemptState(user_context,
                            user_manager::USER_TYPE_PUBLIC_ACCOUNT,
                            false,    // unlock
                            false,    // online_complete
                            false));  // user_is_new
   remove_user_data_on_failure_ = false;
   ephemeral_mount_attempted_ = true;
-  SystemSaltGetter::Get()->GetSystemSalt(
-      base::Bind(&Mount,
-                 current_state_.get(),
-                 scoped_refptr<CryptohomeAuthenticator>(this),
-                 true /* ephemeral */,
-                 true /* create_if_nonexistent */));
+  StartMount(current_state_.get(),
+             scoped_refptr<CryptohomeAuthenticator>(this),
+             true /* ephemeral */,
+             true /* create_if_nonexistent */);
 }
 
 void CryptohomeAuthenticator::LoginAsKioskAccount(
     const std::string& app_user_id,
     bool use_guest_mount) {
   DCHECK(task_runner_->RunsTasksOnCurrentThread());
 
   const std::string user_id =
       use_guest_mount ? chromeos::login::kGuestUserName : app_user_id;
   current_state_.reset(new AuthAttemptState(UserContext(user_id),
@@ skipping 182 matching lines @@
       remove_user_data_on_failure_ = false;
       task_runner_->PostTask(FROM_HERE,
                              base::Bind(&CryptohomeAuthenticator::OnAuthFailure,
                                         this,
                                         *delayed_login_failure_));
       break;
     case CREATE_NEW:
       create_if_nonexistent = true;
     case RECOVER_MOUNT:
       current_state_->ResetCryptohomeStatus();
-      SystemSaltGetter::Get()->GetSystemSalt(
-          base::Bind(&Mount,
-                     current_state_.get(),
-                     scoped_refptr<CryptohomeAuthenticator>(this),
-                     false /*ephemeral*/,
-                     create_if_nonexistent));
+      StartMount(current_state_.get(),
+                 scoped_refptr<CryptohomeAuthenticator>(this),
+                 false /*ephemeral*/,
+                 create_if_nonexistent);
       break;
     case NEED_OLD_PW:
       task_runner_->PostTask(
           FROM_HERE,
           base::Bind(&CryptohomeAuthenticator::OnPasswordChangeDetected, this));
       break;
     case ONLINE_FAILED:
     case NEED_NEW_PW:
     case HAVE_NEW_PW:
       NOTREACHED() << "Using obsolete ClientLogin code path.";
@@ skipping 200 matching lines @@
   Resolve();
 }
 
 void CryptohomeAuthenticator::SetOwnerState(bool owner_check_finished,
                                             bool check_result) {
   owner_is_verified_ = owner_check_finished;
   user_can_login_ = check_result;
 }
 
 }  // namespace chromeos