mozilla-mobile · garvankeeley · Jan 8, 2020 · Jan 6, 2020 · Jan 8, 2020
diff --git a/Cartfile b/Cartfile
@@ -16,7 +16,7 @@ github "Leanplum/Leanplum-iOS-SDK"          ~> 2.6.0
 github "mozilla-services/shavar-prod-lists" "master"
 
 # Use release version of application-services
-github "mozilla/application-services"      "v0.47.0"
+github "mozilla/application-services"      "v0.48.0"
 
 # Use interim binary version of application-services
 # binary "https://circleci.com/api/v1.1/project/github/mozilla/application-services/2862/artifacts/0/dist/mozilla.app-services.json" ~> 0.0.1-snapshot # mozilla/application-services@fb5c540e99133980911216055425688f22a27be2
diff --git a/Cartfile.resolved b/Cartfile.resolved
@@ -15,5 +15,5 @@ github "kif-framework/KIF" "v3.7.8"
 github "mozilla-mobile/MappaMundi" "1d17845e4bd6077d790aca5a2b4a468f19567934"
 github "mozilla-mobile/telemetry-ios" "v1.1.2"
 github "mozilla-services/shavar-prod-lists" "08fd0d2edda7e4029a738be20bb5c9cd9ef278c3"
-github "mozilla/application-services" "v0.47.0"
+github "mozilla/application-services" "v0.48.0"
 github "swisspol/GCDWebServer" "3.5.3"
diff --git a/ClientTests/MockProfile.swift b/ClientTests/MockProfile.swift
@@ -122,7 +122,9 @@ open class MockProfile: Client.Profile {
         files = MockFiles()
         syncManager = MockSyncManager()
         let loginsDatabasePath = URL(fileURLWithPath: (try! files.getAndEnsureDirectory()), isDirectory: true).appendingPathComponent("\(databasePrefix)_logins.db").path
-        logins = RustLogins(databasePath: loginsDatabasePath, encryptionKey: "AAAAAAAA")
+        let encryptionKey = "AAAAAAAA"
+        let salt = RustLogins.setupPlaintextHeaderAndGetSalt(databasePath: loginsDatabasePath, encryptionKey: encryptionKey)
+        logins = RustLogins(databasePath: loginsDatabasePath, encryptionKey: encryptionKey, salt: salt)
         db = BrowserDB(filename: "\(databasePrefix).db", schema: BrowserSchema(), files: files)
         readingListDB = BrowserDB(filename: "\(databasePrefix)_ReadingList.db", schema: ReadingListSchema(), files: files)
         let placesDatabasePath = URL(fileURLWithPath: (try! files.getAndEnsureDirectory()), isDirectory: true).appendingPathComponent("\(databasePrefix)_places.db").path

diff --git a/Providers/Profile.swift b/Providers/Profile.swift
@@ -551,7 +551,19 @@ open class BrowserProfile: Profile {
 
     lazy var logins: RustLogins = {
         let databasePath = URL(fileURLWithPath: (try! files.getAndEnsureDirectory()), isDirectory: true).appendingPathComponent("logins.db").path
-        return RustLogins(databasePath: databasePath, encryptionKey: BrowserProfile.loginsKey)
+
+        let salt: String
+        let key = "sqlcipher.key.logins.salt"
+        let keychain = KeychainWrapper.sharedAppContainerKeychain
+        keychain.ensureStringItemAccessibility(.afterFirstUnlock, forKey: key)
+        if keychain.hasValue(forKey: key), let val = keychain.string(forKey: key) {
+            salt = val
+        } else {
+            salt = RustLogins.setupPlaintextHeaderAndGetSalt(databasePath: databasePath, encryptionKey: BrowserProfile.loginsKey)
+            keychain.set(salt, forKey: key, withAccessibility: .afterFirstUnlock)
+        }
+
+        return RustLogins(databasePath: databasePath, encryptionKey: BrowserProfile.loginsKey, salt: salt)
     }()
 
     static var isChinaEdition: Bool = {

diff --git a/Storage/Rust/RustLogins.swift b/Storage/Rust/RustLogins.swift
@@ -85,6 +85,7 @@ public class LoginRecordError: MaybeErrorType {
 public class RustLogins {
     let databasePath: String
     let encryptionKey: String
+    let salt: String
 
     let queue: DispatchQueue
     let storage: LoginsStorage
@@ -93,17 +94,37 @@ public class RustLogins {
 
     private var didAttemptToMoveToBackup = false
 
-    public init(databasePath: String, encryptionKey: String) {
+    public init(databasePath: String, encryptionKey: String, salt: String) {
         self.databasePath = databasePath
         self.encryptionKey = encryptionKey
+        self.salt = salt
 
         self.queue =  DispatchQueue(label: "RustLogins queue: \(databasePath)", attributes: [])
         self.storage = LoginsStorage(databasePath: databasePath)
     }
 
+    // Migrate and return the salt, or create a new salt
+    // Also, in the event of an error, returns a new salt.
+    public static func setupPlaintextHeaderAndGetSalt(databasePath: String, encryptionKey: String) -> String {
+        do {
+            if FileManager.default.fileExists(atPath: databasePath) {
+                let db = LoginsStorage(databasePath: databasePath)
+                let salt = try db.getDbSaltForKey(key: encryptionKey)
+                try db.migrateToPlaintextHeader(key: encryptionKey, salt: salt)
+                return salt
+            }
+        } catch {
+            print(error)
+            Sentry.shared.send(message: "setupPlaintextHeaderAndGetSalt failed", tag: SentryTag.rustLogins, severity: .error, description: error.localizedDescription)
+        }
+        let saltOf32Chars = UUID().uuidString.replacingOccurrences(of: "-", with: "")
+        return saltOf32Chars
+    }
+
+    // Open the db, and if it fails, it moves the db and creates a new db file and opens it.
     private func open() -> NSError? {
         do {
-            try storage.unlock(withEncryptionKey: encryptionKey)
+            try storage.unlockWithKeyAndSalt(key: encryptionKey, salt: salt)
             isOpen = true
             return nil
         } catch let err as NSError {

diff --git a/StorageTests/RustLoginsTests.swift b/StorageTests/RustLoginsTests.swift
@@ -18,7 +18,8 @@ class RustLoginsTests: XCTestCase {
         try? files.remove("testlogins.db")
 
         let encryptionKey = Bytes.generateRandomBytes(256).base64EncodedString
-        logins = RustLogins(databasePath: databasePath, encryptionKey: encryptionKey)
+        let salt = RustLogins.setupPlaintextHeaderAndGetSalt(databasePath: databasePath, encryptionKey: encryptionKey)
+        logins = RustLogins(databasePath: databasePath, encryptionKey: encryptionKey, salt: salt)
         _ = logins.reopenIfClosed()
     }