Home | History | Annotate | Download | only in internal_api
      1 // Copyright 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "sync/internal_api/sync_encryption_handler_impl.h"
      6 
      7 #include <queue>
      8 #include <string>
      9 
     10 #include "base/base64.h"
     11 #include "base/bind.h"
     12 #include "base/json/json_string_value_serializer.h"
     13 #include "base/message_loop/message_loop.h"
     14 #include "base/metrics/histogram.h"
     15 #include "base/time/time.h"
     16 #include "base/tracked_objects.h"
     17 #include "sync/internal_api/public/read_node.h"
     18 #include "sync/internal_api/public/read_transaction.h"
     19 #include "sync/internal_api/public/user_share.h"
     20 #include "sync/internal_api/public/util/experiments.h"
     21 #include "sync/internal_api/public/util/sync_string_conversions.h"
     22 #include "sync/internal_api/public/write_node.h"
     23 #include "sync/internal_api/public/write_transaction.h"
     24 #include "sync/protocol/encryption.pb.h"
     25 #include "sync/protocol/nigori_specifics.pb.h"
     26 #include "sync/protocol/sync.pb.h"
     27 #include "sync/syncable/directory.h"
     28 #include "sync/syncable/entry.h"
     29 #include "sync/syncable/nigori_util.h"
     30 #include "sync/syncable/syncable_base_transaction.h"
     31 #include "sync/util/cryptographer.h"
     32 #include "sync/util/encryptor.h"
     33 #include "sync/util/time.h"
     34 
     35 namespace syncer {
     36 
     37 namespace {
     38 
     39 // The maximum number of times we will automatically overwrite the nigori node
     40 // because the encryption keys don't match (per chrome instantiation).
     41 // We protect ourselves against nigori rollbacks, but it's possible two
     42 // different clients might have contrasting view of what the nigori node state
     43 // should be, in which case they might ping pong (see crbug.com/119207).
     44 static const int kNigoriOverwriteLimit = 10;
     45 
     46 // Enumeration of nigori keystore migration results (for use in UMA stats).
     47 enum NigoriMigrationResult {
     48   FAILED_TO_SET_DEFAULT_KEYSTORE,
     49   FAILED_TO_SET_NONDEFAULT_KEYSTORE,
     50   FAILED_TO_EXTRACT_DECRYPTOR,
     51   FAILED_TO_EXTRACT_KEYBAG,
     52   MIGRATION_SUCCESS_KEYSTORE_NONDEFAULT,
     53   MIGRATION_SUCCESS_KEYSTORE_DEFAULT,
     54   MIGRATION_SUCCESS_FROZEN_IMPLICIT,
     55   MIGRATION_SUCCESS_CUSTOM,
     56   MIGRATION_RESULT_SIZE,
     57 };
     58 
     59 enum NigoriMigrationState {
     60   MIGRATED,
     61   NOT_MIGRATED_CRYPTO_NOT_READY,
     62   NOT_MIGRATED_NO_KEYSTORE_KEY,
     63   NOT_MIGRATED_UNKNOWN_REASON,
     64   MIGRATION_STATE_SIZE,
     65 };
     66 
     67 // The new passphrase state is sufficient to determine whether a nigori node
     68 // is migrated to support keystore encryption. In addition though, we also
     69 // want to verify the conditions for proper keystore encryption functionality.
     70 // 1. Passphrase state is set.
     71 // 2. Migration time is set.
     72 // 3. Frozen keybag is true
     73 // 4. If passphrase state is keystore, keystore_decryptor_token is set.
     74 bool IsNigoriMigratedToKeystore(const sync_pb::NigoriSpecifics& nigori) {
     75   if (!nigori.has_passphrase_type())
     76     return false;
     77   if (!nigori.has_keystore_migration_time())
     78     return false;
     79   if (!nigori.keybag_is_frozen())
     80     return false;
     81   if (nigori.passphrase_type() ==
     82           sync_pb::NigoriSpecifics::IMPLICIT_PASSPHRASE)
     83     return false;
     84   if (nigori.passphrase_type() ==
     85           sync_pb::NigoriSpecifics::KEYSTORE_PASSPHRASE &&
     86       nigori.keystore_decryptor_token().blob().empty())
     87     return false;
     88   if (!nigori.has_keystore_migration_time())
     89     return false;
     90   return true;
     91 }
     92 
     93 PassphraseType ProtoPassphraseTypeToEnum(
     94     sync_pb::NigoriSpecifics::PassphraseType type) {
     95   switch(type) {
     96     case sync_pb::NigoriSpecifics::IMPLICIT_PASSPHRASE:
     97       return IMPLICIT_PASSPHRASE;
     98     case sync_pb::NigoriSpecifics::KEYSTORE_PASSPHRASE:
     99       return KEYSTORE_PASSPHRASE;
    100     case sync_pb::NigoriSpecifics::CUSTOM_PASSPHRASE:
    101       return CUSTOM_PASSPHRASE;
    102     case sync_pb::NigoriSpecifics::FROZEN_IMPLICIT_PASSPHRASE:
    103       return FROZEN_IMPLICIT_PASSPHRASE;
    104     default:
    105       NOTREACHED();
    106       return IMPLICIT_PASSPHRASE;
    107   };
    108 }
    109 
    110 sync_pb::NigoriSpecifics::PassphraseType
    111 EnumPassphraseTypeToProto(PassphraseType type) {
    112   switch(type) {
    113     case IMPLICIT_PASSPHRASE:
    114       return sync_pb::NigoriSpecifics::IMPLICIT_PASSPHRASE;
    115     case KEYSTORE_PASSPHRASE:
    116       return sync_pb::NigoriSpecifics::KEYSTORE_PASSPHRASE;
    117     case CUSTOM_PASSPHRASE:
    118       return sync_pb::NigoriSpecifics::CUSTOM_PASSPHRASE;
    119     case FROZEN_IMPLICIT_PASSPHRASE:
    120       return sync_pb::NigoriSpecifics::FROZEN_IMPLICIT_PASSPHRASE;
    121     default:
    122       NOTREACHED();
    123       return sync_pb::NigoriSpecifics::IMPLICIT_PASSPHRASE;
    124   };
    125 }
    126 
    127 bool IsExplicitPassphrase(PassphraseType type) {
    128   return type == CUSTOM_PASSPHRASE || type == FROZEN_IMPLICIT_PASSPHRASE;
    129 }
    130 
    131 // Keystore Bootstrap Token helper methods.
    132 // The bootstrap is a base64 encoded, encrypted, ListValue of keystore key
    133 // strings, with the current keystore key as the last value in the list.
    134 std::string PackKeystoreBootstrapToken(
    135     const std::vector<std::string>& old_keystore_keys,
    136     const std::string& current_keystore_key,
    137     Encryptor* encryptor) {
    138   if (current_keystore_key.empty())
    139     return std::string();
    140 
    141   base::ListValue keystore_key_values;
    142   for (size_t i = 0; i < old_keystore_keys.size(); ++i)
    143     keystore_key_values.AppendString(old_keystore_keys[i]);
    144   keystore_key_values.AppendString(current_keystore_key);
    145 
    146   // Update the bootstrap token.
    147   // The bootstrap is a base64 encoded, encrypted, ListValue of keystore key
    148   // strings, with the current keystore key as the last value in the list.
    149   std::string serialized_keystores;
    150   JSONStringValueSerializer json(&serialized_keystores);
    151   json.Serialize(keystore_key_values);
    152   std::string encrypted_keystores;
    153   encryptor->EncryptString(serialized_keystores,
    154                            &encrypted_keystores);
    155   std::string keystore_bootstrap;
    156   base::Base64Encode(encrypted_keystores, &keystore_bootstrap);
    157   return keystore_bootstrap;
    158 }
    159 
    160 bool UnpackKeystoreBootstrapToken(
    161     const std::string& keystore_bootstrap_token,
    162     Encryptor* encryptor,
    163     std::vector<std::string>* old_keystore_keys,
    164     std::string* current_keystore_key) {
    165   if (keystore_bootstrap_token.empty())
    166     return false;
    167   std::string base64_decoded_keystore_bootstrap;
    168   if (!base::Base64Decode(keystore_bootstrap_token,
    169                           &base64_decoded_keystore_bootstrap)) {
    170     return false;
    171   }
    172   std::string decrypted_keystore_bootstrap;
    173   if (!encryptor->DecryptString(base64_decoded_keystore_bootstrap,
    174                                 &decrypted_keystore_bootstrap)) {
    175     return false;
    176   }
    177   JSONStringValueSerializer json(&decrypted_keystore_bootstrap);
    178   scoped_ptr<base::Value> deserialized_keystore_keys(
    179       json.Deserialize(NULL, NULL));
    180   if (!deserialized_keystore_keys)
    181     return false;
    182   base::ListValue* internal_list_value = NULL;
    183   if (!deserialized_keystore_keys->GetAsList(&internal_list_value))
    184     return false;
    185   int number_of_keystore_keys = internal_list_value->GetSize();
    186   if (!internal_list_value->GetString(number_of_keystore_keys - 1,
    187                                       current_keystore_key)) {
    188     return false;
    189   }
    190   old_keystore_keys->resize(number_of_keystore_keys - 1);
    191   for (int i = 0; i < number_of_keystore_keys - 1; ++i)
    192     internal_list_value->GetString(i, &(*old_keystore_keys)[i]);
    193   return true;
    194 }
    195 
    196 }  // namespace
    197 
    198 SyncEncryptionHandlerImpl::Vault::Vault(
    199     Encryptor* encryptor,
    200     ModelTypeSet encrypted_types)
    201     : cryptographer(encryptor),
    202       encrypted_types(encrypted_types) {
    203 }
    204 
    205 SyncEncryptionHandlerImpl::Vault::~Vault() {
    206 }
    207 
    208 SyncEncryptionHandlerImpl::SyncEncryptionHandlerImpl(
    209     UserShare* user_share,
    210     Encryptor* encryptor,
    211     const std::string& restored_key_for_bootstrapping,
    212     const std::string& restored_keystore_key_for_bootstrapping)
    213     : user_share_(user_share),
    214       vault_unsafe_(encryptor, SensitiveTypes()),
    215       encrypt_everything_(false),
    216       passphrase_type_(IMPLICIT_PASSPHRASE),
    217       nigori_overwrite_count_(0),
    218       weak_ptr_factory_(this) {
    219   // Restore the cryptographer's previous keys. Note that we don't add the
    220   // keystore keys into the cryptographer here, in case a migration was pending.
    221   vault_unsafe_.cryptographer.Bootstrap(restored_key_for_bootstrapping);
    222 
    223   // If this fails, we won't have a valid keystore key, and will simply request
    224   // new ones from the server on the next DownloadUpdates.
    225   UnpackKeystoreBootstrapToken(
    226       restored_keystore_key_for_bootstrapping,
    227       encryptor,
    228       &old_keystore_keys_,
    229       &keystore_key_);
    230 }
    231 
    232 SyncEncryptionHandlerImpl::~SyncEncryptionHandlerImpl() {}
    233 
    234 void SyncEncryptionHandlerImpl::AddObserver(Observer* observer) {
    235   DCHECK(thread_checker_.CalledOnValidThread());
    236   DCHECK(!observers_.HasObserver(observer));
    237   observers_.AddObserver(observer);
    238 }
    239 
    240 void SyncEncryptionHandlerImpl::RemoveObserver(Observer* observer) {
    241   DCHECK(thread_checker_.CalledOnValidThread());
    242   DCHECK(observers_.HasObserver(observer));
    243   observers_.RemoveObserver(observer);
    244 }
    245 
    246 void SyncEncryptionHandlerImpl::Init() {
    247   DCHECK(thread_checker_.CalledOnValidThread());
    248   WriteTransaction trans(FROM_HERE, user_share_);
    249   WriteNode node(&trans);
    250 
    251   if (node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK)
    252     return;
    253   if (!ApplyNigoriUpdateImpl(node.GetNigoriSpecifics(),
    254                              trans.GetWrappedTrans())) {
    255     WriteEncryptionStateToNigori(&trans);
    256   }
    257 
    258   bool has_pending_keys = UnlockVault(
    259       trans.GetWrappedTrans()).cryptographer.has_pending_keys();
    260   bool is_ready = UnlockVault(
    261       trans.GetWrappedTrans()).cryptographer.is_ready();
    262   // Log the state of the cryptographer regardless of migration state.
    263   UMA_HISTOGRAM_BOOLEAN("Sync.CryptographerReady", is_ready);
    264   UMA_HISTOGRAM_BOOLEAN("Sync.CryptographerPendingKeys", has_pending_keys);
    265   if (IsNigoriMigratedToKeystore(node.GetNigoriSpecifics())) {
    266     // This account has a nigori node that has been migrated to support
    267     // keystore.
    268     UMA_HISTOGRAM_ENUMERATION("Sync.NigoriMigrationState",
    269                               MIGRATED,
    270                               MIGRATION_STATE_SIZE);
    271     if (has_pending_keys && passphrase_type_ == KEYSTORE_PASSPHRASE) {
    272       // If this is happening, it means the keystore decryptor is either
    273       // undecryptable with the available keystore keys or does not match the
    274       // nigori keybag's encryption key. Otherwise we're simply missing the
    275       // keystore key.
    276       UMA_HISTOGRAM_BOOLEAN("Sync.KeystoreDecryptionFailed",
    277                             !keystore_key_.empty());
    278     }
    279   } else if (!is_ready) {
    280     // Migration cannot occur until the cryptographer is ready (initialized
    281     // with GAIA password and any pending keys resolved).
    282     UMA_HISTOGRAM_ENUMERATION("Sync.NigoriMigrationState",
    283                               NOT_MIGRATED_CRYPTO_NOT_READY,
    284                               MIGRATION_STATE_SIZE);
    285   } else if (keystore_key_.empty()) {
    286     // The client has no keystore key, either because it is not yet enabled or
    287     // the server is not sending a valid keystore key.
    288     UMA_HISTOGRAM_ENUMERATION("Sync.NigoriMigrationState",
    289                               NOT_MIGRATED_NO_KEYSTORE_KEY,
    290                               MIGRATION_STATE_SIZE);
    291   } else {
    292     // If the above conditions have been met and the nigori node is still not
    293     // migrated, something failed in the migration process.
    294     UMA_HISTOGRAM_ENUMERATION("Sync.NigoriMigrationState",
    295                               NOT_MIGRATED_UNKNOWN_REASON,
    296                               MIGRATION_STATE_SIZE);
    297   }
    298 
    299 
    300   // Always trigger an encrypted types and cryptographer state change event at
    301   // init time so observers get the initial values.
    302   FOR_EACH_OBSERVER(
    303       Observer, observers_,
    304       OnEncryptedTypesChanged(
    305           UnlockVault(trans.GetWrappedTrans()).encrypted_types,
    306           encrypt_everything_));
    307   FOR_EACH_OBSERVER(
    308       SyncEncryptionHandler::Observer,
    309       observers_,
    310       OnCryptographerStateChanged(
    311           &UnlockVaultMutable(trans.GetWrappedTrans())->cryptographer));
    312 
    313   // If the cryptographer is not ready (either it has pending keys or we
    314   // failed to initialize it), we don't want to try and re-encrypt the data.
    315   // If we had encrypted types, the DataTypeManager will block, preventing
    316   // sync from happening until the the passphrase is provided.
    317   if (UnlockVault(trans.GetWrappedTrans()).cryptographer.is_ready())
    318     ReEncryptEverything(&trans);
    319 }
    320 
    321 void SyncEncryptionHandlerImpl::SetEncryptionPassphrase(
    322     const std::string& passphrase,
    323     bool is_explicit) {
    324   DCHECK(thread_checker_.CalledOnValidThread());
    325   // We do not accept empty passphrases.
    326   if (passphrase.empty()) {
    327     NOTREACHED() << "Cannot encrypt with an empty passphrase.";
    328     return;
    329   }
    330 
    331   // All accesses to the cryptographer are protected by a transaction.
    332   WriteTransaction trans(FROM_HERE, user_share_);
    333   KeyParams key_params = {"localhost", "dummy", passphrase};
    334   WriteNode node(&trans);
    335   if (node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK) {
    336     NOTREACHED();
    337     return;
    338   }
    339 
    340   Cryptographer* cryptographer =
    341       &UnlockVaultMutable(trans.GetWrappedTrans())->cryptographer;
    342 
    343   // Once we've migrated to keystore, the only way to set a passphrase for
    344   // encryption is to set a custom passphrase.
    345   if (IsNigoriMigratedToKeystore(node.GetNigoriSpecifics())) {
    346     if (!is_explicit) {
    347       // The user is setting a new implicit passphrase. At this point we don't
    348       // care, so drop it on the floor. This is safe because if we have a
    349       // migrated nigori node, then we don't need to create an initial
    350       // encryption key.
    351       LOG(WARNING) << "Ignoring new implicit passphrase. Keystore migration "
    352                    << "already performed.";
    353       return;
    354     }
    355     // Will fail if we already have an explicit passphrase or we have pending
    356     // keys.
    357     SetCustomPassphrase(passphrase, &trans, &node);
    358 
    359     // When keystore migration occurs, the "CustomEncryption" UMA stat must be
    360     // logged as true.
    361     UMA_HISTOGRAM_BOOLEAN("Sync.CustomEncryption", true);
    362     return;
    363   }
    364 
    365   std::string bootstrap_token;
    366   sync_pb::EncryptedData pending_keys;
    367   if (cryptographer->has_pending_keys())
    368     pending_keys = cryptographer->GetPendingKeys();
    369   bool success = false;
    370 
    371   // There are six cases to handle here:
    372   // 1. The user has no pending keys and is setting their current GAIA password
    373   //    as the encryption passphrase. This happens either during first time sync
    374   //    with a clean profile, or after re-authenticating on a profile that was
    375   //    already signed in with the cryptographer ready.
    376   // 2. The user has no pending keys, and is overwriting an (already provided)
    377   //    implicit passphrase with an explicit (custom) passphrase.
    378   // 3. The user has pending keys for an explicit passphrase that is somehow set
    379   //    to their current GAIA passphrase.
    380   // 4. The user has pending keys encrypted with their current GAIA passphrase
    381   //    and the caller passes in the current GAIA passphrase.
    382   // 5. The user has pending keys encrypted with an older GAIA passphrase
    383   //    and the caller passes in the current GAIA passphrase.
    384   // 6. The user has previously done encryption with an explicit passphrase.
    385   // Furthermore, we enforce the fact that the bootstrap encryption token will
    386   // always be derived from the newest GAIA password if the account is using
    387   // an implicit passphrase (even if the data is encrypted with an old GAIA
    388   // password). If the account is using an explicit (custom) passphrase, the
    389   // bootstrap token will be derived from the most recently provided explicit
    390   // passphrase (that was able to decrypt the data).
    391   if (!IsExplicitPassphrase(passphrase_type_)) {
    392     if (!cryptographer->has_pending_keys()) {
    393       if (cryptographer->AddKey(key_params)) {
    394         // Case 1 and 2. We set a new GAIA passphrase when there are no pending
    395         // keys (1), or overwriting an implicit passphrase with a new explicit
    396         // one (2) when there are no pending keys.
    397         if (is_explicit) {
    398           DVLOG(1) << "Setting explicit passphrase for encryption.";
    399           passphrase_type_ = CUSTOM_PASSPHRASE;
    400           custom_passphrase_time_ = base::Time::Now();
    401           FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    402                             OnPassphraseTypeChanged(
    403                                 passphrase_type_,
    404                                 GetExplicitPassphraseTime()));
    405         } else {
    406           DVLOG(1) << "Setting implicit passphrase for encryption.";
    407         }
    408         cryptographer->GetBootstrapToken(&bootstrap_token);
    409 
    410         // With M26, sync accounts can be in only one of two encryption states:
    411         // 1) Encrypt only passwords with an implicit passphrase.
    412         // 2) Encrypt all sync datatypes with an explicit passphrase.
    413         // We deprecate the "EncryptAllData" and "CustomPassphrase" histograms,
    414         // and keep track of an account's encryption state via the
    415         // "CustomEncryption" histogram. See http://crbug.com/131478.
    416         UMA_HISTOGRAM_BOOLEAN("Sync.CustomEncryption", is_explicit);
    417 
    418         success = true;
    419       } else {
    420         NOTREACHED() << "Failed to add key to cryptographer.";
    421         success = false;
    422       }
    423     } else {  // cryptographer->has_pending_keys() == true
    424       if (is_explicit) {
    425         // This can only happen if the nigori node is updated with a new
    426         // implicit passphrase while a client is attempting to set a new custom
    427         // passphrase (race condition).
    428         DVLOG(1) << "Failing because an implicit passphrase is already set.";
    429         success = false;
    430       } else {  // is_explicit == false
    431         if (cryptographer->DecryptPendingKeys(key_params)) {
    432           // Case 4. We successfully decrypted with the implicit GAIA passphrase
    433           // passed in.
    434           DVLOG(1) << "Implicit internal passphrase accepted for decryption.";
    435           cryptographer->GetBootstrapToken(&bootstrap_token);
    436           success = true;
    437         } else {
    438           // Case 5. Encryption was done with an old GAIA password, but we were
    439           // provided with the current GAIA password. We need to generate a new
    440           // bootstrap token to preserve it. We build a temporary cryptographer
    441           // to allow us to extract these params without polluting our current
    442           // cryptographer.
    443           DVLOG(1) << "Implicit internal passphrase failed to decrypt, adding "
    444                    << "anyways as default passphrase and persisting via "
    445                    << "bootstrap token.";
    446           Cryptographer temp_cryptographer(cryptographer->encryptor());
    447           temp_cryptographer.AddKey(key_params);
    448           temp_cryptographer.GetBootstrapToken(&bootstrap_token);
    449           // We then set the new passphrase as the default passphrase of the
    450           // real cryptographer, even though we have pending keys. This is safe,
    451           // as although Cryptographer::is_initialized() will now be true,
    452           // is_ready() will remain false due to having pending keys.
    453           cryptographer->AddKey(key_params);
    454           success = false;
    455         }
    456       }  // is_explicit
    457     }  // cryptographer->has_pending_keys()
    458   } else {  // IsExplicitPassphrase(passphrase_type_) == true.
    459     // Case 6. We do not want to override a previously set explicit passphrase,
    460     // so we return a failure.
    461     DVLOG(1) << "Failing because an explicit passphrase is already set.";
    462     success = false;
    463   }
    464 
    465   DVLOG_IF(1, !success)
    466       << "Failure in SetEncryptionPassphrase; notifying and returning.";
    467   DVLOG_IF(1, success)
    468       << "Successfully set encryption passphrase; updating nigori and "
    469          "reencrypting.";
    470 
    471   FinishSetPassphrase(success, bootstrap_token, &trans, &node);
    472 }
    473 
    474 void SyncEncryptionHandlerImpl::SetDecryptionPassphrase(
    475     const std::string& passphrase) {
    476   DCHECK(thread_checker_.CalledOnValidThread());
    477   // We do not accept empty passphrases.
    478   if (passphrase.empty()) {
    479     NOTREACHED() << "Cannot decrypt with an empty passphrase.";
    480     return;
    481   }
    482 
    483   // All accesses to the cryptographer are protected by a transaction.
    484   WriteTransaction trans(FROM_HERE, user_share_);
    485   KeyParams key_params = {"localhost", "dummy", passphrase};
    486   WriteNode node(&trans);
    487   if (node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK) {
    488     NOTREACHED();
    489     return;
    490   }
    491 
    492   // Once we've migrated to keystore, we're only ever decrypting keys derived
    493   // from an explicit passphrase. But, for clients without a keystore key yet
    494   // (either not on by default or failed to download one), we still support
    495   // decrypting with a gaia passphrase, and therefore bypass the
    496   // DecryptPendingKeysWithExplicitPassphrase logic.
    497   if (IsNigoriMigratedToKeystore(node.GetNigoriSpecifics()) &&
    498       IsExplicitPassphrase(passphrase_type_)) {
    499     DecryptPendingKeysWithExplicitPassphrase(passphrase, &trans, &node);
    500     return;
    501   }
    502 
    503   Cryptographer* cryptographer =
    504       &UnlockVaultMutable(trans.GetWrappedTrans())->cryptographer;
    505   if (!cryptographer->has_pending_keys()) {
    506     // Note that this *can* happen in a rare situation where data is
    507     // re-encrypted on another client while a SetDecryptionPassphrase() call is
    508     // in-flight on this client. It is rare enough that we choose to do nothing.
    509     NOTREACHED() << "Attempt to set decryption passphrase failed because there "
    510                  << "were no pending keys.";
    511     return;
    512   }
    513 
    514   std::string bootstrap_token;
    515   sync_pb::EncryptedData pending_keys;
    516   pending_keys = cryptographer->GetPendingKeys();
    517   bool success = false;
    518 
    519   // There are three cases to handle here:
    520   // 7. We're using the current GAIA password to decrypt the pending keys. This
    521   //    happens when signing in to an account with a previously set implicit
    522   //    passphrase, where the data is already encrypted with the newest GAIA
    523   //    password.
    524   // 8. The user is providing an old GAIA password to decrypt the pending keys.
    525   //    In this case, the user is using an implicit passphrase, but has changed
    526   //    their password since they last encrypted their data, and therefore
    527   //    their current GAIA password was unable to decrypt the data. This will
    528   //    happen when the user is setting up a new profile with a previously
    529   //    encrypted account (after changing passwords).
    530   // 9. The user is providing a previously set explicit passphrase to decrypt
    531   //    the pending keys.
    532   if (!IsExplicitPassphrase(passphrase_type_)) {
    533     if (cryptographer->is_initialized()) {
    534       // We only want to change the default encryption key to the pending
    535       // one if the pending keybag already contains the current default.
    536       // This covers the case where a different client re-encrypted
    537       // everything with a newer gaia passphrase (and hence the keybag
    538       // contains keys from all previously used gaia passphrases).
    539       // Otherwise, we're in a situation where the pending keys are
    540       // encrypted with an old gaia passphrase, while the default is the
    541       // current gaia passphrase. In that case, we preserve the default.
    542       Cryptographer temp_cryptographer(cryptographer->encryptor());
    543       temp_cryptographer.SetPendingKeys(cryptographer->GetPendingKeys());
    544       if (temp_cryptographer.DecryptPendingKeys(key_params)) {
    545         // Check to see if the pending bag of keys contains the current
    546         // default key.
    547         sync_pb::EncryptedData encrypted;
    548         cryptographer->GetKeys(&encrypted);
    549         if (temp_cryptographer.CanDecrypt(encrypted)) {
    550           DVLOG(1) << "Implicit user provided passphrase accepted for "
    551                    << "decryption, overwriting default.";
    552           // Case 7. The pending keybag contains the current default. Go ahead
    553           // and update the cryptographer, letting the default change.
    554           cryptographer->DecryptPendingKeys(key_params);
    555           cryptographer->GetBootstrapToken(&bootstrap_token);
    556           success = true;
    557         } else {
    558           // Case 8. The pending keybag does not contain the current default
    559           // encryption key. We decrypt the pending keys here, and in
    560           // FinishSetPassphrase, re-encrypt everything with the current GAIA
    561           // passphrase instead of the passphrase just provided by the user.
    562           DVLOG(1) << "Implicit user provided passphrase accepted for "
    563                    << "decryption, restoring implicit internal passphrase "
    564                    << "as default.";
    565           std::string bootstrap_token_from_current_key;
    566           cryptographer->GetBootstrapToken(
    567               &bootstrap_token_from_current_key);
    568           cryptographer->DecryptPendingKeys(key_params);
    569           // Overwrite the default from the pending keys.
    570           cryptographer->AddKeyFromBootstrapToken(
    571               bootstrap_token_from_current_key);
    572           success = true;
    573         }
    574       } else {  // !temp_cryptographer.DecryptPendingKeys(..)
    575         DVLOG(1) << "Implicit user provided passphrase failed to decrypt.";
    576         success = false;
    577       }  // temp_cryptographer.DecryptPendingKeys(...)
    578     } else {  // cryptographer->is_initialized() == false
    579       if (cryptographer->DecryptPendingKeys(key_params)) {
    580         // This can happpen in two cases:
    581         // - First time sync on android, where we'll never have a
    582         //   !user_provided passphrase.
    583         // - This is a restart for a client that lost their bootstrap token.
    584         // In both cases, we should go ahead and initialize the cryptographer
    585         // and persist the new bootstrap token.
    586         //
    587         // Note: at this point, we cannot distinguish between cases 7 and 8
    588         // above. This user provided passphrase could be the current or the
    589         // old. But, as long as we persist the token, there's nothing more
    590         // we can do.
    591         cryptographer->GetBootstrapToken(&bootstrap_token);
    592         DVLOG(1) << "Implicit user provided passphrase accepted, initializing"
    593                  << " cryptographer.";
    594         success = true;
    595       } else {
    596         DVLOG(1) << "Implicit user provided passphrase failed to decrypt.";
    597         success = false;
    598       }
    599     }  // cryptographer->is_initialized()
    600   } else {  // nigori_has_explicit_passphrase == true
    601     // Case 9. Encryption was done with an explicit passphrase, and we decrypt
    602     // with the passphrase provided by the user.
    603     if (cryptographer->DecryptPendingKeys(key_params)) {
    604       DVLOG(1) << "Explicit passphrase accepted for decryption.";
    605       cryptographer->GetBootstrapToken(&bootstrap_token);
    606       success = true;
    607     } else {
    608       DVLOG(1) << "Explicit passphrase failed to decrypt.";
    609       success = false;
    610     }
    611   }  // nigori_has_explicit_passphrase
    612 
    613   DVLOG_IF(1, !success)
    614       << "Failure in SetDecryptionPassphrase; notifying and returning.";
    615   DVLOG_IF(1, success)
    616       << "Successfully set decryption passphrase; updating nigori and "
    617          "reencrypting.";
    618 
    619   FinishSetPassphrase(success, bootstrap_token, &trans, &node);
    620 }
    621 
    622 void SyncEncryptionHandlerImpl::EnableEncryptEverything() {
    623   DCHECK(thread_checker_.CalledOnValidThread());
    624   WriteTransaction trans(FROM_HERE, user_share_);
    625   DVLOG(1) << "Enabling encrypt everything.";
    626   if (encrypt_everything_)
    627     return;
    628   EnableEncryptEverythingImpl(trans.GetWrappedTrans());
    629   WriteEncryptionStateToNigori(&trans);
    630   if (UnlockVault(trans.GetWrappedTrans()).cryptographer.is_ready())
    631     ReEncryptEverything(&trans);
    632 }
    633 
    634 bool SyncEncryptionHandlerImpl::EncryptEverythingEnabled() const {
    635   DCHECK(thread_checker_.CalledOnValidThread());
    636   return encrypt_everything_;
    637 }
    638 
    639 PassphraseType SyncEncryptionHandlerImpl::GetPassphraseType() const {
    640   DCHECK(thread_checker_.CalledOnValidThread());
    641   return passphrase_type_;
    642 }
    643 
    644 // Note: this is called from within a syncable transaction, so we need to post
    645 // tasks if we want to do any work that creates a new sync_api transaction.
    646 void SyncEncryptionHandlerImpl::ApplyNigoriUpdate(
    647     const sync_pb::NigoriSpecifics& nigori,
    648     syncable::BaseTransaction* const trans) {
    649   DCHECK(thread_checker_.CalledOnValidThread());
    650   DCHECK(trans);
    651   if (!ApplyNigoriUpdateImpl(nigori, trans)) {
    652     base::MessageLoop::current()->PostTask(
    653         FROM_HERE,
    654         base::Bind(&SyncEncryptionHandlerImpl::RewriteNigori,
    655                    weak_ptr_factory_.GetWeakPtr()));
    656   }
    657 
    658   FOR_EACH_OBSERVER(
    659       SyncEncryptionHandler::Observer,
    660       observers_,
    661       OnCryptographerStateChanged(
    662           &UnlockVaultMutable(trans)->cryptographer));
    663 }
    664 
    665 void SyncEncryptionHandlerImpl::UpdateNigoriFromEncryptedTypes(
    666     sync_pb::NigoriSpecifics* nigori,
    667     syncable::BaseTransaction* const trans) const {
    668   DCHECK(thread_checker_.CalledOnValidThread());
    669   syncable::UpdateNigoriFromEncryptedTypes(UnlockVault(trans).encrypted_types,
    670                                            encrypt_everything_,
    671                                            nigori);
    672 }
    673 
    674 bool SyncEncryptionHandlerImpl::NeedKeystoreKey(
    675     syncable::BaseTransaction* const trans) const {
    676   DCHECK(thread_checker_.CalledOnValidThread());
    677   return keystore_key_.empty();
    678 }
    679 
    680 bool SyncEncryptionHandlerImpl::SetKeystoreKeys(
    681     const google::protobuf::RepeatedPtrField<google::protobuf::string>& keys,
    682     syncable::BaseTransaction* const trans) {
    683   DCHECK(thread_checker_.CalledOnValidThread());
    684   if (keys.size() == 0)
    685     return false;
    686   // The last key in the vector is the current keystore key. The others are kept
    687   // around for decryption only.
    688   const std::string& raw_keystore_key = keys.Get(keys.size() - 1);
    689   if (raw_keystore_key.empty())
    690     return false;
    691 
    692   // Note: in order to Pack the keys, they must all be base64 encoded (else
    693   // JSON serialization fails).
    694   base::Base64Encode(raw_keystore_key, &keystore_key_);
    695 
    696   // Go through and save the old keystore keys. We always persist all keystore
    697   // keys the server sends us.
    698   old_keystore_keys_.resize(keys.size() - 1);
    699   for (int i = 0; i < keys.size() - 1; ++i)
    700     base::Base64Encode(keys.Get(i), &old_keystore_keys_[i]);
    701 
    702   Cryptographer* cryptographer = &UnlockVaultMutable(trans)->cryptographer;
    703 
    704   // Update the bootstrap token. If this fails, we persist an empty string,
    705   // which will force us to download the keystore keys again on the next
    706   // restart.
    707   std::string keystore_bootstrap = PackKeystoreBootstrapToken(
    708       old_keystore_keys_,
    709       keystore_key_,
    710       cryptographer->encryptor());
    711   DCHECK_EQ(keystore_bootstrap.empty(), keystore_key_.empty());
    712   FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    713                     OnBootstrapTokenUpdated(keystore_bootstrap,
    714                                             KEYSTORE_BOOTSTRAP_TOKEN));
    715   DVLOG(1) << "Keystore bootstrap token updated.";
    716 
    717   // If this is a first time sync, we get the encryption keys before we process
    718   // the nigori node. Just return for now, ApplyNigoriUpdate will be invoked
    719   // once we have the nigori node.
    720   syncable::Entry entry(trans, syncable::GET_TYPE_ROOT, NIGORI);
    721   if (!entry.good())
    722     return true;
    723 
    724   const sync_pb::NigoriSpecifics& nigori =
    725       entry.GetSpecifics().nigori();
    726   if (cryptographer->has_pending_keys() &&
    727       IsNigoriMigratedToKeystore(nigori) &&
    728       !nigori.keystore_decryptor_token().blob().empty()) {
    729     // If the nigori is already migrated and we have pending keys, we might
    730     // be able to decrypt them using either the keystore decryptor token
    731     // or the existing keystore keys.
    732     DecryptPendingKeysWithKeystoreKey(keystore_key_,
    733                                       nigori.keystore_decryptor_token(),
    734                                       cryptographer);
    735   }
    736 
    737   // Note that triggering migration will have no effect if we're already
    738   // properly migrated with the newest keystore keys.
    739   if (ShouldTriggerMigration(nigori, *cryptographer)) {
    740     base::MessageLoop::current()->PostTask(
    741         FROM_HERE,
    742         base::Bind(&SyncEncryptionHandlerImpl::RewriteNigori,
    743                    weak_ptr_factory_.GetWeakPtr()));
    744   }
    745 
    746   return true;
    747 }
    748 
    749 ModelTypeSet SyncEncryptionHandlerImpl::GetEncryptedTypes(
    750     syncable::BaseTransaction* const trans) const {
    751   return UnlockVault(trans).encrypted_types;
    752 }
    753 
    754 Cryptographer* SyncEncryptionHandlerImpl::GetCryptographerUnsafe() {
    755   DCHECK(thread_checker_.CalledOnValidThread());
    756   return &vault_unsafe_.cryptographer;
    757 }
    758 
    759 ModelTypeSet SyncEncryptionHandlerImpl::GetEncryptedTypesUnsafe() {
    760   DCHECK(thread_checker_.CalledOnValidThread());
    761   return vault_unsafe_.encrypted_types;
    762 }
    763 
    764 bool SyncEncryptionHandlerImpl::MigratedToKeystore() {
    765   DCHECK(thread_checker_.CalledOnValidThread());
    766   ReadTransaction trans(FROM_HERE, user_share_);
    767   ReadNode nigori_node(&trans);
    768   if (nigori_node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK)
    769     return false;
    770   return IsNigoriMigratedToKeystore(nigori_node.GetNigoriSpecifics());
    771 }
    772 
    773 base::Time SyncEncryptionHandlerImpl::migration_time() const {
    774   return migration_time_;
    775 }
    776 
    777 base::Time SyncEncryptionHandlerImpl::custom_passphrase_time() const {
    778   return custom_passphrase_time_;
    779 }
    780 
    781 // This function iterates over all encrypted types.  There are many scenarios in
    782 // which data for some or all types is not currently available.  In that case,
    783 // the lookup of the root node will fail and we will skip encryption for that
    784 // type.
    785 void SyncEncryptionHandlerImpl::ReEncryptEverything(
    786     WriteTransaction* trans) {
    787   DCHECK(thread_checker_.CalledOnValidThread());
    788   DCHECK(UnlockVault(trans->GetWrappedTrans()).cryptographer.is_ready());
    789   for (ModelTypeSet::Iterator iter =
    790            UnlockVault(trans->GetWrappedTrans()).encrypted_types.First();
    791        iter.Good(); iter.Inc()) {
    792     if (iter.Get() == PASSWORDS || IsControlType(iter.Get()))
    793       continue; // These types handle encryption differently.
    794 
    795     ReadNode type_root(trans);
    796     if (type_root.InitTypeRoot(iter.Get()) != BaseNode::INIT_OK)
    797       continue; // Don't try to reencrypt if the type's data is unavailable.
    798 
    799     // Iterate through all children of this datatype.
    800     std::queue<int64> to_visit;
    801     int64 child_id = type_root.GetFirstChildId();
    802     to_visit.push(child_id);
    803     while (!to_visit.empty()) {
    804       child_id = to_visit.front();
    805       to_visit.pop();
    806       if (child_id == kInvalidId)
    807         continue;
    808 
    809       WriteNode child(trans);
    810       if (child.InitByIdLookup(child_id) != BaseNode::INIT_OK)
    811         continue;  // Possible for locally deleted items.
    812       if (child.GetIsFolder()) {
    813         to_visit.push(child.GetFirstChildId());
    814       }
    815       if (child.GetEntry()->GetUniqueServerTag().empty()) {
    816       // Rewrite the specifics of the node with encrypted data if necessary
    817       // (only rewrite the non-unique folders).
    818         child.ResetFromSpecifics();
    819       }
    820       to_visit.push(child.GetSuccessorId());
    821     }
    822   }
    823 
    824   // Passwords are encrypted with their own legacy scheme.  Passwords are always
    825   // encrypted so we don't need to check GetEncryptedTypes() here.
    826   ReadNode passwords_root(trans);
    827   if (passwords_root.InitTypeRoot(PASSWORDS) == BaseNode::INIT_OK) {
    828     int64 child_id = passwords_root.GetFirstChildId();
    829     while (child_id != kInvalidId) {
    830       WriteNode child(trans);
    831       if (child.InitByIdLookup(child_id) != BaseNode::INIT_OK) {
    832         NOTREACHED();
    833         return;
    834       }
    835       child.SetPasswordSpecifics(child.GetPasswordSpecifics());
    836       child_id = child.GetSuccessorId();
    837     }
    838   }
    839 
    840   DVLOG(1) << "Re-encrypt everything complete.";
    841 
    842   // NOTE: We notify from within a transaction.
    843   FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    844                     OnEncryptionComplete());
    845 }
    846 
    847 bool SyncEncryptionHandlerImpl::ApplyNigoriUpdateImpl(
    848     const sync_pb::NigoriSpecifics& nigori,
    849     syncable::BaseTransaction* const trans) {
    850   DCHECK(thread_checker_.CalledOnValidThread());
    851   DVLOG(1) << "Applying nigori node update.";
    852   bool nigori_types_need_update = !UpdateEncryptedTypesFromNigori(nigori,
    853                                                                   trans);
    854 
    855   if (nigori.custom_passphrase_time() != 0) {
    856     custom_passphrase_time_ =
    857         ProtoTimeToTime(nigori.custom_passphrase_time());
    858   }
    859   bool is_nigori_migrated = IsNigoriMigratedToKeystore(nigori);
    860   if (is_nigori_migrated) {
    861     DCHECK(nigori.has_keystore_migration_time());
    862     migration_time_ = ProtoTimeToTime(nigori.keystore_migration_time());
    863     PassphraseType nigori_passphrase_type =
    864         ProtoPassphraseTypeToEnum(nigori.passphrase_type());
    865 
    866     // Only update the local passphrase state if it's a valid transition:
    867     // - implicit -> keystore
    868     // - implicit -> frozen implicit
    869     // - implicit -> custom
    870     // - keystore -> custom
    871     // Note: frozen implicit -> custom is not technically a valid transition,
    872     // but we let it through here as well in case future versions do add support
    873     // for this transition.
    874     if (passphrase_type_ != nigori_passphrase_type &&
    875         nigori_passphrase_type != IMPLICIT_PASSPHRASE &&
    876         (passphrase_type_ == IMPLICIT_PASSPHRASE ||
    877          nigori_passphrase_type == CUSTOM_PASSPHRASE)) {
    878       DVLOG(1) << "Changing passphrase state from "
    879                << PassphraseTypeToString(passphrase_type_)
    880                << " to "
    881                << PassphraseTypeToString(nigori_passphrase_type);
    882       passphrase_type_ = nigori_passphrase_type;
    883       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    884                             OnPassphraseTypeChanged(
    885                                 passphrase_type_,
    886                                 GetExplicitPassphraseTime()));
    887     }
    888     if (passphrase_type_ == KEYSTORE_PASSPHRASE && encrypt_everything_) {
    889       // This is the case where another client that didn't support keystore
    890       // encryption attempted to enable full encryption. We detect it
    891       // and switch the passphrase type to frozen implicit passphrase instead
    892       // due to full encryption not being compatible with keystore passphrase.
    893       // Because the local passphrase type will not match the nigori passphrase
    894       // type, we will trigger a rewrite and subsequently a re-migration.
    895       DVLOG(1) << "Changing passphrase state to FROZEN_IMPLICIT_PASSPHRASE "
    896                << "due to full encryption.";
    897       passphrase_type_ = FROZEN_IMPLICIT_PASSPHRASE;
    898       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    899                             OnPassphraseTypeChanged(
    900                                 passphrase_type_,
    901                                 GetExplicitPassphraseTime()));
    902     }
    903   } else {
    904     // It's possible that while we're waiting for migration a client that does
    905     // not have keystore encryption enabled switches to a custom passphrase.
    906     if (nigori.keybag_is_frozen() &&
    907         passphrase_type_ != CUSTOM_PASSPHRASE) {
    908       passphrase_type_ = CUSTOM_PASSPHRASE;
    909       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    910                             OnPassphraseTypeChanged(
    911                                 passphrase_type_,
    912                                 GetExplicitPassphraseTime()));
    913     }
    914   }
    915 
    916   Cryptographer* cryptographer = &UnlockVaultMutable(trans)->cryptographer;
    917   bool nigori_needs_new_keys = false;
    918   if (!nigori.encryption_keybag().blob().empty()) {
    919     // We only update the default key if this was a new explicit passphrase.
    920     // Else, since it was decryptable, it must not have been a new key.
    921     bool need_new_default_key = false;
    922     if (is_nigori_migrated) {
    923       need_new_default_key = IsExplicitPassphrase(
    924           ProtoPassphraseTypeToEnum(nigori.passphrase_type()));
    925     } else {
    926       need_new_default_key = nigori.keybag_is_frozen();
    927     }
    928     if (!AttemptToInstallKeybag(nigori.encryption_keybag(),
    929                                 need_new_default_key,
    930                                 cryptographer)) {
    931       // Check to see if we can decrypt the keybag using the keystore decryptor
    932       // token.
    933       cryptographer->SetPendingKeys(nigori.encryption_keybag());
    934       if (!nigori.keystore_decryptor_token().blob().empty() &&
    935           !keystore_key_.empty()) {
    936         if (DecryptPendingKeysWithKeystoreKey(keystore_key_,
    937                                               nigori.keystore_decryptor_token(),
    938                                               cryptographer)) {
    939           nigori_needs_new_keys =
    940               cryptographer->KeybagIsStale(nigori.encryption_keybag());
    941         } else {
    942           LOG(ERROR) << "Failed to decrypt pending keys using keystore "
    943                      << "bootstrap key.";
    944         }
    945       }
    946     } else {
    947       // Keybag was installed. We write back our local keybag into the nigori
    948       // node if the nigori node's keybag either contains less keys or
    949       // has a different default key.
    950       nigori_needs_new_keys =
    951           cryptographer->KeybagIsStale(nigori.encryption_keybag());
    952     }
    953   } else {
    954     // The nigori node has an empty encryption keybag. Attempt to write our
    955     // local encryption keys into it.
    956     LOG(WARNING) << "Nigori had empty encryption keybag.";
    957     nigori_needs_new_keys = true;
    958   }
    959 
    960   // If we've completed a sync cycle and the cryptographer isn't ready
    961   // yet or has pending keys, prompt the user for a passphrase.
    962   if (cryptographer->has_pending_keys()) {
    963     DVLOG(1) << "OnPassphraseRequired Sent";
    964     sync_pb::EncryptedData pending_keys = cryptographer->GetPendingKeys();
    965     FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    966                       OnPassphraseRequired(REASON_DECRYPTION,
    967                                            pending_keys));
    968   } else if (!cryptographer->is_ready()) {
    969     DVLOG(1) << "OnPassphraseRequired sent because cryptographer is not "
    970              << "ready";
    971     FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
    972                       OnPassphraseRequired(REASON_ENCRYPTION,
    973                                            sync_pb::EncryptedData()));
    974   }
    975 
    976   // Check if the current local encryption state is stricter/newer than the
    977   // nigori state. If so, we need to overwrite the nigori node with the local
    978   // state.
    979   bool passphrase_type_matches = true;
    980   if (!is_nigori_migrated) {
    981     DCHECK(passphrase_type_ == CUSTOM_PASSPHRASE ||
    982            passphrase_type_ == IMPLICIT_PASSPHRASE);
    983     passphrase_type_matches =
    984         nigori.keybag_is_frozen() == IsExplicitPassphrase(passphrase_type_);
    985   } else {
    986     passphrase_type_matches =
    987         (ProtoPassphraseTypeToEnum(nigori.passphrase_type()) ==
    988              passphrase_type_);
    989   }
    990   if (!passphrase_type_matches ||
    991       nigori.encrypt_everything() != encrypt_everything_ ||
    992       nigori_types_need_update ||
    993       nigori_needs_new_keys) {
    994     DVLOG(1) << "Triggering nigori rewrite.";
    995     return false;
    996   }
    997   return true;
    998 }
    999 
   1000 void SyncEncryptionHandlerImpl::RewriteNigori() {
   1001   DVLOG(1) << "Writing local encryption state into nigori.";
   1002   DCHECK(thread_checker_.CalledOnValidThread());
   1003   WriteTransaction trans(FROM_HERE, user_share_);
   1004   WriteEncryptionStateToNigori(&trans);
   1005 }
   1006 
   1007 void SyncEncryptionHandlerImpl::WriteEncryptionStateToNigori(
   1008     WriteTransaction* trans) {
   1009   DCHECK(thread_checker_.CalledOnValidThread());
   1010   WriteNode nigori_node(trans);
   1011   // This can happen in tests that don't have nigori nodes.
   1012   if (nigori_node.InitTypeRoot(NIGORI) != BaseNode::INIT_OK)
   1013     return;
   1014 
   1015   sync_pb::NigoriSpecifics nigori = nigori_node.GetNigoriSpecifics();
   1016   const Cryptographer& cryptographer =
   1017       UnlockVault(trans->GetWrappedTrans()).cryptographer;
   1018 
   1019   // Will not do anything if we shouldn't or can't migrate. Otherwise
   1020   // migrates, writing the full encryption state as it does.
   1021   if (!AttemptToMigrateNigoriToKeystore(trans, &nigori_node)) {
   1022     if (cryptographer.is_ready() &&
   1023         nigori_overwrite_count_ < kNigoriOverwriteLimit) {
   1024       // Does not modify the encrypted blob if the unencrypted data already
   1025       // matches what is about to be written.
   1026       sync_pb::EncryptedData original_keys = nigori.encryption_keybag();
   1027       if (!cryptographer.GetKeys(nigori.mutable_encryption_keybag()))
   1028         NOTREACHED();
   1029 
   1030       if (nigori.encryption_keybag().SerializeAsString() !=
   1031           original_keys.SerializeAsString()) {
   1032         // We've updated the nigori node's encryption keys. In order to prevent
   1033         // a possible looping of two clients constantly overwriting each other,
   1034         // we limit the absolute number of overwrites per client instantiation.
   1035         nigori_overwrite_count_++;
   1036         UMA_HISTOGRAM_COUNTS("Sync.AutoNigoriOverwrites",
   1037                              nigori_overwrite_count_);
   1038       }
   1039 
   1040       // Note: we don't try to set keybag_is_frozen here since if that
   1041       // is lost the user can always set it again (and we don't want to clobber
   1042       // any migration state). The main goal at this point is to preserve
   1043       // the encryption keys so all data remains decryptable.
   1044     }
   1045     syncable::UpdateNigoriFromEncryptedTypes(
   1046         UnlockVault(trans->GetWrappedTrans()).encrypted_types,
   1047         encrypt_everything_,
   1048         &nigori);
   1049     if (!custom_passphrase_time_.is_null()) {
   1050       nigori.set_custom_passphrase_time(
   1051           TimeToProtoTime(custom_passphrase_time_));
   1052     }
   1053 
   1054     // If nothing has changed, this is a no-op.
   1055     nigori_node.SetNigoriSpecifics(nigori);
   1056   }
   1057 }
   1058 
   1059 bool SyncEncryptionHandlerImpl::UpdateEncryptedTypesFromNigori(
   1060     const sync_pb::NigoriSpecifics& nigori,
   1061     syncable::BaseTransaction* const trans) {
   1062   DCHECK(thread_checker_.CalledOnValidThread());
   1063   ModelTypeSet* encrypted_types = &UnlockVaultMutable(trans)->encrypted_types;
   1064   if (nigori.encrypt_everything()) {
   1065     EnableEncryptEverythingImpl(trans);
   1066     DCHECK(encrypted_types->Equals(EncryptableUserTypes()));
   1067     return true;
   1068   } else if (encrypt_everything_) {
   1069     DCHECK(encrypted_types->Equals(EncryptableUserTypes()));
   1070     return false;
   1071   }
   1072 
   1073   ModelTypeSet nigori_encrypted_types;
   1074   nigori_encrypted_types = syncable::GetEncryptedTypesFromNigori(nigori);
   1075   nigori_encrypted_types.PutAll(SensitiveTypes());
   1076 
   1077   // If anything more than the sensitive types were encrypted, and
   1078   // encrypt_everything is not explicitly set to false, we assume it means
   1079   // a client intended to enable encrypt everything.
   1080   if (!nigori.has_encrypt_everything() &&
   1081       !Difference(nigori_encrypted_types, SensitiveTypes()).Empty()) {
   1082     if (!encrypt_everything_) {
   1083       encrypt_everything_ = true;
   1084       *encrypted_types = EncryptableUserTypes();
   1085       FOR_EACH_OBSERVER(
   1086           Observer, observers_,
   1087           OnEncryptedTypesChanged(*encrypted_types, encrypt_everything_));
   1088     }
   1089     DCHECK(encrypted_types->Equals(EncryptableUserTypes()));
   1090     return false;
   1091   }
   1092 
   1093   MergeEncryptedTypes(nigori_encrypted_types, trans);
   1094   return encrypted_types->Equals(nigori_encrypted_types);
   1095 }
   1096 
   1097 void SyncEncryptionHandlerImpl::SetCustomPassphrase(
   1098     const std::string& passphrase,
   1099     WriteTransaction* trans,
   1100     WriteNode* nigori_node) {
   1101   DCHECK(thread_checker_.CalledOnValidThread());
   1102   DCHECK(IsNigoriMigratedToKeystore(nigori_node->GetNigoriSpecifics()));
   1103   KeyParams key_params = {"localhost", "dummy", passphrase};
   1104 
   1105   if (passphrase_type_ != KEYSTORE_PASSPHRASE) {
   1106     DVLOG(1) << "Failing to set a custom passphrase because one has already "
   1107              << "been set.";
   1108     FinishSetPassphrase(false, std::string(), trans, nigori_node);
   1109     return;
   1110   }
   1111 
   1112   Cryptographer* cryptographer =
   1113       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
   1114   if (cryptographer->has_pending_keys()) {
   1115     // This theoretically shouldn't happen, because the only way to have pending
   1116     // keys after migrating to keystore support is if a custom passphrase was
   1117     // set, which should update passpshrase_state_ and should be caught by the
   1118     // if statement above. For the sake of safety though, we check for it in
   1119     // case a client is misbehaving.
   1120     LOG(ERROR) << "Failing to set custom passphrase because of pending keys.";
   1121     FinishSetPassphrase(false, std::string(), trans, nigori_node);
   1122     return;
   1123   }
   1124 
   1125   std::string bootstrap_token;
   1126   if (cryptographer->AddKey(key_params)) {
   1127     DVLOG(1) << "Setting custom passphrase.";
   1128     cryptographer->GetBootstrapToken(&bootstrap_token);
   1129     passphrase_type_ = CUSTOM_PASSPHRASE;
   1130     custom_passphrase_time_ = base::Time::Now();
   1131     FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1132                             OnPassphraseTypeChanged(
   1133                                 passphrase_type_,
   1134                                 GetExplicitPassphraseTime()));
   1135   } else {
   1136     NOTREACHED() << "Failed to add key to cryptographer.";
   1137     return;
   1138   }
   1139   FinishSetPassphrase(true, bootstrap_token, trans, nigori_node);
   1140 }
   1141 
   1142 void SyncEncryptionHandlerImpl::DecryptPendingKeysWithExplicitPassphrase(
   1143     const std::string& passphrase,
   1144     WriteTransaction* trans,
   1145     WriteNode* nigori_node) {
   1146   DCHECK(thread_checker_.CalledOnValidThread());
   1147   DCHECK(IsExplicitPassphrase(passphrase_type_));
   1148   KeyParams key_params = {"localhost", "dummy", passphrase};
   1149 
   1150   Cryptographer* cryptographer =
   1151       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
   1152   if (!cryptographer->has_pending_keys()) {
   1153     // Note that this *can* happen in a rare situation where data is
   1154     // re-encrypted on another client while a SetDecryptionPassphrase() call is
   1155     // in-flight on this client. It is rare enough that we choose to do nothing.
   1156     NOTREACHED() << "Attempt to set decryption passphrase failed because there "
   1157                  << "were no pending keys.";
   1158     return;
   1159   }
   1160 
   1161   DCHECK(IsExplicitPassphrase(passphrase_type_));
   1162   bool success = false;
   1163   std::string bootstrap_token;
   1164   if (cryptographer->DecryptPendingKeys(key_params)) {
   1165     DVLOG(1) << "Explicit passphrase accepted for decryption.";
   1166     cryptographer->GetBootstrapToken(&bootstrap_token);
   1167     success = true;
   1168   } else {
   1169     DVLOG(1) << "Explicit passphrase failed to decrypt.";
   1170     success = false;
   1171   }
   1172   if (success && !keystore_key_.empty()) {
   1173     // Should already be part of the encryption keybag, but we add it just
   1174     // in case.
   1175     KeyParams key_params = {"localhost", "dummy", keystore_key_};
   1176     cryptographer->AddNonDefaultKey(key_params);
   1177   }
   1178   FinishSetPassphrase(success, bootstrap_token, trans, nigori_node);
   1179 }
   1180 
   1181 void SyncEncryptionHandlerImpl::FinishSetPassphrase(
   1182     bool success,
   1183     const std::string& bootstrap_token,
   1184     WriteTransaction* trans,
   1185     WriteNode* nigori_node) {
   1186   DCHECK(thread_checker_.CalledOnValidThread());
   1187   FOR_EACH_OBSERVER(
   1188       SyncEncryptionHandler::Observer,
   1189       observers_,
   1190       OnCryptographerStateChanged(
   1191           &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer));
   1192 
   1193   // It's possible we need to change the bootstrap token even if we failed to
   1194   // set the passphrase (for example if we need to preserve the new GAIA
   1195   // passphrase).
   1196   if (!bootstrap_token.empty()) {
   1197     DVLOG(1) << "Passphrase bootstrap token updated.";
   1198     FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1199                       OnBootstrapTokenUpdated(bootstrap_token,
   1200                                               PASSPHRASE_BOOTSTRAP_TOKEN));
   1201   }
   1202 
   1203   const Cryptographer& cryptographer =
   1204       UnlockVault(trans->GetWrappedTrans()).cryptographer;
   1205   if (!success) {
   1206     if (cryptographer.is_ready()) {
   1207       LOG(ERROR) << "Attempt to change passphrase failed while cryptographer "
   1208                  << "was ready.";
   1209     } else if (cryptographer.has_pending_keys()) {
   1210       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1211                         OnPassphraseRequired(REASON_DECRYPTION,
   1212                                              cryptographer.GetPendingKeys()));
   1213     } else {
   1214       FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1215                         OnPassphraseRequired(REASON_ENCRYPTION,
   1216                                              sync_pb::EncryptedData()));
   1217     }
   1218     return;
   1219   }
   1220   DCHECK(success);
   1221   DCHECK(cryptographer.is_ready());
   1222 
   1223   // Will do nothing if we're already properly migrated or unable to migrate
   1224   // (in otherwords, if ShouldTriggerMigration is false).
   1225   // Otherwise will update the nigori node with the current migrated state,
   1226   // writing all encryption state as it does.
   1227   if (!AttemptToMigrateNigoriToKeystore(trans, nigori_node)) {
   1228     sync_pb::NigoriSpecifics nigori(nigori_node->GetNigoriSpecifics());
   1229     // Does not modify nigori.encryption_keybag() if the original decrypted
   1230     // data was the same.
   1231     if (!cryptographer.GetKeys(nigori.mutable_encryption_keybag()))
   1232       NOTREACHED();
   1233     if (IsNigoriMigratedToKeystore(nigori)) {
   1234       DCHECK(keystore_key_.empty() || IsExplicitPassphrase(passphrase_type_));
   1235       DVLOG(1) << "Leaving nigori migration state untouched after setting"
   1236                << " passphrase.";
   1237     } else {
   1238       nigori.set_keybag_is_frozen(
   1239           IsExplicitPassphrase(passphrase_type_));
   1240     }
   1241     // If we set a new custom passphrase, store the timestamp.
   1242     if (!custom_passphrase_time_.is_null()) {
   1243       nigori.set_custom_passphrase_time(
   1244           TimeToProtoTime(custom_passphrase_time_));
   1245     }
   1246     nigori_node->SetNigoriSpecifics(nigori);
   1247   }
   1248 
   1249   // Must do this after OnPassphraseTypeChanged, in order to ensure the PSS
   1250   // checks the passphrase state after it has been set.
   1251   FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1252                     OnPassphraseAccepted());
   1253 
   1254   // Does nothing if everything is already encrypted.
   1255   // TODO(zea): If we just migrated and enabled encryption, this will be
   1256   // redundant. Figure out a way to not do this unnecessarily.
   1257   ReEncryptEverything(trans);
   1258 }
   1259 
   1260 void SyncEncryptionHandlerImpl::MergeEncryptedTypes(
   1261     ModelTypeSet new_encrypted_types,
   1262     syncable::BaseTransaction* const trans) {
   1263   DCHECK(thread_checker_.CalledOnValidThread());
   1264 
   1265   // Only UserTypes may be encrypted.
   1266   DCHECK(EncryptableUserTypes().HasAll(new_encrypted_types));
   1267 
   1268   ModelTypeSet* encrypted_types = &UnlockVaultMutable(trans)->encrypted_types;
   1269   if (!encrypted_types->HasAll(new_encrypted_types)) {
   1270     *encrypted_types = new_encrypted_types;
   1271     FOR_EACH_OBSERVER(
   1272         Observer, observers_,
   1273         OnEncryptedTypesChanged(*encrypted_types, encrypt_everything_));
   1274   }
   1275 }
   1276 
   1277 SyncEncryptionHandlerImpl::Vault* SyncEncryptionHandlerImpl::UnlockVaultMutable(
   1278     syncable::BaseTransaction* const trans) {
   1279   DCHECK_EQ(user_share_->directory.get(), trans->directory());
   1280   return &vault_unsafe_;
   1281 }
   1282 
   1283 const SyncEncryptionHandlerImpl::Vault& SyncEncryptionHandlerImpl::UnlockVault(
   1284     syncable::BaseTransaction* const trans) const {
   1285   DCHECK_EQ(user_share_->directory.get(), trans->directory());
   1286   return vault_unsafe_;
   1287 }
   1288 
   1289 bool SyncEncryptionHandlerImpl::ShouldTriggerMigration(
   1290     const sync_pb::NigoriSpecifics& nigori,
   1291     const Cryptographer& cryptographer) const {
   1292   DCHECK(thread_checker_.CalledOnValidThread());
   1293   // Don't migrate if there are pending encryption keys (because data
   1294   // encrypted with the pending keys will not be decryptable).
   1295   if (cryptographer.has_pending_keys())
   1296     return false;
   1297   if (IsNigoriMigratedToKeystore(nigori)) {
   1298     // If the nigori is already migrated but does not reflect the explicit
   1299     // passphrase state, remigrate. Similarly, if the nigori has an explicit
   1300     // passphrase but does not have full encryption, or the nigori has an
   1301     // implicit passphrase but does have full encryption, re-migrate.
   1302     // Note that this is to defend against other clients without keystore
   1303     // encryption enabled transitioning to states that are no longer valid.
   1304     if (passphrase_type_ != KEYSTORE_PASSPHRASE &&
   1305         nigori.passphrase_type() ==
   1306             sync_pb::NigoriSpecifics::KEYSTORE_PASSPHRASE) {
   1307       return true;
   1308     } else if (IsExplicitPassphrase(passphrase_type_) &&
   1309                !encrypt_everything_) {
   1310       return true;
   1311     } else if (passphrase_type_ == KEYSTORE_PASSPHRASE &&
   1312                encrypt_everything_) {
   1313       return true;
   1314     } else if (
   1315         cryptographer.is_ready() &&
   1316         !cryptographer.CanDecryptUsingDefaultKey(nigori.encryption_keybag())) {
   1317       // We need to overwrite the keybag. This might involve overwriting the
   1318       // keystore decryptor too.
   1319       return true;
   1320     } else if (old_keystore_keys_.size() > 0 && !keystore_key_.empty()) {
   1321       // Check to see if a server key rotation has happened, but the nigori
   1322       // node's keys haven't been rotated yet, and hence we should re-migrate.
   1323       // Note that once a key rotation has been performed, we no longer
   1324       // preserve backwards compatibility, and the keybag will therefore be
   1325       // encrypted with the current keystore key.
   1326       Cryptographer temp_cryptographer(cryptographer.encryptor());
   1327       KeyParams keystore_params = {"localhost", "dummy", keystore_key_};
   1328       temp_cryptographer.AddKey(keystore_params);
   1329       if (!temp_cryptographer.CanDecryptUsingDefaultKey(
   1330               nigori.encryption_keybag())) {
   1331         return true;
   1332       }
   1333     }
   1334     return false;
   1335   } else if (keystore_key_.empty()) {
   1336     // If we haven't already migrated, we don't want to do anything unless
   1337     // a keystore key is available (so that those clients without keystore
   1338     // encryption enabled aren't forced into new states, e.g. frozen implicit
   1339     // passphrase).
   1340     return false;
   1341   }
   1342   return true;
   1343 }
   1344 
   1345 bool SyncEncryptionHandlerImpl::AttemptToMigrateNigoriToKeystore(
   1346     WriteTransaction* trans,
   1347     WriteNode* nigori_node) {
   1348   DCHECK(thread_checker_.CalledOnValidThread());
   1349   const sync_pb::NigoriSpecifics& old_nigori =
   1350       nigori_node->GetNigoriSpecifics();
   1351   Cryptographer* cryptographer =
   1352       &UnlockVaultMutable(trans->GetWrappedTrans())->cryptographer;
   1353 
   1354   if (!ShouldTriggerMigration(old_nigori, *cryptographer))
   1355     return false;
   1356 
   1357   DVLOG(1) << "Starting nigori migration to keystore support.";
   1358   sync_pb::NigoriSpecifics migrated_nigori(old_nigori);
   1359 
   1360   PassphraseType new_passphrase_type = passphrase_type_;
   1361   bool new_encrypt_everything = encrypt_everything_;
   1362   if (encrypt_everything_ && !IsExplicitPassphrase(passphrase_type_)) {
   1363     DVLOG(1) << "Switching to frozen implicit passphrase due to already having "
   1364              << "full encryption.";
   1365     new_passphrase_type = FROZEN_IMPLICIT_PASSPHRASE;
   1366     migrated_nigori.clear_keystore_decryptor_token();
   1367   } else if (IsExplicitPassphrase(passphrase_type_)) {
   1368     DVLOG_IF(1, !encrypt_everything_) << "Enabling encrypt everything due to "
   1369                                       << "explicit passphrase";
   1370     new_encrypt_everything = true;
   1371     migrated_nigori.clear_keystore_decryptor_token();
   1372   } else {
   1373     DCHECK(!encrypt_everything_);
   1374     new_passphrase_type = KEYSTORE_PASSPHRASE;
   1375     DVLOG(1) << "Switching to keystore passphrase state.";
   1376   }
   1377   migrated_nigori.set_encrypt_everything(new_encrypt_everything);
   1378   migrated_nigori.set_passphrase_type(
   1379       EnumPassphraseTypeToProto(new_passphrase_type));
   1380   migrated_nigori.set_keybag_is_frozen(true);
   1381 
   1382   if (!keystore_key_.empty()) {
   1383     KeyParams key_params = {"localhost", "dummy", keystore_key_};
   1384     if ((old_keystore_keys_.size() > 0 &&
   1385          new_passphrase_type == KEYSTORE_PASSPHRASE) ||
   1386         !cryptographer->is_initialized()) {
   1387       // Either at least one key rotation has been performed, so we no longer
   1388       // care about backwards compatibility, or we're generating keystore-based
   1389       // encryption keys without knowing the GAIA password (and therefore the
   1390       // cryptographer is not initialized), so we can't support backwards
   1391       // compatibility. Ensure the keystore key is the default key.
   1392       DVLOG(1) << "Migrating keybag to keystore key.";
   1393       bool cryptographer_was_ready = cryptographer->is_ready();
   1394       if (!cryptographer->AddKey(key_params)) {
   1395         LOG(ERROR) << "Failed to add keystore key as default key";
   1396         UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1397                                   FAILED_TO_SET_DEFAULT_KEYSTORE,
   1398                                   MIGRATION_RESULT_SIZE);
   1399         return false;
   1400       }
   1401       if (!cryptographer_was_ready && cryptographer->is_ready()) {
   1402         FOR_EACH_OBSERVER(
   1403             SyncEncryptionHandler::Observer,
   1404             observers_,
   1405             OnPassphraseAccepted());
   1406       }
   1407     } else {
   1408       // We're in backwards compatible mode -- either the account has an
   1409       // explicit passphrase, or we want to preserve the current GAIA-based key
   1410       // as the default because we can (there have been no key rotations since
   1411       // the migration).
   1412       DVLOG(1) << "Migrating keybag while preserving old key";
   1413       if (!cryptographer->AddNonDefaultKey(key_params)) {
   1414         LOG(ERROR) << "Failed to add keystore key as non-default key.";
   1415         UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1416                                   FAILED_TO_SET_NONDEFAULT_KEYSTORE,
   1417                                   MIGRATION_RESULT_SIZE);
   1418         return false;
   1419       }
   1420     }
   1421   }
   1422   if (!old_keystore_keys_.empty()) {
   1423     // Go through and add all the old keystore keys as non default keys, so
   1424     // they'll be preserved in the encryption_keybag when we next write the
   1425     // nigori node.
   1426     for (std::vector<std::string>::const_iterator iter =
   1427              old_keystore_keys_.begin(); iter != old_keystore_keys_.end();
   1428          ++iter) {
   1429       KeyParams key_params = {"localhost", "dummy", *iter};
   1430       cryptographer->AddNonDefaultKey(key_params);
   1431     }
   1432   }
   1433   if (new_passphrase_type == KEYSTORE_PASSPHRASE &&
   1434       !GetKeystoreDecryptor(
   1435           *cryptographer,
   1436           keystore_key_,
   1437           migrated_nigori.mutable_keystore_decryptor_token())) {
   1438     LOG(ERROR) << "Failed to extract keystore decryptor token.";
   1439     UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1440                               FAILED_TO_EXTRACT_DECRYPTOR,
   1441                               MIGRATION_RESULT_SIZE);
   1442     return false;
   1443   }
   1444   if (!cryptographer->GetKeys(migrated_nigori.mutable_encryption_keybag())) {
   1445     LOG(ERROR) << "Failed to extract encryption keybag.";
   1446     UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1447                               FAILED_TO_EXTRACT_KEYBAG,
   1448                               MIGRATION_RESULT_SIZE);
   1449     return false;
   1450   }
   1451 
   1452   if (migration_time_.is_null())
   1453     migration_time_ = base::Time::Now();
   1454   migrated_nigori.set_keystore_migration_time(TimeToProtoTime(migration_time_));
   1455 
   1456   if (!custom_passphrase_time_.is_null()) {
   1457     migrated_nigori.set_custom_passphrase_time(
   1458         TimeToProtoTime(custom_passphrase_time_));
   1459   }
   1460 
   1461   FOR_EACH_OBSERVER(
   1462       SyncEncryptionHandler::Observer,
   1463       observers_,
   1464       OnCryptographerStateChanged(cryptographer));
   1465   if (passphrase_type_ != new_passphrase_type) {
   1466     passphrase_type_ = new_passphrase_type;
   1467     FOR_EACH_OBSERVER(SyncEncryptionHandler::Observer, observers_,
   1468                             OnPassphraseTypeChanged(
   1469                                 passphrase_type_,
   1470                                 GetExplicitPassphraseTime()));
   1471   }
   1472 
   1473   if (new_encrypt_everything && !encrypt_everything_) {
   1474     EnableEncryptEverythingImpl(trans->GetWrappedTrans());
   1475     ReEncryptEverything(trans);
   1476   } else if (!cryptographer->CanDecryptUsingDefaultKey(
   1477                  old_nigori.encryption_keybag())) {
   1478     DVLOG(1) << "Rencrypting everything due to key rotation.";
   1479     ReEncryptEverything(trans);
   1480   }
   1481 
   1482   DVLOG(1) << "Completing nigori migration to keystore support.";
   1483   nigori_node->SetNigoriSpecifics(migrated_nigori);
   1484 
   1485   switch (new_passphrase_type) {
   1486     case KEYSTORE_PASSPHRASE:
   1487       if (old_keystore_keys_.size() > 0) {
   1488         UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1489                                   MIGRATION_SUCCESS_KEYSTORE_NONDEFAULT,
   1490                                   MIGRATION_RESULT_SIZE);
   1491       } else {
   1492         UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1493                                   MIGRATION_SUCCESS_KEYSTORE_DEFAULT,
   1494                                   MIGRATION_RESULT_SIZE);
   1495       }
   1496       break;
   1497     case FROZEN_IMPLICIT_PASSPHRASE:
   1498       UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1499                                 MIGRATION_SUCCESS_FROZEN_IMPLICIT,
   1500                                 MIGRATION_RESULT_SIZE);
   1501       break;
   1502     case CUSTOM_PASSPHRASE:
   1503       UMA_HISTOGRAM_ENUMERATION("Sync.AttemptNigoriMigration",
   1504                                 MIGRATION_SUCCESS_CUSTOM,
   1505                                 MIGRATION_RESULT_SIZE);
   1506       break;
   1507     default:
   1508       NOTREACHED();
   1509       break;
   1510   }
   1511   return true;
   1512 }
   1513 
   1514 bool SyncEncryptionHandlerImpl::GetKeystoreDecryptor(
   1515     const Cryptographer& cryptographer,
   1516     const std::string& keystore_key,
   1517     sync_pb::EncryptedData* encrypted_blob) {
   1518   DCHECK(thread_checker_.CalledOnValidThread());
   1519   DCHECK(!keystore_key.empty());
   1520   DCHECK(cryptographer.is_ready());
   1521   std::string serialized_nigori;
   1522   serialized_nigori = cryptographer.GetDefaultNigoriKeyData();
   1523   if (serialized_nigori.empty()) {
   1524     LOG(ERROR) << "Failed to get cryptographer bootstrap token.";
   1525     return false;
   1526   }
   1527   Cryptographer temp_cryptographer(cryptographer.encryptor());
   1528   KeyParams key_params = {"localhost", "dummy", keystore_key};
   1529   if (!temp_cryptographer.AddKey(key_params))
   1530     return false;
   1531   if (!temp_cryptographer.EncryptString(serialized_nigori, encrypted_blob))
   1532     return false;
   1533   return true;
   1534 }
   1535 
   1536 bool SyncEncryptionHandlerImpl::AttemptToInstallKeybag(
   1537     const sync_pb::EncryptedData& keybag,
   1538     bool update_default,
   1539     Cryptographer* cryptographer) {
   1540   if (!cryptographer->CanDecrypt(keybag))
   1541     return false;
   1542   cryptographer->InstallKeys(keybag);
   1543   if (update_default)
   1544     cryptographer->SetDefaultKey(keybag.key_name());
   1545   return true;
   1546 }
   1547 
   1548 void SyncEncryptionHandlerImpl::EnableEncryptEverythingImpl(
   1549     syncable::BaseTransaction* const trans) {
   1550   ModelTypeSet* encrypted_types = &UnlockVaultMutable(trans)->encrypted_types;
   1551   if (encrypt_everything_) {
   1552     DCHECK(encrypted_types->Equals(EncryptableUserTypes()));
   1553     return;
   1554   }
   1555   encrypt_everything_ = true;
   1556   *encrypted_types = EncryptableUserTypes();
   1557   FOR_EACH_OBSERVER(
   1558       Observer, observers_,
   1559       OnEncryptedTypesChanged(*encrypted_types, encrypt_everything_));
   1560 }
   1561 
   1562 bool SyncEncryptionHandlerImpl::DecryptPendingKeysWithKeystoreKey(
   1563     const std::string& keystore_key,
   1564     const sync_pb::EncryptedData& keystore_decryptor_token,
   1565     Cryptographer* cryptographer) {
   1566   DCHECK(cryptographer->has_pending_keys());
   1567   if (keystore_decryptor_token.blob().empty())
   1568     return false;
   1569   Cryptographer temp_cryptographer(cryptographer->encryptor());
   1570 
   1571   // First, go through and all all the old keystore keys to the temporary
   1572   // cryptographer.
   1573   for (size_t i = 0; i < old_keystore_keys_.size(); ++i) {
   1574     KeyParams old_key_params = {"localhost", "dummy", old_keystore_keys_[i]};
   1575     temp_cryptographer.AddKey(old_key_params);
   1576   }
   1577 
   1578   // Then add the current keystore key as the default key and see if we can
   1579   // decrypt.
   1580   KeyParams keystore_params = {"localhost", "dummy", keystore_key_};
   1581   if (temp_cryptographer.AddKey(keystore_params) &&
   1582       temp_cryptographer.CanDecrypt(keystore_decryptor_token)) {
   1583     // Someone else migrated the nigori for us! How generous! Go ahead and
   1584     // install both the keystore key and the new default encryption key
   1585     // (i.e. the one provided by the keystore decryptor token) into the
   1586     // cryptographer.
   1587     // The keystore decryptor token is a keystore key encrypted blob containing
   1588     // the current serialized default encryption key (and as such should be
   1589     // able to decrypt the nigori node's encryption keybag).
   1590     // Note: it's possible a key rotation has happened since the migration, and
   1591     // we're decrypting using an old keystore key. In that case we need to
   1592     // ensure we re-encrypt using the newest key.
   1593     DVLOG(1) << "Attempting to decrypt pending keys using "
   1594              << "keystore decryptor token.";
   1595     std::string serialized_nigori =
   1596         temp_cryptographer.DecryptToString(keystore_decryptor_token);
   1597 
   1598     // This will decrypt the pending keys and add them if possible. The key
   1599     // within |serialized_nigori| will be the default after.
   1600     cryptographer->ImportNigoriKey(serialized_nigori);
   1601 
   1602     if (!temp_cryptographer.CanDecryptUsingDefaultKey(
   1603             keystore_decryptor_token)) {
   1604       // The keystore decryptor token was derived from an old keystore key.
   1605       // A key rotation is necessary, so set the current keystore key as the
   1606       // default key (which will trigger a re-migration).
   1607       DVLOG(1) << "Pending keys based on old keystore key. Setting newest "
   1608                << "keystore key as default.";
   1609       cryptographer->AddKey(keystore_params);
   1610     } else {
   1611       // Theoretically the encryption keybag should already contain the keystore
   1612       // key. We explicitly add it as a safety measure.
   1613       DVLOG(1) << "Pending keys based on newest keystore key.";
   1614       cryptographer->AddNonDefaultKey(keystore_params);
   1615     }
   1616     if (cryptographer->is_ready()) {
   1617       std::string bootstrap_token;
   1618       cryptographer->GetBootstrapToken(&bootstrap_token);
   1619       DVLOG(1) << "Keystore decryptor token decrypted pending keys.";
   1620       FOR_EACH_OBSERVER(
   1621           SyncEncryptionHandler::Observer,
   1622           observers_,
   1623           OnPassphraseAccepted());
   1624       FOR_EACH_OBSERVER(
   1625           SyncEncryptionHandler::Observer,
   1626           observers_,
   1627           OnBootstrapTokenUpdated(bootstrap_token,
   1628                                   PASSPHRASE_BOOTSTRAP_TOKEN));
   1629       FOR_EACH_OBSERVER(
   1630           SyncEncryptionHandler::Observer,
   1631           observers_,
   1632           OnCryptographerStateChanged(cryptographer));
   1633       return true;
   1634     }
   1635   }
   1636   return false;
   1637 }
   1638 
   1639 base::Time SyncEncryptionHandlerImpl::GetExplicitPassphraseTime() const {
   1640   if (passphrase_type_ == FROZEN_IMPLICIT_PASSPHRASE)
   1641     return migration_time();
   1642   else if (passphrase_type_ == CUSTOM_PASSPHRASE)
   1643     return custom_passphrase_time();
   1644   return base::Time();
   1645 }
   1646 
   1647 }  // namespace browser_sync
   1648