aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2015-11-13 15:34:52 -0500
committerJack Lloyd <[email protected]>2015-11-13 15:34:52 -0500
commit81edfc8221b9da94ac1a453e78bf57a5a739b4ce (patch)
tree14ae41bfae45495ccfc2b5d1efe2b01b28a2c849 /src/lib/tls
parent309252789ec3d3b29a7cd30f7d3095fe38e02fa2 (diff)
Add remove_all to TLS session manager interface
DB::spin now returns the number of rows affected
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/sessions_sql/tls_session_manager_sql.cpp56
-rw-r--r--src/lib/tls/sessions_sql/tls_session_manager_sql.h4
-rw-r--r--src/lib/tls/tls_session.cpp19
-rw-r--r--src/lib/tls/tls_session_manager.h11
-rw-r--r--src/lib/tls/tls_session_manager_memory.cpp11
5 files changed, 57 insertions, 44 deletions
diff --git a/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp b/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp
index ed207972e..9f025374e 100644
--- a/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp
+++ b/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp
@@ -16,27 +16,6 @@ namespace Botan {
namespace TLS {
-namespace {
-
-SymmetricKey derive_key(const std::string& passphrase,
- const byte salt[],
- size_t salt_len,
- size_t iterations,
- size_t& check_val)
- {
- std::unique_ptr<PBKDF> pbkdf(get_pbkdf("PBKDF2(SHA-512)"));
-
- secure_vector<byte> x = pbkdf->derive_key(32 + 2,
- passphrase,
- salt, salt_len,
- iterations).bits_of();
-
- check_val = make_u16bit(x[0], x[1]);
- return SymmetricKey(&x[2], x.size() - 2);
- }
-
-}
-
Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db,
const std::string& passphrase,
RandomNumberGenerator& rng,
@@ -67,6 +46,8 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db,
const size_t salts = m_db->row_count("tls_sessions_metadata");
+ std::unique_ptr<PBKDF> pbkdf(get_pbkdf("PBKDF2(SHA-512)"));
+
if(salts == 1)
{
// existing db
@@ -78,12 +59,13 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db,
const size_t iterations = stmt->get_size_t(1);
const size_t check_val_db = stmt->get_size_t(2);
- size_t check_val_created;
- m_session_key = derive_key(passphrase,
- salt.first,
- salt.second,
- iterations,
- check_val_created);
+ secure_vector<byte> x = pbkdf->pbkdf_iterations(32 + 2,
+ passphrase,
+ salt.first, salt.second,
+ iterations);
+
+ const size_t check_val_created = make_u16bit(x[0], x[1]);
+ m_session_key.assign(x.begin() + 2, x.end());
if(check_val_created != check_val_db)
throw std::runtime_error("Session database password not valid");
@@ -98,11 +80,17 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db,
// new database case
std::vector<byte> salt = unlock(rng.random_vec(16));
- const size_t iterations = 256 * 1024;
- size_t check_val = 0;
+ size_t iterations = 0;
- m_session_key = derive_key(passphrase, salt.data(), salt.size(),
- iterations, check_val);
+ secure_vector<byte> x = pbkdf->pbkdf_timed(32 + 2,
+ passphrase,
+ salt.data(), salt.size(),
+ std::chrono::milliseconds(100),
+ iterations);
+
+ printf("pbkdf iter %d\n", iterations);
+ size_t check_val = make_u16bit(x[0], x[1]);
+ m_session_key.assign(x.begin() + 2, x.end());
auto stmt = m_db->new_statement("insert into tls_sessions_metadata values(?1, ?2, ?3)");
@@ -174,6 +162,12 @@ void Session_Manager_SQL::remove_entry(const std::vector<byte>& session_id)
stmt->spin();
}
+size_t Session_Manager_SQL::remove_all()
+ {
+ auto stmt = m_db->new_statement("delete from tls_sessions");
+ return stmt->spin();
+ }
+
void Session_Manager_SQL::save(const Session& session)
{
auto stmt = m_db->new_statement("insert or replace into tls_sessions"
diff --git a/src/lib/tls/sessions_sql/tls_session_manager_sql.h b/src/lib/tls/sessions_sql/tls_session_manager_sql.h
index 081c42e74..24e2be7c3 100644
--- a/src/lib/tls/sessions_sql/tls_session_manager_sql.h
+++ b/src/lib/tls/sessions_sql/tls_session_manager_sql.h
@@ -56,6 +56,8 @@ class BOTAN_DLL Session_Manager_SQL : public Session_Manager
void remove_entry(const std::vector<byte>& session_id) override;
+ size_t remove_all() override;
+
void save(const Session& session_data) override;
std::chrono::seconds session_lifetime() const override
@@ -65,7 +67,7 @@ class BOTAN_DLL Session_Manager_SQL : public Session_Manager
void prune_session_cache();
std::shared_ptr<SQL_Database> m_db;
- SymmetricKey m_session_key;
+ secure_vector<byte> m_session_key;
RandomNumberGenerator& m_rng;
size_t m_max_sessions;
std::chrono::seconds m_session_lifetime;
diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp
index 8cb1a2aa7..7089a70f0 100644
--- a/src/lib/tls/tls_session.cpp
+++ b/src/lib/tls/tls_session.cpp
@@ -11,8 +11,7 @@
#include <botan/asn1_str.h>
#include <botan/pem.h>
#include <botan/aead.h>
-#include <botan/sha2_32.h>
-#include <botan/hmac.h>
+#include <botan/mac.h>
namespace Botan {
@@ -162,10 +161,10 @@ Session::encrypt(const SymmetricKey& key, RandomNumberGenerator& rng) const
const secure_vector<byte> bits = this->DER_encode();
// Support any length key for input
- HMAC hmac(new SHA_256);
- hmac.set_key(key);
- hmac.update(nonce);
- aead->set_key(hmac.final());
+ std::unique_ptr<MessageAuthenticationCode> hmac(MessageAuthenticationCode::create("HMAC(SHA-256)"));
+ hmac->set_key(key);
+ hmac->update(nonce);
+ aead->set_key(hmac->final());
secure_vector<byte> buf = nonce;
buf += bits;
@@ -185,10 +184,10 @@ Session Session::decrypt(const byte in[], size_t in_len, const SymmetricKey& key
throw Decoding_Error("Encrypted session too short to be valid");
// Support any length key for input
- HMAC hmac(new SHA_256);
- hmac.set_key(key);
- hmac.update(in, nonce_len); // nonce bytes
- aead->set_key(hmac.final());
+ std::unique_ptr<MessageAuthenticationCode> hmac(MessageAuthenticationCode::create("HMAC(SHA-256)"));
+ hmac->set_key(key);
+ hmac->update(in, nonce_len); // nonce bytes
+ aead->set_key(hmac->final());
aead->start(in, nonce_len);
secure_vector<byte> buf(in + nonce_len, in + in_len);
diff --git a/src/lib/tls/tls_session_manager.h b/src/lib/tls/tls_session_manager.h
index c7aa1960b..5ab151c26 100644
--- a/src/lib/tls/tls_session_manager.h
+++ b/src/lib/tls/tls_session_manager.h
@@ -55,6 +55,11 @@ class BOTAN_DLL Session_Manager
virtual void remove_entry(const std::vector<byte>& session_id) = 0;
/**
+ * Remove all sessions from the cache, return number of sessions deleted
+ */
+ virtual size_t remove_all() = 0;
+
+ /**
* Save a session on a best effort basis; the manager may not in
* fact be able to save the session for whatever reason; this is
* not an error. Caller cannot assume that calling save followed
@@ -89,6 +94,8 @@ class BOTAN_DLL Session_Manager_Noop : public Session_Manager
void remove_entry(const std::vector<byte>&) override {}
+ size_t remove_all() override { return 0; }
+
void save(const Session&) override {}
std::chrono::seconds session_lifetime() const override
@@ -120,6 +127,8 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager
void remove_entry(const std::vector<byte>& session_id) override;
+ size_t remove_all();
+
void save(const Session& session_data) override;
std::chrono::seconds session_lifetime() const override
@@ -136,7 +145,7 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager
std::chrono::seconds m_session_lifetime;
RandomNumberGenerator& m_rng;
- SymmetricKey m_session_key;
+ secure_vector<byte> m_session_key;
std::map<std::string, std::vector<byte>> m_sessions; // hex(session_id) -> session
std::map<Server_Information, std::string> m_info_sessions;
diff --git a/src/lib/tls/tls_session_manager_memory.cpp b/src/lib/tls/tls_session_manager_memory.cpp
index 2c836290b..37019c943 100644
--- a/src/lib/tls/tls_session_manager_memory.cpp
+++ b/src/lib/tls/tls_session_manager_memory.cpp
@@ -20,7 +20,7 @@ Session_Manager_In_Memory::Session_Manager_In_Memory(
m_max_sessions(max_sessions),
m_session_lifetime(session_lifetime),
m_rng(rng),
- m_session_key(m_rng, 32)
+ m_session_key(m_rng.random_vec(32))
{}
bool Session_Manager_In_Memory::load_from_session_str(
@@ -95,6 +95,15 @@ void Session_Manager_In_Memory::remove_entry(
m_sessions.erase(i);
}
+size_t Session_Manager_In_Memory::remove_all()
+ {
+ const size_t removed = m_sessions.size();
+ m_info_sessions.clear();
+ m_sessions.clear();
+ m_session_key = m_rng.random_vec(32);
+ return removed;
+ }
+
void Session_Manager_In_Memory::save(const Session& session)
{
std::lock_guard<std::mutex> lock(m_mutex);