2015-01-27 16:18:33 +01:00
|
|
|
/*
|
|
|
|
This file is part of TALER
|
2016-01-19 14:39:00 +01:00
|
|
|
Copyright (C) 2014, 2015 GNUnet e.V.
|
2015-01-27 16:18:33 +01:00
|
|
|
|
|
|
|
TALER is free software; you can redistribute it and/or modify it under the
|
|
|
|
terms of the GNU General Public License as published by the Free Software
|
|
|
|
Foundation; either version 3, or (at your option) any later version.
|
|
|
|
|
|
|
|
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
|
|
|
|
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License along with
|
2016-07-07 17:55:25 +02:00
|
|
|
TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
|
2015-01-27 16:18:33 +01:00
|
|
|
*/
|
|
|
|
/**
|
2015-01-28 20:53:21 +01:00
|
|
|
* @file util/crypto.c
|
2015-01-27 16:18:33 +01:00
|
|
|
* @brief Cryptographic utility functions
|
|
|
|
* @author Sree Harsha Totakura <sreeharsha@totakura.in>
|
|
|
|
* @author Florian Dold
|
|
|
|
* @author Benedikt Mueller
|
2015-01-28 20:53:21 +01:00
|
|
|
* @author Christian Grothoff
|
2015-01-27 16:18:33 +01:00
|
|
|
*/
|
|
|
|
#include "platform.h"
|
2015-06-02 12:52:05 +02:00
|
|
|
|
|
|
|
#if HAVE_GNUNET_GNUNET_UTIL_TALER_WALLET_LIB_H
|
2015-07-15 11:40:51 +02:00
|
|
|
#include "taler_util_wallet.h"
|
2015-06-02 12:52:05 +02:00
|
|
|
#endif
|
|
|
|
#if HAVE_GNUNET_GNUNET_UTIL_LIB_H
|
2015-07-15 11:40:51 +02:00
|
|
|
#include "taler_util.h"
|
2015-06-02 12:52:05 +02:00
|
|
|
#endif
|
2015-01-27 16:18:33 +01:00
|
|
|
#include <gcrypt.h>
|
|
|
|
|
|
|
|
|
2015-01-27 22:01:08 +01:00
|
|
|
/**
|
|
|
|
* Function called by libgcrypt on serious errors.
|
|
|
|
* Prints an error message and aborts the process.
|
|
|
|
*
|
|
|
|
* @param cls NULL
|
|
|
|
* @param wtf unknown
|
|
|
|
* @param msg error message
|
|
|
|
*/
|
2015-01-27 16:18:33 +01:00
|
|
|
static void
|
2015-01-27 22:01:08 +01:00
|
|
|
fatal_error_handler (void *cls,
|
|
|
|
int wtf,
|
|
|
|
const char *msg)
|
2015-01-27 16:18:33 +01:00
|
|
|
{
|
2015-05-18 18:52:52 +02:00
|
|
|
fprintf (stderr,
|
|
|
|
"Fatal error in libgcrypt: %s\n",
|
|
|
|
msg);
|
2015-01-27 16:18:33 +01:00
|
|
|
abort();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2015-01-27 22:01:08 +01:00
|
|
|
* Initialize libgcrypt.
|
2015-01-27 16:18:33 +01:00
|
|
|
*/
|
2015-05-17 16:46:16 +02:00
|
|
|
void __attribute__ ((constructor))
|
2015-01-27 22:01:08 +01:00
|
|
|
TALER_gcrypt_init ()
|
2015-01-27 16:18:33 +01:00
|
|
|
{
|
2015-03-22 22:14:30 +01:00
|
|
|
gcry_set_fatalerror_handler (&fatal_error_handler,
|
|
|
|
NULL);
|
2015-05-18 18:52:52 +02:00
|
|
|
if (! gcry_check_version (NEED_LIBGCRYPT_VERSION))
|
|
|
|
{
|
|
|
|
fprintf (stderr,
|
|
|
|
"libgcrypt version mismatch\n");
|
|
|
|
abort ();
|
|
|
|
}
|
2015-01-27 16:18:33 +01:00
|
|
|
/* Disable secure memory. */
|
|
|
|
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
|
|
|
|
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2016-08-05 16:08:19 +02:00
|
|
|
* Check if a coin is valid; that is, whether the denomination key exists,
|
|
|
|
* is not expired, and the signature is correct.
|
2015-01-27 18:49:02 +01:00
|
|
|
*
|
2016-08-05 16:08:19 +02:00
|
|
|
* @param coin_public_info the coin public info to check for validity
|
|
|
|
* @return #GNUNET_YES if the coin is valid,
|
|
|
|
* #GNUNET_NO if it is invalid
|
2017-06-04 11:30:43 +02:00
|
|
|
* #GNUNET_SYSERR if an internal error occured
|
2015-01-27 18:49:02 +01:00
|
|
|
*/
|
|
|
|
int
|
2016-08-05 16:08:19 +02:00
|
|
|
TALER_test_coin_valid (const struct TALER_CoinPublicInfo *coin_public_info)
|
2015-01-27 18:49:02 +01:00
|
|
|
{
|
2016-08-05 16:08:19 +02:00
|
|
|
struct GNUNET_HashCode c_hash;
|
2015-01-27 18:49:02 +01:00
|
|
|
|
2016-08-05 16:08:19 +02:00
|
|
|
GNUNET_CRYPTO_hash (&coin_public_info->coin_pub,
|
|
|
|
sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
|
|
|
|
&c_hash);
|
|
|
|
if (GNUNET_OK !=
|
|
|
|
GNUNET_CRYPTO_rsa_verify (&c_hash,
|
|
|
|
coin_public_info->denom_sig.rsa_signature,
|
|
|
|
coin_public_info->denom_pub.rsa_public_key))
|
|
|
|
{
|
|
|
|
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
|
|
|
|
"coin signature is invalid\n");
|
|
|
|
return GNUNET_NO;
|
|
|
|
}
|
|
|
|
return GNUNET_YES;
|
2015-01-27 18:49:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-08-08 19:52:05 +02:00
|
|
|
/**
|
|
|
|
* Given the coin and the transfer private keys, compute the
|
|
|
|
* transfer secret. (Technically, we only need one of the two
|
|
|
|
* private keys, but the caller currently trivially only has
|
|
|
|
* the two private keys, so we derive one of the public keys
|
|
|
|
* internally to this function.)
|
|
|
|
*
|
|
|
|
* @param coin_priv coin key
|
|
|
|
* @param trans_priv transfer private key
|
2015-08-09 15:40:16 +02:00
|
|
|
* @param[out] ts computed transfer secret
|
2015-08-08 19:52:05 +02:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
TALER_link_derive_transfer_secret (const struct TALER_CoinSpendPrivateKeyP *coin_priv,
|
|
|
|
const struct TALER_TransferPrivateKeyP *trans_priv,
|
|
|
|
struct TALER_TransferSecretP *ts)
|
|
|
|
{
|
|
|
|
struct TALER_CoinSpendPublicKeyP coin_pub;
|
|
|
|
|
|
|
|
GNUNET_CRYPTO_eddsa_key_get_public (&coin_priv->eddsa_priv,
|
|
|
|
&coin_pub.eddsa_pub);
|
|
|
|
GNUNET_assert (GNUNET_OK ==
|
|
|
|
GNUNET_CRYPTO_ecdh_eddsa (&trans_priv->ecdhe_priv,
|
|
|
|
&coin_pub.eddsa_pub,
|
|
|
|
&ts->key));
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-04-15 18:12:21 +02:00
|
|
|
/**
|
|
|
|
* Decrypt the shared @a secret from the information in the
|
2016-08-05 16:08:19 +02:00
|
|
|
* @a trans_priv and @a coin_pub.
|
2015-05-01 09:59:18 +02:00
|
|
|
*
|
2015-05-16 18:26:34 +02:00
|
|
|
* @param trans_priv transfer private key
|
2015-04-15 18:12:21 +02:00
|
|
|
* @param coin_pub coin public key
|
2017-04-20 07:49:56 +02:00
|
|
|
* @param[out] transfer_secret set to the shared secret
|
2015-04-15 18:12:21 +02:00
|
|
|
*/
|
2016-08-05 16:08:19 +02:00
|
|
|
void
|
|
|
|
TALER_link_reveal_transfer_secret (const struct TALER_TransferPrivateKeyP *trans_priv,
|
|
|
|
const struct TALER_CoinSpendPublicKeyP *coin_pub,
|
|
|
|
struct TALER_TransferSecretP *transfer_secret)
|
2015-04-15 18:12:21 +02:00
|
|
|
{
|
2016-08-05 16:08:19 +02:00
|
|
|
GNUNET_assert (GNUNET_OK ==
|
|
|
|
GNUNET_CRYPTO_ecdh_eddsa (&trans_priv->ecdhe_priv,
|
|
|
|
&coin_pub->eddsa_pub,
|
|
|
|
&transfer_secret->key));
|
2015-04-15 18:12:21 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-04-15 18:34:14 +02:00
|
|
|
/**
|
|
|
|
* Decrypt the shared @a secret from the information in the
|
2016-08-05 16:08:19 +02:00
|
|
|
* @a trans_priv and @a coin_pub.
|
2015-05-01 09:59:18 +02:00
|
|
|
*
|
2016-08-05 16:08:19 +02:00
|
|
|
* @param trans_pub transfer private key
|
|
|
|
* @param coin_priv coin public key
|
2017-04-20 07:49:56 +02:00
|
|
|
* @param[out] transfer_secret set to the shared secret
|
2015-04-15 18:34:14 +02:00
|
|
|
*/
|
2016-08-05 16:08:19 +02:00
|
|
|
void
|
|
|
|
TALER_link_recover_transfer_secret (const struct TALER_TransferPublicKeyP *trans_pub,
|
|
|
|
const struct TALER_CoinSpendPrivateKeyP *coin_priv,
|
|
|
|
struct TALER_TransferSecretP *transfer_secret)
|
2015-04-15 18:34:14 +02:00
|
|
|
{
|
2016-08-05 16:08:19 +02:00
|
|
|
GNUNET_assert (GNUNET_OK ==
|
|
|
|
GNUNET_CRYPTO_eddsa_ecdh (&coin_priv->eddsa_priv,
|
|
|
|
&trans_pub->ecdhe_pub,
|
|
|
|
&transfer_secret->key));
|
2015-04-15 18:34:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-10-31 14:02:54 +01:00
|
|
|
/**
|
|
|
|
* Set the bits in the private EdDSA key so that they match
|
|
|
|
* the specification.
|
|
|
|
*
|
|
|
|
* @param[in,out] pk private key to patch
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
patch_private_key (struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
|
|
|
|
{
|
|
|
|
uint8_t *p = (uint8_t *) pk;
|
|
|
|
|
|
|
|
/* Taken from like 170-172 of libgcrypt/cipher/ecc.c
|
|
|
|
* We note that libgcrypt stores the private key in the reverse order
|
|
|
|
* from many Ed25519 implementatons. */
|
|
|
|
p[0] &= 0x7f; /* Clear bit 255. */
|
|
|
|
p[0] |= 0x40; /* Set bit 254. */
|
|
|
|
p[31] &= 0xf8; /* Clear bits 2..0 so that d mod 8 == 0 */
|
|
|
|
|
|
|
|
/* FIXME: Run GNUNET_CRYPTO_ecdhe_key_create several times and inspect
|
|
|
|
* the output to verify that the same bits are set and cleared.
|
|
|
|
* Is it worth also adding a test case that runs gcry_pk_testkey on
|
|
|
|
* this key after first parsing it into libgcrypt's s-expression mess
|
|
|
|
* ala decode_private_eddsa_key from gnunet/src/util/crypto_ecc.c?
|
|
|
|
* It'd run check_secret_key but not test_keys from libgcrypt/cipher/ecc.c */
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-04-15 18:12:21 +02:00
|
|
|
/**
|
2016-08-05 16:08:19 +02:00
|
|
|
* Setup information for a fresh coin.
|
2015-05-01 09:59:18 +02:00
|
|
|
*
|
2016-08-05 16:08:19 +02:00
|
|
|
* @param secret_seed seed to use for KDF to derive coin keys
|
|
|
|
* @param coin_num_salt number of the coin to include in KDF
|
2017-10-31 14:02:54 +01:00
|
|
|
* @param[out] ps value to initialize
|
2015-04-15 18:12:21 +02:00
|
|
|
*/
|
2016-08-05 16:08:19 +02:00
|
|
|
void
|
2017-10-31 12:44:17 +01:00
|
|
|
TALER_planchet_setup_refresh (const struct TALER_TransferSecretP *secret_seed,
|
2017-10-31 14:02:54 +01:00
|
|
|
unsigned int coin_num_salt,
|
|
|
|
struct TALER_PlanchetSecretsP *ps)
|
2015-04-15 18:12:21 +02:00
|
|
|
{
|
2016-08-05 16:08:19 +02:00
|
|
|
uint32_t be_salt = htonl (coin_num_salt);
|
2015-04-15 18:12:21 +02:00
|
|
|
|
2016-08-05 16:08:19 +02:00
|
|
|
GNUNET_assert (GNUNET_OK ==
|
2017-10-31 14:02:54 +01:00
|
|
|
GNUNET_CRYPTO_kdf (ps,
|
|
|
|
sizeof (*ps),
|
2016-08-05 16:08:19 +02:00
|
|
|
&be_salt,
|
|
|
|
sizeof (be_salt),
|
2016-08-08 12:43:59 +02:00
|
|
|
secret_seed,
|
|
|
|
sizeof (*secret_seed),
|
2016-08-05 16:08:19 +02:00
|
|
|
"taler-coin-derivation",
|
|
|
|
strlen ("taler-coin-derivation"),
|
|
|
|
NULL, 0));
|
2017-10-31 14:02:54 +01:00
|
|
|
patch_private_key (&ps->coin_priv.eddsa_priv);
|
|
|
|
}
|
2016-08-08 10:38:07 +02:00
|
|
|
|
|
|
|
|
2017-10-31 14:02:54 +01:00
|
|
|
/**
|
|
|
|
* Setup information for a fresh coin.
|
|
|
|
*
|
|
|
|
* @param[out] ps value to initialize
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps)
|
|
|
|
{
|
|
|
|
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_STRONG,
|
|
|
|
ps,
|
|
|
|
sizeof (*ps));
|
|
|
|
patch_private_key (&ps->coin_priv.eddsa_priv);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Prepare a planchet for tipping. Creates and blinds a coin.
|
|
|
|
*
|
|
|
|
* @param dk denomination key for the coin to be created
|
|
|
|
* @param ps secret planchet internals (for #TALER_planchet_to_coin)
|
|
|
|
* @param[out] pd set to the planchet detail for TALER_MERCHANT_tip_pickup() and
|
|
|
|
* other withdraw operations
|
|
|
|
* @return #GNUNET_OK on success
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk,
|
|
|
|
const struct TALER_PlanchetSecretsP *ps,
|
|
|
|
struct TALER_PlanchetDetail *pd)
|
|
|
|
{
|
|
|
|
struct TALER_CoinSpendPublicKeyP coin_pub;
|
|
|
|
|
|
|
|
GNUNET_CRYPTO_eddsa_key_get_public (&ps->coin_priv.eddsa_priv,
|
|
|
|
&coin_pub.eddsa_pub);
|
|
|
|
GNUNET_CRYPTO_hash (&coin_pub.eddsa_pub,
|
|
|
|
sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
|
|
|
|
&pd->c_hash);
|
|
|
|
if (GNUNET_YES !=
|
|
|
|
GNUNET_CRYPTO_rsa_blind (&pd->c_hash,
|
|
|
|
&ps->blinding_key.bks,
|
|
|
|
dk->rsa_public_key,
|
|
|
|
&pd->coin_ev,
|
|
|
|
&pd->coin_ev_size))
|
|
|
|
{
|
|
|
|
GNUNET_break_op (0);
|
|
|
|
return GNUNET_SYSERR;
|
|
|
|
}
|
|
|
|
GNUNET_CRYPTO_rsa_public_key_hash (dk->rsa_public_key,
|
|
|
|
&pd->denom_pub_hash);
|
|
|
|
return GNUNET_OK;
|
2015-04-15 18:12:21 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-10-31 14:02:54 +01:00
|
|
|
/**
|
|
|
|
* Obtain a coin from the planchet's secrets and the blind signature
|
|
|
|
* of the exchange.
|
|
|
|
*
|
|
|
|
* @param dk denomination key, must match what was given to #TALER_planchet_prepare()
|
|
|
|
* @param blind_sig blind signature from the exchange
|
|
|
|
* @param ps secrets from #TALER_planchet_prepare()
|
|
|
|
* @param c_hash hash of the coin's public key for verification of the signature
|
|
|
|
* @param[out] coin set to the details of the fresh coin
|
|
|
|
* @return #GNUNET_OK on success
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
TALER_planchet_to_coin (const struct TALER_DenominationPublicKey *dk,
|
|
|
|
const struct GNUNET_CRYPTO_RsaSignature *blind_sig,
|
|
|
|
const struct TALER_PlanchetSecretsP *ps,
|
|
|
|
const struct GNUNET_HashCode *c_hash,
|
|
|
|
struct TALER_FreshCoin *coin)
|
|
|
|
{
|
|
|
|
struct GNUNET_CRYPTO_RsaSignature *sig;
|
2016-08-05 16:08:19 +02:00
|
|
|
|
2017-10-31 14:02:54 +01:00
|
|
|
sig = GNUNET_CRYPTO_rsa_unblind (blind_sig,
|
|
|
|
&ps->blinding_key.bks,
|
|
|
|
dk->rsa_public_key);
|
|
|
|
if (GNUNET_OK !=
|
|
|
|
GNUNET_CRYPTO_rsa_verify (c_hash,
|
|
|
|
sig,
|
|
|
|
dk->rsa_public_key))
|
|
|
|
{
|
|
|
|
GNUNET_break_op (0);
|
|
|
|
GNUNET_CRYPTO_rsa_signature_free (sig);
|
|
|
|
return GNUNET_SYSERR;
|
|
|
|
}
|
|
|
|
coin->sig.rsa_signature = sig;
|
|
|
|
coin->coin_priv = ps->coin_priv;
|
|
|
|
return GNUNET_OK;
|
|
|
|
}
|
2016-08-05 16:08:19 +02:00
|
|
|
|
2015-01-27 16:18:33 +01:00
|
|
|
/* end of crypto.c */
|