author | Jeff Burdges <burdges@gnunet.org> | 2016-03-20 14:44:36 +0000 |
---|---|---|
committer | Jeff Burdges <burdges@gnunet.org> | 2016-03-20 14:44:36 +0000 |
commit | 60de5f48cbfc3868570284e91415ca7e06c390e1 (patch) | |
tree | 3e75dfd8c6a3400b1641655d0e96104420535d42 /src/util/test_crypto_rsa.c | |
parent | 157f9a2bc96a0b1594effe78158894e59e03a033 (diff) | |
download | gnunet-60de5f48cbfc3868570284e91415ca7e06c390e1.tar.gz gnunet-60de5f48cbfc3868570284e91415ca7e06c390e1.zip |
Implement a Full Domain Hash (FDH) for RSA signatures and blind signatures
This gives a measure of provable security to the Taler exchange/mint
against hypothetical one-more forgery attacks. See:
https://eprint.iacr.org/2001/002.pdf
http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf
We seed the FDH with the denomination keys as a homage to RSA-PSS.
This may slightly improve the exchange's resistance to a violation
of RSA-KTI and against insiders who can influence the choice of RSA
keys but cannot actually exfiltrate them.
Adopting FDH fixes a bug when using 512 bit RSA keys as well.
Diffstat (limited to 'src/util/test_crypto_rsa.c')
-rw-r--r-- | src/util/test_crypto_rsa.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/src/util/test_crypto_rsa.c b/src/util/test_crypto_rsa.c index 7580062df..9bd2e6ae5 100644 --- a/src/util/test_crypto_rsa.c +++ b/src/util/test_crypto_rsa.c | |||
@@ -20,11 +20,19 @@ | |||
20 | * @author Sree Harsha Totakura <sreeharsha@totakura.in> | 20 | * @author Sree Harsha Totakura <sreeharsha@totakura.in> |
21 | */ | 21 | */ |
22 | #include "platform.h" | 22 | #include "platform.h" |
23 | #include <gcrypt.h> | ||
23 | #include "gnunet_util_lib.h" | 24 | #include "gnunet_util_lib.h" |
24 | 25 | ||
25 | #define KEY_SIZE 1024 | 26 | #define KEY_SIZE 1024 |
26 | 27 | ||
27 | 28 | ||
29 | gcry_error_t | ||
30 | rsa_full_domain_hash (gcry_mpi_t *r, | ||
31 | const struct GNUNET_HashCode *hash, | ||
32 | const struct GNUNET_CRYPTO_rsa_PublicKey *pkey, | ||
33 | size_t *rsize); | ||
34 | |||
35 | |||
28 | int | 36 | int |
29 | main (int argc, | 37 | main (int argc, |
30 | char *argv[]) | 38 | char *argv[]) |
@@ -42,6 +50,7 @@ main (int argc, | |||
42 | struct GNUNET_HashCode hash; | 50 | struct GNUNET_HashCode hash; |
43 | char *blind_buf; | 51 | char *blind_buf; |
44 | size_t bsize; | 52 | size_t bsize; |
53 | gcry_mpi_t v; | ||
45 | 54 | ||
46 | GNUNET_log_setup ("test-rsa", "WARNING", NULL); | 55 | GNUNET_log_setup ("test-rsa", "WARNING", NULL); |
47 | GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, | 56 | GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, |
@@ -55,11 +64,13 @@ main (int argc, | |||
55 | GNUNET_assert (NULL != priv_copy); | 64 | GNUNET_assert (NULL != priv_copy); |
56 | GNUNET_assert (0 == GNUNET_CRYPTO_rsa_private_key_cmp (priv, priv_copy)); | 65 | GNUNET_assert (0 == GNUNET_CRYPTO_rsa_private_key_cmp (priv, priv_copy)); |
57 | pub = GNUNET_CRYPTO_rsa_private_key_get_public (priv); | 66 | pub = GNUNET_CRYPTO_rsa_private_key_get_public (priv); |
67 | |||
58 | /* Encoding */ | 68 | /* Encoding */ |
59 | size_t size; | 69 | size_t size; |
60 | char *enc; | 70 | char *enc; |
61 | enc = NULL; | 71 | enc = NULL; |
62 | size = GNUNET_CRYPTO_rsa_private_key_encode (priv, &enc); | 72 | size = GNUNET_CRYPTO_rsa_private_key_encode (priv, &enc); |
73 | |||
63 | /* Decoding */ | 74 | /* Decoding */ |
64 | GNUNET_CRYPTO_rsa_private_key_free (priv); | 75 | GNUNET_CRYPTO_rsa_private_key_free (priv); |
65 | priv = NULL; | 76 | priv = NULL; |
@@ -71,10 +82,17 @@ main (int argc, | |||
71 | (void) fprintf (stderr, "The above warning is expected.\n"); | 82 | (void) fprintf (stderr, "The above warning is expected.\n"); |
72 | GNUNET_free (enc); | 83 | GNUNET_free (enc); |
73 | 84 | ||
85 | /* test full domain hash size */ | ||
86 | GNUNET_assert (0 == rsa_full_domain_hash (&v, &hash, pub, NULL)); | ||
87 | GNUNET_assert (gcry_mpi_get_nbits(v) < KEY_SIZE); | ||
88 | gcry_mpi_clear_highbit (v, gcry_mpi_get_nbits(v)-1); /* clear the set high bit */ | ||
89 | GNUNET_assert (gcry_mpi_get_nbits(v) > 3*KEY_SIZE/4); | ||
90 | /* This test necessarily randomly fails with probability 2^(3 - KEY_SIZE/4) */ | ||
91 | gcry_mpi_release(v); | ||
92 | |||
74 | /* try ordinary sig first */ | 93 | /* try ordinary sig first */ |
75 | sig = GNUNET_CRYPTO_rsa_sign (priv, | 94 | sig = GNUNET_CRYPTO_rsa_sign_fdh (priv, |
76 | &hash, | 95 | &hash); |
77 | sizeof (hash)); | ||
78 | sig_copy = GNUNET_CRYPTO_rsa_signature_dup (sig); | 96 | sig_copy = GNUNET_CRYPTO_rsa_signature_dup (sig); |
79 | GNUNET_assert (NULL != sig); | 97 | GNUNET_assert (NULL != sig); |
80 | GNUNET_assert (0 == GNUNET_CRYPTO_rsa_signature_cmp (sig, sig_copy)); | 98 | GNUNET_assert (0 == GNUNET_CRYPTO_rsa_signature_cmp (sig, sig_copy)); |
@@ -91,7 +109,6 @@ main (int argc, | |||
91 | (void) fprintf (stderr, "The above warning is expected.\n"); | 109 | (void) fprintf (stderr, "The above warning is expected.\n"); |
92 | GNUNET_CRYPTO_rsa_signature_free (sig); | 110 | GNUNET_CRYPTO_rsa_signature_free (sig); |
93 | 111 | ||
94 | |||
95 | /* test blind signing */ | 112 | /* test blind signing */ |
96 | bkey = GNUNET_CRYPTO_rsa_blinding_key_create (KEY_SIZE); | 113 | bkey = GNUNET_CRYPTO_rsa_blinding_key_create (KEY_SIZE); |
97 | bsize = GNUNET_CRYPTO_rsa_blind (&hash, | 114 | bsize = GNUNET_CRYPTO_rsa_blind (&hash, |
@@ -99,16 +116,16 @@ main (int argc, | |||
99 | pub, | 116 | pub, |
100 | &blind_buf); | 117 | &blind_buf); |
101 | GNUNET_assert (0 != bsize); | 118 | GNUNET_assert (0 != bsize); |
102 | bsig = GNUNET_CRYPTO_rsa_sign (priv, | 119 | bsig = GNUNET_CRYPTO_rsa_sign_blinded (priv, |
103 | blind_buf, | 120 | blind_buf, |
104 | bsize); | 121 | bsize); |
105 | GNUNET_free (blind_buf); | 122 | GNUNET_free (blind_buf); |
106 | sig = GNUNET_CRYPTO_rsa_unblind (bsig, | 123 | sig = GNUNET_CRYPTO_rsa_unblind (bsig, |
107 | bkey, | 124 | bkey, |
108 | pub); | 125 | pub); |
109 | GNUNET_CRYPTO_rsa_signature_free (bsig); | 126 | GNUNET_CRYPTO_rsa_signature_free (bsig); |
110 | GNUNET_assert (GNUNET_OK == | 127 | GNUNET_assert (GNUNET_OK == |
111 | GNUNET_CRYPTO_rsa_verify (&hash, sig, pub)); | 128 | GNUNET_CRYPTO_rsa_verify (&hash, sig, pub)); |
112 | GNUNET_CRYPTO_rsa_signature_free (sig); | 129 | GNUNET_CRYPTO_rsa_signature_free (sig); |
113 | GNUNET_CRYPTO_rsa_signature_free (sig_copy); | 130 | GNUNET_CRYPTO_rsa_signature_free (sig_copy); |
114 | GNUNET_CRYPTO_rsa_private_key_free (priv); | 131 | GNUNET_CRYPTO_rsa_private_key_free (priv); |
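Review bot: The hand-written prototype for `rsa_full_domain_hash` added to the test (new lines 29-33 in the first hunk) duplicates a declaration that presumably lives with the implementation, and C linkage does not carry parameter types, so a later change to the real signature would still compile and link here and then call the function with a mismatched contract; moving the declaration to a shared internal header, or at least annotating it with `/* Must match the definition in crypto_rsa.c; not part of the public API. */`, would make the dependency explicit. The FDH size check in the fourth hunk is documented as failing with a small random probability for a random `hash`, which is acceptable for a size sanity check, but the preceding assertion does not exclude a zero `v`, in which case `gcry_mpi_get_nbits(v)-1` would wrap before `gcry_mpi_clear_highbit`; a one-line `GNUNET_assert (0 != gcry_mpi_get_nbits (v));` before it would make the intent explicit. The comment `/* try ordinary sig first */` is now stale next to `GNUNET_CRYPTO_rsa_sign_fdh` and could read `/* try ordinary (FDH) sig first */`. The commit message says FDH also fixes a 512-bit key issue, yet the test only runs with `KEY_SIZE 1024`, so that claim is not exercised here. The enclosing `main` begins in the first hunk and continues past the end of the last one.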