Add new Chrome OS key type: Salted SHA256

This CL adds a new key type for Chrome OS authentication and cryptohome encryption, a base64-encoded salted SHA256 hash. This will be the first key type supported by the credentials passing API. BUG=367847 TEST=Extended unit test Review URL: https://codereview.chromium.org/515153002 Cr-Commit-Position: refs/heads/master@{#292924}

Add new Chrome OS key type: Salted SHA256
This CL adds a new key type for Chrome OS authentication and cryptohome encryption, a base64-encoded salted SHA256 hash. This will be the first key type supported by the credentials passing API. BUG=367847 TEST=Extended unit test Review URL: https://codereview.chromium.org/515153002 Cr-Commit-Position: refs/heads/master@{#292924}
28dae509 · bartfab · Commit bot · 0ee22a13 · 28dae509 · 28dae509
Commit 28dae509 authored Sep 02, 2014 by bartfab Committed by Commit bot Sep 02, 2014
Showing with 31 additions and 3 deletions

chromeos/login/auth/key.cc chromeos/login/auth/key.cc +4 -0

chromeos/login/auth/key.h chromeos/login/auth/key.h +8 -3

chromeos/login/auth/key_unittest.cc chromeos/login/auth/key_unittest.cc +19 -0

No files found.
--- a/chromeos/login/auth/key.cc
+++ b/chromeos/login/auth/key.cc
@@ -100,6 +100,10 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) {
      base::Base64Encode(raw_secret, &secret_);
      break;
    }
+    case KEY_TYPE_SALTED_SHA256:
+      base::Base64Encode(crypto::SHA256HashString(salt + secret_), &secret_);
+      break;
+
    default:
      // The resulting key will be sent to cryptohomed. It should always be
      // hashed. If hashing fails, crash instead of sending a plain-text key.

--- a/chromeos/login/auth/key.h
+++ b/chromeos/login/auth/key.h
@@ -17,11 +17,16 @@ class CHROMEOS_EXPORT Key {
 public:
  enum KeyType {
    // Plain text password.
-    KEY_TYPE_PASSWORD_PLAIN,
+    KEY_TYPE_PASSWORD_PLAIN = 0,
    // SHA256 of salt + password, first half only, lower-case hex encoded.
-    KEY_TYPE_SALTED_SHA256_TOP_HALF,
+    KEY_TYPE_SALTED_SHA256_TOP_HALF = 1,
    // PBKDF2 with 256 bit AES and 1234 iterations, base64 encoded.
-    KEY_TYPE_SALTED_PBKDF2_AES256_1234,
+    KEY_TYPE_SALTED_PBKDF2_AES256_1234 = 2,
+    // SHA256 of salt + password, base64 encoded.
+    KEY_TYPE_SALTED_SHA256 = 3,
+
+    // Sentinel. Must be last.
+    KEY_TYPE_COUNT
  };

  Key();

--- a/chromeos/login/auth/key_unittest.cc
+++ b/chromeos/login/auth/key_unittest.cc
@@ -44,4 +44,23 @@ TEST(KeyTest, TransformToSaltedAES2561234) {
  EXPECT_EQ("GUkNnvqoULf/cXbZscVUnANmLBB0ovjGZsj1sKzP5BE=", key.GetSecret());
 }

+TEST(KeyTest, TransformToSaltedSHA256) {
+  Key key(kPassword);
+  key.Transform(Key::KEY_TYPE_SALTED_SHA256, kSalt);
+  EXPECT_EQ(Key::KEY_TYPE_SALTED_SHA256, key.GetKeyType());
+  EXPECT_EQ("WwGUF3Hkf6QIOAqmdXA/TyScTFDo4d+ow5xfof0zGdo=", key.GetSecret());
+}
+
+// The values in the KeyType enum must never change because they are stored as
+// ints in the user's cryptohome key metadata.
+TEST(KeyTest, KeyTypeStable) {
+  EXPECT_EQ(0, Key::KEY_TYPE_PASSWORD_PLAIN);
+  EXPECT_EQ(1, Key::KEY_TYPE_SALTED_SHA256_TOP_HALF);
+  EXPECT_EQ(2, Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234);
+  EXPECT_EQ(3, Key::KEY_TYPE_SALTED_SHA256);
+  // The sentinel does not have to remain stable. It should be adjusted whenever
+  // a new key type is added.
+  EXPECT_EQ(4, Key::KEY_TYPE_COUNT);
+}
+
 }  // namespace chromeos