components/rappor/byte_vector_utils.cc - Issue 49753002: RAPPOR implementation

Side by Side Diff: components/rappor/byte_vector_utils.cc

Issue 49753002: RAPPOR implementation (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: NIST test vector Created 6 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "components/rappor/byte_vector_utils.h"

	6

	7 #include <string>

	8

	9 #include "base/logging.h"

	10 #include "base/rand_util.h"

	11 #include "base/strings/string_number_conversions.h"

	12 #include "crypto/random.h"

	13

	14 namespace rappor {

	15

	16 namespace {

	17

	18 // Reinterpets a ByteVector as a StringPiece.

	19 base::StringPiece ByteVectorAsStringPiece(const ByteVector& lhs) {

	20 return base::StringPiece(reinterpret_cast<const char *>(&lhs[0]), lhs.size());
	Ilya Sherman 2014/02/13 23:23:08 So, reinterpret_cast is generally not safe. The o So, reinterpret_cast is generally not safe. The only guarantee is that if you reinterpret_cast from type A to type B and then back to type A again, you get the same result as you started with. The state after casting to type B is undefined. In contrast, I think the explicit call to the std::string constructor on line 25 is safe. Can you use a similar safe pattern here as well? (FWIW, I think that std::string safely implicitly converts to base::StringPiece -- in fact, I think that's the whole point of base::StringPiece -- so you can safely return an std::string from this method rather than a base::StringPiece.) Steven Holte 2014/02/14 02:53:29 The whole point of making this function was to avo Show quoted text On 2014/02/13 23:23:08, Ilya Sherman wrote: > So, reinterpret_cast is generally not safe. The only guarantee is that if you > reinterpret_cast from type A to type B and then back to type A again, you get > the same result as you started with. The state after casting to type B is > undefined. > > In contrast, I think the explicit call to the std::string constructor on line 25 > is safe. Can you use a similar safe pattern here as well? (FWIW, I think that > std::string safely implicitly converts to base::StringPiece -- in fact, I think > that's the whole point of base::StringPiece -- so you can safely return an > std::string from this method rather than a base::StringPiece.) The whole point of making this function was to avoid the extra copy involved when creating a std::string, w. From a practical standpoint, I think reinterpeting an unsigned char* to a signed char* is pretty safe. According to http://stackoverflow.com/questions/15078638/can-i-turn-unsigned-char-into-cha... the standard says that this doesn't violate strict-aliasing rules, but we aren't gauranteed about the interpretation of the value being the "same". If this actually occurred, we should get test failures, at least from the HmacByteVectorGenerator and HmacNist tests. Ilya Sherman 2014/02/14 05:23:09 Hmm, alright, I'm convinced. Seems I need to brus Show quoted text On 2014/02/14 02:53:29, Steven Holte wrote: > On 2014/02/13 23:23:08, Ilya Sherman wrote: > > So, reinterpret_cast is generally not safe. The only guarantee is that if you > > reinterpret_cast from type A to type B and then back to type A again, you get > > the same result as you started with. The state after casting to type B is > > undefined. > > > > In contrast, I think the explicit call to the std::string constructor on line > 25 > > is safe. Can you use a similar safe pattern here as well? (FWIW, I think > that > > std::string safely implicitly converts to base::StringPiece -- in fact, I > think > > that's the whole point of base::StringPiece -- so you can safely return an > > std::string from this method rather than a base::StringPiece.) > > The whole point of making this function was to avoid the extra copy involved > when creating a std::string, w. From a practical standpoint, I think > reinterpeting an unsigned char* to a signed char* is pretty safe. According to > http://stackoverflow.com/questions/15078638/can-i-turn-unsigned-char-into-cha... > the standard says that this doesn't violate strict-aliasing rules, but we aren't > gauranteed about the interpretation of the value being the "same". If this > actually occurred, we should get test failures, at least from the > HmacByteVectorGenerator and HmacNist tests. Hmm, alright, I'm convinced. Seems I need to brush up on my C++ miscellany :)
	21 }

	22

	23 // Concatenates parameters together as a string.

	24 std::string Concat(const ByteVector& value, char c, const std::string& data) {

	25 return std::string(value.begin(), value.end()) + c + data;

	26 }

	27

	28 // Performs the operation: K = HMAC(K, data)

	29 // The input "K" is passed by initializing \|hmac\| with it.

	30 // The output "K" is returned by initializing \|result\| with it.

	31 // Returns false on an error.

	32 bool HMAC_Rotate(const crypto::HMAC& hmac,

	33 const std::string& data,

	34 crypto::HMAC* result) {

	35 ByteVector key(hmac.DigestLength());

	36 if (!hmac.Sign(data, &key[0], key.size()))

	37 return false;

	38 return result->Init(ByteVectorAsStringPiece(key));

	39 }

	40

	41 // Performs the operation: V = HMAC(K, V)

	42 // The input "K" is passed by initializing \|hmac\| with it.

	43 // "V" is read from and written to \|value\|.

	44 // Returns false on an error.

	45 bool HMAC_Rehash(const crypto::HMAC& hmac, ByteVector* value) {

	46 return hmac.Sign(ByteVectorAsStringPiece(*value),

	47 &(*value)[0], value->size());

	48 }

	49

	50 // Implements (Key, V) = HMAC_DRBG_Update(provided_data, Key, V)

	51 // "V" is read from and written to \|value\|.

	52 // The input "Key" is passed by initializing \|hmac1\| with it.

	53 // The output "Key" is returned by initializing \|out_hmac\| with it.

	54 // Returns false on an error.

	55 bool HMAC_DRBG_Update(const std::string& provided_data,

	56 const crypto::HMAC& hmac1,

	57 ByteVector* value,

	58 crypto::HMAC* out_hmac) {

	59 // HMAC_DRBG Update Process

	60 crypto::HMAC temp_hmac(crypto::HMAC::SHA256);

	61 crypto::HMAC* hmac2 = provided_data.size() > 0 ? &temp_hmac : out_hmac;

	62 // 1. K = HMAC(K, V \|\| 0x00 \|\| provided_data)

	63 if (!HMAC_Rotate(hmac1, Concat(*value, 0x00, provided_data), hmac2))

	64 return false;

	65 // 2. V = HMAC(K, V)

	66 if (!HMAC_Rehash(*hmac2, value))

	67 return false;

	68 // 3. If (provided_data = Null), then return K and V.

	69 if (hmac2 == out_hmac)

	70 return true;

	71 // 4. K = HMAC(K, V \|\| 0x01 \|\| provided_data)

	72 if (!HMAC_Rotate(hmac2, Concat(value, 0x01, provided_data), out_hmac))

	73 return false;

	74 // 5. V = HMAC(K, V)

	75 return HMAC_Rehash(*out_hmac, value);

	76 }

	77

	78 } // namespace

	79

	80 ByteVector* ByteVectorOr(const ByteVector& lhs, ByteVector* rhs) {

	81 DCHECK_EQ(lhs.size(), rhs->size());

	82 for (size_t i = 0, len = lhs.size(); i < len; ++i) {

	83 (rhs)[i] = lhs[i] \| (rhs)[i];

	84 }

	85 return rhs;

	86 }

	87

	88 ByteVector* ByteVectorMerge(const ByteVector& mask,

	89 const ByteVector& lhs,

	90 ByteVector* rhs) {

	91 DCHECK_EQ(lhs.size(), rhs->size());

	92 for (size_t i = 0, len = lhs.size(); i < len; ++i) {

	93 (rhs)[i] = (lhs[i] & ~mask[i]) \| ((rhs)[i] & mask[i]);

	94 }

	95 return rhs;

	96 }

	97

	98 int CountBits(const ByteVector& vector) {

	99 int bit_count = 0;

	100 for (size_t i = 0; i < vector.size(); ++i) {

	101 uint8_t byte = vector[i];

	102 for (int j = 0; j < 8 ; ++j) {

	103 if (byte & (1 << j))

	104 bit_count++;

	105 }

	106 }

	107 return bit_count;

	108 }

	109

	110 ByteVectorGenerator::ByteVectorGenerator(size_t byte_count)

	111 : byte_count_(byte_count) {}

	112

	113 ByteVectorGenerator::~ByteVectorGenerator() {}

	114

	115 ByteVector ByteVectorGenerator::GetRandomByteVector() {

	116 ByteVector bytes(byte_count_);

	117 crypto::RandBytes(&bytes[0], bytes.size());

	118 return bytes;

	119 }

	120

	121 ByteVector ByteVectorGenerator::GetWeightedRandomByteVector(

	122 Probability probability) {

	123 ByteVector bytes = GetRandomByteVector();

	124 switch (probability) {

	125 case PROBABILITY_75:

	126 return *ByteVectorOr(GetRandomByteVector(), &bytes);

	127 case PROBABILITY_50:

	128 return bytes;

	129 }

	130 NOTREACHED();

	131 return bytes;

	132 }

	133

	134 HmacByteVectorGenerator::HmacByteVectorGenerator(

	135 size_t byte_count,

	136 const std::string& entropy_input,

	137 const std::string& personalization_string)

	138 : ByteVectorGenerator(byte_count),

	139 hmac_(crypto::HMAC::SHA256),

	140 value_(hmac_.DigestLength(), 0x01),

	141 generated_bytes_(0) {

	142 // HMAC_DRBG Instantiate Process

	143 // 1. seed_material = entropy_input + nonce + personalization_string

	144 // Note: We are using the 8.6.7 interpretation, where the entropy_input and

	145 // nonce are acquired at the same time from the same source.

	146 DCHECK_EQ(kEntropyInputSize, entropy_input.size());

	147 std::string seed_material(entropy_input + personalization_string);

	148 // 2. Key = 0x00 00...00

	149 crypto::HMAC hmac1(crypto::HMAC::SHA256);

	150 if (!hmac1.Init(std::string(hmac_.DigestLength(), 0x00)))

	151 NOTREACHED();

	152 // 3. V = 0x01 01...01

	153 // (value_ in initializer list)

	154

	155 // 4. (Key, V) = HMAC_DRBG_Update(seed_material, Key, V)

	156 if (!HMAC_DRBG_Update(seed_material, hmac1, &value_, &hmac_))

	157 NOTREACHED();

	158 }

	159

	160 HmacByteVectorGenerator::~HmacByteVectorGenerator() {}

	161

	162 HmacByteVectorGenerator::HmacByteVectorGenerator(

	163 const HmacByteVectorGenerator& prev_request)

	164 : ByteVectorGenerator(prev_request.byte_count()),

	165 hmac_(crypto::HMAC::SHA256),

	166 value_(prev_request.value_),

	167 generated_bytes_(0) {

	168 if (!HMAC_DRBG_Update("", prev_request.hmac_, &value_, &hmac_))

	169 NOTREACHED();

	170 }

	171

	172 // HMAC_DRBG requires entropy input to be security_strength bits long,

	173 // and nonce to be at least 1/2 security_strength bits long. We

	174 // generate them both as a single "extra strong" entropy input.

	175 // max_security_strength for SHA256 is 256 bits.

	176 const size_t HmacByteVectorGenerator::kEntropyInputSize = (256 / 8) * 3 / 2;

	177

	178 // static

	179 std::string HmacByteVectorGenerator::GenerateEntropyInput() {

	180 return base::RandBytesAsString(kEntropyInputSize);

	181 }

	182

	183 ByteVector HmacByteVectorGenerator::GetRandomByteVector() {

	184 const size_t digest_length = hmac_.DigestLength();

	185 DCHECK_EQ(value_.size(), digest_length);

	186 ByteVector bytes(byte_count());

	187 uint8_t* data = &bytes[0];

	188 size_t bytes_to_go = byte_count();

	189 while (bytes_to_go > 0) {

	190 size_t requested_byte_in_digest = generated_bytes_ % digest_length;

	191 if (requested_byte_in_digest == 0) {

	192 // Do step 4.1 of the HMAC_DRBG Generate Process for more bits.

	193 // V = HMAC(Key, V)

	194 if (!HMAC_Rehash(hmac_, &value_))

	195 NOTREACHED();

	196 }

	197 size_t n = std::min(bytes_to_go,

	198 digest_length - requested_byte_in_digest);

	199 memcpy(data, &value_[requested_byte_in_digest], n);

	200 data += n;

	201 bytes_to_go -= n;

	202 generated_bytes_ += n;

	203 // Check max_number_of_bits_per_request from 10.1 Table 2

	204 // max_number_of_bits_per_request == 2^19 bits == 2^16 bytes

	205 DCHECK_LT(generated_bytes_, 1U << 16);

	206 }

	207 return bytes;

	208 }

	209

	210 } // namespace rappor

OLD	NEW