Hash pin using existing hash algorithm
Pin is hashed differently than password in PinStorage.
This CL updates LockScreenController to hash pin using its existing hash algorithm.
Bug: 721524
Change-Id: I90f8691aee7fb4dfe179df4fab5de7f6a0ee6c2a
Reviewed-on: https://chromium-review.googlesource.com/653857
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Jacob Dufault <jdufault@chromium.org>
Reviewed-by: James Cook <jamescook@chromium.org>
Commit-Queue: Xiaoyin Hu <xiaoyinh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500473}
diff --git a/ash/login/lock_screen_controller.cc b/ash/login/lock_screen_controller.cc
index 1fd35c7..ce47c88 100644
--- a/ash/login/lock_screen_controller.cc
+++ b/ash/login/lock_screen_controller.cc
@@ -5,15 +5,45 @@
#include "ash/login/lock_screen_controller.h"
#include "ash/login/ui/lock_screen.h"
+#include "ash/public/cpp/ash_pref_names.h"
+#include "ash/session/session_controller.h"
+#include "ash/shell.h"
+#include "base/strings/string_number_conversions.h"
#include "chromeos/cryptohome/system_salt_getter.h"
#include "chromeos/login/auth/user_context.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
namespace ash {
-LockScreenController::LockScreenController() = default;
+namespace {
+std::string CalculateHash(const std::string& password,
+ const std::string& salt,
+ chromeos::Key::KeyType key_type) {
+ chromeos::Key key(password);
+ key.Transform(key_type, salt);
+ return key.GetSecret();
+}
+
+} // namespace
+
+LockScreenController::LockScreenController() = default;
LockScreenController::~LockScreenController() = default;
+// static
+void LockScreenController::RegisterProfilePrefs(PrefRegistrySimple* registry,
+ bool for_test) {
+ if (for_test) {
+ // There is no remote pref service, so pretend that ash owns the pref.
+ registry->RegisterStringPref(prefs::kQuickUnlockPinSalt, "");
+ return;
+ }
+
+ // Pref is owned by chrome and flagged as PUBLIC.
+ registry->RegisterForeignPref(prefs::kQuickUnlockPinSalt);
+}
+
void LockScreenController::BindRequest(mojom::LockScreenRequest request) {
bindings_.AddBinding(this, std::move(request));
}
@@ -62,7 +92,10 @@
void LockScreenController::SetPinEnabledForUser(const AccountId& account_id,
bool is_enabled) {
- ash::LockScreen::Get()->SetPinEnabledForUser(account_id, is_enabled);
+ // Chrome will update pin pod state every time user tries to authenticate.
+ // LockScreen is destroyed in the case of authentication success.
+ if (ash::LockScreen::IsShown())
+ ash::LockScreen::Get()->SetPinEnabledForUser(account_id, is_enabled);
}
void LockScreenController::AuthenticateUser(
@@ -140,13 +173,22 @@
bool authenticated_by_pin,
mojom::LockScreenClient::AuthenticateUserCallback callback,
const std::string& system_salt) {
- // Hash password before sending through mojo.
- // TODO(xiaoyinh): Pin is hashed differently by using a different salt and
- // a different hash algorithm. Update this part in PinStorage.
- chromeos::Key key(password);
- key.Transform(chromeos::Key::KEY_TYPE_SALTED_SHA256_TOP_HALF, system_salt);
- lock_screen_client_->AuthenticateUser(
- account_id, key.GetSecret(), authenticated_by_pin, std::move(callback));
+ int dummy_value;
+ bool is_pin =
+ authenticated_by_pin && base::StringToInt(password, &dummy_value);
+ std::string hashed_password = CalculateHash(
+ password, system_salt, chromeos::Key::KEY_TYPE_SALTED_SHA256_TOP_HALF);
+
+ PrefService* prefs =
+ Shell::Get()->session_controller()->GetLastActiveUserPrefService();
+ if (is_pin && prefs) {
+ hashed_password =
+ CalculateHash(password, prefs->GetString(prefs::kQuickUnlockPinSalt),
+ chromeos::Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234);
+ }
+
+ lock_screen_client_->AuthenticateUser(account_id, hashed_password, is_pin,
+ std::move(callback));
}
void LockScreenController::OnGetSystemSalt(const std::string& system_salt) {