]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/fsprg.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2618 from zonque/busproxy-removal
[thirdparty/systemd.git] / src / journal / fsprg.c
1 /*
2 * fsprg v0.1 - (seekable) forward-secure pseudorandom generator
3 * Copyright (C) 2012 B. Poettering
4 * Contact: fsprg@point-at-infinity.org
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19 * 02110-1301 USA
20 */
21
22 /*
23 * See "Practical Secure Logging: Seekable Sequential Key Generators"
24 * by G. A. Marson, B. Poettering for details:
25 *
26 * http://eprint.iacr.org/2013/397
27 */
28
29 #include <gcrypt.h>
30 #include <string.h>
31
32 #include "fsprg.h"
33 #include "gcrypt-util.h"
34
35 #define ISVALID_SECPAR(secpar) (((secpar) % 16 == 0) && ((secpar) >= 16) && ((secpar) <= 16384))
36 #define VALIDATE_SECPAR(secpar) assert(ISVALID_SECPAR(secpar));
37
38 #define RND_HASH GCRY_MD_SHA256
39 #define RND_GEN_P 0x01
40 #define RND_GEN_Q 0x02
41 #define RND_GEN_X 0x03
42
43 /******************************************************************************/
44
45 static void mpi_export(void *buf, size_t buflen, const gcry_mpi_t x) {
46 unsigned len;
47 size_t nwritten;
48
49 assert(gcry_mpi_cmp_ui(x, 0) >= 0);
50 len = (gcry_mpi_get_nbits(x) + 7) / 8;
51 assert(len <= buflen);
52 memzero(buf, buflen);
53 gcry_mpi_print(GCRYMPI_FMT_USG, buf + (buflen - len), len, &nwritten, x);
54 assert(nwritten == len);
55 }
56
57 static gcry_mpi_t mpi_import(const void *buf, size_t buflen) {
58 gcry_mpi_t h;
59 unsigned len;
60
61 gcry_mpi_scan(&h, GCRYMPI_FMT_USG, buf, buflen, NULL);
62 len = (gcry_mpi_get_nbits(h) + 7) / 8;
63 assert(len <= buflen);
64 assert(gcry_mpi_cmp_ui(h, 0) >= 0);
65
66 return h;
67 }
68
69 static void uint64_export(void *buf, size_t buflen, uint64_t x) {
70 assert(buflen == 8);
71 ((uint8_t*) buf)[0] = (x >> 56) & 0xff;
72 ((uint8_t*) buf)[1] = (x >> 48) & 0xff;
73 ((uint8_t*) buf)[2] = (x >> 40) & 0xff;
74 ((uint8_t*) buf)[3] = (x >> 32) & 0xff;
75 ((uint8_t*) buf)[4] = (x >> 24) & 0xff;
76 ((uint8_t*) buf)[5] = (x >> 16) & 0xff;
77 ((uint8_t*) buf)[6] = (x >> 8) & 0xff;
78 ((uint8_t*) buf)[7] = (x >> 0) & 0xff;
79 }
80
81 _pure_ static uint64_t uint64_import(const void *buf, size_t buflen) {
82 assert(buflen == 8);
83 return
84 (uint64_t)(((uint8_t*) buf)[0]) << 56 |
85 (uint64_t)(((uint8_t*) buf)[1]) << 48 |
86 (uint64_t)(((uint8_t*) buf)[2]) << 40 |
87 (uint64_t)(((uint8_t*) buf)[3]) << 32 |
88 (uint64_t)(((uint8_t*) buf)[4]) << 24 |
89 (uint64_t)(((uint8_t*) buf)[5]) << 16 |
90 (uint64_t)(((uint8_t*) buf)[6]) << 8 |
91 (uint64_t)(((uint8_t*) buf)[7]) << 0;
92 }
93
94 /* deterministically generate from seed/idx a string of buflen pseudorandom bytes */
95 static void det_randomize(void *buf, size_t buflen, const void *seed, size_t seedlen, uint32_t idx) {
96 gcry_md_hd_t hd, hd2;
97 size_t olen, cpylen;
98 uint32_t ctr;
99
100 olen = gcry_md_get_algo_dlen(RND_HASH);
101 gcry_md_open(&hd, RND_HASH, 0);
102 gcry_md_write(hd, seed, seedlen);
103 gcry_md_putc(hd, (idx >> 24) & 0xff);
104 gcry_md_putc(hd, (idx >> 16) & 0xff);
105 gcry_md_putc(hd, (idx >> 8) & 0xff);
106 gcry_md_putc(hd, (idx >> 0) & 0xff);
107
108 for (ctr = 0; buflen; ctr++) {
109 gcry_md_copy(&hd2, hd);
110 gcry_md_putc(hd2, (ctr >> 24) & 0xff);
111 gcry_md_putc(hd2, (ctr >> 16) & 0xff);
112 gcry_md_putc(hd2, (ctr >> 8) & 0xff);
113 gcry_md_putc(hd2, (ctr >> 0) & 0xff);
114 gcry_md_final(hd2);
115 cpylen = (buflen < olen) ? buflen : olen;
116 memcpy(buf, gcry_md_read(hd2, RND_HASH), cpylen);
117 gcry_md_close(hd2);
118 buf += cpylen;
119 buflen -= cpylen;
120 }
121 gcry_md_close(hd);
122 }
123
124 /* deterministically generate from seed/idx a prime of length `bits' that is 3 (mod 4) */
125 static gcry_mpi_t genprime3mod4(int bits, const void *seed, size_t seedlen, uint32_t idx) {
126 size_t buflen = bits / 8;
127 uint8_t buf[buflen];
128 gcry_mpi_t p;
129
130 assert(bits % 8 == 0);
131 assert(buflen > 0);
132
133 det_randomize(buf, buflen, seed, seedlen, idx);
134 buf[0] |= 0xc0; /* set upper two bits, so that n=pq has maximum size */
135 buf[buflen - 1] |= 0x03; /* set lower two bits, to have result 3 (mod 4) */
136
137 p = mpi_import(buf, buflen);
138 while (gcry_prime_check(p, 0))
139 gcry_mpi_add_ui(p, p, 4);
140
141 return p;
142 }
143
144 /* deterministically generate from seed/idx a quadratic residue (mod n) */
145 static gcry_mpi_t gensquare(const gcry_mpi_t n, const void *seed, size_t seedlen, uint32_t idx, unsigned secpar) {
146 size_t buflen = secpar / 8;
147 uint8_t buf[buflen];
148 gcry_mpi_t x;
149
150 det_randomize(buf, buflen, seed, seedlen, idx);
151 buf[0] &= 0x7f; /* clear upper bit, so that we have x < n */
152 x = mpi_import(buf, buflen);
153 assert(gcry_mpi_cmp(x, n) < 0);
154 gcry_mpi_mulm(x, x, x, n);
155 return x;
156 }
157
158 /* compute 2^m (mod phi(p)), for a prime p */
159 static gcry_mpi_t twopowmodphi(uint64_t m, const gcry_mpi_t p) {
160 gcry_mpi_t phi, r;
161 int n;
162
163 phi = gcry_mpi_new(0);
164 gcry_mpi_sub_ui(phi, p, 1);
165
166 /* count number of used bits in m */
167 for (n = 0; (1ULL << n) <= m; n++)
168 ;
169
170 r = gcry_mpi_new(0);
171 gcry_mpi_set_ui(r, 1);
172 while (n) { /* square and multiply algorithm for fast exponentiation */
173 n--;
174 gcry_mpi_mulm(r, r, r, phi);
175 if (m & ((uint64_t)1 << n)) {
176 gcry_mpi_add(r, r, r);
177 if (gcry_mpi_cmp(r, phi) >= 0)
178 gcry_mpi_sub(r, r, phi);
179 }
180 }
181
182 gcry_mpi_release(phi);
183 return r;
184 }
185
186 /* Decompose $x \in Z_n$ into $(xp,xq) \in Z_p \times Z_q$ using Chinese Remainder Theorem */
187 static void CRT_decompose(gcry_mpi_t *xp, gcry_mpi_t *xq, const gcry_mpi_t x, const gcry_mpi_t p, const gcry_mpi_t q) {
188 *xp = gcry_mpi_new(0);
189 *xq = gcry_mpi_new(0);
190 gcry_mpi_mod(*xp, x, p);
191 gcry_mpi_mod(*xq, x, q);
192 }
193
194 /* Compose $(xp,xq) \in Z_p \times Z_q$ into $x \in Z_n$ using Chinese Remainder Theorem */
195 static void CRT_compose(gcry_mpi_t *x, const gcry_mpi_t xp, const gcry_mpi_t xq, const gcry_mpi_t p, const gcry_mpi_t q) {
196 gcry_mpi_t a, u;
197
198 a = gcry_mpi_new(0);
199 u = gcry_mpi_new(0);
200 *x = gcry_mpi_new(0);
201 gcry_mpi_subm(a, xq, xp, q);
202 gcry_mpi_invm(u, p, q);
203 gcry_mpi_mulm(a, a, u, q); /* a = (xq - xp) / p (mod q) */
204 gcry_mpi_mul(*x, p, a);
205 gcry_mpi_add(*x, *x, xp); /* x = p * ((xq - xp) / p mod q) + xp */
206 gcry_mpi_release(a);
207 gcry_mpi_release(u);
208 }
209
210 /******************************************************************************/
211
212 size_t FSPRG_mskinbytes(unsigned _secpar) {
213 VALIDATE_SECPAR(_secpar);
214 return 2 + 2 * (_secpar / 2) / 8; /* to store header,p,q */
215 }
216
217 size_t FSPRG_mpkinbytes(unsigned _secpar) {
218 VALIDATE_SECPAR(_secpar);
219 return 2 + _secpar / 8; /* to store header,n */
220 }
221
222 size_t FSPRG_stateinbytes(unsigned _secpar) {
223 VALIDATE_SECPAR(_secpar);
224 return 2 + 2 * _secpar / 8 + 8; /* to store header,n,x,epoch */
225 }
226
227 static void store_secpar(void *buf, uint16_t secpar) {
228 secpar = secpar / 16 - 1;
229 ((uint8_t*) buf)[0] = (secpar >> 8) & 0xff;
230 ((uint8_t*) buf)[1] = (secpar >> 0) & 0xff;
231 }
232
233 static uint16_t read_secpar(const void *buf) {
234 uint16_t secpar;
235 secpar =
236 (uint16_t)(((uint8_t*) buf)[0]) << 8 |
237 (uint16_t)(((uint8_t*) buf)[1]) << 0;
238 return 16 * (secpar + 1);
239 }
240
241 void FSPRG_GenMK(void *msk, void *mpk, const void *seed, size_t seedlen, unsigned _secpar) {
242 uint8_t iseed[FSPRG_RECOMMENDED_SEEDLEN];
243 gcry_mpi_t n, p, q;
244 uint16_t secpar;
245
246 VALIDATE_SECPAR(_secpar);
247 secpar = _secpar;
248
249 initialize_libgcrypt(false);
250
251 if (!seed) {
252 gcry_randomize(iseed, FSPRG_RECOMMENDED_SEEDLEN, GCRY_STRONG_RANDOM);
253 seed = iseed;
254 seedlen = FSPRG_RECOMMENDED_SEEDLEN;
255 }
256
257 p = genprime3mod4(secpar / 2, seed, seedlen, RND_GEN_P);
258 q = genprime3mod4(secpar / 2, seed, seedlen, RND_GEN_Q);
259
260 if (msk) {
261 store_secpar(msk + 0, secpar);
262 mpi_export(msk + 2 + 0 * (secpar / 2) / 8, (secpar / 2) / 8, p);
263 mpi_export(msk + 2 + 1 * (secpar / 2) / 8, (secpar / 2) / 8, q);
264 }
265
266 if (mpk) {
267 n = gcry_mpi_new(0);
268 gcry_mpi_mul(n, p, q);
269 assert(gcry_mpi_get_nbits(n) == secpar);
270
271 store_secpar(mpk + 0, secpar);
272 mpi_export(mpk + 2, secpar / 8, n);
273
274 gcry_mpi_release(n);
275 }
276
277 gcry_mpi_release(p);
278 gcry_mpi_release(q);
279 }
280
281 void FSPRG_GenState0(void *state, const void *mpk, const void *seed, size_t seedlen) {
282 gcry_mpi_t n, x;
283 uint16_t secpar;
284
285 initialize_libgcrypt(false);
286
287 secpar = read_secpar(mpk + 0);
288 n = mpi_import(mpk + 2, secpar / 8);
289 x = gensquare(n, seed, seedlen, RND_GEN_X, secpar);
290
291 memcpy(state, mpk, 2 + secpar / 8);
292 mpi_export(state + 2 + 1 * secpar / 8, secpar / 8, x);
293 memzero(state + 2 + 2 * secpar / 8, 8);
294
295 gcry_mpi_release(n);
296 gcry_mpi_release(x);
297 }
298
299 void FSPRG_Evolve(void *state) {
300 gcry_mpi_t n, x;
301 uint16_t secpar;
302 uint64_t epoch;
303
304 initialize_libgcrypt(false);
305
306 secpar = read_secpar(state + 0);
307 n = mpi_import(state + 2 + 0 * secpar / 8, secpar / 8);
308 x = mpi_import(state + 2 + 1 * secpar / 8, secpar / 8);
309 epoch = uint64_import(state + 2 + 2 * secpar / 8, 8);
310
311 gcry_mpi_mulm(x, x, x, n);
312 epoch++;
313
314 mpi_export(state + 2 + 1 * secpar / 8, secpar / 8, x);
315 uint64_export(state + 2 + 2 * secpar / 8, 8, epoch);
316
317 gcry_mpi_release(n);
318 gcry_mpi_release(x);
319 }
320
321 uint64_t FSPRG_GetEpoch(const void *state) {
322 uint16_t secpar;
323 secpar = read_secpar(state + 0);
324 return uint64_import(state + 2 + 2 * secpar / 8, 8);
325 }
326
327 void FSPRG_Seek(void *state, uint64_t epoch, const void *msk, const void *seed, size_t seedlen) {
328 gcry_mpi_t p, q, n, x, xp, xq, kp, kq, xm;
329 uint16_t secpar;
330
331 initialize_libgcrypt(false);
332
333 secpar = read_secpar(msk + 0);
334 p = mpi_import(msk + 2 + 0 * (secpar / 2) / 8, (secpar / 2) / 8);
335 q = mpi_import(msk + 2 + 1 * (secpar / 2) / 8, (secpar / 2) / 8);
336
337 n = gcry_mpi_new(0);
338 gcry_mpi_mul(n, p, q);
339
340 x = gensquare(n, seed, seedlen, RND_GEN_X, secpar);
341 CRT_decompose(&xp, &xq, x, p, q); /* split (mod n) into (mod p) and (mod q) using CRT */
342
343 kp = twopowmodphi(epoch, p); /* compute 2^epoch (mod phi(p)) */
344 kq = twopowmodphi(epoch, q); /* compute 2^epoch (mod phi(q)) */
345
346 gcry_mpi_powm(xp, xp, kp, p); /* compute x^(2^epoch) (mod p) */
347 gcry_mpi_powm(xq, xq, kq, q); /* compute x^(2^epoch) (mod q) */
348
349 CRT_compose(&xm, xp, xq, p, q); /* combine (mod p) and (mod q) to (mod n) using CRT */
350
351 store_secpar(state + 0, secpar);
352 mpi_export(state + 2 + 0 * secpar / 8, secpar / 8, n);
353 mpi_export(state + 2 + 1 * secpar / 8, secpar / 8, xm);
354 uint64_export(state + 2 + 2 * secpar / 8, 8, epoch);
355
356 gcry_mpi_release(p);
357 gcry_mpi_release(q);
358 gcry_mpi_release(n);
359 gcry_mpi_release(x);
360 gcry_mpi_release(xp);
361 gcry_mpi_release(xq);
362 gcry_mpi_release(kp);
363 gcry_mpi_release(kq);
364 gcry_mpi_release(xm);
365 }
366
367 void FSPRG_GetKey(const void *state, void *key, size_t keylen, uint32_t idx) {
368 uint16_t secpar;
369
370 initialize_libgcrypt(false);
371
372 secpar = read_secpar(state + 0);
373 det_randomize(key, keylen, state + 2, 2 * secpar / 8 + 8, idx);
374 }
Unnamed repository; edit this file 'description' to name the repository.