author | bartfab <bartfab@chromium.org> | 2014-09-02 07:37:50 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-09-02 14:42:15 +0000 |
commit | 28dae509e63d445a8780450f2e9152fb68ad74b8 (patch) | |
tree | 1aaa2fb47f3163cdae23e4177dc8b074be0ea920 /chromeos | |
parent | 0ee22a13b49e9898c070d56655542f9f4843dc8f (diff) | |
Add new Chrome OS key type: Salted SHA256
This CL adds a new key type for Chrome OS authentication and cryptohome
encryption, a base64-encoded salted SHA256 hash. This will be the first
key type supported by the credentials passing API.
BUG=367847
TEST=Extended unit test
Review URL: https://codereview.chromium.org/515153002
Cr-Commit-Position: refs/heads/master@{#292924}
Diffstat (limited to 'chromeos')
-rw-r--r-- | chromeos/login/auth/key.cc | 4 | ||||
-rw-r--r-- | chromeos/login/auth/key.h | 11 | ||||
-rw-r--r-- | chromeos/login/auth/key_unittest.cc | 19 |
3 files changed, 31 insertions, 3 deletions
diff --git a/chromeos/login/auth/key.cc b/chromeos/login/auth/key.cc
index 02733531..01c3bcf 100644
--- a/chromeos/login/auth/key.cc
+++ b/chromeos/login/auth/key.cc
@@ -100,6 +100,10 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) {
base::Base64Encode(raw_secret, &secret_);
break;
}
+ case KEY_TYPE_SALTED_SHA256:
+ base::Base64Encode(crypto::SHA256HashString(salt + secret_), &secret_);
+ break;
+
default:
// The resulting key will be sent to cryptohomed. It should always be
// hashed. If hashing fails, crash instead of sending a plain-text key.
diff --git a/chromeos/login/auth/key.h b/chromeos/login/auth/key.h
index 8aee6dd..969c824 100644
--- a/chromeos/login/auth/key.h
+++ b/chromeos/login/auth/key.h
@@ -17,11 +17,16 @@ class CHROMEOS_EXPORT Key {
public:
enum KeyType {
// Plain text password.
- KEY_TYPE_PASSWORD_PLAIN,
+ KEY_TYPE_PASSWORD_PLAIN = 0,
// SHA256 of salt + password, first half only, lower-case hex encoded.
- KEY_TYPE_SALTED_SHA256_TOP_HALF,
+ KEY_TYPE_SALTED_SHA256_TOP_HALF = 1,
// PBKDF2 with 256 bit AES and 1234 iterations, base64 encoded.
- KEY_TYPE_SALTED_PBKDF2_AES256_1234,
+ KEY_TYPE_SALTED_PBKDF2_AES256_1234 = 2,
+ // SHA256 of salt + password, base64 encoded.
+ KEY_TYPE_SALTED_SHA256 = 3,
+
+ // Sentinel. Must be last.
+ KEY_TYPE_COUNT
};

Key();
diff --git a/chromeos/login/auth/key_unittest.cc b/chromeos/login/auth/key_unittest.cc
index 76e38cb..26a6c8d 100644
--- a/chromeos/login/auth/key_unittest.cc
+++ b/chromeos/login/auth/key_unittest.cc
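Review bot: The new `KEY_TYPE_SALTED_SHA256` case derives the key with a single SHA-256 pass over `salt + secret_`, which, unlike the neighbouring PBKDF2 type, adds no work factor against offline guessing if `secret_` is a user-chosen password. The commit message says this type is meant for the credentials passing API, so the caller may well be supplying a high-entropy secret rather than a typed password, but nothing at the case records that expectation for the next maintainer. I would add above the case: `// Single SHA-256 pass, no stretching: intended for the credentials passing API; do not use for low-entropy user passwords (use KEY_TYPE_SALTED_PBKDF2_AES256_1234).` Note also that plain concatenation `salt + secret_` is unambiguous only if the salt has a fixed length, which presumably holds for the system salt but is worth stating in the same comment. Key::Transform starts and ends outside this hunk.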
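Review bot: The stability requirement that motivates the explicit `= 0` … `= 3` values is documented only in the unit test, not on the enum where a maintainer adding the next enumerator will actually be looking. I would put it on the declaration itself, above `enum KeyType {`: `// Values are persisted as ints in the user's cryptohome key metadata; never renumber or reuse them, only append new types before KEY_TYPE_COUNT.` The comment on the new enumerator could also say that this is the full 32-byte digest, to contrast with KEY_TYPE_SALTED_SHA256_TOP_HALF directly above it. The enclosing class Key continues outside this hunk.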
@@ -44,4 +44,23 @@ TEST(KeyTest, TransformToSaltedAES2561234) {
EXPECT_EQ("GUkNnvqoULf/cXbZscVUnANmLBB0ovjGZsj1sKzP5BE=", key.GetSecret());
}

+TEST(KeyTest, TransformToSaltedSHA256) {
+ Key key(kPassword);
+ key.Transform(Key::KEY_TYPE_SALTED_SHA256, kSalt);
+ EXPECT_EQ(Key::KEY_TYPE_SALTED_SHA256, key.GetKeyType());
+ EXPECT_EQ("WwGUF3Hkf6QIOAqmdXA/TyScTFDo4d+ow5xfof0zGdo=", key.GetSecret());
+}
+
+// The values in the KeyType enum must never change because they are stored as
+// ints in the user's cryptohome key metadata.
+TEST(KeyTest, KeyTypeStable) {
+ EXPECT_EQ(0, Key::KEY_TYPE_PASSWORD_PLAIN);
+ EXPECT_EQ(1, Key::KEY_TYPE_SALTED_SHA256_TOP_HALF);
+ EXPECT_EQ(2, Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234);
+ EXPECT_EQ(3, Key::KEY_TYPE_SALTED_SHA256);
+ // The sentinel does not have to remain stable. It should be adjusted whenever
+ // a new key type is added.
+ EXPECT_EQ(4, Key::KEY_TYPE_COUNT);
+}
+
} // namespace chromeos
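Review bot: The expected secret `"WwGUF3Hkf6QIOAqmdXA/TyScTFDo4d+ow5xfof0zGdo="` in TransformToSaltedSHA256 is a bare golden value; if it was produced by running the code under test it only catches regressions, not a wrong construction such as hashing `secret + salt` instead of `salt + secret`. A one-line comment stating how it was derived independently, e.g. `// base64(SHA256(kSalt + kPassword)), recomputed with sha256sum/base64 outside Chromium.`, would make the vector auditable by the next reader. `kSalt` and `kPassword` are defined outside this hunk, so I cannot verify the value from here.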