author | tg(x) <*@tg-x.net> | 2017-02-24 20:10:42 +0100 |
---|---|---|
committer | tg(x) <*@tg-x.net> | 2017-02-24 20:10:42 +0100 |
commit | cb1165ecfc5c89c22aa4a6fffb72e27e0bde43a3 (patch) | |
tree | 401701a61ae8245f212364df7b44b228a9f4c225 /src/util/crypto_rsa.c | |
parent | 435ef0a62ffe830ccee159f430157cfc8cc6a3d4 (diff) | |
util: add component name to LOG macros; util/client: log incoming message type/size/source for gnunet-logread
Diffstat (limited to 'src/util/crypto_rsa.c')
-rw-r--r-- | src/util/crypto_rsa.c | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c index 443d597e4..7a108c21b 100644 --- a/src/util/crypto_rsa.c +++ b/src/util/crypto_rsa.c | |||
@@ -25,7 +25,7 @@ | |||
25 | #include <gcrypt.h> | 25 | #include <gcrypt.h> |
26 | #include "gnunet_crypto_lib.h" | 26 | #include "gnunet_crypto_lib.h" |
27 | 27 | ||
28 | #define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__) | 28 | #define LOG(kind,...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__) |
29 | 29 | ||
30 | 30 | ||
31 | /** | 31 | /** |
@@ -430,7 +430,7 @@ rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey, | |||
430 | char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */ | 430 | char *xts = "Blinding KDF extrator HMAC key"; /* Trusts bks' randomness more */ |
431 | struct RsaBlindingKey *blind; | 431 | struct RsaBlindingKey *blind; |
432 | gcry_mpi_t n; | 432 | gcry_mpi_t n; |
433 | 433 | ||
434 | blind = GNUNET_new (struct RsaBlindingKey); | 434 | blind = GNUNET_new (struct RsaBlindingKey); |
435 | GNUNET_assert( NULL != blind ); | 435 | GNUNET_assert( NULL != blind ); |
436 | 436 | ||
@@ -454,25 +454,25 @@ rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey, | |||
454 | } | 454 | } |
455 | 455 | ||
456 | 456 | ||
457 | /* | 457 | /* |
458 | We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the | 458 | We originally added GNUNET_CRYPTO_kdf_mod_mpi for the benifit of the |
459 | previous routine. | 459 | previous routine. |
460 | 460 | ||
461 | There was previously a call to GNUNET_CRYPTO_kdf in | 461 | There was previously a call to GNUNET_CRYPTO_kdf in |
462 | bkey = rsa_blinding_key_derive (len, bks); | 462 | bkey = rsa_blinding_key_derive (len, bks); |
463 | that gives exactly len bits where | 463 | that gives exactly len bits where |
464 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); | 464 | len = GNUNET_CRYPTO_rsa_public_key_len (pkey); |
465 | 465 | ||
466 | Now r = 2^(len-1)/pkey.n is the probability that a set high bit being | 466 | Now r = 2^(len-1)/pkey.n is the probability that a set high bit being |
467 | okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey > | 467 | okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey > |
468 | pkey.n making the effective bkey be | 468 | pkey.n making the effective bkey be |
469 | bkey mod pkey.n = bkey - pkey.n | 469 | bkey mod pkey.n = bkey - pkey.n |
470 | so the effective bkey has its high bit set with probability r/2. | 470 | so the effective bkey has its high bit set with probability r/2. |
471 | 471 | ||
472 | We expect r to be close to 1/2 if the exchange is honest, but the | 472 | We expect r to be close to 1/2 if the exchange is honest, but the |
473 | exchange can choose r otherwise. | 473 | exchange can choose r otherwise. |
474 | 474 | ||
475 | In blind signing, the exchange sees | 475 | In blind signing, the exchange sees |
476 | B = bkey * S mod pkey.n | 476 | B = bkey * S mod pkey.n |
477 | On deposit, the exchange sees S so they can compute bkey' = B/S mod | 477 | On deposit, the exchange sees S so they can compute bkey' = B/S mod |
478 | pkey.n for all B they recorded to see if bkey' has it's high bit set. | 478 | pkey.n for all B they recorded to see if bkey' has it's high bit set. |
@@ -489,7 +489,7 @@ the wrong and right probabilities 1/3 and 1/4, respectively. | |||
489 | I feared this gives the exchange a meaningful fraction of a bit of | 489 | I feared this gives the exchange a meaningful fraction of a bit of |
490 | information per coin involved in the transaction. It sounds damaging if | 490 | information per coin involved in the transaction. It sounds damaging if |
491 | numerous coins were involved. And it could run across transactions in | 491 | numerous coins were involved. And it could run across transactions in |
492 | some scenarios. | 492 | some scenarios. |
493 | 493 | ||
494 | We fixed this by using a more uniform deterministic pseudo-random number | 494 | We fixed this by using a more uniform deterministic pseudo-random number |
495 | generator for blinding factors. I do not believe this to be a problem | 495 | generator for blinding factors. I do not believe this to be a problem |
@@ -748,7 +748,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
748 | } | 748 | } |
749 | 749 | ||
750 | data = rsa_full_domain_hash (pkey, hash); | 750 | data = rsa_full_domain_hash (pkey, hash); |
751 | if (NULL == data) | 751 | if (NULL == data) |
752 | goto rsa_gcd_validate_failure; | 752 | goto rsa_gcd_validate_failure; |
753 | 753 | ||
754 | bkey = rsa_blinding_key_derive (pkey, bks); | 754 | bkey = rsa_blinding_key_derive (pkey, bks); |
@@ -771,7 +771,7 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | |||
771 | gcry_mpi_release (ne[0]); | 771 | gcry_mpi_release (ne[0]); |
772 | gcry_mpi_release (ne[1]); | 772 | gcry_mpi_release (ne[1]); |
773 | gcry_mpi_release (r_e); | 773 | gcry_mpi_release (r_e); |
774 | rsa_blinding_key_free (bkey); | 774 | rsa_blinding_key_free (bkey); |
775 | 775 | ||
776 | *buf_size = numeric_mpi_alloc_n_print (data_r_e, buf); | 776 | *buf_size = numeric_mpi_alloc_n_print (data_r_e, buf); |
777 | gcry_mpi_release (data_r_e); | 777 | gcry_mpi_release (data_r_e); |
@@ -917,7 +917,7 @@ GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | |||
917 | GNUNET_CRYPTO_rsa_public_key_free (pkey); | 917 | GNUNET_CRYPTO_rsa_public_key_free (pkey); |
918 | if (NULL == v) /* rsa_gcd_validate failed meaning */ | 918 | if (NULL == v) /* rsa_gcd_validate failed meaning */ |
919 | return NULL; /* our *own* RSA key is malicious. */ | 919 | return NULL; /* our *own* RSA key is malicious. */ |
920 | 920 | ||
921 | sig = rsa_sign_mpi (key, v); | 921 | sig = rsa_sign_mpi (key, v); |
922 | gcry_mpi_release (v); | 922 | gcry_mpi_release (v); |
923 | return sig; | 923 | return sig; |
@@ -1077,11 +1077,11 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
1077 | } | 1077 | } |
1078 | 1078 | ||
1079 | bkey = rsa_blinding_key_derive (pkey, bks); | 1079 | bkey = rsa_blinding_key_derive (pkey, bks); |
1080 | if (NULL == bkey) | 1080 | if (NULL == bkey) |
1081 | { | 1081 | { |
1082 | /* RSA key is malicious since rsa_gcd_validate failed here. | 1082 | /* RSA key is malicious since rsa_gcd_validate failed here. |
1083 | * It should have failed during GNUNET_CRYPTO_rsa_blind too though, | 1083 | * It should have failed during GNUNET_CRYPTO_rsa_blind too though, |
1084 | * so the exchange is being malicious in an unfamilair way, maybe | 1084 | * so the exchange is being malicious in an unfamilair way, maybe |
1085 | * just trying to crash us. */ | 1085 | * just trying to crash us. */ |
1086 | GNUNET_break_op (0); | 1086 | GNUNET_break_op (0); |
1087 | gcry_mpi_release (n); | 1087 | gcry_mpi_release (n); |
@@ -1096,10 +1096,10 @@ GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_RsaSignature *sig, | |||
1096 | n)) | 1096 | n)) |
1097 | { | 1097 | { |
1098 | /* We cannot find r mod n, so gcd(r,n) != 1, which should get * | 1098 | /* We cannot find r mod n, so gcd(r,n) != 1, which should get * |
1099 | * caught above, but we handle it the same here. */ | 1099 | * caught above, but we handle it the same here. */ |
1100 | GNUNET_break_op (0); | 1100 | GNUNET_break_op (0); |
1101 | gcry_mpi_release (r_inv); | 1101 | gcry_mpi_release (r_inv); |
1102 | rsa_blinding_key_free (bkey); | 1102 | rsa_blinding_key_free (bkey); |
1103 | gcry_mpi_release (n); | 1103 | gcry_mpi_release (n); |
1104 | gcry_mpi_release (s); | 1104 | gcry_mpi_release (s); |
1105 | return NULL; | 1105 | return NULL; |
@@ -1144,11 +1144,11 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | |||
1144 | r = rsa_full_domain_hash (pkey, hash); | 1144 | r = rsa_full_domain_hash (pkey, hash); |
1145 | if (NULL == r) { | 1145 | if (NULL == r) { |
1146 | GNUNET_break_op (0); | 1146 | GNUNET_break_op (0); |
1147 | /* RSA key is malicious since rsa_gcd_validate failed here. | 1147 | /* RSA key is malicious since rsa_gcd_validate failed here. |
1148 | * It should have failed during GNUNET_CRYPTO_rsa_blind too though, | 1148 | * It should have failed during GNUNET_CRYPTO_rsa_blind too though, |
1149 | * so the exchange is being malicious in an unfamilair way, maybe | 1149 | * so the exchange is being malicious in an unfamilair way, maybe |
1150 | * just trying to crash us. Arguably, we've only an internal error | 1150 | * just trying to crash us. Arguably, we've only an internal error |
1151 | * though because we should've detected this in our previous call | 1151 | * though because we should've detected this in our previous call |
1152 | * to GNUNET_CRYPTO_rsa_unblind. */ | 1152 | * to GNUNET_CRYPTO_rsa_unblind. */ |
1153 | return GNUNET_NO; | 1153 | return GNUNET_NO; |
1154 | } | 1154 | } |