const char* const OURS_PRV_ALIAS = "ours_private";
const char* const OURS_PUB_ALIAS = "ours_public";
+ char label[] = "label";
+ char context[] = "context";
+
+ ckmc_param_list_h ecdh_params = nullptr;
+ ckmc_param_list_h kbkdf_params = nullptr;
+ ckmc_raw_buffer_s* label_buf = nullptr;
+ ckmc_raw_buffer_s* context_buf = nullptr;
+
ckmc_policy_s unexportable { nullptr, false };
ckmc_policy_s exportable { nullptr, true };
return -1;
// set ECDH params
- ckmc_param_list_h ecdh_params;
ret = ckmc_param_list_new(&ecdh_params);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(ecdh_params, CKMC_PARAM_ALGO_TYPE, CKMC_ALGO_ECDH);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_buffer(ecdh_params, CKMC_PARAM_ECDH_PUBKEY, peers_public);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
// derive shared secret
ret = ckmc_key_derive(ecdh_params, OURS_PRV_ALIAS, nullptr, SECRET_ALIAS, unexportable);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
// set KBKDF params
- ckmc_param_list_h kbkdf_params;
ret = ckmc_param_list_new(&kbkdf_params);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_ALGO_TYPE, CKMC_ALGO_KBKDF);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KDF_PRF, CKMC_KDF_PRF_HMAC_SHA256);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KBKDF_MODE, CKMC_KBKDF_MODE_COUNTER);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(kbkdf_params,
CKMC_PARAM_KBKDF_COUNTER_LOCATION,
CKMC_KBKDF_COUNTER_BEFORE_FIXED);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
- char label[] = "label";
- ckmc_raw_buffer_s* label_buf = nullptr;
ret = ckmc_buffer_new(reinterpret_cast<unsigned char*>(label), strlen(label), &label_buf);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_buffer(kbkdf_params, CKMC_PARAM_KBKDF_LABEL, label_buf);
- ckmc_buffer_free(label_buf);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
- char context[] = "context";
- ckmc_raw_buffer_s* context_buf = nullptr;
ret = ckmc_buffer_new(reinterpret_cast<unsigned char*>(context), strlen(context), &context_buf);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_buffer(kbkdf_params, CKMC_PARAM_KBKDF_CONTEXT, context_buf);
- ckmc_buffer_free(context_buf);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KDF_LEN, 32);
if (ret != CKMC_ERROR_NONE)
- return -1;
+ goto exit;
// derive symmetric key
ret = ckmc_key_derive(kbkdf_params, SECRET_ALIAS, nullptr, KEY_ALIAS, unexportable);
- if (ret != CKMC_ERROR_NONE)
- return -1;
-
- // remove shared secret
- ret = ckmc_remove_key(SECRET_ALIAS);
- if (ret != CKMC_ERROR_NONE)
- return -1;
- return 0;
+exit:
+ ckmc_remove_alias(OURS_PRV_ALIAS);
+ ckmc_remove_alias(OURS_PUB_ALIAS);
+ ckmc_param_list_free(ecdh_params);
+ ckmc_buffer_free(label_buf);
+ ckmc_buffer_free(context_buf);
+ ckmc_param_list_free(kbkdf_params);
+ ckmc_remove_alias(SECRET_ALIAS);
+ return ret;
}
//! [KEY_DERIVE example]
void DescriptorSet::purge()
{
- for (auto it : m_descriptors)
+ for (auto& it : m_descriptors)
close(it.first);
m_descriptors.clear();
int ret = 0;
ckmc_key_s *wrapped_key = nullptr;
CKM::RawBuffer wrappedKey;
- CKM::KeyType keyType;
+ CKM::KeyType keyType = CKM::KeyType::KEY_NONE;
auto mgr = CKM::Manager::create();
ret = to_ckmc_error(mgr->exportWrappedKey(*ca,
AliasSupport wrapping_helper(wrappingKeyAlias);
AliasSupport wrapped_helper(wrappedKeyAlias);
- DataType *dataTypeKey = nullptr;
+ DataType dataTypeKey;
int retCode = Request(*this,
LogicCommand::EXPORT_WRAPPED_KEY,
if (retCode != CKM_API_SUCCESS)
return retCode;
- if (dataTypeKey->isSKey()) {
+ if (dataTypeKey.isSKey()) {
keyType = KeyType::KEY_AES;
- } else if (dataTypeKey->isKeyPrivate()) {
+ } else if (dataTypeKey.isKeyPrivate()) {
keyType = KeyType::KEY_RSA_PRIVATE;
} else {
return CKM_API_ERROR_INVALID_FORMAT;
namespace {
#ifdef OVERRIDE_SOCKET_TIMEOUT
-const time_t SOCKET_TIMEOUT = OVERRIDE_SOCKET_TIMEOUT;
+const std::chrono::seconds SOCKET_TIMEOUT(OVERRIDE_SOCKET_TIMEOUT);
#else // OVERRIDE_SOCKET_TIMEOUT
-const time_t SOCKET_TIMEOUT = 1000;
+const std::chrono::seconds SOCKET_TIMEOUT(1000);
#endif // OVERRIDE_SOCKET_TIMEOUT
int getCredentialsFromSocket(int sock, CKM::Credentials &cred)
return 0;
}
-time_t monotonicNow() {
- struct timespec now;
- if (clock_gettime(CLOCK_MONOTONIC_RAW, &now) == -1) {
- int err = errno;
- LogError("Can't access monotonic clock, error: " << CKM::GetErrnoString(err));
- return 0;
- }
- return now.tv_sec;
+std::chrono::time_point<std::chrono::steady_clock> monotonicNow() {
+ return std::chrono::steady_clock::now();
}
} // namespace anonymous
LogDebug("No usable timeout found.");
ptrTimeout = NULL; // select will wait without timeout
} else {
- time_t currentTime = monotonicNow();
+ auto currentTime = monotonicNow();
auto &pqTimeout = m_socketDescriptionVector[m_timeoutQueue.front()].timeout;
// 0 means that select won't block and socket will be closed ;-)
ptrTimeout->tv_sec =
- currentTime < pqTimeout ? pqTimeout - currentTime : 0;
+ currentTime < pqTimeout ?
+ std::chrono::duration_cast<std::chrono::seconds>(pqTimeout - currentTime).count() :
+ 0;
ptrTimeout->tv_usec = 0;
}
#include <mutex>
#include <thread>
#include <functional>
-#include <ctime>
+#include <chrono>
#include <dpl/exception.h>
InterfaceID interfaceID;
GenericSocketService *service;
- time_t timeout;
+ std::chrono::time_point<std::chrono::steady_clock> timeout;
RawBuffer rawBuffer;
int counter;
std::string cynaraPrivilege;
SocketDescription() :
interfaceID(-1),
service(nullptr),
- timeout(0),
counter(0),
m_flags(0) {}
const Name &name,
const ClientId &owner)
{
- PermissionMask permission;
+ PermissionMask permission = Permission::NONE;
auto [dbOp, retCode] = begin(cred, name, owner);
if (retCode == CKM_API_SUCCESS)
permission = toPermissionMask(dbOp.database().getPermissionRow(name, owner, cred.client));
second.m_domainKEK = NULL;
}
-bool KeyProvider::isInitialized()
+bool KeyProvider::isInitialized() const
{
return m_isInitialized;
}
-RawBuffer KeyProvider::getPureDomainKEK()
+RawBuffer KeyProvider::getPureDomainKEK() const
{
if (!m_isInitialized)
ThrowErr(Exc::InternalError, "Object not initialized!");
return RawBuffer(m_domainKEK->key, m_domainKEK->key + m_domainKEK->info.keyLength);
}
-RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password)
+RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) const
{
if (!m_isInitialized)
ThrowErr(Exc::InternalError, "Object not initialized!");
return wrapDomainKEK(*m_domainKEK, password);
}
-RawBuffer KeyProvider::getPureDEK(const RawBuffer &wrappedDEKbuffer)
+RawBuffer KeyProvider::getPureDEK(const RawBuffer &wrappedDEKbuffer) const
{
if (!m_isInitialized)
ThrowErr(Exc::InternalError, "Object not initialized!");
return RawBuffer(DEK.key, DEK.key + DEK.info.keyLength);
}
-RawBuffer KeyProvider::generateDEK(const std::string &client)
+RawBuffer KeyProvider::generateDEK(const std::string &client) const
{
if (!m_isInitialized)
ThrowErr(Exc::InternalError, "Object not initialized!");
struct DomainKEKInfo : KeyInfo {
DomainKEKInfo() = default;
- DomainKEKInfo(const KeyInfo& info) : KeyInfo(info) {}
+ explicit DomainKEKInfo(const KeyInfo& info) : KeyInfo(info) {}
uint32_t version;
uint32_t backend;
};
KeyProvider &operator=(const KeyProvider &) = delete;
KeyProvider &operator=(KeyProvider &&);
- bool isInitialized();
+ bool isInitialized() const;
// Returns Key used to decrypt database.
- RawBuffer getPureDomainKEK();
+ RawBuffer getPureDomainKEK() const;
// Returns Key in form used to store key in file
- RawBuffer getWrappedDomainKEK(const Password &password);
+ RawBuffer getWrappedDomainKEK(const Password &password) const;
// Unwraps (decrypts) a DEK using a key derived from DomainKEK and data stored in wrapped key
// info. It returns the DEK in unencrypted form.
- RawBuffer getPureDEK(const RawBuffer &wrappedDEKbuffer);
+ RawBuffer getPureDEK(const RawBuffer &wrappedDEKbuffer) const;
// Generates a random DEK and encrypts it using a key derived from DomainKEK and custom client
// string (not to be confused with ClientId). The function returns the DEK in wrapped
// (encrypted) form. The function is used to produce a key for database encryption as well as
// application keys.
- RawBuffer generateDEK(const std::string &client);
+ RawBuffer generateDEK(const std::string &client) const;
// First run of application for some user. DomainKEK was not created yet. We must create one.
// This key will be used to encrypt user database.
DataType::BINARY_DATA));
BOOST_REQUIRE((migration_names / migration_owners) == ret_list.size());
- for (auto it : ret_list)
+ for (auto& it : ret_list)
BOOST_REQUIRE(it.first == current_owner);
ret_list.clear();
readFd(desc, fd[0], revents);
descriptors.remove(desc);
- descriptors.add(fd2[1], POLLOUT, [&](int desc, short revents) {
+ descriptors.add(fd2[1], POLLOUT, [&](int desc2, short revents) {
callback2 = true;
- writeFd(desc, fd2[1], revents);
- descriptors.remove(desc);
+ writeFd(desc2, fd2[1], revents);
+ descriptors.remove(desc2);
});
});