Move chromeos::CryptohomeLibrary::HashPassword to chromeos::ParallelAuthenticator

This is a part of effort to remove CrosLibrary and its belongings. BUG=126719 TEST=None Review URL: https://chromiumcodereview.appspot.com/10701075 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146055 0039d316-1c4b-4281-b951-d872f2087c98

Move chromeos::CryptohomeLibrary::HashPassword to chromeos::ParallelAuthenticator
This is a part of effort to remove CrosLibrary and its belongings. BUG=126719 TEST=None Review URL: https://chromiumcodereview.appspot.com/10701075 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146055 0039d316-1c4b-4281-b951-d872f2087c98
3b69e733 · hashimoto@chromium.org · 2616ea05 · 3b69e733 · 3b69e733 · 3b69e733
Commit 3b69e733 authored Jul 11, 2012 by hashimoto@chromium.org
5 changed files
--- a/chrome/browser/chromeos/cros/cryptohome_library.cc
+++ b/chrome/browser/chromeos/cros/cryptohome_library.cc
@@ -11,12 +11,10 @@
 #include "base/string_util.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
-#include "crypto/sha2.h"

 namespace {

 const char kStubSystemSalt[] = "stub_system_salt";
-const int kPassHashLen = 32;

 }

@@ -127,21 +125,6 @@ class CryptohomeLibraryImpl : public CryptohomeLibrary {
    return result;
  }

-  virtual std::string HashPassword(const std::string& password) OVERRIDE {
-    // Get salt, ascii encode, update sha with that, then update with ascii
-    // of password, then end.
-    std::string ascii_salt = GetSystemSalt();
-    char passhash_buf[kPassHashLen];
-
-    // Hash salt and password
-    crypto::SHA256HashString(ascii_salt + password,
-                             &passhash_buf, sizeof(passhash_buf));
-
-    return StringToLowerASCII(base::HexEncode(
-        reinterpret_cast<const void*>(passhash_buf),
-        sizeof(passhash_buf) / 2));
-  }
-
  virtual std::string GetSystemSalt() OVERRIDE {
    LoadSystemSalt();  // no-op if it's already loaded.
    return StringToLowerASCII(base::HexEncode(
@@ -234,12 +217,6 @@ class CryptohomeLibraryStubImpl : public CryptohomeLibrary {
    return !locked_;
  }

-  virtual std::string HashPassword(const std::string& password) OVERRIDE {
-    return StringToLowerASCII(base::HexEncode(
-            reinterpret_cast<const void*>(password.data()),
-            password.length()));
-  }
-
  virtual std::string GetSystemSalt() OVERRIDE {
    return kStubSystemSalt;
  }

--- a/chrome/browser/chromeos/cros/cryptohome_library.h
+++ b/chrome/browser/chromeos/cros/cryptohome_library.h
@@ -54,9 +54,6 @@ class CryptohomeLibrary {
  virtual bool InstallAttributesIsInvalid() = 0;
  virtual bool InstallAttributesIsFirstInstall() = 0;

-  // Returns hash of |password|, salted with the system salt.
-  virtual std::string HashPassword(const std::string& password) = 0;
-
  // Returns system hash in hex encoded ascii format.
  virtual std::string GetSystemSalt() = 0;


--- a/chrome/browser/chromeos/cros/mock_cryptohome_library.h
+++ b/chrome/browser/chromeos/cros/mock_cryptohome_library.h
@@ -23,7 +23,6 @@ class MockCryptohomeLibrary : public CryptohomeLibrary {
  MockCryptohomeLibrary();
  virtual ~MockCryptohomeLibrary();
  MOCK_METHOD0(IsMounted, bool(void));
-  MOCK_METHOD1(HashPassword, std::string(const std::string& password));
  MOCK_METHOD0(GetSystemSalt, std::string(void));

  MOCK_METHOD0(TpmIsReady, bool(void));

--- a/chrome/browser/chromeos/login/parallel_authenticator.cc
+++ b/chrome/browser/chromeos/login/parallel_authenticator.cc
@@ -9,6 +9,7 @@
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/logging.h"
+#include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "chrome/browser/chromeos/boot_times_loader.h"
 #include "chrome/browser/chromeos/cros/cert_library.h"
@@ -27,6 +28,7 @@
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
+#include "crypto/sha2.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"

 using content::BrowserThread;
@@ -38,6 +40,9 @@ namespace {
 // Milliseconds until we timeout our attempt to hit ClientLogin.
 const int kClientLoginTimeoutMs = 10000;

+// Length of password hashed with SHA-256.
+const int kPasswordHashLength = 32;
+
 // Records status and calls resolver->Resolve().
 void TriggerResolve(AuthAttemptState* attempt,
                    AuthAttemptStateResolver* resolver,
@@ -162,6 +167,26 @@ bool WasConnectionIssue(const LoginFailure& online_outcome) {
           GoogleServiceAuthError::REQUEST_CANCELED));
 }

+// Returns hash of |password|, salted with the system salt.
+std::string HashPassword(const std::string& password) {
+  // Get salt, ascii encode, update sha with that, then update with ascii
+  // of password, then end.
+  std::string ascii_salt =
+      CrosLibrary::Get()->GetCryptohomeLibrary()->GetSystemSalt();
+  char passhash_buf[kPasswordHashLength];
+
+  // Hash salt and password
+  crypto::SHA256HashString(ascii_salt + password,
+                           &passhash_buf, sizeof(passhash_buf));
+
+  // Only want the top half for 'weak' hashing so that the passphrase is not
+  // immediately exposed even if the output is reversed.
+  const int encoded_length = sizeof(passhash_buf) / 2;
+
+  return StringToLowerASCII(base::HexEncode(
+      reinterpret_cast<const void*>(passhash_buf), encoded_length));
+}
+
 }  // namespace

 ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer)
@@ -193,7 +218,7 @@ void ParallelAuthenticator::AuthenticateToLogin(
      new AuthAttemptState(
          canonicalized,
          password,
-          CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password),
+          HashPassword(password),
          login_token,
          login_captcha,
          !UserManager::Get()->IsKnownUser(canonicalized)));
@@ -230,7 +255,7 @@ void ParallelAuthenticator::CompleteLogin(Profile* profile,
      new AuthAttemptState(
          canonicalized,
          password,
-          CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password),
+          HashPassword(password),
          !UserManager::Get()->IsKnownUser(canonicalized)));
  {
    // Reset the verified flag.
@@ -270,7 +295,7 @@ void ParallelAuthenticator::AuthenticateToUnlock(const std::string& username,
  current_state_.reset(
      new AuthAttemptState(
          gaia::CanonicalizeEmail(username),
-          CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password)));
+          HashPassword(password)));
  check_key_attempted_ = true;
  BrowserThread::PostTask(
      BrowserThread::UI, FROM_HERE,
@@ -367,8 +392,7 @@ void ParallelAuthenticator::RecordOAuthCheckFailure(

 void ParallelAuthenticator::RecoverEncryptedData(
    const std::string& old_password) {
-  std::string old_hash =
-      CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(old_password);
+  std::string old_hash = HashPassword(old_password);
  migrate_attempted_ = true;
  current_state_->ResetCryptohomeStatus();
  BrowserThread::PostTask(
@@ -432,7 +456,7 @@ void ParallelAuthenticator::RetryAuth(Profile* profile,
      new AuthAttemptState(
          gaia::CanonicalizeEmail(username),
          password,
-          CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password),
+          HashPassword(password),
          login_token,
          login_captcha,
          false /* not a new user */));

--- a/chrome/browser/chromeos/login/parallel_authenticator_unittest.cc
+++ b/chrome/browser/chromeos/login/parallel_authenticator_unittest.cc
@@ -490,7 +490,7 @@ TEST_F(ParallelAuthenticatorTest, DriveDataRecover) {
  EXPECT_CALL(*mock_caller_, AsyncMount(username_, hash_ascii_, false, _))
      .Times(1)
      .RetiresOnSaturation();
-  EXPECT_CALL(*mock_cryptohome_library_, HashPassword(_))
+  EXPECT_CALL(*mock_cryptohome_library_, GetSystemSalt())
      .WillOnce(Return(std::string()))
      .RetiresOnSaturation();

@@ -511,7 +511,7 @@ TEST_F(ParallelAuthenticatorTest, DriveDataRecoverButFail) {
  EXPECT_CALL(*mock_caller_, AsyncMigrateKey(username_, _, hash_ascii_, _))
      .Times(1)
      .RetiresOnSaturation();
-  EXPECT_CALL(*mock_cryptohome_library_, HashPassword(_))
+  EXPECT_CALL(*mock_cryptohome_library_, GetSystemSalt())
      .WillOnce(Return(std::string()))
      .RetiresOnSaturation();

@@ -628,7 +628,7 @@ TEST_F(ParallelAuthenticatorTest, DriveOfflineLoginGetNewPassword) {
                                              _))
      .Times(1)
      .RetiresOnSaturation();
-  EXPECT_CALL(*mock_cryptohome_library_, HashPassword(_))
+  EXPECT_CALL(*mock_cryptohome_library_, GetSystemSalt())
      .WillOnce(Return(std::string()))
      .RetiresOnSaturation();

@@ -666,7 +666,7 @@ TEST_F(ParallelAuthenticatorTest, DriveOfflineLoginGetNewPassword) {
 TEST_F(ParallelAuthenticatorTest, DriveOfflineLoginGetCaptchad) {
  ExpectLoginSuccess(username_, password_, true);
  FailOnLoginFailure();
-  EXPECT_CALL(*mock_cryptohome_library_, HashPassword(_))
+  EXPECT_CALL(*mock_cryptohome_library_, GetSystemSalt())
      .WillOnce(Return(std::string()))
      .RetiresOnSaturation();

@@ -748,7 +748,7 @@ TEST_F(ParallelAuthenticatorTest, DriveUnlock) {
  EXPECT_CALL(*mock_caller_, AsyncCheckKey(username_, _, _))
      .Times(1)
      .RetiresOnSaturation();
-  EXPECT_CALL(*mock_cryptohome_library_, HashPassword(_))
+  EXPECT_CALL(*mock_cryptohome_library_, GetSystemSalt())
      .WillOnce(Return(std::string()))
      .RetiresOnSaturation();