diff options
Diffstat (limited to 'src/include/gnunet_crypto_lib.h')
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 1686 |
1 files changed, 1618 insertions, 68 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index 2737ee0e9..50937324d 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -1,6 +1,6 @@ | |||
1 | /* | 1 | /* |
2 | This file is part of GNUnet. | 2 | This file is part of GNUnet. |
3 | Copyright (C) 2001-2013 GNUnet e.V. | 3 | Copyright (C) 2001-2023 GNUnet e.V. |
4 | 4 | ||
5 | GNUnet is free software: you can redistribute it and/or modify it | 5 | GNUnet is free software: you can redistribute it and/or modify it |
6 | under the terms of the GNU Affero General Public License as published | 6 | under the terms of the GNU Affero General Public License as published |
@@ -19,6 +19,10 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | /** | 21 | /** |
22 | * @addtogroup libgnunetutil | ||
23 | * Multi-function utilities library for GNUnet programs | ||
24 | * @{ | ||
25 | * | ||
22 | * @file include/gnunet_crypto_lib.h | 26 | * @file include/gnunet_crypto_lib.h |
23 | * @brief cryptographic primitives for GNUnet | 27 | * @brief cryptographic primitives for GNUnet |
24 | * | 28 | * |
@@ -40,6 +44,10 @@ | |||
40 | * @see [Documentation](https://gnunet.org/crypto-api) | 44 | * @see [Documentation](https://gnunet.org/crypto-api) |
41 | */ | 45 | */ |
42 | 46 | ||
47 | #if ! defined (__GNUNET_UTIL_LIB_H_INSIDE__) | ||
48 | #error "Only <gnunet_util_lib.h> can be included directly." | ||
49 | #endif | ||
50 | |||
43 | #ifndef GNUNET_CRYPTO_LIB_H | 51 | #ifndef GNUNET_CRYPTO_LIB_H |
44 | #define GNUNET_CRYPTO_LIB_H | 52 | #define GNUNET_CRYPTO_LIB_H |
45 | 53 | ||
@@ -50,6 +58,7 @@ extern "C" { | |||
50 | #endif | 58 | #endif |
51 | #endif | 59 | #endif |
52 | 60 | ||
61 | |||
53 | #include <stdbool.h> | 62 | #include <stdbool.h> |
54 | #include <sodium.h> | 63 | #include <sodium.h> |
55 | 64 | ||
@@ -58,7 +67,6 @@ extern "C" { | |||
58 | */ | 67 | */ |
59 | struct GNUNET_PeerIdentity; | 68 | struct GNUNET_PeerIdentity; |
60 | 69 | ||
61 | #include "gnunet_common.h" | ||
62 | #include <gcrypt.h> | 70 | #include <gcrypt.h> |
63 | 71 | ||
64 | 72 | ||
@@ -340,6 +348,117 @@ struct GNUNET_CRYPTO_Edx25519Signature | |||
340 | unsigned char s[256 / 8]; | 348 | unsigned char s[256 / 8]; |
341 | }; | 349 | }; |
342 | 350 | ||
351 | /** | ||
352 | * Elligator representative (always for Curve25519) | ||
353 | */ | ||
354 | struct GNUNET_CRYPTO_ElligatorRepresentative | ||
355 | { | ||
356 | /** | ||
357 | * Represents an element of Curve25519 finite field. | ||
358 | * Always smaller than 2 ^ 254 - 10 -> Needs to be serialized into a random-looking byte stream before transmission. | ||
359 | */ | ||
360 | unsigned char r[256 / 8]; | ||
361 | }; | ||
362 | |||
363 | /** | ||
364 | * Key type for the generic public key union | ||
365 | */ | ||
366 | enum GNUNET_CRYPTO_KeyType | ||
367 | { | ||
368 | /** | ||
369 | * The identity type. The value is the same as the | ||
370 | * PKEY record type. | ||
371 | */ | ||
372 | GNUNET_PUBLIC_KEY_TYPE_ECDSA = 65536, | ||
373 | |||
374 | /** | ||
375 | * EDDSA identity. The value is the same as the EDKEY | ||
376 | * record type. | ||
377 | */ | ||
378 | GNUNET_PUBLIC_KEY_TYPE_EDDSA = 65556 | ||
379 | }; | ||
380 | |||
381 | /** | ||
382 | * A private key for an identity as per LSD0001. | ||
383 | * Note that these types are NOT packed and MUST NOT be used in RPC | ||
384 | * messages. Use the respective serialization functions. | ||
385 | */ | ||
386 | struct GNUNET_CRYPTO_PrivateKey | ||
387 | { | ||
388 | /** | ||
389 | * Type of public key. | ||
390 | * Defined by the GNS zone type value. | ||
391 | * In NBO. | ||
392 | */ | ||
393 | uint32_t type; | ||
394 | |||
395 | union | ||
396 | { | ||
397 | /** | ||
398 | * An ECDSA identity key. | ||
399 | */ | ||
400 | struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key; | ||
401 | |||
402 | /** | ||
403 | * AN EdDSA identtiy key | ||
404 | */ | ||
405 | struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key; | ||
406 | }; | ||
407 | }; | ||
408 | |||
409 | |||
410 | /** | ||
411 | * An identity key as per LSD0001. | ||
412 | */ | ||
413 | struct GNUNET_CRYPTO_PublicKey | ||
414 | { | ||
415 | /** | ||
416 | * Type of public key. | ||
417 | * Defined by the GNS zone type value. | ||
418 | * In NBO. | ||
419 | */ | ||
420 | uint32_t type; | ||
421 | |||
422 | union | ||
423 | { | ||
424 | /** | ||
425 | * An ECDSA identity key. | ||
426 | */ | ||
427 | struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_key; | ||
428 | |||
429 | /** | ||
430 | * AN EdDSA identtiy key | ||
431 | */ | ||
432 | struct GNUNET_CRYPTO_EddsaPublicKey eddsa_key; | ||
433 | }; | ||
434 | }; | ||
435 | |||
436 | |||
437 | /** | ||
438 | * An identity signature as per LSD0001. | ||
439 | */ | ||
440 | struct GNUNET_CRYPTO_Signature | ||
441 | { | ||
442 | /** | ||
443 | * Type of signature. | ||
444 | * Defined by the GNS zone type value. | ||
445 | * In NBO. | ||
446 | */ | ||
447 | uint32_t type; | ||
448 | |||
449 | union | ||
450 | { | ||
451 | /** | ||
452 | * An ECDSA signature | ||
453 | */ | ||
454 | struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature; | ||
455 | |||
456 | /** | ||
457 | * AN EdDSA signature | ||
458 | */ | ||
459 | struct GNUNET_CRYPTO_EddsaSignature eddsa_signature; | ||
460 | }; | ||
461 | }; | ||
343 | 462 | ||
344 | /** | 463 | /** |
345 | * @brief type for session keys | 464 | * @brief type for session keys |
@@ -553,17 +672,33 @@ struct GNUNET_CRYPTO_CsSignature | |||
553 | * Schnorr signatures are composed of a scalar s and a curve point | 672 | * Schnorr signatures are composed of a scalar s and a curve point |
554 | */ | 673 | */ |
555 | struct GNUNET_CRYPTO_CsS s_scalar; | 674 | struct GNUNET_CRYPTO_CsS s_scalar; |
675 | |||
676 | /** | ||
677 | * Curve point of the Schnorr signature. | ||
678 | */ | ||
556 | struct GNUNET_CRYPTO_CsRPublic r_point; | 679 | struct GNUNET_CRYPTO_CsRPublic r_point; |
557 | }; | 680 | }; |
558 | 681 | ||
559 | 682 | ||
560 | /** | 683 | /** |
561 | * Nonce | 684 | * Nonce for the session, picked by client, |
685 | * shared with the signer. | ||
686 | */ | ||
687 | struct GNUNET_CRYPTO_CsSessionNonce | ||
688 | { | ||
689 | /*a nonce*/ | ||
690 | unsigned char snonce[256 / 8]; | ||
691 | }; | ||
692 | |||
693 | |||
694 | /** | ||
695 | * Nonce for computing blinding factors. Not | ||
696 | * shared with the signer. | ||
562 | */ | 697 | */ |
563 | struct GNUNET_CRYPTO_CsNonce | 698 | struct GNUNET_CRYPTO_CsBlindingNonce |
564 | { | 699 | { |
565 | /*a nonce*/ | 700 | /*a nonce*/ |
566 | unsigned char nonce[256 / 8]; | 701 | unsigned char bnonce[256 / 8]; |
567 | }; | 702 | }; |
568 | 703 | ||
569 | 704 | ||
@@ -655,7 +790,7 @@ GNUNET_CRYPTO_zero_keys (void *buffer, size_t length); | |||
655 | * Fill block with a random values. | 790 | * Fill block with a random values. |
656 | * | 791 | * |
657 | * @param mode desired quality of the random number | 792 | * @param mode desired quality of the random number |
658 | * @param buffer the buffer to fill | 793 | * @param[out] buffer the buffer to fill |
659 | * @param length buffer length | 794 | * @param length buffer length |
660 | */ | 795 | */ |
661 | void | 796 | void |
@@ -672,7 +807,7 @@ GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode, | |||
672 | * here is not a completely random number. | 807 | * here is not a completely random number. |
673 | * | 808 | * |
674 | * @param mode desired quality of the random number | 809 | * @param mode desired quality of the random number |
675 | * @param uuid the value to fill | 810 | * @param[out] uuid the value to fill |
676 | */ | 811 | */ |
677 | void | 812 | void |
678 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, | 813 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, |
@@ -693,7 +828,7 @@ GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i); | |||
693 | 828 | ||
694 | /** | 829 | /** |
695 | * @ingroup crypto | 830 | * @ingroup crypto |
696 | * Random on unsigned 64-bit values. | 831 | * Generate a random unsigned 64-bit value. |
697 | * | 832 | * |
698 | * @param mode desired quality of the random number | 833 | * @param mode desired quality of the random number |
699 | * @param max value returned will be in range [0,@a max) (exclusive) | 834 | * @param max value returned will be in range [0,@a max) (exclusive) |
@@ -1427,7 +1562,7 @@ enum GNUNET_GenericReturnValue | |||
1427 | GNUNET_CRYPTO_eddsa_private_key_from_string ( | 1562 | GNUNET_CRYPTO_eddsa_private_key_from_string ( |
1428 | const char *enc, | 1563 | const char *enc, |
1429 | size_t enclen, | 1564 | size_t enclen, |
1430 | struct GNUNET_CRYPTO_EddsaPrivateKey *pub); | 1565 | struct GNUNET_CRYPTO_EddsaPrivateKey *priv); |
1431 | 1566 | ||
1432 | 1567 | ||
1433 | /** | 1568 | /** |
@@ -1554,6 +1689,9 @@ GNUNET_CRYPTO_edx25519_key_create_from_seed ( | |||
1554 | /** | 1689 | /** |
1555 | * @ingroup crypto | 1690 | * @ingroup crypto |
1556 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). | 1691 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). |
1692 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1693 | * X25519(a,9). | ||
1694 | * See #GNUNET_CRYPTO_ecc_ecdh for the DH function. | ||
1557 | * | 1695 | * |
1558 | * @param[out] pk set to fresh private key; | 1696 | * @param[out] pk set to fresh private key; |
1559 | */ | 1697 | */ |
@@ -1631,12 +1769,49 @@ GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name); | |||
1631 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | 1769 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity |
1632 | * could not be retrieved | 1770 | * could not be retrieved |
1633 | */ | 1771 | */ |
1634 | int | 1772 | enum GNUNET_GenericReturnValue |
1635 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, | 1773 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, |
1636 | struct GNUNET_PeerIdentity *dst); | 1774 | struct GNUNET_PeerIdentity *dst); |
1637 | 1775 | ||
1638 | 1776 | ||
1639 | /** | 1777 | /** |
1778 | * @ingroup crypto | ||
1779 | * Sign a given block with a specific purpose using the host's peer identity. | ||
1780 | * | ||
1781 | * @param cfg configuration to use | ||
1782 | * @param purpose what to sign (size, purpose) | ||
1783 | * @param sig where to write the signature | ||
1784 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | ||
1785 | * could not be retrieved | ||
1786 | */ | ||
1787 | enum GNUNET_GenericReturnValue | ||
1788 | GNUNET_CRYPTO_sign_by_peer_identity (const struct | ||
1789 | GNUNET_CONFIGURATION_Handle *cfg, | ||
1790 | const struct | ||
1791 | GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
1792 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1793 | |||
1794 | |||
1795 | /** | ||
1796 | * @ingroup crypto | ||
1797 | * Verify a given signature with a peer's identity. | ||
1798 | * | ||
1799 | * @param purpose what is the purpose that the signature should have? | ||
1800 | * @param validate block to validate (size, purpose, data) | ||
1801 | * @param sig signature that is being validated | ||
1802 | * @param identity the peer's identity to verify | ||
1803 | * @return #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
1804 | */ | ||
1805 | enum GNUNET_GenericReturnValue | ||
1806 | GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose, | ||
1807 | const struct | ||
1808 | GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
1809 | const struct | ||
1810 | GNUNET_CRYPTO_EddsaSignature *sig, | ||
1811 | const struct GNUNET_PeerIdentity *identity); | ||
1812 | |||
1813 | |||
1814 | /** | ||
1640 | * Internal structure used to cache pre-calculated values for DLOG calculation. | 1815 | * Internal structure used to cache pre-calculated values for DLOG calculation. |
1641 | */ | 1816 | */ |
1642 | struct GNUNET_CRYPTO_EccDlogContext; | 1817 | struct GNUNET_CRYPTO_EccDlogContext; |
@@ -1679,7 +1854,7 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, | |||
1679 | * Calculate ECC discrete logarithm for small factors. | 1854 | * Calculate ECC discrete logarithm for small factors. |
1680 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). | 1855 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). |
1681 | * | 1856 | * |
1682 | * @param dlc precalculated values, determine range of factors | 1857 | * @param edc precalculated values, determine range of factors |
1683 | * @param input point on the curve to factor | 1858 | * @param input point on the curve to factor |
1684 | * @return INT_MAX if dlog failed, otherwise the factor | 1859 | * @return INT_MAX if dlog failed, otherwise the factor |
1685 | */ | 1860 | */ |
@@ -1802,6 +1977,9 @@ GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val, | |||
1802 | /** | 1977 | /** |
1803 | * @ingroup crypto | 1978 | * @ingroup crypto |
1804 | * Derive key material from a public and a private ECC key. | 1979 | * Derive key material from a public and a private ECC key. |
1980 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1981 | * H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9), | ||
1982 | * and a := #GNUNET_CRYPTO_ecdhe_key_create(). | ||
1805 | * | 1983 | * |
1806 | * @param priv private key to use for the ECDH (x) | 1984 | * @param priv private key to use for the ECDH (x) |
1807 | * @param pub public key to use for the ECDH (yG) | 1985 | * @param pub public key to use for the ECDH (yG) |
@@ -1818,6 +1996,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1818 | * @ingroup crypto | 1996 | * @ingroup crypto |
1819 | * Derive key material from a ECDH public key and a private EdDSA key. | 1997 | * Derive key material from a ECDH public key and a private EdDSA key. |
1820 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. | 1998 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. |
1999 | * This uses the Ed25519 private seed as X25519 seed. | ||
2000 | * As such, this also is a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2001 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2002 | * for signing and encryption (DH)! | ||
1821 | * | 2003 | * |
1822 | * @param priv private key from EdDSA to use for the ECDH (x) | 2004 | * @param priv private key from EdDSA to use for the ECDH (x) |
1823 | * @param pub public key to use for the ECDH (yG) | 2005 | * @param pub public key to use for the ECDH (yG) |
@@ -1829,6 +2011,122 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | |||
1829 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | 2011 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, |
1830 | struct GNUNET_HashCode *key_material); | 2012 | struct GNUNET_HashCode *key_material); |
1831 | 2013 | ||
2014 | /** | ||
2015 | * @ingroup crypto | ||
2016 | * Decapsulate a key for a private EdDSA key. | ||
2017 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps. | ||
2018 | * | ||
2019 | * @param priv private key from EdDSA to use for the ECDH (x) | ||
2020 | * @param c the encapsulated key | ||
2021 | * @param key_material where to write the key material H(h(x)yG) | ||
2022 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2023 | */ | ||
2024 | enum GNUNET_GenericReturnValue | ||
2025 | GNUNET_CRYPTO_eddsa_kem_decaps (const struct | ||
2026 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2027 | const struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2028 | struct GNUNET_HashCode *key_material); | ||
2029 | |||
2030 | /** | ||
2031 | * @ingroup crypto | ||
2032 | * Encapsulate key material for a EdDSA public key. | ||
2033 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps. | ||
2034 | * | ||
2035 | * @param priv private key to use for the ECDH (y) | ||
2036 | * @param c public key from EdDSA to use for the ECDH (X=h(x)G) | ||
2037 | * @param key_material where to write the key material H(yX)=H(h(x)yG) | ||
2038 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2039 | */ | ||
2040 | enum GNUNET_GenericReturnValue | ||
2041 | GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2042 | struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2043 | struct GNUNET_HashCode *key_material); | ||
2044 | |||
2045 | /** | ||
2046 | * This is the encapsulated key of our FO-KEM. | ||
2047 | */ | ||
2048 | struct GNUNET_CRYPTO_FoKemC | ||
2049 | { | ||
2050 | /* The output of the FO-OWTF F(x) */ | ||
2051 | struct GNUNET_HashCode y; | ||
2052 | |||
2053 | /* The ephemeral public key from the DH in the KEM */ | ||
2054 | struct GNUNET_CRYPTO_EcdhePublicKey pub; | ||
2055 | }; | ||
2056 | |||
2057 | /** | ||
2058 | * @ingroup crypto | ||
2059 | * Encapsulate key material using a CCA-secure KEM. | ||
2060 | * The KEM is using a OWTF with image oracle constructed from | ||
2061 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2062 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2063 | * | ||
2064 | * @param pub public key to encapsulated for | ||
2065 | * @param[out] c the encapsulation | ||
2066 | * @param[out] key_material the encapsulated key | ||
2067 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2068 | */ | ||
2069 | enum GNUNET_GenericReturnValue | ||
2070 | GNUNET_CRYPTO_eddsa_fo_kem_encaps ( | ||
2071 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2072 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2073 | struct GNUNET_HashCode *key_material); | ||
2074 | |||
2075 | |||
2076 | /** | ||
2077 | * @ingroup crypto | ||
2078 | * Decapsulate key material using a CCA-secure KEM. | ||
2079 | * The KEM is using a OWTF with image oracle constructed from | ||
2080 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2081 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2082 | * | ||
2083 | * @param priv private key this encapsulation is for | ||
2084 | * @param c the encapsulation | ||
2085 | * @param[out] key_material the encapsulated key | ||
2086 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2087 | */ | ||
2088 | enum GNUNET_GenericReturnValue | ||
2089 | GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct | ||
2090 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2091 | const struct GNUNET_CRYPTO_FoKemC *c, | ||
2092 | struct GNUNET_HashCode *key_material); | ||
2093 | |||
2094 | /** | ||
2095 | * @ingroup crypto | ||
2096 | * Encapsulate key material using a CCA-secure KEM. | ||
2097 | * The KEM is using a OWTF with image oracle constructed from | ||
2098 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2099 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2100 | * | ||
2101 | * @param pub public key to encapsulated for | ||
2102 | * @param[out] c the encapsulation | ||
2103 | * @param[out] key_material the encapsulated key | ||
2104 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2105 | */ | ||
2106 | enum GNUNET_GenericReturnValue | ||
2107 | GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct | ||
2108 | GNUNET_CRYPTO_EcdsaPublicKey *pub, | ||
2109 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2110 | struct GNUNET_HashCode *key_material); | ||
2111 | |||
2112 | |||
2113 | /** | ||
2114 | * @ingroup crypto | ||
2115 | * Decapsulate key material using a CCA-secure KEM. | ||
2116 | * The KEM is using a OWTF with image oracle constructed from | ||
2117 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2118 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2119 | * | ||
2120 | * @param priv private key this encapsulation is for | ||
2121 | * @param c the encapsulation | ||
2122 | * @param[out] key_material the encapsulated key | ||
2123 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2124 | */ | ||
2125 | enum GNUNET_GenericReturnValue | ||
2126 | GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct | ||
2127 | GNUNET_CRYPTO_EcdsaPrivateKey *priv, | ||
2128 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2129 | struct GNUNET_HashCode *key_material); | ||
1832 | 2130 | ||
1833 | /** | 2131 | /** |
1834 | * @ingroup crypto | 2132 | * @ingroup crypto |
@@ -1850,6 +2148,10 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | |||
1850 | * @ingroup crypto | 2148 | * @ingroup crypto |
1851 | * Derive key material from a EdDSA public key and a private ECDH key. | 2149 | * Derive key material from a EdDSA public key and a private ECDH key. |
1852 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. | 2150 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. |
2151 | * This converts the Edwards25519 public key @a pub to a Curve25519 | ||
2152 | * public key before computing a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2153 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2154 | * for signing and encryption (DH)! | ||
1853 | * | 2155 | * |
1854 | * @param priv private key to use for the ECDH (y) | 2156 | * @param priv private key to use for the ECDH (y) |
1855 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) | 2157 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) |
@@ -1861,6 +2163,7 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1861 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | 2163 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, |
1862 | struct GNUNET_HashCode *key_material); | 2164 | struct GNUNET_HashCode *key_material); |
1863 | 2165 | ||
2166 | |||
1864 | /** | 2167 | /** |
1865 | * @ingroup crypto | 2168 | * @ingroup crypto |
1866 | * Derive key material from a EcDSA public key and a private ECDH key. | 2169 | * Derive key material from a EcDSA public key and a private ECDH key. |
@@ -1945,6 +2248,21 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1945 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | 2248 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, |
1946 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | 2249 | struct GNUNET_CRYPTO_EcdsaSignature *sig); |
1947 | 2250 | ||
2251 | /** | ||
2252 | * @brief | ||
2253 | * | ||
2254 | * @param priv | ||
2255 | * @param data | ||
2256 | * @param size | ||
2257 | * @param sig | ||
2258 | * @return enum GNUNET_GenericReturnValue | ||
2259 | */ | ||
2260 | enum GNUNET_GenericReturnValue | ||
2261 | GNUNET_CRYPTO_eddsa_sign_raw ( | ||
2262 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2263 | void *data, | ||
2264 | size_t size, | ||
2265 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1948 | 2266 | ||
1949 | /** | 2267 | /** |
1950 | * @ingroup crypto | 2268 | * @ingroup crypto |
@@ -2220,7 +2538,7 @@ GNUNET_CRYPTO_ecdsa_public_key_derive ( | |||
2220 | * @param label label to use for key deriviation | 2538 | * @param label label to use for key deriviation |
2221 | * @param context additional context to use for HKDF of 'h'; | 2539 | * @param context additional context to use for HKDF of 'h'; |
2222 | * typically the name of the subsystem/application | 2540 | * typically the name of the subsystem/application |
2223 | * @param purp the signature purpose | 2541 | * @param purpose the signature purpose |
2224 | * @param sig the resulting signature | 2542 | * @param sig the resulting signature |
2225 | * @return GNUNET_OK on success | 2543 | * @return GNUNET_OK on success |
2226 | */ | 2544 | */ |
@@ -2285,7 +2603,7 @@ GNUNET_CRYPTO_eddsa_public_key_derive ( | |||
2285 | * @param label label to use for key deriviation | 2603 | * @param label label to use for key deriviation |
2286 | * @param context additional context to use for HKDF of 'h'; | 2604 | * @param context additional context to use for HKDF of 'h'; |
2287 | * typically the name of the subsystem/application | 2605 | * typically the name of the subsystem/application |
2288 | * @param purp the signature purpose | 2606 | * @param purpose the signature purpose |
2289 | * @param sig the resulting signature | 2607 | * @param sig the resulting signature |
2290 | * @return GNUNET_OK on success | 2608 | * @return GNUNET_OK on success |
2291 | */ | 2609 | */ |
@@ -2348,6 +2666,97 @@ GNUNET_CRYPTO_edx25519_public_key_derive ( | |||
2348 | 2666 | ||
2349 | 2667 | ||
2350 | /** | 2668 | /** |
2669 | * @ingroup crypto | ||
2670 | * Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. | ||
2671 | * | ||
2672 | * @param representative serialized elligator representative of an element of Curves25519's finite field | ||
2673 | * @param point destination for the calculated point on the curve | ||
2674 | * @param high_y bool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed. | ||
2675 | */ | ||
2676 | void | ||
2677 | GNUNET_CRYPTO_ecdhe_elligator_decoding ( | ||
2678 | struct GNUNET_CRYPTO_EcdhePublicKey *point, | ||
2679 | bool *high_y, | ||
2680 | const struct GNUNET_CRYPTO_ElligatorRepresentative *representative); | ||
2681 | |||
2682 | /** | ||
2683 | * @ingroup crypto | ||
2684 | * Encodes a point on Curve25519 to a an element of the underlying finite field. | ||
2685 | * This transformation is deterministic. | ||
2686 | * | ||
2687 | * @param r storage for the calculated representative | ||
2688 | * @param pub a point on the curve | ||
2689 | * @param high_y encodes if y-coordinate is > 2 ^254 - 10, which determines the representative value out of two | ||
2690 | * @return 'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined | ||
2691 | */ | ||
2692 | bool | ||
2693 | GNUNET_CRYPTO_ecdhe_elligator_encoding ( | ||
2694 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2695 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2696 | bool high_y); | ||
2697 | |||
2698 | |||
2699 | /** | ||
2700 | * @ingroup crypto | ||
2701 | * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. | ||
2702 | * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key. | ||
2703 | * | ||
2704 | * @param pub valid public key for elligator inverse map | ||
2705 | * @param pk private key for generating valid public key | ||
2706 | * @return GNUNET_OK on success | ||
2707 | */ | ||
2708 | enum GNUNET_GenericReturnValue | ||
2709 | GNUNET_CRYPTO_ecdhe_elligator_generate_public_key ( | ||
2710 | struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2711 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2712 | |||
2713 | |||
2714 | /** | ||
2715 | * @ingroup crypto | ||
2716 | * Generates a private key for Curve25519 and the elligator representative of the corresponding public key. | ||
2717 | * | ||
2718 | * @param repr representative of the public key | ||
2719 | * @param pk Curve25519 private key | ||
2720 | */ | ||
2721 | void | ||
2722 | GNUNET_CRYPTO_ecdhe_elligator_key_create ( | ||
2723 | struct GNUNET_CRYPTO_ElligatorRepresentative *repr, | ||
2724 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2725 | |||
2726 | /** | ||
2727 | * @ingroup crypto | ||
2728 | * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. | ||
2729 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2730 | * | ||
2731 | * @param pub given edwards curve public key (X) | ||
2732 | * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG) | ||
2733 | * @param key_material where to write the key material H(aX)=H(x(aG)) | ||
2734 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2735 | */ | ||
2736 | enum GNUNET_GenericReturnValue | ||
2737 | GNUNET_CRYPTO_eddsa_elligator_kem_encaps ( | ||
2738 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2739 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2740 | struct GNUNET_HashCode *key_material); | ||
2741 | |||
2742 | /** | ||
2743 | * @ingroup crypto | ||
2744 | * Carries out ecdh decapsulation with own private key and the representative of the received public key. | ||
2745 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2746 | * | ||
2747 | * @param priv own private key (x) | ||
2748 | * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG) | ||
2749 | * @param key_material where to write the key material H(xA)=H(a(xG)) | ||
2750 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2751 | */ | ||
2752 | enum GNUNET_GenericReturnValue | ||
2753 | GNUNET_CRYPTO_eddsa_elligator_kem_decaps ( | ||
2754 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2755 | const struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2756 | struct GNUNET_HashCode *key_material); | ||
2757 | |||
2758 | |||
2759 | /** | ||
2351 | * Output the given MPI value to the given buffer in network | 2760 | * Output the given MPI value to the given buffer in network |
2352 | * byte order. The MPI @a val may not be negative. | 2761 | * byte order. The MPI @a val may not be negative. |
2353 | * | 2762 | * |
@@ -2413,7 +2822,7 @@ GNUNET_CRYPTO_paillier_encrypt ( | |||
2413 | * @param private_key Private key to use for decryption. | 2822 | * @param private_key Private key to use for decryption. |
2414 | * @param public_key Public key to use for decryption. | 2823 | * @param public_key Public key to use for decryption. |
2415 | * @param ciphertext Ciphertext to decrypt. | 2824 | * @param ciphertext Ciphertext to decrypt. |
2416 | * @param[out] m Decryption of @a ciphertext with @private_key. | 2825 | * @param[out] m Decryption of @a ciphertext with @a private_key. |
2417 | */ | 2826 | */ |
2418 | void | 2827 | void |
2419 | GNUNET_CRYPTO_paillier_decrypt ( | 2828 | GNUNET_CRYPTO_paillier_decrypt ( |
@@ -2424,7 +2833,8 @@ GNUNET_CRYPTO_paillier_decrypt ( | |||
2424 | 2833 | ||
2425 | 2834 | ||
2426 | /** | 2835 | /** |
2427 | * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2 | 2836 | * Compute a ciphertext that represents the sum of the plaintext in @a c1 |
2837 | * and @a c2 | ||
2428 | * | 2838 | * |
2429 | * Note that this operation can only be done a finite number of times | 2839 | * Note that this operation can only be done a finite number of times |
2430 | * before an overflow occurs. | 2840 | * before an overflow occurs. |
@@ -2561,8 +2971,9 @@ GNUNET_CRYPTO_rsa_private_key_get_public ( | |||
2561 | * @param hc where to store the hash code | 2971 | * @param hc where to store the hash code |
2562 | */ | 2972 | */ |
2563 | void | 2973 | void |
2564 | GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key, | 2974 | GNUNET_CRYPTO_rsa_public_key_hash ( |
2565 | struct GNUNET_HashCode *hc); | 2975 | const struct GNUNET_CRYPTO_RsaPublicKey *key, |
2976 | struct GNUNET_HashCode *hc); | ||
2566 | 2977 | ||
2567 | 2978 | ||
2568 | /** | 2979 | /** |
@@ -2667,53 +3078,83 @@ GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1, | |||
2667 | 3078 | ||
2668 | 3079 | ||
2669 | /** | 3080 | /** |
3081 | * @brief RSA Parameters to create blinded signature | ||
3082 | */ | ||
3083 | struct GNUNET_CRYPTO_RsaBlindedMessage | ||
3084 | { | ||
3085 | /** | ||
3086 | * Blinded message to be signed | ||
3087 | * Note: is malloc()'ed! | ||
3088 | */ | ||
3089 | void *blinded_msg; | ||
3090 | |||
3091 | /** | ||
3092 | * Size of the @e blinded_msg to be signed. | ||
3093 | */ | ||
3094 | size_t blinded_msg_size; | ||
3095 | }; | ||
3096 | |||
3097 | |||
3098 | /** | ||
2670 | * Blinds the given message with the given blinding key | 3099 | * Blinds the given message with the given blinding key |
2671 | * | 3100 | * |
2672 | * @param hash hash of the message to sign | 3101 | * @param message the message to sign |
2673 | * @param bkey the blinding key | 3102 | * @param message_size number of bytes in @a message |
3103 | * @param bks the blinding key | ||
2674 | * @param pkey the public key of the signer | 3104 | * @param pkey the public key of the signer |
2675 | * @param[out] buf set to a buffer with the blinded message to be signed | 3105 | * @param[out] bm set to the blinded message |
2676 | * @param[out] buf_size number of bytes stored in @a buf | ||
2677 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious | 3106 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious |
2678 | */ | 3107 | */ |
2679 | int | 3108 | enum GNUNET_GenericReturnValue |
2680 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 3109 | GNUNET_CRYPTO_rsa_blind (const void *message, |
3110 | size_t message_size, | ||
2681 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, | 3111 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
2682 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 3112 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
2683 | void **buf, | 3113 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2684 | size_t *buf_size); | ||
2685 | 3114 | ||
2686 | 3115 | ||
2687 | /** | 3116 | /** |
2688 | * Sign a blinded value, which must be a full domain hash of a message. | 3117 | * Sign a blinded value, which must be a full domain hash of a message. |
2689 | * | 3118 | * |
2690 | * @param key private key to use for the signing | 3119 | * @param key private key to use for the signing |
2691 | * @param msg the (blinded) message to sign | 3120 | * @param bm the (blinded) message to sign |
2692 | * @param msg_len number of bytes in @a msg to sign | ||
2693 | * @return NULL on error, signature on success | 3121 | * @return NULL on error, signature on success |
2694 | */ | 3122 | */ |
2695 | struct GNUNET_CRYPTO_RsaSignature * | 3123 | struct GNUNET_CRYPTO_RsaSignature * |
2696 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3124 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2697 | const void *msg, | 3125 | const struct |
2698 | size_t msg_len); | 3126 | GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2699 | 3127 | ||
2700 | 3128 | ||
2701 | /** | 3129 | /** |
2702 | * Create and sign a full domain hash of a message. | 3130 | * Create and sign a full domain hash of a message. |
2703 | * | 3131 | * |
2704 | * @param key private key to use for the signing | 3132 | * @param key private key to use for the signing |
2705 | * @param hash the hash of the message to sign | 3133 | * @param message the message to sign |
3134 | * @param message_size number of bytes in @a message | ||
2706 | * @return NULL on error, including a malicious RSA key, signature on success | 3135 | * @return NULL on error, including a malicious RSA key, signature on success |
2707 | */ | 3136 | */ |
2708 | struct GNUNET_CRYPTO_RsaSignature * | 3137 | struct GNUNET_CRYPTO_RsaSignature * |
2709 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3138 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2710 | const struct GNUNET_HashCode *hash); | 3139 | const void *message, |
3140 | size_t message_size); | ||
3141 | |||
3142 | |||
3143 | /** | ||
3144 | * Free memory occupied by blinded message. Only frees contents, not | ||
3145 | * @a bm itself. | ||
3146 | * | ||
3147 | * @param[in] bm memory to free | ||
3148 | */ | ||
3149 | void | ||
3150 | GNUNET_CRYPTO_rsa_blinded_message_free ( | ||
3151 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); | ||
2711 | 3152 | ||
2712 | 3153 | ||
2713 | /** | 3154 | /** |
2714 | * Free memory occupied by signature. | 3155 | * Free memory occupied by signature. |
2715 | * | 3156 | * |
2716 | * @param sig memory to free | 3157 | * @param[in] sig memory to free |
2717 | */ | 3158 | */ |
2718 | void | 3159 | void |
2719 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); | 3160 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); |
@@ -2741,8 +3182,9 @@ GNUNET_CRYPTO_rsa_signature_encode ( | |||
2741 | * @return NULL on error | 3182 | * @return NULL on error |
2742 | */ | 3183 | */ |
2743 | struct GNUNET_CRYPTO_RsaSignature * | 3184 | struct GNUNET_CRYPTO_RsaSignature * |
2744 | GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | 3185 | GNUNET_CRYPTO_rsa_signature_decode ( |
2745 | size_t buf_size); | 3186 | const void *buf, |
3187 | size_t buf_size); | ||
2746 | 3188 | ||
2747 | 3189 | ||
2748 | /** | 3190 | /** |
@@ -2752,7 +3194,8 @@ GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | |||
2752 | * @return the duplicate key; NULL upon error | 3194 | * @return the duplicate key; NULL upon error |
2753 | */ | 3195 | */ |
2754 | struct GNUNET_CRYPTO_RsaSignature * | 3196 | struct GNUNET_CRYPTO_RsaSignature * |
2755 | GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig); | 3197 | GNUNET_CRYPTO_rsa_signature_dup ( |
3198 | const struct GNUNET_CRYPTO_RsaSignature *sig); | ||
2756 | 3199 | ||
2757 | 3200 | ||
2758 | /** | 3201 | /** |
@@ -2775,13 +3218,15 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig, | |||
2775 | * Verify whether the given hash corresponds to the given signature and the | 3218 | * Verify whether the given hash corresponds to the given signature and the |
2776 | * signature is valid with respect to the given public key. | 3219 | * signature is valid with respect to the given public key. |
2777 | * | 3220 | * |
2778 | * @param hash the message to verify to match the @a sig | 3221 | * @param message the message to sign |
3222 | * @param message_size number of bytes in @a message | ||
2779 | * @param sig signature that is being validated | 3223 | * @param sig signature that is being validated |
2780 | * @param public_key public key of the signer | 3224 | * @param public_key public key of the signer |
2781 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature | 3225 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature |
2782 | */ | 3226 | */ |
2783 | enum GNUNET_GenericReturnValue | 3227 | enum GNUNET_GenericReturnValue |
2784 | GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | 3228 | GNUNET_CRYPTO_rsa_verify (const void *message, |
3229 | size_t message_size, | ||
2785 | const struct GNUNET_CRYPTO_RsaSignature *sig, | 3230 | const struct GNUNET_CRYPTO_RsaSignature *sig, |
2786 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); | 3231 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); |
2787 | 3232 | ||
@@ -2821,10 +3266,11 @@ GNUNET_CRYPTO_cs_private_key_get_public ( | |||
2821 | * @param[out] r array containing derived secrets r0 and r1 | 3266 | * @param[out] r array containing derived secrets r0 and r1 |
2822 | */ | 3267 | */ |
2823 | void | 3268 | void |
2824 | GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | 3269 | GNUNET_CRYPTO_cs_r_derive ( |
2825 | const char *seed, | 3270 | const struct GNUNET_CRYPTO_CsSessionNonce *nonce, |
2826 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | 3271 | const char *seed, |
2827 | struct GNUNET_CRYPTO_CsRSecret r[2]); | 3272 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, |
3273 | struct GNUNET_CRYPTO_CsRSecret r[2]); | ||
2828 | 3274 | ||
2829 | 3275 | ||
2830 | /** | 3276 | /** |
@@ -2834,27 +3280,57 @@ GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsNonce *nonce, | |||
2834 | * @param[out] r_pub where to write the public key | 3280 | * @param[out] r_pub where to write the public key |
2835 | */ | 3281 | */ |
2836 | void | 3282 | void |
2837 | GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, | 3283 | GNUNET_CRYPTO_cs_r_get_public ( |
2838 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | 3284 | const struct GNUNET_CRYPTO_CsRSecret *r_priv, |
3285 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | ||
3286 | |||
2839 | 3287 | ||
2840 | /** | 3288 | /** |
2841 | * Derives new random blinding factors. | 3289 | * Derives new random blinding factors. |
2842 | * In original papers blinding factors are generated randomly | 3290 | * In original papers blinding factors are generated randomly |
2843 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE | 3291 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE. |
2844 | * To ensure unpredictability a new nonce has to be used. | 3292 | * To ensure unpredictability a new nonce has to be used. |
2845 | * Uses HKDF internally | 3293 | * Uses HKDF internally. |
2846 | * | 3294 | * |
2847 | * @param blind_seed is the blinding seed to derive blinding factors | 3295 | * @param blind_seed is the blinding seed to derive blinding factors |
2848 | * @param[out] bs array containing the two derived blinding secrets | 3296 | * @param[out] bs array containing the two derived blinding secrets |
2849 | */ | 3297 | */ |
2850 | void | 3298 | void |
2851 | GNUNET_CRYPTO_cs_blinding_secrets_derive ( | 3299 | GNUNET_CRYPTO_cs_blinding_secrets_derive ( |
2852 | const struct GNUNET_CRYPTO_CsNonce *blind_seed, | 3300 | const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, |
2853 | struct GNUNET_CRYPTO_CsBlindingSecret bs[2]); | 3301 | struct GNUNET_CRYPTO_CsBlindingSecret bs[2]); |
2854 | 3302 | ||
2855 | 3303 | ||
2856 | /** | 3304 | /** |
2857 | * Calculate two blinded c's | 3305 | * @brief CS Parameters derived from the message |
3306 | * during blinding to create blinded signature | ||
3307 | */ | ||
3308 | struct GNUNET_CRYPTO_CsBlindedMessage | ||
3309 | { | ||
3310 | /** | ||
3311 | * The Clause Schnorr c_0 and c_1 containing the blinded message | ||
3312 | */ | ||
3313 | struct GNUNET_CRYPTO_CsC c[2]; | ||
3314 | |||
3315 | /** | ||
3316 | * Nonce used in initial request. | ||
3317 | */ | ||
3318 | struct GNUNET_CRYPTO_CsSessionNonce nonce; | ||
3319 | |||
3320 | }; | ||
3321 | |||
3322 | |||
3323 | /** | ||
3324 | * Pair of Public R values for Cs denominations | ||
3325 | */ | ||
3326 | struct GNUNET_CRYPTO_CSPublicRPairP | ||
3327 | { | ||
3328 | struct GNUNET_CRYPTO_CsRPublic r_pub[2]; | ||
3329 | }; | ||
3330 | |||
3331 | |||
3332 | /** | ||
3333 | * Calculate two blinded c's. | ||
2858 | * Comment: One would be insecure due to Wagner's algorithm solving ROS | 3334 | * Comment: One would be insecure due to Wagner's algorithm solving ROS |
2859 | * | 3335 | * |
2860 | * @param bs array of the two blinding factor structs each containing alpha and beta | 3336 | * @param bs array of the two blinding factor structs each containing alpha and beta |
@@ -2863,7 +3339,7 @@ GNUNET_CRYPTO_cs_blinding_secrets_derive ( | |||
2863 | * @param msg the message to blind in preparation for signing | 3339 | * @param msg the message to blind in preparation for signing |
2864 | * @param msg_len length of message msg | 3340 | * @param msg_len length of message msg |
2865 | * @param[out] blinded_c array of the two blinded c's | 3341 | * @param[out] blinded_c array of the two blinded c's |
2866 | * @param[out] blinded_r_pub array of the two blinded R | 3342 | * @param[out] r_pub_blind array of the two blinded R |
2867 | */ | 3343 | */ |
2868 | void | 3344 | void |
2869 | GNUNET_CRYPTO_cs_calc_blinded_c ( | 3345 | GNUNET_CRYPTO_cs_calc_blinded_c ( |
@@ -2873,32 +3349,49 @@ GNUNET_CRYPTO_cs_calc_blinded_c ( | |||
2873 | const void *msg, | 3349 | const void *msg, |
2874 | size_t msg_len, | 3350 | size_t msg_len, |
2875 | struct GNUNET_CRYPTO_CsC blinded_c[2], | 3351 | struct GNUNET_CRYPTO_CsC blinded_c[2], |
2876 | struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2]); | 3352 | struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind); |
2877 | 3353 | ||
2878 | 3354 | ||
2879 | /** | 3355 | /** |
2880 | * Sign a blinded c | 3356 | * The Sign Answer for Clause Blind Schnorr signature. |
2881 | * This function derives b from a nonce and a longterm secret | 3357 | * The sign operation returns a parameter @param b and the signature |
2882 | * In original papers b is generated randomly | 3358 | * scalar @param s_scalar. |
3359 | */ | ||
3360 | struct GNUNET_CRYPTO_CsBlindSignature | ||
3361 | { | ||
3362 | /** | ||
3363 | * To make ROS problem harder, the signer chooses an unpredictable b and | ||
3364 | * only calculates signature of c_b | ||
3365 | */ | ||
3366 | unsigned int b; | ||
3367 | |||
3368 | /** | ||
3369 | * The blinded s scalar calculated from c_b | ||
3370 | */ | ||
3371 | struct GNUNET_CRYPTO_CsBlindS s_scalar; | ||
3372 | }; | ||
3373 | |||
3374 | |||
3375 | /** | ||
3376 | * Sign a blinded @a c. | ||
3377 | * This function derives b from a nonce and a longterm secret. | ||
3378 | * In the original papers b is generated randomly. | ||
2883 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. | 3379 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. |
2884 | * To ensure unpredictability a new nonce has to be used for every signature | 3380 | * To ensure unpredictability a new nonce has to be used for every signature. |
2885 | * HKDF is used internally for derivation | 3381 | * HKDF is used internally for derivation. |
2886 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive | 3382 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive. |
2887 | * | 3383 | * |
2888 | * @param priv private key to use for the signing and as LTS in HKDF | 3384 | * @param priv private key to use for the signing and as LTS in HKDF |
2889 | * @param r array of the two secret nonce from the signer | 3385 | * @param r array of the two secret inputs from the signer |
2890 | * @param c array of the two blinded c to sign c_b | 3386 | * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce |
2891 | * @param nonce is a random nonce | 3387 | * @param[out] cs_blind_sig where to write the blind signature |
2892 | * @param[out] blinded_signature_scalar where to write the signature | ||
2893 | * @return 0 or 1 for b (see Clause Blind Signature Scheme) | ||
2894 | */ | 3388 | */ |
2895 | unsigned int | 3389 | void |
2896 | GNUNET_CRYPTO_cs_sign_derive ( | 3390 | GNUNET_CRYPTO_cs_sign_derive ( |
2897 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, | 3391 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, |
2898 | const struct GNUNET_CRYPTO_CsRSecret r[2], | 3392 | const struct GNUNET_CRYPTO_CsRSecret r[2], |
2899 | const struct GNUNET_CRYPTO_CsC c[2], | 3393 | const struct GNUNET_CRYPTO_CsBlindedMessage *bm, |
2900 | const struct GNUNET_CRYPTO_CsNonce *nonce, | 3394 | struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig); |
2901 | struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar); | ||
2902 | 3395 | ||
2903 | 3396 | ||
2904 | /** | 3397 | /** |
@@ -2926,12 +3419,1066 @@ GNUNET_CRYPTO_cs_unblind ( | |||
2926 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid | 3419 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid |
2927 | */ | 3420 | */ |
2928 | enum GNUNET_GenericReturnValue | 3421 | enum GNUNET_GenericReturnValue |
2929 | GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | 3422 | GNUNET_CRYPTO_cs_verify ( |
2930 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | 3423 | const struct GNUNET_CRYPTO_CsSignature *sig, |
2931 | const void *msg, | 3424 | const struct GNUNET_CRYPTO_CsPublicKey *pub, |
2932 | size_t msg_len); | 3425 | const void *msg, |
3426 | size_t msg_len); | ||
2933 | 3427 | ||
2934 | 3428 | ||
3429 | /** | ||
3430 | * Types of public keys used for blind signatures. | ||
3431 | */ | ||
3432 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm | ||
3433 | { | ||
3434 | |||
3435 | /** | ||
3436 | * Invalid type of signature. | ||
3437 | */ | ||
3438 | GNUNET_CRYPTO_BSA_INVALID = 0, | ||
3439 | |||
3440 | /** | ||
3441 | * RSA blind signature. | ||
3442 | */ | ||
3443 | GNUNET_CRYPTO_BSA_RSA = 1, | ||
3444 | |||
3445 | /** | ||
3446 | * Clause Blind Schnorr signature. | ||
3447 | */ | ||
3448 | GNUNET_CRYPTO_BSA_CS = 2 | ||
3449 | }; | ||
3450 | |||
3451 | |||
3452 | /** | ||
3453 | * @brief Type of (unblinded) signatures. | ||
3454 | */ | ||
3455 | struct GNUNET_CRYPTO_UnblindedSignature | ||
3456 | { | ||
3457 | |||
3458 | /** | ||
3459 | * Type of the signature. | ||
3460 | */ | ||
3461 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3462 | |||
3463 | /** | ||
3464 | * Reference counter. | ||
3465 | */ | ||
3466 | unsigned int rc; | ||
3467 | |||
3468 | /** | ||
3469 | * Details, depending on @e cipher. | ||
3470 | */ | ||
3471 | union | ||
3472 | { | ||
3473 | /** | ||
3474 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3475 | */ | ||
3476 | struct GNUNET_CRYPTO_CsSignature cs_signature; | ||
3477 | |||
3478 | /** | ||
3479 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3480 | */ | ||
3481 | struct GNUNET_CRYPTO_RsaSignature *rsa_signature; | ||
3482 | |||
3483 | } details; | ||
3484 | |||
3485 | }; | ||
3486 | |||
3487 | |||
3488 | /** | ||
3489 | * @brief Type for *blinded* signatures. | ||
3490 | * Must be unblinded before it becomes valid. | ||
3491 | */ | ||
3492 | struct GNUNET_CRYPTO_BlindedSignature | ||
3493 | { | ||
3494 | |||
3495 | /** | ||
3496 | * Type of the signature. | ||
3497 | */ | ||
3498 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3499 | |||
3500 | /** | ||
3501 | * Reference counter. | ||
3502 | */ | ||
3503 | unsigned int rc; | ||
3504 | |||
3505 | /** | ||
3506 | * Details, depending on @e cipher. | ||
3507 | */ | ||
3508 | union | ||
3509 | { | ||
3510 | /** | ||
3511 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3512 | * At this point only the blinded s scalar is used. | ||
3513 | * The final signature consisting of r,s is built after unblinding. | ||
3514 | */ | ||
3515 | struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer; | ||
3516 | |||
3517 | /** | ||
3518 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3519 | */ | ||
3520 | struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature; | ||
3521 | |||
3522 | } details; | ||
3523 | |||
3524 | }; | ||
3525 | |||
3526 | |||
3527 | /** | ||
3528 | * @brief Type of public signing keys for blind signatures. | ||
3529 | */ | ||
3530 | struct GNUNET_CRYPTO_BlindSignPublicKey | ||
3531 | { | ||
3532 | |||
3533 | /** | ||
3534 | * Type of the public key. | ||
3535 | */ | ||
3536 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3537 | |||
3538 | /** | ||
3539 | * Reference counter. | ||
3540 | */ | ||
3541 | unsigned int rc; | ||
3542 | |||
3543 | /** | ||
3544 | * Hash of the public key. | ||
3545 | */ | ||
3546 | struct GNUNET_HashCode pub_key_hash; | ||
3547 | |||
3548 | /** | ||
3549 | * Details, depending on @e cipher. | ||
3550 | */ | ||
3551 | union | ||
3552 | { | ||
3553 | /** | ||
3554 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3555 | */ | ||
3556 | struct GNUNET_CRYPTO_CsPublicKey cs_public_key; | ||
3557 | |||
3558 | /** | ||
3559 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3560 | */ | ||
3561 | struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key; | ||
3562 | |||
3563 | } details; | ||
3564 | }; | ||
3565 | |||
3566 | |||
3567 | /** | ||
3568 | * @brief Type of private signing keys for blind signing. | ||
3569 | */ | ||
3570 | struct GNUNET_CRYPTO_BlindSignPrivateKey | ||
3571 | { | ||
3572 | |||
3573 | /** | ||
3574 | * Type of the public key. | ||
3575 | */ | ||
3576 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3577 | |||
3578 | /** | ||
3579 | * Reference counter. | ||
3580 | */ | ||
3581 | unsigned int rc; | ||
3582 | |||
3583 | /** | ||
3584 | * Details, depending on @e cipher. | ||
3585 | */ | ||
3586 | union | ||
3587 | { | ||
3588 | /** | ||
3589 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3590 | */ | ||
3591 | struct GNUNET_CRYPTO_CsPrivateKey cs_private_key; | ||
3592 | |||
3593 | /** | ||
3594 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3595 | */ | ||
3596 | struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key; | ||
3597 | |||
3598 | } details; | ||
3599 | }; | ||
3600 | |||
3601 | |||
3602 | /** | ||
3603 | * @brief Blinded message ready for blind signing. | ||
3604 | */ | ||
3605 | struct GNUNET_CRYPTO_BlindedMessage | ||
3606 | { | ||
3607 | /** | ||
3608 | * Type of the sign blinded message | ||
3609 | */ | ||
3610 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3611 | |||
3612 | /** | ||
3613 | * Reference counter. | ||
3614 | */ | ||
3615 | unsigned int rc; | ||
3616 | |||
3617 | /** | ||
3618 | * Details, depending on @e cipher. | ||
3619 | */ | ||
3620 | union | ||
3621 | { | ||
3622 | /** | ||
3623 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3624 | */ | ||
3625 | struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message; | ||
3626 | |||
3627 | /** | ||
3628 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3629 | */ | ||
3630 | struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message; | ||
3631 | |||
3632 | } details; | ||
3633 | }; | ||
3634 | |||
3635 | |||
3636 | /** | ||
3637 | * Secret r for Cs denominations | ||
3638 | */ | ||
3639 | struct GNUNET_CRYPTO_CSPrivateRPairP | ||
3640 | { | ||
3641 | struct GNUNET_CRYPTO_CsRSecret r[2]; | ||
3642 | }; | ||
3643 | |||
3644 | |||
3645 | /** | ||
3646 | * @brief Input needed for blinding a message. | ||
3647 | */ | ||
3648 | struct GNUNET_CRYPTO_BlindingInputValues | ||
3649 | { | ||
3650 | |||
3651 | /** | ||
3652 | * Type of the signature. | ||
3653 | */ | ||
3654 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3655 | |||
3656 | /** | ||
3657 | * Reference counter. | ||
3658 | */ | ||
3659 | unsigned int rc; | ||
3660 | |||
3661 | /** | ||
3662 | * Details, depending on @e cipher. | ||
3663 | */ | ||
3664 | union | ||
3665 | { | ||
3666 | /** | ||
3667 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3668 | */ | ||
3669 | struct GNUNET_CRYPTO_CSPublicRPairP cs_values; | ||
3670 | |||
3671 | } details; | ||
3672 | |||
3673 | }; | ||
3674 | |||
3675 | |||
3676 | /** | ||
3677 | * Nonce used to deterministiacally derive input values | ||
3678 | * used in multi-round blind signature protocols. | ||
3679 | */ | ||
3680 | union GNUNET_CRYPTO_BlindSessionNonce | ||
3681 | { | ||
3682 | /** | ||
3683 | * Nonce used when signing with CS. | ||
3684 | */ | ||
3685 | struct GNUNET_CRYPTO_CsSessionNonce cs_nonce; | ||
3686 | }; | ||
3687 | |||
3688 | |||
3689 | /** | ||
3690 | * Compute blinding input values for a given @a nonce and | ||
3691 | * @a salt. | ||
3692 | * | ||
3693 | * @param bsign_priv private key to compute input values for | ||
3694 | * @param nonce session nonce to derive input values from | ||
3695 | * @param salt salt to include in derivation logic | ||
3696 | * @return blinding input values | ||
3697 | */ | ||
3698 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3699 | GNUNET_CRYPTO_get_blinding_input_values ( | ||
3700 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3701 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3702 | const char *salt); | ||
3703 | |||
3704 | |||
3705 | /** | ||
3706 | * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero. | ||
3707 | * | ||
3708 | * @param[in] bsign_pub key to free | ||
3709 | */ | ||
3710 | void | ||
3711 | GNUNET_CRYPTO_blind_sign_pub_decref ( | ||
3712 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3713 | |||
3714 | |||
3715 | /** | ||
3716 | * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero. | ||
3717 | * | ||
3718 | * @param[in] bsign_priv key to free | ||
3719 | */ | ||
3720 | void | ||
3721 | GNUNET_CRYPTO_blind_sign_priv_decref ( | ||
3722 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3723 | |||
3724 | |||
3725 | /** | ||
3726 | * Decrement reference counter of a @a ub_sig, and free it if it reaches zero. | ||
3727 | * | ||
3728 | * @param[in] ub_sig signature to free | ||
3729 | */ | ||
3730 | void | ||
3731 | GNUNET_CRYPTO_unblinded_sig_decref ( | ||
3732 | struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3733 | |||
3734 | |||
3735 | /** | ||
3736 | * Decrement reference counter of a @a blind_sig, and free it if it reaches zero. | ||
3737 | * | ||
3738 | * @param[in] blind_sig signature to free | ||
3739 | */ | ||
3740 | void | ||
3741 | GNUNET_CRYPTO_blinded_sig_decref ( | ||
3742 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3743 | |||
3744 | |||
3745 | /** | ||
3746 | * Decrement reference counter of a @a bm, and free it if it reaches zero. | ||
3747 | * | ||
3748 | * @param[in] bm blinded message to free | ||
3749 | */ | ||
3750 | void | ||
3751 | GNUNET_CRYPTO_blinded_message_decref ( | ||
3752 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3753 | |||
3754 | |||
3755 | /** | ||
3756 | * Increment reference counter of the given @a bm. | ||
3757 | * | ||
3758 | * @param[in,out] bm blinded message to increment reference counter for | ||
3759 | * @return alias of @a bm with RC incremented | ||
3760 | */ | ||
3761 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3762 | GNUNET_CRYPTO_blinded_message_incref ( | ||
3763 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3764 | |||
3765 | |||
3766 | /** | ||
3767 | * Increment reference counter of the given @a bi. | ||
3768 | * | ||
3769 | * @param[in,out] bi blinding input values to increment reference counter for | ||
3770 | * @return alias of @a bi with RC incremented | ||
3771 | */ | ||
3772 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3773 | GNUNET_CRYPTO_blinding_input_values_incref ( | ||
3774 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3775 | |||
3776 | |||
3777 | /** | ||
3778 | * Decrement reference counter of the given @a bi, and free it if it reaches | ||
3779 | * zero. | ||
3780 | * | ||
3781 | * @param[in,out] bi blinding input values to decrement reference counter for | ||
3782 | */ | ||
3783 | void | ||
3784 | GNUNET_CRYPTO_blinding_input_values_decref ( | ||
3785 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3786 | |||
3787 | |||
3788 | /** | ||
3789 | * Increment reference counter of the given @a bsign_pub. | ||
3790 | * | ||
3791 | * @param[in,out] bsign_pub public key to increment reference counter for | ||
3792 | * @return alias of @a bsign_pub with RC incremented | ||
3793 | */ | ||
3794 | struct GNUNET_CRYPTO_BlindSignPublicKey * | ||
3795 | GNUNET_CRYPTO_bsign_pub_incref ( | ||
3796 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3797 | |||
3798 | |||
3799 | /** | ||
3800 | * Increment reference counter of the given @a bsign_priv. | ||
3801 | * | ||
3802 | * @param[in,out] bsign_priv private key to increment reference counter for | ||
3803 | * @return alias of @a bsign_priv with RC incremented | ||
3804 | */ | ||
3805 | struct GNUNET_CRYPTO_BlindSignPrivateKey * | ||
3806 | GNUNET_CRYPTO_bsign_priv_incref ( | ||
3807 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3808 | |||
3809 | |||
3810 | /** | ||
3811 | * Increment reference counter of the given @a ub_sig. | ||
3812 | * | ||
3813 | * @param[in,out] ub_sig signature to increment reference counter for | ||
3814 | * @return alias of @a ub_sig with RC incremented | ||
3815 | */ | ||
3816 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3817 | GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3818 | |||
3819 | |||
3820 | /** | ||
3821 | * Increment reference counter of the given @a blind_sig. | ||
3822 | * | ||
3823 | * @param[in,out] blind_sig signature to increment reference counter for | ||
3824 | * @return alias of @a blind_sig with RC incremented | ||
3825 | */ | ||
3826 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3827 | GNUNET_CRYPTO_blind_sig_incref ( | ||
3828 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3829 | |||
3830 | |||
3831 | /** | ||
3832 | * Compare two denomination public keys. | ||
3833 | * | ||
3834 | * @param bp1 first key | ||
3835 | * @param bp2 second key | ||
3836 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3837 | */ | ||
3838 | int | ||
3839 | GNUNET_CRYPTO_bsign_pub_cmp ( | ||
3840 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1, | ||
3841 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2); | ||
3842 | |||
3843 | |||
3844 | /** | ||
3845 | * Compare two denomination signatures. | ||
3846 | * | ||
3847 | * @param sig1 first signature | ||
3848 | * @param sig2 second signature | ||
3849 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3850 | */ | ||
3851 | int | ||
3852 | GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1, | ||
3853 | const struct GNUNET_CRYPTO_UnblindedSignature *sig2); | ||
3854 | |||
3855 | |||
3856 | /** | ||
3857 | * Compare two blinded denomination signatures. | ||
3858 | * | ||
3859 | * @param sig1 first signature | ||
3860 | * @param sig2 second signature | ||
3861 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3862 | */ | ||
3863 | int | ||
3864 | GNUNET_CRYPTO_blind_sig_cmp ( | ||
3865 | const struct GNUNET_CRYPTO_BlindedSignature *sig1, | ||
3866 | const struct GNUNET_CRYPTO_BlindedSignature *sig2); | ||
3867 | |||
3868 | |||
3869 | /** | ||
3870 | * Compare two blinded messages. | ||
3871 | * | ||
3872 | * @param bp1 first blinded message | ||
3873 | * @param bp2 second blinded message | ||
3874 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3875 | */ | ||
3876 | int | ||
3877 | GNUNET_CRYPTO_blinded_message_cmp ( | ||
3878 | const struct GNUNET_CRYPTO_BlindedMessage *bp1, | ||
3879 | const struct GNUNET_CRYPTO_BlindedMessage *bp2); | ||
3880 | |||
3881 | |||
3882 | /** | ||
3883 | * Initialize public-private key pair for blind signatures. | ||
3884 | * | ||
3885 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3886 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3887 | * be passed. | ||
3888 | * | ||
3889 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3890 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3891 | * @param cipher which type of cipher to use | ||
3892 | * @param ... RSA key size (eg. 2048/3072/4096) | ||
3893 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3894 | */ | ||
3895 | enum GNUNET_GenericReturnValue | ||
3896 | GNUNET_CRYPTO_blind_sign_keys_create ( | ||
3897 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3898 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3899 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3900 | ...); | ||
3901 | |||
3902 | |||
3903 | /** | ||
3904 | * Initialize public-private key pair for blind signatures. | ||
3905 | * | ||
3906 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3907 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3908 | * be passed. | ||
3909 | * | ||
3910 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3911 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3912 | * @param cipher which type of cipher to use | ||
3913 | * @param ap RSA key size (eg. 2048/3072/4096) | ||
3914 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3915 | */ | ||
3916 | enum GNUNET_GenericReturnValue | ||
3917 | GNUNET_CRYPTO_blind_sign_keys_create_va ( | ||
3918 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3919 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3920 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3921 | va_list ap); | ||
3922 | |||
3923 | |||
3924 | /** | ||
3925 | * @brief Type of blinding secrets. Must be exactly 32 bytes (DB). | ||
3926 | */ | ||
3927 | union GNUNET_CRYPTO_BlindingSecretP | ||
3928 | { | ||
3929 | /** | ||
3930 | * Clause Schnorr nonce. | ||
3931 | */ | ||
3932 | struct GNUNET_CRYPTO_CsBlindingNonce nonce; | ||
3933 | |||
3934 | /** | ||
3935 | * Variant for RSA for blind signatures. | ||
3936 | */ | ||
3937 | struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks; | ||
3938 | }; | ||
3939 | |||
3940 | |||
3941 | /** | ||
3942 | * Blind message for blind signing with @a dk using blinding secret @a coin_bks. | ||
3943 | * | ||
3944 | * @param bsign_pub public key to blind for | ||
3945 | * @param bks blinding secret to use | ||
3946 | * @param nonce nonce used to obtain @a alg_values | ||
3947 | * can be NULL if input values are not used for the cipher | ||
3948 | * @param message message to sign | ||
3949 | * @param message_size number of bytes in @a message | ||
3950 | * @param alg_values algorithm specific values to blind the @a message | ||
3951 | * @return blinded message to give to signer, NULL on error | ||
3952 | */ | ||
3953 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3954 | GNUNET_CRYPTO_message_blind_to_sign ( | ||
3955 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
3956 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3957 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3958 | const void *message, | ||
3959 | size_t message_size, | ||
3960 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values); | ||
3961 | |||
3962 | |||
3963 | /** | ||
3964 | * Create blind signature. | ||
3965 | * | ||
3966 | * @param bsign_priv private key to use for signing | ||
3967 | * @param salt salt value to use for the HKDF, | ||
3968 | * can be NULL if input values are not used for the cipher | ||
3969 | * @param blinded_message the already blinded message to sign | ||
3970 | * @return blind signature with RC=1, NULL on failure | ||
3971 | */ | ||
3972 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3973 | GNUNET_CRYPTO_blind_sign ( | ||
3974 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3975 | const char *salt, | ||
3976 | const struct GNUNET_CRYPTO_BlindedMessage *blinded_message); | ||
3977 | |||
3978 | |||
3979 | /** | ||
3980 | * Unblind blind signature. | ||
3981 | * | ||
3982 | * @param blinded_sig the blind signature | ||
3983 | * @param bks blinding secret to use | ||
3984 | * @param message message that was supposedly signed | ||
3985 | * @param message_size number of bytes in @a message | ||
3986 | * @param alg_values algorithm specific values | ||
3987 | * @param bsign_pub public key used for signing | ||
3988 | * @return unblinded signature with RC=1, NULL on error | ||
3989 | */ | ||
3990 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3991 | GNUNET_CRYPTO_blind_sig_unblind ( | ||
3992 | const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig, | ||
3993 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3994 | const void *message, | ||
3995 | size_t message_size, | ||
3996 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values, | ||
3997 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3998 | |||
3999 | |||
4000 | /** | ||
4001 | * Verify signature made blindly. | ||
4002 | * | ||
4003 | * @param bsign_pub public key | ||
4004 | * @param ub_sig signature made blindly with the private key | ||
4005 | * @param message message that was supposedly signed | ||
4006 | * @param message_size number of bytes in @a message | ||
4007 | * @return #GNUNET_OK if the signature is valid | ||
4008 | */ | ||
4009 | enum GNUNET_GenericReturnValue | ||
4010 | GNUNET_CRYPTO_blind_sig_verify ( | ||
4011 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
4012 | const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig, | ||
4013 | const void *message, | ||
4014 | size_t message_size); | ||
4015 | |||
4016 | |||
4017 | /** | ||
4018 | * Get the compacted length of a #GNUNET_CRYPTO_PublicKey. | ||
4019 | * Compacted means that it returns the minimum number of bytes this | ||
4020 | * key is long, as opposed to the union structure inside | ||
4021 | * #GNUNET_CRYPTO_PublicKey. | ||
4022 | * Useful for compact serializations. | ||
4023 | * | ||
4024 | * @param key the key. | ||
4025 | * @return -1 on error, else the compacted length of the key. | ||
4026 | */ | ||
4027 | ssize_t | ||
4028 | GNUNET_CRYPTO_public_key_get_length (const struct | ||
4029 | GNUNET_CRYPTO_PublicKey *key); | ||
4030 | |||
4031 | /** | ||
4032 | * Reads a #GNUNET_CRYPTO_PublicKey from a compact buffer. | ||
4033 | * The buffer has to contain at least the compacted length of | ||
4034 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4035 | * If the buffer is too small, the function returns -1 as error. | ||
4036 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4037 | * | ||
4038 | * @param buffer the buffer | ||
4039 | * @param len the length of buffer | ||
4040 | * @param key the key | ||
4041 | * @param the amount of bytes read from the buffer | ||
4042 | * @return #GNUNET_SYSERR on error | ||
4043 | */ | ||
4044 | enum GNUNET_GenericReturnValue | ||
4045 | GNUNET_CRYPTO_read_public_key_from_buffer ( | ||
4046 | const void *buffer, | ||
4047 | size_t len, | ||
4048 | struct GNUNET_CRYPTO_PublicKey *key, | ||
4049 | size_t *read); | ||
4050 | |||
4051 | /** | ||
4052 | * Get the compacted length of a #GNUNET_CRYPTO_PrivateKey. | ||
4053 | * Compacted means that it returns the minimum number of bytes this | ||
4054 | * key is long, as opposed to the union structure inside | ||
4055 | * #GNUNET_CRYPTO_PrivateKey. | ||
4056 | * Useful for compact serializations. | ||
4057 | * | ||
4058 | * @param key the key. | ||
4059 | * @return -1 on error, else the compacted length of the key. | ||
4060 | */ | ||
4061 | ssize_t | ||
4062 | GNUNET_CRYPTO_private_key_get_length ( | ||
4063 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4064 | |||
4065 | |||
4066 | /** | ||
4067 | * Writes a #GNUNET_CRYPTO_PublicKey to a compact buffer. | ||
4068 | * The buffer requires space for at least the compacted length of | ||
4069 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4070 | * If the buffer is too small, the function returns -1 as error. | ||
4071 | * If the key is not valid, it returns -2 as error. | ||
4072 | * | ||
4073 | * @param key the key | ||
4074 | * @param buffer the buffer | ||
4075 | * @param len the length of buffer | ||
4076 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4077 | */ | ||
4078 | ssize_t | ||
4079 | GNUNET_CRYPTO_write_public_key_to_buffer (const struct | ||
4080 | GNUNET_CRYPTO_PublicKey *key, | ||
4081 | void*buffer, | ||
4082 | size_t len); | ||
4083 | |||
4084 | |||
4085 | /** | ||
4086 | * Reads a #GNUNET_CRYPTO_PrivateKey from a compact buffer. | ||
4087 | * The buffer has to contain at least the compacted length of | ||
4088 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4089 | * If the buffer is too small, the function returns GNUNET_SYSERR as error. | ||
4090 | * | ||
4091 | * @param buffer the buffer | ||
4092 | * @param len the length of buffer | ||
4093 | * @param key the key | ||
4094 | * @param the amount of bytes read from the buffer | ||
4095 | * @return #GNUNET_SYSERR on error | ||
4096 | */ | ||
4097 | enum GNUNET_GenericReturnValue | ||
4098 | GNUNET_CRYPTO_read_private_key_from_buffer ( | ||
4099 | const void*buffer, | ||
4100 | size_t len, | ||
4101 | struct GNUNET_CRYPTO_PrivateKey *key, | ||
4102 | size_t *read); | ||
4103 | |||
4104 | |||
4105 | /** | ||
4106 | * Writes a #GNUNET_CRYPTO_PrivateKey to a compact buffer. | ||
4107 | * The buffer requires space for at least the compacted length of | ||
4108 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4109 | * If the buffer is too small, the function returns -1 as error. | ||
4110 | * If the key is not valid, it returns -2 as error. | ||
4111 | * | ||
4112 | * @param key the key | ||
4113 | * @param buffer the buffer | ||
4114 | * @param len the length of buffer | ||
4115 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4116 | */ | ||
4117 | ssize_t | ||
4118 | GNUNET_CRYPTO_write_private_key_to_buffer ( | ||
4119 | const struct GNUNET_CRYPTO_PrivateKey *key, | ||
4120 | void*buffer, | ||
4121 | size_t len); | ||
4122 | |||
4123 | |||
4124 | /** | ||
4125 | * Get the compacted length of a #GNUNET_CRYPTO_Signature. | ||
4126 | * Compacted means that it returns the minimum number of bytes this | ||
4127 | * signature is long, as opposed to the union structure inside | ||
4128 | * #GNUNET_CRYPTO_Signature. | ||
4129 | * Useful for compact serializations. | ||
4130 | * | ||
4131 | * @param sig the signature. | ||
4132 | * @return -1 on error, else the compacted length of the signature. | ||
4133 | */ | ||
4134 | ssize_t | ||
4135 | GNUNET_CRYPTO_signature_get_length ( | ||
4136 | const struct GNUNET_CRYPTO_Signature *sig); | ||
4137 | |||
4138 | |||
4139 | /** | ||
4140 | * Get the compacted length of a signature by type. | ||
4141 | * Compacted means that it returns the minimum number of bytes this | ||
4142 | * signature is long, as opposed to the union structure inside | ||
4143 | * #GNUNET_CRYPTO_Signature. | ||
4144 | * Useful for compact serializations. | ||
4145 | * | ||
4146 | * @param sig the signature. | ||
4147 | * @return -1 on error, else the compacted length of the signature. | ||
4148 | */ | ||
4149 | ssize_t | ||
4150 | GNUNET_CRYPTO_signature_get_raw_length_by_type (uint32_t type); | ||
4151 | |||
4152 | |||
4153 | /** | ||
4154 | * Reads a #GNUNET_CRYPTO_Signature from a compact buffer. | ||
4155 | * The buffer has to contain at least the compacted length of | ||
4156 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4157 | * If the buffer is too small, the function returns -1 as error. | ||
4158 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4159 | * | ||
4160 | * @param sig the signature | ||
4161 | * @param buffer the buffer | ||
4162 | * @param len the length of buffer | ||
4163 | * @return -1 or -2 on error, else the amount of bytes read from the buffer | ||
4164 | */ | ||
4165 | ssize_t | ||
4166 | GNUNET_CRYPTO_read_signature_from_buffer ( | ||
4167 | struct GNUNET_CRYPTO_Signature *sig, | ||
4168 | const void*buffer, | ||
4169 | size_t len); | ||
4170 | |||
4171 | |||
4172 | /** | ||
4173 | * Writes a #GNUNET_CRYPTO_Signature to a compact buffer. | ||
4174 | * The buffer requires space for at least the compacted length of | ||
4175 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4176 | * If the buffer is too small, the function returns -1 as error. | ||
4177 | * If the key is not valid, it returns -2 as error. | ||
4178 | * | ||
4179 | * @param sig the signature | ||
4180 | * @param buffer the buffer | ||
4181 | * @param len the length of buffer | ||
4182 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4183 | */ | ||
4184 | ssize_t | ||
4185 | GNUNET_CRYPTO_write_signature_to_buffer ( | ||
4186 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4187 | void*buffer, | ||
4188 | size_t len); | ||
4189 | |||
4190 | |||
4191 | /** | ||
4192 | * @brief Sign a given block. | ||
4193 | * | ||
4194 | * The @a purpose data is the beginning of the data of which the signature is | ||
4195 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4196 | * number of bytes of the data structure, including its header. If possible, | ||
4197 | * use #GNUNET_CRYPTO_sign() instead of this function. | ||
4198 | * | ||
4199 | * @param priv private key to use for the signing | ||
4200 | * @param purpose what to sign (size, purpose) | ||
4201 | * @param[out] sig where to write the signature | ||
4202 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4203 | */ | ||
4204 | enum GNUNET_GenericReturnValue | ||
4205 | GNUNET_CRYPTO_sign_ ( | ||
4206 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4207 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4208 | struct GNUNET_CRYPTO_Signature *sig); | ||
4209 | |||
4210 | /** | ||
4211 | * @brief Sign a given block. | ||
4212 | * | ||
4213 | * The @a purpose data is the beginning of the data of which the signature is | ||
4214 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4215 | * number of bytes of the data structure, including its header. | ||
4216 | * The signature payload and length depends on the key type. | ||
4217 | * | ||
4218 | * @param priv private key to use for the signing | ||
4219 | * @param purpose what to sign (size, purpose) | ||
4220 | * @param[out] sig where to write the signature | ||
4221 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4222 | */ | ||
4223 | enum GNUNET_GenericReturnValue | ||
4224 | GNUNET_CRYPTO_sign_raw_ ( | ||
4225 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4226 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4227 | unsigned char *sig); | ||
4228 | |||
4229 | |||
4230 | /** | ||
4231 | * @brief Sign a given block with #GNUNET_CRYPTO_PrivateKey. | ||
4232 | * | ||
4233 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4234 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4235 | * number of bytes of the data structure, including its header. | ||
4236 | * | ||
4237 | * @param priv private key to use for the signing | ||
4238 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4239 | * @param[out] sig where to write the signature | ||
4240 | */ | ||
4241 | #define GNUNET_CRYPTO_sign(priv,ps,sig) do { \ | ||
4242 | /* check size is set correctly */ \ | ||
4243 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4244 | /* check 'ps' begins with the purpose */ \ | ||
4245 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4246 | ((void*) &(ps)->purpose)); \ | ||
4247 | GNUNET_assert (GNUNET_OK == \ | ||
4248 | GNUNET_CRYPTO_sign_ (priv, \ | ||
4249 | &(ps)->purpose, \ | ||
4250 | sig)); \ | ||
4251 | } while (0) | ||
4252 | |||
4253 | |||
4254 | /** | ||
4255 | * @brief Verify a given signature. | ||
4256 | * | ||
4257 | * The @a validate data is the beginning of the data of which the signature | ||
4258 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4259 | * the number of bytes of the data structure, including its header. If @a | ||
4260 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4261 | * in big endian), signature verification fails. If possible, | ||
4262 | * use #GNUNET_CRYPTO_signature_verify() instead of this function (only if @a validate | ||
4263 | * is not fixed-size, you must use this function directly). | ||
4264 | * | ||
4265 | * @param purpose what is the purpose that the signature should have? | ||
4266 | * @param validate block to validate (size, purpose, data) | ||
4267 | * @param sig signature that is being validated | ||
4268 | * @param pub public key of the signer | ||
4269 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4270 | */ | ||
4271 | enum GNUNET_GenericReturnValue | ||
4272 | GNUNET_CRYPTO_signature_verify_ ( | ||
4273 | uint32_t purpose, | ||
4274 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4275 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4276 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4277 | |||
4278 | /** | ||
4279 | * @brief Verify a given signature. | ||
4280 | * | ||
4281 | * The @a validate data is the beginning of the data of which the signature | ||
4282 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4283 | * the number of bytes of the data structure, including its header. If @a | ||
4284 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4285 | * in big endian), signature verification fails. | ||
4286 | * | ||
4287 | * @param purpose what is the purpose that the signature should have? | ||
4288 | * @param validate block to validate (size, purpose, data) | ||
4289 | * @param sig signature that is being validated | ||
4290 | * @param pub public key of the signer | ||
4291 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4292 | */ | ||
4293 | enum GNUNET_GenericReturnValue | ||
4294 | GNUNET_CRYPTO_signature_verify_raw_ ( | ||
4295 | uint32_t purpose, | ||
4296 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4297 | const unsigned char *sig, | ||
4298 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4299 | |||
4300 | |||
4301 | /** | ||
4302 | * @brief Verify a given signature with #GNUNET_CRYPTO_PublicKey. | ||
4303 | * | ||
4304 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4305 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4306 | * number of bytes of the data structure, including its header. | ||
4307 | * | ||
4308 | * @param purp purpose of the signature, must match 'ps->purpose.purpose' | ||
4309 | * (except in host byte order) | ||
4310 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4311 | * @param sig where to read the signature from | ||
4312 | * @param pub public key to use for the verifying | ||
4313 | */ | ||
4314 | #define GNUNET_CRYPTO_signature_verify(purp,ps,sig,pub) ({ \ | ||
4315 | /* check size is set correctly */ \ | ||
4316 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4317 | /* check 'ps' begins with the purpose */ \ | ||
4318 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4319 | ((void*) &(ps)->purpose)); \ | ||
4320 | GNUNET_CRYPTO_signature_verify_ (purp, \ | ||
4321 | &(ps)->purpose, \ | ||
4322 | sig, \ | ||
4323 | pub); \ | ||
4324 | }) | ||
4325 | |||
4326 | |||
4327 | /** | ||
4328 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4329 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4330 | * using ecdh to derive a symmetric key. | ||
4331 | * | ||
4332 | * @param block the block to encrypt | ||
4333 | * @param size the size of the @a block | ||
4334 | * @param pub public key to use for ecdh | ||
4335 | * @param ecc where to write the ecc public key | ||
4336 | * @param result the output parameter in which to store the encrypted result | ||
4337 | * can be the same or overlap with @c block | ||
4338 | * @returns the size of the encrypted block, -1 for errors. | ||
4339 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4340 | * this size should be the same as @c len. | ||
4341 | */ | ||
4342 | ssize_t | ||
4343 | GNUNET_CRYPTO_encrypt_old (const void *block, | ||
4344 | size_t size, | ||
4345 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4346 | struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4347 | void *result); | ||
4348 | |||
4349 | |||
4350 | /** | ||
4351 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4352 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4353 | * | ||
4354 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4355 | * @param size the size of the @a block to decrypt | ||
4356 | * @param priv private key to use for ecdh | ||
4357 | * @param ecc the ecc public key | ||
4358 | * @param result address to store the result at | ||
4359 | * can be the same or overlap with @c block | ||
4360 | * @return -1 on failure, size of decrypted block on success. | ||
4361 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4362 | * this size should be the same as @c size. | ||
4363 | */ | ||
4364 | ssize_t | ||
4365 | GNUNET_CRYPTO_decrypt_old ( | ||
4366 | const void *block, | ||
4367 | size_t size, | ||
4368 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4369 | const struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4370 | void *result); | ||
4371 | |||
4372 | #define GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES (crypto_secretbox_MACBYTES \ | ||
4373 | + sizeof (struct \ | ||
4374 | GNUNET_CRYPTO_FoKemC)) | ||
4375 | |||
4376 | /** | ||
4377 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4378 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4379 | * using ecdh to derive a symmetric key. | ||
4380 | * | ||
4381 | * Note that the result buffer for the ciphertext must be the length of | ||
4382 | * the message to encrypt plus #GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES. | ||
4383 | * | ||
4384 | * @param block the block to encrypt | ||
4385 | * @param size the size of the @a block | ||
4386 | * @param pub public key to encrypt for | ||
4387 | * @param result the output parameter in which to store the encrypted result | ||
4388 | * can be the same or overlap with @c block | ||
4389 | * @returns GNUNET_OK on success. | ||
4390 | */ | ||
4391 | enum GNUNET_GenericReturnValue | ||
4392 | GNUNET_CRYPTO_encrypt (const void *block, | ||
4393 | size_t size, | ||
4394 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4395 | void *result, | ||
4396 | size_t result_size); | ||
4397 | |||
4398 | |||
4399 | /** | ||
4400 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4401 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4402 | * | ||
4403 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4404 | * @param size the size of the @a block to decrypt | ||
4405 | * @param priv private key to use for ecdh | ||
4406 | * @param result address to store the result at | ||
4407 | * can be the same or overlap with @c block | ||
4408 | * @returns GNUNET_OK on success. | ||
4409 | */ | ||
4410 | enum GNUNET_GenericReturnValue | ||
4411 | GNUNET_CRYPTO_decrypt (const void *block, | ||
4412 | size_t size, | ||
4413 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4414 | void *result, | ||
4415 | size_t result_size); | ||
4416 | |||
4417 | |||
4418 | /** | ||
4419 | * Creates a (Base32) string representation of the public key. | ||
4420 | * The resulting string encodes a compacted representation of the key. | ||
4421 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4422 | * | ||
4423 | * @param key the key. | ||
4424 | * @return the string representation of the key, or NULL on error. | ||
4425 | */ | ||
4426 | char * | ||
4427 | GNUNET_CRYPTO_public_key_to_string ( | ||
4428 | const struct GNUNET_CRYPTO_PublicKey *key); | ||
4429 | |||
4430 | |||
4431 | /** | ||
4432 | * Creates a (Base32) string representation of the private key. | ||
4433 | * The resulting string encodes a compacted representation of the key. | ||
4434 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4435 | * | ||
4436 | * @param key the key. | ||
4437 | * @return the string representation of the key, or NULL on error. | ||
4438 | */ | ||
4439 | char * | ||
4440 | GNUNET_CRYPTO_private_key_to_string ( | ||
4441 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4442 | |||
4443 | |||
4444 | /** | ||
4445 | * Parses a (Base32) string representation of the public key. | ||
4446 | * See also #GNUNET_CRYPTO_public_key_to_string. | ||
4447 | * | ||
4448 | * @param str the encoded key. | ||
4449 | * @param key where to write the key. | ||
4450 | * @return GNUNET_SYSERR on error. | ||
4451 | */ | ||
4452 | enum GNUNET_GenericReturnValue | ||
4453 | GNUNET_CRYPTO_public_key_from_string (const char*str, | ||
4454 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4455 | |||
4456 | |||
4457 | /** | ||
4458 | * Parses a (Base32) string representation of the private key. | ||
4459 | * See also #GNUNET_CRYPTO_private_key_to_string. | ||
4460 | * | ||
4461 | * @param str the encoded key. | ||
4462 | * @param key where to write the key. | ||
4463 | * @return GNUNET_SYSERR on error. | ||
4464 | */ | ||
4465 | enum GNUNET_GenericReturnValue | ||
4466 | GNUNET_CRYPTO_private_key_from_string (const char*str, | ||
4467 | struct GNUNET_CRYPTO_PrivateKey *key); | ||
4468 | |||
4469 | |||
4470 | /** | ||
4471 | * Retrieves the public key representation of a private key. | ||
4472 | * | ||
4473 | * @param privkey the private key. | ||
4474 | * @param key the public key result. | ||
4475 | * @return GNUNET_SYSERR on error. | ||
4476 | */ | ||
4477 | enum GNUNET_GenericReturnValue | ||
4478 | GNUNET_CRYPTO_key_get_public (const struct | ||
4479 | GNUNET_CRYPTO_PrivateKey *privkey, | ||
4480 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4481 | |||
2935 | #if 0 /* keep Emacsens' auto-indent happy */ | 4482 | #if 0 /* keep Emacsens' auto-indent happy */ |
2936 | { | 4483 | { |
2937 | #endif | 4484 | #endif |
@@ -2942,4 +4489,7 @@ GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, | |||
2942 | 4489 | ||
2943 | /* ifndef GNUNET_CRYPTO_LIB_H */ | 4490 | /* ifndef GNUNET_CRYPTO_LIB_H */ |
2944 | #endif | 4491 | #endif |
4492 | |||
4493 | /** @} */ /* end of group addition */ | ||
4494 | |||
2945 | /* end of gnunet_crypto_lib.h */ | 4495 | /* end of gnunet_crypto_lib.h */ |