1 files changed, 188 insertions, 189 deletions
diff --git a/src/util/crypto_ecc_dlog.c b/src/util/crypto_ecc_dlog.c
index 07777e377..8b4344b25 100644
--- a/src/util/crypto_ecc_dlog.c
+++ b/src/util/crypto_ecc_dlog.c
@@ -11,12 +11,12 @@
     WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     Affero General Public License for more details.
-    
     You should have received a copy of the GNU Affero General Public License
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
     SPDX-License-Identifier: AGPL3.0-or-later
-*/
+ */
 /**
 * @file util/crypto_ecc_dlog.c
@@ -44,27 +44,26 @@
 *
 */
 static void
-extract_pk (gcry_mpi_point_t pt,
+extract_pk(gcry_mpi_point_t pt,
-            gcry_ctx_t ctx,
+           gcry_ctx_t ctx,
-            struct GNUNET_PeerIdentity *pid)
+           struct GNUNET_PeerIdentity *pid)
 {
  gcry_mpi_t q_y;
-  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", pt, ctx));
+  GNUNET_assert(0 == gcry_mpi_ec_set_point("q", pt, ctx));
-  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  q_y = gcry_mpi_ec_get_mpi("q@eddsa", ctx, 0);
-  GNUNET_assert (q_y);
+  GNUNET_assert(q_y);
-  GNUNET_CRYPTO_mpi_print_unsigned (pid->public_key.q_y,
+  GNUNET_CRYPTO_mpi_print_unsigned(pid->public_key.q_y,
-                                    sizeof (pid->public_key.q_y),
+                                   sizeof(pid->public_key.q_y),
-                                    q_y);
+                                   q_y);
-  gcry_mpi_release (q_y);
+  gcry_mpi_release(q_y);
 }
 /**
 * Internal structure used to cache pre-calculated values for DLOG calculation.
 */
-struct GNUNET_CRYPTO_EccDlogContext
+struct GNUNET_CRYPTO_EccDlogContext {
-{
  /**
   * Maximum absolute value the calculation supports.
   */
@@ -87,7 +86,6 @@ struct GNUNET_CRYPTO_EccDlogContext
   * Context to use for operations on the elliptic curve.
   */
  gcry_ctx_t ctx;
 };
@@ -99,19 +97,19 @@ struct GNUNET_CRYPTO_EccDlogContext
 * @param[out] bin binary point representation
 */
 void
-GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_point_to_bin(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                                gcry_mpi_point_t point,
+                               gcry_mpi_point_t point,
-                                struct GNUNET_CRYPTO_EccPoint *bin)
+                               struct GNUNET_CRYPTO_EccPoint *bin)
 {
  gcry_mpi_t q_y;
-  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", point, edc->ctx));
+  GNUNET_assert(0 == gcry_mpi_ec_set_point("q", point, edc->ctx));
-  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", edc->ctx, 0);
+  q_y = gcry_mpi_ec_get_mpi("q@eddsa", edc->ctx, 0);
-  GNUNET_assert (q_y);
+  GNUNET_assert(q_y);
-  GNUNET_CRYPTO_mpi_print_unsigned (bin->q_y,
+  GNUNET_CRYPTO_mpi_print_unsigned(bin->q_y,
-                                    sizeof (bin->q_y),
+                                   sizeof(bin->q_y),
-                                    q_y);
+                                   q_y);
-  gcry_mpi_release (q_y);
+  gcry_mpi_release(q_y);
 }
@@ -123,26 +121,26 @@ GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @return computational representation
 */
 gcry_mpi_point_t
-GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_bin_to_point(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                                const struct GNUNET_CRYPTO_EccPoint *bin)
+                               const struct GNUNET_CRYPTO_EccPoint *bin)
 {
  gcry_sexp_t pub_sexpr;
  gcry_ctx_t ctx;
  gcry_mpi_point_t q;
-  (void) edc;
+  (void)edc;
-  if (0 != gcry_sexp_build (&pub_sexpr, NULL,
+  if (0 != gcry_sexp_build(&pub_sexpr, NULL,
-                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                           "(public-key(ecc(curve " CURVE ")(q %b)))",
-                            (int) sizeof (bin->q_y),
+                           (int)sizeof(bin->q_y),
-                            bin->q_y))
+                           bin->q_y))
-  {
+    {
-    GNUNET_break (0);
+      GNUNET_break(0);
-    return NULL;
+      return NULL;
-  }
+    }
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
+  GNUNET_assert(0 == gcry_mpi_ec_new(&ctx, pub_sexpr, NULL));
-  gcry_sexp_release (pub_sexpr);
+  gcry_sexp_release(pub_sexpr);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
+  q = gcry_mpi_ec_get_point("q", ctx, 0);
-  gcry_ctx_release (ctx);
+  gcry_ctx_release(ctx);
  return q;
 }
@@ -155,11 +153,11 @@ GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @return NULL on error
 */
 struct GNUNET_CRYPTO_EccDlogContext *
-GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
+GNUNET_CRYPTO_ecc_dlog_prepare(unsigned int max,
-                                unsigned int mem)
+                               unsigned int mem)
 {
  struct GNUNET_CRYPTO_EccDlogContext *edc;
-  unsigned int K = ((max + (mem-1)) / mem);
+  unsigned int K = ((max + (mem - 1)) / mem);
  gcry_mpi_point_t g;
  struct GNUNET_PeerIdentity key;
  gcry_mpi_point_t gKi;
@@ -167,50 +165,50 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
  gcry_mpi_t n;
  unsigned int i;
-  GNUNET_assert (max < INT32_MAX);
+  GNUNET_assert(max < INT32_MAX);
-  edc = GNUNET_new (struct GNUNET_CRYPTO_EccDlogContext);
+  edc = GNUNET_new(struct GNUNET_CRYPTO_EccDlogContext);
  edc->max = max;
  edc->mem = mem;
-  edc->map = GNUNET_CONTAINER_multipeermap_create (mem * 2,
+  edc->map = GNUNET_CONTAINER_multipeermap_create(mem * 2,
-                                                   GNUNET_NO);
+                                                  GNUNET_NO);
-  GNUNET_assert (0 == gcry_mpi_ec_new (&edc->ctx,
+  GNUNET_assert(0 == gcry_mpi_ec_new(&edc->ctx,
-                                       NULL,
+                                     NULL,
-                                       CURVE));
+                                     CURVE));
-  g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);
+  g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
-  GNUNET_assert (NULL != g);
+  GNUNET_assert(NULL != g);
-  fact = gcry_mpi_new (0);
+  fact = gcry_mpi_new(0);
-  gKi = gcry_mpi_point_new (0);
+  gKi = gcry_mpi_point_new(0);
-  for (i=0;i<=mem;i++)
+  for (i = 0; i <= mem; i++)
-  {
+    {
-    gcry_mpi_set_ui (fact, i * K);
+      gcry_mpi_set_ui(fact, i * K);
-    gcry_mpi_ec_mul (gKi, fact, g, edc->ctx);
+      gcry_mpi_ec_mul(gKi, fact, g, edc->ctx);
-    extract_pk (gKi, edc->ctx, &key);
+      extract_pk(gKi, edc->ctx, &key);
-    GNUNET_assert (GNUNET_OK ==
+      GNUNET_assert(GNUNET_OK ==
-                   GNUNET_CONTAINER_multipeermap_put (edc->map,
+                    GNUNET_CONTAINER_multipeermap_put(edc->map,
-                                                      &key,
+                                                      &key,
-                                                      (void*) (long) i + max,
+                                                      (void*)(long)i + max,
-                                                      GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
+                                                      GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
-  }
+    }
  /* negative values */
-  n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
+  n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
-  for (i=1;i<mem;i++)
+  for (i = 1; i < mem; i++)
-  {
+    {
-    gcry_mpi_set_ui (fact, i * K);
+      gcry_mpi_set_ui(fact, i * K);
-    gcry_mpi_sub (fact, n, fact);
+      gcry_mpi_sub(fact, n, fact);
-    gcry_mpi_ec_mul (gKi, fact, g, edc->ctx);
+      gcry_mpi_ec_mul(gKi, fact, g, edc->ctx);
-    extract_pk (gKi, edc->ctx, &key);
+      extract_pk(gKi, edc->ctx, &key);
-    GNUNET_assert (GNUNET_OK ==
+      GNUNET_assert(GNUNET_OK ==
-                   GNUNET_CONTAINER_multipeermap_put (edc->map,
+                    GNUNET_CONTAINER_multipeermap_put(edc->map,
-                                                      &key,
+                                                      &key,
-                                                      (void*) (long) max - i,
+                                                      (void*)(long)max - i,
-                                                      GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
+                                                      GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
-  }
+    }
-  gcry_mpi_release (fact);
+  gcry_mpi_release(fact);
-  gcry_mpi_release (n);
+  gcry_mpi_release(n);
-  gcry_mpi_point_release (gKi);
+  gcry_mpi_point_release(gKi);
-  gcry_mpi_point_release (g);
+  gcry_mpi_point_release(g);
  return edc;
 }
@@ -223,10 +221,10 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
 * @return INT_MAX if dlog failed, otherwise the factor
 */
 int
-GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_dlog(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                        gcry_mpi_point_t input)
+                       gcry_mpi_point_t input)
 {
-  unsigned int K = ((edc->max + (edc->mem-1)) / edc->mem);
+  unsigned int K = ((edc->max + (edc->mem - 1)) / edc->mem);
  gcry_mpi_point_t g;
  struct GNUNET_PeerIdentity key;
  gcry_mpi_point_t q;
@@ -234,36 +232,36 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
  int res;
  void *retp;
-  g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);
+  g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
-  GNUNET_assert (NULL != g);
+  GNUNET_assert(NULL != g);
-  q = gcry_mpi_point_new (0);
+  q = gcry_mpi_point_new(0);
  res = INT_MAX;
-  for (i=0;i<=edc->max/edc->mem;i++)
+  for (i = 0; i <= edc->max / edc->mem; i++)
-  {
-    if (0 == i)
-      extract_pk (input, edc->ctx, &key);
-    else
-      extract_pk (q, edc->ctx, &key);
-    retp = GNUNET_CONTAINER_multipeermap_get (edc->map,
-                                              &key);
-    if (NULL != retp)
    {
-      res = (((long) retp) - edc->max) * K - i;
+      if (0 == i)
-      /* we continue the loop here to make the implementation
+        extract_pk(input, edc->ctx, &key);
-         "constant-time". If we do not care about this, we could just
+      else
-         'break' here and do fewer operations... */
+        extract_pk(q, edc->ctx, &key);
+      retp = GNUNET_CONTAINER_multipeermap_get(edc->map,
+                                               &key);
+      if (NULL != retp)
+        {
+          res = (((long)retp) - edc->max) * K - i;
+          /* we continue the loop here to make the implementation
+             "constant-time". If we do not care about this, we could just
+             'break' here and do fewer operations... */
+        }
+      if (i == edc->max / edc->mem)
+        break;
+      /* q = q + g */
+      if (0 == i)
+        gcry_mpi_ec_add(q, input, g, edc->ctx);
+      else
+        gcry_mpi_ec_add(q, q, g, edc->ctx);
    }
-    if (i == edc->max/edc->mem)
+  gcry_mpi_point_release(g);
-      break;
+  gcry_mpi_point_release(q);
-    /* q = q + g */
-    if (0 == i)
-      gcry_mpi_ec_add (q, input, g, edc->ctx);
-    else
-      gcry_mpi_ec_add (q, q, g, edc->ctx);
-  }
-  gcry_mpi_point_release (g);
-  gcry_mpi_point_release (q);
  return res;
 }
@@ -276,29 +274,30 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @return random value mod n.
 */
 gcry_mpi_t
-GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
+GNUNET_CRYPTO_ecc_random_mod_n(struct GNUNET_CRYPTO_EccDlogContext *edc)
 {
  gcry_mpi_t n;
  unsigned int highbit;
  gcry_mpi_t r;
-  n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
+  n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
  /* check public key for number of bits, bail out if key is all zeros */
  highbit = 256; /* Curve25519 */
-  while ( (! gcry_mpi_test_bit (n, highbit)) &&
+  while ((!gcry_mpi_test_bit(n, highbit)) &&
-          (0 != highbit) )
+         (0 != highbit))
    highbit--;
-  GNUNET_assert (0 != highbit);
+  GNUNET_assert(0 != highbit);
  /* generate fact < n (without bias) */
-  GNUNET_assert (NULL != (r = gcry_mpi_new (0)));
+  GNUNET_assert(NULL != (r = gcry_mpi_new(0)));
-  do {
+  do
-    gcry_mpi_randomize (r,
+    {
-                        highbit + 1,
+      gcry_mpi_randomize(r,
-                        GCRY_STRONG_RANDOM);
+                         highbit + 1,
-  }
+                         GCRY_STRONG_RANDOM);
-  while (gcry_mpi_cmp (r, n) >= 0);
+    }
-  gcry_mpi_release (n);
+  while (gcry_mpi_cmp(r, n) >= 0);
+  gcry_mpi_release(n);
  return r;
 }
@@ -309,11 +308,11 @@ GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
 * @param edc dlog context
 */
 void
-GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc)
+GNUNET_CRYPTO_ecc_dlog_release(struct GNUNET_CRYPTO_EccDlogContext *edc)
 {
-  gcry_ctx_release (edc->ctx);
+  gcry_ctx_release(edc->ctx);
-  GNUNET_CONTAINER_multipeermap_destroy (edc->map);
+  GNUNET_CONTAINER_multipeermap_destroy(edc->map);
-  GNUNET_free (edc);
+  GNUNET_free(edc);
 }
@@ -331,32 +330,32 @@ GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc)
 *         must be freed using #GNUNET_CRYPTO_ecc_free()
 */
 gcry_mpi_point_t
-GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_dexp(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                        int val)
+                       int val)
 {
  gcry_mpi_t fact;
  gcry_mpi_t n;
  gcry_mpi_point_t g;
  gcry_mpi_point_t r;
-  g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);
+  g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
-  GNUNET_assert (NULL != g);
+  GNUNET_assert(NULL != g);
-  fact = gcry_mpi_new (0);
+  fact = gcry_mpi_new(0);
  if (val < 0)
-  {
+    {
-    n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
+      n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
-    gcry_mpi_set_ui (fact, - val);
+      gcry_mpi_set_ui(fact, -val);
-    gcry_mpi_sub (fact, n, fact);
+      gcry_mpi_sub(fact, n, fact);
-    gcry_mpi_release (n);
+      gcry_mpi_release(n);
-  }
+    }
  else
-  {
+    {
-    gcry_mpi_set_ui (fact, val);
+      gcry_mpi_set_ui(fact, val);
-  }
+    }
-  r = gcry_mpi_point_new (0);
+  r = gcry_mpi_point_new(0);
-  gcry_mpi_ec_mul (r, fact, g, edc->ctx);
+  gcry_mpi_ec_mul(r, fact, g, edc->ctx);
-  gcry_mpi_release (fact);
+  gcry_mpi_release(fact);
-  gcry_mpi_point_release (g);
+  gcry_mpi_point_release(g);
  return r;
 }
@@ -371,17 +370,17 @@ GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc,
 *         must be freed using #GNUNET_CRYPTO_ecc_free()
 */
 gcry_mpi_point_t
-GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_dexp_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                            gcry_mpi_t val)
+                           gcry_mpi_t val)
 {
  gcry_mpi_point_t g;
  gcry_mpi_point_t r;
-  g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);
+  g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
-  GNUNET_assert (NULL != g);
+  GNUNET_assert(NULL != g);
-  r = gcry_mpi_point_new (0);
+  r = gcry_mpi_point_new(0);
-  gcry_mpi_ec_mul (r, val, g, edc->ctx);
+  gcry_mpi_ec_mul(r, val, g, edc->ctx);
-  gcry_mpi_point_release (g);
+  gcry_mpi_point_release(g);
  return r;
 }
@@ -395,14 +394,14 @@ GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()
 */
 gcry_mpi_point_t
-GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_add(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                       gcry_mpi_point_t a,
+                      gcry_mpi_point_t a,
-                       gcry_mpi_point_t b)
+                      gcry_mpi_point_t b)
 {
  gcry_mpi_point_t r;
-  r = gcry_mpi_point_new (0);
+  r = gcry_mpi_point_new(0);
-  gcry_mpi_ec_add (r, a, b, edc->ctx);
+  gcry_mpi_ec_add(r, a, b, edc->ctx);
  return r;
 }
@@ -417,14 +416,14 @@ GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,
 *         must be freed using #GNUNET_CRYPTO_ecc_free()
 */
 gcry_mpi_point_t
-GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_pmul_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                            gcry_mpi_point_t p,
+                           gcry_mpi_point_t p,
-                            gcry_mpi_t val)
+                           gcry_mpi_t val)
 {
  gcry_mpi_point_t r;
-  r = gcry_mpi_point_new (0);
+  r = gcry_mpi_point_new(0);
-  gcry_mpi_ec_mul (r, val, p, edc->ctx);
+  gcry_mpi_ec_mul(r, val, p, edc->ctx);
  return r;
 }
@@ -439,31 +438,31 @@ GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @param[out] r_inv set to the additive inverse of @a r
 */
 void
-GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_rnd(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                       gcry_mpi_point_t *r,
+                      gcry_mpi_point_t *r,
-                       gcry_mpi_point_t *r_inv)
+                      gcry_mpi_point_t *r_inv)
 {
  gcry_mpi_t fact;
  gcry_mpi_t n;
  gcry_mpi_point_t g;
-  fact = GNUNET_CRYPTO_ecc_random_mod_n (edc);
+  fact = GNUNET_CRYPTO_ecc_random_mod_n(edc);
  /* calculate 'r' */
-  g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);
+  g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
-  GNUNET_assert (NULL != g);
+  GNUNET_assert(NULL != g);
-  *r = gcry_mpi_point_new (0);
+  *r = gcry_mpi_point_new(0);
-  gcry_mpi_ec_mul (*r, fact, g, edc->ctx);
+  gcry_mpi_ec_mul(*r, fact, g, edc->ctx);
  /* calculate 'r_inv' */
-  n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
+  n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
-  gcry_mpi_sub (fact, n, fact); /* fact = n - fact = - fact */
+  gcry_mpi_sub(fact, n, fact);  /* fact = n - fact = - fact */
-  *r_inv = gcry_mpi_point_new (0);
+  *r_inv = gcry_mpi_point_new(0);
-  gcry_mpi_ec_mul (*r_inv, fact, g, edc->ctx);
+  gcry_mpi_ec_mul(*r_inv, fact, g, edc->ctx);
-  gcry_mpi_release (n);
+  gcry_mpi_release(n);
-  gcry_mpi_release (fact);
+  gcry_mpi_release(fact);
-  gcry_mpi_point_release (g);
+  gcry_mpi_point_release(g);
 }
@@ -476,17 +475,17 @@ GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @param[out] r_inv set to the multiplicative inverse of @a r
 */
 void
-GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
+GNUNET_CRYPTO_ecc_rnd_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
-                           gcry_mpi_t *r,
+                          gcry_mpi_t *r,
-                           gcry_mpi_t *r_inv)
+                          gcry_mpi_t *r_inv)
 {
  gcry_mpi_t n;
-  *r = GNUNET_CRYPTO_ecc_random_mod_n (edc);
+  *r = GNUNET_CRYPTO_ecc_random_mod_n(edc);
  /* r_inv = n - r = - r */
-  *r_inv = gcry_mpi_new (0);
+  *r_inv = gcry_mpi_new(0);
-  n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);
+  n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
-  gcry_mpi_sub (*r_inv, n, *r);
+  gcry_mpi_sub(*r_inv, n, *r);
 }
@@ -496,9 +495,9 @@ GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
 * @param p point to free
 */
 void
-GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p)
+GNUNET_CRYPTO_ecc_free(gcry_mpi_point_t p)
 {
-  gcry_mpi_point_release (p);
+  gcry_mpi_point_release(p);
 }

diff --git a/src/util/crypto_ecc_dlog.c b/src/util/crypto_ecc_dlog.c index 07777e377..8b4344b25 100644 --- a/src/util/crypto_ecc_dlog.c +++ b/src/util/crypto_ecc_dlog.c
@@ -11,12 +11,12 @@
11	WITHOUT ANY WARRANTY; without even the implied warranty of	11	WITHOUT ANY WARRANTY; without even the implied warranty of
12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13	Affero General Public License for more details.	13	Affero General Public License for more details.
14		14
15	You should have received a copy of the GNU Affero General Public License	15	You should have received a copy of the GNU Affero General Public License
16	along with this program. If not, see <http://www.gnu.org/licenses/>.	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
17		17
18	SPDX-License-Identifier: AGPL3.0-or-later	18	SPDX-License-Identifier: AGPL3.0-or-later
19	*/	19	*/
20		20
21	/**	21	/**
22	* @file util/crypto_ecc_dlog.c	22	* @file util/crypto_ecc_dlog.c
@@ -44,27 +44,26 @@
44	*	44	*
45	*/	45	*/
46	static void	46	static void
47	extract_pk (gcry_mpi_point_t pt,	47	extract_pk(gcry_mpi_point_t pt,
48	gcry_ctx_t ctx,	48	gcry_ctx_t ctx,
49	struct GNUNET_PeerIdentity *pid)	49	struct GNUNET_PeerIdentity *pid)
50	{	50	{
51	gcry_mpi_t q_y;	51	gcry_mpi_t q_y;
52		52
53	GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", pt, ctx));	53	GNUNET_assert(0 == gcry_mpi_ec_set_point("q", pt, ctx));
54	q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);	54	q_y = gcry_mpi_ec_get_mpi("q@eddsa", ctx, 0);
55	GNUNET_assert (q_y);	55	GNUNET_assert(q_y);
56	GNUNET_CRYPTO_mpi_print_unsigned (pid->public_key.q_y,	56	GNUNET_CRYPTO_mpi_print_unsigned(pid->public_key.q_y,
57	sizeof (pid->public_key.q_y),	57	sizeof(pid->public_key.q_y),
58	q_y);	58	q_y);
59	gcry_mpi_release (q_y);	59	gcry_mpi_release(q_y);
60	}	60	}
61		61
62		62
63	/**	63	/**
64	* Internal structure used to cache pre-calculated values for DLOG calculation.	64	* Internal structure used to cache pre-calculated values for DLOG calculation.
65	*/	65	*/
66	struct GNUNET_CRYPTO_EccDlogContext	66	struct GNUNET_CRYPTO_EccDlogContext {
67	{
68	/**	67	/**
69	* Maximum absolute value the calculation supports.	68	* Maximum absolute value the calculation supports.
70	*/	69	*/
@@ -87,7 +86,6 @@ struct GNUNET_CRYPTO_EccDlogContext
87	* Context to use for operations on the elliptic curve.	86	* Context to use for operations on the elliptic curve.
88	*/	87	*/
89	gcry_ctx_t ctx;	88	gcry_ctx_t ctx;
90
91	};	89	};
92		90
93		91
@@ -99,19 +97,19 @@ struct GNUNET_CRYPTO_EccDlogContext
99	* @param[out] bin binary point representation	97	* @param[out] bin binary point representation
100	*/	98	*/
101	void	99	void
102	GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,	100	GNUNET_CRYPTO_ecc_point_to_bin(struct GNUNET_CRYPTO_EccDlogContext *edc,
103	gcry_mpi_point_t point,	101	gcry_mpi_point_t point,
104	struct GNUNET_CRYPTO_EccPoint *bin)	102	struct GNUNET_CRYPTO_EccPoint *bin)
105	{	103	{
106	gcry_mpi_t q_y;	104	gcry_mpi_t q_y;
107		105
108	GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", point, edc->ctx));	106	GNUNET_assert(0 == gcry_mpi_ec_set_point("q", point, edc->ctx));
109	q_y = gcry_mpi_ec_get_mpi ("q@eddsa", edc->ctx, 0);	107	q_y = gcry_mpi_ec_get_mpi("q@eddsa", edc->ctx, 0);
110	GNUNET_assert (q_y);	108	GNUNET_assert(q_y);
111	GNUNET_CRYPTO_mpi_print_unsigned (bin->q_y,	109	GNUNET_CRYPTO_mpi_print_unsigned(bin->q_y,
112	sizeof (bin->q_y),	110	sizeof(bin->q_y),
113	q_y);	111	q_y);
114	gcry_mpi_release (q_y);	112	gcry_mpi_release(q_y);
115	}	113	}
116		114
117		115
@@ -123,26 +121,26 @@ GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,
123	* @return computational representation	121	* @return computational representation
124	*/	122	*/
125	gcry_mpi_point_t	123	gcry_mpi_point_t
126	GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,	124	GNUNET_CRYPTO_ecc_bin_to_point(struct GNUNET_CRYPTO_EccDlogContext *edc,
127	const struct GNUNET_CRYPTO_EccPoint *bin)	125	const struct GNUNET_CRYPTO_EccPoint *bin)
128	{	126	{
129	gcry_sexp_t pub_sexpr;	127	gcry_sexp_t pub_sexpr;
130	gcry_ctx_t ctx;	128	gcry_ctx_t ctx;
131	gcry_mpi_point_t q;	129	gcry_mpi_point_t q;
132		130
133	(void) edc;	131	(void)edc;
134	if (0 != gcry_sexp_build (&pub_sexpr, NULL,	132	if (0 != gcry_sexp_build(&pub_sexpr, NULL,
135	"(public-key(ecc(curve " CURVE ")(q %b)))",	133	"(public-key(ecc(curve " CURVE ")(q %b)))",
136	(int) sizeof (bin->q_y),	134	(int)sizeof(bin->q_y),
137	bin->q_y))	135	bin->q_y))
138	{	136	{
139	GNUNET_break (0);	137	GNUNET_break(0);
140	return NULL;	138	return NULL;
141	}	139	}
142	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));	140	GNUNET_assert(0 == gcry_mpi_ec_new(&ctx, pub_sexpr, NULL));
143	gcry_sexp_release (pub_sexpr);	141	gcry_sexp_release(pub_sexpr);
144	q = gcry_mpi_ec_get_point ("q", ctx, 0);	142	q = gcry_mpi_ec_get_point("q", ctx, 0);
145	gcry_ctx_release (ctx);	143	gcry_ctx_release(ctx);
146	return q;	144	return q;
147	}	145	}
148		146
@@ -155,11 +153,11 @@ GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,
155	* @return NULL on error	153	* @return NULL on error
156	*/	154	*/
157	struct GNUNET_CRYPTO_EccDlogContext *	155	struct GNUNET_CRYPTO_EccDlogContext *
158	GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,	156	GNUNET_CRYPTO_ecc_dlog_prepare(unsigned int max,
159	unsigned int mem)	157	unsigned int mem)
160	{	158	{
161	struct GNUNET_CRYPTO_EccDlogContext *edc;	159	struct GNUNET_CRYPTO_EccDlogContext *edc;
162	unsigned int K = ((max + (mem-1)) / mem);	160	unsigned int K = ((max + (mem - 1)) / mem);
163	gcry_mpi_point_t g;	161	gcry_mpi_point_t g;
164	struct GNUNET_PeerIdentity key;	162	struct GNUNET_PeerIdentity key;
165	gcry_mpi_point_t gKi;	163	gcry_mpi_point_t gKi;
@@ -167,50 +165,50 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
167	gcry_mpi_t n;	165	gcry_mpi_t n;
168	unsigned int i;	166	unsigned int i;
169		167
170	GNUNET_assert (max < INT32_MAX);	168	GNUNET_assert(max < INT32_MAX);
171	edc = GNUNET_new (struct GNUNET_CRYPTO_EccDlogContext);	169	edc = GNUNET_new(struct GNUNET_CRYPTO_EccDlogContext);
172	edc->max = max;	170	edc->max = max;
173	edc->mem = mem;	171	edc->mem = mem;
174		172
175	edc->map = GNUNET_CONTAINER_multipeermap_create (mem * 2,	173	edc->map = GNUNET_CONTAINER_multipeermap_create(mem * 2,
176	GNUNET_NO);	174	GNUNET_NO);
177		175
178	GNUNET_assert (0 == gcry_mpi_ec_new (&edc->ctx,	176	GNUNET_assert(0 == gcry_mpi_ec_new(&edc->ctx,
179	NULL,	177	NULL,
180	CURVE));	178	CURVE));
181	g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);	179	g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
182	GNUNET_assert (NULL != g);	180	GNUNET_assert(NULL != g);
183	fact = gcry_mpi_new (0);	181	fact = gcry_mpi_new(0);
184	gKi = gcry_mpi_point_new (0);	182	gKi = gcry_mpi_point_new(0);
185	for (i=0;i<=mem;i++)	183	for (i = 0; i <= mem; i++)
186	{	184	{
187	gcry_mpi_set_ui (fact, i * K);	185	gcry_mpi_set_ui(fact, i * K);
188	gcry_mpi_ec_mul (gKi, fact, g, edc->ctx);	186	gcry_mpi_ec_mul(gKi, fact, g, edc->ctx);
189	extract_pk (gKi, edc->ctx, &key);	187	extract_pk(gKi, edc->ctx, &key);
190	GNUNET_assert (GNUNET_OK ==	188	GNUNET_assert(GNUNET_OK ==
191	GNUNET_CONTAINER_multipeermap_put (edc->map,	189	GNUNET_CONTAINER_multipeermap_put(edc->map,
192	&key,	190	&key,
193	(void*) (long) i + max,	191	(void*)(long)i + max,
194	GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));	192	GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
195	}	193	}
196	/* negative values */	194	/* negative values */
197	n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);	195	n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
198	for (i=1;i<mem;i++)	196	for (i = 1; i < mem; i++)
199	{	197	{
200	gcry_mpi_set_ui (fact, i * K);	198	gcry_mpi_set_ui(fact, i * K);
201	gcry_mpi_sub (fact, n, fact);	199	gcry_mpi_sub(fact, n, fact);
202	gcry_mpi_ec_mul (gKi, fact, g, edc->ctx);	200	gcry_mpi_ec_mul(gKi, fact, g, edc->ctx);
203	extract_pk (gKi, edc->ctx, &key);	201	extract_pk(gKi, edc->ctx, &key);
204	GNUNET_assert (GNUNET_OK ==	202	GNUNET_assert(GNUNET_OK ==
205	GNUNET_CONTAINER_multipeermap_put (edc->map,	203	GNUNET_CONTAINER_multipeermap_put(edc->map,
206	&key,	204	&key,
207	(void*) (long) max - i,	205	(void*)(long)max - i,
208	GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));	206	GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
209	}	207	}
210	gcry_mpi_release (fact);	208	gcry_mpi_release(fact);
211	gcry_mpi_release (n);	209	gcry_mpi_release(n);
212	gcry_mpi_point_release (gKi);	210	gcry_mpi_point_release(gKi);
213	gcry_mpi_point_release (g);	211	gcry_mpi_point_release(g);
214	return edc;	212	return edc;
215	}	213	}
216		214
@@ -223,10 +221,10 @@ GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max,
223	* @return INT_MAX if dlog failed, otherwise the factor	221	* @return INT_MAX if dlog failed, otherwise the factor
224	*/	222	*/
225	int	223	int
226	GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,	224	GNUNET_CRYPTO_ecc_dlog(struct GNUNET_CRYPTO_EccDlogContext *edc,
227	gcry_mpi_point_t input)	225	gcry_mpi_point_t input)
228	{	226	{
229	unsigned int K = ((edc->max + (edc->mem-1)) / edc->mem);	227	unsigned int K = ((edc->max + (edc->mem - 1)) / edc->mem);
230	gcry_mpi_point_t g;	228	gcry_mpi_point_t g;
231	struct GNUNET_PeerIdentity key;	229	struct GNUNET_PeerIdentity key;
232	gcry_mpi_point_t q;	230	gcry_mpi_point_t q;
@@ -234,36 +232,36 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
234	int res;	232	int res;
235	void *retp;	233	void *retp;
236		234
237	g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);	235	g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
238	GNUNET_assert (NULL != g);	236	GNUNET_assert(NULL != g);
239	q = gcry_mpi_point_new (0);	237	q = gcry_mpi_point_new(0);
240		238
241	res = INT_MAX;	239	res = INT_MAX;
242	for (i=0;i<=edc->max/edc->mem;i++)	240	for (i = 0; i <= edc->max / edc->mem; i++)
243	{
244	if (0 == i)
245	extract_pk (input, edc->ctx, &key);
246	else
247	extract_pk (q, edc->ctx, &key);
248	retp = GNUNET_CONTAINER_multipeermap_get (edc->map,
249	&key);
250	if (NULL != retp)
251	{	241	{
252	res = (((long) retp) - edc->max) * K - i;	242	if (0 == i)
253	/* we continue the loop here to make the implementation	243	extract_pk(input, edc->ctx, &key);
254	"constant-time". If we do not care about this, we could just	244	else
255	'break' here and do fewer operations... */	245	extract_pk(q, edc->ctx, &key);
		246	retp = GNUNET_CONTAINER_multipeermap_get(edc->map,
		247	&key);
		248	if (NULL != retp)
		249	{
		250	res = (((long)retp) - edc->max) * K - i;
		251	/* we continue the loop here to make the implementation
		252	"constant-time". If we do not care about this, we could just
		253	'break' here and do fewer operations... */
		254	}
		255	if (i == edc->max / edc->mem)
		256	break;
		257	/* q = q + g */
		258	if (0 == i)
		259	gcry_mpi_ec_add(q, input, g, edc->ctx);
		260	else
		261	gcry_mpi_ec_add(q, q, g, edc->ctx);
256	}	262	}
257	if (i == edc->max/edc->mem)	263	gcry_mpi_point_release(g);
258	break;	264	gcry_mpi_point_release(q);
259	/* q = q + g */
260	if (0 == i)
261	gcry_mpi_ec_add (q, input, g, edc->ctx);
262	else
263	gcry_mpi_ec_add (q, q, g, edc->ctx);
264	}
265	gcry_mpi_point_release (g);
266	gcry_mpi_point_release (q);
267		265
268	return res;	266	return res;
269	}	267	}
@@ -276,29 +274,30 @@ GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
276	* @return random value mod n.	274	* @return random value mod n.
277	*/	275	*/
278	gcry_mpi_t	276	gcry_mpi_t
279	GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)	277	GNUNET_CRYPTO_ecc_random_mod_n(struct GNUNET_CRYPTO_EccDlogContext *edc)
280	{	278	{
281	gcry_mpi_t n;	279	gcry_mpi_t n;
282	unsigned int highbit;	280	unsigned int highbit;
283	gcry_mpi_t r;	281	gcry_mpi_t r;
284		282
285	n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);	283	n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
286		284
287	/* check public key for number of bits, bail out if key is all zeros */	285	/* check public key for number of bits, bail out if key is all zeros */
288	highbit = 256; /* Curve25519 */	286	highbit = 256; /* Curve25519 */
289	while ( (! gcry_mpi_test_bit (n, highbit)) &&	287	while ((!gcry_mpi_test_bit(n, highbit)) &&
290	(0 != highbit) )	288	(0 != highbit))
291	highbit--;	289	highbit--;
292	GNUNET_assert (0 != highbit);	290	GNUNET_assert(0 != highbit);
293	/* generate fact < n (without bias) */	291	/* generate fact < n (without bias) */
294	GNUNET_assert (NULL != (r = gcry_mpi_new (0)));	292	GNUNET_assert(NULL != (r = gcry_mpi_new(0)));
295	do {	293	do
296	gcry_mpi_randomize (r,	294	{
297	highbit + 1,	295	gcry_mpi_randomize(r,
298	GCRY_STRONG_RANDOM);	296	highbit + 1,
299	}	297	GCRY_STRONG_RANDOM);
300	while (gcry_mpi_cmp (r, n) >= 0);	298	}
301	gcry_mpi_release (n);	299	while (gcry_mpi_cmp(r, n) >= 0);
		300	gcry_mpi_release(n);
302	return r;	301	return r;
303	}	302	}
304		303
@@ -309,11 +308,11 @@ GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc)
309	* @param edc dlog context	308	* @param edc dlog context
310	*/	309	*/
311	void	310	void
312	GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc)	311	GNUNET_CRYPTO_ecc_dlog_release(struct GNUNET_CRYPTO_EccDlogContext *edc)
313	{	312	{
314	gcry_ctx_release (edc->ctx);	313	gcry_ctx_release(edc->ctx);
315	GNUNET_CONTAINER_multipeermap_destroy (edc->map);	314	GNUNET_CONTAINER_multipeermap_destroy(edc->map);
316	GNUNET_free (edc);	315	GNUNET_free(edc);
317	}	316	}
318		317
319		318
@@ -331,32 +330,32 @@ GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *edc)
331	* must be freed using #GNUNET_CRYPTO_ecc_free()	330	* must be freed using #GNUNET_CRYPTO_ecc_free()
332	*/	331	*/
333	gcry_mpi_point_t	332	gcry_mpi_point_t
334	GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc,	333	GNUNET_CRYPTO_ecc_dexp(struct GNUNET_CRYPTO_EccDlogContext *edc,
335	int val)	334	int val)
336	{	335	{
337	gcry_mpi_t fact;	336	gcry_mpi_t fact;
338	gcry_mpi_t n;	337	gcry_mpi_t n;
339	gcry_mpi_point_t g;	338	gcry_mpi_point_t g;
340	gcry_mpi_point_t r;	339	gcry_mpi_point_t r;
341		340
342	g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);	341	g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
343	GNUNET_assert (NULL != g);	342	GNUNET_assert(NULL != g);
344	fact = gcry_mpi_new (0);	343	fact = gcry_mpi_new(0);
345	if (val < 0)	344	if (val < 0)
346	{	345	{
347	n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);	346	n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
348	gcry_mpi_set_ui (fact, - val);	347	gcry_mpi_set_ui(fact, -val);
349	gcry_mpi_sub (fact, n, fact);	348	gcry_mpi_sub(fact, n, fact);
350	gcry_mpi_release (n);	349	gcry_mpi_release(n);
351	}	350	}
352	else	351	else
353	{	352	{
354	gcry_mpi_set_ui (fact, val);	353	gcry_mpi_set_ui(fact, val);
355	}	354	}
356	r = gcry_mpi_point_new (0);	355	r = gcry_mpi_point_new(0);
357	gcry_mpi_ec_mul (r, fact, g, edc->ctx);	356	gcry_mpi_ec_mul(r, fact, g, edc->ctx);
358	gcry_mpi_release (fact);	357	gcry_mpi_release(fact);
359	gcry_mpi_point_release (g);	358	gcry_mpi_point_release(g);
360	return r;	359	return r;
361	}	360	}
362		361
@@ -371,17 +370,17 @@ GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc,
371	* must be freed using #GNUNET_CRYPTO_ecc_free()	370	* must be freed using #GNUNET_CRYPTO_ecc_free()
372	*/	371	*/
373	gcry_mpi_point_t	372	gcry_mpi_point_t
374	GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,	373	GNUNET_CRYPTO_ecc_dexp_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
375	gcry_mpi_t val)	374	gcry_mpi_t val)
376	{	375	{
377	gcry_mpi_point_t g;	376	gcry_mpi_point_t g;
378	gcry_mpi_point_t r;	377	gcry_mpi_point_t r;
379		378
380	g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);	379	g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
381	GNUNET_assert (NULL != g);	380	GNUNET_assert(NULL != g);
382	r = gcry_mpi_point_new (0);	381	r = gcry_mpi_point_new(0);
383	gcry_mpi_ec_mul (r, val, g, edc->ctx);	382	gcry_mpi_ec_mul(r, val, g, edc->ctx);
384	gcry_mpi_point_release (g);	383	gcry_mpi_point_release(g);
385	return r;	384	return r;
386	}	385	}
387		386
@@ -395,14 +394,14 @@ GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
395	* @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()	394	* @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()
396	*/	395	*/
397	gcry_mpi_point_t	396	gcry_mpi_point_t
398	GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,	397	GNUNET_CRYPTO_ecc_add(struct GNUNET_CRYPTO_EccDlogContext *edc,
399	gcry_mpi_point_t a,	398	gcry_mpi_point_t a,
400	gcry_mpi_point_t b)	399	gcry_mpi_point_t b)
401	{	400	{
402	gcry_mpi_point_t r;	401	gcry_mpi_point_t r;
403		402
404	r = gcry_mpi_point_new (0);	403	r = gcry_mpi_point_new(0);
405	gcry_mpi_ec_add (r, a, b, edc->ctx);	404	gcry_mpi_ec_add(r, a, b, edc->ctx);
406	return r;	405	return r;
407	}	406	}
408		407
@@ -417,14 +416,14 @@ GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,
417	* must be freed using #GNUNET_CRYPTO_ecc_free()	416	* must be freed using #GNUNET_CRYPTO_ecc_free()
418	*/	417	*/
419	gcry_mpi_point_t	418	gcry_mpi_point_t
420	GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,	419	GNUNET_CRYPTO_ecc_pmul_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
421	gcry_mpi_point_t p,	420	gcry_mpi_point_t p,
422	gcry_mpi_t val)	421	gcry_mpi_t val)
423	{	422	{
424	gcry_mpi_point_t r;	423	gcry_mpi_point_t r;
425		424
426	r = gcry_mpi_point_new (0);	425	r = gcry_mpi_point_new(0);
427	gcry_mpi_ec_mul (r, val, p, edc->ctx);	426	gcry_mpi_ec_mul(r, val, p, edc->ctx);
428	return r;	427	return r;
429	}	428	}
430		429
@@ -439,31 +438,31 @@ GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
439	* @param[out] r_inv set to the additive inverse of @a r	438	* @param[out] r_inv set to the additive inverse of @a r
440	*/	439	*/
441	void	440	void
442	GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,	441	GNUNET_CRYPTO_ecc_rnd(struct GNUNET_CRYPTO_EccDlogContext *edc,
443	gcry_mpi_point_t *r,	442	gcry_mpi_point_t *r,
444	gcry_mpi_point_t *r_inv)	443	gcry_mpi_point_t *r_inv)
445	{	444	{
446	gcry_mpi_t fact;	445	gcry_mpi_t fact;
447	gcry_mpi_t n;	446	gcry_mpi_t n;
448	gcry_mpi_point_t g;	447	gcry_mpi_point_t g;
449		448
450	fact = GNUNET_CRYPTO_ecc_random_mod_n (edc);	449	fact = GNUNET_CRYPTO_ecc_random_mod_n(edc);
451		450
452	/* calculate 'r' */	451	/* calculate 'r' */
453	g = gcry_mpi_ec_get_point ("g", edc->ctx, 0);	452	g = gcry_mpi_ec_get_point("g", edc->ctx, 0);
454	GNUNET_assert (NULL != g);	453	GNUNET_assert(NULL != g);
455	*r = gcry_mpi_point_new (0);	454	*r = gcry_mpi_point_new(0);
456	gcry_mpi_ec_mul (*r, fact, g, edc->ctx);	455	gcry_mpi_ec_mul(*r, fact, g, edc->ctx);
457		456
458	/* calculate 'r_inv' */	457	/* calculate 'r_inv' */
459	n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);	458	n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
460	gcry_mpi_sub (fact, n, fact); /* fact = n - fact = - fact */	459	gcry_mpi_sub(fact, n, fact); /* fact = n - fact = - fact */
461	*r_inv = gcry_mpi_point_new (0);	460	*r_inv = gcry_mpi_point_new(0);
462	gcry_mpi_ec_mul (*r_inv, fact, g, edc->ctx);	461	gcry_mpi_ec_mul(*r_inv, fact, g, edc->ctx);
463		462
464	gcry_mpi_release (n);	463	gcry_mpi_release(n);
465	gcry_mpi_release (fact);	464	gcry_mpi_release(fact);
466	gcry_mpi_point_release (g);	465	gcry_mpi_point_release(g);
467	}	466	}
468		467
469		468
@@ -476,17 +475,17 @@ GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,
476	* @param[out] r_inv set to the multiplicative inverse of @a r	475	* @param[out] r_inv set to the multiplicative inverse of @a r
477	*/	476	*/
478	void	477	void
479	GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,	478	GNUNET_CRYPTO_ecc_rnd_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
480	gcry_mpi_t *r,	479	gcry_mpi_t *r,
481	gcry_mpi_t *r_inv)	480	gcry_mpi_t *r_inv)
482	{	481	{
483	gcry_mpi_t n;	482	gcry_mpi_t n;
484		483
485	*r = GNUNET_CRYPTO_ecc_random_mod_n (edc);	484	*r = GNUNET_CRYPTO_ecc_random_mod_n(edc);
486	/* r_inv = n - r = - r */	485	/* r_inv = n - r = - r */
487	*r_inv = gcry_mpi_new (0);	486	*r_inv = gcry_mpi_new(0);
488	n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1);	487	n = gcry_mpi_ec_get_mpi("n", edc->ctx, 1);
489	gcry_mpi_sub (r_inv, n, r);	488	gcry_mpi_sub(r_inv, n, r);
490	}	489	}
491		490
492		491
@@ -496,9 +495,9 @@ GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
496	* @param p point to free	495	* @param p point to free
497	*/	496	*/
498	void	497	void
499	GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p)	498	GNUNET_CRYPTO_ecc_free(gcry_mpi_point_t p)
500	{	499	{
501	gcry_mpi_point_release (p);	500	gcry_mpi_point_release(p);
502	}	501	}
503		502
504		503