Bug 600995 - Use a record's "encryption" property only as a fallback, default to the engine's value. [r=mconnor]

services/sync/modules/base_records/crypto.js

@@ -76,11 +76,11 @@ CryptoWrapper.prototype = {
     this.cleartext = null;
   },
 
-  decrypt: function CryptoWrapper_decrypt(passphrase) {
+  decrypt: function CryptoWrapper_decrypt(passphrase, keyUri) {
     let pubkey = PubKeys.getDefaultKey();
     let privkey = PrivKeys.get(pubkey.privateKeyUri);
 
-    let meta = CryptoMetas.get(this.encryption);
+    let meta = CryptoMetas.get(keyUri);
     let symkey = meta.getKey(privkey, passphrase);
 
     // Authenticate the encrypted blob with the expected HMAC

services/sync/modules/engines.js

@@ -468,7 +468,13 @@ SyncEngine.prototype = {
       handled.push(item.id);
 
       try {
-        item.decrypt(ID.get("WeaveCryptoID"));
+        // Short-circuit the key URI to the engine's one in case the WBO's
+        // might be wrong due to relative URI confusions (bug 600995).
+        try {
+          item.decrypt(ID.get("WeaveCryptoID"), this.cryptoMetaURL);
+        } catch (ex) {
+          item.decrypt(ID.get("WeaveCryptoID"), item.encryption);
+        }
         if (this._reconcile(item)) {
           count.applied++;
           this._tracker.ignoreAll = true;
@@ -763,7 +769,7 @@ SyncEngine.prototype = {
     test.sort = "newest";
     test.full = true;
     test.recordHandler = function(record) {
-      record.decrypt(ID.get("WeaveCryptoID"));
+      record.decrypt(ID.get("WeaveCryptoID"), this.cryptoMetaURL);
       canDecrypt = true;
     };
 

services/sync/modules/type_records/bookmark.js

@@ -50,7 +50,7 @@ function PlacesItem(uri, type) {
   this.type = type || "item";
 }
 PlacesItem.prototype = {
-  decrypt: function PlacesItem_decrypt(passphrase) {
+  decrypt: function PlacesItem_decrypt(passphrase, keyUri) {
     // Do the normal CryptoWrapper decrypt, but change types before returning
     let clear = CryptoWrapper.prototype.decrypt.apply(this, arguments);
 

services/sync/tests/unit/test_clients_escape.js

@@ -51,7 +51,7 @@ function run_test() {
     do_check_eq(checkCount, serialized.length);
 
     _("Making sure the record still looks like it did before");
-    record.decrypt(passphrase);
+    record.decrypt(passphrase, Clients.cryptoMetaURL);
     do_check_eq(record.id, "ascii");
     do_check_eq(record.name, "wéävê");
 

services/sync/tests/unit/test_records_crypto.js

@@ -74,9 +74,10 @@ function run_test() {
 
     log.info("Creating a record");
 
+    let cryptoUri = "http://localhost:8080/crypto/steam";
     cryptoWrap = new CryptoWrapper("http://localhost:8080/steam/resource");
-    cryptoWrap.encryption = "http://localhost:8080/crypto/steam";
-    do_check_eq(cryptoWrap.encryption, "http://localhost:8080/crypto/steam");
+    cryptoWrap.encryption = cryptoUri;
+    do_check_eq(cryptoWrap.encryption, cryptoUri);
     do_check_eq(cryptoWrap.payload.encryption, "../crypto/steam");
 
     log.info("Encrypting a record");
@@ -87,7 +88,7 @@ function run_test() {
 
     log.info("Decrypting the record");
 
-    let payload = cryptoWrap.decrypt(passphrase);
+    let payload = cryptoWrap.decrypt(passphrase, cryptoUri);
     do_check_eq(payload.stuff, "my payload here");
     do_check_neq(payload, cryptoWrap.payload); // wrap.data.payload is the encrypted one
 
@@ -96,7 +97,7 @@ function run_test() {
     cryptoWrap.cleartext.stuff = "another payload";
     cryptoWrap.encrypt(passphrase);
     let secondIV = cryptoWrap.IV;
-    payload = cryptoWrap.decrypt(passphrase);
+    payload = cryptoWrap.decrypt(passphrase, cryptoUri);
     do_check_eq(payload.stuff, "another payload");
 
     log.info("Make sure multiple encrypts use different IVs");
@@ -107,7 +108,7 @@ function run_test() {
     cryptoWrap.data.id = "other";
     let error = "";
     try {
-      cryptoWrap.decrypt(passphrase);
+      cryptoWrap.decrypt(passphrase, cryptoUri);
     }
     catch(ex) {
       error = ex;
@@ -119,7 +120,7 @@ function run_test() {
     cryptoWrap.hmac = "foo";
     error = "";
     try {
-      cryptoWrap.decrypt(passphrase);
+      cryptoWrap.decrypt(passphrase, cryptoUri);
     }
     catch(ex) {
       error = ex;

services/sync/tests/unit/test_syncengine_sync.js

@@ -48,7 +48,6 @@ SteamStore.prototype = {
 
   createRecord: function(id, uri) {
     var record = new SteamRecord(uri);
-    record.id = id;
     record.denomination = this.items[id] || "Data for new record: " + id;
     return record;
   },
@@ -125,7 +124,7 @@ function encryptPayload(cleartext) {
     cleartext = JSON.stringify(cleartext);
   }
 
-  return {encryption: "http://localhost:8080/1.0/foo/storage/crypto/steam",
+  return {encryption: "../crypto/steam",
           ciphertext: cleartext, // ciphertext == cleartext with fake crypto
           IV: "irrelevant",
           hmac: Utils.sha256HMAC(cleartext, null)};
@@ -502,6 +501,15 @@ function test_processIncoming_createFromServer() {
       'scotsman', encryptPayload({id: 'scotsman',
                                   denomination: "Flying Scotsman"}));
 
+  // Two pathological cases involving relative URIs gone wrong.
+  collection.wbos['../pathological'] = new ServerWBO(
+      '../pathological', encryptPayload({id: '../pathological',
+                                         denomination: "Pathological Case"}));
+  let wrong_keyuri = encryptPayload({id: "wrong_keyuri",
+                                     denomination: "Wrong Key URI"});
+  wrong_keyuri.encryption = "../../crypto/steam";
+  collection.wbos["wrong_keyuri"] = new ServerWBO("wrong_keyuri", wrong_keyuri);
+
   let server = sync_httpd_setup({
       "/1.0/foo/storage/crypto/steam": crypto_steam.handler(),
       "/1.0/foo/storage/steam": collection.handler(),
@@ -520,6 +528,8 @@ function test_processIncoming_createFromServer() {
     do_check_eq(engine.lastModified, null);
     do_check_eq(engine._store.items.flying, undefined);
     do_check_eq(engine._store.items.scotsman, undefined);
+    do_check_eq(engine._store.items['../pathological'], undefined);
+    do_check_eq(engine._store.items.wrong_keyuri, undefined);
 
     engine._processIncoming();
 
@@ -530,6 +540,8 @@ function test_processIncoming_createFromServer() {
     // Local records have been created from the server data.
     do_check_eq(engine._store.items.flying, "LNER Class A3 4472");
     do_check_eq(engine._store.items.scotsman, "Flying Scotsman");
+    do_check_eq(engine._store.items['../pathological'], "Pathological Case");
+    do_check_eq(engine._store.items.wrong_keyuri, "Wrong Key URI");
 
   } finally {
     server.stop(do_test_finished);