Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/stabilize-rust-13562.B^! / .
commitdc73352d681464d3bffed1228498ce8c55a4eb92[log] [tgz]
authorHardik Goyal <hardikgoyal@google.com>Mon Oct 26 16:49:15 2020 -0700
committerCommit Bot <commit-bot@chromium.org>Thu Oct 29 03:54:37 2020 +0000
tree68deb480049c15b93159ddf3bcbac2e40e2cd59e
parent63f1b0b117d4d85f69c4bc0ab490551712ce5938 [diff]
cryptohome: Cleanup DeriveVaultKeyset for AuthBlock

BUG=chromium:728125
TEST=FEATURES=test emerge-nami cryptohome

Change-Id: I8a46f169fd9fcd3f59ba75b6cc6430cea5cee4f5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2500634
Tested-by: Hardik Goyal <hardikgoyal@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Commit-Queue: Hardik Goyal <hardikgoyal@chromium.org>
Auto-Submit: Hardik Goyal <hardikgoyal@chromium.org>

diff --git a/cryptohome/crypto.cc b/cryptohome/crypto.cc
index b44c3cf..df79605 100644
--- a/cryptohome/crypto.cc
+++ b/cryptohome/crypto.cc

@@ -441,90 +441,28 @@
   PopulateError(error, CryptoError::CE_NONE);
 
   unsigned int flags = serialized.flags();
+  std::unique_ptr<AuthBlock> auth_block = DeriveAuthBlock(flags);
+  if (!auth_block) {
+    LOG(ERROR) << "Keyset wrapped with unknown method.";
+    return false;
+  }
+
+  AuthInput auth_input = {vault_key, locked_to_single_user};
+  AuthBlockState auth_state = {serialized};
+  KeyBlobs vkk_data;
+  if (!auth_block->Derive(auth_input, auth_state, &vkk_data, error)) {
+    return false;
+  }
 
   if (flags & SerializedVaultKeyset::LE_CREDENTIAL) {
-    PinWeaverAuthBlock pin_weaver_auth(le_manager_.get(), tpm_init_);
-
-    AuthInput auth_input = {vault_key};
-    AuthBlockState auth_state = {serialized};
-    KeyBlobs vkk_data;
-    if (!pin_weaver_auth.Derive(auth_input, auth_state, &vkk_data, error)) {
-      return false;
-    }
-
     // This is possible to be empty if an old version of CR50 is running.
     if (vkk_data.reset_secret.has_value() &&
         !vkk_data.reset_secret.value().empty()) {
       vault_keyset->set_reset_secret(vkk_data.reset_secret.value());
     }
-
-    return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
   }
 
-  if (flags & SerializedVaultKeyset::SIGNATURE_CHALLENGE_PROTECTED) {
-    AuthInput user_input = {vault_key};
-    AuthBlockState auth_state = {serialized};
-    KeyBlobs vkk_data;
-    ChallengeCredentialAuthBlock auth_block;
-    if (!auth_block.Derive(user_input, auth_state, &vkk_data, error)) {
-      return false;
-    }
-    return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
-  }
-
-  if (flags & SerializedVaultKeyset::SCRYPT_WRAPPED &&
-      flags & SerializedVaultKeyset::TPM_WRAPPED) {
-    LOG(ERROR) << "Keyset wrapped with both TPM and Scrypt?";
-    ReportCryptohomeError(cryptohome::kBothTpmAndScryptWrappedKeyset);
-
-    AuthInput auth_input = {vault_key};
-    AuthBlockState auth_state = {serialized};
-    KeyBlobs vkk_data;
-    DoubleWrappedCompatAuthBlock auth_block(tpm_, tpm_init_);
-    if (!auth_block.Derive(auth_input, auth_state, &vkk_data, error)) {
-      return false;
-    }
-    return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
-  }
-
-  if (flags & SerializedVaultKeyset::TPM_WRAPPED) {
-    std::unique_ptr<AuthBlock> tpm_auth;
-    if (flags & SerializedVaultKeyset::PCR_BOUND) {
-      tpm_auth = std::make_unique<TpmBoundToPcrAuthBlock>(tpm_, tpm_init_);
-    } else {
-      tpm_auth = std::make_unique<TpmNotBoundToPcrAuthBlock>(tpm_, tpm_init_);
-    }
-
-    KeyBlobs vkk_data;
-    AuthInput auth_input;
-    auth_input.user_input = vault_key;
-    auth_input.locked_to_single_user = locked_to_single_user;
-
-    AuthBlockState auth_state = {serialized};
-    if (!tpm_auth->Derive(auth_input, auth_state, &vkk_data, error)) {
-      return false;
-    }
-
-    return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
-  }
-
-  if (flags & SerializedVaultKeyset::SCRYPT_WRAPPED) {
-    KeyBlobs vkk_data;
-    AuthInput auth_input;
-    auth_input.user_input = vault_key;
-    auth_input.locked_to_single_user = locked_to_single_user;
-
-    AuthBlockState auth_state = {serialized};
-    LibScryptCompatAuthBlock auth_block;
-    if (!auth_block.Derive(auth_input, auth_state, &vkk_data, error)) {
-      return false;
-    }
-
-    return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
-  }
-
-  LOG(ERROR) << "Keyset wrapped with unknown method.";
-  return false;
+  return UnwrapVaultKeyset(serialized, vkk_data, vault_keyset, error);
 }
 
 bool Crypto::GenerateEncryptedRawKeyset(const VaultKeyset& vault_keyset,
@@ -1125,4 +1063,25 @@
 #endif
 }
 
+std::unique_ptr<AuthBlock> Crypto::DeriveAuthBlock(int serialized_key_flags) {
+  if (serialized_key_flags & SerializedVaultKeyset::LE_CREDENTIAL) {
+    return std::make_unique<PinWeaverAuthBlock>(le_manager_.get(), tpm_init_);
+  } else if (serialized_key_flags &
+             SerializedVaultKeyset::SIGNATURE_CHALLENGE_PROTECTED) {
+    return std::make_unique<ChallengeCredentialAuthBlock>();
+  } else if (serialized_key_flags & SerializedVaultKeyset::SCRYPT_WRAPPED &&
+             serialized_key_flags & SerializedVaultKeyset::TPM_WRAPPED) {
+    return std::make_unique<DoubleWrappedCompatAuthBlock>(tpm_, tpm_init_);
+  } else if (serialized_key_flags & SerializedVaultKeyset::TPM_WRAPPED) {
+    if (serialized_key_flags & SerializedVaultKeyset::PCR_BOUND) {
+      return std::make_unique<TpmBoundToPcrAuthBlock>(tpm_, tpm_init_);
+    } else {
+      return std::make_unique<TpmNotBoundToPcrAuthBlock>(tpm_, tpm_init_);
+    }
+  } else if (serialized_key_flags & SerializedVaultKeyset::SCRYPT_WRAPPED) {
+    return std::make_unique<LibScryptCompatAuthBlock>();
+  }
+  return nullptr;
+}
+
 }  // namespace cryptohome

diff --git a/cryptohome/crypto.h b/cryptohome/crypto.h
index 75e2ef4..b16f022 100644
--- a/cryptohome/crypto.h
+++ b/cryptohome/crypto.h

@@ -34,6 +34,7 @@
 
 struct KeyBlobs;
 class VaultKeyset;
+class AuthBlock;
 
 extern const char kSystemSaltFile[];
 
@@ -275,6 +276,12 @@
                                 const brillo::SecureBlob& vkk_key,
                                 const brillo::SecureBlob& vkk_iv) const;
 
+  // This function serves as a factory method to return the authblock used in
+  // authentication.
+  // |serialized_key_flags| is the flag data stores in the vault keyset which
+  // helps determine the type of AuthBlock.
+  std::unique_ptr<AuthBlock> DeriveAuthBlock(int serialized_key_flags);
+
   // If set, the TPM will be used during the encryption of the vault keyset
   bool use_tpm_;