summaryrefslogtreecommitdiffstats
path: root/chromeos/cryptohome
diff options
context:
space:
mode:
authorsatorux@chromium.org <satorux@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-09 00:24:48 +0000
committersatorux@chromium.org <satorux@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-09 00:24:48 +0000
commitc09491e4f7e6db6c79dc93a26328a33122fde321 (patch)
tree8a9cb9e25ac37e793dc63e6b06c39c0ad01dedd9 /chromeos/cryptohome
parent62207594a8e0824af64d2081ce3c32c5b07ba401 (diff)
downloadchromium_src-c09491e4f7e6db6c79dc93a26328a33122fde321.zip
chromium_src-c09491e4f7e6db6c79dc93a26328a33122fde321.tar.gz
chromium_src-c09491e4f7e6db6c79dc93a26328a33122fde321.tar.bz2
cryptohome: Move Encrypt/DecryptWithSystemSalt() out of CryptohomeLibrary
The implementation in CryptohomeLibrary is moved to CryptohomeTokenEncryptor as-is, except that CryptohomeLibrary::GetCachedSystemSalt() is called at the beginning of LoadSystemSaltKey(): bool CryptohomeTokenEncryptor::LoadSystemSaltKey() { if (system_salt_.empty()) system_salt_ = CryptohomeLibrary::Get()->GetCachedSystemSalt(); BUG=303474, 298605 TEST=none R=davidroche@chromium.org, hashimoto@chromium.org Review URL: https://codereview.chromium.org/25975002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@227631 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chromeos/cryptohome')
-rw-r--r--chromeos/cryptohome/cryptohome_library.cc119
-rw-r--r--chromeos/cryptohome/cryptohome_library.h15
-rw-r--r--chromeos/cryptohome/mock_cryptohome_library.cc14
-rw-r--r--chromeos/cryptohome/mock_cryptohome_library.h35
4 files changed, 11 insertions, 172 deletions
diff --git a/chromeos/cryptohome/cryptohome_library.cc b/chromeos/cryptohome/cryptohome_library.cc
index 721f932..29745ca 100644
--- a/chromeos/cryptohome/cryptohome_library.cc
+++ b/chromeos/cryptohome/cryptohome_library.cc
@@ -14,17 +14,12 @@
#include "chromeos/dbus/cryptohome_client.h"
#include "chromeos/dbus/dbus_method_call_status.h"
#include "chromeos/dbus/dbus_thread_manager.h"
-#include "crypto/encryptor.h"
-#include "crypto/nss_util.h"
-#include "crypto/sha2.h"
-#include "crypto/symmetric_key.h"
namespace chromeos {
namespace {
const char kStubSystemSalt[] = "stub_system_salt";
-const size_t kNonceSize = 16;
} // namespace
@@ -42,33 +37,8 @@ class CryptohomeLibraryImpl : public CryptohomeLibrary {
return system_salt_;
}
- virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE {
- // Don't care about token encryption while debugging.
- if (!base::SysInfo::IsRunningOnChromeOS())
- return token;
-
- if (!LoadSystemSaltKey()) {
- LOG(WARNING) << "System salt key is not available for encrypt.";
- return std::string();
- }
- return EncryptTokenWithKey(system_salt_key_.get(),
- system_salt_,
- token);
- }
-
- virtual std::string DecryptWithSystemSalt(
- const std::string& encrypted_token_hex) OVERRIDE {
- // Don't care about token encryption while debugging.
- if (!base::SysInfo::IsRunningOnChromeOS())
- return encrypted_token_hex;
-
- if (!LoadSystemSaltKey()) {
- LOG(WARNING) << "System salt key is not available for decrypt.";
- return std::string();
- }
- return DecryptTokenWithKey(system_salt_key_.get(),
- system_salt_,
- encrypted_token_hex);
+ virtual std::string GetCachedSystemSalt() OVERRIDE {
+ return system_salt_;
}
private:
@@ -85,104 +55,25 @@ class CryptohomeLibraryImpl : public CryptohomeLibrary {
reinterpret_cast<const void*>(salt.data()), salt.size()));
}
- // TODO: should this use the system salt for both the password and the salt
- // value, or should this use a separate salt value?
- bool LoadSystemSaltKey() {
- if (system_salt_.empty())
- return false;
- if (!system_salt_key_.get())
- system_salt_key_.reset(PassphraseToKey(system_salt_, system_salt_));
- return system_salt_key_.get();
- }
-
- crypto::SymmetricKey* PassphraseToKey(const std::string& passphrase,
- const std::string& salt) {
- return crypto::SymmetricKey::DeriveKeyFromPassword(
- crypto::SymmetricKey::AES, passphrase, salt, 1000, 256);
- }
-
-
- // Encrypts (AES) the token given |key| and |salt|.
- std::string EncryptTokenWithKey(crypto::SymmetricKey* key,
- const std::string& salt,
- const std::string& token) {
- crypto::Encryptor encryptor;
- if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) {
- LOG(WARNING) << "Failed to initialize Encryptor.";
- return std::string();
- }
- std::string nonce = salt.substr(0, kNonceSize);
- std::string encoded_token;
- CHECK(encryptor.SetCounter(nonce));
- if (!encryptor.Encrypt(token, &encoded_token)) {
- LOG(WARNING) << "Failed to encrypt token.";
- return std::string();
- }
-
- return StringToLowerASCII(base::HexEncode(
- reinterpret_cast<const void*>(encoded_token.data()),
- encoded_token.size()));
- }
-
- // Decrypts (AES) hex encoded encrypted token given |key| and |salt|.
- std::string DecryptTokenWithKey(crypto::SymmetricKey* key,
- const std::string& salt,
- const std::string& encrypted_token_hex) {
- std::vector<uint8> encrypted_token_bytes;
- if (!base::HexStringToBytes(encrypted_token_hex, &encrypted_token_bytes)) {
- LOG(WARNING) << "Corrupt encrypted token found.";
- return std::string();
- }
-
- std::string encrypted_token(
- reinterpret_cast<char*>(encrypted_token_bytes.data()),
- encrypted_token_bytes.size());
- crypto::Encryptor encryptor;
- if (!encryptor.Init(key, crypto::Encryptor::CTR, std::string())) {
- LOG(WARNING) << "Failed to initialize Encryptor.";
- return std::string();
- }
-
- std::string nonce = salt.substr(0, kNonceSize);
- std::string token;
- CHECK(encryptor.SetCounter(nonce));
- if (!encryptor.Decrypt(encrypted_token, &token)) {
- LOG(WARNING) << "Failed to decrypt token.";
- return std::string();
- }
- return token;
- }
-
std::string system_salt_;
- // A key based on the system salt. Useful for encrypting device-level
- // data for which we have no additional credentials.
- scoped_ptr<crypto::SymmetricKey> system_salt_key_;
DISALLOW_COPY_AND_ASSIGN(CryptohomeLibraryImpl);
};
class CryptohomeLibraryStubImpl : public CryptohomeLibrary {
public:
- CryptohomeLibraryStubImpl()
- : locked_(false) {}
+ CryptohomeLibraryStubImpl() {}
virtual ~CryptohomeLibraryStubImpl() {}
virtual std::string GetSystemSalt() OVERRIDE {
return kStubSystemSalt;
}
- virtual std::string EncryptWithSystemSalt(const std::string& token) OVERRIDE {
- return token;
- }
-
- virtual std::string DecryptWithSystemSalt(
- const std::string& encrypted_token_hex) OVERRIDE {
- return encrypted_token_hex;
+ virtual std::string GetCachedSystemSalt() OVERRIDE {
+ return kStubSystemSalt;
}
private:
- std::map<std::string, std::string> install_attrs_;
- bool locked_;
DISALLOW_COPY_AND_ASSIGN(CryptohomeLibraryStubImpl);
};
diff --git a/chromeos/cryptohome/cryptohome_library.h b/chromeos/cryptohome/cryptohome_library.h
index 2de89b4..b427ae2 100644
--- a/chromeos/cryptohome/cryptohome_library.h
+++ b/chromeos/cryptohome/cryptohome_library.h
@@ -36,17 +36,14 @@ class CHROMEOS_EXPORT CryptohomeLibrary {
// Returns system hash in hex encoded ascii format. Note: this may return
// an empty string (e.g. if cryptohome is not running). It is up to the
// calling function to try again after a delay if desired.
+ //
+ // TODO(hashimoto): Make it asynchronous. crbug.com/141009.
virtual std::string GetSystemSalt() = 0;
- // Encrypts |token| with the system salt key (stable for the lifetime
- // of the device). Useful to avoid storing plain text in place like
- // Local State.
- virtual std::string EncryptWithSystemSalt(const std::string& token) = 0;
-
- // Decrypts |token| with the system salt key (stable for the lifetime
- // of the device).
- virtual std::string DecryptWithSystemSalt(
- const std::string& encrypted_token_hex) = 0;
+ // Returns system hash in hex encoded ascii format, cached by a prior call
+ // to GetSystemSalt(). Note: this may return an empty string (e.g. if
+ // GetSystemSalt() is not yet called).
+ virtual std::string GetCachedSystemSalt() = 0;
protected:
CryptohomeLibrary();
diff --git a/chromeos/cryptohome/mock_cryptohome_library.cc b/chromeos/cryptohome/mock_cryptohome_library.cc
deleted file mode 100644
index 1916f9e..0000000
--- a/chromeos/cryptohome/mock_cryptohome_library.cc
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chromeos/cryptohome/mock_cryptohome_library.h"
-
-namespace chromeos {
-
-MockCryptohomeLibrary::MockCryptohomeLibrary() {
-}
-
-MockCryptohomeLibrary::~MockCryptohomeLibrary() {}
-
-} // namespace chromeos
diff --git a/chromeos/cryptohome/mock_cryptohome_library.h b/chromeos/cryptohome/mock_cryptohome_library.h
deleted file mode 100644
index 5a08ac0..0000000
--- a/chromeos/cryptohome/mock_cryptohome_library.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROMEOS_CRYPTOHOME_MOCK_CRYPTOHOME_LIBRARY_H_
-#define CHROMEOS_CRYPTOHOME_MOCK_CRYPTOHOME_LIBRARY_H_
-
-#include <string>
-
-#include "base/basictypes.h"
-#include "chromeos/cryptohome/cryptohome_library.h"
-#include "testing/gmock/include/gmock/gmock.h"
-
-using ::testing::Invoke;
-using ::testing::WithArgs;
-using ::testing::_;
-
-namespace chromeos {
-
-class MockCryptohomeLibrary : public CryptohomeLibrary {
- public:
- MockCryptohomeLibrary();
- virtual ~MockCryptohomeLibrary();
- MOCK_METHOD0(GetSystemSalt, std::string(void));
-
- MOCK_METHOD1(EncryptWithSystemSalt, std::string(const std::string&));
- MOCK_METHOD1(DecryptWithSystemSalt, std::string(const std::string&));
-
- private:
- DISALLOW_COPY_AND_ASSIGN(MockCryptohomeLibrary);
-};
-
-} // namespace chromeos
-
-#endif // CHROMEOS_CRYPTOHOME_MOCK_CRYPTOHOME_LIBRARY_H_