Add methods to store/retrieve encrypted user (using argon2 for hash)

author: dec05eba <dec05eba@protonmail.com> 2018-05-15 18:24:50 +0200
committer: dec05eba <dec05eba@protonmail.com> 2020-08-18 23:25:46 +0200
commit: e52be3a6b82025b6795b73d448381953821d18bb (patch)
tree: c7dfaf9e2ed9020d5c6a595f803f501c4f20de54 /src
parent: 0f95a9de53f23db735b7f1d1ecdb7acdd59bba0d (diff)
3 files changed, 81 insertions, 52 deletions
diff --git a/src/Database.cpp b/src/Database.cpp
index 5eedc7a..17773ed 100644
--- a/src/Database.cpp
+++ b/src/Database.cpp
@@ -654,4 +654,14 @@ namespace odhtdb
         }
         return true;
     }
+    
+    void Database::storeUserPasswordEncrypted(const Hash &nodeHash, const std::string &username, const std::string &password, const Signature::KeyPair &keyPair)
+    {
+        return databaseStorage.storeUserPasswordEncrypted(nodeHash, username, password, keyPair);
+    }
+        
+    vector<NodeUserKeyPair> Database::getStoredUserNodeDataDecrypted(const std::string &username, const std::string &password)
+    {
+        return databaseStorage.getStoredUserNodeDataDecrypted(username, password);
+    }
 }
diff --git a/src/DatabaseStorage.cpp b/src/DatabaseStorage.cpp
index d5053c5..66d6d89 100644
--- a/src/DatabaseStorage.cpp
+++ b/src/DatabaseStorage.cpp
@@ -5,8 +5,6 @@
 #include "../include/odhtdb/PasswordHash.hpp"
 #include "../include/odhtdb/Log.hpp"
 #include "../include/odhtdb/Database.hpp"
-#include "../include/odhtdb/sql/SqlQuery.hpp"
-#include "../include/odhtdb/sql/SqlExec.hpp"
 #include <cstring>
 #include <chrono>
 #include <boost/filesystem/convenience.hpp>
@@ -101,6 +99,8 @@ namespace odhtdb
             throw DatabaseStorageException(errMsg);
         }
         
+        // TODO: GroupId (and maybe other fields) have to be unique, but by malicious intervention group id can be copied from one node and then used when creating another one.
+        // This will result in error for users that are part of the other Node, meaning not all users...
         sqlite_exec_checked(sqliteDb, 
                             "CREATE TABLE IF NOT EXISTS Node(id INTEGER PRIMARY KEY, nodeHash BLOB UNIQUE NOT NULL, timestamp INTEGER NOT NULL, creatorPublicKey BLOB NOT NULL, adminGroupId BLOB NOT NULL);"
                             "CREATE TABLE IF NOT EXISTS NodeUser(id INTEGER PRIMARY KEY, node BLOB NOT NULL, publicKey BLOB NOT NULL, latestActionCounter INTEGER NOT NULL, FOREIGN KEY(node) REFERENCES Node(nodeHash));"
@@ -109,15 +109,17 @@ namespace odhtdb
                             "CREATE TABLE IF NOT EXISTS NodeAddDataAdditional(id INTEGER PRIMARY KEY, nodeAddDataId INTEGER NOT NULL, data BLOB NOT NULL, FOREIGN KEY(nodeAddDataId) REFERENCES NodeAddData(id));"
                             "CREATE TABLE IF NOT EXISTS NodeAddUserData(id INTEGER PRIMARY KEY, nodeAddDataId INTEGER NOT NULL, userToAddPublicKey BLOB NOT NULL, groupId BLOB NOT NULL, FOREIGN KEY(nodeAddDataId) REFERENCES NodeAddData(id));"
                             "CREATE TABLE IF NOT EXISTS NodeDecryptionKey(node BLOB UNIQUE NOT NULL, decryptionKey BLOB NOT NULL);"
-                            "CREATE TABLE IF NOT EXISTS NodeUserGroupAssoc(node BLOB NOT NULL, userPublicKey BLOB NOT NULL, groupId BLOB NOT NULL, FOREIGN KEY(node) REFERENCES Node(nodeHash), FOREIGN KEY(userPublicKey) REFERENCES NodeUser(publicKey), FOREIGN KEY(groupId) REFERENCES NodeGroup(groupId));"
+                            "CREATE TABLE IF NOT EXISTS NodeUserGroupAssoc(node BLOB NOT NULL, userPublicKey BLOB NOT NULL, groupId BLOB NOT NULL, FOREIGN KEY(node, userPublicKey) REFERENCES NodeUser(node, publicKey), FOREIGN KEY(groupId) REFERENCES NodeGroup(groupId));"
                             
                             "CREATE TABLE IF NOT EXISTS NodeRaw(node INTEGER NOT NULL, data BLOB NOT NULL, FOREIGN KEY(node) REFERENCES Node(id));"
                             "CREATE TABLE IF NOT EXISTS NodeAddDataRaw(nodeId INTEGER NOT NULL, nodeAddDataId INTEGER NOT NULL, data BLOB NOT NULL, FOREIGN KEY(nodeId) REFERENCES Node(id), FOREIGN KEY(nodeAddDataId) REFERENCES NodeAddData(id));"
                             
                             "CREATE TABLE IF NOT EXISTS NodeUserActionGap(id INTEGER PRIMARY KEY, nodeUserId INTEGER NOT NULL, start INTEGER NOT NULL, range INTEGER NOT NULL, FOREIGN KEY(nodeUserId) REFERENCES NodeUser(id));"
+                            "CREATE TABLE IF NOT EXISTS NodeEncryptedUserData(node INTEGER NOT NULL, username BLOB NOT NULL, userPublicKey BLOB NOT NULL, nonce BLOB NOT NULL, userPrivateKeyEncrypted BLOB NOT NULL, FOREIGN KEY(node, userPublicKey) REFERENCES NodeUser(node, publicKey));"
                             
                             "CREATE UNIQUE INDEX IF NOT EXISTS UniqueUserInNode ON NodeUser(node, publicKey);"
-                            "CREATE UNIQUE INDEX IF NOT EXISTS UniqueUserGroupAssoc ON NodeUserGroupAssoc(node, userPublicKey, groupId);");
+                            "CREATE UNIQUE INDEX IF NOT EXISTS UniqueUserGroupAssoc ON NodeUserGroupAssoc(node, userPublicKey, groupId);"
+                            "CREATE UNIQUE INDEX IF NOT EXISTS UniqueEncryptedUserDataInNode ON NodeEncryptedUserData(node, username);");
         
         sqlite_prepare_checked(sqliteDb, "INSERT INTO Node(nodeHash, timestamp, creatorPublicKey, adminGroupId) VALUES(?, ?, ?, ?)", &insertNodeStmt);
         sqlite_prepare_checked(sqliteDb, "INSERT INTO NodeUser(node, publicKey, latestActionCounter) VALUES(?, ?, 0)", &insertUserStmt);
@@ -781,7 +783,7 @@ namespace odhtdb
     void DatabaseStorage::fetchNodeUserLatestActionCounter(const Hash &nodeHash, FetchNodeUserLatestActionCounterCallbackFunc callbackFunc)
     {
         SqlQuery query(sqliteDb, "SELECT publicKey, latestActionCounter FROM NodeUser WHERE node = ?", { DataView(nodeHash.getData(), nodeHash.getSize()) });
-        while(!query.next())
+        while(query.next())
         {
             const DataView userPublicKey = query.getBlob(0);
             u64 latestActionCounter = query.getInt64(1);
@@ -833,67 +835,74 @@ namespace odhtdb
         }
         return query.getInt64(0);
     }
-#if 0
-    bool DatabaseStorage::storeLocalUser(const string &username, const Signature::KeyPair &keyPair, const string &password)
+    
+    void DatabaseStorage::storeUserPasswordEncrypted(const Hash &nodeHash, const std::string &username, const std::string &password, const Signature::KeyPair &keyPair)
     {
-        auto it = nameLocalUsersMap.find(username);
-        if(it != nameLocalUsersMap.end())
-            return false;
-        
         OwnedMemory hashedPassword = hashPassword(DataView((void*)password.data(), password.size()), DataView((void*)passwordSalt, PASSWORD_SALT_LEN));
-        DataView privateKeyView((void*)keyPair.getPrivateKey().getData(), PRIVATE_KEY_NUM_BYTES);
         DataView hashedPasswordView(hashedPassword.data, hashedPassword.size);
+        DataView privateKeyView((void*)keyPair.getPrivateKey().getData(), PRIVATE_KEY_NUM_BYTES);
         Encryption encryptedPrivateKey(privateKeyView, {}, hashedPasswordView);
         
-        EncryptedPrivateKey userEncryptedPrivateKey;
-        memcpy(userEncryptedPrivateKey.nonce, encryptedPrivateKey.getNonce().data, ENCRYPTION_NONCE_BYTE_SIZE);
-        assert(sizeof(userEncryptedPrivateKey.encryptedPrivateKey) == encryptedPrivateKey.getCipherText().size);
-        memcpy(userEncryptedPrivateKey.encryptedPrivateKey, encryptedPrivateKey.getCipherText().data, encryptedPrivateKey.getCipherText().size);
+        SqlQuery query(sqliteDb, "SELECT nonce, userPrivateKeyEncrypted FROM NodeEncryptedUserData WHERE username = ?", 
+                       { DataView((void*)username.data(), username.size()) });
         
-        LocalUserEncrypted *localUserEncrypted = LocalUserEncrypted::create(keyPair.getPublicKey(), userEncryptedPrivateKey);
-        nameLocalUsersMap[username] = localUserEncrypted;
-        
-        sibs::SafeSerializer serializer;
-        serializer.add((u8)username.size());
-        serializer.add((const u8*)username.data(), username.size());
-        serializer.add((const u8*)keyPair.getPublicKey().getData(), PUBLIC_KEY_NUM_BYTES);
-        serializer.add((const u8*)encryptedPrivateKey.getNonce().data, ENCRYPTION_NONCE_BYTE_SIZE);
-        serializer.add((const u8*)encryptedPrivateKey.getCipherText().data, ENCRYPTION_CHECKSUM_BYTE_SIZE + PRIVATE_KEY_NUM_BYTES);
+        if(query.next())
+        {
+            const DataView storedNonce = query.getBlob(0);
+            const DataView storedPrivateKeyEncrypted = query.getBlob(1);
+            try
+            {
+                Decryption decryptedStoredPrivateKey(storedPrivateKeyEncrypted, storedNonce, hashedPasswordView);
+            }
+            catch(DecryptionException &e)
+            {
+                throw DatabaseStorageWrongPassword(e.what());
+            }
+        }
         
-        fileAppend(localUsersFilePath, DataView(serializer.getBuffer().data(), serializer.getBuffer().size()));
-        return true;
+        SqlExec sqlExec(sqliteDb, "INSERT INTO NodeEncryptedUserData(node, username, userPublicKey, nonce, userPrivateKeyEncrypted) VALUES(?, ?, ?, ?, ?)");
+        sqlExec.execWithArgs({
+            DataView(nodeHash.getData(), nodeHash.getSize()),
+            DataView((void*)username.data(), username.size()),
+            DataView((void*)keyPair.getPublicKey().getData(), PUBLIC_KEY_NUM_BYTES),
+            encryptedPrivateKey.getNonce(),
+            encryptedPrivateKey.getCipherText()
+        });
     }
     
-    Signature::KeyPair DatabaseStorage::decryptLocalEncryptedUser(const string &username, const string &password)
+    vector<NodeUserKeyPair> DatabaseStorage::getStoredUserNodeDataDecrypted(const std::string &username, const std::string &password)
     {
-        auto localUserIt = nameLocalUsersMap.find(username);
-        if(localUserIt == nameLocalUsersMap.end())
-        {
-            string errMsg = "User ";
-            errMsg += username;
-            errMsg += " does not exist in local storage";
-            throw DatabaseStorageNoSuchLocalStorageUser(errMsg);
-        }
+        OwnedMemory hashedPassword = hashPassword(DataView((void*)password.data(), password.size()), DataView((void*)passwordSalt, PASSWORD_SALT_LEN));
+        DataView hashedPasswordView(hashedPassword.data, hashedPassword.size);
         
-        DataView passwordView((void*)password.data(), password.size());
-        DataView saltView((void*)passwordSalt, PASSWORD_SALT_LEN);
-        try
-        {
-            auto privateKey = localUserIt->second->getPrivateKey().decrypt(passwordView, saltView);
-            Signature::KeyPair keyPair(localUserIt->second->getPublicKey(), privateKey);
-            return keyPair;
-        }
-        catch(DecryptionException &e)
+        vector<NodeUserKeyPair> result;
+        SqlQuery query(sqliteDb, "SELECT node, userPublicKey, nonce, userPrivateKeyEncrypted FROM NodeEncryptedUserData WHERE username = ?", { DataView((void*)username.data(), username.size()) });
+        while(query.next())
         {
-            string errMsg = "Wrong password provided for user ";
-            errMsg += username;
-            errMsg += " in local storage (";
-            errMsg += e.what();
-            errMsg += ")";
-            throw DatabaseStorageWrongPassword(errMsg);
+            Hash nodeHash;
+            const DataView storedNodeHash = query.getBlob(0);
+            memcpy(nodeHash.getData(), storedNodeHash.data, HASH_BYTE_SIZE);
+            
+            const DataView storedUserPublicKey = query.getBlob(1);
+            Signature::PublicKey userPublicKey((const char*)storedUserPublicKey.data, storedUserPublicKey.size);
+            const DataView storedNonce = query.getBlob(2);
+            const DataView storedPrivateKeyEncrypted = query.getBlob(3);
+            try
+            {
+                // TODO: We can bypass decrypting several times by storing several nodes private key user the same field (as a blob)
+                Decryption decryptedStoredPrivateKey(storedPrivateKeyEncrypted, storedNonce, hashedPasswordView);
+                Signature::PrivateKey userPrivateKey((const char*)decryptedStoredPrivateKey.getDecryptedText().data, decryptedStoredPrivateKey.getDecryptedText().size);
+                Signature::KeyPair keyPair(userPublicKey, userPrivateKey);
+                result.push_back({ nodeHash, keyPair });
+            }
+            catch(DecryptionException &e)
+            {
+                throw DatabaseStorageWrongPassword(e.what());
+            }
         }
+        return result;
     }
-#endif
+    
     pair<bool, shared_ptr<OwnedMemory>> DatabaseStorage::getNodeDecryptionKey(const Hash &nodeHash)
     {
         sqlite3_reset(getNodeDecryptionKeyStmt);
diff --git a/src/Signature.cpp b/src/Signature.cpp
index ba3ebde..3d75f24 100644
--- a/src/Signature.cpp
+++ b/src/Signature.cpp
@@ -105,6 +105,16 @@ namespace odhtdb
             return *this;
         }
         
+        bool PrivateKey::operator==(const PrivateKey &other) const
+        {
+            return memcmp(data, other.data, PRIVATE_KEY_NUM_BYTES) == 0;
+        }
+        
+        bool PrivateKey::operator!=(const PrivateKey &other) const
+        {
+            return !operator==(other);
+        }
+        
         string PrivateKey::sign(const DataView &dataToSign) const
         {
             string result;
author	dec05eba <dec05eba@protonmail.com>	2018-05-15 18:24:50 +0200
committer	dec05eba <dec05eba@protonmail.com>	2020-08-18 23:25:46 +0200
commit	e52be3a6b82025b6795b73d448381953821d18bb (patch)
tree	c7dfaf9e2ed9020d5c6a595f803f501c4f20de54 /src
parent	0f95a9de53f23db735b7f1d1ecdb7acdd59bba0d (diff)