diff options
| author | Christian Grothoff <christian@grothoff.org> | 2016-05-24 18:14:04 +0000 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2016-05-24 18:14:04 +0000 |
| commit | 425065e903d0eb1a4a1faeaf183401fa49e9560b (patch) | |
| tree | a64ed547fb3154917743692a65c4bdf38e330c6a /src/util/crypto_rsa.c | |
| parent | b2bbad6a70f3d7e089b14f282dd8e6a4dfe6ce46 (diff) | |
| download | gnunet-425065e903d0eb1a4a1faeaf183401fa49e9560b.tar.gz gnunet-425065e903d0eb1a4a1faeaf183401fa49e9560b.zip | |
fixing #4483: optimize blinding key storage/transmission
Diffstat (limited to 'src/util/crypto_rsa.c')
| -rw-r--r-- | src/util/crypto_rsa.c | 125 |
1 files changed, 47 insertions, 78 deletions
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index 3686b02db..581754bb4 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c | |||
| @@ -67,7 +67,7 @@ struct GNUNET_CRYPTO_RsaSignature | |||
| 67 | /** | 67 | /** |
| 68 | * @brief RSA blinding key | 68 | * @brief RSA blinding key |
| 69 | */ | 69 | */ |
| 70 | struct GNUNET_CRYPTO_RsaBlindingKey | 70 | struct RsaBlindingKey |
| 71 | { | 71 | { |
| 72 | /** | 72 | /** |
| 73 | * Random value used for blinding. | 73 | * Random value used for blinding. |
| @@ -396,39 +396,40 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, | |||
| 396 | * Create a blinding key | 396 | * Create a blinding key |
| 397 | * | 397 | * |
| 398 | * @param len length of the key in bits (i.e. 2048) | 398 | * @param len length of the key in bits (i.e. 2048) |
| 399 | * @param bks pre-secret to use to derive the blinding key | ||
| 399 | * @return the newly created blinding key | 400 | * @return the newly created blinding key |
| 400 | */ | 401 | */ |
| 401 | struct GNUNET_CRYPTO_RsaBlindingKey * | 402 | static struct RsaBlindingKey * |
| 402 | GNUNET_CRYPTO_rsa_blinding_key_create (unsigned int len) | 403 | rsa_blinding_key_derive (unsigned int len, |
| 404 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks) | ||
| 403 | { | 405 | { |
| 404 | struct GNUNET_CRYPTO_RsaBlindingKey *blind; | 406 | struct RsaBlindingKey *blind; |
| 407 | uint8_t buf[len / 8]; | ||
| 408 | int rc; | ||
| 409 | size_t rsize; | ||
| 405 | 410 | ||
| 406 | blind = GNUNET_new (struct GNUNET_CRYPTO_RsaBlindingKey); | 411 | blind = GNUNET_new (struct RsaBlindingKey); |
| 407 | blind->r = gcry_mpi_new (len); | 412 | /* FIXME: #4483: actually derive key from bks! - Jeff, |
| 408 | gcry_mpi_randomize (blind->r, | 413 | check that you're happy with this!*/ |
| 409 | len, | 414 | GNUNET_assert (GNUNET_YES == |
| 410 | GCRY_STRONG_RANDOM); | 415 | GNUNET_CRYPTO_kdf (buf, |
| 416 | sizeof (buf), | ||
| 417 | "blinding-kdf", | ||
| 418 | strlen ("blinding-kdf"), | ||
| 419 | bks, | ||
| 420 | sizeof (*bks), | ||
| 421 | NULL, 0)); | ||
| 422 | rc = gcry_mpi_scan (&blind->r, | ||
| 423 | GCRYMPI_FMT_USG, | ||
| 424 | (const unsigned char *) buf, | ||
| 425 | sizeof (buf), | ||
| 426 | &rsize); | ||
| 427 | GNUNET_assert (0 == rc); | ||
| 411 | return blind; | 428 | return blind; |
| 412 | } | 429 | } |
| 413 | 430 | ||
| 414 | 431 | ||
| 415 | /** | 432 | /** |
| 416 | * Compare the values of two blinding keys. | ||
| 417 | * | ||
| 418 | * @param b1 one key | ||
| 419 | * @param b2 the other key | ||
| 420 | * @return 0 if the two are equal | ||
| 421 | */ | ||
| 422 | int | ||
| 423 | GNUNET_CRYPTO_rsa_blinding_key_cmp (struct GNUNET_CRYPTO_RsaBlindingKey *b1, | ||
| 424 | struct GNUNET_CRYPTO_RsaBlindingKey *b2) | ||
| 425 | { | ||
| 426 | return gcry_mpi_cmp (b1->r, | ||
| 427 | b2->r); | ||
| 428 | } | ||
| 429 | |||
| 430 | |||
| 431 | /** | ||
| 432 | * Compare the values of two signatures. | 433 | * Compare the values of two signatures. |
| 433 | * | 434 | * |
| 434 | * @param s1 one signature | 435 | * @param s1 one signature |
| @@ -558,8 +559,8 @@ GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key) | |||
| 558 | * | 559 | * |
| 559 | * @param bkey the blinding key to destroy | 560 | * @param bkey the blinding key to destroy |
| 560 | */ | 561 | */ |
| 561 | void | 562 | static void |
| 562 | GNUNET_CRYPTO_rsa_blinding_key_free (struct GNUNET_CRYPTO_RsaBlindingKey *bkey) | 563 | rsa_blinding_key_free (struct RsaBlindingKey *bkey) |
| 563 | { | 564 | { |
| 564 | gcry_mpi_release (bkey->r); | 565 | gcry_mpi_release (bkey->r); |
| 565 | GNUNET_free (bkey); | 566 | GNUNET_free (bkey); |
| @@ -575,7 +576,7 @@ GNUNET_CRYPTO_rsa_blinding_key_free (struct GNUNET_CRYPTO_RsaBlindingKey *bkey) | |||
| 575 | */ | 576 | */ |
| 576 | static size_t | 577 | static size_t |
| 577 | numeric_mpi_alloc_n_print (gcry_mpi_t v, | 578 | numeric_mpi_alloc_n_print (gcry_mpi_t v, |
| 578 | char **buffer) | 579 | char **buffer) |
| 579 | { | 580 | { |
| 580 | size_t n; | 581 | size_t n; |
| 581 | char *b; | 582 | char *b; |
| @@ -599,53 +600,6 @@ numeric_mpi_alloc_n_print (gcry_mpi_t v, | |||
| 599 | 600 | ||
| 600 | 601 | ||
| 601 | /** | 602 | /** |
| 602 | * Encode the blinding key in a format suitable for | ||
| 603 | * storing it into a file. | ||
| 604 | * | ||
| 605 | * @param bkey the blinding key | ||
| 606 | * @param[out] buffer set to a buffer with the encoded key | ||
| 607 | * @return size of memory allocated in @a buffer | ||
| 608 | */ | ||
| 609 | size_t | ||
| 610 | GNUNET_CRYPTO_rsa_blinding_key_encode (const struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | ||
| 611 | char **buffer) | ||
| 612 | { | ||
| 613 | return numeric_mpi_alloc_n_print (bkey->r, buffer); | ||
| 614 | } | ||
| 615 | |||
| 616 | |||
| 617 | /** | ||
| 618 | * Decode the blinding key from the data-format back | ||
| 619 | * to the "normal", internal format. | ||
| 620 | * | ||
| 621 | * @param buf the buffer where the public key data is stored | ||
| 622 | * @param len the length of the data in @a buf | ||
| 623 | * @return NULL on error | ||
| 624 | */ | ||
| 625 | struct GNUNET_CRYPTO_RsaBlindingKey * | ||
| 626 | GNUNET_CRYPTO_rsa_blinding_key_decode (const char *buf, | ||
| 627 | size_t len) | ||
| 628 | { | ||
| 629 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey; | ||
| 630 | size_t rsize; | ||
| 631 | |||
| 632 | bkey = GNUNET_new (struct GNUNET_CRYPTO_RsaBlindingKey); | ||
| 633 | if (0 != | ||
| 634 | gcry_mpi_scan (&bkey->r, | ||
| 635 | GCRYMPI_FMT_USG, | ||
| 636 | (const unsigned char *) buf, | ||
| 637 | len, | ||
| 638 | &rsize)) | ||
| 639 | { | ||
| 640 | GNUNET_break_op (0); | ||
| 641 | GNUNET_free (bkey); | ||
| 642 | return NULL; | ||
| 643 | } | ||
| 644 | return bkey; | ||
| 645 | } | ||
| 646 | |||
| 647 | |||
| 648 | /** | ||
| 649 | * Computes a full domain hash seeded by the given public key. | 603 | * Computes a full domain hash seeded by the given public key. |
| 650 | * This gives a measure of provable security to the Taler exchange | 604 | * This gives a measure of provable security to the Taler exchange |
| 651 | * against one-more forgery attacks. See: | 605 | * against one-more forgery attacks. See: |
| @@ -658,6 +612,7 @@ GNUNET_CRYPTO_rsa_blinding_key_decode (const char *buf, | |||
| 658 | * @param rsize If not NULL, the number of bytes actually stored in buffer | 612 | * @param rsize If not NULL, the number of bytes actually stored in buffer |
| 659 | * @return libgcrypt error that to represent an allocation failure | 613 | * @return libgcrypt error that to represent an allocation failure |
| 660 | */ | 614 | */ |
| 615 | /* FIXME: exported symbol without proper prefix... */ | ||
| 661 | gcry_error_t | 616 | gcry_error_t |
| 662 | rsa_full_domain_hash (gcry_mpi_t *r, | 617 | rsa_full_domain_hash (gcry_mpi_t *r, |
| 663 | const struct GNUNET_HashCode *hash, | 618 | const struct GNUNET_HashCode *hash, |
| @@ -754,10 +709,11 @@ rsa_full_domain_hash (gcry_mpi_t *r, | |||
| 754 | */ | 709 | */ |
| 755 | size_t | 710 | size_t |
| 756 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 711 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, |
| 757 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | 712 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
| 758 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 713 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
| 759 | char **buffer) | 714 | char **buffer) |
| 760 | { | 715 | { |
| 716 | struct RsaBlindingKey *bkey; | ||
| 761 | gcry_mpi_t data; | 717 | gcry_mpi_t data; |
| 762 | gcry_mpi_t ne[2]; | 718 | gcry_mpi_t ne[2]; |
| 763 | gcry_mpi_t r_e; | 719 | gcry_mpi_t r_e; |
| @@ -766,6 +722,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
| 766 | size_t n; | 722 | size_t n; |
| 767 | gcry_error_t rc; | 723 | gcry_error_t rc; |
| 768 | int ret; | 724 | int ret; |
| 725 | unsigned int len; | ||
| 769 | 726 | ||
| 770 | ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne"); | 727 | ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne"); |
| 771 | if (0 != ret) | 728 | if (0 != ret) |
| @@ -786,6 +743,9 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
| 786 | *buffer = NULL; | 743 | *buffer = NULL; |
| 787 | return 0; | 744 | return 0; |
| 788 | } | 745 | } |
| 746 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | ||
| 747 | bkey = rsa_blinding_key_derive (len, | ||
| 748 | bks); | ||
| 789 | r_e = gcry_mpi_new (0); | 749 | r_e = gcry_mpi_new (0); |
| 790 | gcry_mpi_powm (r_e, | 750 | gcry_mpi_powm (r_e, |
| 791 | bkey->r, | 751 | bkey->r, |
| @@ -800,6 +760,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
| 800 | gcry_mpi_release (ne[0]); | 760 | gcry_mpi_release (ne[0]); |
| 801 | gcry_mpi_release (ne[1]); | 761 | gcry_mpi_release (ne[1]); |
| 802 | gcry_mpi_release (r_e); | 762 | gcry_mpi_release (r_e); |
| 763 | rsa_blinding_key_free (bkey); | ||
| 803 | 764 | ||
| 804 | n = numeric_mpi_alloc_n_print (data_r_e, buffer); | 765 | n = numeric_mpi_alloc_n_print (data_r_e, buffer); |
| 805 | gcry_mpi_release (data_r_e); | 766 | gcry_mpi_release (data_r_e); |
| @@ -1051,21 +1012,23 @@ GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key) | |||
| 1051 | * #GNUNET_CRYPTO_rsa_blind(). | 1012 | * #GNUNET_CRYPTO_rsa_blind(). |
| 1052 | * | 1013 | * |
| 1053 | * @param sig the signature made on the blinded signature purpose | 1014 | * @param sig the signature made on the blinded signature purpose |
| 1054 | * @param bkey the blinding key used to blind the signature purpose | 1015 | * @param bks the blinding key secret used to blind the signature purpose |
| 1055 | * @param pkey the public key of the signer | 1016 | * @param pkey the public key of the signer |
| 1056 | * @return unblinded signature on success, NULL on error | 1017 | * @return unblinded signature on success, NULL on error |
| 1057 | */ | 1018 | */ |
| 1058 | struct GNUNET_CRYPTO_RsaSignature * | 1019 | struct GNUNET_CRYPTO_RsaSignature * |
| 1059 | GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | 1020 | GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, |
| 1060 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | 1021 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
| 1061 | struct GNUNET_CRYPTO_RsaPublicKey *pkey) | 1022 | struct GNUNET_CRYPTO_RsaPublicKey *pkey) |
| 1062 | { | 1023 | { |
| 1024 | struct RsaBlindingKey *bkey; | ||
| 1063 | gcry_mpi_t n; | 1025 | gcry_mpi_t n; |
| 1064 | gcry_mpi_t s; | 1026 | gcry_mpi_t s; |
| 1065 | gcry_mpi_t r_inv; | 1027 | gcry_mpi_t r_inv; |
| 1066 | gcry_mpi_t ubsig; | 1028 | gcry_mpi_t ubsig; |
| 1067 | int ret; | 1029 | int ret; |
| 1068 | struct GNUNET_CRYPTO_RsaSignature *sret; | 1030 | struct GNUNET_CRYPTO_RsaSignature *sret; |
| 1031 | unsigned int len; | ||
| 1069 | 1032 | ||
| 1070 | ret = key_from_sexp (&n, pkey->sexp, "public-key", "n"); | 1033 | ret = key_from_sexp (&n, pkey->sexp, "public-key", "n"); |
| 1071 | if (0 != ret) | 1034 | if (0 != ret) |
| @@ -1084,6 +1047,10 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
| 1084 | GNUNET_break_op (0); | 1047 | GNUNET_break_op (0); |
| 1085 | return NULL; | 1048 | return NULL; |
| 1086 | } | 1049 | } |
| 1050 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | ||
| 1051 | bkey = rsa_blinding_key_derive (len, | ||
| 1052 | bks); | ||
| 1053 | |||
| 1087 | r_inv = gcry_mpi_new (0); | 1054 | r_inv = gcry_mpi_new (0); |
| 1088 | if (1 != | 1055 | if (1 != |
| 1089 | gcry_mpi_invm (r_inv, | 1056 | gcry_mpi_invm (r_inv, |
| @@ -1094,6 +1061,7 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
| 1094 | gcry_mpi_release (n); | 1061 | gcry_mpi_release (n); |
| 1095 | gcry_mpi_release (r_inv); | 1062 | gcry_mpi_release (r_inv); |
| 1096 | gcry_mpi_release (s); | 1063 | gcry_mpi_release (s); |
| 1064 | rsa_blinding_key_free (bkey); | ||
| 1097 | return NULL; | 1065 | return NULL; |
| 1098 | } | 1066 | } |
| 1099 | ubsig = gcry_mpi_new (0); | 1067 | ubsig = gcry_mpi_new (0); |
| @@ -1101,6 +1069,7 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
| 1101 | gcry_mpi_release (n); | 1069 | gcry_mpi_release (n); |
| 1102 | gcry_mpi_release (r_inv); | 1070 | gcry_mpi_release (r_inv); |
| 1103 | gcry_mpi_release (s); | 1071 | gcry_mpi_release (s); |
| 1072 | rsa_blinding_key_free (bkey); | ||
| 1104 | 1073 | ||
| 1105 | sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature); | 1074 | sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature); |
| 1106 | GNUNET_assert (0 == | 1075 | GNUNET_assert (0 == |