From 28dae509e63d445a8780450f2e9152fb68ad74b8 Mon Sep 17 00:00:00 2001
From: bartfab
Date: Tue, 2 Sep 2014 07:37:50 -0700
Subject: Add new Chrome OS key type: Salted SHA256
This CL adds a new key type for Chrome OS authentication and cryptohome encryption, a base64-encoded salted SHA256 hash. This will be the first key type supported by the credentials passing API.
BUG=367847
TEST=Extended unit test
Review URL: https://codereview.chromium.org/515153002
Cr-Commit-Position: refs/heads/master@{#292924}
---
 chromeos/login/auth/key.cc | 4 ++++
 chromeos/login/auth/key.h | 11 ++++++++---
 chromeos/login/auth/key_unittest.cc | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)
(limited to 'chromeos')
diff --git a/chromeos/login/auth/key.cc b/chromeos/login/auth/key.cc
index 02733531..01c3bcf 100644
--- a/chromeos/login/auth/key.cc
+++ b/chromeos/login/auth/key.cc
@@ -100,6 +100,10 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) {
 base::Base64Encode(raw_secret, &secret_);
 break;
 }
+ case KEY_TYPE_SALTED_SHA256:
+ base::Base64Encode(crypto::SHA256HashString(salt + secret_), &secret_);
+ break;
+
 default:
 // The resulting key will be sent to cryptohomed. It should always be
 // hashed. If hashing fails, crash instead of sending a plain-text key.
diff --git a/chromeos/login/auth/key.h b/chromeos/login/auth/key.h
index 8aee6dd..969c824 100644
--- a/chromeos/login/auth/key.h
+++ b/chromeos/login/auth/key.h
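Review bot: The new KEY_TYPE_SALTED_SHA256 case is a single SHA256 pass over `salt + secret_` with no iteration, so unlike the KEY_TYPE_SALTED_PBKDF2_AES256_1234 path it applies no key stretching, and nothing at the case records that this is deliberate. The commit message presents it as the first type for the credentials passing API, so a why-comment on the case would stop a later reader from treating it as interchangeable with the PBKDF2 type: `// Single SHA256 pass, no key stretching; first key type for the credentials passing API.` Key::Transform's body starts before the hunk, so whether it rejects a key whose type is no longer KEY_TYPE_PASSWORD_PLAIN before reaching this switch is not visible here.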
@@ -17,11 +17,16 @@ class CHROMEOS_EXPORT Key {
 public:
 enum KeyType {
 // Plain text password.
- KEY_TYPE_PASSWORD_PLAIN,
+ KEY_TYPE_PASSWORD_PLAIN = 0,
 // SHA256 of salt + password, first half only, lower-case hex encoded.
- KEY_TYPE_SALTED_SHA256_TOP_HALF,
+ KEY_TYPE_SALTED_SHA256_TOP_HALF = 1,
 // PBKDF2 with 256 bit AES and 1234 iterations, base64 encoded.
- KEY_TYPE_SALTED_PBKDF2_AES256_1234,
+ KEY_TYPE_SALTED_PBKDF2_AES256_1234 = 2,
+ // SHA256 of salt + password, base64 encoded.
+ KEY_TYPE_SALTED_SHA256 = 3,
+
+ // Sentinel. Must be last.
+ KEY_TYPE_COUNT
 };
 
 Key();
diff --git a/chromeos/login/auth/key_unittest.cc b/chromeos/login/auth/key_unittest.cc
index 76e38cb..26a6c8d 100644
--- a/chromeos/login/auth/key_unittest.cc
+++ b/chromeos/login/auth/key_unittest.cc
@@ -44,4 +44,23 @@ TEST(KeyTest, TransformToSaltedAES2561234) {
 EXPECT_EQ("GUkNnvqoULf/cXbZscVUnANmLBB0ovjGZsj1sKzP5BE=", key.GetSecret());
 }
 
+TEST(KeyTest, TransformToSaltedSHA256) {
+ Key key(kPassword);
+ key.Transform(Key::KEY_TYPE_SALTED_SHA256, kSalt);
+ EXPECT_EQ(Key::KEY_TYPE_SALTED_SHA256, key.GetKeyType());
+ EXPECT_EQ("WwGUF3Hkf6QIOAqmdXA/TyScTFDo4d+ow5xfof0zGdo=", key.GetSecret());
+}
+
+// The values in the KeyType enum must never change because they are stored as
+// ints in the user's cryptohome key metadata.
+TEST(KeyTest, KeyTypeStable) {
+ EXPECT_EQ(0, Key::KEY_TYPE_PASSWORD_PLAIN);
+ EXPECT_EQ(1, Key::KEY_TYPE_SALTED_SHA256_TOP_HALF);
+ EXPECT_EQ(2, Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234);
+ EXPECT_EQ(3, Key::KEY_TYPE_SALTED_SHA256);
+ // The sentinel does not have to remain stable. It should be adjusted whenever
+ // a new key type is added.
+ EXPECT_EQ(4, Key::KEY_TYPE_COUNT);
+}
+
 } // namespace chromeos
-- cgit v1.1
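Review bot: The reason the KeyType values are now pinned explicitly, that they are stored as ints in the user's cryptohome key metadata, is stated only in the new KeyTypeStable test and not at the enum definition where someone adding the next type will be editing. I would put it above `enum KeyType {`: `// Values are stored as ints in the user's cryptohome key metadata and must` / `// never be changed or reused; add new types before KEY_TYPE_COUNT.` The comment on the new enumerator could also say it is the full digest so it reads as the counterpart of the TOP_HALF type: `// SHA256 of salt + password, full digest, base64 encoded.` Since KEY_TYPE_COUNT is now a valid KeyType value, passing it to Key::Transform appears to land in the `default:` branch shown in the key.cc hunk; if that is the intended behaviour, the sentinel comment could say so.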