Botan 3.3.0
Crypto and TLS for C&
psk_db.cpp
Go to the documentation of this file.
1/*
2* (C) 2017 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/psk_db.h>
8
9#include <botan/base64.h>
10#include <botan/block_cipher.h>
11#include <botan/exceptn.h>
12#include <botan/mac.h>
13#include <botan/mem_ops.h>
14#include <botan/nist_keywrap.h>
15
16namespace Botan {
17
18std::string PSK_Database::get_str(std::string_view name) const {
19 secure_vector<uint8_t> psk = this->get(name);
20 return std::string(cast_uint8_ptr_to_char(psk.data()), psk.size());
21}
22
23void PSK_Database::set_str(std::string_view name, std::string_view psk) {
24 this->set(name, cast_char_ptr_to_uint8(psk.data()), psk.size());
25}
26
28 m_cipher = BlockCipher::create_or_throw("AES-256");
29 m_hmac = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");
30 m_hmac->set_key(master_key);
31
32 m_cipher->set_key(m_hmac->process("wrap"));
33 m_hmac->set_key(m_hmac->process("hmac"));
34}
35
37
38std::set<std::string> Encrypted_PSK_Database::list_names() const {
39 const std::set<std::string> encrypted_names = kv_get_all();
40
41 std::set<std::string> names;
42
43 for(const auto& enc_name : encrypted_names) {
44 try {
45 const secure_vector<uint8_t> raw_name = base64_decode(enc_name);
46 const secure_vector<uint8_t> name_bits = nist_key_unwrap_padded(raw_name.data(), raw_name.size(), *m_cipher);
47
48 std::string pt_name(cast_uint8_ptr_to_char(name_bits.data()), name_bits.size());
49 names.insert(pt_name);
51 }
52
53 return names;
54}
55
56void Encrypted_PSK_Database::remove(std::string_view name) {
57 const std::vector<uint8_t> wrapped_name =
58 nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);
59
60 this->kv_del(base64_encode(wrapped_name));
61}
62
64 const std::vector<uint8_t> wrapped_name =
65 nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);
66
67 const std::string val_base64 = kv_get(base64_encode(wrapped_name));
68
69 if(val_base64.empty()) {
70 throw Invalid_Argument("Named PSK not located");
71 }
72
73 const secure_vector<uint8_t> val = base64_decode(val_base64);
74
75 auto wrap_cipher = m_cipher->new_object();
76 wrap_cipher->set_key(m_hmac->process(wrapped_name));
77
78 return nist_key_unwrap_padded(val.data(), val.size(), *wrap_cipher);
79}
80
81void Encrypted_PSK_Database::set(std::string_view name, const uint8_t val[], size_t len) {
82 /*
83 * Both as a basic precaution wrt key seperation, and specifically to prevent
84 * cut-and-paste attacks against the database, each PSK is encrypted with a
85 * distinct key which is derived by hashing the wrapped key name with HMAC.
86 */
87 const std::vector<uint8_t> wrapped_name =
88 nist_key_wrap_padded(cast_char_ptr_to_uint8(name.data()), name.size(), *m_cipher);
89
90 auto wrap_cipher = m_cipher->new_object();
91 wrap_cipher->set_key(m_hmac->process(wrapped_name));
92 const std::vector<uint8_t> wrapped_key = nist_key_wrap_padded(val, len, *wrap_cipher);
93
94 this->kv_set(base64_encode(wrapped_name), base64_encode(wrapped_key));
95}
96
97} // namespace Botan
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
virtual void kv_set(std::string_view index, std::string_view value)=0
virtual void kv_del(std::string_view index)=0
virtual std::string kv_get(std::string_view index) const =0
secure_vector< uint8_t > get(std::string_view name) const override
Definition psk_db.cpp:63
Encrypted_PSK_Database(const secure_vector< uint8_t > &master_key)
Definition psk_db.cpp:27
std::set< std::string > list_names() const override
Definition psk_db.cpp:38
virtual std::set< std::string > kv_get_all() const =0
void remove(std::string_view name) override
Definition psk_db.cpp:56
void set(std::string_view name, const uint8_t psk[], size_t psk_len) override
Definition psk_db.cpp:81
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
void set_str(std::string_view name, std::string_view psk)
Definition psk_db.cpp:23
virtual void set(std::string_view name, const uint8_t psk[], size_t psk_len)=0
std::string get_str(std::string_view name) const
Definition psk_db.cpp:18
virtual secure_vector< uint8_t > get(std::string_view name) const =0
std::string name
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:146
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:154
std::vector< uint8_t > nist_key_wrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)
secure_vector< uint8_t > nist_key_unwrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:276
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:272