diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/tls/sessions_sql/tls_session_manager_sql.cpp | 56 | ||||
-rw-r--r-- | src/lib/tls/sessions_sql/tls_session_manager_sql.h | 4 | ||||
-rw-r--r-- | src/lib/tls/tls_session.cpp | 19 | ||||
-rw-r--r-- | src/lib/tls/tls_session_manager.h | 11 | ||||
-rw-r--r-- | src/lib/tls/tls_session_manager_memory.cpp | 11 | ||||
-rw-r--r-- | src/lib/utils/database.h | 2 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.cpp | 10 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.h | 2 |
8 files changed, 67 insertions, 48 deletions
diff --git a/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp b/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp index ed207972e..9f025374e 100644 --- a/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp +++ b/src/lib/tls/sessions_sql/tls_session_manager_sql.cpp @@ -16,27 +16,6 @@ namespace Botan { namespace TLS { -namespace { - -SymmetricKey derive_key(const std::string& passphrase, - const byte salt[], - size_t salt_len, - size_t iterations, - size_t& check_val) - { - std::unique_ptr<PBKDF> pbkdf(get_pbkdf("PBKDF2(SHA-512)")); - - secure_vector<byte> x = pbkdf->derive_key(32 + 2, - passphrase, - salt, salt_len, - iterations).bits_of(); - - check_val = make_u16bit(x[0], x[1]); - return SymmetricKey(&x[2], x.size() - 2); - } - -} - Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db, const std::string& passphrase, RandomNumberGenerator& rng, @@ -67,6 +46,8 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db, const size_t salts = m_db->row_count("tls_sessions_metadata"); + std::unique_ptr<PBKDF> pbkdf(get_pbkdf("PBKDF2(SHA-512)")); + if(salts == 1) { // existing db @@ -78,12 +59,13 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db, const size_t iterations = stmt->get_size_t(1); const size_t check_val_db = stmt->get_size_t(2); - size_t check_val_created; - m_session_key = derive_key(passphrase, - salt.first, - salt.second, - iterations, - check_val_created); + secure_vector<byte> x = pbkdf->pbkdf_iterations(32 + 2, + passphrase, + salt.first, salt.second, + iterations); + + const size_t check_val_created = make_u16bit(x[0], x[1]); + m_session_key.assign(x.begin() + 2, x.end()); if(check_val_created != check_val_db) throw std::runtime_error("Session database password not valid"); @@ -98,11 +80,17 @@ Session_Manager_SQL::Session_Manager_SQL(std::shared_ptr<SQL_Database> db, // new database case std::vector<byte> salt = unlock(rng.random_vec(16)); - const size_t iterations = 256 * 1024; - size_t check_val = 0; + size_t iterations = 0; - m_session_key = derive_key(passphrase, salt.data(), salt.size(), - iterations, check_val); + secure_vector<byte> x = pbkdf->pbkdf_timed(32 + 2, + passphrase, + salt.data(), salt.size(), + std::chrono::milliseconds(100), + iterations); + + printf("pbkdf iter %d\n", iterations); + size_t check_val = make_u16bit(x[0], x[1]); + m_session_key.assign(x.begin() + 2, x.end()); auto stmt = m_db->new_statement("insert into tls_sessions_metadata values(?1, ?2, ?3)"); @@ -174,6 +162,12 @@ void Session_Manager_SQL::remove_entry(const std::vector<byte>& session_id) stmt->spin(); } +size_t Session_Manager_SQL::remove_all() + { + auto stmt = m_db->new_statement("delete from tls_sessions"); + return stmt->spin(); + } + void Session_Manager_SQL::save(const Session& session) { auto stmt = m_db->new_statement("insert or replace into tls_sessions" diff --git a/src/lib/tls/sessions_sql/tls_session_manager_sql.h b/src/lib/tls/sessions_sql/tls_session_manager_sql.h index 081c42e74..24e2be7c3 100644 --- a/src/lib/tls/sessions_sql/tls_session_manager_sql.h +++ b/src/lib/tls/sessions_sql/tls_session_manager_sql.h @@ -56,6 +56,8 @@ class BOTAN_DLL Session_Manager_SQL : public Session_Manager void remove_entry(const std::vector<byte>& session_id) override; + size_t remove_all() override; + void save(const Session& session_data) override; std::chrono::seconds session_lifetime() const override @@ -65,7 +67,7 @@ class BOTAN_DLL Session_Manager_SQL : public Session_Manager void prune_session_cache(); std::shared_ptr<SQL_Database> m_db; - SymmetricKey m_session_key; + secure_vector<byte> m_session_key; RandomNumberGenerator& m_rng; size_t m_max_sessions; std::chrono::seconds m_session_lifetime; diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp index 8cb1a2aa7..7089a70f0 100644 --- a/src/lib/tls/tls_session.cpp +++ b/src/lib/tls/tls_session.cpp @@ -11,8 +11,7 @@ #include <botan/asn1_str.h> #include <botan/pem.h> #include <botan/aead.h> -#include <botan/sha2_32.h> -#include <botan/hmac.h> +#include <botan/mac.h> namespace Botan { @@ -162,10 +161,10 @@ Session::encrypt(const SymmetricKey& key, RandomNumberGenerator& rng) const const secure_vector<byte> bits = this->DER_encode(); // Support any length key for input - HMAC hmac(new SHA_256); - hmac.set_key(key); - hmac.update(nonce); - aead->set_key(hmac.final()); + std::unique_ptr<MessageAuthenticationCode> hmac(MessageAuthenticationCode::create("HMAC(SHA-256)")); + hmac->set_key(key); + hmac->update(nonce); + aead->set_key(hmac->final()); secure_vector<byte> buf = nonce; buf += bits; @@ -185,10 +184,10 @@ Session Session::decrypt(const byte in[], size_t in_len, const SymmetricKey& key throw Decoding_Error("Encrypted session too short to be valid"); // Support any length key for input - HMAC hmac(new SHA_256); - hmac.set_key(key); - hmac.update(in, nonce_len); // nonce bytes - aead->set_key(hmac.final()); + std::unique_ptr<MessageAuthenticationCode> hmac(MessageAuthenticationCode::create("HMAC(SHA-256)")); + hmac->set_key(key); + hmac->update(in, nonce_len); // nonce bytes + aead->set_key(hmac->final()); aead->start(in, nonce_len); secure_vector<byte> buf(in + nonce_len, in + in_len); diff --git a/src/lib/tls/tls_session_manager.h b/src/lib/tls/tls_session_manager.h index c7aa1960b..5ab151c26 100644 --- a/src/lib/tls/tls_session_manager.h +++ b/src/lib/tls/tls_session_manager.h @@ -55,6 +55,11 @@ class BOTAN_DLL Session_Manager virtual void remove_entry(const std::vector<byte>& session_id) = 0; /** + * Remove all sessions from the cache, return number of sessions deleted + */ + virtual size_t remove_all() = 0; + + /** * Save a session on a best effort basis; the manager may not in * fact be able to save the session for whatever reason; this is * not an error. Caller cannot assume that calling save followed @@ -89,6 +94,8 @@ class BOTAN_DLL Session_Manager_Noop : public Session_Manager void remove_entry(const std::vector<byte>&) override {} + size_t remove_all() override { return 0; } + void save(const Session&) override {} std::chrono::seconds session_lifetime() const override @@ -120,6 +127,8 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager void remove_entry(const std::vector<byte>& session_id) override; + size_t remove_all(); + void save(const Session& session_data) override; std::chrono::seconds session_lifetime() const override @@ -136,7 +145,7 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager std::chrono::seconds m_session_lifetime; RandomNumberGenerator& m_rng; - SymmetricKey m_session_key; + secure_vector<byte> m_session_key; std::map<std::string, std::vector<byte>> m_sessions; // hex(session_id) -> session std::map<Server_Information, std::string> m_info_sessions; diff --git a/src/lib/tls/tls_session_manager_memory.cpp b/src/lib/tls/tls_session_manager_memory.cpp index 2c836290b..37019c943 100644 --- a/src/lib/tls/tls_session_manager_memory.cpp +++ b/src/lib/tls/tls_session_manager_memory.cpp @@ -20,7 +20,7 @@ Session_Manager_In_Memory::Session_Manager_In_Memory( m_max_sessions(max_sessions), m_session_lifetime(session_lifetime), m_rng(rng), - m_session_key(m_rng, 32) + m_session_key(m_rng.random_vec(32)) {} bool Session_Manager_In_Memory::load_from_session_str( @@ -95,6 +95,15 @@ void Session_Manager_In_Memory::remove_entry( m_sessions.erase(i); } +size_t Session_Manager_In_Memory::remove_all() + { + const size_t removed = m_sessions.size(); + m_info_sessions.clear(); + m_sessions.clear(); + m_session_key = m_rng.random_vec(32); + return removed; + } + void Session_Manager_In_Memory::save(const Session& session) { std::lock_guard<std::mutex> lock(m_mutex); diff --git a/src/lib/utils/database.h b/src/lib/utils/database.h index 03a3174d6..bacbedd1e 100644 --- a/src/lib/utils/database.h +++ b/src/lib/utils/database.h @@ -36,7 +36,7 @@ class BOTAN_DLL SQL_Database virtual size_t get_size_t(int column) = 0; /* Run to completion */ - virtual void spin() = 0; + virtual size_t spin() = 0; /* Maybe update */ virtual bool step() = 0; diff --git a/src/lib/utils/sqlite3/sqlite3.cpp b/src/lib/utils/sqlite3/sqlite3.cpp index be3c2b227..267d7530a 100644 --- a/src/lib/utils/sqlite3/sqlite3.cpp +++ b/src/lib/utils/sqlite3/sqlite3.cpp @@ -125,9 +125,15 @@ size_t Sqlite3_Database::Sqlite3_Statement::get_size_t(int column) return static_cast<size_t>(sessions_int); } -void Sqlite3_Database::Sqlite3_Statement::spin() +size_t Sqlite3_Database::Sqlite3_Statement::spin() { - while(step()) {} + size_t steps = 0; + while(step()) + { + ++steps; + } + + return steps; } bool Sqlite3_Database::Sqlite3_Statement::step() diff --git a/src/lib/utils/sqlite3/sqlite3.h b/src/lib/utils/sqlite3/sqlite3.h index 8495a1d1b..067b94e85 100644 --- a/src/lib/utils/sqlite3/sqlite3.h +++ b/src/lib/utils/sqlite3/sqlite3.h @@ -39,7 +39,7 @@ class BOTAN_DLL Sqlite3_Database : public SQL_Database std::pair<const byte*, size_t> get_blob(int column) override; size_t get_size_t(int column) override; - void spin() override; + size_t spin() override; bool step() override; Sqlite3_Statement(sqlite3* db, const std::string& base_sql); |