authorbartfab <bartfab@chromium.org>2014-09-02 07:37:50 -0700
committerCommit bot <commit-bot@chromium.org>2014-09-02 14:42:15 +0000
commit28dae509e63d445a8780450f2e9152fb68ad74b8 (patch)
tree1aaa2fb47f3163cdae23e4177dc8b074be0ea920 /chromeos
parent0ee22a13b49e9898c070d56655542f9f4843dc8f (diff)
Add new Chrome OS key type: Salted SHA256
This CL adds a new key type for Chrome OS authentication and cryptohome encryption, a base64-encoded salted SHA256 hash. This will be the first key type supported by the credentials passing API. BUG=367847 TEST=Extended unit test Review URL: https://codereview.chromium.org/515153002 Cr-Commit-Position: refs/heads/master@{#292924}
Diffstat (limited to 'chromeos')
-rw-r--r--chromeos/login/auth/key.cc4
-rw-r--r--chromeos/login/auth/key.h11
-rw-r--r--chromeos/login/auth/key_unittest.cc19
3 files changed, 31 insertions, 3 deletions
diff --git a/chromeos/login/auth/key.cc b/chromeos/login/auth/key.cc
index 02733531..01c3bcf 100644
--- a/chromeos/login/auth/key.cc
+++ b/chromeos/login/auth/key.cc
@@ -100,6 +100,10 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) {
base::Base64Encode(raw_secret, &secret_);
break;
}
+ case KEY_TYPE_SALTED_SHA256:
+ base::Base64Encode(crypto::SHA256HashString(salt + secret_), &secret_);
+ break;
+
default:
// The resulting key will be sent to cryptohomed. It should always be
// hashed. If hashing fails, crash instead of sending a plain-text key.
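Review bot: The added `KEY_TYPE_SALTED_SHA256` case is a single SHA-256 pass over `salt + secret_` with no key stretching, so anyone who obtains the resulting value can test password guesses at raw hash speed, and nothing on the case says why that is acceptable. The commit message ties this type to the credentials passing API; if that is the reason, record it on the case, e.g. `// Single unstretched SHA256 pass; no brute-force work factor. Needed for the credentials passing API.` The visible lines also do not show `salt` being checked for emptiness before the concatenation. Transform() begins and ends outside this hunk, so that check may exist elsewhere and is worth confirming.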
diff --git a/chromeos/login/auth/key.h b/chromeos/login/auth/key.h
index 8aee6dd..969c824 100644
--- a/chromeos/login/auth/key.h
+++ b/chromeos/login/auth/key.h
@@ -17,11 +17,16 @@ class CHROMEOS_EXPORT Key {
public:
enum KeyType {
// Plain text password.
- KEY_TYPE_PASSWORD_PLAIN,
+ KEY_TYPE_PASSWORD_PLAIN = 0,
// SHA256 of salt + password, first half only, lower-case hex encoded.
- KEY_TYPE_SALTED_SHA256_TOP_HALF,
+ KEY_TYPE_SALTED_SHA256_TOP_HALF = 1,
// PBKDF2 with 256 bit AES and 1234 iterations, base64 encoded.
- KEY_TYPE_SALTED_PBKDF2_AES256_1234,
+ KEY_TYPE_SALTED_PBKDF2_AES256_1234 = 2,
+ // SHA256 of salt + password, base64 encoded.
+ KEY_TYPE_SALTED_SHA256 = 3,
+
+ // Sentinel. Must be last.
+ KEY_TYPE_COUNT
};
Key();
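Review bot: The enum now pins explicit values, but key.h does not say why; the only explanation (values are stored as ints in the user's cryptohome key metadata) sits in key_unittest.cc, where someone editing the enum is unlikely to look. Add a comment above `enum KeyType {` such as `// Values are persisted in cryptohome key metadata. Never renumber or reuse them; add new types just before KEY_TYPE_COUNT.` Since `KEY_TYPE_COUNT` is now itself a `KeyType` value, any code that reads the stored int back should reject values `>= KEY_TYPE_COUNT` before casting to the enum; that code is not part of this diff, so this should be confirmed. The class body continues outside the hunk.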
diff --git a/chromeos/login/auth/key_unittest.cc b/chromeos/login/auth/key_unittest.cc
index 76e38cb..26a6c8d 100644
--- a/chromeos/login/auth/key_unittest.cc
+++ b/chromeos/login/auth/key_unittest.cc
@@ -44,4 +44,23 @@ TEST(KeyTest, TransformToSaltedAES2561234) {
EXPECT_EQ("GUkNnvqoULf/cXbZscVUnANmLBB0ovjGZsj1sKzP5BE=", key.GetSecret());
}
+TEST(KeyTest, TransformToSaltedSHA256) {
+ Key key(kPassword);
+ key.Transform(Key::KEY_TYPE_SALTED_SHA256, kSalt);
+ EXPECT_EQ(Key::KEY_TYPE_SALTED_SHA256, key.GetKeyType());
+ EXPECT_EQ("WwGUF3Hkf6QIOAqmdXA/TyScTFDo4d+ow5xfof0zGdo=", key.GetSecret());
+}
+
+// The values in the KeyType enum must never change because they are stored as
+// ints in the user's cryptohome key metadata.
+TEST(KeyTest, KeyTypeStable) {
+ EXPECT_EQ(0, Key::KEY_TYPE_PASSWORD_PLAIN);
+ EXPECT_EQ(1, Key::KEY_TYPE_SALTED_SHA256_TOP_HALF);
+ EXPECT_EQ(2, Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234);
+ EXPECT_EQ(3, Key::KEY_TYPE_SALTED_SHA256);
+ // The sentinel does not have to remain stable. It should be adjusted whenever
+ // a new key type is added.
+ EXPECT_EQ(4, Key::KEY_TYPE_COUNT);
+}
+
} // namespace chromeos
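Review bot: `KeyTypeStable` guards the persisted enum values only when the unit tests are actually run, so a renumbering still compiles and is caught late or not at all in a build that skips this test. A compile-time check placed next to the enum would fail the build instead, for example `static_assert(Key::KEY_TYPE_SALTED_SHA256 == 3, "stored in cryptohome key metadata");`, or the codebase's equivalent assertion macro if `static_assert` is not permitted there. The runtime test can stay as documentation of the intent.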