Chaum-style Blind signatures based on RSA. More...

#include "platform.h"
#include <gcrypt.h>
#include "gnunet_crypto_lib.h"
#include "benchmark.h"

Include dependency graph for crypto_rsa.c:

Data Structures
struct	GNUNET_CRYPTO_RsaPrivateKey
	The private information of an RSA key pair. More...

struct	GNUNET_CRYPTO_RsaPublicKey
	The public information of an RSA key pair. More...

struct	GNUNET_CRYPTO_RsaSignature
	an RSA signature More...

struct	RsaBlindingKey
	RSA blinding key. More...

struct	GNUNET_CRYPTO_RsaPublicKeyHeaderP
	Format of the header of a serialized RSA public key. More...

Macros
#define	LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)

Functions
static int	key_from_sexp (gcry_mpi_t array, gcry_sexp_t sexp, const char topname, const char *elems)
	Extract values from an S-expression. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_create (unsigned int len)
	Create a new private key. More...

void	GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key)
	Free memory occupied by the private key. More...

size_t	GNUNET_CRYPTO_rsa_private_key_encode (const struct GNUNET_CRYPTO_RsaPrivateKey key, void *buffer)
	Encode the private key in a format suitable for storing it into a file. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_decode (const void *buf, size_t buf_size)
	Decode the private key from the data-format back to the "normal", internal format. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_private_key_get_public (const struct GNUNET_CRYPTO_RsaPrivateKey *priv)
	Extract the public key of the given private key. More...

void	GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key)
	Free memory occupied by the public key. More...

GNUNET_NETWORK_STRUCT_END size_t	GNUNET_CRYPTO_rsa_public_key_encode (const struct GNUNET_CRYPTO_RsaPublicKey key, void *buffer)
	Encode the public key in a format suitable for storing it into a file. More...

void	GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey key, struct GNUNET_HashCode hc)
	Compute hash over the public key. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len)
	Decode the public key from the data-format back to the "normal", internal format. More...

static int	rsa_gcd_validate (gcry_mpi_t r, gcry_mpi_t n)
	Test for malicious RSA key. More...

static struct RsaBlindingKey *	rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey pkey, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks)
	Create a blinding key. More...

int	GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_RsaSignature s1, struct GNUNET_CRYPTO_RsaSignature s2)
	Compare the values of two signatures. More...

int	GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_RsaPublicKey p1, struct GNUNET_CRYPTO_RsaPublicKey p2)
	Compare the values of two public keys. More...

int	GNUNET_CRYPTO_rsa_private_key_cmp (struct GNUNET_CRYPTO_RsaPrivateKey p1, struct GNUNET_CRYPTO_RsaPrivateKey p2)
	Compare the values of two private keys. More...

unsigned int	GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key)
	Obtain the length of the RSA key in bits. More...

static void	rsa_blinding_key_free (struct RsaBlindingKey *bkey)
	Destroy a blinding key. More...

static size_t	numeric_mpi_alloc_n_print (gcry_mpi_t v, char **buffer)
	Print an MPI to a newly created buffer. More...

static gcry_mpi_t	rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey pkey, const struct GNUNET_HashCode hash)
	Computes a full domain hash seeded by the given public key. More...

int	GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode hash, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks, struct GNUNET_CRYPTO_RsaPublicKey pkey, void buf, size_t buf_size)
	Blinds the given message with the given blinding key. More...

static gcry_sexp_t	mpi_to_sexp (gcry_mpi_t value)
	Convert an MPI to an S-expression suitable for signature operations. More...

static struct GNUNET_CRYPTO_RsaSignature *	rsa_sign_mpi (const struct GNUNET_CRYPTO_RsaPrivateKey *key, gcry_mpi_t value)
	Sign the given MPI. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey key, const void msg, size_t msg_len)
	Sign a blinded value, which must be a full domain hash of a message. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey key, const struct GNUNET_HashCode hash)
	Create and sign a full domain hash of a message. More...

void	GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig)
	Free memory occupied by signature. More...

size_t	GNUNET_CRYPTO_rsa_signature_encode (const struct GNUNET_CRYPTO_RsaSignature sig, void *buffer)
	Encode the given signature in a format suitable for storing it into a file. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_signature_decode (const void *buf, size_t buf_size)
	Decode the signature from the data-format back to the "normal", internal format. More...

struct GNUNET_CRYPTO_RsaPublicKey *	GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key)
	Duplicate the given public key. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature sig, const struct GNUNET_CRYPTO_RsaBlindingKeySecret bks, struct GNUNET_CRYPTO_RsaPublicKey *pkey)
	Unblind a blind-signed signature. More...

int	GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode hash, const struct GNUNET_CRYPTO_RsaSignature sig, const struct GNUNET_CRYPTO_RsaPublicKey *pkey)
	Verify whether the given hash corresponds to the given signature and the signature is valid with respect to the given public key. More...

struct GNUNET_CRYPTO_RsaPrivateKey *	GNUNET_CRYPTO_rsa_private_key_dup (const struct GNUNET_CRYPTO_RsaPrivateKey *key)
	Duplicate the given private key. More...

struct GNUNET_CRYPTO_RsaSignature *	GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig)
	Duplicate the given private key. More...

Detailed Description

Chaum-style Blind signatures based on RSA.

Author: Sree Harsha Totakura sreeh.nosp@m.arsh.nosp@m.a@tot.nosp@m.akur.nosp@m.a.in; Christian Grothoff; Jeffrey Burdges burdg.nosp@m.es@g.nosp@m.nunet.nosp@m..org

Definition in file crypto_rsa.c.

Macro Definition Documentation

◆ LOG

#define LOG	(	kind,
		...
	)	GNUNET_log_from (kind, "util-crypto-rsa", __VA_ARGS__)

Definition at line 33 of file crypto_rsa.c.

Referenced by GNUNET_CRYPTO_rsa_private_key_decode(), GNUNET_CRYPTO_rsa_verify(), and rsa_sign_mpi().

Function Documentation

◆ key_from_sexp()

static int key_from_sexp	(	gcry_mpi_t *	array,
		gcry_sexp_t	sexp,
		const char *	topname,
		const char *	elems
	)

static

Extract values from an S-expression.

Parameters

array	where to store the result(s)
sexp	S-expression to parse
topname	top-level name in the S-expression that is of interest
elems	names of the elements to extract

Returns: 0 on success

Definition at line 94 of file crypto_rsa.c.

References list.

Referenced by GNUNET_CRYPTO_rsa_blind(), GNUNET_CRYPTO_rsa_private_key_get_public(), GNUNET_CRYPTO_rsa_public_key_encode(), GNUNET_CRYPTO_rsa_public_key_len(), GNUNET_CRYPTO_rsa_signature_dup(), GNUNET_CRYPTO_rsa_signature_encode(), GNUNET_CRYPTO_rsa_unblind(), rsa_blinding_key_derive(), and rsa_full_domain_hash().

 {
   gcry_sexp_t list;
   gcry_sexp_t l2;
   const char *s;
   unsigned int idx;
 
   if (! (list = gcry_sexp_find_token (sexp, topname, 0)))
     return 1;
   l2 = gcry_sexp_cadr (list);
   gcry_sexp_release (list);
   list = l2;
   if (! list)
     return 2;
   idx = 0;
   for (s = elems; *s; s++, idx++)
   {
     if (! (l2 = gcry_sexp_find_token (list, s, 1)))
     {
       for (unsigned int i = 0; i < idx; i++)
       {
         gcry_free (array[i]);
         array[i] = NULL;
       }
       gcry_sexp_release (list);
       return 3;                 /* required parameter not found */
     }
     array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
     gcry_sexp_release (l2);
     if (! array[idx])
     {
       for (unsigned int i = 0; i < idx; i++)
       {
         gcry_free (array[i]);
         array[i] = NULL;
       }
       gcry_sexp_release (list);
       return 4;                 /* required parameter is invalid */
     }
   }
   gcry_sexp_release (list);
   return 0;
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_create()

struct GNUNET_CRYPTO_RsaPrivateKey* GNUNET_CRYPTO_rsa_private_key_create ( unsigned int len )

Create a new private key.

Caller must free return value.

Parameters

len	length of the key in bits (i.e. 2048)

Returns: fresh private key

Definition at line 149 of file crypto_rsa.c.

References BENCHMARK_END, BENCHMARK_START, GNUNET_assert, GNUNET_new, ret, and GNUNET_CRYPTO_RsaPrivateKey::sexp.

Referenced by run().

 {
   struct GNUNET_CRYPTO_RsaPrivateKey *ret;
   gcry_sexp_t s_key;
   gcry_sexp_t s_keyparam;
 
   BENCHMARK_START (rsa_private_key_create);
 
   GNUNET_assert (0 ==
                  gcry_sexp_build (&s_keyparam,
                                   NULL,
                                   "(genkey(rsa(nbits %d)))",
                                   len));
   GNUNET_assert (0 ==
                  gcry_pk_genkey (&s_key,
                                  s_keyparam));
   gcry_sexp_release (s_keyparam);
 #if EXTRA_CHECKS
   GNUNET_assert (0 ==
                  gcry_pk_testkey (s_key));
 #endif
   ret = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
   ret->sexp = s_key;
   BENCHMARK_END (rsa_private_key_create);
   return ret;
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_free()

void GNUNET_CRYPTO_rsa_private_key_free ( struct GNUNET_CRYPTO_RsaPrivateKey * key )

Free memory occupied by the private key.

Parameters

key	pointer to the memory to free

Definition at line 183 of file crypto_rsa.c.

References GNUNET_free, and GNUNET_CRYPTO_RsaPrivateKey::sexp.

Referenced by GNUNET_CRYPTO_rsa_private_key_decode(), and run().

 {
   gcry_sexp_release (key->sexp);
   GNUNET_free (key);
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_encode()

size_t GNUNET_CRYPTO_rsa_private_key_encode	(	const struct GNUNET_CRYPTO_RsaPrivateKey *	key,
		void **	buffer
	)

Encode the private key in a format suitable for storing it into a file.

Parameters

	key	the private key
[out]	buffer	set to a buffer with the encoded key

Returns: size of memory allocated in buffer

Definition at line 199 of file crypto_rsa.c.

References testconfigure::b, GNUNET_assert, GNUNET_malloc, and GNUNET_CRYPTO_RsaPrivateKey::sexp.

Referenced by GNUNET_CRYPTO_rsa_private_key_cmp().

 {
   size_t n;
   char *b;
 
   n = gcry_sexp_sprint (key->sexp,
                         GCRYSEXP_FMT_DEFAULT,
                         NULL,
                         0);
   b = GNUNET_malloc (n);
   GNUNET_assert ((n - 1) ==      /* since the last byte is \0 */
                  gcry_sexp_sprint (key->sexp,
                                    GCRYSEXP_FMT_DEFAULT,
                                    b,
                                    n));
   *buffer = b;
   return n;
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_decode()

struct GNUNET_CRYPTO_RsaPrivateKey* GNUNET_CRYPTO_rsa_private_key_decode	(	const void *	buf,
		size_t	buf_size
	)

Decode the private key from the data-format back to the "normal", internal format.

Parameters

buf	the buffer where the private key data is stored
buf_size	the size of the data in buf

Returns: NULL on error

Definition at line 230 of file crypto_rsa.c.

References GNUNET_CRYPTO_rsa_private_key_free(), GNUNET_ERROR_TYPE_WARNING, GNUNET_free, GNUNET_new, key, LOG, and GNUNET_CRYPTO_RsaPrivateKey::sexp.

 {
   struct GNUNET_CRYPTO_RsaPrivateKey *key;
 
   key = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
   if (0 !=
       gcry_sexp_new (&key->sexp,
                      buf,
                      buf_size,
                      0))
   {
     LOG (GNUNET_ERROR_TYPE_WARNING,
          "Decoded private key is not valid\n");
     GNUNET_free (key);
     return NULL;
   }
   if (0 != gcry_pk_testkey (key->sexp))
   {
     LOG (GNUNET_ERROR_TYPE_WARNING,
          "Decoded private key is not valid\n");
     GNUNET_CRYPTO_rsa_private_key_free (key);
     return NULL;
   }
   return key;
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_get_public()

struct GNUNET_CRYPTO_RsaPublicKey* GNUNET_CRYPTO_rsa_private_key_get_public ( const struct GNUNET_CRYPTO_RsaPrivateKey * priv )

Extract the public key of the given private key.

Parameters

priv	the private key NULL on error, otherwise the public key

Definition at line 265 of file crypto_rsa.c.

References BENCHMARK_END, BENCHMARK_START, GNUNET_break_op, GNUNET_new, key_from_sexp(), pub, result, GNUNET_CRYPTO_RsaPrivateKey::sexp, and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by GNUNET_CRYPTO_rsa_sign_fdh(), rsa_sign_mpi(), and run().

 {
   struct GNUNET_CRYPTO_RsaPublicKey *pub;
   gcry_mpi_t ne[2];
   int rc;
   gcry_sexp_t result;
 
   BENCHMARK_START (rsa_private_key_get_public);
 
   rc = key_from_sexp (ne, priv->sexp, "public-key", "ne");
   if (0 != rc)
     rc = key_from_sexp (ne, priv->sexp, "private-key", "ne");
   if (0 != rc)
     rc = key_from_sexp (ne, priv->sexp, "rsa", "ne");
   if (0 != rc)
   {
     GNUNET_break_op (0);
     return NULL;
   }
   rc = gcry_sexp_build (&result,
                         NULL,
                         "(public-key(rsa(n %m)(e %m)))",
                         ne[0],
                         ne[1]);
   gcry_mpi_release (ne[0]);
   gcry_mpi_release (ne[1]);
   pub = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
   pub->sexp = result;
   BENCHMARK_END (rsa_private_key_get_public);
   return pub;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_free()

void GNUNET_CRYPTO_rsa_public_key_free ( struct GNUNET_CRYPTO_RsaPublicKey * key )

Free memory occupied by the public key.

Parameters

key	pointer to the memory to free

Definition at line 305 of file crypto_rsa.c.

References GNUNET_free, GNUNET_NETWORK_STRUCT_BEGIN, and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by clean_rsa_pub(), clean_rsa_public_key(), GNUNET_CRYPTO_rsa_sign_fdh(), rsa_sign_mpi(), and run().

 {
   gcry_sexp_release (key->sexp);
   GNUNET_free (key);
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_encode()

GNUNET_NETWORK_STRUCT_END size_t GNUNET_CRYPTO_rsa_public_key_encode	(	const struct GNUNET_CRYPTO_RsaPublicKey *	key,
		void **	buffer
	)

Encode the public key in a format suitable for storing it into a file.

Parameters

	key	the private key
[out]	buffer	set to a buffer with the encoded key

Returns: size of memory allocated in buffer

Definition at line 346 of file crypto_rsa.c.

References buf, GNUNET_assert, GNUNET_break, GNUNET_malloc, key_from_sexp(), GNUNET_CRYPTO_RsaPublicKeyHeaderP::modulus_length, GNUNET_CRYPTO_RsaPublicKeyHeaderP::public_exponent_length, ret, and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by bind_rsa_pub(), GNUNET_CRYPTO_rsa_public_key_cmp(), GNUNET_CRYPTO_rsa_public_key_hash(), GNUNET_JSON_from_rsa_public_key(), my_conv_rsa_public_key(), qconv_rsa_public_key(), rsa_full_domain_hash(), and run().

 {
   gcry_mpi_t ne[2];
   size_t n_size;
   size_t e_size;
   size_t rsize;
   size_t buf_size;
   char *buf;
   struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr;
   int ret;
 
   ret = key_from_sexp (ne, key->sexp, "public-key", "ne");
   if (0 != ret)
     ret = key_from_sexp (ne, key->sexp, "rsa", "ne");
   if (0 != ret)
   {
     GNUNET_break (0);
     *buffer = NULL;
     return 0;
   }
   gcry_mpi_print (GCRYMPI_FMT_USG,
                   NULL,
                   0,
                   &n_size,
                   ne[0]);
   gcry_mpi_print (GCRYMPI_FMT_USG,
                   NULL,
                   0,
                   &e_size,
                   ne[1]);
   if ( (e_size > UINT16_MAX) ||
        (n_size > UINT16_MAX) )
   {
     GNUNET_break (0);
     *buffer = NULL;
     gcry_mpi_release (ne[0]);
     gcry_mpi_release (ne[1]);
     return 0;
   }
   buf_size = n_size + e_size + sizeof (hdr);
   buf = GNUNET_malloc (buf_size);
   hdr.modulus_length = htons ((uint16_t) n_size);
   hdr.public_exponent_length = htons ((uint16_t) e_size);
   memcpy (buf, &hdr, sizeof (hdr));
   GNUNET_assert (0 ==
                  gcry_mpi_print (GCRYMPI_FMT_USG,
                                  (unsigned char *) &buf[sizeof (hdr)],
                                  n_size,
                                  &rsize,
                                  ne[0]));
 
   GNUNET_assert (0 ==
                  gcry_mpi_print (GCRYMPI_FMT_USG,
                                  (unsigned char *) &buf[sizeof (hdr) + n_size],
                                  e_size,
                                  &rsize,
                                  ne[1]));
   *buffer = buf;
   gcry_mpi_release (ne[0]);
   gcry_mpi_release (ne[1]);
   return buf_size;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_hash()

void GNUNET_CRYPTO_rsa_public_key_hash	(	const struct GNUNET_CRYPTO_RsaPublicKey *	key,
		struct GNUNET_HashCode *	hc
	)

Compute hash over the public key.

Parameters

key	public key to hash
hc	where to store the hash code

Definition at line 419 of file crypto_rsa.c.

References buf, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_rsa_public_key_encode(), and GNUNET_free.

 {
   void *buf;
   size_t buf_size;
 
   buf_size = GNUNET_CRYPTO_rsa_public_key_encode (key,
                                                   &buf);
   GNUNET_CRYPTO_hash (buf,
                       buf_size,
                       hc);
   GNUNET_free (buf);
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_decode()

struct GNUNET_CRYPTO_RsaPublicKey* GNUNET_CRYPTO_rsa_public_key_decode	(	const char *	buf,
		size_t	len
	)

Decode the public key from the data-format back to the "normal", internal format.

Parameters

buf	the buffer where the public key data is stored
len	the length of the data in buf

Returns: NULL on error

Definition at line 443 of file crypto_rsa.c.

References data, e, GNUNET_break, GNUNET_break_op, GNUNET_new, key, GNUNET_CRYPTO_RsaPublicKeyHeaderP::modulus_length, GNUNET_CRYPTO_RsaPublicKeyHeaderP::public_exponent_length, and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by extract_rsa_pub(), extract_rsa_public_key(), parse_rsa_public_key(), and post_extract_rsa_public_key().

 {
   struct GNUNET_CRYPTO_RsaPublicKey *key;
   struct GNUNET_CRYPTO_RsaPublicKeyHeaderP hdr;
   size_t e_size;
   size_t n_size;
   gcry_mpi_t n;
   gcry_mpi_t e;
   gcry_sexp_t data;
 
   if (len < sizeof (hdr))
   {
     GNUNET_break_op (0);
     return NULL;
   }
   memcpy (&hdr, buf, sizeof (hdr));
   n_size = ntohs (hdr.modulus_length);
   e_size = ntohs (hdr.public_exponent_length);
   if (len != sizeof (hdr) + e_size + n_size)
   {
     GNUNET_break_op (0);
     return NULL;
   }
   if (0 !=
       gcry_mpi_scan (&n,
                      GCRYMPI_FMT_USG,
                      &buf[sizeof (hdr)],
                      n_size,
                      NULL))
   {
     GNUNET_break_op (0);
     return NULL;
   }
   if (0 !=
       gcry_mpi_scan (&e,
                      GCRYMPI_FMT_USG,
                      &buf[sizeof (hdr) + n_size],
                      e_size,
                      NULL))
   {
     GNUNET_break_op (0);
     gcry_mpi_release (n);
     return NULL;
   }
 
   if (0 !=
       gcry_sexp_build (&data,
                        NULL,
                        "(public-key(rsa(n %m)(e %m)))",
                        n,
                        e))
   {
     GNUNET_break (0);
     gcry_mpi_release (n);
     gcry_mpi_release (e);
     return NULL;
   }
   gcry_mpi_release (n);
   gcry_mpi_release (e);
   key = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
   key->sexp = data;
   return key;
 }

Here is the caller graph for this function:

◆ rsa_gcd_validate()

static int rsa_gcd_validate	(	gcry_mpi_t	r,
		gcry_mpi_t	n
	)

static

Test for malicious RSA key.

Assuming n is an RSA modulous and r is generated using a call to GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a malicious RSA key designed to deanomize the user.

Parameters

r	KDF result
n	RSA modulus

Returns: True if gcd(r,n) = 1, False means RSA key is malicious

Definition at line 521 of file crypto_rsa.c.

References t.

Referenced by rsa_blinding_key_derive(), and rsa_full_domain_hash().

 {
   gcry_mpi_t g;
   int t;
 
   g = gcry_mpi_new (0);
   t = gcry_mpi_gcd (g, r, n);
   gcry_mpi_release (g);
   return t;
 }

Here is the caller graph for this function:

◆ rsa_blinding_key_derive()

static struct RsaBlindingKey* rsa_blinding_key_derive	(	const struct GNUNET_CRYPTO_RsaPublicKey *	pkey,
		const struct GNUNET_CRYPTO_RsaBlindingKeySecret *	bks
	)

static

Create a blinding key.

Parameters

len	length of the key in bits (i.e. 2048)
bks	pre-secret to use to derive the blinding key

Returns: the newly created blinding key, NULL if RSA key is malicious

Definition at line 541 of file crypto_rsa.c.

References GNUNET_assert, GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_free, GNUNET_new, key_from_sexp(), RsaBlindingKey::r, rsa_gcd_validate(), and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by GNUNET_CRYPTO_rsa_blind(), and GNUNET_CRYPTO_rsa_unblind().

 {
   char *xts = "Blinding KDF extrator HMAC key";  /* Trusts bks' randomness more */
   struct RsaBlindingKey *blind;
   gcry_mpi_t n;
 
   blind = GNUNET_new (struct RsaBlindingKey);
   GNUNET_assert (NULL != blind);
 
   /* Extract the composite n from the RSA public key */
   GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
   /* Assert that it at least looks like an RSA key */
   GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
 
   GNUNET_CRYPTO_kdf_mod_mpi (&blind->r,
                              n,
                              xts, strlen (xts),
                              bks, sizeof(*bks),
                              "Blinding KDF");
   if (0 == rsa_gcd_validate (blind->r, n))
   {
     GNUNET_free (blind);
     blind = NULL;
   }
 
   gcry_mpi_release (n);
   return blind;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_signature_cmp()

int GNUNET_CRYPTO_rsa_signature_cmp	(	struct GNUNET_CRYPTO_RsaSignature *	s1,
		struct GNUNET_CRYPTO_RsaSignature *	s2
	)

Compare the values of two signatures.

Parameters

s1	one signature
s2	the other signature

Returns: 0 if the two are equal

Definition at line 623 of file crypto_rsa.c.

References GNUNET_CRYPTO_rsa_signature_encode(), GNUNET_free, and ret.

 {
   void *b1;
   void *b2;
   size_t z1;
   size_t z2;
   int ret;
 
   z1 = GNUNET_CRYPTO_rsa_signature_encode (s1,
                                            &b1);
   z2 = GNUNET_CRYPTO_rsa_signature_encode (s2,
                                            &b2);
   if (z1 != z2)
     ret = 1;
   else
     ret = memcmp (b1,
                   b2,
                   z1);
   GNUNET_free (b1);
   GNUNET_free (b2);
   return ret;
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_cmp()

int GNUNET_CRYPTO_rsa_public_key_cmp	(	struct GNUNET_CRYPTO_RsaPublicKey *	p1,
		struct GNUNET_CRYPTO_RsaPublicKey *	p2
	)

Compare the values of two public keys.

Parameters

p1	one public key
p2	the other public key

Returns: 0 if the two are equal

Definition at line 656 of file crypto_rsa.c.

References GNUNET_CRYPTO_rsa_public_key_encode(), GNUNET_free, and ret.

 {
   void *b1;
   void *b2;
   size_t z1;
   size_t z2;
   int ret;
 
   z1 = GNUNET_CRYPTO_rsa_public_key_encode (p1,
                                             &b1);
   z2 = GNUNET_CRYPTO_rsa_public_key_encode (p2,
                                             &b2);
   if (z1 != z2)
     ret = 1;
   else
     ret = memcmp (b1,
                   b2,
                   z1);
   GNUNET_free (b1);
   GNUNET_free (b2);
   return ret;
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_cmp()

int GNUNET_CRYPTO_rsa_private_key_cmp	(	struct GNUNET_CRYPTO_RsaPrivateKey *	p1,
		struct GNUNET_CRYPTO_RsaPrivateKey *	p2
	)

Compare the values of two private keys.

Parameters

p1	one private key
p2	the other private key

Returns: 0 if the two are equal

Definition at line 689 of file crypto_rsa.c.

References GNUNET_CRYPTO_rsa_private_key_encode(), GNUNET_free, and ret.

 {
   void *b1;
   void *b2;
   size_t z1;
   size_t z2;
   int ret;
 
   z1 = GNUNET_CRYPTO_rsa_private_key_encode (p1,
                                              &b1);
   z2 = GNUNET_CRYPTO_rsa_private_key_encode (p2,
                                              &b2);
   if (z1 != z2)
     ret = 1;
   else
     ret = memcmp (b1,
                   b2,
                   z1);
   GNUNET_free (b1);
   GNUNET_free (b2);
   return ret;
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_len()

unsigned int GNUNET_CRYPTO_rsa_public_key_len ( const struct GNUNET_CRYPTO_RsaPublicKey * key )

Obtain the length of the RSA key in bits.

Parameters

key	the public key to introspect

Returns: length of the key in bits

Definition at line 721 of file crypto_rsa.c.

References GNUNET_break, key_from_sexp(), and GNUNET_CRYPTO_RsaPublicKey::sexp.

 {
   gcry_mpi_t n;
   unsigned int rval;
 
   if (0 != key_from_sexp (&n, key->sexp, "rsa", "n"))
   {   /* Not an RSA public key */
     GNUNET_break (0);
     return 0;
   }
   rval = gcry_mpi_get_nbits (n);
   gcry_mpi_release (n);
   return rval;
 }

Here is the call graph for this function:

◆ rsa_blinding_key_free()

static void rsa_blinding_key_free ( struct RsaBlindingKey * bkey )

static

Destroy a blinding key.

Parameters

bkey	the blinding key to destroy

Definition at line 743 of file crypto_rsa.c.

References GNUNET_free, and RsaBlindingKey::r.

Referenced by GNUNET_CRYPTO_rsa_blind(), and GNUNET_CRYPTO_rsa_unblind().

 {
   gcry_mpi_release (bkey->r);
   GNUNET_free (bkey);
 }

Here is the caller graph for this function:

◆ numeric_mpi_alloc_n_print()

static size_t numeric_mpi_alloc_n_print	(	gcry_mpi_t	v,
		char **	buffer
	)

static

Print an MPI to a newly created buffer.

Parameters

	v	MPI to print.
[out]	newly	allocated buffer containing the result

Returns: number of bytes stored in buffer

Definition at line 758 of file crypto_rsa.c.

References testconfigure::b, GNUNET_assert, and GNUNET_malloc.

Referenced by GNUNET_CRYPTO_rsa_blind().

 {
   size_t n;
   char *b;
   size_t rsize;
 
   gcry_mpi_print (GCRYMPI_FMT_USG,
                   NULL,
                   0,
                   &n,
                   v);
   b = GNUNET_malloc (n);
   GNUNET_assert (0 ==
                  gcry_mpi_print (GCRYMPI_FMT_USG,
                                  (unsigned char *) b,
                                  n,
                                  &rsize,
                                  v));
   *buffer = b;
   return n;
 }

Here is the caller graph for this function:

◆ rsa_full_domain_hash()

static gcry_mpi_t rsa_full_domain_hash	(	const struct GNUNET_CRYPTO_RsaPublicKey *	pkey,
		const struct GNUNET_HashCode *	hash
	)

static

Computes a full domain hash seeded by the given public key.

This gives a measure of provable security to the Taler exchange against one-more forgery attacks. See: https://eprint.iacr.org/2001/002.pdf http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf

Parameters

hash	initial hash of the message to sign
pkey	the public key of the signer
rsize	If not NULL, the number of bytes actually stored in buffer

Returns: MPI value set to the FDH, NULL if RSA key is malicious

Definition at line 795 of file crypto_rsa.c.

References GNUNET_assert, GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_CRYPTO_rsa_public_key_encode(), GNUNET_free, key_from_sexp(), ok, RsaBlindingKey::r, rsa_gcd_validate(), and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by GNUNET_CRYPTO_rsa_blind(), GNUNET_CRYPTO_rsa_sign_fdh(), and GNUNET_CRYPTO_rsa_verify().

 {
   gcry_mpi_t r, n;
   void *xts;
   size_t xts_len;
   int ok;
 
   /* Extract the composite n from the RSA public key */
   GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
   /* Assert that it at least looks like an RSA key */
   GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
 
   /* We key with the public denomination key as a homage to RSA-PSS by  *
   * Mihir Bellare and Phillip Rogaway.  Doing this lowers the degree   *
   * of the hypothetical polyomial-time attack on RSA-KTI created by a  *
   * polynomial-time one-more forgary attack.  Yey seeding!             */
   xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey, &xts);
 
   GNUNET_CRYPTO_kdf_mod_mpi (&r,
                              n,
                              xts, xts_len,
                              hash, sizeof(*hash),
                              "RSA-FDA FTpsW!");
   GNUNET_free (xts);
 
   ok = rsa_gcd_validate (r, n);
   gcry_mpi_release (n);
   if (ok)
     return r;
   gcry_mpi_release (r);
   return NULL;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_blind()

int GNUNET_CRYPTO_rsa_blind	(	const struct GNUNET_HashCode *	hash,
		const struct GNUNET_CRYPTO_RsaBlindingKeySecret *	bks,
		struct GNUNET_CRYPTO_RsaPublicKey *	pkey,
		void **	buf,
		size_t *	buf_size
	)

Blinds the given message with the given blinding key.

Parameters

	hash	hash of the message to sign
	bkey	the blinding key
	pkey	the public key of the signer
[out]	buf	set to a buffer with the blinded message to be signed
[out]	buf_size	number of bytes stored in buf

Returns: GNUNET_YES if successful, GNUNET_NO if RSA key is malicious

Definition at line 841 of file crypto_rsa.c.

References BENCHMARK_END, BENCHMARK_START, data, GNUNET_assert, GNUNET_break, GNUNET_NO, GNUNET_YES, key_from_sexp(), numeric_mpi_alloc_n_print(), RsaBlindingKey::r, ret, rsa_blinding_key_derive(), rsa_blinding_key_free(), rsa_full_domain_hash(), and GNUNET_CRYPTO_RsaPublicKey::sexp.

Referenced by run().

 {
   struct RsaBlindingKey *bkey;
   gcry_mpi_t data;
   gcry_mpi_t ne[2];
   gcry_mpi_t r_e;
   gcry_mpi_t data_r_e;
   int ret;
 
   BENCHMARK_START (rsa_blind);
 
   GNUNET_assert (buf != NULL);
   GNUNET_assert (buf_size != NULL);
   ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne");
   if (0 != ret)
     ret = key_from_sexp (ne, pkey->sexp, "rsa", "ne");
   if (0 != ret)
   {
     GNUNET_break (0);
     *buf = NULL;
     *buf_size = 0;
     return 0;
   }
 
   data = rsa_full_domain_hash (pkey, hash);
   if (NULL == data)
     goto rsa_gcd_validate_failure;
 
   bkey = rsa_blinding_key_derive (pkey, bks);
   if (NULL == bkey)
   {
     gcry_mpi_release (data);
     goto rsa_gcd_validate_failure;
   }
 
   r_e = gcry_mpi_new (0);
   gcry_mpi_powm (r_e,
                  bkey->r,
                  ne[1],
                  ne[0]);
   data_r_e = gcry_mpi_new (0);
   gcry_mpi_mulm (data_r_e,
                  data,
                  r_e,
                  ne[0]);
   gcry_mpi_release (data);
   gcry_mpi_release (ne[0]);
   gcry_mpi_release (ne[1]);
   gcry_mpi_release (r_e);
   rsa_blinding_key_free (bkey);
 
   *buf_size = numeric_mpi_alloc_n_print (data_r_e,
                                          (char **) buf);
   gcry_mpi_release (data_r_e);
 
   BENCHMARK_END (rsa_blind);
 
   return GNUNET_YES;
 
 rsa_gcd_validate_failure:
   /* We know the RSA key is malicious here, so warn the wallet. */
   /* GNUNET_break_op (0); */
   gcry_mpi_release (ne[0]);
   gcry_mpi_release (ne[1]);
   *buf = NULL;
   *buf_size = 0;
   return GNUNET_NO;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ mpi_to_sexp()

static gcry_sexp_t mpi_to_sexp ( gcry_mpi_t value )

static

Convert an MPI to an S-expression suitable for signature operations.

Parameters

value pointer to the data to convert

Returns: converted s-expression

Definition at line 922 of file crypto_rsa.c.

References data, and GNUNET_assert.

Referenced by GNUNET_CRYPTO_rsa_verify(), and rsa_sign_mpi().

 {
   gcry_sexp_t data = NULL;
 
   GNUNET_assert (0 ==
                  gcry_sexp_build (&data,
                                   NULL,
                                   "(data (flags raw) (value %M))",
                                   value));
   return data;
 }

Here is the caller graph for this function:

◆ rsa_sign_mpi()

static struct GNUNET_CRYPTO_RsaSignature* rsa_sign_mpi	(	const struct GNUNET_CRYPTO_RsaPrivateKey *	key,
		gcry_mpi_t	value
	)

static

Sign the given MPI.

Parameters

key	private key to use for the signing
value	the MPI to sign

Returns: NULL on error, signature on success

Definition at line 943 of file crypto_rsa.c.

References _, data, GNUNET_break, GNUNET_CRYPTO_rsa_private_key_get_public(), GNUNET_CRYPTO_rsa_public_key_free(), GNUNET_ERROR_TYPE_WARNING, GNUNET_new, LOG, mpi_to_sexp(), result, GNUNET_CRYPTO_RsaPrivateKey::sexp, GNUNET_CRYPTO_RsaPublicKey::sexp, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by GNUNET_CRYPTO_rsa_sign_blinded(), and GNUNET_CRYPTO_rsa_sign_fdh().

 {
   struct GNUNET_CRYPTO_RsaSignature *sig;
   gcry_sexp_t data;
   gcry_sexp_t result;
   int rc;
 
   data = mpi_to_sexp (value);
 
   if (0 !=
       (rc = gcry_pk_sign (&result,
                           data,
                           key->sexp)))
   {
     LOG (GNUNET_ERROR_TYPE_WARNING,
          _ ("RSA signing failed at %s:%d: %s\n"),
          __FILE__,
          __LINE__,
          gcry_strerror (rc));
     GNUNET_break (0);
     return NULL;
   }
 
   /* Lenstra protection was first added to libgcrypt 1.6.4
    * with commit c17f84bd02d7ee93845e92e20f6ddba814961588.
    */
 #if GCRYPT_VERSION_NUMBER < 0x010604
   /* verify signature (guards against Lenstra's attack with fault injection...) */
   struct GNUNET_CRYPTO_RsaPublicKey *public_key =
     GNUNET_CRYPTO_rsa_private_key_get_public (key);
   if (0 !=
       gcry_pk_verify (result,
                       data,
                       public_key->sexp))
   {
     GNUNET_break (0);
     GNUNET_CRYPTO_rsa_public_key_free (public_key);
     gcry_sexp_release (data);
     gcry_sexp_release (result);
     return NULL;
   }
   GNUNET_CRYPTO_rsa_public_key_free (public_key);
 #endif
 
   /* return signature */
   gcry_sexp_release (data);
   sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
   sig->sexp = result;
   return sig;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_sign_blinded()

struct GNUNET_CRYPTO_RsaSignature* GNUNET_CRYPTO_rsa_sign_blinded	(	const struct GNUNET_CRYPTO_RsaPrivateKey *	key,
		const void *	msg,
		size_t	msg_len
	)

Sign a blinded value, which must be a full domain hash of a message.

Parameters

key	private key to use for the signing
msg	the message to sign
msg_len	number of bytes in msg to sign

Returns: NULL on error, signature on success

Definition at line 1005 of file crypto_rsa.c.

References BENCHMARK_END, BENCHMARK_START, GNUNET_assert, and rsa_sign_mpi().

Referenced by run().

 {
   gcry_mpi_t v = NULL;
   struct GNUNET_CRYPTO_RsaSignature *sig;
 
   BENCHMARK_START (rsa_sign_blinded);
 
   GNUNET_assert (0 ==
                  gcry_mpi_scan (&v,
                                 GCRYMPI_FMT_USG,
                                 msg,
                                 msg_len,
                                 NULL));
 
   sig = rsa_sign_mpi (key, v);
   gcry_mpi_release (v);
   BENCHMARK_END (rsa_sign_blinded);
   return sig;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_sign_fdh()

struct GNUNET_CRYPTO_RsaSignature* GNUNET_CRYPTO_rsa_sign_fdh	(	const struct GNUNET_CRYPTO_RsaPrivateKey *	key,
		const struct GNUNET_HashCode *	hash
	)

Create and sign a full domain hash of a message.

Parameters

key	private key to use for the signing
hash	the hash of the message to sign

Returns: NULL on error, including a malicious RSA key, signature on success

Definition at line 1036 of file crypto_rsa.c.

References GNUNET_CRYPTO_rsa_private_key_get_public(), GNUNET_CRYPTO_rsa_public_key_free(), pkey, rsa_full_domain_hash(), and rsa_sign_mpi().

 {
   struct GNUNET_CRYPTO_RsaPublicKey *pkey;
   gcry_mpi_t v = NULL;
   struct GNUNET_CRYPTO_RsaSignature *sig;
 
   pkey = GNUNET_CRYPTO_rsa_private_key_get_public (key);
   v = rsa_full_domain_hash (pkey, hash);
   GNUNET_CRYPTO_rsa_public_key_free (pkey);
   if (NULL == v)   /* rsa_gcd_validate failed meaning */
     return NULL;   /* our *own* RSA key is malicious. */
 
   sig = rsa_sign_mpi (key, v);
   gcry_mpi_release (v);
   return sig;
 }

Here is the call graph for this function:

◆ GNUNET_CRYPTO_rsa_signature_free()

void GNUNET_CRYPTO_rsa_signature_free ( struct GNUNET_CRYPTO_RsaSignature * sig )

Free memory occupied by signature.

Parameters

sig	memory to freee

Definition at line 1061 of file crypto_rsa.c.

References GNUNET_free, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by clean_rsa_sig(), clean_rsa_signature(), and run().

 {
   gcry_sexp_release (sig->sexp);
   GNUNET_free (sig);
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_signature_encode()

size_t GNUNET_CRYPTO_rsa_signature_encode	(	const struct GNUNET_CRYPTO_RsaSignature *	sig,
		void **	buffer
	)

Encode the given signature in a format suitable for storing it into a file.

Parameters

	sig	the signature
[out]	buffer	set to a buffer with the encoded key

Returns: size of memory allocated in buffer

Definition at line 1076 of file crypto_rsa.c.

References buf, GNUNET_assert, GNUNET_malloc, key_from_sexp(), ret, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by bind_rsa_sig(), GNUNET_CRYPTO_rsa_signature_cmp(), GNUNET_JSON_from_rsa_signature(), my_conv_rsa_signature(), qconv_rsa_signature(), and run().

 {
   gcry_mpi_t s;
   size_t buf_size;
   size_t rsize;
   unsigned char *buf;
   int ret;
 
   ret = key_from_sexp (&s,
                        sig->sexp,
                        "sig-val",
                        "s");
   if (0 != ret)
     ret = key_from_sexp (&s,
                          sig->sexp,
                          "rsa",
                          "s");
   GNUNET_assert (0 == ret);
   gcry_mpi_print (GCRYMPI_FMT_USG,
                   NULL,
                   0,
                   &buf_size,
                   s);
   buf = GNUNET_malloc (buf_size);
   GNUNET_assert (0 ==
                  gcry_mpi_print (GCRYMPI_FMT_USG,
                                  buf,
                                  buf_size,
                                  &rsize,
                                  s));
   GNUNET_assert (rsize == buf_size);
   *buffer = (void *) buf;
   gcry_mpi_release (s);
   return buf_size;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_signature_decode()

struct GNUNET_CRYPTO_RsaSignature* GNUNET_CRYPTO_rsa_signature_decode	(	const void *	buf,
		size_t	buf_size
	)

Decode the signature from the data-format back to the "normal", internal format.

Parameters

buf	the buffer where the public key data is stored
buf_size	the size of the data in buf

Returns: NULL on error

Definition at line 1124 of file crypto_rsa.c.

References data, GNUNET_break, GNUNET_break_op, GNUNET_new, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by extract_rsa_sig(), extract_rsa_signature(), parse_rsa_signature(), and post_extract_rsa_signature().

 {
   struct GNUNET_CRYPTO_RsaSignature *sig;
   gcry_mpi_t s;
   gcry_sexp_t data;
 
   if (0 !=
       gcry_mpi_scan (&s,
                      GCRYMPI_FMT_USG,
                      buf,
                      buf_size,
                      NULL))
   {
     GNUNET_break_op (0);
     return NULL;
   }
 
   if (0 !=
       gcry_sexp_build (&data,
                        NULL,
                        "(sig-val(rsa(s %M)))",
                        s))
   {
     GNUNET_break (0);
     gcry_mpi_release (s);
     return NULL;
   }
   gcry_mpi_release (s);
   sig = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
   sig->sexp = data;
   return sig;
 }

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_public_key_dup()

struct GNUNET_CRYPTO_RsaPublicKey* GNUNET_CRYPTO_rsa_public_key_dup ( const struct GNUNET_CRYPTO_RsaPublicKey * key )

Duplicate the given public key.

Parameters

key	the public key to duplicate

Returns: the duplicate key; NULL upon error

Definition at line 1166 of file crypto_rsa.c.

References GNUNET_assert, GNUNET_new, and GNUNET_CRYPTO_RsaPublicKey::sexp.

 {
   struct GNUNET_CRYPTO_RsaPublicKey *dup;
   gcry_sexp_t dup_sexp;
   size_t erroff;
 
   /* check if we really are exporting a public key */
   dup_sexp = gcry_sexp_find_token (key->sexp, "public-key", 0);
   GNUNET_assert (NULL != dup_sexp);
   gcry_sexp_release (dup_sexp);
   /* copy the sexp */
   GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
   dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPublicKey);
   dup->sexp = dup_sexp;
   return dup;
 }

◆ GNUNET_CRYPTO_rsa_unblind()

struct GNUNET_CRYPTO_RsaSignature* GNUNET_CRYPTO_rsa_unblind	(	const struct GNUNET_CRYPTO_RsaSignature *	sig,
		const struct GNUNET_CRYPTO_RsaBlindingKeySecret *	bks,
		struct GNUNET_CRYPTO_RsaPublicKey *	pkey
	)

Unblind a blind-signed signature.

The signature should have been generated with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with GNUNET_CRYPTO_rsa_blind().

Parameters

sig	the signature made on the blinded signature purpose
bks	the blinding key secret used to blind the signature purpose
pkey	the public key of the signer

Returns: unblinded signature on success, NULL if RSA key is bad or malicious.

Definition at line 1195 of file crypto_rsa.c.

References BENCHMARK_END, BENCHMARK_START, GNUNET_assert, GNUNET_break_op, GNUNET_new, key_from_sexp(), RsaBlindingKey::r, ret, rsa_blinding_key_derive(), rsa_blinding_key_free(), GNUNET_CRYPTO_RsaPublicKey::sexp, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by run().

 {
   struct RsaBlindingKey *bkey;
   gcry_mpi_t n;
   gcry_mpi_t s;
   gcry_mpi_t r_inv;
   gcry_mpi_t ubsig;
   int ret;
   struct GNUNET_CRYPTO_RsaSignature *sret;
 
   BENCHMARK_START (rsa_unblind);
 
   ret = key_from_sexp (&n, pkey->sexp, "public-key", "n");
   if (0 != ret)
     ret = key_from_sexp (&n, pkey->sexp, "rsa", "n");
   if (0 != ret)
   {
     GNUNET_break_op (0);
     return NULL;
   }
   ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
   if (0 != ret)
     ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
   if (0 != ret)
   {
     gcry_mpi_release (n);
     GNUNET_break_op (0);
     return NULL;
   }
 
   bkey = rsa_blinding_key_derive (pkey, bks);
   if (NULL == bkey)
   {
     /* RSA key is malicious since rsa_gcd_validate failed here.
      * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
      * so the exchange is being malicious in an unfamilair way, maybe
      * just trying to crash us.  */
     GNUNET_break_op (0);
     gcry_mpi_release (n);
     gcry_mpi_release (s);
     return NULL;
   }
 
   r_inv = gcry_mpi_new (0);
   if (1 !=
       gcry_mpi_invm (r_inv,
                      bkey->r,
                      n))
   {
     /* We cannot find r mod n, so gcd(r,n) != 1, which should get *
     * caught above, but we handle it the same here.              */
     GNUNET_break_op (0);
     gcry_mpi_release (r_inv);
     rsa_blinding_key_free (bkey);
     gcry_mpi_release (n);
     gcry_mpi_release (s);
     return NULL;
   }
 
   ubsig = gcry_mpi_new (0);
   gcry_mpi_mulm (ubsig, s, r_inv, n);
   gcry_mpi_release (n);
   gcry_mpi_release (r_inv);
   gcry_mpi_release (s);
   rsa_blinding_key_free (bkey);
 
   sret = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
   GNUNET_assert (0 ==
                  gcry_sexp_build (&sret->sexp,
                                   NULL,
                                   "(sig-val (rsa (s %M)))",
                                   ubsig));
   gcry_mpi_release (ubsig);
   BENCHMARK_END (rsa_unblind);
   return sret;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_verify()

int GNUNET_CRYPTO_rsa_verify	(	const struct GNUNET_HashCode *	hash,
		const struct GNUNET_CRYPTO_RsaSignature *	sig,
		const struct GNUNET_CRYPTO_RsaPublicKey *	pkey
	)

Verify whether the given hash corresponds to the given signature and the signature is valid with respect to the given public key.

Parameters

hash	hash of the message to verify to match the sig
sig	signature that is being validated
pkey	public key of the signer

Returns: GNUNET_YES if ok, GNUNET_NO if RSA key is malicious, GNUNET_SYSERR if signature is invalid

Definition at line 1285 of file crypto_rsa.c.

References _, BENCHMARK_END, BENCHMARK_START, data, GNUNET_break_op, GNUNET_ERROR_TYPE_WARNING, GNUNET_NO, GNUNET_OK, GNUNET_SYSERR, LOG, mpi_to_sexp(), rsa_full_domain_hash(), GNUNET_CRYPTO_RsaPublicKey::sexp, and GNUNET_CRYPTO_RsaSignature::sexp.

Referenced by run().

 {
   gcry_sexp_t data;
   gcry_mpi_t r;
   int rc;
 
   BENCHMARK_START (rsa_verify);
 
   r = rsa_full_domain_hash (pkey, hash);
   if (NULL == r)
   {
     GNUNET_break_op (0);
     /* RSA key is malicious since rsa_gcd_validate failed here.
      * It should have failed during GNUNET_CRYPTO_rsa_blind too though,
      * so the exchange is being malicious in an unfamilair way, maybe
      * just trying to crash us.  Arguably, we've only an internal error
      * though because we should've detected this in our previous call
      * to GNUNET_CRYPTO_rsa_unblind. */return GNUNET_NO;
   }
 
   data = mpi_to_sexp (r);
   gcry_mpi_release (r);
 
   rc = gcry_pk_verify (sig->sexp,
                        data,
                        pkey->sexp);
   gcry_sexp_release (data);
   if (0 != rc)
   {
     LOG (GNUNET_ERROR_TYPE_WARNING,
          _ ("RSA signature verification failed at %s:%d: %s\n"),
          __FILE__,
          __LINE__,
          gcry_strerror (rc));
     return GNUNET_SYSERR;
     BENCHMARK_END (rsa_verify);
   }
   BENCHMARK_END (rsa_verify);
   return GNUNET_OK;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_rsa_private_key_dup()

struct GNUNET_CRYPTO_RsaPrivateKey* GNUNET_CRYPTO_rsa_private_key_dup ( const struct GNUNET_CRYPTO_RsaPrivateKey * key )

Duplicate the given private key.

Parameters

key	the private key to duplicate

Returns: the duplicate key; NULL upon error

Definition at line 1336 of file crypto_rsa.c.

References GNUNET_assert, GNUNET_new, and GNUNET_CRYPTO_RsaPrivateKey::sexp.

 {
   struct GNUNET_CRYPTO_RsaPrivateKey *dup;
   gcry_sexp_t dup_sexp;
   size_t erroff;
 
   /* check if we really are exporting a private key */
   dup_sexp = gcry_sexp_find_token (key->sexp, "private-key", 0);
   GNUNET_assert (NULL != dup_sexp);
   gcry_sexp_release (dup_sexp);
   /* copy the sexp */
   GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", key->sexp));
   dup = GNUNET_new (struct GNUNET_CRYPTO_RsaPrivateKey);
   dup->sexp = dup_sexp;
   return dup;
 }

◆ GNUNET_CRYPTO_rsa_signature_dup()

struct GNUNET_CRYPTO_RsaSignature* GNUNET_CRYPTO_rsa_signature_dup ( const struct GNUNET_CRYPTO_RsaSignature * sig )

Duplicate the given private key.

Duplicate the given rsa signature.

Parameters

key	the private key to duplicate

Returns: the duplicate key; NULL upon error

Definition at line 1362 of file crypto_rsa.c.

References GNUNET_assert, GNUNET_new, key_from_sexp(), ret, and GNUNET_CRYPTO_RsaSignature::sexp.

 {
   struct GNUNET_CRYPTO_RsaSignature *dup;
   gcry_sexp_t dup_sexp;
   size_t erroff;
   gcry_mpi_t s;
   int ret;
 
   /* verify that this is an RSA signature */
   ret = key_from_sexp (&s, sig->sexp, "sig-val", "s");
   if (0 != ret)
     ret = key_from_sexp (&s, sig->sexp, "rsa", "s");
   GNUNET_assert (0 == ret);
   gcry_mpi_release (s);
   /* copy the sexp */
   GNUNET_assert (0 == gcry_sexp_build (&dup_sexp, &erroff, "%S", sig->sexp));
   dup = GNUNET_new (struct GNUNET_CRYPTO_RsaSignature);
   dup->sexp = dup_sexp;
   return dup;
 }

Here is the call graph for this function:

Data Structures

Macros

Functions

Detailed Description

Macro Definition Documentation

◆ LOG

Function Documentation

◆ key_from_sexp()

◆ GNUNET_CRYPTO_rsa_private_key_create()

◆ GNUNET_CRYPTO_rsa_private_key_free()

◆ GNUNET_CRYPTO_rsa_private_key_encode()

◆ GNUNET_CRYPTO_rsa_private_key_decode()

◆ GNUNET_CRYPTO_rsa_private_key_get_public()

◆ GNUNET_CRYPTO_rsa_public_key_free()

◆ GNUNET_CRYPTO_rsa_public_key_encode()

◆ GNUNET_CRYPTO_rsa_public_key_hash()

◆ GNUNET_CRYPTO_rsa_public_key_decode()

◆ rsa_gcd_validate()

◆ rsa_blinding_key_derive()

◆ GNUNET_CRYPTO_rsa_signature_cmp()

◆ GNUNET_CRYPTO_rsa_public_key_cmp()

◆ GNUNET_CRYPTO_rsa_private_key_cmp()

◆ GNUNET_CRYPTO_rsa_public_key_len()

◆ rsa_blinding_key_free()

◆ numeric_mpi_alloc_n_print()

◆ rsa_full_domain_hash()

◆ GNUNET_CRYPTO_rsa_blind()

◆ mpi_to_sexp()

◆ rsa_sign_mpi()

◆ GNUNET_CRYPTO_rsa_sign_blinded()

◆ GNUNET_CRYPTO_rsa_sign_fdh()

◆ GNUNET_CRYPTO_rsa_signature_free()

◆ GNUNET_CRYPTO_rsa_signature_encode()

◆ GNUNET_CRYPTO_rsa_signature_decode()

◆ GNUNET_CRYPTO_rsa_public_key_dup()

◆ GNUNET_CRYPTO_rsa_unblind()

◆ GNUNET_CRYPTO_rsa_verify()

◆ GNUNET_CRYPTO_rsa_private_key_dup()

◆ GNUNET_CRYPTO_rsa_signature_dup()