1 files changed, 713 insertions, 0 deletions
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
new file mode 100644
index 000000000..ac611cf4f
--- /dev/null
+++ b/src/lib/util/crypto_blind_sign.c
@@ -0,0 +1,713 @@
+/*
+  This file is part of GNUNET
+  Copyright (C) 2021, 2022, 2023 GNUnet e.V.
+  GNUNET is free software; you can redistribute it and/or modify it under the
+  terms of the GNU General Public License as published by the Free Software
+  Foundation; either version 3, or (at your option) any later version.
+  GNUNET is distributed in the hope that it will be useful, but WITHOUT ANY
+  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+  A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+  You should have received a copy of the GNU General Public License along with
+  GNUNET; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file crypto_blind_sign.c
+ * @brief blind signatures (abstraction over RSA or CS)
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+void
+GNUNET_CRYPTO_blinding_input_values_decref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm)
+{
+  GNUNET_assert (bm->rc > 0);
+  bm->rc--;
+  if (0 != bm->rc)
+    return;
+  switch (bm->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (bm);
+}
+void
+GNUNET_CRYPTO_blind_sign_priv_decref (struct
+                                      GNUNET_CRYPTO_BlindSignPrivateKey *
+                                      bsign_priv)
+{
+  GNUNET_assert (bsign_priv->rc > 0);
+  bsign_priv->rc--;
+  if (0 != bsign_priv->rc)
+    return;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != bsign_priv->details.rsa_private_key)
+    {
+      GNUNET_CRYPTO_rsa_private_key_free (bsign_priv->details.rsa_private_key);
+      bsign_priv->details.rsa_private_key = NULL;
+    }
+    bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (bsign_priv);
+}
+void
+GNUNET_CRYPTO_blind_sign_pub_decref (struct
+                                     GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  GNUNET_assert (bsign_pub->rc > 0);
+  bsign_pub->rc--;
+  if (0 != bsign_pub->rc)
+    return;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != bsign_pub->details.rsa_public_key)
+    {
+      GNUNET_CRYPTO_rsa_public_key_free (bsign_pub->details.rsa_public_key);
+      bsign_pub->details.rsa_public_key = NULL;
+    }
+    bsign_pub->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    break;
+  }
+  GNUNET_free (bsign_pub);
+}
+void
+GNUNET_CRYPTO_unblinded_sig_decref (struct
+                                    GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+  GNUNET_assert (ub_sig->rc > 0);
+  ub_sig->rc--;
+  if (0 != ub_sig->rc)
+    return;
+  switch (ub_sig->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != ub_sig->details.rsa_signature)
+    {
+      GNUNET_CRYPTO_rsa_signature_free (ub_sig->details.rsa_signature);
+      ub_sig->details.rsa_signature = NULL;
+    }
+    ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (ub_sig);
+}
+void
+GNUNET_CRYPTO_blinded_sig_decref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+  GNUNET_assert (blind_sig->rc > 0);
+  blind_sig->rc--;
+  if (0 != blind_sig->rc)
+    return;
+  switch (blind_sig->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (NULL != blind_sig->details.blinded_rsa_signature)
+    {
+      GNUNET_CRYPTO_rsa_signature_free (
+        blind_sig->details.blinded_rsa_signature);
+      blind_sig->details.blinded_rsa_signature = NULL;
+    }
+    blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
+    break;
+  }
+  GNUNET_free (blind_sig);
+}
+void
+GNUNET_CRYPTO_blinded_message_decref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm)
+{
+  GNUNET_assert (bm->rc > 0);
+  bm->rc--;
+  if (0 != bm->rc)
+    return;
+  switch (bm->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    GNUNET_free (bm->details.rsa_blinded_message.blinded_msg);
+    break;
+  case GNUNET_CRYPTO_BSA_CS:
+    break;
+  }
+  GNUNET_free (bm);
+}
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_blinded_message_incref (
+  struct GNUNET_CRYPTO_BlindedMessage *bm)
+{
+  bm->rc++;
+  return bm;
+}
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_blinding_input_values_incref (
+  struct GNUNET_CRYPTO_BlindingInputValues *bm)
+{
+  bm->rc++;
+  return bm;
+}
+struct GNUNET_CRYPTO_BlindSignPublicKey *
+GNUNET_CRYPTO_bsign_pub_incref (
+  struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  bsign_pub->rc++;
+  return bsign_pub;
+}
+struct GNUNET_CRYPTO_BlindSignPrivateKey *
+GNUNET_CRYPTO_bsign_priv_incref (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
+{
+  bsign_priv->rc++;
+  return bsign_priv;
+}
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
+{
+  ub_sig->rc++;
+  return ub_sig;
+}
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sig_incref (
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
+{
+  blind_sig->rc++;
+  return blind_sig;
+}
+int
+GNUNET_CRYPTO_bsign_pub_cmp (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2)
+{
+  if (bp1->cipher != bp2->cipher)
+    return (bp1->cipher > bp2->cipher) ? 1 : -1;
+  switch (bp1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_memcmp (&bp1->pub_key_hash,
+                          &bp2->pub_key_hash);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&bp1->pub_key_hash,
+                          &bp2->pub_key_hash);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_ub_sig_cmp (
+  const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
+  const struct GNUNET_CRYPTO_UnblindedSignature *sig2)
+{
+  if (sig1->cipher != sig2->cipher)
+    return (sig1->cipher > sig2->cipher) ? 1 : -1;
+  switch (sig1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.rsa_signature,
+                                            sig2->details.rsa_signature);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&sig1->details.cs_signature,
+                          &sig2->details.cs_signature);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_blind_sig_cmp (
+  const struct GNUNET_CRYPTO_BlindedSignature *sig1,
+  const struct GNUNET_CRYPTO_BlindedSignature *sig2)
+{
+  if (sig1->cipher != sig2->cipher)
+    return (sig1->cipher > sig2->cipher) ? 1 : -1;
+  switch (sig1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.blinded_rsa_signature,
+                                            sig2->details.blinded_rsa_signature);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&sig1->details.blinded_cs_answer,
+                          &sig2->details.blinded_cs_answer);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+int
+GNUNET_CRYPTO_blinded_message_cmp (
+  const struct GNUNET_CRYPTO_BlindedMessage *bp1,
+  const struct GNUNET_CRYPTO_BlindedMessage *bp2)
+{
+  if (bp1->cipher != bp2->cipher)
+    return (bp1->cipher > bp2->cipher) ? 1 : -1;
+  switch (bp1->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return 0;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (bp1->details.rsa_blinded_message.blinded_msg_size !=
+        bp2->details.rsa_blinded_message.blinded_msg_size)
+      return (bp1->details.rsa_blinded_message.blinded_msg_size >
+              bp2->details.rsa_blinded_message.blinded_msg_size) ? 1 : -1;
+    return memcmp (bp1->details.rsa_blinded_message.blinded_msg,
+                   bp2->details.rsa_blinded_message.blinded_msg,
+                   bp1->details.rsa_blinded_message.blinded_msg_size);
+  case GNUNET_CRYPTO_BSA_CS:
+    return GNUNET_memcmp (&bp1->details.cs_blinded_message,
+                          &bp2->details.cs_blinded_message);
+  }
+  GNUNET_assert (0);
+  return -2;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  ...)
+{
+  enum GNUNET_GenericReturnValue ret;
+  va_list ap;
+  va_start (ap,
+            cipher);
+  ret = GNUNET_CRYPTO_blind_sign_keys_create_va (bsign_priv,
+                                                 bsign_pub,
+                                                 cipher,
+                                                 ap);
+  va_end (ap);
+  return ret;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sign_keys_create_va (
+  struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
+  struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
+  enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
+  va_list ap)
+{
+  struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
+  struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
+  priv = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPrivateKey);
+  priv->rc = 1;
+  priv->cipher = cipher;
+  *bsign_priv = priv;
+  pub = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPublicKey);
+  pub->rc = 1;
+  pub->cipher = cipher;
+  *bsign_pub = pub;
+  switch (cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    break;
+  case GNUNET_CRYPTO_BSA_RSA:
+    {
+      unsigned int bits;
+      bits = va_arg (ap,
+                     unsigned int);
+      if (bits < 512)
+      {
+        GNUNET_break (0);
+        break;
+      }
+      priv->details.rsa_private_key
+        = GNUNET_CRYPTO_rsa_private_key_create (bits);
+    }
+    if (NULL == priv->details.rsa_private_key)
+    {
+      GNUNET_break (0);
+      break;
+    }
+    pub->details.rsa_public_key
+      = GNUNET_CRYPTO_rsa_private_key_get_public (
+          priv->details.rsa_private_key);
+    GNUNET_CRYPTO_rsa_public_key_hash (pub->details.rsa_public_key,
+                                       &pub->pub_key_hash);
+    return GNUNET_OK;
+  case GNUNET_CRYPTO_BSA_CS:
+    GNUNET_CRYPTO_cs_private_key_generate (&priv->details.cs_private_key);
+    GNUNET_CRYPTO_cs_private_key_get_public (
+      &priv->details.cs_private_key,
+      &pub->details.cs_public_key);
+    GNUNET_CRYPTO_hash (&pub->details.cs_public_key,
+                        sizeof(pub->details.cs_public_key),
+                        &pub->pub_key_hash);
+    return GNUNET_OK;
+  }
+  GNUNET_free (priv);
+  GNUNET_free (pub);
+  *bsign_priv = NULL;
+  *bsign_pub = NULL;
+  return GNUNET_SYSERR;
+}
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt)
+{
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
+  biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
+  biv->cipher = bsign_priv->cipher;
+  biv->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (biv);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return biv;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+      GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
+                                 salt,
+                                 &bsign_priv->details.cs_private_key,
+                                 cspriv);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
+                                     &biv->details.cs_values.r_pub[0]);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
+                                     &biv->details.cs_values.r_pub[1]);
+      return biv;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (biv);
+  return NULL;
+}
+struct GNUNET_CRYPTO_BlindedMessage *
+GNUNET_CRYPTO_message_blind_to_sign (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
+{
+  struct GNUNET_CRYPTO_BlindedMessage *bm;
+  bm = GNUNET_new (struct GNUNET_CRYPTO_BlindedMessage);
+  bm->cipher = bsign_pub->cipher;
+  bm->rc = 1;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (bm);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (GNUNET_YES !=
+        GNUNET_CRYPTO_rsa_blind (
+          message,
+          message_size,
+          &bks->rsa_bks,
+          bsign_pub->details.rsa_public_key,
+          &bm->details.rsa_blinded_message))
+    {
+      GNUNET_break (0);
+      GNUNET_free (bm);
+      return NULL;
+    }
+    return bm;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
+      struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+      if (NULL == nonce)
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (bm);
+        return NULL;
+      }
+      GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+                                                bs);
+      GNUNET_CRYPTO_cs_calc_blinded_c (
+        bs,
+        alg_values->details.cs_values.r_pub,
+        &bsign_pub->details.cs_public_key,
+        message,
+        message_size,
+        bm->details.cs_blinded_message.c,
+        &blinded_r_pub);
+      bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
+      (void) blinded_r_pub;
+      return bm;
+    }
+  }
+  GNUNET_break (0);
+  return NULL;
+}
+struct GNUNET_CRYPTO_BlindedSignature *
+GNUNET_CRYPTO_blind_sign (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const char *salt,
+  const struct GNUNET_CRYPTO_BlindedMessage *blinded_message)
+{
+  struct GNUNET_CRYPTO_BlindedSignature *blind_sig;
+  if (blinded_message->cipher != bsign_priv->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  blind_sig = GNUNET_new (struct GNUNET_CRYPTO_BlindedSignature);
+  blind_sig->cipher = bsign_priv->cipher;
+  blind_sig->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (blind_sig);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    blind_sig->details.blinded_rsa_signature
+      = GNUNET_CRYPTO_rsa_sign_blinded (
+          bsign_priv->details.rsa_private_key,
+          &blinded_message->details.rsa_blinded_message);
+    if (NULL == blind_sig->details.blinded_rsa_signature)
+    {
+      GNUNET_break (0);
+      GNUNET_free (blind_sig);
+      return NULL;
+    }
+    return blind_sig;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret r[2];
+      GNUNET_CRYPTO_cs_r_derive (
+        &blinded_message->details.cs_blinded_message.nonce,
+        salt,
+        &bsign_priv->details.cs_private_key,
+        r);
+      GNUNET_CRYPTO_cs_sign_derive (
+        &bsign_priv->details.cs_private_key,
+        r,
+        &blinded_message->details.cs_blinded_message,
+        &blind_sig->details.blinded_cs_answer);
+    }
+    return blind_sig;
+  }
+  GNUNET_break (0);
+  return NULL;
+}
+struct GNUNET_CRYPTO_UnblindedSignature *
+GNUNET_CRYPTO_blind_sig_unblind (
+  const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
+  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const void *message,
+  size_t message_size,
+  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
+{
+  struct GNUNET_CRYPTO_UnblindedSignature *ub_sig;
+  if (blinded_sig->cipher != bsign_pub->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  if (blinded_sig->cipher != alg_values->cipher)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  ub_sig = GNUNET_new (struct GNUNET_CRYPTO_UnblindedSignature);
+  ub_sig->cipher = blinded_sig->cipher;
+  ub_sig->rc = 1;
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (ub_sig);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    ub_sig->details.rsa_signature
+      = GNUNET_CRYPTO_rsa_unblind (
+          blinded_sig->details.blinded_rsa_signature,
+          &bks->rsa_bks,
+          bsign_pub->details.rsa_public_key);
+    if (NULL == ub_sig->details.rsa_signature)
+    {
+      GNUNET_break (0);
+      GNUNET_free (ub_sig);
+      return NULL;
+    }
+    return ub_sig;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+      struct GNUNET_CRYPTO_CsC c[2];
+      struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
+      unsigned int b;
+      GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
+                                                bs);
+      GNUNET_CRYPTO_cs_calc_blinded_c (
+        bs,
+        alg_values->details.cs_values.r_pub,
+        &bsign_pub->details.cs_public_key,
+        message,
+        message_size,
+        c,
+        &r_pub_blind);
+      b = blinded_sig->details.blinded_cs_answer.b;
+      ub_sig->details.cs_signature.r_point
+        = r_pub_blind.r_pub[b];
+      GNUNET_CRYPTO_cs_unblind (
+        &blinded_sig->details.blinded_cs_answer.s_scalar,
+        &bs[b],
+        &ub_sig->details.cs_signature.s_scalar);
+      return ub_sig;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (ub_sig);
+  return NULL;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_blind_sig_verify (
+  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
+  const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
+  const void *message,
+  size_t message_size)
+{
+  if (bsign_pub->cipher != ub_sig->cipher)
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
+  }
+  switch (bsign_pub->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    return GNUNET_NO;
+  case GNUNET_CRYPTO_BSA_RSA:
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_rsa_verify (message,
+                                  message_size,
+                                  ub_sig->details.rsa_signature,
+                                  bsign_pub->details.rsa_public_key))
+    {
+      GNUNET_break_op (0);
+      return GNUNET_NO;
+    }
+    return GNUNET_YES;
+  case GNUNET_CRYPTO_BSA_CS:
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_cs_verify (&ub_sig->details.cs_signature,
+                                 &bsign_pub->details.cs_public_key,
+                                 message,
+                                 message_size))
+    {
+      GNUNET_break_op (0);
+      return GNUNET_NO;
+    }
+    return GNUNET_YES;
+  }
+  GNUNET_break (0);
+  return GNUNET_NO;
+}
+/* end of crypto_blind_sign.c */

diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c new file mode 100644 index 000000000..ac611cf4f --- /dev/null +++ b/src/lib/util/crypto_blind_sign.c
@@ -0,0 +1,713 @@
	1	/*
	2	This file is part of GNUNET
	3	Copyright (C) 2021, 2022, 2023 GNUnet e.V.
	4
	5	GNUNET is free software; you can redistribute it and/or modify it under the
	6	terms of the GNU General Public License as published by the Free Software
	7	Foundation; either version 3, or (at your option) any later version.
	8
	9	GNUNET is distributed in the hope that it will be useful, but WITHOUT ANY
	10	WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
	11	A PARTICULAR PURPOSE. See the GNU General Public License for more details.
	12
	13	You should have received a copy of the GNU General Public License along with
	14	GNUNET; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
	15	*/
	16	/**
	17	* @file crypto_blind_sign.c
	18	* @brief blind signatures (abstraction over RSA or CS)
	19	* @author Christian Grothoff
	20	*/
	21	#include "platform.h"
	22	#include "gnunet_util_lib.h"
	23
	24
	25	void
	26	GNUNET_CRYPTO_blinding_input_values_decref (
	27	struct GNUNET_CRYPTO_BlindingInputValues *bm)
	28	{
	29	GNUNET_assert (bm->rc > 0);
	30	bm->rc--;
	31	if (0 != bm->rc)
	32	return;
	33	switch (bm->cipher)
	34	{
	35	case GNUNET_CRYPTO_BSA_INVALID:
	36	GNUNET_break (0);
	37	break;
	38	case GNUNET_CRYPTO_BSA_RSA:
	39	bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
	40	break;
	41	case GNUNET_CRYPTO_BSA_CS:
	42	bm->cipher = GNUNET_CRYPTO_BSA_INVALID;
	43	break;
	44	}
	45	GNUNET_free (bm);
	46	}
	47
	48
	49	void
	50	GNUNET_CRYPTO_blind_sign_priv_decref (struct
	51	GNUNET_CRYPTO_BlindSignPrivateKey *
	52	bsign_priv)
	53	{
	54	GNUNET_assert (bsign_priv->rc > 0);
	55	bsign_priv->rc--;
	56	if (0 != bsign_priv->rc)
	57	return;
	58	switch (bsign_priv->cipher)
	59	{
	60	case GNUNET_CRYPTO_BSA_INVALID:
	61	GNUNET_break (0);
	62	break;
	63	case GNUNET_CRYPTO_BSA_RSA:
	64	if (NULL != bsign_priv->details.rsa_private_key)
	65	{
	66	GNUNET_CRYPTO_rsa_private_key_free (bsign_priv->details.rsa_private_key);
	67	bsign_priv->details.rsa_private_key = NULL;
	68	}
	69	bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
	70	break;
	71	case GNUNET_CRYPTO_BSA_CS:
	72	bsign_priv->cipher = GNUNET_CRYPTO_BSA_INVALID;
	73	break;
	74	}
	75	GNUNET_free (bsign_priv);
	76	}
	77
	78
	79	void
	80	GNUNET_CRYPTO_blind_sign_pub_decref (struct
	81	GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	82	{
	83	GNUNET_assert (bsign_pub->rc > 0);
	84	bsign_pub->rc--;
	85	if (0 != bsign_pub->rc)
	86	return;
	87	switch (bsign_pub->cipher)
	88	{
	89	case GNUNET_CRYPTO_BSA_INVALID:
	90	GNUNET_break (0);
	91	break;
	92	case GNUNET_CRYPTO_BSA_RSA:
	93	if (NULL != bsign_pub->details.rsa_public_key)
	94	{
	95	GNUNET_CRYPTO_rsa_public_key_free (bsign_pub->details.rsa_public_key);
	96	bsign_pub->details.rsa_public_key = NULL;
	97	}
	98	bsign_pub->cipher = GNUNET_CRYPTO_BSA_INVALID;
	99	break;
	100	case GNUNET_CRYPTO_BSA_CS:
	101	break;
	102	}
	103	GNUNET_free (bsign_pub);
	104	}
	105
	106
	107	void
	108	GNUNET_CRYPTO_unblinded_sig_decref (struct
	109	GNUNET_CRYPTO_UnblindedSignature *ub_sig)
	110	{
	111	GNUNET_assert (ub_sig->rc > 0);
	112	ub_sig->rc--;
	113	if (0 != ub_sig->rc)
	114	return;
	115	switch (ub_sig->cipher)
	116	{
	117	case GNUNET_CRYPTO_BSA_INVALID:
	118	GNUNET_break (0);
	119	break;
	120	case GNUNET_CRYPTO_BSA_RSA:
	121	if (NULL != ub_sig->details.rsa_signature)
	122	{
	123	GNUNET_CRYPTO_rsa_signature_free (ub_sig->details.rsa_signature);
	124	ub_sig->details.rsa_signature = NULL;
	125	}
	126	ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	127	break;
	128	case GNUNET_CRYPTO_BSA_CS:
	129	ub_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	130	break;
	131	}
	132	GNUNET_free (ub_sig);
	133	}
	134
	135
	136	void
	137	GNUNET_CRYPTO_blinded_sig_decref (
	138	struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
	139	{
	140	GNUNET_assert (blind_sig->rc > 0);
	141	blind_sig->rc--;
	142	if (0 != blind_sig->rc)
	143	return;
	144	switch (blind_sig->cipher)
	145	{
	146	case GNUNET_CRYPTO_BSA_INVALID:
	147	GNUNET_break (0);
	148	break;
	149	case GNUNET_CRYPTO_BSA_RSA:
	150	if (NULL != blind_sig->details.blinded_rsa_signature)
	151	{
	152	GNUNET_CRYPTO_rsa_signature_free (
	153	blind_sig->details.blinded_rsa_signature);
	154	blind_sig->details.blinded_rsa_signature = NULL;
	155	}
	156	blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	157	break;
	158	case GNUNET_CRYPTO_BSA_CS:
	159	blind_sig->cipher = GNUNET_CRYPTO_BSA_INVALID;
	160	break;
	161	}
	162	GNUNET_free (blind_sig);
	163	}
	164
	165
	166	void
	167	GNUNET_CRYPTO_blinded_message_decref (
	168	struct GNUNET_CRYPTO_BlindedMessage *bm)
	169	{
	170	GNUNET_assert (bm->rc > 0);
	171	bm->rc--;
	172	if (0 != bm->rc)
	173	return;
	174	switch (bm->cipher)
	175	{
	176	case GNUNET_CRYPTO_BSA_INVALID:
	177	GNUNET_break (0);
	178	break;
	179	case GNUNET_CRYPTO_BSA_RSA:
	180	GNUNET_free (bm->details.rsa_blinded_message.blinded_msg);
	181	break;
	182	case GNUNET_CRYPTO_BSA_CS:
	183	break;
	184	}
	185	GNUNET_free (bm);
	186	}
	187
	188
	189	struct GNUNET_CRYPTO_BlindedMessage *
	190	GNUNET_CRYPTO_blinded_message_incref (
	191	struct GNUNET_CRYPTO_BlindedMessage *bm)
	192	{
	193	bm->rc++;
	194	return bm;
	195	}
	196
	197
	198	struct GNUNET_CRYPTO_BlindingInputValues *
	199	GNUNET_CRYPTO_blinding_input_values_incref (
	200	struct GNUNET_CRYPTO_BlindingInputValues *bm)
	201	{
	202	bm->rc++;
	203	return bm;
	204	}
	205
	206
	207	struct GNUNET_CRYPTO_BlindSignPublicKey *
	208	GNUNET_CRYPTO_bsign_pub_incref (
	209	struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	210	{
	211	bsign_pub->rc++;
	212	return bsign_pub;
	213	}
	214
	215
	216	struct GNUNET_CRYPTO_BlindSignPrivateKey *
	217	GNUNET_CRYPTO_bsign_priv_incref (
	218	struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv)
	219	{
	220	bsign_priv->rc++;
	221	return bsign_priv;
	222	}
	223
	224
	225	struct GNUNET_CRYPTO_UnblindedSignature *
	226	GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig)
	227	{
	228	ub_sig->rc++;
	229	return ub_sig;
	230	}
	231
	232
	233	struct GNUNET_CRYPTO_BlindedSignature *
	234	GNUNET_CRYPTO_blind_sig_incref (
	235	struct GNUNET_CRYPTO_BlindedSignature *blind_sig)
	236	{
	237	blind_sig->rc++;
	238	return blind_sig;
	239	}
	240
	241
	242	int
	243	GNUNET_CRYPTO_bsign_pub_cmp (
	244	const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1,
	245	const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2)
	246	{
	247	if (bp1->cipher != bp2->cipher)
	248	return (bp1->cipher > bp2->cipher) ? 1 : -1;
	249	switch (bp1->cipher)
	250	{
	251	case GNUNET_CRYPTO_BSA_INVALID:
	252	GNUNET_break (0);
	253	return 0;
	254	case GNUNET_CRYPTO_BSA_RSA:
	255	return GNUNET_memcmp (&bp1->pub_key_hash,
	256	&bp2->pub_key_hash);
	257	case GNUNET_CRYPTO_BSA_CS:
	258	return GNUNET_memcmp (&bp1->pub_key_hash,
	259	&bp2->pub_key_hash);
	260	}
	261	GNUNET_assert (0);
	262	return -2;
	263	}
	264
	265
	266	int
	267	GNUNET_CRYPTO_ub_sig_cmp (
	268	const struct GNUNET_CRYPTO_UnblindedSignature *sig1,
	269	const struct GNUNET_CRYPTO_UnblindedSignature *sig2)
	270	{
	271	if (sig1->cipher != sig2->cipher)
	272	return (sig1->cipher > sig2->cipher) ? 1 : -1;
	273	switch (sig1->cipher)
	274	{
	275	case GNUNET_CRYPTO_BSA_INVALID:
	276	GNUNET_break (0);
	277	return 0;
	278	case GNUNET_CRYPTO_BSA_RSA:
	279	return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.rsa_signature,
	280	sig2->details.rsa_signature);
	281	case GNUNET_CRYPTO_BSA_CS:
	282	return GNUNET_memcmp (&sig1->details.cs_signature,
	283	&sig2->details.cs_signature);
	284	}
	285	GNUNET_assert (0);
	286	return -2;
	287	}
	288
	289
	290	int
	291	GNUNET_CRYPTO_blind_sig_cmp (
	292	const struct GNUNET_CRYPTO_BlindedSignature *sig1,
	293	const struct GNUNET_CRYPTO_BlindedSignature *sig2)
	294	{
	295	if (sig1->cipher != sig2->cipher)
	296	return (sig1->cipher > sig2->cipher) ? 1 : -1;
	297	switch (sig1->cipher)
	298	{
	299	case GNUNET_CRYPTO_BSA_INVALID:
	300	GNUNET_break (0);
	301	return 0;
	302	case GNUNET_CRYPTO_BSA_RSA:
	303	return GNUNET_CRYPTO_rsa_signature_cmp (sig1->details.blinded_rsa_signature,
	304	sig2->details.blinded_rsa_signature);
	305	case GNUNET_CRYPTO_BSA_CS:
	306	return GNUNET_memcmp (&sig1->details.blinded_cs_answer,
	307	&sig2->details.blinded_cs_answer);
	308	}
	309	GNUNET_assert (0);
	310	return -2;
	311	}
	312
	313
	314	int
	315	GNUNET_CRYPTO_blinded_message_cmp (
	316	const struct GNUNET_CRYPTO_BlindedMessage *bp1,
	317	const struct GNUNET_CRYPTO_BlindedMessage *bp2)
	318	{
	319	if (bp1->cipher != bp2->cipher)
	320	return (bp1->cipher > bp2->cipher) ? 1 : -1;
	321	switch (bp1->cipher)
	322	{
	323	case GNUNET_CRYPTO_BSA_INVALID:
	324	GNUNET_break (0);
	325	return 0;
	326	case GNUNET_CRYPTO_BSA_RSA:
	327	if (bp1->details.rsa_blinded_message.blinded_msg_size !=
	328	bp2->details.rsa_blinded_message.blinded_msg_size)
	329	return (bp1->details.rsa_blinded_message.blinded_msg_size >
	330	bp2->details.rsa_blinded_message.blinded_msg_size) ? 1 : -1;
	331	return memcmp (bp1->details.rsa_blinded_message.blinded_msg,
	332	bp2->details.rsa_blinded_message.blinded_msg,
	333	bp1->details.rsa_blinded_message.blinded_msg_size);
	334	case GNUNET_CRYPTO_BSA_CS:
	335	return GNUNET_memcmp (&bp1->details.cs_blinded_message,
	336	&bp2->details.cs_blinded_message);
	337	}
	338	GNUNET_assert (0);
	339	return -2;
	340	}
	341
	342
	343	enum GNUNET_GenericReturnValue
	344	GNUNET_CRYPTO_blind_sign_keys_create (
	345	struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
	346	struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
	347	enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
	348	...)
	349	{
	350	enum GNUNET_GenericReturnValue ret;
	351	va_list ap;
	352
	353	va_start (ap,
	354	cipher);
	355	ret = GNUNET_CRYPTO_blind_sign_keys_create_va (bsign_priv,
	356	bsign_pub,
	357	cipher,
	358	ap);
	359	va_end (ap);
	360	return ret;
	361	}
	362
	363
	364	enum GNUNET_GenericReturnValue
	365	GNUNET_CRYPTO_blind_sign_keys_create_va (
	366	struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv,
	367	struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub,
	368	enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher,
	369	va_list ap)
	370	{
	371	struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
	372	struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
	373
	374	priv = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPrivateKey);
	375	priv->rc = 1;
	376	priv->cipher = cipher;
	377	*bsign_priv = priv;
	378	pub = GNUNET_new (struct GNUNET_CRYPTO_BlindSignPublicKey);
	379	pub->rc = 1;
	380	pub->cipher = cipher;
	381	*bsign_pub = pub;
	382	switch (cipher)
	383	{
	384	case GNUNET_CRYPTO_BSA_INVALID:
	385	GNUNET_break (0);
	386	break;
	387	case GNUNET_CRYPTO_BSA_RSA:
	388	{
	389	unsigned int bits;
	390
	391	bits = va_arg (ap,
	392	unsigned int);
	393	if (bits < 512)
	394	{
	395	GNUNET_break (0);
	396	break;
	397	}
	398	priv->details.rsa_private_key
	399	= GNUNET_CRYPTO_rsa_private_key_create (bits);
	400	}
	401	if (NULL == priv->details.rsa_private_key)
	402	{
	403	GNUNET_break (0);
	404	break;
	405	}
	406	pub->details.rsa_public_key
	407	= GNUNET_CRYPTO_rsa_private_key_get_public (
	408	priv->details.rsa_private_key);
	409	GNUNET_CRYPTO_rsa_public_key_hash (pub->details.rsa_public_key,
	410	&pub->pub_key_hash);
	411	return GNUNET_OK;
	412	case GNUNET_CRYPTO_BSA_CS:
	413	GNUNET_CRYPTO_cs_private_key_generate (&priv->details.cs_private_key);
	414	GNUNET_CRYPTO_cs_private_key_get_public (
	415	&priv->details.cs_private_key,
	416	&pub->details.cs_public_key);
	417	GNUNET_CRYPTO_hash (&pub->details.cs_public_key,
	418	sizeof(pub->details.cs_public_key),
	419	&pub->pub_key_hash);
	420	return GNUNET_OK;
	421	}
	422	GNUNET_free (priv);
	423	GNUNET_free (pub);
	424	*bsign_priv = NULL;
	425	*bsign_pub = NULL;
	426	return GNUNET_SYSERR;
	427	}
	428
	429
	430	struct GNUNET_CRYPTO_BlindingInputValues *
	431	GNUNET_CRYPTO_get_blinding_input_values (
	432	const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
	433	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
	434	const char *salt)
	435	{
	436	struct GNUNET_CRYPTO_BlindingInputValues *biv;
	437
	438	biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
	439	biv->cipher = bsign_priv->cipher;
	440	biv->rc = 1;
	441	switch (bsign_priv->cipher)
	442	{
	443	case GNUNET_CRYPTO_BSA_INVALID:
	444	GNUNET_break (0);
	445	GNUNET_free (biv);
	446	return NULL;
	447	case GNUNET_CRYPTO_BSA_RSA:
	448	return biv;
	449	case GNUNET_CRYPTO_BSA_CS:
	450	{
	451	struct GNUNET_CRYPTO_CsRSecret cspriv[2];
	452
	453	GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
	454	salt,
	455	&bsign_priv->details.cs_private_key,
	456	cspriv);
	457	GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
	458	&biv->details.cs_values.r_pub[0]);
	459	GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
	460	&biv->details.cs_values.r_pub[1]);
	461	return biv;
	462	}
	463	}
	464	GNUNET_break (0);
	465	GNUNET_free (biv);
	466	return NULL;
	467	}
	468
	469
	470	struct GNUNET_CRYPTO_BlindedMessage *
	471	GNUNET_CRYPTO_message_blind_to_sign (
	472	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
	473	const union GNUNET_CRYPTO_BlindingSecretP *bks,
	474	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
	475	const void *message,
	476	size_t message_size,
	477	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
	478	{
	479	struct GNUNET_CRYPTO_BlindedMessage *bm;
	480
	481	bm = GNUNET_new (struct GNUNET_CRYPTO_BlindedMessage);
	482	bm->cipher = bsign_pub->cipher;
	483	bm->rc = 1;
	484	switch (bsign_pub->cipher)
	485	{
	486	case GNUNET_CRYPTO_BSA_INVALID:
	487	GNUNET_break (0);
	488	GNUNET_free (bm);
	489	return NULL;
	490	case GNUNET_CRYPTO_BSA_RSA:
	491	if (GNUNET_YES !=
	492	GNUNET_CRYPTO_rsa_blind (
	493	message,
	494	message_size,
	495	&bks->rsa_bks,
	496	bsign_pub->details.rsa_public_key,
	497	&bm->details.rsa_blinded_message))
	498	{
	499	GNUNET_break (0);
	500	GNUNET_free (bm);
	501	return NULL;
	502	}
	503	return bm;
	504	case GNUNET_CRYPTO_BSA_CS:
	505	{
	506	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
	507	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
	508
	509	if (NULL == nonce)
	510	{
	511	GNUNET_break_op (0);
	512	GNUNET_free (bm);
	513	return NULL;
	514	}
	515	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
	516	bs);
	517	GNUNET_CRYPTO_cs_calc_blinded_c (
	518	bs,
	519	alg_values->details.cs_values.r_pub,
	520	&bsign_pub->details.cs_public_key,
	521	message,
	522	message_size,
	523	bm->details.cs_blinded_message.c,
	524	&blinded_r_pub);
	525	bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
	526	(void) blinded_r_pub;
	527	return bm;
	528	}
	529	}
	530	GNUNET_break (0);
	531	return NULL;
	532	}
	533
	534
	535	struct GNUNET_CRYPTO_BlindedSignature *
	536	GNUNET_CRYPTO_blind_sign (
	537	const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
	538	const char *salt,
	539	const struct GNUNET_CRYPTO_BlindedMessage *blinded_message)
	540	{
	541	struct GNUNET_CRYPTO_BlindedSignature *blind_sig;
	542
	543	if (blinded_message->cipher != bsign_priv->cipher)
	544	{
	545	GNUNET_break (0);
	546	return NULL;
	547	}
	548
	549	blind_sig = GNUNET_new (struct GNUNET_CRYPTO_BlindedSignature);
	550	blind_sig->cipher = bsign_priv->cipher;
	551	blind_sig->rc = 1;
	552	switch (bsign_priv->cipher)
	553	{
	554	case GNUNET_CRYPTO_BSA_INVALID:
	555	GNUNET_break (0);
	556	GNUNET_free (blind_sig);
	557	return NULL;
	558	case GNUNET_CRYPTO_BSA_RSA:
	559	blind_sig->details.blinded_rsa_signature
	560	= GNUNET_CRYPTO_rsa_sign_blinded (
	561	bsign_priv->details.rsa_private_key,
	562	&blinded_message->details.rsa_blinded_message);
	563	if (NULL == blind_sig->details.blinded_rsa_signature)
	564	{
	565	GNUNET_break (0);
	566	GNUNET_free (blind_sig);
	567	return NULL;
	568	}
	569	return blind_sig;
	570	case GNUNET_CRYPTO_BSA_CS:
	571	{
	572	struct GNUNET_CRYPTO_CsRSecret r[2];
	573
	574	GNUNET_CRYPTO_cs_r_derive (
	575	&blinded_message->details.cs_blinded_message.nonce,
	576	salt,
	577	&bsign_priv->details.cs_private_key,
	578	r);
	579	GNUNET_CRYPTO_cs_sign_derive (
	580	&bsign_priv->details.cs_private_key,
	581	r,
	582	&blinded_message->details.cs_blinded_message,
	583	&blind_sig->details.blinded_cs_answer);
	584	}
	585	return blind_sig;
	586	}
	587	GNUNET_break (0);
	588	return NULL;
	589	}
	590
	591
	592	struct GNUNET_CRYPTO_UnblindedSignature *
	593	GNUNET_CRYPTO_blind_sig_unblind (
	594	const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig,
	595	const union GNUNET_CRYPTO_BlindingSecretP *bks,
	596	const void *message,
	597	size_t message_size,
	598	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values,
	599	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub)
	600	{
	601	struct GNUNET_CRYPTO_UnblindedSignature *ub_sig;
	602
	603	if (blinded_sig->cipher != bsign_pub->cipher)
	604	{
	605	GNUNET_break (0);
	606	return NULL;
	607	}
	608	if (blinded_sig->cipher != alg_values->cipher)
	609	{
	610	GNUNET_break (0);
	611	return NULL;
	612	}
	613	ub_sig = GNUNET_new (struct GNUNET_CRYPTO_UnblindedSignature);
	614	ub_sig->cipher = blinded_sig->cipher;
	615	ub_sig->rc = 1;
	616	switch (bsign_pub->cipher)
	617	{
	618	case GNUNET_CRYPTO_BSA_INVALID:
	619	GNUNET_break (0);
	620	GNUNET_free (ub_sig);
	621	return NULL;
	622	case GNUNET_CRYPTO_BSA_RSA:
	623	ub_sig->details.rsa_signature
	624	= GNUNET_CRYPTO_rsa_unblind (
	625	blinded_sig->details.blinded_rsa_signature,
	626	&bks->rsa_bks,
	627	bsign_pub->details.rsa_public_key);
	628	if (NULL == ub_sig->details.rsa_signature)
	629	{
	630	GNUNET_break (0);
	631	GNUNET_free (ub_sig);
	632	return NULL;
	633	}
	634	return ub_sig;
	635	case GNUNET_CRYPTO_BSA_CS:
	636	{
	637	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
	638	struct GNUNET_CRYPTO_CsC c[2];
	639	struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
	640	unsigned int b;
	641
	642	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
	643	bs);
	644	GNUNET_CRYPTO_cs_calc_blinded_c (
	645	bs,
	646	alg_values->details.cs_values.r_pub,
	647	&bsign_pub->details.cs_public_key,
	648	message,
	649	message_size,
	650	c,
	651	&r_pub_blind);
	652	b = blinded_sig->details.blinded_cs_answer.b;
	653	ub_sig->details.cs_signature.r_point
	654	= r_pub_blind.r_pub[b];
	655	GNUNET_CRYPTO_cs_unblind (
	656	&blinded_sig->details.blinded_cs_answer.s_scalar,
	657	&bs[b],
	658	&ub_sig->details.cs_signature.s_scalar);
	659	return ub_sig;
	660	}
	661	}
	662	GNUNET_break (0);
	663	GNUNET_free (ub_sig);
	664	return NULL;
	665	}
	666
	667
	668	enum GNUNET_GenericReturnValue
	669	GNUNET_CRYPTO_blind_sig_verify (
	670	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
	671	const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig,
	672	const void *message,
	673	size_t message_size)
	674	{
	675	if (bsign_pub->cipher != ub_sig->cipher)
	676	{
	677	GNUNET_break (0);
	678	return GNUNET_SYSERR;
	679	}
	680	switch (bsign_pub->cipher)
	681	{
	682	case GNUNET_CRYPTO_BSA_INVALID:
	683	GNUNET_break (0);
	684	return GNUNET_NO;
	685	case GNUNET_CRYPTO_BSA_RSA:
	686	if (GNUNET_OK !=
	687	GNUNET_CRYPTO_rsa_verify (message,
	688	message_size,
	689	ub_sig->details.rsa_signature,
	690	bsign_pub->details.rsa_public_key))
	691	{
	692	GNUNET_break_op (0);
	693	return GNUNET_NO;
	694	}
	695	return GNUNET_YES;
	696	case GNUNET_CRYPTO_BSA_CS:
	697	if (GNUNET_OK !=
	698	GNUNET_CRYPTO_cs_verify (&ub_sig->details.cs_signature,
	699	&bsign_pub->details.cs_public_key,
	700	message,
	701	message_size))
	702	{
	703	GNUNET_break_op (0);
	704	return GNUNET_NO;
	705	}
	706	return GNUNET_YES;
	707	}
	708	GNUNET_break (0);
	709	return GNUNET_NO;
	710	}
	711
	712
	713	/* end of crypto_blind_sign.c */