diff options
author | Jack Lloyd <[email protected]> | 2017-11-26 22:11:07 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-11-26 22:11:07 -0500 |
commit | 2fd7930984f57b203e2d412f62fc1849dcc61784 (patch) | |
tree | 9ca33fde7047cb1c782c454a1afc1ab5419c2023 /src/lib | |
parent | 4d506eb8bcfba4a706a63fa36a3e0398450ee1d7 (diff) | |
parent | 9df1c8dab0c3b7218cbf40d743d73e9bd36c24cd (diff) |
Merge GH #1302 Add PSK database interface
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/psk_db/info.txt | 10 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db.cpp | 104 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db.h | 146 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db_sql.cpp | 69 | ||||
-rw-r--r-- | src/lib/psk_db/psk_db_sql.h | 34 | ||||
-rw-r--r-- | src/lib/utils/database.h | 2 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.cpp | 13 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.h | 1 |
8 files changed, 378 insertions, 1 deletions
diff --git a/src/lib/psk_db/info.txt b/src/lib/psk_db/info.txt new file mode 100644 index 000000000..814a30471 --- /dev/null +++ b/src/lib/psk_db/info.txt @@ -0,0 +1,10 @@ +<defines> +PSK_DB -> 20171119 +</defines> + +<requires> +aes +hmac +sha2_32 +nist_keywrap +</requires> diff --git a/src/lib/psk_db/psk_db.cpp b/src/lib/psk_db/psk_db.cpp new file mode 100644 index 000000000..af59d2954 --- /dev/null +++ b/src/lib/psk_db/psk_db.cpp @@ -0,0 +1,104 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db.h> +#include <botan/nist_keywrap.h> +#include <botan/base64.h> +#include <botan/mac.h> +#include <botan/block_cipher.h> + +namespace Botan { + +Encrypted_PSK_Database::Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key) + { + m_cipher = BlockCipher::create_or_throw("AES-256"); + m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)"); + m_hmac->set_key(master_key); + + m_cipher->set_key(m_hmac->process("wrap")); + m_hmac->set_key(m_hmac->process("hmac")); + } + +Encrypted_PSK_Database::~Encrypted_PSK_Database() + { + // for ~unique_ptr + } + +std::set<std::string> Encrypted_PSK_Database::list_names() const + { + const std::set<std::string> encrypted_names = kv_get_all(); + + std::set<std::string> names; + + for(std::string enc_name : encrypted_names) + { + try + { + const secure_vector<uint8_t> raw_name = base64_decode(enc_name); + const secure_vector<uint8_t> name_bits = + nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher); + + std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size()); + names.insert(pt_name); + } + catch(Integrity_Failure&) + { + } + } + + return names; + } + +void Encrypted_PSK_Database::remove(const std::string& name) + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + this->kv_del(base64_encode(wrapped_name)); + } + +secure_vector<uint8_t> Encrypted_PSK_Database::get(const std::string& name) const + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + const std::string val_base64 = kv_get(base64_encode(wrapped_name)); + + if(val_base64.empty()) + throw Invalid_Argument("Named PSK not located"); + + const secure_vector<uint8_t> val = base64_decode(val_base64); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + + return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher); + } + +void Encrypted_PSK_Database::set(const std::string& name, const uint8_t val[], size_t len) + { + /* + * Both as a basic precaution wrt key seperation, and specifically to prevent + * cut-and-paste attacks against the database, each PSK is encrypted with a + * distinct key which is derived by hashing the wrapped key name with HMAC. + */ + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher); + + this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key)); + } + +} diff --git a/src/lib/psk_db/psk_db.h b/src/lib/psk_db/psk_db.h new file mode 100644 index 000000000..fb20e9437 --- /dev/null +++ b/src/lib/psk_db/psk_db.h @@ -0,0 +1,146 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_H_ +#define BOTAN_PSK_DB_H_ + +#include <botan/secmem.h> +#include <memory> +#include <string> +#include <set> + +namespace Botan { + +class BlockCipher; +class MessageAuthenticationCode; + +/** +* This is an interface to a generic PSK (pre-shared key) database. +* It might be implemented as a plaintext storage or via some mechanism +* that encrypts the keys and/or values. +*/ +class BOTAN_PUBLIC_API(2,4) PSK_Database + { + public: + /** + * Return the set of names for which get() will return a value. + */ + virtual std::set<std::string> list_names() const = 0; + + /** + * Return the value associated with the specified @param name, or otherwise + * throw an exception. + */ + virtual secure_vector<uint8_t> get(const std::string& name) const = 0; + + /** + * Set a value that can later be accessed with get(). + * If name already exists in the database, the old value will be overwritten. + */ + virtual void set(const std::string& name, const uint8_t psk[], size_t psk_len) = 0; + + /** + * Remove a PSK from the database + */ + virtual void remove(const std::string& name) = 0; + + /** + * Returns if the values in the PSK database are encrypted. If + * false, saved values are being stored in plaintext. + */ + virtual bool is_encrypted() const = 0; + + /** + * Get a PSK in the form of a string (eg if the PSK is a password) + */ + std::string get_str(const std::string& name) const + { + secure_vector<uint8_t> psk = get(name); + return std::string(reinterpret_cast<const char*>(psk.data()), psk.size()); + } + + void set_str(const std::string& name, const std::string& psk) + { + set(name, reinterpret_cast<const uint8_t*>(psk.data()), psk.size()); + } + + template<typename Alloc> + void set_vec(const std::string& name, + const std::vector<uint8_t, Alloc>& psk) + + { + set(name, psk.data(), psk.size()); + } + + virtual ~PSK_Database() = default; + }; + +/** +* A mixin for an encrypted PSK database. +* Both keys and values are encrypted with NIST AES-256 key wrapping. +* Values are padded to obscure their length before encryption, allowing +* it to be used as a password vault. +* +* Subclasses must implement the virtual calls to handle storing and +* getting raw (base64 encoded) values. +*/ +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database : public PSK_Database + { + public: + /** + * @param master_key specifies the master key used to encrypt all + * keys and value. It can be of any length, but should be at least 256 bits. + * + * Subkeys for the cryptographic algorithms used are derived from this + * master key. No key stretching is performed; if encrypting a PSK database + * using a password, it is recommended to use PBKDF2 to derive the database + * master key. + */ + Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key); + + ~Encrypted_PSK_Database(); + + std::set<std::string> list_names() const override; + + secure_vector<uint8_t> get(const std::string& name) const override; + + void set(const std::string& name, const uint8_t psk[], size_t psk_len) override; + + void remove(const std::string& name) override; + + bool is_encrypted() const override { return true; } + + protected: + /** + * Save a encrypted (name.value) pair to the database. Both will be base64 encoded strings. + */ + virtual void kv_set(const std::string& index, const std::string& value) = 0; + + /** + * Get a value previously saved with set_raw_value. Should return an empty + * string if index is not found. + */ + virtual std::string kv_get(const std::string& index) const = 0; + + /** + * Remove an index + */ + virtual void kv_del(const std::string& index) = 0; + + /** + * Return all indexes in the table. + */ + virtual std::set<std::string> kv_get_all() const = 0; + + private: + std::unique_ptr<BlockCipher> m_cipher; + std::unique_ptr<MessageAuthenticationCode> m_hmac; + secure_vector<uint8_t> m_wrap_key; + }; + +} + +#endif diff --git a/src/lib/psk_db/psk_db_sql.cpp b/src/lib/psk_db/psk_db_sql.cpp new file mode 100644 index 000000000..3a43e7380 --- /dev/null +++ b/src/lib/psk_db/psk_db_sql.cpp @@ -0,0 +1,69 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db_sql.h> + +namespace Botan { + +Encrypted_PSK_Database_SQL::Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name) : + Encrypted_PSK_Database(master_key), + m_db(db), + m_table_name(table_name) + { + m_db->create_table( + "create table if not exists " + m_table_name + + "(psk_name TEXT PRIMARY KEY, psk_value TEXT)"); + } + +void Encrypted_PSK_Database_SQL::kv_del(const std::string& name) + { + auto stmt = m_db->new_statement("delete from " + m_table_name + " where psk_name=?1"); + stmt->bind(1, name); + stmt->spin(); + } + +void Encrypted_PSK_Database_SQL::kv_set(const std::string& name, const std::string& value) + { + auto stmt = m_db->new_statement("insert or replace into " + m_table_name + " values(?1, ?2)"); + + stmt->bind(1, name); + stmt->bind(2, value); + + stmt->spin(); + } + +std::string Encrypted_PSK_Database_SQL::kv_get(const std::string& name) const + { + auto stmt = m_db->new_statement("select psk_value from " + m_table_name + + " where psk_name = ?1"); + + stmt->bind(1, name); + + while(stmt->step()) + { + return stmt->get_str(0); + } + return ""; + } + +std::set<std::string> Encrypted_PSK_Database_SQL::kv_get_all() const + { + std::set<std::string> names; + + auto stmt = m_db->new_statement("select psk_name from " + m_table_name); + + while(stmt->step()) + { + names.insert(stmt->get_str(0)); + } + + return names; + } + +} + diff --git a/src/lib/psk_db/psk_db_sql.h b/src/lib/psk_db/psk_db_sql.h new file mode 100644 index 000000000..fddadfc30 --- /dev/null +++ b/src/lib/psk_db/psk_db_sql.h @@ -0,0 +1,34 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_SQL_H_ +#define BOTAN_PSK_DB_SQL_H_ + +#include <botan/psk_db.h> +#include <botan/database.h> + +namespace Botan { + +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database + { + public: + Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name); + + private: + void kv_set(const std::string& index, const std::string& value) override; + std::string kv_get(const std::string& index) const override; + void kv_del(const std::string& index) override; + std::set<std::string> kv_get_all() const override; + + std::shared_ptr<SQL_Database> m_db; + const std::string m_table_name; + }; + +} + +#endif diff --git a/src/lib/utils/database.h b/src/lib/utils/database.h index a90e9fbfd..21a207445 100644 --- a/src/lib/utils/database.h +++ b/src/lib/utils/database.h @@ -43,6 +43,8 @@ class BOTAN_PUBLIC_API(2,0) SQL_Database /* Get output */ virtual std::pair<const uint8_t*, size_t> get_blob(int column) = 0; + virtual std::string get_str(int column) = 0; + virtual size_t get_size_t(int column) = 0; /* Run to completion */ diff --git a/src/lib/utils/sqlite3/sqlite3.cpp b/src/lib/utils/sqlite3/sqlite3.cpp index 09a964a46..a1fdfaa21 100644 --- a/src/lib/utils/sqlite3/sqlite3.cpp +++ b/src/lib/utils/sqlite3/sqlite3.cpp @@ -7,6 +7,7 @@ #include <botan/sqlite3.h> #include <botan/exceptn.h> +#include <botan/mem_ops.h> #include <sqlite3.h> namespace Botan { @@ -108,7 +109,7 @@ void Sqlite3_Database::Sqlite3_Statement::bind(int column, const uint8_t* p, siz std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob(int column) { - BOTAN_ASSERT(::sqlite3_column_type(m_stmt, 0) == SQLITE_BLOB, + BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_BLOB, "Return value is a blob"); const void* session_blob = ::sqlite3_column_blob(m_stmt, column); @@ -120,6 +121,16 @@ std::pair<const uint8_t*, size_t> Sqlite3_Database::Sqlite3_Statement::get_blob( static_cast<size_t>(session_blob_size)); } +std::string Sqlite3_Database::Sqlite3_Statement::get_str(int column) + { + BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_TEXT, + "Return value is text"); + + const unsigned char* str = ::sqlite3_column_text(m_stmt, column); + + return std::string(cast_uint8_ptr_to_char(str)); + } + size_t Sqlite3_Database::Sqlite3_Statement::get_size_t(int column) { BOTAN_ASSERT(::sqlite3_column_type(m_stmt, column) == SQLITE_INTEGER, diff --git a/src/lib/utils/sqlite3/sqlite3.h b/src/lib/utils/sqlite3/sqlite3.h index 3f11b60e2..08a0f0ae7 100644 --- a/src/lib/utils/sqlite3/sqlite3.h +++ b/src/lib/utils/sqlite3/sqlite3.h @@ -38,6 +38,7 @@ class BOTAN_PUBLIC_API(2,0) Sqlite3_Database final : public SQL_Database void bind(int column, const uint8_t* data, size_t len) override; std::pair<const uint8_t*, size_t> get_blob(int column) override; + std::string get_str(int column) override; size_t get_size_t(int column) override; size_t spin() override; |