Botan 3.11.0
Crypto and TLS for C&
Public Member Functions | Static Public Member Functions | List of all members
Botan::RTSS_Share Class Referencefinal

#include <tss.h>

Public Member Functions

const secure_vector< uint8_t > & data () const
bool initialized () const
 RTSS_Share ()=default
 RTSS_Share (const uint8_t data[], size_t len)
 RTSS_Share (std::string_view hex_input)
uint8_t share_id () const
size_t size () const
std::string to_string () const

Static Public Member Functions

static secure_vector< uint8_t > reconstruct (const std::vector< RTSS_Share > &shares)
static std::vector< RTSS_Sharesplit (uint8_t M, uint8_t N, const uint8_t secret[], uint16_t secret_len, const std::vector< uint8_t > &identifier, std::string_view hash_fn, RandomNumberGenerator &rng)
static std::vector< RTSS_Sharesplit (uint8_t M, uint8_t N, const uint8_t secret[], uint16_t secret_len, const uint8_t identifier[16], RandomNumberGenerator &rng)

Detailed Description

A split secret, using the format from draft-mcgrew-tss-03

Definition at line 22 of file tss.h.

Constructor & Destructor Documentation

◆ RTSS_Share() [1/3]

Botan::RTSS_Share::RTSS_Share ( )
default

References data(), and RTSS_Share().

Referenced by RTSS_Share().

◆ RTSS_Share() [2/3]

Botan::RTSS_Share::RTSS_Share ( std::string_view hex_input)
explicit
Parameters
hex_inputthe share encoded in hexadecimal

Definition at line 95 of file tss.cpp.

95 {
96 m_contents = hex_decode_locked(hex_input);
97}
Botan::hex_decode_locked
secure_vector< uint8_t > hex_decode_locked(const char input[], size_t input_length, bool ignore_ws)
Definition hex.cpp:135

References Botan::hex_decode_locked().

◆ RTSS_Share() [3/3]

Botan::RTSS_Share::RTSS_Share ( const uint8_t data[],
size_t len )
Parameters
datathe shared data
lenthe length of data

Definition at line 99 of file tss.cpp.

99 {
100 m_contents.assign(bin, bin + len);
101}

Member Function Documentation

◆ data()

const secure_vector< uint8_t > & Botan::RTSS_Share::data ( ) const
inline
Returns
binary representation

Definition at line 77 of file tss.h.

77{ return m_contents; }

Referenced by RTSS_Share().

◆ initialized()

bool Botan::RTSS_Share::initialized ( ) const
inline
Returns
if this TSS share was initialized or not

Definition at line 97 of file tss.h.

97{ return (!m_contents.empty()); }

Referenced by share_id().

◆ reconstruct()

secure_vector< uint8_t > Botan::RTSS_Share::reconstruct ( const std::vector< RTSS_Share > & shares)
static
Parameters
sharesthe list of shares

Definition at line 201 of file tss.cpp.

201 {
202 if(shares.size() <= 1) {
203 throw Decoding_Error("Insufficient shares to do TSS reconstruction");
204 }
205
206 for(size_t i = 0; i != shares.size(); ++i) {
207 if(shares[i].size() < RTSS_HEADER_SIZE + 1) {
208 throw Decoding_Error("Missing or malformed RTSS header");
209 }
210
211 if(shares[i].share_id() == 0) {
212 throw Decoding_Error("Invalid (id = 0) RTSS share detected");
213 }
214
215 if(i > 0) {
216 if(shares[i].size() != shares[0].size()) {
217 throw Decoding_Error("Different sized RTSS shares detected");
218 }
219
220 if(!CT::is_equal(shares[0].m_contents.data(), shares[i].m_contents.data(), RTSS_HEADER_SIZE).as_bool()) {
221 throw Decoding_Error("Different RTSS headers detected");
222 }
223 }
224 }
225
226 const uint8_t N = shares[0].m_contents[17];
227
228 if(shares.size() < N) {
229 throw Decoding_Error("Insufficient shares to do TSS reconstruction");
230 }
231
232 const uint16_t share_len = make_uint16(shares[0].m_contents[18], shares[0].m_contents[19]);
233
234 const uint8_t hash_id = shares[0].m_contents[16];
235 auto hash = get_rtss_hash_by_id(hash_id);
236 const size_t hash_len = (hash ? hash->output_length() : 0);
237
238 if(shares[0].size() != RTSS_HEADER_SIZE + share_len) {
239 /*
240 * This second (laxer) check accommodates a bug in TSS that was
241 * fixed in 2.9.0 - previous versions used the length of the
242 * *secret* here, instead of the length of the *share*, which is
243 * precisely 1 + hash_len longer.
244 */
245 if(shares[0].size() <= RTSS_HEADER_SIZE + 1 + hash_len) {
246 throw Decoding_Error("Bad RTSS length field in header");
247 }
248 }
249
250 std::vector<uint8_t> V(shares.size());
251 secure_vector<uint8_t> recovered;
252
253 for(size_t i = RTSS_HEADER_SIZE + 1; i != shares[0].size(); ++i) {
254 for(size_t j = 0; j != V.size(); ++j) {
255 V[j] = shares[j].m_contents[i];
256 }
257
258 uint8_t r = 0;
259 for(size_t k = 0; k != shares.size(); ++k) {
260 // L_i function:
261 uint8_t r2 = 1;
262 for(size_t l = 0; l != shares.size(); ++l) {
263 if(k == l) {
264 continue;
265 }
266
267 const uint8_t share_k = shares[k].share_id();
268 const uint8_t share_l = shares[l].share_id();
269
270 if(share_k == share_l) {
271 throw Decoding_Error("Duplicate shares found in RTSS recovery");
272 }
273
274 const uint8_t div = RTSS_EXP[(255 + RTSS_LOG[share_l] - RTSS_LOG[share_k ^ share_l]) % 255];
275
276 r2 = gfp_mul(r2, div);
277 }
278
279 r ^= gfp_mul(V[k], r2);
280 }
281 recovered.push_back(r);
282 }
283
284 if(hash) {
285 if(recovered.size() < hash->output_length()) {
286 throw Decoding_Error("RTSS recovered value too short to be valid");
287 }
288
289 const size_t secret_len = recovered.size() - hash->output_length();
290
291 hash->update(recovered.data(), secret_len);
292 secure_vector<uint8_t> hash_check = hash->final();
293
294 if(!CT::is_equal(hash_check.data(), &recovered[secret_len], hash->output_length()).as_bool()) {
295 throw Decoding_Error("RTSS hash check failed");
296 }
297
298 // remove the trailing hash value
299 recovered.resize(secret_len);
300 }
301
302 return recovered;
303}
Botan::RTSS_Share::share_id
uint8_t share_id() const
Definition tss.cpp:103
Botan::RTSS_Share::size
size_t size() const
Definition tss.h:92
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:798
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::make_uint16
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:92

References Botan::CT::is_equal(), Botan::make_uint16(), share_id(), and size().

◆ share_id()

uint8_t Botan::RTSS_Share::share_id ( ) const
Returns
share identifier

Definition at line 103 of file tss.cpp.

103 {
104 if(!initialized()) {
105 throw Invalid_State("RTSS_Share::share_id not initialized");
106 }
107
108 if(m_contents.size() < RTSS_HEADER_SIZE + 1) {
109 throw Decoding_Error("RTSS_Share::share_id invalid share data");
110 }
111
112 return m_contents[20];
113}
Botan::RTSS_Share::initialized
bool initialized() const
Definition tss.h:97

References initialized().

Referenced by reconstruct().

◆ size()

size_t Botan::RTSS_Share::size ( ) const
inline
Returns
size of this share in bytes

Definition at line 92 of file tss.h.

92{ return m_contents.size(); }

Referenced by reconstruct().

◆ split() [1/2]

std::vector< RTSS_Share > Botan::RTSS_Share::split ( uint8_t M,
uint8_t N,
const uint8_t secret[],
uint16_t secret_len,
const std::vector< uint8_t > & identifier,
std::string_view hash_fn,
RandomNumberGenerator & rng )
static
Parameters
Mthe number of shares needed to reconstruct
Nthe number of shares generated
secretthe secret to split
secret_lenthe length of the secret
identifierthe share identifier
hash_fnthe hash function to use for a checksum ("None", "SHA-1", "SHA-256")
rngthe random number generator to use

Definition at line 124 of file tss.cpp.

130 {
131 if(M <= 1 || N <= 1 || M > N || N >= 255) {
132 throw Invalid_Argument("RTSS_Share::split: Invalid N or M");
133 }
134
135 if(identifier.size() > 16) {
136 throw Invalid_Argument("RTSS_Share::split Invalid identifier size");
137 }
138
139 const uint8_t hash_id = rtss_hash_id(hash_fn);
140
141 std::unique_ptr<HashFunction> hash;
142 if(hash_id > 0) {
143 hash = HashFunction::create_or_throw(hash_fn);
144 }
145
146 // secret = S || H(S)
147 secure_vector<uint8_t> secret(S, S + S_len);
148 if(hash) {
149 secret += hash->process(S, S_len);
150 }
151
152 if(secret.size() >= 0xFFFE) {
153 throw Encoding_Error("RTSS_Share::split secret too large for TSS format");
154 }
155
156 // +1 byte for the share ID
157 const uint16_t share_len = static_cast<uint16_t>(secret.size() + 1);
158
159 secure_vector<uint8_t> share_header(RTSS_HEADER_SIZE);
160 copy_mem(share_header.data(), identifier.data(), identifier.size());
161 share_header[16] = hash_id;
162 share_header[17] = M;
163 share_header[18] = get_byte<0>(share_len);
164 share_header[19] = get_byte<1>(share_len);
165
166 // Create RTSS header in each share
167 std::vector<RTSS_Share> shares(N);
168
169 for(uint8_t i = 0; i != N; ++i) {
170 shares[i].m_contents.reserve(share_header.size() + share_len);
171 shares[i].m_contents = share_header;
172 }
173
174 // Choose sequential values for X starting from 1
175 for(uint8_t i = 0; i != N; ++i) {
176 shares[i].m_contents.push_back(i + 1);
177 }
178
179 for(const uint8_t secret_byte : secret) {
180 std::vector<uint8_t> coefficients(M - 1);
181 rng.randomize(coefficients.data(), coefficients.size());
182
183 for(uint8_t j = 0; j != N; ++j) {
184 const uint8_t X = j + 1;
185
186 uint8_t sum = secret_byte;
187 uint8_t X_i = X;
188
189 for(const uint8_t cb : coefficients) {
190 sum ^= gfp_mul(X_i, cb);
191 X_i = gfp_mul(X_i, X);
192 }
193
194 shares[j].m_contents.push_back(sum);
195 }
196 }
197
198 return shares;
199}
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144

References Botan::copy_mem(), Botan::HashFunction::create_or_throw(), Botan::get_byte(), and Botan::RandomNumberGenerator::randomize().

◆ split() [2/2]

std::vector< RTSS_Share > Botan::RTSS_Share::split ( uint8_t M,
uint8_t N,
const uint8_t secret[],
uint16_t secret_len,
const uint8_t identifier[16],
RandomNumberGenerator & rng )
static
Parameters
Mthe number of shares needed to reconstruct
Nthe number of shares generated
secretthe secret to split
secret_lenthe length of the secret
identifierthe 16 byte share identifier
rngthe random number generator to use

Definition at line 119 of file tss.cpp.

120 {
121 return RTSS_Share::split(M, N, S, S_len, std::vector<uint8_t>(identifier, identifier + 16), "SHA-256", rng);
122}
Botan::RTSS_Share::split
static std::vector< RTSS_Share > split(uint8_t M, uint8_t N, const uint8_t secret[], uint16_t secret_len, const uint8_t identifier[16], RandomNumberGenerator &rng)
Definition tss.cpp:119

References split().

Referenced by split().

◆ to_string()

std::string Botan::RTSS_Share::to_string ( ) const
Returns
hex representation

Definition at line 115 of file tss.cpp.

115 {
116 return hex_encode(m_contents.data(), m_contents.size());
117}
Botan::hex_encode
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:34

References Botan::hex_encode().

The documentation for this class was generated from the following files:
Generated by doxygen 1.15.0