Page MenuHomePhabricator
Differential D4846

Check for the case of database encrypted with key that is lost
ClosedPublic
Actions

Authored by marcin on Aug 16 2022, 2:30 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 5:47 PM
Unknown Object (File)
Mon, Apr 29, 1:35 AM
Unknown Object (File)
Apr 18 2024, 2:07 PM
View All Files
Subscribers
abosh
adrian
ashoat
atul

Details

Reviewers
tomek
jon
ashoat
Commits
rCOMM0dbcf0262f50: Check for the case of database encrypted with key that is lost
Summary

Previous version of "validate_encryption" function ignored the case of database that is actually encrypted but with encryption key that is no longer available. If the database is unencrypted then we can attempt encryption process. If the database is encrypted with encryption key that is not longer available then encryption process will be constantly failing and app becomes useless. We didn’t encounter such a case yet but now that we want to create new encryption key every time user logs out we need to be prepared for such unfortunate scenario.

Test Plan

Uninstall the app. Comment out code that retrieves encryption key from secure store and hardcode some random 64-character hex string. Build the app. Kill the app, bring encryption key retrieval back and bud the app again (remember not to uninstall it at tis stage!!!). Without changes from this differential app will be constantly crashing on every launch. With changes from this differential app will work correctly.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

marcin created this revision.Aug 16 2022, 2:30 AM
Herald added subscribers: abosh, atul, adrian, ashoat. · View Herald TranscriptAug 16 2022, 2:30 AM
marcin updated this revision to Diff 15642.Aug 16 2022, 2:31 AM

Rebase to update commit with differential link

marcin added a parent revision: D4664: Ensure new encryption key is generated every time iOS/Android application creates database for the first time.Aug 16 2022, 2:32 AM
marcin added a child revision: D4728: Introduce and implement 'clearSensitiveData' method in DetabaseQueryExecutor and SQLiteQueryExecutor.
marcin edited the test plan for this revision. (Show Details)Aug 16 2022, 2:37 AM
Harbormaster completed remote builds in B11374: Diff 15641.Aug 16 2022, 2:39 AM
Harbormaster completed remote builds in B11375: Diff 15642.
marcin requested review of this revision.Aug 16 2022, 2:41 AM
marcin edited the test plan for this revision. (Show Details)Aug 16 2022, 2:59 AM
tomek requested changes to this revision.Aug 22 2022, 6:52 AM
tomek added a reviewer: ashoat.

This logic seems to be correct, but it is hard to follow it. Could you refactor this code so that it becomes more readable? Things to consider:

  1. We check if db is not encrypted, then if it is encrypted, then use the result of 2nd check and then of the 1st. Readability suffers if we compute something and use it a lot later.
  2. It's hard to notice a difference between first check and 2nd check. Maybe we can create some functions for them? Or we can consider creating a function with common part?

Adding @ashoat because deleting the db is something serious, but we don't have any other option when a key is missing. Also there should be a backup somewhere, so I think this approach makes sense, but wanted to make sure.

native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
362 ↗(On Diff #15642)

Shouldn't we check the content of this error? Are there any other scenarios which result with this error that are not related to encryption?

This revision now requires changes to proceed.Aug 22 2022, 6:52 AM
ashoat added a comment.Aug 22 2022, 7:19 PM

Agree with @tomek

marcin added a comment.Aug 25 2022, 4:07 AM
In D4846#141932, @tomek wrote:

This logic seems to be correct, but it is hard to follow it. Could you refactor this code so that it becomes more readable? Things to consider:

  1. We check if db is not encrypted, then if it is encrypted, then use the result of 2nd check and then of the 1st. Readability suffers if we compute something and use it a lot later.

A remedy for this is to change the order of checks. Fist we check if the database is correctly encrypted with current encryption key (by running some select with encryption key being set). If this check fails then we advance to the second check where we try some select on database without setting encryption key first. If the second succeeds we continue with encryption process. If it fails then database is encrypted with encryption key that is no longer available and must be deleted.

  1. It's hard to notice a difference between first check and 2nd check. Maybe we can create some functions for them? Or we can consider creating a function with common part?

I will consider both options and introduce one of them.

marcin updated this revision to Diff 15983.Aug 25 2022, 6:12 AM

Refactor for readability and code redundance reduction

Harbormaster completed remote builds in B11620: Diff 15983.Aug 25 2022, 6:24 AM
marcin added inline comments.Aug 25 2022, 7:33 AM
native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
362 ↗(On Diff #15642)

There are 28 error code for sqlite3_exec. The one we are actually looking for is: https://www.sqlite.org/rescode.html#notadb. It is reasonable to check for this particular code and throw in the case of others. But if we do so then we must update the code that was landed 7 moths ago which checks whether encryption key is correct. But there is one thing to note here. SQLCipher documentation does not specify https://www.sqlite.org/rescode.html#notadb. It was error code I was always seeing when testing, so it is my guess that https://www.sqlite.org/rescode.html#notadb is a code returned when running select on encrypted database without correct encryption key set.

marcin removed a child revision: D4728: Introduce and implement 'clearSensitiveData' method in DetabaseQueryExecutor and SQLiteQueryExecutor.Aug 26 2022, 4:56 AM
marcin added a child revision: D4957: Introduce utility function to temporarily attach thread to JVM.
ashoat resigned from this revision.Aug 26 2022, 11:21 AM

Defer to @tomek, but this generally looks good

native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
329 ↗(On Diff #15983)

Link the docs

tomek requested changes to this revision.Aug 29 2022, 3:47 AM
tomek added inline comments.
native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
337–340 ↗(On Diff #15983)

If we have a pattern if (sth) return false; else return true; we can simplify it by returning !sth directly.

381–387 ↗(On Diff #15983)

Is this logic correct? Here, if the database exists and is encrypted by a lost key, we delete the file so that in the subsequent code the file doesn't exist. This is a different behavior comparing to what we do in lines 368-371 where we exit if the db file doesn't exist.

This revision now requires changes to proceed.Aug 29 2022, 3:47 AM
Herald added a reviewer: jon. · View Herald TranscriptAug 29 2022, 3:47 AM
marcin added inline comments.Aug 29 2022, 5:22 AM
native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
381–387 ↗(On Diff #15983)

It is not incorrect but indeed inconsistent. When we exit in 368-371 we continue to execute the body of SQLiteQueryExecutor->migrate() which calls set_encryption_key and then sqlite3_open(...). This creates new database that is encrypted from the beginning. Here we do not exit but call sqlite3_open(...) (which creates new unencrypted database) and run encrypting code. The logic is not incorrect since we exit validate_encryption function with new encrypted database. But we should be consistent here end return after deleting database. Then we will exit validate_encryption without any database and let rest of SQLiteQueryExecutor->migrate() create new encrypted one.

marcin updated this revision to Diff 16056.Aug 29 2022, 5:38 AM

Return if needed to delete database. Simplify return statement in 'is_database_queryable'.

Harbormaster completed remote builds in B11680: Diff 16056.Aug 29 2022, 5:48 AM
tomek accepted this revision.Aug 29 2022, 9:20 AM
This revision is now accepted and ready to land.Aug 29 2022, 9:20 AM
marcin added inline comments.Aug 30 2022, 4:32 AM
native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
329 ↗(On Diff #15983)

https://www.zetetic.net/sqlcipher/sqlcipher-api/#testing-the-key
We used this way of encryption key correctness validation in D2874

marcin updated this revision to Diff 16305.Sep 5 2022, 4:56 AM

Rebase on master

Harbormaster completed remote builds in B11873: Diff 16305.Sep 5 2022, 5:05 AM
Closed by commit rCOMM0dbcf0262f50: Check for the case of database encrypted with key that is lost (authored by marcin). · Explain WhySep 5 2022, 7:03 AM
This revision was automatically updated to reflect the committed changes.
marcin added a commit: rCOMM0dbcf0262f50: Check for the case of database encrypted with key that is lost.
ashoat added inline comments.Sep 15 2022, 5:59 AM
native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
329 ↗(On Diff #15983)

Should have clarified that I wanted you to link the docs from the code comment

Revision Contents
Changeset List

PathSize
native/
cpp/
CommonCpp/
DatabaseManagers/
45 lines

Diff 16320

View Options

native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp

Loading...