secretsharing 1.0.0 → 2.0.1

data/gemfiles/Gemfile.ci

@@ -5,3 +5,5 @@ gem 'rake'
 gem 'minitest'
 gem 'highline'
 gem 'mocha'
+gem 'rbnacl-libsodium'
+gem 'rbnacl'

data/lib/secretsharing.rb

@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'openssl'
-require 'digest/sha1'
+require 'rbnacl/libsodium'
+require 'rbnacl'
 require 'base64'
 require 'multi_json'
 

data/lib/secretsharing/shamir.rb

@@ -17,39 +17,127 @@
 module SecretSharing
   # Module for common methods shared across Container, Secret, or Share
   module Shamir
-    # FIXME : Needs focused tests
-    # Creates a random number of a certain bitlength, optionally ensuring
-    # the bitlength by setting the highest bit to 1.
-    def get_random_number(bitlength)
-      byte_length = (bitlength / 8.0).ceil
-      rand_hex    = OpenSSL::Random.random_bytes(byte_length).each_byte.to_a.map { |a| sprintf('%02x', a) }.join('')
-      rand        = OpenSSL::BN.new(rand_hex, 16)
-
-      begin
-        rand.mask_bits!(bitlength)
-      rescue OpenSSL::BNError
-        # never mind if there was an error, this just means
-        # rand was already smaller than 2^bitlength - 1
+    # Create a random number of a specified Byte length
+    # returns Bignum
+    def get_random_number(bytes)
+      RbNaCl::Util.bin2hex(RbNaCl::Random.random_bytes(bytes).to_s).to_i(16)
+    end
+
+    # Creates a random number of a exact bitlength
+    # returns Bignum
+    def get_random_number_with_bitlength(bits)
+      byte_length = (bits / 8.0).ceil + 10
+      random_num = get_random_number(byte_length)
+      random_num_bin_str = random_num.to_s(2) # Get 1's and 0's
+
+      # Slice off only the bits we require, convert Bits to Numeric (Bignum)
+      random_num_bin_str.slice(0, bits).to_i(2)
+    end
+
+    # Supports #miller_rabin_prime?
+    def mod_exp(n, e, mod)
+      fail ArgumentError, 'negative exponent' if e < 0
+      prod = 1
+      base = n % mod
+
+      until e.zero?
+        prod = (prod * base) % mod if e.odd?
+        e >>= 1
+        base = (base * base) % mod
       end
 
-      rand.set_bit!(bitlength)
-      rand
+      prod
+    end
+
+    # An implementation of the miller-rabin primality test.
+    # See : http://primes.utm.edu/prove/merged.html
+    # See : http://rosettacode.org/wiki/Miller-Rabin_primality_test#Ruby
+    # See : https://crypto.stackexchange.com/questions/71/how-can-i-generate-large-prime-numbers-for-rsa
+    # See : https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test
+    #
+    # Example : p primes = (3..1000).step(2).find_all {|i| miller_rabin_prime?(i,10)}
+    def miller_rabin_prime?(n, g = 1000)
+      return false if n == 1
+      return true if n == 2
+
+      d = n - 1
+      s = 0
+
+      while d.even?
+        d /= 2
+        s += 1
+      end
+
+      g.times do
+        a = 2 + rand(n - 4)
+        x = mod_exp(a, d, n) # x = (a**d) % n
+        next if x == 1 || x == n - 1
+        (1..s - 1).each do
+          x = mod_exp(x, 2, n) # x = (x**2) % n
+          return false if x == 1
+          break if x == n - 1
+        end
+        return false if x != n - 1
+      end
+
+      true # probably
+    end
+
+    # Finds a random prime number of *at least* bitlength
+    # Validate primeness using the miller-rabin primality test.
+    # Increment through odd numbers to test candidates until a good prime is found.
+    def get_prime_number(bitlength)
+      prime_cand = get_random_number_with_bitlength(bitlength + 1)
+      prime_cand += 1 if prime_cand.even?
+
+      # loop, adding 2 to keep it odd, until prime_cand is prime.
+      (prime_cand += 2) until miller_rabin_prime?(prime_cand)
+
+      prime_cand
     end
 
     # FIXME : Needs focused tests
 
     # Evaluate the polynomial at x.
     def evaluate_polynomial_at(x, coefficients, prime)
-      result = OpenSSL::BN.new('0')
+      result = 0
 
       coefficients.each_with_index do |c, i|
-        result += c * OpenSSL::BN.new(x.to_s)**i
+        result += c * (x**i)
         result %= prime
       end
 
       result
     end
 
+    def extended_gcd(a, b)
+      last_remainder = a.abs
+      remainder      = b.abs
+      x              = 0
+      last_x         = 1
+      y              = 1
+      last_y         = 0
+
+      until remainder.zero?
+        # rubocop:disable Style/ParallelAssignment
+        last_remainder, (quotient, remainder) = remainder, last_remainder.divmod(remainder)
+        x, last_x = last_x - quotient * x, x
+        y, last_y = last_y - quotient * y, y
+        # rubocop:enable Style/ParallelAssignment
+      end
+
+      [last_remainder, last_x * (a < 0 ? -1 : 1)]
+    end
+
+    # Calculate the Modular Inverse.
+    # See : http://rosettacode.org/wiki/Modular_inverse#Ruby
+    # Based on pseudo code from http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm#Iterative_method_2
+    def invmod(e, et)
+      g, x = extended_gcd(e, et)
+      fail ArgumentError, 'Teh maths are broken!' if g != 1
+      x % et
+    end
+
     # FIXME : Needs focused tests
 
     # Part of the Lagrange interpolation.
@@ -62,35 +150,14 @@ module SecretSharing
       other_shares = shares.reject { |s| s.x == x }
 
       results = other_shares.map do |s|
-        minus_xi = OpenSSL::BN.new("#{-s.x}")
-        one_over_xj_minus_xi = OpenSSL::BN.new("#{x - s.x}").mod_inverse(prime)
-        minus_xi.mod_mul(one_over_xj_minus_xi, prime)
-      end
-
-      results.reduce { |a, e| a.mod_mul(e, prime) }
-    end
-
-    # FIXME : Needs focused tests
-
-    # Backported for Ruby 1.8.7, REE, JRuby, Rubinious
-    def usafe_decode64(str)
-      str = str.strip
-      return Base64.urlsafe_decode64(str) if Base64.respond_to?(:urlsafe_decode64)
-
-      if str.include?('\n')
-        fail(ArgumentError, 'invalid base64')
-      else
-        Base64.decode64(str)
+        minus_xi = -s.x
+        # was OpenSSL::BN#mod_inverse
+        one_over_xj_minus_xi = invmod(x - s.x, prime)
+        # was OpenSSL::BN#mod_mul : (self * other) % m
+        (minus_xi * one_over_xj_minus_xi) % prime
       end
-    end
-
-    # FIXME : Needs focused tests
 
-    # Backported for Ruby 1.8.7, REE, JRuby, Rubinious
-    def usafe_encode64(bin)
-      bin = bin.strip
-      return Base64.urlsafe_encode64(bin) if Base64.respond_to?(:urlsafe_encode64)
-      Base64.encode64(bin).tr("\n", '')
+      results.reduce { |a, e| (a * e) % prime }
     end
   end # module Shamir
 end # module SecretSharing

data/lib/secretsharing/shamir/secret.rb

@@ -21,14 +21,13 @@ module SecretSharing
     # argument when creating a new SecretSharing::Shamir::Container or
     # can be the output from a Container that has successfully decoded shares.
     # A new Secret take 0 or 1 args. Zero args means the Secret will be initialized
-    # with a random OpenSSL::BN object with the Secret::DEFAULT_BITLENGTH. If a
-    # single argument is passed it can be one of two object types, String or
-    # OpenSSL::BN.  If a String it is expected to be a specially encoded String
+    # with a random Numeric object with the Secret::DEFAULT_BITLENGTH. If a
+    # single argument is passed it can be a String, or Integer.
+    # If its a String, its expected to be of a special encoding
     # that was generated as the output of calling #to_s on another Secret object.
-    # If the object type is OpenSSL::BN it can represent a number up to 4096 num_bits
-    # in length as reported by OpenSSL::BN#num_bits.
+    # If the object type is an Integer it can be up to 4096 bits in length.
     #
-    # All secrets are internally represented as an OpenSSL::BN which can be retrieved
+    # All secrets are internally represented as a Numeric which can be retrieved
     # in its raw form using #secret.
     #
     class Secret
@@ -38,13 +37,15 @@ module SecretSharing
 
       MAX_BITLENGTH = 4096
 
-      attr_accessor :secret, :bitlength, :hmac
+      attr_accessor :bitlength, :hmac
+      attr_reader :secret
 
       # FIXME : allow instantiating a secret with any random number bitlength you choose.
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def initialize(opts = {})
         opts = {
-          :secret => get_random_number(256)
+          :secret => get_random_number(32) # 32 Bytes, 256 Bits
         }.merge!(opts)
 
         # override with options
@@ -57,27 +58,39 @@ module SecretSharing
         end
 
         # FIXME : Do we really need the ability for a String arg to re-instantiate a Secret?
-        # FIXME : If its a String, shouldn't it be able to be an arbitrary String converted to/from OpenSSL::BN?
+        # FIXME : If its a String, shouldn't it be able to be an arbitrary String converted to/from a Number?
 
         if opts[:secret].is_a?(String)
-          # Decode a Base64.urlsafe_encode64 String which contains a Base 36 encoded Bignum back into an OpenSSL::BN
+          # Decode a Base64.urlsafe_encode64 String which contains a Base 36 encoded Bignum back into a Bignum
           # See : Secret#to_s for forward encoding method.
-          decoded_secret = usafe_decode64(opts[:secret])
-          fail ArgumentError, 'invalid base64 (returned nil or empty String)' if decoded_secret.empty?
-          @secret = OpenSSL::BN.new(decoded_secret.to_i(36).to_s)
+          stripped_secret = opts[:secret].strip
+          fail ArgumentError, 'invalid secret (empty String)' if stripped_secret.empty?
+          decoded_secret = Base64.urlsafe_decode64(stripped_secret)
+          fail ArgumentError, 'invalid secret (base64 decode returned nil or empty String)' if decoded_secret.empty?
+          int_secret = decoded_secret.to_i(36)
+          fail ArgumentError, 'invalid secret (not an Integer)' unless int_secret.is_a?(Integer)
+          fail ArgumentError, 'invalid secret (Integer bit length < 100)' unless int_secret.bit_length > 100
+          @secret = int_secret
         end
 
         @secret = opts[:secret] if @secret.nil?
-        fail ArgumentError, "Secret must be an OpenSSL::BN, not a '#{@secret.class}'" unless @secret.is_a?(OpenSSL::BN)
-        @bitlength = @secret.num_bits
+        fail ArgumentError, "Secret must be an Integer, not a '#{@secret.class}'" unless @secret.is_a?(Integer)
+
+        # Get the number of binary bits in this secret's value.
+        @bitlength = @secret.bit_length
+
         fail ArgumentError, "Secret must have a bitlength less than or equal to #{MAX_BITLENGTH}" if @bitlength > MAX_BITLENGTH
 
         generate_hmac
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
-      # Secrets are equal if the OpenSSL::BN in @secret is the same.
+      # Secrets are equal if the Numeric in @secret is the same.
+      # Do secure constant-time comparison of the objects.
       def ==(other)
-        other == @secret
+        other_secret_hash = RbNaCl::Hash.blake2b(other.secret.to_s, digest_size: 32)
+        own_secret_hash   = RbNaCl::Hash.blake2b(@secret.to_s, digest_size: 32)
+        RbNaCl::Util.verify32(other_secret_hash, own_secret_hash)
       end
 
       # Set a new secret forces regeneration of the HMAC
@@ -87,36 +100,43 @@ module SecretSharing
       end
 
       def secret?
-        @secret.is_a?(OpenSSL::BN)
+        @secret.is_a?(Integer)
       end
 
       def to_s
-        # Convert the OpenSSL::BN secret to an Bignum which has a #to_s(36) method
         # Convert the Bignum to a Base 36 encoded String
         # Wrap the Base 36 encoded String as a URL safe Base 64 encoded String
         # Combined this should result in a relatively compact and portable String
-        usafe_encode64(@secret.to_i.to_s(36))
+        Base64.urlsafe_encode64(@secret.to_s(36))
       end
 
+      # See : generate_hmac
       def valid_hmac?
-        return false if !@secret.is_a?(OpenSSL::BN) || @hmac.to_s.empty? || @secret.to_s.empty?
-
-        hmac_key  = @secret.to_s
-        hmac_data = OpenSSL::Digest::SHA256.new(@secret.to_s).hexdigest
-
-        @hmac == OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, hmac_key, hmac_data)
+        return false if !@secret.is_a?(Integer) || @hmac.to_s.empty? || @secret.to_s.empty?
+        hash = RbNaCl::Hash.sha512(@secret.to_s)
+        key = hash[0, 32]
+        authenticator = RbNaCl::Util.hex2bin(@hmac)
+        msg = hash[33, 64]
+        begin
+          RbNaCl::HMAC::SHA256.verify(key, authenticator, msg)
+        rescue
+          false
+        end
       end
 
       private
 
-      # The HMAC uses the raw secret itself as the HMAC key, and the SHA256 of the secret as the data.
-      # This allows later regeneration of the HMAC to confirm that the restored secret is in fact
-      # identical to what was originally split into shares.
+      # SHA512 over @secret returns a 64 Byte array. Use the first 32 bytes
+      # as the HMAC key, and the last 32 bytes as the message.
+      #
+      # This will allow a point of comparison between the original secret that
+      # was split into shares, and the secret that was retrieved by combining shares.
       def generate_hmac
         return false if @secret.to_s.empty?
-        hmac_key  = @secret.to_s
-        hmac_data = OpenSSL::Digest::SHA256.new(@secret.to_s).hexdigest
-        @hmac     = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, hmac_key, hmac_data)
+        hash = RbNaCl::Hash.sha512(@secret.to_s)
+        key = hash[0, 32]
+        msg = hash[33, 64]
+        @hmac = RbNaCl::Util.bin2hex(RbNaCl::HMAC::SHA256.auth(key, msg))
       end
     end # class Secret
   end # module Shamir

data/lib/secretsharing/shamir/share.rb

@@ -54,19 +54,20 @@ module SecretSharing
         end
       end
 
+      # Do secure constant-time comparison of the objects.
       def ==(other)
-        other.to_s == to_s
+        other_share_hash = RbNaCl::Hash.blake2b(other.to_s, digest_size: 32)
+        own_share_hash   = RbNaCl::Hash.blake2b(to_s, digest_size: 32)
+        RbNaCl::Util.verify32(other_share_hash, own_share_hash)
       end
 
-      # FIXME : Add an HMAC which 'signs' all of the attributes of the hash and which gets verified on re-hydration to make sure
-      # that none of the attributes changed?
-
       def to_hash
         [:version, :hmac, :k, :n, :x, :y, :prime, :prime_bitlength].reduce({}) do |h, element|
           if [:hmac].include?(element)
+            # hmac value is a String
             h.merge(element => send(element))
           else
-            # everything else is an Integer/Bignum
+            # everything else can be coerced to an Integer
             h.merge(element => send(element).to_i)
           end
         end
@@ -77,7 +78,7 @@ module SecretSharing
       end
 
       def to_s
-        usafe_encode64(to_json)
+        Base64.urlsafe_encode64(to_json)
       end
 
       # Creates the shares by computing random coefficients for a polynomial
@@ -87,25 +88,23 @@ module SecretSharing
         coefficients          = []
         coefficients[0]       = secret.secret
 
-        # round up to next nibble
+        # compute random coefficients
+        (1..k - 1).each { |x| coefficients[x] = get_random_number_with_bitlength(secret.bitlength) }
+
+        # Round up to the next nibble (half-byte)
         next_nibble_bitlength = secret.bitlength + (4 - (secret.bitlength % 4))
         prime_bitlength       = next_nibble_bitlength + 1
-        prime                 = OpenSSL::BN.generate_prime(prime_bitlength)
-
-        # FIXME : Why does generate_prime always return 35879 for bitlength 1-15
-        # OpenSSL::BN::generate_prime(1).to_i
-        # => 35879
-        # Do we need to make sure that prime_bitlength is not shorter than 64 bits?
-        # See : https://www.mail-archive.com/openssl-dev@openssl.org/msg18835.html
-        # See : http://ardoino.com/2005/11/maths-openssl-primes-random/
-        # See : http://www.openssl.org/docs/apps/genrsa.html  "Therefore the number of bits should not be less that 64."
-
-        # compute random coefficients
-        (1..k - 1).each { |x| coefficients[x] = get_random_number(secret.bitlength) }
+        prime                 = get_prime_number(prime_bitlength)
 
         (1..n).each do |x|
           p_x = evaluate_polynomial_at(x, coefficients, prime)
-          new_share = new(:x => x, :y => p_x, :prime => prime, :prime_bitlength => prime_bitlength, :k => k, :n => n, :hmac => secret.hmac)
+          new_share = new(:x => x,
+                          :y => p_x,
+                          :prime => prime,
+                          :prime_bitlength => prime_bitlength,
+                          :k => k,
+                          :n => n,
+                          :hmac => secret.hmac)
           shares[x - 1] = new_share
         end
         shares
@@ -115,11 +114,13 @@ module SecretSharing
       def self.recover_secret(shares)
         return false unless shares.length >= shares[0].k
 
-        # All Shares must have the same HMAC or they were derived from different Secrets
+        # All Shares must have the same HMAC if derived from same Secret
         hmacs = shares.map(&:hmac).uniq
-        fail ArgumentError, 'Share mismatch. Not all Shares have a common HMAC.' unless hmacs.size == 1
+        unless hmacs.size == 1
+          fail ArgumentError, 'Share mismatch. Not all Shares have a common HMAC.'
+        end
 
-        secret = SecretSharing::Shamir::Secret.new(:secret => OpenSSL::BN.new('0'))
+        secret = SecretSharing::Shamir::Secret.new(:secret => 0)
 
         shares.each do |share|
           l_x = lagrange(share.x, shares)
@@ -139,7 +140,7 @@ module SecretSharing
       private
 
       def unpack_share(share)
-        decoded  = usafe_decode64(share)
+        decoded  = Base64.urlsafe_decode64(share)
         h        = MultiJson.load(decoded, :symbolize_keys => true)
 
         @version         = h[:version].to_i                unless h[:version].nil?
@@ -147,8 +148,8 @@ module SecretSharing
         @k               = h[:k].to_i                      unless h[:k].nil?
         @n               = h[:n].to_i                      unless h[:n].nil?
         @x               = h[:x].to_i                      unless h[:x].nil?
-        @y               = OpenSSL::BN.new(h[:y].to_s)     unless h[:y].nil?
-        @prime           = OpenSSL::BN.new(h[:prime].to_s) unless h[:prime].nil?
+        @y               = h[:y].to_i                      unless h[:y].nil?
+        @prime           = h[:prime].to_i                  unless h[:prime].nil?
         @prime_bitlength = h[:prime_bitlength].to_i        unless h[:prime_bitlength].nil?
       end
     end # class Share