age restriction: make seed a HashCode due to endianess and security level concerns

2022-04-26 23:34:14 +02:00 · 2022-04-26 23:34:14 +02:00 · 17a00ef22d
commit 17a00ef22d
parent 47e276e11a
8 changed files with 18 additions and 21 deletions
--- a/contrib/gana
+++ b/contrib/gana
@ -1 +1 @@
-Subproject commit fbd5974fba30cab15ef1b7454a5a609286c71508
+Subproject commit 0172bed41a8fdfc4ef2511e311441120a3d2572d
--- a/src/exchange/taler-exchange-httpd_refreshes_reveal.c
+++ b/src/exchange/taler-exchange-httpd_refreshes_reveal.c
@ -297,8 +297,6 @@ check_commitment (struct RevealContext *rctx,
           * the transfer_secret and the old age commitment. */
          if (NULL != rctx->old_age_commitment)
          {
-            uint64_t seed = (uint64_t) ts.key.bits[0]
-                            | (uint64_t) ts.key.bits[1] << 32;
            struct TALER_AgeCommitmentProof acp = {
              /* we only need the commitment, not the proof, for the call to
               * TALER_age_commitment_derive. */
@ -310,7 +308,7 @@ check_commitment (struct RevealContext *rctx,
            GNUNET_assert (GNUNET_OK ==
                           TALER_age_commitment_derive (
                             &acp,
-                             seed,
+                             &ts.key,
                             &nacp));

            TALER_age_commitment_hash (&nacp.commitment, &h);
--- a/src/include/taler_crypto_lib.h
+++ b/src/include/taler_crypto_lib.h
@ -4819,7 +4819,7 @@ TALER_age_restriction_commit (
 enum GNUNET_GenericReturnValue
 TALER_age_commitment_derive (
  const struct TALER_AgeCommitmentProof *orig,
-  const uint64_t salt,
+  const struct GNUNET_HashCode *salt,
  struct TALER_AgeCommitmentProof *derived);


--- a/src/lib/exchange_api_link.c
+++ b/src/lib/exchange_api_link.c
@ -148,15 +148,13 @@ parse_link_coin (const struct TALER_EXCHANGE_LinkHandle *lh,
  /* Derive the age commitment and calculate the hash */
  if (NULL != lh->age_commitment_proof)
  {
-    uint64_t seed  = (uint64_t) secret.key.bits[0]
-                     | (uint64_t) secret.key.bits[1] << 32;
    lci->age_commitment_proof = GNUNET_new (struct TALER_AgeCommitmentProof);
    lci->h_age_commitment = GNUNET_new (struct TALER_AgeCommitmentHash);

    GNUNET_assert (GNUNET_OK ==
                   TALER_age_commitment_derive (
                     lh->age_commitment_proof,
-                     seed,
+                     &secret.key,
                     lci->age_commitment_proof));

    TALER_age_commitment_hash (
--- a/src/lib/exchange_api_refresh_common.c
+++ b/src/lib/exchange_api_refresh_common.c
@ -185,11 +185,6 @@ TALER_EXCHANGE_get_melt_data_ (
      /* Handle age commitment, if present */
      if (NULL != md->melted_coin.age_commitment_proof)
      {
-        /* We use the first 8 bytes of the trans_sec to generate a new age
-         * commitment */
-        uint64_t age_seed = (uint64_t) trans_sec.key.bits[0]
-                            | (uint64_t) trans_sec.key.bits[1] << 32;
-
        fcd->age_commitment_proof[i] = GNUNET_new (struct
                                                   TALER_AgeCommitmentProof);
        ach = GNUNET_new (struct TALER_AgeCommitmentHash);
@ -197,7 +192,7 @@ TALER_EXCHANGE_get_melt_data_ (
        GNUNET_assert (GNUNET_OK ==
                       TALER_age_commitment_derive (
                         md->melted_coin.age_commitment_proof,
-                         age_seed,
+                         &trans_sec.key,
                         fcd->age_commitment_proof[i]));

        TALER_age_commitment_hash (
--- a/src/util/age_restriction.c
+++ b/src/util/age_restriction.c
@ -173,7 +173,7 @@ FAIL:
 enum GNUNET_GenericReturnValue
 TALER_age_commitment_derive (
  const struct TALER_AgeCommitmentProof *orig,
-  const uint64_t salt,
+  const struct GNUNET_HashCode *salt,
  struct TALER_AgeCommitmentProof *newacp)
 {
  GNUNET_assert (NULL != newacp);
@ -211,8 +211,8 @@ TALER_age_commitment_derive (
  {
    GNUNET_CRYPTO_edx25519_private_key_derive (
      &orig->proof.keys[i].priv,
-      &salt,
-      sizeof(salt),
+      salt,
+      sizeof(*salt),
      &newacp->proof.keys[i].priv);
  }
 #else
--- a/src/util/test_age_restriction.c
+++ b/src/util/test_age_restriction.c
@ -170,11 +170,13 @@ test_attestation (void)
    /* Also derive two more commitments right away */
    for (uint8_t i = 0; i<2; i++)
    {
-      uint64_t salt = GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_WEAK,
-                                                UINT64_MAX);
+      struct GNUNET_HashCode salt;
+      GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                  &salt,
+                                  sizeof (salt));
      GNUNET_assert (GNUNET_OK ==
                     TALER_age_commitment_derive (&acp[i],
-                                                  salt,
+                                                  &salt,
                                                  &acp[i + 1]));
    }

--- a/src/util/tv_age_restriction.c
+++ b/src/util/tv_age_restriction.c
@ -175,11 +175,15 @@ generate (
    /* Also derive two more commitments right away */
    for (uint8_t i = 0; i<2; i++)
    {
+      struct GNUNET_HashCode salt;
+      GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                  &salt,
+                                  sizeof (salt));
      uint64_t salt = GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_WEAK,
                                                UINT64_MAX / 2);
      GNUNET_assert (GNUNET_OK ==
                     TALER_age_commitment_derive (&acp[i],
-                                                  salt,
+                                                  &salt,
                                                  &acp[i + 1]));
    }