1 files changed, 170 insertions, 26 deletions
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index 7f9e3c070..11c3e50d4 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -61,10 +61,11 @@
 #define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-ecc", __VA_ARGS__)
 #define LOG_STRERROR(kind, syscall) \
-  GNUNET_log_from_strerror (kind, "util-crypto-ecc", syscall)
+        GNUNET_log_from_strerror (kind, "util-crypto-ecc", syscall)
 #define LOG_STRERROR_FILE(kind, syscall, filename) \
-  GNUNET_log_from_strerror_file (kind, "util-crypto-ecc", syscall, filename)
+        GNUNET_log_from_strerror_file (kind, "util-crypto-ecc", syscall, \
+                                       filename)
 /**
 * Log an error message at log-level 'level' that indicates
@@ -72,15 +73,15 @@
 * by gcry_strerror(rc).
 */
 #define LOG_GCRY(level, cmd, rc)                      \
-  do                                                  \
+        do                                                  \
-  {                                                   \
+        {                                                   \
-    LOG (level,                                       \
+          LOG (level,                                       \
-         _ ("`%s' failed at %s:%d with error: %s\n"), \
+               _ ("`%s' failed at %s:%d with error: %s\n"), \
-         cmd,                                         \
+               cmd,                                         \
-         __FILE__,                                    \
+               __FILE__,                                    \
-         __LINE__,                                    \
+               __LINE__,                                    \
-         gcry_strerror (rc));                         \
+               gcry_strerror (rc));                         \
-  } while (0)
+        } while (0)
 /**
@@ -513,9 +514,7 @@ data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
 {
  gcry_sexp_t data;
  int rc;
+  /* Unlike EdDSA, libgcrypt expects a hash for ECDSA. */
-/* See #5398 */
-#if 1
  struct GNUNET_HashCode hc;
  GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
@@ -529,18 +528,6 @@ data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
    return NULL;
  }
-#else
-  if (0 != (rc = gcry_sexp_build (&data,
-                                  NULL,
-                                  "(data(flags rfc6979)(hash %s %b))",
-                                  "sha512",
-                                  ntohl (purpose->size),
-                                  purpose)))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
-    return NULL;
-  }
-#endif
  return data;
 }
@@ -594,6 +581,7 @@ GNUNET_CRYPTO_ecdsa_sign_ (
  return GNUNET_OK;
 }
 enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_sign_raw (
  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
@@ -758,6 +746,16 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
 enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_kem_decaps (const struct
+                                GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                const struct GNUNET_CRYPTO_EcdhePublicKey *c,
+                                struct GNUNET_HashCode *key_material)
+{
+  return GNUNET_CRYPTO_eddsa_ecdh (priv, c, key_material);
+}
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
                          const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
                          struct GNUNET_HashCode *key_material)
@@ -793,6 +791,152 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
 enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
+                                struct GNUNET_CRYPTO_EcdhePublicKey *c,
+                                struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk;
+  GNUNET_CRYPTO_ecdhe_key_create (&sk);
+  GNUNET_CRYPTO_ecdhe_key_get_public (&sk, c);
+  return GNUNET_CRYPTO_ecdh_eddsa (&sk, pub, key_material);
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct
+                                   GNUNET_CRYPTO_EcdsaPublicKey *pub,
+                                   struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_HashCode x;
+  struct GNUNET_HashCode ux;
+  struct GNUNET_HashCode w;
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk;
+  // This is the input to the FO OWTF
+  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &x, sizeof(x));
+  // We build our OWTF using a FO-transformation of ElGamal:
+  // U(x)
+  GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
+  GNUNET_memcpy (&sk, &ux, sizeof (sk));
+  // B := g^U(x)
+  GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &c->pub);
+  if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdh_ecdsa (&sk, pub, &w))
+    return -1;
+  // w xor x (one-time pad)
+  GNUNET_CRYPTO_hash_xor (&w, &x, &c->y);
+  // k := H(x) FIXME: U and H must be different?
+  GNUNET_memcpy (key_material, &ux, sizeof (ux));
+  return GNUNET_OK;
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_fo_kem_encaps (const struct
+                                   GNUNET_CRYPTO_EddsaPublicKey *pub,
+                                   struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_HashCode x;
+  struct GNUNET_HashCode ux;
+  struct GNUNET_HashCode w;
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk;
+  enum GNUNET_GenericReturnValue ret;
+  // This is the input to the FO OWTF
+  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &x, sizeof(x));
+  // We build our OWTF using a FO-transformation of ElGamal:
+  // U(x)
+  GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
+  GNUNET_memcpy (&sk, &ux, sizeof (sk));
+  // B := g^U(x)
+  GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &c->pub);
+  ret = GNUNET_CRYPTO_ecdh_eddsa (&sk, pub, &w);
+  if (GNUNET_OK != ret)
+    return ret;
+  // w xor x (one-time pad)
+  GNUNET_CRYPTO_hash_xor (&w, &x, &c->y);
+  // k := H(x) FIXME: U and H must be different?
+  GNUNET_memcpy (key_material, &ux, sizeof (ux));
+  return GNUNET_OK;
+}
+static enum GNUNET_GenericReturnValue
+fo_kem_decaps (const struct GNUNET_HashCode *w,
+               const struct GNUNET_CRYPTO_FoKemC *c,
+               struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_HashCode x;
+  struct GNUNET_HashCode ux;
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk;
+  struct GNUNET_CRYPTO_EcdhePublicKey pub_test;
+  // w xor x (one-time pad)
+  GNUNET_CRYPTO_hash_xor (w, &c->y, &x);
+  // We build our OWTF using a FO-transformation of ElGamal:
+  // U(x)
+  GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
+  GNUNET_memcpy (&sk, &ux, sizeof (sk));
+  // B := g^U(x)
+  GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &pub_test);
+  if (0 != memcmp (&pub_test, &c->pub, sizeof (c->pub)))
+    return GNUNET_SYSERR; // Reject
+  // k := H(x) FIXME: U and H must be different?
+  GNUNET_memcpy (key_material, &ux, sizeof (ux));
+  return GNUNET_OK;
+}
+/**
+ * This implementation is not testes/publicly exposed yet
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct
+                                   GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                   const struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_HashCode w;
+  enum GNUNET_GenericReturnValue ret;
+  ret = GNUNET_CRYPTO_eddsa_ecdh (priv, &c->pub, &w);
+  if (GNUNET_OK != ret)
+    return ret;
+  return fo_kem_decaps (&w, c, key_material);
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct
+                                   GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+                                   struct GNUNET_CRYPTO_FoKemC *c,
+                                   struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_HashCode w;
+  enum GNUNET_GenericReturnValue ret;
+  ret = GNUNET_CRYPTO_ecdsa_ecdh (priv, &c->pub, &w);
+  if (GNUNET_OK != ret)
+    return ret;
+  return fo_kem_decaps (&w, c, key_material);
+}
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
                          const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
                          struct GNUNET_HashCode *key_material)

diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c index 7f9e3c070..11c3e50d4 100644 --- a/src/util/crypto_ecc.c +++ b/src/util/crypto_ecc.c
@@ -61,10 +61,11 @@
61	#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-ecc", __VA_ARGS__)	61	#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-ecc", __VA_ARGS__)
62		62
63	#define LOG_STRERROR(kind, syscall) \	63	#define LOG_STRERROR(kind, syscall) \
64	GNUNET_log_from_strerror (kind, "util-crypto-ecc", syscall)	64	GNUNET_log_from_strerror (kind, "util-crypto-ecc", syscall)
65		65
66	#define LOG_STRERROR_FILE(kind, syscall, filename) \	66	#define LOG_STRERROR_FILE(kind, syscall, filename) \
67	GNUNET_log_from_strerror_file (kind, "util-crypto-ecc", syscall, filename)	67	GNUNET_log_from_strerror_file (kind, "util-crypto-ecc", syscall, \
		68	filename)
68		69
69	/**	70	/**
70	* Log an error message at log-level 'level' that indicates	71	* Log an error message at log-level 'level' that indicates
@@ -72,15 +73,15 @@
72	* by gcry_strerror(rc).	73	* by gcry_strerror(rc).
73	*/	74	*/
74	#define LOG_GCRY(level, cmd, rc) \	75	#define LOG_GCRY(level, cmd, rc) \
75	do \	76	do \
76	{ \	77	{ \
77	LOG (level, \	78	LOG (level, \
78	_ ("`%s' failed at %s:%d with error: %s\n"), \	79	_ ("`%s' failed at %s:%d with error: %s\n"), \
79	cmd, \	80	cmd, \
80	__FILE__, \	81	__FILE__, \
81	__LINE__, \	82	__LINE__, \
82	gcry_strerror (rc)); \	83	gcry_strerror (rc)); \
83	} while (0)	84	} while (0)
84		85
85		86
86	/**	87	/**
@@ -513,9 +514,7 @@ data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
513	{	514	{
514	gcry_sexp_t data;	515	gcry_sexp_t data;
515	int rc;	516	int rc;
516		517	/* Unlike EdDSA, libgcrypt expects a hash for ECDSA. */
517	/* See #5398 */
518	#if 1
519	struct GNUNET_HashCode hc;	518	struct GNUNET_HashCode hc;
520		519
521	GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);	520	GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
@@ -529,18 +528,6 @@ data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
529	LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);	528	LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
530	return NULL;	529	return NULL;
531	}	530	}
532	#else
533	if (0 != (rc = gcry_sexp_build (&data,
534	NULL,
535	"(data(flags rfc6979)(hash %s %b))",
536	"sha512",
537	ntohl (purpose->size),
538	purpose)))
539	{
540	LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
541	return NULL;
542	}
543	#endif
544	return data;	531	return data;
545	}	532	}
546		533
@@ -594,6 +581,7 @@ GNUNET_CRYPTO_ecdsa_sign_ (
594	return GNUNET_OK;	581	return GNUNET_OK;
595	}	582	}
596		583
		584
597	enum GNUNET_GenericReturnValue	585	enum GNUNET_GenericReturnValue
598	GNUNET_CRYPTO_eddsa_sign_raw (	586	GNUNET_CRYPTO_eddsa_sign_raw (
599	const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,	587	const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
@@ -758,6 +746,16 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
758		746
759		747
760	enum GNUNET_GenericReturnValue	748	enum GNUNET_GenericReturnValue
		749	GNUNET_CRYPTO_eddsa_kem_decaps (const struct
		750	GNUNET_CRYPTO_EddsaPrivateKey *priv,
		751	const struct GNUNET_CRYPTO_EcdhePublicKey *c,
		752	struct GNUNET_HashCode *key_material)
		753	{
		754	return GNUNET_CRYPTO_eddsa_ecdh (priv, c, key_material);
		755	}
		756
		757
		758	enum GNUNET_GenericReturnValue
761	GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,	759	GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
762	const struct GNUNET_CRYPTO_EcdhePublicKey *pub,	760	const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
763	struct GNUNET_HashCode *key_material)	761	struct GNUNET_HashCode *key_material)
@@ -793,6 +791,152 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
793		791
794		792
795	enum GNUNET_GenericReturnValue	793	enum GNUNET_GenericReturnValue
		794	GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
		795	struct GNUNET_CRYPTO_EcdhePublicKey *c,
		796	struct GNUNET_HashCode *key_material)
		797	{
		798	struct GNUNET_CRYPTO_EcdhePrivateKey sk;
		799
		800	GNUNET_CRYPTO_ecdhe_key_create (&sk);
		801	GNUNET_CRYPTO_ecdhe_key_get_public (&sk, c);
		802	return GNUNET_CRYPTO_ecdh_eddsa (&sk, pub, key_material);
		803	}
		804
		805
		806	enum GNUNET_GenericReturnValue
		807	GNUNET_CRYPTO_ecdsa_fo_kem_encaps (const struct
		808	GNUNET_CRYPTO_EcdsaPublicKey *pub,
		809	struct GNUNET_CRYPTO_FoKemC *c,
		810	struct GNUNET_HashCode *key_material)
		811	{
		812	struct GNUNET_HashCode x;
		813	struct GNUNET_HashCode ux;
		814	struct GNUNET_HashCode w;
		815	struct GNUNET_CRYPTO_EcdhePrivateKey sk;
		816
		817	// This is the input to the FO OWTF
		818	GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &x, sizeof(x));
		819
		820	// We build our OWTF using a FO-transformation of ElGamal:
		821	// U(x)
		822	GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
		823	GNUNET_memcpy (&sk, &ux, sizeof (sk));
		824
		825	// B := g^U(x)
		826	GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &c->pub);
		827
		828	if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdh_ecdsa (&sk, pub, &w))
		829	return -1;
		830	// w xor x (one-time pad)
		831	GNUNET_CRYPTO_hash_xor (&w, &x, &c->y);
		832
		833	// k := H(x) FIXME: U and H must be different?
		834	GNUNET_memcpy (key_material, &ux, sizeof (ux));
		835	return GNUNET_OK;
		836	}
		837
		838
		839	enum GNUNET_GenericReturnValue
		840	GNUNET_CRYPTO_eddsa_fo_kem_encaps (const struct
		841	GNUNET_CRYPTO_EddsaPublicKey *pub,
		842	struct GNUNET_CRYPTO_FoKemC *c,
		843	struct GNUNET_HashCode *key_material)
		844	{
		845	struct GNUNET_HashCode x;
		846	struct GNUNET_HashCode ux;
		847	struct GNUNET_HashCode w;
		848	struct GNUNET_CRYPTO_EcdhePrivateKey sk;
		849	enum GNUNET_GenericReturnValue ret;
		850
		851	// This is the input to the FO OWTF
		852	GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &x, sizeof(x));
		853
		854	// We build our OWTF using a FO-transformation of ElGamal:
		855	// U(x)
		856	GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
		857	GNUNET_memcpy (&sk, &ux, sizeof (sk));
		858
		859	// B := g^U(x)
		860	GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &c->pub);
		861
		862	ret = GNUNET_CRYPTO_ecdh_eddsa (&sk, pub, &w);
		863	if (GNUNET_OK != ret)
		864	return ret;
		865	// w xor x (one-time pad)
		866	GNUNET_CRYPTO_hash_xor (&w, &x, &c->y);
		867
		868	// k := H(x) FIXME: U and H must be different?
		869	GNUNET_memcpy (key_material, &ux, sizeof (ux));
		870	return GNUNET_OK;
		871	}
		872
		873
		874	static enum GNUNET_GenericReturnValue
		875	fo_kem_decaps (const struct GNUNET_HashCode *w,
		876	const struct GNUNET_CRYPTO_FoKemC *c,
		877	struct GNUNET_HashCode *key_material)
		878	{
		879	struct GNUNET_HashCode x;
		880	struct GNUNET_HashCode ux;
		881	struct GNUNET_CRYPTO_EcdhePrivateKey sk;
		882	struct GNUNET_CRYPTO_EcdhePublicKey pub_test;
		883
		884	// w xor x (one-time pad)
		885	GNUNET_CRYPTO_hash_xor (w, &c->y, &x);
		886
		887	// We build our OWTF using a FO-transformation of ElGamal:
		888	// U(x)
		889	GNUNET_CRYPTO_hash (&x, sizeof (x), &ux);
		890	GNUNET_memcpy (&sk, &ux, sizeof (sk));
		891
		892	// B := g^U(x)
		893	GNUNET_CRYPTO_ecdhe_key_get_public (&sk, &pub_test);
		894
		895	if (0 != memcmp (&pub_test, &c->pub, sizeof (c->pub)))
		896	return GNUNET_SYSERR; // Reject
		897
		898	// k := H(x) FIXME: U and H must be different?
		899	GNUNET_memcpy (key_material, &ux, sizeof (ux));
		900	return GNUNET_OK;
		901	}
		902
		903
		904	/**
		905	* This implementation is not testes/publicly exposed yet
		906	*/
		907	enum GNUNET_GenericReturnValue
		908	GNUNET_CRYPTO_eddsa_fo_kem_decaps (const struct
		909	GNUNET_CRYPTO_EddsaPrivateKey *priv,
		910	const struct GNUNET_CRYPTO_FoKemC *c,
		911	struct GNUNET_HashCode *key_material)
		912	{
		913	struct GNUNET_HashCode w;
		914	enum GNUNET_GenericReturnValue ret;
		915
		916	ret = GNUNET_CRYPTO_eddsa_ecdh (priv, &c->pub, &w);
		917	if (GNUNET_OK != ret)
		918	return ret;
		919	return fo_kem_decaps (&w, c, key_material);
		920	}
		921
		922
		923	enum GNUNET_GenericReturnValue
		924	GNUNET_CRYPTO_ecdsa_fo_kem_decaps (const struct
		925	GNUNET_CRYPTO_EcdsaPrivateKey *priv,
		926	struct GNUNET_CRYPTO_FoKemC *c,
		927	struct GNUNET_HashCode *key_material)
		928	{
		929	struct GNUNET_HashCode w;
		930	enum GNUNET_GenericReturnValue ret;
		931
		932	ret = GNUNET_CRYPTO_ecdsa_ecdh (priv, &c->pub, &w);
		933	if (GNUNET_OK != ret)
		934	return ret;
		935	return fo_kem_decaps (&w, c, key_material);
		936	}
		937
		938
		939	enum GNUNET_GenericReturnValue
796	GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,	940	GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
797	const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,	941	const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
798	struct GNUNET_HashCode *key_material)	942	struct GNUNET_HashCode *key_material)