blob: 75db80294b253d0e3e8d2b3ae94d128f48f5f30a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
{-# LANGUAGE OverloadedStrings, MultiParamTypeClasses #-}
{- Copyright 2016 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU AGPL version 3 or higher.
-}
module Shard where
import Types
import Tunables
import ExpensiveHash
import Cost
import qualified Crypto.SecretSharing.Internal as SS
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy as BL
import qualified Raaz.Core.Encode as Raaz
import qualified Raaz.Hash.Sha256 as Raaz
import qualified Data.Text as T
import qualified Data.Text.Encoding as E
import Data.Monoid
import Control.DeepSeq
data ShardIdents = ShardIdents
{ getIdents :: [StorableObjectIdent]
, identsCreationCost :: Cost CreationOp
, identsBruteForceCalc :: CostCalc BruteForceOp UnknownName
}
instance NFData ShardIdents where
rnf = rnf . getIdents
instance HasCreationCost ShardIdents where
getCreationCost = identsCreationCost
instance Bruteforceable ShardIdents UnknownName where
getBruteCostCalc = identsBruteForceCalc
-- | Generates identifiers to use for storing shards.
--
-- This is an expensive operation, to make it difficult for an attacker
-- to brute force known/guessed names and find matching shards.
-- The keyid or filename is used as a salt, both to avoid collisions
-- when the same name is chosen for multiple keys, and to prevent the
-- attacker from using a rainbow table from names to expensivehashes.
shardIdents :: Tunables -> Name -> SecretKeySource -> ShardIdents
shardIdents tunables (Name name) keyid =
ShardIdents idents creationcost bruteforcecalc
where
(ExpensiveHash creationcost basename) =
expensiveHash hashtunables (Salt keyid) name
mk n = StorableObjectIdent $ Raaz.toByteString $ mksha $
E.encodeUtf8 $ basename <> T.pack (show n)
mksha :: B.ByteString -> Raaz.Base16
mksha = Raaz.encode . Raaz.sha256
idents = map mk [1..totalObjects (shardParams tunables)]
bruteforcecalc = bruteForceLinearSearch creationcost
hashtunables = nameGenerationHash $ nameGenerationTunable tunables
genShards :: EncryptedSecretKey -> Tunables -> IO [Shard]
genShards (EncryptedSecretKey esk _) tunables = do
shares <- SS.encode
(neededObjects $ shardParams tunables)
(totalObjects $ shardParams tunables)
(BL.fromStrict esk)
return $ map (\(n, share) -> Shard n (StorableObject $ encodeShare share))
(zip [1..] shares)
combineShards :: Tunables -> [Shard] -> Either String EncryptedSecretKey
combineShards tunables shards
| null shards =
Left "No shards could be downloaded. Perhaps you entered the wrong name or password?"
| length shards < neededObjects (shardParams tunables) =
Left "Not enough are shards currently available to reconstruct your data."
| otherwise = Right $ mk $ SS.decode $ map decodeshard shards
where
mk b = EncryptedSecretKey (BL.toStrict b) unknownCostCalc
decodeshard (Shard sharenum so) = decodeShare sharenum sharesneeded $
fromStorableObject so
sharesneeded = neededObjects $ shardParams tunables
-- | This efficient encoding relies on the share using a finite field of
-- size 256, so it maps directly to bytes.
--
-- Note that this does not include the share number in the encoded
-- bytestring. This prevents an attacker from partitioning their shards
-- by share number.
encodeShare :: SS.Share -> B.ByteString
encodeShare = B.pack . map (fromIntegral . SS.shareValue) . SS.theShare
decodeShare :: Int -> Int -> B.ByteString -> SS.Share
decodeShare sharenum sharesneeded = SS.Share . map mk . B.unpack
where
mk w = SS.ByteShare
{ SS.shareId = sharenum
, SS.reconstructionThreshold = sharesneeded
, SS.shareValue = fromIntegral w
}
|
