1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/signin/local_auth.h" 6 7 #include "base/base64.h" 8 #include "base/logging.h" 9 #include "base/memory/scoped_ptr.h" 10 #include "base/metrics/histogram.h" 11 #include "base/prefs/pref_service.h" 12 #include "base/strings/string_util.h" 13 #include "chrome/browser/browser_process.h" 14 #include "chrome/browser/profiles/profile.h" 15 #include "chrome/browser/profiles/profile_manager.h" 16 #include "chrome/common/pref_names.h" 17 #include "components/os_crypt/os_crypt.h" 18 #include "components/pref_registry/pref_registry_syncable.h" 19 #include "crypto/random.h" 20 #include "crypto/secure_util.h" 21 #include "crypto/symmetric_key.h" 22 23 namespace { 24 25 // WARNING: Changing these values will make it impossible to do off-line 26 // authentication until the next successful on-line authentication. To change 27 // these safely, change the "encoding" version below and make verification 28 // handle multiple values. 29 const char kHash1Encoding = '1'; 30 const unsigned kHash1Bits = 256; 31 const unsigned kHash1Bytes = kHash1Bits / 8; 32 const unsigned kHash1IterationCount = 100000; 33 34 std::string CreateSecurePasswordHash(const std::string& salt, 35 const std::string& password, 36 char encoding) { 37 DCHECK_EQ(kHash1Bytes, salt.length()); 38 DCHECK_EQ(kHash1Encoding, encoding); // Currently support only one method. 39 40 base::Time start_time = base::Time::Now(); 41 42 // Library call to create secure password hash as SymmetricKey (uses PBKDF2). 43 scoped_ptr<crypto::SymmetricKey> password_key( 44 crypto::SymmetricKey::DeriveKeyFromPassword( 45 crypto::SymmetricKey::AES, 46 password, salt, 47 kHash1IterationCount, kHash1Bits)); 48 std::string password_hash; 49 const bool success = password_key->GetRawKey(&password_hash); 50 DCHECK(success); 51 DCHECK_EQ(kHash1Bytes, password_hash.length()); 52 53 UMA_HISTOGRAM_TIMES("PasswordHash.CreateTime", 54 base::Time::Now() - start_time); 55 56 return password_hash; 57 } 58 59 std::string EncodePasswordHashRecord(const std::string& record, 60 char encoding) { 61 DCHECK_EQ(kHash1Encoding, encoding); // Currently support only one method. 62 63 // Encrypt the hash using the OS account-password protection (if available). 64 std::string encoded; 65 const bool success = OSCrypt::EncryptString(record, &encoded); 66 DCHECK(success); 67 68 // Convert binary record to text for preference database. 69 std::string encoded64; 70 base::Base64Encode(encoded, &encoded64); 71 72 // Stuff the "encoding" value into the first byte. 73 encoded64.insert(0, &encoding, sizeof(encoding)); 74 75 return encoded64; 76 } 77 78 bool DecodePasswordHashRecord(const std::string& encoded, 79 std::string* decoded, 80 char* encoding) { 81 // Extract the "encoding" value from the first byte and validate. 82 if (encoded.length() < 1) 83 return false; 84 *encoding = encoded[0]; 85 if (*encoding != kHash1Encoding) 86 return false; 87 88 // Stored record is base64; convert to binary. 89 std::string unbase64; 90 if (!base::Base64Decode(encoded.substr(1), &unbase64)) 91 return false; 92 93 // Decrypt the record using the OS account-password protection (if available). 94 return OSCrypt::DecryptString(unbase64, decoded); 95 } 96 97 size_t GetProfileInfoIndexOfProfile(const Profile* profile) { 98 DCHECK(profile); 99 100 ProfileInfoCache& info = 101 g_browser_process->profile_manager()->GetProfileInfoCache(); 102 return info.GetIndexOfProfileWithPath(profile->GetPath()); 103 } 104 105 } // namespace 106 107 namespace chrome { 108 109 void RegisterLocalAuthPrefs(user_prefs::PrefRegistrySyncable* registry) { 110 registry->RegisterStringPref( 111 prefs::kGoogleServicesPasswordHash, 112 std::string(), 113 user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF); 114 } 115 116 void SetLocalAuthCredentials(size_t info_index, 117 const std::string& password) { 118 if (info_index == std::string::npos) { 119 NOTREACHED(); 120 return; 121 } 122 DCHECK(password.length()); 123 124 // Salt should be random data, as long as the hash length, and different with 125 // every save. 126 std::string salt_str; 127 crypto::RandBytes(WriteInto(&salt_str, kHash1Bytes + 1), kHash1Bytes); 128 DCHECK_EQ(kHash1Bytes, salt_str.length()); 129 130 // Perform secure hash of password for storage. 131 std::string password_hash = CreateSecurePasswordHash( 132 salt_str, password, kHash1Encoding); 133 DCHECK_EQ(kHash1Bytes, password_hash.length()); 134 135 // Group all fields into a single record for storage; 136 std::string record; 137 record.append(salt_str); 138 record.append(password_hash); 139 140 // Encode it and store it. 141 std::string encoded = EncodePasswordHashRecord(record, kHash1Encoding); 142 ProfileInfoCache& info = 143 g_browser_process->profile_manager()->GetProfileInfoCache(); 144 info.SetLocalAuthCredentialsOfProfileAtIndex(info_index, encoded); 145 } 146 147 void SetLocalAuthCredentials(const Profile* profile, 148 const std::string& password) { 149 SetLocalAuthCredentials(GetProfileInfoIndexOfProfile(profile), password); 150 } 151 152 bool ValidateLocalAuthCredentials(size_t info_index, 153 const std::string& password) { 154 if (info_index == std::string::npos) { 155 NOTREACHED(); 156 return false; 157 } 158 159 std::string record; 160 char encoding; 161 162 ProfileInfoCache& info = 163 g_browser_process->profile_manager()->GetProfileInfoCache(); 164 165 std::string encodedhash = 166 info.GetLocalAuthCredentialsOfProfileAtIndex(info_index); 167 if (encodedhash.length() == 0 && password.length() == 0) 168 return true; 169 if (!DecodePasswordHashRecord(encodedhash, &record, &encoding)) 170 return false; 171 172 std::string password_hash; 173 const char* password_saved; 174 const char* password_check; 175 size_t password_length; 176 177 if (encoding == '1') { 178 // Validate correct length; extract salt and password hash. 179 if (record.length() != 2 * kHash1Bytes) 180 return false; 181 std::string salt_str(record.data(), kHash1Bytes); 182 password_saved = record.data() + kHash1Bytes; 183 password_hash = CreateSecurePasswordHash(salt_str, password, encoding); 184 password_check = password_hash.data(); 185 password_length = kHash1Bytes; 186 } else { 187 // unknown encoding 188 return false; 189 } 190 191 return crypto::SecureMemEqual(password_saved, password_check, 192 password_length); 193 } 194 195 bool ValidateLocalAuthCredentials(const Profile* profile, 196 const std::string& password) { 197 return ValidateLocalAuthCredentials(GetProfileInfoIndexOfProfile(profile), 198 password); 199 } 200 201 } // namespace chrome 202