diff options
Diffstat (limited to 'src/include/gnunet_crypto_lib.h')
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 2259 |
1 files changed, 2158 insertions, 101 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index ae73c9d40..50937324d 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -1,6 +1,6 @@ | |||
1 | /* | 1 | /* |
2 | This file is part of GNUnet. | 2 | This file is part of GNUnet. |
3 | Copyright (C) 2001-2013 GNUnet e.V. | 3 | Copyright (C) 2001-2023 GNUnet e.V. |
4 | 4 | ||
5 | GNUnet is free software: you can redistribute it and/or modify it | 5 | GNUnet is free software: you can redistribute it and/or modify it |
6 | under the terms of the GNU Affero General Public License as published | 6 | under the terms of the GNU Affero General Public License as published |
@@ -19,6 +19,10 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | /** | 21 | /** |
22 | * @addtogroup libgnunetutil | ||
23 | * Multi-function utilities library for GNUnet programs | ||
24 | * @{ | ||
25 | * | ||
22 | * @file include/gnunet_crypto_lib.h | 26 | * @file include/gnunet_crypto_lib.h |
23 | * @brief cryptographic primitives for GNUnet | 27 | * @brief cryptographic primitives for GNUnet |
24 | * | 28 | * |
@@ -40,6 +44,10 @@ | |||
40 | * @see [Documentation](https://gnunet.org/crypto-api) | 44 | * @see [Documentation](https://gnunet.org/crypto-api) |
41 | */ | 45 | */ |
42 | 46 | ||
47 | #if ! defined (__GNUNET_UTIL_LIB_H_INSIDE__) | ||
48 | #error "Only <gnunet_util_lib.h> can be included directly." | ||
49 | #endif | ||
50 | |||
43 | #ifndef GNUNET_CRYPTO_LIB_H | 51 | #ifndef GNUNET_CRYPTO_LIB_H |
44 | #define GNUNET_CRYPTO_LIB_H | 52 | #define GNUNET_CRYPTO_LIB_H |
45 | 53 | ||
@@ -50,6 +58,8 @@ extern "C" { | |||
50 | #endif | 58 | #endif |
51 | #endif | 59 | #endif |
52 | 60 | ||
61 | |||
62 | #include <stdbool.h> | ||
53 | #include <sodium.h> | 63 | #include <sodium.h> |
54 | 64 | ||
55 | /** | 65 | /** |
@@ -57,7 +67,6 @@ extern "C" { | |||
57 | */ | 67 | */ |
58 | struct GNUNET_PeerIdentity; | 68 | struct GNUNET_PeerIdentity; |
59 | 69 | ||
60 | #include "gnunet_common.h" | ||
61 | #include <gcrypt.h> | 70 | #include <gcrypt.h> |
62 | 71 | ||
63 | 72 | ||
@@ -286,6 +295,170 @@ struct GNUNET_CRYPTO_EddsaPrivateScalar | |||
286 | unsigned char s[512 / 8]; | 295 | unsigned char s[512 / 8]; |
287 | }; | 296 | }; |
288 | 297 | ||
298 | /** | ||
299 | * Private ECC key material encoded for transmission. To be used only for | ||
300 | * Edx25519 signatures. An initial key corresponds to data from the key | ||
301 | * expansion and clamping in the EdDSA key generation. | ||
302 | */ | ||
303 | struct GNUNET_CRYPTO_Edx25519PrivateKey | ||
304 | { | ||
305 | /** | ||
306 | * a is a value mod n, where n has at most 256 bits. It is the first half of | ||
307 | * the seed-expansion of EdDSA and will be clamped. | ||
308 | */ | ||
309 | unsigned char a[256 / 8]; | ||
310 | |||
311 | /** | ||
312 | * b consists of 32 bytes which where originally the lower 32bytes of the key | ||
313 | * expansion. Subsequent calls to derive_private will change this value, too. | ||
314 | */ | ||
315 | unsigned char b[256 / 8]; | ||
316 | }; | ||
317 | |||
318 | |||
319 | /** | ||
320 | * Public ECC key (always for curve Ed25519) encoded in a format suitable for | ||
321 | * network transmission and Edx25519 (same as EdDSA) signatures. Refer to | ||
322 | * section 5.1.3 of rfc8032, for a thorough explanation of how this value maps | ||
323 | * to the x- and y-coordinates. | ||
324 | */ | ||
325 | struct GNUNET_CRYPTO_Edx25519PublicKey | ||
326 | { | ||
327 | /** | ||
328 | * Point Q consists of a y-value mod p (256 bits); the x-value is | ||
329 | * always positive. The point is stored in Ed25519 standard | ||
330 | * compact format. | ||
331 | */ | ||
332 | unsigned char q_y[256 / 8]; | ||
333 | }; | ||
334 | |||
335 | /** | ||
336 | * @brief an ECC signature using Edx25519 (same as in EdDSA). | ||
337 | */ | ||
338 | struct GNUNET_CRYPTO_Edx25519Signature | ||
339 | { | ||
340 | /** | ||
341 | * R value. | ||
342 | */ | ||
343 | unsigned char r[256 / 8]; | ||
344 | |||
345 | /** | ||
346 | * S value. | ||
347 | */ | ||
348 | unsigned char s[256 / 8]; | ||
349 | }; | ||
350 | |||
351 | /** | ||
352 | * Elligator representative (always for Curve25519) | ||
353 | */ | ||
354 | struct GNUNET_CRYPTO_ElligatorRepresentative | ||
355 | { | ||
356 | /** | ||
357 | * Represents an element of Curve25519 finite field. | ||
358 | * Always smaller than 2 ^ 254 - 10 -> Needs to be serialized into a random-looking byte stream before transmission. | ||
359 | */ | ||
360 | unsigned char r[256 / 8]; | ||
361 | }; | ||
362 | |||
363 | /** | ||
364 | * Key type for the generic public key union | ||
365 | */ | ||
366 | enum GNUNET_CRYPTO_KeyType | ||
367 | { | ||
368 | /** | ||
369 | * The identity type. The value is the same as the | ||
370 | * PKEY record type. | ||
371 | */ | ||
372 | GNUNET_PUBLIC_KEY_TYPE_ECDSA = 65536, | ||
373 | |||
374 | /** | ||
375 | * EDDSA identity. The value is the same as the EDKEY | ||
376 | * record type. | ||
377 | */ | ||
378 | GNUNET_PUBLIC_KEY_TYPE_EDDSA = 65556 | ||
379 | }; | ||
380 | |||
381 | /** | ||
382 | * A private key for an identity as per LSD0001. | ||
383 | * Note that these types are NOT packed and MUST NOT be used in RPC | ||
384 | * messages. Use the respective serialization functions. | ||
385 | */ | ||
386 | struct GNUNET_CRYPTO_PrivateKey | ||
387 | { | ||
388 | /** | ||
389 | * Type of public key. | ||
390 | * Defined by the GNS zone type value. | ||
391 | * In NBO. | ||
392 | */ | ||
393 | uint32_t type; | ||
394 | |||
395 | union | ||
396 | { | ||
397 | /** | ||
398 | * An ECDSA identity key. | ||
399 | */ | ||
400 | struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key; | ||
401 | |||
402 | /** | ||
403 | * AN EdDSA identtiy key | ||
404 | */ | ||
405 | struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key; | ||
406 | }; | ||
407 | }; | ||
408 | |||
409 | |||
410 | /** | ||
411 | * An identity key as per LSD0001. | ||
412 | */ | ||
413 | struct GNUNET_CRYPTO_PublicKey | ||
414 | { | ||
415 | /** | ||
416 | * Type of public key. | ||
417 | * Defined by the GNS zone type value. | ||
418 | * In NBO. | ||
419 | */ | ||
420 | uint32_t type; | ||
421 | |||
422 | union | ||
423 | { | ||
424 | /** | ||
425 | * An ECDSA identity key. | ||
426 | */ | ||
427 | struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_key; | ||
428 | |||
429 | /** | ||
430 | * AN EdDSA identtiy key | ||
431 | */ | ||
432 | struct GNUNET_CRYPTO_EddsaPublicKey eddsa_key; | ||
433 | }; | ||
434 | }; | ||
435 | |||
436 | |||
437 | /** | ||
438 | * An identity signature as per LSD0001. | ||
439 | */ | ||
440 | struct GNUNET_CRYPTO_Signature | ||
441 | { | ||
442 | /** | ||
443 | * Type of signature. | ||
444 | * Defined by the GNS zone type value. | ||
445 | * In NBO. | ||
446 | */ | ||
447 | uint32_t type; | ||
448 | |||
449 | union | ||
450 | { | ||
451 | /** | ||
452 | * An ECDSA signature | ||
453 | */ | ||
454 | struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature; | ||
455 | |||
456 | /** | ||
457 | * AN EdDSA signature | ||
458 | */ | ||
459 | struct GNUNET_CRYPTO_EddsaSignature eddsa_signature; | ||
460 | }; | ||
461 | }; | ||
289 | 462 | ||
290 | /** | 463 | /** |
291 | * @brief type for session keys | 464 | * @brief type for session keys |
@@ -306,7 +479,7 @@ struct GNUNET_CRYPTO_SymmetricSessionKey | |||
306 | /** | 479 | /** |
307 | * Type of a nonce used for challenges. | 480 | * Type of a nonce used for challenges. |
308 | */ | 481 | */ |
309 | struct ChallengeNonceP | 482 | struct GNUNET_CRYPTO_ChallengeNonceP |
310 | { | 483 | { |
311 | /** | 484 | /** |
312 | * The value of the nonce. Note that this is NOT a hash. | 485 | * The value of the nonce. Note that this is NOT a hash. |
@@ -392,6 +565,143 @@ struct GNUNET_CRYPTO_PaillierCiphertext | |||
392 | }; | 565 | }; |
393 | 566 | ||
394 | 567 | ||
568 | /** | ||
569 | * Curve25519 Scalar | ||
570 | */ | ||
571 | struct GNUNET_CRYPTO_Cs25519Scalar | ||
572 | { | ||
573 | /** | ||
574 | * 32 byte scalar | ||
575 | */ | ||
576 | unsigned char d[crypto_core_ed25519_SCALARBYTES]; | ||
577 | }; | ||
578 | |||
579 | |||
580 | /** | ||
581 | * Curve25519 point | ||
582 | */ | ||
583 | struct GNUNET_CRYPTO_Cs25519Point | ||
584 | { | ||
585 | /** | ||
586 | * This is a point on the Curve25519. | ||
587 | * The x coordinate can be restored using the y coordinate | ||
588 | */ | ||
589 | unsigned char y[crypto_core_ed25519_BYTES]; | ||
590 | }; | ||
591 | |||
592 | |||
593 | /** | ||
594 | * The private information of an Schnorr key pair. | ||
595 | */ | ||
596 | struct GNUNET_CRYPTO_CsPrivateKey | ||
597 | { | ||
598 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
599 | }; | ||
600 | |||
601 | |||
602 | /** | ||
603 | * The public information of an Schnorr key pair. | ||
604 | */ | ||
605 | struct GNUNET_CRYPTO_CsPublicKey | ||
606 | { | ||
607 | struct GNUNET_CRYPTO_Cs25519Point point; | ||
608 | }; | ||
609 | |||
610 | |||
611 | /** | ||
612 | * Secret used for blinding (alpha and beta). | ||
613 | */ | ||
614 | struct GNUNET_CRYPTO_CsBlindingSecret | ||
615 | { | ||
616 | struct GNUNET_CRYPTO_Cs25519Scalar alpha; | ||
617 | struct GNUNET_CRYPTO_Cs25519Scalar beta; | ||
618 | }; | ||
619 | |||
620 | |||
621 | /** | ||
622 | * the private r used in the signature | ||
623 | */ | ||
624 | struct GNUNET_CRYPTO_CsRSecret | ||
625 | { | ||
626 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
627 | }; | ||
628 | |||
629 | |||
630 | /** | ||
631 | * the public R (derived from r) used in c | ||
632 | */ | ||
633 | struct GNUNET_CRYPTO_CsRPublic | ||
634 | { | ||
635 | struct GNUNET_CRYPTO_Cs25519Point point; | ||
636 | }; | ||
637 | |||
638 | |||
639 | /** | ||
640 | * Schnorr c to be signed | ||
641 | */ | ||
642 | struct GNUNET_CRYPTO_CsC | ||
643 | { | ||
644 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
645 | }; | ||
646 | |||
647 | |||
648 | /** | ||
649 | * s in the signature | ||
650 | */ | ||
651 | struct GNUNET_CRYPTO_CsS | ||
652 | { | ||
653 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
654 | }; | ||
655 | |||
656 | |||
657 | /** | ||
658 | * blinded s in the signature | ||
659 | */ | ||
660 | struct GNUNET_CRYPTO_CsBlindS | ||
661 | { | ||
662 | struct GNUNET_CRYPTO_Cs25519Scalar scalar; | ||
663 | }; | ||
664 | |||
665 | |||
666 | /** | ||
667 | * CS Signtature containing scalar s and point R | ||
668 | */ | ||
669 | struct GNUNET_CRYPTO_CsSignature | ||
670 | { | ||
671 | /** | ||
672 | * Schnorr signatures are composed of a scalar s and a curve point | ||
673 | */ | ||
674 | struct GNUNET_CRYPTO_CsS s_scalar; | ||
675 | |||
676 | /** | ||
677 | * Curve point of the Schnorr signature. | ||
678 | */ | ||
679 | struct GNUNET_CRYPTO_CsRPublic r_point; | ||
680 | }; | ||
681 | |||
682 | |||
683 | /** | ||
684 | * Nonce for the session, picked by client, | ||
685 | * shared with the signer. | ||
686 | */ | ||
687 | struct GNUNET_CRYPTO_CsSessionNonce | ||
688 | { | ||
689 | /*a nonce*/ | ||
690 | unsigned char snonce[256 / 8]; | ||
691 | }; | ||
692 | |||
693 | |||
694 | /** | ||
695 | * Nonce for computing blinding factors. Not | ||
696 | * shared with the signer. | ||
697 | */ | ||
698 | struct GNUNET_CRYPTO_CsBlindingNonce | ||
699 | { | ||
700 | /*a nonce*/ | ||
701 | unsigned char bnonce[256 / 8]; | ||
702 | }; | ||
703 | |||
704 | |||
395 | /* **************** Functions and Macros ************* */ | 705 | /* **************** Functions and Macros ************* */ |
396 | 706 | ||
397 | /** | 707 | /** |
@@ -480,7 +790,7 @@ GNUNET_CRYPTO_zero_keys (void *buffer, size_t length); | |||
480 | * Fill block with a random values. | 790 | * Fill block with a random values. |
481 | * | 791 | * |
482 | * @param mode desired quality of the random number | 792 | * @param mode desired quality of the random number |
483 | * @param buffer the buffer to fill | 793 | * @param[out] buffer the buffer to fill |
484 | * @param length buffer length | 794 | * @param length buffer length |
485 | */ | 795 | */ |
486 | void | 796 | void |
@@ -497,7 +807,7 @@ GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode, | |||
497 | * here is not a completely random number. | 807 | * here is not a completely random number. |
498 | * | 808 | * |
499 | * @param mode desired quality of the random number | 809 | * @param mode desired quality of the random number |
500 | * @param uuid the value to fill | 810 | * @param[out] uuid the value to fill |
501 | */ | 811 | */ |
502 | void | 812 | void |
503 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, | 813 | GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, |
@@ -518,7 +828,7 @@ GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i); | |||
518 | 828 | ||
519 | /** | 829 | /** |
520 | * @ingroup crypto | 830 | * @ingroup crypto |
521 | * Random on unsigned 64-bit values. | 831 | * Generate a random unsigned 64-bit value. |
522 | * | 832 | * |
523 | * @param mode desired quality of the random number | 833 | * @param mode desired quality of the random number |
524 | * @param max value returned will be in range [0,@a max) (exclusive) | 834 | * @param max value returned will be in range [0,@a max) (exclusive) |
@@ -781,7 +1091,7 @@ GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc); | |||
781 | 1091 | ||
782 | /** | 1092 | /** |
783 | * Calculate HMAC of a message (RFC 2104) | 1093 | * Calculate HMAC of a message (RFC 2104) |
784 | * TODO: Shouldn' this be the standard hmac function and | 1094 | * TODO: Shouldn't this be the standard hmac function and |
785 | * the above be renamed? | 1095 | * the above be renamed? |
786 | * | 1096 | * |
787 | * @param key secret key | 1097 | * @param key secret key |
@@ -821,7 +1131,8 @@ GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, | |||
821 | * @param cls closure | 1131 | * @param cls closure |
822 | * @param res resulting hash, NULL on error | 1132 | * @param res resulting hash, NULL on error |
823 | */ | 1133 | */ |
824 | typedef void (*GNUNET_CRYPTO_HashCompletedCallback) ( | 1134 | typedef void |
1135 | (*GNUNET_CRYPTO_HashCompletedCallback) ( | ||
825 | void *cls, | 1136 | void *cls, |
826 | const struct GNUNET_HashCode *res); | 1137 | const struct GNUNET_HashCode *res); |
827 | 1138 | ||
@@ -915,61 +1226,38 @@ GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a, | |||
915 | 1226 | ||
916 | 1227 | ||
917 | /** | 1228 | /** |
918 | * @ingroup hash | 1229 | * Count the number of leading 0 bits in @a h. |
919 | * Convert a hashcode into a key. | ||
920 | * | 1230 | * |
921 | * @param hc hash code that serves to generate the key | 1231 | * @param h a hash |
922 | * @param skey set to a valid session key | 1232 | * @return number of leading 0 bits in @a h |
923 | * @param iv set to a valid initialization vector | ||
924 | */ | 1233 | */ |
925 | void | 1234 | unsigned int |
926 | GNUNET_CRYPTO_hash_to_aes_key ( | 1235 | GNUNET_CRYPTO_hash_count_leading_zeros (const struct GNUNET_HashCode *h); |
927 | const struct GNUNET_HashCode *hc, | ||
928 | struct GNUNET_CRYPTO_SymmetricSessionKey *skey, | ||
929 | struct GNUNET_CRYPTO_SymmetricInitializationVector *iv); | ||
930 | 1236 | ||
931 | 1237 | ||
932 | /** | 1238 | /** |
933 | * @ingroup hash | 1239 | * Count the number of tailing 0 bits in @a h. |
934 | * Obtain a bit from a hashcode. | ||
935 | * | 1240 | * |
936 | * @param code the `struct GNUNET_HashCode` to index bit-wise | 1241 | * @param h a hash |
937 | * @param bit index into the hashcode, [0...159] where 0 is the leftmost bit | 1242 | * @return number of tailing 0 bits in @a h |
938 | * (bytes in code interpreted big endian) | ||
939 | * @return Bit \a bit from hashcode \a code, -1 for invalid index | ||
940 | */ | ||
941 | int | ||
942 | GNUNET_CRYPTO_hash_get_bit_ltr (const struct GNUNET_HashCode *code, | ||
943 | unsigned int bit); | ||
944 | |||
945 | |||
946 | /** | ||
947 | * Obtain a bit from a hashcode. | ||
948 | * @param code the GNUNET_CRYPTO_hash to index bit-wise | ||
949 | * @param bit index into the hashcode, [0...511] where 0 is the rightmost bit | ||
950 | * (bytes in code interpreted little endian) | ||
951 | * @return Bit \a bit from hashcode \a code, -1 for invalid index | ||
952 | */ | 1243 | */ |
953 | int | 1244 | unsigned int |
954 | GNUNET_CRYPTO_hash_get_bit_rtl (const struct GNUNET_HashCode *code, | 1245 | GNUNET_CRYPTO_hash_count_tailing_zeros (const struct GNUNET_HashCode *h); |
955 | unsigned int bit); | ||
956 | 1246 | ||
957 | 1247 | ||
958 | /** | 1248 | /** |
959 | * @ingroup hash | 1249 | * @ingroup hash |
960 | * Determine how many low order bits match in two | 1250 | * Convert a hashcode into a key. |
961 | * `struct GNUNET_HashCodes`. e.g. - 010011 and 011111 share | ||
962 | * the first two lowest order bits, and therefore the | ||
963 | * return value is two (NOT XOR distance, nor how many | ||
964 | * bits match absolutely!). | ||
965 | * | 1251 | * |
966 | * @param first the first hashcode | 1252 | * @param hc hash code that serves to generate the key |
967 | * @param second the hashcode to compare first to | 1253 | * @param skey set to a valid session key |
968 | * @return the number of bits that match | 1254 | * @param iv set to a valid initialization vector |
969 | */ | 1255 | */ |
970 | unsigned int | 1256 | void |
971 | GNUNET_CRYPTO_hash_matching_bits (const struct GNUNET_HashCode *first, | 1257 | GNUNET_CRYPTO_hash_to_aes_key ( |
972 | const struct GNUNET_HashCode *second); | 1258 | const struct GNUNET_HashCode *hc, |
1259 | struct GNUNET_CRYPTO_SymmetricSessionKey *skey, | ||
1260 | struct GNUNET_CRYPTO_SymmetricInitializationVector *iv); | ||
973 | 1261 | ||
974 | 1262 | ||
975 | /** | 1263 | /** |
@@ -1179,6 +1467,17 @@ GNUNET_CRYPTO_eddsa_key_get_public ( | |||
1179 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | 1467 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, |
1180 | struct GNUNET_CRYPTO_EddsaPublicKey *pub); | 1468 | struct GNUNET_CRYPTO_EddsaPublicKey *pub); |
1181 | 1469 | ||
1470 | /** | ||
1471 | * @ingroup crypto | ||
1472 | * Extract the public key for the given private key. | ||
1473 | * | ||
1474 | * @param priv the private key | ||
1475 | * @param pub where to write the public key | ||
1476 | */ | ||
1477 | void | ||
1478 | GNUNET_CRYPTO_edx25519_key_get_public ( | ||
1479 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
1480 | struct GNUNET_CRYPTO_Edx25519PublicKey *pub); | ||
1182 | 1481 | ||
1183 | /** | 1482 | /** |
1184 | * @ingroup crypto | 1483 | * @ingroup crypto |
@@ -1259,11 +1558,11 @@ GNUNET_CRYPTO_ecdsa_public_key_from_string ( | |||
1259 | * @param priv where to store the private key | 1558 | * @param priv where to store the private key |
1260 | * @return #GNUNET_OK on success | 1559 | * @return #GNUNET_OK on success |
1261 | */ | 1560 | */ |
1262 | int | 1561 | enum GNUNET_GenericReturnValue |
1263 | GNUNET_CRYPTO_eddsa_private_key_from_string ( | 1562 | GNUNET_CRYPTO_eddsa_private_key_from_string ( |
1264 | const char *enc, | 1563 | const char *enc, |
1265 | size_t enclen, | 1564 | size_t enclen, |
1266 | struct GNUNET_CRYPTO_EddsaPrivateKey *pub); | 1565 | struct GNUNET_CRYPTO_EddsaPrivateKey *priv); |
1267 | 1566 | ||
1268 | 1567 | ||
1269 | /** | 1568 | /** |
@@ -1317,7 +1616,7 @@ GNUNET_CRYPTO_ecdsa_key_from_file (const char *filename, | |||
1317 | * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but | 1616 | * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but |
1318 | * we found an existing file, #GNUNET_SYSERR on failure | 1617 | * we found an existing file, #GNUNET_SYSERR on failure |
1319 | */ | 1618 | */ |
1320 | int | 1619 | enum GNUNET_GenericReturnValue |
1321 | GNUNET_CRYPTO_eddsa_key_from_file (const char *filename, | 1620 | GNUNET_CRYPTO_eddsa_key_from_file (const char *filename, |
1322 | int do_create, | 1621 | int do_create, |
1323 | struct GNUNET_CRYPTO_EddsaPrivateKey *pkey); | 1622 | struct GNUNET_CRYPTO_EddsaPrivateKey *pkey); |
@@ -1365,7 +1664,34 @@ GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); | |||
1365 | 1664 | ||
1366 | /** | 1665 | /** |
1367 | * @ingroup crypto | 1666 | * @ingroup crypto |
1667 | * Create a new private key. | ||
1668 | * | ||
1669 | * @param[out] pk private key to initialize | ||
1670 | */ | ||
1671 | void | ||
1672 | GNUNET_CRYPTO_edx25519_key_create (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1673 | |||
1674 | /** | ||
1675 | * @ingroup crypto | ||
1676 | * Create a new private key for Edx25519 from a given seed. After expanding | ||
1677 | * the seed, the first half of the key will be clamped according to EdDSA. | ||
1678 | * | ||
1679 | * @param seed seed input | ||
1680 | * @param seedsize size of the seed in bytes | ||
1681 | * @param[out] pk private key to initialize | ||
1682 | */ | ||
1683 | void | ||
1684 | GNUNET_CRYPTO_edx25519_key_create_from_seed ( | ||
1685 | const void *seed, | ||
1686 | size_t seedsize, | ||
1687 | struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1688 | |||
1689 | /** | ||
1690 | * @ingroup crypto | ||
1368 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). | 1691 | * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). |
1692 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1693 | * X25519(a,9). | ||
1694 | * See #GNUNET_CRYPTO_ecc_ecdh for the DH function. | ||
1369 | * | 1695 | * |
1370 | * @param[out] pk set to fresh private key; | 1696 | * @param[out] pk set to fresh private key; |
1371 | */ | 1697 | */ |
@@ -1392,6 +1718,14 @@ GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); | |||
1392 | void | 1718 | void |
1393 | GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); | 1719 | GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); |
1394 | 1720 | ||
1721 | /** | ||
1722 | * @ingroup crypto | ||
1723 | * Clear memory that was used to store a private key. | ||
1724 | * | ||
1725 | * @param pk location of the key | ||
1726 | */ | ||
1727 | void | ||
1728 | GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); | ||
1395 | 1729 | ||
1396 | /** | 1730 | /** |
1397 | * @ingroup crypto | 1731 | * @ingroup crypto |
@@ -1435,12 +1769,49 @@ GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name); | |||
1435 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | 1769 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity |
1436 | * could not be retrieved | 1770 | * could not be retrieved |
1437 | */ | 1771 | */ |
1438 | int | 1772 | enum GNUNET_GenericReturnValue |
1439 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, | 1773 | GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, |
1440 | struct GNUNET_PeerIdentity *dst); | 1774 | struct GNUNET_PeerIdentity *dst); |
1441 | 1775 | ||
1442 | 1776 | ||
1443 | /** | 1777 | /** |
1778 | * @ingroup crypto | ||
1779 | * Sign a given block with a specific purpose using the host's peer identity. | ||
1780 | * | ||
1781 | * @param cfg configuration to use | ||
1782 | * @param purpose what to sign (size, purpose) | ||
1783 | * @param sig where to write the signature | ||
1784 | * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity | ||
1785 | * could not be retrieved | ||
1786 | */ | ||
1787 | enum GNUNET_GenericReturnValue | ||
1788 | GNUNET_CRYPTO_sign_by_peer_identity (const struct | ||
1789 | GNUNET_CONFIGURATION_Handle *cfg, | ||
1790 | const struct | ||
1791 | GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
1792 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1793 | |||
1794 | |||
1795 | /** | ||
1796 | * @ingroup crypto | ||
1797 | * Verify a given signature with a peer's identity. | ||
1798 | * | ||
1799 | * @param purpose what is the purpose that the signature should have? | ||
1800 | * @param validate block to validate (size, purpose, data) | ||
1801 | * @param sig signature that is being validated | ||
1802 | * @param identity the peer's identity to verify | ||
1803 | * @return #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
1804 | */ | ||
1805 | enum GNUNET_GenericReturnValue | ||
1806 | GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose, | ||
1807 | const struct | ||
1808 | GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
1809 | const struct | ||
1810 | GNUNET_CRYPTO_EddsaSignature *sig, | ||
1811 | const struct GNUNET_PeerIdentity *identity); | ||
1812 | |||
1813 | |||
1814 | /** | ||
1444 | * Internal structure used to cache pre-calculated values for DLOG calculation. | 1815 | * Internal structure used to cache pre-calculated values for DLOG calculation. |
1445 | */ | 1816 | */ |
1446 | struct GNUNET_CRYPTO_EccDlogContext; | 1817 | struct GNUNET_CRYPTO_EccDlogContext; |
@@ -1483,7 +1854,7 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, | |||
1483 | * Calculate ECC discrete logarithm for small factors. | 1854 | * Calculate ECC discrete logarithm for small factors. |
1484 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). | 1855 | * Opposite of #GNUNET_CRYPTO_ecc_dexp(). |
1485 | * | 1856 | * |
1486 | * @param dlc precalculated values, determine range of factors | 1857 | * @param edc precalculated values, determine range of factors |
1487 | * @param input point on the curve to factor | 1858 | * @param input point on the curve to factor |
1488 | * @return INT_MAX if dlog failed, otherwise the factor | 1859 | * @return INT_MAX if dlog failed, otherwise the factor |
1489 | */ | 1860 | */ |
@@ -1606,6 +1977,9 @@ GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val, | |||
1606 | /** | 1977 | /** |
1607 | * @ingroup crypto | 1978 | * @ingroup crypto |
1608 | * Derive key material from a public and a private ECC key. | 1979 | * Derive key material from a public and a private ECC key. |
1980 | * This is X25519 DH (RFC 7748 Section 5) and corresponds to | ||
1981 | * H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9), | ||
1982 | * and a := #GNUNET_CRYPTO_ecdhe_key_create(). | ||
1609 | * | 1983 | * |
1610 | * @param priv private key to use for the ECDH (x) | 1984 | * @param priv private key to use for the ECDH (x) |
1611 | * @param pub public key to use for the ECDH (yG) | 1985 | * @param pub public key to use for the ECDH (yG) |
@@ -1622,6 +1996,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1622 | * @ingroup crypto | 1996 | * @ingroup crypto |
1623 | * Derive key material from a ECDH public key and a private EdDSA key. | 1997 | * Derive key material from a ECDH public key and a private EdDSA key. |
1624 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. | 1998 | * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. |
1999 | * This uses the Ed25519 private seed as X25519 seed. | ||
2000 | * As such, this also is a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2001 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2002 | * for signing and encryption (DH)! | ||
1625 | * | 2003 | * |
1626 | * @param priv private key from EdDSA to use for the ECDH (x) | 2004 | * @param priv private key from EdDSA to use for the ECDH (x) |
1627 | * @param pub public key to use for the ECDH (yG) | 2005 | * @param pub public key to use for the ECDH (yG) |
@@ -1633,6 +2011,122 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | |||
1633 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | 2011 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, |
1634 | struct GNUNET_HashCode *key_material); | 2012 | struct GNUNET_HashCode *key_material); |
1635 | 2013 | ||
2014 | /** | ||
2015 | * @ingroup crypto | ||
2016 | * Decapsulate a key for a private EdDSA key. | ||
2017 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps. | ||
2018 | * | ||
2019 | * @param priv private key from EdDSA to use for the ECDH (x) | ||
2020 | * @param c the encapsulated key | ||
2021 | * @param key_material where to write the key material H(h(x)yG) | ||
2022 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2023 | */ | ||
2024 | enum GNUNET_GenericReturnValue | ||
2025 | GNUNET_CRYPTO_eddsa_kem_decaps (const struct | ||
2026 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2027 | const struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2028 | struct GNUNET_HashCode *key_material); | ||
2029 | |||
2030 | /** | ||
2031 | * @ingroup crypto | ||
2032 | * Encapsulate key material for a EdDSA public key. | ||
2033 | * Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps. | ||
2034 | * | ||
2035 | * @param priv private key to use for the ECDH (y) | ||
2036 | * @param c public key from EdDSA to use for the ECDH (X=h(x)G) | ||
2037 | * @param key_material where to write the key material H(yX)=H(h(x)yG) | ||
2038 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2039 | */ | ||
2040 | enum GNUNET_GenericReturnValue | ||
2041 | GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2042 | struct GNUNET_CRYPTO_EcdhePublicKey *c, | ||
2043 | struct GNUNET_HashCode *key_material); | ||
2044 | |||
2045 | /** | ||
2046 | * This is the encapsulated key of our FO-KEM. | ||
2047 | */ | ||
2048 | struct GNUNET_CRYPTO_FoKemC | ||
2049 | { | ||
2050 | /* The output of the FO-OWTF F(x) */ | ||
2051 | struct GNUNET_HashCode y; | ||
2052 | |||
2053 | /* The ephemeral public key from the DH in the KEM */ | ||
2054 | struct GNUNET_CRYPTO_EcdhePublicKey pub; | ||
2055 | }; | ||
2056 | |||
2057 | /** | ||
2058 | * @ingroup crypto | ||
2059 | * Encapsulate key material using a CCA-secure KEM. | ||
2060 | * The KEM is using a OWTF with image oracle constructed from | ||
2061 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2062 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2063 | * | ||
2064 | * @param pub public key to encapsulated for | ||
2065 | * @param[out] c the encapsulation | ||
2066 | * @param[out] key_material the encapsulated key | ||
2067 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2068 | */ | ||
2069 | enum GNUNET_GenericReturnValue | ||
2070 | GNUNET_CRYPTO_eddsa_fo_kem_encaps ( | ||
2071 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2072 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2073 | struct GNUNET_HashCode *key_material); | ||
2074 | |||
2075 | |||
2076 | /** | ||
2077 | * @ingroup crypto | ||
2078 | * Decapsulate key material using a CCA-secure KEM. | ||
2079 | * The KEM is using a OWTF with image oracle constructed from | ||
2080 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2081 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2082 | * | ||
2083 | * @param priv private key this encapsulation is for | ||
2084 | * @param c the encapsulation | ||
2085 | * @param[out] key_material the encapsulated key | ||
2086 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2087 | */ | ||
2088 | enum GNUNET_GenericReturnValue | ||
2089 | GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct | ||
2090 | GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2091 | const struct GNUNET_CRYPTO_FoKemC *c, | ||
2092 | struct GNUNET_HashCode *key_material); | ||
2093 | |||
2094 | /** | ||
2095 | * @ingroup crypto | ||
2096 | * Encapsulate key material using a CCA-secure KEM. | ||
2097 | * The KEM is using a OWTF with image oracle constructed from | ||
2098 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2099 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_decaps. | ||
2100 | * | ||
2101 | * @param pub public key to encapsulated for | ||
2102 | * @param[out] c the encapsulation | ||
2103 | * @param[out] key_material the encapsulated key | ||
2104 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2105 | */ | ||
2106 | enum GNUNET_GenericReturnValue | ||
2107 | GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct | ||
2108 | GNUNET_CRYPTO_EcdsaPublicKey *pub, | ||
2109 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2110 | struct GNUNET_HashCode *key_material); | ||
2111 | |||
2112 | |||
2113 | /** | ||
2114 | * @ingroup crypto | ||
2115 | * Decapsulate key material using a CCA-secure KEM. | ||
2116 | * The KEM is using a OWTF with image oracle constructed from | ||
2117 | * a Fujusaki-Okamoto transformation using ElGamal (DH plus XOR OTP). | ||
2118 | * Dual to #GNUNET_CRRYPTO_eddsa_fo_kem_encaps. | ||
2119 | * | ||
2120 | * @param priv private key this encapsulation is for | ||
2121 | * @param c the encapsulation | ||
2122 | * @param[out] key_material the encapsulated key | ||
2123 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2124 | */ | ||
2125 | enum GNUNET_GenericReturnValue | ||
2126 | GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct | ||
2127 | GNUNET_CRYPTO_EcdsaPrivateKey *priv, | ||
2128 | struct GNUNET_CRYPTO_FoKemC *c, | ||
2129 | struct GNUNET_HashCode *key_material); | ||
1636 | 2130 | ||
1637 | /** | 2131 | /** |
1638 | * @ingroup crypto | 2132 | * @ingroup crypto |
@@ -1654,6 +2148,10 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | |||
1654 | * @ingroup crypto | 2148 | * @ingroup crypto |
1655 | * Derive key material from a EdDSA public key and a private ECDH key. | 2149 | * Derive key material from a EdDSA public key and a private ECDH key. |
1656 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. | 2150 | * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. |
2151 | * This converts the Edwards25519 public key @a pub to a Curve25519 | ||
2152 | * public key before computing a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). | ||
2153 | * NOTE: Whenever you can get away with it, use separate key pairs | ||
2154 | * for signing and encryption (DH)! | ||
1657 | * | 2155 | * |
1658 | * @param priv private key to use for the ECDH (y) | 2156 | * @param priv private key to use for the ECDH (y) |
1659 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) | 2157 | * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) |
@@ -1665,6 +2163,7 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, | |||
1665 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | 2163 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, |
1666 | struct GNUNET_HashCode *key_material); | 2164 | struct GNUNET_HashCode *key_material); |
1667 | 2165 | ||
2166 | |||
1668 | /** | 2167 | /** |
1669 | * @ingroup crypto | 2168 | * @ingroup crypto |
1670 | * Derive key material from a EcDSA public key and a private ECDH key. | 2169 | * Derive key material from a EcDSA public key and a private ECDH key. |
@@ -1749,6 +2248,21 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1749 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | 2248 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, |
1750 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | 2249 | struct GNUNET_CRYPTO_EcdsaSignature *sig); |
1751 | 2250 | ||
2251 | /** | ||
2252 | * @brief | ||
2253 | * | ||
2254 | * @param priv | ||
2255 | * @param data | ||
2256 | * @param size | ||
2257 | * @param sig | ||
2258 | * @return enum GNUNET_GenericReturnValue | ||
2259 | */ | ||
2260 | enum GNUNET_GenericReturnValue | ||
2261 | GNUNET_CRYPTO_eddsa_sign_raw ( | ||
2262 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2263 | void *data, | ||
2264 | size_t size, | ||
2265 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1752 | 2266 | ||
1753 | /** | 2267 | /** |
1754 | * @ingroup crypto | 2268 | * @ingroup crypto |
@@ -1774,6 +2288,53 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1774 | sig)); \ | 2288 | sig)); \ |
1775 | } while (0) | 2289 | } while (0) |
1776 | 2290 | ||
2291 | /** | ||
2292 | * @ingroup crypto | ||
2293 | * @brief Edx25519 sign a given block. | ||
2294 | * | ||
2295 | * The @a purpose data is the beginning of the data of which the signature is | ||
2296 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
2297 | * number of bytes of the data structure, including its header. If possible, | ||
2298 | * use #GNUNET_CRYPTO_edx25519_sign() instead of this function (only if @a | ||
2299 | * validate is not fixed-size, you must use this function directly). | ||
2300 | * | ||
2301 | * @param priv private key to use for the signing | ||
2302 | * @param purpose what to sign (size, purpose) | ||
2303 | * @param[out] sig where to write the signature | ||
2304 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2305 | */ | ||
2306 | enum GNUNET_GenericReturnValue | ||
2307 | GNUNET_CRYPTO_edx25519_sign_ ( | ||
2308 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
2309 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
2310 | struct GNUNET_CRYPTO_Edx25519Signature *sig); | ||
2311 | |||
2312 | |||
2313 | /** | ||
2314 | * @ingroup crypto | ||
2315 | * @brief Edx25519 sign a given block. The resulting signature is compatible | ||
2316 | * with EdDSA. | ||
2317 | * | ||
2318 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
2319 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
2320 | * number of bytes of the data structure, including its header. | ||
2321 | * | ||
2322 | * @param priv private key to use for the signing | ||
2323 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
2324 | * @param[out] sig where to write the signature | ||
2325 | */ | ||
2326 | #define GNUNET_CRYPTO_edx25519_sign(priv,ps,sig) do { \ | ||
2327 | /* check size is set correctly */ \ | ||
2328 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
2329 | /* check 'ps' begins with the purpose */ \ | ||
2330 | GNUNET_static_assert (((void*) (ps)) == \ | ||
2331 | ((void*) &(ps)->purpose)); \ | ||
2332 | GNUNET_assert (GNUNET_OK == \ | ||
2333 | GNUNET_CRYPTO_edx25519_sign_ (priv, \ | ||
2334 | &(ps)->purpose, \ | ||
2335 | sig)); \ | ||
2336 | } while (0) | ||
2337 | |||
1777 | 2338 | ||
1778 | /** | 2339 | /** |
1779 | * @ingroup crypto | 2340 | * @ingroup crypto |
@@ -1793,7 +2354,7 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1793 | * @param pub public key of the signer | 2354 | * @param pub public key of the signer |
1794 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | 2355 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid |
1795 | */ | 2356 | */ |
1796 | int | 2357 | enum GNUNET_GenericReturnValue |
1797 | GNUNET_CRYPTO_eddsa_verify_ ( | 2358 | GNUNET_CRYPTO_eddsa_verify_ ( |
1798 | uint32_t purpose, | 2359 | uint32_t purpose, |
1799 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | 2360 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, |
@@ -1817,7 +2378,7 @@ GNUNET_CRYPTO_eddsa_verify_ ( | |||
1817 | */ | 2378 | */ |
1818 | #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \ | 2379 | #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \ |
1819 | /* check size is set correctly */ \ | 2380 | /* check size is set correctly */ \ |
1820 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | 2381 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ |
1821 | /* check 'ps' begins with the purpose */ \ | 2382 | /* check 'ps' begins with the purpose */ \ |
1822 | GNUNET_static_assert (((void*) (ps)) == \ | 2383 | GNUNET_static_assert (((void*) (ps)) == \ |
1823 | ((void*) &(ps)->purpose)); \ | 2384 | ((void*) &(ps)->purpose)); \ |
@@ -1827,7 +2388,6 @@ GNUNET_CRYPTO_eddsa_verify_ ( | |||
1827 | pub); \ | 2388 | pub); \ |
1828 | }) | 2389 | }) |
1829 | 2390 | ||
1830 | |||
1831 | /** | 2391 | /** |
1832 | * @ingroup crypto | 2392 | * @ingroup crypto |
1833 | * @brief Verify ECDSA signature. | 2393 | * @brief Verify ECDSA signature. |
@@ -1846,7 +2406,7 @@ GNUNET_CRYPTO_eddsa_verify_ ( | |||
1846 | * @param pub public key of the signer | 2406 | * @param pub public key of the signer |
1847 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | 2407 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid |
1848 | */ | 2408 | */ |
1849 | int | 2409 | enum GNUNET_GenericReturnValue |
1850 | GNUNET_CRYPTO_ecdsa_verify_ ( | 2410 | GNUNET_CRYPTO_ecdsa_verify_ ( |
1851 | uint32_t purpose, | 2411 | uint32_t purpose, |
1852 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | 2412 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, |
@@ -1882,6 +2442,58 @@ GNUNET_CRYPTO_ecdsa_verify_ ( | |||
1882 | 2442 | ||
1883 | /** | 2443 | /** |
1884 | * @ingroup crypto | 2444 | * @ingroup crypto |
2445 | * @brief Verify Edx25519 signature. | ||
2446 | * | ||
2447 | * The @a validate data is the beginning of the data of which the signature | ||
2448 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
2449 | * the number of bytes of the data structure, including its header. If @a | ||
2450 | * purpose does not match the purpose given in @a validate (the latter must be | ||
2451 | * in big endian), signature verification fails. If possible, use | ||
2452 | * #GNUNET_CRYPTO_edx25519_verify() instead of this function (only if @a | ||
2453 | * validate is not fixed-size, you must use this function directly). | ||
2454 | * | ||
2455 | * @param purpose what is the purpose that the signature should have? | ||
2456 | * @param validate block to validate (size, purpose, data) | ||
2457 | * @param sig signature that is being validated | ||
2458 | * @param pub public key of the signer | ||
2459 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
2460 | */ | ||
2461 | enum GNUNET_GenericReturnValue | ||
2462 | GNUNET_CRYPTO_edx25519_verify_ ( | ||
2463 | uint32_t purpose, | ||
2464 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
2465 | const struct GNUNET_CRYPTO_Edx25519Signature *sig, | ||
2466 | const struct GNUNET_CRYPTO_Edx25519PublicKey *pub); | ||
2467 | |||
2468 | |||
2469 | /** | ||
2470 | * @ingroup crypto | ||
2471 | * @brief Verify Edx25519 signature. | ||
2472 | * | ||
2473 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
2474 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
2475 | * number of bytes of the data structure, including its header. | ||
2476 | * | ||
2477 | * @param purp purpose of the signature, must match 'ps->purpose.purpose' | ||
2478 | * (except in host byte order) | ||
2479 | * @param priv private key to use for the signing | ||
2480 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
2481 | * @param sig where to write the signature | ||
2482 | */ | ||
2483 | #define GNUNET_CRYPTO_edx25519_verify(purp,ps,sig,pub) ({ \ | ||
2484 | /* check size is set correctly */ \ | ||
2485 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
2486 | /* check 'ps' begins with the purpose */ \ | ||
2487 | GNUNET_static_assert (((void*) (ps)) == \ | ||
2488 | ((void*) &(ps)->purpose)); \ | ||
2489 | GNUNET_CRYPTO_edx25519_verify_ (purp, \ | ||
2490 | &(ps)->purpose, \ | ||
2491 | sig, \ | ||
2492 | pub); \ | ||
2493 | }) | ||
2494 | |||
2495 | /** | ||
2496 | * @ingroup crypto | ||
1885 | * Derive a private key from a given private key and a label. | 2497 | * Derive a private key from a given private key and a label. |
1886 | * Essentially calculates a private key 'h = H(l,P) * d mod n' | 2498 | * Essentially calculates a private key 'h = H(l,P) * d mod n' |
1887 | * where n is the size of the ECC group and P is the public | 2499 | * where n is the size of the ECC group and P is the public |
@@ -1918,6 +2530,26 @@ GNUNET_CRYPTO_ecdsa_public_key_derive ( | |||
1918 | const char *context, | 2530 | const char *context, |
1919 | struct GNUNET_CRYPTO_EcdsaPublicKey *result); | 2531 | struct GNUNET_CRYPTO_EcdsaPublicKey *result); |
1920 | 2532 | ||
2533 | /** | ||
2534 | * This is a signature function for ECDSA which takes a | ||
2535 | * private key, derives/blinds it and signs the message. | ||
2536 | * | ||
2537 | * @param pkey original private key | ||
2538 | * @param label label to use for key deriviation | ||
2539 | * @param context additional context to use for HKDF of 'h'; | ||
2540 | * typically the name of the subsystem/application | ||
2541 | * @param purpose the signature purpose | ||
2542 | * @param sig the resulting signature | ||
2543 | * @return GNUNET_OK on success | ||
2544 | */ | ||
2545 | enum GNUNET_GenericReturnValue | ||
2546 | GNUNET_CRYPTO_ecdsa_sign_derived ( | ||
2547 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey, | ||
2548 | const char *label, | ||
2549 | const char *context, | ||
2550 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
2551 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | ||
2552 | |||
1921 | 2553 | ||
1922 | /** | 2554 | /** |
1923 | * @ingroup crypto | 2555 | * @ingroup crypto |
@@ -1963,23 +2595,23 @@ GNUNET_CRYPTO_eddsa_public_key_derive ( | |||
1963 | 2595 | ||
1964 | 2596 | ||
1965 | /** | 2597 | /** |
1966 | * This is a signature function for EdDSA which takes the | 2598 | * This is a signature function for EdDSA which takes a |
1967 | * secret scalar sk instead of the private seed which is | 2599 | * private key and derives it using the label and context |
1968 | * usually the case for crypto APIs. We require this functionality | 2600 | * before signing. |
1969 | * in order to use derived private keys for signatures we | ||
1970 | * cannot calculate the inverse of a sk to find the seed | ||
1971 | * efficiently. | ||
1972 | * | ||
1973 | * The resulting signature is a standard EdDSA signature | ||
1974 | * which can be verified using the usual APIs. | ||
1975 | * | 2601 | * |
1976 | * @param sk the secret scalar | 2602 | * @param pkey original private key |
1977 | * @param purp the signature purpose | 2603 | * @param label label to use for key deriviation |
2604 | * @param context additional context to use for HKDF of 'h'; | ||
2605 | * typically the name of the subsystem/application | ||
2606 | * @param purpose the signature purpose | ||
1978 | * @param sig the resulting signature | 2607 | * @param sig the resulting signature |
2608 | * @return GNUNET_OK on success | ||
1979 | */ | 2609 | */ |
1980 | void | 2610 | enum GNUNET_GenericReturnValue |
1981 | GNUNET_CRYPTO_eddsa_sign_with_scalar ( | 2611 | GNUNET_CRYPTO_eddsa_sign_derived ( |
1982 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv, | 2612 | const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey, |
2613 | const char *label, | ||
2614 | const char *context, | ||
1983 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | 2615 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, |
1984 | struct GNUNET_CRYPTO_EddsaSignature *sig); | 2616 | struct GNUNET_CRYPTO_EddsaSignature *sig); |
1985 | 2617 | ||
@@ -1995,6 +2627,134 @@ GNUNET_CRYPTO_eddsa_key_get_public_from_scalar ( | |||
1995 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *s, | 2627 | const struct GNUNET_CRYPTO_EddsaPrivateScalar *s, |
1996 | struct GNUNET_CRYPTO_EddsaPublicKey *pkey); | 2628 | struct GNUNET_CRYPTO_EddsaPublicKey *pkey); |
1997 | 2629 | ||
2630 | /** | ||
2631 | * @ingroup crypto | ||
2632 | * Derive a private scalar from a given private key and a label. | ||
2633 | * Essentially calculates a private key 'h = H(l,P) * d mod n' | ||
2634 | * where n is the size of the ECC group and P is the public | ||
2635 | * key associated with the private key 'd'. | ||
2636 | * | ||
2637 | * @param priv original private key | ||
2638 | * @param seed input seed | ||
2639 | * @param seedsize size of the seed | ||
2640 | * @param result derived private key | ||
2641 | */ | ||
2642 | void | ||
2643 | GNUNET_CRYPTO_edx25519_private_key_derive ( | ||
2644 | const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, | ||
2645 | const void *seed, | ||
2646 | size_t seedsize, | ||
2647 | struct GNUNET_CRYPTO_Edx25519PrivateKey *result); | ||
2648 | |||
2649 | |||
2650 | /** | ||
2651 | * @ingroup crypto | ||
2652 | * Derive a public key from a given public key and a label. | ||
2653 | * Essentially calculates a public key 'V = H(l,P) * P'. | ||
2654 | * | ||
2655 | * @param pub original public key | ||
2656 | * @param seed input seed | ||
2657 | * @param seedsize size of the seed | ||
2658 | * @param result where to write the derived public key | ||
2659 | */ | ||
2660 | void | ||
2661 | GNUNET_CRYPTO_edx25519_public_key_derive ( | ||
2662 | const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, | ||
2663 | const void *seed, | ||
2664 | size_t seedsize, | ||
2665 | struct GNUNET_CRYPTO_Edx25519PublicKey *result); | ||
2666 | |||
2667 | |||
2668 | /** | ||
2669 | * @ingroup crypto | ||
2670 | * Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. | ||
2671 | * | ||
2672 | * @param representative serialized elligator representative of an element of Curves25519's finite field | ||
2673 | * @param point destination for the calculated point on the curve | ||
2674 | * @param high_y bool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed. | ||
2675 | */ | ||
2676 | void | ||
2677 | GNUNET_CRYPTO_ecdhe_elligator_decoding ( | ||
2678 | struct GNUNET_CRYPTO_EcdhePublicKey *point, | ||
2679 | bool *high_y, | ||
2680 | const struct GNUNET_CRYPTO_ElligatorRepresentative *representative); | ||
2681 | |||
2682 | /** | ||
2683 | * @ingroup crypto | ||
2684 | * Encodes a point on Curve25519 to a an element of the underlying finite field. | ||
2685 | * This transformation is deterministic. | ||
2686 | * | ||
2687 | * @param r storage for the calculated representative | ||
2688 | * @param pub a point on the curve | ||
2689 | * @param high_y encodes if y-coordinate is > 2 ^254 - 10, which determines the representative value out of two | ||
2690 | * @return 'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined | ||
2691 | */ | ||
2692 | bool | ||
2693 | GNUNET_CRYPTO_ecdhe_elligator_encoding ( | ||
2694 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2695 | const struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2696 | bool high_y); | ||
2697 | |||
2698 | |||
2699 | /** | ||
2700 | * @ingroup crypto | ||
2701 | * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. | ||
2702 | * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key. | ||
2703 | * | ||
2704 | * @param pub valid public key for elligator inverse map | ||
2705 | * @param pk private key for generating valid public key | ||
2706 | * @return GNUNET_OK on success | ||
2707 | */ | ||
2708 | enum GNUNET_GenericReturnValue | ||
2709 | GNUNET_CRYPTO_ecdhe_elligator_generate_public_key ( | ||
2710 | struct GNUNET_CRYPTO_EcdhePublicKey *pub, | ||
2711 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2712 | |||
2713 | |||
2714 | /** | ||
2715 | * @ingroup crypto | ||
2716 | * Generates a private key for Curve25519 and the elligator representative of the corresponding public key. | ||
2717 | * | ||
2718 | * @param repr representative of the public key | ||
2719 | * @param pk Curve25519 private key | ||
2720 | */ | ||
2721 | void | ||
2722 | GNUNET_CRYPTO_ecdhe_elligator_key_create ( | ||
2723 | struct GNUNET_CRYPTO_ElligatorRepresentative *repr, | ||
2724 | struct GNUNET_CRYPTO_EcdhePrivateKey *pk); | ||
2725 | |||
2726 | /** | ||
2727 | * @ingroup crypto | ||
2728 | * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. | ||
2729 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2730 | * | ||
2731 | * @param pub given edwards curve public key (X) | ||
2732 | * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG) | ||
2733 | * @param key_material where to write the key material H(aX)=H(x(aG)) | ||
2734 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2735 | */ | ||
2736 | enum GNUNET_GenericReturnValue | ||
2737 | GNUNET_CRYPTO_eddsa_elligator_kem_encaps ( | ||
2738 | const struct GNUNET_CRYPTO_EddsaPublicKey *pub, | ||
2739 | struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2740 | struct GNUNET_HashCode *key_material); | ||
2741 | |||
2742 | /** | ||
2743 | * @ingroup crypto | ||
2744 | * Carries out ecdh decapsulation with own private key and the representative of the received public key. | ||
2745 | * Following the terminology in https://eprint.iacr.org/2021/509.pdf. | ||
2746 | * | ||
2747 | * @param priv own private key (x) | ||
2748 | * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG) | ||
2749 | * @param key_material where to write the key material H(xA)=H(a(xG)) | ||
2750 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
2751 | */ | ||
2752 | enum GNUNET_GenericReturnValue | ||
2753 | GNUNET_CRYPTO_eddsa_elligator_kem_decaps ( | ||
2754 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, | ||
2755 | const struct GNUNET_CRYPTO_ElligatorRepresentative *r, | ||
2756 | struct GNUNET_HashCode *key_material); | ||
2757 | |||
1998 | 2758 | ||
1999 | /** | 2759 | /** |
2000 | * Output the given MPI value to the given buffer in network | 2760 | * Output the given MPI value to the given buffer in network |
@@ -2062,7 +2822,7 @@ GNUNET_CRYPTO_paillier_encrypt ( | |||
2062 | * @param private_key Private key to use for decryption. | 2822 | * @param private_key Private key to use for decryption. |
2063 | * @param public_key Public key to use for decryption. | 2823 | * @param public_key Public key to use for decryption. |
2064 | * @param ciphertext Ciphertext to decrypt. | 2824 | * @param ciphertext Ciphertext to decrypt. |
2065 | * @param[out] m Decryption of @a ciphertext with @private_key. | 2825 | * @param[out] m Decryption of @a ciphertext with @a private_key. |
2066 | */ | 2826 | */ |
2067 | void | 2827 | void |
2068 | GNUNET_CRYPTO_paillier_decrypt ( | 2828 | GNUNET_CRYPTO_paillier_decrypt ( |
@@ -2073,7 +2833,8 @@ GNUNET_CRYPTO_paillier_decrypt ( | |||
2073 | 2833 | ||
2074 | 2834 | ||
2075 | /** | 2835 | /** |
2076 | * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2 | 2836 | * Compute a ciphertext that represents the sum of the plaintext in @a c1 |
2837 | * and @a c2 | ||
2077 | * | 2838 | * |
2078 | * Note that this operation can only be done a finite number of times | 2839 | * Note that this operation can only be done a finite number of times |
2079 | * before an overflow occurs. | 2840 | * before an overflow occurs. |
@@ -2210,11 +2971,21 @@ GNUNET_CRYPTO_rsa_private_key_get_public ( | |||
2210 | * @param hc where to store the hash code | 2971 | * @param hc where to store the hash code |
2211 | */ | 2972 | */ |
2212 | void | 2973 | void |
2213 | GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key, | 2974 | GNUNET_CRYPTO_rsa_public_key_hash ( |
2214 | struct GNUNET_HashCode *hc); | 2975 | const struct GNUNET_CRYPTO_RsaPublicKey *key, |
2976 | struct GNUNET_HashCode *hc); | ||
2215 | 2977 | ||
2216 | 2978 | ||
2217 | /** | 2979 | /** |
2980 | * Check if @a key is well-formed. | ||
2981 | * | ||
2982 | * @return true if @a key is well-formed. | ||
2983 | */ | ||
2984 | bool | ||
2985 | GNUNET_CRYPTO_rsa_public_key_check ( | ||
2986 | const struct GNUNET_CRYPTO_RsaPublicKey *key); | ||
2987 | |||
2988 | /** | ||
2218 | * Obtain the length of the RSA key in bits. | 2989 | * Obtain the length of the RSA key in bits. |
2219 | * | 2990 | * |
2220 | * @param key the public key to introspect | 2991 | * @param key the public key to introspect |
@@ -2256,7 +3027,8 @@ GNUNET_CRYPTO_rsa_public_key_encode ( | |||
2256 | * @return NULL on error | 3027 | * @return NULL on error |
2257 | */ | 3028 | */ |
2258 | struct GNUNET_CRYPTO_RsaPublicKey * | 3029 | struct GNUNET_CRYPTO_RsaPublicKey * |
2259 | GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len); | 3030 | GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, |
3031 | size_t len); | ||
2260 | 3032 | ||
2261 | 3033 | ||
2262 | /** | 3034 | /** |
@@ -2288,9 +3060,9 @@ GNUNET_CRYPTO_rsa_signature_cmp (const struct GNUNET_CRYPTO_RsaSignature *s1, | |||
2288 | * @return 0 if the two are equal | 3060 | * @return 0 if the two are equal |
2289 | */ | 3061 | */ |
2290 | int | 3062 | int |
2291 | GNUNET_CRYPTO_rsa_private_key_cmp (const struct GNUNET_CRYPTO_RsaPrivateKey *p1, | 3063 | GNUNET_CRYPTO_rsa_private_key_cmp ( |
2292 | const struct | 3064 | const struct GNUNET_CRYPTO_RsaPrivateKey *p1, |
2293 | GNUNET_CRYPTO_RsaPrivateKey *p2); | 3065 | const struct GNUNET_CRYPTO_RsaPrivateKey *p2); |
2294 | 3066 | ||
2295 | 3067 | ||
2296 | /** | 3068 | /** |
@@ -2306,53 +3078,83 @@ GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1, | |||
2306 | 3078 | ||
2307 | 3079 | ||
2308 | /** | 3080 | /** |
3081 | * @brief RSA Parameters to create blinded signature | ||
3082 | */ | ||
3083 | struct GNUNET_CRYPTO_RsaBlindedMessage | ||
3084 | { | ||
3085 | /** | ||
3086 | * Blinded message to be signed | ||
3087 | * Note: is malloc()'ed! | ||
3088 | */ | ||
3089 | void *blinded_msg; | ||
3090 | |||
3091 | /** | ||
3092 | * Size of the @e blinded_msg to be signed. | ||
3093 | */ | ||
3094 | size_t blinded_msg_size; | ||
3095 | }; | ||
3096 | |||
3097 | |||
3098 | /** | ||
2309 | * Blinds the given message with the given blinding key | 3099 | * Blinds the given message with the given blinding key |
2310 | * | 3100 | * |
2311 | * @param hash hash of the message to sign | 3101 | * @param message the message to sign |
2312 | * @param bkey the blinding key | 3102 | * @param message_size number of bytes in @a message |
3103 | * @param bks the blinding key | ||
2313 | * @param pkey the public key of the signer | 3104 | * @param pkey the public key of the signer |
2314 | * @param[out] buf set to a buffer with the blinded message to be signed | 3105 | * @param[out] bm set to the blinded message |
2315 | * @param[out] buf_size number of bytes stored in @a buf | ||
2316 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious | 3106 | * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious |
2317 | */ | 3107 | */ |
2318 | int | 3108 | enum GNUNET_GenericReturnValue |
2319 | GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash, | 3109 | GNUNET_CRYPTO_rsa_blind (const void *message, |
3110 | size_t message_size, | ||
2320 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, | 3111 | const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, |
2321 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, | 3112 | struct GNUNET_CRYPTO_RsaPublicKey *pkey, |
2322 | void **buf, | 3113 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2323 | size_t *buf_size); | ||
2324 | 3114 | ||
2325 | 3115 | ||
2326 | /** | 3116 | /** |
2327 | * Sign a blinded value, which must be a full domain hash of a message. | 3117 | * Sign a blinded value, which must be a full domain hash of a message. |
2328 | * | 3118 | * |
2329 | * @param key private key to use for the signing | 3119 | * @param key private key to use for the signing |
2330 | * @param msg the (blinded) message to sign | 3120 | * @param bm the (blinded) message to sign |
2331 | * @param msg_len number of bytes in @a msg to sign | ||
2332 | * @return NULL on error, signature on success | 3121 | * @return NULL on error, signature on success |
2333 | */ | 3122 | */ |
2334 | struct GNUNET_CRYPTO_RsaSignature * | 3123 | struct GNUNET_CRYPTO_RsaSignature * |
2335 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3124 | GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2336 | const void *msg, | 3125 | const struct |
2337 | size_t msg_len); | 3126 | GNUNET_CRYPTO_RsaBlindedMessage *bm); |
2338 | 3127 | ||
2339 | 3128 | ||
2340 | /** | 3129 | /** |
2341 | * Create and sign a full domain hash of a message. | 3130 | * Create and sign a full domain hash of a message. |
2342 | * | 3131 | * |
2343 | * @param key private key to use for the signing | 3132 | * @param key private key to use for the signing |
2344 | * @param hash the hash of the message to sign | 3133 | * @param message the message to sign |
3134 | * @param message_size number of bytes in @a message | ||
2345 | * @return NULL on error, including a malicious RSA key, signature on success | 3135 | * @return NULL on error, including a malicious RSA key, signature on success |
2346 | */ | 3136 | */ |
2347 | struct GNUNET_CRYPTO_RsaSignature * | 3137 | struct GNUNET_CRYPTO_RsaSignature * |
2348 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, | 3138 | GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, |
2349 | const struct GNUNET_HashCode *hash); | 3139 | const void *message, |
3140 | size_t message_size); | ||
3141 | |||
3142 | |||
3143 | /** | ||
3144 | * Free memory occupied by blinded message. Only frees contents, not | ||
3145 | * @a bm itself. | ||
3146 | * | ||
3147 | * @param[in] bm memory to free | ||
3148 | */ | ||
3149 | void | ||
3150 | GNUNET_CRYPTO_rsa_blinded_message_free ( | ||
3151 | struct GNUNET_CRYPTO_RsaBlindedMessage *bm); | ||
2350 | 3152 | ||
2351 | 3153 | ||
2352 | /** | 3154 | /** |
2353 | * Free memory occupied by signature. | 3155 | * Free memory occupied by signature. |
2354 | * | 3156 | * |
2355 | * @param sig memory to free | 3157 | * @param[in] sig memory to free |
2356 | */ | 3158 | */ |
2357 | void | 3159 | void |
2358 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); | 3160 | GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); |
@@ -2380,8 +3182,9 @@ GNUNET_CRYPTO_rsa_signature_encode ( | |||
2380 | * @return NULL on error | 3182 | * @return NULL on error |
2381 | */ | 3183 | */ |
2382 | struct GNUNET_CRYPTO_RsaSignature * | 3184 | struct GNUNET_CRYPTO_RsaSignature * |
2383 | GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | 3185 | GNUNET_CRYPTO_rsa_signature_decode ( |
2384 | size_t buf_size); | 3186 | const void *buf, |
3187 | size_t buf_size); | ||
2385 | 3188 | ||
2386 | 3189 | ||
2387 | /** | 3190 | /** |
@@ -2391,7 +3194,8 @@ GNUNET_CRYPTO_rsa_signature_decode (const void *buf, | |||
2391 | * @return the duplicate key; NULL upon error | 3194 | * @return the duplicate key; NULL upon error |
2392 | */ | 3195 | */ |
2393 | struct GNUNET_CRYPTO_RsaSignature * | 3196 | struct GNUNET_CRYPTO_RsaSignature * |
2394 | GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig); | 3197 | GNUNET_CRYPTO_rsa_signature_dup ( |
3198 | const struct GNUNET_CRYPTO_RsaSignature *sig); | ||
2395 | 3199 | ||
2396 | 3200 | ||
2397 | /** | 3201 | /** |
@@ -2414,17 +3218,1267 @@ GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig, | |||
2414 | * Verify whether the given hash corresponds to the given signature and the | 3218 | * Verify whether the given hash corresponds to the given signature and the |
2415 | * signature is valid with respect to the given public key. | 3219 | * signature is valid with respect to the given public key. |
2416 | * | 3220 | * |
2417 | * @param hash the message to verify to match the @a sig | 3221 | * @param message the message to sign |
3222 | * @param message_size number of bytes in @a message | ||
2418 | * @param sig signature that is being validated | 3223 | * @param sig signature that is being validated |
2419 | * @param public_key public key of the signer | 3224 | * @param public_key public key of the signer |
2420 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature | 3225 | * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature |
2421 | */ | 3226 | */ |
2422 | enum GNUNET_GenericReturnValue | 3227 | enum GNUNET_GenericReturnValue |
2423 | GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | 3228 | GNUNET_CRYPTO_rsa_verify (const void *message, |
3229 | size_t message_size, | ||
2424 | const struct GNUNET_CRYPTO_RsaSignature *sig, | 3230 | const struct GNUNET_CRYPTO_RsaSignature *sig, |
2425 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); | 3231 | const struct GNUNET_CRYPTO_RsaPublicKey *public_key); |
2426 | 3232 | ||
2427 | 3233 | ||
3234 | /** | ||
3235 | * Create a new random private key. | ||
3236 | * | ||
3237 | * @param[out] priv where to write the fresh private key | ||
3238 | */ | ||
3239 | void | ||
3240 | GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv); | ||
3241 | |||
3242 | |||
3243 | /** | ||
3244 | * Extract the public key of the given private key. | ||
3245 | * | ||
3246 | * @param priv the private key | ||
3247 | * @param[out] pub where to write the public key | ||
3248 | */ | ||
3249 | void | ||
3250 | GNUNET_CRYPTO_cs_private_key_get_public ( | ||
3251 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, | ||
3252 | struct GNUNET_CRYPTO_CsPublicKey *pub); | ||
3253 | |||
3254 | |||
3255 | /** | ||
3256 | * Derive a new secret r pair r0 and r1. | ||
3257 | * In original papers r is generated randomly | ||
3258 | * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE | ||
3259 | * To ensure unpredictability a new nonce should be used when a new r needs to be derived. | ||
3260 | * Uses HKDF internally. | ||
3261 | * Comment: Can be done in one HKDF shot and split output. | ||
3262 | * | ||
3263 | * @param nonce is a random nonce | ||
3264 | * @param seed seed to use in derivation | ||
3265 | * @param lts is a long-term-secret in form of a private key | ||
3266 | * @param[out] r array containing derived secrets r0 and r1 | ||
3267 | */ | ||
3268 | void | ||
3269 | GNUNET_CRYPTO_cs_r_derive ( | ||
3270 | const struct GNUNET_CRYPTO_CsSessionNonce *nonce, | ||
3271 | const char *seed, | ||
3272 | const struct GNUNET_CRYPTO_CsPrivateKey *lts, | ||
3273 | struct GNUNET_CRYPTO_CsRSecret r[2]); | ||
3274 | |||
3275 | |||
3276 | /** | ||
3277 | * Extract the public R of the given secret r. | ||
3278 | * | ||
3279 | * @param r_priv the private key | ||
3280 | * @param[out] r_pub where to write the public key | ||
3281 | */ | ||
3282 | void | ||
3283 | GNUNET_CRYPTO_cs_r_get_public ( | ||
3284 | const struct GNUNET_CRYPTO_CsRSecret *r_priv, | ||
3285 | struct GNUNET_CRYPTO_CsRPublic *r_pub); | ||
3286 | |||
3287 | |||
3288 | /** | ||
3289 | * Derives new random blinding factors. | ||
3290 | * In original papers blinding factors are generated randomly | ||
3291 | * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE. | ||
3292 | * To ensure unpredictability a new nonce has to be used. | ||
3293 | * Uses HKDF internally. | ||
3294 | * | ||
3295 | * @param blind_seed is the blinding seed to derive blinding factors | ||
3296 | * @param[out] bs array containing the two derived blinding secrets | ||
3297 | */ | ||
3298 | void | ||
3299 | GNUNET_CRYPTO_cs_blinding_secrets_derive ( | ||
3300 | const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, | ||
3301 | struct GNUNET_CRYPTO_CsBlindingSecret bs[2]); | ||
3302 | |||
3303 | |||
3304 | /** | ||
3305 | * @brief CS Parameters derived from the message | ||
3306 | * during blinding to create blinded signature | ||
3307 | */ | ||
3308 | struct GNUNET_CRYPTO_CsBlindedMessage | ||
3309 | { | ||
3310 | /** | ||
3311 | * The Clause Schnorr c_0 and c_1 containing the blinded message | ||
3312 | */ | ||
3313 | struct GNUNET_CRYPTO_CsC c[2]; | ||
3314 | |||
3315 | /** | ||
3316 | * Nonce used in initial request. | ||
3317 | */ | ||
3318 | struct GNUNET_CRYPTO_CsSessionNonce nonce; | ||
3319 | |||
3320 | }; | ||
3321 | |||
3322 | |||
3323 | /** | ||
3324 | * Pair of Public R values for Cs denominations | ||
3325 | */ | ||
3326 | struct GNUNET_CRYPTO_CSPublicRPairP | ||
3327 | { | ||
3328 | struct GNUNET_CRYPTO_CsRPublic r_pub[2]; | ||
3329 | }; | ||
3330 | |||
3331 | |||
3332 | /** | ||
3333 | * Calculate two blinded c's. | ||
3334 | * Comment: One would be insecure due to Wagner's algorithm solving ROS | ||
3335 | * | ||
3336 | * @param bs array of the two blinding factor structs each containing alpha and beta | ||
3337 | * @param r_pub array of the two signer's nonce R | ||
3338 | * @param pub the public key of the signer | ||
3339 | * @param msg the message to blind in preparation for signing | ||
3340 | * @param msg_len length of message msg | ||
3341 | * @param[out] blinded_c array of the two blinded c's | ||
3342 | * @param[out] r_pub_blind array of the two blinded R | ||
3343 | */ | ||
3344 | void | ||
3345 | GNUNET_CRYPTO_cs_calc_blinded_c ( | ||
3346 | const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], | ||
3347 | const struct GNUNET_CRYPTO_CsRPublic r_pub[2], | ||
3348 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | ||
3349 | const void *msg, | ||
3350 | size_t msg_len, | ||
3351 | struct GNUNET_CRYPTO_CsC blinded_c[2], | ||
3352 | struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind); | ||
3353 | |||
3354 | |||
3355 | /** | ||
3356 | * The Sign Answer for Clause Blind Schnorr signature. | ||
3357 | * The sign operation returns a parameter @param b and the signature | ||
3358 | * scalar @param s_scalar. | ||
3359 | */ | ||
3360 | struct GNUNET_CRYPTO_CsBlindSignature | ||
3361 | { | ||
3362 | /** | ||
3363 | * To make ROS problem harder, the signer chooses an unpredictable b and | ||
3364 | * only calculates signature of c_b | ||
3365 | */ | ||
3366 | unsigned int b; | ||
3367 | |||
3368 | /** | ||
3369 | * The blinded s scalar calculated from c_b | ||
3370 | */ | ||
3371 | struct GNUNET_CRYPTO_CsBlindS s_scalar; | ||
3372 | }; | ||
3373 | |||
3374 | |||
3375 | /** | ||
3376 | * Sign a blinded @a c. | ||
3377 | * This function derives b from a nonce and a longterm secret. | ||
3378 | * In the original papers b is generated randomly. | ||
3379 | * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. | ||
3380 | * To ensure unpredictability a new nonce has to be used for every signature. | ||
3381 | * HKDF is used internally for derivation. | ||
3382 | * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive. | ||
3383 | * | ||
3384 | * @param priv private key to use for the signing and as LTS in HKDF | ||
3385 | * @param r array of the two secret inputs from the signer | ||
3386 | * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce | ||
3387 | * @param[out] cs_blind_sig where to write the blind signature | ||
3388 | */ | ||
3389 | void | ||
3390 | GNUNET_CRYPTO_cs_sign_derive ( | ||
3391 | const struct GNUNET_CRYPTO_CsPrivateKey *priv, | ||
3392 | const struct GNUNET_CRYPTO_CsRSecret r[2], | ||
3393 | const struct GNUNET_CRYPTO_CsBlindedMessage *bm, | ||
3394 | struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig); | ||
3395 | |||
3396 | |||
3397 | /** | ||
3398 | * Unblind a blind-signed signature using a c that was blinded | ||
3399 | * | ||
3400 | * @param blinded_signature_scalar the signature made on the blinded c | ||
3401 | * @param bs the blinding factors used in the blinding | ||
3402 | * @param[out] signature_scalar where to write the unblinded signature | ||
3403 | */ | ||
3404 | void | ||
3405 | GNUNET_CRYPTO_cs_unblind ( | ||
3406 | const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, | ||
3407 | const struct GNUNET_CRYPTO_CsBlindingSecret *bs, | ||
3408 | struct GNUNET_CRYPTO_CsS *signature_scalar); | ||
3409 | |||
3410 | |||
3411 | /** | ||
3412 | * Verify whether the given message corresponds to the given signature and the | ||
3413 | * signature is valid with respect to the given public key. | ||
3414 | * | ||
3415 | * @param sig signature that is being validated | ||
3416 | * @param pub public key of the signer | ||
3417 | * @param msg is the message that should be signed by @a sig (message is used to calculate c) | ||
3418 | * @param msg_len is the message length | ||
3419 | * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid | ||
3420 | */ | ||
3421 | enum GNUNET_GenericReturnValue | ||
3422 | GNUNET_CRYPTO_cs_verify ( | ||
3423 | const struct GNUNET_CRYPTO_CsSignature *sig, | ||
3424 | const struct GNUNET_CRYPTO_CsPublicKey *pub, | ||
3425 | const void *msg, | ||
3426 | size_t msg_len); | ||
3427 | |||
3428 | |||
3429 | /** | ||
3430 | * Types of public keys used for blind signatures. | ||
3431 | */ | ||
3432 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm | ||
3433 | { | ||
3434 | |||
3435 | /** | ||
3436 | * Invalid type of signature. | ||
3437 | */ | ||
3438 | GNUNET_CRYPTO_BSA_INVALID = 0, | ||
3439 | |||
3440 | /** | ||
3441 | * RSA blind signature. | ||
3442 | */ | ||
3443 | GNUNET_CRYPTO_BSA_RSA = 1, | ||
3444 | |||
3445 | /** | ||
3446 | * Clause Blind Schnorr signature. | ||
3447 | */ | ||
3448 | GNUNET_CRYPTO_BSA_CS = 2 | ||
3449 | }; | ||
3450 | |||
3451 | |||
3452 | /** | ||
3453 | * @brief Type of (unblinded) signatures. | ||
3454 | */ | ||
3455 | struct GNUNET_CRYPTO_UnblindedSignature | ||
3456 | { | ||
3457 | |||
3458 | /** | ||
3459 | * Type of the signature. | ||
3460 | */ | ||
3461 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3462 | |||
3463 | /** | ||
3464 | * Reference counter. | ||
3465 | */ | ||
3466 | unsigned int rc; | ||
3467 | |||
3468 | /** | ||
3469 | * Details, depending on @e cipher. | ||
3470 | */ | ||
3471 | union | ||
3472 | { | ||
3473 | /** | ||
3474 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3475 | */ | ||
3476 | struct GNUNET_CRYPTO_CsSignature cs_signature; | ||
3477 | |||
3478 | /** | ||
3479 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3480 | */ | ||
3481 | struct GNUNET_CRYPTO_RsaSignature *rsa_signature; | ||
3482 | |||
3483 | } details; | ||
3484 | |||
3485 | }; | ||
3486 | |||
3487 | |||
3488 | /** | ||
3489 | * @brief Type for *blinded* signatures. | ||
3490 | * Must be unblinded before it becomes valid. | ||
3491 | */ | ||
3492 | struct GNUNET_CRYPTO_BlindedSignature | ||
3493 | { | ||
3494 | |||
3495 | /** | ||
3496 | * Type of the signature. | ||
3497 | */ | ||
3498 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3499 | |||
3500 | /** | ||
3501 | * Reference counter. | ||
3502 | */ | ||
3503 | unsigned int rc; | ||
3504 | |||
3505 | /** | ||
3506 | * Details, depending on @e cipher. | ||
3507 | */ | ||
3508 | union | ||
3509 | { | ||
3510 | /** | ||
3511 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3512 | * At this point only the blinded s scalar is used. | ||
3513 | * The final signature consisting of r,s is built after unblinding. | ||
3514 | */ | ||
3515 | struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer; | ||
3516 | |||
3517 | /** | ||
3518 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3519 | */ | ||
3520 | struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature; | ||
3521 | |||
3522 | } details; | ||
3523 | |||
3524 | }; | ||
3525 | |||
3526 | |||
3527 | /** | ||
3528 | * @brief Type of public signing keys for blind signatures. | ||
3529 | */ | ||
3530 | struct GNUNET_CRYPTO_BlindSignPublicKey | ||
3531 | { | ||
3532 | |||
3533 | /** | ||
3534 | * Type of the public key. | ||
3535 | */ | ||
3536 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3537 | |||
3538 | /** | ||
3539 | * Reference counter. | ||
3540 | */ | ||
3541 | unsigned int rc; | ||
3542 | |||
3543 | /** | ||
3544 | * Hash of the public key. | ||
3545 | */ | ||
3546 | struct GNUNET_HashCode pub_key_hash; | ||
3547 | |||
3548 | /** | ||
3549 | * Details, depending on @e cipher. | ||
3550 | */ | ||
3551 | union | ||
3552 | { | ||
3553 | /** | ||
3554 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3555 | */ | ||
3556 | struct GNUNET_CRYPTO_CsPublicKey cs_public_key; | ||
3557 | |||
3558 | /** | ||
3559 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3560 | */ | ||
3561 | struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key; | ||
3562 | |||
3563 | } details; | ||
3564 | }; | ||
3565 | |||
3566 | |||
3567 | /** | ||
3568 | * @brief Type of private signing keys for blind signing. | ||
3569 | */ | ||
3570 | struct GNUNET_CRYPTO_BlindSignPrivateKey | ||
3571 | { | ||
3572 | |||
3573 | /** | ||
3574 | * Type of the public key. | ||
3575 | */ | ||
3576 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3577 | |||
3578 | /** | ||
3579 | * Reference counter. | ||
3580 | */ | ||
3581 | unsigned int rc; | ||
3582 | |||
3583 | /** | ||
3584 | * Details, depending on @e cipher. | ||
3585 | */ | ||
3586 | union | ||
3587 | { | ||
3588 | /** | ||
3589 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3590 | */ | ||
3591 | struct GNUNET_CRYPTO_CsPrivateKey cs_private_key; | ||
3592 | |||
3593 | /** | ||
3594 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3595 | */ | ||
3596 | struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key; | ||
3597 | |||
3598 | } details; | ||
3599 | }; | ||
3600 | |||
3601 | |||
3602 | /** | ||
3603 | * @brief Blinded message ready for blind signing. | ||
3604 | */ | ||
3605 | struct GNUNET_CRYPTO_BlindedMessage | ||
3606 | { | ||
3607 | /** | ||
3608 | * Type of the sign blinded message | ||
3609 | */ | ||
3610 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3611 | |||
3612 | /** | ||
3613 | * Reference counter. | ||
3614 | */ | ||
3615 | unsigned int rc; | ||
3616 | |||
3617 | /** | ||
3618 | * Details, depending on @e cipher. | ||
3619 | */ | ||
3620 | union | ||
3621 | { | ||
3622 | /** | ||
3623 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3624 | */ | ||
3625 | struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message; | ||
3626 | |||
3627 | /** | ||
3628 | * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. | ||
3629 | */ | ||
3630 | struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message; | ||
3631 | |||
3632 | } details; | ||
3633 | }; | ||
3634 | |||
3635 | |||
3636 | /** | ||
3637 | * Secret r for Cs denominations | ||
3638 | */ | ||
3639 | struct GNUNET_CRYPTO_CSPrivateRPairP | ||
3640 | { | ||
3641 | struct GNUNET_CRYPTO_CsRSecret r[2]; | ||
3642 | }; | ||
3643 | |||
3644 | |||
3645 | /** | ||
3646 | * @brief Input needed for blinding a message. | ||
3647 | */ | ||
3648 | struct GNUNET_CRYPTO_BlindingInputValues | ||
3649 | { | ||
3650 | |||
3651 | /** | ||
3652 | * Type of the signature. | ||
3653 | */ | ||
3654 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; | ||
3655 | |||
3656 | /** | ||
3657 | * Reference counter. | ||
3658 | */ | ||
3659 | unsigned int rc; | ||
3660 | |||
3661 | /** | ||
3662 | * Details, depending on @e cipher. | ||
3663 | */ | ||
3664 | union | ||
3665 | { | ||
3666 | /** | ||
3667 | * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. | ||
3668 | */ | ||
3669 | struct GNUNET_CRYPTO_CSPublicRPairP cs_values; | ||
3670 | |||
3671 | } details; | ||
3672 | |||
3673 | }; | ||
3674 | |||
3675 | |||
3676 | /** | ||
3677 | * Nonce used to deterministiacally derive input values | ||
3678 | * used in multi-round blind signature protocols. | ||
3679 | */ | ||
3680 | union GNUNET_CRYPTO_BlindSessionNonce | ||
3681 | { | ||
3682 | /** | ||
3683 | * Nonce used when signing with CS. | ||
3684 | */ | ||
3685 | struct GNUNET_CRYPTO_CsSessionNonce cs_nonce; | ||
3686 | }; | ||
3687 | |||
3688 | |||
3689 | /** | ||
3690 | * Compute blinding input values for a given @a nonce and | ||
3691 | * @a salt. | ||
3692 | * | ||
3693 | * @param bsign_priv private key to compute input values for | ||
3694 | * @param nonce session nonce to derive input values from | ||
3695 | * @param salt salt to include in derivation logic | ||
3696 | * @return blinding input values | ||
3697 | */ | ||
3698 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3699 | GNUNET_CRYPTO_get_blinding_input_values ( | ||
3700 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3701 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3702 | const char *salt); | ||
3703 | |||
3704 | |||
3705 | /** | ||
3706 | * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero. | ||
3707 | * | ||
3708 | * @param[in] bsign_pub key to free | ||
3709 | */ | ||
3710 | void | ||
3711 | GNUNET_CRYPTO_blind_sign_pub_decref ( | ||
3712 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3713 | |||
3714 | |||
3715 | /** | ||
3716 | * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero. | ||
3717 | * | ||
3718 | * @param[in] bsign_priv key to free | ||
3719 | */ | ||
3720 | void | ||
3721 | GNUNET_CRYPTO_blind_sign_priv_decref ( | ||
3722 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3723 | |||
3724 | |||
3725 | /** | ||
3726 | * Decrement reference counter of a @a ub_sig, and free it if it reaches zero. | ||
3727 | * | ||
3728 | * @param[in] ub_sig signature to free | ||
3729 | */ | ||
3730 | void | ||
3731 | GNUNET_CRYPTO_unblinded_sig_decref ( | ||
3732 | struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3733 | |||
3734 | |||
3735 | /** | ||
3736 | * Decrement reference counter of a @a blind_sig, and free it if it reaches zero. | ||
3737 | * | ||
3738 | * @param[in] blind_sig signature to free | ||
3739 | */ | ||
3740 | void | ||
3741 | GNUNET_CRYPTO_blinded_sig_decref ( | ||
3742 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3743 | |||
3744 | |||
3745 | /** | ||
3746 | * Decrement reference counter of a @a bm, and free it if it reaches zero. | ||
3747 | * | ||
3748 | * @param[in] bm blinded message to free | ||
3749 | */ | ||
3750 | void | ||
3751 | GNUNET_CRYPTO_blinded_message_decref ( | ||
3752 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3753 | |||
3754 | |||
3755 | /** | ||
3756 | * Increment reference counter of the given @a bm. | ||
3757 | * | ||
3758 | * @param[in,out] bm blinded message to increment reference counter for | ||
3759 | * @return alias of @a bm with RC incremented | ||
3760 | */ | ||
3761 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3762 | GNUNET_CRYPTO_blinded_message_incref ( | ||
3763 | struct GNUNET_CRYPTO_BlindedMessage *bm); | ||
3764 | |||
3765 | |||
3766 | /** | ||
3767 | * Increment reference counter of the given @a bi. | ||
3768 | * | ||
3769 | * @param[in,out] bi blinding input values to increment reference counter for | ||
3770 | * @return alias of @a bi with RC incremented | ||
3771 | */ | ||
3772 | struct GNUNET_CRYPTO_BlindingInputValues * | ||
3773 | GNUNET_CRYPTO_blinding_input_values_incref ( | ||
3774 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3775 | |||
3776 | |||
3777 | /** | ||
3778 | * Decrement reference counter of the given @a bi, and free it if it reaches | ||
3779 | * zero. | ||
3780 | * | ||
3781 | * @param[in,out] bi blinding input values to decrement reference counter for | ||
3782 | */ | ||
3783 | void | ||
3784 | GNUNET_CRYPTO_blinding_input_values_decref ( | ||
3785 | struct GNUNET_CRYPTO_BlindingInputValues *bm); | ||
3786 | |||
3787 | |||
3788 | /** | ||
3789 | * Increment reference counter of the given @a bsign_pub. | ||
3790 | * | ||
3791 | * @param[in,out] bsign_pub public key to increment reference counter for | ||
3792 | * @return alias of @a bsign_pub with RC incremented | ||
3793 | */ | ||
3794 | struct GNUNET_CRYPTO_BlindSignPublicKey * | ||
3795 | GNUNET_CRYPTO_bsign_pub_incref ( | ||
3796 | struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3797 | |||
3798 | |||
3799 | /** | ||
3800 | * Increment reference counter of the given @a bsign_priv. | ||
3801 | * | ||
3802 | * @param[in,out] bsign_priv private key to increment reference counter for | ||
3803 | * @return alias of @a bsign_priv with RC incremented | ||
3804 | */ | ||
3805 | struct GNUNET_CRYPTO_BlindSignPrivateKey * | ||
3806 | GNUNET_CRYPTO_bsign_priv_incref ( | ||
3807 | struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); | ||
3808 | |||
3809 | |||
3810 | /** | ||
3811 | * Increment reference counter of the given @a ub_sig. | ||
3812 | * | ||
3813 | * @param[in,out] ub_sig signature to increment reference counter for | ||
3814 | * @return alias of @a ub_sig with RC incremented | ||
3815 | */ | ||
3816 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3817 | GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); | ||
3818 | |||
3819 | |||
3820 | /** | ||
3821 | * Increment reference counter of the given @a blind_sig. | ||
3822 | * | ||
3823 | * @param[in,out] blind_sig signature to increment reference counter for | ||
3824 | * @return alias of @a blind_sig with RC incremented | ||
3825 | */ | ||
3826 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3827 | GNUNET_CRYPTO_blind_sig_incref ( | ||
3828 | struct GNUNET_CRYPTO_BlindedSignature *blind_sig); | ||
3829 | |||
3830 | |||
3831 | /** | ||
3832 | * Compare two denomination public keys. | ||
3833 | * | ||
3834 | * @param bp1 first key | ||
3835 | * @param bp2 second key | ||
3836 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3837 | */ | ||
3838 | int | ||
3839 | GNUNET_CRYPTO_bsign_pub_cmp ( | ||
3840 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1, | ||
3841 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2); | ||
3842 | |||
3843 | |||
3844 | /** | ||
3845 | * Compare two denomination signatures. | ||
3846 | * | ||
3847 | * @param sig1 first signature | ||
3848 | * @param sig2 second signature | ||
3849 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3850 | */ | ||
3851 | int | ||
3852 | GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1, | ||
3853 | const struct GNUNET_CRYPTO_UnblindedSignature *sig2); | ||
3854 | |||
3855 | |||
3856 | /** | ||
3857 | * Compare two blinded denomination signatures. | ||
3858 | * | ||
3859 | * @param sig1 first signature | ||
3860 | * @param sig2 second signature | ||
3861 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3862 | */ | ||
3863 | int | ||
3864 | GNUNET_CRYPTO_blind_sig_cmp ( | ||
3865 | const struct GNUNET_CRYPTO_BlindedSignature *sig1, | ||
3866 | const struct GNUNET_CRYPTO_BlindedSignature *sig2); | ||
3867 | |||
3868 | |||
3869 | /** | ||
3870 | * Compare two blinded messages. | ||
3871 | * | ||
3872 | * @param bp1 first blinded message | ||
3873 | * @param bp2 second blinded message | ||
3874 | * @return 0 if the keys are equal, otherwise -1 or 1 | ||
3875 | */ | ||
3876 | int | ||
3877 | GNUNET_CRYPTO_blinded_message_cmp ( | ||
3878 | const struct GNUNET_CRYPTO_BlindedMessage *bp1, | ||
3879 | const struct GNUNET_CRYPTO_BlindedMessage *bp2); | ||
3880 | |||
3881 | |||
3882 | /** | ||
3883 | * Initialize public-private key pair for blind signatures. | ||
3884 | * | ||
3885 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3886 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3887 | * be passed. | ||
3888 | * | ||
3889 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3890 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3891 | * @param cipher which type of cipher to use | ||
3892 | * @param ... RSA key size (eg. 2048/3072/4096) | ||
3893 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3894 | */ | ||
3895 | enum GNUNET_GenericReturnValue | ||
3896 | GNUNET_CRYPTO_blind_sign_keys_create ( | ||
3897 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3898 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3899 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3900 | ...); | ||
3901 | |||
3902 | |||
3903 | /** | ||
3904 | * Initialize public-private key pair for blind signatures. | ||
3905 | * | ||
3906 | * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" | ||
3907 | * argument with the number of bits for 'n' (e.g. 2048) must | ||
3908 | * be passed. | ||
3909 | * | ||
3910 | * @param[out] bsign_priv where to write the private key with RC 1 | ||
3911 | * @param[out] bsign_pub where to write the public key with RC 1 | ||
3912 | * @param cipher which type of cipher to use | ||
3913 | * @param ap RSA key size (eg. 2048/3072/4096) | ||
3914 | * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid | ||
3915 | */ | ||
3916 | enum GNUNET_GenericReturnValue | ||
3917 | GNUNET_CRYPTO_blind_sign_keys_create_va ( | ||
3918 | struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, | ||
3919 | struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, | ||
3920 | enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, | ||
3921 | va_list ap); | ||
3922 | |||
3923 | |||
3924 | /** | ||
3925 | * @brief Type of blinding secrets. Must be exactly 32 bytes (DB). | ||
3926 | */ | ||
3927 | union GNUNET_CRYPTO_BlindingSecretP | ||
3928 | { | ||
3929 | /** | ||
3930 | * Clause Schnorr nonce. | ||
3931 | */ | ||
3932 | struct GNUNET_CRYPTO_CsBlindingNonce nonce; | ||
3933 | |||
3934 | /** | ||
3935 | * Variant for RSA for blind signatures. | ||
3936 | */ | ||
3937 | struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks; | ||
3938 | }; | ||
3939 | |||
3940 | |||
3941 | /** | ||
3942 | * Blind message for blind signing with @a dk using blinding secret @a coin_bks. | ||
3943 | * | ||
3944 | * @param bsign_pub public key to blind for | ||
3945 | * @param bks blinding secret to use | ||
3946 | * @param nonce nonce used to obtain @a alg_values | ||
3947 | * can be NULL if input values are not used for the cipher | ||
3948 | * @param message message to sign | ||
3949 | * @param message_size number of bytes in @a message | ||
3950 | * @param alg_values algorithm specific values to blind the @a message | ||
3951 | * @return blinded message to give to signer, NULL on error | ||
3952 | */ | ||
3953 | struct GNUNET_CRYPTO_BlindedMessage * | ||
3954 | GNUNET_CRYPTO_message_blind_to_sign ( | ||
3955 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
3956 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3957 | const union GNUNET_CRYPTO_BlindSessionNonce *nonce, | ||
3958 | const void *message, | ||
3959 | size_t message_size, | ||
3960 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values); | ||
3961 | |||
3962 | |||
3963 | /** | ||
3964 | * Create blind signature. | ||
3965 | * | ||
3966 | * @param bsign_priv private key to use for signing | ||
3967 | * @param salt salt value to use for the HKDF, | ||
3968 | * can be NULL if input values are not used for the cipher | ||
3969 | * @param blinded_message the already blinded message to sign | ||
3970 | * @return blind signature with RC=1, NULL on failure | ||
3971 | */ | ||
3972 | struct GNUNET_CRYPTO_BlindedSignature * | ||
3973 | GNUNET_CRYPTO_blind_sign ( | ||
3974 | const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, | ||
3975 | const char *salt, | ||
3976 | const struct GNUNET_CRYPTO_BlindedMessage *blinded_message); | ||
3977 | |||
3978 | |||
3979 | /** | ||
3980 | * Unblind blind signature. | ||
3981 | * | ||
3982 | * @param blinded_sig the blind signature | ||
3983 | * @param bks blinding secret to use | ||
3984 | * @param message message that was supposedly signed | ||
3985 | * @param message_size number of bytes in @a message | ||
3986 | * @param alg_values algorithm specific values | ||
3987 | * @param bsign_pub public key used for signing | ||
3988 | * @return unblinded signature with RC=1, NULL on error | ||
3989 | */ | ||
3990 | struct GNUNET_CRYPTO_UnblindedSignature * | ||
3991 | GNUNET_CRYPTO_blind_sig_unblind ( | ||
3992 | const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig, | ||
3993 | const union GNUNET_CRYPTO_BlindingSecretP *bks, | ||
3994 | const void *message, | ||
3995 | size_t message_size, | ||
3996 | const struct GNUNET_CRYPTO_BlindingInputValues *alg_values, | ||
3997 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); | ||
3998 | |||
3999 | |||
4000 | /** | ||
4001 | * Verify signature made blindly. | ||
4002 | * | ||
4003 | * @param bsign_pub public key | ||
4004 | * @param ub_sig signature made blindly with the private key | ||
4005 | * @param message message that was supposedly signed | ||
4006 | * @param message_size number of bytes in @a message | ||
4007 | * @return #GNUNET_OK if the signature is valid | ||
4008 | */ | ||
4009 | enum GNUNET_GenericReturnValue | ||
4010 | GNUNET_CRYPTO_blind_sig_verify ( | ||
4011 | const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, | ||
4012 | const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig, | ||
4013 | const void *message, | ||
4014 | size_t message_size); | ||
4015 | |||
4016 | |||
4017 | /** | ||
4018 | * Get the compacted length of a #GNUNET_CRYPTO_PublicKey. | ||
4019 | * Compacted means that it returns the minimum number of bytes this | ||
4020 | * key is long, as opposed to the union structure inside | ||
4021 | * #GNUNET_CRYPTO_PublicKey. | ||
4022 | * Useful for compact serializations. | ||
4023 | * | ||
4024 | * @param key the key. | ||
4025 | * @return -1 on error, else the compacted length of the key. | ||
4026 | */ | ||
4027 | ssize_t | ||
4028 | GNUNET_CRYPTO_public_key_get_length (const struct | ||
4029 | GNUNET_CRYPTO_PublicKey *key); | ||
4030 | |||
4031 | /** | ||
4032 | * Reads a #GNUNET_CRYPTO_PublicKey from a compact buffer. | ||
4033 | * The buffer has to contain at least the compacted length of | ||
4034 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4035 | * If the buffer is too small, the function returns -1 as error. | ||
4036 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4037 | * | ||
4038 | * @param buffer the buffer | ||
4039 | * @param len the length of buffer | ||
4040 | * @param key the key | ||
4041 | * @param the amount of bytes read from the buffer | ||
4042 | * @return #GNUNET_SYSERR on error | ||
4043 | */ | ||
4044 | enum GNUNET_GenericReturnValue | ||
4045 | GNUNET_CRYPTO_read_public_key_from_buffer ( | ||
4046 | const void *buffer, | ||
4047 | size_t len, | ||
4048 | struct GNUNET_CRYPTO_PublicKey *key, | ||
4049 | size_t *read); | ||
4050 | |||
4051 | /** | ||
4052 | * Get the compacted length of a #GNUNET_CRYPTO_PrivateKey. | ||
4053 | * Compacted means that it returns the minimum number of bytes this | ||
4054 | * key is long, as opposed to the union structure inside | ||
4055 | * #GNUNET_CRYPTO_PrivateKey. | ||
4056 | * Useful for compact serializations. | ||
4057 | * | ||
4058 | * @param key the key. | ||
4059 | * @return -1 on error, else the compacted length of the key. | ||
4060 | */ | ||
4061 | ssize_t | ||
4062 | GNUNET_CRYPTO_private_key_get_length ( | ||
4063 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4064 | |||
4065 | |||
4066 | /** | ||
4067 | * Writes a #GNUNET_CRYPTO_PublicKey to a compact buffer. | ||
4068 | * The buffer requires space for at least the compacted length of | ||
4069 | * a #GNUNET_CRYPTO_PublicKey in bytes. | ||
4070 | * If the buffer is too small, the function returns -1 as error. | ||
4071 | * If the key is not valid, it returns -2 as error. | ||
4072 | * | ||
4073 | * @param key the key | ||
4074 | * @param buffer the buffer | ||
4075 | * @param len the length of buffer | ||
4076 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4077 | */ | ||
4078 | ssize_t | ||
4079 | GNUNET_CRYPTO_write_public_key_to_buffer (const struct | ||
4080 | GNUNET_CRYPTO_PublicKey *key, | ||
4081 | void*buffer, | ||
4082 | size_t len); | ||
4083 | |||
4084 | |||
4085 | /** | ||
4086 | * Reads a #GNUNET_CRYPTO_PrivateKey from a compact buffer. | ||
4087 | * The buffer has to contain at least the compacted length of | ||
4088 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4089 | * If the buffer is too small, the function returns GNUNET_SYSERR as error. | ||
4090 | * | ||
4091 | * @param buffer the buffer | ||
4092 | * @param len the length of buffer | ||
4093 | * @param key the key | ||
4094 | * @param the amount of bytes read from the buffer | ||
4095 | * @return #GNUNET_SYSERR on error | ||
4096 | */ | ||
4097 | enum GNUNET_GenericReturnValue | ||
4098 | GNUNET_CRYPTO_read_private_key_from_buffer ( | ||
4099 | const void*buffer, | ||
4100 | size_t len, | ||
4101 | struct GNUNET_CRYPTO_PrivateKey *key, | ||
4102 | size_t *read); | ||
4103 | |||
4104 | |||
4105 | /** | ||
4106 | * Writes a #GNUNET_CRYPTO_PrivateKey to a compact buffer. | ||
4107 | * The buffer requires space for at least the compacted length of | ||
4108 | * a #GNUNET_CRYPTO_PrivateKey in bytes. | ||
4109 | * If the buffer is too small, the function returns -1 as error. | ||
4110 | * If the key is not valid, it returns -2 as error. | ||
4111 | * | ||
4112 | * @param key the key | ||
4113 | * @param buffer the buffer | ||
4114 | * @param len the length of buffer | ||
4115 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4116 | */ | ||
4117 | ssize_t | ||
4118 | GNUNET_CRYPTO_write_private_key_to_buffer ( | ||
4119 | const struct GNUNET_CRYPTO_PrivateKey *key, | ||
4120 | void*buffer, | ||
4121 | size_t len); | ||
4122 | |||
4123 | |||
4124 | /** | ||
4125 | * Get the compacted length of a #GNUNET_CRYPTO_Signature. | ||
4126 | * Compacted means that it returns the minimum number of bytes this | ||
4127 | * signature is long, as opposed to the union structure inside | ||
4128 | * #GNUNET_CRYPTO_Signature. | ||
4129 | * Useful for compact serializations. | ||
4130 | * | ||
4131 | * @param sig the signature. | ||
4132 | * @return -1 on error, else the compacted length of the signature. | ||
4133 | */ | ||
4134 | ssize_t | ||
4135 | GNUNET_CRYPTO_signature_get_length ( | ||
4136 | const struct GNUNET_CRYPTO_Signature *sig); | ||
4137 | |||
4138 | |||
4139 | /** | ||
4140 | * Get the compacted length of a signature by type. | ||
4141 | * Compacted means that it returns the minimum number of bytes this | ||
4142 | * signature is long, as opposed to the union structure inside | ||
4143 | * #GNUNET_CRYPTO_Signature. | ||
4144 | * Useful for compact serializations. | ||
4145 | * | ||
4146 | * @param sig the signature. | ||
4147 | * @return -1 on error, else the compacted length of the signature. | ||
4148 | */ | ||
4149 | ssize_t | ||
4150 | GNUNET_CRYPTO_signature_get_raw_length_by_type (uint32_t type); | ||
4151 | |||
4152 | |||
4153 | /** | ||
4154 | * Reads a #GNUNET_CRYPTO_Signature from a compact buffer. | ||
4155 | * The buffer has to contain at least the compacted length of | ||
4156 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4157 | * If the buffer is too small, the function returns -1 as error. | ||
4158 | * If the buffer does not contain a valid key, it returns -2 as error. | ||
4159 | * | ||
4160 | * @param sig the signature | ||
4161 | * @param buffer the buffer | ||
4162 | * @param len the length of buffer | ||
4163 | * @return -1 or -2 on error, else the amount of bytes read from the buffer | ||
4164 | */ | ||
4165 | ssize_t | ||
4166 | GNUNET_CRYPTO_read_signature_from_buffer ( | ||
4167 | struct GNUNET_CRYPTO_Signature *sig, | ||
4168 | const void*buffer, | ||
4169 | size_t len); | ||
4170 | |||
4171 | |||
4172 | /** | ||
4173 | * Writes a #GNUNET_CRYPTO_Signature to a compact buffer. | ||
4174 | * The buffer requires space for at least the compacted length of | ||
4175 | * a #GNUNET_CRYPTO_Signature in bytes. | ||
4176 | * If the buffer is too small, the function returns -1 as error. | ||
4177 | * If the key is not valid, it returns -2 as error. | ||
4178 | * | ||
4179 | * @param sig the signature | ||
4180 | * @param buffer the buffer | ||
4181 | * @param len the length of buffer | ||
4182 | * @return -1 or -2 on error, else the amount of bytes written to the buffer | ||
4183 | */ | ||
4184 | ssize_t | ||
4185 | GNUNET_CRYPTO_write_signature_to_buffer ( | ||
4186 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4187 | void*buffer, | ||
4188 | size_t len); | ||
4189 | |||
4190 | |||
4191 | /** | ||
4192 | * @brief Sign a given block. | ||
4193 | * | ||
4194 | * The @a purpose data is the beginning of the data of which the signature is | ||
4195 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4196 | * number of bytes of the data structure, including its header. If possible, | ||
4197 | * use #GNUNET_CRYPTO_sign() instead of this function. | ||
4198 | * | ||
4199 | * @param priv private key to use for the signing | ||
4200 | * @param purpose what to sign (size, purpose) | ||
4201 | * @param[out] sig where to write the signature | ||
4202 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4203 | */ | ||
4204 | enum GNUNET_GenericReturnValue | ||
4205 | GNUNET_CRYPTO_sign_ ( | ||
4206 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4207 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4208 | struct GNUNET_CRYPTO_Signature *sig); | ||
4209 | |||
4210 | /** | ||
4211 | * @brief Sign a given block. | ||
4212 | * | ||
4213 | * The @a purpose data is the beginning of the data of which the signature is | ||
4214 | * to be created. The `size` field in @a purpose must correctly indicate the | ||
4215 | * number of bytes of the data structure, including its header. | ||
4216 | * The signature payload and length depends on the key type. | ||
4217 | * | ||
4218 | * @param priv private key to use for the signing | ||
4219 | * @param purpose what to sign (size, purpose) | ||
4220 | * @param[out] sig where to write the signature | ||
4221 | * @return #GNUNET_SYSERR on error, #GNUNET_OK on success | ||
4222 | */ | ||
4223 | enum GNUNET_GenericReturnValue | ||
4224 | GNUNET_CRYPTO_sign_raw_ ( | ||
4225 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4226 | const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, | ||
4227 | unsigned char *sig); | ||
4228 | |||
4229 | |||
4230 | /** | ||
4231 | * @brief Sign a given block with #GNUNET_CRYPTO_PrivateKey. | ||
4232 | * | ||
4233 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4234 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4235 | * number of bytes of the data structure, including its header. | ||
4236 | * | ||
4237 | * @param priv private key to use for the signing | ||
4238 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4239 | * @param[out] sig where to write the signature | ||
4240 | */ | ||
4241 | #define GNUNET_CRYPTO_sign(priv,ps,sig) do { \ | ||
4242 | /* check size is set correctly */ \ | ||
4243 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4244 | /* check 'ps' begins with the purpose */ \ | ||
4245 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4246 | ((void*) &(ps)->purpose)); \ | ||
4247 | GNUNET_assert (GNUNET_OK == \ | ||
4248 | GNUNET_CRYPTO_sign_ (priv, \ | ||
4249 | &(ps)->purpose, \ | ||
4250 | sig)); \ | ||
4251 | } while (0) | ||
4252 | |||
4253 | |||
4254 | /** | ||
4255 | * @brief Verify a given signature. | ||
4256 | * | ||
4257 | * The @a validate data is the beginning of the data of which the signature | ||
4258 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4259 | * the number of bytes of the data structure, including its header. If @a | ||
4260 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4261 | * in big endian), signature verification fails. If possible, | ||
4262 | * use #GNUNET_CRYPTO_signature_verify() instead of this function (only if @a validate | ||
4263 | * is not fixed-size, you must use this function directly). | ||
4264 | * | ||
4265 | * @param purpose what is the purpose that the signature should have? | ||
4266 | * @param validate block to validate (size, purpose, data) | ||
4267 | * @param sig signature that is being validated | ||
4268 | * @param pub public key of the signer | ||
4269 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4270 | */ | ||
4271 | enum GNUNET_GenericReturnValue | ||
4272 | GNUNET_CRYPTO_signature_verify_ ( | ||
4273 | uint32_t purpose, | ||
4274 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4275 | const struct GNUNET_CRYPTO_Signature *sig, | ||
4276 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4277 | |||
4278 | /** | ||
4279 | * @brief Verify a given signature. | ||
4280 | * | ||
4281 | * The @a validate data is the beginning of the data of which the signature | ||
4282 | * is to be verified. The `size` field in @a validate must correctly indicate | ||
4283 | * the number of bytes of the data structure, including its header. If @a | ||
4284 | * purpose does not match the purpose given in @a validate (the latter must be | ||
4285 | * in big endian), signature verification fails. | ||
4286 | * | ||
4287 | * @param purpose what is the purpose that the signature should have? | ||
4288 | * @param validate block to validate (size, purpose, data) | ||
4289 | * @param sig signature that is being validated | ||
4290 | * @param pub public key of the signer | ||
4291 | * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid | ||
4292 | */ | ||
4293 | enum GNUNET_GenericReturnValue | ||
4294 | GNUNET_CRYPTO_signature_verify_raw_ ( | ||
4295 | uint32_t purpose, | ||
4296 | const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, | ||
4297 | const unsigned char *sig, | ||
4298 | const struct GNUNET_CRYPTO_PublicKey *pub); | ||
4299 | |||
4300 | |||
4301 | /** | ||
4302 | * @brief Verify a given signature with #GNUNET_CRYPTO_PublicKey. | ||
4303 | * | ||
4304 | * The @a ps data must be a fixed-size struct for which the signature is to be | ||
4305 | * created. The `size` field in @a ps->purpose must correctly indicate the | ||
4306 | * number of bytes of the data structure, including its header. | ||
4307 | * | ||
4308 | * @param purp purpose of the signature, must match 'ps->purpose.purpose' | ||
4309 | * (except in host byte order) | ||
4310 | * @param ps packed struct with what to sign, MUST begin with a purpose | ||
4311 | * @param sig where to read the signature from | ||
4312 | * @param pub public key to use for the verifying | ||
4313 | */ | ||
4314 | #define GNUNET_CRYPTO_signature_verify(purp,ps,sig,pub) ({ \ | ||
4315 | /* check size is set correctly */ \ | ||
4316 | GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ | ||
4317 | /* check 'ps' begins with the purpose */ \ | ||
4318 | GNUNET_static_assert (((void*) (ps)) == \ | ||
4319 | ((void*) &(ps)->purpose)); \ | ||
4320 | GNUNET_CRYPTO_signature_verify_ (purp, \ | ||
4321 | &(ps)->purpose, \ | ||
4322 | sig, \ | ||
4323 | pub); \ | ||
4324 | }) | ||
4325 | |||
4326 | |||
4327 | /** | ||
4328 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4329 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4330 | * using ecdh to derive a symmetric key. | ||
4331 | * | ||
4332 | * @param block the block to encrypt | ||
4333 | * @param size the size of the @a block | ||
4334 | * @param pub public key to use for ecdh | ||
4335 | * @param ecc where to write the ecc public key | ||
4336 | * @param result the output parameter in which to store the encrypted result | ||
4337 | * can be the same or overlap with @c block | ||
4338 | * @returns the size of the encrypted block, -1 for errors. | ||
4339 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4340 | * this size should be the same as @c len. | ||
4341 | */ | ||
4342 | ssize_t | ||
4343 | GNUNET_CRYPTO_encrypt_old (const void *block, | ||
4344 | size_t size, | ||
4345 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4346 | struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4347 | void *result); | ||
4348 | |||
4349 | |||
4350 | /** | ||
4351 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4352 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4353 | * | ||
4354 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4355 | * @param size the size of the @a block to decrypt | ||
4356 | * @param priv private key to use for ecdh | ||
4357 | * @param ecc the ecc public key | ||
4358 | * @param result address to store the result at | ||
4359 | * can be the same or overlap with @c block | ||
4360 | * @return -1 on failure, size of decrypted block on success. | ||
4361 | * Due to the use of CFB and therefore an effective stream cipher, | ||
4362 | * this size should be the same as @c size. | ||
4363 | */ | ||
4364 | ssize_t | ||
4365 | GNUNET_CRYPTO_decrypt_old ( | ||
4366 | const void *block, | ||
4367 | size_t size, | ||
4368 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4369 | const struct GNUNET_CRYPTO_EcdhePublicKey *ecc, | ||
4370 | void *result); | ||
4371 | |||
4372 | #define GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES (crypto_secretbox_MACBYTES \ | ||
4373 | + sizeof (struct \ | ||
4374 | GNUNET_CRYPTO_FoKemC)) | ||
4375 | |||
4376 | /** | ||
4377 | * Encrypt a block with #GNUNET_CRYPTO_PublicKey and derives a | ||
4378 | * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption | ||
4379 | * using ecdh to derive a symmetric key. | ||
4380 | * | ||
4381 | * Note that the result buffer for the ciphertext must be the length of | ||
4382 | * the message to encrypt plus #GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES. | ||
4383 | * | ||
4384 | * @param block the block to encrypt | ||
4385 | * @param size the size of the @a block | ||
4386 | * @param pub public key to encrypt for | ||
4387 | * @param result the output parameter in which to store the encrypted result | ||
4388 | * can be the same or overlap with @c block | ||
4389 | * @returns GNUNET_OK on success. | ||
4390 | */ | ||
4391 | enum GNUNET_GenericReturnValue | ||
4392 | GNUNET_CRYPTO_encrypt (const void *block, | ||
4393 | size_t size, | ||
4394 | const struct GNUNET_CRYPTO_PublicKey *pub, | ||
4395 | void *result, | ||
4396 | size_t result_size); | ||
4397 | |||
4398 | |||
4399 | /** | ||
4400 | * Decrypt a given block with #GNUNET_CRYPTO_PrivateKey and a given | ||
4401 | * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key. | ||
4402 | * | ||
4403 | * @param block the data to decrypt, encoded as returned by encrypt | ||
4404 | * @param size the size of the @a block to decrypt | ||
4405 | * @param priv private key to use for ecdh | ||
4406 | * @param result address to store the result at | ||
4407 | * can be the same or overlap with @c block | ||
4408 | * @returns GNUNET_OK on success. | ||
4409 | */ | ||
4410 | enum GNUNET_GenericReturnValue | ||
4411 | GNUNET_CRYPTO_decrypt (const void *block, | ||
4412 | size_t size, | ||
4413 | const struct GNUNET_CRYPTO_PrivateKey *priv, | ||
4414 | void *result, | ||
4415 | size_t result_size); | ||
4416 | |||
4417 | |||
4418 | /** | ||
4419 | * Creates a (Base32) string representation of the public key. | ||
4420 | * The resulting string encodes a compacted representation of the key. | ||
4421 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4422 | * | ||
4423 | * @param key the key. | ||
4424 | * @return the string representation of the key, or NULL on error. | ||
4425 | */ | ||
4426 | char * | ||
4427 | GNUNET_CRYPTO_public_key_to_string ( | ||
4428 | const struct GNUNET_CRYPTO_PublicKey *key); | ||
4429 | |||
4430 | |||
4431 | /** | ||
4432 | * Creates a (Base32) string representation of the private key. | ||
4433 | * The resulting string encodes a compacted representation of the key. | ||
4434 | * See also #GNUNET_CRYPTO_key_get_length. | ||
4435 | * | ||
4436 | * @param key the key. | ||
4437 | * @return the string representation of the key, or NULL on error. | ||
4438 | */ | ||
4439 | char * | ||
4440 | GNUNET_CRYPTO_private_key_to_string ( | ||
4441 | const struct GNUNET_CRYPTO_PrivateKey *key); | ||
4442 | |||
4443 | |||
4444 | /** | ||
4445 | * Parses a (Base32) string representation of the public key. | ||
4446 | * See also #GNUNET_CRYPTO_public_key_to_string. | ||
4447 | * | ||
4448 | * @param str the encoded key. | ||
4449 | * @param key where to write the key. | ||
4450 | * @return GNUNET_SYSERR on error. | ||
4451 | */ | ||
4452 | enum GNUNET_GenericReturnValue | ||
4453 | GNUNET_CRYPTO_public_key_from_string (const char*str, | ||
4454 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4455 | |||
4456 | |||
4457 | /** | ||
4458 | * Parses a (Base32) string representation of the private key. | ||
4459 | * See also #GNUNET_CRYPTO_private_key_to_string. | ||
4460 | * | ||
4461 | * @param str the encoded key. | ||
4462 | * @param key where to write the key. | ||
4463 | * @return GNUNET_SYSERR on error. | ||
4464 | */ | ||
4465 | enum GNUNET_GenericReturnValue | ||
4466 | GNUNET_CRYPTO_private_key_from_string (const char*str, | ||
4467 | struct GNUNET_CRYPTO_PrivateKey *key); | ||
4468 | |||
4469 | |||
4470 | /** | ||
4471 | * Retrieves the public key representation of a private key. | ||
4472 | * | ||
4473 | * @param privkey the private key. | ||
4474 | * @param key the public key result. | ||
4475 | * @return GNUNET_SYSERR on error. | ||
4476 | */ | ||
4477 | enum GNUNET_GenericReturnValue | ||
4478 | GNUNET_CRYPTO_key_get_public (const struct | ||
4479 | GNUNET_CRYPTO_PrivateKey *privkey, | ||
4480 | struct GNUNET_CRYPTO_PublicKey *key); | ||
4481 | |||
2428 | #if 0 /* keep Emacsens' auto-indent happy */ | 4482 | #if 0 /* keep Emacsens' auto-indent happy */ |
2429 | { | 4483 | { |
2430 | #endif | 4484 | #endif |
@@ -2435,4 +4489,7 @@ GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash, | |||
2435 | 4489 | ||
2436 | /* ifndef GNUNET_CRYPTO_LIB_H */ | 4490 | /* ifndef GNUNET_CRYPTO_LIB_H */ |
2437 | #endif | 4491 | #endif |
4492 | |||
4493 | /** @} */ /* end of group addition */ | ||
4494 | |||
2438 | /* end of gnunet_crypto_lib.h */ | 4495 | /* end of gnunet_crypto_lib.h */ |