aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-11-26 22:11:07 -0500
committerJack Lloyd <[email protected]>2017-11-26 22:11:07 -0500
commit2fd7930984f57b203e2d412f62fc1849dcc61784 (patch)
tree9ca33fde7047cb1c782c454a1afc1ab5419c2023
parent4d506eb8bcfba4a706a63fa36a3e0398450ee1d7 (diff)
parent9df1c8dab0c3b7218cbf40d743d73e9bd36c24cd (diff)
Merge GH #1302 Add PSK database interface
-rw-r--r--doc/manual/cli.rst36
-rw-r--r--doc/manual/contents.rst1
-rw-r--r--doc/manual/psk_db.rst108
-rw-r--r--src/cli/psk.cpp86
-rw-r--r--src/lib/psk_db/info.txt10
-rw-r--r--src/lib/psk_db/psk_db.cpp104
-rw-r--r--src/lib/psk_db/psk_db.h146
-rw-r--r--src/lib/psk_db/psk_db_sql.cpp69
-rw-r--r--src/lib/psk_db/psk_db_sql.h34
-rw-r--r--src/lib/utils/database.h2
-rw-r--r--src/lib/utils/sqlite3/sqlite3.cpp13
-rw-r--r--src/lib/utils/sqlite3/sqlite3.h1
-rw-r--r--src/tests/test_psk_db.cpp248
13 files changed, 853 insertions, 5 deletions
diff --git a/doc/manual/cli.rst b/doc/manual/cli.rst
index 71e3b17c6..72e3d3b31 100644
--- a/doc/manual/cli.rst
+++ b/doc/manual/cli.rst
@@ -14,15 +14,16 @@ The CLI offers access to the following functionalities:
- TLS server/client
- Primality testing, prime factorization and prime sampling
+.. highlight:: sh
+
General Command Usage
---------------------------------
-All commands follow the predefined syntax
-
-.. code-block:: sh
+All commands follow the predefined syntax::
$ botan <command> <command-options>
-and are listed whith their available arguments when botan is called with an invalid or without a command.
+and are listed with their available arguments when ``botan`` is called
+with an unknown command, or without any command, or with ``--help``.
Hash
----------------
@@ -128,6 +129,33 @@ Number Theory
``gen_prime --count=1 bits``
Samples *count* primes with a length of *bits* bits.
+PSK Database
+--------------------
+
+Only available if sqlite3 support was compiled in.
+
+``psk_set db db_key name psk``
+
+ Using the PSK database named db and encrypting under the (hex) key ``db_key``,
+ save the provided psk (also hex) under ``name``::
+
+ $ botan psk_set psk.db deadba55 bunny f00fee
+
+``psk_get db db_key name``
+
+ Get back a value saved with ``psk_set``::
+
+ $ botan psk_get psk.db deadba55 bunny
+ f00fee
+
+``psk_list db db_key``
+
+ List all values saved to the database under the given key::
+
+ $ botan psk_list psk.db deadba55
+ bunny
+
+
Miscellaneous Commands
-------------------------------------
``version --full``
diff --git a/doc/manual/contents.rst b/doc/manual/contents.rst
index 0c9ac4b7f..48e6edbfe 100644
--- a/doc/manual/contents.rst
+++ b/doc/manual/contents.rst
@@ -27,6 +27,7 @@ Contents
passhash
cryptobox
srp
+ psk_db
fpe
compression
pkcs11
diff --git a/doc/manual/psk_db.rst b/doc/manual/psk_db.rst
new file mode 100644
index 000000000..2668c6bad
--- /dev/null
+++ b/doc/manual/psk_db.rst
@@ -0,0 +1,108 @@
+PSK Database
+======================
+
+.. versionadded:: 2.4.0
+
+Many applications need to store pre-shared keys (hereafter PSKs) for
+authentication purposes.
+
+An abstract interface to PSK stores is provided in ``psk_db.h``
+
+.. cpp:class:: PSK_Database
+
+ .. cpp:function:: bool is_encrypted() const
+
+ Returns true if (at least) the PSKs themselves are encrypted. Returns
+ false if PSKs are stored in plaintext.
+
+ .. cpp:function:: std::set<std::string> list_names() const
+
+ Return the set of valid names stored in the database, ie values for which
+ ``get`` will return a value.
+
+ .. cpp:function:: void set(const std::string& name, const uint8_t psk[], size_t psk_len)
+
+ Save a PSK. If ``name`` already exists, the current value will be
+ overwritten.
+
+ .. cpp:function:: secure_vector<uint8_t> get(const std::string& name) const
+
+ Return a value saved with ``set``. Throws an exception if ``name`` doesn't
+ exist.
+
+ .. cpp:function:: void remove(const std::string& name)
+
+ Remove ``name`` from the database. If ``name`` doesn't exist, ignores the request.
+
+ .. cpp::function:: std::string get_str(const std::string& name) const
+
+ Like ``get`` but casts the return value to a string.
+
+ .. cpp:function:: void set_str(const std::string& name, const std::string& psk)
+
+ Like ``set`` but accepts the psk as a string (eg for a password).
+
+ .. cpp:function:: template<typename Alloc> void set_vec(const std::string& name, \
+ const std::vector<uint8_t, Alloc>& psk)
+
+ Like ``set`` but accepting a vector.
+
+The same header also provides a specific instantiation of ``PSK_Database`` which
+encrypts both names and PSKs. It must be subclassed to provide the storage.
+
+.. cpp:class:: Encrypted_PSK_Database : public PSK_Database
+
+ .. cpp:function:: Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key)
+
+ Initializes or opens a PSK database. The master key is used the secure the
+ contents. It may be of any length. If encrypting PSKs under a passphrase,
+ use a suitable key derivation scheme (such as PBKDF2) to derive the secret
+ key. If the master key is lost, all PSKs stored are unrecoverable.
+
+ Both names and values are encrypted using NIST key wrapping (see NIST
+ SP800-38F) with AES-256. First the master key is used with HMAC(SHA-256)
+ to derive two 256-bit keys, one for encrypting all names and the other to
+ key an instance of HMAC(SHA-256). Values are each encrypted under an
+ individual key created by hashing the encrypted name with HMAC. This
+ associates the encrypted key with the name, and prevents an attacker with
+ write access to the data store from taking an encrypted key associated
+ with one entity and copying it to another entity.
+
+ Names and PSKs are both padded to the next multiple of 8 bytes, providing
+ some obfuscation of the length.
+
+ One artifact of the names being encrypted is that is is possible to use
+ multiple different master keys with the same underlying storage. Each
+ master key will be responsible for a subset of the keys. An attacker who
+ knows one of the keys will be able to tell there are other values
+ encrypted under another key.
+
+ .. cpp:function:: virtual void kv_set(const std::string& index, const std::string& value) = 0
+
+ Save an encrypted value. Both ``index`` and ``value`` will be non-empty
+ base64 encoded strings.
+
+ .. cpp:function:: virtual std::string kv_get(const std::string& index) const = 0
+
+ Return a value saved with ``kv_set``, or return the empty string.
+
+ .. cpp:function:: virtual void kv_del(const std::string& index) = 0
+
+ Remove a value saved with ``kv_set``.
+
+ .. cpp:function:: virtual std::set<std::string> kv_get_all() const = 0
+
+ Return all active names (ie values for which ``kv_get`` will return a
+ non-empty string).
+
+A subclass of ``Encrypted_PSK_Database`` which stores data in a SQL database
+is also available. This class is declared in ``psk_db_sql.h``:
+
+.. cpp:class:: Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database
+
+ .. cpp:function:: Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, \
+ std::shared_ptr<SQL_Database> db, \
+ const std::string& table_name)
+
+ Creates or uses the named table in ``db``. The SQL schema of the table is
+ ``(psk_name TEXT PRIMARY KEY, psk_value TEXT)``.
diff --git a/src/cli/psk.cpp b/src/cli/psk.cpp
new file mode 100644
index 000000000..d244acd8d
--- /dev/null
+++ b/src/cli/psk.cpp
@@ -0,0 +1,86 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include "cli.h"
+
+#if defined(BOTAN_HAS_PSK_DB) && defined(BOTAN_HAS_SQLITE3)
+
+#include <botan/psk_db_sql.h>
+#include <botan/sqlite3.h>
+#include <botan/hex.h>
+
+namespace Botan_CLI {
+
+class PSK_Tool_Base : public Command
+ {
+ public:
+ PSK_Tool_Base(const std::string& spec) : Command(spec) {}
+
+ void go() override
+ {
+ const std::string db_filename = get_arg("db");
+ const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_arg("db_key"));
+
+ std::shared_ptr<Botan::SQL_Database> db = std::make_shared<Botan::Sqlite3_Database>(db_filename);
+ Botan::Encrypted_PSK_Database_SQL psk(db_key, db, "psk");
+
+ psk_operation(psk);
+ }
+
+ private:
+ virtual void psk_operation(Botan::PSK_Database& db) = 0;
+ };
+
+class PSK_Tool_Set final : public PSK_Tool_Base
+ {
+ public:
+ PSK_Tool_Set() : PSK_Tool_Base("psk_set db db_key name psk") {}
+
+ private:
+ void psk_operation(Botan::PSK_Database& db) override
+ {
+ const std::string name = get_arg("name");
+ Botan::secure_vector<uint8_t> key = Botan::hex_decode_locked(get_arg("psk"));
+ db.set_vec(name, key);
+ }
+ };
+
+class PSK_Tool_Get final : public PSK_Tool_Base
+ {
+ public:
+ PSK_Tool_Get() : PSK_Tool_Base("psk_get db db_key name") {}
+
+ private:
+ void psk_operation(Botan::PSK_Database& db) override
+ {
+ const std::string name = get_arg("name");
+ const Botan::secure_vector<uint8_t> val = db.get(name);
+ output() << Botan::hex_encode(val) << "\n";
+ }
+ };
+
+class PSK_Tool_List final : public PSK_Tool_Base
+ {
+ public:
+ PSK_Tool_List() : PSK_Tool_Base("psk_list db db_key") {}
+
+ private:
+ void psk_operation(Botan::PSK_Database& db) override
+ {
+ const std::set<std::string> names = db.list_names();
+
+ for(std::string name : names)
+ output() << name << "\n";
+ }
+ };
+
+BOTAN_REGISTER_COMMAND("psk_set", PSK_Tool_Set);
+BOTAN_REGISTER_COMMAND("psk_get", PSK_Tool_Get);
+BOTAN_REGISTER_COMMAND("psk_list", PSK_Tool_List);
+
+}
+
+#endif
diff --git a/src/lib/psk_db/info.txt b/src/lib/psk_db/info.txt
new file mode 100644
index 000000000..814a30471
--- /dev/null
+++ b/src/lib/psk_db/info.txt
@@ -0,0 +1,10 @@
+<defines>
+PSK_DB -> 20171119
+</defines>
+
+<requires>
+aes
+hmac
+sha2_32
+nist_keywrap
+</requires>
diff --git a/src/lib/psk_db/psk_db.cpp b/src/lib/psk_db/psk_db.cpp
new file mode 100644
index 000000000..af59d2954
--- /dev/null
+++ b/src/lib/psk_db/psk_db.cpp
@@ -0,0 +1,104 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/psk_db.h>
+#include <botan/nist_keywrap.h>
+#include <botan/base64.h>
+#include <botan/mac.h>
+#include <botan/block_cipher.h>
+
+namespace Botan {
+
+Encrypted_PSK_Database::Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key)
+ {
+ m_cipher = BlockCipher::create_or_throw("AES-256");
+ m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");
+ m_hmac->set_key(master_key);
+
+ m_cipher->set_key(m_hmac->process("wrap"));
+ m_hmac->set_key(m_hmac->process("hmac"));
+ }
+
+Encrypted_PSK_Database::~Encrypted_PSK_Database()
+ {
+ // for ~unique_ptr
+ }
+
+std::set<std::string> Encrypted_PSK_Database::list_names() const
+ {
+ const std::set<std::string> encrypted_names = kv_get_all();
+
+ std::set<std::string> names;
+
+ for(std::string enc_name : encrypted_names)
+ {
+ try
+ {
+ const secure_vector<uint8_t> raw_name = base64_decode(enc_name);
+ const secure_vector<uint8_t> name_bits =
+ nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher);
+
+ std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size());
+ names.insert(pt_name);
+ }
+ catch(Integrity_Failure&)
+ {
+ }
+ }
+
+ return names;
+ }
+
+void Encrypted_PSK_Database::remove(const std::string& name)
+ {
+ const std::vector<uint8_t> wrapped_name =
+ nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()),
+ name.size(),
+ *m_cipher);
+
+ this->kv_del(base64_encode(wrapped_name));
+ }
+
+secure_vector<uint8_t> Encrypted_PSK_Database::get(const std::string& name) const
+ {
+ const std::vector<uint8_t> wrapped_name =
+ nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()),
+ name.size(),
+ *m_cipher);
+
+ const std::string val_base64 = kv_get(base64_encode(wrapped_name));
+
+ if(val_base64.empty())
+ throw Invalid_Argument("Named PSK not located");
+
+ const secure_vector<uint8_t> val = base64_decode(val_base64);
+
+ std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone());
+ wrap_cipher->set_key(m_hmac->process(wrapped_name));
+
+ return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher);
+ }
+
+void Encrypted_PSK_Database::set(const std::string& name, const uint8_t val[], size_t len)
+ {
+ /*
+ * Both as a basic precaution wrt key seperation, and specifically to prevent
+ * cut-and-paste attacks against the database, each PSK is encrypted with a
+ * distinct key which is derived by hashing the wrapped key name with HMAC.
+ */
+ const std::vector<uint8_t> wrapped_name =
+ nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()),
+ name.size(),
+ *m_cipher);
+
+ std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone());
+ wrap_cipher->set_key(m_hmac->process(wrapped_name));
+ const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher);
+
+ this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key));
+ }
+
+}
diff --git a/src/lib/psk_db/psk_db.h b/src/lib/psk_db/psk_db.h
new file mode 100644
index 000000000..fb20e9437
--- /dev/null
+++ b/src/lib/psk_db/psk_db.h
@@ -0,0 +1,146 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_PSK_DB_H_
+#define BOTAN_PSK_DB_H_
+
+#include <botan/secmem.h>
+#include <memory>
+#include <string>
+#include <set>
+
+namespace Botan {
+
+class BlockCipher;
+class MessageAuthenticationCode;
+
+/**
+* This is an interface to a generic PSK (pre-shared key) database.
+* It might be implemented as a plaintext storage or via some mechanism
+* that encrypts the keys and/or values.
+*/
+class BOTAN_PUBLIC_API(2,4) PSK_Database
+ {
+ public:
+ /**
+ * Return the set of names for which get() will return a value.
+ */
+ virtual std::set<std::string> list_names() const = 0;
+
+ /**
+ * Return the value associated with the specified @param name, or otherwise
+ * throw an exception.
+ */
+ virtual secure_vector<uint8_t> get(const std::string& name) const = 0;
+
+ /**
+ * Set a value that can later be accessed with get().
+ * If name already exists in the database, the old value will be overwritten.
+ */
+ virtual void set(const std::string& name, const uint8_t psk[], size_t psk_len) = 0;
+
+ /**
+ * Remove a PSK from the database
+ */
+ virtual void remove(const std::string& name) = 0;
+
+ /**
+ * Returns if the values in the PSK database are encrypted. If
+ * false, saved values are being stored in plaintext.
+ */
+ virtual bool is_encrypted() const = 0;
+
+ /**
+ * Get a PSK in the form of a string (eg if the PSK is a password)
+ */
+ std::string get_str(const std::string& name) const
+ {
+ secure_vector<uint8_t> psk = get(name);
+ return std::string(reinterpret_cast<const char*>(psk.data()), psk.size());
+ }
+
+ void set_str(const std::string& name, const std::string& psk)
+ {
+ set(name, reinterpret_cast<const uint8_t*>(psk.data()), psk.size());
+ }
+
+ template<typename Alloc>
+ void set_vec(const std::string& name,
+ const std::vector<uint8_t, Alloc>& psk)
+
+ {
+ set(name, psk.data(), psk.size());
+ }
+
+ virtual ~PSK_Database() = default;
+ };
+
+/**
+* A mixin for an encrypted PSK database.
+* Both keys and values are encrypted with NIST AES-256 key wrapping.
+* Values are padded to obscure their length before encryption, allowing
+* it to be used as a password vault.
+*
+* Subclasses must implement the virtual calls to handle storing and
+* getting raw (base64 encoded) values.
+*/
+class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database : public PSK_Database
+ {
+ public:
+ /**
+ * @param master_key specifies the master key used to encrypt all
+ * keys and value. It can be of any length, but should be at least 256 bits.
+ *
+ * Subkeys for the cryptographic algorithms used are derived from this
+ * master key. No key stretching is performed; if encrypting a PSK database
+ * using a password, it is recommended to use PBKDF2 to derive the database
+ * master key.
+ */
+ Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key);
+
+ ~Encrypted_PSK_Database();
+
+ std::set<std::string> list_names() const override;
+
+ secure_vector<uint8_t> get(const std::string& name) const override;
+
+ void set(const std::string& name, const uint8_t psk[], size_t psk_len) override;
+
+ void remove(const std::string& name) override;
+
+ bool is_encrypted() const override { return true; }
+
+ protected:
+ /**
+ * Save a encrypted (name.value) pair to the database. Both will be base64 encoded strings.
+ */
+ virtual void kv_set(const std::string& index, const std::string& value) = 0;
+
+ /**
+ * Get a value previously saved with set_raw_value. Should return an empty
+ * string if index is not found.
+ */
+ virtual std::string kv_get(const std::string& index) const = 0;
+
+ /**
+ * Remove an index
+ */
+ virtual void kv_del(const std::string& index) = 0;
+
+ /**
+ * Return all indexes in the table.
+ */
+ virtual std::set<std::string> kv_get_all() const = 0;
+
+ private:
+ std::unique_ptr<BlockCipher> m_cipher;
+ std::unique_ptr<MessageAuthenticationCode> m_hmac;
+ secure_vector<uint8_t> m_wrap_key;
+ };
+
+}
+
+#endif
diff --git a/src/lib/psk_db/psk_db_sql.cpp b/src/lib/psk_db/psk_db_sql.cpp
new file mode 100644
index 000000000..3a43e7380
--- /dev/null
+++ b/src/lib/psk_db/psk_db_sql.cpp
@@ -0,0 +1,69 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/psk_db_sql.h>
+
+namespace Botan {
+
+Encrypted_PSK_Database_SQL::Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key,
+ std::shared_ptr<SQL_Database> db,
+ const std::string& table_name) :
+ Encrypted_PSK_Database(master_key),
+ m_db(db),
+ m_table_name(table_name)
+ {
+ m_db->create_table(
+ "create table if not exists " + m_table_name +
+ "(psk_name TEXT PRIMARY KEY, psk_value TEXT)");
+ }
+
+void Encrypted_PSK_Database_SQL::kv_del(const std::string& name)
+ {
+ auto stmt = m_db->new_statement("delete from " + m_table_name + " where psk_name=?1");
+ stmt->bind(1, name);
+ stmt->spin();
+ }
+
+void Encrypted_PSK_Database_SQL::kv_set(const std::string& name, const std::string& value)
+ {
+ auto stmt = m_db->new_statement("insert or replace into " + m_table_name + " values(?1, ?2)");
+
+ stmt->bind(1, name);
+ stmt->bind(2, value);
+
+ stmt->spin();
+ }
+
+std::string Encrypted_PSK_Database_SQL::kv_get(const std::string& name) const
+ {
+ auto stmt = m_db->new_statement("select psk_value from " + m_table_name +
+ " where psk_name = ?1");
+
+ stmt->bind(1, name);
+
+ while(stmt->step())
+ {
+ return stmt->get_str(0);
+ }
+ return "";
+ }
+
+std::set<std::string> Encrypted_PSK_Database_SQL::kv_get_all() const
+ {
+ std::set<std::string> names;
+
+ auto stmt = m_db->new_statement("select psk_name from " + m_table_name);
+
+ while(stmt->step())
+ {
+ names.insert(stmt->get_str(0));
+ }
+
+ return names;
+ }
+
+}
+
diff --git a/src/lib/psk_db/psk_db_sql.h b/src/lib/psk_db/psk_db_sql.h
new file mode 100644
index 000000000..fddadfc30
--- /dev/null
+++ b/src/lib/psk_db/psk_db_sql.h
@@ -0,0 +1,34 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_PSK_DB_SQL_H_
+#define BOTAN_PSK_DB_SQL_H_
+
+#include <botan/psk_db.h>
+#include <botan/database.h>
+
+namespace Botan {
+
+class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database
+ {
+ public:
+ Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key,
+ std::shared_ptr<SQL_Database> db,
+ const std::string& table_name);
+
+ private:
+ void kv_set(const std::string& index, const std::string& value) override;
+ std::string kv_get(const std::string& index) const override;
+ void kv_del(const std::string& index) override;
+ std::set<std::string> kv_get_all() const override;
+
+ std::shared_ptr<SQL_Database> m_db;
+ const std::string m_table_name;
+ };
+
+}
+
+#endif
diff --git a/src/lib/utils/database.h b/src/lib/utils/database.h
index a90e9fbfd..21a207445 100644
--- a/src/lib/utils/database.h
+++ b/src/lib/utils/database.h
@@ -43,6 +43,8 @@ class BOTAN_PUBLIC_API(2,0) SQL_Database
/* Get output */
virtual std::pair<const uint8_t*, size_t> get_blob(int column) = 0;
+ virtual std::string get_str(int column) = 0;
+
virtual size_t get_size_t(int column) = 0;
/* Run to completion */
diff --git a/src/lib/utils/sqlite3/sqlite3.cpp b/src/lib/utils/sqlite3/sqlite3.cpp
index 09a964a46..a1fdfaa21 100644
--- a/src/lib/utils/sqlite3/sqlite3.cpp
+++ b/src/lib/utils/sqlite3/sqlite3.cpp
@@ -7,6 +7,7 @@
#include <botan/sqlite3.h>
#include <botan/exceptn.h>
+#include <botan/mem_ops.h>
#include <sqlite3.h>
namespace Botan {
@@ -108,7 +109,7 @@ void Sqlite3_Database::Sqlite3_Statement::bind(int column, const uint8_t* p, siz
std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob(int column)
{
- BOTAN_ASSERT(::sqlite3_column_type(m_stmt, 0) == SQLITE_BLOB,
+ BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_BLOB,
"Return value is a blob");
const void* session_blob = ::sqlite3_column_blob(m_stmt, column);
@@ -120,6 +121,16 @@ std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob(
static_cast<size_t>(session_blob_size));
}
+std::string Sqlite3_Database::Sqlite3_Statement::get_str(int column)
+ {
+ BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_TEXT,
+ "Return value is text");
+
+ const unsigned char* str = ::sqlite3_column_text(m_stmt, column);
+
+ return std::string(cast_uint8_ptr_to_char(str));
+ }
+
size_t Sqlite3_Database::Sqlite3_Statement::get_size_t(int column)
{
BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_INTEGER,
diff --git a/src/lib/utils/sqlite3/sqlite3.h b/src/lib/utils/sqlite3/sqlite3.h
index 3f11b60e2..08a0f0ae7 100644
--- a/src/lib/utils/sqlite3/sqlite3.h
+++ b/src/lib/utils/sqlite3/sqlite3.h
@@ -38,6 +38,7 @@ class BOTAN_PUBLIC_API(2,0) Sqlite3_Database final : public SQL_Database
void bind(int column, const uint8_t* data, size_t len) override;
std::pair<const uint8_t*, size_t> get_blob(int column) override;
+ std::string get_str(int column) override;
size_t get_size_t(int column) override;
size_t spin() override;
diff --git a/src/tests/test_psk_db.cpp b/src/tests/test_psk_db.cpp
new file mode 100644
index 000000000..f9eb9d7e8
--- /dev/null
+++ b/src/tests/test_psk_db.cpp
@@ -0,0 +1,248 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include "tests.h"
+
+#if defined(BOTAN_HAS_PSK_DB)
+
+#include <botan/psk_db.h>
+
+#if defined(BOTAN_HAS_SQLITE3)
+ #include <botan/psk_db_sql.h>
+ #include <botan/sqlite3.h>
+#endif
+
+namespace Botan_Tests {
+
+namespace {
+
+class Test_Map_PSK_Db : public Botan::Encrypted_PSK_Database
+ {
+ public:
+ Test_Map_PSK_Db(const Botan::secure_vector<uint8_t>& master_key) :
+ Botan::Encrypted_PSK_Database(master_key)
+ {}
+
+ void test_entry(Test::Result& result,
+ const std::string& index, const std::string& value)
+ {
+ auto i = m_vals.find(index);
+
+ if(i == m_vals.end())
+ {
+ result.test_failure("Expected to find encrypted name " + index);
+ }
+ else
+ {
+ result.test_eq("Encrypted value", i->second, value);
+ }
+ }
+
+ void kv_set(const std::string& index, const std::string& value) override
+ {
+ m_vals[index] = value;
+ }
+
+ std::string kv_get(const std::string& index) const override
+ {
+ auto i = m_vals.find(index);
+ if(i == m_vals.end())
+ return "";
+ return i->second;
+ }
+
+ void kv_del(const std::string& index) override
+ {
+ auto i = m_vals.find(index);
+ if(i != m_vals.end())
+ {
+ m_vals.erase(i);
+ }
+ }
+
+ std::set<std::string> kv_get_all() const override
+ {
+ std::set<std::string> names;
+
+ for(auto kv : m_vals)
+ {
+ names.insert(kv.first);
+ }
+
+ return names;
+ }
+
+ private:
+ std::map<std::string, std::string> m_vals;
+ };
+
+}
+
+class PSK_DB_Tests final : public Test
+ {
+ public:
+
+ std::vector<Test::Result> run() override
+ {
+ std::vector<Test::Result> results;
+
+ results.push_back(test_psk_db());
+
+#if defined(BOTAN_HAS_SQLITE3)
+ results.push_back(test_psk_sql_db());
+#endif
+
+ return results;
+ }
+
+ private:
+
+ Test::Result test_psk_db()
+ {
+ Test::Result result("PSK_DB");
+
+ const Botan::secure_vector<uint8_t> zeros(32);
+ Test_Map_PSK_Db db(zeros);
+
+ db.set_str("name", "value");
+ db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA==");
+ result.test_eq("DB read", db.get_str("name"), "value");
+
+ db.set_str("name", "value1");
+ db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "7R8am3x/gLawOzMp5WwIJg==");
+ result.test_eq("DB read", db.get_str("name"), "value1");
+
+ db.set_str("name", "value");
+ db.test_entry(result, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA==");
+ result.test_eq("DB read", db.get_str("name"), "value");
+
+ db.set_str("name2", "value");
+ db.test_entry(result, "7CvsM7HDCZsV6VsFwWylNg==", "BqVQo4rdwOmf+ItCzEmjAg==");
+ result.test_eq("DB read", db.get_str("name2"), "value");
+
+ db.set_vec("name2", zeros);
+ db.test_entry(result, "7CvsM7HDCZsV6VsFwWylNg==", "x+I1bUF/fJYPOTvKwOihEPWGR1XGzVuyRdsw4n5gpBRzNR7LjH7vjw==");
+ result.test_eq("DB read", db.get("name2"), zeros);
+
+ // Test longer names
+ db.set_str("leroy jeeeeeeeenkins", "chicken");
+ db.test_entry(result, "KyYo272vlSjClM2F0OZBMlRYjr33ZXv2jN1oY8OfCEs=", "tCl1qShSTsXi9tA5Kpo9vg==");
+ result.test_eq("DB read", db.get_str("leroy jeeeeeeeenkins"), "chicken");
+
+ std::set<std::string> all_names = db.list_names();
+
+ result.test_eq("Expected number of names", all_names.size(), 3);
+ result.test_eq("Have expected name", all_names.count("name"), 1);
+ result.test_eq("Have expected name", all_names.count("name2"), 1);
+ result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1);
+
+ db.remove("name2");
+
+ all_names = db.list_names();
+
+ result.test_eq("Expected number of names", all_names.size(), 2);
+ result.test_eq("Have expected name", all_names.count("name"), 1);
+ result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1);
+
+ result.test_throws("exception if get called on non-existent PSK",
+ "Invalid argument Named PSK not located",
+ [&]() { db.get("name2"); });
+
+ // test that redundant remove calls accepted
+ db.remove("name2");
+
+ return result;
+ }
+
+#if defined(BOTAN_HAS_SQLITE3)
+
+ void test_entry(Test::Result& result,
+ std::shared_ptr<Botan::SQL_Database> db,
+ const std::string& table,
+ const std::string& expected_name,
+ const std::string& expected_value)
+ {
+ auto stmt = db->new_statement("select psk_value from " + table + " where psk_name='" + expected_name + "'");
+
+ bool got_it = stmt->step();
+ result.confirm("Had expected name", got_it);
+
+ if(got_it)
+ {
+ result.test_eq("Had expected value", stmt->get_str(0), expected_value);
+ }
+ }
+
+ Test::Result test_psk_sql_db()
+ {
+ Test::Result result("PSK_DB SQL");
+
+ const Botan::secure_vector<uint8_t> zeros(32);
+ const std::string table_name = "bobby";
+ std::shared_ptr<Botan::SQL_Database> sqldb = std::make_shared<Botan::Sqlite3_Database>(":memory:");
+
+ Botan::Encrypted_PSK_Database_SQL db(zeros, sqldb, table_name);
+ db.set_str("name", "value");
+
+ test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA==");
+ result.test_eq("DB read", db.get_str("name"), "value");
+
+ db.set_str("name", "value1");
+ test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "7R8am3x/gLawOzMp5WwIJg==");
+ result.test_eq("DB read", db.get_str("name"), "value1");
+
+ db.set_str("name", "value");
+ test_entry(result, sqldb, table_name, "CUCJjJgWSa079ubutJQwlw==", "clYJSAf9CThuL96CP+rAfA==");
+ result.test_eq("DB read", db.get_str("name"), "value");
+
+ db.set_str("name2", "value");
+ test_entry(result, sqldb, table_name, "7CvsM7HDCZsV6VsFwWylNg==", "BqVQo4rdwOmf+ItCzEmjAg==");
+ result.test_eq("DB read", db.get_str("name2"), "value");
+
+ db.set_vec("name2", zeros);
+ test_entry(result, sqldb, table_name, "7CvsM7HDCZsV6VsFwWylNg==", "x+I1bUF/fJYPOTvKwOihEPWGR1XGzVuyRdsw4n5gpBRzNR7LjH7vjw==");
+ result.test_eq("DB read", db.get("name2"), zeros);
+
+ // Test longer names
+ db.set_str("leroy jeeeeeeeenkins", "chicken");
+ test_entry(result, sqldb, table_name, "KyYo272vlSjClM2F0OZBMlRYjr33ZXv2jN1oY8OfCEs=", "tCl1qShSTsXi9tA5Kpo9vg==");
+ result.test_eq("DB read", db.get_str("leroy jeeeeeeeenkins"), "chicken");
+
+ std::set<std::string> all_names = db.list_names();
+
+ result.test_eq("Expected number of names", all_names.size(), 3);
+ result.test_eq("Have expected name", all_names.count("name"), 1);
+ result.test_eq("Have expected name", all_names.count("name2"), 1);
+ result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1);
+
+ db.remove("name2");
+
+ all_names = db.list_names();
+
+ result.test_eq("Expected number of names", all_names.size(), 2);
+ result.test_eq("Have expected name", all_names.count("name"), 1);
+ result.test_eq("Have expected name", all_names.count("leroy jeeeeeeeenkins"), 1);
+
+ result.test_throws("exception if get called on non-existent PSK",
+ "Invalid argument Named PSK not located",
+ [&]() { db.get("name2"); });
+
+ // test that redundant remove calls accepted
+ db.remove("name2");
+
+
+ return result;
+ }
+#endif
+
+
+ };
+
+BOTAN_REGISTER_TEST("psk_db", PSK_DB_Tests);
+
+}
+
+#endif