| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sync/util/cryptographer.h" | 5 #include "sync/util/cryptographer.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "sync/protocol/nigori_specifics.pb.h" | 11 #include "sync/protocol/nigori_specifics.pb.h" |
| 12 #include "sync/util/encryptor.h" | 12 #include "sync/util/encryptor.h" |
| 13 | 13 |
| 14 namespace syncer { | 14 namespace syncer { |
| 15 | 15 |
| 16 const char kNigoriTag[] = "google_chrome_nigori"; | 16 const char kNigoriTag[] = "google_chrome_nigori"; |
| 17 | 17 |
| 18 // We name a particular Nigori instance (ie. a triplet consisting of a hostname, | 18 // We name a particular Nigori instance (ie. a triplet consisting of a hostname, |
| 19 // a username, and a password) by calling Permute on this string. Since the | 19 // a username, and a password) by calling Permute on this string. Since the |
| 20 // output of Permute is always the same for a given triplet, clients will always | 20 // output of Permute is always the same for a given triplet, clients will always |
| 21 // assign the same name to a particular triplet. | 21 // assign the same name to a particular triplet. |
| 22 const char kNigoriKeyName[] = "nigori-key"; | 22 const char kNigoriKeyName[] = "nigori-key"; |
| 23 | 23 |
| 24 Cryptographer::Cryptographer(Encryptor* encryptor) | 24 Cryptographer::Cryptographer(Encryptor* encryptor) |
| 25 : encryptor_(encryptor), | 25 : encryptor_(encryptor) { |
| 26 default_nigori_(NULL), | |
| 27 keystore_nigori_(NULL) { | |
| 28 DCHECK(encryptor); | 26 DCHECK(encryptor); |
| 29 } | 27 } |
| 30 | 28 |
| 31 Cryptographer::~Cryptographer() {} | 29 Cryptographer::~Cryptographer() {} |
| 32 | 30 |
| 33 | 31 |
| 34 void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) { | 32 void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) { |
| 35 if (is_initialized()) { | 33 if (is_initialized()) { |
| 36 NOTREACHED(); | 34 NOTREACHED(); |
| 37 return; | 35 return; |
| 38 } | 36 } |
| 39 | 37 |
| 40 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token)); | 38 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token)); |
| 41 if (nigori.get()) | 39 if (nigori.get()) |
| 42 AddKeyImpl(nigori.release(), false); | 40 AddKeyImpl(nigori.Pass()); |
| 43 } | |
| 44 | |
| 45 void Cryptographer::BootstrapKeystoreKey( | |
| 46 const std::string& restored_bootstrap_token) { | |
| 47 if (keystore_nigori_) { | |
| 48 NOTREACHED(); | |
| 49 return; | |
| 50 } | |
| 51 | |
| 52 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token)); | |
| 53 if (nigori.get()) | |
| 54 AddKeyImpl(nigori.release(), true); | |
| 55 } | 41 } |
| 56 | 42 |
| 57 bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const { | 43 bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const { |
| 58 return nigoris_.end() != nigoris_.find(data.key_name()); | 44 return nigoris_.end() != nigoris_.find(data.key_name()); |
| 59 } | 45 } |
| 60 | 46 |
| 61 bool Cryptographer::CanDecryptUsingDefaultKey( | 47 bool Cryptographer::CanDecryptUsingDefaultKey( |
| 62 const sync_pb::EncryptedData& data) const { | 48 const sync_pb::EncryptedData& data) const { |
| 63 return default_nigori_ && (data.key_name() == default_nigori_->first); | 49 return !default_nigori_name_.empty() && |
| 50 data.key_name() == default_nigori_name_; |
| 64 } | 51 } |
| 65 | 52 |
| 66 bool Cryptographer::Encrypt( | 53 bool Cryptographer::Encrypt( |
| 67 const ::google::protobuf::MessageLite& message, | 54 const ::google::protobuf::MessageLite& message, |
| 68 sync_pb::EncryptedData* encrypted) const { | 55 sync_pb::EncryptedData* encrypted) const { |
| 69 DCHECK(encrypted); | 56 DCHECK(encrypted); |
| 70 if (!default_nigori_) { | 57 if (default_nigori_name_.empty()) { |
| 71 LOG(ERROR) << "Cryptographer not ready, failed to encrypt."; | 58 LOG(ERROR) << "Cryptographer not ready, failed to encrypt."; |
| 72 return false; | 59 return false; |
| 73 } | 60 } |
| 61 NigoriMap::const_iterator default_nigori = |
| 62 nigoris_.find(default_nigori_name_); |
| 63 if (default_nigori == nigoris_.end()) { |
| 64 LOG(ERROR) << "Corrupt default key."; |
| 65 return false; |
| 66 } |
| 74 | 67 |
| 75 std::string serialized; | 68 std::string serialized; |
| 76 if (!message.SerializeToString(&serialized)) { | 69 if (!message.SerializeToString(&serialized)) { |
| 77 LOG(ERROR) << "Message is invalid/missing a required field."; | 70 LOG(ERROR) << "Message is invalid/missing a required field."; |
| 78 return false; | 71 return false; |
| 79 } | 72 } |
| 80 | 73 |
| 81 if (CanDecryptUsingDefaultKey(*encrypted)) { | 74 if (CanDecryptUsingDefaultKey(*encrypted)) { |
| 82 const std::string& original_serialized = DecryptToString(*encrypted); | 75 const std::string& original_serialized = DecryptToString(*encrypted); |
| 83 if (original_serialized == serialized) { | 76 if (original_serialized == serialized) { |
| 84 DVLOG(2) << "Re-encryption unnecessary, encrypted data already matches."; | 77 DVLOG(2) << "Re-encryption unnecessary, encrypted data already matches."; |
| 85 return true; | 78 return true; |
| 86 } | 79 } |
| 87 } | 80 } |
| 88 | 81 |
| 89 encrypted->set_key_name(default_nigori_->first); | 82 encrypted->set_key_name(default_nigori_name_); |
| 90 if (!default_nigori_->second->Encrypt(serialized, | 83 if (!default_nigori->second->Encrypt(serialized, |
| 91 encrypted->mutable_blob())) { | 84 encrypted->mutable_blob())) { |
| 92 LOG(ERROR) << "Failed to encrypt data."; | 85 LOG(ERROR) << "Failed to encrypt data."; |
| 93 return false; | 86 return false; |
| 94 } | 87 } |
| 95 return true; | 88 return true; |
| 96 } | 89 } |
| 97 | 90 |
| 98 bool Cryptographer::Decrypt(const sync_pb::EncryptedData& encrypted, | 91 bool Cryptographer::Decrypt(const sync_pb::EncryptedData& encrypted, |
| 99 ::google::protobuf::MessageLite* message) const { | 92 ::google::protobuf::MessageLite* message) const { |
| 100 DCHECK(message); | 93 DCHECK(message); |
| 101 std::string plaintext = DecryptToString(encrypted); | 94 std::string plaintext = DecryptToString(encrypted); |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 140 | 133 |
| 141 bool Cryptographer::AddKey(const KeyParams& params) { | 134 bool Cryptographer::AddKey(const KeyParams& params) { |
| 142 // Create the new Nigori and make it the default encryptor. | 135 // Create the new Nigori and make it the default encryptor. |
| 143 scoped_ptr<Nigori> nigori(new Nigori); | 136 scoped_ptr<Nigori> nigori(new Nigori); |
| 144 if (!nigori->InitByDerivation(params.hostname, | 137 if (!nigori->InitByDerivation(params.hostname, |
| 145 params.username, | 138 params.username, |
| 146 params.password)) { | 139 params.password)) { |
| 147 NOTREACHED(); // Invalid username or password. | 140 NOTREACHED(); // Invalid username or password. |
| 148 return false; | 141 return false; |
| 149 } | 142 } |
| 150 return AddKeyImpl(nigori.release(), false); | 143 return AddKeyImpl(nigori.Pass()); |
| 151 } | 144 } |
| 152 | 145 |
| 153 bool Cryptographer::AddKeyFromBootstrapToken( | 146 bool Cryptographer::AddKeyFromBootstrapToken( |
| 154 const std::string restored_bootstrap_token) { | 147 const std::string restored_bootstrap_token) { |
| 155 // Create the new Nigori and make it the default encryptor. | 148 // Create the new Nigori and make it the default encryptor. |
| 156 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token)); | 149 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token)); |
| 157 if (!nigori.get()) | 150 if (!nigori.get()) |
| 158 return false; | 151 return false; |
| 159 return AddKeyImpl(nigori.release(), false); | 152 return AddKeyImpl(nigori.Pass()); |
| 160 } | 153 } |
| 161 | 154 |
| 162 bool Cryptographer::AddKeyImpl(Nigori* initialized_nigori, | 155 bool Cryptographer::AddKeyImpl(scoped_ptr<Nigori> initialized_nigori) { |
| 163 bool is_keystore_key) { | |
| 164 scoped_ptr<Nigori> nigori(initialized_nigori); | |
| 165 std::string name; | 156 std::string name; |
| 166 if (!nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) { | 157 if (!initialized_nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) { |
| 167 NOTREACHED(); | 158 NOTREACHED(); |
| 168 return false; | 159 return false; |
| 169 } | 160 } |
| 170 nigoris_[name] = make_linked_ptr(nigori.release()); | 161 nigoris_[name] = make_linked_ptr(initialized_nigori.release()); |
| 171 if (is_keystore_key) | 162 default_nigori_name_ = name; |
| 172 keystore_nigori_ = &*nigoris_.find(name); | |
| 173 else | |
| 174 default_nigori_ = &*nigoris_.find(name); | |
| 175 return true; | 163 return true; |
| 176 } | 164 } |
| 177 | 165 |
| 178 void Cryptographer::InstallKeys(const sync_pb::EncryptedData& encrypted) { | 166 void Cryptographer::InstallKeys(const sync_pb::EncryptedData& encrypted) { |
| 179 DCHECK(CanDecrypt(encrypted)); | 167 DCHECK(CanDecrypt(encrypted)); |
| 180 | 168 |
| 181 sync_pb::NigoriKeyBag bag; | 169 sync_pb::NigoriKeyBag bag; |
| 182 if (!Decrypt(encrypted, &bag)) | 170 if (!Decrypt(encrypted, &bag)) |
| 183 return; | 171 return; |
| 184 InstallKeyBag(bag); | 172 InstallKeyBag(bag); |
| 185 } | 173 } |
| 186 | 174 |
| 187 void Cryptographer::SetDefaultKey(const std::string& key_name) { | 175 void Cryptographer::SetDefaultKey(const std::string& key_name) { |
| 188 DCHECK(nigoris_.end() != nigoris_.find(key_name)); | 176 DCHECK(nigoris_.end() != nigoris_.find(key_name)); |
| 189 default_nigori_ = &*nigoris_.find(key_name); | 177 default_nigori_name_ = key_name; |
| 190 } | 178 } |
| 191 | 179 |
| 192 void Cryptographer::SetPendingKeys(const sync_pb::EncryptedData& encrypted) { | 180 void Cryptographer::SetPendingKeys(const sync_pb::EncryptedData& encrypted) { |
| 193 DCHECK(!CanDecrypt(encrypted)); | 181 DCHECK(!CanDecrypt(encrypted)); |
| 194 DCHECK(!encrypted.blob().empty()); | 182 DCHECK(!encrypted.blob().empty()); |
| 195 pending_keys_.reset(new sync_pb::EncryptedData(encrypted)); | 183 pending_keys_.reset(new sync_pb::EncryptedData(encrypted)); |
| 196 } | 184 } |
| 197 | 185 |
| 198 const sync_pb::EncryptedData& Cryptographer::GetPendingKeys() const { | 186 const sync_pb::EncryptedData& Cryptographer::GetPendingKeys() const { |
| 199 DCHECK(has_pending_keys()); | 187 DCHECK(has_pending_keys()); |
| (...skipping 13 matching lines...) Expand all Loading... |
| 213 if (!nigori.Decrypt(pending_keys_->blob(), &plaintext)) | 201 if (!nigori.Decrypt(pending_keys_->blob(), &plaintext)) |
| 214 return false; | 202 return false; |
| 215 | 203 |
| 216 sync_pb::NigoriKeyBag bag; | 204 sync_pb::NigoriKeyBag bag; |
| 217 if (!bag.ParseFromString(plaintext)) { | 205 if (!bag.ParseFromString(plaintext)) { |
| 218 NOTREACHED(); | 206 NOTREACHED(); |
| 219 return false; | 207 return false; |
| 220 } | 208 } |
| 221 InstallKeyBag(bag); | 209 InstallKeyBag(bag); |
| 222 const std::string& new_default_key_name = pending_keys_->key_name(); | 210 const std::string& new_default_key_name = pending_keys_->key_name(); |
| 223 DCHECK(nigoris_.end() != nigoris_.find(new_default_key_name)); | 211 SetDefaultKey(new_default_key_name); |
| 224 default_nigori_ = &*nigoris_.find(new_default_key_name); | |
| 225 pending_keys_.reset(); | 212 pending_keys_.reset(); |
| 226 return true; | 213 return true; |
| 227 } | 214 } |
| 228 | 215 |
| 229 bool Cryptographer::GetBootstrapToken(std::string* token) const { | 216 bool Cryptographer::GetBootstrapToken(std::string* token) const { |
| 230 DCHECK(token); | 217 DCHECK(token); |
| 231 if (!is_initialized()) | 218 if (!is_initialized()) |
| 232 return false; | 219 return false; |
| 233 | 220 |
| 234 return PackBootstrapToken(default_nigori_->second.get(), token); | 221 NigoriMap::const_iterator default_nigori = |
| 235 } | 222 nigoris_.find(default_nigori_name_); |
| 236 | 223 if (default_nigori == nigoris_.end()) |
| 237 bool Cryptographer::GetKeystoreKeyBootstrapToken( | |
| 238 std::string* token) const { | |
| 239 DCHECK(token); | |
| 240 if (!HasKeystoreKey()) | |
| 241 return false; | 224 return false; |
| 242 | 225 return PackBootstrapToken(default_nigori->second.get(), token); |
| 243 return PackBootstrapToken(keystore_nigori_->second.get(), token); | |
| 244 } | 226 } |
| 245 | 227 |
| 246 bool Cryptographer::PackBootstrapToken(const Nigori* nigori, | 228 bool Cryptographer::PackBootstrapToken(const Nigori* nigori, |
| 247 std::string* pack_into) const { | 229 std::string* pack_into) const { |
| 248 DCHECK(pack_into); | 230 DCHECK(pack_into); |
| 249 DCHECK(nigori); | 231 DCHECK(nigori); |
| 250 | 232 |
| 251 sync_pb::NigoriKey key; | 233 sync_pb::NigoriKey key; |
| 252 if (!nigori->ExportKeys(key.mutable_user_key(), | 234 if (!nigori->ExportKeys(key.mutable_user_key(), |
| 253 key.mutable_encryption_key(), | 235 key.mutable_encryption_key(), |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 300 scoped_ptr<Nigori> nigori(new Nigori); | 282 scoped_ptr<Nigori> nigori(new Nigori); |
| 301 if (!nigori->InitByImport(key.user_key(), key.encryption_key(), | 283 if (!nigori->InitByImport(key.user_key(), key.encryption_key(), |
| 302 key.mac_key())) { | 284 key.mac_key())) { |
| 303 NOTREACHED(); | 285 NOTREACHED(); |
| 304 return NULL; | 286 return NULL; |
| 305 } | 287 } |
| 306 | 288 |
| 307 return nigori.release(); | 289 return nigori.release(); |
| 308 } | 290 } |
| 309 | 291 |
| 310 bool Cryptographer::SetKeystoreKey(const std::string& keystore_key) { | |
| 311 if (keystore_key.empty()) | |
| 312 return false; | |
| 313 KeyParams params = {"localhost", "dummy", keystore_key}; | |
| 314 | |
| 315 // Create the new Nigori and make it the default keystore encryptor. | |
| 316 scoped_ptr<Nigori> nigori(new Nigori); | |
| 317 if (!nigori->InitByDerivation(params.hostname, | |
| 318 params.username, | |
| 319 params.password)) { | |
| 320 NOTREACHED(); // Invalid username or password. | |
| 321 return false; | |
| 322 } | |
| 323 | |
| 324 return AddKeyImpl(nigori.release(), true); | |
| 325 } | |
| 326 | |
| 327 bool Cryptographer::HasKeystoreKey() const { | |
| 328 return keystore_nigori_ != NULL; | |
| 329 } | |
| 330 | |
| 331 void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) { | 292 void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) { |
| 332 int key_size = bag.key_size(); | 293 int key_size = bag.key_size(); |
| 333 for (int i = 0; i < key_size; ++i) { | 294 for (int i = 0; i < key_size; ++i) { |
| 334 const sync_pb::NigoriKey key = bag.key(i); | 295 const sync_pb::NigoriKey key = bag.key(i); |
| 335 // Only use this key if we don't already know about it. | 296 // Only use this key if we don't already know about it. |
| 336 if (nigoris_.end() == nigoris_.find(key.name())) { | 297 if (nigoris_.end() == nigoris_.find(key.name())) { |
| 337 scoped_ptr<Nigori> new_nigori(new Nigori); | 298 scoped_ptr<Nigori> new_nigori(new Nigori); |
| 338 if (!new_nigori->InitByImport(key.user_key(), | 299 if (!new_nigori->InitByImport(key.user_key(), |
| 339 key.encryption_key(), | 300 key.encryption_key(), |
| 340 key.mac_key())) { | 301 key.mac_key())) { |
| 341 NOTREACHED(); | 302 NOTREACHED(); |
| 342 continue; | 303 continue; |
| 343 } | 304 } |
| 344 nigoris_[key.name()] = make_linked_ptr(new_nigori.release()); | 305 nigoris_[key.name()] = make_linked_ptr(new_nigori.release()); |
| 345 } | 306 } |
| 346 } | 307 } |
| 347 } | 308 } |
| 348 | 309 |
| 349 } // namespace syncer | 310 } // namespace syncer |
| OLD | NEW |