author | Jeff Burdges <burdges@gnunet.org> | 2016-06-07 19:06:46 +0000 |
---|---|---|
committer | Jeff Burdges <burdges@gnunet.org> | 2016-06-07 19:06:46 +0000 |
commit | 1f33c505c42ac2b3d628b2b70b2da62e8f621a89 (patch) | |
tree | f0b71b8a3e1de30e3914e432c5fb43418a792a44 /src/util/crypto_rsa.c | |
parent | 8459cba759d85ef512c8400ba7622332cf5ed652 (diff) | |
download | gnunet-1f33c505c42ac2b3d628b2b70b2da62e8f621a89.tar.gz gnunet-1f33c505c42ac2b3d628b2b70b2da62e8f621a89.zip |
Abstract out previous GCD(m,n)=1 commit into a single function
This should make it easier to report properly in the wallet.
Diffstat (limited to 'src/util/crypto_rsa.c')
-rw-r--r-- | src/util/crypto_rsa.c | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index c09daa412..cddb87bf7 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c | |||
@@ -393,6 +393,31 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, | |||
393 | 393 | ||
394 | 394 | ||
395 | /** | 395 | /** |
396 | * Test for malicious RSA key. | ||
397 | * | ||
398 | * Assuming n is an RSA modulous and r is generated using a call to | ||
399 | * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a | ||
400 | * malicious RSA key designed to deanomize the user. | ||
401 | * | ||
402 | * @param r KDF result | ||
403 | * @param n RSA modulus | ||
404 | * @return Asserts gcd(r,n) = 1 | ||
405 | */ | ||
406 | static int | ||
407 | rsa_gcd_validate(gcry_mpi_t r, gcry_mpi_t n) | ||
408 | { | ||
409 | gcry_mpi_t g; | ||
410 | int t; | ||
411 | |||
412 | g = gcry_mpi_new (0); | ||
413 | t = gcry_mpi_gcd(g,r,n); | ||
414 | gcry_mpi_release (g); | ||
415 | GNUNET_assert( t ); | ||
416 | return t; | ||
417 | } | ||
418 | |||
419 | |||
420 | /** | ||
396 | * Create a blinding key | 421 | * Create a blinding key |
397 | * | 422 | * |
398 | * @param len length of the key in bits (i.e. 2048) | 423 | * @param len length of the key in bits (i.e. 2048) |
@@ -406,7 +431,6 @@ rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey, | |||
406 | char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */ | 431 | char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */ |
407 | struct RsaBlindingKey *blind; | 432 | struct RsaBlindingKey *blind; |
408 | gcry_mpi_t n; | 433 | gcry_mpi_t n; |
409 | gcry_mpi_t g; | ||
410 | 434 | ||
411 | blind = GNUNET_new (struct RsaBlindingKey); | 435 | blind = GNUNET_new (struct RsaBlindingKey); |
412 | 436 | ||
@@ -419,12 +443,7 @@ rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey, | |||
419 | xts, strlen(xts), | 443 | xts, strlen(xts), |
420 | bks, sizeof(*bks), | 444 | bks, sizeof(*bks), |
421 | "Blinding KDF"); | 445 | "Blinding KDF"); |
422 | 446 | rsa_gcd_validate(blind->r,n); | |
423 | /* If gcd(*r,n) != 1 then n must be a malicious fake RSA key | ||
424 | designed to deanomize the user. */ | ||
425 | g = gcry_mpi_new (0); | ||
426 | GNUNET_assert( gcry_mpi_gcd(g,blind->r,n) ); | ||
427 | gcry_mpi_release (g); | ||
428 | 447 | ||
429 | gcry_mpi_release (n); | 448 | gcry_mpi_release (n); |
430 | return blind; | 449 | return blind; |
@@ -661,7 +680,6 @@ rsa_full_domain_hash (gcry_mpi_t *r, | |||
661 | gcry_mpi_t n; | 680 | gcry_mpi_t n; |
662 | char *xts; | 681 | char *xts; |
663 | size_t xts_len; | 682 | size_t xts_len; |
664 | gcry_mpi_t g; | ||
665 | 683 | ||
666 | /* Extract the composite n from the RSA public key */ | 684 | /* Extract the composite n from the RSA public key */ |
667 | GNUNET_assert( 0 == key_from_sexp (&n, pkey->sexp, "rsa", "n") ); | 685 | GNUNET_assert( 0 == key_from_sexp (&n, pkey->sexp, "rsa", "n") ); |
@@ -678,14 +696,9 @@ rsa_full_domain_hash (gcry_mpi_t *r, | |||
678 | xts, xts_len, | 696 | xts, xts_len, |
679 | hash, sizeof(*hash), | 697 | hash, sizeof(*hash), |
680 | "RSA-FDA FTpsW!"); | 698 | "RSA-FDA FTpsW!"); |
681 | |||
682 | GNUNET_free (xts); | 699 | GNUNET_free (xts); |
683 | 700 | ||
684 | /* If gcd(*r,n) != 1 then n must be a malicious fake RSA key | 701 | rsa_gcd_validate(*r,n); |
685 | designed to deanomize the user. */ | ||
686 | g = gcry_mpi_new (0); | ||
687 | GNUNET_assert( gcry_mpi_gcd(g,*r,n) ); | ||
688 | gcry_mpi_release (g); | ||
689 | 702 | ||
690 | gcry_mpi_release (n); | 703 | gcry_mpi_release (n); |
691 | } | 704 | } |
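Review bot: rsa_gcd_validate (new lines 406-417) still aborts through GNUNET_assert when the gcd is not 1, so its int return is only ever 1 when it returns at all, and both call sites (new 446 and new 701) discard it anyway; the refactor therefore does not yet let the wallet report the failure as the commit message intends, and a modulus received from a peer still terminates the process. To get there, drop `GNUNET_assert( t );` from the helper, document it as `@return 1 if gcd(r,n) = 1, 0 if n looks malicious`, and act on the result at the call sites: rsa_blinding_key_derive can release what it allocated and return NULL as sketched below (assuming the KDF call allocates blind->r and the callers of rsa_blinding_key_derive, outside this view, tolerate NULL), while rsa_full_domain_hash is void and its callers would need a status of their own. Both new call sites also omit the space before the parenthesis that the rest of the file uses (`gcry_mpi_new (0)`, `GNUNET_free (xts)`), and the new doc block carries two typos, `modulous` and `deanomize`. The bodies of rsa_blinding_key_derive and rsa_full_domain_hash begin outside the hunks.
```c
  if (! rsa_gcd_validate (blind->r, n))
  {
    /* gcd(r,n) != 1: n is a suspect modulus; report to the caller instead of aborting */
    gcry_mpi_release (blind->r);
    gcry_mpi_release (n);
    GNUNET_free (blind);
    return NULL;
  }
  /* … unchanged: gcry_mpi_release (n); return blind; … */
```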