 Chromium Code Reviews
 Chromium Code Reviews Issue 24734007:
  Encrypt all stored cookies on selected operating systems.  (Closed) 
  Base URL: svn://svn.chromium.org/chrome/trunk/src
    
  
    Issue 24734007:
  Encrypt all stored cookies on selected operating systems.  (Closed) 
  Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: content/browser/net/sqlite_persistent_cookie_store.cc | 
| diff --git a/content/browser/net/sqlite_persistent_cookie_store.cc b/content/browser/net/sqlite_persistent_cookie_store.cc | 
| index 517a8c18a1646d10af600c125a9e1b00d754d606..bdc25a24f8ce60ce34f4229420afdccc1d887069 100644 | 
| --- a/content/browser/net/sqlite_persistent_cookie_store.cc | 
| +++ b/content/browser/net/sqlite_persistent_cookie_store.cc | 
| @@ -27,6 +27,7 @@ | 
| #include "base/threading/sequenced_worker_pool.h" | 
| #include "base/time/time.h" | 
| #include "content/public/browser/browser_thread.h" | 
| +#include "content/public/browser/cookie_crypto_delegate.h" | 
| #include "content/public/browser/cookie_store_factory.h" | 
| #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 
| #include "net/cookies/canonical_cookie.h" | 
| @@ -74,7 +75,8 @@ class SQLitePersistentCookieStore::Backend | 
| const scoped_refptr<base::SequencedTaskRunner>& client_task_runner, | 
| const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, | 
| bool restore_old_session_cookies, | 
| - quota::SpecialStoragePolicy* special_storage_policy) | 
| + quota::SpecialStoragePolicy* special_storage_policy, | 
| + CookieCryptoDelegate* crypto_delegate) | 
| : path_(path), | 
| num_pending_(0), | 
| force_keep_session_state_(false), | 
| @@ -86,7 +88,8 @@ class SQLitePersistentCookieStore::Backend | 
| client_task_runner_(client_task_runner), | 
| background_task_runner_(background_task_runner), | 
| num_priority_waiting_(0), | 
| - total_priority_requests_(0) {} | 
| + total_priority_requests_(0), | 
| + crypto_(crypto_delegate) {} | 
| // Creates or loads the SQLite database. | 
| void Load(const LoadedCallback& loaded_callback); | 
| @@ -269,6 +272,9 @@ class SQLitePersistentCookieStore::Backend | 
| // The cumulative duration of time when |num_priority_waiting_| was greater | 
| // than 1. | 
| base::TimeDelta priority_wait_duration_; | 
| + // Class with functions that do cryptographic operations (for protecting | 
| + // cookies stored persistently). | 
| + scoped_ptr<CookieCryptoDelegate> crypto_; | 
| DISALLOW_COPY_AND_ASSIGN(Backend); | 
| }; | 
| @@ -277,6 +283,9 @@ namespace { | 
| // Version number of the database. | 
| // | 
| +// Version 7 adds encrypted values. Old values will continue to be used but | 
| +// all new values written will be encrypted on selected operating systems. | 
| +// | 
| // Version 6 adds cookie priorities. This allows developers to influence the | 
| // order in which cookies are evicted in order to meet domain cookie limits. | 
| // | 
| @@ -293,7 +302,7 @@ namespace { | 
| // Version 3 updated the database to include the last access time, so we can | 
| // expire them in decreasing order of use when we've reached the maximum | 
| // number of cookies. | 
| -const int kCurrentVersionNumber = 6; | 
| +const int kCurrentVersionNumber = 7; | 
| const int kCompatibleVersionNumber = 5; | 
| // Possible values for the 'priority' column. | 
| @@ -367,10 +376,11 @@ bool InitTable(sql::Connection* db) { | 
| "expires_utc INTEGER NOT NULL," | 
| "secure INTEGER NOT NULL," | 
| "httponly INTEGER NOT NULL," | 
| - "last_access_utc INTEGER NOT NULL, " | 
| - "has_expires INTEGER NOT NULL DEFAULT 1, " | 
| + "last_access_utc INTEGER NOT NULL," | 
| + "has_expires INTEGER NOT NULL DEFAULT 1," | 
| "persistent INTEGER NOT NULL DEFAULT 1," | 
| - "priority INTEGER NOT NULL DEFAULT %d)", | 
| + "priority INTEGER NOT NULL DEFAULT %d," | 
| + "encrypted_value BLOB NOT NULL)", | 
| CookiePriorityToDBCookiePriority(net::COOKIE_PRIORITY_DEFAULT))); | 
| if (!db->Execute(stmt.c_str())) | 
| return false; | 
| @@ -679,15 +689,16 @@ bool SQLitePersistentCookieStore::Backend::LoadCookiesForDomains( | 
| if (restore_old_session_cookies_) { | 
| smt.Assign(db_->GetCachedStatement( | 
| SQL_FROM_HERE, | 
| - "SELECT creation_utc, host_key, name, value, path, expires_utc, " | 
| - "secure, httponly, last_access_utc, has_expires, persistent, priority " | 
| - "FROM cookies WHERE host_key = ?")); | 
| + "SELECT creation_utc, host_key, name, value, encrypted_value, path, " | 
| + "expires_utc, secure, httponly, last_access_utc, has_expires, " | 
| + "persistent, priority FROM cookies WHERE host_key = ?")); | 
| } else { | 
| smt.Assign(db_->GetCachedStatement( | 
| SQL_FROM_HERE, | 
| - "SELECT creation_utc, host_key, name, value, path, expires_utc, " | 
| - "secure, httponly, last_access_utc, has_expires, persistent, priority " | 
| - "FROM cookies WHERE host_key = ? AND persistent = 1")); | 
| + "SELECT creation_utc, host_key, name, value, encrypted_value, path, " | 
| + "expires_utc, secure, httponly, last_access_utc, has_expires, " | 
| + "persistent, priority FROM cookies WHERE host_key = ? " | 
| + "AND persistent = 1")); | 
| } | 
| if (!smt.is_valid()) { | 
| smt.Clear(); // Disconnect smt_ref from db_. | 
| @@ -701,20 +712,28 @@ bool SQLitePersistentCookieStore::Backend::LoadCookiesForDomains( | 
| for (; it != domains.end(); ++it) { | 
| smt.BindString(0, *it); | 
| while (smt.Step()) { | 
| + std::string value; | 
| + std::string encrypted_value = smt.ColumnString(4); | 
| + DCHECK(encrypted_value.empty() || crypto_.get() != NULL); | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
I can see that this condition corresponds to failu
 
bcwhite
2013/10/08 18:23:36
I like it.  Done.
 | 
| + if (!encrypted_value.empty() && crypto_.get()) { | 
| + crypto_->DecryptString(encrypted_value, &value); | 
| + } else { | 
| + value = smt.ColumnString(3); | 
| + } | 
| scoped_ptr<net::CanonicalCookie> cc(new net::CanonicalCookie( | 
| // The "source" URL is not used with persisted cookies. | 
| GURL(), // Source | 
| smt.ColumnString(2), // name | 
| - smt.ColumnString(3), // value | 
| + value, // value | 
| smt.ColumnString(1), // domain | 
| - smt.ColumnString(4), // path | 
| + smt.ColumnString(5), // path | 
| Time::FromInternalValue(smt.ColumnInt64(0)), // creation_utc | 
| - Time::FromInternalValue(smt.ColumnInt64(5)), // expires_utc | 
| - Time::FromInternalValue(smt.ColumnInt64(8)), // last_access_utc | 
| - smt.ColumnInt(6) != 0, // secure | 
| - smt.ColumnInt(7) != 0, // httponly | 
| + Time::FromInternalValue(smt.ColumnInt64(6)), // expires_utc | 
| + Time::FromInternalValue(smt.ColumnInt64(9)), // last_access_utc | 
| + smt.ColumnInt(7) != 0, // secure | 
| + smt.ColumnInt(8) != 0, // httponly | 
| DBCookiePriorityToCookiePriority( | 
| - static_cast<DBCookiePriority>(smt.ColumnInt(11))))); // priority | 
| + static_cast<DBCookiePriority>(smt.ColumnInt(12))))); // priority | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
Not a review comment, just a suggestion that you m
 
bcwhite
2013/10/08 18:23:36
I've put "encrypted_value" next to "value" just be
 
Scott Hess - ex-Googler
2013/10/08 19:13:51
It's all synthetic all the way down, SQLite and th
 | 
| DLOG_IF(WARNING, | 
| cc->CreationDate() > Time::Now()) << L"CreationDate too recent"; | 
| cookies_per_origin_[CookieOrigin(cc->Domain(), cc->IsSecure())]++; | 
| @@ -837,6 +856,27 @@ bool SQLitePersistentCookieStore::Backend::EnsureDatabaseVersion() { | 
| base::TimeTicks::Now() - start_time); | 
| } | 
| + if (cur_version == 6) { | 
| + const base::TimeTicks start_time = base::TimeTicks::Now(); | 
| + sql::Transaction transaction(db_.get()); | 
| + if (!transaction.Begin()) | 
| + return false; | 
| + // Alter the table to add empty "encrypted value" column. | 
| + std::string stmt(base::StringPrintf( | 
| + "ALTER TABLE cookies ADD COLUMN encrypted_value BLOB DEFAULT ''")); | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
There's really no reason to StringPrintf() this, i
 
bcwhite
2013/10/08 18:23:36
True.  I'd just copied it from above.  Done.
 | 
| + if (!db_->Execute(stmt.c_str())) { | 
| + LOG(WARNING) << "Unable to update cookie database to version 7."; | 
| + return false; | 
| + } | 
| + ++cur_version; | 
| + meta_table_.SetVersionNumber(cur_version); | 
| + meta_table_.SetCompatibleVersionNumber( | 
| + std::min(cur_version, kCompatibleVersionNumber)); | 
| + transaction.Commit(); | 
| + UMA_HISTOGRAM_TIMES("Cookie.TimeDatabaseMigrationToV7", | 
| + base::TimeTicks::Now() - start_time); | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
I think it's interesting that we're histogramming
 
erikwright (departed)
2013/10/08 18:41:53
I'll take a look at how useful this actually is. I
 
Scott Hess - ex-Googler
2013/10/08 19:13:51
If it is kept, then obviously a histograms.xml cha
 | 
| + } | 
| + | 
| // Put future migration cases here. | 
| if (cur_version < kCurrentVersionNumber) { | 
| @@ -921,10 +961,10 @@ void SQLitePersistentCookieStore::Backend::Commit() { | 
| return; | 
| sql::Statement add_smt(db_->GetCachedStatement(SQL_FROM_HERE, | 
| - "INSERT INTO cookies (creation_utc, host_key, name, value, path, " | 
| - "expires_utc, secure, httponly, last_access_utc, has_expires, " | 
| - "persistent, priority) " | 
| - "VALUES (?,?,?,?,?,?,?,?,?,?,?,?)")); | 
| + "INSERT INTO cookies (creation_utc, host_key, name, value, " | 
| + "encrypted_value, path, expires_utc, secure, httponly, last_access_utc, " | 
| + "has_expires, persistent, priority) " | 
| + "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)")); | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
My earlier comment about ordering also applies her
 | 
| if (!add_smt.is_valid()) | 
| return; | 
| @@ -954,16 +994,27 @@ void SQLitePersistentCookieStore::Backend::Commit() { | 
| add_smt.BindInt64(0, po->cc().CreationDate().ToInternalValue()); | 
| add_smt.BindString(1, po->cc().Domain()); | 
| add_smt.BindString(2, po->cc().Name()); | 
| - add_smt.BindString(3, po->cc().Value()); | 
| - add_smt.BindString(4, po->cc().Path()); | 
| - add_smt.BindInt64(5, po->cc().ExpiryDate().ToInternalValue()); | 
| - add_smt.BindInt(6, po->cc().IsSecure()); | 
| - add_smt.BindInt(7, po->cc().IsHttpOnly()); | 
| - add_smt.BindInt64(8, po->cc().LastAccessDate().ToInternalValue()); | 
| - add_smt.BindInt(9, po->cc().IsPersistent()); | 
| + if (crypto_.get()) { | 
| + std::string encrypted_value; | 
| + add_smt.BindString(3, std::string()); // value | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
BindCString(3, "");
 
bcwhite
2013/10/08 18:23:36
Done.
 | 
| + crypto_->EncryptString(po->cc().Value(), &encrypted_value); | 
| + // BindBlob() calls sqlite3_bind_blob() with SQLITE_TRANSIENT and so | 
| + // immediately makes an internal copy of the data. | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
I think you can trim this to "BindBlob() makes a c
 
bcwhite
2013/10/08 18:23:36
Done.
 | 
| + add_smt.BindBlob(4, encrypted_value.data(), | 
| + static_cast<int>(encrypted_value.length())); | 
| + } else { | 
| + add_smt.BindString(3, po->cc().Value()); | 
| + add_smt.BindBlob(4, "", 0); // encrypted_value | 
| 
Scott Hess - ex-Googler
2013/10/08 17:35:55
With the CREATE change, I think this should be Bin
 | 
| + } | 
| + add_smt.BindString(5, po->cc().Path()); | 
| + add_smt.BindInt64(6, po->cc().ExpiryDate().ToInternalValue()); | 
| + add_smt.BindInt(7, po->cc().IsSecure()); | 
| + add_smt.BindInt(8, po->cc().IsHttpOnly()); | 
| + add_smt.BindInt64(9, po->cc().LastAccessDate().ToInternalValue()); | 
| add_smt.BindInt(10, po->cc().IsPersistent()); | 
| + add_smt.BindInt(11, po->cc().IsPersistent()); | 
| add_smt.BindInt( | 
| - 11, CookiePriorityToDBCookiePriority(po->cc().Priority())); | 
| + 12, CookiePriorityToDBCookiePriority(po->cc().Priority())); | 
| if (!add_smt.Run()) | 
| NOTREACHED() << "Could not add a cookie to the DB."; | 
| break; | 
| @@ -1149,12 +1200,14 @@ SQLitePersistentCookieStore::SQLitePersistentCookieStore( | 
| const scoped_refptr<base::SequencedTaskRunner>& client_task_runner, | 
| const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, | 
| bool restore_old_session_cookies, | 
| - quota::SpecialStoragePolicy* special_storage_policy) | 
| + quota::SpecialStoragePolicy* special_storage_policy, | 
| + CookieCryptoDelegate* crypto_delegate) | 
| : backend_(new Backend(path, | 
| client_task_runner, | 
| background_task_runner, | 
| restore_old_session_cookies, | 
| - special_storage_policy)) { | 
| + special_storage_policy, | 
| + crypto_delegate)) { | 
| } | 
| void SQLitePersistentCookieStore::Load(const LoadedCallback& loaded_callback) { | 
| @@ -1199,7 +1252,8 @@ net::CookieStore* CreatePersistentCookieStore( | 
| bool restore_old_session_cookies, | 
| quota::SpecialStoragePolicy* storage_policy, | 
| net::CookieMonster::Delegate* cookie_monster_delegate, | 
| - const scoped_refptr<base::SequencedTaskRunner>& background_task_runner) { | 
| + const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, | 
| + CookieCryptoDelegate* crypto_delegate) { | 
| SQLitePersistentCookieStore* persistent_store = | 
| new SQLitePersistentCookieStore( | 
| path, | 
| @@ -1208,7 +1262,8 @@ net::CookieStore* CreatePersistentCookieStore( | 
| BrowserThread::GetBlockingPool()->GetSequencedTaskRunner( | 
| BrowserThread::GetBlockingPool()->GetSequenceToken()), | 
| restore_old_session_cookies, | 
| - storage_policy); | 
| + storage_policy, | 
| + crypto_delegate); | 
| net::CookieMonster* cookie_monster = | 
| new net::CookieMonster(persistent_store, cookie_monster_delegate); |