Add a lock to the managed user settings page and require authentication for unlocking.

chrome/browser/managed_mode/managed_user_passphrase.cc

Index: chrome/browser/managed_mode/managed_user_passphrase.cc
diff --git a/chrome/browser/managed_mode/managed_user_passphrase.cc b/chrome/browser/managed_mode/managed_user_passphrase.cc
new file mode 100644
index 0000000000000000000000000000000000000000..c39396628a62f223e7d510905dd5c7d284833fb3
--- /dev/null
+++ b/chrome/browser/managed_mode/managed_user_passphrase.cc
@@ -0,0 +1,61 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/managed_mode/managed_user_passphrase.h"
+
+#include "base/base64.h"
+#include "base/logging.h"
+#include "base/string_util.h"
+#include "crypto/encryptor.h"
+#include "crypto/random.h"
+#include "crypto/symmetric_key.h"
+
+const int kNumberOfIterations = 1;

[Pam (message me for reviews), 2013/01/14 15:37:50]

I know it seems obvious, but please give a brief comment explaining what this is
used for.

[Adrian Kuegel, 2013/01/19 01:21:32]

Done.

+const int kDerivedKeySize = 128;
+const int kSaltSize = 33;
+
+ManagedUserPassphrase::ManagedUserPassphrase(const std::string& salt)
+    : salt_(salt) {
+  if (salt_.empty())
+    GenerateRandomSalt();
+}
+
+ManagedUserPassphrase::~ManagedUserPassphrase() {
+}
+
+std::string ManagedUserPassphrase::GetSalt() {
+  return salt_;
+}
+
+void ManagedUserPassphrase::GenerateRandomSalt() {
+  std::string bytes;
+  crypto::RandBytes(WriteInto(&bytes, kSaltSize), kSaltSize);
+  bool success = base::Base64Encode(bytes, &salt_);
+  DCHECK(success);
+}
+
+void ManagedUserPassphrase::GenerateHashFromPassphrase(
+    const std::string& passphrase,
+    std::string* encoded_passphrase_hash) const {
+  std::string passphrase_hash;
+  GetPassphraseHash(passphrase, &passphrase_hash);
+  bool success = base::Base64Encode(passphrase_hash, encoded_passphrase_hash);
+  DCHECK(success);
+}
+
+void ManagedUserPassphrase::GetPassphraseHash(
+    const std::string& passphrase,
+    std::string* passphrase_hash) const {
+  DCHECK(passphrase_hash);
+  // Create a hash from the user-provided passphrase and our hard-coded salt.
+  scoped_ptr<crypto::SymmetricKey> encryption_key(
+      crypto::SymmetricKey::DeriveKeyFromPassword(
+          crypto::SymmetricKey::AES,
+          passphrase,
+          salt_,
+          kNumberOfIterations,
+          kDerivedKeySize));

[Pam (message me for reviews), 2013/01/14 15:37:50]

These are reversed from the order they were in as literal numbers. Is that a
deliberate change?

[Adrian Kuegel, 2013/01/19 01:21:32]

I had the order wrong first, Bernhard found the bug and told me offline. So the
new order is a deliberate change.

+  bool success = encryption_key->GetRawKey(passphrase_hash);
+  DCHECK(success);
+}