/*
- This file is part of GNUnet.
- (C) 2001, 2002, 2003, 2004, 2005, 2006, 2009 Christian Grothoff (and other contributing authors)
-
- GNUnet is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published
- by the Free Software Foundation; either version 2, or (at your
- option) any later version.
-
- GNUnet is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with GNUnet; see the file COPYING. If not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
+ This file is part of GNUnet
+ Copyright (C) 2014,2016 GNUnet e.V.
+
+ GNUnet is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ GNUnet is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ GNUnet; see the file COPYING. If not, If not, see <http://www.gnu.org/licenses/>
*/
/**
* @file util/crypto_rsa.c
- * @brief public key cryptography (RSA) with libgcrypt
+ * @brief Chaum-style Blind signatures based on RSA
+ * @author Sree Harsha Totakura <sreeharsha@totakura.in>
* @author Christian Grothoff
- *
- * Note that the code locks often needlessly on the gcrypt-locking api.
- * One would think that simple MPI operations should not require locking
- * (since only global operations on the random pool must be locked,
- * strictly speaking). But libgcrypt does sometimes require locking in
- * unexpected places, so the safe solution is to always lock even if it
- * is not required. The performance impact is minimal anyway.
+ * @author Jeffrey Burdges <burdges@gnunet.org>
*/
-
#include "platform.h"
#include <gcrypt.h>
-#include "gnunet_common.h"
-#include "gnunet_util_lib.h"
-
-#define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__)
-
-#define LOG_STRERROR(kind,syscall) GNUNET_log_from_strerror (kind, "util", syscall)
+#include "gnunet_crypto_lib.h"
-#define LOG_STRERROR_FILE(kind,syscall,filename) GNUNET_log_from_strerror_file (kind, "util", syscall, filename)
+#define LOG(kind,...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)
/**
* The private information of an RSA key pair.
- * NOTE: this must match the definition in crypto_ksk.c and gnunet-rsa.c!
*/
struct GNUNET_CRYPTO_RsaPrivateKey
{
+ /**
+ * Libgcrypt S-expression for the RSA private key.
+ */
gcry_sexp_t sexp;
};
-#define HOSTKEY_LEN 2048
-
-#define EXTRA_CHECKS ALLOW_EXTRA_CHECKS
-
-
/**
- * Log an error message at log-level 'level' that indicates
- * a failure of the command 'cmd' with the message given
- * by gcry_strerror(rc).
+ * The public information of an RSA key pair.
*/
-#define LOG_GCRY(level, cmd, rc) do { LOG(level, _("`%s' failed at %s:%d with error: %s\n"), cmd, __FILE__, __LINE__, gcry_strerror(rc)); } while(0);
+struct GNUNET_CRYPTO_RsaPublicKey
+{
+ /**
+ * Libgcrypt S-expression for the RSA public key.
+ */
+ gcry_sexp_t sexp;
+};
+
/**
- * If target != size, move target bytes to the
- * end of the size-sized buffer and zero out the
- * first target-size bytes.
+ * @brief an RSA signature
*/
-static void
-adjust (unsigned char *buf, size_t size, size_t target)
+struct GNUNET_CRYPTO_RsaSignature
{
- if (size < target)
- {
- memmove (&buf[target - size], buf, size);
- memset (buf, 0, target - size);
- }
-}
+ /**
+ * Libgcrypt S-expression for the RSA signature.
+ */
+ gcry_sexp_t sexp;
+};
/**
- * Free memory occupied by hostkey
- * @param hostkey pointer to the memory to free
+ * @brief RSA blinding key
*/
-void
-GNUNET_CRYPTO_rsa_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *hostkey)
+struct RsaBlindingKey
{
- gcry_sexp_release (hostkey->sexp);
- GNUNET_free (hostkey);
-}
+ /**
+ * Random value used for blinding.
+ */
+ gcry_mpi_t r;
+};
/**
- * FIXME: document!
+ * Extract values from an S-expression.
+ *
+ * @param array where to store the result(s)
+ * @param sexp S-expression to parse
+ * @param topname top-level name in the S-expression that is of interest
+ * @param elems names of the elements to extract
+ * @return 0 on success
*/
static int
-key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname,
+key_from_sexp (gcry_mpi_t *array,
+ gcry_sexp_t sexp,
+ const char *topname,
const char *elems)
{
- gcry_sexp_t list, l2;
+ gcry_sexp_t list;
+ gcry_sexp_t l2;
const char *s;
- int i, idx;
+ unsigned int i;
+ unsigned int idx;
- list = gcry_sexp_find_token (sexp, topname, 0);
- if (!list)
- {
+ if (! (list = gcry_sexp_find_token (sexp, topname, 0)))
return 1;
- }
l2 = gcry_sexp_cadr (list);
gcry_sexp_release (list);
list = l2;
- if (!list)
- {
+ if (! list)
return 2;
- }
-
idx = 0;
for (s = elems; *s; s++, idx++)
{
- l2 = gcry_sexp_find_token (list, s, 1);
- if (!l2)
+ if (! (l2 = gcry_sexp_find_token (list, s, 1)))
{
for (i = 0; i < idx; i++)
{
}
array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
gcry_sexp_release (l2);
- if (!array[idx])
+ if (! array[idx])
{
for (i = 0; i < idx; i++)
{
return 0;
}
+
/**
- * Extract the public key of the host.
- * @param priv the private key
- * @param pub where to write the public key
+ * Create a new private key. Caller must free return value.
+ *
+ * @param len length of the key in bits (i.e. 2048)
+ * @return fresh private key
*/
-void
-GNUNET_CRYPTO_rsa_key_get_public (const struct GNUNET_CRYPTO_RsaPrivateKey
- *priv,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
- *pub)
+struct GNUNET_CRYPTO_RsaPrivateKey *
+GNUNET_CRYPTO_rsa_private_key_create (unsigned int len)
{
- gcry_mpi_t skey[2];
- size_t size;
- int rc;
+ struct GNUNET_CRYPTO_RsaPrivateKey *ret;
+ gcry_sexp_t s_key;
+ gcry_sexp_t s_keyparam;
- rc = key_from_sexp (skey, priv->sexp, "public-key", "ne");
- if (rc)
- rc = key_from_sexp (skey, priv->sexp, "private-key", "ne");
- if (rc)
- rc = key_from_sexp (skey, priv->sexp, "rsa", "ne");
- GNUNET_assert (0 == rc);
- pub->len =
- htons (sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded) -
- sizeof (pub->padding));
- pub->sizen = htons (GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH);
- pub->padding = 0;
- size = GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH;
GNUNET_assert (0 ==
- gcry_mpi_print (GCRYMPI_FMT_USG, &pub->key[0], size, &size,
- skey[0]));
- adjust (&pub->key[0], size, GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH);
- size = GNUNET_CRYPTO_RSA_KEY_LENGTH - GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH;
+ gcry_sexp_build (&s_keyparam,
+ NULL,
+ "(genkey(rsa(nbits %d)))",
+ len));
GNUNET_assert (0 ==
- gcry_mpi_print (GCRYMPI_FMT_USG,
- &pub->key
- [GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH], size,
- &size, skey[1]));
- adjust (&pub->key[GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH], size,
- GNUNET_CRYPTO_RSA_KEY_LENGTH -
- GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH);
- gcry_mpi_release (skey[0]);
- gcry_mpi_release (skey[1]);
+ gcry_pk_genkey (&s_key,
+ s_keyparam));
+ gcry_sexp_release (s_keyparam);
+#if EXTRA_CHECKS
+ GNUNET_assert (0 ==
+ gcry_pk_testkey (s_key));
+#endif
+ ret = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
+ ret->sexp = s_key;
+ return ret;
}
/**
- * Convert a public key to a string.
+ * Free memory occupied by the private key.
*
- * @param pub key to convert
- * @return string representing 'pub'
+ * @param key pointer to the memory to free
*/
-char *
-GNUNET_CRYPTO_rsa_public_key_to_string (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *pub)
+void
+GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key)
{
- char *pubkeybuf;
- size_t keylen = (sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded)) * 8;
- char *end;
-
- if (keylen % 5 > 0)
- keylen += 5 - keylen % 5;
- keylen /= 5;
- pubkeybuf = GNUNET_malloc (keylen + 1);
- end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded),
- pubkeybuf,
- keylen);
- if (NULL == end)
- {
- GNUNET_free (pubkeybuf);
- return NULL;
- }
- *end = '\0';
- return pubkeybuf;
+ gcry_sexp_release (key->sexp);
+ GNUNET_free (key);
}
/**
- * Convert a string representing a public key to a public key.
+ * Encode the private key in a format suitable for
+ * storing it into a file.
*
- * @param enc encoded public key
- * @param enclen number of bytes in enc (without 0-terminator)
- * @param pub where to store the public key
- * @return GNUNET_OK on success
+ * @param key the private key
+ * @param[out] buffer set to a buffer with the encoded key
+ * @return size of memory allocated in @a buffer
*/
-int
-GNUNET_CRYPTO_rsa_public_key_from_string (const char *enc,
- size_t enclen,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *pub)
+size_t
+GNUNET_CRYPTO_rsa_private_key_encode (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
+ char **buffer)
{
- size_t keylen = (sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded)) * 8;
-
- if (keylen % 5 > 0)
- keylen += 5 - keylen % 5;
- keylen /= 5;
- if (enclen != keylen)
- return GNUNET_SYSERR;
-
- if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen,
- (unsigned char*) pub,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded)))
- return GNUNET_SYSERR;
- if ( (ntohs (pub->len) != sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded)) ||
- (ntohs (pub->padding) != 0) ||
- (ntohs (pub->sizen) != GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH) )
- return GNUNET_SYSERR;
- return GNUNET_OK;
+ size_t n;
+ char *b;
+
+ n = gcry_sexp_sprint (key->sexp,
+ GCRYSEXP_FMT_DEFAULT,
+ NULL,
+ 0);
+ b = GNUNET_malloc (n);
+ GNUNET_assert ((n - 1) == /* since the last byte is \0 */
+ gcry_sexp_sprint (key->sexp,
+ GCRYSEXP_FMT_DEFAULT,
+ b,
+ n));
+ *buffer = b;
+ return n;
}
/**
- * Internal: publicKey => RSA-Key.
+ * Decode the private key from the data-format back
+ * to the "normal", internal format.
*
- * Note that the return type is not actually a private
- * key but rather an sexpression for the public key!
+ * @param buf the buffer where the private key data is stored
+ * @param len the length of the data in @a buf
+ * @return NULL on error
*/
-static struct GNUNET_CRYPTO_RsaPrivateKey *
-public2PrivateKey (const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
- *publicKey)
+struct GNUNET_CRYPTO_RsaPrivateKey *
+GNUNET_CRYPTO_rsa_private_key_decode (const char *buf,
+ size_t len)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- gcry_sexp_t result;
- gcry_mpi_t n;
- gcry_mpi_t e;
- size_t size;
- size_t erroff;
- int rc;
-
- if ((ntohs (publicKey->sizen) != GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH) ||
- (ntohs (publicKey->len) !=
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded) -
- sizeof (publicKey->padding)))
+ struct GNUNET_CRYPTO_RsaPrivateKey *key;
+ key = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
+ if (0 !=
+ gcry_sexp_new (&key->sexp,
+ buf,
+ len,
+ 0))
{
- GNUNET_break (0);
- return NULL;
- }
- size = GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH;
- rc = gcry_mpi_scan (&n, GCRYMPI_FMT_USG, &publicKey->key[0], size, &size);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- return NULL;
- }
- size = GNUNET_CRYPTO_RSA_KEY_LENGTH - GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH;
- rc = gcry_mpi_scan (&e, GCRYMPI_FMT_USG,
- &publicKey->key[GNUNET_CRYPTO_RSA_DATA_ENCODING_LENGTH],
- size, &size);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
+ LOG (GNUNET_ERROR_TYPE_WARNING,
+ "Decoded private key is not valid\n");
+ GNUNET_free (key);
return NULL;
}
- rc = gcry_sexp_build (&result, &erroff, "(public-key(rsa(n %m)(e %m)))", n,
- e);
- gcry_mpi_release (n);
- gcry_mpi_release (e);
- if (rc)
+ if (0 != gcry_pk_testkey (key->sexp))
{
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); /* erroff gives more info */
+ LOG (GNUNET_ERROR_TYPE_WARNING,
+ "Decoded private key is not valid\n");
+ GNUNET_CRYPTO_rsa_private_key_free (key);
return NULL;
}
- ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPrivateKey));
- ret->sexp = result;
- return ret;
+ return key;
}
/**
- * Encode the private key in a format suitable for
- * storing it into a file.
- * @returns encoding of the private key.
- * The first 4 bytes give the size of the array, as usual.
+ * Extract the public key of the given private key.
+ *
+ * @param priv the private key
+ * @retur NULL on error, otherwise the public key
*/
-struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *
-GNUNET_CRYPTO_rsa_encode_key (const struct GNUNET_CRYPTO_RsaPrivateKey *hostkey)
+struct GNUNET_CRYPTO_RsaPublicKey *
+GNUNET_CRYPTO_rsa_private_key_get_public (const struct GNUNET_CRYPTO_RsaPrivateKey *priv)
{
- struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *retval;
- gcry_mpi_t pkv[6];
- void *pbu[6];
- size_t sizes[6];
+ struct GNUNET_CRYPTO_RsaPublicKey *pub;
+ gcry_mpi_t ne[2];
int rc;
- int i;
- int size;
+ gcry_sexp_t result;
-#if EXTRA_CHECKS
- if (gcry_pk_testkey (hostkey->sexp))
+ rc = key_from_sexp (ne, priv->sexp, "public-key", "ne");
+ if (0 != rc)
+ rc = key_from_sexp (ne, priv->sexp, "private-key", "ne");
+ if (0 != rc)
+ rc = key_from_sexp (ne, priv->sexp, "rsa", "ne");
+ if (0 != rc)
{
- GNUNET_break (0);
+ GNUNET_break_op (0);
return NULL;
}
-#endif
+ rc = gcry_sexp_build (&result,
+ NULL,
+ "(public-key(rsa(n %m)(e %m)))",
+ ne[0],
+ ne[1]);
+ gcry_mpi_release (ne[0]);
+ gcry_mpi_release (ne[1]);
+ pub = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
+ pub->sexp = result;
+ return pub;
+}
- memset (pkv, 0, sizeof (gcry_mpi_t) * 6);
- rc = key_from_sexp (pkv, hostkey->sexp, "private-key", "nedpqu");
- if (rc)
- rc = key_from_sexp (pkv, hostkey->sexp, "rsa", "nedpqu");
- if (rc)
- rc = key_from_sexp (pkv, hostkey->sexp, "private-key", "nedpq");
- if (rc)
- rc = key_from_sexp (pkv, hostkey->sexp, "rsa", "nedpq");
- if (rc)
- rc = key_from_sexp (pkv, hostkey->sexp, "private-key", "ned");
- if (rc)
- rc = key_from_sexp (pkv, hostkey->sexp, "rsa", "ned");
- GNUNET_assert (0 == rc);
- size = sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded);
- for (i = 0; i < 6; i++)
- {
- if (pkv[i] != NULL)
- {
- GNUNET_assert (0 ==
- gcry_mpi_aprint (GCRYMPI_FMT_USG,
- (unsigned char **) &pbu[i], &sizes[i],
- pkv[i]));
- size += sizes[i];
- }
- else
- {
- pbu[i] = NULL;
- sizes[i] = 0;
- }
- }
- GNUNET_assert (size < 65536);
- retval = GNUNET_malloc (size);
- retval->len = htons (size);
- i = 0;
- retval->sizen = htons (sizes[0]);
- memcpy (&((char *) (&retval[1]))[i], pbu[0], sizes[0]);
- i += sizes[0];
- retval->sizee = htons (sizes[1]);
- memcpy (&((char *) (&retval[1]))[i], pbu[1], sizes[1]);
- i += sizes[1];
- retval->sized = htons (sizes[2]);
- memcpy (&((char *) (&retval[1]))[i], pbu[2], sizes[2]);
- i += sizes[2];
- /* swap p and q! */
- retval->sizep = htons (sizes[4]);
- memcpy (&((char *) (&retval[1]))[i], pbu[4], sizes[4]);
- i += sizes[4];
- retval->sizeq = htons (sizes[3]);
- memcpy (&((char *) (&retval[1]))[i], pbu[3], sizes[3]);
- i += sizes[3];
- retval->sizedmp1 = htons (0);
- retval->sizedmq1 = htons (0);
- memcpy (&((char *) (&retval[1]))[i], pbu[5], sizes[5]);
- for (i = 0; i < 6; i++)
- {
- if (pkv[i] != NULL)
- gcry_mpi_release (pkv[i]);
- if (pbu[i] != NULL)
- free (pbu[i]);
- }
- return retval;
+
+/**
+ * Free memory occupied by the public key.
+ *
+ * @param key pointer to the memory to free
+ */
+void
+GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key)
+{
+ gcry_sexp_release (key->sexp);
+ GNUNET_free (key);
}
/**
- * Decode the private key from the file-format back
- * to the "normal", internal format.
+ * Encode the public key in a format suitable for
+ * storing it into a file.
*
- * @param buf the buffer where the private key data is stored
- * @param len the length of the data in 'buffer'
+ * @param key the private key
+ * @param[out] buffer set to a buffer with the encoded key
+ * @return size of memory allocated in @a buffer
*/
-struct GNUNET_CRYPTO_RsaPrivateKey *
-GNUNET_CRYPTO_rsa_decode_key (const char *buf, uint16_t len)
+size_t
+GNUNET_CRYPTO_rsa_public_key_encode (const struct GNUNET_CRYPTO_RsaPublicKey *key,
+ char **buffer)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- const struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *encoding =
- (const struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *) buf;
- gcry_sexp_t res;
- gcry_mpi_t n, e, d, p, q, u;
- int rc;
- size_t size;
- int pos;
- uint16_t enc_len;
+ size_t n;
+ char *b;
+
+ n = gcry_sexp_sprint (key->sexp,
+ GCRYSEXP_FMT_ADVANCED,
+ NULL,
+ 0);
+ b = GNUNET_malloc (n);
+ GNUNET_assert ((n -1) == /* since the last byte is \0 */
+ gcry_sexp_sprint (key->sexp,
+ GCRYSEXP_FMT_ADVANCED,
+ b,
+ n));
+ *buffer = b;
+ return n;
+}
- enc_len = ntohs (encoding->len);
- if (len != enc_len)
- return NULL;
- pos = 0;
- size = ntohs (encoding->sizen);
- rc = gcry_mpi_scan (&n, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- pos += ntohs (encoding->sizen);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- return NULL;
- }
- size = ntohs (encoding->sizee);
- rc = gcry_mpi_scan (&e, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- pos += ntohs (encoding->sizee);
- if (rc)
+/**
+ * Compute hash over the public key.
+ *
+ * @param key public key to hash
+ * @param hc where to store the hash code
+ */
+void
+GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key,
+ struct GNUNET_HashCode *hc)
+{
+ char *buf;
+ size_t buf_size;
+
+ buf_size = GNUNET_CRYPTO_rsa_public_key_encode (key,
+ &buf);
+ GNUNET_CRYPTO_hash (buf,
+ buf_size,
+ hc);
+ GNUNET_free (buf);
+}
+
+
+/**
+ * Decode the public key from the data-format back
+ * to the "normal", internal format.
+ *
+ * @param buf the buffer where the public key data is stored
+ * @param len the length of the data in @a buf
+ * @return NULL on error
+ */
+struct GNUNET_CRYPTO_RsaPublicKey *
+GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
+ size_t len)
+{
+ struct GNUNET_CRYPTO_RsaPublicKey *key;
+ gcry_mpi_t n;
+ int ret;
+
+ key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
+ if (0 !=
+ gcry_sexp_new (&key->sexp,
+ buf,
+ len,
+ 0))
{
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
+ GNUNET_break_op (0);
+ GNUNET_free (key);
return NULL;
}
- size = ntohs (encoding->sized);
- rc = gcry_mpi_scan (&d, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- pos += ntohs (encoding->sized);
- if (rc)
+ /* verify that this is an RSA public key */
+ ret = key_from_sexp (&n, key->sexp, "public-key", "n");
+ if (0 != ret)
+ ret = key_from_sexp (&n, key->sexp, "rsa", "n");
+ if (0 != ret)
{
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
- gcry_mpi_release (e);
+ /* this is no public RSA key */
+ GNUNET_break (0);
+ gcry_sexp_release (key->sexp);
+ GNUNET_free (key);
return NULL;
}
- /* swap p and q! */
- size = ntohs (encoding->sizep);
- if (size > 0)
- {
- rc = gcry_mpi_scan (&q, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- pos += ntohs (encoding->sizep);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
- gcry_mpi_release (e);
- gcry_mpi_release (d);
- return NULL;
- }
- }
- else
- q = NULL;
- size = ntohs (encoding->sizeq);
- if (size > 0)
- {
- rc = gcry_mpi_scan (&p, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- pos += ntohs (encoding->sizeq);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
- gcry_mpi_release (e);
- gcry_mpi_release (d);
- if (q != NULL)
- gcry_mpi_release (q);
- return NULL;
- }
- }
- else
- p = NULL;
- pos += ntohs (encoding->sizedmp1);
- pos += ntohs (encoding->sizedmq1);
- size =
- ntohs (encoding->len) - sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded) - pos;
- if (size > 0)
- {
- rc = gcry_mpi_scan (&u, GCRYMPI_FMT_USG,
- &((const unsigned char *) (&encoding[1]))[pos], size,
- &size);
- if (rc)
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
- gcry_mpi_release (n);
- gcry_mpi_release (e);
- gcry_mpi_release (d);
- if (p != NULL)
- gcry_mpi_release (p);
- if (q != NULL)
- gcry_mpi_release (q);
- return NULL;
- }
- }
- else
- u = NULL;
-
- if ((p != NULL) && (q != NULL) && (u != NULL))
- {
- rc = gcry_sexp_build (&res, &size, /* erroff */
- "(private-key(rsa(n %m)(e %m)(d %m)(p %m)(q %m)(u %m)))",
- n, e, d, p, q, u);
- }
- else
- {
- if ((p != NULL) && (q != NULL))
- {
- rc = gcry_sexp_build (&res, &size, /* erroff */
- "(private-key(rsa(n %m)(e %m)(d %m)(p %m)(q %m)))",
- n, e, d, p, q);
- }
- else
- {
- rc = gcry_sexp_build (&res, &size, /* erroff */
- "(private-key(rsa(n %m)(e %m)(d %m)))", n, e, d);
- }
- }
gcry_mpi_release (n);
- gcry_mpi_release (e);
- gcry_mpi_release (d);
- if (p != NULL)
- gcry_mpi_release (p);
- if (q != NULL)
- gcry_mpi_release (q);
- if (u != NULL)
- gcry_mpi_release (u);
-
- if (rc)
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
-#if EXTRA_CHECKS
- if (gcry_pk_testkey (res))
- {
- LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
- return NULL;
- }
-#endif
- ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPrivateKey));
- ret->sexp = res;
- return ret;
+ return key;
}
/**
- * Create a new private key. Caller must free return value.
+ * Test for malicious RSA key.
*
- * @return fresh private key
+ * Assuming n is an RSA modulous and r is generated using a call to
+ * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a
+ * malicious RSA key designed to deanomize the user.
+ *
+ * @param r KDF result
+ * @param n RSA modulus
+ * @return True if gcd(r,n) = 1, False means RSA key is malicious
*/
-static struct GNUNET_CRYPTO_RsaPrivateKey *
-rsa_key_create ()
+static int
+rsa_gcd_validate(gcry_mpi_t r, gcry_mpi_t n)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- gcry_sexp_t s_key;
- gcry_sexp_t s_keyparam;
+ gcry_mpi_t g;
+ int t;
- GNUNET_assert (0 ==
- gcry_sexp_build (&s_keyparam, NULL,
- "(genkey(rsa(nbits %d)(rsa-use-e 3:257)))",
- HOSTKEY_LEN));
- GNUNET_assert (0 == gcry_pk_genkey (&s_key, s_keyparam));
- gcry_sexp_release (s_keyparam);
-#if EXTRA_CHECKS
- GNUNET_assert (0 == gcry_pk_testkey (s_key));
-#endif
- ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPrivateKey));
- ret->sexp = s_key;
- return ret;
+ g = gcry_mpi_new (0);
+ t = gcry_mpi_gcd(g,r,n);
+ gcry_mpi_release (g);
+ return t;
}
/**
- * Try to read the private key from the given file.
+ * Create a blinding key
*
- * @param filename file to read the key from
- * @return NULL on error
+ * @param len length of the key in bits (i.e. 2048)
+ * @param bks pre-secret to use to derive the blinding key
+ * @return the newly created blinding key, NULL if RSA key is malicious
*/
-static struct GNUNET_CRYPTO_RsaPrivateKey *
-try_read_key (const char *filename)
+static struct RsaBlindingKey *
+rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
+ const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *enc;
- struct GNUNET_DISK_FileHandle *fd;
- OFF_T fs;
- uint16_t len;
-
- if (GNUNET_YES != GNUNET_DISK_file_test (filename))
- return NULL;
+ char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */
+ struct RsaBlindingKey *blind;
+ gcry_mpi_t n;
- /* hostkey file exists already, read it! */
- if (NULL == (fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ,
- GNUNET_DISK_PERM_NONE)))
- {
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename);
- return NULL;
- }
- if (GNUNET_OK != (GNUNET_DISK_file_handle_size (fd, &fs)))
- {
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "stat", filename);
- (void) GNUNET_DISK_file_close (fd);
- return NULL;
- }
- if (0 == fs)
- {
- GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd));
- return NULL;
- }
- if (fs > UINT16_MAX)
- {
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _("File `%s' does not contain a valid private key (too long, %llu bytes). Deleting it.\n"),
- filename,
- (unsigned long long) fs);
- GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd));
- if (0 != UNLINK (filename))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename);
- return NULL;
+ blind = GNUNET_new (struct RsaBlindingKey);
+ GNUNET_assert( NULL != blind );
+
+ /* Extract the composite n from the RSA public key */
+ GNUNET_assert( 0 == key_from_sexp (&n, pkey->sexp, "rsa", "n") );
+ /* Assert that it at least looks like an RSA key */
+ GNUNET_assert( 0 == gcry_mpi_get_flag(n, GCRYMPI_FLAG_OPAQUE) );
+
+ GNUNET_CRYPTO_kdf_mod_mpi (&blind->r,
+ n,
+ xts, strlen(xts),
+ bks, sizeof(*bks),
+ "Blinding KDF");
+ if (0 == rsa_gcd_validate(blind->r, n)) {
+ GNUNET_free (blind);
+ blind = NULL;
}
- enc = GNUNET_malloc (fs);
- GNUNET_break (fs == GNUNET_DISK_file_read (fd, enc, fs));
- len = ntohs (enc->len);
- ret = NULL;
- if ((len != fs) ||
- (NULL == (ret = GNUNET_CRYPTO_rsa_decode_key ((char *) enc, len))))
- {
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _("File `%s' does not contain a valid private key (failed decode, %llu bytes). Deleting it.\n"),
- filename,
- (unsigned long long) fs);
- GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd));
- if (0 != UNLINK (filename))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename);
- GNUNET_free (enc);
- return NULL;
- }
- GNUNET_free (enc);
+ gcry_mpi_release (n);
+ return blind;
+}
+
- GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd));
- return ret;
+/*
+We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the
+previous routine.
+
+There was previously a call to GNUNET_CRYPTO_kdf in
+ bkey = rsa_blinding_key_derive (len, bks);
+that gives exactly len bits where
+ len = GNUNET_CRYPTO_rsa_public_key_len (pkey);
+
+Now r = 2^(len-1)/pkey.n is the probability that a set high bit being
+okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey >
+pkey.n making the effective bkey be
+ bkey mod pkey.n = bkey - pkey.n
+so the effective bkey has its high bit set with probability r/2.
+
+We expect r to be close to 1/2 if the exchange is honest, but the
+exchange can choose r otherwise.
+
+In blind signing, the exchange sees
+ B = bkey * S mod pkey.n
+On deposit, the exchange sees S so they can compute bkey' = B/S mod
+pkey.n for all B they recorded to see if bkey' has it's high bit set.
+Also, note the exchange can compute 1/S efficiently since they know the
+factors of pkey.n.
+
+I suppose that happens with probability r/(1+r) if its the wrong B, not
+completely sure. If otoh we've the right B, then we've the probability
+r/2 of a set high bit in the effective bkey.
+
+Interestingly, r^2-r has a maximum at the default r=1/2 anyways, giving
+the wrong and right probabilities 1/3 and 1/4, respectively.
+
+I feared this gives the exchange a meaningful fraction of a bit of
+information per coin involved in the transaction. It sounds damaging if
+numerous coins were involved. And it could run across transactions in
+some scenarios.
+
+We fixed this by using a more uniform deterministic pseudo-random number
+generator for blinding factors. I do not believe this to be a problem
+for the rsa_full_domain_hash routine, but better safe than sorry.
+*/
+
+
+/**
+ * Compare the values of two signatures.
+ *
+ * @param s1 one signature
+ * @param s2 the other signature
+ * @return 0 if the two are equal
+ */
+int
+GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_RsaSignature *s1,
+ struct GNUNET_CRYPTO_RsaSignature *s2)
+{
+ char *b1;
+ char *b2;
+ size_t z1;
+ size_t z2;
+ int ret;
+
+ z1 = GNUNET_CRYPTO_rsa_signature_encode (s1,
+ &b1);
+ z2 = GNUNET_CRYPTO_rsa_signature_encode (s2,
+ &b2);
+ if (z1 != z2)
+ ret = 1;
+ else
+ ret = memcmp (b1,
+ b2,
+ z1);
+ GNUNET_free (b1);
+ GNUNET_free (b2);
+ return ret;
}
/**
- * Wait for a short time (we're trying to lock a file or want
- * to give another process a shot at finishing a disk write, etc.).
- * Sleeps for 100ms (as that should be long enough for virtually all
- * modern systems to context switch and allow another process to do
- * some 'real' work).
+ * Compare the values of two public keys.
+ *
+ * @param p1 one public key
+ * @param p2 the other public key
+ * @return 0 if the two are equal
*/
-static void
-short_wait ()
+int
+GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_RsaPublicKey *p1,
+ struct GNUNET_CRYPTO_RsaPublicKey *p2)
{
- struct GNUNET_TIME_Relative timeout;
+ char *b1;
+ char *b2;
+ size_t z1;
+ size_t z2;
+ int ret;
+
+ z1 = GNUNET_CRYPTO_rsa_public_key_encode (p1,
+ &b1);
+ z2 = GNUNET_CRYPTO_rsa_public_key_encode (p2,
+ &b2);
+ if (z1 != z2)
+ ret = 1;
+ else
+ ret = memcmp (b1,
+ b2,
+ z1);
+ GNUNET_free (b1);
+ GNUNET_free (b2);
+ return ret;
+}
- timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, 100);
- (void) GNUNET_NETWORK_socket_select (NULL, NULL, NULL, timeout);
+
+/**
+ * Compare the values of two private keys.
+ *
+ * @param p1 one private key
+ * @param p2 the other private key
+ * @return 0 if the two are equal
+ */
+int
+GNUNET_CRYPTO_rsa_private_key_cmp (struct GNUNET_CRYPTO_RsaPrivateKey *p1,
+ struct GNUNET_CRYPTO_RsaPrivateKey *p2)
+{
+ char *b1;
+ char *b2;
+ size_t z1;
+ size_t z2;
+ int ret;
+
+ z1 = GNUNET_CRYPTO_rsa_private_key_encode (p1,
+ &b1);
+ z2 = GNUNET_CRYPTO_rsa_private_key_encode (p2,
+ &b2);
+ if (z1 != z2)
+ ret = 1;
+ else
+ ret = memcmp (b1,
+ b2,
+ z1);
+ GNUNET_free (b1);
+ GNUNET_free (b2);
+ return ret;
}
/**
- * Create a new private key by reading it from a file. If the
- * files does not exist, create a new key and write it to the
- * file. Caller must free return value. Note that this function
- * can not guarantee that another process might not be trying
- * the same operation on the same file at the same time.
- * If the contents of the file
- * are invalid the old file is deleted and a fresh key is
- * created.
+ * Obtain the length of the RSA key in bits.
*
- * @return new private key, NULL on error (for example,
- * permission denied)
+ * @param key the public key to introspect
+ * @return length of the key in bits
*/
-struct GNUNET_CRYPTO_RsaPrivateKey *
-GNUNET_CRYPTO_rsa_key_create_from_file (const char *filename)
+unsigned int
+GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *enc;
- uint16_t len;
- struct GNUNET_DISK_FileHandle *fd;
- unsigned int cnt;
- int ec;
- uint64_t fs;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded pub;
- struct GNUNET_PeerIdentity pid;
-
- if (GNUNET_SYSERR == GNUNET_DISK_directory_create_for_file (filename))
- return NULL;
- while (GNUNET_YES != GNUNET_DISK_file_test (filename))
- {
- fd = GNUNET_DISK_file_open (filename,
- GNUNET_DISK_OPEN_WRITE | GNUNET_DISK_OPEN_CREATE
- | GNUNET_DISK_OPEN_FAILIFEXISTS,
- GNUNET_DISK_PERM_USER_READ |
- GNUNET_DISK_PERM_USER_WRITE);
- if (NULL == fd)
- {
- if (errno == EEXIST)
- {
- if (GNUNET_YES != GNUNET_DISK_file_test (filename))
- {
- /* must exist but not be accessible, fail for good! */
- if (0 != ACCESS (filename, R_OK))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "access", filename);
- else
- GNUNET_break (0); /* what is going on!? */
- return NULL;
- }
- continue;
- }
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename);
- return NULL;
- }
- cnt = 0;
+ gcry_mpi_t n;
+ unsigned int rval;
- while (GNUNET_YES !=
- GNUNET_DISK_file_lock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded),
- GNUNET_YES))
- {
- short_wait ();
- if (0 == ++cnt % 10)
- {
- ec = errno;
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _("Could not acquire lock on file `%s': %s...\n"), filename,
- STRERROR (ec));
- }
- }
- LOG (GNUNET_ERROR_TYPE_INFO,
- _("Creating a new private key. This may take a while.\n"));
- ret = rsa_key_create ();
- GNUNET_assert (ret != NULL);
- enc = GNUNET_CRYPTO_rsa_encode_key (ret);
- GNUNET_assert (enc != NULL);
- GNUNET_assert (ntohs (enc->len) ==
- GNUNET_DISK_file_write (fd, enc, ntohs (enc->len)));
- GNUNET_free (enc);
-
- GNUNET_DISK_file_sync (fd);
- if (GNUNET_YES !=
- GNUNET_DISK_file_unlock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded)))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
- GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd));
- GNUNET_CRYPTO_rsa_key_get_public (ret, &pub);
- GNUNET_CRYPTO_hash (&pub, sizeof (pub), &pid.hashPubKey);
- LOG (GNUNET_ERROR_TYPE_INFO,
- _("I am host `%s'. Stored new private key in `%s'.\n"),
- GNUNET_i2s (&pid), filename);
- return ret;
- }
- /* hostkey file exists already, read it! */
- fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ,
- GNUNET_DISK_PERM_NONE);
- if (NULL == fd)
- {
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename);
- return NULL;
- }
- cnt = 0;
- while (1)
- {
- if (GNUNET_YES !=
- GNUNET_DISK_file_lock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded),
- GNUNET_NO))
- {
- if (0 == ++cnt % 60)
- {
- ec = errno;
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _("Could not acquire lock on file `%s': %s...\n"), filename,
- STRERROR (ec));
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _
- ("This may be ok if someone is currently generating a hostkey.\n"));
- }
- short_wait ();
- continue;
- }
- if (GNUNET_YES != GNUNET_DISK_file_test (filename))
- {
- /* eh, what!? File we opened is now gone!? */
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "stat", filename);
- if (GNUNET_YES !=
- GNUNET_DISK_file_unlock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded)))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
- GNUNET_assert (GNUNET_OK == GNUNET_DISK_file_close (fd));
-
- return NULL;
- }
- if (GNUNET_OK != GNUNET_DISK_file_size (filename, &fs, GNUNET_YES, GNUNET_YES))
- fs = 0;
- if (fs < sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded))
- {
- /* maybe we got the read lock before the hostkey generating
- * process had a chance to get the write lock; give it up! */
- if (GNUNET_YES !=
- GNUNET_DISK_file_unlock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded)))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
- if (0 == ++cnt % 10)
- {
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _
- ("When trying to read hostkey file `%s' I found %u bytes but I need at least %u.\n"),
- filename, (unsigned int) fs,
- (unsigned int) sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded));
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _
- ("This may be ok if someone is currently generating a hostkey.\n"));
- }
- short_wait (); /* wait a bit longer! */
- continue;
- }
- break;
- }
- enc = GNUNET_malloc (fs);
- GNUNET_assert (fs == GNUNET_DISK_file_read (fd, enc, fs));
- len = ntohs (enc->len);
- ret = NULL;
- if ((len != fs) ||
- (NULL == (ret = GNUNET_CRYPTO_rsa_decode_key ((char *) enc, len))))
- {
- LOG (GNUNET_ERROR_TYPE_ERROR,
- _("File `%s' does not contain a valid private key. Deleting it.\n"),
- filename);
- if (0 != UNLINK (filename))
- {
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename);
- }
- }
- GNUNET_free (enc);
- if (GNUNET_YES !=
- GNUNET_DISK_file_unlock (fd, 0,
- sizeof (struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded)))
- LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
- GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd));
- if (ret != NULL)
- {
- GNUNET_CRYPTO_rsa_key_get_public (ret, &pub);
- GNUNET_CRYPTO_hash (&pub, sizeof (pub), &pid.hashPubKey);
- LOG (GNUNET_ERROR_TYPE_INFO,
- _("I am host `%s'. Read private key from `%s'.\n"), GNUNET_i2s (&pid),
- filename);
+ if (0 != key_from_sexp (&n, key->sexp, "rsa", "n"))
+ { /* Not an RSA public key */
+ GNUNET_break (0);
+ return 0;
}
- return ret;
+ rval = gcry_mpi_get_nbits (n);
+ gcry_mpi_release (n);
+ return rval;
}
/**
- * Handle to cancel private key generation and state for the
- * key generation operation.
+ * Destroy a blinding key
+ *
+ * @param bkey the blinding key to destroy
*/
-struct GNUNET_CRYPTO_RsaKeyGenerationContext
+static void
+rsa_blinding_key_free (struct RsaBlindingKey *bkey)
{
-
- /**
- * Continuation to call upon completion.
- */
- GNUNET_CRYPTO_RsaKeyCallback cont;
+ gcry_mpi_release (bkey->r);
+ GNUNET_free (bkey);
+}
- /**
- * Closure for 'cont'.
- */
- void *cont_cls;
- /**
- * Name of the file.
- */
- char *filename;
+/**
+ * Print an MPI to a newly created buffer
+ *
+ * @param v MPI to print.
+ * @param[out] newly allocated buffer containing the result
+ * @return number of bytes stored in @a buffer
+ */
+static size_t
+numeric_mpi_alloc_n_print (gcry_mpi_t v,
+ char **buffer)
+{
+ size_t n;
+ char *b;
+ size_t rsize;
+
+ gcry_mpi_print (GCRYMPI_FMT_USG,
+ NULL,
+ 0,
+ &n,
+ v);
+ b = GNUNET_malloc (n);
+ GNUNET_assert (0 ==
+ gcry_mpi_print (GCRYMPI_FMT_USG,
+ (unsigned char *) b,
+ n,
+ &rsize,
+ v));
+ *buffer = b;
+ return n;
+}
- /**
- * Handle to the helper process which does the key generation.
- */
- struct GNUNET_OS_Process *gnunet_rsa;
-
- /**
- * Handle to 'stdout' of gnunet-rsa. We 'read' on stdout to detect
- * process termination (instead of messing with SIGCHLD).
- */
- struct GNUNET_DISK_PipeHandle *gnunet_rsa_out;
- /**
- * Location where we store the private key if it already existed.
- * (if this is used, 'filename', 'gnunet_rsa' and 'gnunet_rsa_out' will
- * not be used).
- */
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
-
- /**
- * Task reading from 'gnunet_rsa_out' to wait for process termination.
- */
- GNUNET_SCHEDULER_TaskIdentifier read_task;
-
-};
+/**
+ * Computes a full domain hash seeded by the given public key.
+ * This gives a measure of provable security to the Taler exchange
+ * against one-more forgery attacks. See:
+ * https://eprint.iacr.org/2001/002.pdf
+ * http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf
+ *
+ * @param hash initial hash of the message to sign
+ * @param pkey the public key of the signer
+ * @param rsize If not NULL, the number of bytes actually stored in buffer
+ * @return MPI value set to the FDH, NULL if RSA key is malicious
+ */
+static gcry_mpi_t
+rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
+ const struct GNUNET_HashCode *hash)
+{
+ gcry_mpi_t r,n;
+ char *xts;
+ size_t xts_len;
+ int ok;
+
+ /* Extract the composite n from the RSA public key */
+ GNUNET_assert( 0 == key_from_sexp (&n, pkey->sexp, "rsa", "n") );
+ /* Assert that it at least looks like an RSA key */
+ GNUNET_assert( 0 == gcry_mpi_get_flag(n, GCRYMPI_FLAG_OPAQUE) );
+
+ /* We key with the public denomination key as a homage to RSA-PSS by *
+ * Mihir Bellare and Phillip Rogaway. Doing this lowers the degree *
+ * of the hypothetical polyomial-time attack on RSA-KTI created by a *
+ * polynomial-time one-more forgary attack. Yey seeding! */
+ xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey, &xts);
+
+ GNUNET_CRYPTO_kdf_mod_mpi (&r,
+ n,
+ xts, xts_len,
+ hash, sizeof(*hash),
+ "RSA-FDA FTpsW!");
+ GNUNET_free (xts);
+
+ ok = rsa_gcd_validate(r,n);
+ gcry_mpi_release (n);
+ if (ok)
+ return r;
+ gcry_mpi_release (r);
+ return NULL;
+}
/**
- * Task called upon shutdown or process termination of 'gnunet-rsa' during
- * RSA key generation. Check where we are and perform the appropriate
- * action.
+ * Blinds the given message with the given blinding key
*
- * @param cls the 'struct GNUNET_CRYPTO_RsaKeyGenerationContext'
- * @param tc scheduler context
+ * @param hash hash of the message to sign
+ * @param bkey the blinding key
+ * @param pkey the public key of the signer
+ * @param[out] buf set to a buffer with the blinded message to be signed
+ * @param[out] buf_size number of bytes stored in @a buf
+ * @return GNUNET_YES if successful, GNUNET_NO if RSA key is malicious
*/
-static void
-check_key_generation_completion (void *cls,
- const struct GNUNET_SCHEDULER_TaskContext *tc)
+int
+GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
+ const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
+ struct GNUNET_CRYPTO_RsaPublicKey *pkey,
+ char **buf, size_t *buf_size)
{
- struct GNUNET_CRYPTO_RsaKeyGenerationContext *gc = cls;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
-
- gc->read_task = GNUNET_SCHEDULER_NO_TASK;
- if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
- {
- gc->cont (gc->cont_cls, NULL, _("interrupted by shutdown"));
- GNUNET_CRYPTO_rsa_key_create_stop (gc);
- return;
- }
- GNUNET_assert (GNUNET_OK ==
- GNUNET_OS_process_wait (gc->gnunet_rsa));
- GNUNET_OS_process_destroy (gc->gnunet_rsa);
- gc->gnunet_rsa = NULL;
- if (NULL == (pk = try_read_key (gc->filename)))
+ struct RsaBlindingKey *bkey;
+ gcry_mpi_t data;
+ gcry_mpi_t ne[2];
+ gcry_mpi_t r_e;
+ gcry_mpi_t data_r_e;
+ int ret;
+
+ GNUNET_assert (buf != NULL && buf_size != NULL);
+ ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne");
+ if (0 != ret)
+ ret = key_from_sexp (ne, pkey->sexp, "rsa", "ne");
+ if (0 != ret)
{
GNUNET_break (0);
- gc->cont (gc->cont_cls, NULL, _("gnunet-rsa failed"));
- GNUNET_CRYPTO_rsa_key_create_stop (gc);
- return;
+ *buf = NULL;
+ *buf_size = 0;
+ return 0;
+ }
+
+ data = rsa_full_domain_hash (pkey, hash);
+ if (NULL == data)
+ goto rsa_gcd_validate_failure;
+
+ bkey = rsa_blinding_key_derive (pkey, bks);
+ if (NULL == bkey) {
+ gcry_mpi_release (data);
+ goto rsa_gcd_validate_failure;
}
- gc->cont (gc->cont_cls, pk, NULL);
- GNUNET_DISK_pipe_close (gc->gnunet_rsa_out);
- GNUNET_free (gc->filename);
- GNUNET_free (gc);
+
+ r_e = gcry_mpi_new (0);
+ gcry_mpi_powm (r_e,
+ bkey->r,
+ ne[1],
+ ne[0]);
+ data_r_e = gcry_mpi_new (0);
+ gcry_mpi_mulm (data_r_e,
+ data,
+ r_e,
+ ne[0]);
+ gcry_mpi_release (data);
+ gcry_mpi_release (ne[0]);
+ gcry_mpi_release (ne[1]);
+ gcry_mpi_release (r_e);
+ rsa_blinding_key_free (bkey);
+
+ *buf_size = numeric_mpi_alloc_n_print (data_r_e, buf);
+ gcry_mpi_release (data_r_e);
+ return GNUNET_YES;
+
+rsa_gcd_validate_failure:
+ /* We know the RSA key is malicious here, so warn the wallet. */
+ /* GNUNET_break_op (0); */
+ gcry_mpi_release (ne[0]);
+ gcry_mpi_release (ne[1]);
+ *buf = NULL;
+ *buf_size = 0;
+ return GNUNET_NO;
}
/**
- * Return the private RSA key which already existed on disk
- * (asynchronously) to the caller.
+ * Convert an MPI to an S-expression suitable for signature operations.
*
- * @param cls the 'struct GNUNET_CRYPTO_RsaKeyGenerationContext'
- * @param tc scheduler context (unused)
+ * @param value pointer to the data to convert
+ * @return converted s-expression
*/
-static void
-async_return_key (void *cls,
- const struct GNUNET_SCHEDULER_TaskContext *tc)
+static gcry_sexp_t
+mpi_to_sexp (gcry_mpi_t value)
{
- struct GNUNET_CRYPTO_RsaKeyGenerationContext *gc = cls;
+ gcry_sexp_t data = NULL;
- gc->cont (gc->cont_cls,
- gc->pk,
- NULL);
- GNUNET_free (gc);
+ GNUNET_assert (0 ==
+ gcry_sexp_build (&data,
+ NULL,
+ "(data (flags raw) (value %M))",
+ value));
+ return data;
}
/**
- * Create a new private key by reading it from a file. If the files
- * does not exist, create a new key and write it to the file. If the
- * contents of the file are invalid the old file is deleted and a
- * fresh key is created.
+ * Sign the given MPI.
*
- * @param filename name of file to use for storage
- * @param cont function to call when done (or on errors)
- * @param cont_cls closure for 'cont'
- * @return handle to abort operation, NULL on fatal errors (cont will not be called if NULL is returned)
+ * @param key private key to use for the signing
+ * @param value the MPI to sign
+ * @return NULL on error, signature on success
*/
-struct GNUNET_CRYPTO_RsaKeyGenerationContext *
-GNUNET_CRYPTO_rsa_key_create_start (const char *filename,
- GNUNET_CRYPTO_RsaKeyCallback cont,
- void *cont_cls)
+static struct GNUNET_CRYPTO_RsaSignature *
+rsa_sign_mpi (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
+ gcry_mpi_t value)
{
- struct GNUNET_CRYPTO_RsaKeyGenerationContext *gc;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
- const char *weak_random;
+ struct GNUNET_CRYPTO_RsaSignature *sig;
+ gcry_sexp_t data;
+ gcry_sexp_t result;
+ int rc;
- if (NULL != (pk = try_read_key (filename)))
- {
- /* quick happy ending: key already exists! */
- gc = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaKeyGenerationContext));
- gc->pk = pk;
- gc->cont = cont;
- gc->cont_cls = cont_cls;
- gc->read_task = GNUNET_SCHEDULER_add_now (&async_return_key,
- gc);
- return gc;
- }
- gc = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaKeyGenerationContext));
- gc->filename = GNUNET_strdup (filename);
- gc->cont = cont;
- gc->cont_cls = cont_cls;
- gc->gnunet_rsa_out = GNUNET_DISK_pipe (GNUNET_NO,
- GNUNET_NO,
- GNUNET_NO,
- GNUNET_YES);
- if (NULL == gc->gnunet_rsa_out)
+ data = mpi_to_sexp (value);
+
+ if (0 !=
+ (rc = gcry_pk_sign (&result,
+ data,
+ key->sexp)))
{
- GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING, "pipe");
- GNUNET_free (gc->filename);
- GNUNET_free (gc);
+ LOG (GNUNET_ERROR_TYPE_WARNING,
+ _("RSA signing failed at %s:%d: %s\n"),
+ __FILE__,
+ __LINE__,
+ gcry_strerror (rc));
+ GNUNET_break (0);
return NULL;
}
- weak_random = NULL;
- if (GNUNET_YES ==
- GNUNET_CRYPTO_random_is_weak ())
- weak_random = "-w";
- gc->gnunet_rsa = GNUNET_OS_start_process (GNUNET_NO,
- GNUNET_OS_INHERIT_STD_ERR,
- NULL,
- gc->gnunet_rsa_out,
- "gnunet-rsa",
- "gnunet-rsa",
- gc->filename,
- weak_random,
- NULL);
- if (NULL == gc->gnunet_rsa)
+
+ /* Lenstra protection was first added to libgcrypt 1.6.4
+ * with commit c17f84bd02d7ee93845e92e20f6ddba814961588.
+ */
+#if GCRYPT_VERSION_NUMBER < 0x010604
+ /* verify signature (guards against Lenstra's attack with fault injection...) */
+ struct GNUNET_CRYPTO_RsaPublicKey *public_key = GNUNET_CRYPTO_rsa_private_key_get_public (key);
+ if (0 !=
+ gcry_pk_verify (result,
+ data,
+ public_key->sexp))
{
- GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING, "fork");
- GNUNET_DISK_pipe_close (gc->gnunet_rsa_out);
- GNUNET_free (gc->filename);
- GNUNET_free (gc);
+ GNUNET_break (0);
+ GNUNET_CRYPTO_rsa_public_key_free (public_key);
+ gcry_sexp_release (data);
+ gcry_sexp_release (result);
return NULL;
}
- GNUNET_assert (GNUNET_OK ==
- GNUNET_DISK_pipe_close_end (gc->gnunet_rsa_out,
- GNUNET_DISK_PIPE_END_WRITE));
- gc->read_task = GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
- GNUNET_DISK_pipe_handle (gc->gnunet_rsa_out,
- GNUNET_DISK_PIPE_END_READ),
- &check_key_generation_completion,
- gc);
- return gc;
+ GNUNET_CRYPTO_rsa_public_key_free (public_key);
+#endif
+
+ /* return signature */
+ gcry_sexp_release (data);
+ sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
+ sig->sexp = result;
+ return sig;
}
/**
- * Abort RSA key generation.
+ * Sign a blinded value, which must be a full domain hash of a message.
*
- * @param gc key generation context to abort
+ * @param key private key to use for the signing
+ * @param msg the message to sign
+ * @param msg_len number of bytes in @a msg to sign
+ * @return NULL on error, signature on success
*/
-void
-GNUNET_CRYPTO_rsa_key_create_stop (struct GNUNET_CRYPTO_RsaKeyGenerationContext *gc)
+struct GNUNET_CRYPTO_RsaSignature *
+GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
+ const void *msg,
+ size_t msg_len)
{
- if (GNUNET_SCHEDULER_NO_TASK != gc->read_task)
- {
- GNUNET_SCHEDULER_cancel (gc->read_task);
- gc->read_task = GNUNET_SCHEDULER_NO_TASK;
- }
- if (NULL != gc->gnunet_rsa)
- {
- (void) GNUNET_OS_process_kill (gc->gnunet_rsa, SIGKILL);
- GNUNET_break (GNUNET_OK ==
- GNUNET_OS_process_wait (gc->gnunet_rsa));
- GNUNET_OS_process_destroy (gc->gnunet_rsa);
- GNUNET_DISK_pipe_close (gc->gnunet_rsa_out);
- }
+ gcry_mpi_t v = NULL;
+ struct GNUNET_CRYPTO_RsaSignature *sig;
- if (NULL != gc->filename)
- {
- if (0 != UNLINK (gc->filename))
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, "unlink", gc->filename);
- GNUNET_free (gc->filename);
- }
- if (NULL != gc->pk)
- GNUNET_CRYPTO_rsa_key_free (gc->pk);
- GNUNET_free (gc);
+ GNUNET_assert (0 ==
+ gcry_mpi_scan (&v,
+ GCRYMPI_FMT_USG,
+ msg,
+ msg_len,
+ NULL));
+
+ sig = rsa_sign_mpi (key, v);
+ gcry_mpi_release (v);
+ return sig;
}
/**
- * Setup a hostkey file for a peer given the name of the
- * configuration file (!). This function is used so that
- * at a later point code can be certain that reading a
- * hostkey is fast (for example in time-dependent testcases).
+ * Create and sign a full domain hash of a message.
*
- * @param cfg_name name of the configuration file to use
+ * @param key private key to use for the signing
+ * @param hash the hash of the message to sign
+ * @return NULL on error, including a malicious RSA key, signature on success
+ */
+struct GNUNET_CRYPTO_RsaSignature *
+GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
+ const struct GNUNET_HashCode *hash)
+{
+ struct GNUNET_CRYPTO_RsaPublicKey *pkey;
+ gcry_mpi_t v = NULL;
+ struct GNUNET_CRYPTO_RsaSignature *sig;
+
+ pkey = GNUNET_CRYPTO_rsa_private_key_get_public (key);
+ v = rsa_full_domain_hash (pkey, hash);
+ GNUNET_CRYPTO_rsa_public_key_free (pkey);
+ if (NULL == v) /* rsa_gcd_validate failed meaning */
+ return NULL; /* our *own* RSA key is malicious. */
+
+ sig = rsa_sign_mpi (key, v);
+ gcry_mpi_release (v);
+ return sig;
+}
+
+
+/**
+ * Free memory occupied by signature.
+ *
+ * @param sig memory to freee
*/
void
-GNUNET_CRYPTO_setup_hostkey (const char *cfg_name)
+GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig)
{
- struct GNUNET_CONFIGURATION_Handle *cfg;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
- char *fn;
-
- cfg = GNUNET_CONFIGURATION_create ();
- (void) GNUNET_CONFIGURATION_load (cfg, cfg_name);
- if (GNUNET_OK ==
- GNUNET_CONFIGURATION_get_value_filename (cfg, "GNUNETD", "HOSTKEY", &fn))
- {
- pk = GNUNET_CRYPTO_rsa_key_create_from_file (fn);
- if (NULL != pk)
- GNUNET_CRYPTO_rsa_key_free (pk);
- GNUNET_free (fn);
- }
- GNUNET_CONFIGURATION_destroy (cfg);
+ gcry_sexp_release (sig->sexp);
+ GNUNET_free (sig);
}
/**
- * Encrypt a block with the public key of another host that uses the
- * same cipher.
+ * Encode the given signature in a format suitable for storing it into a file.
*
- * @param block the block to encrypt
- * @param size the size of block
- * @param publicKey the encoded public key used to encrypt
- * @param target where to store the encrypted block
- * @returns GNUNET_SYSERR on error, GNUNET_OK if ok
+ * @param sig the signature
+ * @param[out] buffer set to a buffer with the encoded key
+ * @return size of memory allocated in @a buffer
*/
-int
-GNUNET_CRYPTO_rsa_encrypt (const void *block, size_t size,
- const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
- *publicKey,
- struct GNUNET_CRYPTO_RsaEncryptedData *target)
+size_t
+GNUNET_CRYPTO_rsa_signature_encode (const struct GNUNET_CRYPTO_RsaSignature *sig,
+ char **buffer)
{
- gcry_sexp_t result;
- gcry_sexp_t data;
- struct GNUNET_CRYPTO_RsaPrivateKey *pubkey;
- gcry_mpi_t val;
- gcry_mpi_t rval;
- size_t isize;
- size_t erroff;
+ size_t n;
+ char *b;
+
+ n = gcry_sexp_sprint (sig->sexp,
+ GCRYSEXP_FMT_ADVANCED,
+ NULL,
+ 0);
+ b = GNUNET_malloc (n);
+ GNUNET_assert ((n - 1) == /* since the last byte is \0 */
+ gcry_sexp_sprint (sig->sexp,
+ GCRYSEXP_FMT_ADVANCED,
+ b,
+ n));
+ *buffer = b;
+ return n;
+}
- GNUNET_assert (size <= sizeof (struct GNUNET_HashCode));
- pubkey = public2PrivateKey (publicKey);
- if (pubkey == NULL)
- return GNUNET_SYSERR;
- isize = size;
- GNUNET_assert (0 ==
- gcry_mpi_scan (&val, GCRYMPI_FMT_USG, block, isize, &isize));
- GNUNET_assert (0 ==
- gcry_sexp_build (&data, &erroff,
- "(data (flags pkcs1)(value %m))", val));
- gcry_mpi_release (val);
- GNUNET_assert (0 == gcry_pk_encrypt (&result, data, pubkey->sexp));
- gcry_sexp_release (data);
- GNUNET_CRYPTO_rsa_key_free (pubkey);
- GNUNET_assert (0 == key_from_sexp (&rval, result, "rsa", "a"));
- gcry_sexp_release (result);
- isize = sizeof (struct GNUNET_CRYPTO_RsaEncryptedData);
- GNUNET_assert (0 ==
- gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *) target,
- isize, &isize, rval));
- gcry_mpi_release (rval);
- adjust (&target->encoding[0], isize,
- sizeof (struct GNUNET_CRYPTO_RsaEncryptedData));
- return GNUNET_OK;
+/**
+ * Decode the signature from the data-format back to the "normal", internal
+ * format.
+ *
+ * @param buf the buffer where the public key data is stored
+ * @param len the length of the data in @a buf
+ * @return NULL on error
+ */
+struct GNUNET_CRYPTO_RsaSignature *
+GNUNET_CRYPTO_rsa_signature_decode (const char *buf,
+ size_t len)
+{
+ struct GNUNET_CRYPTO_RsaSignature *sig;
+ int ret;
+ gcry_mpi_t s;
+
+ sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
+ if (0 !=
+ gcry_sexp_new (&sig->sexp,
+ buf,
+ len,
+ 0))
+ {
+ GNUNET_break_op (0);
+ GNUNET_free (sig);
+ return NULL;
+ }
+ /* verify that this is an RSA signature */
+ ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
+ if (0 != ret)
+ ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
+ if (0 != ret)
+ {
+ /* this is no RSA Signature */
+ GNUNET_break_op (0);
+ gcry_sexp_release (sig->sexp);
+ GNUNET_free (sig);
+ return NULL;
+ }
+ gcry_mpi_release (s);
+ return sig;
}
/**
- * Decrypt a given block with the hostkey.
+ * Duplicate the given public key
*
- * @param key the key with which to decrypt this block
- * @param block the data to decrypt, encoded as returned by encrypt
- * @param result pointer to a location where the result can be stored
- * @param max the maximum number of bits to store for the result, if
- * the decrypted block is bigger, an error is returned
- * @return the size of the decrypted block, -1 on error
+ * @param key the public key to duplicate
+ * @return the duplicate key; NULL upon error
*/
-ssize_t
-GNUNET_CRYPTO_rsa_decrypt (const struct GNUNET_CRYPTO_RsaPrivateKey * key,
- const struct GNUNET_CRYPTO_RsaEncryptedData * block,
- void *result, size_t max)
+struct GNUNET_CRYPTO_RsaPublicKey *
+GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key)
{
- gcry_sexp_t resultsexp;
- gcry_sexp_t data;
+ struct GNUNET_CRYPTO_RsaPublicKey *dup;
+ gcry_sexp_t dup_sexp;
size_t erroff;
- size_t size;
- gcry_mpi_t val;
- unsigned char *endp;
- unsigned char *tmp;
-#if EXTRA_CHECKS
- GNUNET_assert (0 == gcry_pk_testkey (key->sexp));
-#endif
- size = sizeof (struct GNUNET_CRYPTO_RsaEncryptedData);
- GNUNET_assert (0 ==
- gcry_mpi_scan (&val, GCRYMPI_FMT_USG, &block->encoding[0],
- size, &size));
- GNUNET_assert (0 ==
- gcry_sexp_build (&data, &erroff, "(enc-val(flags)(rsa(a %m)))",
- val));
- gcry_mpi_release (val);
- GNUNET_assert (0 == gcry_pk_decrypt (&resultsexp, data, key->sexp));
- gcry_sexp_release (data);
- /* resultsexp has format "(value %m)" */
- GNUNET_assert (NULL !=
- (val = gcry_sexp_nth_mpi (resultsexp, 1, GCRYMPI_FMT_USG)));
- gcry_sexp_release (resultsexp);
- tmp = GNUNET_malloc (max + HOSTKEY_LEN / 8);
- size = max + HOSTKEY_LEN / 8;
- GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, tmp, size, &size, val));
- gcry_mpi_release (val);
- endp = tmp;
- endp += (size - max);
- size = max;
- memcpy (result, endp, size);
- GNUNET_free (tmp);
- return size;
+ /* check if we really are exporting a public key */
+ dup_sexp = gcry_sexp_find_token (key->sexp, "public-key", 0);
+ GNUNET_assert (NULL != dup_sexp);
+ gcry_sexp_release (dup_sexp);
+ /* copy the sexp */
+ GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
+ dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
+ dup->sexp = dup_sexp;
+ return dup;
}
/**
- * Sign a given block.
+ * Unblind a blind-signed signature. The signature should have been generated
+ * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
+ * #GNUNET_CRYPTO_rsa_blind().
*
- * @param key private key to use for the signing
- * @param purpose what to sign (size, purpose)
- * @param sig where to write the signature
- * @return GNUNET_SYSERR on error, GNUNET_OK on success
+ * @param sig the signature made on the blinded signature purpose
+ * @param bks the blinding key secret used to blind the signature purpose
+ * @param pkey the public key of the signer
+ * @return unblinded signature on success, NULL if RSA key is bad or malicious.
*/
-int
-GNUNET_CRYPTO_rsa_sign (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
- const struct GNUNET_CRYPTO_RsaSignaturePurpose *purpose,
- struct GNUNET_CRYPTO_RsaSignature *sig)
+struct GNUNET_CRYPTO_RsaSignature *
+GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig,
+ const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
+ struct GNUNET_CRYPTO_RsaPublicKey *pkey)
{
- gcry_sexp_t result;
- gcry_sexp_t data;
- size_t ssize;
- gcry_mpi_t rval;
- struct GNUNET_HashCode hc;
- char *buff;
- int bufSize;
-
- GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
-#define FORMATSTRING "(4:data(5:flags5:pkcs1)(4:hash6:sha51264:0123456789012345678901234567890123456789012345678901234567890123))"
- bufSize = strlen (FORMATSTRING) + 1;
- buff = GNUNET_malloc (bufSize);
- memcpy (buff, FORMATSTRING, bufSize);
- memcpy (&buff
- [bufSize -
- strlen
- ("0123456789012345678901234567890123456789012345678901234567890123))")
- - 1], &hc, sizeof (struct GNUNET_HashCode));
- GNUNET_assert (0 == gcry_sexp_new (&data, buff, bufSize, 0));
- GNUNET_free (buff);
- GNUNET_assert (0 == gcry_pk_sign (&result, data, key->sexp));
- gcry_sexp_release (data);
- GNUNET_assert (0 == key_from_sexp (&rval, result, "rsa", "s"));
- gcry_sexp_release (result);
- ssize = sizeof (struct GNUNET_CRYPTO_RsaSignature);
+ struct RsaBlindingKey *bkey;
+ gcry_mpi_t n;
+ gcry_mpi_t s;
+ gcry_mpi_t r_inv;
+ gcry_mpi_t ubsig;
+ int ret;
+ struct GNUNET_CRYPTO_RsaSignature *sret;
+
+ ret = key_from_sexp (&n, pkey->sexp, "public-key", "n");
+ if (0 != ret)
+ ret = key_from_sexp (&n, pkey->sexp, "rsa", "n");
+ if (0 != ret)
+ {
+ GNUNET_break_op (0);
+ return NULL;
+ }
+ ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
+ if (0 != ret)
+ ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
+ if (0 != ret)
+ {
+ gcry_mpi_release (n);
+ GNUNET_break_op (0);
+ return NULL;
+ }
+
+ bkey = rsa_blinding_key_derive (pkey, bks);
+ if (NULL == bkey)
+ {
+ /* RSA key is malicious since rsa_gcd_validate failed here.
+ * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
+ * so the exchange is being malicious in an unfamilair way, maybe
+ * just trying to crash us. */
+ GNUNET_break_op (0);
+ gcry_mpi_release (n);
+ gcry_mpi_release (s);
+ return NULL;
+ }
+
+ r_inv = gcry_mpi_new (0);
+ if (1 !=
+ gcry_mpi_invm (r_inv,
+ bkey->r,
+ n))
+ {
+ /* We cannot find r mod n, so gcd(r,n) != 1, which should get *
+ * caught above, but we handle it the same here. */
+ GNUNET_break_op (0);
+ gcry_mpi_release (r_inv);
+ rsa_blinding_key_free (bkey);
+ gcry_mpi_release (n);
+ gcry_mpi_release (s);
+ return NULL;
+ }
+
+ ubsig = gcry_mpi_new (0);
+ gcry_mpi_mulm (ubsig, s, r_inv, n);
+ gcry_mpi_release (n);
+ gcry_mpi_release (r_inv);
+ gcry_mpi_release (s);
+ rsa_blinding_key_free (bkey);
+
+ sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
GNUNET_assert (0 ==
- gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *) sig, ssize,
- &ssize, rval));
- gcry_mpi_release (rval);
- adjust (sig->sig, ssize, sizeof (struct GNUNET_CRYPTO_RsaSignature));
- return GNUNET_OK;
+ gcry_sexp_build (&sret->sexp,
+ NULL,
+ "(sig-val (rsa (s %M)))",
+ ubsig));
+ gcry_mpi_release (ubsig);
+ return sret;
}
/**
- * Verify signature.
+ * Verify whether the given hash corresponds to the given signature and
+ * the signature is valid with respect to the given public key.
*
- * @param purpose what is the purpose that the signature should have?
- * @param validate block to validate (size, purpose, data)
+ * @param hash hash of the message to verify to match the @a sig
* @param sig signature that is being validated
- * @param publicKey public key of the signer
- * @returns GNUNET_OK if ok, GNUNET_SYSERR if invalid
+ * @param pkey public key of the signer
+ * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature is invalid
*/
int
-GNUNET_CRYPTO_rsa_verify (uint32_t purpose,
- const struct GNUNET_CRYPTO_RsaSignaturePurpose
- *validate,
+GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
const struct GNUNET_CRYPTO_RsaSignature *sig,
- const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
- *publicKey)
+ const struct GNUNET_CRYPTO_RsaPublicKey *pkey)
{
gcry_sexp_t data;
- gcry_sexp_t sigdata;
- size_t size;
- gcry_mpi_t val;
- struct GNUNET_CRYPTO_RsaPrivateKey *hostkey;
- struct GNUNET_HashCode hc;
- char *buff;
- int bufSize;
- size_t erroff;
+ gcry_mpi_t r;
int rc;
- if (purpose != ntohl (validate->purpose))
- return GNUNET_SYSERR; /* purpose mismatch */
- GNUNET_CRYPTO_hash (validate, ntohl (validate->size), &hc);
- size = sizeof (struct GNUNET_CRYPTO_RsaSignature);
- GNUNET_assert (0 ==
- gcry_mpi_scan (&val, GCRYMPI_FMT_USG,
- (const unsigned char *) sig, size, &size));
- GNUNET_assert (0 ==
- gcry_sexp_build (&sigdata, &erroff, "(sig-val(rsa(s %m)))",
- val));
- gcry_mpi_release (val);
- bufSize = strlen (FORMATSTRING) + 1;
- buff = GNUNET_malloc (bufSize);
- memcpy (buff, FORMATSTRING, bufSize);
- memcpy (&buff
- [strlen (FORMATSTRING) -
- strlen
- ("0123456789012345678901234567890123456789012345678901234567890123))")],
- &hc, sizeof (struct GNUNET_HashCode));
- GNUNET_assert (0 == gcry_sexp_new (&data, buff, bufSize, 0));
- GNUNET_free (buff);
- hostkey = public2PrivateKey (publicKey);
- if (hostkey == NULL)
- {
- gcry_sexp_release (data);
- gcry_sexp_release (sigdata);
- return GNUNET_SYSERR;
+ r = rsa_full_domain_hash (pkey, hash);
+ if (NULL == r) {
+ GNUNET_break_op (0);
+ /* RSA key is malicious since rsa_gcd_validate failed here.
+ * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
+ * so the exchange is being malicious in an unfamilair way, maybe
+ * just trying to crash us. Arguably, we've only an internal error
+ * though because we should've detected this in our previous call
+ * to GNUNET_CRYPTO_rsa_unblind. */
+ return GNUNET_NO;
}
- rc = gcry_pk_verify (sigdata, data, hostkey->sexp);
- GNUNET_CRYPTO_rsa_key_free (hostkey);
+
+ data = mpi_to_sexp(r);
+ gcry_mpi_release (r);
+
+ rc = gcry_pk_verify (sig->sexp,
+ data,
+ pkey->sexp);
gcry_sexp_release (data);
- gcry_sexp_release (sigdata);
- if (rc)
+ if (0 != rc)
{
LOG (GNUNET_ERROR_TYPE_WARNING,
- _("RSA signature verification failed at %s:%d: %s\n"), __FILE__,
- __LINE__, gcry_strerror (rc));
+ _("RSA signature verification failed at %s:%d: %s\n"),
+ __FILE__,
+ __LINE__,
+ gcry_strerror (rc));
return GNUNET_SYSERR;
}
return GNUNET_OK;
}
-/* end of crypto_rsa.c */
+/**
+ * Duplicate the given private key
+ *
+ * @param key the private key to duplicate
+ * @return the duplicate key; NULL upon error
+ */
+struct GNUNET_CRYPTO_RsaPrivateKey *
+GNUNET_CRYPTO_rsa_private_key_dup (const struct GNUNET_CRYPTO_RsaPrivateKey *key)
+{
+ struct GNUNET_CRYPTO_RsaPrivateKey *dup;
+ gcry_sexp_t dup_sexp;
+ size_t erroff;
+
+ /* check if we really are exporting a private key */
+ dup_sexp = gcry_sexp_find_token (key->sexp, "private-key", 0);
+ GNUNET_assert (NULL != dup_sexp);
+ gcry_sexp_release (dup_sexp);
+ /* copy the sexp */
+ GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
+ dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
+ dup->sexp = dup_sexp;
+ return dup;
+}
+
+
+/**
+ * Duplicate the given private key
+ *
+ * @param key the private key to duplicate
+ * @return the duplicate key; NULL upon error
+ */
+struct GNUNET_CRYPTO_RsaSignature *
+GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig)
+{
+ struct GNUNET_CRYPTO_RsaSignature *dup;
+ gcry_sexp_t dup_sexp;
+ size_t erroff;
+ gcry_mpi_t s;
+ int ret;
+
+ /* verify that this is an RSA signature */
+ ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
+ if (0 != ret)
+ ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
+ GNUNET_assert (0 == ret);
+ gcry_mpi_release (s);
+ /* copy the sexp */
+ GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", sig->sexp));
+ dup = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
+ dup->sexp = dup_sexp;
+ return dup;
+}
+
+
+/* end of util/rsa.c */
projects / oweals / gnunet.git / blobdiff