| Index: sync/util/cryptographer.cc
|
| diff --git a/sync/util/cryptographer.cc b/sync/util/cryptographer.cc
|
| index 202480dd112c5c3c5650f64a4afdadd5ef86ecf6..61b5e6328e128999a523c4d43861d878955ab977 100644
|
| --- a/sync/util/cryptographer.cc
|
| +++ b/sync/util/cryptographer.cc
|
| @@ -7,6 +7,7 @@
|
| #include <algorithm>
|
|
|
| #include "base/base64.h"
|
| +#include "base/basictypes.h"
|
| #include "base/logging.h"
|
| #include "sync/protocol/nigori_specifics.pb.h"
|
| #include "sync/util/encryptor.h"
|
| @@ -35,9 +36,11 @@ void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) {
|
| return;
|
| }
|
|
|
| - scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
|
| - if (nigori.get())
|
| - AddKeyImpl(nigori.Pass());
|
| + std::string serialized_nigori_key =
|
| + UnpackBootstrapToken(restored_bootstrap_token);
|
| + if (serialized_nigori_key.empty())
|
| + return;
|
| + ImportNigoriKey(serialized_nigori_key);
|
| }
|
|
|
| bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const {
|
| @@ -58,12 +61,6 @@ bool Cryptographer::Encrypt(
|
| LOG(ERROR) << "Cryptographer not ready, failed to encrypt.";
|
| return false;
|
| }
|
| - NigoriMap::const_iterator default_nigori =
|
| - nigoris_.find(default_nigori_name_);
|
| - if (default_nigori == nigoris_.end()) {
|
| - LOG(ERROR) << "Corrupt default key.";
|
| - return false;
|
| - }
|
|
|
| std::string serialized;
|
| if (!message.SerializeToString(&serialized)) {
|
| @@ -71,6 +68,12 @@ bool Cryptographer::Encrypt(
|
| return false;
|
| }
|
|
|
| + return EncryptString(serialized, encrypted);
|
| +}
|
| +
|
| +bool Cryptographer::EncryptString(
|
| + const std::string& serialized,
|
| + sync_pb::EncryptedData* encrypted) const {
|
| if (CanDecryptUsingDefaultKey(*encrypted)) {
|
| const std::string& original_serialized = DecryptToString(*encrypted);
|
| if (original_serialized == serialized) {
|
| @@ -79,6 +82,13 @@ bool Cryptographer::Encrypt(
|
| }
|
| }
|
|
|
| + NigoriMap::const_iterator default_nigori =
|
| + nigoris_.find(default_nigori_name_);
|
| + if (default_nigori == nigoris_.end()) {
|
| + LOG(ERROR) << "Corrupt default key.";
|
| + return false;
|
| + }
|
| +
|
| encrypted->set_key_name(default_nigori_name_);
|
| if (!default_nigori->second->Encrypt(serialized,
|
| encrypted->mutable_blob())) {
|
| @@ -140,26 +150,52 @@ bool Cryptographer::AddKey(const KeyParams& params) {
|
| NOTREACHED(); // Invalid username or password.
|
| return false;
|
| }
|
| - return AddKeyImpl(nigori.Pass());
|
| + return AddKeyImpl(nigori.Pass(), true);
|
| +}
|
| +
|
| +bool Cryptographer::AddNonDefaultKey(const KeyParams& params) {
|
| + DCHECK(is_initialized());
|
| + // Create the new Nigori and add it to the keybag.
|
| + scoped_ptr<Nigori> nigori(new Nigori);
|
| + if (!nigori->InitByDerivation(params.hostname,
|
| + params.username,
|
| + params.password)) {
|
| + NOTREACHED(); // Invalid username or password.
|
| + return false;
|
| + }
|
| + return AddKeyImpl(nigori.Pass(), false);
|
| }
|
|
|
| bool Cryptographer::AddKeyFromBootstrapToken(
|
| const std::string restored_bootstrap_token) {
|
| // Create the new Nigori and make it the default encryptor.
|
| - scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
|
| - if (!nigori.get())
|
| - return false;
|
| - return AddKeyImpl(nigori.Pass());
|
| + std::string serialized_nigori_key = UnpackBootstrapToken(
|
| + restored_bootstrap_token);
|
| + return ImportNigoriKey(serialized_nigori_key);
|
| }
|
|
|
| -bool Cryptographer::AddKeyImpl(scoped_ptr<Nigori> initialized_nigori) {
|
| +bool Cryptographer::AddKeyImpl(scoped_ptr<Nigori> initialized_nigori,
|
| + bool set_as_default) {
|
| std::string name;
|
| if (!initialized_nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) {
|
| NOTREACHED();
|
| return false;
|
| }
|
| +
|
| nigoris_[name] = make_linked_ptr(initialized_nigori.release());
|
| - default_nigori_name_ = name;
|
| +
|
| + // Check if the key we just added can decrypt the pending keys and add them
|
| + // too if so.
|
| + if (pending_keys_.get() && CanDecrypt(*pending_keys_)) {
|
| + sync_pb::NigoriKeyBag pending_bag;
|
| + Decrypt(*pending_keys_, &pending_bag);
|
| + InstallKeyBag(pending_bag);
|
| + SetDefaultKey(pending_keys_->key_name());
|
| + pending_keys_.reset();
|
| + }
|
| +
|
| + // The just-added key takes priority over the pending keys as default.
|
| + if (set_as_default) SetDefaultKey(name);
|
| return true;
|
| }
|
|
|
| @@ -215,34 +251,9 @@ bool Cryptographer::DecryptPendingKeys(const KeyParams& params) {
|
|
|
| bool Cryptographer::GetBootstrapToken(std::string* token) const {
|
| DCHECK(token);
|
| - if (!is_initialized())
|
| - return false;
|
| -
|
| - NigoriMap::const_iterator default_nigori =
|
| - nigoris_.find(default_nigori_name_);
|
| - if (default_nigori == nigoris_.end())
|
| - return false;
|
| - return PackBootstrapToken(default_nigori->second.get(), token);
|
| -}
|
| -
|
| -bool Cryptographer::PackBootstrapToken(const Nigori* nigori,
|
| - std::string* pack_into) const {
|
| - DCHECK(pack_into);
|
| - DCHECK(nigori);
|
| -
|
| - sync_pb::NigoriKey key;
|
| - if (!nigori->ExportKeys(key.mutable_user_key(),
|
| - key.mutable_encryption_key(),
|
| - key.mutable_mac_key())) {
|
| - NOTREACHED();
|
| + std::string unencrypted_token = GetDefaultNigoriKey();
|
| + if (unencrypted_token.empty())
|
| return false;
|
| - }
|
| -
|
| - std::string unencrypted_token;
|
| - if (!key.SerializeToString(&unencrypted_token)) {
|
| - NOTREACHED();
|
| - return false;
|
| - }
|
|
|
| std::string encrypted_token;
|
| if (!encryptor_->EncryptString(unencrypted_token, &encrypted_token)) {
|
| @@ -250,43 +261,30 @@ bool Cryptographer::PackBootstrapToken(const Nigori* nigori,
|
| return false;
|
| }
|
|
|
| - if (!base::Base64Encode(encrypted_token, pack_into)) {
|
| + if (!base::Base64Encode(encrypted_token, token)) {
|
| NOTREACHED();
|
| return false;
|
| }
|
| return true;
|
| }
|
|
|
| -Nigori* Cryptographer::UnpackBootstrapToken(const std::string& token) const {
|
| +std::string Cryptographer::UnpackBootstrapToken(
|
| + const std::string& token) const {
|
| if (token.empty())
|
| - return NULL;
|
| + return "";
|
|
|
| std::string encrypted_data;
|
| if (!base::Base64Decode(token, &encrypted_data)) {
|
| DLOG(WARNING) << "Could not decode token.";
|
| - return NULL;
|
| + return "";
|
| }
|
|
|
| std::string unencrypted_token;
|
| if (!encryptor_->DecryptString(encrypted_data, &unencrypted_token)) {
|
| DLOG(WARNING) << "Decryption of bootstrap token failed.";
|
| - return NULL;
|
| + return "";
|
| }
|
| -
|
| - sync_pb::NigoriKey key;
|
| - if (!key.ParseFromString(unencrypted_token)) {
|
| - DLOG(WARNING) << "Parsing of bootstrap token failed.";
|
| - return NULL;
|
| - }
|
| -
|
| - scoped_ptr<Nigori> nigori(new Nigori);
|
| - if (!nigori->InitByImport(key.user_key(), key.encryption_key(),
|
| - key.mac_key())) {
|
| - NOTREACHED();
|
| - return NULL;
|
| - }
|
| -
|
| - return nigori.release();
|
| + return unencrypted_token;
|
| }
|
|
|
| void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) {
|
| @@ -307,4 +305,59 @@ void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) {
|
| }
|
| }
|
|
|
| +bool Cryptographer::KeybagIsStale(
|
| + const sync_pb::EncryptedData& encrypted_bag) const {
|
| + if (!is_ready())
|
| + return false;
|
| + if (encrypted_bag.blob().empty())
|
| + return true;
|
| + if (!CanDecrypt(encrypted_bag))
|
| + return false;
|
| + if (!CanDecryptUsingDefaultKey(encrypted_bag))
|
| + return true;
|
| + sync_pb::NigoriKeyBag bag;
|
| + if (!Decrypt(encrypted_bag, &bag)) {
|
| + LOG(ERROR) << "Failed to decrypt keybag for stale check. "
|
| + << "Assuming keybag is corrupted.";
|
| + return true;
|
| + }
|
| + if (static_cast<size_t>(bag.key_size()) < nigoris_.size())
|
| + return true;
|
| + return false;
|
| +}
|
| +
|
| +std::string Cryptographer::GetDefaultNigoriKey() const {
|
| + if (!is_initialized())
|
| + return "";
|
| + NigoriMap::const_iterator iter = nigoris_.find(default_nigori_name_);
|
| + if (iter == nigoris_.end())
|
| + return "";
|
| + sync_pb::NigoriKey key;
|
| + if (!iter->second->ExportKeys(key.mutable_user_key(),
|
| + key.mutable_encryption_key(),
|
| + key.mutable_mac_key()))
|
| + return "";
|
| + return key.SerializeAsString();
|
| +}
|
| +
|
| +bool Cryptographer::ImportNigoriKey(const std::string serialized_nigori_key) {
|
| + if (serialized_nigori_key.empty())
|
| + return false;
|
| +
|
| + sync_pb::NigoriKey key;
|
| + if (!key.ParseFromString(serialized_nigori_key))
|
| + return false;
|
| +
|
| + scoped_ptr<Nigori> nigori(new Nigori);
|
| + if (!nigori->InitByImport(key.user_key(), key.encryption_key(),
|
| + key.mac_key())) {
|
| + NOTREACHED();
|
| + return false;
|
| + }
|
| +
|
| + if (!AddKeyImpl(nigori.Pass(), true))
|
| + return false;
|
| + return true;
|
| +}
|
| +
|
| } // namespace syncer
|
|
|