diff options
Diffstat (limited to 'src/include/gnunet_crypto_lib.h')
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 2019 |
1 files changed, 1914 insertions, 105 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index 1ab135d80..b74bbcd1e 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -1,6 +1,6 @@ | |||
1 | /* | 1 | /* |
2 | This file is part of GNUnet. | 2 | This file is part of GNUnet. |
3 | Copyright (C) 2001-2013 GNUnet e.V. | 3 | Copyright (C) 2001-2023 GNUnet e.V. |
4 | 4 | ||
5 | GNUnet is free software: you can redistribute it and/or modify it | 5 | GNUnet is free software: you can redistribute it and/or modify it |
6 | under the terms of the GNU Affero General Public License as published | 6 | under the terms of the GNU Affero General Public License as published |
@@ -19,6 +19,10 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | /** | 21 | /** |
22 | * @addtogroup libgnunetutil | ||
23 | * Multi-function utilities library for GNUnet programs | ||
24 | * @{ | ||
25 | * | ||
22 | * @file include/gnunet_crypto_lib.h | 26 | * @file include/gnunet_crypto_lib.h |
23 | * @brief cryptographic primitives for GNUnet | 27 | * @brief cryptographic primitives for GNUnet |
24 | * | 28 | * |
@@ -40,6 +44,10 @@ | |||
40 | * @see [Documentation](https://gnunet.org/crypto-api) | 44 | * @see [Documentation](https://gnunet.org/crypto-api) |
41 | */ | 45 | */ |
42 | 46 | ||
47 | #if ! defined (__GNUNET_UTIL_LIB_H_INSIDE__) | ||
48 | #error "Only <gnunet_util_lib.h> can be included directly." | ||
49 | #endif | ||
50 | |||
43 | #ifndef GNUNET_CRYPTO_LIB_H | 51 | #ifndef GNUNET_CRYPTO_LIB_H |
44 | #define GNUNET_CRYPTO_LIB_H | 52 | #define GNUNET_CRYPTO_LIB_H |
45 | 53 | ||
@@ -50,6 +58,7 @@ extern "C" { | |||
50 | #endif | 58 | #endif |
51 | #endif | 59 | #endif |
52 | 60 | ||
61 | |||
53 | #include <stdbool.h> | 62 | #include <stdbool.h> |
54 | #include <sodium.h> | 63 | #include <sodium.h> |
55 | 64 | ||
@@ -58,7 +67,6 @@ extern "C" { | |||
58 | */ | 67 | */ |
59 | struct GNUNET_PeerIdentity; | 68 | struct GNUNET_PeerIdentity; |
60 | 69 | ||
61 | #include "gnunet_common.h" | ||
62 | #include <gcrypt.h> | 70 | #include <gcrypt.h> |
63 | 71 | ||
64 | 72 | ||
@@ -287,6 +295,170 @@ struct GNUNET_CRYPTO_EddsaPrivateScalar | |||
287 | unsigned char s[512 / 8]; | 295 | unsigned char s[512 / 8]; |
288 | }; | 296 | }; |
289 | 297 | ||
298 | /** | ||
299 | * Private ECC key material encoded for transmission. To be used only for | ||
300 | * Edx25519 signatures. An initial key corresponds to data from the key | ||
301 | * expansion and clamping in the EdDSA key generation. | ||
302 | */ | ||
303 | struct GNUNET_CRYPTO_Edx25519PrivateKey | ||
304 | { | ||
305 | /** | ||
306 | * a is a value mod n, where n has at most 256 bits. It is the first half of | ||
307 | * the seed-expansion of EdDSA and will be clamped. | ||
308 | */ | ||
309 | unsigned char a[256 / 8]; | ||
310 | |||
311 | /** | ||
312 | * b consists of 32 bytes which where originally the lower 32bytes of the key | ||
313 | * expansion. Subsequent calls to derive_private will change this value, too. | ||
314 | */ | ||
315 | unsigned char b[256 / 8]; | ||
316 | }; | ||
317 | |||
318 | |||
319 | /** | ||
320 | * Public ECC key (always for curve Ed25519) encoded in a format suitable for | ||
321 | * network transmission and Edx25519 (same as EdDSA) signatures. Refer to | ||
322 | * section 5.1.3 of rfc8032, for a thorough explanation of how this value maps | ||
323 | * to the x- and y-coordinates. | ||
324 | */ | ||
325 | struct GNUNET_CRYPTO_Edx25519PublicKey | ||
326 | { | ||
327 | /** | ||
328 | * Point Q consists of a y-value mod p (256 bits); the x-value is | ||
329 | * always positive. The point is stored in Ed25519 standard | ||
330 | * compact format. | ||
331 | */ | ||
332 | unsigned char q_y[256 / 8]; | ||
333 | }; | ||
334 | |||
335 | /** | ||
336 | * @brief an ECC signature using Edx25519 (same as in EdDSA). | ||
337 | */ | ||
338 | struct GNUNET_CRYPTO_Edx25519Signature | ||
339 | { | ||
340 | /** | ||
341 | * R value. | ||
342 | */ | ||
343 | unsigned char r[256 / 8]; | ||
344 | |||
345 | /** | ||
346 | * S value. | ||
347 | */ | ||
348 | unsigned char s[256 / 8]; | ||
349 | }; | ||
350 | |||
351 | /** | ||
352 | * Elligator representative (always for Curve25519) | ||
353 | */ | ||
354 | struct GNUNET_CRYPTO_ElligatorRepresentative | ||
355 | { | ||
356 | /** | ||
357 | * Represents an element of Curve25519 finite field. | ||
358 | * Always smaller than 2 ^ 254 - 10 -> Needs to be serialized into a random-looking byte stream before transmission. | ||
359 | */ | ||
360 | unsigned char r[256 / 8]; | ||
361 | }; | ||
362 | |||
363 | /** | ||
364 | * Key type for the generic public key union | ||
365 | */ | ||
366 | enum GNUNET_CRYPTO_KeyType | ||
367 | { | ||
368 | /** | ||
369 | * The identity type. The value is the same as the | ||
370 | * PKEY record type. | ||
371 | */ | ||
372 | GNUNET_PUBLIC_KEY_TYPE_ECDSA = 65536, | ||
373 | |||
374 | /** | ||
375 | * EDDSA identity. The value is the same as the EDKEY | ||
376 | * record type. | ||
377 | */ | ||
378 | GNUNET_PUBLIC_KEY_TYPE_EDDSA = 65556 | ||
379 | }; | ||
380 | |||
381 | /** | ||
382 | * A private key for an identity as per LSD0001. | ||
383 | * Note that these types are NOT packed and MUST NOT be used in RPC | ||
384 | * messages. Use the respective serialization functions. | ||
385 | */ | ||
386 | struct GNUNET_CRYPTO_PrivateKey | ||
387 | { | ||
388 | /** | ||
389 | * Type of public key. | ||
390 | * Defined by the GNS zone type value. | ||
391 | * In NBO. | ||
392 | */ | ||
393 | uint32_t type; | ||
394 | |||
395 | union | ||
396 | { | ||
397 | /** | ||
398 | * An ECDSA identity key. | ||
399 | */ | ||
400 | struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key; | ||
401 | |||
402 | /** | ||
403 | * AN EdDSA identtiy key | ||
404 | */ | ||
405 | struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key; | ||
406 | }; | ||
407 | }; | ||
408 | |||
409 | |||
410 | /** | ||
411 | * An identity key as per LSD0001. | ||
412 | */ | ||
413 | struct GNUNET_CRYPTO_PublicKey | ||
414 | { | ||
415 | /** | ||
416 | * Type of public key. | ||
417 | * Defined by the GNS zone type value. | ||
418 | * In NBO. | ||
419 | */ | ||
420 | uint32_t type; | ||
421 | |||
422 | union | ||
423 | { | ||
424 | /** | ||
425 | * An ECDSA identity key. | ||
426 | */ | ||
427 | struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_key; | ||
428 | |||
429 | /** | ||
430 | * AN EdDSA identtiy key | ||
431 | */ | ||
432 | struct GNUNET_CRYPTO_EddsaPublicKey eddsa_key; | ||
433 | }; | ||
434 | }; | ||
435 | |||
436 | |||
437 | /** | ||
438 | * An identity signature as per LSD0001. | ||
439 | */ | ||
440 | struct GNUNET_CRYPTO_Signature | ||
441 | { | ||
442 | /** | ||
443 | * Type of signature. | ||
444 | * Defined by the GNS zone type value. | ||
445 | * In NBO. | ||
446 | */ | ||
447 | uint32_t type; | ||
448 | |||
449 | union | ||
450 | { | ||
451 | /** | ||
452 | * An ECDSA signature | ||
453 | */ | ||
454 | struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature; | ||
455 | |||
456 | /** | ||
457 | * AN EdDSA signature | ||
458 | */ | ||
459 | struct GNUNET_CRYPTO_EddsaSignature eddsa_signature; | ||
460 | }; | ||
461 | }; | ||
290 | 462 | ||
291 | /** | 463 | /** |
292 | * @brief type for session keys | 464 | * @brief type for session keys |
@@ -307,7 +479,7 @@ struct GNUNET_CRYPTO_SymmetricSessionKey | |||
307 | /** | 479 | /** |
308 | * Type of a nonce used for challenges. | 480 | * Type of a nonce used for challenges. |
309 | */ | 481 | */ |
310 | struct ChallengeNonceP | 482 | struct GNUNET_CRYPTO_ChallengeNonceP |
311 | { | 483 | { |
312 | /** | 484 | /** |
313 | * The value of the nonce. Note that this is NOT a hash. | 485 | * The value of the nonce. Note that this is NOT a hash. |
@@ -500,17 +672,33 @@ struct GNUNET_CRYPTO_CsSignature | |||
500 | * Schnorr signatures are composed of a scalar s and a curve point | 672 | * Schnorr signatures are composed of a scalar s and a curve point |
501 | */ | 673 | */ |
502 | struct GNUNET_CRYPTO_CsS s_scalar; | 674 | struct GNUNET_CRYPTO_CsS s_scalar; |
675 | |||
676 | /** | ||
677 | * Curve point of the Schnorr signature. | ||
678 | */ | ||
503 | struct GNUNET_CRYPTO_CsRPublic r_point; | 679 | struct GNUNET_CRYPTO_CsRPublic r_point; |
504 | }; | 680 | }; |
505 | 681 | ||
506 | 682 | ||
507 | /** | 683 | /** |
508 | * Nonce | 684 | * Nonce for the session, picked by client, |
685 | * shared with the signer. | ||
509 | */ | 686 | */ |
510 | struct GNUNET_CRYPTO_CsNonce | 687 | struct GNUNET_CRYPTO_CsSessionNonce |
511 | { | 688 | { |
512 | /*a nonce*/ | 689 | /*a nonce*/ |
513 | unsigned char nonce[256 / 8]; | 690 | unsigned char snonce[256 / 8]; |
691 | }; | ||
692 | |||
693 | |||
694 | /** | ||
695 | * Nonce for computing blinding factors. Not | ||
696 | * shared with the signer. | ||
697 | */ | ||
698 | struct GNUNET_CRYPTO_CsBlindingNonce | ||
699 | { | ||
700 | /*a nonce*/ | ||
701 | unsigned char bnonce[256 / 8]; | ||
514 | }; | 702 | }; |
515 | 703 | ||
516 | 704 | ||
@@ -602,7 +790,7 @@ GNUNET_CRYPTO_zero_keys (void *buffer, size_t length); | |||
602 | * Fill block with a random values. | 790 | * Fill block with a random values. |
603 | * | 791 | * |
604 | * @param mode desired quality of the random number | 792 | * @param mode desired quality of the random number |
605 | * @param buffer the buffer to fill | 793 | * @param[out] buffer the buffer to fill |
606 | * @param length buffer length | 794 | * @param length buffer length |
607 | */ | 795 | */ |
608 | void | 796 | void |
@@ -619,7 +807,7 @@ GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode, | |||
619 | * here is not a completely random number. | 807 | * here is not a completely random number. |
620 | * | 808 | * |
621 | * @param mode desired quality of the random number | 809 | * @param mode desired quality of the random number |
622 | * @param uuid the value to fill | 810 | * @param[out] uuid the value to fill |
623 | */ | 811 | */ |
624 | void | 812 | void |
625 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, | 813 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, |
@@ -640,7 +828,7 @@ GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i); | |||
640 | 828 | ||
641 | /** | 829 | /** |
642 | * @ingroup crypto | 830 | * @ingroup crypto |
643 | * Random on unsigned 64-bit values. | 831 | * Generate a random unsigned 64-bit value. |
644 | * | 832 | * |
645 | * @param mode desired quality of the random number | 833 | * @param mode desired quality of the random number |
646 | * @param max value returned will be in range [0,@a max) (exclusive) | 834 | * @param max value returned will be in range [0,@a max) (exclusive) |
@@ -903,7 +1091,7 @@ GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc); | |||
903 | 1091 | ||
904 | /** | 1092 | /** |
905 | * Calculate HMAC of a message (RFC 2104) | 1093 | * Calculate HMAC of a message (RFC 2104) |
906 | * TODO: Shouldn' this be the standard hmac function and | 1094 | * TODO: Shouldn't this be the standard hmac function and |
907 | * the above be renamed? | 1095 | * the above be renamed? |
908 | * | 1096 | * |
909 | * @param key secret key | 1097 | * @param key secret key |
@@ -1279,6 +1467,17 @@ GNUNET_CRYPTO_eddsa_key_get_public ( | |||
1279 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | 1467 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, |
1280 | struct GNUNET_CRYPTO_EddsaPublicKey *pub); | 1468 | struct GNUNET_CRYPTO_EddsaPublicKey *pub); |
1281 | 1469 | ||
1470 | /** | ||
1471 | * @ingroup crypto | ||
1472 | * Extract the public key for the given private key. | ||
1473 | * | ||
1474 | * @param priv the private key | ||
1475 | * @param pub where to write the public key | ||
1476 | */ | ||
1477 | void | ||
1478 | GNUNET_CRYPTO_edx25519_key_get_public ( | ||
1479 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
1480 | struct GNUNET_CRYPTO_Edx25519PublicKey *pub); | ||
1282 | 1481 | ||
1283 | /** | 1482 | /** |
1284 | * @ingroup crypto | 1483 | * @ingroup crypto |
@@ -1363,7 +1562,7 @@ enum GNUNET_GenericReturnValue | |||
1363 | GNUNET_CRYPTO_eddsa_private_key_from_string ( | 1562 | GNUNET_CRYPTO_eddsa_private_key_from_string ( |
1364 | const char *enc, | 1563 | const char *enc, |
1365 | size_t enclen, | 1564 | size_t enclen, |
1366 | struct GNUNET_CRYPTO_EddsaPrivateKey *pub); | 1565 | struct GNUNET_CRYPTO_EddsaPrivateKey *priv); |
1367 | 1566 | ||
1368 | 1567 | ||
1369 | /** | 1568 | /** |
@@ -1465,7 +1664,34 @@ GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); | |||
1465 | 1664 | ||
1466 | /** | 1665 | /** |
1467 | * @ingroup crypto | 1666 | * @ingroup crypto |
1667 | * Create a new private key. | ||
1668 | * | ||
1669 | * @param[out] pk private key to initialize | ||
1670 | */ | ||
1671 | void | ||
1672 | GNUNET_CRYPTO_edx25519_key_create (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1673 | |||
1674 | /** | ||
1675 | * @ingroup crypto | ||
1676 | * Create a new private key for Edx25519 from a given seed. After expanding | ||
1677 | * the seed, the first half of the key will be clamped according to EdDSA. | ||
1678 | * | ||
1679 | * @param seed seed input | ||
1680 | * @param seedsize size of the seed in bytes | ||
1681 | * @param[out] pk private key to initialize | ||
1682 | */ | ||
1683 | void | ||
1684 | GNUNET_CRYPTO_edx25519_key_create_from_seed ( | ||
1685 | const void *seed, | ||
1686 | size_t seedsize, | ||
1687 | struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1688 | |||
1689 | /** | ||
1690 | * @ingroup crypto | ||
1468 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). | 1691 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). |
1692 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1693 | * X25519(a,9). | ||
1694 | * See #GNUNET_CRYPTO_ecc_ecdh for the DH function. | ||
1469 | * | 1695 | * |
1470 | * @param[out] pk set to fresh private key; | 1696 | * @param[out] pk set to fresh private key; |
1471 | */ | 1697 | */ |
@@ -1492,6 +1718,14 @@ GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); | |||
1492 | void | 1718 | void |
1493 | GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); | 1719 | GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); |
1494 | 1720 | ||
1721 | /** | ||
1722 | * @ingroup crypto | ||
1723 | * Clear memory that was used to store a private key. | ||
1724 | * | ||
1725 | * @param pk location of the key | ||
1726 | */ | ||
1727 | void | ||
1728 | GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1495 | 1729 | ||
1496 | /** | 1730 | /** |
1497 | * @ingroup crypto | 1731 | * @ingroup crypto |
@@ -1502,6 +1736,15 @@ GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); | |||
1502 | void | 1736 | void |
1503 | GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | 1737 | GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk); |
1504 | 1738 | ||
1739 | /** | ||
1740 | * @ingroup crypto | ||
1741 | * Clear memory that was used to store a private key. | ||
1742 | * | ||
1743 | * @param pk location of the key | ||
1744 | */ | ||
1745 | void | ||
1746 | GNUNET_CRYPTO_private_key_clear (struct GNUNET_CRYPTO_PrivateKey *pk); | ||
1747 | |||
1505 | 1748 | ||
1506 | /** | 1749 | /** |
1507 | * @ingroup crypto | 1750 | * @ingroup crypto |
@@ -1535,12 +1778,49 @@ GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name); | |||
1535 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | 1778 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity |
1536 | * could not be retrieved | 1779 | * could not be retrieved |
1537 | */ | 1780 | */ |
1538 | int | 1781 | enum GNUNET_GenericReturnValue |
1539 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, | 1782 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, |
1540 | struct GNUNET_PeerIdentity *dst); | 1783 | struct GNUNET_PeerIdentity *dst); |
1541 | 1784 | ||
1542 | 1785 | ||
1543 | /** | 1786 | /** |
1787 | * @ingroup crypto | ||
1788 | * Sign a given block with a specific purpose using the host's peer identity. | ||
1789 | * | ||
1790 | * @param cfg configuration to use | ||
1791 | * @param purpose what to sign (size, purpose) | ||
1792 | * @param sig where to write the signature | ||
1793 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | ||
1794 | * could not be retrieved | ||
1795 | */ | ||
1796 | enum GNUNET_GenericReturnValue | ||
1797 | GNUNET_CRYPTO_sign_by_peer_identity (const struct | ||
1798 | GNUNET_CONFIGURATION_Handle *cfg, | ||
1799 | const struct | ||
1800 | GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
1801 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1802 | |||
1803 | |||
1804 | /** | ||
1805 | * @ingroup crypto | ||
1806 | * Verify a given signature with a peer's identity. | ||
1807 | * | ||
1808 | * @param purpose what is the purpose that the signature should have? | ||
1809 | * @param validate block to validate (size, purpose, data) | ||
1810 | * @param sig signature that is being validated | ||
1811 | * @param identity the peer's identity to verify | ||
1812 | * @return #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
1813 | */ | ||
1814 | enum GNUNET_GenericReturnValue | ||
1815 | GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose, | ||
1816 | const struct | ||
1817 | GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
1818 | const struct | ||
1819 | GNUNET_CRYPTO_EddsaSignature *sig, | ||
1820 | const struct GNUNET_PeerIdentity *identity); | ||
1821 | |||
1822 | |||
1823 | /** | ||
1544 | * Internal structure used to cache pre-calculated values for DLOG calculation. | 1824 | * Internal structure used to cache pre-calculated values for DLOG calculation. |
1545 | */ | 1825 | */ |
1546 | struct GNUNET_CRYPTO_EccDlogContext; | 1826 | struct GNUNET_CRYPTO_EccDlogContext; |
@@ -1583,7 +1863,7 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, | |||
1583 | * Calculate ECC discrete logarithm for small factors. | 1863 | * Calculate ECC discrete logarithm for small factors. |
1584 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). | 1864 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). |
1585 | * | 1865 | * |
1586 | * @param dlc precalculated values, determine range of factors | 1866 | * @param edc precalculated values, determine range of factors |
1587 | * @param input point on the curve to factor | 1867 | * @param input point on the curve to factor |
1588 | * @return INT_MAX if dlog failed, otherwise the factor | 1868 | * @return INT_MAX if dlog failed, otherwise the factor |
1589 | */ | 1869 | */ |
@@ -1706,6 +1986,9 @@ GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val, | |||
1706 | /** | 1986 | /** |
1707 | * @ingroup crypto | 1987 | * @ingroup crypto |
1708 | * Derive key material from a public and a private ECC key. | 1988 | * Derive key material from a public and a private ECC key. |
1989 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1990 | * H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9), | ||
1991 | * and a := #GNUNET_CRYPTO_ecdhe_key_create(). | ||
1709 | * | 1992 | * |
1710 | * @param priv private key to use for the ECDH (x) | 1993 | * @param priv private key to use for the ECDH (x) |
1711 | * @param pub public key to use for the ECDH (yG) | 1994 | * @param pub public key to use for the ECDH (yG) |
@@ -1722,6 +2005,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1722 | * @ingroup crypto | 2005 | * @ingroup crypto |
1723 | * Derive key material from a ECDH public key and a private EdDSA key. | 2006 | * Derive key material from a ECDH public key and a private EdDSA key. |
1724 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. | 2007 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. |
2008 | * This uses the Ed25519 private seed as X25519 seed. | ||
2009 | * As such, this also is a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2010 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2011 | * for signing and encryption (DH)! | ||
1725 | * | 2012 | * |
1726 | * @param priv private key from EdDSA to use for the ECDH (x) | 2013 | * @param priv private key from EdDSA to use for the ECDH (x) |
1727 | * @param pub public key to use for the ECDH (yG) | 2014 | * @param pub public key to use for the ECDH (yG) |
@@ -1733,6 +2020,122 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | |||
1733 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | 2020 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, |
1734 | struct GNUNET_HashCode *key_material); | 2021 | struct GNUNET_HashCode *key_material); |
1735 | 2022 | ||
2023 | /** | ||
2024 | * @ingroup crypto | ||
2025 | * Decapsulate a key for a private EdDSA key. | ||
2026 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps. | ||
2027 | * | ||
2028 | * @param priv private key from EdDSA to use for the ECDH (x) | ||
2029 | * @param c the encapsulated key | ||
2030 | * @param key_material where to write the key material H(h(x)yG) | ||
2031 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2032 | */ | ||
2033 | enum GNUNET_GenericReturnValue | ||
2034 | GNUNET_CRYPTO_eddsa_kem_decaps (const struct | ||
2035 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2036 | const struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2037 | struct GNUNET_HashCode *key_material); | ||
2038 | |||
2039 | /** | ||
2040 | * @ingroup crypto | ||
2041 | * Encapsulate key material for a EdDSA public key. | ||
2042 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps. | ||
2043 | * | ||
2044 | * @param priv private key to use for the ECDH (y) | ||
2045 | * @param c public key from EdDSA to use for the ECDH (X=h(x)G) | ||
2046 | * @param key_material where to write the key material H(yX)=H(h(x)yG) | ||
2047 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2048 | */ | ||
2049 | enum GNUNET_GenericReturnValue | ||
2050 | GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2051 | struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2052 | struct GNUNET_HashCode *key_material); | ||
2053 | |||
2054 | /** | ||
2055 | * This is the encapsulated key of our FO-KEM. | ||
2056 | */ | ||
2057 | struct GNUNET_CRYPTO_FoKemC | ||
2058 | { | ||
2059 | /* The output of the FO-OWTF F(x) */ | ||
2060 | struct GNUNET_HashCode y; | ||
2061 | |||
2062 | /* The ephemeral public key from the DH in the KEM */ | ||
2063 | struct GNUNET_CRYPTO_EcdhePublicKey pub; | ||
2064 | }; | ||
2065 | |||
2066 | /** | ||
2067 | * @ingroup crypto | ||
2068 | * Encapsulate key material using a CCA-secure KEM. | ||
2069 | * The KEM is using a OWTF with image oracle constructed from | ||
2070 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2071 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2072 | * | ||
2073 | * @param pub public key to encapsulated for | ||
2074 | * @param[out] c the encapsulation | ||
2075 | * @param[out] key_material the encapsulated key | ||
2076 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2077 | */ | ||
2078 | enum GNUNET_GenericReturnValue | ||
2079 | GNUNET_CRYPTO_eddsa_fo_kem_encaps ( | ||
2080 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2081 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2082 | struct GNUNET_HashCode *key_material); | ||
2083 | |||
2084 | |||
2085 | /** | ||
2086 | * @ingroup crypto | ||
2087 | * Decapsulate key material using a CCA-secure KEM. | ||
2088 | * The KEM is using a OWTF with image oracle constructed from | ||
2089 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2090 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2091 | * | ||
2092 | * @param priv private key this encapsulation is for | ||
2093 | * @param c the encapsulation | ||
2094 | * @param[out] key_material the encapsulated key | ||
2095 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2096 | */ | ||
2097 | enum GNUNET_GenericReturnValue | ||
2098 | GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct | ||
2099 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2100 | const struct GNUNET_CRYPTO_FoKemC *c, | ||
2101 | struct GNUNET_HashCode *key_material); | ||
2102 | |||
2103 | /** | ||
2104 | * @ingroup crypto | ||
2105 | * Encapsulate key material using a CCA-secure KEM. | ||
2106 | * The KEM is using a OWTF with image oracle constructed from | ||
2107 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2108 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2109 | * | ||
2110 | * @param pub public key to encapsulated for | ||
2111 | * @param[out] c the encapsulation | ||
2112 | * @param[out] key_material the encapsulated key | ||
2113 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2114 | */ | ||
2115 | enum GNUNET_GenericReturnValue | ||
2116 | GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct | ||
2117 | GNUNET_CRYPTO_EcdsaPublicKey *pub, | ||
2118 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2119 | struct GNUNET_HashCode *key_material); | ||
2120 | |||
2121 | |||
2122 | /** | ||
2123 | * @ingroup crypto | ||
2124 | * Decapsulate key material using a CCA-secure KEM. | ||
2125 | * The KEM is using a OWTF with image oracle constructed from | ||
2126 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2127 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2128 | * | ||
2129 | * @param priv private key this encapsulation is for | ||
2130 | * @param c the encapsulation | ||
2131 | * @param[out] key_material the encapsulated key | ||
2132 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2133 | */ | ||
2134 | enum GNUNET_GenericReturnValue | ||
2135 | GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct | ||
2136 | GNUNET_CRYPTO_EcdsaPrivateKey *priv, | ||
2137 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2138 | struct GNUNET_HashCode *key_material); | ||
1736 | 2139 | ||
1737 | /** | 2140 | /** |
1738 | * @ingroup crypto | 2141 | * @ingroup crypto |
@@ -1754,6 +2157,10 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | |||
1754 | * @ingroup crypto | 2157 | * @ingroup crypto |
1755 | * Derive key material from a EdDSA public key and a private ECDH key. | 2158 | * Derive key material from a EdDSA public key and a private ECDH key. |
1756 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. | 2159 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. |
2160 | * This converts the Edwards25519 public key @a pub to a Curve25519 | ||
2161 | * public key before computing a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2162 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2163 | * for signing and encryption (DH)! | ||
1757 | * | 2164 | * |
1758 | * @param priv private key to use for the ECDH (y) | 2165 | * @param priv private key to use for the ECDH (y) |
1759 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) | 2166 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) |
@@ -1765,6 +2172,7 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1765 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | 2172 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, |
1766 | struct GNUNET_HashCode *key_material); | 2173 | struct GNUNET_HashCode *key_material); |
1767 | 2174 | ||
2175 | |||
1768 | /** | 2176 | /** |
1769 | * @ingroup crypto | 2177 | * @ingroup crypto |
1770 | * Derive key material from a EcDSA public key and a private ECDH key. | 2178 | * Derive key material from a EcDSA public key and a private ECDH key. |
@@ -1849,6 +2257,21 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1849 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | 2257 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, |
1850 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | 2258 | struct GNUNET_CRYPTO_EcdsaSignature *sig); |
1851 | 2259 | ||
2260 | /** | ||
2261 | * @brief | ||
2262 | * | ||
2263 | * @param priv | ||
2264 | * @param data | ||
2265 | * @param size | ||
2266 | * @param sig | ||
2267 | * @return enum GNUNET_GenericReturnValue | ||
2268 | */ | ||
2269 | enum GNUNET_GenericReturnValue | ||
2270 | GNUNET_CRYPTO_eddsa_sign_raw ( | ||
2271 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2272 | void *data, | ||
2273 | size_t size, | ||
2274 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1852 | 2275 | ||
1853 | /** | 2276 | /** |
1854 | * @ingroup crypto | 2277 | * @ingroup crypto |
@@ -1874,6 +2297,53 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1874 | sig)); \ | 2297 | sig)); \ |
1875 | } while (0) | 2298 | } while (0) |
1876 | 2299 | ||
2300 | /** | ||
2301 | * @ingroup crypto | ||
2302 | * @brief Edx25519 sign a given block. | ||
2303 | * | ||
2304 | * The @a purpose data is the beginning of the data of which the signature is | ||
2305 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
2306 | * number of bytes of the data structure, including its header. If possible, | ||
2307 | * use #GNUNET_CRYPTO_edx25519_sign() instead of this function (only if @a | ||
2308 | * validate is not fixed-size, you must use this function directly). | ||
2309 | * | ||
2310 | * @param priv private key to use for the signing | ||
2311 | * @param purpose what to sign (size, purpose) | ||
2312 | * @param[out] sig where to write the signature | ||
2313 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2314 | */ | ||
2315 | enum GNUNET_GenericReturnValue | ||
2316 | GNUNET_CRYPTO_edx25519_sign_ ( | ||
2317 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
2318 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
2319 | struct GNUNET_CRYPTO_Edx25519Signature *sig); | ||
2320 | |||
2321 | |||
2322 | /** | ||
2323 | * @ingroup crypto | ||
2324 | * @brief Edx25519 sign a given block. The resulting signature is compatible | ||
2325 | * with EdDSA. | ||
2326 | * | ||
2327 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
2328 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
2329 | * number of bytes of the data structure, including its header. | ||
2330 | * | ||
2331 | * @param priv private key to use for the signing | ||
2332 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
2333 | * @param[out] sig where to write the signature | ||
2334 | */ | ||
2335 | #define GNUNET_CRYPTO_edx25519_sign(priv,ps,sig) do { \ | ||
2336 | /* check size is set correctly */ \ | ||
2337 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
2338 | /* check 'ps' begins with the purpose */ \ | ||
2339 | GNUNET_static_assert (((void*) (ps)) == \ | ||
2340 | ((void*) &(ps)->purpose)); \ | ||
2341 | GNUNET_assert (GNUNET_OK == \ | ||
2342 | GNUNET_CRYPTO_edx25519_sign_ (priv, \ | ||
2343 | &(ps)->purpose, \ | ||
2344 | sig)); \ | ||
2345 | } while (0) | ||
2346 | |||
1877 | 2347 | ||
1878 | /** | 2348 | /** |
1879 | * @ingroup crypto | 2349 | * @ingroup crypto |
@@ -1917,7 +2387,7 @@ GNUNET_CRYPTO_eddsa_verify_ ( | |||
1917 | */ | 2387 | */ |
1918 | #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \ | 2388 | #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \ |
1919 | /* check size is set correctly */ \ | 2389 | /* check size is set correctly */ \ |
1920 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | 2390 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ |
1921 | /* check 'ps' begins with the purpose */ \ | 2391 | /* check 'ps' begins with the purpose */ \ |
1922 | GNUNET_static_assert (((void*) (ps)) == \ | 2392 | GNUNET_static_assert (((void*) (ps)) == \ |
1923 | ((void*) &(ps)->purpose)); \ | 2393 | ((void*) &(ps)->purpose)); \ |
@@ -1927,7 +2397,6 @@ GNUNET_CRYPTO_eddsa_verify_ ( | |||
1927 | pub); \ | 2397 | pub); \ |
1928 | }) | 2398 | }) |
1929 | 2399 | ||
1930 | |||
1931 | /** | 2400 | /** |
1932 | * @ingroup crypto | 2401 | * @ingroup crypto |
1933 | * @brief Verify ECDSA signature. | 2402 | * @brief Verify ECDSA signature. |
@@ -1982,6 +2451,58 @@ GNUNET_CRYPTO_ecdsa_verify_ ( | |||
1982 | 2451 | ||
1983 | /** | 2452 | /** |
1984 | * @ingroup crypto | 2453 | * @ingroup crypto |
2454 | * @brief Verify Edx25519 signature. | ||
2455 | * | ||
2456 | * The @a validate data is the beginning of the data of which the signature | ||
2457 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
2458 | * the number of bytes of the data structure, including its header. If @a | ||
2459 | * purpose does not match the purpose given in @a validate (the latter must be | ||
2460 | * in big endian), signature verification fails. If possible, use | ||
2461 | * #GNUNET_CRYPTO_edx25519_verify() instead of this function (only if @a | ||
2462 | * validate is not fixed-size, you must use this function directly). | ||
2463 | * | ||
2464 | * @param purpose what is the purpose that the signature should have? | ||
2465 | * @param validate block to validate (size, purpose, data) | ||
2466 | * @param sig signature that is being validated | ||
2467 | * @param pub public key of the signer | ||
2468 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
2469 | */ | ||
2470 | enum GNUNET_GenericReturnValue | ||
2471 | GNUNET_CRYPTO_edx25519_verify_ ( | ||
2472 | uint32_t purpose, | ||
2473 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
2474 | const struct GNUNET_CRYPTO_Edx25519Signature *sig, | ||
2475 | const struct GNUNET_CRYPTO_Edx25519PublicKey *pub); | ||
2476 | |||
2477 | |||
2478 | /** | ||
2479 | * @ingroup crypto | ||
2480 | * @brief Verify Edx25519 signature. | ||
2481 | * | ||
2482 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
2483 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
2484 | * number of bytes of the data structure, including its header. | ||
2485 | * | ||
2486 | * @param purp purpose of the signature, must match 'ps->purpose.purpose' | ||
2487 | * (except in host byte order) | ||
2488 | * @param priv private key to use for the signing | ||
2489 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
2490 | * @param sig where to write the signature | ||
2491 | */ | ||
2492 | #define GNUNET_CRYPTO_edx25519_verify(purp,ps,sig,pub) ({ \ | ||
2493 | /* check size is set correctly */ \ | ||
2494 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
2495 | /* check 'ps' begins with the purpose */ \ | ||
2496 | GNUNET_static_assert (((void*) (ps)) == \ | ||
2497 | ((void*) &(ps)->purpose)); \ | ||
2498 | GNUNET_CRYPTO_edx25519_verify_ (purp, \ | ||
2499 | &(ps)->purpose, \ | ||
2500 | sig, \ | ||
2501 | pub); \ | ||
2502 | }) | ||
2503 | |||
2504 | /** | ||
2505 | * @ingroup crypto | ||
1985 | * Derive a private key from a given private key and a label. | 2506 | * Derive a private key from a given private key and a label. |
1986 | * Essentially calculates a private key 'h = H(l,P) * d mod n' | 2507 | * Essentially calculates a private key 'h = H(l,P) * d mod n' |
1987 | * where n is the size of the ECC group and P is the public | 2508 | * where n is the size of the ECC group and P is the public |
@@ -2018,6 +2539,26 @@ GNUNET_CRYPTO_ecdsa_public_key_derive ( | |||
2018 | const char *context, | 2539 | const char *context, |
2019 | struct GNUNET_CRYPTO_EcdsaPublicKey *result); | 2540 | struct GNUNET_CRYPTO_EcdsaPublicKey *result); |
2020 | 2541 | ||
2542 | /** | ||
2543 | * This is a signature function for ECDSA which takes a | ||
2544 | * private key, derives/blinds it and signs the message. | ||
2545 | * | ||
2546 | * @param pkey original private key | ||
2547 | * @param label label to use for key deriviation | ||
2548 | * @param context additional context to use for HKDF of 'h'; | ||
2549 | * typically the name of the subsystem/application | ||
2550 | * @param purpose the signature purpose | ||
2551 | * @param sig the resulting signature | ||
2552 | * @return GNUNET_OK on success | ||
2553 | */ | ||
2554 | enum GNUNET_GenericReturnValue | ||
2555 | GNUNET_CRYPTO_ecdsa_sign_derived ( | ||
2556 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey, | ||
2557 | const char *label, | ||
2558 | const char *context, | ||
2559 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
2560 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | ||
2561 | |||
2021 | 2562 | ||
2022 | /** | 2563 | /** |
2023 | * @ingroup crypto | 2564 | * @ingroup crypto |
@@ -2063,23 +2604,23 @@ GNUNET_CRYPTO_eddsa_public_key_derive ( | |||
2063 | 2604 | ||
2064 | 2605 | ||
2065 | /** | 2606 | /** |
2066 | * This is a signature function for EdDSA which takes the | 2607 | * This is a signature function for EdDSA which takes a |
2067 | * secret scalar sk instead of the private seed which is | 2608 | * private key and derives it using the label and context |
2068 | * usually the case for crypto APIs. We require this functionality | 2609 | * before signing. |
2069 | * in order to use derived private keys for signatures we | ||
2070 | * cannot calculate the inverse of a sk to find the seed | ||
2071 | * efficiently. | ||
2072 | * | ||
2073 | * The resulting signature is a standard EdDSA signature | ||
2074 | * which can be verified using the usual APIs. | ||
2075 | * | 2610 | * |
2076 | * @param sk the secret scalar | 2611 | * @param pkey original private key |
2077 | * @param purp the signature purpose | 2612 | * @param label label to use for key deriviation |
2613 | * @param context additional context to use for HKDF of 'h'; | ||
2614 | * typically the name of the subsystem/application | ||
2615 | * @param purpose the signature purpose | ||
2078 | * @param sig the resulting signature | 2616 | * @param sig the resulting signature |
2617 | * @return GNUNET_OK on success | ||
2079 | */ | 2618 | */ |
2080 | void | 2619 | enum GNUNET_GenericReturnValue |
2081 | GNUNET_CRYPTO_eddsa_sign_with_scalar ( | 2620 | GNUNET_CRYPTO_eddsa_sign_derived ( |
2082 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv, | 2621 | const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey, |
2622 | const char *label, | ||
2623 | const char *context, | ||
2083 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | 2624 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, |
2084 | struct GNUNET_CRYPTO_EddsaSignature *sig); | 2625 | struct GNUNET_CRYPTO_EddsaSignature *sig); |
2085 | 2626 | ||
@@ -2095,6 +2636,134 @@ GNUNET_CRYPTO_eddsa_key_get_public_from_scalar ( | |||
2095 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *s, | 2636 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *s, |
2096 | struct GNUNET_CRYPTO_EddsaPublicKey *pkey); | 2637 | struct GNUNET_CRYPTO_EddsaPublicKey *pkey); |
2097 | 2638 | ||
2639 | /** | ||
2640 | * @ingroup crypto | ||
2641 | * Derive a private scalar from a given private key and a label. | ||
2642 | * Essentially calculates a private key 'h = H(l,P) * d mod n' | ||
2643 | * where n is the size of the ECC group and P is the public | ||
2644 | * key associated with the private key 'd'. | ||
2645 | * | ||
2646 | * @param priv original private key | ||
2647 | * @param seed input seed | ||
2648 | * @param seedsize size of the seed | ||
2649 | * @param result derived private key | ||
2650 | */ | ||
2651 | void | ||
2652 | GNUNET_CRYPTO_edx25519_private_key_derive ( | ||
2653 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
2654 | const void *seed, | ||
2655 | size_t seedsize, | ||
2656 | struct GNUNET_CRYPTO_Edx25519PrivateKey *result); | ||
2657 | |||
2658 | |||
2659 | /** | ||
2660 | * @ingroup crypto | ||
2661 | * Derive a public key from a given public key and a label. | ||
2662 | * Essentially calculates a public key 'V = H(l,P) * P'. | ||
2663 | * | ||
2664 | * @param pub original public key | ||
2665 | * @param seed input seed | ||
2666 | * @param seedsize size of the seed | ||
2667 | * @param result where to write the derived public key | ||
2668 | */ | ||
2669 | void | ||
2670 | GNUNET_CRYPTO_edx25519_public_key_derive ( | ||
2671 | const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, | ||
2672 | const void *seed, | ||
2673 | size_t seedsize, | ||
2674 | struct GNUNET_CRYPTO_Edx25519PublicKey *result); | ||
2675 | |||
2676 | |||
2677 | /** | ||
2678 | * @ingroup crypto | ||
2679 | * Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. | ||
2680 | * | ||
2681 | * @param representative serialized elligator representative of an element of Curves25519's finite field | ||
2682 | * @param point destination for the calculated point on the curve | ||
2683 | * @param high_y bool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed. | ||
2684 | */ | ||
2685 | void | ||
2686 | GNUNET_CRYPTO_ecdhe_elligator_decoding ( | ||
2687 | struct GNUNET_CRYPTO_EcdhePublicKey *point, | ||
2688 | bool *high_y, | ||
2689 | const struct GNUNET_CRYPTO_ElligatorRepresentative *representative); | ||
2690 | |||
2691 | /** | ||
2692 | * @ingroup crypto | ||
2693 | * Encodes a point on Curve25519 to a an element of the underlying finite field. | ||
2694 | * This transformation is deterministic. | ||
2695 | * | ||
2696 | * @param r storage for the calculated representative | ||
2697 | * @param pub a point on the curve | ||
2698 | * @param high_y encodes if y-coordinate is > 2 ^254 - 10, which determines the representative value out of two | ||
2699 | * @return 'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined | ||
2700 | */ | ||
2701 | bool | ||
2702 | GNUNET_CRYPTO_ecdhe_elligator_encoding ( | ||
2703 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2704 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2705 | bool high_y); | ||
2706 | |||
2707 | |||
2708 | /** | ||
2709 | * @ingroup crypto | ||
2710 | * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. | ||
2711 | * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key. | ||
2712 | * | ||
2713 | * @param pub valid public key for elligator inverse map | ||
2714 | * @param pk private key for generating valid public key | ||
2715 | * @return GNUNET_OK on success | ||
2716 | */ | ||
2717 | enum GNUNET_GenericReturnValue | ||
2718 | GNUNET_CRYPTO_ecdhe_elligator_generate_public_key ( | ||
2719 | struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2720 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2721 | |||
2722 | |||
2723 | /** | ||
2724 | * @ingroup crypto | ||
2725 | * Generates a private key for Curve25519 and the elligator representative of the corresponding public key. | ||
2726 | * | ||
2727 | * @param repr representative of the public key | ||
2728 | * @param pk Curve25519 private key | ||
2729 | */ | ||
2730 | void | ||
2731 | GNUNET_CRYPTO_ecdhe_elligator_key_create ( | ||
2732 | struct GNUNET_CRYPTO_ElligatorRepresentative *repr, | ||
2733 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2734 | |||
2735 | /** | ||
2736 | * @ingroup crypto | ||
2737 | * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. | ||
2738 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2739 | * | ||
2740 | * @param pub given edwards curve public key (X) | ||
2741 | * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG) | ||
2742 | * @param key_material where to write the key material H(aX)=H(x(aG)) | ||
2743 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2744 | */ | ||
2745 | enum GNUNET_GenericReturnValue | ||
2746 | GNUNET_CRYPTO_eddsa_elligator_kem_encaps ( | ||
2747 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2748 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2749 | struct GNUNET_HashCode *key_material); | ||
2750 | |||
2751 | /** | ||
2752 | * @ingroup crypto | ||
2753 | * Carries out ecdh decapsulation with own private key and the representative of the received public key. | ||
2754 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2755 | * | ||
2756 | * @param priv own private key (x) | ||
2757 | * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG) | ||
2758 | * @param key_material where to write the key material H(xA)=H(a(xG)) | ||
2759 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2760 | */ | ||
2761 | enum GNUNET_GenericReturnValue | ||
2762 | GNUNET_CRYPTO_eddsa_elligator_kem_decaps ( | ||
2763 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2764 | const struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2765 | struct GNUNET_HashCode *key_material); | ||
2766 | |||
2098 | 2767 | ||
2099 | /** | 2768 | /** |
2100 | * Output the given MPI value to the given buffer in network | 2769 | * Output the given MPI value to the given buffer in network |
@@ -2162,7 +2831,7 @@ GNUNET_CRYPTO_paillier_encrypt ( | |||
2162 | * @param private_key Private key to use for decryption. | 2831 | * @param private_key Private key to use for decryption. |
2163 | * @param public_key Public key to use for decryption. | 2832 | * @param public_key Public key to use for decryption. |
2164 | * @param ciphertext Ciphertext to decrypt. | 2833 | * @param ciphertext Ciphertext to decrypt. |
2165 | * @param[out] m Decryption of @a ciphertext with @private_key. | 2834 | * @param[out] m Decryption of @a ciphertext with @a private_key. |
2166 | */ | 2835 | */ |
2167 | void | 2836 | void |
2168 | GNUNET_CRYPTO_paillier_decrypt ( | 2837 | GNUNET_CRYPTO_paillier_decrypt ( |
@@ -2173,7 +2842,8 @@ GNUNET_CRYPTO_paillier_decrypt ( | |||
2173 | 2842 | ||
2174 | 2843 | ||
2175 | /** | 2844 | /** |
2176 | * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2 | 2845 | * Compute a ciphertext that represents the sum of the plaintext in @a c1 |
2846 | * and @a c2 | ||
2177 | * | 2847 | * |
2178 | * Note that this operation can only be done a finite number of times | 2848 | * Note that this operation can only be done a finite number of times |
2179 | * before an overflow occurs. | 2849 | * before an overflow occurs. |
@@ -2310,8 +2980,9 @@ GNUNET_CRYPTO_rsa_private_key_get_public ( | |||
2310 | * @param hc where to store the hash code | 2980 | * @param hc where to store the hash code |
2311 | */ | 2981 | */ |
2312 | void | 2982 | void |
2313 | GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key, | 2983 | GNUNET_CRYPTO_rsa_public_key_hash ( |
2314 | struct GNUNET_HashCode *hc); | 2984 | const struct GNUNET_CRYPTO_RsaPublicKey *key, |
2985 | struct GNUNET_HashCode *hc); | ||
2315 | 2986 | ||
2316 | 2987 | ||
2317 | /** | 2988 | /** |
@@ -2416,53 +3087,83 @@ GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1, | |||
2416 | 3087 | ||
2417 | 3088 | ||
2418 | /** | 3089 | /** |
3090 | * @brief RSA Parameters to create blinded signature | ||
3091 | */ | ||
3092 | struct GNUNET_CRYPTO_RsaBlindedMessage | ||
3093 | { | ||
3094 | /** | ||
3095 | * Blinded message to be signed | ||
3096 | * Note: is malloc()'ed! | ||
3097 | */ | ||
3098 | void *blinded_msg; | ||
3099 | |||
3100 | /** | ||
3101 | * Size of the @e blinded_msg to be signed. | ||
3102 | */ | ||
3103 | size_t blinded_msg_size; | ||
3104 | }; | ||
3105 | |||
3106 | |||
3107 | /** | ||
2419 | * Blinds the given message with the given blinding key | 3108 | * Blinds the given message with the given blinding key |
2420 | * | 3109 | * |
2421 | * @param hash hash of the message to sign | 3110 | * @param message the message to sign |
2422 | * @param bkey the blinding key | 3111 | * @param message_size number of bytes in @a message |
3112 | * @param bks the blinding key | ||
2423 | * @param pkey the public key of the signer | 3113 | * @param pkey the public key of the signer |
2424 | * @param[out] buf set to a buffer with the blinded message to be signed | 3114 | * @param[out] bm set to the blinded message |
2425 | * @param[out] buf_size number of bytes stored in @a buf | ||
2426 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious | 3115 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious |
2427 | */ | 3116 | */ |
2428 | int | 3117 | enum GNUNET_GenericReturnValue |
2429 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 3118 | GNUNET_CRYPTO_rsa_blind (const void *message, |
3119 | size_t message_size, | ||
2430 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, | 3120 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
2431 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 3121 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
2432 | void **buf, | 3122 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2433 | size_t *buf_size); | ||
2434 | 3123 | ||
2435 | 3124 | ||
2436 | /** | 3125 | /** |
2437 | * Sign a blinded value, which must be a full domain hash of a message. | 3126 | * Sign a blinded value, which must be a full domain hash of a message. |
2438 | * | 3127 | * |
2439 | * @param key private key to use for the signing | 3128 | * @param key private key to use for the signing |
2440 | * @param msg the (blinded) message to sign | 3129 | * @param bm the (blinded) message to sign |
2441 | * @param msg_len number of bytes in @a msg to sign | ||
2442 | * @return NULL on error, signature on success | 3130 | * @return NULL on error, signature on success |
2443 | */ | 3131 | */ |
2444 | struct GNUNET_CRYPTO_RsaSignature * | 3132 | struct GNUNET_CRYPTO_RsaSignature * |
2445 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3133 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2446 | const void *msg, | 3134 | const struct |
2447 | size_t msg_len); | 3135 | GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2448 | 3136 | ||
2449 | 3137 | ||
2450 | /** | 3138 | /** |
2451 | * Create and sign a full domain hash of a message. | 3139 | * Create and sign a full domain hash of a message. |
2452 | * | 3140 | * |
2453 | * @param key private key to use for the signing | 3141 | * @param key private key to use for the signing |
2454 | * @param hash the hash of the message to sign | 3142 | * @param message the message to sign |
3143 | * @param message_size number of bytes in @a message | ||
2455 | * @return NULL on error, including a malicious RSA key, signature on success | 3144 | * @return NULL on error, including a malicious RSA key, signature on success |
2456 | */ | 3145 | */ |
2457 | struct GNUNET_CRYPTO_RsaSignature * | 3146 | struct GNUNET_CRYPTO_RsaSignature * |
2458 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3147 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2459 | const struct GNUNET_HashCode *hash); | 3148 | const void *message, |
3149 | size_t message_size); | ||
3150 | |||
3151 | |||
3152 | /** | ||
3153 | * Free memory occupied by blinded message. Only frees contents, not | ||
3154 | * @a bm itself. | ||
3155 | * | ||
3156 | * @param[in] bm memory to free | ||
3157 | */ | ||
3158 | void | ||
3159 | GNUNET_CRYPTO_rsa_blinded_message_free ( | ||
3160 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); | ||
2460 | 3161 | ||
2461 | 3162 | ||
2462 | /** | 3163 | /** |
2463 | * Free memory occupied by signature. | 3164 | * Free memory occupied by signature. |
2464 | * | 3165 | * |
2465 | * @param sig memory to free | 3166 | * @param[in] sig memory to free |
2466 | */ | 3167 | */ |
2467 | void | 3168 | void |
2468 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); | 3169 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); |
@@ -2490,8 +3191,9 @@ GNUNET_CRYPTO_rsa_signature_encode ( | |||
2490 | * @return NULL on error | 3191 | * @return NULL on error |
2491 | */ | 3192 | */ |
2492 | struct GNUNET_CRYPTO_RsaSignature * | 3193 | struct GNUNET_CRYPTO_RsaSignature * |
2493 | GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | 3194 | GNUNET_CRYPTO_rsa_signature_decode ( |
2494 | size_t buf_size); | 3195 | const void *buf, |
3196 | size_t buf_size); | ||
2495 | 3197 | ||
2496 | 3198 | ||
2497 | /** | 3199 | /** |
@@ -2501,7 +3203,8 @@ GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | |||
2501 | * @return the duplicate key; NULL upon error | 3203 | * @return the duplicate key; NULL upon error |
2502 | */ | 3204 | */ |
2503 | struct GNUNET_CRYPTO_RsaSignature * | 3205 | struct GNUNET_CRYPTO_RsaSignature * |
2504 | GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig); | 3206 | GNUNET_CRYPTO_rsa_signature_dup ( |
3207 | const struct GNUNET_CRYPTO_RsaSignature *sig); | ||
2505 | 3208 | ||
2506 | 3209 | ||
2507 | /** | 3210 | /** |
@@ -2524,13 +3227,15 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig, | |||
2524 | * Verify whether the given hash corresponds to the given signature and the | 3227 | * Verify whether the given hash corresponds to the given signature and the |
2525 | * signature is valid with respect to the given public key. | 3228 | * signature is valid with respect to the given public key. |
2526 | * | 3229 | * |
2527 | * @param hash the message to verify to match the @a sig | 3230 | * @param message the message to sign |
3231 | * @param message_size number of bytes in @a message | ||
2528 | * @param sig signature that is being validated | 3232 | * @param sig signature that is being validated |
2529 | * @param public_key public key of the signer | 3233 | * @param public_key public key of the signer |
2530 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature | 3234 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature |
2531 | */ | 3235 | */ |
2532 | enum GNUNET_GenericReturnValue | 3236 | enum GNUNET_GenericReturnValue |
2533 | GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | 3237 | GNUNET_CRYPTO_rsa_verify (const void *message, |
3238 | size_t message_size, | ||
2534 | const struct GNUNET_CRYPTO_RsaSignature *sig, | 3239 | const struct GNUNET_CRYPTO_RsaSignature *sig, |
2535 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); | 3240 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); |
2536 | 3241 | ||
@@ -2551,9 +3256,9 @@ GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv); | |||
2551 | * @param[out] pub where to write the public key | 3256 | * @param[out] pub where to write the public key |
2552 | */ | 3257 | */ |
2553 | void | 3258 | void |
2554 | GNUNET_CRYPTO_cs_private_key_get_public (const struct | 3259 | GNUNET_CRYPTO_cs_private_key_get_public ( |
2555 | GNUNET_CRYPTO_CsPrivateKey *priv, | 3260 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, |
2556 | struct GNUNET_CRYPTO_CsPublicKey *pub); | 3261 | struct GNUNET_CRYPTO_CsPublicKey *pub); |
2557 | 3262 | ||
2558 | 3263 | ||
2559 | /** | 3264 | /** |
@@ -2565,13 +3270,16 @@ GNUNET_CRYPTO_cs_private_key_get_public (const struct | |||
2565 | * Comment: Can be done in one HKDF shot and split output. | 3270 | * Comment: Can be done in one HKDF shot and split output. |
2566 | * | 3271 | * |
2567 | * @param nonce is a random nonce | 3272 | * @param nonce is a random nonce |
3273 | * @param seed seed to use in derivation | ||
2568 | * @param lts is a long-term-secret in form of a private key | 3274 | * @param lts is a long-term-secret in form of a private key |
2569 | * @param[out] r array containing derived secrets r0 and r1 | 3275 | * @param[out] r array containing derived secrets r0 and r1 |
2570 | */ | 3276 | */ |
2571 | void | 3277 | void |
2572 | GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | 3278 | GNUNET_CRYPTO_cs_r_derive ( |
2573 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | 3279 | const struct GNUNET_CRYPTO_CsSessionNonce *nonce, |
2574 | struct GNUNET_CRYPTO_CsRSecret r[2]); | 3280 | const char *seed, |
3281 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | ||
3282 | struct GNUNET_CRYPTO_CsRSecret r[2]); | ||
2575 | 3283 | ||
2576 | 3284 | ||
2577 | /** | 3285 | /** |
@@ -2581,28 +3289,57 @@ GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | |||
2581 | * @param[out] r_pub where to write the public key | 3289 | * @param[out] r_pub where to write the public key |
2582 | */ | 3290 | */ |
2583 | void | 3291 | void |
2584 | GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, | 3292 | GNUNET_CRYPTO_cs_r_get_public ( |
2585 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | 3293 | const struct GNUNET_CRYPTO_CsRSecret *r_priv, |
3294 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | ||
3295 | |||
2586 | 3296 | ||
2587 | /** | 3297 | /** |
2588 | * Derives new random blinding factors. | 3298 | * Derives new random blinding factors. |
2589 | * In original papers blinding factors are generated randomly | 3299 | * In original papers blinding factors are generated randomly |
2590 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE | 3300 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE. |
2591 | * To ensure unpredictability a new nonce has to be used. | 3301 | * To ensure unpredictability a new nonce has to be used. |
2592 | * Uses HKDF internally | 3302 | * Uses HKDF internally. |
2593 | * | 3303 | * |
2594 | * @param blind_seed is the blinding seed to derive blinding factors | 3304 | * @param blind_seed is the blinding seed to derive blinding factors |
2595 | * @param[out] bs array containing the two derived blinding secrets | 3305 | * @param[out] bs array containing the two derived blinding secrets |
2596 | */ | 3306 | */ |
2597 | void | 3307 | void |
2598 | GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct | 3308 | GNUNET_CRYPTO_cs_blinding_secrets_derive ( |
2599 | GNUNET_CRYPTO_CsNonce *blind_seed, | 3309 | const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, |
2600 | struct GNUNET_CRYPTO_CsBlindingSecret | 3310 | struct GNUNET_CRYPTO_CsBlindingSecret bs[2]); |
2601 | bs[2]); | ||
2602 | 3311 | ||
2603 | 3312 | ||
2604 | /** | 3313 | /** |
2605 | * Calculate two blinded c's | 3314 | * @brief CS Parameters derived from the message |
3315 | * during blinding to create blinded signature | ||
3316 | */ | ||
3317 | struct GNUNET_CRYPTO_CsBlindedMessage | ||
3318 | { | ||
3319 | /** | ||
3320 | * The Clause Schnorr c_0 and c_1 containing the blinded message | ||
3321 | */ | ||
3322 | struct GNUNET_CRYPTO_CsC c[2]; | ||
3323 | |||
3324 | /** | ||
3325 | * Nonce used in initial request. | ||
3326 | */ | ||
3327 | struct GNUNET_CRYPTO_CsSessionNonce nonce; | ||
3328 | |||
3329 | }; | ||
3330 | |||
3331 | |||
3332 | /** | ||
3333 | * Pair of Public R values for Cs denominations | ||
3334 | */ | ||
3335 | struct GNUNET_CRYPTO_CSPublicRPairP | ||
3336 | { | ||
3337 | struct GNUNET_CRYPTO_CsRPublic r_pub[2]; | ||
3338 | }; | ||
3339 | |||
3340 | |||
3341 | /** | ||
3342 | * Calculate two blinded c's. | ||
2606 | * Comment: One would be insecure due to Wagner's algorithm solving ROS | 3343 | * Comment: One would be insecure due to Wagner's algorithm solving ROS |
2607 | * | 3344 | * |
2608 | * @param bs array of the two blinding factor structs each containing alpha and beta | 3345 | * @param bs array of the two blinding factor structs each containing alpha and beta |
@@ -2611,44 +3348,59 @@ GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct | |||
2611 | * @param msg the message to blind in preparation for signing | 3348 | * @param msg the message to blind in preparation for signing |
2612 | * @param msg_len length of message msg | 3349 | * @param msg_len length of message msg |
2613 | * @param[out] blinded_c array of the two blinded c's | 3350 | * @param[out] blinded_c array of the two blinded c's |
2614 | * @param[out] blinded_r_pub array of the two blinded R | 3351 | * @param[out] r_pub_blind array of the two blinded R |
2615 | */ | 3352 | */ |
2616 | void | 3353 | void |
2617 | GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret | 3354 | GNUNET_CRYPTO_cs_calc_blinded_c ( |
2618 | bs[2], | 3355 | const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], |
2619 | const struct GNUNET_CRYPTO_CsRPublic r_pub[2], | 3356 | const struct GNUNET_CRYPTO_CsRPublic r_pub[2], |
2620 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | 3357 | const struct GNUNET_CRYPTO_CsPublicKey *pub, |
2621 | const void *msg, | 3358 | const void *msg, |
2622 | size_t msg_len, | 3359 | size_t msg_len, |
2623 | struct GNUNET_CRYPTO_CsC blinded_c[2], | 3360 | struct GNUNET_CRYPTO_CsC blinded_c[2], |
2624 | struct GNUNET_CRYPTO_CsRPublic | 3361 | struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind); |
2625 | blinded_r_pub[2]); | 3362 | |
3363 | |||
3364 | /** | ||
3365 | * The Sign Answer for Clause Blind Schnorr signature. | ||
3366 | * The sign operation returns a parameter @param b and the signature | ||
3367 | * scalar @param s_scalar. | ||
3368 | */ | ||
3369 | struct GNUNET_CRYPTO_CsBlindSignature | ||
3370 | { | ||
3371 | /** | ||
3372 | * To make ROS problem harder, the signer chooses an unpredictable b and | ||
3373 | * only calculates signature of c_b | ||
3374 | */ | ||
3375 | unsigned int b; | ||
3376 | |||
3377 | /** | ||
3378 | * The blinded s scalar calculated from c_b | ||
3379 | */ | ||
3380 | struct GNUNET_CRYPTO_CsBlindS s_scalar; | ||
3381 | }; | ||
2626 | 3382 | ||
2627 | 3383 | ||
2628 | /** | 3384 | /** |
2629 | * Sign a blinded c | 3385 | * Sign a blinded @a c. |
2630 | * This function derives b from a nonce and a longterm secret | 3386 | * This function derives b from a nonce and a longterm secret. |
2631 | * In original papers b is generated randomly | 3387 | * In the original papers b is generated randomly. |
2632 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. | 3388 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. |
2633 | * To ensure unpredictability a new nonce has to be used for every signature | 3389 | * To ensure unpredictability a new nonce has to be used for every signature. |
2634 | * HKDF is used internally for derivation | 3390 | * HKDF is used internally for derivation. |
2635 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive | 3391 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive. |
2636 | * | 3392 | * |
2637 | * @param priv private key to use for the signing and as LTS in HKDF | 3393 | * @param priv private key to use for the signing and as LTS in HKDF |
2638 | * @param r array of the two secret nonce from the signer | 3394 | * @param r array of the two secret inputs from the signer |
2639 | * @param c array of the two blinded c to sign c_b | 3395 | * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce |
2640 | * @param nonce is a random nonce | 3396 | * @param[out] cs_blind_sig where to write the blind signature |
2641 | * @param[out] blinded_signature_scalar where to write the signature | ||
2642 | * @return 0 or 1 for b (see Clause Blind Signature Scheme) | ||
2643 | */ | 3397 | */ |
2644 | unsigned int | 3398 | void |
2645 | GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, | 3399 | GNUNET_CRYPTO_cs_sign_derive ( |
2646 | const struct GNUNET_CRYPTO_CsRSecret r[2], | 3400 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, |
2647 | const struct GNUNET_CRYPTO_CsC c[2], | 3401 | const struct GNUNET_CRYPTO_CsRSecret r[2], |
2648 | const struct GNUNET_CRYPTO_CsNonce *nonce, | 3402 | const struct GNUNET_CRYPTO_CsBlindedMessage *bm, |
2649 | struct GNUNET_CRYPTO_CsBlindS * | 3403 | struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig); |
2650 | blinded_signature_scalar | ||
2651 | ); | ||
2652 | 3404 | ||
2653 | 3405 | ||
2654 | /** | 3406 | /** |
@@ -2659,10 +3411,10 @@ GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, | |||
2659 | * @param[out] signature_scalar where to write the unblinded signature | 3411 | * @param[out] signature_scalar where to write the unblinded signature |
2660 | */ | 3412 | */ |
2661 | void | 3413 | void |
2662 | GNUNET_CRYPTO_cs_unblind (const struct | 3414 | GNUNET_CRYPTO_cs_unblind ( |
2663 | GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, | 3415 | const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, |
2664 | const struct GNUNET_CRYPTO_CsBlindingSecret *bs, | 3416 | const struct GNUNET_CRYPTO_CsBlindingSecret *bs, |
2665 | struct GNUNET_CRYPTO_CsS *signature_scalar); | 3417 | struct GNUNET_CRYPTO_CsS *signature_scalar); |
2666 | 3418 | ||
2667 | 3419 | ||
2668 | /** | 3420 | /** |
@@ -2676,12 +3428,1066 @@ GNUNET_CRYPTO_cs_unblind (const struct | |||
2676 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid | 3428 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid |
2677 | */ | 3429 | */ |
2678 | enum GNUNET_GenericReturnValue | 3430 | enum GNUNET_GenericReturnValue |
2679 | GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | 3431 | GNUNET_CRYPTO_cs_verify ( |
2680 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | 3432 | const struct GNUNET_CRYPTO_CsSignature *sig, |
2681 | const void *msg, | 3433 | const struct GNUNET_CRYPTO_CsPublicKey *pub, |
2682 | size_t msg_len); | 3434 | const void *msg, |
3435 | size_t msg_len); | ||
3436 | |||
3437 | |||
3438 | /** | ||
3439 | * Types of public keys used for blind signatures. | ||
3440 | */ | ||
3441 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm | ||
3442 | { | ||
3443 | |||
3444 | /** | ||
3445 | * Invalid type of signature. | ||
3446 | */ | ||
3447 | GNUNET_CRYPTO_BSA_INVALID = 0, | ||
3448 | |||
3449 | /** | ||
3450 | * RSA blind signature. | ||
3451 | */ | ||
3452 | GNUNET_CRYPTO_BSA_RSA = 1, | ||
3453 | |||
3454 | /** | ||
3455 | * Clause Blind Schnorr signature. | ||
3456 | */ | ||
3457 | GNUNET_CRYPTO_BSA_CS = 2 | ||
3458 | }; | ||
3459 | |||
3460 | |||
3461 | /** | ||
3462 | * @brief Type of (unblinded) signatures. | ||
3463 | */ | ||
3464 | struct GNUNET_CRYPTO_UnblindedSignature | ||
3465 | { | ||
3466 | |||
3467 | /** | ||
3468 | * Type of the signature. | ||
3469 | */ | ||
3470 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3471 | |||
3472 | /** | ||
3473 | * Reference counter. | ||
3474 | */ | ||
3475 | unsigned int rc; | ||
3476 | |||
3477 | /** | ||
3478 | * Details, depending on @e cipher. | ||
3479 | */ | ||
3480 | union | ||
3481 | { | ||
3482 | /** | ||
3483 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3484 | */ | ||
3485 | struct GNUNET_CRYPTO_CsSignature cs_signature; | ||
3486 | |||
3487 | /** | ||
3488 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3489 | */ | ||
3490 | struct GNUNET_CRYPTO_RsaSignature *rsa_signature; | ||
3491 | |||
3492 | } details; | ||
3493 | |||
3494 | }; | ||
3495 | |||
3496 | |||
3497 | /** | ||
3498 | * @brief Type for *blinded* signatures. | ||
3499 | * Must be unblinded before it becomes valid. | ||
3500 | */ | ||
3501 | struct GNUNET_CRYPTO_BlindedSignature | ||
3502 | { | ||
3503 | |||
3504 | /** | ||
3505 | * Type of the signature. | ||
3506 | */ | ||
3507 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3508 | |||
3509 | /** | ||
3510 | * Reference counter. | ||
3511 | */ | ||
3512 | unsigned int rc; | ||
3513 | |||
3514 | /** | ||
3515 | * Details, depending on @e cipher. | ||
3516 | */ | ||
3517 | union | ||
3518 | { | ||
3519 | /** | ||
3520 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3521 | * At this point only the blinded s scalar is used. | ||
3522 | * The final signature consisting of r,s is built after unblinding. | ||
3523 | */ | ||
3524 | struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer; | ||
3525 | |||
3526 | /** | ||
3527 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3528 | */ | ||
3529 | struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature; | ||
3530 | |||
3531 | } details; | ||
3532 | |||
3533 | }; | ||
3534 | |||
3535 | |||
3536 | /** | ||
3537 | * @brief Type of public signing keys for blind signatures. | ||
3538 | */ | ||
3539 | struct GNUNET_CRYPTO_BlindSignPublicKey | ||
3540 | { | ||
3541 | |||
3542 | /** | ||
3543 | * Type of the public key. | ||
3544 | */ | ||
3545 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3546 | |||
3547 | /** | ||
3548 | * Reference counter. | ||
3549 | */ | ||
3550 | unsigned int rc; | ||
3551 | |||
3552 | /** | ||
3553 | * Hash of the public key. | ||
3554 | */ | ||
3555 | struct GNUNET_HashCode pub_key_hash; | ||
3556 | |||
3557 | /** | ||
3558 | * Details, depending on @e cipher. | ||
3559 | */ | ||
3560 | union | ||
3561 | { | ||
3562 | /** | ||
3563 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3564 | */ | ||
3565 | struct GNUNET_CRYPTO_CsPublicKey cs_public_key; | ||
3566 | |||
3567 | /** | ||
3568 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3569 | */ | ||
3570 | struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key; | ||
3571 | |||
3572 | } details; | ||
3573 | }; | ||
3574 | |||
3575 | |||
3576 | /** | ||
3577 | * @brief Type of private signing keys for blind signing. | ||
3578 | */ | ||
3579 | struct GNUNET_CRYPTO_BlindSignPrivateKey | ||
3580 | { | ||
3581 | |||
3582 | /** | ||
3583 | * Type of the public key. | ||
3584 | */ | ||
3585 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3586 | |||
3587 | /** | ||
3588 | * Reference counter. | ||
3589 | */ | ||
3590 | unsigned int rc; | ||
3591 | |||
3592 | /** | ||
3593 | * Details, depending on @e cipher. | ||
3594 | */ | ||
3595 | union | ||
3596 | { | ||
3597 | /** | ||
3598 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3599 | */ | ||
3600 | struct GNUNET_CRYPTO_CsPrivateKey cs_private_key; | ||
3601 | |||
3602 | /** | ||
3603 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3604 | */ | ||
3605 | struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key; | ||
3606 | |||
3607 | } details; | ||
3608 | }; | ||
3609 | |||
3610 | |||
3611 | /** | ||
3612 | * @brief Blinded message ready for blind signing. | ||
3613 | */ | ||
3614 | struct GNUNET_CRYPTO_BlindedMessage | ||
3615 | { | ||
3616 | /** | ||
3617 | * Type of the sign blinded message | ||
3618 | */ | ||
3619 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3620 | |||
3621 | /** | ||
3622 | * Reference counter. | ||
3623 | */ | ||
3624 | unsigned int rc; | ||
3625 | |||
3626 | /** | ||
3627 | * Details, depending on @e cipher. | ||
3628 | */ | ||
3629 | union | ||
3630 | { | ||
3631 | /** | ||
3632 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3633 | */ | ||
3634 | struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message; | ||
3635 | |||
3636 | /** | ||
3637 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3638 | */ | ||
3639 | struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message; | ||
3640 | |||
3641 | } details; | ||
3642 | }; | ||
3643 | |||
3644 | |||
3645 | /** | ||
3646 | * Secret r for Cs denominations | ||
3647 | */ | ||
3648 | struct GNUNET_CRYPTO_CSPrivateRPairP | ||
3649 | { | ||
3650 | struct GNUNET_CRYPTO_CsRSecret r[2]; | ||
3651 | }; | ||
3652 | |||
3653 | |||
3654 | /** | ||
3655 | * @brief Input needed for blinding a message. | ||
3656 | */ | ||
3657 | struct GNUNET_CRYPTO_BlindingInputValues | ||
3658 | { | ||
3659 | |||
3660 | /** | ||
3661 | * Type of the signature. | ||
3662 | */ | ||
3663 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3664 | |||
3665 | /** | ||
3666 | * Reference counter. | ||
3667 | */ | ||
3668 | unsigned int rc; | ||
3669 | |||
3670 | /** | ||
3671 | * Details, depending on @e cipher. | ||
3672 | */ | ||
3673 | union | ||
3674 | { | ||
3675 | /** | ||
3676 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3677 | */ | ||
3678 | struct GNUNET_CRYPTO_CSPublicRPairP cs_values; | ||
3679 | |||
3680 | } details; | ||
3681 | |||
3682 | }; | ||
3683 | |||
3684 | |||
3685 | /** | ||
3686 | * Nonce used to deterministiacally derive input values | ||
3687 | * used in multi-round blind signature protocols. | ||
3688 | */ | ||
3689 | union GNUNET_CRYPTO_BlindSessionNonce | ||
3690 | { | ||
3691 | /** | ||
3692 | * Nonce used when signing with CS. | ||
3693 | */ | ||
3694 | struct GNUNET_CRYPTO_CsSessionNonce cs_nonce; | ||
3695 | }; | ||
3696 | |||
3697 | |||
3698 | /** | ||
3699 | * Compute blinding input values for a given @a nonce and | ||
3700 | * @a salt. | ||
3701 | * | ||
3702 | * @param bsign_priv private key to compute input values for | ||
3703 | * @param nonce session nonce to derive input values from | ||
3704 | * @param salt salt to include in derivation logic | ||
3705 | * @return blinding input values | ||
3706 | */ | ||
3707 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3708 | GNUNET_CRYPTO_get_blinding_input_values ( | ||
3709 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3710 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3711 | const char *salt); | ||
3712 | |||
3713 | |||
3714 | /** | ||
3715 | * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero. | ||
3716 | * | ||
3717 | * @param[in] bsign_pub key to free | ||
3718 | */ | ||
3719 | void | ||
3720 | GNUNET_CRYPTO_blind_sign_pub_decref ( | ||
3721 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3722 | |||
3723 | |||
3724 | /** | ||
3725 | * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero. | ||
3726 | * | ||
3727 | * @param[in] bsign_priv key to free | ||
3728 | */ | ||
3729 | void | ||
3730 | GNUNET_CRYPTO_blind_sign_priv_decref ( | ||
3731 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3732 | |||
3733 | |||
3734 | /** | ||
3735 | * Decrement reference counter of a @a ub_sig, and free it if it reaches zero. | ||
3736 | * | ||
3737 | * @param[in] ub_sig signature to free | ||
3738 | */ | ||
3739 | void | ||
3740 | GNUNET_CRYPTO_unblinded_sig_decref ( | ||
3741 | struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3742 | |||
3743 | |||
3744 | /** | ||
3745 | * Decrement reference counter of a @a blind_sig, and free it if it reaches zero. | ||
3746 | * | ||
3747 | * @param[in] blind_sig signature to free | ||
3748 | */ | ||
3749 | void | ||
3750 | GNUNET_CRYPTO_blinded_sig_decref ( | ||
3751 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3752 | |||
3753 | |||
3754 | /** | ||
3755 | * Decrement reference counter of a @a bm, and free it if it reaches zero. | ||
3756 | * | ||
3757 | * @param[in] bm blinded message to free | ||
3758 | */ | ||
3759 | void | ||
3760 | GNUNET_CRYPTO_blinded_message_decref ( | ||
3761 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3762 | |||
3763 | |||
3764 | /** | ||
3765 | * Increment reference counter of the given @a bm. | ||
3766 | * | ||
3767 | * @param[in,out] bm blinded message to increment reference counter for | ||
3768 | * @return alias of @a bm with RC incremented | ||
3769 | */ | ||
3770 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3771 | GNUNET_CRYPTO_blinded_message_incref ( | ||
3772 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3773 | |||
3774 | |||
3775 | /** | ||
3776 | * Increment reference counter of the given @a bi. | ||
3777 | * | ||
3778 | * @param[in,out] bi blinding input values to increment reference counter for | ||
3779 | * @return alias of @a bi with RC incremented | ||
3780 | */ | ||
3781 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3782 | GNUNET_CRYPTO_blinding_input_values_incref ( | ||
3783 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3784 | |||
3785 | |||
3786 | /** | ||
3787 | * Decrement reference counter of the given @a bi, and free it if it reaches | ||
3788 | * zero. | ||
3789 | * | ||
3790 | * @param[in,out] bi blinding input values to decrement reference counter for | ||
3791 | */ | ||
3792 | void | ||
3793 | GNUNET_CRYPTO_blinding_input_values_decref ( | ||
3794 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3795 | |||
3796 | |||
3797 | /** | ||
3798 | * Increment reference counter of the given @a bsign_pub. | ||
3799 | * | ||
3800 | * @param[in,out] bsign_pub public key to increment reference counter for | ||
3801 | * @return alias of @a bsign_pub with RC incremented | ||
3802 | */ | ||
3803 | struct GNUNET_CRYPTO_BlindSignPublicKey * | ||
3804 | GNUNET_CRYPTO_bsign_pub_incref ( | ||
3805 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3806 | |||
3807 | |||
3808 | /** | ||
3809 | * Increment reference counter of the given @a bsign_priv. | ||
3810 | * | ||
3811 | * @param[in,out] bsign_priv private key to increment reference counter for | ||
3812 | * @return alias of @a bsign_priv with RC incremented | ||
3813 | */ | ||
3814 | struct GNUNET_CRYPTO_BlindSignPrivateKey * | ||
3815 | GNUNET_CRYPTO_bsign_priv_incref ( | ||
3816 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3817 | |||
3818 | |||
3819 | /** | ||
3820 | * Increment reference counter of the given @a ub_sig. | ||
3821 | * | ||
3822 | * @param[in,out] ub_sig signature to increment reference counter for | ||
3823 | * @return alias of @a ub_sig with RC incremented | ||
3824 | */ | ||
3825 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3826 | GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3827 | |||
3828 | |||
3829 | /** | ||
3830 | * Increment reference counter of the given @a blind_sig. | ||
3831 | * | ||
3832 | * @param[in,out] blind_sig signature to increment reference counter for | ||
3833 | * @return alias of @a blind_sig with RC incremented | ||
3834 | */ | ||
3835 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3836 | GNUNET_CRYPTO_blind_sig_incref ( | ||
3837 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3838 | |||
3839 | |||
3840 | /** | ||
3841 | * Compare two denomination public keys. | ||
3842 | * | ||
3843 | * @param bp1 first key | ||
3844 | * @param bp2 second key | ||
3845 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3846 | */ | ||
3847 | int | ||
3848 | GNUNET_CRYPTO_bsign_pub_cmp ( | ||
3849 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1, | ||
3850 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2); | ||
3851 | |||
3852 | |||
3853 | /** | ||
3854 | * Compare two denomination signatures. | ||
3855 | * | ||
3856 | * @param sig1 first signature | ||
3857 | * @param sig2 second signature | ||
3858 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3859 | */ | ||
3860 | int | ||
3861 | GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1, | ||
3862 | const struct GNUNET_CRYPTO_UnblindedSignature *sig2); | ||
3863 | |||
3864 | |||
3865 | /** | ||
3866 | * Compare two blinded denomination signatures. | ||
3867 | * | ||
3868 | * @param sig1 first signature | ||
3869 | * @param sig2 second signature | ||
3870 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3871 | */ | ||
3872 | int | ||
3873 | GNUNET_CRYPTO_blind_sig_cmp ( | ||
3874 | const struct GNUNET_CRYPTO_BlindedSignature *sig1, | ||
3875 | const struct GNUNET_CRYPTO_BlindedSignature *sig2); | ||
3876 | |||
3877 | |||
3878 | /** | ||
3879 | * Compare two blinded messages. | ||
3880 | * | ||
3881 | * @param bp1 first blinded message | ||
3882 | * @param bp2 second blinded message | ||
3883 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3884 | */ | ||
3885 | int | ||
3886 | GNUNET_CRYPTO_blinded_message_cmp ( | ||
3887 | const struct GNUNET_CRYPTO_BlindedMessage *bp1, | ||
3888 | const struct GNUNET_CRYPTO_BlindedMessage *bp2); | ||
3889 | |||
3890 | |||
3891 | /** | ||
3892 | * Initialize public-private key pair for blind signatures. | ||
3893 | * | ||
3894 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3895 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3896 | * be passed. | ||
3897 | * | ||
3898 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3899 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3900 | * @param cipher which type of cipher to use | ||
3901 | * @param ... RSA key size (eg. 2048/3072/4096) | ||
3902 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3903 | */ | ||
3904 | enum GNUNET_GenericReturnValue | ||
3905 | GNUNET_CRYPTO_blind_sign_keys_create ( | ||
3906 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3907 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3908 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3909 | ...); | ||
2683 | 3910 | ||
2684 | 3911 | ||
3912 | /** | ||
3913 | * Initialize public-private key pair for blind signatures. | ||
3914 | * | ||
3915 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3916 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3917 | * be passed. | ||
3918 | * | ||
3919 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3920 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3921 | * @param cipher which type of cipher to use | ||
3922 | * @param ap RSA key size (eg. 2048/3072/4096) | ||
3923 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3924 | */ | ||
3925 | enum GNUNET_GenericReturnValue | ||
3926 | GNUNET_CRYPTO_blind_sign_keys_create_va ( | ||
3927 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3928 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3929 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3930 | va_list ap); | ||
3931 | |||
3932 | |||
3933 | /** | ||
3934 | * @brief Type of blinding secrets. Must be exactly 32 bytes (DB). | ||
3935 | */ | ||
3936 | union GNUNET_CRYPTO_BlindingSecretP | ||
3937 | { | ||
3938 | /** | ||
3939 | * Clause Schnorr nonce. | ||
3940 | */ | ||
3941 | struct GNUNET_CRYPTO_CsBlindingNonce nonce; | ||
3942 | |||
3943 | /** | ||
3944 | * Variant for RSA for blind signatures. | ||
3945 | */ | ||
3946 | struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks; | ||
3947 | }; | ||
3948 | |||
3949 | |||
3950 | /** | ||
3951 | * Blind message for blind signing with @a dk using blinding secret @a coin_bks. | ||
3952 | * | ||
3953 | * @param bsign_pub public key to blind for | ||
3954 | * @param bks blinding secret to use | ||
3955 | * @param nonce nonce used to obtain @a alg_values | ||
3956 | * can be NULL if input values are not used for the cipher | ||
3957 | * @param message message to sign | ||
3958 | * @param message_size number of bytes in @a message | ||
3959 | * @param alg_values algorithm specific values to blind the @a message | ||
3960 | * @return blinded message to give to signer, NULL on error | ||
3961 | */ | ||
3962 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3963 | GNUNET_CRYPTO_message_blind_to_sign ( | ||
3964 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
3965 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3966 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3967 | const void *message, | ||
3968 | size_t message_size, | ||
3969 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values); | ||
3970 | |||
3971 | |||
3972 | /** | ||
3973 | * Create blind signature. | ||
3974 | * | ||
3975 | * @param bsign_priv private key to use for signing | ||
3976 | * @param salt salt value to use for the HKDF, | ||
3977 | * can be NULL if input values are not used for the cipher | ||
3978 | * @param blinded_message the already blinded message to sign | ||
3979 | * @return blind signature with RC=1, NULL on failure | ||
3980 | */ | ||
3981 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3982 | GNUNET_CRYPTO_blind_sign ( | ||
3983 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3984 | const char *salt, | ||
3985 | const struct GNUNET_CRYPTO_BlindedMessage *blinded_message); | ||
3986 | |||
3987 | |||
3988 | /** | ||
3989 | * Unblind blind signature. | ||
3990 | * | ||
3991 | * @param blinded_sig the blind signature | ||
3992 | * @param bks blinding secret to use | ||
3993 | * @param message message that was supposedly signed | ||
3994 | * @param message_size number of bytes in @a message | ||
3995 | * @param alg_values algorithm specific values | ||
3996 | * @param bsign_pub public key used for signing | ||
3997 | * @return unblinded signature with RC=1, NULL on error | ||
3998 | */ | ||
3999 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
4000 | GNUNET_CRYPTO_blind_sig_unblind ( | ||
4001 | const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig, | ||
4002 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
4003 | const void *message, | ||
4004 | size_t message_size, | ||
4005 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values, | ||
4006 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
4007 | |||
4008 | |||
4009 | /** | ||
4010 | * Verify signature made blindly. | ||
4011 | * | ||
4012 | * @param bsign_pub public key | ||
4013 | * @param ub_sig signature made blindly with the private key | ||
4014 | * @param message message that was supposedly signed | ||
4015 | * @param message_size number of bytes in @a message | ||
4016 | * @return #GNUNET_OK if the signature is valid | ||
4017 | */ | ||
4018 | enum GNUNET_GenericReturnValue | ||
4019 | GNUNET_CRYPTO_blind_sig_verify ( | ||
4020 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
4021 | const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig, | ||
4022 | const void *message, | ||
4023 | size_t message_size); | ||
4024 | |||
4025 | |||
4026 | /** | ||
4027 | * Get the compacted length of a #GNUNET_CRYPTO_PublicKey. | ||
4028 | * Compacted means that it returns the minimum number of bytes this | ||
4029 | * key is long, as opposed to the union structure inside | ||
4030 | * #GNUNET_CRYPTO_PublicKey. | ||
4031 | * Useful for compact serializations. | ||
4032 | * | ||
4033 | * @param key the key. | ||
4034 | * @return -1 on error, else the compacted length of the key. | ||
4035 | */ | ||
4036 | ssize_t | ||
4037 | GNUNET_CRYPTO_public_key_get_length (const struct | ||
4038 | GNUNET_CRYPTO_PublicKey *key); | ||
4039 | |||
4040 | /** | ||
4041 | * Reads a #GNUNET_CRYPTO_PublicKey from a compact buffer. | ||
4042 | * The buffer has to contain at least the compacted length of | ||
4043 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4044 | * If the buffer is too small, the function returns -1 as error. | ||
4045 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4046 | * | ||
4047 | * @param buffer the buffer | ||
4048 | * @param len the length of buffer | ||
4049 | * @param key the key | ||
4050 | * @param the amount of bytes read from the buffer | ||
4051 | * @return #GNUNET_SYSERR on error | ||
4052 | */ | ||
4053 | enum GNUNET_GenericReturnValue | ||
4054 | GNUNET_CRYPTO_read_public_key_from_buffer ( | ||
4055 | const void *buffer, | ||
4056 | size_t len, | ||
4057 | struct GNUNET_CRYPTO_PublicKey *key, | ||
4058 | size_t *read); | ||
4059 | |||
4060 | /** | ||
4061 | * Get the compacted length of a #GNUNET_CRYPTO_PrivateKey. | ||
4062 | * Compacted means that it returns the minimum number of bytes this | ||
4063 | * key is long, as opposed to the union structure inside | ||
4064 | * #GNUNET_CRYPTO_PrivateKey. | ||
4065 | * Useful for compact serializations. | ||
4066 | * | ||
4067 | * @param key the key. | ||
4068 | * @return -1 on error, else the compacted length of the key. | ||
4069 | */ | ||
4070 | ssize_t | ||
4071 | GNUNET_CRYPTO_private_key_get_length ( | ||
4072 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4073 | |||
4074 | |||
4075 | /** | ||
4076 | * Writes a #GNUNET_CRYPTO_PublicKey to a compact buffer. | ||
4077 | * The buffer requires space for at least the compacted length of | ||
4078 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4079 | * If the buffer is too small, the function returns -1 as error. | ||
4080 | * If the key is not valid, it returns -2 as error. | ||
4081 | * | ||
4082 | * @param key the key | ||
4083 | * @param buffer the buffer | ||
4084 | * @param len the length of buffer | ||
4085 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4086 | */ | ||
4087 | ssize_t | ||
4088 | GNUNET_CRYPTO_write_public_key_to_buffer (const struct | ||
4089 | GNUNET_CRYPTO_PublicKey *key, | ||
4090 | void*buffer, | ||
4091 | size_t len); | ||
4092 | |||
4093 | |||
4094 | /** | ||
4095 | * Reads a #GNUNET_CRYPTO_PrivateKey from a compact buffer. | ||
4096 | * The buffer has to contain at least the compacted length of | ||
4097 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4098 | * If the buffer is too small, the function returns GNUNET_SYSERR as error. | ||
4099 | * | ||
4100 | * @param buffer the buffer | ||
4101 | * @param len the length of buffer | ||
4102 | * @param key the key | ||
4103 | * @param the amount of bytes read from the buffer | ||
4104 | * @return #GNUNET_SYSERR on error | ||
4105 | */ | ||
4106 | enum GNUNET_GenericReturnValue | ||
4107 | GNUNET_CRYPTO_read_private_key_from_buffer ( | ||
4108 | const void*buffer, | ||
4109 | size_t len, | ||
4110 | struct GNUNET_CRYPTO_PrivateKey *key, | ||
4111 | size_t *read); | ||
4112 | |||
4113 | |||
4114 | /** | ||
4115 | * Writes a #GNUNET_CRYPTO_PrivateKey to a compact buffer. | ||
4116 | * The buffer requires space for at least the compacted length of | ||
4117 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4118 | * If the buffer is too small, the function returns -1 as error. | ||
4119 | * If the key is not valid, it returns -2 as error. | ||
4120 | * | ||
4121 | * @param key the key | ||
4122 | * @param buffer the buffer | ||
4123 | * @param len the length of buffer | ||
4124 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4125 | */ | ||
4126 | ssize_t | ||
4127 | GNUNET_CRYPTO_write_private_key_to_buffer ( | ||
4128 | const struct GNUNET_CRYPTO_PrivateKey *key, | ||
4129 | void*buffer, | ||
4130 | size_t len); | ||
4131 | |||
4132 | |||
4133 | /** | ||
4134 | * Get the compacted length of a #GNUNET_CRYPTO_Signature. | ||
4135 | * Compacted means that it returns the minimum number of bytes this | ||
4136 | * signature is long, as opposed to the union structure inside | ||
4137 | * #GNUNET_CRYPTO_Signature. | ||
4138 | * Useful for compact serializations. | ||
4139 | * | ||
4140 | * @param sig the signature. | ||
4141 | * @return -1 on error, else the compacted length of the signature. | ||
4142 | */ | ||
4143 | ssize_t | ||
4144 | GNUNET_CRYPTO_signature_get_length ( | ||
4145 | const struct GNUNET_CRYPTO_Signature *sig); | ||
4146 | |||
4147 | |||
4148 | /** | ||
4149 | * Get the compacted length of a signature by type. | ||
4150 | * Compacted means that it returns the minimum number of bytes this | ||
4151 | * signature is long, as opposed to the union structure inside | ||
4152 | * #GNUNET_CRYPTO_Signature. | ||
4153 | * Useful for compact serializations. | ||
4154 | * | ||
4155 | * @param sig the signature. | ||
4156 | * @return -1 on error, else the compacted length of the signature. | ||
4157 | */ | ||
4158 | ssize_t | ||
4159 | GNUNET_CRYPTO_signature_get_raw_length_by_type (uint32_t type); | ||
4160 | |||
4161 | |||
4162 | /** | ||
4163 | * Reads a #GNUNET_CRYPTO_Signature from a compact buffer. | ||
4164 | * The buffer has to contain at least the compacted length of | ||
4165 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4166 | * If the buffer is too small, the function returns -1 as error. | ||
4167 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4168 | * | ||
4169 | * @param sig the signature | ||
4170 | * @param buffer the buffer | ||
4171 | * @param len the length of buffer | ||
4172 | * @return -1 or -2 on error, else the amount of bytes read from the buffer | ||
4173 | */ | ||
4174 | ssize_t | ||
4175 | GNUNET_CRYPTO_read_signature_from_buffer ( | ||
4176 | struct GNUNET_CRYPTO_Signature *sig, | ||
4177 | const void*buffer, | ||
4178 | size_t len); | ||
4179 | |||
4180 | |||
4181 | /** | ||
4182 | * Writes a #GNUNET_CRYPTO_Signature to a compact buffer. | ||
4183 | * The buffer requires space for at least the compacted length of | ||
4184 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4185 | * If the buffer is too small, the function returns -1 as error. | ||
4186 | * If the key is not valid, it returns -2 as error. | ||
4187 | * | ||
4188 | * @param sig the signature | ||
4189 | * @param buffer the buffer | ||
4190 | * @param len the length of buffer | ||
4191 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4192 | */ | ||
4193 | ssize_t | ||
4194 | GNUNET_CRYPTO_write_signature_to_buffer ( | ||
4195 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4196 | void*buffer, | ||
4197 | size_t len); | ||
4198 | |||
4199 | |||
4200 | /** | ||
4201 | * @brief Sign a given block. | ||
4202 | * | ||
4203 | * The @a purpose data is the beginning of the data of which the signature is | ||
4204 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4205 | * number of bytes of the data structure, including its header. If possible, | ||
4206 | * use #GNUNET_CRYPTO_sign() instead of this function. | ||
4207 | * | ||
4208 | * @param priv private key to use for the signing | ||
4209 | * @param purpose what to sign (size, purpose) | ||
4210 | * @param[out] sig where to write the signature | ||
4211 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4212 | */ | ||
4213 | enum GNUNET_GenericReturnValue | ||
4214 | GNUNET_CRYPTO_sign_ ( | ||
4215 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4216 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4217 | struct GNUNET_CRYPTO_Signature *sig); | ||
4218 | |||
4219 | /** | ||
4220 | * @brief Sign a given block. | ||
4221 | * | ||
4222 | * The @a purpose data is the beginning of the data of which the signature is | ||
4223 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4224 | * number of bytes of the data structure, including its header. | ||
4225 | * The signature payload and length depends on the key type. | ||
4226 | * | ||
4227 | * @param priv private key to use for the signing | ||
4228 | * @param purpose what to sign (size, purpose) | ||
4229 | * @param[out] sig where to write the signature | ||
4230 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4231 | */ | ||
4232 | enum GNUNET_GenericReturnValue | ||
4233 | GNUNET_CRYPTO_sign_raw_ ( | ||
4234 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4235 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4236 | unsigned char *sig); | ||
4237 | |||
4238 | |||
4239 | /** | ||
4240 | * @brief Sign a given block with #GNUNET_CRYPTO_PrivateKey. | ||
4241 | * | ||
4242 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4243 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4244 | * number of bytes of the data structure, including its header. | ||
4245 | * | ||
4246 | * @param priv private key to use for the signing | ||
4247 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4248 | * @param[out] sig where to write the signature | ||
4249 | */ | ||
4250 | #define GNUNET_CRYPTO_sign(priv,ps,sig) do { \ | ||
4251 | /* check size is set correctly */ \ | ||
4252 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4253 | /* check 'ps' begins with the purpose */ \ | ||
4254 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4255 | ((void*) &(ps)->purpose)); \ | ||
4256 | GNUNET_assert (GNUNET_OK == \ | ||
4257 | GNUNET_CRYPTO_sign_ (priv, \ | ||
4258 | &(ps)->purpose, \ | ||
4259 | sig)); \ | ||
4260 | } while (0) | ||
4261 | |||
4262 | |||
4263 | /** | ||
4264 | * @brief Verify a given signature. | ||
4265 | * | ||
4266 | * The @a validate data is the beginning of the data of which the signature | ||
4267 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4268 | * the number of bytes of the data structure, including its header. If @a | ||
4269 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4270 | * in big endian), signature verification fails. If possible, | ||
4271 | * use #GNUNET_CRYPTO_signature_verify() instead of this function (only if @a validate | ||
4272 | * is not fixed-size, you must use this function directly). | ||
4273 | * | ||
4274 | * @param purpose what is the purpose that the signature should have? | ||
4275 | * @param validate block to validate (size, purpose, data) | ||
4276 | * @param sig signature that is being validated | ||
4277 | * @param pub public key of the signer | ||
4278 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4279 | */ | ||
4280 | enum GNUNET_GenericReturnValue | ||
4281 | GNUNET_CRYPTO_signature_verify_ ( | ||
4282 | uint32_t purpose, | ||
4283 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4284 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4285 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4286 | |||
4287 | /** | ||
4288 | * @brief Verify a given signature. | ||
4289 | * | ||
4290 | * The @a validate data is the beginning of the data of which the signature | ||
4291 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4292 | * the number of bytes of the data structure, including its header. If @a | ||
4293 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4294 | * in big endian), signature verification fails. | ||
4295 | * | ||
4296 | * @param purpose what is the purpose that the signature should have? | ||
4297 | * @param validate block to validate (size, purpose, data) | ||
4298 | * @param sig signature that is being validated | ||
4299 | * @param pub public key of the signer | ||
4300 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4301 | */ | ||
4302 | enum GNUNET_GenericReturnValue | ||
4303 | GNUNET_CRYPTO_signature_verify_raw_ ( | ||
4304 | uint32_t purpose, | ||
4305 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4306 | const unsigned char *sig, | ||
4307 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4308 | |||
4309 | |||
4310 | /** | ||
4311 | * @brief Verify a given signature with #GNUNET_CRYPTO_PublicKey. | ||
4312 | * | ||
4313 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4314 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4315 | * number of bytes of the data structure, including its header. | ||
4316 | * | ||
4317 | * @param purp purpose of the signature, must match 'ps->purpose.purpose' | ||
4318 | * (except in host byte order) | ||
4319 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4320 | * @param sig where to read the signature from | ||
4321 | * @param pub public key to use for the verifying | ||
4322 | */ | ||
4323 | #define GNUNET_CRYPTO_signature_verify(purp,ps,sig,pub) ({ \ | ||
4324 | /* check size is set correctly */ \ | ||
4325 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4326 | /* check 'ps' begins with the purpose */ \ | ||
4327 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4328 | ((void*) &(ps)->purpose)); \ | ||
4329 | GNUNET_CRYPTO_signature_verify_ (purp, \ | ||
4330 | &(ps)->purpose, \ | ||
4331 | sig, \ | ||
4332 | pub); \ | ||
4333 | }) | ||
4334 | |||
4335 | |||
4336 | /** | ||
4337 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4338 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4339 | * using ecdh to derive a symmetric key. | ||
4340 | * | ||
4341 | * @param block the block to encrypt | ||
4342 | * @param size the size of the @a block | ||
4343 | * @param pub public key to use for ecdh | ||
4344 | * @param ecc where to write the ecc public key | ||
4345 | * @param result the output parameter in which to store the encrypted result | ||
4346 | * can be the same or overlap with @c block | ||
4347 | * @returns the size of the encrypted block, -1 for errors. | ||
4348 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4349 | * this size should be the same as @c len. | ||
4350 | */ | ||
4351 | ssize_t | ||
4352 | GNUNET_CRYPTO_encrypt_old (const void *block, | ||
4353 | size_t size, | ||
4354 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4355 | struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4356 | void *result); | ||
4357 | |||
4358 | |||
4359 | /** | ||
4360 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4361 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4362 | * | ||
4363 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4364 | * @param size the size of the @a block to decrypt | ||
4365 | * @param priv private key to use for ecdh | ||
4366 | * @param ecc the ecc public key | ||
4367 | * @param result address to store the result at | ||
4368 | * can be the same or overlap with @c block | ||
4369 | * @return -1 on failure, size of decrypted block on success. | ||
4370 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4371 | * this size should be the same as @c size. | ||
4372 | */ | ||
4373 | ssize_t | ||
4374 | GNUNET_CRYPTO_decrypt_old ( | ||
4375 | const void *block, | ||
4376 | size_t size, | ||
4377 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4378 | const struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4379 | void *result); | ||
4380 | |||
4381 | #define GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES (crypto_secretbox_MACBYTES \ | ||
4382 | + sizeof (struct \ | ||
4383 | GNUNET_CRYPTO_FoKemC)) | ||
4384 | |||
4385 | /** | ||
4386 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4387 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4388 | * using ecdh to derive a symmetric key. | ||
4389 | * | ||
4390 | * Note that the result buffer for the ciphertext must be the length of | ||
4391 | * the message to encrypt plus #GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES. | ||
4392 | * | ||
4393 | * @param block the block to encrypt | ||
4394 | * @param size the size of the @a block | ||
4395 | * @param pub public key to encrypt for | ||
4396 | * @param result the output parameter in which to store the encrypted result | ||
4397 | * can be the same or overlap with @c block | ||
4398 | * @returns GNUNET_OK on success. | ||
4399 | */ | ||
4400 | enum GNUNET_GenericReturnValue | ||
4401 | GNUNET_CRYPTO_encrypt (const void *block, | ||
4402 | size_t size, | ||
4403 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4404 | void *result, | ||
4405 | size_t result_size); | ||
4406 | |||
4407 | |||
4408 | /** | ||
4409 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4410 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4411 | * | ||
4412 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4413 | * @param size the size of the @a block to decrypt | ||
4414 | * @param priv private key to use for ecdh | ||
4415 | * @param result address to store the result at | ||
4416 | * can be the same or overlap with @c block | ||
4417 | * @returns GNUNET_OK on success. | ||
4418 | */ | ||
4419 | enum GNUNET_GenericReturnValue | ||
4420 | GNUNET_CRYPTO_decrypt (const void *block, | ||
4421 | size_t size, | ||
4422 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4423 | void *result, | ||
4424 | size_t result_size); | ||
4425 | |||
4426 | |||
4427 | /** | ||
4428 | * Creates a (Base32) string representation of the public key. | ||
4429 | * The resulting string encodes a compacted representation of the key. | ||
4430 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4431 | * | ||
4432 | * @param key the key. | ||
4433 | * @return the string representation of the key, or NULL on error. | ||
4434 | */ | ||
4435 | char * | ||
4436 | GNUNET_CRYPTO_public_key_to_string ( | ||
4437 | const struct GNUNET_CRYPTO_PublicKey *key); | ||
4438 | |||
4439 | |||
4440 | /** | ||
4441 | * Creates a (Base32) string representation of the private key. | ||
4442 | * The resulting string encodes a compacted representation of the key. | ||
4443 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4444 | * | ||
4445 | * @param key the key. | ||
4446 | * @return the string representation of the key, or NULL on error. | ||
4447 | */ | ||
4448 | char * | ||
4449 | GNUNET_CRYPTO_private_key_to_string ( | ||
4450 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4451 | |||
4452 | |||
4453 | /** | ||
4454 | * Parses a (Base32) string representation of the public key. | ||
4455 | * See also #GNUNET_CRYPTO_public_key_to_string. | ||
4456 | * | ||
4457 | * @param str the encoded key. | ||
4458 | * @param key where to write the key. | ||
4459 | * @return GNUNET_SYSERR on error. | ||
4460 | */ | ||
4461 | enum GNUNET_GenericReturnValue | ||
4462 | GNUNET_CRYPTO_public_key_from_string (const char*str, | ||
4463 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4464 | |||
4465 | |||
4466 | /** | ||
4467 | * Parses a (Base32) string representation of the private key. | ||
4468 | * See also #GNUNET_CRYPTO_private_key_to_string. | ||
4469 | * | ||
4470 | * @param str the encoded key. | ||
4471 | * @param key where to write the key. | ||
4472 | * @return GNUNET_SYSERR on error. | ||
4473 | */ | ||
4474 | enum GNUNET_GenericReturnValue | ||
4475 | GNUNET_CRYPTO_private_key_from_string (const char*str, | ||
4476 | struct GNUNET_CRYPTO_PrivateKey *key); | ||
4477 | |||
4478 | |||
4479 | /** | ||
4480 | * Retrieves the public key representation of a private key. | ||
4481 | * | ||
4482 | * @param privkey the private key. | ||
4483 | * @param key the public key result. | ||
4484 | * @return GNUNET_SYSERR on error. | ||
4485 | */ | ||
4486 | enum GNUNET_GenericReturnValue | ||
4487 | GNUNET_CRYPTO_key_get_public (const struct | ||
4488 | GNUNET_CRYPTO_PrivateKey *privkey, | ||
4489 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4490 | |||
2685 | #if 0 /* keep Emacsens' auto-indent happy */ | 4491 | #if 0 /* keep Emacsens' auto-indent happy */ |
2686 | { | 4492 | { |
2687 | #endif | 4493 | #endif |
@@ -2692,4 +4498,7 @@ GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | |||
2692 | 4498 | ||
2693 | /* ifndef GNUNET_CRYPTO_LIB_H */ | 4499 | /* ifndef GNUNET_CRYPTO_LIB_H */ |
2694 | #endif | 4500 | #endif |
4501 | |||
4502 | /** @} */ /* end of group addition */ | ||
4503 | |||
2695 | /* end of gnunet_crypto_lib.h */ | 4504 | /* end of gnunet_crypto_lib.h */ |