diff options
Diffstat (limited to 'comm/third_party/botan/src/lib/psk_db')
| -rw-r--r-- | comm/third_party/botan/src/lib/psk_db/info.txt | 11 | ||||
| -rw-r--r-- | comm/third_party/botan/src/lib/psk_db/psk_db.cpp | 105 | ||||
| -rw-r--r-- | comm/third_party/botan/src/lib/psk_db/psk_db.h | 166 | ||||
| -rw-r--r-- | comm/third_party/botan/src/lib/psk_db/psk_db_sql.cpp | 75 | ||||
| -rw-r--r-- | comm/third_party/botan/src/lib/psk_db/psk_db_sql.h | 13 |
5 files changed, 370 insertions, 0 deletions
diff --git a/comm/third_party/botan/src/lib/psk_db/info.txt b/comm/third_party/botan/src/lib/psk_db/info.txt new file mode 100644 index 0000000000..4b1d0747ed --- /dev/null +++ b/comm/third_party/botan/src/lib/psk_db/info.txt @@ -0,0 +1,11 @@ +<defines> +PSK_DB -> 20171119 +</defines> + +<requires> +aes +hmac +base64 +sha2_32 +nist_keywrap +</requires> diff --git a/comm/third_party/botan/src/lib/psk_db/psk_db.cpp b/comm/third_party/botan/src/lib/psk_db/psk_db.cpp new file mode 100644 index 0000000000..59fa768934 --- /dev/null +++ b/comm/third_party/botan/src/lib/psk_db/psk_db.cpp @@ -0,0 +1,105 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db.h> +#include <botan/exceptn.h> +#include <botan/nist_keywrap.h> +#include <botan/base64.h> +#include <botan/mac.h> +#include <botan/block_cipher.h> + +namespace Botan { + +Encrypted_PSK_Database::Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key) + { + m_cipher = BlockCipher::create_or_throw("AES-256"); + m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)"); + m_hmac->set_key(master_key); + + m_cipher->set_key(m_hmac->process("wrap")); + m_hmac->set_key(m_hmac->process("hmac")); + } + +Encrypted_PSK_Database::~Encrypted_PSK_Database() + { + // for ~unique_ptr + } + +std::set<std::string> Encrypted_PSK_Database::list_names() const + { + const std::set<std::string> encrypted_names = kv_get_all(); + + std::set<std::string> names; + + for(std::string enc_name : encrypted_names) + { + try + { + const secure_vector<uint8_t> raw_name = base64_decode(enc_name); + const secure_vector<uint8_t> name_bits = + nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher); + + std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size()); + names.insert(pt_name); + } + catch(Invalid_Authentication_Tag&) + { + } + } + + return names; + } + +void Encrypted_PSK_Database::remove(const std::string& name) + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + this->kv_del(base64_encode(wrapped_name)); + } + +secure_vector<uint8_t> Encrypted_PSK_Database::get(const std::string& name) const + { + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + const std::string val_base64 = kv_get(base64_encode(wrapped_name)); + + if(val_base64.empty()) + throw Invalid_Argument("Named PSK not located"); + + const secure_vector<uint8_t> val = base64_decode(val_base64); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + + return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher); + } + +void Encrypted_PSK_Database::set(const std::string& name, const uint8_t val[], size_t len) + { + /* + * Both as a basic precaution wrt key seperation, and specifically to prevent + * cut-and-paste attacks against the database, each PSK is encrypted with a + * distinct key which is derived by hashing the wrapped key name with HMAC. + */ + const std::vector<uint8_t> wrapped_name = + nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), + name.size(), + *m_cipher); + + std::unique_ptr<BlockCipher> wrap_cipher(m_cipher->clone()); + wrap_cipher->set_key(m_hmac->process(wrapped_name)); + const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher); + + this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key)); + } + +} diff --git a/comm/third_party/botan/src/lib/psk_db/psk_db.h b/comm/third_party/botan/src/lib/psk_db/psk_db.h new file mode 100644 index 0000000000..06358935c1 --- /dev/null +++ b/comm/third_party/botan/src/lib/psk_db/psk_db.h @@ -0,0 +1,166 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_H_ +#define BOTAN_PSK_DB_H_ + +#include <botan/secmem.h> +#include <memory> +#include <string> +#include <set> + +namespace Botan { + +class BlockCipher; +class MessageAuthenticationCode; + +/** +* This is an interface to a generic PSK (pre-shared key) database. +* It might be implemented as a plaintext storage or via some mechanism +* that encrypts the keys and/or values. +*/ +class BOTAN_PUBLIC_API(2,4) PSK_Database + { + public: + /** + * Return the set of names for which get() will return a value. + */ + virtual std::set<std::string> list_names() const = 0; + + /** + * Return the value associated with the specified @param name or otherwise + * throw an exception. + */ + virtual secure_vector<uint8_t> get(const std::string& name) const = 0; + + /** + * Set a value that can later be accessed with get(). + * If name already exists in the database, the old value will be overwritten. + */ + virtual void set(const std::string& name, const uint8_t psk[], size_t psk_len) = 0; + + /** + * Remove a PSK from the database + */ + virtual void remove(const std::string& name) = 0; + + /** + * Returns if the values in the PSK database are encrypted. If + * false, saved values are being stored in plaintext. + */ + virtual bool is_encrypted() const = 0; + + /** + * Get a PSK in the form of a string (eg if the PSK is a password) + */ + std::string get_str(const std::string& name) const + { + secure_vector<uint8_t> psk = get(name); + return std::string(cast_uint8_ptr_to_char(psk.data()), psk.size()); + } + + void set_str(const std::string& name, const std::string& psk) + { + set(name, cast_char_ptr_to_uint8(psk.data()), psk.size()); + } + + template<typename Alloc> + void set_vec(const std::string& name, + const std::vector<uint8_t, Alloc>& psk) + + { + set(name, psk.data(), psk.size()); + } + + virtual ~PSK_Database() = default; + }; + +/** +* A mixin for an encrypted PSK database. +* Both keys and values are encrypted with NIST AES-256 key wrapping. +* Values are padded to obscure their length before encryption, allowing +* it to be used as a password vault. +* +* Subclasses must implement the virtual calls to handle storing and +* getting raw (base64 encoded) values. +*/ +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database : public PSK_Database + { + public: + /** + * @param master_key specifies the master key used to encrypt all + * keys and value. It can be of any length, but should be at least 256 bits. + * + * Subkeys for the cryptographic algorithms used are derived from this + * master key. No key stretching is performed; if encrypting a PSK database + * using a password, it is recommended to use PBKDF2 to derive the database + * master key. + */ + Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key); + + ~Encrypted_PSK_Database(); + + std::set<std::string> list_names() const override; + + secure_vector<uint8_t> get(const std::string& name) const override; + + void set(const std::string& name, const uint8_t psk[], size_t psk_len) override; + + void remove(const std::string& name) override; + + bool is_encrypted() const override { return true; } + + protected: + /** + * Save a encrypted (name.value) pair to the database. Both will be base64 encoded strings. + */ + virtual void kv_set(const std::string& index, const std::string& value) = 0; + + /** + * Get a value previously saved with set_raw_value. Should return an empty + * string if index is not found. + */ + virtual std::string kv_get(const std::string& index) const = 0; + + /** + * Remove an index + */ + virtual void kv_del(const std::string& index) = 0; + + /** + * Return all indexes in the table. + */ + virtual std::set<std::string> kv_get_all() const = 0; + + private: + std::unique_ptr<BlockCipher> m_cipher; + std::unique_ptr<MessageAuthenticationCode> m_hmac; + secure_vector<uint8_t> m_wrap_key; + }; + +class SQL_Database; + +class BOTAN_PUBLIC_API(2,4) Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database + { + public: + Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name); + + ~Encrypted_PSK_Database_SQL(); + private: + void kv_set(const std::string& index, const std::string& value) override; + std::string kv_get(const std::string& index) const override; + void kv_del(const std::string& index) override; + std::set<std::string> kv_get_all() const override; + + std::shared_ptr<SQL_Database> m_db; + const std::string m_table_name; + }; + +} + +#endif diff --git a/comm/third_party/botan/src/lib/psk_db/psk_db_sql.cpp b/comm/third_party/botan/src/lib/psk_db/psk_db_sql.cpp new file mode 100644 index 0000000000..92dcb5f1dc --- /dev/null +++ b/comm/third_party/botan/src/lib/psk_db/psk_db_sql.cpp @@ -0,0 +1,75 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/psk_db.h> +#include <botan/database.h> + +namespace Botan { + +Encrypted_PSK_Database_SQL::Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, + std::shared_ptr<SQL_Database> db, + const std::string& table_name) : + Encrypted_PSK_Database(master_key), + m_db(db), + m_table_name(table_name) + { + m_db->create_table( + "create table if not exists " + m_table_name + + "(psk_name TEXT PRIMARY KEY, psk_value TEXT)"); + } + +Encrypted_PSK_Database_SQL::~Encrypted_PSK_Database_SQL() + { + /* for ~unique_ptr */ + } + +void Encrypted_PSK_Database_SQL::kv_del(const std::string& name) + { + auto stmt = m_db->new_statement("delete from " + m_table_name + " where psk_name=?1"); + stmt->bind(1, name); + stmt->spin(); + } + +void Encrypted_PSK_Database_SQL::kv_set(const std::string& name, const std::string& value) + { + auto stmt = m_db->new_statement("insert or replace into " + m_table_name + " values(?1, ?2)"); + + stmt->bind(1, name); + stmt->bind(2, value); + + stmt->spin(); + } + +std::string Encrypted_PSK_Database_SQL::kv_get(const std::string& name) const + { + auto stmt = m_db->new_statement("select psk_value from " + m_table_name + + " where psk_name = ?1"); + + stmt->bind(1, name); + + while(stmt->step()) + { + return stmt->get_str(0); + } + return ""; + } + +std::set<std::string> Encrypted_PSK_Database_SQL::kv_get_all() const + { + std::set<std::string> names; + + auto stmt = m_db->new_statement("select psk_name from " + m_table_name); + + while(stmt->step()) + { + names.insert(stmt->get_str(0)); + } + + return names; + } + +} + diff --git a/comm/third_party/botan/src/lib/psk_db/psk_db_sql.h b/comm/third_party/botan/src/lib/psk_db/psk_db_sql.h new file mode 100644 index 0000000000..170ca674c5 --- /dev/null +++ b/comm/third_party/botan/src/lib/psk_db/psk_db_sql.h @@ -0,0 +1,13 @@ +/* +* (C) 2017 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_PSK_DB_SQL_H_ +#define BOTAN_PSK_DB_SQL_H_ + +#include <botan/psk_db.h> +BOTAN_DEPRECATED_HEADER(psk_db_sql.h) + +#endif |