1 files changed, 712 insertions, 0 deletions
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
new file mode 100644
index 000000000..33a587acd
--- /dev/null
+++ b/src/lib/util/crypto_blind_sign.c
@@ -0,0 +1,712 @@
+/*
+  This file is part of GNUNET
+  Copyright (C) 2021, 2022, 2023 GNUnet e.V.
+  GNUNET is free software; you can redistribute it and/or modify it under the
+  terms of the GNU General Public License as published by the Free Software
+  Foundation; either version 3, or (at your option) any later version.
+  GNUNET is distributed in the hope that it will be useful, but WITHOUT ANY
+  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+  A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+  You should have received a copy of the GNU General Public License along with
+  GNUNET; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file crypto_blind_sign.c
+ * @brief blind signatures (abstraction over RSA or CS)
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+void
+GNUNET_CRYPTO_blinding_input_values_decref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm)
+{
+  GNUNET_assert (bm->rc > 0);
+  bm->rc--;
+  if (0 != bm->rc)
+    return;
+  switch (bm->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (bm);
+}
+void
+GNUNET_CRYPTO_blind_sign_priv_decref (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
+{
+  GNUNET_assert (bsign_priv->rc > 0);
+  bsign_priv->rc--;
+  if (0 != bsign_priv->rc)
+    return;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != bsign_priv->details.rsa_private_key)
+    {
+      GNUNET_CRYPTO_rsa_private_key_free (bsign_priv->details.rsa_private_key);
+      bsign_priv->details.rsa_private_key = NULL;
+    }
+    bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (bsign_priv);
+}
+void
+GNUNET_CRYPTO_blind_sign_pub_decref (struct
+                                     GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  GNUNET_assert (bsign_pub->rc > 0);
+  bsign_pub->rc--;
+  if (0 != bsign_pub->rc)
+    return;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != bsign_pub->details.rsa_public_key)
+    {
+      GNUNET_CRYPTO_rsa_public_key_free (bsign_pub->details.rsa_public_key);
+      bsign_pub->details.rsa_public_key = NULL;
+    }
+    bsign_pub->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    break;
+  }
+  GNUNET_free (bsign_pub);
+}
+void
+GNUNET_CRYPTO_unblinded_sig_decref (struct
+                                    GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+  GNUNET_assert (ub_sig->rc > 0);
+  ub_sig->rc--;
+  if (0 != ub_sig->rc)
+    return;
+  switch (ub_sig->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != ub_sig->details.rsa_signature)
+    {
+      GNUNET_CRYPTO_rsa_signature_free (ub_sig->details.rsa_signature);
+      ub_sig->details.rsa_signature = NULL;
+    }
+    ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (ub_sig);
+}
+void
+GNUNET_CRYPTO_blinded_sig_decref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+  GNUNET_assert (blind_sig->rc > 0);
+  blind_sig->rc--;
+  if (0 != blind_sig->rc)
+    return;
+  switch (blind_sig->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != blind_sig->details.blinded_rsa_signature)
+    {
+      GNUNET_CRYPTO_rsa_signature_free (
+        blind_sig->details.blinded_rsa_signature);
+      blind_sig->details.blinded_rsa_signature = NULL;
+    }
+    blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (blind_sig);
+}
+void
+GNUNET_CRYPTO_blinded_message_decref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm)
+{
+  GNUNET_assert (bm->rc > 0);
+  bm->rc--;
+  if (0 != bm->rc)
+    return;
+  switch (bm->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    GNUNET_free (bm->details.rsa_blinded_message.blinded_msg);
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    break;
+  }
+  GNUNET_free (bm);
+}
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_blinded_message_incref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm)
+{
+  bm->rc++;
+  return bm;
+}
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_blinding_input_values_incref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm)
+{
+  bm->rc++;
+  return bm;
+}
+struct GNUNET_CRYPTO_BlindSignPublicKey *
+GNUNET_CRYPTO_bsign_pub_incref (
+  struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  bsign_pub->rc++;
+  return bsign_pub;
+}
+struct GNUNET_CRYPTO_BlindSignPrivateKey *
+GNUNET_CRYPTO_bsign_priv_incref (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
+{
+  bsign_priv->rc++;
+  return bsign_priv;
+}
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+  ub_sig->rc++;
+  return ub_sig;
+}
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sig_incref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+  blind_sig->rc++;
+  return blind_sig;
+}
+int
+GNUNET_CRYPTO_bsign_pub_cmp (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2)
+{
+  if (bp1->cipher != bp2->cipher)
+    return (bp1->cipher > bp2->cipher) ? 1 : -1;
+  switch (bp1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_memcmp (&bp1->pub_key_hash,
+                          &bp2->pub_key_hash);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&bp1->pub_key_hash,
+                          &bp2->pub_key_hash);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_ub_sig_cmp (
+  const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
+  const struct GNUNET_CRYPTO_UnblindedSignature *sig2)
+{
+  if (sig1->cipher != sig2->cipher)
+    return (sig1->cipher > sig2->cipher) ? 1 : -1;
+  switch (sig1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.rsa_signature,
+                                            sig2->details.rsa_signature);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&sig1->details.cs_signature,
+                          &sig2->details.cs_signature);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_blind_sig_cmp (
+  const struct GNUNET_CRYPTO_BlindedSignature *sig1,
+  const struct GNUNET_CRYPTO_BlindedSignature *sig2)
+{
+  if (sig1->cipher != sig2->cipher)
+    return (sig1->cipher > sig2->cipher) ? 1 : -1;
+  switch (sig1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.blinded_rsa_signature,
+                                            sig2->details.blinded_rsa_signature);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&sig1->details.blinded_cs_answer,
+                          &sig2->details.blinded_cs_answer);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_blinded_message_cmp (
+  const struct GNUNET_CRYPTO_BlindedMessage *bp1,
+  const struct GNUNET_CRYPTO_BlindedMessage *bp2)
+{
+  if (bp1->cipher != bp2->cipher)
+    return (bp1->cipher > bp2->cipher) ? 1 : -1;
+  switch (bp1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (bp1->details.rsa_blinded_message.blinded_msg_size !=
+        bp2->details.rsa_blinded_message.blinded_msg_size)
+      return (bp1->details.rsa_blinded_message.blinded_msg_size >
+              bp2->details.rsa_blinded_message.blinded_msg_size) ? 1 : -1;
+    return memcmp (bp1->details.rsa_blinded_message.blinded_msg,
+                   bp2->details.rsa_blinded_message.blinded_msg,
+                   bp1->details.rsa_blinded_message.blinded_msg_size);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&bp1->details.cs_blinded_message,
+                          &bp2->details.cs_blinded_message);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  ...)
+{
+  enum GNUNET_GenericReturnValue ret;
+  va_list ap;
+  va_start (ap,
+            cipher);
+  ret = GNUNET_CRYPTO_blind_sign_keys_create_va (bsign_priv,
+                                                 bsign_pub,
+                                                 cipher,
+                                                 ap);
+  va_end (ap);
+  return ret;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create_va (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  va_list ap)
+{
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
+  struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
+  priv = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPrivateKey);
+  priv->rc = 1;
+  priv->cipher = cipher;
+  *bsign_priv = priv;
+  pub = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPublicKey);
+  pub->rc = 1;
+  pub->cipher = cipher;
+  *bsign_pub = pub;
+  switch (cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    {
+      unsigned int bits;
+      bits = va_arg (ap,
+                     unsigned int);
+      if (bits < 512)
+      {
+        GNUNET_break (0);
+        break;
+      }
+      priv->details.rsa_private_key
+        = GNUNET_CRYPTO_rsa_private_key_create (bits);
+    }
+    if (NULL == priv->details.rsa_private_key)
+    {
+      GNUNET_break (0);
+      break;
+    }
+    pub->details.rsa_public_key
+      = GNUNET_CRYPTO_rsa_private_key_get_public (
+          priv->details.rsa_private_key);
+    GNUNET_CRYPTO_rsa_public_key_hash (pub->details.rsa_public_key,
+                                       &pub->pub_key_hash);
+    return GNUNET_OK;
+  case GNUNET_CRYPTO_BSA_CS:
+    GNUNET_CRYPTO_cs_private_key_generate (&priv->details.cs_private_key);
+    GNUNET_CRYPTO_cs_private_key_get_public (
+      &priv->details.cs_private_key,
+      &pub->details.cs_public_key);
+    GNUNET_CRYPTO_hash (&pub->details.cs_public_key,
+                        sizeof(pub->details.cs_public_key),
+                        &pub->pub_key_hash);
+    return GNUNET_OK;
+  }
+  GNUNET_free (priv);
+  GNUNET_free (pub);
+  *bsign_priv = NULL;
+  *bsign_pub = NULL;
+  return GNUNET_SYSERR;
+}
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt)
+{
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
+  biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
+  biv->cipher = bsign_priv->cipher;
+  biv->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (biv);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return biv;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+      GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
+                                 salt,
+                                 &bsign_priv->details.cs_private_key,
+                                 cspriv);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
+                                     &biv->details.cs_values.r_pub[0]);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
+                                     &biv->details.cs_values.r_pub[1]);
+      return biv;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (biv);
+  return NULL;
+}
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_message_blind_to_sign (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
+{
+  struct GNUNET_CRYPTO_BlindedMessage *bm;
+  bm = GNUNET_new (struct GNUNET_CRYPTO_BlindedMessage);
+  bm->cipher = bsign_pub->cipher;
+  bm->rc = 1;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (bm);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (GNUNET_YES !=
+        GNUNET_CRYPTO_rsa_blind (
+          message,
+          message_size,
+          &bks->rsa_bks,
+          bsign_pub->details.rsa_public_key,
+          &bm->details.rsa_blinded_message))
+    {
+      GNUNET_break (0);
+      GNUNET_free (bm);
+      return NULL;
+    }
+    return bm;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
+      struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+      if (NULL == nonce)
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (bm);
+        return NULL;
+      }
+      GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+                                                bs);
+      GNUNET_CRYPTO_cs_calc_blinded_c (
+        bs,
+        alg_values->details.cs_values.r_pub,
+        &bsign_pub->details.cs_public_key,
+        message,
+        message_size,
+        bm->details.cs_blinded_message.c,
+        &blinded_r_pub);
+      bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
+      (void) blinded_r_pub;
+      return bm;
+    }
+  }
+  GNUNET_break (0);
+  return NULL;
+}
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sign (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const char *salt,
+  const struct GNUNET_CRYPTO_BlindedMessage *blinded_message)
+{
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig;
+  if (blinded_message->cipher != bsign_priv->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  blind_sig = GNUNET_new (struct GNUNET_CRYPTO_BlindedSignature);
+  blind_sig->cipher = bsign_priv->cipher;
+  blind_sig->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (blind_sig);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    blind_sig->details.blinded_rsa_signature
+      = GNUNET_CRYPTO_rsa_sign_blinded (
+          bsign_priv->details.rsa_private_key,
+          &blinded_message->details.rsa_blinded_message);
+    if (NULL == blind_sig->details.blinded_rsa_signature)
+    {
+      GNUNET_break (0);
+      GNUNET_free (blind_sig);
+      return NULL;
+    }
+    return blind_sig;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret r[2];
+      GNUNET_CRYPTO_cs_r_derive (
+        &blinded_message->details.cs_blinded_message.nonce,
+        salt,
+        &bsign_priv->details.cs_private_key,
+        r);
+      GNUNET_CRYPTO_cs_sign_derive (
+        &bsign_priv->details.cs_private_key,
+        r,
+        &blinded_message->details.cs_blinded_message,
+        &blind_sig->details.blinded_cs_answer);
+    }
+    return blind_sig;
+  }
+  GNUNET_break (0);
+  return NULL;
+}
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_blind_sig_unblind (
+  const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  struct GNUNET_CRYPTO_UnblindedSignature *ub_sig;
+  if (blinded_sig->cipher != bsign_pub->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  if (blinded_sig->cipher != alg_values->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  ub_sig = GNUNET_new (struct GNUNET_CRYPTO_UnblindedSignature);
+  ub_sig->cipher = blinded_sig->cipher;
+  ub_sig->rc = 1;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (ub_sig);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    ub_sig->details.rsa_signature
+      = GNUNET_CRYPTO_rsa_unblind (
+          blinded_sig->details.blinded_rsa_signature,
+          &bks->rsa_bks,
+          bsign_pub->details.rsa_public_key);
+    if (NULL == ub_sig->details.rsa_signature)
+    {
+      GNUNET_break (0);
+      GNUNET_free (ub_sig);
+      return NULL;
+    }
+    return ub_sig;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+      struct GNUNET_CRYPTO_CsC c[2];
+      struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
+      unsigned int b;
+      GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+                                                bs);
+      GNUNET_CRYPTO_cs_calc_blinded_c (
+        bs,
+        alg_values->details.cs_values.r_pub,
+        &bsign_pub->details.cs_public_key,
+        message,
+        message_size,
+        c,
+        &r_pub_blind);
+      b = blinded_sig->details.blinded_cs_answer.b;
+      ub_sig->details.cs_signature.r_point
+        = r_pub_blind.r_pub[b];
+      GNUNET_CRYPTO_cs_unblind (
+        &blinded_sig->details.blinded_cs_answer.s_scalar,
+        &bs[b],
+        &ub_sig->details.cs_signature.s_scalar);
+      return ub_sig;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (ub_sig);
+  return NULL;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sig_verify (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
+  const void *message,
+  size_t message_size)
+{
+  if (bsign_pub->cipher != ub_sig->cipher)
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
+  }
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return GNUNET_NO;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_rsa_verify (message,
+                                  message_size,
+                                  ub_sig->details.rsa_signature,
+                                  bsign_pub->details.rsa_public_key))
+    {
+      GNUNET_break_op (0);
+      return GNUNET_NO;
+    }
+    return GNUNET_YES;
+  case GNUNET_CRYPTO_BSA_CS:
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_cs_verify (&ub_sig->details.cs_signature,
+                                 &bsign_pub->details.cs_public_key,
+                                 message,
+                                 message_size))
+    {
+      GNUNET_break_op (0);
+      return GNUNET_NO;
+    }
+    return GNUNET_YES;
+  }
+  GNUNET_break (0);
+  return GNUNET_NO;
+}
+/* end of crypto_blind_sign.c */

diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c new file mode 100644 index 000000000..33a587acd --- /dev/null +++ b/src/lib/util/crypto_blind_sign.c
@@ -0,0 +1,712 @@
	1	/*
	2	This file is part of GNUNET
	3	Copyright (C) 2021, 2022, 2023 GNUnet e.V.
	4
	5	GNUNET is free software; you can redistribute it and/or modify it under the
	6	terms of the GNU General Public License as published by the Free Software
	7	Foundation; either version 3, or (at your option) any later version.
	8
	9	GNUNET is distributed in the hope that it will be useful, but WITHOUT ANY
	10	WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
	11	A PARTICULAR PURPOSE. See the GNU General Public License for more details.
	12
	13	You should have received a copy of the GNU General Public License along with
	14	GNUNET; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
	15	*/
	16	/**
	17	* @file crypto_blind_sign.c
	18	* @brief blind signatures (abstraction over RSA or CS)
	19	* @author Christian Grothoff
	20	*/
	21	#include "platform.h"
	22	#include "gnunet_util_lib.h"
	23
	24
	25	void
	26	GNUNET_CRYPTO_blinding_input_values_decref (
	27	struct GNUNET_CRYPTO_BlindingInputValues *bm)
	28	{
	29	GNUNET_assert (bm->rc > 0);
	30	bm->rc--;
	31	if (0 != bm->rc)
	32	return;
	33	switch (bm->cipher)
	34	{
	35	case GNUNET_CRYPTO_BSA_INVALID:
	36	GNUNET_break (0);
	37	break;
	38	case GNUNET_CRYPTO_BSA_RSA:
	39	bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
	40	break;
	41	case GNUNET_CRYPTO_BSA_CS:
	42	bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
	43	break;
	44	}
	45	GNUNET_free (bm);
	46	}
	47
	48
	49	void
	50	GNUNET_CRYPTO_blind_sign_priv_decref (
	51	struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
	52	{
	53	GNUNET_assert (bsign_priv->rc > 0);
	54	bsign_priv->rc--;
	55	if (0 != bsign_priv->rc)
	56	return;
	57	switch (bsign_priv->cipher)
	58	{
	59	case GNUNET_CRYPTO_BSA_INVALID:
	60	GNUNET_break (0);
	61	break;
	62	case GNUNET_CRYPTO_BSA_RSA:
	63	if (NULL != bsign_priv->details.rsa_private_key)
	64	{
	65	GNUNET_CRYPTO_rsa_private_key_free (bsign_priv->details.rsa_private_key);
	66	bsign_priv->details.rsa_private_key = NULL;
	67	}
	68	bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
	69	break;
	70	case GNUNET_CRYPTO_BSA_CS:
	71	bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
	72	break;
	73	}
	74	GNUNET_free (bsign_priv);
	75	}
	76
	77
	78	void
	79	GNUNET_CRYPTO_blind_sign_pub_decref (struct
	80	GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	81	{
	82	GNUNET_assert (bsign_pub->rc > 0);
	83	bsign_pub->rc--;
	84	if (0 != bsign_pub->rc)
	85	return;
	86	switch (bsign_pub->cipher)
	87	{
	88	case GNUNET_CRYPTO_BSA_INVALID:
	89	GNUNET_break (0);
	90	break;
	91	case GNUNET_CRYPTO_BSA_RSA:
	92	if (NULL != bsign_pub->details.rsa_public_key)
	93	{
	94	GNUNET_CRYPTO_rsa_public_key_free (bsign_pub->details.rsa_public_key);
	95	bsign_pub->details.rsa_public_key = NULL;
	96	}
	97	bsign_pub->cipher = GNUNET_CRYPTO_BSA_INVALID;
	98	break;
	99	case GNUNET_CRYPTO_BSA_CS:
	100	break;
	101	}
	102	GNUNET_free (bsign_pub);
	103	}
	104
	105
	106	void
	107	GNUNET_CRYPTO_unblinded_sig_decref (struct
	108	GNUNET_CRYPTO_UnblindedSignature *ub_sig)
	109	{
	110	GNUNET_assert (ub_sig->rc > 0);
	111	ub_sig->rc--;
	112	if (0 != ub_sig->rc)
	113	return;
	114	switch (ub_sig->cipher)
	115	{
	116	case GNUNET_CRYPTO_BSA_INVALID:
	117	GNUNET_break (0);
	118	break;
	119	case GNUNET_CRYPTO_BSA_RSA:
	120	if (NULL != ub_sig->details.rsa_signature)
	121	{
	122	GNUNET_CRYPTO_rsa_signature_free (ub_sig->details.rsa_signature);
	123	ub_sig->details.rsa_signature = NULL;
	124	}
	125	ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	126	break;
	127	case GNUNET_CRYPTO_BSA_CS:
	128	ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	129	break;
	130	}
	131	GNUNET_free (ub_sig);
	132	}
	133
	134
	135	void
	136	GNUNET_CRYPTO_blinded_sig_decref (
	137	struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
	138	{
	139	GNUNET_assert (blind_sig->rc > 0);
	140	blind_sig->rc--;
	141	if (0 != blind_sig->rc)
	142	return;
	143	switch (blind_sig->cipher)
	144	{
	145	case GNUNET_CRYPTO_BSA_INVALID:
	146	GNUNET_break (0);
	147	break;
	148	case GNUNET_CRYPTO_BSA_RSA:
	149	if (NULL != blind_sig->details.blinded_rsa_signature)
	150	{
	151	GNUNET_CRYPTO_rsa_signature_free (
	152	blind_sig->details.blinded_rsa_signature);
	153	blind_sig->details.blinded_rsa_signature = NULL;
	154	}
	155	blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	156	break;
	157	case GNUNET_CRYPTO_BSA_CS:
	158	blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	159	break;
	160	}
	161	GNUNET_free (blind_sig);
	162	}
	163
	164
	165	void
	166	GNUNET_CRYPTO_blinded_message_decref (
	167	struct GNUNET_CRYPTO_BlindedMessage *bm)
	168	{
	169	GNUNET_assert (bm->rc > 0);
	170	bm->rc--;
	171	if (0 != bm->rc)
	172	return;
	173	switch (bm->cipher)
	174	{
	175	case GNUNET_CRYPTO_BSA_INVALID:
	176	GNUNET_break (0);
	177	break;
	178	case GNUNET_CRYPTO_BSA_RSA:
	179	GNUNET_free (bm->details.rsa_blinded_message.blinded_msg);
	180	break;
	181	case GNUNET_CRYPTO_BSA_CS:
	182	break;
	183	}
	184	GNUNET_free (bm);
	185	}
	186
	187
	188	struct GNUNET_CRYPTO_BlindedMessage *
	189	GNUNET_CRYPTO_blinded_message_incref (
	190	struct GNUNET_CRYPTO_BlindedMessage *bm)
	191	{
	192	bm->rc++;
	193	return bm;
	194	}
	195
	196
	197	struct GNUNET_CRYPTO_BlindingInputValues *
	198	GNUNET_CRYPTO_blinding_input_values_incref (
	199	struct GNUNET_CRYPTO_BlindingInputValues *bm)
	200	{
	201	bm->rc++;
	202	return bm;
	203	}
	204
	205
	206	struct GNUNET_CRYPTO_BlindSignPublicKey *
	207	GNUNET_CRYPTO_bsign_pub_incref (
	208	struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	209	{
	210	bsign_pub->rc++;
	211	return bsign_pub;
	212	}
	213
	214
	215	struct GNUNET_CRYPTO_BlindSignPrivateKey *
	216	GNUNET_CRYPTO_bsign_priv_incref (
	217	struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
	218	{
	219	bsign_priv->rc++;
	220	return bsign_priv;
	221	}
	222
	223
	224	struct GNUNET_CRYPTO_UnblindedSignature *
	225	GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
	226	{
	227	ub_sig->rc++;
	228	return ub_sig;
	229	}
	230
	231
	232	struct GNUNET_CRYPTO_BlindedSignature *
	233	GNUNET_CRYPTO_blind_sig_incref (
	234	struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
	235	{
	236	blind_sig->rc++;
	237	return blind_sig;
	238	}
	239
	240
	241	int
	242	GNUNET_CRYPTO_bsign_pub_cmp (
	243	const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
	244	const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2)
	245	{
	246	if (bp1->cipher != bp2->cipher)
	247	return (bp1->cipher > bp2->cipher) ? 1 : -1;
	248	switch (bp1->cipher)
	249	{
	250	case GNUNET_CRYPTO_BSA_INVALID:
	251	GNUNET_break (0);
	252	return 0;
	253	case GNUNET_CRYPTO_BSA_RSA:
	254	return GNUNET_memcmp (&bp1->pub_key_hash,
	255	&bp2->pub_key_hash);
	256	case GNUNET_CRYPTO_BSA_CS:
	257	return GNUNET_memcmp (&bp1->pub_key_hash,
	258	&bp2->pub_key_hash);
	259	}
	260	GNUNET_assert (0);
	261	return -2;
	262	}
	263
	264
	265	int
	266	GNUNET_CRYPTO_ub_sig_cmp (
	267	const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
	268	const struct GNUNET_CRYPTO_UnblindedSignature *sig2)
	269	{
	270	if (sig1->cipher != sig2->cipher)
	271	return (sig1->cipher > sig2->cipher) ? 1 : -1;
	272	switch (sig1->cipher)
	273	{
	274	case GNUNET_CRYPTO_BSA_INVALID:
	275	GNUNET_break (0);
	276	return 0;
	277	case GNUNET_CRYPTO_BSA_RSA:
	278	return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.rsa_signature,
	279	sig2->details.rsa_signature);
	280	case GNUNET_CRYPTO_BSA_CS:
	281	return GNUNET_memcmp (&sig1->details.cs_signature,
	282	&sig2->details.cs_signature);
	283	}
	284	GNUNET_assert (0);
	285	return -2;
	286	}
	287
	288
	289	int
	290	GNUNET_CRYPTO_blind_sig_cmp (
	291	const struct GNUNET_CRYPTO_BlindedSignature *sig1,
	292	const struct GNUNET_CRYPTO_BlindedSignature *sig2)
	293	{
	294	if (sig1->cipher != sig2->cipher)
	295	return (sig1->cipher > sig2->cipher) ? 1 : -1;
	296	switch (sig1->cipher)
	297	{
	298	case GNUNET_CRYPTO_BSA_INVALID:
	299	GNUNET_break (0);
	300	return 0;
	301	case GNUNET_CRYPTO_BSA_RSA:
	302	return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.blinded_rsa_signature,
	303	sig2->details.blinded_rsa_signature);
	304	case GNUNET_CRYPTO_BSA_CS:
	305	return GNUNET_memcmp (&sig1->details.blinded_cs_answer,
	306	&sig2->details.blinded_cs_answer);
	307	}
	308	GNUNET_assert (0);
	309	return -2;
	310	}
	311
	312
	313	int
	314	GNUNET_CRYPTO_blinded_message_cmp (
	315	const struct GNUNET_CRYPTO_BlindedMessage *bp1,
	316	const struct GNUNET_CRYPTO_BlindedMessage *bp2)
	317	{
	318	if (bp1->cipher != bp2->cipher)
	319	return (bp1->cipher > bp2->cipher) ? 1 : -1;
	320	switch (bp1->cipher)
	321	{
	322	case GNUNET_CRYPTO_BSA_INVALID:
	323	GNUNET_break (0);
	324	return 0;
	325	case GNUNET_CRYPTO_BSA_RSA:
	326	if (bp1->details.rsa_blinded_message.blinded_msg_size !=
	327	bp2->details.rsa_blinded_message.blinded_msg_size)
	328	return (bp1->details.rsa_blinded_message.blinded_msg_size >
	329	bp2->details.rsa_blinded_message.blinded_msg_size) ? 1 : -1;
	330	return memcmp (bp1->details.rsa_blinded_message.blinded_msg,
	331	bp2->details.rsa_blinded_message.blinded_msg,
	332	bp1->details.rsa_blinded_message.blinded_msg_size);
	333	case GNUNET_CRYPTO_BSA_CS:
	334	return GNUNET_memcmp (&bp1->details.cs_blinded_message,
	335	&bp2->details.cs_blinded_message);
	336	}
	337	GNUNET_assert (0);
	338	return -2;
	339	}
	340
	341
	342	enum GNUNET_GenericReturnValue
	343	GNUNET_CRYPTO_blind_sign_keys_create (
	344	struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
	345	struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
	346	enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
	347	...)
	348	{
	349	enum GNUNET_GenericReturnValue ret;
	350	va_list ap;
	351
	352	va_start (ap,
	353	cipher);
	354	ret = GNUNET_CRYPTO_blind_sign_keys_create_va (bsign_priv,
	355	bsign_pub,
	356	cipher,
	357	ap);
	358	va_end (ap);
	359	return ret;
	360	}
	361
	362
	363	enum GNUNET_GenericReturnValue
	364	GNUNET_CRYPTO_blind_sign_keys_create_va (
	365	struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
	366	struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
	367	enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
	368	va_list ap)
	369	{
	370	struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
	371	struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
	372
	373	priv = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPrivateKey);
	374	priv->rc = 1;
	375	priv->cipher = cipher;
	376	*bsign_priv = priv;
	377	pub = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPublicKey);
	378	pub->rc = 1;
	379	pub->cipher = cipher;
	380	*bsign_pub = pub;
	381	switch (cipher)
	382	{
	383	case GNUNET_CRYPTO_BSA_INVALID:
	384	GNUNET_break (0);
	385	break;
	386	case GNUNET_CRYPTO_BSA_RSA:
	387	{
	388	unsigned int bits;
	389
	390	bits = va_arg (ap,
	391	unsigned int);
	392	if (bits < 512)
	393	{
	394	GNUNET_break (0);
	395	break;
	396	}
	397	priv->details.rsa_private_key
	398	= GNUNET_CRYPTO_rsa_private_key_create (bits);
	399	}
	400	if (NULL == priv->details.rsa_private_key)
	401	{
	402	GNUNET_break (0);
	403	break;
	404	}
	405	pub->details.rsa_public_key
	406	= GNUNET_CRYPTO_rsa_private_key_get_public (
	407	priv->details.rsa_private_key);
	408	GNUNET_CRYPTO_rsa_public_key_hash (pub->details.rsa_public_key,
	409	&pub->pub_key_hash);
	410	return GNUNET_OK;
	411	case GNUNET_CRYPTO_BSA_CS:
	412	GNUNET_CRYPTO_cs_private_key_generate (&priv->details.cs_private_key);
	413	GNUNET_CRYPTO_cs_private_key_get_public (
	414	&priv->details.cs_private_key,
	415	&pub->details.cs_public_key);
	416	GNUNET_CRYPTO_hash (&pub->details.cs_public_key,
	417	sizeof(pub->details.cs_public_key),
	418	&pub->pub_key_hash);
	419	return GNUNET_OK;
	420	}
	421	GNUNET_free (priv);
	422	GNUNET_free (pub);
	423	*bsign_priv = NULL;
	424	*bsign_pub = NULL;
	425	return GNUNET_SYSERR;
	426	}
	427
	428
	429	struct GNUNET_CRYPTO_BlindingInputValues *
	430	GNUNET_CRYPTO_get_blinding_input_values (
	431	const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
	432	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
	433	const char *salt)
	434	{
	435	struct GNUNET_CRYPTO_BlindingInputValues *biv;
	436
	437	biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
	438	biv->cipher = bsign_priv->cipher;
	439	biv->rc = 1;
	440	switch (bsign_priv->cipher)
	441	{
	442	case GNUNET_CRYPTO_BSA_INVALID:
	443	GNUNET_break (0);
	444	GNUNET_free (biv);
	445	return NULL;
	446	case GNUNET_CRYPTO_BSA_RSA:
	447	return biv;
	448	case GNUNET_CRYPTO_BSA_CS:
	449	{
	450	struct GNUNET_CRYPTO_CsRSecret cspriv[2];
	451
	452	GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
	453	salt,
	454	&bsign_priv->details.cs_private_key,
	455	cspriv);
	456	GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
	457	&biv->details.cs_values.r_pub[0]);
	458	GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
	459	&biv->details.cs_values.r_pub[1]);
	460	return biv;
	461	}
	462	}
	463	GNUNET_break (0);
	464	GNUNET_free (biv);
	465	return NULL;
	466	}
	467
	468
	469	struct GNUNET_CRYPTO_BlindedMessage *
	470	GNUNET_CRYPTO_message_blind_to_sign (
	471	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
	472	const union GNUNET_CRYPTO_BlindingSecretP *bks,
	473	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
	474	const void *message,
	475	size_t message_size,
	476	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
	477	{
	478	struct GNUNET_CRYPTO_BlindedMessage *bm;
	479
	480	bm = GNUNET_new (struct GNUNET_CRYPTO_BlindedMessage);
	481	bm->cipher = bsign_pub->cipher;
	482	bm->rc = 1;
	483	switch (bsign_pub->cipher)
	484	{
	485	case GNUNET_CRYPTO_BSA_INVALID:
	486	GNUNET_break (0);
	487	GNUNET_free (bm);
	488	return NULL;
	489	case GNUNET_CRYPTO_BSA_RSA:
	490	if (GNUNET_YES !=
	491	GNUNET_CRYPTO_rsa_blind (
	492	message,
	493	message_size,
	494	&bks->rsa_bks,
	495	bsign_pub->details.rsa_public_key,
	496	&bm->details.rsa_blinded_message))
	497	{
	498	GNUNET_break (0);
	499	GNUNET_free (bm);
	500	return NULL;
	501	}
	502	return bm;
	503	case GNUNET_CRYPTO_BSA_CS:
	504	{
	505	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
	506	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
	507
	508	if (NULL == nonce)
	509	{
	510	GNUNET_break_op (0);
	511	GNUNET_free (bm);
	512	return NULL;
	513	}
	514	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
	515	bs);
	516	GNUNET_CRYPTO_cs_calc_blinded_c (
	517	bs,
	518	alg_values->details.cs_values.r_pub,
	519	&bsign_pub->details.cs_public_key,
	520	message,
	521	message_size,
	522	bm->details.cs_blinded_message.c,
	523	&blinded_r_pub);
	524	bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
	525	(void) blinded_r_pub;
	526	return bm;
	527	}
	528	}
	529	GNUNET_break (0);
	530	return NULL;
	531	}
	532
	533
	534	struct GNUNET_CRYPTO_BlindedSignature *
	535	GNUNET_CRYPTO_blind_sign (
	536	const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
	537	const char *salt,
	538	const struct GNUNET_CRYPTO_BlindedMessage *blinded_message)
	539	{
	540	struct GNUNET_CRYPTO_BlindedSignature *blind_sig;
	541
	542	if (blinded_message->cipher != bsign_priv->cipher)
	543	{
	544	GNUNET_break (0);
	545	return NULL;
	546	}
	547
	548	blind_sig = GNUNET_new (struct GNUNET_CRYPTO_BlindedSignature);
	549	blind_sig->cipher = bsign_priv->cipher;
	550	blind_sig->rc = 1;
	551	switch (bsign_priv->cipher)
	552	{
	553	case GNUNET_CRYPTO_BSA_INVALID:
	554	GNUNET_break (0);
	555	GNUNET_free (blind_sig);
	556	return NULL;
	557	case GNUNET_CRYPTO_BSA_RSA:
	558	blind_sig->details.blinded_rsa_signature
	559	= GNUNET_CRYPTO_rsa_sign_blinded (
	560	bsign_priv->details.rsa_private_key,
	561	&blinded_message->details.rsa_blinded_message);
	562	if (NULL == blind_sig->details.blinded_rsa_signature)
	563	{
	564	GNUNET_break (0);
	565	GNUNET_free (blind_sig);
	566	return NULL;
	567	}
	568	return blind_sig;
	569	case GNUNET_CRYPTO_BSA_CS:
	570	{
	571	struct GNUNET_CRYPTO_CsRSecret r[2];
	572
	573	GNUNET_CRYPTO_cs_r_derive (
	574	&blinded_message->details.cs_blinded_message.nonce,
	575	salt,
	576	&bsign_priv->details.cs_private_key,
	577	r);
	578	GNUNET_CRYPTO_cs_sign_derive (
	579	&bsign_priv->details.cs_private_key,
	580	r,
	581	&blinded_message->details.cs_blinded_message,
	582	&blind_sig->details.blinded_cs_answer);
	583	}
	584	return blind_sig;
	585	}
	586	GNUNET_break (0);
	587	return NULL;
	588	}
	589
	590
	591	struct GNUNET_CRYPTO_UnblindedSignature *
	592	GNUNET_CRYPTO_blind_sig_unblind (
	593	const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
	594	const union GNUNET_CRYPTO_BlindingSecretP *bks,
	595	const void *message,
	596	size_t message_size,
	597	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
	598	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	599	{
	600	struct GNUNET_CRYPTO_UnblindedSignature *ub_sig;
	601
	602	if (blinded_sig->cipher != bsign_pub->cipher)
	603	{
	604	GNUNET_break (0);
	605	return NULL;
	606	}
	607	if (blinded_sig->cipher != alg_values->cipher)
	608	{
	609	GNUNET_break (0);
	610	return NULL;
	611	}
	612	ub_sig = GNUNET_new (struct GNUNET_CRYPTO_UnblindedSignature);
	613	ub_sig->cipher = blinded_sig->cipher;
	614	ub_sig->rc = 1;
	615	switch (bsign_pub->cipher)
	616	{
	617	case GNUNET_CRYPTO_BSA_INVALID:
	618	GNUNET_break (0);
	619	GNUNET_free (ub_sig);
	620	return NULL;
	621	case GNUNET_CRYPTO_BSA_RSA:
	622	ub_sig->details.rsa_signature
	623	= GNUNET_CRYPTO_rsa_unblind (
	624	blinded_sig->details.blinded_rsa_signature,
	625	&bks->rsa_bks,
	626	bsign_pub->details.rsa_public_key);
	627	if (NULL == ub_sig->details.rsa_signature)
	628	{
	629	GNUNET_break (0);
	630	GNUNET_free (ub_sig);
	631	return NULL;
	632	}
	633	return ub_sig;
	634	case GNUNET_CRYPTO_BSA_CS:
	635	{
	636	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
	637	struct GNUNET_CRYPTO_CsC c[2];
	638	struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
	639	unsigned int b;
	640
	641	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
	642	bs);
	643	GNUNET_CRYPTO_cs_calc_blinded_c (
	644	bs,
	645	alg_values->details.cs_values.r_pub,
	646	&bsign_pub->details.cs_public_key,
	647	message,
	648	message_size,
	649	c,
	650	&r_pub_blind);
	651	b = blinded_sig->details.blinded_cs_answer.b;
	652	ub_sig->details.cs_signature.r_point
	653	= r_pub_blind.r_pub[b];
	654	GNUNET_CRYPTO_cs_unblind (
	655	&blinded_sig->details.blinded_cs_answer.s_scalar,
	656	&bs[b],
	657	&ub_sig->details.cs_signature.s_scalar);
	658	return ub_sig;
	659	}
	660	}
	661	GNUNET_break (0);
	662	GNUNET_free (ub_sig);
	663	return NULL;
	664	}
	665
	666
	667	enum GNUNET_GenericReturnValue
	668	GNUNET_CRYPTO_blind_sig_verify (
	669	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
	670	const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
	671	const void *message,
	672	size_t message_size)
	673	{
	674	if (bsign_pub->cipher != ub_sig->cipher)
	675	{
	676	GNUNET_break (0);
	677	return GNUNET_SYSERR;
	678	}
	679	switch (bsign_pub->cipher)
	680	{
	681	case GNUNET_CRYPTO_BSA_INVALID:
	682	GNUNET_break (0);
	683	return GNUNET_NO;
	684	case GNUNET_CRYPTO_BSA_RSA:
	685	if (GNUNET_OK !=
	686	GNUNET_CRYPTO_rsa_verify (message,
	687	message_size,
	688	ub_sig->details.rsa_signature,
	689	bsign_pub->details.rsa_public_key))
	690	{
	691	GNUNET_break_op (0);
	692	return GNUNET_NO;
	693	}
	694	return GNUNET_YES;
	695	case GNUNET_CRYPTO_BSA_CS:
	696	if (GNUNET_OK !=
	697	GNUNET_CRYPTO_cs_verify (&ub_sig->details.cs_signature,
	698	&bsign_pub->details.cs_public_key,
	699	message,
	700	message_size))
	701	{
	702	GNUNET_break_op (0);
	703	return GNUNET_NO;
	704	}
	705	return GNUNET_YES;
	706	}
	707	GNUNET_break (0);
	708	return GNUNET_NO;
	709	}
	710
	711
	712	/* end of crypto_blind_sign.c */