4 files changed, 118 insertions, 61 deletions
diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c
index bf6fbc119..469f6f5b8 100644
--- a/src/lib/util/crypto_blind_sign.c
+++ b/src/lib/util/crypto_blind_sign.c
@@ -388,10 +388,51 @@ GNUNET_CRYPTO_blind_sign_keys_create_va (
 }
+struct GNUNET_CRYPTO_BlindingInputValues *
+GNUNET_CRYPTO_get_blinding_input_values (
+  const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
+  const char *salt)
+{
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
+  biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
+  biv->cipher = bsign_priv->cipher;
+  biv->rc = 1;
+  switch (bsign_priv->cipher)
+  {
+  case GNUNET_CRYPTO_BSA_INVALID:
+    GNUNET_break (0);
+    GNUNET_free (biv);
+    return NULL;
+  case GNUNET_CRYPTO_BSA_RSA:
+    return biv;
+  case GNUNET_CRYPTO_BSA_CS:
+    {
+      struct GNUNET_CRYPTO_CsRSecret cspriv[2];
+      GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
+                                 salt,
+                                 &bsign_priv->details.cs_private_key,
+                                 cspriv);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
+                                     &biv->details.cs_values.r_pub[0]);
+      GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
+                                     &biv->details.cs_values.r_pub[1]);
+      return biv;
+    }
+  }
+  GNUNET_break (0);
+  GNUNET_free (biv);
+  return NULL;
+}
 struct GNUNET_CRYPTO_BlindedMessage *
 GNUNET_CRYPTO_message_blind_to_sign (
  const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
  const union GNUNET_CRYPTO_BlindingSecretP *bks,
+  const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
  const void *message,
  size_t message_size,
  const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
@@ -426,6 +467,12 @@ GNUNET_CRYPTO_message_blind_to_sign (
      struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
      struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+      if (NULL == nonce)
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (bm);
+        return NULL;
+      }
      GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
                                                bs);
      GNUNET_CRYPTO_cs_calc_blinded_c (
@@ -435,10 +482,9 @@ GNUNET_CRYPTO_message_blind_to_sign (
        message,
        message_size,
        bm->details.cs_blinded_message.c,
-        blinded_r_pub.r_pub);
+        &blinded_r_pub);
+      bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
      (void) blinded_r_pub;
-      // FIXME: bs->details.cs_blinded_message.nonce
-      // is NOT initialized here. Not elegant!
      return bm;
    }
  }
@@ -562,7 +608,7 @@ GNUNET_CRYPTO_blind_sig_unblind (
        message,
        message_size,
        c,
-        r_pub_blind.r_pub);
+        &r_pub_blind);
      b = blinded_sig->details.blinded_cs_answer.b;
      ub_sig->details.cs_signature.r_point
        = r_pub_blind.r_pub[b];
diff --git a/src/lib/util/crypto_cs.c b/src/lib/util/crypto_cs.c
index 2ff7c70ce..049f63062 100644
--- a/src/lib/util/crypto_cs.c
+++ b/src/lib/util/crypto_cs.c
@@ -158,8 +158,12 @@ cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash,
  // SHA-512 hash of R' and message
  size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
  char r_m_concat[r_m_concat_len];
-  memcpy (r_m_concat, r_dash, sizeof(struct GNUNET_CRYPTO_CsRPublic));
+  memcpy (r_m_concat,
-  memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic), msg, msg_len);
+          r_dash,
+          sizeof(struct GNUNET_CRYPTO_CsRPublic));
+  memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
+          msg,
+          msg_len);
  struct GNUNET_HashCode prehash;
  GNUNET_CRYPTO_hash (r_m_concat,
@@ -215,18 +219,21 @@ calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
                   alpha_mul_base.y,
                   bs->alpha.d));
  struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
-  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_mul_pub.y,
+  GNUNET_assert (0 ==
-                                                         bs->beta.d,
+                 crypto_scalarmult_ed25519_noclamp (
-                                                         pub->point.y));
+                   beta_mul_pub.y,
+                   bs->beta.d,
+                   pub->point.y));
  struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
  GNUNET_assert (0 == crypto_core_ed25519_add (
                   alpha_mul_base_plus_beta_mul_pub.y,
                   alpha_mul_base.y,
                   beta_mul_pub.y));
-  GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,
+  GNUNET_assert (0 ==
-                                               r_pub->point.y,
+                 crypto_core_ed25519_add (
-                                               alpha_mul_base_plus_beta_mul_pub.
+                   blinded_r_pub->point.y,
-                                               y));
+                   r_pub->point.y,
+                   alpha_mul_base_plus_beta_mul_pub.y));
 }
@@ -238,19 +245,33 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
  const void *msg,
  size_t msg_len,
  struct GNUNET_CRYPTO_CsC blinded_c[2],
-  struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+  struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
 {
-  // for i 0/1: R'i = Ri + alpha i*G + beta i*pub
+  /* for i 0/1: R'i = Ri + alpha i*G + beta i*pub */
-  calc_r_dash (&bs[0], &r_pub[0], pub, &blinded_r_pub[0]);
+  calc_r_dash (&bs[0],
-  calc_r_dash (&bs[1], &r_pub[1], pub, &blinded_r_pub[1]);
+               &r_pub[0],
+               pub,
-  // for i 0/1: c'i = H(R'i, msg)
+               &r_pub_blind->r_pub[0]);
+  calc_r_dash (&bs[1],
+               &r_pub[1],
+               pub,
+               &r_pub_blind->r_pub[1]);
+  /* for i 0/1: c'i = H(R'i, msg) */
  struct GNUNET_CRYPTO_CsC c_dash_0;
  struct GNUNET_CRYPTO_CsC c_dash_1;
-  cs_full_domain_hash (&blinded_r_pub[0], msg, msg_len, pub, &c_dash_0);
+  cs_full_domain_hash (&r_pub_blind->r_pub[0],
-  cs_full_domain_hash (&blinded_r_pub[1], msg, msg_len, pub, &c_dash_1);
+                       msg,
+                       msg_len,
+                       pub,
+                       &c_dash_0);
+  cs_full_domain_hash (&r_pub_blind->r_pub[1],
+                       msg,
+                       msg_len,
+                       pub,
+                       &c_dash_1);
-  // for i 0/1: ci = c'i + beta i mod p
+  /* for i 0/1: ci = c'i + beta i mod p */
  crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,
                                  c_dash_0.scalar.d,
                                  bs[0].beta.d);
diff --git a/src/lib/util/test_crypto_blind.c b/src/lib/util/test_crypto_blind.c
index 726516bc2..d7efd79ea 100644
--- a/src/lib/util/test_crypto_blind.c
+++ b/src/lib/util/test_crypto_blind.c
@@ -34,13 +34,12 @@ main (int argc,
 {
  struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
  struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
-  struct GNUNET_CRYPTO_BlindingInputValues biv;
+  struct GNUNET_CRYPTO_BlindingInputValues *biv;
  struct GNUNET_CRYPTO_BlindedMessage *bm;
  struct GNUNET_CRYPTO_BlindedSignature *bsig;
  struct GNUNET_CRYPTO_UnblindedSignature *sig;
  union GNUNET_CRYPTO_BlindingSecretP bsec;
-  struct GNUNET_CRYPTO_CsSessionNonce nonce;
+  union GNUNET_CRYPTO_BlindSessionNonce nonce;
-  struct GNUNET_CRYPTO_CsRSecret cspriv[2];
  GNUNET_log_setup ("test-crypto-blind",
                    "WARNING",
@@ -55,21 +54,15 @@ main (int argc,
                 GNUNET_CRYPTO_blind_sign_keys_create (&priv,
                                                       &pub,
                                                       GNUNET_CRYPTO_BSA_CS));
-  biv.cipher  = GNUNET_CRYPTO_BSA_CS;
+  biv = GNUNET_CRYPTO_get_blinding_input_values (priv,
-  GNUNET_CRYPTO_cs_r_derive (&nonce,
+                                                 &nonce,
-                             "salt",
+                                                 "salt");
-                             &priv->details.cs_private_key,
-                             cspriv);
-  GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
-                                 &biv.details.cs_values.r_pub[0]);
-  GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
-                                 &biv.details.cs_values.r_pub[1]);
  bm = GNUNET_CRYPTO_message_blind_to_sign (pub,
                                            &bsec,
+                                            &nonce,
                                            "hello",
                                            5,
-                                            &biv);
+                                            biv);
-  bm->details.cs_blinded_message.nonce = nonce; // FIXME: ugly!
  bsig = GNUNET_CRYPTO_blind_sign (priv,
                                   "salt",
                                   bm);
@@ -77,7 +70,7 @@ main (int argc,
                                         &bsec,
                                         "hello",
                                         5,
-                                         &biv,
+                                         biv,
                                         pub);
  GNUNET_assert (GNUNET_OK ==
                 GNUNET_CRYPTO_blind_sig_verify (pub,
diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c
index 5b3aac778..ee68db72f 100644
--- a/src/lib/util/test_crypto_cs.c
+++ b/src/lib/util/test_crypto_cs.c
@@ -216,7 +216,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
                    const void *msg,
                    size_t msg_len,
                    struct GNUNET_CRYPTO_CsC blinded_cs[2],
-                    struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])
+                    struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
 {
  /* TEST 1
   * Check that the blinded c's and blinded r's
@@ -227,10 +227,8 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
          &blinded_cs[0],
          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
-  struct GNUNET_CRYPTO_CsRPublic other_blinded_r_pub[2];
+  struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
-  memcpy (&other_blinded_r_pub[0],
+  other_blinded_pub = *blinded_r_pub;
-          &blinded_r_pub[0],
-          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
  GNUNET_CRYPTO_cs_calc_blinded_c (bs,
                                   r_pub,
@@ -243,9 +241,9 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
  GNUNET_assert (0 != memcmp (&other_blinded_c[0],
                              &blinded_cs[0],
                              sizeof(struct GNUNET_CRYPTO_CsC) * 2));
-  GNUNET_assert (0 != memcmp (&other_blinded_r_pub[0],
+  GNUNET_assert (0 !=
-                              &blinded_r_pub[0],
+                 GNUNET_memcmp (&other_blinded_pub,
-                              sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+                                blinded_r_pub));
  /* TEST 2
   * Check if R' - aG -bX = R for b = 0
@@ -270,7 +268,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
    GNUNET_assert (0 ==
                   crypto_core_ed25519_sub (
                     r_min_aG.y,
-                     blinded_r_pub[b].point.y,
+                     blinded_r_pub->r_pub[b].point.y,
                     aG.y));
    GNUNET_assert (0 == crypto_core_ed25519_sub (
                     res.point.y,
@@ -289,10 +287,10 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
   */
  GNUNET_assert (1 ==
                 crypto_core_ed25519_is_valid_point (
-                   blinded_r_pub[0].point.y));
+                   blinded_r_pub->r_pub[0].point.y));
  GNUNET_assert (1 ==
                 crypto_core_ed25519_is_valid_point (
-                   blinded_r_pub[1].point.y));
+                   blinded_r_pub->r_pub[1].point.y));
  /* TEST 4
   * Check if function gives the same result for the same input.
@@ -300,9 +298,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
  memcpy (&other_blinded_c[0],
          &blinded_cs[0],
          sizeof(struct GNUNET_CRYPTO_CsC) * 2);
-  memcpy (&other_blinded_r_pub[0],
+  other_blinded_pub = *blinded_r_pub;
-          &blinded_r_pub[0],
-          sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
  for (unsigned int i = 0; i<ITER; i++)
  {
@@ -313,12 +309,13 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
                                     msg_len,
                                     blinded_cs,
                                     blinded_r_pub);
-    GNUNET_assert (0 == memcmp (&other_blinded_c[0],
+    GNUNET_assert (0 ==
-                                &blinded_cs[0],
+                   memcmp (&other_blinded_c[0],
-                                sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+                           &blinded_cs[0],
-    GNUNET_assert (0 == memcmp (&other_blinded_r_pub[0],
+                           sizeof(struct GNUNET_CRYPTO_CsC) * 2));
-                                &blinded_r_pub[0],
+    GNUNET_assert (0 ==
-                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+                   GNUNET_memcmp (&other_blinded_pub,
+                                  blinded_r_pub));
  }
 }
@@ -563,12 +560,12 @@ main (int argc,
  // calculate blinded c's
  struct GNUNET_CRYPTO_CsBlindedMessage bm; 
  struct GNUNET_CRYPTO_CsC blinded_cs[2];
-  struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];
+  struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
  memset (blinded_cs,
          42,
          sizeof (blinded_cs));
-  memset (blinded_r_pubs,
+  memset (&blinded_r_pubs,
          42,
          sizeof (blinded_r_pubs));
  test_calc_blindedc (blindingsecrets,
@@ -577,7 +574,7 @@ main (int argc,
                      message,
                      message_len,
                      blinded_cs,
-                      blinded_r_pubs);
+                      &blinded_r_pubs);
  // ---------- actions performed by signer
  // sign blinded c's and get b and s in return
@@ -614,7 +611,7 @@ main (int argc,
  // verify unblinded signature
  struct GNUNET_CRYPTO_CsSignature signature;
-  signature.r_point = blinded_r_pubs[blinded_s.b];
+  signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
  signature.s_scalar = sig_scalar;
  test_verify (&signature,
               &pub,

diff --git a/src/lib/util/crypto_blind_sign.c b/src/lib/util/crypto_blind_sign.c index bf6fbc119..469f6f5b8 100644 --- a/src/lib/util/crypto_blind_sign.c +++ b/src/lib/util/crypto_blind_sign.c
@@ -388,10 +388,51 @@ GNUNET_CRYPTO_blind_sign_keys_create_va (
388	}	388	}
389		389
390		390
		391	struct GNUNET_CRYPTO_BlindingInputValues *
		392	GNUNET_CRYPTO_get_blinding_input_values (
		393	const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv,
		394	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
		395	const char *salt)
		396	{
		397	struct GNUNET_CRYPTO_BlindingInputValues *biv;
		398
		399	biv = GNUNET_new (struct GNUNET_CRYPTO_BlindingInputValues);
		400	biv->cipher = bsign_priv->cipher;
		401	biv->rc = 1;
		402	switch (bsign_priv->cipher)
		403	{
		404	case GNUNET_CRYPTO_BSA_INVALID:
		405	GNUNET_break (0);
		406	GNUNET_free (biv);
		407	return NULL;
		408	case GNUNET_CRYPTO_BSA_RSA:
		409	return biv;
		410	case GNUNET_CRYPTO_BSA_CS:
		411	{
		412	struct GNUNET_CRYPTO_CsRSecret cspriv[2];
		413
		414	GNUNET_CRYPTO_cs_r_derive (&nonce->cs_nonce,
		415	salt,
		416	&bsign_priv->details.cs_private_key,
		417	cspriv);
		418	GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
		419	&biv->details.cs_values.r_pub[0]);
		420	GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
		421	&biv->details.cs_values.r_pub[1]);
		422	return biv;
		423	}
		424	}
		425	GNUNET_break (0);
		426	GNUNET_free (biv);
		427	return NULL;
		428	}
		429
		430
391	struct GNUNET_CRYPTO_BlindedMessage *	431	struct GNUNET_CRYPTO_BlindedMessage *
392	GNUNET_CRYPTO_message_blind_to_sign (	432	GNUNET_CRYPTO_message_blind_to_sign (
393	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,	433	const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub,
394	const union GNUNET_CRYPTO_BlindingSecretP *bks,	434	const union GNUNET_CRYPTO_BlindingSecretP *bks,
		435	const union GNUNET_CRYPTO_BlindSessionNonce *nonce,
395	const void *message,	436	const void *message,
396	size_t message_size,	437	size_t message_size,
397	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)	438	const struct GNUNET_CRYPTO_BlindingInputValues *alg_values)
@@ -426,6 +467,12 @@ GNUNET_CRYPTO_message_blind_to_sign (
426	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;	467	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pub;
427	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];	468	struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
428		469
		470	if (NULL == nonce)
		471	{
		472	GNUNET_break_op (0);
		473	GNUNET_free (bm);
		474	return NULL;
		475	}
429	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,	476	GNUNET_CRYPTO_cs_blinding_secrets_derive (&bks->nonce,
430	bs);	477	bs);
431	GNUNET_CRYPTO_cs_calc_blinded_c (	478	GNUNET_CRYPTO_cs_calc_blinded_c (
@@ -435,10 +482,9 @@ GNUNET_CRYPTO_message_blind_to_sign (
435	message,	482	message,
436	message_size,	483	message_size,
437	bm->details.cs_blinded_message.c,	484	bm->details.cs_blinded_message.c,
438	blinded_r_pub.r_pub);	485	&blinded_r_pub);
		486	bm->details.cs_blinded_message.nonce = nonce->cs_nonce;
439	(void) blinded_r_pub;	487	(void) blinded_r_pub;
440	// FIXME: bs->details.cs_blinded_message.nonce
441	// is NOT initialized here. Not elegant!
442	return bm;	488	return bm;
443	}	489	}
444	}	490	}
@@ -562,7 +608,7 @@ GNUNET_CRYPTO_blind_sig_unblind (
562	message,	608	message,
563	message_size,	609	message_size,
564	c,	610	c,
565	r_pub_blind.r_pub);	611	&r_pub_blind);
566	b = blinded_sig->details.blinded_cs_answer.b;	612	b = blinded_sig->details.blinded_cs_answer.b;
567	ub_sig->details.cs_signature.r_point	613	ub_sig->details.cs_signature.r_point
568	= r_pub_blind.r_pub[b];	614	= r_pub_blind.r_pub[b];


diff --git a/src/lib/util/crypto_cs.c b/src/lib/util/crypto_cs.c index 2ff7c70ce..049f63062 100644 --- a/src/lib/util/crypto_cs.c +++ b/src/lib/util/crypto_cs.c
@@ -158,8 +158,12 @@ cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash,
158	// SHA-512 hash of R' and message	158	// SHA-512 hash of R' and message
159	size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;	159	size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
160	char r_m_concat[r_m_concat_len];	160	char r_m_concat[r_m_concat_len];
161	memcpy (r_m_concat, r_dash, sizeof(struct GNUNET_CRYPTO_CsRPublic));	161	memcpy (r_m_concat,
162	memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic), msg, msg_len);	162	r_dash,
		163	sizeof(struct GNUNET_CRYPTO_CsRPublic));
		164	memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
		165	msg,
		166	msg_len);
163	struct GNUNET_HashCode prehash;	167	struct GNUNET_HashCode prehash;
164		168
165	GNUNET_CRYPTO_hash (r_m_concat,	169	GNUNET_CRYPTO_hash (r_m_concat,
@@ -215,18 +219,21 @@ calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
215	alpha_mul_base.y,	219	alpha_mul_base.y,
216	bs->alpha.d));	220	bs->alpha.d));
217	struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;	221	struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
218	GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_mul_pub.y,	222	GNUNET_assert (0 ==
219	bs->beta.d,	223	crypto_scalarmult_ed25519_noclamp (
220	pub->point.y));	224	beta_mul_pub.y,
		225	bs->beta.d,
		226	pub->point.y));
221	struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;	227	struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
222	GNUNET_assert (0 == crypto_core_ed25519_add (	228	GNUNET_assert (0 == crypto_core_ed25519_add (
223	alpha_mul_base_plus_beta_mul_pub.y,	229	alpha_mul_base_plus_beta_mul_pub.y,
224	alpha_mul_base.y,	230	alpha_mul_base.y,
225	beta_mul_pub.y));	231	beta_mul_pub.y));
226	GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,	232	GNUNET_assert (0 ==
227	r_pub->point.y,	233	crypto_core_ed25519_add (
228	alpha_mul_base_plus_beta_mul_pub.	234	blinded_r_pub->point.y,
229	y));	235	r_pub->point.y,
		236	alpha_mul_base_plus_beta_mul_pub.y));
230	}	237	}
231		238
232		239
@@ -238,19 +245,33 @@ GNUNET_CRYPTO_cs_calc_blinded_c (
238	const void *msg,	245	const void *msg,
239	size_t msg_len,	246	size_t msg_len,
240	struct GNUNET_CRYPTO_CsC blinded_c[2],	247	struct GNUNET_CRYPTO_CsC blinded_c[2],
241	struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])	248	struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
242	{	249	{
243	// for i 0/1: R'i = Ri + alpha iG + beta ipub	250	/* for i 0/1: R'i = Ri + alpha iG + beta ipub */
244	calc_r_dash (&bs[0], &r_pub[0], pub, &blinded_r_pub[0]);	251	calc_r_dash (&bs[0],
245	calc_r_dash (&bs[1], &r_pub[1], pub, &blinded_r_pub[1]);	252	&r_pub[0],
246		253	pub,
247	// for i 0/1: c'i = H(R'i, msg)	254	&r_pub_blind->r_pub[0]);
		255	calc_r_dash (&bs[1],
		256	&r_pub[1],
		257	pub,
		258	&r_pub_blind->r_pub[1]);
		259
		260	/* for i 0/1: c'i = H(R'i, msg) */
248	struct GNUNET_CRYPTO_CsC c_dash_0;	261	struct GNUNET_CRYPTO_CsC c_dash_0;
249	struct GNUNET_CRYPTO_CsC c_dash_1;	262	struct GNUNET_CRYPTO_CsC c_dash_1;
250	cs_full_domain_hash (&blinded_r_pub[0], msg, msg_len, pub, &c_dash_0);	263	cs_full_domain_hash (&r_pub_blind->r_pub[0],
251	cs_full_domain_hash (&blinded_r_pub[1], msg, msg_len, pub, &c_dash_1);	264	msg,
		265	msg_len,
		266	pub,
		267	&c_dash_0);
		268	cs_full_domain_hash (&r_pub_blind->r_pub[1],
		269	msg,
		270	msg_len,
		271	pub,
		272	&c_dash_1);
252		273
253	// for i 0/1: ci = c'i + beta i mod p	274	/* for i 0/1: ci = c'i + beta i mod p */
254	crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,	275	crypto_core_ed25519_scalar_add (blinded_c[0].scalar.d,
255	c_dash_0.scalar.d,	276	c_dash_0.scalar.d,
256	bs[0].beta.d);	277	bs[0].beta.d);


diff --git a/src/lib/util/test_crypto_blind.c b/src/lib/util/test_crypto_blind.c index 726516bc2..d7efd79ea 100644 --- a/src/lib/util/test_crypto_blind.c +++ b/src/lib/util/test_crypto_blind.c
@@ -34,13 +34,12 @@ main (int argc,
34	{	34	{
35	struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;	35	struct GNUNET_CRYPTO_BlindSignPrivateKey *priv;
36	struct GNUNET_CRYPTO_BlindSignPublicKey *pub;	36	struct GNUNET_CRYPTO_BlindSignPublicKey *pub;
37	struct GNUNET_CRYPTO_BlindingInputValues biv;	37	struct GNUNET_CRYPTO_BlindingInputValues *biv;
38	struct GNUNET_CRYPTO_BlindedMessage *bm;	38	struct GNUNET_CRYPTO_BlindedMessage *bm;
39	struct GNUNET_CRYPTO_BlindedSignature *bsig;	39	struct GNUNET_CRYPTO_BlindedSignature *bsig;
40	struct GNUNET_CRYPTO_UnblindedSignature *sig;	40	struct GNUNET_CRYPTO_UnblindedSignature *sig;
41	union GNUNET_CRYPTO_BlindingSecretP bsec;	41	union GNUNET_CRYPTO_BlindingSecretP bsec;
42	struct GNUNET_CRYPTO_CsSessionNonce nonce;	42	union GNUNET_CRYPTO_BlindSessionNonce nonce;
43	struct GNUNET_CRYPTO_CsRSecret cspriv[2];
44		43
45	GNUNET_log_setup ("test-crypto-blind",	44	GNUNET_log_setup ("test-crypto-blind",
46	"WARNING",	45	"WARNING",
@@ -55,21 +54,15 @@ main (int argc,
55	GNUNET_CRYPTO_blind_sign_keys_create (&priv,	54	GNUNET_CRYPTO_blind_sign_keys_create (&priv,
56	&pub,	55	&pub,
57	GNUNET_CRYPTO_BSA_CS));	56	GNUNET_CRYPTO_BSA_CS));
58	biv.cipher = GNUNET_CRYPTO_BSA_CS;	57	biv = GNUNET_CRYPTO_get_blinding_input_values (priv,
59	GNUNET_CRYPTO_cs_r_derive (&nonce,	58	&nonce,
60	"salt",	59	"salt");
61	&priv->details.cs_private_key,
62	cspriv);
63	GNUNET_CRYPTO_cs_r_get_public (&cspriv[0],
64	&biv.details.cs_values.r_pub[0]);
65	GNUNET_CRYPTO_cs_r_get_public (&cspriv[1],
66	&biv.details.cs_values.r_pub[1]);
67	bm = GNUNET_CRYPTO_message_blind_to_sign (pub,	60	bm = GNUNET_CRYPTO_message_blind_to_sign (pub,
68	&bsec,	61	&bsec,
		62	&nonce,
69	"hello",	63	"hello",
70	5,	64	5,
71	&biv);	65	biv);
72	bm->details.cs_blinded_message.nonce = nonce; // FIXME: ugly!
73	bsig = GNUNET_CRYPTO_blind_sign (priv,	66	bsig = GNUNET_CRYPTO_blind_sign (priv,
74	"salt",	67	"salt",
75	bm);	68	bm);
@@ -77,7 +70,7 @@ main (int argc,
77	&bsec,	70	&bsec,
78	"hello",	71	"hello",
79	5,	72	5,
80	&biv,	73	biv,
81	pub);	74	pub);
82	GNUNET_assert (GNUNET_OK ==	75	GNUNET_assert (GNUNET_OK ==
83	GNUNET_CRYPTO_blind_sig_verify (pub,	76	GNUNET_CRYPTO_blind_sig_verify (pub,


diff --git a/src/lib/util/test_crypto_cs.c b/src/lib/util/test_crypto_cs.c index 5b3aac778..ee68db72f 100644 --- a/src/lib/util/test_crypto_cs.c +++ b/src/lib/util/test_crypto_cs.c
@@ -216,7 +216,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
216	const void *msg,	216	const void *msg,
217	size_t msg_len,	217	size_t msg_len,
218	struct GNUNET_CRYPTO_CsC blinded_cs[2],	218	struct GNUNET_CRYPTO_CsC blinded_cs[2],
219	struct GNUNET_CRYPTO_CsRPublic blinded_r_pub[2])	219	struct GNUNET_CRYPTO_CSPublicRPairP *blinded_r_pub)
220	{	220	{
221	/* TEST 1	221	/* TEST 1
222	* Check that the blinded c's and blinded r's	222	* Check that the blinded c's and blinded r's
@@ -227,10 +227,8 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
227	&blinded_cs[0],	227	&blinded_cs[0],
228	sizeof(struct GNUNET_CRYPTO_CsC) * 2);	228	sizeof(struct GNUNET_CRYPTO_CsC) * 2);
229		229
230	struct GNUNET_CRYPTO_CsRPublic other_blinded_r_pub[2];	230	struct GNUNET_CRYPTO_CSPublicRPairP other_blinded_pub;
231	memcpy (&other_blinded_r_pub[0],	231	other_blinded_pub = *blinded_r_pub;
232	&blinded_r_pub[0],
233	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
234		232
235	GNUNET_CRYPTO_cs_calc_blinded_c (bs,	233	GNUNET_CRYPTO_cs_calc_blinded_c (bs,
236	r_pub,	234	r_pub,
@@ -243,9 +241,9 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
243	GNUNET_assert (0 != memcmp (&other_blinded_c[0],	241	GNUNET_assert (0 != memcmp (&other_blinded_c[0],
244	&blinded_cs[0],	242	&blinded_cs[0],
245	sizeof(struct GNUNET_CRYPTO_CsC) * 2));	243	sizeof(struct GNUNET_CRYPTO_CsC) * 2));
246	GNUNET_assert (0 != memcmp (&other_blinded_r_pub[0],	244	GNUNET_assert (0 !=
247	&blinded_r_pub[0],	245	GNUNET_memcmp (&other_blinded_pub,
248	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));	246	blinded_r_pub));
249		247
250	/* TEST 2	248	/* TEST 2
251	* Check if R' - aG -bX = R for b = 0	249	* Check if R' - aG -bX = R for b = 0
@@ -270,7 +268,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
270	GNUNET_assert (0 ==	268	GNUNET_assert (0 ==
271	crypto_core_ed25519_sub (	269	crypto_core_ed25519_sub (
272	r_min_aG.y,	270	r_min_aG.y,
273	blinded_r_pub[b].point.y,	271	blinded_r_pub->r_pub[b].point.y,
274	aG.y));	272	aG.y));
275	GNUNET_assert (0 == crypto_core_ed25519_sub (	273	GNUNET_assert (0 == crypto_core_ed25519_sub (
276	res.point.y,	274	res.point.y,
@@ -289,10 +287,10 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
289	*/	287	*/
290	GNUNET_assert (1 ==	288	GNUNET_assert (1 ==
291	crypto_core_ed25519_is_valid_point (	289	crypto_core_ed25519_is_valid_point (
292	blinded_r_pub[0].point.y));	290	blinded_r_pub->r_pub[0].point.y));
293	GNUNET_assert (1 ==	291	GNUNET_assert (1 ==
294	crypto_core_ed25519_is_valid_point (	292	crypto_core_ed25519_is_valid_point (
295	blinded_r_pub[1].point.y));	293	blinded_r_pub->r_pub[1].point.y));
296		294
297	/* TEST 4	295	/* TEST 4
298	* Check if function gives the same result for the same input.	296	* Check if function gives the same result for the same input.
@@ -300,9 +298,7 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
300	memcpy (&other_blinded_c[0],	298	memcpy (&other_blinded_c[0],
301	&blinded_cs[0],	299	&blinded_cs[0],
302	sizeof(struct GNUNET_CRYPTO_CsC) * 2);	300	sizeof(struct GNUNET_CRYPTO_CsC) * 2);
303	memcpy (&other_blinded_r_pub[0],	301	other_blinded_pub = *blinded_r_pub;
304	&blinded_r_pub[0],
305	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2);
306		302
307	for (unsigned int i = 0; i<ITER; i++)	303	for (unsigned int i = 0; i<ITER; i++)
308	{	304	{
@@ -313,12 +309,13 @@ test_calc_blindedc (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2],
313	msg_len,	309	msg_len,
314	blinded_cs,	310	blinded_cs,
315	blinded_r_pub);	311	blinded_r_pub);
316	GNUNET_assert (0 == memcmp (&other_blinded_c[0],	312	GNUNET_assert (0 ==
317	&blinded_cs[0],	313	memcmp (&other_blinded_c[0],
318	sizeof(struct GNUNET_CRYPTO_CsC) * 2));	314	&blinded_cs[0],
319	GNUNET_assert (0 == memcmp (&other_blinded_r_pub[0],	315	sizeof(struct GNUNET_CRYPTO_CsC) * 2));
320	&blinded_r_pub[0],	316	GNUNET_assert (0 ==
321	sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));	317	GNUNET_memcmp (&other_blinded_pub,
		318	blinded_r_pub));
322	}	319	}
323	}	320	}
324		321
@@ -563,12 +560,12 @@ main (int argc,
563	// calculate blinded c's	560	// calculate blinded c's
564	struct GNUNET_CRYPTO_CsBlindedMessage bm;	561	struct GNUNET_CRYPTO_CsBlindedMessage bm;
565	struct GNUNET_CRYPTO_CsC blinded_cs[2];	562	struct GNUNET_CRYPTO_CsC blinded_cs[2];
566	struct GNUNET_CRYPTO_CsRPublic blinded_r_pubs[2];	563	struct GNUNET_CRYPTO_CSPublicRPairP blinded_r_pubs;
567		564
568	memset (blinded_cs,	565	memset (blinded_cs,
569	42,	566	42,
570	sizeof (blinded_cs));	567	sizeof (blinded_cs));
571	memset (blinded_r_pubs,	568	memset (&blinded_r_pubs,
572	42,	569	42,
573	sizeof (blinded_r_pubs));	570	sizeof (blinded_r_pubs));
574	test_calc_blindedc (blindingsecrets,	571	test_calc_blindedc (blindingsecrets,
@@ -577,7 +574,7 @@ main (int argc,
577	message,	574	message,
578	message_len,	575	message_len,
579	blinded_cs,	576	blinded_cs,
580	blinded_r_pubs);	577	&blinded_r_pubs);
581		578
582	// ---------- actions performed by signer	579	// ---------- actions performed by signer
583	// sign blinded c's and get b and s in return	580	// sign blinded c's and get b and s in return
@@ -614,7 +611,7 @@ main (int argc,
614		611
615	// verify unblinded signature	612	// verify unblinded signature
616	struct GNUNET_CRYPTO_CsSignature signature;	613	struct GNUNET_CRYPTO_CsSignature signature;
617	signature.r_point = blinded_r_pubs[blinded_s.b];	614	signature.r_point = blinded_r_pubs.r_pub[blinded_s.b];
618	signature.s_scalar = sig_scalar;	615	signature.s_scalar = sig_scalar;
619	test_verify (&signature,	616	test_verify (&signature,
620	&pub,	617	&pub,