Passwords are now saved in a password manager.
The password manager uses strong encryption using a key derived from the passphrase using scrypt key strengthening algorithm. This ensures encryption is performed using a strong key and that brute forcing the passphrase is time consuming. If the user loses his passphrase no recovery is possible.
This commit is contained in:
eelke
parent
2230a4bd61
commit
e36924c087
27 changed files with 605 additions and 346 deletions
|
|
@ -1,22 +1,128 @@
|
|||
#include "PasswordManager.h"
|
||||
|
||||
//#include <botan/filters.h>
|
||||
//#include <botan/pipe.h>
|
||||
//#include <botan/sha2_64.h>
|
||||
//#include <botan/hash.h>
|
||||
//#include <botan/hmac.h>
|
||||
//#include <botan/pbkdf2.h>
|
||||
//#include <botan/rng.h>
|
||||
//#include <botan/base64.h>
|
||||
//#include <botan/loadstor.h>
|
||||
//#include <botan/mem_ops.h>
|
||||
#include <QSqlQuery>
|
||||
#include <QSqlError>
|
||||
#include <QDebug>
|
||||
#include <QVariant>
|
||||
#include <botan/hash.h>
|
||||
#include <botan/auto_rng.h>
|
||||
#include <botan/base64.h>
|
||||
#include <botan/psk_db_sql.h>
|
||||
#include <botan/sqlite3.h>
|
||||
//#include <botan/psk_db_sql.h>
|
||||
#include <botan/psk_db.h>
|
||||
|
||||
//#include <botan/sqlite3.h>
|
||||
#include <botan/scrypt.h>
|
||||
#include <boost/lexical_cast.hpp>
|
||||
|
||||
namespace {
|
||||
|
||||
class SqlException : public std::runtime_error {
|
||||
public:
|
||||
QSqlError error;
|
||||
SqlException(const QSqlError &err)
|
||||
: std::runtime_error(err.text().toUtf8().data())
|
||||
, error(err)
|
||||
{}
|
||||
|
||||
};
|
||||
|
||||
class QPSK_Database : public Botan::Encrypted_PSK_Database
|
||||
{
|
||||
public:
|
||||
/**
|
||||
* @param master_key specifies the master key used to encrypt all
|
||||
* keys and value. It can be of any length, but should be at least 256 bits.
|
||||
*
|
||||
* Subkeys for the cryptographic algorithms used are derived from this
|
||||
* master key. No key stretching is performed; if encrypting a PSK database
|
||||
* using a password, it is recommended to use PBKDF2 to derive the database
|
||||
* master key.
|
||||
*/
|
||||
QPSK_Database(const Botan::secure_vector<uint8_t>& master_key, QSqlDatabase &db, const QString &table_name)
|
||||
: Encrypted_PSK_Database(master_key)
|
||||
, m_db(db)
|
||||
, m_tableName(table_name)
|
||||
{
|
||||
QSqlQuery q_create_table(m_db);
|
||||
q_create_table.prepare("CREATE TABLE IF NOT EXISTS " + table_name +
|
||||
"(psk_name TEXT PRIMARY KEY, psk_value TEXT)");
|
||||
if (!q_create_table.exec()) {
|
||||
auto err = q_create_table.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
}
|
||||
|
||||
protected:
|
||||
/// Save a encrypted (name.value) pair to the database. Both will be base64 encoded strings.
|
||||
virtual void kv_set(const std::string& index, const std::string& value) override
|
||||
{
|
||||
QSqlQuery q(m_db);
|
||||
q.prepare("insert or replace into " + m_tableName + " values(:name, :value)");
|
||||
q.bindValue(":name", QString::fromUtf8(index.c_str()));
|
||||
q.bindValue(":value", QString::fromUtf8(value.c_str()));
|
||||
if (!q.exec()) {
|
||||
auto err = q.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
}
|
||||
|
||||
/// Get a value previously saved with set_raw_value. Should return an empty
|
||||
/// string if index is not found.
|
||||
virtual std::string kv_get(const std::string& index) const override
|
||||
{
|
||||
QSqlQuery q(m_db);
|
||||
q.prepare("SELECT psk_value FROM " + m_tableName +
|
||||
" WHERE psk_name = :name");
|
||||
q.bindValue(":name", QString::fromUtf8(index.c_str()));
|
||||
if (q.exec()) {
|
||||
if (q.next()) {
|
||||
return q.value(0).toString().toUtf8().data();
|
||||
}
|
||||
}
|
||||
else {
|
||||
auto err = q.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
return std::string();
|
||||
}
|
||||
|
||||
/// Remove an index
|
||||
virtual void kv_del(const std::string& index) override
|
||||
{
|
||||
QSqlQuery q(m_db);
|
||||
q.prepare("DELETE FROM " + m_tableName + " WHERE psk_name=:name");
|
||||
q.bindValue(":name", QString::fromUtf8(index.c_str()));
|
||||
if (!q.exec()) {
|
||||
auto err = q.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
}
|
||||
|
||||
/// Return all indexes in the table.
|
||||
virtual std::set<std::string> kv_get_all() const override
|
||||
{
|
||||
QSqlQuery q(m_db);
|
||||
q.prepare("SELECT psk_name FROM " + m_tableName);
|
||||
|
||||
std::set<std::string> result;
|
||||
if (q.exec()) {
|
||||
while (q.next()) {
|
||||
result.insert(q.value(0).toString().toUtf8().data());
|
||||
}
|
||||
}
|
||||
else {
|
||||
auto err = q.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
private:
|
||||
QSqlDatabase &m_db;
|
||||
QString m_tableName;
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
Botan::secure_vector<uint8_t> PasswordManager::KeyStrengthener::derive(const std::string &passphrase)
|
||||
|
|
@ -27,69 +133,129 @@ Botan::secure_vector<uint8_t> PasswordManager::KeyStrengthener::derive(const std
|
|||
return master_key;
|
||||
}
|
||||
|
||||
void PasswordManager::KeyStrengthener::saveParams(std::shared_ptr<Botan::Sqlite3_Database> db, const std::string &table_name)
|
||||
void PasswordManager::KeyStrengthener::saveParams(QSqlDatabase &db, const QString &table_name)
|
||||
{
|
||||
auto sc = dynamic_cast<Botan::Scrypt*>(m_hasher.get());
|
||||
size_t i1 = sc->N();
|
||||
size_t i2 = sc->r();
|
||||
size_t i3 = sc->p();
|
||||
|
||||
|
||||
auto salt_str = QString::fromUtf8(Botan::base64_encode(m_salt).c_str());
|
||||
// SAVE parameters in database
|
||||
auto stmt = db->new_statement("INSERT INTO " + table_name + "(id, algo, i1, i2, i3, ks, salt) VALUES(?1, ?2, ?3, ?4, ?5)");
|
||||
stmt->bind(1, 1);
|
||||
stmt->bind(2, "Scrypt");
|
||||
stmt->bind(3, i1);
|
||||
stmt->bind(4, i2);
|
||||
stmt->bind(5, i3);
|
||||
stmt->bind(6, m_keySize);
|
||||
stmt->bind(7, Botan::base64_encode(m_salt));
|
||||
stmt->spin();
|
||||
QSqlQuery insert_statement(db);
|
||||
insert_statement.prepare("INSERT OR REPLACE INTO " + table_name + "(id, algo, i1, i2, i3, ks, salt) "
|
||||
+ "VALUES(:id, :algo, :i1, :i2, :i3, :ks, :salt)");
|
||||
insert_statement.bindValue(":id", 1);
|
||||
insert_statement.bindValue(":algo", "Scrypt");
|
||||
insert_statement.bindValue(":i1", i1);
|
||||
insert_statement.bindValue(":i2", i2);
|
||||
insert_statement.bindValue(":i3", i3);
|
||||
insert_statement.bindValue(":ks", m_keySize);
|
||||
insert_statement.bindValue(":salt", salt_str);
|
||||
if (!insert_statement.exec()) {
|
||||
//throw std::runtime_error("PasswordManager::KeyStrengthener::saveParams failed");
|
||||
auto err = insert_statement.lastError();
|
||||
throw SqlException(err);
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// -------------------------
|
||||
|
||||
void PasswordManager::openDatabase(std::shared_ptr<Botan::Sqlite3_Database> db, std::string passphrase)
|
||||
PasswordManager::PasswordManager() = default;
|
||||
PasswordManager::~PasswordManager() = default;
|
||||
|
||||
|
||||
bool PasswordManager::initialized(QSqlDatabase& db)
|
||||
{
|
||||
// std::string psk_db_file_name;
|
||||
// auto db = std::make_shared<Botan::Sqlite3_Database>(psk_db_file_name);
|
||||
|
||||
KeyStrengthener ks;
|
||||
// if (database exists)
|
||||
if (isPskStoreInitialized(db)) {
|
||||
ks = getKeyStrengthener(db);
|
||||
}
|
||||
else {
|
||||
initializeNewPskStore(db);
|
||||
ks = createKeyStrengthener();
|
||||
ks.saveParams(db, m_secretAlgoTableName);
|
||||
}
|
||||
|
||||
Botan::secure_vector<uint8_t> master_key = ks.derive(passphrase);
|
||||
m_pskDatabase = std::make_unique<Botan::Encrypted_PSK_Database_SQL>(master_key, db, m_passwordTableName);
|
||||
return isPskStoreInitialized(db);
|
||||
}
|
||||
|
||||
bool PasswordManager::createDatabase(QSqlDatabase &db, QString passphrase)
|
||||
{
|
||||
if (!isPskStoreInitialized(db)) {
|
||||
initializeNewPskStore(db);
|
||||
auto ks = createKeyStrengthener();
|
||||
ks.saveParams(db, m_secretAlgoTableName);
|
||||
|
||||
auto master_key = ks.derive(passphrase.toUtf8().data());
|
||||
|
||||
std::unique_ptr<Botan::HashFunction> hash3(Botan::HashFunction::create("SHA-3"));
|
||||
hash3->update(master_key);
|
||||
auto mkh = QString::fromUtf8(Botan::base64_encode(hash3->final()).c_str());
|
||||
|
||||
QSqlQuery q_ins_hash(db);
|
||||
q_ins_hash.prepare("INSERT INTO " + m_secretHashTableName + "(id, hash) VALUES(:id, :hash)");
|
||||
q_ins_hash.bindValue(":id", 1);
|
||||
q_ins_hash.bindValue(":hash", mkh);
|
||||
if (!q_ins_hash.exec()) {
|
||||
auto err = q_ins_hash.lastError();
|
||||
qDebug() << err.text();
|
||||
throw SqlException(err);
|
||||
}
|
||||
|
||||
m_pskDatabase = std::make_unique<QPSK_Database>(master_key, db, m_passwordTableName);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool PasswordManager::openDatabase(QSqlDatabase &db, QString passphrase)
|
||||
{
|
||||
if (isPskStoreInitialized(db)) {
|
||||
auto ks = getKeyStrengthener(db);
|
||||
|
||||
auto master_key = ks.derive(passphrase.toUtf8().data());
|
||||
std::unique_ptr<Botan::HashFunction> hash3(Botan::HashFunction::create("SHA-3"));
|
||||
hash3->update(master_key);
|
||||
auto mkh_bin = hash3->final();
|
||||
|
||||
QSqlQuery q("SELECT hash FROM " + m_secretHashTableName + " WHERE id=1", db);
|
||||
if (q.next()) {
|
||||
auto hash_b64 = q.value(0).toString().toUtf8();
|
||||
auto hash_bin = Botan::base64_decode(hash_b64.data(), static_cast<size_t>(hash_b64.size()));
|
||||
if (hash_bin == mkh_bin) {
|
||||
m_pskDatabase = std::make_unique<QPSK_Database>(master_key, db, m_passwordTableName);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
void PasswordManager::closeDatabase()
|
||||
{
|
||||
m_pskDatabase.reset();
|
||||
}
|
||||
|
||||
bool PasswordManager::locked() const
|
||||
{
|
||||
return m_pskDatabase == nullptr;
|
||||
}
|
||||
|
||||
void PasswordManager::set(const std::string &id, const std::string &passwd)
|
||||
{
|
||||
if (m_pskDatabase) {
|
||||
|
||||
m_pskDatabase->set_str(id, passwd);
|
||||
}
|
||||
else {
|
||||
throw PasswordManagerLockedException();
|
||||
}
|
||||
}
|
||||
|
||||
std::string PasswordManager::get(const std::string &id, const std::string &passwd)
|
||||
bool PasswordManager::get(const std::string &id, std::string &password)
|
||||
{
|
||||
if (m_pskDatabase) {
|
||||
|
||||
try {
|
||||
password = m_pskDatabase->get_str(id);
|
||||
return true;
|
||||
}
|
||||
catch (const Botan::Invalid_Argument &) {
|
||||
// not present
|
||||
return false;
|
||||
}
|
||||
}
|
||||
else {
|
||||
throw PasswordManagerLockedException();
|
||||
|
|
@ -99,7 +265,7 @@ std::string PasswordManager::get(const std::string &id, const std::string &passw
|
|||
void PasswordManager::remove(const std::string &id)
|
||||
{
|
||||
if (m_pskDatabase) {
|
||||
|
||||
m_pskDatabase->remove(id);
|
||||
}
|
||||
else {
|
||||
throw PasswordManagerLockedException();
|
||||
|
|
@ -107,57 +273,100 @@ void PasswordManager::remove(const std::string &id)
|
|||
}
|
||||
|
||||
|
||||
void PasswordManager::initializeNewPskStore(std::shared_ptr<Botan::Sqlite3_Database> db)
|
||||
void PasswordManager::initializeNewPskStore(QSqlDatabase &db)
|
||||
{
|
||||
// Create tables
|
||||
// - psk_masterkey_algo
|
||||
// - psk_passwd
|
||||
std::string create_statement =
|
||||
// // Create tables
|
||||
// // - psk_masterkey_algo
|
||||
// // - psk_passwd
|
||||
{
|
||||
QSqlQuery create_tbl(db);
|
||||
create_tbl.prepare(
|
||||
"CREATE TABLE IF NOT EXISTS " + m_secretAlgoTableName + "( \n"
|
||||
" id INTEGER PRIMARY KEY \n"
|
||||
" algo TEXT \n"
|
||||
" i1 INTEGER \n"
|
||||
" i2 INTEGER \n"
|
||||
" i3 INTEGER \n"
|
||||
" ks INTEGER \n"
|
||||
" id INTEGER PRIMARY KEY, \n"
|
||||
" algo TEXT, \n"
|
||||
" i1 INTEGER, \n"
|
||||
" i2 INTEGER, \n"
|
||||
" i3 INTEGER, \n"
|
||||
" ks INTEGER, \n"
|
||||
" salt TEXT \n"
|
||||
");";
|
||||
db->create_table(create_statement);
|
||||
");");
|
||||
if (!create_tbl.exec()) {
|
||||
// auto sql_error = create_tbl.lastError();
|
||||
// throw std::runtime_error("create table failed");
|
||||
auto err = create_tbl.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
}
|
||||
|
||||
// db->create_table(
|
||||
QSqlQuery create_tbl(db);
|
||||
create_tbl.prepare(
|
||||
"CREATE TABLE IF NOT EXISTS " + m_secretHashTableName + "( \n"
|
||||
" id INTEGER PRIMARY KEY, \n"
|
||||
" hash TEXT \n"
|
||||
");");
|
||||
if (!create_tbl.exec()) {
|
||||
auto err = create_tbl.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
}
|
||||
|
||||
bool PasswordManager::isPskStoreInitialized(std::shared_ptr<Botan::Sqlite3_Database> db)
|
||||
bool PasswordManager::isPskStoreInitialized(QSqlDatabase& db)
|
||||
{
|
||||
// Is the table with the secret data present and filled?
|
||||
auto stmt = db->new_statement("SELECT name FROM sqlite_master WHERE type='table' AND name=?1");
|
||||
stmt->bind(1, m_secretAlgoTableName);
|
||||
bool ok = stmt->step();
|
||||
if (ok) {
|
||||
auto stmt = db->new_statement("SELECT algo FROM " + m_secretAlgoTableName + " WHERE id=1");
|
||||
return stmt->step();
|
||||
QSqlQuery query(db);
|
||||
query.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name=:name");
|
||||
query.bindValue(":name", m_secretAlgoTableName);
|
||||
if (!query.exec()) {
|
||||
auto err = query.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
return false;
|
||||
if (!query.next()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
query.bindValue(":name", m_secretHashTableName);
|
||||
if (!query.exec()) {
|
||||
auto err = query.lastError();
|
||||
throw SqlException(err);
|
||||
}
|
||||
if (!query.next()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
QSqlQuery sel_algo("SELECT algo FROM " + m_secretAlgoTableName + " WHERE id=1", db);
|
||||
if (!sel_algo.next()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
QSqlQuery sel_hash("SELECT hash FROM " + m_secretHashTableName + " WHERE id=1", db);
|
||||
if (!sel_hash.next()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
PasswordManager::KeyStrengthener PasswordManager::getKeyStrengthener(std::shared_ptr<Botan::Sqlite3_Database> db)
|
||||
PasswordManager::KeyStrengthener PasswordManager::getKeyStrengthener(QSqlDatabase &db)
|
||||
{
|
||||
auto stmt = db->new_statement("SELECT algo, i1, i2, i3, ks, salt FROM " + m_secretAlgoTableName + " WHERE id=1");
|
||||
if (stmt->step()) {
|
||||
std::string algo = stmt->get_str(0);
|
||||
size_t i1 = boost::lexical_cast<size_t>(stmt->get_str(1));
|
||||
size_t i2 = boost::lexical_cast<size_t>(stmt->get_str(2));
|
||||
size_t i3 = boost::lexical_cast<size_t>(stmt->get_str(3));
|
||||
size_t ks = boost::lexical_cast<size_t>(stmt->get_str(4));
|
||||
QSqlQuery query("SELECT algo, i1, i2, i3, ks, salt FROM " + m_secretAlgoTableName + " WHERE id=1", db);
|
||||
if (query.next()) {
|
||||
std::string algo = query.value(0).toString().toUtf8().data();
|
||||
size_t i1 = query.value(1).toUInt();
|
||||
size_t i2 = query.value(2).toUInt();
|
||||
size_t i3 = query.value(3).toUInt();
|
||||
size_t ks = query.value(4).toUInt();
|
||||
auto salt = query.value(5).toString().toUtf8();
|
||||
|
||||
auto pwh_fam = Botan::PasswordHashFamily::create(algo);
|
||||
return KeyStrengthener(
|
||||
pwh_fam->from_params(i1, i2, i3),
|
||||
Botan::base64_decode(stmt->get_str(5)),
|
||||
Botan::base64_decode(salt.data(), static_cast<size_t>(salt.size())),
|
||||
ks
|
||||
);
|
||||
}
|
||||
else {
|
||||
|
||||
throw std::runtime_error("fail");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
#define PASSWORDMANAGER_H
|
||||
|
||||
#include "Expected.h"
|
||||
#include <QSqlDatabase>
|
||||
#include <botan/secmem.h>
|
||||
#include <string>
|
||||
#include <memory>
|
||||
|
|
@ -16,8 +17,8 @@
|
|||
|
||||
namespace Botan {
|
||||
|
||||
class Encrypted_PSK_Database_SQL;
|
||||
class Sqlite3_Database;
|
||||
class Encrypted_PSK_Database;
|
||||
//class Sqlite3_Database;
|
||||
class PasswordHash;
|
||||
|
||||
}
|
||||
|
|
@ -41,21 +42,31 @@ public:
|
|||
Error
|
||||
};
|
||||
|
||||
PasswordManager() = default;
|
||||
PasswordManager();
|
||||
~PasswordManager();
|
||||
|
||||
void openDatabase(std::shared_ptr<Botan::Sqlite3_Database> db, std::string passphrase);
|
||||
/** Check if it has been initialized before.
|
||||
*
|
||||
* If returns false then use createDatabase to set it up
|
||||
* else use openDatabase to get access.
|
||||
*/
|
||||
bool initialized(QSqlDatabase &db);
|
||||
bool createDatabase(QSqlDatabase &db, QString passphrase);
|
||||
bool openDatabase(QSqlDatabase &db, QString passphrase);
|
||||
void closeDatabase();
|
||||
bool locked() const;
|
||||
|
||||
void set(const std::string &id, const std::string &passwd);
|
||||
std::string get(const std::string &id, const std::string &passwd);
|
||||
bool get(const std::string &id, std::string &password);
|
||||
void remove(const std::string &id);
|
||||
private:
|
||||
std::string m_passwordTableName = "psk_passwd";
|
||||
std::string m_secretAlgoTableName = "psk_masterkey_algo";
|
||||
std::unique_ptr<Botan::Encrypted_PSK_Database_SQL> m_pskDatabase;
|
||||
QString m_passwordTableName = "psk_passwd";
|
||||
QString m_secretAlgoTableName = "psk_masterkey_algo";
|
||||
QString m_secretHashTableName = "psk_masterkey_hash";
|
||||
std::unique_ptr<Botan::Encrypted_PSK_Database> m_pskDatabase;
|
||||
|
||||
bool isPskStoreInitialized(std::shared_ptr<Botan::Sqlite3_Database> db);
|
||||
void initializeNewPskStore(std::shared_ptr<Botan::Sqlite3_Database> db);
|
||||
bool isPskStoreInitialized(QSqlDatabase& db);
|
||||
void initializeNewPskStore(QSqlDatabase &db);
|
||||
|
||||
class KeyStrengthener {
|
||||
public:
|
||||
|
|
@ -74,6 +85,7 @@ private:
|
|||
, m_salt (std::move(rhs.m_salt))
|
||||
, m_keySize(rhs.m_keySize)
|
||||
{}
|
||||
|
||||
KeyStrengthener& operator=(KeyStrengthener &&rhs)
|
||||
{
|
||||
if (&rhs != this) {
|
||||
|
|
@ -85,7 +97,7 @@ private:
|
|||
}
|
||||
|
||||
Botan::secure_vector<uint8_t> derive(const std::string &passphrase);
|
||||
void saveParams(std::shared_ptr<Botan::Sqlite3_Database> db, const std::string &table_name);
|
||||
void saveParams(QSqlDatabase &db, const QString &table_name);
|
||||
private:
|
||||
std::unique_ptr<Botan::PasswordHash> m_hasher;
|
||||
Botan::secure_vector<uint8_t> m_salt;
|
||||
|
|
@ -93,7 +105,7 @@ private:
|
|||
};
|
||||
|
||||
/// Get PasswordHash from parameters in database
|
||||
KeyStrengthener getKeyStrengthener(std::shared_ptr<Botan::Sqlite3_Database> db);
|
||||
KeyStrengthener getKeyStrengthener(QSqlDatabase &db);
|
||||
KeyStrengthener createKeyStrengthener();
|
||||
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
#-------------------------------------------------
|
||||
|
||||
QT -= gui
|
||||
QT += sql
|
||||
|
||||
TARGET = core
|
||||
TEMPLATE = lib
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue