commit 9a9c588a64521d1350e18b654f08783b5567b50a
parent 198cc94844665c2ffbe3fcb5ea848e6d1e8334d4
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Thu, 19 Oct 2023 21:40:09 +0200
new blind signing logic
Diffstat:
9 files changed, 811 insertions(+), 178 deletions(-)
diff --git a/po/POTFILES.in b/po/POTFILES.in
@@ -156,6 +156,7 @@ src/lib/util/container_multihashmap32.c
src/lib/util/container_multipeermap.c
src/lib/util/container_multishortmap.c
src/lib/util/container_multiuuidmap.c
+src/lib/util/crypto_blind_sign.c
src/lib/util/crypto_crc.c
src/lib/util/crypto_cs.c
src/lib/util/crypto_ecc.c
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
@@ -2963,12 +2963,14 @@ GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
* Create and sign a full domain hash of a message.
*
* @param key private key to use for the signing
- * @param hash the hash of the message to sign
+ * @param message the message to sign
+ * @param message_size number of bytes in @a message
* @return NULL on error, including a malicious RSA key, signature on success
*/
struct GNUNET_CRYPTO_RsaSignature *
GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
- const struct GNUNET_HashCode *hash);
+ const void *message,
+ size_t message_size);
/**
diff --git a/src/lib/util/Makefile.am b/src/lib/util/Makefile.am
@@ -52,7 +52,7 @@ libgnunetutil_la_SOURCES = \
container_multiuuidmap.c \
container_multipeermap.c \
container_multihashmap32.c \
- crypto_symmetric.c \
+ crypto_blind_sign.c \
crypto_crc.c \
crypto_cs.c \
crypto_ecc.c \
@@ -70,6 +70,7 @@ libgnunetutil_la_SOURCES = \
crypto_pow.c \
crypto_random.c \
crypto_rsa.c \
+ crypto_symmetric.c \
disk.c \
disk.h \
dnsparser.c \
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
@@ -0,0 +1,575 @@
+/*
+ This file is part of GNUNET
+ Copyright (C) 2021, 2022, 2023 GNUnet e.V.
+
+ GNUNET is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ GNUNET is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ GNUNET; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file crypto_blind_sign.c
+ * @brief blind signatures (abstraction over RSA or CS)
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+
+void
+GNUNET_CRYPTO_blind_sign_priv_decref (struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
+{
+ GNUNET_assert (bsign_priv->rc > 0);
+ bsign_priv->rc--;
+ if (0 != bsign_priv->rc)
+ return;
+ switch (bsign_priv->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ break;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (NULL != bsign_priv->details.rsa_private_key)
+ {
+ GNUNET_CRYPTO_rsa_private_key_free (bsign_priv->details.rsa_private_key);
+ bsign_priv->details.rsa_private_key = NULL;
+ }
+ bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ case GNUNET_CRYPTO_BSA_CS:
+ bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ }
+ GNUNET_free (bsign_priv);
+}
+
+
+void
+GNUNET_CRYPTO_blind_sign_pub_decref (struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+ GNUNET_assert (bsign_pub->rc > 0);
+ bsign_pub->rc--;
+ if (0 != bsign_pub->rc)
+ return;
+ switch (bsign_pub->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ break;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (NULL != bsign_pub->details.rsa_public_key)
+ {
+ GNUNET_CRYPTO_rsa_public_key_free (bsign_pub->details.rsa_public_key);
+ bsign_pub->details.rsa_public_key = NULL;
+ }
+ bsign_pub->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ case GNUNET_CRYPTO_BSA_CS:
+ break;
+ }
+ GNUNET_free (bsign_pub);
+}
+
+
+void
+GNUNET_CRYPTO_unblinded_sig_decref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+ GNUNET_assert (ub_sig->rc > 0);
+ ub_sig->rc--;
+ if (0 != ub_sig->rc)
+ return;
+ switch (ub_sig->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ break;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (NULL != ub_sig->details.rsa_signature)
+ {
+ GNUNET_CRYPTO_rsa_signature_free (ub_sig->details.rsa_signature);
+ ub_sig->details.rsa_signature = NULL;
+ }
+ ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ case GNUNET_CRYPTO_BSA_CS:
+ ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ return;
+ }
+ GNUNET_free (ub_sig);
+}
+
+
+void
+GNUNET_CRYPTO_blinded_sig_decref (
+ struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+ GNUNET_assert (blind_sig->rc > 0);
+ blind_sig->rc--;
+ if (0 != blind_sig->rc)
+ return;
+ switch (blind_sig->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ break;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (NULL != blind_sig->details.blinded_rsa_signature)
+ {
+ GNUNET_CRYPTO_rsa_signature_free (
+ blind_sig->details.blinded_rsa_signature);
+ blind_sig->details.blinded_rsa_signature = NULL;
+ }
+ blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ case GNUNET_CRYPTO_BSA_CS:
+ blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+ break;
+ }
+ GNUNET_free (blind_sig);
+}
+
+
+struct GNUNET_CRYPTO_BlindSignPublicKey *
+GNUNET_CRYPTO_bsign_pub_incref (struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+ bsign_pub->rc++;
+ return bsign_pub;
+}
+
+
+struct GNUNET_CRYPTO_BlindSignPrivateKey *
+GNUNET_CRYPTO_bsign_priv_incref (struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
+{
+ bsign_priv->rc++;
+ return bsign_priv;
+}
+
+
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+ ub_sig->rc++;
+ return ub_sig;
+}
+
+
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sig_incref (
+ struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+ blind_sig->rc++;
+ return blind_sig;
+}
+
+
+int
+GNUNET_CRYPTO_bsign_pub_cmp (
+ const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
+ const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2)
+{
+ if (bp1->cipher != bp2->cipher)
+ return (bp1->cipher > bp2->cipher) ? 1 : -1;
+ switch (bp1->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ return 0;
+ case GNUNET_CRYPTO_BSA_RSA:
+ return GNUNET_memcmp (&bp1->pub_key_hash,
+ &bp2->pub_key_hash);
+ case GNUNET_CRYPTO_BSA_CS:
+ return GNUNET_memcmp (&bp1->pub_key_hash,
+ &bp2->pub_key_hash);
+ }
+ GNUNET_assert (0);
+ return -2;
+}
+
+
+int
+GNUNET_CRYPTO_ub_sig_cmp (
+ const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
+ const struct GNUNET_CRYPTO_UnblindedSignature *sig2)
+{
+ if (sig1->cipher != sig2->cipher)
+ return (sig1->cipher > sig2->cipher) ? 1 : -1;
+ switch (sig1->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ return 0;
+ case GNUNET_CRYPTO_BSA_RSA:
+ return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.rsa_signature,
+ sig2->details.rsa_signature);
+ case GNUNET_CRYPTO_BSA_CS:
+ return GNUNET_memcmp (&sig1->details.cs_signature,
+ &sig2->details.cs_signature);
+ }
+ GNUNET_assert (0);
+ return -2;
+}
+
+
+int
+GNUNET_blind_sig_cmp (
+ const struct GNUNET_CRYPTO_BlindedSignature *sig1,
+ const struct GNUNET_CRYPTO_BlindedSignature *sig2)
+{
+ if (sig1->cipher != sig2->cipher)
+ return (sig1->cipher > sig2->cipher) ? 1 : -1;
+ switch (sig1->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ return 0;
+ case GNUNET_CRYPTO_BSA_RSA:
+ return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.blinded_rsa_signature,
+ sig2->details.blinded_rsa_signature);
+ case GNUNET_CRYPTO_BSA_CS:
+ return GNUNET_memcmp (&sig1->details.blinded_cs_answer,
+ &sig2->details.blinded_cs_answer);
+ }
+ GNUNET_assert (0);
+ return -2;
+}
+
+
+int
+GNUNET_CRYPTO_blinded_message_cmp (
+ const struct GNUNET_CRYPTO_BlindedMessage *bp1,
+ const struct GNUNET_CRYPTO_BlindedMessage *bp2)
+{
+ if (bp1->cipher != bp2->cipher)
+ return (bp1->cipher > bp2->cipher) ? 1 : -1;
+ switch (bp1->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ return 0;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (bp1->details.rsa_blinded_message.blinded_msg_size !=
+ bp2->details.rsa_blinded_message.blinded_msg_size)
+ return (bp1->details.rsa_blinded_message.blinded_msg_size >
+ bp2->details.rsa_blinded_message.blinded_msg_size) ? 1 : -1;
+ return memcmp (bp1->details.rsa_blinded_message.blinded_msg,
+ bp2->details.rsa_blinded_message.blinded_msg,
+ bp1->details.rsa_blinded_message.blinded_msg_size);
+ case GNUNET_CRYPTO_BSA_CS:
+ return GNUNET_memcmp (&bp1->details.cs_blinded_message,
+ &bp2->details.cs_blinded_message);
+ }
+ GNUNET_assert (0);
+ return -2;
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create (
+ struct GNUNET_CRYPTO_BlindSignPrivateKey **denom_priv,
+ struct GNUNET_CRYPTO_BlindSignPublicKey **denom_pub,
+ enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+ ...)
+{
+ struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
+ struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
+
+ priv = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPrivateKey);
+ priv->rc = 1;
+ priv->cipher = cipher;
+ pub = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPublicKey);
+ pub->rc = 1;
+ pub->cipher = cipher;
+ switch (cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ break;
+ case GNUNET_CRYPTO_BSA_RSA:
+ {
+ va_list ap;
+ unsigned int bits;
+
+ va_start (ap,
+ cipher);
+ bits = va_arg (ap,
+ unsigned int);
+ va_end (ap);
+ if (bits < 512)
+ {
+ GNUNET_break (0);
+ break;
+ }
+ priv->details.rsa_private_key
+ = GNUNET_CRYPTO_rsa_private_key_create (bits);
+ }
+ if (NULL == priv->details.rsa_private_key)
+ {
+ GNUNET_break (0);
+ break;
+ }
+ pub->details.rsa_public_key
+ = GNUNET_CRYPTO_rsa_private_key_get_public (
+ priv->details.rsa_private_key);
+ GNUNET_CRYPTO_rsa_public_key_hash (pub->details.rsa_public_key,
+ &pub->pub_key_hash);
+ return GNUNET_OK;
+ case GNUNET_CRYPTO_BSA_CS:
+ GNUNET_CRYPTO_cs_private_key_generate (&priv->details.cs_private_key);
+ GNUNET_CRYPTO_cs_private_key_get_public (
+ &priv->details.cs_private_key,
+ &pub->details.cs_public_key);
+ GNUNET_CRYPTO_hash (&pub->details.cs_public_key,
+ sizeof(pub->details.cs_public_key),
+ &pub->pub_key_hash);
+ return GNUNET_OK;
+ }
+ GNUNET_free (priv);
+ GNUNET_free (pub);
+ *denom_priv = NULL;
+ *denom_pub = NULL;
+ return GNUNET_SYSERR;
+}
+
+
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_message_blind_to_sign (
+ const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+ const union GNUNET_CRYPTO_BlindingSecretP *bks,
+ const void *message,
+ size_t message_size,
+ const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
+{
+ struct GNUNET_CRYPTO_BlindedMessage *bm;
+
+ bm = GNUNET_new (struct GNUNET_CRYPTO_BlindedMessage);
+ bm->cipher = bsign_pub->cipher;
+ bm->rc = 1;
+ switch (bsign_pub->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ GNUNET_free (bm);
+ return NULL;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (GNUNET_YES !=
+ GNUNET_CRYPTO_rsa_blind (
+ message,
+ message_size,
+ &bks->rsa_bks,
+ bsign_pub->details.rsa_public_key,
+ &bm->details.rsa_blinded_message))
+ {
+ GNUNET_break (0);
+ GNUNET_free (bm);
+ return NULL;
+ }
+ return bm;
+ case GNUNET_CRYPTO_BSA_CS:
+ {
+ struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
+ struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+
+ GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+ bs);
+ GNUNET_CRYPTO_cs_calc_blinded_c (
+ bs,
+ alg_values->details.cs_values.r_pub,
+ &bsign_pub->details.cs_public_key,
+ message,
+ message_size,
+ bm->details.cs_blinded_message.c,
+ blinded_r_pub.r_pub);
+ (void) blinded_r_pub;
+ // FIXME: bs->details.cs_blinded_message.nonce
+ // is NOT initialized here. Not elegant!
+ return bm;
+ }
+ }
+ GNUNET_break (0);
+ return NULL;
+}
+
+
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sign (
+ const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+ const char *salt,
+ const struct GNUNET_CRYPTO_BlindedMessage *blinded_message)
+{
+ struct GNUNET_CRYPTO_BlindedSignature *blind_sig;
+
+ if (blinded_message->cipher != bsign_priv->cipher)
+ {
+ GNUNET_break (0);
+ return NULL;
+ }
+
+ blind_sig = GNUNET_new (struct GNUNET_CRYPTO_BlindedSignature);
+ blind_sig->cipher = bsign_priv->cipher;
+ blind_sig->rc = 1;
+ switch (bsign_priv->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ GNUNET_free (blind_sig);
+ return NULL;
+ case GNUNET_CRYPTO_BSA_RSA:
+ blind_sig->details.blinded_rsa_signature
+ = GNUNET_CRYPTO_rsa_sign_blinded (
+ bsign_priv->details.rsa_private_key,
+ &blinded_message->details.rsa_blinded_message);
+ if (NULL == blind_sig->details.blinded_rsa_signature)
+ {
+ GNUNET_break (0);
+ GNUNET_free (blind_sig);
+ return NULL;
+ }
+ return blind_sig;
+ case GNUNET_CRYPTO_BSA_CS:
+ {
+ struct GNUNET_CRYPTO_CsRSecret r[2];
+
+ GNUNET_CRYPTO_cs_r_derive (
+ &blinded_message->details.cs_blinded_message.nonce,
+ salt,
+ &bsign_priv->details.cs_private_key,
+ r);
+ GNUNET_CRYPTO_cs_sign_derive (
+ &bsign_priv->details.cs_private_key,
+ r,
+ &blinded_message->details.cs_blinded_message,
+ &blind_sig->details.blinded_cs_answer);
+ }
+ return blind_sig;
+ }
+ GNUNET_break (0);
+ return NULL;
+}
+
+
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_blind_sig_unblind (
+ const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
+ const union GNUNET_CRYPTO_BlindingSecretP *bks,
+ const void *message,
+ size_t message_size,
+ const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
+ const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub){
+ struct GNUNET_CRYPTO_UnblindedSignature *ub_sig;
+
+ if (blinded_sig->cipher != bsign_pub->cipher)
+ {
+ GNUNET_break (0);
+ return NULL;
+ }
+ if (blinded_sig->cipher != alg_values->cipher)
+ {
+ GNUNET_break (0);
+ return NULL;
+ }
+ ub_sig = GNUNET_new (struct GNUNET_CRYPTO_UnblindedSignature);
+ ub_sig->cipher = blinded_sig->cipher;
+ ub_sig->rc = 1;
+ switch (bsign_pub->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ GNUNET_free (ub_sig);
+ return NULL;
+ case GNUNET_CRYPTO_BSA_RSA:
+ ub_sig->details.rsa_signature
+ = GNUNET_CRYPTO_rsa_unblind (
+ blinded_sig->details.blinded_rsa_signature,
+ &bks->rsa_bks,
+ bsign_pub->details.rsa_public_key);
+ if (NULL == ub_sig->details.rsa_signature)
+ {
+ GNUNET_break (0);
+ GNUNET_free (ub_sig);
+ return NULL;
+ }
+ return ub_sig;
+ case GNUNET_CRYPTO_BSA_CS:
+ {
+ struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+ struct GNUNET_CRYPTO_CsC c[2];
+ struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
+ unsigned int b;
+
+ GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+ bs);
+ GNUNET_CRYPTO_cs_calc_blinded_c (
+ bs,
+ alg_values->details.cs_values.r_pub,
+ &bsign_pub->details.cs_public_key,
+ message,
+ message_size,
+ c,
+ r_pub_blind.r_pub);
+ b = blinded_sig->details.blinded_cs_answer.b;
+ ub_sig->details.cs_signature.r_point
+ = r_pub_blind.r_pub[b];
+ GNUNET_CRYPTO_cs_unblind (&blinded_sig->details.blinded_cs_answer.s_scalar,
+ &bs[b],
+ &ub_sig->details.cs_signature.s_scalar);
+ return ub_sig;
+ }
+ }
+ GNUNET_break (0);
+ GNUNET_free (ub_sig);
+ return NULL;
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sig_verify (
+ const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+ const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
+ const void *message,
+ size_t message_size)
+{
+ if (bsign_pub->cipher != ub_sig->cipher)
+ {
+ GNUNET_break (0);
+ return GNUNET_SYSERR;
+ }
+ switch (bsign_pub->cipher)
+ {
+ case GNUNET_CRYPTO_BSA_INVALID:
+ GNUNET_break (0);
+ return GNUNET_NO;
+ case GNUNET_CRYPTO_BSA_RSA:
+ if (GNUNET_OK !=
+ GNUNET_CRYPTO_rsa_verify (message,
+ message_size,
+ ub_sig->details.rsa_signature,
+ bsign_pub->details.rsa_public_key))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_NO;
+ }
+ return GNUNET_YES;
+ case GNUNET_CRYPTO_BSA_CS:
+ if (GNUNET_OK !=
+ GNUNET_CRYPTO_cs_verify (&ub_sig->details.cs_signature,
+ &bsign_pub->details.cs_public_key,
+ message,
+ message_size))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_NO;
+ }
+ return GNUNET_YES;
+ }
+ GNUNET_break (0);
+ return GNUNET_NO;
+}
+
+
+/* end of crypto_blind_sign.c */
diff --git a/src/lib/util/crypto_cs.c b/src/lib/util/crypto_cs.c
@@ -1,6 +1,6 @@
/*
This file is part of GNUnet
- Copyright (C) 2014,2016,2019 GNUnet e.V.
+ Copyright (C) 2014,2016,2019, 2023 GNUnet e.V.
GNUnet is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published
@@ -257,17 +257,17 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
}
-unsigned int
+void
GNUNET_CRYPTO_cs_sign_derive (
const struct GNUNET_CRYPTO_CsPrivateKey *priv,
const struct GNUNET_CRYPTO_CsRSecret r[2],
- const struct GNUNET_CRYPTO_CsC c[2],
- const struct GNUNET_CRYPTO_CsNonce *nonce,
- struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar)
+ const struct GNUNET_CRYPTO_CsBlindedMessage *bm,
+ struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
{
+ struct GNUNET_CRYPTO_Cs25519Scalar c_b_mul_priv;
uint32_t hkdf_out;
- // derive clause session identifier b (random bit)
+ /* derive clause session identifier b (random bit) */
GNUNET_assert (GNUNET_YES ==
GNUNET_CRYPTO_hkdf (&hkdf_out,
sizeof (hkdf_out),
@@ -277,22 +277,19 @@ GNUNET_CRYPTO_cs_sign_derive (
strlen ("b"),
priv,
sizeof (*priv),
- nonce,
- sizeof (*nonce),
+ &bm->nonce,
+ sizeof (bm->nonce),
NULL,
0));
- unsigned int b = hkdf_out % 2;
+ cs_blind_sig->b = hkdf_out % 2;
- // s = r_b + c_b priv
- struct GNUNET_CRYPTO_Cs25519Scalar c_b_mul_priv;
+ /* s = r_b + c_b * priv */
crypto_core_ed25519_scalar_mul (c_b_mul_priv.d,
- c[b].scalar.d,
+ bm->c[cs_blind_sig->b].scalar.d,
priv->scalar.d);
- crypto_core_ed25519_scalar_add (blinded_signature_scalar->scalar.d,
- r[b].scalar.d,
+ crypto_core_ed25519_scalar_add (cs_blind_sig->s_scalar.scalar.d,
+ r[cs_blind_sig->b].scalar.d,
c_b_mul_priv.d);
-
- return b;
}
diff --git a/src/lib/util/crypto_rsa.c b/src/lib/util/crypto_rsa.c
@@ -1,6 +1,6 @@
/*
This file is part of GNUnet
- Copyright (C) 2014,2016,2019 GNUnet e.V.
+ Copyright (C) 2014,2016,2019,2023 GNUnet e.V.
GNUnet is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published
@@ -178,9 +178,9 @@ GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key)
size_t
-GNUNET_CRYPTO_rsa_private_key_encode (const struct
- GNUNET_CRYPTO_RsaPrivateKey *key,
- void **buffer)
+GNUNET_CRYPTO_rsa_private_key_encode (
+ const struct GNUNET_CRYPTO_RsaPrivateKey *key,
+ void **buffer)
{
size_t n;
char *b;
@@ -745,24 +745,33 @@ numeric_mpi_alloc_n_print (gcry_mpi_t v,
* https://eprint.iacr.org/2001/002.pdf
* http://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf
*
- * @param hash initial hash of the message to sign
+ * @param message the message to sign
+ * @param message_size number of bytes in @a message
* @param pkey the public key of the signer
* @param rsize If not NULL, the number of bytes actually stored in buffer
* @return MPI value set to the FDH, NULL if RSA key is malicious
*/
static gcry_mpi_t
rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
- const struct GNUNET_HashCode *hash)
+ const void *message,
+ size_t message_size)
{
- gcry_mpi_t r, n;
+ gcry_mpi_t r;
+ gcry_mpi_t n;
void *xts;
size_t xts_len;
int ok;
/* Extract the composite n from the RSA public key */
- GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
+ GNUNET_assert (0 ==
+ key_from_sexp (&n,
+ pkey->sexp,
+ "rsa",
+ "n"));
/* Assert that it at least looks like an RSA key */
- GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
+ GNUNET_assert (0 ==
+ gcry_mpi_get_flag (n,
+ GCRYMPI_FLAG_OPAQUE));
/* We key with the public denomination key as a homage to RSA-PSS by *
* Mihir Bellare and Phillip Rogaway. Doing this lowers the degree *
@@ -774,7 +783,7 @@ rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
GNUNET_CRYPTO_kdf_mod_mpi (&r,
n,
xts, xts_len,
- hash, sizeof(*hash),
+ message, message_size,
"RSA-FDA FTpsW!");
GNUNET_free (xts);
ok = rsa_gcd_validate (r, n);
@@ -786,12 +795,20 @@ rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
}
+void
+GNUNET_CRYPTO_rsa_blinded_message_free (
+ struct GNUNET_CRYPTO_RsaBlindedMessage *bm)
+{
+ GNUNET_free (bm->blinded_msg);
+}
+
+
enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
+GNUNET_CRYPTO_rsa_blind (const void *message,
+ size_t message_size,
const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
struct GNUNET_CRYPTO_RsaPublicKey *pkey,
- void **buf,
- size_t *buf_size)
+ struct GNUNET_CRYPTO_RsaBlindedMessage *bm)
{
struct RsaBlindingKey *bkey;
gcry_mpi_t data;
@@ -801,31 +818,36 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
int ret;
BENCHMARK_START (rsa_blind);
-
- GNUNET_assert (buf != NULL);
- GNUNET_assert (buf_size != NULL);
- ret = key_from_sexp (ne, pkey->sexp, "public-key", "ne");
+ ret = key_from_sexp (ne,
+ pkey->sexp,
+ "public-key",
+ "ne");
if (0 != ret)
- ret = key_from_sexp (ne, pkey->sexp, "rsa", "ne");
+ ret = key_from_sexp (ne,
+ pkey->sexp,
+ "rsa",
+ "ne");
if (0 != ret)
{
GNUNET_break (0);
- *buf = NULL;
- *buf_size = 0;
+ bm->blinded_msg = NULL;
+ bm->blinded_msg_size = 0;
+ BENCHMARK_END (rsa_blind);
return GNUNET_NO;
}
- data = rsa_full_domain_hash (pkey, hash);
+ data = rsa_full_domain_hash (pkey,
+ message,
+ message_size);
if (NULL == data)
goto rsa_gcd_validate_failure;
-
- bkey = rsa_blinding_key_derive (pkey, bks);
+ bkey = rsa_blinding_key_derive (pkey,
+ bks);
if (NULL == bkey)
{
gcry_mpi_release (data);
goto rsa_gcd_validate_failure;
}
-
r_e = gcry_mpi_new (0);
gcry_mpi_powm (r_e,
bkey->r,
@@ -842,12 +864,12 @@ GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
gcry_mpi_release (r_e);
rsa_blinding_key_free (bkey);
- *buf_size = numeric_mpi_alloc_n_print (data_r_e,
- (char **) buf);
+ bm->blinded_msg_size
+ = numeric_mpi_alloc_n_print (data_r_e,
+ (char **) &bm->blinded_msg);
gcry_mpi_release (data_r_e);
BENCHMARK_END (rsa_blind);
-
return GNUNET_YES;
rsa_gcd_validate_failure:
@@ -855,8 +877,9 @@ rsa_gcd_validate_failure:
/* GNUNET_break_op (0); */
gcry_mpi_release (ne[0]);
gcry_mpi_release (ne[1]);
- *buf = NULL;
- *buf_size = 0;
+ bm->blinded_msg = NULL;
+ bm->blinded_msg_size = 0;
+ BENCHMARK_END (rsa_blind);
return GNUNET_NO;
}
@@ -945,22 +968,20 @@ rsa_sign_mpi (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
struct GNUNET_CRYPTO_RsaSignature *
GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
- const void *msg,
- size_t msg_len)
+ const struct GNUNET_CRYPTO_RsaBlindedMessage *bm)
{
gcry_mpi_t v = NULL;
struct GNUNET_CRYPTO_RsaSignature *sig;
BENCHMARK_START (rsa_sign_blinded);
-
GNUNET_assert (0 ==
gcry_mpi_scan (&v,
GCRYMPI_FMT_USG,
- msg,
- msg_len,
+ bm->blinded_msg,
+ bm->blinded_msg_size,
NULL));
-
- sig = rsa_sign_mpi (key, v);
+ sig = rsa_sign_mpi (key,
+ v);
gcry_mpi_release (v);
BENCHMARK_END (rsa_sign_blinded);
return sig;
@@ -969,14 +990,17 @@ GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
struct GNUNET_CRYPTO_RsaSignature *
GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
- const struct GNUNET_HashCode *hash)
+ const void *message,
+ size_t message_size)
{
struct GNUNET_CRYPTO_RsaPublicKey *pkey;
gcry_mpi_t v = NULL;
struct GNUNET_CRYPTO_RsaSignature *sig;
pkey = GNUNET_CRYPTO_rsa_private_key_get_public (key);
- v = rsa_full_domain_hash (pkey, hash);
+ v = rsa_full_domain_hash (pkey,
+ message,
+ message_size);
GNUNET_CRYPTO_rsa_public_key_free (pkey);
if (NULL == v) /* rsa_gcd_validate failed meaning */
return NULL; /* our *own* RSA key is malicious. */
@@ -1172,7 +1196,8 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig,
enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
+GNUNET_CRYPTO_rsa_verify (const void *message,
+ size_t message_size,
const struct GNUNET_CRYPTO_RsaSignature *sig,
const struct GNUNET_CRYPTO_RsaPublicKey *pkey)
{
@@ -1182,7 +1207,9 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
BENCHMARK_START (rsa_verify);
- r = rsa_full_domain_hash (pkey, hash);
+ r = rsa_full_domain_hash (pkey,
+ message,
+ message_size);
if (NULL == r)
{
GNUNET_break_op (0);
@@ -1260,4 +1287,4 @@ GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig)
}
-/* end of util/rsa.c */
+/* end of crypto_rsa.c */
diff --git a/src/lib/util/perf_crypto_rsa.c b/src/lib/util/perf_crypto_rsa.c
@@ -45,9 +45,8 @@ eval (unsigned int len)
struct GNUNET_CRYPTO_RsaBlindingKeySecret bsec[10];
unsigned int i;
char sbuf[128];
- void *bbuf;
- size_t bbuf_len;
struct GNUNET_HashCode hc;
+ struct GNUNET_CRYPTO_RsaBlindedMessage bm;
start = GNUNET_TIME_absolute_get ();
for (i = 0; i < 10; i++)
@@ -95,17 +94,17 @@ eval (unsigned int len)
for (i = 0; i < 10; i++)
{
GNUNET_CRYPTO_rsa_blind (&hc,
+ sizeof (hc),
&bsec[i],
public_key,
- &bbuf,
- &bbuf_len);
- GNUNET_free (bbuf);
+ &bm);
+ GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
}
printf ("10x %u-blinding took %s\n",
len,
GNUNET_STRINGS_relative_time_to_string (
GNUNET_TIME_absolute_get_duration (start),
- GNUNET_YES));
+ true));
GNUNET_snprintf (sbuf,
sizeof(sbuf),
"RSA %u-blinding",
@@ -116,16 +115,15 @@ eval (unsigned int len)
+ GNUNET_TIME_absolute_get_duration
(start).rel_value_us / 1000LL), "ops/ms");
GNUNET_CRYPTO_rsa_blind (&hc,
+ sizeof (hc),
&bsec[0],
public_key,
- &bbuf,
- &bbuf_len);
+ &bm);
start = GNUNET_TIME_absolute_get ();
for (i = 0; i < 10; i++)
{
sig = GNUNET_CRYPTO_rsa_sign_blinded (private_key,
- bbuf,
- bbuf_len);
+ &bm);
GNUNET_CRYPTO_rsa_signature_free (sig);
}
printf ("10x %u-signing took %s\n",
@@ -143,8 +141,7 @@ eval (unsigned int len)
+ GNUNET_TIME_absolute_get_duration
(start).rel_value_us / 1000LL), "ops/ms");
sig = GNUNET_CRYPTO_rsa_sign_blinded (private_key,
- bbuf,
- bbuf_len);
+ &bm);
start = GNUNET_TIME_absolute_get ();
for (i = 0; i < 10; i++)
{
@@ -157,7 +154,7 @@ eval (unsigned int len)
len,
GNUNET_STRINGS_relative_time_to_string (
GNUNET_TIME_absolute_get_duration (start),
- GNUNET_YES));
+ true));
GNUNET_snprintf (sbuf,
sizeof(sbuf),
"RSA %u-unblinding",
@@ -175,6 +172,7 @@ eval (unsigned int len)
{
GNUNET_assert (GNUNET_OK ==
GNUNET_CRYPTO_rsa_verify (&hc,
+ sizeof (hc),
rsig,
public_key));
}
@@ -195,7 +193,7 @@ eval (unsigned int len)
GNUNET_CRYPTO_rsa_signature_free (sig);
GNUNET_CRYPTO_rsa_public_key_free (public_key);
GNUNET_CRYPTO_rsa_private_key_free (private_key);
- GNUNET_free (bbuf);
+ GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
}
diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c
@@ -1,6 +1,6 @@
/*
This file is part of GNUnet
- Copyright (C) 2021,2022 GNUnet e.V.
+ Copyright (C) 2021,2022, 2023 GNUnet e.V.
GNUnet is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published
@@ -31,6 +31,7 @@
#define ITER 25
+
static void
test_create_priv (struct GNUNET_CRYPTO_CsPrivateKey *priv)
{
@@ -39,8 +40,10 @@ test_create_priv (struct GNUNET_CRYPTO_CsPrivateKey *priv)
*/
struct GNUNET_CRYPTO_CsPrivateKey other_priv;
- other_priv = *priv;
GNUNET_CRYPTO_cs_private_key_generate (priv);
+ memset (&other_priv,
+ 42,
+ sizeof (other_priv));
GNUNET_assert (0 !=
GNUNET_memcmp (&other_priv.scalar,
&priv->scalar));
@@ -56,9 +59,11 @@ test_generate_pub (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
*/
struct GNUNET_CRYPTO_CsPublicKey other_pub;
- other_pub = *pub;
GNUNET_CRYPTO_cs_private_key_get_public (priv,
pub);
+ memset (&other_pub,
+ 42,
+ sizeof (other_pub));
GNUNET_assert (0 !=
GNUNET_memcmp (&other_pub.point,
&pub->point));
@@ -176,7 +181,8 @@ test_derive_blindingsecrets (const struct GNUNET_CRYPTO_CsNonce *blind_seed,
bs,
sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
- GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed, bs);
+ GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
+ bs);
GNUNET_assert (0 !=
memcmp (other_bs,
@@ -193,7 +199,8 @@ test_derive_blindingsecrets (const struct GNUNET_CRYPTO_CsNonce *blind_seed,
sizeof(struct GNUNET_CRYPTO_CsBlindingSecret) * 2);
for (unsigned int i = 0; i<ITER; i++)
{
- GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed, bs);
+ GNUNET_CRYPTO_cs_blinding_secrets_derive (blind_seed,
+ bs);
GNUNET_assert (0 == memcmp (&other_bs[0],
&bs[0],
sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
@@ -251,36 +258,40 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
struct GNUNET_CRYPTO_Cs25519Point r_min_aG;
struct GNUNET_CRYPTO_CsRPublic res;
- GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
+ GNUNET_assert (0 ==
+ crypto_scalarmult_ed25519_base_noclamp (
aG.y,
bs[b].alpha.d));
-
- GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (
+ GNUNET_assert (0 ==
+ crypto_scalarmult_ed25519_noclamp (
bX.y,
bs[b].beta.d,
pub->point.y));
-
- GNUNET_assert (0 == crypto_core_ed25519_sub (
+ GNUNET_assert (0 ==
+ crypto_core_ed25519_sub (
r_min_aG.y,
blinded_r_pub[b].point.y,
aG.y));
-
GNUNET_assert (0 == crypto_core_ed25519_sub (
res.point.y,
r_min_aG.y,
bX.y));
- GNUNET_assert (0 == memcmp (&res, &r_pub[b], sizeof(struct
- GNUNET_CRYPTO_CsRPublic)));
+ GNUNET_assert (0 ==
+ memcmp (&res,
+ &r_pub[b],
+ sizeof(struct GNUNET_CRYPTO_CsRPublic)));
}
/* TEST 3
* Check that the blinded r_pubs' are valid points
*/
- GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (
+ GNUNET_assert (1 ==
+ crypto_core_ed25519_is_valid_point (
blinded_r_pub[0].point.y));
- GNUNET_assert (1 == crypto_core_ed25519_is_valid_point (
+ GNUNET_assert (1 ==
+ crypto_core_ed25519_is_valid_point (
blinded_r_pub[1].point.y));
/* TEST 4
@@ -313,29 +324,25 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
static void
-test_blind_sign (unsigned int *b,
- const struct GNUNET_CRYPTO_CsPrivateKey *priv,
+test_blind_sign (const struct GNUNET_CRYPTO_CsPrivateKey *priv,
const struct GNUNET_CRYPTO_CsRSecret r[2],
- const struct GNUNET_CRYPTO_CsC c[2],
- const struct GNUNET_CRYPTO_CsNonce *nonce,
- struct GNUNET_CRYPTO_CsBlindS *blinded_s)
+ const struct GNUNET_CRYPTO_CsBlindedMessage *bm,
+ struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
{
/* TEST 1
* Check that blinded_s is set
*/
- struct GNUNET_CRYPTO_CsC other_blinded_s;
- memcpy (&other_blinded_s, blinded_s, sizeof(struct GNUNET_CRYPTO_CsBlindS));
-
- *b = GNUNET_CRYPTO_cs_sign_derive (priv,
- r,
- c,
- nonce,
- blinded_s);
-
- GNUNET_assert (0 == *b || 1 == *b);
- GNUNET_assert (0 != memcmp (&other_blinded_s,
- blinded_s,
- sizeof(struct GNUNET_CRYPTO_CsBlindS)));
+ struct GNUNET_CRYPTO_CsBlindSignature other_blind_sig;
+
+ memset (&other_blind_sig,
+ 44,
+ sizeof (other_blind_sig));
+ GNUNET_CRYPTO_cs_sign_derive (priv,
+ r,
+ bm,
+ &other_blind_sig);
+ GNUNET_assert (0 == other_blind_sig.b ||
+ 1 == other_blind_sig.b);
/* TEST 2
* Check if s := rb + cbX
@@ -343,32 +350,29 @@ test_blind_sign (unsigned int *b,
*/
struct GNUNET_CRYPTO_Cs25519Scalar cb_mul_x;
struct GNUNET_CRYPTO_Cs25519Scalar s_min_rb;
-
+
crypto_core_ed25519_scalar_mul (cb_mul_x.d,
- c[*b].scalar.d,
+ bm->c[other_blind_sig.b].scalar.d,
priv->scalar.d);
-
crypto_core_ed25519_scalar_sub (s_min_rb.d,
- blinded_s->scalar.d,
- r[*b].scalar.d);
-
- GNUNET_assert (0 == memcmp (&s_min_rb, &cb_mul_x, sizeof(struct
- GNUNET_CRYPTO_Cs25519Scalar)));
+ other_blind_sig.s_scalar.scalar.d,
+ r[other_blind_sig.b].scalar.d);
+ GNUNET_assert (0 ==
+ GNUNET_memcmp (&s_min_rb,
+ &cb_mul_x));
/* TEST 3
* Check if function gives the same result for the same input.
*/
- memcpy (&other_blinded_s, blinded_s, sizeof(struct GNUNET_CRYPTO_CsBlindS));
for (unsigned int i = 0; i<ITER; i++)
{
- unsigned int other_b;
-
- other_b = GNUNET_CRYPTO_cs_sign_derive (priv, r, c, nonce, blinded_s);
-
- GNUNET_assert (other_b == *b);
- GNUNET_assert (0 == memcmp (&other_blinded_s,
- blinded_s,
- sizeof(struct GNUNET_CRYPTO_CsBlindS)));
+ GNUNET_CRYPTO_cs_sign_derive (priv,
+ r,
+ bm,
+ cs_blind_sig);
+ GNUNET_assert (0 ==
+ GNUNET_memcmp (&other_blind_sig,
+ cs_blind_sig));
}
}
@@ -386,7 +390,9 @@ test_unblinds (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar,
signature_scalar,
sizeof(struct GNUNET_CRYPTO_CsS));
- GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar, bs, signature_scalar);
+ GNUNET_CRYPTO_cs_unblind (blinded_signature_scalar,
+ bs,
+ signature_scalar);
GNUNET_assert (0 != memcmp (&other_signature_scalar,
signature_scalar,
@@ -431,23 +437,24 @@ test_blind_verify (const struct GNUNET_CRYPTO_CsSignature *sig,
* Test verifies the blinded signature sG == Rb + cbX
*/
struct GNUNET_CRYPTO_Cs25519Point sig_scal_mul_base;
- GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (
- sig_scal_mul_base.y,
- sig->s_scalar.scalar.d));
-
struct GNUNET_CRYPTO_Cs25519Point c_mul_pub;
- GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (c_mul_pub.y,
- c->scalar.d,
- pub->point.y));
-
struct GNUNET_CRYPTO_Cs25519Point r_add_c_mul_pub;
- GNUNET_assert (0 == crypto_core_ed25519_add (r_add_c_mul_pub.y,
- sig->r_point.point.y,
- c_mul_pub.y));
- GNUNET_assert (0 == memcmp (sig_scal_mul_base.y,
- r_add_c_mul_pub.y,
- sizeof(struct GNUNET_CRYPTO_Cs25519Point)));
+ GNUNET_assert (0 ==
+ crypto_scalarmult_ed25519_base_noclamp (
+ sig_scal_mul_base.y,
+ sig->s_scalar.scalar.d));
+ GNUNET_assert (0 ==
+ crypto_scalarmult_ed25519_noclamp (c_mul_pub.y,
+ c->scalar.d,
+ pub->point.y));
+ GNUNET_assert (0 ==
+ crypto_core_ed25519_add (r_add_c_mul_pub.y,
+ sig->r_point.point.y,
+ c_mul_pub.y));
+ GNUNET_assert (0 ==
+ GNUNET_memcmp (sig_scal_mul_base.y,
+ r_add_c_mul_pub.y));
}
@@ -490,6 +497,9 @@ main (int argc,
struct GNUNET_CRYPTO_CsPrivateKey priv;
+ GNUNET_log_setup ("test-crypto-cs",
+ "INFO",
+ NULL);
memset (&priv,
42,
sizeof (priv));
@@ -547,6 +557,7 @@ main (int argc,
blindingsecrets);
// calculate blinded c's
+ struct GNUNET_CRYPTO_CsBlindedMessage bm;
struct GNUNET_CRYPTO_CsC blinded_cs[2];
struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];
@@ -566,27 +577,26 @@ main (int argc,
// ---------- actions performed by signer
// sign blinded c's and get b and s in return
- unsigned int b;
- struct GNUNET_CRYPTO_CsBlindS blinded_s;
+ struct GNUNET_CRYPTO_CsBlindSignature blinded_s;
memset (&blinded_s,
42,
sizeof (blinded_s));
- test_blind_sign (&b,
- &priv,
+ bm.c[0] = blinded_cs[0];
+ bm.c[1] = blinded_cs[1];
+ bm.nonce = nonce;
+ test_blind_sign (&priv,
r_secrets,
- blinded_cs,
- &nonce,
+ &bm,
&blinded_s);
-
// verify blinded signature
struct GNUNET_CRYPTO_CsSignature blinded_signature;
- blinded_signature.r_point = r_publics[b];
- blinded_signature.s_scalar.scalar = blinded_s.scalar;
+ blinded_signature.r_point = r_publics[blinded_s.b];
+ blinded_signature.s_scalar.scalar = blinded_s.s_scalar.scalar;
test_blind_verify (&blinded_signature,
&pub,
- &blinded_cs[b]);
+ &blinded_cs[blinded_s.b]);
// ---------- actions performed by user
struct GNUNET_CRYPTO_CsS sig_scalar;
@@ -594,13 +604,13 @@ main (int argc,
memset (&sig_scalar,
42,
sizeof (sig_scalar));
- test_unblinds (&blinded_s,
- &blindingsecrets[b],
+ test_unblinds (&blinded_s.s_scalar,
+ &blindingsecrets[blinded_s.b],
&sig_scalar);
// verify unblinded signature
struct GNUNET_CRYPTO_CsSignature signature;
- signature.r_point = blinded_r_pubs[b];
+ signature.r_point = blinded_r_pubs[blinded_s.b];
signature.s_scalar = sig_scalar;
test_verify (&signature,
&pub,
diff --git a/src/lib/util/test_crypto_rsa.c b/src/lib/util/test_crypto_rsa.c
@@ -1,6 +1,6 @@
/*
This file is part of GNUnet
- Copyright (C) 2014,2015 GNUnet e.V.
+ Copyright (C) 2014, 2015, 2023 GNUnet e.V.
GNUnet is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published
@@ -47,10 +47,10 @@ main (int argc,
struct GNUNET_CRYPTO_RsaSignature *bsig;
struct GNUNET_CRYPTO_RsaBlindingKeySecret bsec;
struct GNUNET_HashCode hash;
- void *blind_buf;
- size_t bsize;
- GNUNET_log_setup ("test-rsa", "WARNING", NULL);
+ GNUNET_log_setup ("test-crypto-rsa",
+ "WARNING",
+ NULL);
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
rnd_blk,
RND_BLK_SIZE);
@@ -60,36 +60,48 @@ main (int argc,
priv = GNUNET_CRYPTO_rsa_private_key_create (KEY_SIZE);
priv_copy = GNUNET_CRYPTO_rsa_private_key_dup (priv);
GNUNET_assert (NULL != priv_copy);
- GNUNET_assert (0 == GNUNET_CRYPTO_rsa_private_key_cmp (priv, priv_copy));
+ GNUNET_assert (0 == GNUNET_CRYPTO_rsa_private_key_cmp (priv,
+ priv_copy));
pub = GNUNET_CRYPTO_rsa_private_key_get_public (priv);
/* Encoding */
size_t size;
void *enc;
enc = NULL;
- size = GNUNET_CRYPTO_rsa_private_key_encode (priv, &enc);
+ size = GNUNET_CRYPTO_rsa_private_key_encode (priv,
+ &enc);
/* Decoding */
GNUNET_CRYPTO_rsa_private_key_free (priv);
priv = NULL;
- priv = GNUNET_CRYPTO_rsa_private_key_decode (enc, size);
+ priv = GNUNET_CRYPTO_rsa_private_key_decode (enc,
+ size);
GNUNET_assert (NULL != priv);
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
- enc, size);
- GNUNET_assert (NULL == GNUNET_CRYPTO_rsa_private_key_decode (enc, size));
- (void) fprintf (stderr, "The above warning is expected.\n");
+ enc,
+ size);
+ GNUNET_assert (NULL ==
+ GNUNET_CRYPTO_rsa_private_key_decode (enc,
+ size));
+ (void) fprintf (stderr,
+ "The above warning is expected.\n");
GNUNET_free (enc);
/* try ordinary sig first */
sig = GNUNET_CRYPTO_rsa_sign_fdh (priv,
- &hash);
+ &hash,
+ sizeof (hash));
sig_copy = GNUNET_CRYPTO_rsa_signature_dup (sig);
GNUNET_assert (NULL != sig);
- GNUNET_assert (0 == GNUNET_CRYPTO_rsa_signature_cmp (sig, sig_copy));
+ GNUNET_assert (0 == GNUNET_CRYPTO_rsa_signature_cmp (sig,
+ sig_copy));
pub_copy = GNUNET_CRYPTO_rsa_public_key_dup (pub);
GNUNET_assert (NULL != pub_copy);
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_verify (&hash, sig, pub_copy));
+ GNUNET_CRYPTO_rsa_verify (&hash,
+ sizeof (hash),
+ sig,
+ pub_copy));
{
void *buf;
size_t buf_size;
@@ -107,38 +119,48 @@ main (int argc,
buf_size);
GNUNET_free (buf);
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_verify (&hash, sig2, pub2));
+ GNUNET_CRYPTO_rsa_verify (&hash,
+ sizeof (hash),
+ sig2,
+ pub2));
GNUNET_CRYPTO_rsa_public_key_free (pub2);
GNUNET_CRYPTO_rsa_signature_free (sig2);
}
/* corrupt our hash and see if the signature is still valid */
- GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, &hash,
- sizeof(struct GNUNET_HashCode));
- GNUNET_assert (GNUNET_OK != GNUNET_CRYPTO_rsa_verify (&hash,
- sig,
- pub));
- (void) fprintf (stderr, "The above warning is expected.\n");
+ GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+ &hash,
+ sizeof(hash));
+ GNUNET_assert (GNUNET_OK !=
+ GNUNET_CRYPTO_rsa_verify (&hash,
+ sizeof (hash),
+ sig,
+ pub));
+ (void) fprintf (stderr,
+ "The above warning is expected.\n");
GNUNET_CRYPTO_rsa_signature_free (sig);
/* test blind signing */
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
&bsec,
sizeof(bsec));
+ struct GNUNET_CRYPTO_RsaBlindedMessage bm;
GNUNET_CRYPTO_rsa_blind (&hash,
+ sizeof (hash),
&bsec,
pub,
- &blind_buf, &bsize);
- GNUNET_assert (0 != bsize);
+ &bm);
bsig = GNUNET_CRYPTO_rsa_sign_blinded (priv,
- blind_buf,
- bsize);
- GNUNET_free (blind_buf);
+ &bm);
+ GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
sig = GNUNET_CRYPTO_rsa_unblind (bsig,
&bsec,
pub);
GNUNET_CRYPTO_rsa_signature_free (bsig);
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_verify (&hash, sig, pub));
+ GNUNET_CRYPTO_rsa_verify (&hash,
+ sizeof (hash),
+ sig,
+ pub));
GNUNET_CRYPTO_rsa_signature_free (sig);
GNUNET_CRYPTO_rsa_signature_free (sig_copy);
GNUNET_CRYPTO_rsa_private_key_free (priv);
