diff options
author | Christian Grothoff <christian@grothoff.org> | 2016-05-24 18:14:04 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2016-05-24 18:14:04 +0000 |
commit | 425065e903d0eb1a4a1faeaf183401fa49e9560b (patch) | |
tree | a64ed547fb3154917743692a65c4bdf38e330c6a /src/util/crypto_rsa.c | |
parent | b2bbad6a70f3d7e089b14f282dd8e6a4dfe6ce46 (diff) | |
download | gnunet-425065e903d0eb1a4a1faeaf183401fa49e9560b.tar.gz gnunet-425065e903d0eb1a4a1faeaf183401fa49e9560b.zip |
fixing #4483: optimize blinding key storage/transmission
Diffstat (limited to 'src/util/crypto_rsa.c')
-rw-r--r-- | src/util/crypto_rsa.c | 125 |
1 files changed, 47 insertions, 78 deletions
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index 3686b02db..581754bb4 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c | |||
@@ -67,7 +67,7 @@ struct GNUNET_CRYPTO_RsaSignature | |||
67 | /** | 67 | /** |
68 | * @brief RSA blinding key | 68 | * @brief RSA blinding key |
69 | */ | 69 | */ |
70 | struct GNUNET_CRYPTO_RsaBlindingKey | 70 | struct RsaBlindingKey |
71 | { | 71 | { |
72 | /** | 72 | /** |
73 | * Random value used for blinding. | 73 | * Random value used for blinding. |
@@ -396,39 +396,40 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, | |||
396 | * Create a blinding key | 396 | * Create a blinding key |
397 | * | 397 | * |
398 | * @param len length of the key in bits (i.e. 2048) | 398 | * @param len length of the key in bits (i.e. 2048) |
399 | * @param bks pre-secret to use to derive the blinding key | ||
399 | * @return the newly created blinding key | 400 | * @return the newly created blinding key |
400 | */ | 401 | */ |
401 | struct GNUNET_CRYPTO_RsaBlindingKey * | 402 | static struct RsaBlindingKey * |
402 | GNUNET_CRYPTO_rsa_blinding_key_create (unsigned int len) | 403 | rsa_blinding_key_derive (unsigned int len, |
404 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks) | ||
403 | { | 405 | { |
404 | struct GNUNET_CRYPTO_RsaBlindingKey *blind; | 406 | struct RsaBlindingKey *blind; |
407 | uint8_t buf[len / 8]; | ||
408 | int rc; | ||
409 | size_t rsize; | ||
405 | 410 | ||
406 | blind = GNUNET_new (struct GNUNET_CRYPTO_RsaBlindingKey); | 411 | blind = GNUNET_new (struct RsaBlindingKey); |
407 | blind->r = gcry_mpi_new (len); | 412 | /* FIXME: #4483: actually derive key from bks! - Jeff, |
408 | gcry_mpi_randomize (blind->r, | 413 | check that you're happy with this!*/ |
409 | len, | 414 | GNUNET_assert (GNUNET_YES == |
410 | GCRY_STRONG_RANDOM); | 415 | GNUNET_CRYPTO_kdf (buf, |
416 | sizeof (buf), | ||
417 | "blinding-kdf", | ||
418 | strlen ("blinding-kdf"), | ||
419 | bks, | ||
420 | sizeof (*bks), | ||
421 | NULL, 0)); | ||
422 | rc = gcry_mpi_scan (&blind->r, | ||
423 | GCRYMPI_FMT_USG, | ||
424 | (const unsigned char *) buf, | ||
425 | sizeof (buf), | ||
426 | &rsize); | ||
427 | GNUNET_assert (0 == rc); | ||
411 | return blind; | 428 | return blind; |
412 | } | 429 | } |
413 | 430 | ||
414 | 431 | ||
415 | /** | 432 | /** |
416 | * Compare the values of two blinding keys. | ||
417 | * | ||
418 | * @param b1 one key | ||
419 | * @param b2 the other key | ||
420 | * @return 0 if the two are equal | ||
421 | */ | ||
422 | int | ||
423 | GNUNET_CRYPTO_rsa_blinding_key_cmp (struct GNUNET_CRYPTO_RsaBlindingKey *b1, | ||
424 | struct GNUNET_CRYPTO_RsaBlindingKey *b2) | ||
425 | { | ||
426 | return gcry_mpi_cmp (b1->r, | ||
427 | b2->r); | ||
428 | } | ||
429 | |||
430 | |||
431 | /** | ||
432 | * Compare the values of two signatures. | 433 | * Compare the values of two signatures. |
433 | * | 434 | * |
434 | * @param s1 one signature | 435 | * @param s1 one signature |
@@ -558,8 +559,8 @@ GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key) | |||
558 | * | 559 | * |
559 | * @param bkey the blinding key to destroy | 560 | * @param bkey the blinding key to destroy |
560 | */ | 561 | */ |
561 | void | 562 | static void |
562 | GNUNET_CRYPTO_rsa_blinding_key_free (struct GNUNET_CRYPTO_RsaBlindingKey *bkey) | 563 | rsa_blinding_key_free (struct RsaBlindingKey *bkey) |
563 | { | 564 | { |
564 | gcry_mpi_release (bkey->r); | 565 | gcry_mpi_release (bkey->r); |
565 | GNUNET_free (bkey); | 566 | GNUNET_free (bkey); |
@@ -575,7 +576,7 @@ GNUNET_CRYPTO_rsa_blinding_key_free (struct GNUNET_CRYPTO_RsaBlindingKey *bkey) | |||
575 | */ | 576 | */ |
576 | static size_t | 577 | static size_t |
577 | numeric_mpi_alloc_n_print (gcry_mpi_t v, | 578 | numeric_mpi_alloc_n_print (gcry_mpi_t v, |
578 | char **buffer) | 579 | char **buffer) |
579 | { | 580 | { |
580 | size_t n; | 581 | size_t n; |
581 | char *b; | 582 | char *b; |
@@ -599,53 +600,6 @@ numeric_mpi_alloc_n_print (gcry_mpi_t v, | |||
599 | 600 | ||
600 | 601 | ||
601 | /** | 602 | /** |
602 | * Encode the blinding key in a format suitable for | ||
603 | * storing it into a file. | ||
604 | * | ||
605 | * @param bkey the blinding key | ||
606 | * @param[out] buffer set to a buffer with the encoded key | ||
607 | * @return size of memory allocated in @a buffer | ||
608 | */ | ||
609 | size_t | ||
610 | GNUNET_CRYPTO_rsa_blinding_key_encode (const struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | ||
611 | char **buffer) | ||
612 | { | ||
613 | return numeric_mpi_alloc_n_print (bkey->r, buffer); | ||
614 | } | ||
615 | |||
616 | |||
617 | /** | ||
618 | * Decode the blinding key from the data-format back | ||
619 | * to the "normal", internal format. | ||
620 | * | ||
621 | * @param buf the buffer where the public key data is stored | ||
622 | * @param len the length of the data in @a buf | ||
623 | * @return NULL on error | ||
624 | */ | ||
625 | struct GNUNET_CRYPTO_RsaBlindingKey * | ||
626 | GNUNET_CRYPTO_rsa_blinding_key_decode (const char *buf, | ||
627 | size_t len) | ||
628 | { | ||
629 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey; | ||
630 | size_t rsize; | ||
631 | |||
632 | bkey = GNUNET_new (struct GNUNET_CRYPTO_RsaBlindingKey); | ||
633 | if (0 != | ||
634 | gcry_mpi_scan (&bkey->r, | ||
635 | GCRYMPI_FMT_USG, | ||
636 | (const unsigned char *) buf, | ||
637 | len, | ||
638 | &rsize)) | ||
639 | { | ||
640 | GNUNET_break_op (0); | ||
641 | GNUNET_free (bkey); | ||
642 | return NULL; | ||
643 | } | ||
644 | return bkey; | ||
645 | } | ||
646 | |||
647 | |||
648 | /** | ||
649 | * Computes a full domain hash seeded by the given public key. | 603 | * Computes a full domain hash seeded by the given public key. |
650 | * This gives a measure of provable security to the Taler exchange | 604 | * This gives a measure of provable security to the Taler exchange |
651 | * against one-more forgery attacks. See: | 605 | * against one-more forgery attacks. See: |
@@ -658,6 +612,7 @@ GNUNET_CRYPTO_rsa_blinding_key_decode (const char *buf, | |||
658 | * @param rsize If not NULL, the number of bytes actually stored in buffer | 612 | * @param rsize If not NULL, the number of bytes actually stored in buffer |
659 | * @return libgcrypt error that to represent an allocation failure | 613 | * @return libgcrypt error that to represent an allocation failure |
660 | */ | 614 | */ |
615 | /* FIXME: exported symbol without proper prefix... */ | ||
661 | gcry_error_t | 616 | gcry_error_t |
662 | rsa_full_domain_hash (gcry_mpi_t *r, | 617 | rsa_full_domain_hash (gcry_mpi_t *r, |
663 | const struct GNUNET_HashCode *hash, | 618 | const struct GNUNET_HashCode *hash, |
@@ -754,10 +709,11 @@ rsa_full_domain_hash (gcry_mpi_t *r, | |||
754 | */ | 709 | */ |
755 | size_t | 710 | size_t |
756 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 711 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, |
757 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | 712 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
758 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 713 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
759 | char **buffer) | 714 | char **buffer) |
760 | { | 715 | { |
716 | struct RsaBlindingKey *bkey; | ||
761 | gcry_mpi_t data; | 717 | gcry_mpi_t data; |
762 | gcry_mpi_t ne[2]; | 718 | gcry_mpi_t ne[2]; |
763 | gcry_mpi_t r_e; | 719 | gcry_mpi_t r_e; |
@@ -766,6 +722,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
766 | size_t n; | 722 | size_t n; |
767 | gcry_error_t rc; | 723 | gcry_error_t rc; |
768 | int ret; | 724 | int ret; |
725 | unsigned int len; | ||
769 | 726 | ||
770 | ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne"); | 727 | ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne"); |
771 | if (0 != ret) | 728 | if (0 != ret) |
@@ -786,6 +743,9 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
786 | *buffer = NULL; | 743 | *buffer = NULL; |
787 | return 0; | 744 | return 0; |
788 | } | 745 | } |
746 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | ||
747 | bkey = rsa_blinding_key_derive (len, | ||
748 | bks); | ||
789 | r_e = gcry_mpi_new (0); | 749 | r_e = gcry_mpi_new (0); |
790 | gcry_mpi_powm (r_e, | 750 | gcry_mpi_powm (r_e, |
791 | bkey->r, | 751 | bkey->r, |
@@ -800,6 +760,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
800 | gcry_mpi_release (ne[0]); | 760 | gcry_mpi_release (ne[0]); |
801 | gcry_mpi_release (ne[1]); | 761 | gcry_mpi_release (ne[1]); |
802 | gcry_mpi_release (r_e); | 762 | gcry_mpi_release (r_e); |
763 | rsa_blinding_key_free (bkey); | ||
803 | 764 | ||
804 | n = numeric_mpi_alloc_n_print (data_r_e, buffer); | 765 | n = numeric_mpi_alloc_n_print (data_r_e, buffer); |
805 | gcry_mpi_release (data_r_e); | 766 | gcry_mpi_release (data_r_e); |
@@ -1051,21 +1012,23 @@ GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key) | |||
1051 | * #GNUNET_CRYPTO_rsa_blind(). | 1012 | * #GNUNET_CRYPTO_rsa_blind(). |
1052 | * | 1013 | * |
1053 | * @param sig the signature made on the blinded signature purpose | 1014 | * @param sig the signature made on the blinded signature purpose |
1054 | * @param bkey the blinding key used to blind the signature purpose | 1015 | * @param bks the blinding key secret used to blind the signature purpose |
1055 | * @param pkey the public key of the signer | 1016 | * @param pkey the public key of the signer |
1056 | * @return unblinded signature on success, NULL on error | 1017 | * @return unblinded signature on success, NULL on error |
1057 | */ | 1018 | */ |
1058 | struct GNUNET_CRYPTO_RsaSignature * | 1019 | struct GNUNET_CRYPTO_RsaSignature * |
1059 | GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | 1020 | GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, |
1060 | struct GNUNET_CRYPTO_RsaBlindingKey *bkey, | 1021 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
1061 | struct GNUNET_CRYPTO_RsaPublicKey *pkey) | 1022 | struct GNUNET_CRYPTO_RsaPublicKey *pkey) |
1062 | { | 1023 | { |
1024 | struct RsaBlindingKey *bkey; | ||
1063 | gcry_mpi_t n; | 1025 | gcry_mpi_t n; |
1064 | gcry_mpi_t s; | 1026 | gcry_mpi_t s; |
1065 | gcry_mpi_t r_inv; | 1027 | gcry_mpi_t r_inv; |
1066 | gcry_mpi_t ubsig; | 1028 | gcry_mpi_t ubsig; |
1067 | int ret; | 1029 | int ret; |
1068 | struct GNUNET_CRYPTO_RsaSignature *sret; | 1030 | struct GNUNET_CRYPTO_RsaSignature *sret; |
1031 | unsigned int len; | ||
1069 | 1032 | ||
1070 | ret = key_from_sexp (&n, pkey->sexp, "public-key", "n"); | 1033 | ret = key_from_sexp (&n, pkey->sexp, "public-key", "n"); |
1071 | if (0 != ret) | 1034 | if (0 != ret) |
@@ -1084,6 +1047,10 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
1084 | GNUNET_break_op (0); | 1047 | GNUNET_break_op (0); |
1085 | return NULL; | 1048 | return NULL; |
1086 | } | 1049 | } |
1050 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | ||
1051 | bkey = rsa_blinding_key_derive (len, | ||
1052 | bks); | ||
1053 | |||
1087 | r_inv = gcry_mpi_new (0); | 1054 | r_inv = gcry_mpi_new (0); |
1088 | if (1 != | 1055 | if (1 != |
1089 | gcry_mpi_invm (r_inv, | 1056 | gcry_mpi_invm (r_inv, |
@@ -1094,6 +1061,7 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
1094 | gcry_mpi_release (n); | 1061 | gcry_mpi_release (n); |
1095 | gcry_mpi_release (r_inv); | 1062 | gcry_mpi_release (r_inv); |
1096 | gcry_mpi_release (s); | 1063 | gcry_mpi_release (s); |
1064 | rsa_blinding_key_free (bkey); | ||
1097 | return NULL; | 1065 | return NULL; |
1098 | } | 1066 | } |
1099 | ubsig = gcry_mpi_new (0); | 1067 | ubsig = gcry_mpi_new (0); |
@@ -1101,6 +1069,7 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
1101 | gcry_mpi_release (n); | 1069 | gcry_mpi_release (n); |
1102 | gcry_mpi_release (r_inv); | 1070 | gcry_mpi_release (r_inv); |
1103 | gcry_mpi_release (s); | 1071 | gcry_mpi_release (s); |
1072 | rsa_blinding_key_free (bkey); | ||
1104 | 1073 | ||
1105 | sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature); | 1074 | sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature); |
1106 | GNUNET_assert (0 == | 1075 | GNUNET_assert (0 == |