13 files changed, 663 insertions, 152 deletions

diff --git a/configure.ac b/configure.ac
index ac00bd5d6..017b4836c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1658,6 +1658,7 @@ src/vpn/vpn.conf
 src/zonemaster/Makefile
 src/zonemaster/zonemaster.conf
 src/rest/Makefile
+src/abe/Makefile
 src/identity-attribute/Makefile
 src/identity-provider/Makefile
 pkgconfig/Makefile
diff --git a/Dockerfile b/contrib/Dockerfile
index 5a193a46d..5a193a46d 100644
--- a/Dockerfile
+++ b/contrib/Dockerfile
diff --git a/docker-entrypoint.sh b/contrib/docker-entrypoint.sh
index 807d86d6f..807d86d6f 100644
--- a/docker-entrypoint.sh
+++ b/contrib/docker-entrypoint.sh
diff --git a/po/POTFILES.in b/po/POTFILES.in
index e0654d4b4..2fcb74c09 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,3 +1,4 @@
+src/abe/abe.c
 src/arm/arm_api.c
 src/arm/arm_monitor_api.c
 src/arm/gnunet-arm.c
diff --git a/src/Makefile.am b/src/Makefile.am
index fcdd44bfb..6d0284157 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -14,9 +14,10 @@ if HAVE_EXPERIMENTAL
   rps
 #  dv (FTBFS)
 if HAVE_ABE
-  EXP_DIR += identity-attribute \
-                                                 identity-provider \
-                                                 credential
+  EXP_DIR += abe \
+                                                 credential \
+                   identity-attribute \
+                                                 identity-provider 
 endif
 endif
 
diff --git a/src/abe/Makefile.am b/src/abe/Makefile.am
new file mode 100644
index 000000000..308e6c67c
--- /dev/null
+++ b/src/abe/Makefile.am
@@ -0,0 +1,50 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+libexecdir= $(pkglibdir)/libexec/
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+dist_pkgcfg_DATA = \
+  abe.conf
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+libgnunetabe_la_SOURCES = abe.c 
+
+libgnunetabe_la_LIBADD = \
+  $(GCLIBADD)\
+  $(LIBGCRYPT_LIBS) \
+  $(LTLIBICONV) \
+  $(LTLIBINTL) \
+        $(ABE_LIBADD) \
+        -lgabe \
+        -lpbc \
+        -lglib-2.0 \
+  -lltdl $(Z_LIBS) -lunistring $(XLIB)
+
+libgnunetabe_la_LDFLAGS = \
+  $(GN_LIB_LDFLAGS) \
+  -version-info 1:0:0
+
+lib_LTLIBRARIES = libgnunetabe.la
+
+if ENABLE_TEST_RUN
+AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+TESTS = $(check_PROGRAMS)
+endif
+
+check_PROGRAMS = test_cpabe 
+
+test_cpabe_SOURCES = \
+ test_cpabe.c
+test_cpabe_LDADD = \
+ libgnunetabe.la \
+ $(top_builddir)/src/util/libgnunetutil.la
+check_PROGRAMS += \
+ test_cpabe
diff --git a/src/abe/abe.c b/src/abe/abe.c
new file mode 100644
index 000000000..d008cc522
--- /dev/null
+++ b/src/abe/abe.c
@@ -0,0 +1,417 @@
+/*
+     This file is part of GNUnet.  Copyright (C) 2001-2014 Christian Grothoff
+     (and other contributing authors)
+
+     GNUnet is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published
+     by the Free Software Foundation; either version 3, or (at your
+     option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with GNUnet; see the file COPYING.  If not, write to the
+     Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+     Boston, MA 02110-1301, USA.
+
+*/
+
+/**
+ * @file util/crypto_random.c
+ * @brief functions to gather random numbers
+ * @author Christian Grothoff
+ */
+
+
+#include "platform.h"
+#include <pbc/pbc.h>
+#include <gabe.h>
+
+#include "gnunet_crypto_lib.h"
+#include "gnunet_abe_lib.h"
+
+struct GNUNET_ABE_AbeMasterKey
+{
+  gabe_pub_t* pub;
+  gabe_msk_t* msk;
+};
+
+struct GNUNET_ABE_AbeKey
+{
+  gabe_pub_t* pub;
+  gabe_prv_t* prv;
+};
+
+static int
+init_aes( element_t k, int enc,
+          gcry_cipher_hd_t* handle,
+          struct GNUNET_CRYPTO_SymmetricSessionKey *key,
+          unsigned char* iv)
+{
+  int rc;
+  int key_len;
+  unsigned char* key_buf;
+  
+  key_len = element_length_in_bytes(k) < 33 ? 3 : element_length_in_bytes(k);
+  key_buf = (unsigned char*) malloc(key_len);
+  element_to_bytes(key_buf, k);
+
+  memcpy (key->aes_key, key_buf, GNUNET_CRYPTO_AES_KEY_LENGTH); 
+  GNUNET_assert (0 ==
+                 gcry_cipher_open (handle, GCRY_CIPHER_AES256,
+                                   GCRY_CIPHER_MODE_CFB, 0));
+  rc = gcry_cipher_setkey (*handle,
+                           key->aes_key,
+                           sizeof (key->aes_key));
+  GNUNET_assert ((0 == rc) || ((char) rc == GPG_ERR_WEAK_KEY));
+  memset (iv, 0, 16); //TODO make reasonable
+  rc = gcry_cipher_setiv (*handle,
+                          iv,
+                          16);
+  GNUNET_assert ((0 == rc) || ((char) rc == GPG_ERR_WEAK_KEY));
+
+  free(key_buf);
+  return rc;
+}
+
+static int
+aes_128_cbc_encrypt( char* pt,
+                     int size,
+                     element_t k,
+                     char **ct )
+{
+  gcry_cipher_hd_t handle;
+  struct GNUNET_CRYPTO_SymmetricSessionKey skey;
+  unsigned char iv[16];
+  char* buf;
+  int padding;
+  int buf_size;
+  uint8_t len[4];
+  init_aes(k, 1, &handle, &skey, iv);
+
+  /* TODO make less crufty */
+
+  /* stuff in real length (big endian) before padding */
+  len[0] = (size & 0xff000000)>>24;
+  len[1] = (size & 0xff0000)>>16;
+  len[2] = (size & 0xff00)>>8;
+  len[3] = (size & 0xff)>>0;
+  padding = 16 - ((4+size) % 16);
+  buf_size = 4 + size + padding;
+  buf = GNUNET_malloc (buf_size);
+  GNUNET_memcpy (buf, len, 4);
+  GNUNET_memcpy (buf+4, pt, size);
+  *ct = GNUNET_malloc (buf_size);
+
+  GNUNET_assert (0 == gcry_cipher_encrypt (handle, *ct, buf_size, buf, buf_size));
+  gcry_cipher_close (handle);
+  //AES_cbc_encrypt(pt->data, ct->data, pt->len, &key, iv, AES_ENCRYPT);
+  GNUNET_free (buf);
+  return buf_size;
+}
+
+static int
+aes_128_cbc_decrypt( char* ct,
+                     int size,
+                     element_t k,
+                     char **pt )
+{
+  struct GNUNET_CRYPTO_SymmetricSessionKey skey;
+  gcry_cipher_hd_t handle;
+  unsigned char iv[16];
+  char* tmp;
+  uint32_t len;
+  
+  init_aes(k, 1, &handle, &skey, iv);
+
+  tmp = GNUNET_malloc (size);
+
+  //AES_cbc_encrypt(ct->data, pt->data, ct->len, &key, iv, AES_DECRYPT);
+  GNUNET_assert (0 == gcry_cipher_decrypt (handle, tmp, size, ct, size)); 
+  gcry_cipher_close (handle);
+  /* TODO make less crufty */
+  
+  /* get real length */
+  len = 0;
+  len = len
+    | ((tmp[0])<<24) | ((tmp[1])<<16)
+    | ((tmp[2])<<8)  | ((tmp[3])<<0);
+  /* truncate any garbage from the padding */
+  *pt = GNUNET_malloc (len);
+  GNUNET_memcpy (*pt, tmp+4, len);
+  GNUNET_free (tmp);
+  return len;
+}
+
+struct GNUNET_ABE_AbeMasterKey*
+GNUNET_ABE_cpabe_create_master_key (void)
+{
+  struct GNUNET_ABE_AbeMasterKey* key;
+  key = GNUNET_new (struct GNUNET_ABE_AbeMasterKey);
+  gabe_setup(&key->pub, &key->msk);
+  GNUNET_assert (NULL != key->pub);
+  GNUNET_assert (NULL != key->msk);
+  return key;
+}
+
+void
+GNUNET_ABE_cpabe_delete_master_key (struct GNUNET_ABE_AbeMasterKey *key)
+{
+  gabe_msk_free (key->msk);
+  gabe_pub_free (key->pub);
+  //GNUNET_free (key->msk);
+  //gabe_msk_free (key->msk); //For some reason free of pub implicit?
+  GNUNET_free (key);
+}
+
+struct GNUNET_ABE_AbeKey*
+GNUNET_ABE_cpabe_create_key (struct GNUNET_ABE_AbeMasterKey *key,
+                             char **attrs)
+{
+  struct GNUNET_ABE_AbeKey *prv_key;
+  int size;
+  char *tmp;
+  
+  prv_key = GNUNET_new (struct GNUNET_ABE_AbeKey);
+  prv_key->prv = gabe_keygen(key->pub, key->msk, attrs);
+  size = gabe_pub_serialize(key->pub, &tmp);
+  prv_key->pub = gabe_pub_unserialize(tmp, size);
+  GNUNET_free (tmp);
+  GNUNET_assert (NULL != prv_key->prv);
+  return prv_key;
+}
+
+void
+GNUNET_ABE_cpabe_delete_key (struct GNUNET_ABE_AbeKey *key,
+                                int delete_pub)
+{
+  //Memory management in gabe is buggy
+  gabe_prv_free (key->prv);
+  if (GNUNET_YES == delete_pub)
+    gabe_pub_free (key->pub);
+  GNUNET_free (key);
+}
+
+ssize_t
+write_cpabe (void **result,
+             uint32_t file_len,
+             char* cph_buf,
+             int cph_buf_len,
+             char* aes_buf,
+             int aes_buf_len)
+{
+  char *ptr;
+  uint32_t *len;
+  
+  *result = GNUNET_malloc (12 + cph_buf_len + aes_buf_len);
+  ptr = *result;
+  len = (uint32_t*) ptr;
+  *len = htonl (file_len);
+  ptr += 4;
+  len = (uint32_t*) ptr;
+  *len = htonl (aes_buf_len);
+  ptr += 4;
+  memcpy (ptr, aes_buf, aes_buf_len);
+  ptr += aes_buf_len;
+  len = (uint32_t*) ptr;
+  *len = htonl (cph_buf_len);
+  ptr += 4;
+  memcpy (ptr, cph_buf, cph_buf_len);
+  return 12 + cph_buf_len + aes_buf_len;
+}
+
+ssize_t
+read_cpabe (const void *data,
+            char** cph_buf,
+            int *cph_buf_len,
+            char** aes_buf,
+            int *aes_buf_len)
+{
+  int buf_len;
+  char *ptr;
+  uint32_t *len;
+
+  ptr = (char*)data;
+  len = (uint32_t*)ptr;
+  buf_len = ntohl (*len);
+  ptr += 4;
+  len = (uint32_t*)ptr;
+  *aes_buf_len = ntohl (*len);
+  ptr += 4;
+  *aes_buf = GNUNET_malloc (*aes_buf_len);
+  memcpy(*aes_buf, ptr, *aes_buf_len);
+  ptr += *aes_buf_len;
+  len = (uint32_t*)ptr;
+  *cph_buf_len = ntohl (*len);
+  ptr += 4;
+  *cph_buf = GNUNET_malloc (*cph_buf_len);
+  memcpy(*cph_buf, ptr, *cph_buf_len);
+
+  return buf_len;
+}
+
+ssize_t
+GNUNET_ABE_cpabe_encrypt (const void *block,
+                             size_t size,
+                             const char *policy,
+                             const struct GNUNET_ABE_AbeMasterKey *key,
+                             void **result)
+{
+  gabe_cph_t* cph;
+  char* plt;
+  char* cph_buf;
+  char* aes_buf;
+  element_t m;
+  int cph_buf_len;
+  int aes_buf_len;
+  ssize_t result_len;
+
+  if( !(cph = gabe_enc(key->pub, m, (char*)policy)) )
+    return GNUNET_SYSERR;
+  cph_buf_len = gabe_cph_serialize(cph,
+                                &cph_buf);
+  gabe_cph_free(cph);
+  GNUNET_free (cph);
+  plt = GNUNET_memdup (block, size);
+  aes_buf_len = aes_128_cbc_encrypt(plt, size, m, &aes_buf);
+  GNUNET_free (plt);
+  element_clear(m);
+  result_len = write_cpabe(result, size, cph_buf, cph_buf_len, aes_buf, aes_buf_len);
+  GNUNET_free(cph_buf);
+  GNUNET_free(aes_buf);
+  return result_len;
+}
+
+ssize_t
+GNUNET_ABE_cpabe_decrypt (const void *block,
+                             size_t size,
+                             const struct GNUNET_ABE_AbeKey *key,
+                             void **result)
+{
+  char* aes_buf;
+  char* cph_buf;
+  gabe_cph_t* cph;
+  element_t m;
+  int cph_buf_size;
+  int aes_buf_size;
+  int plt_len;
+
+  read_cpabe(block, &cph_buf, &cph_buf_size, &aes_buf, &aes_buf_size);
+  cph = gabe_cph_unserialize(key->pub, cph_buf, cph_buf_size);
+  if( !gabe_dec(key->pub, key->prv, cph, m) ) {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "%s\n", gabe_error());
+    GNUNET_free (aes_buf);
+    GNUNET_free (cph_buf);
+    gabe_cph_free(cph);
+    GNUNET_free (cph);
+    element_clear (m);
+    return GNUNET_SYSERR;
+  }
+  gabe_cph_free(cph);
+  GNUNET_free (cph);
+  plt_len = aes_128_cbc_decrypt(aes_buf, aes_buf_size, m, (char**)result);
+  GNUNET_free (cph_buf);
+  GNUNET_free (aes_buf);
+  element_clear (m);
+  //freeing is buggy in gabe
+  //gabe_prv_free (prv);
+  //gabe_pub_free (pub);
+  return plt_len;
+}
+
+ssize_t
+GNUNET_ABE_cpabe_serialize_key (const struct GNUNET_ABE_AbeKey *key,
+                                   void **result)
+{
+  ssize_t len;
+  char *pub;
+  char *prv;
+  int pub_len;
+  int prv_len;
+
+  pub_len = gabe_pub_serialize (key->pub, &pub);
+  prv_len = gabe_prv_serialize (key->prv, &prv);
+
+  len = pub_len + prv_len + 12;
+  write_cpabe (result, len, pub, pub_len, prv, prv_len);
+
+  GNUNET_free (pub);
+  GNUNET_free (prv);
+
+  return len;
+}
+
+struct GNUNET_ABE_AbeKey*
+GNUNET_ABE_cpabe_deserialize_key (const void *data,
+                                     size_t len)
+{
+  struct GNUNET_ABE_AbeKey *key;
+  char *pub;
+  char *prv;
+  int prv_len;
+  int pub_len;
+
+  key = GNUNET_new (struct GNUNET_ABE_AbeKey);
+  read_cpabe (data,
+              &pub,
+              &pub_len,
+              &prv,
+              &prv_len);
+  key->pub = gabe_pub_unserialize (pub, pub_len);
+  key->prv = gabe_prv_unserialize (key->pub, prv, prv_len);
+  
+  GNUNET_free (pub);
+  GNUNET_free (prv);
+  return key;
+}
+
+ssize_t
+GNUNET_ABE_cpabe_serialize_master_key (const struct GNUNET_ABE_AbeMasterKey *key,
+                                          void **result)
+{
+  ssize_t len;
+  char *pub;
+  char *msk;
+  int pub_len;
+  int msk_len;
+
+  pub_len = gabe_pub_serialize (key->pub, &pub);
+  msk_len = gabe_msk_serialize (key->msk, &msk);
+
+  len = pub_len + msk_len + 12;
+  write_cpabe (result, len, pub, pub_len, msk, msk_len);
+
+  GNUNET_free (pub);
+  GNUNET_free (msk);
+
+  return len;
+}
+
+struct GNUNET_ABE_AbeMasterKey*
+GNUNET_ABE_cpabe_deserialize_master_key (const void *data,
+                                            size_t len)
+{
+  struct GNUNET_ABE_AbeMasterKey *key;
+  char *msk;
+  char *pub;
+  int msk_len;
+  int pub_len;
+
+  key = GNUNET_new (struct GNUNET_ABE_AbeMasterKey);
+  read_cpabe (data,
+              &pub,
+              &pub_len,
+              &msk,
+              &msk_len);
+  key->pub = gabe_pub_unserialize (pub, pub_len);
+  key->msk = gabe_msk_unserialize (key->pub, msk, msk_len);
+  
+  GNUNET_free (pub);
+  GNUNET_free (msk);
+
+  return key;
+}
diff --git a/src/util/test_crypto_abe.c b/src/abe/test_cpabe.c
index cb36dccae..9b2062b23 100644
--- a/src/util/test_crypto_abe.c
+++ b/src/abe/test_cpabe.c
@@ -25,20 +25,21 @@
  */
 #include "platform.h"
 #include "gnunet_util_lib.h"
+#include "gnunet_abe_lib.h"
 
 #define TESTSTRING "Hello World!"
 
 static int
 testAbecipher ()
 {
-  struct GNUNET_CRYPTO_AbeMasterKey *msk;
-  struct GNUNET_CRYPTO_AbeKey *key;
+  struct GNUNET_ABE_AbeMasterKey *msk;
+  struct GNUNET_ABE_AbeKey *key;
   char *result;
   char **attrs;
   int size;
   char *res;
-  msk = GNUNET_CRYPTO_cpabe_create_master_key ();
-  size = GNUNET_CRYPTO_cpabe_encrypt (TESTSTRING, strlen (TESTSTRING) + 1,
+  msk = GNUNET_ABE_cpabe_create_master_key ();
+  size = GNUNET_ABE_cpabe_encrypt (TESTSTRING, strlen (TESTSTRING) + 1,
                                       "testattr", //Policy
                                       msk,
                                       (void*)&result);
@@ -46,10 +47,10 @@ testAbecipher ()
   attrs = GNUNET_malloc (2 * sizeof (char*));
   attrs[0] = "testattr";
   attrs[1] = NULL;
-  key = GNUNET_CRYPTO_cpabe_create_key (msk,
+  key = GNUNET_ABE_cpabe_create_key (msk,
                                         attrs);
 
-  size = GNUNET_CRYPTO_cpabe_decrypt (result, size,
+  size = GNUNET_ABE_cpabe_decrypt (result, size,
                                       key,
                                       (void*)&res);
   if (strlen (TESTSTRING) + 1 != size)
diff --git a/src/identity-provider/Makefile.am b/src/identity-provider/Makefile.am
index 5c5ddaa57..adf6af3b3 100644
--- a/src/identity-provider/Makefile.am
+++ b/src/identity-provider/Makefile.am
@@ -70,6 +70,7 @@ gnunet_service_identity_provider_LDADD = \
  $(top_builddir)/src/namestore/libgnunetnamestore.la \
  $(top_builddir)/src/identity/libgnunetidentity.la \
  $(top_builddir)/src/statistics/libgnunetstatistics.la \
+ $(top_builddir)/src/abe/libgnunetabe.la \
  $(top_builddir)/src/credential/libgnunetcredential.la \
  $(top_builddir)/src/identity-attribute/libgnunetidentityattribute.la \
  libgnunetidentityprovider.la \
diff --git a/src/identity-provider/gnunet-service-identity-provider.c b/src/identity-provider/gnunet-service-identity-provider.c
index a5c178aa5..351308c3a 100644
--- a/src/identity-provider/gnunet-service-identity-provider.c
+++ b/src/identity-provider/gnunet-service-identity-provider.c
@@ -30,6 +30,7 @@
 #include "gnunet_identity_service.h"
 #include "gnunet_gnsrecord_lib.h"
 #include "gnunet_namestore_service.h"
+#include "gnunet_abe_lib.h"
 #include "gnunet_credential_service.h"
 #include "gnunet_statistics_service.h"
 #include "gnunet_gns_service.h"
@@ -205,7 +206,7 @@ struct TicketIteration
  */
 typedef void
 (*AbeBootstrapResult) (void *cls,
-                       struct GNUNET_CRYPTO_AbeMasterKey *abe_key);
+                       struct GNUNET_ABE_AbeMasterKey *abe_key);
 
 
 struct AbeBootstrapHandle
@@ -233,7 +234,7 @@ struct AbeBootstrapHandle
   /**
    * The issuer egos ABE master key
    */
-  struct GNUNET_CRYPTO_AbeMasterKey *abe_key;
+  struct GNUNET_ABE_AbeMasterKey *abe_key;
 };
 
 /**
@@ -264,7 +265,7 @@ struct AttributeIterator
   /**
    * The issuer egos ABE master key
    */
-  struct GNUNET_CRYPTO_AbeMasterKey *abe_key;
+  struct GNUNET_ABE_AbeMasterKey *abe_key;
 
   /**
    * Namestore iterator
@@ -355,7 +356,7 @@ struct AttributeStoreHandle
   /**
    * The issuer egos ABE master key
    */
-  struct GNUNET_CRYPTO_AbeMasterKey *abe_key;
+  struct GNUNET_ABE_AbeMasterKey *abe_key;
 
   /**
    * QueueEntry
@@ -423,7 +424,7 @@ struct ConsumeTicketHandle
   /**
    * The ABE key
    */
-  struct GNUNET_CRYPTO_AbeKey *key;
+  struct GNUNET_ABE_AbeKey *key;
 
   /**
    * Attributes
@@ -520,7 +521,7 @@ struct TicketRevocationHandle
   /**
    * The ABE master key
    */
-  struct GNUNET_CRYPTO_AbeMasterKey *abe_key;
+  struct GNUNET_ABE_AbeMasterKey *abe_key;
 
   /**
    * Offset
@@ -690,7 +691,7 @@ bootstrap_store_task (void *cls)
   struct GNUNET_GNSRECORD_Data rd[1];
   char *key;
 
-  rd[0].data_size = GNUNET_CRYPTO_cpabe_serialize_master_key (abh->abe_key,
+  rd[0].data_size = GNUNET_ABE_cpabe_serialize_master_key (abh->abe_key,
                                                               (void**)&key);
   rd[0].data = key;
   rd[0].record_type = GNUNET_GNSRECORD_TYPE_ABE_MASTER;
@@ -730,13 +731,13 @@ bootstrap_abe_result (void *cls,
                       const struct GNUNET_GNSRECORD_Data *rd)
 {
   struct AbeBootstrapHandle *abh = cls;
-  struct GNUNET_CRYPTO_AbeMasterKey *abe_key;
+  struct GNUNET_ABE_AbeMasterKey *abe_key;
   int i;
 
   for (i=0;i<rd_count;i++) {
     if (GNUNET_GNSRECORD_TYPE_ABE_MASTER != rd[i].record_type)
       continue;
-    abe_key = GNUNET_CRYPTO_cpabe_deserialize_master_key (rd[i].data,
+    abe_key = GNUNET_ABE_cpabe_deserialize_master_key (rd[i].data,
                                                           rd[i].data_size);
     abh->proc (abh->proc_cls, abe_key);
     GNUNET_free (abh);
@@ -744,7 +745,7 @@ bootstrap_abe_result (void *cls,
   }
 
   //No ABE master found, bootstrapping...
-  abh->abe_key = GNUNET_CRYPTO_cpabe_create_master_key ();
+  abh->abe_key = GNUNET_ABE_cpabe_create_master_key ();
   GNUNET_SCHEDULER_add_now (&bootstrap_store_task, abh);
 }
 
@@ -767,7 +768,7 @@ bootstrap_abe (const struct GNUNET_CRYPTO_EcdsaPrivateKey *identity,
   abh->identity = *identity;
   if (GNUNET_YES == recreate)
   {
-    abh->abe_key = GNUNET_CRYPTO_cpabe_create_master_key ();
+    abh->abe_key = GNUNET_ABE_cpabe_create_master_key ();
     GNUNET_SCHEDULER_add_now (&bootstrap_store_task, abh);
   } else {
     abh->ns_qe = GNUNET_NAMESTORE_records_lookup (ns_handle,
@@ -874,7 +875,7 @@ store_ticket_issue_cont (void *cls,
 int
 serialize_abe_keyinfo2 (const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket,
                         const struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs,
-                        const struct GNUNET_CRYPTO_AbeKey *rp_key,
+                        const struct GNUNET_ABE_AbeKey *rp_key,
                         struct GNUNET_CRYPTO_EcdhePrivateKey **ecdh_privkey,
                         char **result)
 {
@@ -892,7 +893,7 @@ serialize_abe_keyinfo2 (const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket,
   struct GNUNET_HashCode new_key_hash;
   ssize_t enc_size;
 
-  size = GNUNET_CRYPTO_cpabe_serialize_key (rp_key,
+  size = GNUNET_ABE_cpabe_serialize_key (rp_key,
                                             (void**)&serialized_key);
   attrs_str_len = 0;
   for (le = attrs->list_head; NULL != le; le = le->next) {
@@ -951,13 +952,13 @@ serialize_abe_keyinfo2 (const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket,
 
 static void
 issue_ticket_after_abe_bootstrap (void *cls,
-                                  struct GNUNET_CRYPTO_AbeMasterKey *abe_key)
+                                  struct GNUNET_ABE_AbeMasterKey *abe_key)
 {
   struct TicketIssueHandle *ih = cls;
   struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le;
   struct GNUNET_CRYPTO_EcdhePrivateKey *ecdhe_privkey;
   struct GNUNET_GNSRECORD_Data code_record[1];
-  struct GNUNET_CRYPTO_AbeKey *rp_key;
+  struct GNUNET_ABE_AbeKey *rp_key;
   char *code_record_data;
   char **attrs;
   char *label;
@@ -983,7 +984,7 @@ issue_ticket_after_abe_bootstrap (void *cls,
     i++;
   }
   attrs[i] = NULL;
-  rp_key = GNUNET_CRYPTO_cpabe_create_key (abe_key,
+  rp_key = GNUNET_ABE_cpabe_create_key (abe_key,
                                            attrs);
 
   //TODO review this wireformat
@@ -1014,9 +1015,9 @@ issue_ticket_after_abe_bootstrap (void *cls,
   GNUNET_free (label);
   GNUNET_free (attrs);
   GNUNET_free (code_record_data);
-  GNUNET_CRYPTO_cpabe_delete_key (rp_key,
+  GNUNET_ABE_cpabe_delete_key (rp_key,
                                   GNUNET_YES);
-  GNUNET_CRYPTO_cpabe_delete_master_key (abe_key);
+  GNUNET_ABE_cpabe_delete_master_key (abe_key);
 }
 
 
@@ -1091,7 +1092,7 @@ cleanup_revoke_ticket_handle (struct TicketRevocationHandle *handle)
   if (NULL != handle->rvk_attrs)
     GNUNET_IDENTITY_ATTRIBUTE_list_destroy (handle->rvk_attrs);
   if (NULL != handle->abe_key)
-    GNUNET_CRYPTO_cpabe_delete_master_key (handle->abe_key);
+    GNUNET_ABE_cpabe_delete_master_key (handle->abe_key);
   if (NULL != handle->ns_qe)
     GNUNET_NAMESTORE_cancel (handle->ns_qe);
   if (NULL != handle->ns_it)
@@ -1183,7 +1184,7 @@ ticket_reissue_proc (void *cls,
   struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le_rollover;
   struct GNUNET_CRYPTO_EcdhePrivateKey *ecdhe_privkey;
   struct GNUNET_GNSRECORD_Data code_record[1];
-  struct GNUNET_CRYPTO_AbeKey *rp_key;
+  struct GNUNET_ABE_AbeKey *rp_key;
   char *code_record_data;
   char **attr_arr;
   char *label;
@@ -1263,7 +1264,7 @@ ticket_reissue_proc (void *cls,
     i++;
   }
   attr_arr[i] = NULL;
-  rp_key = GNUNET_CRYPTO_cpabe_create_key (rh->abe_key,
+  rp_key = GNUNET_ABE_cpabe_create_key (rh->abe_key,
                                            attr_arr);
 
   //TODO review this wireformat
@@ -1294,7 +1295,7 @@ ticket_reissue_proc (void *cls,
   GNUNET_free (label);
   GNUNET_free (attr_arr);
   GNUNET_free (code_record_data);
-  GNUNET_CRYPTO_cpabe_delete_key (rp_key, GNUNET_YES);
+  GNUNET_ABE_cpabe_delete_key (rp_key, GNUNET_YES);
 }
 
 
@@ -1362,7 +1363,7 @@ reenc_next_attribute (struct TicketRevocationHandle *rh)
   /**
    * Encrypt the attribute value and store in namestore
    */
-  enc_size = GNUNET_CRYPTO_cpabe_encrypt (buf,
+  enc_size = GNUNET_ABE_cpabe_encrypt (buf,
                                           buf_size,
                                           policy, //Policy
                                           rh->abe_key,
@@ -1463,7 +1464,7 @@ process_attributes_to_update (void *cls,
 
 static void
 get_ticket_after_abe_bootstrap (void *cls,
-                                struct GNUNET_CRYPTO_AbeMasterKey *abe_key)
+                                struct GNUNET_ABE_AbeMasterKey *abe_key)
 {
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Finished ABE bootstrap\n");
@@ -1534,7 +1535,7 @@ static void
 cleanup_consume_ticket_handle (struct ConsumeTicketHandle *handle)
 {
   if (NULL != handle->key)
-    GNUNET_CRYPTO_cpabe_delete_key (handle->key,
+    GNUNET_ABE_cpabe_delete_key (handle->key,
                                     GNUNET_YES);
   if (NULL != handle->attrs)
     GNUNET_IDENTITY_ATTRIBUTE_list_destroy (handle->attrs);
@@ -1603,7 +1604,7 @@ process_parallel_lookup2 (void *cls, uint32_t rd_count,
   if (rd->record_type == GNUNET_GNSRECORD_TYPE_ID_ATTR)
   {
     decrypt_duration = GNUNET_TIME_absolute_get ();
-    attr_len = GNUNET_CRYPTO_cpabe_decrypt (rd->data + sizeof (uint32_t),
+    attr_len = GNUNET_ABE_cpabe_decrypt (rd->data + sizeof (uint32_t),
                                             rd->data_size - sizeof (uint32_t),
                                             handle->key,
                                             (void**)&data);
@@ -1745,7 +1746,7 @@ process_consume_abe_key (void *cls, uint32_t rd_count,
   scopes = GNUNET_strdup (buf);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Scopes %s\n", scopes);
-  handle->key = GNUNET_CRYPTO_cpabe_deserialize_key ((void*)(buf + strlen (scopes) + 1),
+  handle->key = GNUNET_ABE_cpabe_deserialize_key ((void*)(buf + strlen (scopes) + 1),
                                                      rd->data_size - sizeof (struct GNUNET_CRYPTO_EcdhePublicKey)
                                                      - strlen (scopes) - 1);
 
@@ -1833,7 +1834,7 @@ cleanup_as_handle (struct AttributeStoreHandle *handle)
   if (NULL != handle->claim)
     GNUNET_free (handle->claim);
   if (NULL != handle->abe_key)
-    GNUNET_CRYPTO_cpabe_delete_master_key (handle->abe_key);
+    GNUNET_ABE_cpabe_delete_master_key (handle->abe_key);
   GNUNET_free (handle);
 }
 
@@ -1897,7 +1898,7 @@ attr_store_task (void *cls)
   /**
    * Encrypt the attribute value and store in namestore
    */
-  enc_size = GNUNET_CRYPTO_cpabe_encrypt (buf,
+  enc_size = GNUNET_ABE_cpabe_encrypt (buf,
                                           buf_size,
                                           policy, //Policy
                                           as_handle->abe_key,
@@ -1931,7 +1932,7 @@ attr_store_task (void *cls)
 
 static void
 store_after_abe_bootstrap (void *cls,
-                           struct GNUNET_CRYPTO_AbeMasterKey *abe_key)
+                           struct GNUNET_ABE_AbeMasterKey *abe_key)
 {
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Finished ABE bootstrap\n");
@@ -2001,7 +2002,7 @@ static void
 cleanup_iter_handle (struct AttributeIterator *ai)
 {
   if (NULL != ai->abe_key)
-    GNUNET_CRYPTO_cpabe_delete_master_key (ai->abe_key);
+    GNUNET_ABE_cpabe_delete_master_key (ai->abe_key);
   GNUNET_CONTAINER_DLL_remove (ai->client->op_head,
                                ai->client->op_tail,
                                ai);
@@ -2043,7 +2044,7 @@ attr_iter_cb (void *cls,
 {
   struct AttributeIterator *ai = cls;
   struct AttributeResultMessage *arm;
-  struct GNUNET_CRYPTO_AbeKey *key;
+  struct GNUNET_ABE_AbeKey *key;
   struct GNUNET_MQ_Envelope *env;
   ssize_t msg_extra_len;
   char* attr_ser;
@@ -2067,14 +2068,14 @@ attr_iter_cb (void *cls,
                    label, attr_ver);
   attrs[0] = policy;
   attrs[1] = 0;
-  key = GNUNET_CRYPTO_cpabe_create_key (ai->abe_key,
+  key = GNUNET_ABE_cpabe_create_key (ai->abe_key,
                                         attrs);
-  msg_extra_len = GNUNET_CRYPTO_cpabe_decrypt (rd->data+sizeof (uint32_t),
+  msg_extra_len = GNUNET_ABE_cpabe_decrypt (rd->data+sizeof (uint32_t),
                                                rd->data_size-sizeof (uint32_t),
                                                key,
                                                (void**)&attr_ser);
 
-  GNUNET_CRYPTO_cpabe_delete_key (key,
+  GNUNET_ABE_cpabe_delete_key (key,
                                   GNUNET_YES);
   //GNUNET_free (policy);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -2092,14 +2093,14 @@ attr_iter_cb (void *cls,
                  msg_extra_len);
   GNUNET_MQ_send (ai->client->mq, env);
   GNUNET_free (attr_ser);
-  GNUNET_CRYPTO_cpabe_delete_master_key (ai->abe_key);
+  GNUNET_ABE_cpabe_delete_master_key (ai->abe_key);
   ai->abe_key = NULL;
 }
 
 
 void
 iterate_after_abe_bootstrap (void *cls,
-                             struct GNUNET_CRYPTO_AbeMasterKey *abe_key)
+                             struct GNUNET_ABE_AbeMasterKey *abe_key)
 {
   struct AttributeIterator *ai = cls;
   ai->abe_key = abe_key;
@@ -2115,7 +2116,7 @@ iterate_after_abe_bootstrap (void *cls,
 
 void
 iterate_next_after_abe_bootstrap (void *cls,
-                                  struct GNUNET_CRYPTO_AbeMasterKey *abe_key)
+                                  struct GNUNET_ABE_AbeMasterKey *abe_key)
 {
   struct AttributeIterator *ai = cls;
   ai->abe_key = abe_key;
diff --git a/src/include/gnunet_abe_lib.h b/src/include/gnunet_abe_lib.h
new file mode 100644
index 000000000..77b0f9e99
--- /dev/null
+++ b/src/include/gnunet_abe_lib.h
@@ -0,0 +1,143 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001-2018 GNUnet e.V.
+
+     GNUnet is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published
+     by the Free Software Foundation; either version 3, or (at your
+     option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with GNUnet; see the file COPYING.  If not, write to the
+     Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+     Boston, MA 02110-1301, USA.
+*/
+
+/**
+ * @file include/gnunet_crypto_lib.h
+ * @brief cryptographic primitives for GNUnet
+ *
+ * @author Martin Schanzenbach
+ *
+ * @defgroup abe  ABE Crypto library: Attribute-Based Encryption operations
+ *
+ */
+#ifndef GNUNET_ABE_LIB_H
+#define GNUNET_ABE_LIB_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#if 0                           /* keep Emacsens' auto-indent happy */
+}
+#endif
+#endif
+
+#include "gnunet_common.h"
+#include <gcrypt.h>
+
+/**
+ * @brief type for ABE master keys
+ */
+struct GNUNET_CRYPTO_AbeMasterKey;
+
+/**
+ * @brief type for ABE keys
+ */
+struct GNUNET_CRYPTO_AbeKey;
+
+
+
+/**
+ * @ingroup abe
+ * Create a new CP-ABE master key. Caller must free return value.
+ *
+ * @return fresh private key; free using #GNUNET_free
+ */
+struct GNUNET_ABE_AbeMasterKey *
+GNUNET_ABE_cpabe_create_master_key (void);
+void
+GNUNET_ABE_cpabe_delete_master_key (struct GNUNET_ABE_AbeMasterKey *key);
+
+/**
+ * @ingroup abe
+ * Create a new CP-ABE key. Caller must free return value.
+ *
+ * @return fresh private key; free using #GNUNET_free
+ */
+struct GNUNET_ABE_AbeKey *
+GNUNET_ABE_cpabe_create_key (struct GNUNET_ABE_AbeMasterKey *msk,
+                                char **attrs);
+void
+GNUNET_ABE_cpabe_delete_key (struct GNUNET_ABE_AbeKey *key,
+                                int delete_pub);
+
+
+/**
+ * @ingroup abe
+ * Encrypt a block using  sessionkey.
+ *
+ * @param block the block to encrypt
+ * @param size the size of the @a block
+ * @param sessionkey the key used to encrypt
+ * @param iv the initialization vector to use, use INITVALUE
+ *        for streams.
+ * @return the size of the encrypted block, -1 for errors
+ */
+ssize_t
+GNUNET_ABE_cpabe_encrypt (const void *block,
+                             size_t size,
+                             const char *policy,
+                             const struct GNUNET_ABE_AbeMasterKey *key,
+                             void **result);
+
+/**
+ * @ingroup abe
+ * Encrypt a block using  sessionkey.
+ *
+ * @param block the block to encrypt
+ * @param size the size of the @a block
+ * @param sessionkey the key used to encrypt
+ * @param iv the initialization vector to use, use INITVALUE
+ *        for streams.
+ * @return the size of the encrypted block, -1 for errors
+ */
+ssize_t
+GNUNET_ABE_cpabe_decrypt (const void *block,
+                             size_t size,
+                             const struct GNUNET_ABE_AbeKey *key,
+                             void **result);
+
+ssize_t
+GNUNET_ABE_cpabe_serialize_key (const struct GNUNET_ABE_AbeKey *key,
+                                   void **result);
+
+struct GNUNET_ABE_AbeKey*
+GNUNET_ABE_cpabe_deserialize_key (const void *data,
+                                     size_t len);
+
+ssize_t
+GNUNET_ABE_cpabe_serialize_master_key (const struct GNUNET_ABE_AbeMasterKey *key,
+                                          void **result);
+
+struct GNUNET_ABE_AbeMasterKey*
+GNUNET_ABE_cpabe_deserialize_master_key (const void *data,
+                                            size_t len);
+
+
+#if 0                           /* keep Emacsens' auto-indent happy */
+{
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+
+/* ifndef GNUNET_ABE_LIB_H */
+#endif
+/* end of gnunet_abe_lib.h */
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 2fd67ae1b..e886a561c 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -395,11 +395,6 @@ struct GNUNET_CRYPTO_PaillierCiphertext
   unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
 };
 
-/**
- * @brief type for ABE master keys
- */
-struct GNUNET_CRYPTO_AbeMasterKey;
-
 
 /* **************** Functions and Macros ************* */
 
@@ -2142,83 +2137,6 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
                           const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
 
 
-/**
- * @ingroup crypto
- * Create a new CP-ABE master key. Caller must free return value.
- *
- * @return fresh private key; free using #GNUNET_free
- */
-struct GNUNET_CRYPTO_AbeMasterKey *
-GNUNET_CRYPTO_cpabe_create_master_key (void);
-void
-GNUNET_CRYPTO_cpabe_delete_master_key (struct GNUNET_CRYPTO_AbeMasterKey *key);
-
-/**
- * @ingroup crypto
- * Create a new CP-ABE key. Caller must free return value.
- *
- * @return fresh private key; free using #GNUNET_free
- */
-struct GNUNET_CRYPTO_AbeKey *
-GNUNET_CRYPTO_cpabe_create_key (struct GNUNET_CRYPTO_AbeMasterKey *msk,
-                                char **attrs);
-void
-GNUNET_CRYPTO_cpabe_delete_key (struct GNUNET_CRYPTO_AbeKey *key,
-                                int delete_pub);
-
-
-/**
- * @ingroup crypto
- * Encrypt a block using  sessionkey.
- *
- * @param block the block to encrypt
- * @param size the size of the @a block
- * @param sessionkey the key used to encrypt
- * @param iv the initialization vector to use, use INITVALUE
- *        for streams.
- * @return the size of the encrypted block, -1 for errors
- */
-ssize_t
-GNUNET_CRYPTO_cpabe_encrypt (const void *block,
-                             size_t size,
-                             const char *policy,
-                             const struct GNUNET_CRYPTO_AbeMasterKey *key,
-                             void **result);
-
-/**
- * @ingroup crypto
- * Encrypt a block using  sessionkey.
- *
- * @param block the block to encrypt
- * @param size the size of the @a block
- * @param sessionkey the key used to encrypt
- * @param iv the initialization vector to use, use INITVALUE
- *        for streams.
- * @return the size of the encrypted block, -1 for errors
- */
-ssize_t
-GNUNET_CRYPTO_cpabe_decrypt (const void *block,
-                             size_t size,
-                             const struct GNUNET_CRYPTO_AbeKey *key,
-                             void **result);
-
-ssize_t
-GNUNET_CRYPTO_cpabe_serialize_key (const struct GNUNET_CRYPTO_AbeKey *key,
-                                   void **result);
-
-struct GNUNET_CRYPTO_AbeKey*
-GNUNET_CRYPTO_cpabe_deserialize_key (const void *data,
-                                     size_t len);
-
-ssize_t
-GNUNET_CRYPTO_cpabe_serialize_master_key (const struct GNUNET_CRYPTO_AbeMasterKey *key,
-                                          void **result);
-
-struct GNUNET_CRYPTO_AbeMasterKey*
-GNUNET_CRYPTO_cpabe_deserialize_master_key (const void *data,
-                                            size_t len);
-
-
 #if 0                           /* keep Emacsens' auto-indent happy */
 {
 #endif
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index cc9ff4745..eb655157d 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -119,18 +119,6 @@ libgnunetutil_la_LIBADD = \
   $(LTLIBINTL) \
   -lltdl $(Z_LIBS) -lunistring $(XLIB)
 
-if HAVE_PBC
-if HAVE_ABE
-libgnunetutil_la_SOURCES += \
-        crypto_abe.c
-libgnunetutil_la_LIBADD += \
-  $(ABE_LIBADD) \
-        -lgabe \
-        -lpbc \
-        -lglib-2.0
-endif
-endif
-
 libgnunetutil_la_LDFLAGS = \
   $(GN_LIB_LDFLAGS) \
   -version-info 13:0:0
@@ -564,17 +552,6 @@ test_speedup_SOURCES = \
 test_speedup_LDADD = \
  libgnunetutil.la
 
-if HAVE_PBC
-if HAVE_ABE
-test_crypto_abe_SOURCES = \
- test_crypto_abe.c
-test_crypto_abe_LDADD = \
- libgnunetutil.la
-check_PROGRAMS += \
- test_crypto_abe
-endif
-endif
-
 perf_crypto_hash_SOURCES = \
  perf_crypto_hash.c
 perf_crypto_hash_LDADD = \