Thread-safe version of PassphraseType.

components/sync/core_impl/sync_encryption_handler_impl.cc

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/sync/core_impl/sync_encryption_handler_impl.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <memory>
@@ skipping 177 matching lines @@
   }
   old_keystore_keys->resize(number_of_keystore_keys - 1);
   for (int i = 0; i < number_of_keystore_keys - 1; ++i)
     internal_list_value->GetString(i, &(*old_keystore_keys)[i]);
   return true;
 }
 
 }  // namespace
 
 SyncEncryptionHandlerImpl::Vault::Vault(Encryptor* encryptor,
-                                        ModelTypeSet encrypted_types)
-    : cryptographer(encryptor), encrypted_types(encrypted_types) {}
+                                        ModelTypeSet encrypted_types,
+                                        PassphraseType passphrase_type)
+    : cryptographer(encryptor),
+      encrypted_types(encrypted_types),
+      passphrase_type(passphrase_type) {}
 
 SyncEncryptionHandlerImpl::Vault::~Vault() {}
 
 SyncEncryptionHandlerImpl::SyncEncryptionHandlerImpl(
     UserShare* user_share,
     Encryptor* encryptor,
     const std::string& restored_key_for_bootstrapping,
     const std::string& restored_keystore_key_for_bootstrapping)
     : user_share_(user_share),
-      vault_unsafe_(encryptor, SensitiveTypes()),
+      vault_unsafe_(encryptor,
+                    SensitiveTypes(),
+                    PassphraseType::IMPLICIT_PASSPHRASE),
       encrypt_everything_(false),
-      passphrase_type_(PassphraseType::IMPLICIT_PASSPHRASE),
       nigori_overwrite_count_(0),
       weak_ptr_factory_(this) {
   // Restore the cryptographer's previous keys. Note that we don't add the
   // keystore keys into the cryptographer here, in case a migration was pending.
   vault_unsafe_.cryptographer.Bootstrap(restored_key_for_bootstrapping);
 
   // If this fails, we won't have a valid keystore key, and will simply request
   // new ones from the server on the next DownloadUpdates.
   UnpackKeystoreBootstrapToken(restored_keystore_key_for_bootstrapping,
                                encryptor, &old_keystore_keys_, &keystore_key_);
@@ skipping 19 matching lines @@
   WriteNode node(&trans);
 
   if (node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK)
     return;
   if (!ApplyNigoriUpdateImpl(node.GetNigoriSpecifics(),
                              trans.GetWrappedTrans())) {
     WriteEncryptionStateToNigori(&trans);
   }
 
   UMA_HISTOGRAM_ENUMERATION(
-      "Sync.PassphraseType", static_cast<unsigned>(GetPassphraseType()),
+      "Sync.PassphraseType",
+      static_cast<unsigned>(GetPassphraseType(trans.GetWrappedTrans())),
       static_cast<unsigned>(PassphraseType::PASSPHRASE_TYPE_SIZE));
 
   bool has_pending_keys =
       UnlockVault(trans.GetWrappedTrans()).cryptographer.has_pending_keys();
   bool is_ready = UnlockVault(trans.GetWrappedTrans()).cryptographer.is_ready();
   // Log the state of the cryptographer regardless of migration state.
   UMA_HISTOGRAM_BOOLEAN("Sync.CryptographerReady", is_ready);
   UMA_HISTOGRAM_BOOLEAN("Sync.CryptographerPendingKeys", has_pending_keys);
   if (IsNigoriMigratedToKeystore(node.GetNigoriSpecifics())) {
     // This account has a nigori node that has been migrated to support
     // keystore.
     UMA_HISTOGRAM_ENUMERATION("Sync.NigoriMigrationState", MIGRATED,
                               MIGRATION_STATE_SIZE);
     if (has_pending_keys &&
-        passphrase_type_ == PassphraseType::KEYSTORE_PASSPHRASE) {
+        GetPassphraseType(trans.GetWrappedTrans()) ==
+            PassphraseType::KEYSTORE_PASSPHRASE) {
       // If this is happening, it means the keystore decryptor is either
       // undecryptable with the available keystore keys or does not match the
       // nigori keybag's encryption key. Otherwise we're simply missing the
       // keystore key.
       UMA_HISTOGRAM_BOOLEAN("Sync.KeystoreDecryptionFailed",
                             !keystore_key_.empty());
     }
   } else if (!is_ready) {
     // Migration cannot occur until the cryptographer is ready (initialized
     // with GAIA password and any pending keys resolved).
@@ skipping 75 matching lines @@
     // logged as true.
     UMA_HISTOGRAM_BOOLEAN("Sync.CustomEncryption", true);
     return;
   }
 
   std::string bootstrap_token;
   sync_pb::EncryptedData pending_keys;
   if (cryptographer->has_pending_keys())
     pending_keys = cryptographer->GetPendingKeys();
   bool success = false;
-
+  PassphraseType* passphrase_type =
+      &UnlockVaultMutable(trans.GetWrappedTrans())->passphrase_type;
   // There are six cases to handle here:
   // 1. The user has no pending keys and is setting their current GAIA password
   //    as the encryption passphrase. This happens either during first time sync
   //    with a clean profile, or after re-authenticating on a profile that was
   //    already signed in with the cryptographer ready.
   // 2. The user has no pending keys, and is overwriting an (already provided)
   //    implicit passphrase with an explicit (custom) passphrase.
   // 3. The user has pending keys for an explicit passphrase that is somehow set
   //    to their current GAIA passphrase.
   // 4. The user has pending keys encrypted with their current GAIA passphrase
   //    and the caller passes in the current GAIA passphrase.
   // 5. The user has pending keys encrypted with an older GAIA passphrase
   //    and the caller passes in the current GAIA passphrase.
   // 6. The user has previously done encryption with an explicit passphrase.
   // Furthermore, we enforce the fact that the bootstrap encryption token will
   // always be derived from the newest GAIA password if the account is using
   // an implicit passphrase (even if the data is encrypted with an old GAIA
   // password). If the account is using an explicit (custom) passphrase, the
   // bootstrap token will be derived from the most recently provided explicit
   // passphrase (that was able to decrypt the data).
-  if (!IsExplicitPassphrase(passphrase_type_)) {
+  if (!IsExplicitPassphrase(*passphrase_type)) {
     if (!cryptographer->has_pending_keys()) {
       if (cryptographer->AddKey(key_params)) {
         // Case 1 and 2. We set a new GAIA passphrase when there are no pending
         // keys (1), or overwriting an implicit passphrase with a new explicit
         // one (2) when there are no pending keys.
         if (is_explicit) {
           DVLOG(1) << "Setting explicit passphrase for encryption.";
-          passphrase_type_ = PassphraseType::CUSTOM_PASSPHRASE;
+          *passphrase_type = PassphraseType::CUSTOM_PASSPHRASE;
           custom_passphrase_time_ = base::Time::Now();
           FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
                             OnPassphraseTypeChanged(
-                                passphrase_type_, GetExplicitPassphraseTime()));
+                                *passphrase_type,
+                                GetExplicitPassphraseTime(*passphrase_type)));
         } else {
           DVLOG(1) << "Setting implicit passphrase for encryption.";
         }
         cryptographer->GetBootstrapToken(&bootstrap_token);
 
         // With M26, sync accounts can be in only one of two encryption states:
         // 1) Encrypt only passwords with an implicit passphrase.
         // 2) Encrypt all sync datatypes with an explicit passphrase.
         // We deprecate the "EncryptAllData" and "CustomPassphrase" histograms,
         // and keep track of an account's encryption state via the
@@ skipping 33 matching lines @@
           temp_cryptographer.GetBootstrapToken(&bootstrap_token);
           // We then set the new passphrase as the default passphrase of the
           // real cryptographer, even though we have pending keys. This is safe,
           // as although Cryptographer::is_initialized() will now be true,
           // is_ready() will remain false due to having pending keys.
           cryptographer->AddKey(key_params);
           success = false;
         }
       }     // is_explicit
     }       // cryptographer->has_pending_keys()
-  } else {  // IsExplicitPassphrase(passphrase_type_) == true.
+  } else {  // IsExplicitPassphrase(passphrase_type) == true.
     // Case 6. We do not want to override a previously set explicit passphrase,
     // so we return a failure.
     DVLOG(1) << "Failing because an explicit passphrase is already set.";
     success = false;
   }
 
   DVLOG_IF(1, !success)
       << "Failure in SetEncryptionPassphrase; notifying and returning.";
   DVLOG_IF(1, success)
       << "Successfully set encryption passphrase; updating nigori and "
@@ skipping 19 matching lines @@
     NOTREACHED();
     return;
   }
 
   // Once we've migrated to keystore, we're only ever decrypting keys derived
   // from an explicit passphrase. But, for clients without a keystore key yet
   // (either not on by default or failed to download one), we still support
   // decrypting with a gaia passphrase, and therefore bypass the
   // DecryptPendingKeysWithExplicitPassphrase logic.
   if (IsNigoriMigratedToKeystore(node.GetNigoriSpecifics()) &&
-      IsExplicitPassphrase(passphrase_type_)) {
+      IsExplicitPassphrase(GetPassphraseType(trans.GetWrappedTrans()))) {
     DecryptPendingKeysWithExplicitPassphrase(passphrase, &trans, &node);
     return;
   }
 
   Cryptographer* cryptographer =
       &UnlockVaultMutable(trans.GetWrappedTrans())->cryptographer;
   if (!cryptographer->has_pending_keys()) {
     // Note that this *can* happen in a rare situation where data is
     // re-encrypted on another client while a SetDecryptionPassphrase() call is
     // in-flight on this client. It is rare enough that we choose to do nothing.
@@ skipping 13 matching lines @@
   //    passphrase, where the data is already encrypted with the newest GAIA
   //    password.
   // 8. The user is providing an old GAIA password to decrypt the pending keys.
   //    In this case, the user is using an implicit passphrase, but has changed
   //    their password since they last encrypted their data, and therefore
   //    their current GAIA password was unable to decrypt the data. This will
   //    happen when the user is setting up a new profile with a previously
   //    encrypted account (after changing passwords).
   // 9. The user is providing a previously set explicit passphrase to decrypt
   //    the pending keys.
-  if (!IsExplicitPassphrase(passphrase_type_)) {
+  if (!IsExplicitPassphrase(GetPassphraseType(trans.GetWrappedTrans()))) {
     if (cryptographer->is_initialized()) {
       // We only want to change the default encryption key to the pending
       // one if the pending keybag already contains the current default.
       // This covers the case where a different client re-encrypted
       // everything with a newer gaia passphrase (and hence the keybag
       // contains keys from all previously used gaia passphrases).
       // Otherwise, we're in a situation where the pending keys are
       // encrypted with an old gaia passphrase, while the default is the
       // current gaia passphrase. In that case, we preserve the default.
       Cryptographer temp_cryptographer(cryptographer->encryptor());
@@ skipping 85 matching lines @@
   WriteEncryptionStateToNigori(&trans);
   if (UnlockVault(trans.GetWrappedTrans()).cryptographer.is_ready())
     ReEncryptEverything(&trans);
 }
 
 bool SyncEncryptionHandlerImpl::IsEncryptEverythingEnabled() const {
   DCHECK(thread_checker_.CalledOnValidThread());
   return encrypt_everything_;
 }
 
-PassphraseType SyncEncryptionHandlerImpl::GetPassphraseType() const {
-  DCHECK(thread_checker_.CalledOnValidThread());
-  return passphrase_type_;
-}
-
 // Note: this is called from within a syncable transaction, so we need to post
 // tasks if we want to do any work that creates a new sync_api transaction.
 void SyncEncryptionHandlerImpl::ApplyNigoriUpdate(
     const sync_pb::NigoriSpecifics& nigori,
     syncable::BaseTransaction* const trans) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(trans);
   if (!ApplyNigoriUpdateImpl(nigori, trans)) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::Bind(&SyncEncryptionHandlerImpl::RewriteNigori,
@@ skipping 66 matching lines @@
       !nigori.keystore_decryptor_token().blob().empty()) {
     // If the nigori is already migrated and we have pending keys, we might
     // be able to decrypt them using either the keystore decryptor token
     // or the existing keystore keys.
     DecryptPendingKeysWithKeystoreKey(
         keystore_key_, nigori.keystore_decryptor_token(), cryptographer);
   }
 
   // Note that triggering migration will have no effect if we're already
   // properly migrated with the newest keystore keys.
-  if (ShouldTriggerMigration(nigori, *cryptographer)) {
+  if (ShouldTriggerMigration(nigori, *cryptographer,
+                             GetPassphraseType(trans))) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::Bind(&SyncEncryptionHandlerImpl::RewriteNigori,
                               weak_ptr_factory_.GetWeakPtr()));
   }
 
   return true;
 }
 
 ModelTypeSet SyncEncryptionHandlerImpl::GetEncryptedTypes(
     syncable::BaseTransaction* const trans) const {
   return UnlockVault(trans).encrypted_types;
 }
 
+PassphraseType SyncEncryptionHandlerImpl::GetPassphraseType(
+    syncable::BaseTransaction* const trans) const {
+  return UnlockVault(trans).passphrase_type;
+}
+
 Cryptographer* SyncEncryptionHandlerImpl::GetCryptographerUnsafe() {
   DCHECK(thread_checker_.CalledOnValidThread());
   return &vault_unsafe_.cryptographer;
 }
 
 ModelTypeSet SyncEncryptionHandlerImpl::GetEncryptedTypesUnsafe() {
   DCHECK(thread_checker_.CalledOnValidThread());
   return vault_unsafe_.encrypted_types;
 }
 
@@ skipping 113 matching lines @@
     syncable::BaseTransaction* const trans) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DVLOG(1) << "Applying nigori node update.";
   bool nigori_types_need_update =
       !UpdateEncryptedTypesFromNigori(nigori, trans);
 
   if (nigori.custom_passphrase_time() != 0) {
     custom_passphrase_time_ = ProtoTimeToTime(nigori.custom_passphrase_time());
   }
   bool is_nigori_migrated = IsNigoriMigratedToKeystore(nigori);
+  PassphraseType* passphrase_type = &UnlockVaultMutable(trans)->passphrase_type;
   if (is_nigori_migrated) {
     migration_time_ = ProtoTimeToTime(nigori.keystore_migration_time());
     PassphraseType nigori_passphrase_type =
         ProtoPassphraseTypeToEnum(nigori.passphrase_type());
 
     // Only update the local passphrase state if it's a valid transition:
     // - implicit -> keystore
     // - implicit -> frozen implicit
     // - implicit -> custom
     // - keystore -> custom
     // Note: frozen implicit -> custom is not technically a valid transition,
     // but we let it through here as well in case future versions do add support
     // for this transition.
-    if (passphrase_type_ != nigori_passphrase_type &&
+    if (*passphrase_type != nigori_passphrase_type &&
         nigori_passphrase_type != PassphraseType::IMPLICIT_PASSPHRASE &&
-        (passphrase_type_ == PassphraseType::IMPLICIT_PASSPHRASE ||
+        (*passphrase_type == PassphraseType::IMPLICIT_PASSPHRASE ||
          nigori_passphrase_type == PassphraseType::CUSTOM_PASSPHRASE)) {
       DVLOG(1) << "Changing passphrase state from "
-               << PassphraseTypeToString(passphrase_type_) << " to "
+               << PassphraseTypeToString(*passphrase_type) << " to "
                << PassphraseTypeToString(nigori_passphrase_type);
-      passphrase_type_ = nigori_passphrase_type;
-      FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
-                        OnPassphraseTypeChanged(passphrase_type_,
-                                                GetExplicitPassphraseTime()));
+      *passphrase_type = nigori_passphrase_type;
+      FOR_EACH_OBSERVER(
+          SyncEncryptionHandler::Observer, observers_,
+          OnPassphraseTypeChanged(*passphrase_type,
+                                  GetExplicitPassphraseTime(*passphrase_type)));
     }
-    if (passphrase_type_ == PassphraseType::KEYSTORE_PASSPHRASE &&
+    if (*passphrase_type == PassphraseType::KEYSTORE_PASSPHRASE &&
         encrypt_everything_) {
       // This is the case where another client that didn't support keystore
       // encryption attempted to enable full encryption. We detect it
       // and switch the passphrase type to frozen implicit passphrase instead
       // due to full encryption not being compatible with keystore passphrase.
       // Because the local passphrase type will not match the nigori passphrase
       // type, we will trigger a rewrite and subsequently a re-migration.
       DVLOG(1) << "Changing passphrase state to FROZEN_IMPLICIT_PASSPHRASE "
                << "due to full encryption.";
-      passphrase_type_ = PassphraseType::FROZEN_IMPLICIT_PASSPHRASE;
-      FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
-                        OnPassphraseTypeChanged(passphrase_type_,
-                                                GetExplicitPassphraseTime()));
+      *passphrase_type = PassphraseType::FROZEN_IMPLICIT_PASSPHRASE;
+      FOR_EACH_OBSERVER(
+          SyncEncryptionHandler::Observer, observers_,
+          OnPassphraseTypeChanged(*passphrase_type,
+                                  GetExplicitPassphraseTime(*passphrase_type)));
     }
   } else {
     // It's possible that while we're waiting for migration a client that does
     // not have keystore encryption enabled switches to a custom passphrase.
     if (nigori.keybag_is_frozen() &&
-        passphrase_type_ != PassphraseType::CUSTOM_PASSPHRASE) {
-      passphrase_type_ = PassphraseType::CUSTOM_PASSPHRASE;
-      FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
-                        OnPassphraseTypeChanged(passphrase_type_,
-                                                GetExplicitPassphraseTime()));
+        *passphrase_type != PassphraseType::CUSTOM_PASSPHRASE) {
+      *passphrase_type = PassphraseType::CUSTOM_PASSPHRASE;
+      FOR_EACH_OBSERVER(
+          SyncEncryptionHandler::Observer, observers_,
+          OnPassphraseTypeChanged(*passphrase_type,
+                                  GetExplicitPassphraseTime(*passphrase_type)));
     }
   }
 
   Cryptographer* cryptographer = &UnlockVaultMutable(trans)->cryptographer;
   bool nigori_needs_new_keys = false;
   if (!nigori.encryption_keybag().blob().empty()) {
     // We only update the default key if this was a new explicit passphrase.
     // Else, since it was decryptable, it must not have been a new key.
     bool need_new_default_key = false;
     if (is_nigori_migrated) {
@@ skipping 46 matching lines @@
     FOR_EACH_OBSERVER(
         SyncEncryptionHandler::Observer, observers_,
         OnPassphraseRequired(REASON_ENCRYPTION, sync_pb::EncryptedData()));
   }
 
   // Check if the current local encryption state is stricter/newer than the
   // nigori state. If so, we need to overwrite the nigori node with the local
   // state.
   bool passphrase_type_matches = true;
   if (!is_nigori_migrated) {
-    DCHECK(passphrase_type_ == PassphraseType::CUSTOM_PASSPHRASE ||
-           passphrase_type_ == PassphraseType::IMPLICIT_PASSPHRASE);
+    DCHECK(*passphrase_type == PassphraseType::CUSTOM_PASSPHRASE ||
+           *passphrase_type == PassphraseType::IMPLICIT_PASSPHRASE);
     passphrase_type_matches =
-        nigori.keybag_is_frozen() == IsExplicitPassphrase(passphrase_type_);
+        nigori.keybag_is_frozen() == IsExplicitPassphrase(*passphrase_type);
   } else {
     passphrase_type_matches =
         (ProtoPassphraseTypeToEnum(nigori.passphrase_type()) ==
-         passphrase_type_);
+         *passphrase_type);
   }
   if (!passphrase_type_matches ||
       nigori.encrypt_everything() != encrypt_everything_ ||
       nigori_types_need_update || nigori_needs_new_keys) {
     DVLOG(1) << "Triggering nigori rewrite.";
     return false;
   }
   return true;
 }
 
@@ skipping 94 matching lines @@
 }
 
 void SyncEncryptionHandlerImpl::SetCustomPassphrase(
     const std::string& passphrase,
     WriteTransaction* trans,
     WriteNode* nigori_node) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(IsNigoriMigratedToKeystore(nigori_node->GetNigoriSpecifics()));
   KeyParams key_params = {"localhost", "dummy", passphrase};
 
-  if (passphrase_type_ != PassphraseType::KEYSTORE_PASSPHRASE) {
+  if (GetPassphraseType(trans->GetWrappedTrans()) !=
+      PassphraseType::KEYSTORE_PASSPHRASE) {
     DVLOG(1) << "Failing to set a custom passphrase because one has already "
              << "been set.";
     FinishSetPassphrase(false, std::string(), trans, nigori_node);
     return;
   }
 
   Cryptographer* cryptographer =
       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
   if (cryptographer->has_pending_keys()) {
     // This theoretically shouldn't happen, because the only way to have pending
     // keys after migrating to keystore support is if a custom passphrase was
     // set, which should update passpshrase_state_ and should be caught by the
     // if statement above. For the sake of safety though, we check for it in
     // case a client is misbehaving.
     LOG(ERROR) << "Failing to set custom passphrase because of pending keys.";
     FinishSetPassphrase(false, std::string(), trans, nigori_node);
     return;
   }
 
   std::string bootstrap_token;
   if (!cryptographer->AddKey(key_params)) {
     NOTREACHED() << "Failed to add key to cryptographer.";
     return;
   }
 
   DVLOG(1) << "Setting custom passphrase.";
   cryptographer->GetBootstrapToken(&bootstrap_token);
-  passphrase_type_ = PassphraseType::CUSTOM_PASSPHRASE;
+  PassphraseType* passphrase_type =
+      &UnlockVaultMutable(trans->GetWrappedTrans())->passphrase_type;
+  *passphrase_type = PassphraseType::CUSTOM_PASSPHRASE;
   custom_passphrase_time_ = base::Time::Now();
   FOR_EACH_OBSERVER(
       SyncEncryptionHandler::Observer, observers_,
-      OnPassphraseTypeChanged(passphrase_type_, GetExplicitPassphraseTime()));
+      OnPassphraseTypeChanged(*passphrase_type,
+                              GetExplicitPassphraseTime(*passphrase_type)));
   FinishSetPassphrase(true, bootstrap_token, trans, nigori_node);
 }
 
 void SyncEncryptionHandlerImpl::NotifyObserversOfLocalCustomPassphrase(
     WriteTransaction* trans) {
   WriteNode nigori_node(trans);
   BaseNode::InitByLookupResult init_result = nigori_node.InitTypeRoot(NIGORI);
   DCHECK_EQ(init_result, BaseNode::INIT_OK);
   NigoriState nigori_state;
   nigori_state.nigori_specifics = nigori_node.GetNigoriSpecifics();
   DCHECK(nigori_state.nigori_specifics.passphrase_type() ==
              sync_pb::NigoriSpecifics::CUSTOM_PASSPHRASE ||
          nigori_state.nigori_specifics.passphrase_type() ==
              sync_pb::NigoriSpecifics::FROZEN_IMPLICIT_PASSPHRASE);
   FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
                     OnLocalSetPassphraseEncryption(nigori_state));
 }
 
 void SyncEncryptionHandlerImpl::DecryptPendingKeysWithExplicitPassphrase(
     const std::string& passphrase,
     WriteTransaction* trans,
     WriteNode* nigori_node) {
   DCHECK(thread_checker_.CalledOnValidThread());
-  DCHECK(IsExplicitPassphrase(passphrase_type_));
+  DCHECK(IsExplicitPassphrase(GetPassphraseType(trans->GetWrappedTrans())));
   KeyParams key_params = {"localhost", "dummy", passphrase};
 
   Cryptographer* cryptographer =
       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
   if (!cryptographer->has_pending_keys()) {
     // Note that this *can* happen in a rare situation where data is
     // re-encrypted on another client while a SetDecryptionPassphrase() call is
     // in-flight on this client. It is rare enough that we choose to do nothing.
     NOTREACHED() << "Attempt to set decryption passphrase failed because there "
                  << "were no pending keys.";
     return;
   }
 
-  DCHECK(IsExplicitPassphrase(passphrase_type_));
+  DCHECK(IsExplicitPassphrase(GetPassphraseType(trans->GetWrappedTrans())));
   bool success = false;
   std::string bootstrap_token;
   if (cryptographer->DecryptPendingKeys(key_params)) {
     DVLOG(1) << "Explicit passphrase accepted for decryption.";
     cryptographer->GetBootstrapToken(&bootstrap_token);
     success = true;
   } else {
     DVLOG(1) << "Explicit passphrase failed to decrypt.";
     success = false;
   }
@@ skipping 51 matching lines @@
   // (in otherwords, if ShouldTriggerMigration is false).
   // Otherwise will update the nigori node with the current migrated state,
   // writing all encryption state as it does.
   if (!AttemptToMigrateNigoriToKeystore(trans, nigori_node)) {
     sync_pb::NigoriSpecifics nigori(nigori_node->GetNigoriSpecifics());
     // Does not modify nigori.encryption_keybag() if the original decrypted
     // data was the same.
     if (!cryptographer.GetKeys(nigori.mutable_encryption_keybag()))
       NOTREACHED();
     if (IsNigoriMigratedToKeystore(nigori)) {
-      DCHECK(keystore_key_.empty() || IsExplicitPassphrase(passphrase_type_));
+      DCHECK(keystore_key_.empty() ||
+             IsExplicitPassphrase(GetPassphraseType(trans->GetWrappedTrans())));
       DVLOG(1) << "Leaving nigori migration state untouched after setting"
                << " passphrase.";
     } else {
-      nigori.set_keybag_is_frozen(IsExplicitPassphrase(passphrase_type_));
+      nigori.set_keybag_is_frozen(
+          IsExplicitPassphrase(GetPassphraseType(trans->GetWrappedTrans())));
     }
     // If we set a new custom passphrase, store the timestamp.
     if (!custom_passphrase_time_.is_null()) {
       nigori.set_custom_passphrase_time(
           TimeToProtoTime(custom_passphrase_time_));
     }
     nigori_node->SetNigoriSpecifics(nigori);
   }
 
   // Must do this after OnPassphraseTypeChanged, in order to ensure the PSS
@@ skipping 31 matching lines @@
 }
 
 const SyncEncryptionHandlerImpl::Vault& SyncEncryptionHandlerImpl::UnlockVault(
     syncable::BaseTransaction* const trans) const {
   DCHECK_EQ(user_share_->directory.get(), trans->directory());
   return vault_unsafe_;
 }
 
 bool SyncEncryptionHandlerImpl::ShouldTriggerMigration(
     const sync_pb::NigoriSpecifics& nigori,
-    const Cryptographer& cryptographer) const {
+    const Cryptographer& cryptographer,
+    PassphraseType passphrase_type) const {
   DCHECK(thread_checker_.CalledOnValidThread());
   // Don't migrate if there are pending encryption keys (because data
   // encrypted with the pending keys will not be decryptable).
   if (cryptographer.has_pending_keys())
     return false;
   if (IsNigoriMigratedToKeystore(nigori)) {
     // If the nigori is already migrated but does not reflect the explicit
     // passphrase state, remigrate. Similarly, if the nigori has an explicit
     // passphrase but does not have full encryption, or the nigori has an
     // implicit passphrase but does have full encryption, re-migrate.
     // Note that this is to defend against other clients without keystore
     // encryption enabled transitioning to states that are no longer valid.
-    if (passphrase_type_ != PassphraseType::KEYSTORE_PASSPHRASE &&
+    if (passphrase_type != PassphraseType::KEYSTORE_PASSPHRASE &&
         nigori.passphrase_type() ==
             sync_pb::NigoriSpecifics::KEYSTORE_PASSPHRASE) {
       return true;
-    } else if (IsExplicitPassphrase(passphrase_type_) && !encrypt_everything_) {
+    } else if (IsExplicitPassphrase(passphrase_type) && !encrypt_everything_) {
       return true;
-    } else if (passphrase_type_ == PassphraseType::KEYSTORE_PASSPHRASE &&
+    } else if (passphrase_type == PassphraseType::KEYSTORE_PASSPHRASE &&
                encrypt_everything_) {
       return true;
     } else if (cryptographer.is_ready() &&
                !cryptographer.CanDecryptUsingDefaultKey(
                    nigori.encryption_keybag())) {
       // We need to overwrite the keybag. This might involve overwriting the
       // keystore decryptor too.
       return true;
     } else if (old_keystore_keys_.size() > 0 && !keystore_key_.empty()) {
       // Check to see if a server key rotation has happened, but the nigori
@@ skipping 21 matching lines @@
 }
 
 bool SyncEncryptionHandlerImpl::AttemptToMigrateNigoriToKeystore(
     WriteTransaction* trans,
     WriteNode* nigori_node) {
   DCHECK(thread_checker_.CalledOnValidThread());
   const sync_pb::NigoriSpecifics& old_nigori =
       nigori_node->GetNigoriSpecifics();
   Cryptographer* cryptographer =
       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
-
-  if (!ShouldTriggerMigration(old_nigori, *cryptographer))
+  PassphraseType* passphrase_type =
+      &UnlockVaultMutable(trans->GetWrappedTrans())->passphrase_type;
+  if (!ShouldTriggerMigration(old_nigori, *cryptographer, *passphrase_type))
     return false;
 
   DVLOG(1) << "Starting nigori migration to keystore support.";
   sync_pb::NigoriSpecifics migrated_nigori(old_nigori);
 
-  PassphraseType new_passphrase_type = passphrase_type_;
+  PassphraseType new_passphrase_type =
+      GetPassphraseType(trans->GetWrappedTrans());
   bool new_encrypt_everything = encrypt_everything_;
-  if (encrypt_everything_ && !IsExplicitPassphrase(passphrase_type_)) {
+  if (encrypt_everything_ && !IsExplicitPassphrase(*passphrase_type)) {
     DVLOG(1) << "Switching to frozen implicit passphrase due to already having "
              << "full encryption.";
     new_passphrase_type = PassphraseType::FROZEN_IMPLICIT_PASSPHRASE;
     migrated_nigori.clear_keystore_decryptor_token();
-  } else if (IsExplicitPassphrase(passphrase_type_)) {
+  } else if (IsExplicitPassphrase(*passphrase_type)) {
     DVLOG_IF(1, !encrypt_everything_) << "Enabling encrypt everything due to "
                                       << "explicit passphrase";
     new_encrypt_everything = true;
     migrated_nigori.clear_keystore_decryptor_token();
   } else {
     DCHECK(!encrypt_everything_);
     new_passphrase_type = PassphraseType::KEYSTORE_PASSPHRASE;
     DVLOG(1) << "Switching to keystore passphrase state.";
   }
   migrated_nigori.set_encrypt_everything(new_encrypt_everything);
@@ skipping 71 matching lines @@
     migration_time_ = base::Time::Now();
   migrated_nigori.set_keystore_migration_time(TimeToProtoTime(migration_time_));
 
   if (!custom_passphrase_time_.is_null()) {
     migrated_nigori.set_custom_passphrase_time(
         TimeToProtoTime(custom_passphrase_time_));
   }
 
   FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
                     OnCryptographerStateChanged(cryptographer));
-  if (passphrase_type_ != new_passphrase_type) {
-    passphrase_type_ = new_passphrase_type;
+  if (*passphrase_type != new_passphrase_type) {
+    *passphrase_type = new_passphrase_type;
     FOR_EACH_OBSERVER(
         SyncEncryptionHandler::Observer, observers_,
-        OnPassphraseTypeChanged(passphrase_type_, GetExplicitPassphraseTime()));
+        OnPassphraseTypeChanged(*passphrase_type,
+                                GetExplicitPassphraseTime(*passphrase_type)));
   }
 
   if (new_encrypt_everything && !encrypt_everything_) {
     EnableEncryptEverythingImpl(trans->GetWrappedTrans());
     ReEncryptEverything(trans);
   } else if (!cryptographer->CanDecryptUsingDefaultKey(
                  old_nigori.encryption_keybag())) {
     DVLOG(1) << "Rencrypting everything due to key rotation.";
     ReEncryptEverything(trans);
   }
@@ skipping 148 matching lines @@
           SyncEncryptionHandler::Observer, observers_,
           OnBootstrapTokenUpdated(bootstrap_token, PASSPHRASE_BOOTSTRAP_TOKEN));
       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
                         OnCryptographerStateChanged(cryptographer));
       return true;
     }
   }
   return false;
 }
 
-base::Time SyncEncryptionHandlerImpl::GetExplicitPassphraseTime() const {
-  if (passphrase_type_ == PassphraseType::FROZEN_IMPLICIT_PASSPHRASE)
+base::Time SyncEncryptionHandlerImpl::GetExplicitPassphraseTime(
+    PassphraseType passphrase_type) const {
+  if (passphrase_type == PassphraseType::FROZEN_IMPLICIT_PASSPHRASE)
     return migration_time();
-  else if (passphrase_type_ == PassphraseType::CUSTOM_PASSPHRASE)
+  else if (passphrase_type == PassphraseType::CUSTOM_PASSPHRASE)
     return custom_passphrase_time();
   return base::Time();
 }
 
 }  // namespace syncer