aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2019-12-07 14:37:44 +0100
committerChristian Grothoff <christian@grothoff.org>2019-12-07 14:37:44 +0100
commita6b9d2e1879a4072dbece09f37d3bec672ec4a09 (patch)
treebc2bef9a206e070dbb1cbcf90870862feebc0ffe
parent7bb0b3291244286a114e652949a181e31f70364f (diff)
downloadgnunet-a6b9d2e1879a4072dbece09f37d3bec672ec4a09.tar.gz
gnunet-a6b9d2e1879a4072dbece09f37d3bec672ec4a09.zip
fix #3795/5968/5398
Diffstat
-rw-r--r--src/util/crypto_ecc.c578
-rw-r--r--src/util/crypto_pow.c14
-rw-r--r--src/util/crypto_rsa.c101
3 files changed, 2 insertions, 691 deletions
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index f9efcf6e7..bd7c425d4 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -33,8 +33,6 @@
33 33
34#define EXTRA_CHECKS 0 34#define EXTRA_CHECKS 0
35 35
36#define NEW_CRYPTO 0
37
38 36
39/** 37/**
40 * Name of the curve we are using. Note that we have hard-coded 38 * Name of the curve we are using. Note that we have hard-coded
@@ -164,80 +162,6 @@ decode_private_ecdsa_key (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv)
164} 162}
165 163
166 164
167#if !NEW_CRYPTO
168/**
169 * Convert the given private key from the network format to the
170 * S-expression that can be used by libgcrypt.
171 *
172 * @param priv private key to decode
173 * @return NULL on error
174 */
175static gcry_sexp_t
176decode_private_eddsa_key (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv)
177{
178 gcry_sexp_t result;
179 int rc;
180
181 rc = gcry_sexp_build (&result,
182 NULL,
183 "(private-key(ecc(curve \"" CURVE "\")"
184 "(flags eddsa)(d %b)))",
185 (int) sizeof(priv->d),
186 priv->d);
187 if (0 != rc)
188 {
189 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
190 GNUNET_assert (0);
191 }
192#if EXTRA_CHECKS
193 if (0 != (rc = gcry_pk_testkey (result)))
194 {
195 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
196 GNUNET_assert (0);
197 }
198#endif
199 return result;
200}
201#endif /* !NEW_CRYPTO */
202
203
204#if !NEW_CRYPTO
205/**
206 * Convert the given private key from the network format to the
207 * S-expression that can be used by libgcrypt.
208 *
209 * @param priv private key to decode
210 * @return NULL on error
211 */
212static gcry_sexp_t
213decode_private_ecdhe_key (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv)
214{
215 gcry_sexp_t result;
216 int rc;
217
218 rc = gcry_sexp_build (&result,
219 NULL,
220 "(private-key(ecc(curve \"" CURVE "\")"
221 "(d %b)))",
222 (int) sizeof(priv->d),
223 priv->d);
224 if (0 != rc)
225 {
226 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
227 GNUNET_assert (0);
228 }
229#if EXTRA_CHECKS
230 if (0 != (rc = gcry_pk_testkey (result)))
231 {
232 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
233 GNUNET_assert (0);
234 }
235#endif
236 return result;
237}
238#endif /* !NEW_CRYPTO */
239
240
241/** 165/**
242 * Extract the public key for the given private key. 166 * Extract the public key for the given private key.
243 * 167 *
@@ -280,29 +204,9 @@ GNUNET_CRYPTO_eddsa_key_get_public (
280 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 204 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
281 struct GNUNET_CRYPTO_EddsaPublicKey *pub) 205 struct GNUNET_CRYPTO_EddsaPublicKey *pub)
282{ 206{
283#if NEW_CRYPTO
284 BENCHMARK_START (eddsa_key_get_public); 207 BENCHMARK_START (eddsa_key_get_public);
285 GNUNET_TWEETNACL_sign_pk_from_seed (pub->q_y, priv->d); 208 GNUNET_TWEETNACL_sign_pk_from_seed (pub->q_y, priv->d);
286 BENCHMARK_END (eddsa_key_get_public); 209 BENCHMARK_END (eddsa_key_get_public);
287#else
288 gcry_sexp_t sexp;
289 gcry_ctx_t ctx;
290 gcry_mpi_t q;
291
292 BENCHMARK_START (eddsa_key_get_public);
293
294 sexp = decode_private_eddsa_key (priv);
295 GNUNET_assert (NULL != sexp);
296 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
297 gcry_sexp_release (sexp);
298 q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
299 GNUNET_assert (q);
300 GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof(pub->q_y), q);
301 gcry_mpi_release (q);
302 gcry_ctx_release (ctx);
303
304 BENCHMARK_END (eddsa_key_get_public);
305#endif
306} 210}
307 211
308 212
@@ -317,29 +221,9 @@ GNUNET_CRYPTO_ecdhe_key_get_public (
317 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, 221 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
318 struct GNUNET_CRYPTO_EcdhePublicKey *pub) 222 struct GNUNET_CRYPTO_EcdhePublicKey *pub)
319{ 223{
320#if NEW_CRYPTO
321 BENCHMARK_START (ecdhe_key_get_public); 224 BENCHMARK_START (ecdhe_key_get_public);
322 GNUNET_TWEETNACL_scalarmult_curve25519_base (pub->q_y, priv->d); 225 GNUNET_TWEETNACL_scalarmult_curve25519_base (pub->q_y, priv->d);
323 BENCHMARK_END (ecdhe_key_get_public); 226 BENCHMARK_END (ecdhe_key_get_public);
324#else
325 gcry_sexp_t sexp;
326 gcry_ctx_t ctx;
327 gcry_mpi_t q;
328
329 BENCHMARK_START (ecdhe_key_get_public);
330
331 sexp = decode_private_ecdhe_key (priv);
332 GNUNET_assert (NULL != sexp);
333 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
334 gcry_sexp_release (sexp);
335 q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
336 GNUNET_assert (q);
337 GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof(pub->q_y), q);
338 gcry_mpi_release (q);
339 gcry_ctx_release (ctx);
340
341 BENCHMARK_END (ecdhe_key_get_public);
342#endif
343} 227}
344 228
345 229
@@ -650,62 +534,12 @@ GNUNET_CRYPTO_ecdhe_key_create ()
650int 534int
651GNUNET_CRYPTO_ecdhe_key_create2 (struct GNUNET_CRYPTO_EcdhePrivateKey *pk) 535GNUNET_CRYPTO_ecdhe_key_create2 (struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
652{ 536{
653#if NEW_CRYPTO
654 BENCHMARK_START (ecdhe_key_create); 537 BENCHMARK_START (ecdhe_key_create);
655 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, 538 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
656 pk, 539 pk,
657 sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey)); 540 sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
658 BENCHMARK_END (ecdhe_key_create); 541 BENCHMARK_END (ecdhe_key_create);
659 return GNUNET_OK; 542 return GNUNET_OK;
660#else
661 gcry_sexp_t priv_sexp;
662 gcry_sexp_t s_keyparam;
663 gcry_mpi_t d;
664 int rc;
665
666 BENCHMARK_START (ecdhe_key_create);
667
668 /* NOTE: For libgcrypt >= 1.7, we do not need the 'eddsa' flag here,
669 but should also be harmless. For libgcrypt < 1.7, using 'eddsa'
670 disables an expensive key testing routine. We do not want to run
671 the expensive check for ECDHE, as we generate TONS of keys to
672 use for a very short time. */if (0 != (rc = gcry_sexp_build (&s_keyparam,
673 NULL,
674 "(genkey(ecc(curve \"" CURVE "\")"
675 "(flags eddsa no-keytest)))")))
676 {
677 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
678 return GNUNET_SYSERR;
679 }
680 if (0 != (rc = gcry_pk_genkey (&priv_sexp, s_keyparam)))
681 {
682 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_genkey", rc);
683 gcry_sexp_release (s_keyparam);
684 return GNUNET_SYSERR;
685 }
686 gcry_sexp_release (s_keyparam);
687#if EXTRA_CHECKS
688 if (0 != (rc = gcry_pk_testkey (priv_sexp)))
689 {
690 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
691 gcry_sexp_release (priv_sexp);
692 return GNUNET_SYSERR;
693 }
694#endif
695 if (0 != (rc = key_from_sexp (&d, priv_sexp, "private-key", "d")))
696 {
697 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "key_from_sexp", rc);
698 gcry_sexp_release (priv_sexp);
699 return GNUNET_SYSERR;
700 }
701 gcry_sexp_release (priv_sexp);
702 GNUNET_CRYPTO_mpi_print_unsigned (pk->d, sizeof(pk->d), d);
703 gcry_mpi_release (d);
704
705 BENCHMARK_END (ecdhe_key_create);
706
707 return GNUNET_OK;
708#endif
709} 543}
710 544
711 545
@@ -773,7 +607,6 @@ GNUNET_CRYPTO_ecdsa_key_create ()
773struct GNUNET_CRYPTO_EddsaPrivateKey * 607struct GNUNET_CRYPTO_EddsaPrivateKey *
774GNUNET_CRYPTO_eddsa_key_create () 608GNUNET_CRYPTO_eddsa_key_create ()
775{ 609{
776#if NEW_CRYPTO
777 struct GNUNET_CRYPTO_EddsaPrivateKey *priv; 610 struct GNUNET_CRYPTO_EddsaPrivateKey *priv;
778 611
779 BENCHMARK_START (eddsa_key_create); 612 BENCHMARK_START (eddsa_key_create);
@@ -784,65 +617,6 @@ GNUNET_CRYPTO_eddsa_key_create ()
784 BENCHMARK_END (eddsa_key_create); 617 BENCHMARK_END (eddsa_key_create);
785 618
786 return priv; 619 return priv;
787#else
788 struct GNUNET_CRYPTO_EddsaPrivateKey *priv;
789 gcry_sexp_t priv_sexp;
790 gcry_sexp_t s_keyparam;
791 gcry_mpi_t d;
792 int rc;
793
794 BENCHMARK_START (eddsa_key_create);
795
796#if CRYPTO_BUG
797 again:
798#endif
799 if (0 != (rc = gcry_sexp_build (&s_keyparam,
800 NULL,
801 "(genkey(ecc(curve \"" CURVE "\")"
802 "(flags eddsa)))")))
803 {
804 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
805 return NULL;
806 }
807 if (0 != (rc = gcry_pk_genkey (&priv_sexp, s_keyparam)))
808 {
809 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_genkey", rc);
810 gcry_sexp_release (s_keyparam);
811 return NULL;
812 }
813 gcry_sexp_release (s_keyparam);
814#if EXTRA_CHECKS
815 if (0 != (rc = gcry_pk_testkey (priv_sexp)))
816 {
817 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
818 gcry_sexp_release (priv_sexp);
819 return NULL;
820 }
821#endif
822 if (0 != (rc = key_from_sexp (&d, priv_sexp, "private-key", "d")))
823 {
824 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "key_from_sexp", rc);
825 gcry_sexp_release (priv_sexp);
826 return NULL;
827 }
828 gcry_sexp_release (priv_sexp);
829 priv = GNUNET_new (struct GNUNET_CRYPTO_EddsaPrivateKey);
830 GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof(priv->d), d);
831 gcry_mpi_release (d);
832
833#if CRYPTO_BUG
834 if (GNUNET_OK != check_eddsa_key (priv))
835 {
836 GNUNET_break (0);
837 GNUNET_free (priv);
838 goto again;
839 }
840#endif
841
842 BENCHMARK_END (eddsa_key_create);
843
844 return priv;
845#endif
846} 620}
847 621
848 622
@@ -871,52 +645,6 @@ GNUNET_CRYPTO_ecdsa_key_get_anonymous ()
871} 645}
872 646
873 647
874#if !NEW_CRYPTO
875/**
876 * Convert the data specified in the given purpose argument to an
877 * S-expression suitable for signature operations.
878 *
879 * @param purpose data to convert
880 * @return converted s-expression
881 */
882static gcry_sexp_t
883data_to_eddsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
884{
885 gcry_sexp_t data;
886 int rc;
887
888/* SEE #5398 */
889#if 1
890 struct GNUNET_HashCode hc;
891
892 GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
893 if (0 != (rc = gcry_sexp_build (&data,
894 NULL,
895 "(data(flags eddsa)(hash-algo %s)(value %b))",
896 "sha512",
897 (int) sizeof(hc),
898 &hc)))
899 {
900 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
901 return NULL;
902 }
903#else
904 if (0 != (rc = gcry_sexp_build (&data,
905 NULL,
906 "(data(flags eddsa)(hash-algo %s)(value %b))",
907 "sha512",
908 ntohl (purpose->size),
909 purpose)))
910 {
911 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
912 return NULL;
913 }
914#endif
915 return data;
916}
917#endif /* !NEW_CRYPTO */
918
919
920/** 648/**
921 * Convert the data specified in the given purpose argument to an 649 * Convert the data specified in the given purpose argument to an
922 * S-expression suitable for signature operations. 650 * S-expression suitable for signature operations.
@@ -1034,7 +762,6 @@ GNUNET_CRYPTO_eddsa_sign (
1034 struct GNUNET_CRYPTO_EddsaSignature *sig) 762 struct GNUNET_CRYPTO_EddsaSignature *sig)
1035{ 763{
1036 764
1037#if NEW_CRYPTO
1038 size_t mlen = ntohl (purpose->size); 765 size_t mlen = ntohl (purpose->size);
1039 unsigned char sk[GNUNET_TWEETNACL_SIGN_SECRETKEYBYTES]; 766 unsigned char sk[GNUNET_TWEETNACL_SIGN_SECRETKEYBYTES];
1040 int res; 767 int res;
@@ -1047,50 +774,6 @@ GNUNET_CRYPTO_eddsa_sign (
1047 sk); 774 sk);
1048 BENCHMARK_END (eddsa_sign); 775 BENCHMARK_END (eddsa_sign);
1049 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR; 776 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
1050#else
1051
1052 gcry_sexp_t priv_sexp;
1053 gcry_sexp_t sig_sexp;
1054 gcry_sexp_t data;
1055 int rc;
1056 gcry_mpi_t rs[2];
1057
1058 BENCHMARK_START (eddsa_sign);
1059
1060 priv_sexp = decode_private_eddsa_key (priv);
1061 data = data_to_eddsa_value (purpose);
1062 if (0 != (rc = gcry_pk_sign (&sig_sexp, data, priv_sexp)))
1063 {
1064 LOG (GNUNET_ERROR_TYPE_WARNING,
1065 _ ("EdDSA signing failed at %s:%d: %s\n"),
1066 __FILE__,
1067 __LINE__,
1068 gcry_strerror (rc));
1069 gcry_sexp_release (data);
1070 gcry_sexp_release (priv_sexp);
1071 return GNUNET_SYSERR;
1072 }
1073 gcry_sexp_release (priv_sexp);
1074 gcry_sexp_release (data);
1075
1076 /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in
1077 'signature' */
1078 if (0 != (rc = key_from_sexp (rs, sig_sexp, "sig-val", "rs")))
1079 {
1080 GNUNET_break (0);
1081 gcry_sexp_release (sig_sexp);
1082 return GNUNET_SYSERR;
1083 }
1084 gcry_sexp_release (sig_sexp);
1085 GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof(sig->r), rs[0]);
1086 GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof(sig->s), rs[1]);
1087 gcry_mpi_release (rs[0]);
1088 gcry_mpi_release (rs[1]);
1089
1090 BENCHMARK_END (eddsa_sign);
1091
1092 return GNUNET_OK;
1093#endif
1094} 777}
1095 778
1096 779
@@ -1178,7 +861,6 @@ GNUNET_CRYPTO_eddsa_verify (
1178 const struct GNUNET_CRYPTO_EddsaSignature *sig, 861 const struct GNUNET_CRYPTO_EddsaSignature *sig,
1179 const struct GNUNET_CRYPTO_EddsaPublicKey *pub) 862 const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
1180{ 863{
1181#if NEW_CRYPTO
1182 unsigned char *m = (void *) validate; 864 unsigned char *m = (void *) validate;
1183 size_t mlen = ntohl (validate->size); 865 size_t mlen = ntohl (validate->size);
1184 unsigned char *s = (void *) sig; 866 unsigned char *s = (void *) sig;
@@ -1192,59 +874,6 @@ GNUNET_CRYPTO_eddsa_verify (
1192 res = GNUNET_TWEETNACL_sign_detached_verify (s, m, mlen, pub->q_y); 874 res = GNUNET_TWEETNACL_sign_detached_verify (s, m, mlen, pub->q_y);
1193 BENCHMARK_END (eddsa_verify); 875 BENCHMARK_END (eddsa_verify);
1194 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR; 876 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
1195#else
1196 gcry_sexp_t data;
1197 gcry_sexp_t sig_sexpr;
1198 gcry_sexp_t pub_sexpr;
1199 int rc;
1200
1201 BENCHMARK_START (eddsa_verify);
1202
1203 if (purpose != ntohl (validate->purpose))
1204 return GNUNET_SYSERR; /* purpose mismatch */
1205
1206 /* build s-expression for signature */
1207 if (0 != (rc = gcry_sexp_build (&sig_sexpr,
1208 NULL,
1209 "(sig-val(eddsa(r %b)(s %b)))",
1210 (int) sizeof(sig->r),
1211 sig->r,
1212 (int) sizeof(sig->s),
1213 sig->s)))
1214 {
1215 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
1216 return GNUNET_SYSERR;
1217 }
1218 data = data_to_eddsa_value (validate);
1219 if (0 != (rc = gcry_sexp_build (&pub_sexpr,
1220 NULL,
1221 "(public-key(ecc(curve " CURVE
1222 ")(flags eddsa)(q %b)))",
1223 (int) sizeof(pub->q_y),
1224 pub->q_y)))
1225 {
1226 gcry_sexp_release (data);
1227 gcry_sexp_release (sig_sexpr);
1228 return GNUNET_SYSERR;
1229 }
1230 rc = gcry_pk_verify (sig_sexpr, data, pub_sexpr);
1231 gcry_sexp_release (pub_sexpr);
1232 gcry_sexp_release (data);
1233 gcry_sexp_release (sig_sexpr);
1234 if (0 != rc)
1235 {
1236 LOG (GNUNET_ERROR_TYPE_INFO,
1237 _ ("EdDSA signature verification of type %u failed at %s:%d: %s\n"),
1238 (unsigned int) purpose,
1239 __FILE__,
1240 __LINE__,
1241 gcry_strerror (rc));
1242 BENCHMARK_END (eddsa_verify);
1243 return GNUNET_SYSERR;
1244 }
1245 BENCHMARK_END (eddsa_verify);
1246 return GNUNET_OK;
1247#endif
1248} 877}
1249 878
1250 879
@@ -1261,68 +890,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1261 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 890 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1262 struct GNUNET_HashCode *key_material) 891 struct GNUNET_HashCode *key_material)
1263{ 892{
1264#if NEW_CRYPTO
1265 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; 893 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES];
1266 GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, pub->q_y); 894 GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, pub->q_y);
1267 GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material); 895 GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material);
1268 return GNUNET_OK; 896 return GNUNET_OK;
1269#else
1270 gcry_mpi_point_t result;
1271 gcry_mpi_point_t q;
1272 gcry_mpi_t d;
1273 gcry_ctx_t ctx;
1274 gcry_sexp_t pub_sexpr;
1275 gcry_mpi_t result_x;
1276 unsigned char xbuf[256 / 8];
1277 size_t rsize;
1278
1279 BENCHMARK_START (ecc_ecdh);
1280
1281 /* first, extract the q = dP value from the public key */
1282 if (0 != gcry_sexp_build (&pub_sexpr,
1283 NULL,
1284 "(public-key(ecc(curve " CURVE ")(q %b)))",
1285 (int) sizeof(pub->q_y),
1286 pub->q_y))
1287 return GNUNET_SYSERR;
1288 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
1289 gcry_sexp_release (pub_sexpr);
1290 q = gcry_mpi_ec_get_point ("q", ctx, 0);
1291
1292 /* second, extract the d value from our private key */
1293 GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof(priv->d));
1294
1295 /* then call the 'multiply' function, to compute the product */
1296 result = gcry_mpi_point_new (0);
1297 gcry_mpi_ec_mul (result, d, q, ctx);
1298 gcry_mpi_point_release (q);
1299 gcry_mpi_release (d);
1300
1301 /* finally, convert point to string for hashing */
1302 result_x = gcry_mpi_new (256);
1303 if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
1304 {
1305 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
1306 gcry_mpi_point_release (result);
1307 gcry_ctx_release (ctx);
1308 return GNUNET_SYSERR;
1309 }
1310 gcry_mpi_point_release (result);
1311 gcry_ctx_release (ctx);
1312
1313 rsize = sizeof(xbuf);
1314 GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
1315 /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
1316 as that does not include the sign bit; x should be a 255-bit
1317 value, so with the sign it should fit snugly into the 256-bit
1318 xbuf */
1319 GNUNET_assert (
1320 0 == gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, result_x));
1321 GNUNET_CRYPTO_hash (xbuf, rsize, key_material);
1322 gcry_mpi_release (result_x);
1323 BENCHMARK_END (ecc_ecdh);
1324 return GNUNET_OK;
1325#endif
1326} 897}
1327 898
1328 899
@@ -1469,73 +1040,6 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (
1469} 1040}
1470 1041
1471 1042
1472#if !NEW_CRYPTO
1473/**
1474 * Reverse the sequence of the bytes in @a buffer
1475 *
1476 * @param[in|out] buffer buffer to invert
1477 * @param length number of bytes in @a buffer
1478 */
1479static void
1480reverse_buffer (unsigned char *buffer, size_t length)
1481{
1482 unsigned char tmp;
1483 size_t i;
1484
1485 for (i = 0; i < length / 2; i++)
1486 {
1487 tmp = buffer[i];
1488 buffer[i] = buffer[length - 1 - i];
1489 buffer[length - 1 - i] = tmp;
1490 }
1491}
1492
1493
1494/**
1495 * Convert the secret @a d of an EdDSA key to the
1496 * value that is actually used in the EdDSA computation.
1497 *
1498 * @param d secret input
1499 * @return value used for the calculation in EdDSA
1500 */
1501static gcry_mpi_t
1502eddsa_d_to_a (gcry_mpi_t d)
1503{
1504 unsigned char rawmpi[32]; /* 256-bit value */
1505 size_t rawmpilen;
1506 unsigned char digest[64]; /* 512-bit hash value */
1507 gcry_buffer_t hvec[2];
1508 unsigned int b;
1509 gcry_mpi_t a;
1510
1511 b = 256 / 8; /* number of bytes in `d` */
1512
1513 /* Note that we clear DIGEST so we can use it as input to left pad
1514 the key with zeroes for hashing. */
1515 memset (digest, 0, sizeof digest);
1516 memset (hvec, 0, sizeof hvec);
1517 rawmpilen = sizeof(rawmpi);
1518 GNUNET_assert (
1519 0 == gcry_mpi_print (GCRYMPI_FMT_USG, rawmpi, rawmpilen, &rawmpilen, d));
1520 hvec[0].data = digest;
1521 hvec[0].off = 0;
1522 hvec[0].len = b > rawmpilen ? (b - rawmpilen) : 0;
1523 hvec[1].data = rawmpi;
1524 hvec[1].off = 0;
1525 hvec[1].len = rawmpilen;
1526 GNUNET_assert (
1527 0 == gcry_md_hash_buffers (GCRY_MD_SHA512, 0 /* flags */, digest, hvec, 2));
1528 /* Compute the A value. */
1529 reverse_buffer (digest, 32); /* Only the first half of the hash. */
1530 digest[0] = (digest[0] & 0x7f) | 0x40;
1531 digest[31] &= 0xf8;
1532
1533 GNUNET_CRYPTO_mpi_scan_unsigned (&a, digest, 32);
1534 return a;
1535}
1536#endif
1537
1538
1539/** 1043/**
1540 * Take point from ECDH and convert it to key material. 1044 * Take point from ECDH and convert it to key material.
1541 * 1045 *
@@ -1590,10 +1094,10 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1590 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 1094 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1591 struct GNUNET_HashCode *key_material) 1095 struct GNUNET_HashCode *key_material)
1592{ 1096{
1593#if NEW_CRYPTO
1594 struct GNUNET_HashCode hc; 1097 struct GNUNET_HashCode hc;
1595 uint8_t a[GNUNET_TWEETNACL_SCALARMULT_BYTES]; 1098 uint8_t a[GNUNET_TWEETNACL_SCALARMULT_BYTES];
1596 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; 1099 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES];
1100
1597 GNUNET_CRYPTO_hash (priv, 1101 GNUNET_CRYPTO_hash (priv,
1598 sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey), 1102 sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
1599 &hc); 1103 &hc);
@@ -1603,47 +1107,6 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1603 GNUNET_TWEETNACL_SCALARMULT_BYTES, 1107 GNUNET_TWEETNACL_SCALARMULT_BYTES,
1604 key_material); 1108 key_material);
1605 return GNUNET_OK; 1109 return GNUNET_OK;
1606#else
1607 gcry_mpi_point_t result;
1608 gcry_mpi_point_t q;
1609 gcry_mpi_t d;
1610 gcry_mpi_t a;
1611 gcry_ctx_t ctx;
1612 gcry_sexp_t pub_sexpr;
1613 int ret;
1614
1615 BENCHMARK_START (eddsa_ecdh);
1616
1617 /* first, extract the q = dP value from the public key */
1618 if (0 != gcry_sexp_build (&pub_sexpr,
1619 NULL,
1620 "(public-key(ecc(curve " CURVE ")(q %b)))",
1621 (int) sizeof(pub->q_y),
1622 pub->q_y))
1623 return GNUNET_SYSERR;
1624 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
1625 gcry_sexp_release (pub_sexpr);
1626 q = gcry_mpi_ec_get_point ("q", ctx, 0);
1627
1628 /* second, extract the d value from our private key */
1629 GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof(priv->d));
1630
1631 /* NOW, because this is EdDSA, HASH 'd' first! */
1632 a = eddsa_d_to_a (d);
1633 gcry_mpi_release (d);
1634
1635 /* then call the 'multiply' function, to compute the product */
1636 result = gcry_mpi_point_new (0);
1637 gcry_mpi_ec_mul (result, a, q, ctx);
1638 gcry_mpi_point_release (q);
1639 gcry_mpi_release (a);
1640
1641 ret = point_to_hash (result, ctx, key_material);
1642 gcry_mpi_point_release (result);
1643 gcry_ctx_release (ctx);
1644 BENCHMARK_END (eddsa_ecdh);
1645 return ret;
1646#endif
1647} 1110}
1648 1111
1649 1112
@@ -1715,50 +1178,13 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1715 const struct GNUNET_CRYPTO_EddsaPublicKey *pub, 1178 const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1716 struct GNUNET_HashCode *key_material) 1179 struct GNUNET_HashCode *key_material)
1717{ 1180{
1718#if NEW_CRYPTO
1719 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; 1181 uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES];
1720 uint8_t curve25510_pk[GNUNET_TWEETNACL_SIGN_PUBLICBYTES]; 1182 uint8_t curve25510_pk[GNUNET_TWEETNACL_SIGN_PUBLICBYTES];
1183
1721 GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y); 1184 GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y);
1722 GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, curve25510_pk); 1185 GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, curve25510_pk);
1723 GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material); 1186 GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material);
1724 return GNUNET_OK; 1187 return GNUNET_OK;
1725#else
1726 gcry_mpi_point_t result;
1727 gcry_mpi_point_t q;
1728 gcry_mpi_t d;
1729 gcry_ctx_t ctx;
1730 gcry_sexp_t pub_sexpr;
1731 int ret;
1732
1733 BENCHMARK_START (ecdh_eddsa);
1734
1735 /* first, extract the q = dP value from the public key */
1736 if (0 != gcry_sexp_build (&pub_sexpr,
1737 NULL,
1738 "(public-key(ecc(curve " CURVE ")(q %b)))",
1739 (int) sizeof(pub->q_y),
1740 pub->q_y))
1741 return GNUNET_SYSERR;
1742 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
1743 gcry_sexp_release (pub_sexpr);
1744 q = gcry_mpi_ec_get_point ("q", ctx, 0);
1745
1746 /* second, extract the d value from our private key */
1747 GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof(priv->d));
1748
1749 /* then call the 'multiply' function, to compute the product */
1750 result = gcry_mpi_point_new (0);
1751 gcry_mpi_ec_mul (result, d, q, ctx);
1752 gcry_mpi_point_release (q);
1753 gcry_mpi_release (d);
1754
1755 /* finally, convert point to string for hashing */
1756 ret = point_to_hash (result, ctx, key_material);
1757 gcry_mpi_point_release (result);
1758 gcry_ctx_release (ctx);
1759 BENCHMARK_END (ecdh_eddsa);
1760 return ret;
1761#endif
1762} 1188}
1763 1189
1764 1190
diff --git a/src/util/crypto_pow.c b/src/util/crypto_pow.c
index af6837e03..be575e537 100644
--- a/src/util/crypto_pow.c
+++ b/src/util/crypto_pow.c
@@ -27,8 +27,6 @@
27#include "gnunet_crypto_lib.h" 27#include "gnunet_crypto_lib.h"
28#include <gcrypt.h> 28#include <gcrypt.h>
29 29
30/* FIXME: change to 1 for #3795 / 0.12! */
31#define NEW_CRYPTO 0
32 30
33/** 31/**
34 * Calculate the 'proof-of-work' hash (an expensive hash). 32 * Calculate the 'proof-of-work' hash (an expensive hash).
@@ -46,7 +44,6 @@ GNUNET_CRYPTO_pow_hash (const char *salt,
46 size_t buf_len, 44 size_t buf_len,
47 struct GNUNET_HashCode *result) 45 struct GNUNET_HashCode *result)
48{ 46{
49#if NEW_CRYPTO
50 struct GNUNET_CRYPTO_SymmetricInitializationVector iv; 47 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
51 struct GNUNET_CRYPTO_SymmetricSessionKey skey; 48 struct GNUNET_CRYPTO_SymmetricSessionKey skey;
52 char rbuf[buf_len]; 49 char rbuf[buf_len];
@@ -81,17 +78,6 @@ GNUNET_CRYPTO_pow_hash (const char *salt,
81 2 /* iterations; keep cost of individual op small */, 78 2 /* iterations; keep cost of individual op small */,
82 sizeof(struct GNUNET_HashCode), 79 sizeof(struct GNUNET_HashCode),
83 result)); 80 result));
84#else
85 GNUNET_break (0 == gcry_kdf_derive (buf,
86 buf_len,
87 GCRY_KDF_SCRYPT,
88 1 /* subalgo */,
89 salt,
90 strlen (salt),
91 2 /* iterations; keep cost of individual op small */,
92 sizeof(struct GNUNET_HashCode),
93 result));
94#endif
95} 81}
96 82
97 83
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c
index 08bdeb2ca..2ac4fcf8a 100644
--- a/src/util/crypto_rsa.c
+++ b/src/util/crypto_rsa.c
@@ -32,8 +32,6 @@
32 32
33#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__) 33#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)
34 34
35/* Flip for #5968 */
36#define NEW_CRYPTO 0
37 35
38/** 36/**
39 * The private information of an RSA key pair. 37 * The private information of an RSA key pair.
@@ -349,7 +347,6 @@ GNUNET_CRYPTO_rsa_public_key_encode (const struct
349 GNUNET_CRYPTO_RsaPublicKey *key, 347 GNUNET_CRYPTO_RsaPublicKey *key,
350 char **buffer) 348 char **buffer)
351{ 349{
352#if NEW_CRYPTO
353 gcry_mpi_t ne[2]; 350 gcry_mpi_t ne[2];
354 size_t n_size; 351 size_t n_size;
355 size_t e_size; 352 size_t e_size;
@@ -411,23 +408,6 @@ GNUNET_CRYPTO_rsa_public_key_encode (const struct
411 gcry_mpi_release (ne[0]); 408 gcry_mpi_release (ne[0]);
412 gcry_mpi_release (ne[1]); 409 gcry_mpi_release (ne[1]);
413 return buf_size; 410 return buf_size;
414#else
415 size_t n;
416 char *b;
417
418 n = gcry_sexp_sprint (key->sexp,
419 GCRYSEXP_FMT_ADVANCED,
420 NULL,
421 0);
422 b = GNUNET_malloc (n);
423 GNUNET_assert ((n - 1) == /* since the last byte is \0 */
424 gcry_sexp_sprint (key->sexp,
425 GCRYSEXP_FMT_ADVANCED,
426 b,
427 n));
428 *buffer = b;
429 return n;
430#endif
431} 411}
432 412
433 413
@@ -466,7 +446,6 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
466 size_t len) 446 size_t len)
467{ 447{
468 struct GNUNET_CRYPTO_RsaPublicKey *key; 448 struct GNUNET_CRYPTO_RsaPublicKey *key;
469#if NEW_CRYPTO
470 struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr; 449 struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr;
471 size_t e_size; 450 size_t e_size;
472 size_t n_size; 451 size_t n_size;
@@ -526,37 +505,6 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
526 key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey); 505 key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
527 key->sexp = data; 506 key->sexp = data;
528 return key; 507 return key;
529#else
530 gcry_mpi_t n;
531 int ret;
532
533
534 key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
535 if (0 !=
536 gcry_sexp_new (&key->sexp,
537 buf,
538 len,
539 0))
540 {
541 GNUNET_break_op (0);
542 GNUNET_free (key);
543 return NULL;
544 }
545 /* verify that this is an RSA public key */
546 ret = key_from_sexp (&n, key->sexp, "public-key", "n");
547 if (0 != ret)
548 ret = key_from_sexp (&n, key->sexp, "rsa", "n");
549 if (0 != ret)
550 {
551 /* this is no public RSA key */
552 GNUNET_break (0);
553 gcry_sexp_release (key->sexp);
554 GNUNET_free (key);
555 return NULL;
556 }
557 gcry_mpi_release (n);
558 return key;
559#endif
560} 508}
561 509
562 510
@@ -1128,7 +1076,6 @@ GNUNET_CRYPTO_rsa_signature_encode (const struct
1128 GNUNET_CRYPTO_RsaSignature *sig, 1076 GNUNET_CRYPTO_RsaSignature *sig,
1129 char **buffer) 1077 char **buffer)
1130{ 1078{
1131#if NEW_CRYPTO
1132 gcry_mpi_t s; 1079 gcry_mpi_t s;
1133 size_t buf_size; 1080 size_t buf_size;
1134 size_t rsize; 1081 size_t rsize;
@@ -1160,23 +1107,6 @@ GNUNET_CRYPTO_rsa_signature_encode (const struct
1160 GNUNET_assert (rsize == buf_size); 1107 GNUNET_assert (rsize == buf_size);
1161 *buffer = (char *) buf; 1108 *buffer = (char *) buf;
1162 return buf_size; 1109 return buf_size;
1163#else
1164 size_t n;
1165 char *b;
1166
1167 n = gcry_sexp_sprint (sig->sexp,
1168 GCRYSEXP_FMT_ADVANCED,
1169 NULL,
1170 0);
1171 b = GNUNET_malloc (n);
1172 GNUNET_assert ((n - 1) == /* since the last byte is \0 */
1173 gcry_sexp_sprint (sig->sexp,
1174 GCRYSEXP_FMT_ADVANCED,
1175 b,
1176 n));
1177 *buffer = b;
1178 return n;
1179#endif
1180} 1110}
1181 1111
1182 1112
@@ -1193,7 +1123,6 @@ GNUNET_CRYPTO_rsa_signature_decode (const char *buf,
1193 size_t len) 1123 size_t len)
1194{ 1124{
1195 struct GNUNET_CRYPTO_RsaSignature *sig; 1125 struct GNUNET_CRYPTO_RsaSignature *sig;
1196#if NEW_CRYPTO
1197 gcry_mpi_t s; 1126 gcry_mpi_t s;
1198 gcry_sexp_t data; 1127 gcry_sexp_t data;
1199 1128
@@ -1222,36 +1151,6 @@ GNUNET_CRYPTO_rsa_signature_decode (const char *buf,
1222 sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature); 1151 sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
1223 sig->sexp = data; 1152 sig->sexp = data;
1224 return sig; 1153 return sig;
1225#else
1226 int ret;
1227 gcry_mpi_t s;
1228
1229 sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
1230 if (0 !=
1231 gcry_sexp_new (&sig->sexp,
1232 buf,
1233 len,
1234 0))
1235 {
1236 GNUNET_break_op (0);
1237 GNUNET_free (sig);
1238 return NULL;
1239 }
1240 /* verify that this is an RSA signature */
1241 ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
1242 if (0 != ret)
1243 ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
1244 if (0 != ret)
1245 {
1246 /* this is no RSA Signature */
1247 GNUNET_break_op (0);
1248 gcry_sexp_release (sig->sexp);
1249 GNUNET_free (sig);
1250 return NULL;
1251 }
1252 gcry_mpi_release (s);
1253#endif
1254 return sig;
1255} 1154}
1256 1155
1257 1156
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-19 12:51:43 +0000