more work on new blind signing API

5 files changed, 165 insertions, 77 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 31472f7a1..44db5f466 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -3158,9 +3158,19 @@ struct GNUNET_CRYPTO_CsBlindedMessage
   struct GNUNET_CRYPTO_CsC c[2];
 
   /**
-   * Public nonce used to generate the R-values.
+   * Nonce used in initial request.
    */
   struct GNUNET_CRYPTO_CsSessionNonce nonce;
+
+};
+
+
+/**
+ * Pair of Public R values for Cs denominations
+ */
+struct GNUNET_CRYPTO_CSPublicRPairP
+{
+  struct GNUNET_CRYPTO_CsRPublic r_pub[2];
 };
 
 
@@ -3174,9 +3184,8 @@ struct GNUNET_CRYPTO_CsBlindedMessage
  * @param msg the message to blind in preparation for signing
  * @param msg_len length of message msg
  * @param[out] blinded_c array of the two blinded c's
- * @param[out] blinded_r_pub array of the two blinded R
+ * @param[out] r_pub_blind array of the two blinded R
  */
-// FIXME: function signature can probably be improved...
 void
 GNUNET_CRYPTO_cs_calc_blinded_c (
   const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
@@ -3185,7 +3194,7 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
   const void *msg,
   size_t msg_len,
   struct GNUNET_CRYPTO_CsC blinded_c[2],
-  struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2]);
+  struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind);
 
 
 /**
@@ -3471,15 +3480,6 @@ struct GNUNET_CRYPTO_BlindedMessage
 
 
 /**
- * Pair of Public R values for Cs denominations
- */
-struct GNUNET_CRYPTO_CSPublicRPairP
-{
-  struct GNUNET_CRYPTO_CsRPublic r_pub[2];
-};
-
-
-/**
  * Secret r for Cs denominations
  */
 struct GNUNET_CRYPTO_CSPrivateRPairP
@@ -3520,6 +3520,35 @@ struct GNUNET_CRYPTO_BlindingInputValues
 
 
 /**
+ * Nonce used to deterministiacally derive input values
+ * used in multi-round blind signature protocols.
+ */
+union GNUNET_CRYPTO_BlindSessionNonce
+{
+  /**
+   * Nonce used when signing with CS.
+   */
+  struct GNUNET_CRYPTO_CsSessionNonce cs_nonce;
+};
+
+
+/**
+ * Compute blinding input values for a given @a nonce and
+ * @a salt.
+ *
+ * @param bsign_priv private key to compute input values for
+ * @param nonce session nonce to derive input values from
+ * @param salt salt to include in derivation logic
+ * @return blinding input values 
+ */
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt);
+
+
+/**
  * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero.
  *
  * @param[in] bsign_pub key to free
@@ -3585,8 +3614,6 @@ GNUNET_CRYPTO_blinded_message_incref (
  */
 struct GNUNET_CRYPTO_BlindSignPublicKey *
 GNUNET_CRYPTO_bsign_pub_incref (struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub);
-
-
 /**
  * Increment reference counter of the given @a bsign_priv.
  *
@@ -3733,6 +3760,8 @@ union GNUNET_CRYPTO_BlindingSecretP
  *
  * @param bsign_pub public key to blind for
  * @param bks blinding secret to use
+ * @param nonce nonce used to obtain @a alg_values
+ *        can be NULL if input values are not used for the cipher
  * @param message message to sign
  * @param message_size number of bytes in @a message
  * @param alg_values algorithm specific values to blind the @a message
@@ -3742,6 +3771,7 @@ struct GNUNET_CRYPTO_BlindedMessage *
 GNUNET_CRYPTO_message_blind_to_sign (
   const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
   const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
   const void *message,
   size_t message_size,
   const struct GNUNET_CRYPTO_BlindingInputValues *alg_values);
@@ -3751,7 +3781,8 @@ GNUNET_CRYPTO_message_blind_to_sign (
  * Create blind signature.
  *
  * @param bsign_priv private key to use for signing
- * @param salt salt value to use for the HKDF
+ * @param salt salt value to use for the HKDF,
+ *        can be NULL if input values are not used for the cipher
  * @param blinded_message the already blinded message to sign
  * @return blind signature with RC=1, NULL on failure
  */
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
index bf6fbc119..469f6f5b8 100644
--- a/src/lib/util/crypto_blind_sign.c
+++ b/src/lib/util/crypto_blind_sign.c
@@ -388,10 +388,51 @@ GNUNET_CRYPTO_blind_sign_keys_create_va (
 }
 
 
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt)
+{
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
+
+  biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
+  biv->cipher = bsign_priv->cipher;
+  biv->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (biv);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return biv;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+
+      GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
+                                 salt,
+                                 &bsign_priv->details.cs_private_key,
+                                 cspriv);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
+                                     &biv->details.cs_values.r_pub[0]);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
+                                     &biv->details.cs_values.r_pub[1]);
+      return biv;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (biv);
+  return NULL;
+}
+
+
 struct GNUNET_CRYPTO_BlindedMessage *
 GNUNET_CRYPTO_message_blind_to_sign (
   const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
   const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
   const void *message,
   size_t message_size,
   const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
@@ -426,6 +467,12 @@ GNUNET_CRYPTO_message_blind_to_sign (
       struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
       struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
 
+      if (NULL == nonce)
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (bm);
+        return NULL;
+      }
       GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
                                                 bs);
       GNUNET_CRYPTO_cs_calc_blinded_c (
@@ -435,10 +482,9 @@ GNUNET_CRYPTO_message_blind_to_sign (
         message,
         message_size,
         bm->details.cs_blinded_message.c,
-        blinded_r_pub.r_pub);
+        &blinded_r_pub);
+      bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
       (void) blinded_r_pub;
-      // FIXME: bs->details.cs_blinded_message.nonce
-      // is NOT initialized here. Not elegant!
       return bm;
     }
   }
@@ -562,7 +608,7 @@ GNUNET_CRYPTO_blind_sig_unblind (
         message,
         message_size,
         c,
-        r_pub_blind.r_pub);
+        &r_pub_blind);
       b = blinded_sig->details.blinded_cs_answer.b;
       ub_sig->details.cs_signature.r_point
         = r_pub_blind.r_pub[b];
diff --git a/src/lib/util/crypto_cs.c b/src/lib/util/crypto_cs.c
index 2ff7c70ce..049f63062 100644
--- a/src/lib/util/crypto_cs.c
+++ b/src/lib/util/crypto_cs.c
@@ -158,8 +158,12 @@ cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash,
   // SHA-512 hash of R' and message
   size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
   char r_m_concat[r_m_concat_len];
-  memcpy (r_m_concat, r_dash, sizeof(struct GNUNET_CRYPTO_CsRPublic));
-  memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic), msg, msg_len);
+  memcpy (r_m_concat,
+          r_dash,
+          sizeof(struct GNUNET_CRYPTO_CsRPublic));
+  memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
+          msg,
+          msg_len);
   struct GNUNET_HashCode prehash;
 
   GNUNET_CRYPTO_hash (r_m_concat,
@@ -215,18 +219,21 @@ calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
                    alpha_mul_base.y,
                    bs->alpha.d));
   struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
-  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_mul_pub.y,
-                                                         bs->beta.d,
-                                                         pub->point.y));
+  GNUNET_assert (0 ==
+                 crypto_scalarmult_ed25519_noclamp (
+                   beta_mul_pub.y,
+                   bs->beta.d,
+                   pub->point.y));
   struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
   GNUNET_assert (0 == crypto_core_ed25519_add (
                    alpha_mul_base_plus_beta_mul_pub.y,
                    alpha_mul_base.y,
                    beta_mul_pub.y));
-  GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,
-                                               r_pub->point.y,
-                                               alpha_mul_base_plus_beta_mul_pub.
-                                               y));
+  GNUNET_assert (0 ==
+                 crypto_core_ed25519_add (
+                   blinded_r_pub->point.y,
+                   r_pub->point.y,
+                   alpha_mul_base_plus_beta_mul_pub.y));
 }
 
 
@@ -238,19 +245,33 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
   const void *msg,
   size_t msg_len,
   struct GNUNET_CRYPTO_CsC blinded_c[2],
-  struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+  struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
 {
-  // for i 0/1: R'i = Ri + alpha i*G + beta i*pub
-  calc_r_dash (&bs[0], &r_pub[0], pub, &blinded_r_pub[0]);
-  calc_r_dash (&bs[1], &r_pub[1], pub, &blinded_r_pub[1]);
-
-  // for i 0/1: c'i = H(R'i, msg)
+  /* for i 0/1: R'i = Ri + alpha i*G + beta i*pub */
+  calc_r_dash (&bs[0],
+               &r_pub[0],
+               pub,
+               &r_pub_blind->r_pub[0]);
+  calc_r_dash (&bs[1],
+               &r_pub[1],
+               pub,
+               &r_pub_blind->r_pub[1]);
+
+  /* for i 0/1: c'i = H(R'i, msg) */
   struct GNUNET_CRYPTO_CsC c_dash_0;
   struct GNUNET_CRYPTO_CsC c_dash_1;
-  cs_full_domain_hash (&blinded_r_pub[0], msg, msg_len, pub, &c_dash_0);
-  cs_full_domain_hash (&blinded_r_pub[1], msg, msg_len, pub, &c_dash_1);
+  cs_full_domain_hash (&r_pub_blind->r_pub[0],
+                       msg,
+                       msg_len,
+                       pub,
+                       &c_dash_0);
+  cs_full_domain_hash (&r_pub_blind->r_pub[1],
+                       msg,
+                       msg_len,
+                       pub,
+                       &c_dash_1);
 
-  // for i 0/1: ci = c'i + beta i mod p
+  /* for i 0/1: ci = c'i + beta i mod p */
   crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,
                                   c_dash_0.scalar.d,
                                   bs[0].beta.d);
diff --git a/src/lib/util/test_crypto_blind.c b/src/lib/util/test_crypto_blind.c
index 726516bc2..d7efd79ea 100644
--- a/src/lib/util/test_crypto_blind.c
+++ b/src/lib/util/test_crypto_blind.c
@@ -34,13 +34,12 @@ main (int argc,
 {
   struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
   struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
-  struct GNUNET_CRYPTO_BlindingInputValues biv;
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
   struct GNUNET_CRYPTO_BlindedMessage *bm;
   struct GNUNET_CRYPTO_BlindedSignature *bsig;
   struct GNUNET_CRYPTO_UnblindedSignature *sig;
   union GNUNET_CRYPTO_BlindingSecretP bsec;
-  struct GNUNET_CRYPTO_CsSessionNonce nonce;
-  struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+  union GNUNET_CRYPTO_BlindSessionNonce nonce;
 
   GNUNET_log_setup ("test-crypto-blind",
                     "WARNING",
@@ -55,21 +54,15 @@ main (int argc,
                  GNUNET_CRYPTO_blind_sign_keys_create (&priv,
                                                        &pub,
                                                        GNUNET_CRYPTO_BSA_CS));
-  biv.cipher  = GNUNET_CRYPTO_BSA_CS;
-  GNUNET_CRYPTO_cs_r_derive (&nonce,
-                             "salt",
-                             &priv->details.cs_private_key,
-                             cspriv);
-  GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
-                                 &biv.details.cs_values.r_pub[0]);
-  GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
-                                 &biv.details.cs_values.r_pub[1]);
+  biv = GNUNET_CRYPTO_get_blinding_input_values (priv,
+                                                 &nonce,
+                                                 "salt");
   bm = GNUNET_CRYPTO_message_blind_to_sign (pub,
                                             &bsec,
+                                            &nonce,
                                             "hello",
                                             5,
-                                            &biv);
-  bm->details.cs_blinded_message.nonce = nonce; // FIXME: ugly!
+                                            biv);
   bsig = GNUNET_CRYPTO_blind_sign (priv,
                                    "salt",
                                    bm);
@@ -77,7 +70,7 @@ main (int argc,
                                          &bsec,
                                          "hello",
                                          5,
-                                         &biv,
+                                         biv,
                                          pub);
   GNUNET_assert (GNUNET_OK ==
                  GNUNET_CRYPTO_blind_sig_verify (pub,
diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c
index 5b3aac778..ee68db72f 100644
--- a/src/lib/util/test_crypto_cs.c
+++ b/src/lib/util/test_crypto_cs.c
@@ -216,7 +216,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
                     const void *msg,
                     size_t msg_len,
                     struct GNUNET_CRYPTO_CsC blinded_cs[2],
-                    struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+                    struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
 {
   /* TEST 1
    * Check that the blinded c's and blinded r's
@@ -227,10 +227,8 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
           &blinded_cs[0],
           sizeof(struct GNUNET_CRYPTO_CsC) * 2);
 
-  struct GNUNET_CRYPTO_CsRPublic other_blinded_r_pub[2];
-  memcpy (&other_blinded_r_pub[0],
-          &blinded_r_pub[0],
-          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+  struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
+  other_blinded_pub = *blinded_r_pub;
 
   GNUNET_CRYPTO_cs_calc_blinded_c (bs,
                                    r_pub,
@@ -243,9 +241,9 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
   GNUNET_assert (0 != memcmp (&other_blinded_c[0],
                               &blinded_cs[0],
                               sizeof(struct GNUNET_CRYPTO_CsC) * 2));
-  GNUNET_assert (0 != memcmp (&other_blinded_r_pub[0],
-                              &blinded_r_pub[0],
-                              sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+  GNUNET_assert (0 !=
+                 GNUNET_memcmp (&other_blinded_pub,
+                                blinded_r_pub));
 
   /* TEST 2
    * Check if R' - aG -bX = R for b = 0
@@ -270,7 +268,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
     GNUNET_assert (0 ==
                    crypto_core_ed25519_sub (
                      r_min_aG.y,
-                     blinded_r_pub[b].point.y,
+                     blinded_r_pub->r_pub[b].point.y,
                      aG.y));
     GNUNET_assert (0 == crypto_core_ed25519_sub (
                      res.point.y,
@@ -289,10 +287,10 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
    */
   GNUNET_assert (1 ==
                  crypto_core_ed25519_is_valid_point (
-                   blinded_r_pub[0].point.y));
+                   blinded_r_pub->r_pub[0].point.y));
   GNUNET_assert (1 ==
                  crypto_core_ed25519_is_valid_point (
-                   blinded_r_pub[1].point.y));
+                   blinded_r_pub->r_pub[1].point.y));
 
   /* TEST 4
    * Check if function gives the same result for the same input.
@@ -300,9 +298,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
   memcpy (&other_blinded_c[0],
           &blinded_cs[0],
           sizeof(struct GNUNET_CRYPTO_CsC) * 2);
-  memcpy (&other_blinded_r_pub[0],
-          &blinded_r_pub[0],
-          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
+  other_blinded_pub = *blinded_r_pub;
 
   for (unsigned int i = 0; i<ITER; i++)
   {
@@ -313,12 +309,13 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
                                      msg_len,
                                      blinded_cs,
                                      blinded_r_pub);
-    GNUNET_assert (0 == memcmp (&other_blinded_c[0],
-                                &blinded_cs[0],
-                                sizeof(struct GNUNET_CRYPTO_CsC) * 2));
-    GNUNET_assert (0 == memcmp (&other_blinded_r_pub[0],
-                                &blinded_r_pub[0],
-                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+    GNUNET_assert (0 ==
+                   memcmp (&other_blinded_c[0],
+                           &blinded_cs[0],
+                           sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&other_blinded_pub,
+                                  blinded_r_pub));
   }
 }
 
@@ -563,12 +560,12 @@ main (int argc,
   // calculate blinded c's
   struct GNUNET_CRYPTO_CsBlindedMessage bm; 
   struct GNUNET_CRYPTO_CsC blinded_cs[2];
-  struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];
+  struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
 
   memset (blinded_cs,
           42,
           sizeof (blinded_cs));
-  memset (blinded_r_pubs,
+  memset (&blinded_r_pubs,
           42,
           sizeof (blinded_r_pubs));
   test_calc_blindedc (blindingsecrets,
@@ -577,7 +574,7 @@ main (int argc,
                       message,
                       message_len,
                       blinded_cs,
-                      blinded_r_pubs);
+                      &blinded_r_pubs);
 
   // ---------- actions performed by signer
   // sign blinded c's and get b and s in return
@@ -614,7 +611,7 @@ main (int argc,
 
   // verify unblinded signature
   struct GNUNET_CRYPTO_CsSignature signature;
-  signature.r_point = blinded_r_pubs[blinded_s.b];
+  signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
   signature.s_scalar = sig_scalar;
   test_verify (&signature,
                &pub,