doxygen/psk__db_8cpp_source.html

/*

* (C) 2017 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/psk_db.h>


#include <botan/base64.h>

#include <botan/block_cipher.h>

#include <botan/exceptn.h>

#include <botan/mac.h>

#include <botan/mem_ops.h>

#include <botan/nist_keywrap.h>


namespace Botan {


std::string PSK_Database::get_str(std::string_view name) const {

   secure_vector<uint8_t> psk = this->get(name);

   return std::string(cast_uint8_ptr_to_char(psk.data()), psk.size());

}


void PSK_Database::set_str(std::string_view name, std::string_view psk) {

   this->set(name, cast_char_ptr_to_uint8(psk.data()), psk.size());

}


Encrypted_PSK_Database::Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key) {

   m_cipher = BlockCipher::create_or_throw("AES-256");

   m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");

   m_hmac->set_key(master_key);


   m_cipher->set_key(m_hmac->process("wrap"));

   m_hmac->set_key(m_hmac->process("hmac"));

}


Encrypted_PSK_Database::~Encrypted_PSK_Database() = default;


std::set<std::string> Encrypted_PSK_Database::list_names() const {

   const std::set<std::string> encrypted_names = kv_get_all();


   std::set<std::string> names;


   for(const auto& enc_name : encrypted_names) {

      try {

         const secure_vector<uint8_t> raw_name = base64_decode(enc_name);

         const secure_vector<uint8_t> name_bits = nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher);


         std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size());

         names.insert(pt_name);

      } catch(Invalid_Authentication_Tag&) {}

   }


   return names;

}


void Encrypted_PSK_Database::remove(std::string_view name) {

   const std::vector<uint8_t> wrapped_name =

      nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);


   this->kv_del(base64_encode(wrapped_name));

}


secure_vector<uint8_t> Encrypted_PSK_Database::get(std::string_view name) const {

   const std::vector<uint8_t> wrapped_name =

      nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);


   const std::string val_base64 = kv_get(base64_encode(wrapped_name));


   if(val_base64.empty()) {

      throw Invalid_Argument("Named PSK not located");

   }


   const secure_vector<uint8_t> val = base64_decode(val_base64);


   auto wrap_cipher = m_cipher->new_object();

   wrap_cipher->set_key(m_hmac->process(wrapped_name));


   return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher);

}


void Encrypted_PSK_Database::set(std::string_view name, const uint8_t val[], size_t len) {

   /*

   * Both as a basic precaution wrt key seperation, and specifically to prevent

   * cut-and-paste attacks against the database, each PSK is encrypted with a

   * distinct key which is derived by hashing the wrapped key name with HMAC.

   */

   const std::vector<uint8_t> wrapped_name =

      nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);


   auto wrap_cipher = m_cipher->new_object();

   wrap_cipher->set_key(m_hmac->process(wrapped_name));

   const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher);


   this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key));

}


}  // namespace Botan

Botan::BlockCipher::create_or_throw
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition block_cipher.cpp:266

Botan::Encrypted_PSK_Database::kv_set
virtual void kv_set(std::string_view index, std::string_view value)=0

Botan::Encrypted_PSK_Database::kv_del
virtual void kv_del(std::string_view index)=0

Botan::Encrypted_PSK_Database::kv_get
virtual std::string kv_get(std::string_view index) const =0

Botan::Encrypted_PSK_Database::get
secure_vector< uint8_t > get(std::string_view name) const override
Definition psk_db.cpp:63

Botan::Encrypted_PSK_Database::Encrypted_PSK_Database
Encrypted_PSK_Database(const secure_vector< uint8_t > &master_key)
Definition psk_db.cpp:27

Botan::Encrypted_PSK_Database::list_names
std::set< std::string > list_names() const override
Definition psk_db.cpp:38

Botan::Encrypted_PSK_Database::kv_get_all
virtual std::set< std::string > kv_get_all() const =0

Botan::Encrypted_PSK_Database::remove
void remove(std::string_view name) override
Definition psk_db.cpp:56

Botan::Encrypted_PSK_Database::~Encrypted_PSK_Database
~Encrypted_PSK_Database() override

Botan::Encrypted_PSK_Database::set
void set(std::string_view name, const uint8_t psk[], size_t psk_len) override
Definition psk_db.cpp:81

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Invalid_Authentication_Tag
Definition exceptn.h:273

Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148

Botan::PSK_Database::set_str
void set_str(std::string_view name, std::string_view psk)
Definition psk_db.cpp:23

Botan::PSK_Database::set
virtual void set(std::string_view name, const uint8_t psk[], size_t psk_len)=0

Botan::PSK_Database::get_str
std::string get_str(std::string_view name) const
Definition psk_db.cpp:18

Botan::PSK_Database::get
virtual secure_vector< uint8_t > get(std::string_view name) const =0

name
std::string name
Definition commoncrypto_hash.cpp:24

Botan
Definition alg_id.cpp:13

Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:160

Botan::base64_decode
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:168

Botan::nist_key_wrap_padded
std::vector< uint8_t > nist_key_wrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)
Definition nist_keywrap.cpp:148

Botan::nist_key_unwrap_padded
secure_vector< uint8_t > nist_key_unwrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)
Definition nist_keywrap.cpp:169

Botan::cast_uint8_ptr_to_char
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:277

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::cast_char_ptr_to_uint8
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:273