OLD | NEW |
1 // Copyright 2012 The Chromium Authors. All rights reserved. | 1 // Copyright 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ | 5 #ifndef COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ |
6 #define COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ | 6 #define COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
54 | 54 |
55 // SyncEncryptionHandler implementation. | 55 // SyncEncryptionHandler implementation. |
56 void AddObserver(Observer* observer) override; | 56 void AddObserver(Observer* observer) override; |
57 void RemoveObserver(Observer* observer) override; | 57 void RemoveObserver(Observer* observer) override; |
58 void Init() override; | 58 void Init() override; |
59 void SetEncryptionPassphrase(const std::string& passphrase, | 59 void SetEncryptionPassphrase(const std::string& passphrase, |
60 bool is_explicit) override; | 60 bool is_explicit) override; |
61 void SetDecryptionPassphrase(const std::string& passphrase) override; | 61 void SetDecryptionPassphrase(const std::string& passphrase) override; |
62 void EnableEncryptEverything() override; | 62 void EnableEncryptEverything() override; |
63 bool IsEncryptEverythingEnabled() const override; | 63 bool IsEncryptEverythingEnabled() const override; |
64 PassphraseType GetPassphraseType() const override; | |
65 | 64 |
66 // NigoriHandler implementation. | 65 // NigoriHandler implementation. |
67 // Note: all methods are invoked while the caller holds a transaction. | 66 // Note: all methods are invoked while the caller holds a transaction. |
68 void ApplyNigoriUpdate(const sync_pb::NigoriSpecifics& nigori, | 67 void ApplyNigoriUpdate(const sync_pb::NigoriSpecifics& nigori, |
69 syncable::BaseTransaction* const trans) override; | 68 syncable::BaseTransaction* const trans) override; |
70 void UpdateNigoriFromEncryptedTypes( | 69 void UpdateNigoriFromEncryptedTypes( |
71 sync_pb::NigoriSpecifics* nigori, | 70 sync_pb::NigoriSpecifics* nigori, |
72 syncable::BaseTransaction* const trans) const override; | 71 syncable::BaseTransaction* const trans) const override; |
73 bool NeedKeystoreKey(syncable::BaseTransaction* const trans) const override; | 72 bool NeedKeystoreKey(syncable::BaseTransaction* const trans) const override; |
74 bool SetKeystoreKeys( | 73 bool SetKeystoreKeys( |
75 const google::protobuf::RepeatedPtrField<google::protobuf::string>& keys, | 74 const google::protobuf::RepeatedPtrField<google::protobuf::string>& keys, |
76 syncable::BaseTransaction* const trans) override; | 75 syncable::BaseTransaction* const trans) override; |
77 // Can be called from any thread. | 76 // Can be called from any thread. |
78 ModelTypeSet GetEncryptedTypes( | 77 ModelTypeSet GetEncryptedTypes( |
79 syncable::BaseTransaction* const trans) const override; | 78 syncable::BaseTransaction* const trans) const override; |
| 79 PassphraseType GetPassphraseType( |
| 80 syncable::BaseTransaction* const trans) const override; |
80 | 81 |
81 // Unsafe getters. Use only if sync is not up and running and there is no risk | 82 // Unsafe getters. Use only if sync is not up and running and there is no risk |
82 // of other threads calling this. | 83 // of other threads calling this. |
83 Cryptographer* GetCryptographerUnsafe(); | 84 Cryptographer* GetCryptographerUnsafe(); |
84 ModelTypeSet GetEncryptedTypesUnsafe(); | 85 ModelTypeSet GetEncryptedTypesUnsafe(); |
85 | 86 |
86 bool MigratedToKeystore(); | 87 bool MigratedToKeystore(); |
87 base::Time migration_time() const; | 88 base::Time migration_time() const; |
88 base::Time custom_passphrase_time() const; | 89 base::Time custom_passphrase_time() const; |
89 | 90 |
(...skipping 30 matching lines...) Expand all Loading... |
120 FRIEND_TEST_ALL_PREFIXES(SyncEncryptionHandlerImplTest, | 121 FRIEND_TEST_ALL_PREFIXES(SyncEncryptionHandlerImplTest, |
121 MigrateOnEncryptEverythingKeystorePassphrase); | 122 MigrateOnEncryptEverythingKeystorePassphrase); |
122 FRIEND_TEST_ALL_PREFIXES(SyncEncryptionHandlerImplTest, | 123 FRIEND_TEST_ALL_PREFIXES(SyncEncryptionHandlerImplTest, |
123 ReceiveMigratedNigoriWithOldPassphrase); | 124 ReceiveMigratedNigoriWithOldPassphrase); |
124 | 125 |
125 // Container for members that require thread safety protection. All members | 126 // Container for members that require thread safety protection. All members |
126 // that can be accessed from more than one thread should be held here and | 127 // that can be accessed from more than one thread should be held here and |
127 // accessed via UnlockVault(..) and UnlockVaultMutable(..), which enforce | 128 // accessed via UnlockVault(..) and UnlockVaultMutable(..), which enforce |
128 // that a transaction is held. | 129 // that a transaction is held. |
129 struct Vault { | 130 struct Vault { |
130 Vault(Encryptor* encryptor, ModelTypeSet encrypted_types); | 131 Vault(Encryptor* encryptor, |
| 132 ModelTypeSet encrypted_types, |
| 133 PassphraseType passphrase_type); |
131 ~Vault(); | 134 ~Vault(); |
132 | 135 |
133 // Sync's cryptographer. Used for encrypting and decrypting sync data. | 136 // Sync's cryptographer. Used for encrypting and decrypting sync data. |
134 Cryptographer cryptographer; | 137 Cryptographer cryptographer; |
135 // The set of types that require encryption. | 138 // The set of types that require encryption. |
136 ModelTypeSet encrypted_types; | 139 ModelTypeSet encrypted_types; |
| 140 // The current state of the passphrase required to decrypt the encryption |
| 141 // keys stored in the nigori node. |
| 142 PassphraseType passphrase_type; |
137 | 143 |
138 private: | 144 private: |
139 DISALLOW_COPY_AND_ASSIGN(Vault); | 145 DISALLOW_COPY_AND_ASSIGN(Vault); |
140 }; | 146 }; |
141 | 147 |
142 // Iterate over all encrypted types ensuring each entry is properly encrypted. | 148 // Iterate over all encrypted types ensuring each entry is properly encrypted. |
143 void ReEncryptEverything(WriteTransaction* trans); | 149 void ReEncryptEverything(WriteTransaction* trans); |
144 | 150 |
145 // Updates internal and cryptographer state. | 151 // Updates internal and cryptographer state. |
146 // | 152 // |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
219 | 225 |
220 // Helper method for determining if migration of a nigori node should be | 226 // Helper method for determining if migration of a nigori node should be |
221 // triggered or not. | 227 // triggered or not. |
222 // Conditions for triggering migration: | 228 // Conditions for triggering migration: |
223 // 1. Cryptographer has no pending keys | 229 // 1. Cryptographer has no pending keys |
224 // 2. Nigori node isn't already properly migrated or we need to rotate keys. | 230 // 2. Nigori node isn't already properly migrated or we need to rotate keys. |
225 // 3. Keystore key is available. | 231 // 3. Keystore key is available. |
226 // Note: if the nigori node is migrated but has an invalid state, will return | 232 // Note: if the nigori node is migrated but has an invalid state, will return |
227 // true (e.g. node has KEYSTORE_PASSPHRASE, local is CUSTOM_PASSPHRASE). | 233 // true (e.g. node has KEYSTORE_PASSPHRASE, local is CUSTOM_PASSPHRASE). |
228 bool ShouldTriggerMigration(const sync_pb::NigoriSpecifics& nigori, | 234 bool ShouldTriggerMigration(const sync_pb::NigoriSpecifics& nigori, |
229 const Cryptographer& cryptographer) const; | 235 const Cryptographer& cryptographer, |
| 236 PassphraseType passphrase_type) const; |
230 | 237 |
231 // Performs the actual migration of the |nigori_node| to support keystore | 238 // Performs the actual migration of the |nigori_node| to support keystore |
232 // encryption iff ShouldTriggerMigration(..) returns true. | 239 // encryption iff ShouldTriggerMigration(..) returns true. |
233 bool AttemptToMigrateNigoriToKeystore(WriteTransaction* trans, | 240 bool AttemptToMigrateNigoriToKeystore(WriteTransaction* trans, |
234 WriteNode* nigori_node); | 241 WriteNode* nigori_node); |
235 | 242 |
236 // Fill |encrypted_blob| with the keystore decryptor token if | 243 // Fill |encrypted_blob| with the keystore decryptor token if |
237 // |encrypted_blob|'s contents didn't already contain the key. | 244 // |encrypted_blob|'s contents didn't already contain the key. |
238 // The keystore decryptor token is the serialized current default encryption | 245 // The keystore decryptor token is the serialized current default encryption |
239 // key, encrypted with the keystore key. | 246 // key, encrypted with the keystore key. |
(...skipping 16 matching lines...) Expand all Loading... |
256 const std::string& keystore_key, | 263 const std::string& keystore_key, |
257 const sync_pb::EncryptedData& keystore_bootstrap, | 264 const sync_pb::EncryptedData& keystore_bootstrap, |
258 Cryptographer* cryptographer); | 265 Cryptographer* cryptographer); |
259 | 266 |
260 // Helper to enable encrypt everything, notifying observers if necessary. | 267 // Helper to enable encrypt everything, notifying observers if necessary. |
261 // Will not perform re-encryption. | 268 // Will not perform re-encryption. |
262 void EnableEncryptEverythingImpl(syncable::BaseTransaction* const trans); | 269 void EnableEncryptEverythingImpl(syncable::BaseTransaction* const trans); |
263 | 270 |
264 // If an explicit passphrase is in use, returns the time at which it was set | 271 // If an explicit passphrase is in use, returns the time at which it was set |
265 // (if known). Else return base::Time(). | 272 // (if known). Else return base::Time(). |
266 base::Time GetExplicitPassphraseTime() const; | 273 base::Time GetExplicitPassphraseTime(PassphraseType passphrase_type) const; |
267 | 274 |
268 // Notify observers when a custom passphrase is set by this device. | 275 // Notify observers when a custom passphrase is set by this device. |
269 void NotifyObserversOfLocalCustomPassphrase(WriteTransaction* trans); | 276 void NotifyObserversOfLocalCustomPassphrase(WriteTransaction* trans); |
270 | 277 |
271 base::ThreadChecker thread_checker_; | 278 base::ThreadChecker thread_checker_; |
272 | 279 |
273 base::ObserverList<SyncEncryptionHandler::Observer> observers_; | 280 base::ObserverList<SyncEncryptionHandler::Observer> observers_; |
274 | 281 |
275 // The current user share (for creating transactions). | 282 // The current user share (for creating transactions). |
276 UserShare* user_share_; | 283 UserShare* user_share_; |
277 | 284 |
278 // Container for all data that can be accessed from multiple threads. Do not | 285 // Container for all data that can be accessed from multiple threads. Do not |
279 // access this object directly. Instead access it via UnlockVault(..) and | 286 // access this object directly. Instead access it via UnlockVault(..) and |
280 // UnlockVaultMutable(..). | 287 // UnlockVaultMutable(..). |
281 Vault vault_unsafe_; | 288 Vault vault_unsafe_; |
282 | 289 |
283 // Sync encryption state that is only modified and accessed from the sync | 290 // Sync encryption state that is only modified and accessed from the sync |
284 // thread. | 291 // thread. |
285 // Whether all current and future types should be encrypted. | 292 // Whether all current and future types should be encrypted. |
286 bool encrypt_everything_; | 293 bool encrypt_everything_; |
287 // The current state of the passphrase required to decrypt the encryption | |
288 // keys stored in the nigori node. | |
289 PassphraseType passphrase_type_; | |
290 | 294 |
291 // The current keystore key provided by the server. | 295 // The current keystore key provided by the server. |
292 std::string keystore_key_; | 296 std::string keystore_key_; |
293 | 297 |
294 // The set of old keystore keys. Every time a key rotation occurs, the server | 298 // The set of old keystore keys. Every time a key rotation occurs, the server |
295 // sends down all previous keystore keys as well as the new key. We preserve | 299 // sends down all previous keystore keys as well as the new key. We preserve |
296 // the old keys so that when we re-encrypt we can ensure they're all added to | 300 // the old keys so that when we re-encrypt we can ensure they're all added to |
297 // the keybag (and to detect that a key rotation has occurred). | 301 // the keybag (and to detect that a key rotation has occurred). |
298 std::vector<std::string> old_keystore_keys_; | 302 std::vector<std::string> old_keystore_keys_; |
299 | 303 |
(...skipping 11 matching lines...) Expand all Loading... |
311 base::Time custom_passphrase_time_; | 315 base::Time custom_passphrase_time_; |
312 | 316 |
313 base::WeakPtrFactory<SyncEncryptionHandlerImpl> weak_ptr_factory_; | 317 base::WeakPtrFactory<SyncEncryptionHandlerImpl> weak_ptr_factory_; |
314 | 318 |
315 DISALLOW_COPY_AND_ASSIGN(SyncEncryptionHandlerImpl); | 319 DISALLOW_COPY_AND_ASSIGN(SyncEncryptionHandlerImpl); |
316 }; | 320 }; |
317 | 321 |
318 } // namespace syncer | 322 } // namespace syncer |
319 | 323 |
320 #endif // COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ | 324 #endif // COMPONENTS_SYNC_CORE_IMPL_SYNC_ENCRYPTION_HANDLER_IMPL_H_ |
OLD | NEW |