diff options
Diffstat (limited to 'chromium/sync/util/cryptographer.cc')
-rw-r--r-- | chromium/sync/util/cryptographer.cc | 361 |
1 files changed, 0 insertions, 361 deletions
diff --git a/chromium/sync/util/cryptographer.cc b/chromium/sync/util/cryptographer.cc deleted file mode 100644 index 29f378125a7..00000000000 --- a/chromium/sync/util/cryptographer.cc +++ /dev/null @@ -1,361 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "sync/util/cryptographer.h" - -#include <algorithm> - -#include "base/base64.h" -#include "base/basictypes.h" -#include "base/logging.h" -#include "sync/protocol/nigori_specifics.pb.h" -#include "sync/util/encryptor.h" - -namespace syncer { - -const char kNigoriTag[] = "google_chrome_nigori"; - -// We name a particular Nigori instance (ie. a triplet consisting of a hostname, -// a username, and a password) by calling Permute on this string. Since the -// output of Permute is always the same for a given triplet, clients will always -// assign the same name to a particular triplet. -const char kNigoriKeyName[] = "nigori-key"; - -Cryptographer::Cryptographer(Encryptor* encryptor) - : encryptor_(encryptor) { - DCHECK(encryptor); -} - -Cryptographer::~Cryptographer() {} - - -void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) { - if (is_initialized()) { - NOTREACHED(); - return; - } - - std::string serialized_nigori_key = - UnpackBootstrapToken(restored_bootstrap_token); - if (serialized_nigori_key.empty()) - return; - ImportNigoriKey(serialized_nigori_key); -} - -bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const { - return nigoris_.end() != nigoris_.find(data.key_name()); -} - -bool Cryptographer::CanDecryptUsingDefaultKey( - const sync_pb::EncryptedData& data) const { - return !default_nigori_name_.empty() && - data.key_name() == default_nigori_name_; -} - -bool Cryptographer::Encrypt( - const ::google::protobuf::MessageLite& message, - sync_pb::EncryptedData* encrypted) const { - DCHECK(encrypted); - if (default_nigori_name_.empty()) { - LOG(ERROR) << "Cryptographer not ready, failed to encrypt."; - return false; - } - - std::string serialized; - if (!message.SerializeToString(&serialized)) { - LOG(ERROR) << "Message is invalid/missing a required field."; - return false; - } - - return EncryptString(serialized, encrypted); -} - -bool Cryptographer::EncryptString( - const std::string& serialized, - sync_pb::EncryptedData* encrypted) const { - if (CanDecryptUsingDefaultKey(*encrypted)) { - const std::string& original_serialized = DecryptToString(*encrypted); - if (original_serialized == serialized) { - DVLOG(2) << "Re-encryption unnecessary, encrypted data already matches."; - return true; - } - } - - NigoriMap::const_iterator default_nigori = - nigoris_.find(default_nigori_name_); - if (default_nigori == nigoris_.end()) { - LOG(ERROR) << "Corrupt default key."; - return false; - } - - encrypted->set_key_name(default_nigori_name_); - if (!default_nigori->second->Encrypt(serialized, - encrypted->mutable_blob())) { - LOG(ERROR) << "Failed to encrypt data."; - return false; - } - return true; -} - -bool Cryptographer::Decrypt(const sync_pb::EncryptedData& encrypted, - ::google::protobuf::MessageLite* message) const { - DCHECK(message); - std::string plaintext = DecryptToString(encrypted); - return message->ParseFromString(plaintext); -} - -std::string Cryptographer::DecryptToString( - const sync_pb::EncryptedData& encrypted) const { - NigoriMap::const_iterator it = nigoris_.find(encrypted.key_name()); - if (nigoris_.end() == it) { - NOTREACHED() << "Cannot decrypt message"; - return std::string(); // Caller should have called CanDecrypt(encrypt). - } - - std::string plaintext; - if (!it->second->Decrypt(encrypted.blob(), &plaintext)) { - return std::string(); - } - - return plaintext; -} - -bool Cryptographer::GetKeys(sync_pb::EncryptedData* encrypted) const { - DCHECK(encrypted); - DCHECK(!nigoris_.empty()); - - // Create a bag of all the Nigori parameters we know about. - sync_pb::NigoriKeyBag bag; - for (NigoriMap::const_iterator it = nigoris_.begin(); it != nigoris_.end(); - ++it) { - const Nigori& nigori = *it->second; - sync_pb::NigoriKey* key = bag.add_key(); - key->set_name(it->first); - nigori.ExportKeys(key->mutable_user_key(), - key->mutable_encryption_key(), - key->mutable_mac_key()); - } - - // Encrypt the bag with the default Nigori. - return Encrypt(bag, encrypted); -} - -bool Cryptographer::AddKey(const KeyParams& params) { - // Create the new Nigori and make it the default encryptor. - scoped_ptr<Nigori> nigori(new Nigori); - if (!nigori->InitByDerivation(params.hostname, - params.username, - params.password)) { - NOTREACHED(); // Invalid username or password. - return false; - } - return AddKeyImpl(nigori.Pass(), true); -} - -bool Cryptographer::AddNonDefaultKey(const KeyParams& params) { - DCHECK(is_initialized()); - // Create the new Nigori and add it to the keybag. - scoped_ptr<Nigori> nigori(new Nigori); - if (!nigori->InitByDerivation(params.hostname, - params.username, - params.password)) { - NOTREACHED(); // Invalid username or password. - return false; - } - return AddKeyImpl(nigori.Pass(), false); -} - -bool Cryptographer::AddKeyFromBootstrapToken( - const std::string restored_bootstrap_token) { - // Create the new Nigori and make it the default encryptor. - std::string serialized_nigori_key = UnpackBootstrapToken( - restored_bootstrap_token); - return ImportNigoriKey(serialized_nigori_key); -} - -bool Cryptographer::AddKeyImpl(scoped_ptr<Nigori> initialized_nigori, - bool set_as_default) { - std::string name; - if (!initialized_nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) { - NOTREACHED(); - return false; - } - - nigoris_[name] = make_linked_ptr(initialized_nigori.release()); - - // Check if the key we just added can decrypt the pending keys and add them - // too if so. - if (pending_keys_.get() && CanDecrypt(*pending_keys_)) { - sync_pb::NigoriKeyBag pending_bag; - Decrypt(*pending_keys_, &pending_bag); - InstallKeyBag(pending_bag); - SetDefaultKey(pending_keys_->key_name()); - pending_keys_.reset(); - } - - // The just-added key takes priority over the pending keys as default. - if (set_as_default) SetDefaultKey(name); - return true; -} - -void Cryptographer::InstallKeys(const sync_pb::EncryptedData& encrypted) { - DCHECK(CanDecrypt(encrypted)); - - sync_pb::NigoriKeyBag bag; - if (!Decrypt(encrypted, &bag)) - return; - InstallKeyBag(bag); -} - -void Cryptographer::SetDefaultKey(const std::string& key_name) { - DCHECK(nigoris_.end() != nigoris_.find(key_name)); - default_nigori_name_ = key_name; -} - -void Cryptographer::SetPendingKeys(const sync_pb::EncryptedData& encrypted) { - DCHECK(!CanDecrypt(encrypted)); - DCHECK(!encrypted.blob().empty()); - pending_keys_.reset(new sync_pb::EncryptedData(encrypted)); -} - -const sync_pb::EncryptedData& Cryptographer::GetPendingKeys() const { - DCHECK(has_pending_keys()); - return *(pending_keys_.get()); -} - -bool Cryptographer::DecryptPendingKeys(const KeyParams& params) { - Nigori nigori; - if (!nigori.InitByDerivation(params.hostname, - params.username, - params.password)) { - NOTREACHED(); - return false; - } - - std::string plaintext; - if (!nigori.Decrypt(pending_keys_->blob(), &plaintext)) - return false; - - sync_pb::NigoriKeyBag bag; - if (!bag.ParseFromString(plaintext)) { - NOTREACHED(); - return false; - } - InstallKeyBag(bag); - const std::string& new_default_key_name = pending_keys_->key_name(); - SetDefaultKey(new_default_key_name); - pending_keys_.reset(); - return true; -} - -bool Cryptographer::GetBootstrapToken(std::string* token) const { - DCHECK(token); - std::string unencrypted_token = GetDefaultNigoriKey(); - if (unencrypted_token.empty()) - return false; - - std::string encrypted_token; - if (!encryptor_->EncryptString(unencrypted_token, &encrypted_token)) { - NOTREACHED(); - return false; - } - - base::Base64Encode(encrypted_token, token); - - return true; -} - -std::string Cryptographer::UnpackBootstrapToken( - const std::string& token) const { - if (token.empty()) - return std::string(); - - std::string encrypted_data; - if (!base::Base64Decode(token, &encrypted_data)) { - DLOG(WARNING) << "Could not decode token."; - return std::string(); - } - - std::string unencrypted_token; - if (!encryptor_->DecryptString(encrypted_data, &unencrypted_token)) { - DLOG(WARNING) << "Decryption of bootstrap token failed."; - return std::string(); - } - return unencrypted_token; -} - -void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) { - int key_size = bag.key_size(); - for (int i = 0; i < key_size; ++i) { - const sync_pb::NigoriKey key = bag.key(i); - // Only use this key if we don't already know about it. - if (nigoris_.end() == nigoris_.find(key.name())) { - scoped_ptr<Nigori> new_nigori(new Nigori); - if (!new_nigori->InitByImport(key.user_key(), - key.encryption_key(), - key.mac_key())) { - NOTREACHED(); - continue; - } - nigoris_[key.name()] = make_linked_ptr(new_nigori.release()); - } - } -} - -bool Cryptographer::KeybagIsStale( - const sync_pb::EncryptedData& encrypted_bag) const { - if (!is_ready()) - return false; - if (encrypted_bag.blob().empty()) - return true; - if (!CanDecrypt(encrypted_bag)) - return false; - if (!CanDecryptUsingDefaultKey(encrypted_bag)) - return true; - sync_pb::NigoriKeyBag bag; - if (!Decrypt(encrypted_bag, &bag)) { - LOG(ERROR) << "Failed to decrypt keybag for stale check. " - << "Assuming keybag is corrupted."; - return true; - } - if (static_cast<size_t>(bag.key_size()) < nigoris_.size()) - return true; - return false; -} - -std::string Cryptographer::GetDefaultNigoriKey() const { - if (!is_initialized()) - return std::string(); - NigoriMap::const_iterator iter = nigoris_.find(default_nigori_name_); - if (iter == nigoris_.end()) - return std::string(); - sync_pb::NigoriKey key; - if (!iter->second->ExportKeys(key.mutable_user_key(), - key.mutable_encryption_key(), - key.mutable_mac_key())) - return std::string(); - return key.SerializeAsString(); -} - -bool Cryptographer::ImportNigoriKey(const std::string serialized_nigori_key) { - if (serialized_nigori_key.empty()) - return false; - - sync_pb::NigoriKey key; - if (!key.ParseFromString(serialized_nigori_key)) - return false; - - scoped_ptr<Nigori> nigori(new Nigori); - if (!nigori->InitByImport(key.user_key(), key.encryption_key(), - key.mac_key())) { - NOTREACHED(); - return false; - } - - if (!AddKeyImpl(nigori.Pass(), true)) - return false; - return true; -} - -} // namespace syncer |