mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1421501 - add vendored libprio from https://github.com/mozilla/libprio r=fkiefer 

MozReview-Commit-ID: LjbKuuFAMAv

--HG--
extra : rebase_source : 208e008a3ff09d1f0a5575b81bf31262d9968cac
This commit is contained in:
Robert Helmer 2018-06-20 17:21:01 -07:00
Родитель 1eb4a76ba4
Коммит 353ff80190
51 изменённых файлов: 15420 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

373
third_party/prio/LICENSE поставляемый Normal file
Просмотреть файл

@ -0,0 +1,373 @@
Mozilla Public License Version 2.0
==================================
1. Definitions
--------------
1.1. "Contributor"
means each individual or legal entity that creates, contributes to
the creation of, or owns Covered Software.
1.2. "Contributor Version"
means the combination of the Contributions of others (if any) used
by a Contributor and that particular Contributor's Contribution.
1.3. "Contribution"
means Covered Software of a particular Contributor.
1.4. "Covered Software"
means Source Code Form to which the initial Contributor has attached
the notice in Exhibit A, the Executable Form of such Source Code
Form, and Modifications of such Source Code Form, in each case
including portions thereof.
1.5. "Incompatible With Secondary Licenses"
means
(a) that the initial Contributor has attached the notice described
in Exhibit B to the Covered Software; or
(b) that the Covered Software was made available under the terms of
version 1.1 or earlier of the License, but not also under the
terms of a Secondary License.
1.6. "Executable Form"
means any form of the work other than Source Code Form.
1.7. "Larger Work"
means a work that combines Covered Software with other material, in
a separate file or files, that is not Covered Software.
1.8. "License"
means this document.
1.9. "Licensable"
means having the right to grant, to the maximum extent possible,
whether at the time of the initial grant or subsequently, any and
all of the rights conveyed by this License.
1.10. "Modifications"
means any of the following:
(a) any file in Source Code Form that results from an addition to,
deletion from, or modification of the contents of Covered
Software; or
(b) any new file in Source Code Form that contains any Covered
Software.
1.11. "Patent Claims" of a Contributor
means any patent claim(s), including without limitation, method,
process, and apparatus claims, in any patent Licensable by such
Contributor that would be infringed, but for the grant of the
License, by the making, using, selling, offering for sale, having
made, import, or transfer of either its Contributions or its
Contributor Version.
1.12. "Secondary License"
means either the GNU General Public License, Version 2.0, the GNU
Lesser General Public License, Version 2.1, the GNU Affero General
Public License, Version 3.0, or any later versions of those
licenses.
1.13. "Source Code Form"
means the form of the work preferred for making modifications.
1.14. "You" (or "Your")
means an individual or a legal entity exercising rights under this
License. For legal entities, "You" includes any entity that
controls, is controlled by, or is under common control with You. For
purposes of this definition, "control" means (a) the power, direct
or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (b) ownership of more than
fifty percent (50%) of the outstanding shares or beneficial
ownership of such entity.
2. License Grants and Conditions
--------------------------------
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
(a) under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or
as part of a Larger Work; and
(b) under Patent Claims of such Contributor to make, use, sell, offer
for sale, have made, import, and otherwise transfer either its
Contributions or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:
(a) for any code that a Contributor has removed from Covered Software;
or
(b) for infringements caused by: (i) Your and any other third party's
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
(c) under Patent Claims infringed by Covered Software in the absence of
its Contributions.
This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights
to grant the rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
in Section 2.1.
3. Responsibilities
-------------------
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
(a) such Covered Software must also be made available in Source Code
Form, as described in Section 3.1, and You must inform recipients of
the Executable Form how they can obtain a copy of such Source Code
Form by reasonable means in a timely manner, at a charge no more
than the cost of distribution to the recipient; and
(b) You may distribute such Executable Form under the terms of this
License, or sublicense it under different terms, provided that the
license for the Executable Form does not attempt to limit or alter
the recipients' rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).
3.4. Notices
You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty,
or limitations of liability) contained within the Source Code Form of
the Covered Software, except that You may alter any license notices to
the extent required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
---------------------------------------------------
If it is impossible for You to comply with any of the terms of this
License with respect to some or all of the Covered Software due to
statute, judicial order, or regulation then You must: (a) comply with
the terms of this License to the maximum extent possible; and (b)
describe the limitations and the code they affect. Such description must
be placed in a text file included with all distributions of the Covered
Software under this License. Except to the extent prohibited by statute
or regulation, such description must be sufficiently detailed for a
recipient of ordinary skill to be able to understand it.
5. Termination
--------------
5.1. The rights granted under this License will terminate automatically
if You fail to comply with any of its terms. However, if You become
compliant, then the rights granted under this License from a particular
Contributor are reinstated (a) provisionally, unless and until such
Contributor explicitly and finally terminates Your grants, and (b) on an
ongoing basis, if such Contributor fails to notify You of the
non-compliance by some reasonable means prior to 60 days after You have
come back into compliance. Moreover, Your grants from a particular
Contributor are reinstated on an ongoing basis if such Contributor
notifies You of the non-compliance by some reasonable means, this is the
first time You have received notice of non-compliance with this License
from such Contributor, and You become compliant prior to 30 days after
Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all
end user license agreements (excluding distributors and resellers) which
have been validly granted by You or Your distributors under this License
prior to termination shall survive termination.
************************************************************************
* *
* 6. Disclaimer of Warranty *
* ------------------------- *
* *
* Covered Software is provided under this License on an "as is" *
* basis, without warranty of any kind, either expressed, implied, or *
* statutory, including, without limitation, warranties that the *
* Covered Software is free of defects, merchantable, fit for a *
* particular purpose or non-infringing. The entire risk as to the *
* quality and performance of the Covered Software is with You. *
* Should any Covered Software prove defective in any respect, You *
* (not any Contributor) assume the cost of any necessary servicing, *
* repair, or correction. This disclaimer of warranty constitutes an *
* essential part of this License. No use of any Covered Software is *
* authorized under this License except under this disclaimer. *
* *
************************************************************************
************************************************************************
* *
* 7. Limitation of Liability *
* -------------------------- *
* *
* Under no circumstances and under no legal theory, whether tort *
* (including negligence), contract, or otherwise, shall any *
* Contributor, or anyone who distributes Covered Software as *
* permitted above, be liable to You for any direct, indirect, *
* special, incidental, or consequential damages of any character *
* including, without limitation, damages for lost profits, loss of *
* goodwill, work stoppage, computer failure or malfunction, or any *
* and all other commercial damages or losses, even if such party *
* shall have been informed of the possibility of such damages. This *
* limitation of liability shall not apply to liability for death or *
* personal injury resulting from such party's negligence to the *
* extent applicable law prohibits such limitation. Some *
* jurisdictions do not allow the exclusion or limitation of *
* incidental or consequential damages, so this exclusion and *
* limitation may not apply to You. *
* *
************************************************************************
8. Litigation
-------------
Any litigation relating to this License may be brought only in the
courts of a jurisdiction where the defendant maintains its principal
place of business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions.
Nothing in this Section shall prevent a party's ability to bring
cross-claims or counter-claims.
9. Miscellaneous
----------------
This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides
that the language of a contract shall be construed against the drafter
shall not be used to construe this License against a Contributor.
10. Versions of the License
---------------------------
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary
Licenses
If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.
Exhibit A - Source Code Form License Notice
-------------------------------------------
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular
file, then You may include the notice in a location (such as a LICENSE
file in a relevant directory) where a recipient would be likely to look
for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - "Incompatible With Secondary Licenses" Notice
---------------------------------------------------------
This Source Code Form is "Incompatible With Secondary Licenses", as
defined by the Mozilla Public License, v. 2.0.

17
third_party/prio/README-mozilla поставляемый Normal file
Просмотреть файл

@ -0,0 +1,17 @@
This directory contains the Prio source from the upstream repo:
https://github.com/mozilla/libprio
Current version: 1.0 [commit c1c6afd1683e27d823f39eb8fbe4b8469cc5bbf6]
UPDATING:
Our in-tree copy of Prio does not depend on any generated files from the
upstream build system. Therefore, it should be sufficient to simply overwrite
the in-tree files one the updated ones from upstream to perform updates.
To simplify this, the in-tree copy can be updated by running
sh update.sh
from within the third_party/libprio directory.
If the collection of source files changes, manual updates to moz.build may be
needed as we don't use the upstream makefiles.

136
third_party/prio/README.md поставляемый Normal file
Просмотреть файл

@ -0,0 +1,136 @@
# libprio - A Prio library in C using NSS
**Warning:**
We do our best to write bug-free code, but I have no doubt
that there are scary bugs, side-channel attacks, and memory leaks
lurking herein.
**Important:**
We have not yet implemented the items
described in the "Security-Critical TODOs" section below.
Without these features, do not use the code in a production environment.
## Overview
This is an implementation of the core cryptographic routines
for the [Prio system](https://crypto.stanford.edu/prio/)
for the private computation of aggregate statistics:
> "Prio: Private, Robust, and Scalable Computation of Aggregate Statistics"<br>
> by Henry Corrigan-Gibbs and Dan Boneh<br>
> USENIX Symposium on Networked Systems Design and Implementation<br>
> March 2017
>
> Available online at:
> https://crypto.stanford.edu/prio/
**Usage scenario.**
The library implements the cryptographic routines necessary
for the following application scenario:
Each client holds a vector of boolean values.
Each client uses the library to encode her private vector into two
encoded packets&mdash;one for server A and one for server B.
After receiving shares from a client, the servers can use the routines
implemented here to check whether the client-provided packets are
well formed.
(Without this check, a single malicious client can corrupt the
output of the computation.)
After collecting data packets from many clients, the servers
can combine their state to learn how many clients had the
*i*th bit of their data vector set to `true` and how many
clients had the *i*th bit of their data vector set to `false`.
As long as at least one of the two servers is honest
(i.e., runs the correct code),
the servers learn *nothing else* about the clients' data,
under standard cryptographic assumptions.
For example, the *i*th bit of the data vector could indicate
whether the client ever visited the *i*th-ranked website
in the Alexa Top 500.
The servers would learn how many clients visited each of the
Top 500 websites *without learning* which clients visited
which websites.
**Efficiency considerations.**
The code makes no use of public-key crypto, so it should
be relatively fast.
When each a data packet is of length *N*,
all arithmetic is modulo a prime *p* (we use an 87-bit prime by default),
and "elements" are integers modulo *p*,
the dominant costs of the system are:
* **Client compute:** O(*N* log *N*) multiplications
* **Client-to-server communication:** 2*N* + O(1) elements<br>
* **Server compute:** O(*N* log *N*) multiplications to check each packet<br>
(NOTE: Using an optimization we haven't yet implemented, we can
drop this cost to O(*N*) multiplications per packet.)
* **Server-to-server communication:** O(1) elements
* **Server storage:** O(*N*) elements
## Running the code
You must first install
[NSS/NSPR](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS),
[scons](http://scons.org/), and
[msgpack-c](https://github.com/msgpack/msgpack-c) version 2.1.5 (or newer?).
On Ubuntu, you can instal NSS and scons with:
$ sudo apt install scons libnspr4-dev libnss3-dev
and you will have to download [msgpack-c 2.1.5 or newer here](https://github.com/msgpack/msgpack-c/releases),
since the Ubuntu packages for msgpack are far out of date.
For macOS using Homebrew:
$ brew install nss nspr scons msgpack
$ export LDFLAGS="-L/usr/local/opt/nss/lib"
$ export CPPFLAGS="-I/usr/local/opt/nss/include -I/usr/local/opt/nspr/include/nspr"
To compile the code, run:
$ scons
To run the test suite, execute:
$ build/ptest/ptest -v
To print debug messages while compiling:
$ scons VERBOSE=1
To compile with debug symbols, run:
$ scons BUILDTYPE=DEBUG
To clean up the object and binary files, run:
$ scons -c
The files in this directory are:
````
/build - Binaries, object files, etc.
/include - Exported header files
(Note: The public header is <mprio.h> since
NSPR already has a file called <prio.h>.)
/mpi - NSS MPI bignum library
/pclient - Example code that uses the Prio library
/prio - Prio library core code
/ptest - Tests and test runner
````
## Optimizations and features not yet implemented
* **Server compute.**
By using a fast polynomial interpolation-and-evaluation
routine, we can reduce the cost of checking a single client
request from O(*N* log *N*) multiplications down to O(*N*)
multiplications, for a data packet of *N* items.
* **Differential privacy.**
It would be very straightforward to add some small amount of
noise to the final statistics to provide differential privacy.
If this would be useful, I can add it.
* **Misc.**
There are TODO notes scattered throughout code indicating
places for potential performance optimizations.

41
third_party/prio/SConstruct поставляемый Normal file
Просмотреть файл

@ -0,0 +1,41 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import os
import SCons
opts = Variables()
opts.AddVariables(
BoolVariable("DEBUG", "Make debug build", 1),
BoolVariable("VERBOSE", "Show full build information", 0))
env = Environment(options = opts,
ENV = os.environ)
if "CFLAGS" in os.environ:
env.Append(CFLAGS = SCons.Util.CLVar(os.getenv("CFLAGS")))
if "CPPFLAGS" in os.environ:
env.Append(CPPFLAGS = SCons.Util.CLVar(os.getenv("CPPFLAGS")))
if "CXXFLAGS" in os.environ:
env.Append(CXXFLAGS = SCons.Util.CLVar(os.getenv("CXXFLAGS")))
if "LDFLAGS" in os.environ:
env.Append(LINKFLAGS = SCons.Util.CLVar(os.getenv("LDFLAGS")))
if env["DEBUG"]:
print "DEBUG MODE!"
env.Append(CPPFLAGS = [ "-g", "-DDEBUG"])
env.Append(LIBS = ["mprio", "mpi", "nss3", "nspr4"], \
LIBPATH = ['#build/prio', "#build/mpi"],
CFLAGS = [ "-Wall", "-Werror", "-Wextra", "-O3", "-std=c99",
"-I/usr/include/nspr", "-Impi", "-DDO_PR_CLEANUP"])
env.Append(CPPPATH = ["#include", "#."])
Export('env')
SConscript('browser-test/SConscript', variant_dir='build/browser-test')
SConscript('mpi/SConscript', variant_dir='build/mpi')
SConscript('pclient/SConscript', variant_dir='build/pclient')
SConscript('prio/SConscript', variant_dir='build/prio')
SConscript('ptest/SConscript', variant_dir='build/ptest')

19
third_party/prio/browser-test/SConscript поставляемый Normal file
Просмотреть файл

@ -0,0 +1,19 @@
import sys
Import('env')
prio_env = env.Clone()
src = [
"main.c",
]
libs = [
"mprio",
"msgpackc",
]
prio_env.Append(LIBS = libs)
prio_env.Install("encode-once.js")
prio_env.Program("browser-test", src)

45
third_party/prio/browser-test/encode-once.js поставляемый Normal file
Просмотреть файл

@ -0,0 +1,45 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
ChromeUtils.import('resource://gre/modules/Services.jsm');
let [publicKeyA, publicKeyB, batchID, param1, param2, param3] = arguments;
Services.prefs.setStringPref('prio.publicKeyA', publicKeyA);
Services.prefs.setStringPref('prio.publicKeyB', publicKeyB);
async function test() {
let params = {
'browserIsUserDefault': Number(param1),
'safeModeUsage': Number(param2),
'startupCrashDetected': Number(param3)
};
try {
let result = await PrioEncoder.encode(batchID, params);
const toTypedArray = byteString => {
let u8Array = new Uint8Array(byteString.length);
for (let i in byteString) {
u8Array[i] = byteString.charCodeAt(i);
}
return u8Array;
}
const toHexString = bytes =>
bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, '0') + ',', '');
console.log(toHexString(toTypedArray(result.a)) + '$' + toHexString(toTypedArray(result.b)));
console.log('');
} catch(e) {
console.log('Failure.', e);
console.log(v);
}
}
test().then();

319
third_party/prio/browser-test/main.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,319 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#define _GNU_SOURCE
#include <mprio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "prio/encrypt.h"
#include "prio/util.h"
static void
init_data (bool *data, int datalen)
{
// The client's data submission is an arbitrary boolean vector.
for (int i=0; i < datalen; i++) {
// Arbitrary data
data[i] = rand () % 2;
}
}
static SECStatus
read_string_from_hex (unsigned char **str_out, unsigned int *strLen,
const char *input, const char **new_input)
{
SECStatus rv = SECSuccess;
*strLen = 0;
int read = 0;
int outCount = 0;
const char *inp = input;
while (true) {
unsigned char byte = '\0';
const int retval = sscanf(inp, "%02hhx,%n", &byte, &read);
if (retval < 1 || read != 3) {
break;
}
inp += read;
(*str_out)[outCount] = byte;
outCount++;
*strLen = *strLen + 1;
}
if (new_input)
*new_input = inp + 1;
return rv;
}
static SECStatus
read_browser_reply (FILE *infile,
unsigned char **for_server_a, unsigned int *aLen,
unsigned char **for_server_b, unsigned int *bLen)
{
SECStatus rv = SECFailure;
char *raw_input = NULL;
size_t rawLen = 0;
puts ("Getting line of input.");
P_CHECKCB (getline (&raw_input, &rawLen, infile) > 0);
puts ("Got line of input.");
P_CHECKA (*for_server_a = malloc (rawLen * sizeof (unsigned char)));
P_CHECKA (*for_server_b = malloc (rawLen * sizeof (unsigned char)));
*aLen = 0;
*bLen = 0;
P_CHECKCB (rawLen > 14);
// Header is 14 chars long
const char *new_input;
puts ("Reading string A");
P_CHECKC (read_string_from_hex (for_server_a, aLen, raw_input + 14, &new_input));
puts ("Read string A");
// Skip over for_server_a string and one-char delimeter
puts ("Reading string B");
P_CHECKC (read_string_from_hex (for_server_b, bLen, new_input, NULL));
puts ("Read string B");
cleanup:
if (raw_input) free (raw_input);
return rv;
}
static int
verify_full (const char *path_to_xpcshell, int pathlen)
{
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
PrioPacketVerify1 p1A = NULL;
PrioPacketVerify1 p1B = NULL;
PrioPacketVerify2 p2A = NULL;
PrioPacketVerify2 p2B = NULL;
PrioTotalShare tA = NULL;
PrioTotalShare tB = NULL;
FILE *shell = NULL;
int cmdlen = pathlen + 2*CURVE25519_KEY_LEN_HEX + 128;
char cmd[cmdlen];
memset (cmd, 0, cmdlen);
unsigned char *for_server_a = NULL;
unsigned char *for_server_b = NULL;
const int seed = rand ();
srand (seed);
printf ("Using srand seed %d\n", seed);
// Number of different boolean data fields we collect.
const int ndata = 3;
//unsigned char batch_id_str[] = "abcde";
unsigned char batch_id_str[32];
memset (batch_id_str, 0, sizeof batch_id_str);
snprintf ((char *)batch_id_str, sizeof batch_id_str, "%d", rand());
bool data_items[ndata];
unsigned long output[ndata];
init_data (data_items, ndata);
// Initialize NSS random number generator.
P_CHECKC (Prio_init ());
// Generate keypairs for servers
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
// Export public keys to hex and print to stdout
unsigned char pk_hexA[CURVE25519_KEY_LEN_HEX+1];
unsigned char pk_hexB[CURVE25519_KEY_LEN_HEX+1];
P_CHECKC (PublicKey_export_hex (pkA, pk_hexA));
P_CHECKC (PublicKey_export_hex (pkB, pk_hexB));
snprintf (cmd, cmdlen, "%s %s %s %s %s %d %d %d",
path_to_xpcshell, "encode-once.js",
pk_hexA, pk_hexB, batch_id_str,
data_items[0], data_items[1], data_items[2]);
printf ("> %s\n", cmd);
P_CHECKA (shell = popen(cmd, "r"));
puts("Ran command.");
// Use the default configuration parameters.
P_CHECKA (cfg = PrioConfig_new (ndata, pkA, pkB, batch_id_str,
strlen ((char *)batch_id_str)));
PrioPRGSeed server_secret;
P_CHECKC (PrioPRGSeed_randomize (&server_secret));
// Initialize two server objects. The role of the servers need not
// be symmetric. In a deployment, we envision that:
// * Server A is the main telemetry server that is always online.
// Clients send their encrypted data packets to Server A and
// Server A stores them.
// * Server B only comes online when the two servers want to compute
// the final aggregate statistics.
P_CHECKA (sA = PrioServer_new (cfg, PRIO_SERVER_A, skA, server_secret));
P_CHECKA (sB = PrioServer_new (cfg, PRIO_SERVER_B, skB, server_secret));
// Initialize empty verifier objects
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
// Initialize shares of final aggregate statistics
P_CHECKA (tA = PrioTotalShare_new ());
P_CHECKA (tB = PrioTotalShare_new ());
// Initialize shares of verification packets
P_CHECKA (p1A = PrioPacketVerify1_new ());
P_CHECKA (p1B = PrioPacketVerify1_new ());
P_CHECKA (p2A = PrioPacketVerify2_new ());
P_CHECKA (p2B = PrioPacketVerify2_new ());
// I. CLIENT DATA SUBMISSION.
//
// Read in the client data packets
unsigned int aLen = 0, bLen = 0;
puts ("Reading...");
P_CHECKC (read_browser_reply (shell, &for_server_a, &aLen, &for_server_b, &bLen));
printf ("Read reply from browser. LenA: %u, LenB: %u\n", aLen, bLen);
// II. VALIDATION PROTOCOL. (at servers)
//
// The servers now run a short 2-step protocol to check each
// client's packet:
// 1) Servers A and B broadcast one message (PrioPacketVerify1)
// to each other.
// 2) Servers A and B broadcast another message (PrioPacketVerify2)
// to each other.
// 3) Servers A and B can both determine whether the client's data
// submission is well-formed (in which case they add it to their
// running total of aggregate statistics) or ill-formed
// (in which case they ignore it).
// These messages must be sent over an authenticated channel, so
// that each server is assured that every received message came
// from its peer.
// Set up a Prio verifier object.
P_CHECKC (PrioVerifier_set_data (vA, for_server_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_server_b, bLen));
puts("Imported data.");
// Both servers produce a packet1. Server A sends p1A to Server B
// and vice versa.
P_CHECKC (PrioPacketVerify1_set_data (p1A, vA));
P_CHECKC (PrioPacketVerify1_set_data (p1B, vB));
puts("Set data.");
// Both servers produce a packet2. Server A sends p2A to Server B
// and vice versa.
P_CHECKC (PrioPacketVerify2_set_data(p2A, vA, p1A, p1B));
P_CHECKC (PrioPacketVerify2_set_data(p2B, vB, p1A, p1B));
// Using p2A and p2B, the servers can determine whether the request
// is valid. (In fact, only Server A needs to perform this
// check, since Server A can just tell Server B whether the check
// succeeded or failed.)
puts ("Checking validity.");
P_CHECKC (PrioVerifier_isValid (vA, p2A, p2B));
P_CHECKC (PrioVerifier_isValid (vB, p2A, p2B));
puts ("Are valid.");
// If we get here, the client packet is valid, so add it to the aggregate
// statistic counter for both servers.
P_CHECKC (PrioServer_aggregate (sA, vA));
P_CHECKC (PrioServer_aggregate (sB, vB));
// The servers repeat the steps above for each client submission.
// III. PRODUCTION OF AGGREGATE STATISTICS.
//
// After collecting aggregates from MANY clients, the servers can compute
// their shares of the aggregate statistics.
//
// Server B can send tB to Server A.
P_CHECKC (PrioTotalShare_set_data (tA, sA));
P_CHECKC (PrioTotalShare_set_data (tB, sB));
// Once Server A has tA and tB, it can learn the aggregate statistics
// in the clear.
P_CHECKC (PrioTotalShare_final (cfg, output, tA, tB));
for (int i=0; i < ndata; i++) {
//printf("output[%d] = %lu\n", i, output[i]);
//printf("data[%d] = %d\n", i, (int)data_items[i]);
P_CHECKCB (output[i] == data_items[i]);
}
puts ("Success!");
cleanup:
if (rv != SECSuccess) {
fprintf (stderr, "Warning: unexpected failure.\n");
}
if (for_server_a) free (for_server_a);
if (for_server_b) free (for_server_b);
PrioTotalShare_clear (tA);
PrioTotalShare_clear (tB);
PrioPacketVerify2_clear (p2A);
PrioPacketVerify2_clear (p2B);
PrioPacketVerify1_clear (p1A);
PrioPacketVerify1_clear (p1B);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
Prio_clear ();
return !(rv == SECSuccess);
}
int
main (int argc, char **argv)
{
puts("== Prio browser test utility. ==");
puts("(Note: Expects to be run in the same directory as encode-once.js.)");
if (argc != 2) {
fprintf (stderr, "Usage ./%s <path_to_xpcshell>\n", argv[0]);
return 1;
}
return verify_full (argv[1], strlen (argv[1]));
}

273
third_party/prio/include/mprio.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,273 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __PRIO_H__
#define __PRIO_H__
#ifdef __cplusplus
extern "C" {
#endif
#include <msgpack.h>
#include <nss/blapit.h>
#include <nss/pk11pub.h>
#include <nss/seccomon.h>
#include <stdbool.h>
#include <stddef.h>
/* Seed for a pseudo-random generator (PRG). */
#define PRG_SEED_LENGTH AES_128_KEY_LENGTH
typedef unsigned char PrioPRGSeed[PRG_SEED_LENGTH];
/* Length of a raw curve25519 public key, in bytes. */
#define CURVE25519_KEY_LEN 32
/* Length of a hex-encoded curve25519 public key, in bytes. */
#define CURVE25519_KEY_LEN_HEX 64
/*
* Type for each of the two servers.
*/
typedef enum {
PRIO_SERVER_A,
PRIO_SERVER_B
} PrioServerId;
/*
* Opaque types
*/
typedef struct prio_config *PrioConfig;
typedef const struct prio_config *const_PrioConfig;
typedef struct prio_server *PrioServer;
typedef const struct prio_server *const_PrioServer;
typedef struct prio_verifier *PrioVerifier;
typedef const struct prio_verifier *const_PrioVerifier;
typedef struct prio_packet_verify1 *PrioPacketVerify1;
typedef const struct prio_packet_verify1 *const_PrioPacketVerify1;
typedef struct prio_packet_verify2 *PrioPacketVerify2;
typedef const struct prio_packet_verify2 *const_PrioPacketVerify2;
typedef struct prio_total_share *PrioTotalShare;
typedef const struct prio_total_share *const_PrioTotalShare;
typedef SECKEYPublicKey *PublicKey;
typedef const SECKEYPublicKey *const_PublicKey;
typedef SECKEYPrivateKey *PrivateKey;
typedef const SECKEYPrivateKey *const_PrivateKey;
/*
* Initialize and clear random number generator state.
* You must call Prio_init() before using the library.
* To avoid memory leaks, call Prio_clear() afterwards.
*/
SECStatus Prio_init ();
void Prio_clear();
/*
* PrioConfig holds the system parameters. The two relevant things determined
* by the config object are:
* (1) the number of data fields we are collecting, and
* (2) the modulus we use for modular arithmetic.
* The default configuration uses an 87-bit modulus.
*
* The `batch_id` field specifies which "batch" of aggregate statistics we are
* computing. For example, if the aggregate statistics are computed every 24
* hours, the `batch_id` might be set to an encoding of the date. The clients
* and servers must all use the same `batch_id` for each run of the protocol.
* Each set of aggregate statistics should use a different `batch_id`.
*
* `PrioConfig_new` does not keep a pointer to the `batch_id` string that the
* caller passes in, so you may free the `batch_id` string as soon as
* `PrioConfig_new` returns.
*/
PrioConfig PrioConfig_new (int n_fields, PublicKey server_a, PublicKey server_b,
const unsigned char *batch_id, unsigned int batch_id_len);
void PrioConfig_clear (PrioConfig cfg);
int PrioConfig_numDataFields (const_PrioConfig cfg);
/*
* Create a PrioConfig object with no encryption keys. This routine is
* useful for testing, but PrioClient_encode() will always fail when used with
* this config.
*/
PrioConfig PrioConfig_newTest (int n_fields);
/*
* We use the PublicKey and PrivateKey objects for public-key encryption. Each
* Prio server has an associated public key, and the clients use these keys to
* encrypt messages to the servers.
*/
SECStatus Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey);
/*
* Import a new curve25519 public key from the raw bytes given. The key passed in
* as `data` should be of length `CURVE25519_KEY_LEN`. This function allocates
* a new PublicKey object, which the caller must free using `PublicKey_clear`.
*/
SECStatus PublicKey_import (PublicKey *pk, const unsigned char *data, unsigned int dataLen);
/*
* Import a new curve25519 public key from a hex string that contains only the
* characters 0-9a-fA-F. The hex string passed in as `hex_data` should be of
* length `CURVE25519_KEY_LEN_HEX`. This function allocates a new PublicKey
* object, which the caller must free using `PublicKey_clear`.
*/
SECStatus PublicKey_import_hex (PublicKey *pk, const unsigned char *hex_data,
unsigned int dataLen);
/*
* Export a curve25519 public key as a raw byte-array.
*/
SECStatus PublicKey_export (const_PublicKey pk, unsigned char data[CURVE25519_KEY_LEN]);
/*
* Export a curve25519 public key as a NULL-terminated hex string.
*/
SECStatus PublicKey_export_hex (const_PublicKey pk,
unsigned char data[CURVE25519_KEY_LEN_HEX+1]);
void PublicKey_clear (PublicKey pubkey);
void PrivateKey_clear (PrivateKey pvtkey);
/*
* PrioPacketClient_encode
*
* Takes as input a pointer to an array (`data_in`) of boolean values
* whose length is equal to the number of data fields specified in
* the config. It then encodes the data for servers A and B into a
* string.
*
* NOTE: The caller must free() the strings `for_server_a` and
* `for_server_b` to avoid memory leaks.
*/
SECStatus
PrioClient_encode (const_PrioConfig cfg, const bool *data_in,
unsigned char **for_server_a, unsigned int *aLen,
unsigned char **for_server_b, unsigned int *bLen);
/*
* Generate a new PRG seed using the NSS global randomness source.
* Use this routine to initialize the secret that the two Prio servers
* share.
*/
SECStatus PrioPRGSeed_randomize (PrioPRGSeed *seed);
/*
* The PrioServer object holds the state of the Prio servers.
* Pass in the _same_ secret PRGSeed when initializing the two servers.
* The PRGSeed must remain secret to the two servers.
*/
PrioServer PrioServer_new (const_PrioConfig cfg, PrioServerId server_idx,
PrivateKey server_priv, const PrioPRGSeed server_shared_secret);
void PrioServer_clear (PrioServer s);
/*
* After receiving a client packet, each of the servers generate
* a PrioVerifier object that they use to check whether the client's
* encoded packet is well formed.
*/
PrioVerifier PrioVerifier_new (PrioServer s);
void PrioVerifier_clear (PrioVerifier v);
/*
* Read in encrypted data from the client, decrypt it, and prepare to check the
* request for validity.
*/
SECStatus PrioVerifier_set_data (PrioVerifier v,
unsigned char *data, unsigned int dataLen);
/*
* Generate the first packet that servers need to exchange to verify the
* client's submission. This should be sent over a TLS connection between the
* servers.
*/
PrioPacketVerify1 PrioPacketVerify1_new (void);
void PrioPacketVerify1_clear (PrioPacketVerify1 p1);
SECStatus PrioPacketVerify1_set_data (PrioPacketVerify1 p1,
const_PrioVerifier v);
SECStatus PrioPacketVerify1_write (const_PrioPacketVerify1 p,
msgpack_packer *pk);
SECStatus PrioPacketVerify1_read (PrioPacketVerify1 p,
msgpack_unpacker *upk, const_PrioConfig cfg);
/*
* Generate the second packet that the servers need to exchange to verify the
* client's submission. The routine takes as input the PrioPacketVerify1
* packets from both server A and server B.
*
* This should be sent over a TLS connection between the servers.
*/
PrioPacketVerify2 PrioPacketVerify2_new (void);
void PrioPacketVerify2_clear (PrioPacketVerify2 p);
SECStatus PrioPacketVerify2_set_data (PrioPacketVerify2 p2, const_PrioVerifier v,
const_PrioPacketVerify1 p1A, const_PrioPacketVerify1 p1B);
SECStatus PrioPacketVerify2_write (const_PrioPacketVerify2 p,
msgpack_packer *pk);
SECStatus PrioPacketVerify2_read (PrioPacketVerify2 p,
msgpack_unpacker *upk, const_PrioConfig cfg);
/*
* Use the PrioPacketVerify2s from both servers to check whether
* the client's submission is well formed.
*/
SECStatus PrioVerifier_isValid (const_PrioVerifier v,
const_PrioPacketVerify2 pA, const_PrioPacketVerify2 pB);
/*
* Each of the two servers calls this routine to aggregate the data
* submission from a client that is included in the PrioVerifier object.
*
* IMPORTANT: This routine does *not* check the validity of the client's
* data packet. The servers must execute the verification checks
* above before aggregating any client data.
*/
SECStatus PrioServer_aggregate (PrioServer s, PrioVerifier v);
/*
* After the servers have aggregated data packets from "enough" clients
* (this determines the anonymity set size), each server runs this routine
* to get a share of the aggregate statistics.
*/
PrioTotalShare PrioTotalShare_new (void);
void PrioTotalShare_clear (PrioTotalShare t);
SECStatus PrioTotalShare_set_data (PrioTotalShare t, const_PrioServer s);
SECStatus PrioTotalShare_write (const_PrioTotalShare t,
msgpack_packer *pk);
SECStatus PrioTotalShare_read (PrioTotalShare t,
msgpack_unpacker *upk, const_PrioConfig cfg);
/*
* Read the output data into an array of unsigned longs. You should
* be sure that each data value can fit into a single long and that
* the pointer `output` points to a buffer large enough to store
* one long per data field.
*/
SECStatus PrioTotalShare_final (const_PrioConfig cfg, unsigned long *output,
const_PrioTotalShare tA, const_PrioTotalShare tB);
#endif /* __PRIO_H__ */
#ifdef __cplusplus
}
#endif

18
third_party/prio/pclient/SConscript поставляемый Normal file
Просмотреть файл

@ -0,0 +1,18 @@
import sys
Import('env')
prio_env = env.Clone()
src = [
"main.c",
]
libs = [
"mprio",
"msgpackc",
]
prio_env.Append(LIBS = libs)
prio_env.Program("pclient", src)

229
third_party/prio/pclient/main.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,229 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <stdio.h>
#include <stdlib.h>
#include "prio/util.h"
int
verify_full (void)
{
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
PrioPacketVerify1 p1A = NULL;
PrioPacketVerify1 p1B = NULL;
PrioPacketVerify2 p2A = NULL;
PrioPacketVerify2 p2B = NULL;
PrioTotalShare tA = NULL;
PrioTotalShare tB = NULL;
unsigned char *for_server_a = NULL;
unsigned char *for_server_b = NULL;
const unsigned char *batch_id = (unsigned char *)"prio_batch_2018-04-17";
const unsigned int batch_id_len = strlen ((char *)batch_id);
// Initialize NSS random number generator.
P_CHECKC (Prio_init ());
// Number of different boolean data fields we collect.
const int ndata = 100;
// Number of clients to simulate.
const int nclients = 10;
// New scope to avoid goto weirdness
{
bool data_items[ndata];
// Generate keypairs for servers
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
// Use the default configuration parameters.
P_CHECKA (cfg = PrioConfig_new (ndata, pkA, pkB, batch_id, batch_id_len));
PrioPRGSeed server_secret;
P_CHECKC (PrioPRGSeed_randomize (&server_secret));
// Initialize two server objects. The role of the servers need not
// be symmetric. In a deployment, we envision that:
// * Server A is the main telemetry server that is always online.
// Clients send their encrypted data packets to Server A and
// Server A stores them.
// * Server B only comes online when the two servers want to compute
// the final aggregate statistics.
P_CHECKA (sA = PrioServer_new (cfg, PRIO_SERVER_A, skA, server_secret));
P_CHECKA (sB = PrioServer_new (cfg, PRIO_SERVER_B, skB, server_secret));
// Initialize empty verifier objects
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
// Initialize shares of final aggregate statistics
P_CHECKA (tA = PrioTotalShare_new ());
P_CHECKA (tB = PrioTotalShare_new ());
// Initialize shares of verification packets
P_CHECKA (p1A = PrioPacketVerify1_new ());
P_CHECKA (p1B = PrioPacketVerify1_new ());
P_CHECKA (p2A = PrioPacketVerify2_new ());
P_CHECKA (p2B = PrioPacketVerify2_new ());
// Generate client data packets.
for (int c=0; c < nclients; c++) {
// The client's data submission is an arbitrary boolean vector.
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (c % 5 == 3);
}
// I. CLIENT DATA SUBMISSION.
//
// Construct the client data packets.
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items,
&for_server_a, &aLen, &for_server_b, &bLen));
// The Prio servers A and B can come online later (e.g., at the end of
// each day) to download the encrypted telemetry packets from the
// telemetry server and run the protocol that computes the aggregate
// statistics. In this way, the client only needs to send a
// single message (the pair of encrypted ClientPacketData packets)
// to a single server (the telemetry-data-collection server).
// THE CLIENT'S JOB IS DONE. The rest of the processing just takes place
// between the two servers A and B.
// II. VALIDATION PROTOCOL. (at servers)
//
// The servers now run a short 2-step protocol to check each
// client's packet:
// 1) Servers A and B broadcast one message (PrioPacketVerify1)
// to each other.
// 2) Servers A and B broadcast another message (PrioPacketVerify2)
// to each other.
// 3) Servers A and B can both determine whether the client's data
// submission is well-formed (in which case they add it to their
// running total of aggregate statistics) or ill-formed
// (in which case they ignore it).
// These messages must be sent over an authenticated channel, so
// that each server is assured that every received message came
// from its peer.
// Set up a Prio verifier object.
P_CHECKC (PrioVerifier_set_data (vA, for_server_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_server_b, bLen));
// Both servers produce a packet1. Server A sends p1A to Server B
// and vice versa.
P_CHECKC (PrioPacketVerify1_set_data (p1A, vA));
P_CHECKC (PrioPacketVerify1_set_data (p1B, vB));
// Both servers produce a packet2. Server A sends p2A to Server B
// and vice versa.
P_CHECKC (PrioPacketVerify2_set_data(p2A, vA, p1A, p1B));
P_CHECKC (PrioPacketVerify2_set_data(p2B, vB, p1A, p1B));
// Using p2A and p2B, the servers can determine whether the request
// is valid. (In fact, only Server A needs to perform this
// check, since Server A can just tell Server B whether the check
// succeeded or failed.)
P_CHECKC (PrioVerifier_isValid (vA, p2A, p2B));
P_CHECKC (PrioVerifier_isValid (vB, p2A, p2B));
// If we get here, the client packet is valid, so add it to the aggregate
// statistic counter for both servers.
P_CHECKC (PrioServer_aggregate (sA, vA));
P_CHECKC (PrioServer_aggregate (sB, vB));
free (for_server_a);
free (for_server_b);
for_server_a = NULL;
for_server_b = NULL;
}
// The servers repeat the steps above for each client submission.
// III. PRODUCTION OF AGGREGATE STATISTICS.
//
// After collecting aggregates from MANY clients, the servers can compute
// their shares of the aggregate statistics.
//
// Server B can send tB to Server A.
P_CHECKC (PrioTotalShare_set_data (tA, sA));
P_CHECKC (PrioTotalShare_set_data (tB, sB));
// Once Server A has tA and tB, it can learn the aggregate statistics
// in the clear.
unsigned long output[ndata];
P_CHECKC (PrioTotalShare_final (cfg, output, tA, tB));
// Now the output[i] contains a counter that indicates how many clients
// submitted TRUE for data value i. We print out this data.
for (int i=0; i < ndata; i++)
printf("output[%d] = %lu\n", i, output[i]);
}
cleanup:
if (rv != SECSuccess) {
fprintf (stderr, "Warning: unexpected failure.\n");
}
if (for_server_a) free (for_server_a);
if (for_server_b) free (for_server_b);
PrioTotalShare_clear (tA);
PrioTotalShare_clear (tB);
PrioPacketVerify2_clear (p2A);
PrioPacketVerify2_clear (p2B);
PrioPacketVerify1_clear (p1A);
PrioPacketVerify1_clear (p1B);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
Prio_clear ();
return !(rv == SECSuccess);
}
int
main (void)
{
puts ("This utility demonstrates how to invoke the Prio API.");
return verify_full ();
}

29
third_party/prio/prio/SConscript поставляемый Normal file
Просмотреть файл

@ -0,0 +1,29 @@
import os
Import('env')
penv = env.Clone()
src = [
"client.c",
"config.c",
"encrypt.c",
"mparray.c",
"poly.c",
"rand.c",
"prg.c",
"server.c",
"serial.c",
"share.c",
]
libs = [
"msgpackc"
]
# Enable mp_print()
penv.Append(CFLAGS = ['-DMP_IOFUNC'])
penv.Append(LIBS = libs)
penv.StaticLibrary("mprio", src)

353
third_party/prio/prio/client.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,353 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <mpi.h>
#include <mprio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "client.h"
#include "config.h"
#include "encrypt.h"
#include "poly.h"
#include "rand.h"
#include "serial.h"
#include "share.h"
#include "util.h"
// Let the points of data_in be [x1, x2, x3, ... ].
// We construct the polynomial f such that
// (a) f(0) = random,
// (b) f(i) = x_i for all i >= 1,
// (c) degree(f)+1 is a power of two.
// We then evaluate f at the 2N-th roots of unity
// and we return these evaluations as `evals_out`
// and we return f(0) as `const_term`.
static SECStatus
data_polynomial_evals(const_PrioConfig cfg, const_MPArray data_in,
MPArray evals_out, mp_int *const_term)
{
SECStatus rv = SECSuccess;
const mp_int *mod = &cfg->modulus;
MPArray points_f = NULL;
MPArray poly_f = NULL;
// Number of multiplication gates in the Valid() circuit.
const int mul_gates = cfg->num_data_fields;
// Little n is the number of points on the polynomials.
// The constant term is randomized, so it's (mul_gates + 1).
const int n = mul_gates + 1;
// Big N is n rounded up to a power of two.
const int N = next_power_of_two (n);
P_CHECKA (points_f = MPArray_new (N));
P_CHECKA (poly_f = MPArray_new (N));
// Set constant term f(0) to random
P_CHECKC (rand_int (&points_f->data[0], mod));
MP_CHECKC (mp_copy (&points_f->data[0], const_term));
// Set other values of f(x)
for (int i=1; i<n; i++) {
MP_CHECKC (mp_copy (&data_in->data[i-1], &points_f->data[i]));
}
// Interpolate through the Nth roots of unity
P_CHECKC (poly_fft(poly_f, points_f, cfg, true));
// Evaluate at all 2N-th roots of unity.
// To do so, first resize the eval arrays and fill upper
// values with zeros.
P_CHECKC (MPArray_resize (poly_f, 2*N));
P_CHECKC (MPArray_resize (evals_out, 2*N));
// Evaluate at the 2N-th roots of unity
P_CHECKC (poly_fft(evals_out, poly_f, cfg, false));
cleanup:
MPArray_clear (points_f);
MPArray_clear (poly_f);
return rv;
}
static SECStatus
share_polynomials (const_PrioConfig cfg, const_MPArray data_in,
PrioPacketClient pA, PrioPacketClient pB, PRG prgB)
{
SECStatus rv = SECSuccess;
const mp_int *mod = &cfg->modulus;
const_MPArray points_f = data_in;
mp_int f0, g0;
MP_DIGITS (&f0) = NULL;
MP_DIGITS (&g0) = NULL;
MPArray points_g = NULL;
MPArray evals_f_2N = NULL;
MPArray evals_g_2N = NULL;
P_CHECKA (points_g = MPArray_dup (points_f));
P_CHECKA (evals_f_2N = MPArray_new (0));
P_CHECKA (evals_g_2N = MPArray_new (0));
MP_CHECKC (mp_init (&f0));
MP_CHECKC (mp_init (&g0));
for (int i=0; i<points_f->len; i++) {
// For each input value x_i, we compute x_i * (x_i-1).
// f(i) = x_i
// g(i) = x_i - 1
MP_CHECKC (mp_sub_d (&points_g->data[i], 1, &points_g->data[i]));
MP_CHECKC (mp_mod (&points_g->data[i], mod, &points_g->data[i]));
}
P_CHECKC (data_polynomial_evals(cfg, points_f, evals_f_2N, &f0));
P_CHECKC (data_polynomial_evals(cfg, points_g, evals_g_2N, &g0));
// The values f(0) and g(0) are set to random values.
// We must send to each server a share of the points
// f(0), g(0), and h(0) = f(0)*g(0)
P_CHECKC (share_int (cfg, &f0, &pA->f0_share, &pB->f0_share));
P_CHECKC (share_int (cfg, &g0, &pA->g0_share, &pB->g0_share));
// Compute h(0) = f(0)*g(0).
MP_CHECKC (mp_mulmod (&f0, &g0, mod, &f0));
// Give one share of h(0) to each server.
P_CHECKC (share_int (cfg, &f0, &pA->h0_share, &pB->h0_share));
//const int lenN = (evals_f_2N->len/2);
//P_CHECKC (MPArray_resize (pA->shares.A.h_points, lenN));
// We need to send to the servers the evaluations of
// f(r) * g(r)
// for all 2N-th roots of unity r that are not also
// N-th roots of unity.
//
// For each such root r, compute h(r) = f(r)*g(r) and
// send a share of this value to each server.
int j = 0;
for (int i = 1; i < evals_f_2N->len; i += 2) {
MP_CHECKC (mp_mulmod (&evals_f_2N->data[i], &evals_g_2N->data[i], mod, &f0));
P_CHECKC (PRG_share_int (prgB, &pA->shares.A.h_points->data[j], &f0, cfg));
j++;
}
cleanup:
MPArray_clear (evals_f_2N);
MPArray_clear (evals_g_2N);
MPArray_clear (points_g);
mp_clear (&f0);
mp_clear (&g0);
return rv;
}
PrioPacketClient
PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server)
{
SECStatus rv = SECSuccess;
const int data_len = cfg->num_data_fields;
PrioPacketClient p = NULL;
p = malloc (sizeof (*p));
if (!p) return NULL;
p->for_server = for_server;
p->triple = NULL;
MP_DIGITS (&p->f0_share) = NULL;
MP_DIGITS (&p->g0_share) = NULL;
MP_DIGITS (&p->h0_share) = NULL;
switch (p->for_server) {
case PRIO_SERVER_A:
p->shares.A.data_shares = NULL;
p->shares.A.h_points = NULL;
break;
case PRIO_SERVER_B:
memset (p->shares.B.seed, 0, PRG_SEED_LENGTH);
break;
default:
// Should never get here
rv = SECFailure;
goto cleanup;
}
MP_CHECKC (mp_init (&p->f0_share));
MP_CHECKC (mp_init (&p->g0_share));
MP_CHECKC (mp_init (&p->h0_share));
P_CHECKA (p->triple = BeaverTriple_new ());
if (p->for_server == PRIO_SERVER_A) {
const int num_h_points = PrioConfig_hPoints (cfg);
P_CHECKA (p->shares.A.data_shares = MPArray_new (data_len));
P_CHECKA (p->shares.A.h_points = MPArray_new (num_h_points));
}
cleanup:
if (rv != SECSuccess) {
PrioPacketClient_clear (p);
return NULL;
}
return p;
}
SECStatus
PrioPacketClient_set_data (const_PrioConfig cfg, const bool *data_in,
PrioPacketClient pA, PrioPacketClient pB)
{
MPArray client_data = NULL;
PRG prgB = NULL;
SECStatus rv = SECSuccess;
const int data_len = cfg->num_data_fields;
if (!data_in) return SECFailure;
P_CHECKC (PrioPRGSeed_randomize (&pB->shares.B.seed));
P_CHECKA (prgB = PRG_new (pB->shares.B.seed));
P_CHECKC (BeaverTriple_set_rand (cfg, pA->triple, pB->triple));
P_CHECKA (client_data = MPArray_new_bool (data_len, data_in));
P_CHECKC (PRG_share_array (prgB, pA->shares.A.data_shares,
client_data, cfg));
P_CHECKC (share_polynomials (cfg, client_data, pA, pB, prgB));
cleanup:
MPArray_clear (client_data);
PRG_clear (prgB);
return rv;
}
void
PrioPacketClient_clear (PrioPacketClient p)
{
if (p == NULL) return;
if (p->for_server == PRIO_SERVER_A) {
MPArray_clear (p->shares.A.h_points);
MPArray_clear (p->shares.A.data_shares);
}
BeaverTriple_clear (p->triple);
mp_clear (&p->f0_share);
mp_clear (&p->g0_share);
mp_clear (&p->h0_share);
free (p);
}
bool
PrioPacketClient_areEqual (const_PrioPacketClient p1,
const_PrioPacketClient p2)
{
if (!BeaverTriple_areEqual (p1->triple, p2->triple)) return false;
if (mp_cmp (&p1->f0_share, &p2->f0_share)) return false;
if (mp_cmp (&p1->g0_share, &p2->g0_share)) return false;
if (mp_cmp (&p1->h0_share, &p2->h0_share)) return false;
if (p1->for_server != p2->for_server) return false;
switch (p1->for_server) {
case PRIO_SERVER_A:
if (!MPArray_areEqual (p1->shares.A.data_shares,
p2->shares.A.data_shares)) return false;
if (!MPArray_areEqual (p1->shares.A.h_points,
p2->shares.A.h_points)) return false;
break;
case PRIO_SERVER_B:
if (memcmp (p1->shares.B.seed, p2->shares.B.seed,
PRG_SEED_LENGTH)) return false;
break;
default:
// Should never get here.
return false;
}
return true;
}
SECStatus
PrioClient_encode (const_PrioConfig cfg, const bool *data_in,
unsigned char **for_server_a, unsigned int *aLen,
unsigned char **for_server_b, unsigned int *bLen)
{
SECStatus rv = SECSuccess;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
*for_server_a = NULL;
*for_server_b = NULL;
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
msgpack_sbuffer sbufA, sbufB;
msgpack_packer packerA, packerB;
msgpack_sbuffer_init (&sbufA);
msgpack_sbuffer_init (&sbufB);
msgpack_packer_init (&packerA, &sbufA, msgpack_sbuffer_write);
msgpack_packer_init (&packerB, &sbufB, msgpack_sbuffer_write);
P_CHECKC (PrioPacketClient_set_data (cfg, data_in, pA, pB));
P_CHECKC (serial_write_packet_client (&packerA, pA, cfg));
P_CHECKC (serial_write_packet_client (&packerB, pB, cfg));
P_CHECKC (PublicKey_encryptSize (sbufA.size, aLen));
P_CHECKC (PublicKey_encryptSize (sbufB.size, bLen));
P_CHECKA (*for_server_a = malloc (*aLen));
P_CHECKA (*for_server_b = malloc (*bLen));
unsigned int writtenA;
unsigned int writtenB;
P_CHECKC (PublicKey_encrypt (cfg->server_a_pub, *for_server_a, &writtenA, *aLen,
(unsigned char *)sbufA.data, sbufA.size));
P_CHECKC (PublicKey_encrypt (cfg->server_b_pub, *for_server_b, &writtenB, *bLen,
(unsigned char *)sbufB.data, sbufB.size));
P_CHECKCB (writtenA == *aLen);
P_CHECKCB (writtenB == *bLen);
cleanup:
if (rv != SECSuccess) {
if (*for_server_a) free (*for_server_a);
if (*for_server_b) free (*for_server_b);
*for_server_a = NULL;
*for_server_b = NULL;
}
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
msgpack_sbuffer_destroy (&sbufA);
msgpack_sbuffer_destroy (&sbufB);
return rv;
}
SECStatus
PrioPacketClient_decrypt (PrioPacketClient p, const_PrioConfig cfg,
PrivateKey server_priv, const unsigned char *data_in, unsigned int data_len)
{
SECStatus rv = SECSuccess;
msgpack_unpacker upk;
P_CHECKCB (msgpack_unpacker_init (&upk, data_len));
// Decrypt the ciphertext into dec_buf
unsigned int bytes_decrypted;
P_CHECKC (PrivateKey_decrypt (server_priv,
(unsigned char *)msgpack_unpacker_buffer (&upk), &bytes_decrypted,
data_len, data_in, data_len));
msgpack_unpacker_buffer_consumed (&upk, bytes_decrypted);
P_CHECKC (serial_read_packet_client (&upk, p, cfg));
cleanup:
msgpack_unpacker_destroy (&upk);
return rv;
}

74
third_party/prio/prio/client.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,74 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __CLIENT_H__
#define __CLIENT_H__
#include "mparray.h"
#include "prg.h"
#include "share.h"
/*
* The PrioPacketClient object holds the encoded client data.
* The client sends one packet to server A and one packet to
* server B. The `for_server` parameter determines which server
* the packet is for.
*/
typedef struct prio_packet_client *PrioPacketClient;
typedef const struct prio_packet_client *const_PrioPacketClient;
struct server_a_data {
// These values are only set for server A.
MPArray data_shares;
MPArray h_points;
};
struct server_b_data {
// This value is only used for server B.
//
// We use a pseudo-random generator to compress the secret-shared data
// values. See Appendix I of the Prio paper (the paragraph starting
// "Optimization: PRG secret sharing.") for details on this.
PrioPRGSeed seed;
};
/*
* The data that a Prio client sends to each server.
*/
struct prio_packet_client {
// TODO: Can also use a PRG to avoid need for sending Beaver triple shares.
// Since this optimization only saves ~30 bytes of communication, we haven't
// bothered implementing it yet.
BeaverTriple triple;
mp_int f0_share, g0_share, h0_share;
PrioServerId for_server;
union {
struct server_a_data A;
struct server_b_data B;
} shares;
};
PrioPacketClient PrioPacketClient_new (const_PrioConfig cfg, PrioServerId for_server);
void PrioPacketClient_clear (PrioPacketClient p);
SECStatus PrioPacketClient_set_data (const_PrioConfig cfg, const bool *data_in,
PrioPacketClient for_server_a, PrioPacketClient for_server_b);
SECStatus PrioPacketClient_decrypt (PrioPacketClient p,
const_PrioConfig cfg, PrivateKey server_priv,
const unsigned char *data_in, unsigned int data_len);
bool PrioPacketClient_areEqual (const_PrioPacketClient p1,
const_PrioPacketClient p2);
#endif /* __CLIENT_H__ */

132
third_party/prio/prio/config.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,132 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <stdlib.h>
#include "config.h"
#include "params.h"
#include "mparray.h"
#include "rand.h"
#include "util.h"
// The PrioConfig object stores "2^k-th roots of unity" modulo
// the prime modulus we use for all arithmetic. We use
// these roots to perform fast FFT-style polynomial
// interpolation and evaluation.
//
// In particular, we use a prime modulus p such that
// p = (2^k)q + 1.
// The roots are integers such that r^{2^k} = 1 mod p.
static SECStatus
initialize_roots (MPArray arr, const char *values[])
{
// TODO: Read in only the number of roots of unity we need.
// Right now we read in all 4096 roots whether or not we use
// them all.
for (int i=0; i < arr->len; i++) {
MP_CHECK (mp_read_radix (&arr->data[i], values[i], 16));
}
return SECSuccess;
}
PrioConfig
PrioConfig_new (int n_fields, PublicKey server_a, PublicKey server_b,
const unsigned char *batch_id, unsigned int batch_id_len)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = malloc (sizeof (*cfg));
if (!cfg)
return NULL;
cfg->batch_id = NULL;
cfg->batch_id_len = batch_id_len;
cfg->server_a_pub = server_a;
cfg->server_b_pub = server_b;
cfg->num_data_fields = n_fields;
cfg->n_roots = 1 << Generator2Order;
MP_DIGITS(&cfg->modulus) = NULL;
MP_DIGITS(&cfg->inv2) = NULL;
cfg->roots = NULL;
cfg->rootsInv = NULL;
if (cfg->num_data_fields >= cfg->n_roots) {
rv = SECFailure;
goto cleanup;
}
P_CHECKA (cfg->batch_id = malloc (batch_id_len));
strncpy ((char *)cfg->batch_id, (char *)batch_id, batch_id_len);
MP_CHECKC (mp_init (&cfg->modulus));
MP_CHECKC (mp_read_radix (&cfg->modulus, Modulus, 16));
// Compute 2^{-1} modulo M
MP_CHECKC (mp_init (&cfg->inv2));
mp_set (&cfg->inv2, 2);
MP_CHECKC (mp_invmod (&cfg->inv2, &cfg->modulus, &cfg->inv2));
P_CHECKA (cfg->roots = MPArray_new (cfg->n_roots));
P_CHECKA (cfg->rootsInv = MPArray_new (cfg->n_roots));
MP_CHECKC (initialize_roots (cfg->roots, Roots));
MP_CHECKC (initialize_roots (cfg->rootsInv, RootsInv));
cleanup:
if (rv != SECSuccess) {
PrioConfig_clear (cfg);
return NULL;
}
return cfg;
}
PrioConfig
PrioConfig_newTest (int nFields)
{
return PrioConfig_new (nFields, NULL, NULL,
(unsigned char *)"testBatch", 9);
}
void
PrioConfig_clear (PrioConfig cfg)
{
if (!cfg) return;
if (cfg->batch_id) free (cfg->batch_id);
MPArray_clear (cfg->roots);
MPArray_clear (cfg->rootsInv);
mp_clear (&cfg->modulus);
mp_clear (&cfg->inv2);
free (cfg);
}
int
PrioConfig_numDataFields (const_PrioConfig cfg)
{
return cfg->num_data_fields;
}
SECStatus
Prio_init (void)
{
return rand_init ();
}
void
Prio_clear (void)
{
rand_clear ();
}
int PrioConfig_hPoints (const_PrioConfig cfg)
{
const int mul_gates = cfg->num_data_fields + 1;
const int N = next_power_of_two (mul_gates);
return N;
}

36
third_party/prio/prio/config.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,36 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __CONFIG_H__
#define __CONFIG_H__
#include <mpi.h>
#include "mparray.h"
struct prio_config {
int num_data_fields;
unsigned char *batch_id;
unsigned int batch_id_len;
PublicKey server_a_pub;
PublicKey server_b_pub;
mp_int modulus;
mp_int inv2;
int n_roots;
MPArray roots;
MPArray rootsInv;
};
int PrioConfig_hPoints (const_PrioConfig cfg);
#endif /* __CONFIG_H__ */

21
third_party/prio/prio/debug.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,21 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __DEBUG_H__
#define __DEBUG_H__
#include <stdio.h>
#ifdef DEBUG
#define PRIO_DEBUG(msg) do { fprintf(stderr, "Error: %s\n", msg); } while(false);
#else
#define PRIO_DEBUG(msg) ;
#endif
#endif /* __DEBUG_H__ */

355
third_party/prio/prio/encrypt.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,355 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <nss/keyhi.h>
#include <nss/keythi.h>
#include <nss/pk11pub.h>
#include <prerror.h>
#include "encrypt.h"
#include "prio/rand.h"
#include "prio/util.h"
// Use curve25519
#define CURVE_OID_TAG SEC_OID_CURVE25519
// Use 96-bit IV
#define GCM_IV_LEN_BYTES 12
// Use 128-bit auth tag
#define GCM_TAG_LEN_BYTES 16
#define PRIO_TAG "PrioPacket"
#define AAD_LEN (strlen (PRIO_TAG) + CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES)
// The all-zeros curve25519 public key, as DER-encoded SKPI blob.
static const uint8_t curve25519_spki_zeros[] = {
0x30, 0x39, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b,
0x06, 0x01, 0x04, 0x01, 0xda, 0x47, 0x0f, 0x01, 0x03, 0x21,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00,
};
static inline uint8_t
hex_to_int (char h)
{
return (h > '9') ? toupper (h) - 'A' + 10 : (h - '0');
}
static inline unsigned char
int_to_hex (uint8_t i)
{
return (i > 0x09) ? ((i - 10) + 'A') : i + '0';
}
static SECStatus
derive_dh_secret (PK11SymKey **shared_secret, PrivateKey priv, PublicKey pub)
{
if (priv == NULL) return SECFailure;
if (pub == NULL) return SECFailure;
if (shared_secret == NULL) return SECFailure;
SECStatus rv = SECSuccess;
*shared_secret = NULL;
P_CHECKA (*shared_secret = PK11_PubDeriveWithKDF (priv, pub, PR_FALSE,
NULL, NULL, CKM_ECDH1_DERIVE, CKM_AES_GCM,
CKA_ENCRYPT | CKA_DECRYPT, 16,
CKD_SHA256_KDF, NULL, NULL));
cleanup:
return rv;
}
SECStatus
PublicKey_import (PublicKey *pk, const unsigned char *data, unsigned int dataLen)
{
SECStatus rv = SECSuccess;
CERTSubjectPublicKeyInfo *pkinfo = NULL;
*pk = NULL;
if (dataLen != CURVE25519_KEY_LEN)
return SECFailure;
unsigned char key_bytes[dataLen];
memcpy (key_bytes, data, dataLen);
const int spki_len = sizeof (curve25519_spki_zeros);
uint8_t spki_data[spki_len];
memcpy (spki_data, curve25519_spki_zeros, spki_len);
SECItem spki_item = { siBuffer, spki_data, spki_len };
// Import the all-zeros curve25519 public key.
P_CHECKA (pkinfo = SECKEY_DecodeDERSubjectPublicKeyInfo (&spki_item));
P_CHECKA (*pk = SECKEY_ExtractPublicKey (pkinfo));
// Overwrite the all-zeros public key with the 32-byte curve25519 public key
// given as input.
memcpy ((*pk)->u.ec.publicValue.data, data, CURVE25519_KEY_LEN);
cleanup:
if (pkinfo)
SECKEY_DestroySubjectPublicKeyInfo (pkinfo);
if (rv != SECSuccess)
PublicKey_clear (*pk);
return rv;
}
SECStatus
PublicKey_import_hex (PublicKey *pk, const unsigned char *hex_data, unsigned int dataLen)
{
unsigned char raw_bytes[CURVE25519_KEY_LEN];
if (dataLen != CURVE25519_KEY_LEN_HEX)
return SECFailure;
for (unsigned int i=0; i<dataLen; i++) {
if (!isxdigit (hex_data[i]))
return SECFailure;
}
const unsigned char *p = hex_data;
for (unsigned int i=0; i<CURVE25519_KEY_LEN; i++) {
uint8_t d0 = hex_to_int (p[0]);
uint8_t d1 = hex_to_int (p[1]);
raw_bytes[i] = (d0 << 4) | d1;
p += 2;
}
return PublicKey_import (pk, raw_bytes, CURVE25519_KEY_LEN);
}
SECStatus
PublicKey_export (const_PublicKey pk, unsigned char data[CURVE25519_KEY_LEN])
{
if (pk == NULL) return SECFailure;
memcpy (data, pk->u.ec.publicValue.data, CURVE25519_KEY_LEN);
return SECSuccess;
}
SECStatus
PublicKey_export_hex (const_PublicKey pk, unsigned char data[(2*CURVE25519_KEY_LEN)+1])
{
unsigned char raw_data[CURVE25519_KEY_LEN];
if (PublicKey_export (pk, raw_data) != SECSuccess)
return SECFailure;
const unsigned char *p = raw_data;
for (unsigned int i=0; i<CURVE25519_KEY_LEN; i++) {
unsigned char bytel = p[0] & 0x0f;
unsigned char byteu = (p[0] & 0xf0) >> 4;
data[2*i] = int_to_hex (byteu);
data[2*i + 1] = int_to_hex (bytel);
p++;
}
data[2*CURVE25519_KEY_LEN] = '\0';
return SECSuccess;
}
SECStatus
Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey)
{
if (pvtkey == NULL) return SECFailure;
if (pubkey == NULL) return SECFailure;
SECStatus rv = SECSuccess;
SECOidData *oid_data = NULL;
*pubkey = NULL;
*pvtkey = NULL;
SECKEYECParams ecp;
ecp.data = NULL;
PK11SlotInfo *slot = NULL;
P_CHECKA (oid_data = SECOID_FindOIDByTag (CURVE_OID_TAG));
const int oid_struct_len = 2 + oid_data->oid.len;
P_CHECKA (ecp.data = malloc (oid_struct_len));
ecp.len = oid_struct_len;
ecp.type = siDEROID;
ecp.data[0] = SEC_ASN1_OBJECT_ID;
ecp.data[1] = oid_data->oid.len;
memcpy (&ecp.data[2], oid_data->oid.data, oid_data->oid.len);
P_CHECKA (slot = PK11_GetInternalSlot ());
P_CHECKA (*pvtkey = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, &ecp,
(SECKEYPublicKey **)pubkey, PR_FALSE, PR_FALSE, NULL));
cleanup:
if (ecp.data)
free (ecp.data);
if (rv != SECSuccess) {
PublicKey_clear (*pubkey);
PrivateKey_clear (*pvtkey);
}
return rv;
}
void
PublicKey_clear (PublicKey pubkey)
{
if (pubkey)
SECKEY_DestroyPublicKey(pubkey);
}
void
PrivateKey_clear (PrivateKey pvtkey)
{
if (pvtkey)
SECKEY_DestroyPrivateKey(pvtkey);
}
const SECItem *
PublicKey_toBytes (const_PublicKey pubkey)
{
return &pubkey->u.ec.publicValue;
}
SECStatus
PublicKey_encryptSize (unsigned int inputLen, unsigned int *outputLen)
{
if (outputLen == NULL || inputLen >= MAX_ENCRYPT_LEN)
return SECFailure;
// public key, IV, tag, and input
*outputLen = CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES + GCM_TAG_LEN_BYTES + inputLen;
return SECSuccess;
}
static void
set_gcm_params (SECItem *paramItem, CK_GCM_PARAMS *param, unsigned char *nonce,
const_PublicKey pubkey, unsigned char *aadBuf)
{
int offset = 0;
memcpy (aadBuf, PRIO_TAG, strlen (PRIO_TAG));
offset += strlen (PRIO_TAG);
memcpy (aadBuf + offset, PublicKey_toBytes (pubkey)->data, CURVE25519_KEY_LEN);
offset += CURVE25519_KEY_LEN;
memcpy (aadBuf + offset, nonce, GCM_IV_LEN_BYTES);
param->pIv = nonce;
param->ulIvLen = GCM_IV_LEN_BYTES;
param->pAAD = aadBuf;
param->ulAADLen = AAD_LEN;
param->ulTagBits = GCM_TAG_LEN_BYTES * 8;
paramItem->type = siBuffer;
paramItem->data = (void *)param;
paramItem->len = sizeof (*param);
}
SECStatus
PublicKey_encrypt (PublicKey pubkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen)
{
if (pubkey == NULL)
return SECFailure;
if (inputLen >= MAX_ENCRYPT_LEN)
return SECFailure;
unsigned int needLen;
if (PublicKey_encryptSize (inputLen, &needLen) != SECSuccess)
return SECFailure;
if (maxOutputLen < needLen)
return SECFailure;
SECStatus rv = SECSuccess;
PublicKey eph_pub = NULL;
PrivateKey eph_priv = NULL;
PK11SymKey *aes_key = NULL;
unsigned char nonce[GCM_IV_LEN_BYTES];
unsigned char aadBuf[AAD_LEN];
P_CHECKC (rand_bytes (nonce, GCM_IV_LEN_BYTES));
P_CHECKC (Keypair_new (&eph_priv, &eph_pub));
P_CHECKC (derive_dh_secret (&aes_key, eph_priv, pubkey));
CK_GCM_PARAMS param;
SECItem paramItem;
set_gcm_params (&paramItem, &param, nonce, eph_pub, aadBuf);
const SECItem *pk = PublicKey_toBytes (eph_pub);
P_CHECKCB (pk->len == CURVE25519_KEY_LEN);
memcpy (output, pk->data, pk->len);
memcpy (output + CURVE25519_KEY_LEN, param.pIv, param.ulIvLen);
const int offset = CURVE25519_KEY_LEN + param.ulIvLen;
P_CHECKC (PK11_Encrypt (aes_key, CKM_AES_GCM, &paramItem, output + offset,
outputLen, maxOutputLen - offset, input, inputLen));
*outputLen = *outputLen + CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES;
cleanup:
PublicKey_clear (eph_pub);
PrivateKey_clear (eph_priv);
if (aes_key)
PK11_FreeSymKey (aes_key);
return rv;
}
SECStatus
PrivateKey_decrypt (PrivateKey privkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen)
{
PK11SymKey *aes_key = NULL;
PublicKey eph_pub = NULL;
unsigned char aad_buf[AAD_LEN];
if (privkey == NULL)
return SECFailure;
SECStatus rv = SECSuccess;
unsigned int headerLen;
if (PublicKey_encryptSize (0, &headerLen) != SECSuccess)
return SECFailure;
if (inputLen < headerLen)
return SECFailure;
const unsigned int msglen = inputLen - headerLen;
if (maxOutputLen < msglen || msglen >= MAX_ENCRYPT_LEN)
return SECFailure;
P_CHECKC (PublicKey_import (&eph_pub, input, CURVE25519_KEY_LEN));
unsigned char nonce[GCM_IV_LEN_BYTES];
memcpy (nonce, input + CURVE25519_KEY_LEN, GCM_IV_LEN_BYTES);
SECItem paramItem;
CK_GCM_PARAMS param;
set_gcm_params (&paramItem, &param, nonce, eph_pub, aad_buf);
P_CHECKC (derive_dh_secret (&aes_key, privkey, eph_pub));
const int offset = CURVE25519_KEY_LEN + GCM_IV_LEN_BYTES;
P_CHECKC (PK11_Decrypt (aes_key, CKM_AES_GCM, &paramItem, output,
outputLen, maxOutputLen, input + offset, inputLen - offset));
cleanup:
PublicKey_clear (eph_pub);
if (aes_key)
PK11_FreeSymKey (aes_key);
return rv;
}

74
third_party/prio/prio/encrypt.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,74 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __ENCRYPT_H__
#define __ENCRYPT_H__
#include <limits.h>
#include <mprio.h>
/*******
* These functions attempt to implement CCA-secure public-key encryption using
* the NSS library. We use hashed-ElGamal encryption with Curve25519 as the
* underlying group and AES128-GCM as the bulk encryption mode of operation.
*
* I make no guarantees that I am using NSS correctly or that this encryption
* scheme is actually CCA secure. As far as I can tell, NSS does not provide
* any public-key hybrid encryption scheme out of the box, so I had to cook my
* own. If you want to be really safe, you should use the NaCl Box routines
* to implement these functions.
*/
/*
* Messages encrypted using this library must be smaller than MAX_ENCRYPT_LEN.
* Enforcing this length limit helps avoid integer overflow.
*/
#define MAX_ENCRYPT_LEN (INT_MAX >> 3)
/*
* Write the number of bytes needed to store a ciphertext that encrypts a
* plaintext message of length `inputLen` and authenticated data of length
* `adLen` into the variable pointed to by `outputLen`. If `inputLen`
* is too large (larger than `MAX_ENCRYPT_LEN`), this function returns
* an error.
*/
SECStatus PublicKey_encryptSize (unsigned int inputLen, unsigned int *outputLen);
/*
* Generate a new keypair for public-key encryption.
*/
SECStatus Keypair_new (PrivateKey *pvtkey, PublicKey *pubkey);
/*
* Encrypt an arbitrary bitstring to the specified public key. The buffer
* `output` should be large enough to store the ciphertext. Use the
* `PublicKey_encryptSize()` function above to figure out how large of a buffer
* you need.
*
* The value `inputLen` must be smaller than `MAX_ENCRYPT_LEN`.
*/
SECStatus PublicKey_encrypt (PublicKey pubkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
/*
* Decrypt an arbitrary bitstring using the specified private key. The output
* buffer should be at least 16 bytes larger than the plaintext you expect. If
* `outputLen` >= `inputLen`, you should be safe.
*/
SECStatus PrivateKey_decrypt (PrivateKey privkey,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
#endif /* __ENCRYPT_H__ */

90
third_party/prio/prio/gen_params.py поставляемый Normal file
Просмотреть файл

@ -0,0 +1,90 @@
"""
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
"""
# Has a subgroup of order 2^19
modulus = int('0x8000000000000000080001', 16)
# Generates the subgroup of order 2^19
gen19 = int('0x2597c14f48d5b65ed8dcca', 16)
# We want a generator of order 2^12, so compute
# gen19^(2^7) = gen19^128 (mod p)
gen12 = gen19
for i in range(7):
gen12 *= gen12
gen12 %= modulus
#print gen12
# Sanity check
rootsL = [1] * 2**12
rootsInvL = [1] * 2**12
for i in range(1, 2**12):
rootsL[i] = (rootsL[i-1] * gen12) % modulus
assert ((rootsL[2**12 - 1] * gen12) % modulus) == 1
gen12inv = rootsL[2**12 - 1]
for i in range(1, 2**12):
rootsInvL[i] = (rootsInvL[i-1] * gen12inv) % modulus
assert rootsInvL[i] != 1
assert ((rootsInvL[2**12 - 1] * gen12inv) % modulus) == 1
rootsL = map(lambda x: ' "%x"' % x, rootsL)
rootsInvL = map(lambda x: ' "%x"' % x, rootsInvL)
roots = ",\n".join(rootsL)
rootsInv = ",\n".join(rootsInvL)
output = """
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/****
* NOTE: This file was auto-generated from gen_params.py.
* Do not edit this file. Instead, edit the script.
*/
#ifndef __PARAMS_H__
#define __PARAMS_H__
// A prime modulus p.
static const char *Modulus = "%(modulus)x";
// A generator g of a subgroup of Z*_p.
// static const char *Generator = "%(generator)x";
// The generator g generates a subgroup of
// order 2^IntGen2Order in Z*_p.
static const int Generator2Order = %(twoorder)d;
static const char *Roots[] = {
%(roots)s
};
static const char *RootsInv[] = {
%(rootsInv)s
};
#endif /* __PARAMS_H__ */
""" % {
'modulus': modulus,
'generator': gen12,
'twoorder': 12,
'roots': roots,
'rootsInv': rootsInv,
}
print output

196
third_party/prio/prio/mparray.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,196 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <stdlib.h>
#include "config.h"
#include "mparray.h"
#include "share.h"
#include "util.h"
MPArray
MPArray_new (int len)
{
SECStatus rv = SECSuccess;
MPArray arr = malloc (sizeof *arr);
if (!arr)
return NULL;
arr->data = NULL;
arr->len = len;
P_CHECKA(arr->data = calloc (len, sizeof (mp_int)));
// Initialize these to NULL so that we can figure
// out which allocations failed (if any)
for (int i=0; i<len; i++) {
MP_DIGITS (&arr->data[i]) = NULL;
}
for (int i=0; i<len; i++) {
MP_CHECKC (mp_init(&arr->data[i]));
}
cleanup:
if (rv != SECSuccess) {
MPArray_clear (arr);
return NULL;
}
return arr;
}
MPArray
MPArray_new_bool (int len, const bool *data_in)
{
MPArray arr = MPArray_new (len);
if (arr == NULL) return NULL;
for (int i=0; i<len; i++) {
mp_set (&arr->data[i], data_in[i]);
}
return arr;
}
SECStatus
MPArray_resize (MPArray arr, int newlen)
{
SECStatus rv = SECSuccess;
const int oldlen = arr->len;
if (oldlen == newlen)
return rv;
// TODO: Use realloc for this?
mp_int *newdata = calloc (newlen, sizeof (mp_int));
if (newdata == NULL)
return SECFailure;
for (int i = 0; i < newlen; i++) {
MP_DIGITS (&newdata[i]) = NULL;
}
// Initialize new array
for (int i = 0; i < newlen; i++) {
MP_CHECKC (mp_init (&newdata[i]));
}
// Copy old data into new array
for (int i = 0; i < newlen && i < oldlen; i++) {
MP_CHECKC (mp_copy (&arr->data[i], &newdata[i]));
}
// Free old data
for (int i = 0; i < oldlen; i++) {
mp_clear (&arr->data[i]);
}
free (arr->data);
arr->data = newdata;
arr->len = newlen;
cleanup:
if (rv != SECSuccess) {
for (int i=0; i < newlen; i++) {
mp_clear (&newdata[i]);
}
free (newdata);
}
return rv;
}
MPArray
MPArray_dup (const_MPArray src)
{
MPArray dst = MPArray_new (src->len);
if (!dst) return NULL;
SECStatus rv = MPArray_copy (dst, src);
if (rv == SECSuccess) {
return dst;
} else {
MPArray_clear (dst);
return NULL;
}
}
SECStatus
MPArray_copy (MPArray dst, const_MPArray src)
{
if (dst->len != src->len)
return SECFailure;
for (int i=0; i<src->len; i++) {
if (mp_copy(&src->data[i], &dst->data[i]) != MP_OKAY) {
return SECFailure;
}
}
return SECSuccess;
}
SECStatus
MPArray_set_share (MPArray arrA, MPArray arrB,
const_MPArray src, const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
if (arrA->len != src->len || arrB->len != src->len)
return SECFailure;
const int len = src->len;
for (int i=0; i < len; i++) {
P_CHECK(share_int (cfg, &src->data[i], &arrA->data[i], &arrB->data[i]));
}
return rv;
}
void
MPArray_clear (MPArray arr)
{
if (arr == NULL) return;
if (arr->data != NULL) {
for (int i=0; i<arr->len; i++) {
mp_clear(&arr->data[i]);
}
free (arr->data);
}
free (arr);
}
SECStatus
MPArray_addmod (MPArray dst, const_MPArray to_add, const mp_int *mod)
{
if (dst->len != to_add->len)
return SECFailure;
for (int i=0; i<dst->len; i++) {
MP_CHECK (mp_addmod (&dst->data[i], &to_add->data[i], mod, &dst->data[i]));
}
return SECSuccess;
}
bool
MPArray_areEqual (const_MPArray arr1, const_MPArray arr2)
{
if (arr1->len != arr2->len) return false;
for (int i=0; i<arr1->len; i++) {
if (mp_cmp (&arr1->data[i], &arr2->data[i]))
return false;
}
return true;
}

71
third_party/prio/prio/mparray.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,71 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __MPARRAY_H__
#define __MPARRAY_H__
#include <mpi.h>
#include <mprio.h>
struct mparray {
int len;
mp_int *data;
};
typedef struct mparray *MPArray;
typedef const struct mparray *const_MPArray;
/*
* Initialize an array of `mp_int`s of the given length.
*/
MPArray MPArray_new (int len);
void MPArray_clear (MPArray arr);
/*
* Copies secret sharing of data from src into arrays
* arrA and arrB. The lengths of the three input arrays
* must be identical.
*/
SECStatus MPArray_set_share (MPArray arrA, MPArray arrB,
const_MPArray src, const_PrioConfig cfg);
/*
* Initializes array with 0/1 values specified in boolean array `data_in`
*/
MPArray MPArray_new_bool (int len, const bool *data_in);
/*
* Expands or shrinks the MPArray to the desired size. If shrinking,
* will clear the values on the end of array.
*/
SECStatus MPArray_resize (MPArray arr, int newlen);
/*
* Initializes dst and creates a duplicate of the array in src.
*/
MPArray MPArray_dup (const_MPArray src);
/*
* Copies array from src to dst. Arrays must have the same length.
*/
SECStatus MPArray_copy (MPArray dst, const_MPArray src);
/* For each index i into the array, set:
* dst[i] = dst[i] + to_add[i] (modulo mod)
*/
SECStatus MPArray_addmod (MPArray dst, const_MPArray to_add,
const mp_int *mod);
/*
* Return true iff the two arrays are equal in length
* and contents. This comparison is NOT constant time.
*/
bool MPArray_areEqual (const_MPArray arr1, const_MPArray arr2);
#endif /* __MPARRAY_H__ */

8226
third_party/prio/prio/params.h поставляемый Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

188
third_party/prio/prio/poly.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,188 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include "config.h"
#include "poly.h"
#include "util.h"
/*
* A nice exposition of the recursive FFT/DFT algorithm we implement
* is in the book:
*
* "Modern Computer Algebra"
* by Von zur Gathen and Gerhard.
* Cambridge University Press, 2013.
*
* They present this algorithm as Algorithm 8.14.
*/
static SECStatus
fft_recurse (mp_int *out, const mp_int *mod, int n,
const mp_int *roots, const mp_int *ys,
mp_int *tmp, mp_int *ySub, mp_int *rootsSub)
{
if (n == 1) {
MP_CHECK (mp_copy (&ys[0], &out[0]));
return SECSuccess;
}
// Recurse on the first half
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_addmod (&ys[i], &ys[i+(n/2)], mod, &ySub[i]));
MP_CHECK (mp_copy (&roots[2*i], &rootsSub[i]));
}
MP_CHECK (fft_recurse (tmp, mod, n/2, rootsSub, ySub, &tmp[n/2], &ySub[n/2], &rootsSub[n/2]));
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_copy (&tmp[i], &out[2*i]));
}
// Recurse on the second half
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_submod (&ys[i], &ys[i+(n/2)], mod, &ySub[i]));
MP_CHECK (mp_mulmod (&ySub[i], &roots[i], mod, &ySub[i]));
}
MP_CHECK (fft_recurse (tmp, mod, n/2, rootsSub, ySub, &tmp[n/2], &ySub[n/2], &rootsSub[n/2]));
for (int i=0; i<n/2; i++) {
MP_CHECK (mp_copy (&tmp[i], &out[2*i + 1]));
}
return SECSuccess;
}
static SECStatus
fft_interpolate_raw (mp_int *out,
const mp_int *ys, int nPoints, const mp_int *roots,
const mp_int *mod, bool invert)
{
SECStatus rv = SECSuccess;
mp_int tmp[nPoints];
mp_int ySub[nPoints];
mp_int rootsSub[nPoints];
for (int i=0; i<nPoints;i++) {
MP_DIGITS (&tmp[i]) = NULL;
MP_DIGITS (&ySub[i]) = NULL;
MP_DIGITS (&rootsSub[i]) = NULL;
}
mp_int n_inverse;
MP_DIGITS (&n_inverse) = NULL;
for (int i=0; i<nPoints;i++) {
MP_CHECKC (mp_init (&tmp[i]));
MP_CHECKC (mp_init (&ySub[i]));
MP_CHECKC (mp_init (&rootsSub[i]));
}
MP_CHECK (fft_recurse(out, mod, nPoints, roots, ys, tmp, ySub, rootsSub));
if (invert) {
MP_CHECKC (mp_init (&n_inverse));
mp_set (&n_inverse, nPoints);
MP_CHECKC (mp_invmod (&n_inverse, mod, &n_inverse));
for (int i=0; i<nPoints;i++) {
MP_CHECKC (mp_mulmod(&out[i], &n_inverse, mod, &out[i]));
}
}
cleanup:
mp_clear (&n_inverse);
for (int i=0; i<nPoints;i++) {
mp_clear(&tmp[i]);
mp_clear(&ySub[i]);
mp_clear(&rootsSub[i]);
}
return rv;
}
/*
* The PrioConfig object has a list of N-th roots of unity for large N.
* This routine returns the n-th roots of unity for n < N, where n is
* a power of two. If the `invert` flag is set, it returns the inverses
* of the n-th roots of unity.
*/
SECStatus
poly_fft_get_roots (mp_int *roots_out, int n_points, const_PrioConfig cfg, bool invert)
{
if (n_points > cfg->n_roots)
return SECFailure;
const mp_int *roots_in = invert ? cfg->rootsInv->data : cfg->roots->data;
const int step_size = cfg->n_roots / n_points;
for (int i=0; i < n_points; i++) {
roots_out[i] = roots_in[i * step_size];
}
return SECSuccess;
}
SECStatus
poly_fft (MPArray points_out, const_MPArray points_in,
const_PrioConfig cfg, bool invert)
{
SECStatus rv = SECSuccess;
const int n_points = points_in->len;
if (points_out->len != points_in->len)
return SECFailure;
if (n_points > cfg->n_roots)
return SECFailure;
if (cfg->n_roots % n_points != 0)
return SECFailure;
mp_int scaled_roots[n_points];
P_CHECK (poly_fft_get_roots (scaled_roots, n_points, cfg, invert));
MP_CHECK (fft_interpolate_raw (points_out->data, points_in->data, n_points,
scaled_roots, &cfg->modulus, invert));
return SECSuccess;
}
SECStatus
poly_eval (mp_int *value, const_MPArray coeffs, const mp_int *eval_at,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
const int n = coeffs->len;
// Use Horner's method to evaluate the polynomial at the point
// `eval_at`
mp_copy (&coeffs->data[n-1], value);
for (int i=n-2; i >= 0; i--) {
MP_CHECK (mp_mulmod (value, eval_at, &cfg->modulus, value));
MP_CHECK (mp_addmod (value, &coeffs->data[i], &cfg->modulus, value));
}
return rv;
}
SECStatus
poly_interp_evaluate (mp_int *value, const_MPArray poly_points,
const mp_int *eval_at, const_PrioConfig cfg)
{
SECStatus rv;
MPArray coeffs = NULL;
const int N = poly_points->len;
mp_int roots[N];
P_CHECKA (coeffs = MPArray_new (N));
P_CHECKC (poly_fft_get_roots (roots, N, cfg, false));
// Interpolate polynomial through roots of unity
P_CHECKC (poly_fft (coeffs, poly_points, cfg, true))
P_CHECKC (poly_eval (value, coeffs, eval_at, cfg));
cleanup:
MPArray_clear (coeffs);
return rv;
}

59
third_party/prio/prio/poly.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,59 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef _FFT__H
#define _FFT__H
#include <mpi.h>
#include <mprio.h>
#include <stdbool.h>
#include "mparray.h"
/*
* Compute the FFT or inverse FFT of the array in `points_in`.
* The length of the input and output arrays must be a multiple
* of two and must be no longer than the number of precomputed
* roots in the PrioConfig object passed in.
*/
SECStatus poly_fft(MPArray points_out, const_MPArray points_in,
const_PrioConfig cfg, bool invert);
/*
* Get an array
* (r^0, r^1, r^2, ... )
* where r is an n-th root of unity, for n a power of two
* less than cfg->n_roots.
*
* Do NOT mp_clear() the mp_ints stored in roots_out.
* These are owned by the PrioConfig object.
*/
SECStatus poly_fft_get_roots (mp_int *roots_out, int n_points,
const_PrioConfig cfg, bool invert);
/*
* Evaluate the polynomial specified by the coefficients
* at the point `eval_at` and return the result as `value`.
*/
SECStatus poly_eval (mp_int *value, const_MPArray coeffs,
const mp_int *eval_at, const_PrioConfig cfg);
/*
* Interpolate the polynomial through the points
* (x_1, y_1), ..., (x_N, y_N),
* where x_i is an N-th root of unity and the y_i values are
* specified by `poly_points`. Evaluate the resulting polynomial
* at the point `eval_at`. Return the result as `value`.
*/
SECStatus poly_interp_evaluate (mp_int *value, const_MPArray poly_points,
const mp_int *eval_at, const_PrioConfig cfg);
#endif

156
third_party/prio/prio/prg.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,156 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <nss/blapit.h>
#include <nss/pk11pub.h>
#include <string.h>
#include "prg.h"
#include "rand.h"
#include "share.h"
#include "util.h"
struct prg {
PK11SlotInfo *slot;
PK11SymKey *key;
PK11Context *ctx;
};
SECStatus
PrioPRGSeed_randomize (PrioPRGSeed *key)
{
return rand_bytes ((unsigned char *)key, PRG_SEED_LENGTH);
}
PRG
PRG_new (const PrioPRGSeed key_in)
{
PRG prg = malloc (sizeof (struct prg));
if (!prg) return NULL;
prg->slot = NULL;
prg->key = NULL;
prg->ctx = NULL;
SECStatus rv = SECSuccess;
const CK_MECHANISM_TYPE cipher = CKM_AES_CTR;
P_CHECKA (prg->slot = PK11_GetInternalSlot ());
// Create a mutable copy of the key.
PrioPRGSeed key_mut;
memcpy (key_mut, key_in, PRG_SEED_LENGTH);
SECItem keyItem = {siBuffer, key_mut, PRG_SEED_LENGTH};
// The IV can be all zeros since we only encrypt once with
// each AES key.
CK_AES_CTR_PARAMS param = {128, {}};
SECItem paramItem = {siBuffer, (void *)&param, sizeof(CK_AES_CTR_PARAMS)};
P_CHECKA (prg->key = PK11_ImportSymKey (prg->slot, cipher, PK11_OriginUnwrap,
CKA_ENCRYPT, &keyItem, NULL));
P_CHECKA (prg->ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT,
prg->key, &paramItem));
cleanup:
if (rv != SECSuccess) {
PRG_clear (prg);
prg = NULL;
}
return prg;
}
void
PRG_clear (PRG prg)
{
if (!prg) return;
if (prg->key)
PK11_FreeSymKey (prg->key);
if (prg->slot)
PK11_FreeSlot (prg->slot);
if (prg->ctx)
PK11_DestroyContext (prg->ctx, PR_TRUE);
free (prg);
}
static SECStatus
PRG_get_bytes_internal (void *prg_vp, unsigned char *bytes, size_t len)
{
PRG prg = (PRG)prg_vp;
unsigned char in[len];
memset (in, 0, len);
int outlen;
SECStatus rv = PK11_CipherOp (prg->ctx, bytes, &outlen, len, in, len);
return (rv != SECSuccess || (size_t)outlen != len) ? SECFailure: SECSuccess;
}
SECStatus
PRG_get_bytes (PRG prg, unsigned char *bytes, size_t len)
{
return PRG_get_bytes_internal ((void *)prg, bytes, len);
}
SECStatus
PRG_get_int (PRG prg, mp_int *out, const mp_int *max)
{
return rand_int_rng (out, max, &PRG_get_bytes_internal, (void *)prg);
}
SECStatus
PRG_get_array (PRG prg, MPArray dst, const mp_int *mod)
{
SECStatus rv;
for (int i=0; i<dst->len; i++) {
P_CHECK (PRG_get_int (prg, &dst->data[i], mod));
}
return SECSuccess;
}
SECStatus
PRG_share_int (PRG prgB, mp_int *shareA, const mp_int *src, const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&tmp));
P_CHECKC (PRG_get_int (prgB, &tmp, &cfg->modulus));
MP_CHECKC (mp_submod (src, &tmp, &cfg->modulus, shareA));
cleanup:
mp_clear (&tmp);
return rv;
}
SECStatus
PRG_share_array (PRG prgB, MPArray arrA,
const_MPArray src, const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
if (arrA->len != src->len)
return SECFailure;
const int len = src->len;
for (int i=0; i < len; i++) {
P_CHECK(PRG_share_int (prgB, &arrA->data[i], &src->data[i], cfg));
}
return rv;
}

62
third_party/prio/prio/prg.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,62 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __PRG_H__
#define __PRG_H__
#include <mpi.h>
#include <nss/blapit.h>
#include <stdlib.h>
#include "config.h"
typedef struct prg *PRG;
typedef const struct prg *const_PRG;
/*
* Initialize or destroy a pseudo-random generator.
*/
PRG PRG_new (const PrioPRGSeed key);
void PRG_clear (PRG prg);
/*
* Produce the next bytes of output from the PRG.
*/
SECStatus PRG_get_bytes (PRG prg, unsigned char *bytes, size_t len);
/*
* Use the PRG output to sample a big integer x in the range
* 0 <= x < max.
*/
SECStatus PRG_get_int (PRG prg, mp_int *out, const mp_int *max);
/*
* Use secret sharing to split the int src into two shares.
* Use PRG to generate the value `shareB`.
* The mp_ints must be initialized.
*/
SECStatus PRG_share_int (PRG prg, mp_int *shareA, const mp_int *src,
const_PrioConfig cfg);
/*
* Set each item in the array to a pseudorandom value in the range
* [0, mod), where the values are generated using the PRG.
*/
SECStatus PRG_get_array (PRG prg, MPArray arr, const mp_int *mod);
/*
* Secret shares the array in `src` into `arrA` using randomness
* provided by `prgB`. The arrays `src` and `arrA` must be the same
* length.
*/
SECStatus PRG_share_array (PRG prgB, MPArray arrA,
const_MPArray src, const_PrioConfig cfg);
#endif /* __PRG_H__ */

132
third_party/prio/prio/rand.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,132 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <limits.h>
#include <mprio.h>
#include <nss/nss.h>
#include <nss/pk11pub.h>
#include <nspr/prinit.h>
#include "debug.h"
#include "rand.h"
#include "util.h"
#define CHUNK_SIZE 8192
static NSSInitContext *prioGlobalContext = NULL;
SECStatus
rand_init (void)
{
if (prioGlobalContext)
return SECSuccess;
prioGlobalContext = NSS_InitContext ("", "", "", "", NULL,
NSS_INIT_READONLY |
NSS_INIT_NOCERTDB |
NSS_INIT_NOMODDB |
NSS_INIT_FORCEOPEN |
NSS_INIT_NOROOTINIT);
return (prioGlobalContext != NULL) ? SECSuccess : SECFailure;
}
static SECStatus
rand_bytes_internal (void *user_data, unsigned char *out, size_t n_bytes)
{
// No pointer should ever be passed in.
if (user_data != NULL)
return SECFailure;
if (!NSS_IsInitialized ()) {
PRIO_DEBUG ("NSS not initialized. Call rand_init() first.");
return SECFailure;
}
SECStatus rv = SECFailure;
int to_go = n_bytes;
unsigned char *cp = out;
while (to_go) {
int to_gen = MIN (CHUNK_SIZE, to_go);
if ((rv = PK11_GenerateRandom (cp, to_gen)) != SECSuccess)
{
PRIO_DEBUG ("Error calling PK11_GenerateRandom");
return SECFailure;
}
cp += CHUNK_SIZE;
to_go -= to_gen;
}
return rv;
}
SECStatus
rand_bytes (unsigned char *out, size_t n_bytes)
{
return rand_bytes_internal (NULL, out, n_bytes);
}
SECStatus
rand_int (mp_int *out, const mp_int *max)
{
return rand_int_rng (out, max, &rand_bytes_internal, NULL);
}
SECStatus
rand_int_rng (mp_int *out, const mp_int *max,
RandBytesFunc rng_func, void *user_data)
{
SECStatus rv = SECSuccess;
// Ensure max value is > 0
if (mp_cmp_z (max) == 0)
return SECFailure;
// Compute max-1, which tells us the largest
// value we will ever need to generate.
MP_CHECK (mp_sub_d (max, 1, out));
const int nbytes = mp_unsigned_octet_size (out);
// Figure out how many MSBs we need to get in the
// most-significant byte.
unsigned char max_bytes[nbytes];
MP_CHECK (mp_to_fixlen_octets (out, max_bytes, nbytes));
const unsigned char mask = msb_mask (max_bytes[0]);
// Buffer to store the pseudo-random bytes
unsigned char buf[nbytes];
do {
// Use rejection sampling to find a value strictly less than max.
P_CHECK (rng_func (user_data, buf, nbytes));
// Mask off high-order bits that we will never need.
P_CHECK (rng_func (user_data, &buf[0], 1));
if (mask) buf[0] &= mask;
MP_CHECK (mp_read_unsigned_octets (out, buf, nbytes));
} while (mp_cmp (out, max) != -1);
return 0;
}
void
rand_clear (void)
{
if (prioGlobalContext) {
NSS_ShutdownContext (prioGlobalContext);
#ifdef DO_PR_CLEANUP
PR_Cleanup ();
#endif
}
prioGlobalContext = NULL;
}

54
third_party/prio/prio/rand.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,54 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __RAND_H__
#define __RAND_H__
#include <mpi.h>
#include <nss/seccomon.h>
#include <stdlib.h>
/*
* Typedef for function pointer. A function pointer of type RandBytesFunc
* points to a function that fills the buffer `out` of with `len` random bytes.
*/
typedef SECStatus (*RandBytesFunc) (void *user_data, unsigned char *out, size_t len);
/*
* Initialize or cleanup the global random number generator
* state that NSS uses.
*/
SECStatus rand_init (void);
void rand_clear (void);
/*
* Generate the specified number of random bytes using the
* NSS random number generator.
*/
SECStatus rand_bytes (unsigned char *out, size_t n_bytes);
/*
* Generate a random number x such that
* 0 <= x < max
* using the NSS random number generator.
*/
SECStatus rand_int (mp_int *out, const mp_int *max);
/*
* Generate a random number x such that
* 0 <= x < max
* using the specified randomness generator.
*
* The pointer user_data is passed to RandBytesFung `rng` as a first
* argument.
*/
SECStatus rand_int_rng (mp_int *out, const mp_int *max,
RandBytesFunc rng, void *user_data);
#endif /* __RAND_H__ */

442
third_party/prio/prio/serial.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,442 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <msgpack.h>
#include "client.h"
#include "serial.h"
#include "server.h"
#include "share.h"
#include "util.h"
#define MSGPACK_OK 0
static SECStatus
serial_write_mp_int (msgpack_packer *pk, const mp_int *n)
{
SECStatus rv = SECSuccess;
unsigned int n_size = mp_unsigned_octet_size (n);
unsigned char data[n_size];
MP_CHECK (mp_to_fixlen_octets (n, data, n_size));
P_CHECK (msgpack_pack_str (pk, n_size));
P_CHECK (msgpack_pack_str_body (pk, data, n_size));
return rv;
}
static SECStatus
object_to_mp_int (msgpack_object *obj, mp_int *n, const mp_int *max)
{
SECStatus rv = SECSuccess;
P_CHECKCB (obj != NULL);
P_CHECKCB (obj->type == MSGPACK_OBJECT_STR);
P_CHECKCB (n != NULL);
msgpack_object_str s = obj->via.str;
P_CHECKCB (s.ptr != NULL);
MP_CHECKC (mp_read_unsigned_octets (n, (unsigned char *)s.ptr, s.size));
P_CHECKCB (mp_cmp_z (n) >= 0);
P_CHECKCB (mp_cmp (n, max) < 0);
cleanup:
return rv;
}
static SECStatus
serial_read_mp_int (msgpack_unpacker *upk, mp_int *n, const mp_int *max)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (n != NULL);
P_CHECKCB (max != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
msgpack_object obj = res.data;
P_CHECKC (object_to_mp_int (&obj, n, max));
cleanup:
msgpack_unpacked_destroy (&res);
return rv;
}
static SECStatus
serial_read_int (msgpack_unpacker *upk, int *n)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (n != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
msgpack_object obj = res.data;
P_CHECKCB (obj.type == MSGPACK_OBJECT_POSITIVE_INTEGER);
*n = obj.via.i64;
cleanup:
msgpack_unpacked_destroy (&res);
return rv;
}
static SECStatus
serial_write_mp_array (msgpack_packer *pk, const_MPArray arr)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (arr != NULL);
P_CHECK (msgpack_pack_array (pk, arr->len));
for (int i = 0; i < arr->len; i++) {
P_CHECK (serial_write_mp_int (pk, &arr->data[i]));
}
cleanup:
return rv;
}
static SECStatus
serial_read_mp_array (msgpack_unpacker *upk, MPArray arr, size_t len, const mp_int
*max)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (arr != NULL);
P_CHECKCB (max != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
msgpack_object obj = res.data;
P_CHECKCB (obj.type == MSGPACK_OBJECT_ARRAY);
msgpack_object_array objarr = obj.via.array;
P_CHECKCB (objarr.size == len);
P_CHECKC (MPArray_resize (arr, len));
for (unsigned int i=0; i<len; i++) {
P_CHECKC (object_to_mp_int (&objarr.ptr[i], &arr->data[i], max));
}
cleanup:
msgpack_unpacked_destroy (&res);
return rv;
}
static SECStatus
serial_write_beaver_triple (msgpack_packer *pk, const_BeaverTriple t)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (t != NULL);
P_CHECK (serial_write_mp_int (pk, &t->a));
P_CHECK (serial_write_mp_int (pk, &t->b));
P_CHECK (serial_write_mp_int (pk, &t->c));
cleanup:
return rv;
}
static SECStatus
serial_read_beaver_triple (msgpack_unpacker *pk, BeaverTriple t, const mp_int *max)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (t != NULL);
P_CHECKCB (max != NULL);
P_CHECK (serial_read_mp_int (pk, &t->a, max));
P_CHECK (serial_read_mp_int (pk, &t->b, max));
P_CHECK (serial_read_mp_int (pk, &t->c, max));
cleanup:
return rv;
}
static SECStatus
serial_write_server_a_data (msgpack_packer *pk, const struct server_a_data *A)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (A != NULL);
P_CHECK (serial_write_mp_array (pk, A->data_shares));
P_CHECK (serial_write_mp_array (pk, A->h_points));
cleanup:
return rv;
}
static SECStatus
serial_read_server_a_data (msgpack_unpacker *upk, struct server_a_data *A,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (A != NULL);
P_CHECK (serial_read_mp_array (upk, A->data_shares, cfg->num_data_fields,
&cfg->modulus));
P_CHECK (serial_read_mp_array (upk, A->h_points, PrioConfig_hPoints (cfg),
&cfg->modulus));
cleanup:
return rv;
}
static SECStatus
serial_write_prg_seed (msgpack_packer *pk, const PrioPRGSeed *seed)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (seed != NULL);
P_CHECK (msgpack_pack_str (pk, PRG_SEED_LENGTH));
P_CHECK (msgpack_pack_str_body (pk, seed, PRG_SEED_LENGTH));
cleanup:
return rv;
}
static SECStatus
serial_read_prg_seed (msgpack_unpacker *upk, PrioPRGSeed *seed)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (seed != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
msgpack_object obj = res.data;
P_CHECKCB (obj.type == MSGPACK_OBJECT_STR);
msgpack_object_str s = obj.via.str;
P_CHECKCB (s.size == PRG_SEED_LENGTH);
memcpy (seed, s.ptr, PRG_SEED_LENGTH);
cleanup:
msgpack_unpacked_destroy (&res);
return rv;
}
static SECStatus
serial_write_server_b_data (msgpack_packer *pk, const struct server_b_data *B)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (B != NULL);
rv = serial_write_prg_seed (pk, &B->seed);
cleanup:
return rv;
}
static SECStatus
serial_read_server_b_data (msgpack_unpacker *upk, struct server_b_data *B)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (B != NULL);
rv =serial_read_prg_seed (upk, &B->seed);
cleanup:
return rv;
}
SECStatus
serial_write_packet_client (msgpack_packer *pk, const_PrioPacketClient p,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (p != NULL);
P_CHECK (msgpack_pack_str (pk, cfg->batch_id_len));
P_CHECK (msgpack_pack_str_body (pk, cfg->batch_id, cfg->batch_id_len));
P_CHECK (serial_write_beaver_triple (pk, p->triple));
P_CHECK (serial_write_mp_int (pk, &p->f0_share));
P_CHECK (serial_write_mp_int (pk, &p->g0_share));
P_CHECK (serial_write_mp_int (pk, &p->h0_share));
P_CHECK (msgpack_pack_int (pk, p->for_server));
switch (p->for_server) {
case PRIO_SERVER_A:
P_CHECK (serial_write_server_a_data (pk, &p->shares.A));
break;
case PRIO_SERVER_B:
P_CHECK (serial_write_server_b_data (pk, &p->shares.B));
break;
default:
return SECFailure;
}
cleanup:
return rv;
}
SECStatus
serial_read_server_id (msgpack_unpacker *upk, PrioServerId *s)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (s != NULL);
int serv;
P_CHECK (serial_read_int (upk, &serv));
P_CHECKCB (serv == PRIO_SERVER_A || serv == PRIO_SERVER_B);
*s = serv;
cleanup:
return rv;
}
SECStatus
serial_read_packet_client (msgpack_unpacker *upk, PrioPacketClient p,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (p != NULL);
msgpack_unpacked res;
msgpack_unpacked_init (&res);
UP_CHECK (msgpack_unpacker_next (upk, &res))
msgpack_object obj = res.data;
P_CHECKCB (obj.type == MSGPACK_OBJECT_STR);
msgpack_object_str s = obj.via.str;
P_CHECKCB (s.size == cfg->batch_id_len);
P_CHECKCB (!memcmp (s.ptr, (char *)cfg->batch_id, cfg->batch_id_len));
P_CHECK (serial_read_beaver_triple (upk, p->triple, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->f0_share, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->g0_share, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->h0_share, &cfg->modulus));
P_CHECK (serial_read_server_id (upk, &p->for_server));
switch (p->for_server) {
case PRIO_SERVER_A:
P_CHECK (serial_read_server_a_data (upk, &p->shares.A, cfg));
break;
case PRIO_SERVER_B:
P_CHECK (serial_read_server_b_data (upk, &p->shares.B));
break;
default:
return SECFailure;
}
cleanup:
msgpack_unpacked_destroy (&res);
return rv;
}
SECStatus
PrioPacketVerify1_write (const_PrioPacketVerify1 p, msgpack_packer *pk)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (p != NULL);
P_CHECK (serial_write_mp_int (pk, &p->share_d));
P_CHECK (serial_write_mp_int (pk, &p->share_e));
cleanup:
return rv;
}
SECStatus
PrioPacketVerify1_read (PrioPacketVerify1 p, msgpack_unpacker *upk,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (p != NULL);
P_CHECK (serial_read_mp_int (upk, &p->share_d, &cfg->modulus));
P_CHECK (serial_read_mp_int (upk, &p->share_e, &cfg->modulus));
cleanup:
return rv;
}
SECStatus
PrioPacketVerify2_write (const_PrioPacketVerify2 p, msgpack_packer *pk)
{
SECStatus rv = SECSuccess;
P_CHECKCB (pk != NULL);
P_CHECKCB (p != NULL);
P_CHECK (serial_write_mp_int (pk, &p->share_out));
cleanup:
return rv;
}
SECStatus
PrioPacketVerify2_read (PrioPacketVerify2 p, msgpack_unpacker *upk,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (upk != NULL);
P_CHECKCB (p != NULL);
P_CHECK (serial_read_mp_int (upk, &p->share_out, &cfg->modulus));
cleanup:
return rv;
}
SECStatus
PrioTotalShare_write (const_PrioTotalShare t, msgpack_packer *pk)
{
SECStatus rv = SECSuccess;
P_CHECKCB (t != NULL);
P_CHECKCB (pk != NULL);
P_CHECK (msgpack_pack_int (pk, t->idx));
P_CHECK (serial_write_mp_array (pk, t->data_shares));
cleanup:
return rv;
}
SECStatus
PrioTotalShare_read (PrioTotalShare t, msgpack_unpacker *upk,
const_PrioConfig cfg)
{
SECStatus rv = SECSuccess;
P_CHECKCB (t != NULL);
P_CHECKCB (upk != NULL);
P_CHECK (serial_read_server_id (upk, &t->idx));
P_CHECK (serial_read_mp_array (upk, t->data_shares, cfg->num_data_fields,
&cfg->modulus));
cleanup:
return rv;
}

21
third_party/prio/prio/serial.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,21 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __SERIAL_H__
#define __SERIAL_H__
#include <mprio.h>
SECStatus serial_write_packet_client (msgpack_packer *pk, const_PrioPacketClient p,
const_PrioConfig cfg);
SECStatus serial_read_packet_client (msgpack_unpacker *upk, PrioPacketClient p,
const_PrioConfig cfg);
#endif /* __SERIAL_H__ */

481
third_party/prio/prio/server.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,481 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include <mprio.h>
#include <stdio.h>
#include <stdlib.h>
#include "client.h"
#include "prg.h"
#include "poly.h"
#include "mparray.h"
#include "server.h"
#include "util.h"
PrioServer
PrioServer_new (const_PrioConfig cfg, PrioServerId server_idx,
PrivateKey server_priv, const PrioPRGSeed seed)
{
SECStatus rv = SECSuccess;
PrioServer s = malloc (sizeof (*s));
if (!s) return NULL;
s->cfg = cfg;
s->idx = server_idx;
s->priv_key = server_priv;
s->data_shares = NULL;
s->prg = NULL;
P_CHECKA (s->data_shares = MPArray_new (s->cfg->num_data_fields));
P_CHECKA (s->prg = PRG_new (seed));
cleanup:
if (rv != SECSuccess) {
PrioServer_clear (s);
return NULL;
}
return s;
}
void
PrioServer_clear (PrioServer s)
{
if (!s) return;
PRG_clear (s->prg);
MPArray_clear (s->data_shares);
free(s);
}
SECStatus
PrioServer_aggregate (PrioServer s, PrioVerifier v)
{
MPArray arr = NULL;
switch (s->idx) {
case PRIO_SERVER_A:
arr = v->clientp->shares.A.data_shares;
break;
case PRIO_SERVER_B:
arr = v->data_sharesB;
break;
default:
// Should never get here
return SECFailure;
}
return MPArray_addmod (s->data_shares, arr, &s->cfg->modulus);
}
PrioTotalShare
PrioTotalShare_new (void)
{
PrioTotalShare t = malloc (sizeof (*t));
if (!t) return NULL;
t->data_shares = MPArray_new (0);
if (!t->data_shares) {
free (t);
return NULL;
}
return t;
}
void
PrioTotalShare_clear (PrioTotalShare t)
{
if (!t) return;
MPArray_clear (t->data_shares);
free (t);
}
SECStatus
PrioTotalShare_set_data (PrioTotalShare t, const_PrioServer s)
{
t->idx = s->idx;
SECStatus rv = SECSuccess;
P_CHECK (MPArray_resize (t->data_shares, s->data_shares->len));
P_CHECK (MPArray_copy (t->data_shares, s->data_shares));
return rv;
}
SECStatus
PrioTotalShare_final (const_PrioConfig cfg,
unsigned long *output,
const_PrioTotalShare tA, const_PrioTotalShare tB)
{
if (tA->data_shares->len != cfg->num_data_fields)
return SECFailure;
if (tA->data_shares->len != tB->data_shares->len)
return SECFailure;
if (tA->idx != PRIO_SERVER_A || tB->idx != PRIO_SERVER_B)
return SECFailure;
SECStatus rv = SECSuccess;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&tmp));
for (int i=0; i<cfg->num_data_fields; i++) {
MP_CHECKC (mp_addmod(&tA->data_shares->data[i], &tB->data_shares->data[i],
&cfg->modulus, &tmp));
output[i] = tmp.dp[0];
}
cleanup:
mp_clear (&tmp);
return rv;
}
inline static mp_int *
get_data_share (const_PrioVerifier v, int i) {
switch (v->s->idx) {
case PRIO_SERVER_A:
return &v->clientp->shares.A.data_shares->data[i];
case PRIO_SERVER_B:
return &v->data_sharesB->data[i];
}
// Should never get here
return NULL;
}
inline static mp_int *
get_h_share (const_PrioVerifier v, int i) {
switch (v->s->idx) {
case PRIO_SERVER_A:
return &v->clientp->shares.A.h_points->data[i];
case PRIO_SERVER_B:
return &v->h_pointsB->data[i];
}
// Should never get here
return NULL;
}
/*
* Build shares of the polynomials f, g, and h used in the Prio verification
* routine and evalute these polynomials at a random point determined
* by the shared secret. Store the evaluations in the verifier object.
*/
static SECStatus
compute_shares (PrioVerifier v, const_PrioPacketClient p)
{
SECStatus rv;
const int n = v->s->cfg->num_data_fields + 1;
const int N = next_power_of_two (n);
mp_int eval_at;
MP_DIGITS (&eval_at) = NULL;
MPArray points_f = NULL;
MPArray points_g = NULL;
MPArray points_h = NULL;
MP_CHECKC (mp_init (&eval_at));
P_CHECKA (points_f = MPArray_new (N));
P_CHECKA (points_g = MPArray_new (N));
P_CHECKA (points_h = MPArray_new (2*N));
// Use PRG to generate random point
MP_CHECKC (PRG_get_int (v->s->prg, &eval_at, &v->s->cfg->modulus));
// Reduce value into the field we're using. This
// doesn't yield exactly a uniformly random point,
// but for values this large, it will be close
// enough.
MP_CHECKC (mp_mod (&eval_at, &v->s->cfg->modulus, &eval_at));
// Client sends us the values of f(0) and g(0)
MP_CHECKC (mp_copy(&p->f0_share, &points_f->data[0]));
MP_CHECKC (mp_copy(&p->g0_share, &points_g->data[0]));
MP_CHECKC (mp_copy(&p->h0_share, &points_h->data[0]));
for (int i=1; i<n; i++) {
// [f](i) = i-th data share
const mp_int *data_i_minus_1 = get_data_share(v, i-1);
MP_CHECKC (mp_copy(data_i_minus_1, &points_f->data[i]));
// [g](i) = i-th data share minus 1
// Only need to shift the share for 0-th server
MP_CHECKC (mp_copy(&points_f->data[i], &points_g->data[i]));
if (!v->s->idx) {
MP_CHECKC (mp_sub_d(&points_g->data[i], 1, &points_g->data[i]));
MP_CHECKC (mp_mod(&points_g->data[i], &v->s->cfg->modulus, &points_g->data[i]));
}
}
int j = 0;
for (int i=1; i<2*N; i+=2) {
const mp_int *h_point_j = get_h_share (v, j++);
MP_CHECKC (mp_copy(h_point_j, &points_h->data[i]));
}
P_CHECKC (poly_interp_evaluate (&v->share_fR, points_f, &eval_at, v->s->cfg));
P_CHECKC (poly_interp_evaluate (&v->share_gR, points_g, &eval_at, v->s->cfg));
P_CHECKC (poly_interp_evaluate (&v->share_hR, points_h, &eval_at, v->s->cfg));
cleanup:
MPArray_clear (points_f);
MPArray_clear (points_g);
MPArray_clear (points_h);
mp_clear (&eval_at);
return rv;
}
PrioVerifier PrioVerifier_new (PrioServer s)
{
SECStatus rv = SECSuccess;
PrioVerifier v = malloc (sizeof *v);
if (!v) return NULL;
v->s = s;
v->clientp = NULL;
v->data_sharesB = NULL;
v->h_pointsB = NULL;
MP_DIGITS (&v->share_fR) = NULL;
MP_DIGITS (&v->share_gR) = NULL;
MP_DIGITS (&v->share_hR) = NULL;
MP_CHECKC (mp_init (&v->share_fR));
MP_CHECKC (mp_init (&v->share_gR));
MP_CHECKC (mp_init (&v->share_hR));
P_CHECKA (v->clientp = PrioPacketClient_new (s->cfg, s->idx));
const int N = next_power_of_two (s->cfg->num_data_fields + 1);
if (v->s->idx == PRIO_SERVER_B) {
P_CHECKA (v->data_sharesB = MPArray_new (v->s->cfg->num_data_fields));
P_CHECKA (v->h_pointsB = MPArray_new (N));
}
cleanup:
if (rv != SECSuccess) {
PrioVerifier_clear (v);
return NULL;
}
return v;
}
SECStatus
PrioVerifier_set_data (PrioVerifier v, unsigned char *data, unsigned int data_len)
{
SECStatus rv = SECSuccess;
PRG prgB = NULL;
P_CHECKC (PrioPacketClient_decrypt (v->clientp, v->s->cfg,
v->s->priv_key, data, data_len));
PrioPacketClient p = v->clientp;
if (p->for_server != v->s->idx)
return SECFailure;
const int N = next_power_of_two (v->s->cfg->num_data_fields + 1);
if (v->s->idx == PRIO_SERVER_A) {
// Check that packet has the correct number of data fields
if (p->shares.A.data_shares->len != v->s->cfg->num_data_fields)
return SECFailure;
if (p->shares.A.h_points->len != N)
return SECFailure;
}
if (v->s->idx == PRIO_SERVER_B) {
P_CHECKA (prgB = PRG_new (v->clientp->shares.B.seed));
P_CHECKC (PRG_get_array (prgB, v->data_sharesB, &v->s->cfg->modulus));
P_CHECKC (PRG_get_array (prgB, v->h_pointsB, &v->s->cfg->modulus));
}
// TODO: This can be done much faster by using the combined
// interpolate-and-evaluate optimization described in the
// Prio paper.
//
// Compute share of f(r), g(r), h(r)
P_CHECKC (compute_shares (v, p));
cleanup:
PRG_clear (prgB);
return rv;
}
void PrioVerifier_clear (PrioVerifier v)
{
if (v == NULL) return;
PrioPacketClient_clear (v->clientp);
MPArray_clear (v->data_sharesB);
MPArray_clear (v->h_pointsB);
mp_clear (&v->share_fR);
mp_clear (&v->share_gR);
mp_clear (&v->share_hR);
free (v);
}
PrioPacketVerify1
PrioPacketVerify1_new (void)
{
SECStatus rv = SECSuccess;
PrioPacketVerify1 p = malloc (sizeof *p);
if (!p) return NULL;
MP_DIGITS (&p->share_d) = NULL;
MP_DIGITS (&p->share_e) = NULL;
MP_CHECKC (mp_init (&p->share_d));
MP_CHECKC (mp_init (&p->share_e));
cleanup:
if (rv != SECSuccess) {
PrioPacketVerify1_clear (p);
return NULL;
}
return p;
}
void
PrioPacketVerify1_clear (PrioPacketVerify1 p)
{
if (!p) return;
mp_clear (&p->share_d);
mp_clear (&p->share_e);
free (p);
}
SECStatus
PrioPacketVerify1_set_data (PrioPacketVerify1 p1, const_PrioVerifier v)
{
// See the Prio paper for details on how this works.
// Appendix C descrives the MPC protocol used here.
SECStatus rv = SECSuccess;
// Compute corrections.
// [d] = [f(r)] - [a]
MP_CHECK (mp_sub (&v->share_fR, &v->clientp->triple->a, &p1->share_d));
MP_CHECK (mp_mod (&p1->share_d, &v->s->cfg->modulus, &p1->share_d));
// [e] = [g(r)] - [b]
MP_CHECK (mp_sub (&v->share_gR, &v->clientp->triple->b, &p1->share_e));
MP_CHECK (mp_mod (&p1->share_e, &v->s->cfg->modulus, &p1->share_e));
return rv;
}
PrioPacketVerify2
PrioPacketVerify2_new (void)
{
SECStatus rv = SECSuccess;
PrioPacketVerify2 p = malloc (sizeof *p);
if (!p) return NULL;
MP_DIGITS (&p->share_out) = NULL;
MP_CHECKC (mp_init (&p->share_out));
cleanup:
if (rv != SECSuccess) {
PrioPacketVerify2_clear (p);
return NULL;
}
return p;
}
void
PrioPacketVerify2_clear (PrioPacketVerify2 p)
{
if (!p) return;
mp_clear (&p->share_out);
free (p);
}
SECStatus
PrioPacketVerify2_set_data (PrioPacketVerify2 p2, const_PrioVerifier v,
const_PrioPacketVerify1 p1A, const_PrioPacketVerify1 p1B)
{
SECStatus rv = SECSuccess;
mp_int d, e, tmp;
MP_DIGITS (&d) = NULL;
MP_DIGITS (&e) = NULL;
MP_DIGITS (&tmp) = NULL;
MP_CHECKC (mp_init (&d));
MP_CHECKC (mp_init (&e));
MP_CHECKC (mp_init (&tmp));
const mp_int *mod = &v->s->cfg->modulus;
// Compute share of f(r)*g(r)
// [f(r)*g(r)] = [d*e/2] + d[b] + e[a] + [c]
// Compute d
MP_CHECKC (mp_addmod (&p1A->share_d, &p1B->share_d, mod, &d));
// Compute e
MP_CHECKC (mp_addmod (&p1A->share_e, &p1B->share_e, mod, &e));
// Compute d*e
MP_CHECKC (mp_mulmod (&d, &e, mod, &p2->share_out));
// out = d*e/2
MP_CHECKC (mp_mulmod (&p2->share_out, &v->s->cfg->inv2,
mod, &p2->share_out));
// Compute d[b]
MP_CHECKC (mp_mulmod (&d, &v->clientp->triple->b, mod, &tmp));
// out = d*e/2 + d[b]
MP_CHECKC (mp_addmod (&p2->share_out, &tmp, mod, &p2->share_out));
// Compute e[a]
MP_CHECKC (mp_mulmod (&e, &v->clientp->triple->a, mod, &tmp));
// out = d*e/2 + d[b] + e[a]
MP_CHECKC (mp_addmod (&p2->share_out, &tmp, mod, &p2->share_out));
// out = d*e/2 + d[b] + e[a] + [c]
MP_CHECKC (mp_addmod (&p2->share_out, &v->clientp->triple->c, mod, &p2->share_out));
// We want to compute f(r)*g(r) - h(r),
// so subtract off [h(r)]:
// out = d*e/2 + d[b] + e[a] + [c] - [h(r)]
MP_CHECKC (mp_sub (&p2->share_out, &v->share_hR, &p2->share_out));
MP_CHECKC (mp_mod (&p2->share_out, mod, &p2->share_out));
cleanup:
mp_clear (&d);
mp_clear (&e);
mp_clear (&tmp);
return rv;
}
int
PrioVerifier_isValid (const_PrioVerifier v,
const_PrioPacketVerify2 pA, const_PrioPacketVerify2 pB)
{
SECStatus rv = SECSuccess;
mp_int res;
MP_DIGITS (&res) = NULL;
MP_CHECKC (mp_init (&res));
// Add up the shares of the output wire value and
// ensure that the sum is equal to zero, which indicates
// that
// f(r) * g(r) == h(r).
MP_CHECKC (mp_addmod (&pA->share_out, &pB->share_out,
&v->s->cfg->modulus, &res));
rv = (mp_cmp_d (&res, 0) == 0) ? SECSuccess : SECFailure;
cleanup:
mp_clear (&res);
return rv;
}

60
third_party/prio/prio/server.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,60 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __SERVER_H__
#define __SERVER_H__
#include "mparray.h"
#include "prg.h"
#include "share.h"
struct prio_total_share {
PrioServerId idx;
MPArray data_shares;
};
struct prio_server {
const_PrioConfig cfg;
PrioServerId idx;
// Sever's private decryption key
PrivateKey priv_key;
// The accumulated data values from the clients.
MPArray data_shares;
// PRG used to generate randomness for checking the client
// data packets. Both servers initialize this PRG with the
// same shared seed.
PRG prg;
};
struct prio_verifier {
PrioServer s;
PrioPacketClient clientp;
MPArray data_sharesB;
MPArray h_pointsB;
mp_int share_fR;
mp_int share_gR;
mp_int share_hR;
mp_int share_out;
};
struct prio_packet_verify1 {
mp_int share_d;
mp_int share_e;
};
struct prio_packet_verify2 {
mp_int share_out;
};
#endif /* __SERVER_H__ */

108
third_party/prio/prio/share.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,108 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include "rand.h"
#include "share.h"
#include "util.h"
SECStatus
share_int (const struct prio_config *cfg, const mp_int *src,
mp_int *shareA, mp_int *shareB)
{
SECStatus rv;
P_CHECK (rand_int (shareA, &cfg->modulus));
MP_CHECK (mp_submod (src, shareA, &cfg->modulus, shareB));
return rv;
}
BeaverTriple
BeaverTriple_new (void)
{
BeaverTriple triple = malloc (sizeof *triple);
if (!triple)
return NULL;
MP_DIGITS (&triple->a) = NULL;
MP_DIGITS (&triple->b) = NULL;
MP_DIGITS (&triple->c) = NULL;
SECStatus rv = SECSuccess;
MP_CHECKC (mp_init (&triple->a));
MP_CHECKC (mp_init (&triple->b));
MP_CHECKC (mp_init (&triple->c));
cleanup:
if (rv != SECSuccess) {
BeaverTriple_clear (triple);
return NULL;
}
return triple;
}
void
BeaverTriple_clear (BeaverTriple triple)
{
if (!triple) return;
mp_clear (&triple->a);
mp_clear (&triple->b);
mp_clear (&triple->c);
free (triple);
}
SECStatus
BeaverTriple_set_rand (const struct prio_config *cfg,
struct beaver_triple *triple_1,
struct beaver_triple *triple_2)
{
SECStatus rv = SECSuccess;
// TODO: Can shorten this code using share_int()
// We need that
// (a1 + a2)(b1 + b2) = c1 + c2 (mod p)
P_CHECK (rand_int (&triple_1->a, &cfg->modulus));
P_CHECK (rand_int (&triple_1->b, &cfg->modulus));
P_CHECK (rand_int (&triple_2->a, &cfg->modulus));
P_CHECK (rand_int (&triple_2->b, &cfg->modulus));
// We are trying to be a little clever here to avoid the use of temp
// variables.
// c1 = a1 + a2
MP_CHECK (mp_addmod (&triple_1->a, &triple_2->a, &cfg->modulus, &triple_1->c));
// c2 = b1 + b2
MP_CHECK (mp_addmod (&triple_1->b, &triple_2->b, &cfg->modulus, &triple_2->c));
// c1 = c1 * c2 = (a1 + a2) (b1 + b2)
MP_CHECK (mp_mulmod (&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
// Set c2 to random blinding value
MP_CHECK (rand_int (&triple_2->c, &cfg->modulus));
// c1 = c1 - c2
MP_CHECK (mp_submod (&triple_1->c, &triple_2->c, &cfg->modulus, &triple_1->c));
// Now we should have random tuples satisfying:
// (a1 + a2) (b1 + b2) = c1 + c2
return rv;
}
bool
BeaverTriple_areEqual (const_BeaverTriple t1, const_BeaverTriple t2)
{
return (mp_cmp (&t1->a, &t2->a) == 0 &&
mp_cmp (&t1->b, &t2->b) == 0 &&
mp_cmp (&t1->c, &t2->c) == 0);
}

51
third_party/prio/prio/share.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,51 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __SHARE_H__
#define __SHARE_H__
#include <mpi.h>
#include "config.h"
struct beaver_triple {
mp_int a;
mp_int b;
mp_int c;
};
typedef struct beaver_triple *BeaverTriple;
typedef const struct beaver_triple *const_BeaverTriple;
/*
* Use secret sharing to split the int src into two shares.
* The mp_ints must be initialized.
*/
SECStatus share_int (const_PrioConfig cfg, const mp_int *src,
mp_int *shareA, mp_int *shareB);
/*
* Prio uses Beaver triples to implement one step of the
* client data validation routine. A Beaver triple is just
* a sharing of random values a, b, c such that
* a * b = c
*/
BeaverTriple BeaverTriple_new (void);
void BeaverTriple_clear (BeaverTriple t);
SECStatus BeaverTriple_set_rand (const_PrioConfig cfg,
BeaverTriple triple_a,
BeaverTriple triple_b);
bool BeaverTriple_areEqual (const_BeaverTriple t1, const_BeaverTriple t2);
#endif /* __SHARE_H__ */

102
third_party/prio/prio/util.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,102 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef __UTIL_H__
#define __UTIL_H__
#include <mpi.h>
#include <mprio.h>
// Minimum of two values
#define MIN(a, b) ((a) < (b) ? (a) : (b))
// Check a Prio error code and return failure if the call fails.
#define P_CHECK(s) \
do { \
if((rv = (s)) != SECSuccess) \
return rv; \
} while(0);
// Check an allocation that should not return NULL. If the allocation returns
// NULL, set the return value and jump to the cleanup label to free memory.
#define P_CHECKA(s) \
do { \
if((s) == NULL) {\
rv = SECFailure;\
goto cleanup;\
}\
} while(0);
// Check a Prio library call that should return SECSuccess. If it doesn't,
// jump to the cleanup label.
#define P_CHECKC(s) \
do { \
if((rv = (s)) != SECSuccess) { \
goto cleanup; \
}\
} while(0);
// Check a boolean that should be true. If it not,
// jump to the cleanup label.
#define P_CHECKCB(s) \
do { \
if(!(s)) { \
rv = SECFailure; \
goto cleanup; \
}\
} while(0);
// Check an MPI library call and return failure if it fails.
#define MP_CHECK(s) do { if((s) != MP_OKAY) return SECFailure; } while(0);
// Check a msgpack object unpacked correctly
#define UP_CHECK(s) do { int r = (s); if(r != MSGPACK_UNPACK_SUCCESS &&\
r != MSGPACK_UNPACK_EXTRA_BYTES) \
return SECFailure; } while(0);
// Check an MPI library call. If it fails, set the return code and jump
// to the cleanup label.
#define MP_CHECKC(s) \
do { \
if((s) != MP_OKAY) { \
rv = SECFailure; \
goto cleanup; \
}\
} while(0);
inline int
next_power_of_two (int val)
{
int i = val;
int out = 0;
for ( ; i > 0; i >>= 1) {
out++;
}
int pow = 1 << out;
return (pow > 1 && pow/2 == val) ? val : pow;
}
/*
* Return a mask that masks out all of the zero bits
*/
inline unsigned char
msb_mask (unsigned char val)
{
unsigned char mask;
for (mask = 0x00; (val & mask) != val; mask = (mask << 1) + 1);
return mask;
}
/*
* Specify that a parameter should be unused.
*/
#define UNUSED(x) (void)(x)
#endif /* __UTIL_H__ */

30
third_party/prio/ptest/MUTEST_LICENSE поставляемый Normal file
Просмотреть файл

@ -0,0 +1,30 @@
I don't like licenses, because I don't like having to worry about all this
legal stuff just for a simple piece of software I don't really mind anyone
using. But I also believe that it's important that people share and give back;
so I'm placing this work under the following license.
BOLA - Buena Onda License Agreement (v1.0)
------------------------------------------
This work is provided 'as-is', without any express or implied warranty. In no
event will the authors be held liable for any damages arising from the use of
this work.
To all effects and purposes, this work is to be considered Public Domain.
However, if you want to be "Buena onda", you should:
1. Not take credit for it, and give proper recognition to the authors.
2. Share your modifications, so everybody benefits from them.
4. Do something nice for the authors.
5. Help someone who needs it: sign up for some volunteer work or help your
neighbour paint the house.
6. Don't waste. Anything, but specially energy that comes from natural
non-renewable resources. Extra points if you discover or invent something
to replace them.
7. Be tolerant. Everything that's good in nature comes from cooperation.
The order is important, and the further you go the more "Buena onda" you are.
Make the world a better place: be "Buena onda".

44
third_party/prio/ptest/SConscript поставляемый Normal file
Просмотреть файл

@ -0,0 +1,44 @@
import sys
Import('env')
prio_env = env.Clone()
test_srcs = [
"mutest.c",
"client_test.c",
"example_test.c",
"encrypt_test.c",
"fft_test.c",
"mpi_test.c",
"prg_test.c",
"rand_test.c",
"serial_test.c",
"server_test.c",
"share_test.c",
]
libs = [
"nss3",
"mpi",
"mprio",
"msgpackc"
]
# Run the mutest script to generate the test harness code
bld = Builder(action = 'ptest/mkmutest ptest/mutest.h $SOURCES | $CC -c -xc -o $TARGET -')
prio_env.Append(BUILDERS = {'MkMutest' : bld})
prio_env.Append(LIBS = libs)
# Enable mpi print
prio_env.Append(CFLAGS = ['-DMP_IOFUNC'])
# Copy the mutest scripts to the build dir
prio_env.Install("mkmutest")
prio_env.Install("mutest.h")
test_objs = prio_env.Object(test_srcs)
test_main = prio_env.MkMutest(test_objs)
prio_env.Program("ptest", [test_main] + test_objs)

160
third_party/prio/ptest/client_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,160 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include "prio/client.h"
#include "prio/server.h"
#include "prio/util.h"
#include "mutest.h"
void
mu_test_client__new (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
P_CHECKA (cfg = PrioConfig_newTest(23));
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
{
const int ndata = PrioConfig_numDataFields (cfg);
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
}
P_CHECKC (PrioPacketClient_set_data (cfg, data_items, pA, pB));
}
cleanup:
mu_check (rv == SECSuccess);
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
PrioConfig_clear (cfg);
}
void
test_client_agg (int nclients)
{
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioTotalShare tA = NULL;
PrioTotalShare tB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
const unsigned char *batch_id = (unsigned char *)"test_batch";
unsigned int batch_id_len = strlen ((char *)batch_id);
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (133, pkA, pkB, batch_id, batch_id_len));
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
P_CHECKA (tA = PrioTotalShare_new ());
P_CHECKA (tB = PrioTotalShare_new ());
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
const int ndata = PrioConfig_numDataFields (cfg);
{
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
}
for (int i=0; i < nclients; i++) {
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen,
&for_b, &bLen));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
mu_check (PrioServer_aggregate (sA, vA) == SECSuccess);
mu_check (PrioServer_aggregate (sB, vB) == SECSuccess);
free (for_a);
free (for_b);
for_a = NULL;
for_b = NULL;
}
mu_check (PrioTotalShare_set_data (tA, sA) == SECSuccess);
mu_check (PrioTotalShare_set_data (tB, sB) == SECSuccess);
unsigned long output[ndata];
mu_check (PrioTotalShare_final (cfg, output, tA, tB) == SECSuccess);
for (int i=0; i < ndata; i++) {
unsigned long v = ((i % 3 == 1) || (i % 5 == 3));
mu_check (output[i] == v*nclients);
}
}
//rv = SECFailure;
//goto cleanup;
cleanup:
mu_check (rv == SECSuccess);
if (for_a) free (for_a);
if (for_b) free (for_b);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioTotalShare_clear (tA);
PrioTotalShare_clear (tB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
}
void
mu_test_client__agg_1 (void)
{
test_client_agg (1);
}
void
mu_test_client__agg_2 (void)
{
test_client_agg (2);
}
void
mu_test_client__agg_10 (void)
{
test_client_agg (10);
}

228
third_party/prio/ptest/encrypt_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,228 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <nspr.h>
#include <nss/nss.h>
#include <nss/secoidt.h>
#include <nss/keyhi.h>
#include <nss/pk11pub.h>
#include <nss/cert.h>
#include "mutest.h"
#include "prio/encrypt.h"
#include "prio/rand.h"
#include "prio/util.h"
void
mu_test_keygen (void)
{
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
PrivateKey pvtkey = NULL;
P_CHECKC (Keypair_new (&pvtkey, &pubkey));
mu_check (SECKEY_PublicKeyStrength (pubkey) == 32);
cleanup:
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);
PrivateKey_clear (pvtkey);
return;
}
void
test_encrypt_once (int bad, unsigned int inlen)
{
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
PrivateKey pvtkey = NULL;
PublicKey pubkey2 = NULL;
PrivateKey pvtkey2 = NULL;
unsigned char *bytes_in = NULL;
unsigned char *bytes_enc = NULL;
unsigned char *bytes_dec = NULL;
unsigned int enclen;
P_CHECKC (PublicKey_encryptSize (inlen, &enclen));
unsigned int declen = enclen;
P_CHECKA (bytes_in = malloc (inlen));
P_CHECKA (bytes_enc = malloc (enclen));
P_CHECKA (bytes_dec= malloc (enclen));
P_CHECKC (rand_bytes (bytes_in, inlen));
memset (bytes_dec, 0, declen);
unsigned int encryptedBytes;
P_CHECKC (Keypair_new (&pvtkey, &pubkey));
P_CHECKC (Keypair_new (&pvtkey2, &pubkey2));
P_CHECKC (PublicKey_encrypt (pubkey, bytes_enc,
&encryptedBytes, enclen,
bytes_in, inlen));
mu_check (encryptedBytes == enclen);
if (bad == 1)
enclen = 30;
if (bad == 2) {
bytes_enc[4] = 6;
bytes_enc[5] = 0;
}
if (bad == 3) {
bytes_enc[40] = 6;
bytes_enc[41] = 0;
}
unsigned int decryptedBytes;
PrivateKey key_to_use = (bad == 4) ? pvtkey2 : pvtkey;
P_CHECKC (PrivateKey_decrypt (key_to_use, bytes_dec, &decryptedBytes, declen,
bytes_enc, enclen));
mu_check (decryptedBytes == inlen);
mu_check (!strncmp ((char *)bytes_in, (char *)bytes_dec, inlen));
cleanup:
mu_check (bad ? (rv == SECFailure) : (rv == SECSuccess));
if (bytes_in) free (bytes_in);
if (bytes_enc) free (bytes_enc);
if (bytes_dec) free (bytes_dec);
PublicKey_clear (pubkey);
PrivateKey_clear (pvtkey);
PublicKey_clear (pubkey2);
PrivateKey_clear (pvtkey2);
return;
}
void
mu_test_encrypt_good (void)
{
test_encrypt_once (0, 100);
}
void
mu_test_encrypt_good_long (void)
{
test_encrypt_once (0, 1000000);
}
void
mu_test_encrypt_too_short (void)
{
test_encrypt_once (1, 87);
}
void
mu_test_encrypt_garbage (void)
{
test_encrypt_once (2, 10023);
}
void
mu_test_encrypt_garbage2 (void)
{
test_encrypt_once (3, 8123);
}
void
mu_test_decrypt_wrong_key (void)
{
test_encrypt_once (4, 81230);
}
void
mu_test_export (void)
{
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
unsigned char raw_bytes[CURVE25519_KEY_LEN];
unsigned char raw_bytes2[CURVE25519_KEY_LEN];
for (int i=0; i< CURVE25519_KEY_LEN; i++) {
raw_bytes[i] = (3*i+7) % 0xFF;
}
P_CHECKC (PublicKey_import (&pubkey, raw_bytes, CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes2));
for (int i=0; i< CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes2[i]);
}
cleanup:
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);
return;
}
void
mu_test_export_hex (void)
{
SECStatus rv = SECSuccess;
PublicKey pubkey = NULL;
const unsigned char hex_bytes[2*CURVE25519_KEY_LEN] = \
"102030405060708090A0B0C0D0E0F00000FFEEDDCCBBAA998877665544332211";
const unsigned char hex_bytesl[2*CURVE25519_KEY_LEN] = \
"102030405060708090a0B0C0D0E0F00000FfeEddcCbBaa998877665544332211";
const unsigned char raw_bytes_should[CURVE25519_KEY_LEN] = {
0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0, 0x00,
0x00, 0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99,
0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
unsigned char raw_bytes[CURVE25519_KEY_LEN];
unsigned char hex_bytes2[2*CURVE25519_KEY_LEN+1];
// Make sure that invalid lengths are rejected.
mu_check (PublicKey_import_hex (&pubkey, hex_bytes,
2*CURVE25519_KEY_LEN-1) == SECFailure);
mu_check (PublicKey_import_hex (&pubkey, hex_bytes,
2*CURVE25519_KEY_LEN+1) == SECFailure);
// Import a key in upper-case hex
P_CHECKC (PublicKey_import_hex (&pubkey, hex_bytes, 2*CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes));
PublicKey_clear (pubkey);
pubkey = NULL;
for (int i=0; i<CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes_should[i]);
}
// Import a key in mixed-case hex
P_CHECKC (PublicKey_import_hex (&pubkey, hex_bytesl, 2*CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export (pubkey, raw_bytes));
PublicKey_clear (pubkey);
pubkey = NULL;
for (int i=0; i<CURVE25519_KEY_LEN; i++) {
mu_check (raw_bytes[i] == raw_bytes_should[i]);
}
mu_check (PublicKey_import (&pubkey, raw_bytes_should,
CURVE25519_KEY_LEN-1) == SECFailure);
mu_check (PublicKey_import (&pubkey, raw_bytes_should,
CURVE25519_KEY_LEN+1) == SECFailure);
// Import a raw key and export as hex
P_CHECKC (PublicKey_import (&pubkey, raw_bytes_should, CURVE25519_KEY_LEN));
P_CHECKC (PublicKey_export_hex (pubkey, hex_bytes2));
for (int i=0; i<2*CURVE25519_KEY_LEN; i++) {
mu_check (hex_bytes[i] == hex_bytes2[i]);
}
mu_ensure (hex_bytes2[2*CURVE25519_KEY_LEN] == '\0');
cleanup:
mu_check (rv == SECSuccess);
PublicKey_clear (pubkey);
return;
}

21
third_party/prio/ptest/example_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,21 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
//#include <stdio.h>
#include "mutest.h"
void
mu_test_example (void)
{
mu_check (1);
}

170
third_party/prio/ptest/fft_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,170 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include <mprio.h>
#include <stdio.h>
#include "mutest.h"
#include "prio/config.h"
#include "prio/mparray.h"
#include "prio/poly.h"
#include "prio/util.h"
void
mu_test__fft_one (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
P_CHECKA (cfg = PrioConfig_newTest (123));
P_CHECKA (points_in = MPArray_new (1));
P_CHECKA (points_out = MPArray_new (1));
mp_set (&points_in->data[0], 3);
mu_check (poly_fft (points_out, points_in, cfg, false) == SECSuccess);
mu_check (mp_cmp_d(&points_in->data[0], 3) == 0);
mu_check (mp_cmp_d(&points_out->data[0], 3) == 0);
cleanup:
mu_check (rv == SECSuccess);
MPArray_clear (points_in);
MPArray_clear (points_out);
PrioConfig_clear (cfg);
}
void
mu_test__fft_roots (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
mp_int tmp;
MP_DIGITS (&tmp) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (90));
MP_CHECKC (mp_init (&tmp));
mp_int roots[4];
poly_fft_get_roots (roots, 4, cfg, false);
for (int i=0; i<4; i++) {
mp_exptmod_d(&roots[i], 4, &cfg->modulus, &tmp);
mu_check (mp_cmp_d( &tmp, 1) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&tmp);
PrioConfig_clear (cfg);
}
void
mu_test__fft_simple (void)
{
SECStatus rv = SECSuccess;
const int nPoints = 4;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
mp_int should_be, tmp;
mp_int roots[nPoints];
MP_DIGITS (&should_be) = NULL;
MP_DIGITS (&tmp) = NULL;
for (int i=0; i<nPoints; i++) {
MP_DIGITS (&roots[i]) = NULL;
}
P_CHECKA (cfg = PrioConfig_newTest (140));
P_CHECKA (points_in = MPArray_new (nPoints));
P_CHECKA (points_out = MPArray_new (nPoints));
MP_CHECKC (mp_init (&should_be));
MP_CHECKC (mp_init (&tmp));
poly_fft_get_roots (roots, nPoints, cfg, false);
mp_set (&points_in->data[0], 3);
mp_set (&points_in->data[1], 8);
mp_set (&points_in->data[2], 7);
mp_set (&points_in->data[3], 9);
mu_check (poly_fft (points_out, points_in, cfg, false) == SECSuccess);
for (int i=0; i<nPoints; i++) {
mp_set (&should_be, 0);
for (int j=0; j<nPoints; j++) {
mu_check (mp_exptmod_d(&roots[i], j, &cfg->modulus, &tmp) == MP_OKAY);
mu_check (mp_mulmod(&tmp, &points_in->data[j], &cfg->modulus, &tmp) == MP_OKAY);
mu_check (mp_addmod(&should_be, &tmp, &cfg->modulus, &should_be) == MP_OKAY);
}
/*
puts("Should be:");
mp_print(&should_be, stdout);
puts("");
mp_print(&points_out[i], stdout);
puts("");
*/
mu_check (mp_cmp (&should_be, &points_out->data[i]) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&tmp);
mp_clear (&should_be);
MPArray_clear (points_in);
MPArray_clear (points_out);
PrioConfig_clear (cfg);
}
void
mu_test__fft_invert (void)
{
SECStatus rv = SECSuccess;
const int nPoints = 8;
PrioConfig cfg = NULL;
MPArray points_in = NULL;
MPArray points_out = NULL;
MPArray points_out2 = NULL;
mp_int roots[nPoints];
P_CHECKA (cfg = PrioConfig_newTest (91));
P_CHECKA (points_in = MPArray_new (nPoints));
P_CHECKA (points_out = MPArray_new (nPoints));
P_CHECKA (points_out2 = MPArray_new (nPoints));
poly_fft_get_roots (roots, nPoints, cfg, false);
mp_set (&points_in->data[0], 3);
mp_set (&points_in->data[1], 8);
mp_set (&points_in->data[2], 7);
mp_set (&points_in->data[3], 9);
mp_set (&points_in->data[4], 123);
mp_set (&points_in->data[5], 123123987);
mp_set (&points_in->data[6], 2);
mp_set (&points_in->data[7], 0);
mu_check (poly_fft(points_out, points_in, cfg, false) == SECSuccess);
mu_check (poly_fft(points_out2, points_out, cfg, true) == SECSuccess);
for (int i=0; i<nPoints; i++) {
mu_check (mp_cmp (&points_out2->data[i], &points_in->data[i]) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
MPArray_clear (points_in);
MPArray_clear (points_out);
MPArray_clear (points_out2);
PrioConfig_clear (cfg);
}

65
third_party/prio/ptest/mkmutest поставляемый Executable file
Просмотреть файл

@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# This file is part of mutest, a simple micro unit testing framework for C.
#
# mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
# under the BOLA license, please see the LICENSE file or visit:
# http://blitiri.com.ar/p/bola/
#
# This is a simple script to generate a C file that runs all the test suites
# present in .o files passed as arguments.
#
# Please, read the README file for more details.
#
# the trick here is getting all the test cases present in an object file using
# nm. All the tests must take and return void, start with "mutest_" and, of
# course, should not be static, which leads to a small limitation: all test
# cases must have unique names, even across test suites.
# the first argument should be mutest.h
if [ -z "$1" ]
then
echo "Too few arguments" >&2
echo "Usage: $0 mutest_h_location [object files...]" >&2
exit 1
fi
mutest_h="$1"
shift
echo "#include \"$mutest_h\""
echo "void mu_run_suites() {"
echo
for file in "$@"
do
pr_file=`echo "$file" | sed 's/\"/\\\\\"/g'`
suite=`basename "$file" .o | sed 's/\"/\\\\\"/g'`
#symbols=`nm "$file" | egrep '^[[:xdigit:]]{8} T mu_\w+$' | cut -c12-`
symbols=`nm "$file" | egrep ' T _mu_\w+$' | cut -c21-`
symbols+=`nm "$file" | egrep ' T mu_\w+$' | cut -c20-`
tests=`echo "$symbols" | egrep '^mu_test'`
inits=`echo "$symbols" | egrep '^mu_init'`
terms=`echo "$symbols" | egrep '^mu_term'`
echo -e '\tdo {'
echo -e '\t\tmutest_suite_name = "'"$suite"'";'
echo -e '\t\tmu_print(MU_SUITE, "\\nRunning suite '"'$suite'"'\\n");'
for init in $inits
do
echo -e "\\t\\tmu_run_init($init);"
done
for testcase in $tests
do
echo -e "\t\tmu_run_case($testcase);"
done
for term in $terms
do
echo -e "\t\tmu_run_term($term);"
done
echo -e "\t\tif (mutest_suite_failed) ++mutest_failed_suites;"
echo -e "\t\telse ++mutest_passed_suites;"
echo -e "\t\tmutest_suite_failed = 0;"
echo -e '\t} while (0);'
echo
done
echo "}"

38
third_party/prio/ptest/mpi_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,38 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include "mutest.h"
void
mu_test_mpi__add (void)
{
mp_int a;
mp_int b;
mp_int c;
mu_check (mp_init (&a) == MP_OKAY);
mu_check (mp_init (&b) == MP_OKAY);
mu_check (mp_init (&c) == MP_OKAY);
mp_set (&a, 10);
mp_set (&b, 7);
mp_add (&a, &b, &c);
mp_set (&a, 17);
mu_check (mp_cmp (&a, &c) == 0);
mp_clear (&a);
mp_clear (&b);
mp_clear (&c);
}

94
third_party/prio/ptest/mutest.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,94 @@
/*
* This file is part of mutest, a simple micro unit testing framework for C.
*
* mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
* under the BOLA license, please see the LICENSE file or visit:
* http://blitiri.com.ar/p/bola/
*
* This is the main program, it runs all the test suites and shows the
* results. The main work (of running the test suite) is done by the (usually)
* synthesized mu_run_suites() function, which can be generated using the
* mkmutest script (or written manually).
*
* Please, read the README file for more details.
*/
#include <mprio.h>
#include <stdio.h> /* printf(), fprintf() */
#include <string.h> /* strncmp() */
#include "mutest.h" /* MU_* constants, mu_print() */
/*
* note that all global variables are public because they need to be accessed
* from other modules, like the test suites or the module implementing
* mu_run_suites()
*/
/* globals for managing test suites */
const char* mutest_suite_name;
int mutest_failed_suites;
int mutest_passed_suites;
int mutest_skipped_suites;
int mutest_suite_failed;
/* globals for managing test cases */
const char* mutest_case_name;
int mutest_failed_cases;
int mutest_passed_cases;
int mutest_case_failed;
/* globals for managing checks */
int mutest_failed_checks;
int mutest_passed_checks;
/* verbosity level, see mutest.h */
int mutest_verbose_level = 1; /* exported for use in test suites */
/*
* only -v is supported right now, both "-v -v" and "-vv" are accepted for
* increasing the verbosity by 2.
*/
void parse_args(__attribute__((unused)) int argc, char* argv[]) {
while (*++argv) {
if (strncmp(*argv, "-v", 2) == 0) {
++mutest_verbose_level;
char* c = (*argv) + 1;
while (*++c) {
if (*c != 'v')
break;
++mutest_verbose_level;
}
}
}
}
int main(int argc, char* argv[]) {
Prio_init ();
parse_args(argc, argv);
mu_run_suites();
Prio_clear ();
mu_print(MU_SUMMARY, "\n"
"Tests done:\n"
"\t%d test suite(s) passed, %d failed, %d skipped.\n"
"\t%d test case(s) passed, %d failed.\n"
"\t%d check(s) passed, %d failed.\n"
"\n",
mutest_passed_suites, mutest_failed_suites,
mutest_skipped_suites,
mutest_passed_cases, mutest_failed_cases,
mutest_passed_checks, mutest_failed_checks);
return (mutest_failed_suites + mutest_skipped_suites) ? 1 : 0;
}

248
third_party/prio/ptest/mutest.h поставляемый Normal file
Просмотреть файл

@ -0,0 +1,248 @@
/*
* This file is part of mutest, a simple micro unit testing framework for C.
*
* mutest was written by Leandro Lucarella <llucax@gmail.com> and is released
* under the BOLA license, please see the LICENSE file or visit:
* http://blitiri.com.ar/p/bola/
*
* This header file should be included in the source files that will make up
* a test suite. It's used for both C and Python implementation, but when
* using the Python implementation you should define the MUTEST_PY macro.
* If you implement your mu_run_suites() function yourself, you probably will
* need to include this header too (see mkmutest).
*
* Please, read the README file for more details.
*/
#include <stdio.h> /* fprintf() */
#ifdef __cplusplus
extern "C" {
#endif
/* verbosity level (each level shows all the previous levels too) */
enum {
MU_QUIET = 0, /* be completely quiet */
MU_ERROR, /* shows errors only */
MU_SUMMARY, /* shows a summary */
MU_SUITE, /* shows test suites progress */
MU_CASE, /* shows test cases progress */
MU_CHECK /* shows the current running check */
};
/* print a message according to the verbosity level */
#define mu_print(level, ...) \
do { \
if (mutest_verbose_level >= level) { \
if (mutest_verbose_level == MU_ERROR) \
fprintf(stderr, __VA_ARGS__); \
else \
fprintf(stdout, __VA_ARGS__); \
} \
} while (0)
/* print an error message */
#define mu_printerr(name, action) \
mu_print(MU_ERROR, __FILE__ ":%d: " name " failed, "\
action " test case\n", __LINE__);
/* modify the internal state so a failure gets counted */
#define mutest_count_err ++mutest_failed_checks; mutest_case_failed = 1;
/* modify the internal state so a success gets counted */
#define mutest_count_suc ++mutest_passed_checks;
#ifdef __cplusplus
#include <exception>
/* print an error message triggered by a C++ exception */
#define mu_printex(name, action, ex) \
mu_print(MU_ERROR, __FILE__ ":%d: " name " failed, " \
"exception thrown (%s), " action \
" test case\n", __LINE__, ex);
#define mutest_try try {
#define mutest_catch(name, action, final) \
} catch (const std::exception& e) { \
mutest_count_err \
mu_printex(name, action, e.what()); \
final; \
} catch (...) { \
mutest_count_err \
mu_printex(name, action, "[unknown]"); \
final; \
}
#else /* !__cplusplus */
#define mutest_try
#define mutest_catch(name, action, exp)
#endif /* __cplusplus */
/* check that an expression evaluates to true, continue if the check fails */
#define mu_check_base(exp, name, action, final) \
do { \
mu_print(MU_CHECK, "\t\t* Checking " name "(" #exp ")...\n"); \
mutest_try \
if (exp) mutest_count_suc \
else { \
mutest_count_err \
mu_printerr(name "(" #exp ")", action); \
final; \
} \
mutest_catch(name, action, final) \
} while (0)
/* check that an expression evaluates to true, continue if the check fails */
#define mu_check(exp) mu_check_base(exp, "mu_check", "resuming", continue)
/*
* ensure that an expression evaluates to true, abort the current test
* case if the check fails
*/
#define mu_ensure(exp) mu_check_base(exp, "mu_ensure", "aborting", return)
#ifdef __cplusplus
#define mu_echeck_base(ex, exp, name, action, final) \
do { \
mu_print(MU_CHECK, "\t\t* Checking " name "(" #ex ", " #exp \
")...\n"); \
try { \
exp; \
mutest_count_err \
mu_printerr(name "(" #ex ", " #exp ")", \
"no exception thrown, " action); \
final; \
} catch (const ex& e) { \
mutest_count_suc \
} catch (const std::exception& e) { \
mutest_count_err \
mu_printex(name "(" #ex ", " #exp ")", action, \
e.what()); \
final; \
} catch (...) { \
mutest_count_err \
mu_printex(name "(" #ex ", " #exp ")", action, \
"[unknown]"); \
final; \
} \
} while (0)
/*
* check that an expression throws a particular exception, continue if the
* check fails
*/
#define mu_echeck(ex, exp) \
mu_echeck_base(ex, exp, "mu_echeck", "resuming", continue)
/*
* ensure that an expression throws a particular exception, abort the current
* test case if the check fails
*/
#define mu_eensure(ex, exp) \
mu_echeck_base(ex, exp, "mu_eensure", "aborting", return)
#endif /* __cplusplus */
#ifndef MUTEST_PY /* we are using the C implementation */
/*
* this function implements the test suites execution, you should generate
* a module with this function using mkmutest, or take a look to that script
* if you want to implement your own customized version */
void mu_run_suites();
/* macro for running a single initialization function */
#ifndef mu_run_init
#define mu_run_init(name) \
{ \
int name(); \
int r; \
mu_print(MU_CASE, "\t+ Executing initialization function " \
"'" #name "'...\n"); \
if ((r = name())) { \
mu_print(MU_ERROR, "%s:" #name ": initialization " \
"function failed (returned %d), " \
"skipping test suite...\n", \
mutest_suite_name, r); \
++mutest_skipped_suites; \
break; \
} \
} do { } while (0)
#endif /* mu_run_init */
/* macro for running a single test case */
#ifndef mu_run_case
#define mu_run_case(name) \
do { \
mu_print(MU_CASE, "\t* Executing test case '" #name "'...\n");\
mutest_case_name = #name; \
void name(); \
name(); \
if (mutest_case_failed) { \
++mutest_failed_cases; \
mutest_suite_failed = 1; \
} else ++mutest_passed_cases; \
mutest_case_failed = 0; \
} while (0)
#endif /* mu_run_case */
/* macro for running a single termination function */
#ifndef mu_run_term
#define mu_run_term(name) \
do { \
mu_print(MU_CASE, "\t- Executing termination function '" \
#name "'...\n"); \
void name(); \
name(); \
} while (0)
#endif /* mu_run_term */
/*
* mutest exported variables for internal use, do not use directly unless you
* know what you're doing.
*/
extern const char* mutest_suite_name;
extern int mutest_failed_suites;
extern int mutest_passed_suites;
extern int mutest_skipped_suites;
extern int mutest_suite_failed;
/* test cases */
extern const char* mutest_case_name;
extern int mutest_failed_cases;
extern int mutest_passed_cases;
extern int mutest_case_failed;
/* checks */
extern int mutest_failed_checks;
extern int mutest_passed_checks;
/* verbosity */
extern int mutest_verbose_level;
#else /* MUTEST_PY is defined, using the Python implementation */
/* this increments when the "API" changes, it's just for sanity check */
int mutest_api_version = 1;
int mutest_case_failed; /* unused, for C implementation compatibility */
int mutest_passed_checks;
int mutest_failed_checks;
void mutest_reset_counters() {
mutest_passed_checks = 0;
mutest_failed_checks = 0;
}
int mutest_verbose_level = MU_ERROR;
void mutest_set_verbose_level(int val) {
mutest_verbose_level = val;
}
#endif /* MUTEST_PY */
#ifdef __cplusplus
}
#endif

345
third_party/prio/ptest/prg_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,345 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include "mutest.h"
#include "prio/prg.h"
#include "prio/util.h"
void
mu_test__prg_simple (void)
{
SECStatus rv = SECSuccess;
PrioPRGSeed key;
PRG prg = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
cleanup:
mu_check (rv == SECSuccess);
PRG_clear (prg);
}
void
mu_test__prg_repeat (void)
{
SECStatus rv = SECSuccess;
const int buflen = 10000;
unsigned char buf1[buflen];
unsigned char buf2[buflen];
PrioPRGSeed key;
PRG prg1 = NULL;
PRG prg2 = NULL;
buf1[3] = 'a';
buf2[3] = 'b';
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg1 = PRG_new (key));
P_CHECKA (prg2 = PRG_new (key));
P_CHECKC (PRG_get_bytes (prg1, buf1, buflen));
P_CHECKC (PRG_get_bytes (prg2, buf2, buflen));
bool all_zero = true;
for (int i=0; i<buflen; i++) {
mu_check (buf1[i] == buf2[i]);
if (buf1[i]) all_zero = false;
}
mu_check (!all_zero);
cleanup:
mu_check (rv == SECSuccess);
PRG_clear (prg1);
PRG_clear (prg2);
}
void
mu_test__prg_repeat_int (void)
{
SECStatus rv = SECSuccess;
const int tries = 10000;
mp_int max;
mp_int out1;
mp_int out2;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out1) = NULL;
MP_DIGITS (&out2) = NULL;
PrioPRGSeed key;
PRG prg1 = NULL;
PRG prg2 = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg1 = PRG_new (key));
P_CHECKA (prg2 = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out1));
MP_CHECKC (mp_init (&out2));
for (int i=0; i<tries; i++) {
mp_set (&max, i+1);
P_CHECKC (PRG_get_int (prg1, &out1, &max));
P_CHECKC (PRG_get_int (prg2, &out2, &max));
mu_check (mp_cmp (&out1, &out2) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
PRG_clear (prg1);
PRG_clear (prg2);
mp_clear (&max);
mp_clear (&out1);
mp_clear (&out2);
}
void
test_prg_once (int limit)
{
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int max;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
P_CHECKC (PRG_get_int (prg, &out, &max));
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
PRG_clear (prg);
}
void
mu_test_prg__multiple_of_8 (void)
{
test_prg_once (256);
test_prg_once (256*256);
}
void
mu_test_prg__near_multiple_of_8 (void)
{
test_prg_once (256+1);
test_prg_once (256*256+1);
}
void
mu_test_prg__odd (void)
{
test_prg_once (39);
test_prg_once (123);
test_prg_once (993123);
}
void
mu_test_prg__large (void)
{
test_prg_once (1231239933);
}
void
mu_test_prg__bit(void)
{
test_prg_once (1);
for (int i = 0; i < 100; i++)
test_prg_once (2);
}
void
test_prg_distribution (int limit)
{
int bins[limit];
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int max;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
for (int i = 0; i < limit; i++) {
bins[i] = 0;
}
for (int i = 0; i < limit*limit; i++) {
P_CHECKC (PRG_get_int (prg, &out, &max));
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned char ival[2] = {0x00, 0x00};
MP_CHECKC (mp_to_fixlen_octets (&out, ival, 2));
if (ival[1] + 256*ival[0] < limit) {
bins[ival[1] + 256*ival[0]] += 1;
} else {
mu_check (false);
}
}
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
PRG_clear (prg);
}
void
mu_test__prg_distribution123 (void)
{
test_prg_distribution(123);
}
void
mu_test__prg_distribution257 (void)
{
test_prg_distribution(257);
}
void
mu_test__prg_distribution259 (void)
{
test_prg_distribution(259);
}
void
test_prg_distribution_large (mp_int *max)
{
const int limit = 16;
int bins[limit];
SECStatus rv = SECSuccess;
PrioPRGSeed key;
mp_int out;
PRG prg = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKC (PrioPRGSeed_randomize (&key));
P_CHECKA (prg = PRG_new (key));
MP_CHECKC (mp_init (&out));
for (int i = 0; i < limit; i++) {
bins[i] = 0;
}
for (int i = 0; i < 100*limit*limit; i++) {
MP_CHECKC (PRG_get_int (prg, &out, max));
mu_check (mp_cmp (&out, max) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned long res;
MP_CHECKC (mp_mod_d (&out, limit, &res));
bins[res] += 1;
}
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&out);
PRG_clear (prg);
}
void
mu_test__prg_distribution_large (void)
{
SECStatus rv = SECSuccess;
mp_int max;
MP_DIGITS (&max) = NULL;
MP_CHECKC (mp_init (&max));
char bytes[] = "FF1230985198451798EDC8123";
MP_CHECKC (mp_read_radix (&max, bytes, 16));
test_prg_distribution_large (&max);
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&max);
}
void
mu_test__prg_share_arr (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray arr = NULL;
MPArray arr_share = NULL;
PRG prg = NULL;
PrioPRGSeed seed;
P_CHECKA (cfg = PrioConfig_newTest (72));
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKA (arr = MPArray_new (10));
P_CHECKA (arr_share = MPArray_new (10));
P_CHECKA (prg = PRG_new (seed));
for (int i=0; i<10; i++) {
mp_set (&arr->data[i], i);
}
P_CHECKC (PRG_share_array (prg, arr_share, arr, cfg));
// Reset PRG
PRG_clear (prg);
P_CHECKA (prg = PRG_new (seed));
// Read pseudorandom values into arr
P_CHECKC (PRG_get_array (prg, arr, &cfg->modulus));
for (int i=0; i<10; i++) {
MP_CHECKC (mp_addmod (&arr->data[i], &arr_share->data[i],
&cfg->modulus, &arr->data[i]));
mu_check (mp_cmp_d (&arr->data[i], i) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
PRG_clear (prg);
MPArray_clear (arr);
MPArray_clear (arr_share);
PrioConfig_clear (cfg);
}

194
third_party/prio/ptest/rand_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,194 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include "mutest.h"
#include "prio/rand.h"
#include "prio/util.h"
void
mu_test__util_msb_mast (void)
{
mu_check (msb_mask (0x01) == 0x01);
mu_check (msb_mask (0x02) == 0x03);
mu_check (msb_mask (0x0C) == 0x0F);
mu_check (msb_mask (0x1C) == 0x1F);
mu_check (msb_mask (0xFF) == 0xFF);
}
void
test_rand_once (int limit)
{
mp_int max;
mp_int out;
mu_check (mp_init (&max) == MP_OKAY);
mu_check (mp_init (&out) == MP_OKAY);
mp_set (&max, limit);
mu_check (rand_int (&out, &max) == MP_OKAY);
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
mp_clear (&max);
mp_clear (&out);
}
void
mu_test_rand__multiple_of_8 (void)
{
test_rand_once (256);
test_rand_once (256*256);
}
void
mu_test_rand__near_multiple_of_8 (void)
{
test_rand_once (256+1);
test_rand_once (256*256+1);
}
void
mu_test_rand__odd (void)
{
test_rand_once (39);
test_rand_once (123);
test_rand_once (993123);
}
void
mu_test_rand__large (void)
{
test_rand_once (1231239933);
}
void
mu_test_rand__bit(void)
{
test_rand_once (1);
for (int i = 0; i < 100; i++)
test_rand_once (2);
}
void
test_rand_distribution (int limit)
{
SECStatus rv = SECSuccess;
int bins[limit];
mp_int max;
mp_int out;
MP_DIGITS (&max) = NULL;
MP_DIGITS (&out) = NULL;
MP_CHECKC (mp_init (&max));
MP_CHECKC (mp_init (&out));
mp_set (&max, limit);
for (int i = 0; i < limit; i++) {
bins[i] = 0;
}
for (int i = 0; i < limit*limit; i++) {
mu_check (rand_int (&out, &max) == MP_OKAY);
mu_check (mp_cmp_d (&out, limit) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned char ival[2] = {0x00, 0x00};
MP_CHECKC (mp_to_fixlen_octets (&out, ival, 2));
if (ival[1] + 256*ival[0] < limit) {
bins[ival[1] + 256*ival[0]] += 1;
} else {
mu_check (false);
}
}
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&max);
mp_clear (&out);
}
void
mu_test__rand_distribution123 (void)
{
test_rand_distribution(123);
}
void
mu_test__rand_distribution257 (void)
{
test_rand_distribution(257);
}
void
mu_test__rand_distribution259 (void)
{
test_rand_distribution(259);
}
void
test_rand_distribution_large (mp_int *max)
{
SECStatus rv = SECSuccess;
int limit = 16;
int bins[limit];
mp_int out;
MP_DIGITS (&out) = NULL;
MP_CHECKC (mp_init (&out));
for (int i = 0; i < limit; i++) {
bins[i] = 0;
}
for (int i = 0; i < 100*limit*limit; i++) {
MP_CHECKC (rand_int (&out, max));
mu_check (mp_cmp (&out, max) == -1);
mu_check (mp_cmp_z (&out) > -1);
unsigned long res;
MP_CHECKC (mp_mod_d (&out, limit, &res));
bins[res] += 1;
}
for (int i = 0; i < limit; i++) {
mu_check (bins[i] > limit/2);
}
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&out);
}
void
mu_test__rand_distribution_large (void)
{
SECStatus rv = SECSuccess;
mp_int max;
MP_DIGITS (&max) = NULL;
MP_CHECKC (mp_init (&max));
char bytes[] = "FF1230985198451798EDC8123";
MP_CHECKC (mp_read_radix (&max, bytes, 16));
test_rand_distribution_large (&max);
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&max);
}

319
third_party/prio/ptest/serial_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,319 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mprio.h>
#include <msgpack.h>
#include <string.h>
#include "mutest.h"
#include "prio/client.h"
#include "prio/config.h"
#include "prio/serial.h"
#include "prio/server.h"
#include "prio/util.h"
SECStatus
gen_client_packets (const_PrioConfig cfg, PrioPacketClient pA, PrioPacketClient pB)
{
SECStatus rv = SECSuccess;
const int ndata = cfg->num_data_fields;
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
}
P_CHECKC (PrioPacketClient_set_data (cfg, data_items, pA, pB));
cleanup:
return rv;
}
void serial_client (int bad)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
PrioConfig cfg2 = NULL;
PrioPacketClient pA = NULL;
PrioPacketClient pB = NULL;
PrioPacketClient qA = NULL;
PrioPacketClient qB = NULL;
const unsigned char *batch_id1 = (unsigned char *)"my_test_prio_batch1";
const unsigned char *batch_id2 = (unsigned char *)"my_test_prio_batch2";
const unsigned int batch_id_len = strlen ((char *)batch_id1);
msgpack_sbuffer sbufA, sbufB;
msgpack_packer pkA, pkB;
msgpack_unpacker upkA, upkB;
msgpack_sbuffer_init (&sbufA);
msgpack_packer_init (&pkA, &sbufA, msgpack_sbuffer_write);
msgpack_sbuffer_init (&sbufB);
msgpack_packer_init (&pkB, &sbufB, msgpack_sbuffer_write);
P_CHECKA (cfg = PrioConfig_new (100, NULL, NULL, batch_id1, batch_id_len));
P_CHECKA (cfg2 = PrioConfig_new (100, NULL, NULL, batch_id2, batch_id_len));
P_CHECKA (pA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (pB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
P_CHECKA (qA = PrioPacketClient_new (cfg, PRIO_SERVER_A));
P_CHECKA (qB = PrioPacketClient_new (cfg, PRIO_SERVER_B));
P_CHECKC (gen_client_packets (cfg, pA, pB));
P_CHECKC (serial_write_packet_client (&pkA, pA, cfg));
P_CHECKC (serial_write_packet_client (&pkB, pB, cfg));
if (bad == 1) {
sbufA.size = 1;
}
if (bad == 2) {
memset (sbufA.data, 0, sbufA.size);
}
const int size_a = sbufA.size;
const int size_b = sbufB.size;
P_CHECKCB (msgpack_unpacker_init (&upkA, 0));
P_CHECKCB (msgpack_unpacker_init (&upkB, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upkA, size_a));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upkB, size_b));
memcpy (msgpack_unpacker_buffer (&upkA), sbufA.data, size_a);
memcpy (msgpack_unpacker_buffer (&upkB), sbufB.data, size_b);
msgpack_unpacker_buffer_consumed (&upkA, size_a);
msgpack_unpacker_buffer_consumed (&upkB, size_b);
P_CHECKC (serial_read_packet_client (&upkA, qA, cfg));
P_CHECKC (serial_read_packet_client (&upkB, qB, (bad == 3) ? cfg2 : cfg));
if (!bad) {
mu_check (PrioPacketClient_areEqual (pA, qA));
mu_check (PrioPacketClient_areEqual (pB, qB));
mu_check (!PrioPacketClient_areEqual (pB, qA));
mu_check (!PrioPacketClient_areEqual (pA, qB));
}
cleanup:
PrioPacketClient_clear (pA);
PrioPacketClient_clear (pB);
PrioPacketClient_clear (qA);
PrioPacketClient_clear (qB);
PrioConfig_clear (cfg);
PrioConfig_clear (cfg2);
msgpack_sbuffer_destroy (&sbufA);
msgpack_sbuffer_destroy (&sbufB);
msgpack_unpacker_destroy (&upkA);
msgpack_unpacker_destroy (&upkB);
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
}
void mu_test__serial_client (void)
{
serial_client (0);
}
void mu_test__serial_client_bad1 (void)
{
serial_client (1);
}
void mu_test__serial_client_bad2 (void)
{
serial_client (2);
}
void mu_test__serial_client_bad3 (void)
{
serial_client (3);
}
void test_verify1 (int bad)
{
SECStatus rv = SECSuccess;
PrioPacketVerify1 v1 = NULL;
PrioPacketVerify1 v2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest (1));
P_CHECKA (v1 = PrioPacketVerify1_new());
P_CHECKA (v2 = PrioPacketVerify1_new());
mp_set (&v1->share_d, 4);
mp_set (&v1->share_e, 10);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioPacketVerify1_write (v1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 6);
}
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioPacketVerify1_read (v2, &upk, cfg));
mu_check (!mp_cmp (&v1->share_d, &v2->share_d));
mu_check (!mp_cmp (&v1->share_e, &v2->share_e));
mu_check (!mp_cmp_d (&v2->share_d, 4));
mu_check (!mp_cmp_d (&v2->share_e, 10));
cleanup:
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioPacketVerify1_clear (v1);
PrioPacketVerify1_clear (v2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
}
void mu_test_verify1_good (void)
{
test_verify1 (0);
}
void mu_test_verify1_bad (void)
{
test_verify1 (1);
}
void test_verify2 (int bad)
{
SECStatus rv = SECSuccess;
PrioPacketVerify2 v1 = NULL;
PrioPacketVerify2 v2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest (1));
P_CHECKA (v1 = PrioPacketVerify2_new());
P_CHECKA (v2 = PrioPacketVerify2_new());
mp_set (&v1->share_out, 4);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioPacketVerify2_write (v1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 4);
}
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioPacketVerify2_read (v2, &upk, cfg));
mu_check (!mp_cmp (&v1->share_out, &v2->share_out));
mu_check (!mp_cmp_d (&v2->share_out, 4));
cleanup:
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioPacketVerify2_clear (v1);
PrioPacketVerify2_clear (v2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
}
void mu_test_verify2_good (void)
{
test_verify2 (0);
}
void mu_test_verify2_bad (void)
{
test_verify2 (1);
}
void test_total_share (int bad)
{
SECStatus rv = SECSuccess;
PrioTotalShare t1 = NULL;
PrioTotalShare t2 = NULL;
PrioConfig cfg = NULL;
P_CHECKA (cfg = PrioConfig_newTest ((bad == 2 ? 4 : 3)));
P_CHECKA (t1 = PrioTotalShare_new ());
P_CHECKA (t2 = PrioTotalShare_new ());
t1->idx = PRIO_SERVER_A;
P_CHECKC (MPArray_resize (t1->data_shares, 3));
mp_set (&t1->data_shares->data[0], 10);
mp_set (&t1->data_shares->data[1], 20);
mp_set (&t1->data_shares->data[2], 30);
msgpack_sbuffer sbuf;
msgpack_packer pk;
msgpack_unpacker upk;
msgpack_sbuffer_init (&sbuf);
msgpack_packer_init (&pk, &sbuf, msgpack_sbuffer_write);
P_CHECKC (PrioTotalShare_write (t1, &pk));
if (bad == 1) {
mp_set (&cfg->modulus, 4);
}
P_CHECKCB (msgpack_unpacker_init (&upk, 0));
P_CHECKCB (msgpack_unpacker_reserve_buffer (&upk, sbuf.size));
memcpy (msgpack_unpacker_buffer (&upk), sbuf.data, sbuf.size);
msgpack_unpacker_buffer_consumed (&upk, sbuf.size);
P_CHECKC (PrioTotalShare_read (t2, &upk, cfg));
mu_check (t1->idx == t2->idx);
mu_check (MPArray_areEqual (t1->data_shares, t2->data_shares));
cleanup:
mu_check (bad ? rv == SECFailure : rv == SECSuccess);
PrioConfig_clear (cfg);
PrioTotalShare_clear (t1);
PrioTotalShare_clear (t2);
msgpack_unpacker_destroy (&upk);
msgpack_sbuffer_destroy (&sbuf);
}
void mu_test_total_good (void)
{
test_total_share (0);
}
void mu_test_total_bad1 (void)
{
test_total_share (1);
}
void mu_test_total_bad2 (void)
{
test_total_share (2);
}

298
third_party/prio/ptest/server_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,298 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include <mprio.h>
#include "mutest.h"
#include "prio/client.h"
#include "prio/server.h"
#include "prio/server.c"
void mu_test__eval_poly (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
MPArray coeffs = NULL;
mp_int eval_at, out;
MP_DIGITS (&eval_at) = NULL;
MP_DIGITS (&out) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (54));
P_CHECKA (coeffs = MPArray_new (3));
mp_set (&coeffs->data[0], 2);
mp_set (&coeffs->data[1], 8);
mp_set (&coeffs->data[2], 3);
MP_CHECKC (mp_init (&eval_at));
MP_CHECKC (mp_init (&out));
mp_set (&eval_at, 7);
const int val = 3*7*7 + 8*7 + 2;
mu_check (poly_eval (&out, coeffs, &eval_at, cfg) == SECSuccess);
mu_check (mp_cmp_d (&out, val) == 0);
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&out);
mp_clear (&eval_at);
MPArray_clear (coeffs);
PrioConfig_clear (cfg);
}
void
mu_test__verify_new (void)
{
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
mp_int fR, gR, hR;
MP_DIGITS (&fR) = NULL;
MP_DIGITS (&gR) = NULL;
MP_DIGITS (&hR) = NULL;
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (214, pkA, pkB,
(unsigned char *)"testbatch", 9));
const int ndata = PrioConfig_numDataFields (cfg);
{
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
}
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen, &for_b, &bLen));
MP_CHECKC (mp_init (&fR));
MP_CHECKC (mp_init (&gR));
MP_CHECKC (mp_init (&hR));
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
PrioPacketClient pA = vA->clientp;
PrioPacketClient pB = vB->clientp;
MP_CHECKC (mp_addmod (&pA->f0_share, &pB->f0_share, &cfg->modulus, &fR));
MP_CHECKC (mp_addmod (&pA->g0_share, &pB->g0_share, &cfg->modulus, &gR));
MP_CHECKC (mp_addmod (&pA->h0_share, &pB->h0_share, &cfg->modulus, &hR));
MP_CHECKC (mp_mulmod (&fR, &gR, &cfg->modulus, &fR));
mu_check (mp_cmp (&fR, &hR) == 0);
MP_CHECKC (mp_addmod (&vA->share_fR, &vB->share_fR, &cfg->modulus, &fR));
MP_CHECKC (mp_addmod (&vA->share_gR, &vB->share_gR, &cfg->modulus, &gR));
MP_CHECKC (mp_addmod (&vA->share_hR, &vB->share_hR, &cfg->modulus, &hR));
MP_CHECKC (mp_mulmod (&fR, &gR, &cfg->modulus, &fR));
//puts ("fR");
//mp_print (&fR, stdout);
//puts ("hR");
//mp_print (&hR, stdout);
mu_check (mp_cmp (&fR, &hR) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
if (for_a) free (for_a);
if (for_b) free (for_b);
mp_clear (&fR);
mp_clear (&gR);
mp_clear (&hR);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
}
void
verify_full (int tweak)
{
SECStatus rv = SECSuccess;
PublicKey pkA = NULL;
PublicKey pkB = NULL;
PrivateKey skA = NULL;
PrivateKey skB = NULL;
PrioConfig cfg = NULL;
PrioServer sA = NULL;
PrioServer sB = NULL;
PrioVerifier vA = NULL;
PrioVerifier vB = NULL;
PrioPacketVerify1 p1A = NULL;
PrioPacketVerify1 p1B = NULL;
PrioPacketVerify2 p2A = NULL;
PrioPacketVerify2 p2B = NULL;
unsigned char *for_a = NULL;
unsigned char *for_b = NULL;
mp_int fR, gR, hR;
MP_DIGITS (&fR) = NULL;
MP_DIGITS (&gR) = NULL;
MP_DIGITS (&hR) = NULL;
PrioPRGSeed seed;
P_CHECKC (PrioPRGSeed_randomize (&seed));
P_CHECKC (Keypair_new (&skA, &pkA));
P_CHECKC (Keypair_new (&skB, &pkB));
P_CHECKA (cfg = PrioConfig_new (47, pkA, pkB, (unsigned char *)"test4", 5));
const int ndata = PrioConfig_numDataFields (cfg);
{
bool data_items[ndata];
for (int i=0; i < ndata; i++) {
// Arbitrary data
data_items[i] = (i % 3 == 1) || (i % 5 == 3);
}
P_CHECKA (sA = PrioServer_new (cfg, 0, skA, seed));
P_CHECKA (sB = PrioServer_new (cfg, 1, skB, seed));
unsigned int aLen, bLen;
P_CHECKC (PrioClient_encode (cfg, data_items, &for_a, &aLen, &for_b, &bLen));
if (tweak == 5) {
for_a[3] = 3;
for_a[4] = 4;
}
P_CHECKA (vA = PrioVerifier_new (sA));
P_CHECKA (vB = PrioVerifier_new (sB));
P_CHECKC (PrioVerifier_set_data (vA, for_a, aLen));
P_CHECKC (PrioVerifier_set_data (vB, for_b, bLen));
if (tweak == 3) {
mp_add_d (&vA->share_fR, 1, &vA->share_fR);
}
if (tweak == 4) {
mp_add_d (&vB->share_gR, 1, &vB->share_gR);
}
P_CHECKA (p1A = PrioPacketVerify1_new ());
P_CHECKA (p1B = PrioPacketVerify1_new ());
P_CHECKC (PrioPacketVerify1_set_data (p1A, vA));
P_CHECKC (PrioPacketVerify1_set_data (p1B, vB));
if (tweak == 1) {
mp_add_d (&p1B->share_d, 1, &p1B->share_d);
}
P_CHECKA (p2A = PrioPacketVerify2_new ());
P_CHECKA (p2B = PrioPacketVerify2_new ());
P_CHECKC (PrioPacketVerify2_set_data (p2A, vA, p1A, p1B));
P_CHECKC (PrioPacketVerify2_set_data (p2B, vB, p1A, p1B));
if (tweak == 2) {
mp_add_d (&p2A->share_out, 1, &p2B->share_out);
}
int shouldBe = tweak ? SECFailure : SECSuccess;
mu_check (PrioVerifier_isValid (vA, p2A, p2B) == shouldBe);
mu_check (PrioVerifier_isValid (vB, p2A, p2B) == shouldBe);
}
cleanup:
if (!tweak) {
mu_check (rv == SECSuccess);
}
if (for_a) free (for_a);
if (for_b) free (for_b);
PrioPacketVerify2_clear (p2A);
PrioPacketVerify2_clear (p2B);
PrioPacketVerify1_clear (p1A);
PrioPacketVerify1_clear (p1B);
PrioVerifier_clear (vA);
PrioVerifier_clear (vB);
PrioServer_clear (sA);
PrioServer_clear (sB);
PrioConfig_clear (cfg);
PublicKey_clear (pkA);
PublicKey_clear (pkB);
PrivateKey_clear (skA);
PrivateKey_clear (skB);
}
void
mu_test__verify_full_good (void)
{
verify_full (0);
}
void
mu_test__verify_full_bad1 (void)
{
verify_full (1);
}
void
mu_test__verify_full_bad2 (void)
{
verify_full (2);
}
void
mu_test__verify_full_bad3 (void)
{
verify_full (3);
}
void
mu_test__verify_full_bad4 (void)
{
verify_full (4);
}
void
mu_test__verify_full_bad5 (void)
{
verify_full (5);
}

91
third_party/prio/ptest/share_test.c поставляемый Normal file
Просмотреть файл

@ -0,0 +1,91 @@
/*
* Copyright (c) 2018, Henry Corrigan-Gibbs
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <mpi.h>
#include <mprio.h>
#include "prio/client.h"
#include "prio/config.h"
#include "prio/mparray.h"
#include "prio/share.h"
#include "prio/util.h"
#include "mutest.h"
void
mu_test_share (void)
{
SECStatus rv = SECSuccess;
PrioConfig cfg = NULL;
mp_int a, b, c;
BeaverTriple t1 = NULL, t2 = NULL;
MP_DIGITS (&a) = NULL;
MP_DIGITS (&b) = NULL;
MP_DIGITS (&c) = NULL;
P_CHECKA (cfg = PrioConfig_newTest (93));
P_CHECKA (t1 = BeaverTriple_new ());
P_CHECKA (t2 = BeaverTriple_new ());
mu_check (BeaverTriple_set_rand (cfg, t1, t2) == SECSuccess);
MP_CHECKC (mp_init (&a));
MP_CHECKC (mp_init (&b));
MP_CHECKC (mp_init (&c));
mu_check (mp_addmod (&t1->a, &t2->a, &cfg->modulus, &a) == MP_OKAY);
mu_check (mp_addmod (&t1->b, &t2->b, &cfg->modulus, &b) == MP_OKAY);
mu_check (mp_addmod (&t1->c, &t2->c, &cfg->modulus, &c) == MP_OKAY);
mu_check (mp_mulmod (&a, &b, &cfg->modulus, &a) == MP_OKAY);
mu_check (mp_cmp (&a, &c) == 0);
cleanup:
mu_check (rv == SECSuccess);
mp_clear (&a);
mp_clear (&b);
mp_clear (&c);
PrioConfig_clear (cfg);
BeaverTriple_clear (t1);
BeaverTriple_clear (t2);
}
void
mu_test_arr (void)
{
SECStatus rv = SECSuccess;
MPArray arr = NULL;
MPArray arr2 = NULL;
P_CHECKA (arr = MPArray_new (10));
P_CHECKA (arr2 = MPArray_new (7));
for (int i=0; i<10; i++) {
mp_set (&arr->data[i], i);
}
P_CHECKC (MPArray_resize (arr, 15));
for (int i=10; i<15; i++) {
mu_check (mp_cmp_d (&arr->data[i], 0) == 0);
mp_set (&arr->data[i], i);
}
P_CHECKC (MPArray_resize (arr, 7));
for (int i=10; i<7; i++) {
mu_check (mp_cmp_d (&arr->data[i], i) == 0);
}
P_CHECKC (MPArray_copy (arr2, arr));
for (int i=10; i<7; i++) {
mu_check (mp_cmp (&arr->data[i], &arr2->data[i]) == 0);
}
cleanup:
mu_check (rv == SECSuccess);
MPArray_clear (arr);
MPArray_clear (arr2);
}

32
third_party/prio/update.sh поставляемый Normal file
Просмотреть файл

@ -0,0 +1,32 @@
#!/bin/sh
# Script to update the mozilla in-tree copy of the Prio library.
# Run this within the /third_party/prio directory of the source tree.
MY_TEMP_DIR=`mktemp -d -t libprio_update.XXXXXX` || exit 1
VERSION=1.8.7
git clone https://github.com/mozilla/libprio ${MY_TEMP_DIR}/libprio
git -C ${MY_TEMP_DIR}/libprio checkout ${VERSION}
COMMIT=$(git -C ${MY_TEMP_DIR}/libprio rev-parse HEAD)
perl -p -i -e "s/(\d+\.)(\d+\.)(\d+)/${VERSION}/" README-mozilla;
perl -p -i -e "s/\[commit [0-9a-f]{40}\]/[commit ${COMMIT}]/" README-mozilla;
FILES="LICENSE README.md SConstruct browser-test include pclient prio ptest"
for f in $FILES; do
rm -rf $f
mv ${MY_TEMP_DIR}/libprio/$f $f
done
rm -rf ${MY_TEMP_DIR}
hg revert -r . moz.build
hg addremove
echo "###"
echo "### Updated Prio to $COMMIT."
echo "### Remember to verify and commit the changes to source control!"
echo "###"