diff options
author | Jack Lloyd <[email protected]> | 2017-11-26 22:11:07 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-11-26 22:11:07 -0500 |
commit | 2fd7930984f57b203e2d412f62fc1849dcc61784 (patch) | |
tree | 9ca33fde7047cb1c782c454a1afc1ab5419c2023 | |
parent | 4d506eb8bcfba4a706a63fa36a3e0398450ee1d7 (diff) | |
parent | 9df1c8dab0c3b7218cbf40d743d73e9bd36c24cd (diff) |
Merge GH #1302 Add PSK database interface
-rw-r--r-- | doc/manual/cli.rst | 36 | ||||
-rw-r--r-- | doc/manual/contents.rst | 1 | ||||
-rw-r--r-- | doc/manual/psk_db.rst | 108 | ||||
-rw-r--r-- | src/cli/psk.cpp | 86 | ||||
-rw-r--r-- | src/lib/psk_db/info.txt | 10 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db.cpp | 104 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db.h | 146 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db_sql.cpp | 69 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db_sql.h | 34 | ||||
-rw-r--r-- | src/lib/utils/database.h | 2 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.cpp | 13 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.h | 1 | ||||
-rw-r--r-- | src/tests/test_psk_db.cpp | 248 |
13 files changed, 853 insertions, 5 deletions
diff --git a/doc/manual/cli.rst b/doc/manual/cli.rst index 71e3b17c6..72e3d3b31 100644 --- a/doc/manual/cli.rst +++ b/doc/manual/cli.rst @@ -14,15 +14,16 @@ The CLI offers access to the following functionalities: - TLS server/client - Primality testing, prime factorization and prime sampling +.. highlight:: sh + General Command Usage --------------------------------- -All commands follow the predefined syntax - -.. code-block:: sh +All commands follow the predefined syntax:: $ botan <command> <command-options> -and are listed whith their available arguments when botan is called with an invalid or without a command. +and are listed with their available arguments when ``botan`` is called +with an unknown command, or without any command, or with ``--help``. Hash ---------------- @@ -128,6 +129,33 @@ Number Theory ``gen_prime --count=1 bits`` Samples *count* primes with a length of *bits* bits. +PSK Database +-------------------- + +Only available if sqlite3 support was compiled in. + +``psk_set db db_key name psk`` + + Using the PSK database named db and encrypting under the (hex) key ``db_key``, + save the provided psk (also hex) under ``name``:: + + $ botan psk_set psk.db deadba55 bunny f00fee + +``psk_get db db_key name`` + + Get back a value saved with ``psk_set``:: + + $ botan psk_get psk.db deadba55 bunny + f00fee + +``psk_list db db_key`` + + List all values saved to the database under the given key:: + + $ botan psk_list psk.db deadba55 + bunny + + Miscellaneous Commands ------------------------------------- ``version --full`` diff --git a/doc/manual/contents.rst b/doc/manual/contents.rst index 0c9ac4b7f..48e6edbfe 100644 --- a/doc/manual/contents.rst +++ b/doc/manual/contents.rst @@ -27,6 +27,7 @@ Contents passhash cryptobox srp + psk_db fpe compression pkcs11 diff --git a/doc/manual/psk_db.rst b/doc/manual/psk_db.rst new file mode 100644 index 000000000..2668c6bad --- /dev/null +++ b/doc/manual/psk_db.rst @@ -0,0 +1,108 @@ +PSK Database +====================== + +.. versionadded:: 2.4.0 + +Many applications need to store pre-shared keys (hereafter PSKs) for +authentication purposes. + +An abstract interface to PSK stores is provided in ``psk_db.h`` + +.. cpp:class:: PSK_Database + + .. cpp:function:: bool is_encrypted() const + + Returns true if (at least) the PSKs themselves are encrypted. Returns + false if PSKs are stored in plaintext. + + .. cpp:function:: std::set<std::string> list_names() const + + Return the set of valid names stored in the database, ie values for which + ``get`` will return a value. + + .. cpp:function:: void set(const std::string& name, const uint8_t psk[], size_t psk_len) + + Save a PSK. If ``name`` already exists, the current value will be + overwritten. + + .. cpp:function:: secure_vector<uint8_t> get(const std::string& name) const + + Return a value saved with ``set``. Throws an exception if ``name`` doesn't + exist. + + .. cpp:function:: void remove(const std::string& name) + + Remove ``name`` from the database. If ``name`` doesn't exist, ignores the request. + + .. cpp::function:: std::string get_str(const std::string& name) const + + Like ``get`` but casts the return value to a string. + + .. cpp:function:: void set_str(const std::string& name, const std::string& psk) + + Like ``set`` but accepts the psk as a string (eg for a password). + + .. cpp:function:: template<typename Alloc> void set_vec(const std::string& name, \ + const std::vector<uint8_t, Alloc>& psk) + + Like ``set`` but accepting a vector. + +The same header also provides a specific instantiation of ``PSK_Database`` which +encrypts both names and PSKs. It must be subclassed to provide the storage. + +.. cpp:class:: Encrypted_PSK_Database : public PSK_Database + + .. cpp:function:: Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key) + + Initializes or opens a PSK database. The master key is used the secure the + contents. It may be of any length. If encrypting PSKs under a passphrase, + use a suitable key derivation scheme (such as PBKDF2) to derive the secret + key. If the master key is lost, all PSKs stored are unrecoverable. + + Both names and values are encrypted using NIST key wrapping (see NIST + SP800-38F) with AES-256. First the master key is used with HMAC(SHA-256) + to derive two 256-bit keys, one for encrypting all names and the other to + key an instance of HMAC(SHA-256). Values are each encrypted under an + individual key created by hashing the encrypted name with HMAC. This + associates the encrypted key with the name, and prevents an attacker with + write access to the data store from taking an encrypted key associated + with one entity and copying it to another entity. + + Names and PSKs are both padded to the next multiple of 8 bytes, providing + some obfuscation of the length. + + One artifact of the names being encrypted is that is is possible to use + multiple different master keys with the same underlying storage. Each + master key will be responsible for a subset of the keys. An attacker who + knows one of the keys will be able to tell there are other values + encrypted under another key. + + .. cpp:function:: virtual void kv_set(const std::string& index, const std::string& value) = 0 + + Save an encrypted value. Both ``index`` and ``value`` will be non-empty + base64 encoded strings. + + .. cpp:function:: virtual std::string kv_get(const std::string& index) const = 0 + + Return a value saved with ``kv_set``, or return the empty string. + + .. cpp:function:: virtual void kv_del(const std::string& index) = 0 + + Remove a value saved with ``kv_set``. + + .. cpp:function:: virtual std::set<std::string> kv_get_all() const = 0 + + Return all active names (ie values for which ``kv_get`` will return a + non-empty string). + +A subclass of ``Encrypted_PSK_Database`` which stores data in a SQL database +is also available. This class is declared in ``psk_db_sql.h``: + +.. cpp:class:: Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database + + .. cpp:function:: Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, \ + std::shared_ptr<SQL_Database> db, \ + const std::string& table_name) + + Creates or uses the named table in ``db``. The SQL schema of the table is + ``(psk_name TEXT PRIMARY KEY, psk_value TEXT)``. diff --git a/src/cli/psk.cpp b/src/cli/psk.cpp new file mode 100644 index 000000000..d244acd8d --- /dev/null +++ b/src/cli/psk.cpp @@ -0,0 +1,86 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include "cli.h" + +#if defined(BOTAN_HAS_PSK_DB) && defined(BOTAN_HAS_SQLITE3) + +#include <botan/psk_db_sql.h> +#include <botan/sqlite3.h> +#include <botan/hex.h> + +namespace Botan_CLI { + +class PSK_Tool_Base : public Command + { + public: + PSK_Tool_Base(const std::string& spec) : Command(spec) {} + + void go() override + { + const std::string db_filename = get_arg("db"); + const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_arg("db_key")); + + std::shared_ptr<Botan::SQL_Database> db = std::make_shared<Botan::Sqlite3_Database>(db_filename); + Botan::Encrypted_PSK_Database_SQL psk(db_key, db, "psk"); + + psk_operation(psk); + } + + private: + virtual void psk_operation(Botan::PSK_Database& db) = 0; + }; + +class PSK_Tool_Set final : public PSK_Tool_Base + { + public: + PSK_Tool_Set() : PSK_Tool_Base("psk_set db db_key name psk") {} + + private: + void psk_operation(Botan::PSK_Database& db) override + { + const std::string name = get_arg("name"); + Botan::secure_vector<uint8_t> key = Botan::hex_decode_locked(get_arg("psk")); + db.set_vec(name, key); + } + }; + +class PSK_Tool_Get final : public PSK_Tool_Base + { + public: + PSK_Tool_Get() : PSK_Tool_Base("psk_get db db_key name") {} + + private: + void psk_operation(Botan::PSK_Database& db) override + { + const std::string name = get_arg("name"); + const Botan::secure_vector<uint8_t> val = db.get(name); + output() << Botan::hex_encode(val) << "\n"; + } + }; + +class PSK_Tool_List final : public PSK_Tool_Base + { + public: + PSK_Tool_List() : PSK_Tool_Base("psk_list db db_key") {} + + private: + void psk_operation(Botan::PSK_Database& db) override + { + const std::set<std::string> names = db.list_names(); + + for(std::string name : names) + output() << name << "\n"; + } + }; + +BOTAN_REGISTER_COMMAND("psk_set", PSK_Tool_Set); +BOTAN_REGISTER_COMMAND("psk_get", PSK_Tool_Get); +BOTAN_REGISTER_COMMAND("psk_list", PSK_Tool_List); + +} + +#endif diff --git a/src/lib/psk_db/info.txt b/src/lib/psk_db/info.txt new file mode 100644 index 000000000..814a30471 --- /dev/null +++ b/src/lib/psk_db/info.txt @@ -0,0 +1,10 @@ +<defines> +PSK_DB -> 20171119 +</defines> + +<requires> +aes +hmac +sha2_32 +nist_keywrap +</requires> diff --git a/src/lib/psk_db/psk_db.cpp b/src/lib/psk_db/psk_db.cpp new file mode 100644 index 000000000..af59d2954 --- /dev/null +++ b/src/lib/psk_db/psk_db.cpp @@ -0,0 +1,104 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db.h> +#include <botan/nist_keywrap.h> +#include <botan/base64.h> +#include <botan/mac.h> +#include <botan/block_cipher.h> + +namespace Botan { + +Encrypted_PSK_Database::Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key) + { + m_cipher = BlockCipher::create_or_throw("AES-256"); + m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)"); + m_hmac->set_key(master_key); + + m_cipher->set_key(m_hmac->process("wrap")); + m_hmac->set_key(m_hmac->process("hmac")); + } + +Encrypted_PSK_Database::~Encrypted_PSK_Database() + { + // for ~unique_ptr + } + +std::set<std::string> Encrypted_PSK_Database::list_names() const + { + const std::set<std::string> encrypted_names = kv_get_all(); + + std::set<std::string> names; + + for(std::string enc_name : encrypted_names) + { + try + { + const secure_vector<uint8_t> raw_name = base64_decode(enc_name); + const secure_vector<uint8_t> name_bits = + nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher); + + std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size()); + names.insert(pt_name); + } + catch(Integrity_Failure&) + { + } + } + + return names; + } + +void Encrypted_PSK_Database::remove(const std::string& name) + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + this->kv_del(base64_encode(wrapped_name)); + } + +secure_vector<uint8_t> Encrypted_PSK_Database::get(const std::string& name) const + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + const std::string val_base64 = kv_get(base64_encode(wrapped_name)); + + if(val_base64.empty()) + throw Invalid_Argument("Named PSK not located"); + + const secure_vector<uint8_t> val = base64_decode(val_base64); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + + return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher); + } + +void Encrypted_PSK_Database::set(const std::string& name, const uint8_t val[], size_t len) + { + /* + * Both as a basic precaution wrt key seperation, and specifically to prevent + * cut-and-paste attacks against the database, each PSK is encrypted with a + * distinct key which is derived by hashing the wrapped key name with HMAC. + */ + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher); + + this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key)); + } + +} diff --git a/src/lib/psk_db/psk_db.h b/src/lib/psk_db/psk_db.h new file mode 100644 index 000000000..fb20e9437 --- /dev/null +++ b/src/lib/psk_db/psk_db.h @@ -0,0 +1,146 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_H_ +#define BOTAN_PSK_DB_H_ + +#include <botan/secmem.h> +#include <memory> +#include <string> +#include <set> + +namespace Botan { + +class BlockCipher; +class MessageAuthenticationCode; + +/** +* This is an interface to a generic PSK (pre-shared key) database. +* It might be implemented as a plaintext storage or via some mechanism +* that encrypts the keys and/or values. +*/ +class BOTAN_PUBLIC_API(2,4) PSK_Database + { + public: + /** + * Return the set of names for which get() will return a value. + */ + virtual std::set<std::string> list_names() const = 0; + + /** + * Return the value associated with the specified @param name, or otherwise + * throw an exception. + */ + virtual secure_vector<uint8_t> get(const std::string& name) const = 0; + + /** + * Set a value that can later be accessed with get(). + * If name already exists in the database, the old value will be overwritten. + */ + virtual void set(const std::string& name, const uint8_t psk[], size_t psk_len) = 0; + + /** + * Remove a PSK from the database + */ + virtual void remove(const std::string& name) = 0; + + /** + * Returns if the values in the PSK database are encrypted. If + * false, saved values are being stored in plaintext. + */ + virtual bool is_encrypted() const = 0; + + /** + * Get a PSK in the form of a string (eg if the PSK is a password) + */ + std::string get_str(const std::string& name) const + { + secure_vector<uint8_t> psk = get(name); + return std::string(reinterpret_cast<const char*>(psk.data()), psk.size()); + } + + void set_str(const std::string& name, const std::string& psk) + { + set(name, reinterpret_cast<const uint8_t*>(psk.data()), psk.size()); + } + + template<typename Alloc> + void set_vec(const std::string& name, + const std::vector<uint8_t, Alloc>& psk) + + { + set(name, psk.data(), psk.size()); + } + + virtual ~PSK_Database() = default; + }; + +/** +* A mixin for an encrypted PSK database. +* Both keys and values are encrypted with NIST AES-256 key wrapping. +* Values are padded to obscure their length before encryption, allowing +* it to be used as a password vault. +* +* Subclasses must implement the virtual calls to handle storing and +* getting raw (base64 encoded) values. +*/ +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database : public PSK_Database + { + public: + /** + * @param master_key specifies the master key used to encrypt all + * keys and value. It can be of any length, but should be at least 256 bits. + * + * Subkeys for the cryptographic algorithms used are derived from this + * master key. No key stretching is performed; if encrypting a PSK database + * using a password, it is recommended to use PBKDF2 to derive the database + * master key. + */ + Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key); + + ~Encrypted_PSK_Database(); + + std::set<std::string> list_names() const override; + + secure_vector<uint8_t> get(const std::string& name) const override; + + void set(const std::string& name, const uint8_t psk[], size_t psk_len) override; + + void remove(const std::string& name) override; + + bool is_encrypted() const override { return true; } + + protected: + /** + * Save a encrypted (name.value) pair to the database. Both will be base64 encoded strings. + */ + virtual void kv_set(const std::string& index, const std::string& value) = 0; + + /** + * Get a value previously saved with set_raw_value. Should return an empty + * string if index is not found. + */ + virtual std::string kv_get(const std::string& index) const = 0; + + /** + * Remove an index + */ + virtual void kv_del(const std::string& index) = 0; + + /** + * Return all indexes in the table. + */ + virtual std::set<std::string> kv_get_all() const = 0; + + private: + std::unique_ptr<BlockCipher> m_cipher; + std::unique_ptr<MessageAuthenticationCode> m_hmac; + secure_vector<uint8_t> m_wrap_key; + }; + +} + +#endif diff --git a/src/lib/psk_db/psk_db_sql.cpp b/src/lib/psk_db/psk_db_sql.cpp new file mode 100644 index 000000000..3a43e7380 --- /dev/null +++ b/src/lib/psk_db/psk_db_sql.cpp @@ -0,0 +1,69 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db_sql.h> + +namespace Botan { + +Encrypted_PSK_Database_SQL::Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name) : + Encrypted_PSK_Database(master_key), + m_db(db), + m_table_name(table_name) + { + m_db->create_table( + "create table if not exists " + m_table_name + + "(psk_name TEXT PRIMARY KEY, psk_value TEXT)"); + } + +void Encrypted_PSK_Database_SQL::kv_del(const std::string& name) + { + auto stmt = m_db->new_statement("delete from " + m_table_name + " where psk_name=?1"); + stmt->bind(1, name); + stmt->spin(); + } + +void Encrypted_PSK_Database_SQL::kv_set(const std::string& name, const std::string& value) + { + auto stmt = m_db->new_statement("insert or replace into " + m_table_name + " values(?1, ?2)"); + + stmt->bind(1, name); + stmt->bind(2, value); + + stmt->spin(); + } + +std::string Encrypted_PSK_Database_SQL::kv_get(const std::string& name) const + { + auto stmt = m_db->new_statement("select psk_value from " + m_table_name + + " where psk_name = ?1"); + + stmt->bind(1, name); + + while(stmt->step()) + { + return stmt->get_str(0); + } + return ""; + } + +std::set<std::string> Encrypted_PSK_Database_SQL::kv_get_all() const + { + std::set<std::string> names; + + auto stmt = m_db->new_statement("select psk_name from " + m_table_name); + + while(stmt->step()) + { + names.insert(stmt->get_str(0)); + } + + return names; + } + +} + diff --git a/src/lib/psk_db/psk_db_sql.h b/src/lib/psk_db/psk_db_sql.h new file mode 100644 index 000000000..fddadfc30 --- /dev/null +++ b/src/lib/psk_db/psk_db_sql.h @@ -0,0 +1,34 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_SQL_H_ +#define BOTAN_PSK_DB_SQL_H_ + +#include <botan/psk_db.h> +#include <botan/database.h> + +namespace Botan { + +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database + { + public: + Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name); + + private: + void kv_set(const std::string& index, const std::string& value) override; + std::string kv_get(const std::string& index) const override; + void kv_del(const std::string& index) override; + std::set<std::string> kv_get_all() const override; + + std::shared_ptr<SQL_Database> m_db; + const std::string m_table_name; + }; + +} + +#endif diff --git a/src/lib/utils/database.h b/src/lib/utils/database.h index a90e9fbfd..21a207445 100644 --- a/src/lib/utils/database.h +++ b/src/lib/utils/database.h @@ -43,6 +43,8 @@ class BOTAN_PUBLIC_API(2,0) SQL_Database /* Get output */ virtual std::pair<const uint8_t*, size_t> get_blob(int column) = 0; + virtual std::string get_str(int column) = 0; + virtual size_t get_size_t(int column) = 0; /* Run to completion */ diff --git a/src/lib/utils/sqlite3/sqlite3.cpp b/src/lib/utils/sqlite3/sqlite3.cpp index 09a964a46..a1fdfaa21 100644 --- a/src/lib/utils/sqlite3/sqlite3.cpp +++ b/src/lib/utils/sqlite3/sqlite3.cpp @@ -7,6 +7,7 @@ #include <botan/sqlite3.h> #include <botan/exceptn.h> +#include <botan/mem_ops.h> #include <sqlite3.h> namespace Botan { @@ -108,7 +109,7 @@ void Sqlite3_Database::Sqlite3_Statement::bind(int column, const uint8_t* p, siz std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob(int column) { - BOTAN_ASSERT(::sqlite3_column_type(m_stmt, 0) == SQLITE_BLOB, + BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_BLOB, "Return value is a blob"); const void* session_blob = ::sqlite3_column_blob(m_stmt, column); @@ -120,6 +121,16 @@ std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob( static_cast<size_t>(session_blob_size)); } +std::string Sqlite3_Database::Sqlite3_Statement::get_str(int column) + { + BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_TEXT, + "Return value is text"); + + const unsigned char* str = ::sqlite3_column_text(m_stmt, column); + + return std::string(cast_uint8_ptr_to_char(str)); + } + size_t Sqlite3_Database::Sqlite3_Statement::get_size_t(int column) { BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_INTEGER, diff --git a/src/lib/utils/sqlite3/sqlite3.h b/src/lib/utils/sqlite3/sqlite3.h index 3f11b60e2..08a0f0ae7 100644 --- a/src/lib/utils/sqlite3/sqlite3.h +++ b/src/lib/utils/sqlite3/sqlite3.h @@ -38,6 +38,7 @@ class BOTAN_PUBLIC_API(2,0) Sqlite3_Database final : public SQL_Database void bind(int column, const uint8_t* data, size_t len) override; std::pair<const uint8_t*, size_t> get_blob(int column) override; + std::string get_str(int column) override; size_t get_size_t(int column) override; size_t spin() override; diff --git a/src/tests/test_psk_db.cpp b/src/tests/test_psk_db.cpp new file mode 100644 index 000000000..f9eb9d7e8 --- /dev/null +++ b/src/tests/test_psk_db.cpp @@ -0,0 +1,248 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include "tests.h" + +#if defined(BOTAN_HAS_PSK_DB) + +#include <botan/psk_db.h> + +#if defined(BOTAN_HAS_SQLITE3) + #include <botan/psk_db_sql.h> + #include <botan/sqlite3.h> +#endif + +namespace Botan_Tests { + +namespace { + +class Test_Map_PSK_Db : public Botan::Encrypted_PSK_Database + { + public: + Test_Map_PSK_Db(const Botan::secure_vector<uint8_t>& master_key) : + Botan::Encrypted_PSK_Database(master_key) + {} + + void test_entry(Test::Result& result, + const std::string& index, const std::string& value) + { + auto i = m_vals.find(index); + + if(i == m_vals.end()) + { + result.test_failure("Expected to find encrypted name " + index); + } + else + { + result.test_eq("Encrypted value", i->second, value); + } + } + + void kv_set(const std::string& index, const std::string& value) override + { + m_vals[index] = value; + } + + std::string kv_get(const std::string& index) const override + { + auto i = m_vals.find(index); + if(i == m_vals.end()) + return ""; + return i->second; + } + + void kv_del(const std::string& index) override + { + auto i = m_vals.find(index); + if(i != m_vals.end()) + { + m_vals.erase(i); + } + } + + std::set<std::string> kv_get_all() const override + { + std::set<std::string> names; + + for(auto kv : m_vals) + { + names.insert(kv.first); + } + + return names; + } + + private: + std::map<std::string, std::string> m_vals; + }; + +} + +class PSK_DB_Tests final : public Test + { + public: + + std::vector<Test::Result> run() override + { + std::vector<Test::Result> results; + + results.push_back(test_psk_db()); + +#if defined(BOTAN_HAS_SQLITE3) + results.push_back(test_psk_sql_db()); +#endif + + return results; + } + + private: + + Test::Result test_psk_db() + { + Test::Result result("PSK_DB"); + + const Botan::secure_vector<uint8_t> zeros(32); + Test_Map_PSK_Db db(zeros); + + db.set_str("name", "value"); + db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA=="); + result.test_eq("DB read", db.get_str("name"), "value"); + + db.set_str("name", "value1"); + db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "7R8am3x/gLawOzMp5WwIJg=="); + result.test_eq("DB read", db.get_str("name"), "value1"); + + db.set_str("name", "value"); + db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA=="); + result.test_eq("DB read", db.get_str("name"), "value"); + + db.set_str("name2", "value"); + db.test_entry(result, "7CvsM7HDCZsV6VsFwWylNg==", "BqVQo4rdwOmf+ItCzEmjAg=="); + result.test_eq("DB read", db.get_str("name2"), "value"); + + db.set_vec("name2", zeros); + db.test_entry(result, "7CvsM7HDCZsV6VsFwWylNg==", "x+I1bUF/fJYPOTvKwOihEPWGR1XGzVuyRdsw4n5gpBRzNR7LjH7vjw=="); + result.test_eq("DB read", db.get("name2"), zeros); + + // Test longer names + db.set_str("leroy jeeeeeeeenkins", "chicken"); + db.test_entry(result, "KyYo272vlSjClM2F0OZBMlRYjr33ZXv2jN1oY8OfCEs=", "tCl1qShSTsXi9tA5Kpo9vg=="); + result.test_eq("DB read", db.get_str("leroy jeeeeeeeenkins"), "chicken"); + + std::set<std::string> all_names = db.list_names(); + + result.test_eq("Expected number of names", all_names.size(), 3); + result.test_eq("Have expected name", all_names.count("name"), 1); + result.test_eq("Have expected name", all_names.count("name2"), 1); + result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1); + + db.remove("name2"); + + all_names = db.list_names(); + + result.test_eq("Expected number of names", all_names.size(), 2); + result.test_eq("Have expected name", all_names.count("name"), 1); + result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1); + + result.test_throws("exception if get called on non-existent PSK", + "Invalid argument Named PSK not located", + [&]() { db.get("name2"); }); + + // test that redundant remove calls accepted + db.remove("name2"); + + return result; + } + +#if defined(BOTAN_HAS_SQLITE3) + + void test_entry(Test::Result& result, + std::shared_ptr<Botan::SQL_Database> db, + const std::string& table, + const std::string& expected_name, + const std::string& expected_value) + { + auto stmt = db->new_statement("select psk_value from " + table + " where psk_name='" + expected_name + "'"); + + bool got_it = stmt->step(); + result.confirm("Had expected name", got_it); + + if(got_it) + { + result.test_eq("Had expected value", stmt->get_str(0), expected_value); + } + } + + Test::Result test_psk_sql_db() + { + Test::Result result("PSK_DB SQL"); + + const Botan::secure_vector<uint8_t> zeros(32); + const std::string table_name = "bobby"; + std::shared_ptr<Botan::SQL_Database> sqldb = std::make_shared<Botan::Sqlite3_Database>(":memory:"); + + Botan::Encrypted_PSK_Database_SQL db(zeros, sqldb, table_name); + db.set_str("name", "value"); + + test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA=="); + result.test_eq("DB read", db.get_str("name"), "value"); + + db.set_str("name", "value1"); + test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "7R8am3x/gLawOzMp5WwIJg=="); + result.test_eq("DB read", db.get_str("name"), "value1"); + + db.set_str("name", "value"); + test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA=="); + result.test_eq("DB read", db.get_str("name"), "value"); + + db.set_str("name2", "value"); + test_entry(result, sqldb, table_name, "7CvsM7HDCZsV6VsFwWylNg==", "BqVQo4rdwOmf+ItCzEmjAg=="); + result.test_eq("DB read", db.get_str("name2"), "value"); + + db.set_vec("name2", zeros); + test_entry(result, sqldb, table_name, "7CvsM7HDCZsV6VsFwWylNg==", "x+I1bUF/fJYPOTvKwOihEPWGR1XGzVuyRdsw4n5gpBRzNR7LjH7vjw=="); + result.test_eq("DB read", db.get("name2"), zeros); + + // Test longer names + db.set_str("leroy jeeeeeeeenkins", "chicken"); + test_entry(result, sqldb, table_name, "KyYo272vlSjClM2F0OZBMlRYjr33ZXv2jN1oY8OfCEs=", "tCl1qShSTsXi9tA5Kpo9vg=="); + result.test_eq("DB read", db.get_str("leroy jeeeeeeeenkins"), "chicken"); + + std::set<std::string> all_names = db.list_names(); + + result.test_eq("Expected number of names", all_names.size(), 3); + result.test_eq("Have expected name", all_names.count("name"), 1); + result.test_eq("Have expected name", all_names.count("name2"), 1); + result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1); + + db.remove("name2"); + + all_names = db.list_names(); + + result.test_eq("Expected number of names", all_names.size(), 2); + result.test_eq("Have expected name", all_names.count("name"), 1); + result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1); + + result.test_throws("exception if get called on non-existent PSK", + "Invalid argument Named PSK not located", + [&]() { db.get("name2"); }); + + // test that redundant remove calls accepted + db.remove("name2"); + + + return result; + } +#endif + + + }; + +BOTAN_REGISTER_TEST("psk_db", PSK_DB_Tests); + +} + +#endif |