OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "components/rappor/byte_vector_utils.h" | |
6 | |
7 #include <string> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/rand_util.h" | |
11 #include "base/strings/string_number_conversions.h" | |
12 #include "crypto/random.h" | |
13 | |
14 namespace rappor { | |
15 | |
16 namespace { | |
17 | |
18 // Reinterpets a ByteVector as a StringPiece. | |
19 base::StringPiece ByteVectorAsStringPiece(const ByteVector& lhs) { | |
20 return base::StringPiece(reinterpret_cast<const char *>(&lhs[0]), lhs.size()); | |
Ilya Sherman
2014/02/13 23:23:08
So, reinterpret_cast is generally not safe. The o
Steven Holte
2014/02/14 02:53:29
The whole point of making this function was to avo
Ilya Sherman
2014/02/14 05:23:09
Hmm, alright, I'm convinced. Seems I need to brus
| |
21 } | |
22 | |
23 // Concatenates parameters together as a string. | |
24 std::string Concat(const ByteVector& value, char c, const std::string& data) { | |
25 return std::string(value.begin(), value.end()) + c + data; | |
26 } | |
27 | |
28 // Performs the operation: K = HMAC(K, data) | |
29 // The input "K" is passed by initializing |hmac| with it. | |
30 // The output "K" is returned by initializing |result| with it. | |
31 // Returns false on an error. | |
32 bool HMAC_Rotate(const crypto::HMAC& hmac, | |
33 const std::string& data, | |
34 crypto::HMAC* result) { | |
35 ByteVector key(hmac.DigestLength()); | |
36 if (!hmac.Sign(data, &key[0], key.size())) | |
37 return false; | |
38 return result->Init(ByteVectorAsStringPiece(key)); | |
39 } | |
40 | |
41 // Performs the operation: V = HMAC(K, V) | |
42 // The input "K" is passed by initializing |hmac| with it. | |
43 // "V" is read from and written to |value|. | |
44 // Returns false on an error. | |
45 bool HMAC_Rehash(const crypto::HMAC& hmac, ByteVector* value) { | |
46 return hmac.Sign(ByteVectorAsStringPiece(*value), | |
47 &(*value)[0], value->size()); | |
48 } | |
49 | |
50 // Implements (Key, V) = HMAC_DRBG_Update(provided_data, Key, V) | |
51 // "V" is read from and written to |value|. | |
52 // The input "Key" is passed by initializing |hmac1| with it. | |
53 // The output "Key" is returned by initializing |out_hmac| with it. | |
54 // Returns false on an error. | |
55 bool HMAC_DRBG_Update(const std::string& provided_data, | |
56 const crypto::HMAC& hmac1, | |
57 ByteVector* value, | |
58 crypto::HMAC* out_hmac) { | |
59 // HMAC_DRBG Update Process | |
60 crypto::HMAC temp_hmac(crypto::HMAC::SHA256); | |
61 crypto::HMAC* hmac2 = provided_data.size() > 0 ? &temp_hmac : out_hmac; | |
62 // 1. K = HMAC(K, V || 0x00 || provided_data) | |
63 if (!HMAC_Rotate(hmac1, Concat(*value, 0x00, provided_data), hmac2)) | |
64 return false; | |
65 // 2. V = HMAC(K, V) | |
66 if (!HMAC_Rehash(*hmac2, value)) | |
67 return false; | |
68 // 3. If (provided_data = Null), then return K and V. | |
69 if (hmac2 == out_hmac) | |
70 return true; | |
71 // 4. K = HMAC(K, V || 0x01 || provided_data) | |
72 if (!HMAC_Rotate(*hmac2, Concat(*value, 0x01, provided_data), out_hmac)) | |
73 return false; | |
74 // 5. V = HMAC(K, V) | |
75 return HMAC_Rehash(*out_hmac, value); | |
76 } | |
77 | |
78 } // namespace | |
79 | |
80 ByteVector* ByteVectorOr(const ByteVector& lhs, ByteVector* rhs) { | |
81 DCHECK_EQ(lhs.size(), rhs->size()); | |
82 for (size_t i = 0, len = lhs.size(); i < len; ++i) { | |
83 (*rhs)[i] = lhs[i] | (*rhs)[i]; | |
84 } | |
85 return rhs; | |
86 } | |
87 | |
88 ByteVector* ByteVectorMerge(const ByteVector& mask, | |
89 const ByteVector& lhs, | |
90 ByteVector* rhs) { | |
91 DCHECK_EQ(lhs.size(), rhs->size()); | |
92 for (size_t i = 0, len = lhs.size(); i < len; ++i) { | |
93 (*rhs)[i] = (lhs[i] & ~mask[i]) | ((*rhs)[i] & mask[i]); | |
94 } | |
95 return rhs; | |
96 } | |
97 | |
98 int CountBits(const ByteVector& vector) { | |
99 int bit_count = 0; | |
100 for (size_t i = 0; i < vector.size(); ++i) { | |
101 uint8_t byte = vector[i]; | |
102 for (int j = 0; j < 8 ; ++j) { | |
103 if (byte & (1 << j)) | |
104 bit_count++; | |
105 } | |
106 } | |
107 return bit_count; | |
108 } | |
109 | |
110 ByteVectorGenerator::ByteVectorGenerator(size_t byte_count) | |
111 : byte_count_(byte_count) {} | |
112 | |
113 ByteVectorGenerator::~ByteVectorGenerator() {} | |
114 | |
115 ByteVector ByteVectorGenerator::GetRandomByteVector() { | |
116 ByteVector bytes(byte_count_); | |
117 crypto::RandBytes(&bytes[0], bytes.size()); | |
118 return bytes; | |
119 } | |
120 | |
121 ByteVector ByteVectorGenerator::GetWeightedRandomByteVector( | |
122 Probability probability) { | |
123 ByteVector bytes = GetRandomByteVector(); | |
124 switch (probability) { | |
125 case PROBABILITY_75: | |
126 return *ByteVectorOr(GetRandomByteVector(), &bytes); | |
127 case PROBABILITY_50: | |
128 return bytes; | |
129 } | |
130 NOTREACHED(); | |
131 return bytes; | |
132 } | |
133 | |
134 HmacByteVectorGenerator::HmacByteVectorGenerator( | |
135 size_t byte_count, | |
136 const std::string& entropy_input, | |
137 const std::string& personalization_string) | |
138 : ByteVectorGenerator(byte_count), | |
139 hmac_(crypto::HMAC::SHA256), | |
140 value_(hmac_.DigestLength(), 0x01), | |
141 generated_bytes_(0) { | |
142 // HMAC_DRBG Instantiate Process | |
143 // 1. seed_material = entropy_input + nonce + personalization_string | |
144 // Note: We are using the 8.6.7 interpretation, where the entropy_input and | |
145 // nonce are acquired at the same time from the same source. | |
146 DCHECK_EQ(kEntropyInputSize, entropy_input.size()); | |
147 std::string seed_material(entropy_input + personalization_string); | |
148 // 2. Key = 0x00 00...00 | |
149 crypto::HMAC hmac1(crypto::HMAC::SHA256); | |
150 if (!hmac1.Init(std::string(hmac_.DigestLength(), 0x00))) | |
151 NOTREACHED(); | |
152 // 3. V = 0x01 01...01 | |
153 // (value_ in initializer list) | |
154 | |
155 // 4. (Key, V) = HMAC_DRBG_Update(seed_material, Key, V) | |
156 if (!HMAC_DRBG_Update(seed_material, hmac1, &value_, &hmac_)) | |
157 NOTREACHED(); | |
158 } | |
159 | |
160 HmacByteVectorGenerator::~HmacByteVectorGenerator() {} | |
161 | |
162 HmacByteVectorGenerator::HmacByteVectorGenerator( | |
163 const HmacByteVectorGenerator& prev_request) | |
164 : ByteVectorGenerator(prev_request.byte_count()), | |
165 hmac_(crypto::HMAC::SHA256), | |
166 value_(prev_request.value_), | |
167 generated_bytes_(0) { | |
168 if (!HMAC_DRBG_Update("", prev_request.hmac_, &value_, &hmac_)) | |
169 NOTREACHED(); | |
170 } | |
171 | |
172 // HMAC_DRBG requires entropy input to be security_strength bits long, | |
173 // and nonce to be at least 1/2 security_strength bits long. We | |
174 // generate them both as a single "extra strong" entropy input. | |
175 // max_security_strength for SHA256 is 256 bits. | |
176 const size_t HmacByteVectorGenerator::kEntropyInputSize = (256 / 8) * 3 / 2; | |
177 | |
178 // static | |
179 std::string HmacByteVectorGenerator::GenerateEntropyInput() { | |
180 return base::RandBytesAsString(kEntropyInputSize); | |
181 } | |
182 | |
183 ByteVector HmacByteVectorGenerator::GetRandomByteVector() { | |
184 const size_t digest_length = hmac_.DigestLength(); | |
185 DCHECK_EQ(value_.size(), digest_length); | |
186 ByteVector bytes(byte_count()); | |
187 uint8_t* data = &bytes[0]; | |
188 size_t bytes_to_go = byte_count(); | |
189 while (bytes_to_go > 0) { | |
190 size_t requested_byte_in_digest = generated_bytes_ % digest_length; | |
191 if (requested_byte_in_digest == 0) { | |
192 // Do step 4.1 of the HMAC_DRBG Generate Process for more bits. | |
193 // V = HMAC(Key, V) | |
194 if (!HMAC_Rehash(hmac_, &value_)) | |
195 NOTREACHED(); | |
196 } | |
197 size_t n = std::min(bytes_to_go, | |
198 digest_length - requested_byte_in_digest); | |
199 memcpy(data, &value_[requested_byte_in_digest], n); | |
200 data += n; | |
201 bytes_to_go -= n; | |
202 generated_bytes_ += n; | |
203 // Check max_number_of_bits_per_request from 10.1 Table 2 | |
204 // max_number_of_bits_per_request == 2^19 bits == 2^16 bytes | |
205 DCHECK_LT(generated_bytes_, 1U << 16); | |
206 } | |
207 return bytes; | |
208 } | |
209 | |
210 } // namespace rappor | |
OLD | NEW |