       1             : /*
       2             :   This file is part of TALER
       3             :   Copyright (C) 2014, 2015 GNUnet e.V.
       4             : 
       5             :   TALER is free software; you can redistribute it and/or modify it under the
       6             :   terms of the GNU General Public License as published by the Free Software
       7             :   Foundation; either version 3, or (at your option) any later version.
       8             : 
       9             :   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
      10             :   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
      11             :   A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
      12             : 
      13             :   You should have received a copy of the GNU General Public License along with
      14             :   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
      15             : */
      16             : /**
      17             :  * @file util/crypto.c
      18             :  * @brief Cryptographic utility functions
      19             :  * @author Sree Harsha Totakura <sreeharsha@totakura.in>
      20             :  * @author Florian Dold
      21             :  * @author Benedikt Mueller
      22             :  * @author Christian Grothoff
      23             :  */
      24             : #include "platform.h"
      25             : 
      26             : #if HAVE_GNUNET_GNUNET_UTIL_TALER_WALLET_LIB_H
      27             : #include "taler_util_wallet.h"
      28             : #endif
      29             : #if HAVE_GNUNET_GNUNET_UTIL_LIB_H
      30             : #include "taler_util.h"
      31             : #endif
      32             : #include <gcrypt.h>
      33             : 
      34             : 
/**
 * Fatal-error callback registered with libgcrypt.
 * Writes the message to stderr and then terminates the process with
 * abort(), so control never returns to libgcrypt.
 *
 * @param cls closure, unused (TALER_gcrypt_init registers NULL)
 * @param wtf unused; presumably the libgcrypt error code -- TODO confirm
 * @param msg error message supplied by libgcrypt
 */
static void
fatal_error_handler (void *cls,
                     int wtf,
                     const char *msg)
{
  /* Neither value is needed to report the failure. */
  (void) cls;
  (void) wtf;

  fprintf (stderr, "Fatal error in libgcrypt: %s\n", msg);
  abort();
}
      53             : 
      54             : 
/**
 * Initialize libgcrypt.
 *
 * Marked as a constructor, so it runs automatically when the code is
 * loaded rather than being called explicitly.  It installs the fatal-error
 * handler, aborts the process if the linked libgcrypt does not satisfy
 * NEED_LIBGCRYPT_VERSION, disables libgcrypt's secure memory and then
 * marks initialization as finished.
 *
 * Security note: with secure memory disabled, libgcrypt does not place
 * key material in its locked secure-memory pool; secrets handled through
 * libgcrypt then live in ordinary process memory, which may be written
 * to swap or show up in core dumps.  Deployments that care about this
 * need to cover it at the system level (e.g. encrypted swap, core dumps
 * disabled).
 */
void  __attribute__ ((constructor))
TALER_gcrypt_init ()
{
  /* Route libgcrypt's fatal errors to our handler (closure is NULL).
   * NOTE(review): the libgcrypt manual asks for gcry_check_version() to
   * be the first call into the library; here the handler is registered
   * before it -- confirm this ordering is intended. */
  gcry_set_fatalerror_handler (&fatal_error_handler,
                               NULL);
  /* gcry_check_version() both initializes the library and checks that
   * the runtime version is recent enough; a mismatch is fatal. */
  if (! gcry_check_version (NEED_LIBGCRYPT_VERSION))
  {
    fprintf (stderr,
             "libgcrypt version mismatch\n");
    abort ();
  }
  /* Disable secure memory.  See the security note in the function
   * comment for what this implies for key material. */
  gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
  /* Tell libgcrypt that application-level initialization is complete. */
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
}
      73             : 
      74             : 
/**
 * Verify the denomination signature on a coin.
 *
 * The coin's public key is hashed and the hash is checked against the
 * RSA signature in @a coin_public_info under the denomination public key
 * stored in the same structure.  Nothing else is checked here: this
 * function does not look up the denomination key and does not test
 * whether it has expired, so callers that rely on those properties must
 * check them separately.
 *
 * @param coin_public_info the coin public info to check for validity
 * @return #GNUNET_YES if the signature verifies,
 *         #GNUNET_NO if it does not
 */
int
TALER_test_coin_valid (const struct TALER_CoinPublicInfo *coin_public_info)
{
  struct GNUNET_HashCode coin_hash;
  int verdict;

  /* NOTE(review): the hashed length is that of the ECDSA key struct
   * rather than sizeof (coin_public_info->coin_pub); presumably both
   * are the same size -- confirm. */
  GNUNET_CRYPTO_hash (&coin_public_info->coin_pub,
                      sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
                      &coin_hash);
  verdict = GNUNET_CRYPTO_rsa_verify (&coin_hash,
                                      coin_public_info->denom_sig.rsa_signature,
                                      coin_public_info->denom_pub.rsa_public_key);
  if (GNUNET_OK == verdict)
    return GNUNET_YES;

  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
              "coin signature is invalid\n");
  return GNUNET_NO;
}
     103             : 
     104             : 
/**
 * Given the coin and the transfer private keys, compute the
 * transfer secret.  (Technically, only one of the two private keys
 * is needed, but the caller currently has both at hand, so the coin's
 * public key is derived inside this function.)
 *
 * The secret is the result of GNUNET_CRYPTO_ecdh_eddsa() on the transfer
 * private key and the coin's public key; a failure of that call trips
 * GNUNET_assert.
 *
 * @param coin_priv coin private key
 * @param trans_priv transfer private key
 * @param[out] ts computed transfer secret
 */
void
TALER_link_derive_transfer_secret (const struct TALER_CoinSpendPrivateKeyP *coin_priv,
                                   const struct TALER_TransferPrivateKeyP *trans_priv,
                                   struct TALER_TransferSecretP *ts)
{
  struct TALER_CoinSpendPublicKeyP derived_pub;
  int ecdh_ret;

  /* Public half of the coin key; only used as ECDH input below. */
  GNUNET_CRYPTO_eddsa_key_get_public (&coin_priv->eddsa_priv,
                                      &derived_pub.eddsa_pub);
  ecdh_ret = GNUNET_CRYPTO_ecdh_eddsa (&trans_priv->ecdhe_priv,
                                       &derived_pub.eddsa_pub,
                                       &ts->key);
  GNUNET_assert (GNUNET_OK == ecdh_ret);
}
     131             : 
     132             : 
/**
 * Compute the shared transfer secret from the transfer private key
 * @a trans_priv and the coin's public key @a coin_pub.
 *
 * A failure of the underlying ECDH call trips GNUNET_assert.
 *
 * @param trans_priv transfer private key
 * @param coin_pub coin public key
 * @param[out] transfer_secret set to the shared secret
 */
void
TALER_link_reveal_transfer_secret (const struct TALER_TransferPrivateKeyP *trans_priv,
                                   const struct TALER_CoinSpendPublicKeyP *coin_pub,
                                   struct TALER_TransferSecretP *transfer_secret)
{
  int ecdh_ret;

  ecdh_ret = GNUNET_CRYPTO_ecdh_eddsa (&trans_priv->ecdhe_priv,
                                       &coin_pub->eddsa_pub,
                                       &transfer_secret->key);
  GNUNET_assert (GNUNET_OK == ecdh_ret);
}
     151             : 
     152             : 
/**
 * Compute the shared transfer secret from the transfer public key
 * @a trans_pub and the coin's private key @a coin_priv.
 *
 * A failure of the underlying ECDH call trips GNUNET_assert.
 *
 * @param trans_pub transfer public key
 * @param coin_priv coin private key
 * @param[out] transfer_secret set to the shared secret
 */
void
TALER_link_recover_transfer_secret (const struct TALER_TransferPublicKeyP *trans_pub,
                                    const struct TALER_CoinSpendPrivateKeyP *coin_priv,
                                    struct TALER_TransferSecretP *transfer_secret)
{
  int ecdh_ret;

  ecdh_ret = GNUNET_CRYPTO_eddsa_ecdh (&coin_priv->eddsa_priv,
                                       &trans_pub->ecdhe_pub,
                                       &transfer_secret->key);
  GNUNET_assert (GNUNET_OK == ecdh_ret);
}
     171             : 
     172             : 
/**
 * Force the fixed bits of a private EdDSA key to the values the
 * specification requires.  The key is treated as a byte array and
 * bytes 0 and 31 are modified in place.
 *
 * @param[in,out] pk private key to patch
 */
static void
patch_private_key (struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
{
  /* Assumes the key struct holds at least 32 bytes -- TODO confirm. */
  uint8_t *bytes = (uint8_t *) pk;

  /* Taken from lines 170-172 of libgcrypt/cipher/ecc.c
   * We note that libgcrypt stores the private key in the reverse order
   * from many Ed25519 implementations. */
  bytes[0] = (uint8_t) ((bytes[0] & 0x7f)   /* Clear bit 255. */
                        | 0x40);            /* Set bit 254.   */
  bytes[31] = (uint8_t) (bytes[31] & 0xf8); /* Clear bits 2..0 so that d mod 8 == 0  */

  /* FIXME: Run GNUNET_CRYPTO_ecdhe_key_create several times and inspect
   * the output to verify that the same bits are set and cleared.
   * Is it worth also adding a test case that runs gcry_pk_testkey on
   * this key after first parsing it into libgcrypt's s-expression mess
   * ala decode_private_eddsa_key from gnunet/src/util/crypto_ecc.c?
   * It'd run check_secret_key but not test_keys from libgcrypt/cipher/ecc.c */
}
     198             : 
     199             : 
/**
 * Set up the secrets of a fresh coin by deriving them from a seed.
 *
 * The whole @a ps structure is filled with KDF output computed from
 * @a secret_seed, using the coin number (converted with htonl()) as salt
 * and a fixed context label.  Afterwards the fixed bits of the coin's
 * private key are patched.  A KDF failure trips GNUNET_assert.
 *
 * @param secret_seed seed to use for KDF to derive coin keys
 * @param coin_num_salt number of the coin to include in KDF
 * @param[out] ps value to initialize
 */
void
TALER_planchet_setup_refresh (const struct TALER_TransferSecretP *secret_seed,
                              unsigned int coin_num_salt,
                              struct TALER_PlanchetSecretsP *ps)
{
  /* Context label that separates this derivation from other KDF uses. */
  static const char kdf_label[] = "taler-coin-derivation";
  /* Fixed byte order, so the salt does not depend on the host. */
  const uint32_t salt_nbo = htonl (coin_num_salt);
  int kdf_ret;

  kdf_ret = GNUNET_CRYPTO_kdf (ps,
                               sizeof (*ps),
                               &salt_nbo,
                               sizeof (salt_nbo),
                               secret_seed,
                               sizeof (*secret_seed),
                               kdf_label,
                               strlen (kdf_label),
                               NULL, 0);
  GNUNET_assert (GNUNET_OK == kdf_ret);
  /* Raw KDF output is not yet a well-formed EdDSA private key. */
  patch_private_key (&ps->coin_priv.eddsa_priv);
}
     226             : 
     227             : 
/**
 * Set up the secrets of a fresh coin from random data.
 *
 * The whole @a ps structure is filled with random bytes of quality
 * #GNUNET_CRYPTO_QUALITY_STRONG, then the fixed bits of the coin's
 * private key are patched.
 *
 * @param[out] ps value to initialize
 */
void
TALER_planchet_setup_random (struct TALER_PlanchetSecretsP *ps)
{
  struct GNUNET_CRYPTO_EddsaPrivateKey *coin_key = &ps->coin_priv.eddsa_priv;

  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_STRONG,
                              ps,
                              sizeof (*ps));
  /* Random bytes are not yet a well-formed EdDSA private key. */
  patch_private_key (coin_key);
}
     241             : 
     242             : 
/**
 * Prepare a planchet for tipping.  Creates and blinds a coin.
 *
 * The coin's public key is derived from the private key in @a ps and
 * hashed into @a pd; the hash is then blinded under @a dk with the
 * blinding key from @a ps, and the hash of @a dk is stored in @a pd.
 * If blinding fails, the coin hash in @a pd has already been written
 * but the remaining fields are not set by this function.
 *
 * @param dk denomination key for the coin to be created
 * @param ps secret planchet internals (for #TALER_planchet_to_coin)
 * @param[out] pd set to the planchet detail for TALER_MERCHANT_tip_pickup() and
 *               other withdraw operations; the blinded coin buffer is
 *               presumably allocated by the blinding call and owned by
 *               the caller afterwards -- TODO confirm
 * @return #GNUNET_OK on success, #GNUNET_SYSERR if blinding failed
 */
int
TALER_planchet_prepare (const struct TALER_DenominationPublicKey *dk,
                        const struct TALER_PlanchetSecretsP *ps,
                        struct TALER_PlanchetDetail *pd)
{
  struct TALER_CoinSpendPublicKeyP coin_pub;
  int blind_ret;

  GNUNET_CRYPTO_eddsa_key_get_public (&ps->coin_priv.eddsa_priv,
                                      &coin_pub.eddsa_pub);
  /* NOTE(review): the hashed length is that of the ECDSA key struct
   * although an EdDSA public key is hashed; presumably both are the
   * same size -- confirm. */
  GNUNET_CRYPTO_hash (&coin_pub.eddsa_pub,
                      sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
                      &pd->c_hash);
  blind_ret = GNUNET_CRYPTO_rsa_blind (&pd->c_hash,
                                       &ps->blinding_key.bks,
                                       dk->rsa_public_key,
                                       &pd->coin_ev,
                                       &pd->coin_ev_size);
  if (GNUNET_YES != blind_ret)
  {
    GNUNET_break_op (0);
    return GNUNET_SYSERR;
  }
  GNUNET_CRYPTO_rsa_public_key_hash (dk->rsa_public_key,
                                     &pd->denom_pub_hash);
  return GNUNET_OK;
}
     278             : 
     279             : 
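/**
 * Obtain a coin from the planchet's secrets and the blind signature
 * of the exchange.
 *
 * The blind signature is unblinded with the blinding key from @a ps and
 * the result is verified against @a c_hash under @a dk before anything
 * is written to @a coin.  On success the unblinded signature is handed
 * over to @a coin (the caller becomes responsible for freeing it) and
 * the coin's private key is copied from @a ps.  On failure @a coin is
 * left untouched and the unblinded signature, if any, is freed.
 *
 * @param dk denomination key, must match what was given to #TALER_planchet_prepare()
 * @param blind_sig blind signature from the exchange
 * @param ps secrets from #TALER_planchet_prepare()
 * @param c_hash hash of the coin's public key for verification of the signature
 * @param[out] coin set to the details of the fresh coin
 * @return #GNUNET_OK on success,
 *         #GNUNET_SYSERR if unblinding failed or the signature is invalid
 */
int
TALER_planchet_to_coin (const struct TALER_DenominationPublicKey *dk,
                        const struct GNUNET_CRYPTO_RsaSignature *blind_sig,
                        const struct TALER_PlanchetSecretsP *ps,
                        const struct GNUNET_HashCode *c_hash,
                        struct TALER_FreshCoin *coin)
{
  struct GNUNET_CRYPTO_RsaSignature *sig;

  sig = GNUNET_CRYPTO_rsa_unblind (blind_sig,
                                   &ps->blinding_key.bks,
                                   dk->rsa_public_key);
  /* GNUNET_CRYPTO_rsa_unblind() can return NULL (e.g. for a bad RSA
   * key).  The key and signature come from the exchange, so treat this
   * as a protocol error instead of passing NULL on to the verifier. */
  if (NULL == sig)
  {
    GNUNET_break_op (0);
    return GNUNET_SYSERR;
  }
  /* Never accept a signature from the exchange without checking it. */
  if (GNUNET_OK !=
      GNUNET_CRYPTO_rsa_verify (c_hash,
                                sig,
                                dk->rsa_public_key))
  {
    GNUNET_break_op (0);
    GNUNET_CRYPTO_rsa_signature_free (sig);
    return GNUNET_SYSERR;
  }
  coin->sig.rsa_signature = sig;
  coin->coin_priv = ps->coin_priv;
  return GNUNET_OK;
}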
     316             : 
     317             : /* end of crypto.c */
