Encrypt all stored cookies on selected operating systems.

content/browser/net/sqlite_persistent_cookie_store.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/net/sqlite_persistent_cookie_store.h"
 
 #include <list>
 #include <map>
 #include <set>
 #include <utility>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
 #include "base/sequenced_task_runner.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/sequenced_worker_pool.h"
 #include "base/time/time.h"
 #include "content/public/browser/browser_thread.h"
+#include "content/public/browser/cookie_crypto_delegate.h"
 #include "content/public/browser/cookie_store_factory.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_util.h"
 #include "sql/error_delegate_util.h"
 #include "sql/meta_table.h"
 #include "sql/statement.h"
 #include "sql/transaction.h"
 #include "third_party/sqlite/sqlite3.h"
@@ skipping 27 matching lines @@
 // disk on the BG runner every 30 seconds, 512 operations, or call to Flush(),
 // whichever occurs first.
 class SQLitePersistentCookieStore::Backend
     : public base::RefCountedThreadSafe<SQLitePersistentCookieStore::Backend> {
  public:
   Backend(
       const base::FilePath& path,
       const scoped_refptr<base::SequencedTaskRunner>& client_task_runner,
       const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
       bool restore_old_session_cookies,
-      quota::SpecialStoragePolicy* special_storage_policy)
+      quota::SpecialStoragePolicy* special_storage_policy,
+      CookieCryptoDelegate* crypto_delegate)
       : path_(path),
         num_pending_(0),
         force_keep_session_state_(false),
         initialized_(false),
         corruption_detected_(false),
         restore_old_session_cookies_(restore_old_session_cookies),
         special_storage_policy_(special_storage_policy),
         num_cookies_read_(0),
         client_task_runner_(client_task_runner),
         background_task_runner_(background_task_runner),
         num_priority_waiting_(0),
-        total_priority_requests_(0) {}
+        total_priority_requests_(0),
+        crypto_(crypto_delegate) {}
 
   // Creates or loads the SQLite database.
   void Load(const LoadedCallback& loaded_callback);
 
   // Loads cookies for the domain key (eTLD+1).
   void LoadCookiesForKey(const std::string& domain,
       const LoadedCallback& loaded_callback);
 
   // Batch a cookie addition.
   void AddCookie(const net::CanonicalCookie& cc);
@@ skipping 162 matching lines @@
   // starting/completing priority loads or completing the total load).
   base::Lock metrics_lock_;
   int num_priority_waiting_;
   // The total number of priority requests.
   int total_priority_requests_;
   // The time when |num_priority_waiting_| incremented to 1.
   base::Time current_priority_wait_start_;
   // The cumulative duration of time when |num_priority_waiting_| was greater
   // than 1.
   base::TimeDelta priority_wait_duration_;
+  // Class with functions that do cryptographic operations (for protecting
+  // cookies stored persistently).
+  scoped_ptr<CookieCryptoDelegate> crypto_;
 
   DISALLOW_COPY_AND_ASSIGN(Backend);
 };
 
 namespace {
 
 // Version number of the database.
 //
+// Version 7 adds encrypted values.  Old values will continue to be used but
+// all new values written will be encrypted on selected operating systems.
+//
 // Version 6 adds cookie priorities. This allows developers to influence the
 // order in which cookies are evicted in order to meet domain cookie limits.
 //
 // Version 5 adds the columns has_expires and is_persistent, so that the
 // database can store session cookies as well as persistent cookies. Databases
 // of version 5 are incompatible with older versions of code. If a database of
 // version 5 is read by older code, session cookies will be treated as normal
 // cookies. Currently, these fields are written, but not read anymore.
 //
 // In version 4, we migrated the time epoch.  If you open the DB with an older
 // version on Mac or Linux, the times will look wonky, but the file will likely
 // be usable. On Windows version 3 and 4 are the same.
 //
 // Version 3 updated the database to include the last access time, so we can
 // expire them in decreasing order of use when we've reached the maximum
 // number of cookies.
-const int kCurrentVersionNumber = 6;
+const int kCurrentVersionNumber = 7;
 const int kCompatibleVersionNumber = 5;
 
 // Possible values for the 'priority' column.
 enum DBCookiePriority {
   kCookiePriorityLow = 0,
   kCookiePriorityMedium = 1,
   kCookiePriorityHigh = 2,
 };
 
 DBCookiePriority CookiePriorityToDBCookiePriority(net::CookiePriority value) {
@@ skipping 53 matching lines @@
     std::string stmt(base::StringPrintf(
         "CREATE TABLE cookies ("
             "creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY,"
             "host_key TEXT NOT NULL,"
             "name TEXT NOT NULL,"
             "value TEXT NOT NULL,"
             "path TEXT NOT NULL,"
             "expires_utc INTEGER NOT NULL,"
             "secure INTEGER NOT NULL,"
             "httponly INTEGER NOT NULL,"
-            "last_access_utc INTEGER NOT NULL, "
-            "has_expires INTEGER NOT NULL DEFAULT 1, "
+            "last_access_utc INTEGER NOT NULL,"
+            "has_expires INTEGER NOT NULL DEFAULT 1,"
             "persistent INTEGER NOT NULL DEFAULT 1,"
-            "priority INTEGER NOT NULL DEFAULT %d)",
+            "priority INTEGER NOT NULL DEFAULT %d,"
+            "encrypted_value BLOB NOT NULL)",
         CookiePriorityToDBCookiePriority(net::COOKIE_PRIORITY_DEFAULT)));
     if (!db->Execute(stmt.c_str()))
       return false;
   }
 
   // Older code created an index on creation_utc, which is already
   // primary key for the table.
   if (!db->Execute("DROP INDEX IF EXISTS cookie_times"))
     return false;
 
@@ skipping 288 matching lines @@
 }
 
 bool SQLitePersistentCookieStore::Backend::LoadCookiesForDomains(
   const std::set<std::string>& domains) {
   DCHECK(background_task_runner_->RunsTasksOnCurrentThread());
 
   sql::Statement smt;
   if (restore_old_session_cookies_) {
     smt.Assign(db_->GetCachedStatement(
         SQL_FROM_HERE,
-        "SELECT creation_utc, host_key, name, value, path, expires_utc, "
-        "secure, httponly, last_access_utc, has_expires, persistent, priority "
-        "FROM cookies WHERE host_key = ?"));
+        "SELECT creation_utc, host_key, name, value, encrypted_value, path, "
+        "expires_utc, secure, httponly, last_access_utc, has_expires, "
+        "persistent, priority FROM cookies WHERE host_key = ?"));
   } else {
     smt.Assign(db_->GetCachedStatement(
         SQL_FROM_HERE,
-        "SELECT creation_utc, host_key, name, value, path, expires_utc, "
-        "secure, httponly, last_access_utc, has_expires, persistent, priority "
-        "FROM cookies WHERE host_key = ? AND persistent = 1"));
+        "SELECT creation_utc, host_key, name, value, encrypted_value, path, "
+        "expires_utc, secure, httponly, last_access_utc, has_expires, "
+        "persistent, priority FROM cookies WHERE host_key = ? "
+        "AND persistent = 1"));
   }
   if (!smt.is_valid()) {
     smt.Clear();  // Disconnect smt_ref from db_.
     meta_table_.Reset();
     db_.reset();
     return false;
   }
 
   std::vector<net::CanonicalCookie*> cookies;
   std::set<std::string>::const_iterator it = domains.begin();
   for (; it != domains.end(); ++it) {
     smt.BindString(0, *it);
     while (smt.Step()) {
+      std::string value;
+      std::string encrypted_value = smt.ColumnString(4);
+      DCHECK(encrypted_value.empty() || crypto_.get() != NULL);

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

I can see that this condition corresponds to failures in the following
condition, but I have to think hard about it.  IMHO putting
DCHECK(encrypted_value.empty()) in the else clause would more clearly indicate
the invariant, especially if you put a symmetric
DCHECK(smt.ColumnString(3).empty()) in the if() case.

[I'm willing to be overridden.]

[bcwhite, 2013/10/08 18:23:36]

I like it.  Done.

+      if (!encrypted_value.empty() && crypto_.get()) {
+        crypto_->DecryptString(encrypted_value, &value);
+      } else {
+        value = smt.ColumnString(3);
+      }
       scoped_ptr<net::CanonicalCookie> cc(new net::CanonicalCookie(
           // The "source" URL is not used with persisted cookies.
           GURL(),                                         // Source
           smt.ColumnString(2),                            // name
-          smt.ColumnString(3),                            // value
+          value,                                          // value
           smt.ColumnString(1),                            // domain
-          smt.ColumnString(4),                            // path
+          smt.ColumnString(5),                            // path
           Time::FromInternalValue(smt.ColumnInt64(0)),    // creation_utc
-          Time::FromInternalValue(smt.ColumnInt64(5)),    // expires_utc
-          Time::FromInternalValue(smt.ColumnInt64(8)),    // last_access_utc
-          smt.ColumnInt(6) != 0,                          // secure
-          smt.ColumnInt(7) != 0,                          // httponly
+          Time::FromInternalValue(smt.ColumnInt64(6)),    // expires_utc
+          Time::FromInternalValue(smt.ColumnInt64(9)),    // last_access_utc
+          smt.ColumnInt(7) != 0,                          // secure
+          smt.ColumnInt(8) != 0,                          // httponly
           DBCookiePriorityToCookiePriority(
-              static_cast<DBCookiePriority>(smt.ColumnInt(11)))));  // priority
+              static_cast<DBCookiePriority>(smt.ColumnInt(12)))));  // priority

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

Not a review comment, just a suggestion that you might not have considered: SQL
doesn't care what order things are in, so if you want to put encrypted_value at
the _end_ of the SELECT statement at column 12, that would reduce the changes in
here.  It would also reduce the changes to the SELECT statement, too.

[bcwhite, 2013/10/08 18:23:36]

I've put "encrypted_value" next to "value" just because they're closely related
but if you feel it would be clearer to have it at the end (where it is not
created) and keep the other indices the same, I don't mind.

[Scott Hess - ex-Googler, 2013/10/08 19:13:51]

It's all synthetic all the way down, SQLite and the indices don't care what they
are or whether they are related.  Changing the indices is a mechanical change,
if you're happy with doing it, fine, but there's nothing intrinsic to the
overall change which requires it.  The advantage of not-changing is that you
only have to worry about the newly-added index being correct.

[Queue and discard discussion of building an inherently less brittle
sql::Statement API.]

       DLOG_IF(WARNING,
               cc->CreationDate() > Time::Now()) << L"CreationDate too recent";
       cookies_per_origin_[CookieOrigin(cc->Domain(), cc->IsSecure())]++;
       cookies.push_back(cc.release());
       ++num_cookies_read_;
     }
     smt.Reset(true);
   }
   {
     base::AutoLock locked(lock_);
@@ skipping 102 matching lines @@
     }
     ++cur_version;
     meta_table_.SetVersionNumber(cur_version);
     meta_table_.SetCompatibleVersionNumber(
         std::min(cur_version, kCompatibleVersionNumber));
     transaction.Commit();
     UMA_HISTOGRAM_TIMES("Cookie.TimeDatabaseMigrationToV6",
                         base::TimeTicks::Now() - start_time);
   }
 
+  if (cur_version == 6) {
+    const base::TimeTicks start_time = base::TimeTicks::Now();
+    sql::Transaction transaction(db_.get());
+    if (!transaction.Begin())
+      return false;
+    // Alter the table to add empty "encrypted value" column.
+    std::string stmt(base::StringPrintf(
+        "ALTER TABLE cookies ADD COLUMN encrypted_value BLOB DEFAULT ''"));

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

There's really no reason to StringPrintf() this, in fact there's no reason to
put it in a std::string.

[bcwhite, 2013/10/08 18:23:36]

True.  I'd just copied it from above.  Done.

+    if (!db_->Execute(stmt.c_str())) {
+      LOG(WARNING) << "Unable to update cookie database to version 7.";
+      return false;
+    }
+    ++cur_version;
+    meta_table_.SetVersionNumber(cur_version);
+    meta_table_.SetCompatibleVersionNumber(
+        std::min(cur_version, kCompatibleVersionNumber));
+    transaction.Commit();
+    UMA_HISTOGRAM_TIMES("Cookie.TimeDatabaseMigrationToV7",
+                        base::TimeTicks::Now() - start_time);

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

I think it's interesting that we're histogramming time-to-migrate for a trivial
schema-only change, but we didn't histogram time-to-migrate for the data
migration from v3 to v4.  I guess that's local style, but AFAICT these last few
migrations should be constant cost.

[erikwright (departed), 2013/10/08 18:41:53]

I'll take a look at how useful this actually is. I'm not sure when/why we
started doing it. Probably a younger, greener me asked for it.

[Scott Hess - ex-Googler, 2013/10/08 19:13:51]

If it is kept, then obviously a histograms.xml change is in order.  Nothing
worse than a histogram which is impossible to look at.

+  }
+
   // Put future migration cases here.
 
   if (cur_version < kCurrentVersionNumber) {
     UMA_HISTOGRAM_COUNTS_100("Cookie.CorruptMetaTable", 1);
 
     meta_table_.Reset();
     db_.reset(new sql::Connection);
     if (!base::DeleteFile(path_, false) ||
         !db_->Open(path_) ||
         !meta_table_.Init(
@@ skipping 64 matching lines @@
     base::AutoLock locked(lock_);
     pending_.swap(ops);
     num_pending_ = 0;
   }
 
   // Maybe an old timer fired or we are already Close()'ed.
   if (!db_.get() || ops.empty())
     return;
 
   sql::Statement add_smt(db_->GetCachedStatement(SQL_FROM_HERE,
-      "INSERT INTO cookies (creation_utc, host_key, name, value, path, "
-      "expires_utc, secure, httponly, last_access_utc, has_expires, "
-      "persistent, priority) "
-      "VALUES (?,?,?,?,?,?,?,?,?,?,?,?)"));
+      "INSERT INTO cookies (creation_utc, host_key, name, value, "
+      "encrypted_value, path, expires_utc, secure, httponly, last_access_utc, "
+      "has_expires, persistent, priority) "
+      "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)"));

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

My earlier comment about ordering also applies here - you can put the new column
at the end of the list, and just bind it at the new location.

   if (!add_smt.is_valid())
     return;
 
   sql::Statement update_access_smt(db_->GetCachedStatement(SQL_FROM_HERE,
       "UPDATE cookies SET last_access_utc=? WHERE creation_utc=?"));
   if (!update_access_smt.is_valid())
     return;
 
   sql::Statement del_smt(db_->GetCachedStatement(SQL_FROM_HERE,
                          "DELETE FROM cookies WHERE creation_utc=?"));
   if (!del_smt.is_valid())
     return;
 
   sql::Transaction transaction(db_.get());
   if (!transaction.Begin())
     return;
 
   for (PendingOperationsList::iterator it = ops.begin();
        it != ops.end(); ++it) {
     // Free the cookies as we commit them to the database.
     scoped_ptr<PendingOperation> po(*it);
     switch (po->op()) {
       case PendingOperation::COOKIE_ADD:
         cookies_per_origin_[
             CookieOrigin(po->cc().Domain(), po->cc().IsSecure())]++;
         add_smt.Reset(true);
         add_smt.BindInt64(0, po->cc().CreationDate().ToInternalValue());
         add_smt.BindString(1, po->cc().Domain());
         add_smt.BindString(2, po->cc().Name());
-        add_smt.BindString(3, po->cc().Value());
-        add_smt.BindString(4, po->cc().Path());
-        add_smt.BindInt64(5, po->cc().ExpiryDate().ToInternalValue());
-        add_smt.BindInt(6, po->cc().IsSecure());
-        add_smt.BindInt(7, po->cc().IsHttpOnly());
-        add_smt.BindInt64(8, po->cc().LastAccessDate().ToInternalValue());
-        add_smt.BindInt(9, po->cc().IsPersistent());
+        if (crypto_.get()) {
+          std::string encrypted_value;
+          add_smt.BindString(3, std::string());  // value

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

BindCString(3, "");

[bcwhite, 2013/10/08 18:23:36]

Done.

+          crypto_->EncryptString(po->cc().Value(), &encrypted_value);
+          // BindBlob() calls sqlite3_bind_blob() with SQLITE_TRANSIENT and so
+          // immediately makes an internal copy of the data.

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

I think you can trim this to "BindBlob() makes a copy of the blob".  The
internal SQLite stuff really isn't informative.

It occurs to me that statement_unittest.cc maybe should test these assumptions. 
There is probably code which doesn't realize it depends on them...

[bcwhite, 2013/10/08 18:23:36]

Done.

+          add_smt.BindBlob(4, encrypted_value.data(),
+                           static_cast<int>(encrypted_value.length()));
+        } else {
+          add_smt.BindString(3, po->cc().Value());
+          add_smt.BindBlob(4, "", 0);  // encrypted_value

[Scott Hess - ex-Googler, 2013/10/08 17:35:55]

With the CREATE change, I think this should be BindNull() and let the DEFAULT
handle it.

+        }
+        add_smt.BindString(5, po->cc().Path());
+        add_smt.BindInt64(6, po->cc().ExpiryDate().ToInternalValue());
+        add_smt.BindInt(7, po->cc().IsSecure());
+        add_smt.BindInt(8, po->cc().IsHttpOnly());
+        add_smt.BindInt64(9, po->cc().LastAccessDate().ToInternalValue());
         add_smt.BindInt(10, po->cc().IsPersistent());
+        add_smt.BindInt(11, po->cc().IsPersistent());
         add_smt.BindInt(
-            11, CookiePriorityToDBCookiePriority(po->cc().Priority()));
+            12, CookiePriorityToDBCookiePriority(po->cc().Priority()));
         if (!add_smt.Run())
           NOTREACHED() << "Could not add a cookie to the DB.";
         break;
 
       case PendingOperation::COOKIE_UPDATEACCESS:
         update_access_smt.Reset(true);
         update_access_smt.BindInt64(0,
             po->cc().LastAccessDate().ToInternalValue());
         update_access_smt.BindInt64(1,
             po->cc().CreationDate().ToInternalValue());
@@ skipping 165 matching lines @@
     LOG(WARNING) << "Failed to post task from " << origin.ToString()
                  << " to client_task_runner_.";
   }
 }
 
 SQLitePersistentCookieStore::SQLitePersistentCookieStore(
     const base::FilePath& path,
     const scoped_refptr<base::SequencedTaskRunner>& client_task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
     bool restore_old_session_cookies,
-    quota::SpecialStoragePolicy* special_storage_policy)
+    quota::SpecialStoragePolicy* special_storage_policy,
+    CookieCryptoDelegate* crypto_delegate)
     : backend_(new Backend(path,
                            client_task_runner,
                            background_task_runner,
                            restore_old_session_cookies,
-                           special_storage_policy)) {
+                           special_storage_policy,
+                           crypto_delegate)) {
 }
 
 void SQLitePersistentCookieStore::Load(const LoadedCallback& loaded_callback) {
   backend_->Load(loaded_callback);
 }
 
 void SQLitePersistentCookieStore::LoadCookiesForKey(
     const std::string& key,
     const LoadedCallback& loaded_callback) {
   backend_->LoadCookiesForKey(key, loaded_callback);
@@ skipping 24 matching lines @@
   backend_->Close();
   // We release our reference to the Backend, though it will probably still have
   // a reference if the background runner has not run Close() yet.
 }
 
 net::CookieStore* CreatePersistentCookieStore(
     const base::FilePath& path,
     bool restore_old_session_cookies,
     quota::SpecialStoragePolicy* storage_policy,
     net::CookieMonster::Delegate* cookie_monster_delegate,
-    const scoped_refptr<base::SequencedTaskRunner>& background_task_runner) {
+    const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
+    CookieCryptoDelegate* crypto_delegate) {
   SQLitePersistentCookieStore* persistent_store =
       new SQLitePersistentCookieStore(
           path,
           BrowserThread::GetMessageLoopProxyForThread(BrowserThread::IO),
           background_task_runner.get() ? background_task_runner :
               BrowserThread::GetBlockingPool()->GetSequencedTaskRunner(
                   BrowserThread::GetBlockingPool()->GetSequenceToken()),
           restore_old_session_cookies,
-          storage_policy);
+          storage_policy,
+          crypto_delegate);
   net::CookieMonster* cookie_monster =
       new net::CookieMonster(persistent_store, cookie_monster_delegate);
 
   const std::string cookie_priority_experiment_group =
       base::FieldTrialList::FindFullName("CookieRetentionPriorityStudy");
   cookie_monster->SetPriorityAwareGarbageCollection(
       cookie_priority_experiment_group == "ExperimentOn");
 
   return cookie_monster;
 }
 
 }  // namespace content