1 files changed, 0 insertions, 445 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
deleted file mode 100644
index ce41a4699..000000000
--- a/src/util/crypto_ecc_gnsrecord.c
+++ /dev/null
@@ -1,445 +0,0 @@
-/*
-     This file is part of GNUnet.
-     Copyright (C) 2012, 2013, 2015 GNUnet e.V.
-     GNUnet is free software: you can redistribute it and/or modify it
-     under the terms of the GNU Affero General Public License as published
-     by the Free Software Foundation, either version 3 of the License,
-     or (at your option) any later version.
-     GNUnet is distributed in the hope that it will be useful, but
-     WITHOUT ANY WARRANTY; without even the implied warranty of
-     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-     Affero General Public License for more details.
-     You should have received a copy of the GNU Affero General Public License
-     along with this program.  If not, see <http://www.gnu.org/licenses/>.
-     SPDX-License-Identifier: AGPL3.0-or-later
- */
-/**
- * @file util/crypto_ecc_gnsrecord.c
- * @brief public key cryptography (ECC) for GNS records (LSD0001)
- * @author Christian Grothoff
- * @author Florian Dold
- * @author Martin Schanzenbach
- */
-#include "platform.h"
-#include <gcrypt.h>
-#include <sodium.h>
-#include "gnunet_crypto_lib.h"
-#include "gnunet_strings_lib.h"
-#define CURVE "Ed25519"
-/**
- * Derive the 'h' value for key derivation, where
- * 'h = H(l,P)'.
- *
- * @param pub public key for deriviation
- * @param pubsize the size of the public key
- * @param label label for deriviation
- * @param context additional context to use for HKDF of 'h';
- *        typically the name of the subsystem/application
- * @param hc where to write the result
- */
-void
-derive_h (const void *pub,
-          size_t pubsize,
-          const char *label,
-          const char *context,
-          struct GNUNET_HashCode *hc)
-{
-  static const char *const salt = "key-derivation";
-  GNUNET_CRYPTO_kdf (hc,
-                     sizeof(*hc),
-                     salt,
-                     strlen (salt),
-                     pub,
-                     pubsize,
-                     label,
-                     strlen (label),
-                     context,
-                     strlen (context),
-                     NULL,
-                     0);
-}
-/**
- * This is a signature function for EdDSA which takes the
- * secret scalar sk instead of the private seed which is
- * usually the case for crypto APIs. We require this functionality
- * in order to use derived private keys for signatures we
- * cannot calculate the inverse of a sk to find the seed
- * efficiently.
- *
- * The resulting signature is a standard EdDSA signature
- * which can be verified using the usual APIs.
- *
- * @param sk the secret scalar
- * @param purp the signature purpose
- * @param sig the resulting signature
- */
-void
-GNUNET_CRYPTO_eddsa_sign_with_scalar (
-  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
-  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
-  struct GNUNET_CRYPTO_EddsaSignature *sig)
-{
-  crypto_hash_sha512_state hs;
-  unsigned char sk[64];
-  unsigned char r[64];
-  unsigned char hram[64];
-  unsigned char R[32];
-  unsigned char zk[32];
-  unsigned char tmp[32];
-  crypto_hash_sha512_init (&hs);
-  /**
-   * Instead of expanding the private here, we already
-   * have the secret scalar as input. Use it.
-   * Note that sk is not plain SHA512 (d).
-   * sk[0..31] contains the derived private scalar
-   * sk[0..31] = h * SHA512 (d)[0..31]
-   * sk[32..63] = SHA512 (d)[32..63]
-   */
-  memcpy (sk, priv->s, 64);
-  /**
-   * Calculate the derived zone key zk' from the
-   * derived private scalar.
-   */
-  crypto_scalarmult_ed25519_base_noclamp (zk,
-                                          sk);
-  /**
-   * Calculate r:
-   * r = SHA512 (sk[32..63] | M)
-   * where M is our message (purpose).
-   * Note that sk[32..63] is the other half of the
-   * expansion from the original, non-derived private key
-   * "d".
-   */
-  crypto_hash_sha512_update (&hs, sk + 32, 32);
-  crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
-  crypto_hash_sha512_final (&hs, r);
-  /**
-   * Temporarily put zk into S
-   */
-  memcpy (sig->s, zk, 32);
-  /**
-   * Reduce the scalar value r
-   */
-  unsigned char r_mod[64];
-  crypto_core_ed25519_scalar_reduce (r_mod, r);
-  /**
-   * Calculate R := r * G of the signature
-   */
-  crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
-  memcpy (sig->r, R, sizeof (R));
-  /**
-   * Calculate
-   * hram := SHA512 (R | zk' | M)
-   */
-  crypto_hash_sha512_init (&hs);
-  crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
-  crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
-                             ntohl (purpose->size));
-  crypto_hash_sha512_final (&hs, hram);
-  /**
-   * Reduce the resulting scalar value
-   */
-  unsigned char hram_mod[64];
-  crypto_core_ed25519_scalar_reduce (hram_mod, hram);
-  /**
-   * Calculate
-   * S := r + hram * s mod L
-   */
-  crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
-  crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
-  sodium_memzero (sk, sizeof (sk));
-  sodium_memzero (r, sizeof (r));
-  sodium_memzero (r_mod, sizeof (r_mod));
-}
-struct GNUNET_CRYPTO_EcdsaPrivateKey *
-GNUNET_CRYPTO_ecdsa_private_key_derive (
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
-  const char *label,
-  const char *context)
-{
-  struct GNUNET_CRYPTO_EcdsaPublicKey pub;
-  struct GNUNET_CRYPTO_EcdsaPrivateKey *ret;
-  struct GNUNET_HashCode hc;
-  uint8_t dc[32];
-  gcry_mpi_t h;
-  gcry_mpi_t x;
-  gcry_mpi_t d;
-  gcry_mpi_t n;
-  gcry_ctx_t ctx;
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
-  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
-  GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
-  derive_h (&pub, sizeof (pub), label, context, &hc);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
-  /* Convert to big endian for libgcrypt */
-  for (size_t i = 0; i < 32; i++)
-    dc[i] = priv->d[31 - i];
-  GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc));
-  d = gcry_mpi_new (256);
-  gcry_mpi_mulm (d, h, x, n);
-  gcry_mpi_release (h);
-  gcry_mpi_release (x);
-  gcry_mpi_release (n);
-  gcry_ctx_release (ctx);
-  ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
-  GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
-  /* Convert to big endian for libgcrypt */
-  for (size_t i = 0; i < 32; i++)
-    ret->d[i] = dc[31 - i];
-  sodium_memzero (dc, sizeof(dc));
-  gcry_mpi_release (d);
-  return ret;
-}
-void
-GNUNET_CRYPTO_ecdsa_public_key_derive (
-  const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
-  const char *label,
-  const char *context,
-  struct GNUNET_CRYPTO_EcdsaPublicKey *result)
-{
-  struct GNUNET_HashCode hc;
-  gcry_ctx_t ctx;
-  gcry_mpi_t q_y;
-  gcry_mpi_t h;
-  gcry_mpi_t n;
-  gcry_mpi_t h_mod_n;
-  gcry_mpi_point_t q;
-  gcry_mpi_point_t v;
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
-  /* obtain point 'q' from original public key.  The provided 'q' is
-     compressed thus we first store it in the context and then get it
-     back as a (decompresssed) point.  */
-  q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
-  GNUNET_assert (NULL != q_y);
-  GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
-  gcry_mpi_release (q_y);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  GNUNET_assert (q);
-  /* calculate h_mod_n = h % n */
-  derive_h (pub, sizeof (*pub), label, context, &hc);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
-  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
-  h_mod_n = gcry_mpi_new (256);
-  gcry_mpi_mod (h_mod_n, h, n);
-  /* calculate v = h_mod_n * q */
-  v = gcry_mpi_point_new (0);
-  gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
-  gcry_mpi_release (h_mod_n);
-  gcry_mpi_release (h);
-  gcry_mpi_release (n);
-  gcry_mpi_point_release (q);
-  /* convert point 'v' to public key that we return */
-  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
-  gcry_mpi_point_release (v);
-  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
-  GNUNET_assert (q_y);
-  GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
-  gcry_mpi_release (q_y);
-  gcry_ctx_release (ctx);
-}
-void
-GNUNET_CRYPTO_eddsa_private_key_derive (
-  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
-  const char *label,
-  const char *context,
-  struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
-{
-  struct GNUNET_CRYPTO_EddsaPublicKey pub;
-  struct GNUNET_HashCode hc;
-  uint8_t dc[32];
-  unsigned char sk[64];
-  gcry_mpi_t h;
-  gcry_mpi_t h_mod_n;
-  gcry_mpi_t x;
-  gcry_mpi_t d;
-  gcry_mpi_t n;
-  gcry_mpi_t a1;
-  gcry_mpi_t a2;
-  gcry_ctx_t ctx;
-  /**
-   * Libsodium does not offer an API with arbitrary arithmetic.
-   * Hence we have to use libgcrypt here.
-   */
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
-  /**
-   * Get our modulo
-   */
-  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
-  GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
-  /**
-   * This is the standard private key expansion in Ed25519.
-   * The first 32 octets are used as a little-endian private
-   * scalar.
-   * We derive this scalar using our "h".
-   */
-  crypto_hash_sha512 (sk, priv->d, 32);
-  sk[0] &= 248;
-  sk[31] &= 127;
-  sk[31] |= 64;
-  /**
-   * Get h mod n
-   */
-  derive_h (&pub, sizeof (pub), label, context, &hc);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
-  h_mod_n = gcry_mpi_new (256);
-  gcry_mpi_mod (h_mod_n, h, n);
-  /* Convert scalar to big endian for libgcrypt */
-  for (size_t i = 0; i < 32; i++)
-    dc[i] = sk[31 - i];
-  /**
-   * dc now contains the private scalar "a".
-   * We carefully remove the clamping and derive a'.
-   * Calculate:
-   * a1 := a / 8
-   * a2 := h * a1 mod n
-   * a' := a2 * 8 mod n
-   */
-  GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc)); // a
-  a1 = gcry_mpi_new (256);
-  gcry_mpi_t eight = gcry_mpi_set_ui (NULL, 8);
-  gcry_mpi_div (a1, NULL, x, eight, 0); // a1 := a / 8
-  a2 = gcry_mpi_new (256);
-  gcry_mpi_mulm (a2, h_mod_n, a1, n); // a2 := h * a1 mod n
-  d = gcry_mpi_new (256);
-  gcry_mpi_mul (d, a2, eight); // a' := a2 * 8
-  gcry_mpi_release (h);
-  gcry_mpi_release (x);
-  gcry_mpi_release (n);
-  gcry_mpi_release (a1);
-  gcry_mpi_release (a2);
-  gcry_ctx_release (ctx);
-  GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
-  /**
-   * We hash the derived "h" parameter with the
-   * other half of the expanded private key. This ensures
-   * that for signature generation, the "R" is derived from
-   * the same derivation path as "h" and is not reused.
-   */
-  crypto_hash_sha256_state hs;
-  crypto_hash_sha256_init (&hs);
-  crypto_hash_sha256_update (&hs, sk + 32, 32);
-  crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
-  crypto_hash_sha256_final (&hs, result->s + 32);
-  //memcpy (result->s, sk, sizeof (sk));
-  /* Convert to little endian for libsodium */
-  for (size_t i = 0; i < 32; i++)
-    result->s[i] = dc[31 - i];
-  sodium_memzero (dc, sizeof(dc));
-  gcry_mpi_release (d);
-}
-void
-GNUNET_CRYPTO_eddsa_public_key_derive (
-  const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
-  const char *label,
-  const char *context,
-  struct GNUNET_CRYPTO_EddsaPublicKey *result)
-{
-  struct GNUNET_HashCode hc;
-  gcry_ctx_t ctx;
-  gcry_mpi_t q_y;
-  gcry_mpi_t h;
-  gcry_mpi_t n;
-  gcry_mpi_t h_mod_n;
-  gcry_mpi_point_t q;
-  gcry_mpi_point_t v;
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
-  /* obtain point 'q' from original public key.  The provided 'q' is
-     compressed thus we first store it in the context and then get it
-     back as a (decompresssed) point.  */
-  q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
-  GNUNET_assert (NULL != q_y);
-  GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
-  gcry_mpi_release (q_y);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  GNUNET_assert (q);
-  /* calculate h_mod_n = h % n */
-  derive_h (pub, sizeof (*pub), label, context, &hc);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
-  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
-  h_mod_n = gcry_mpi_new (256);
-  gcry_mpi_mod (h_mod_n, h, n);
-  /* calculate v = h_mod_n * q */
-  v = gcry_mpi_point_new (0);
-  gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
-  gcry_mpi_release (h_mod_n);
-  gcry_mpi_release (h);
-  gcry_mpi_release (n);
-  gcry_mpi_point_release (q);
-  /* convert point 'v' to public key that we return */
-  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
-  gcry_mpi_point_release (v);
-  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
-  GNUNET_assert (q_y);
-  GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
-  gcry_mpi_release (q_y);
-  gcry_ctx_release (ctx);
-}
-void
-GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
-  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
-  struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
-{
-  unsigned char sk[32];
-  memcpy (sk, priv->s, 32);
-  /**
-   * Calculate the derived zone key zk' from the
-   * derived private scalar.
-   */
-  crypto_scalarmult_ed25519_base_noclamp (pkey->q_y,
-                                          sk);
-}

diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c deleted file mode 100644 index ce41a4699..000000000 --- a/src/util/crypto_ecc_gnsrecord.c +++ /dev/null
@@ -1,445 +0,0 @@
1	/*
2	This file is part of GNUnet.
3	Copyright (C) 2012, 2013, 2015 GNUnet e.V.
4
5	GNUnet is free software: you can redistribute it and/or modify it
6	under the terms of the GNU Affero General Public License as published
7	by the Free Software Foundation, either version 3 of the License,
8	or (at your option) any later version.
9
10	GNUnet is distributed in the hope that it will be useful, but
11	WITHOUT ANY WARRANTY; without even the implied warranty of
12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13	Affero General Public License for more details.
14
15	You should have received a copy of the GNU Affero General Public License
16	along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18	SPDX-License-Identifier: AGPL3.0-or-later
19	*/
20
21	/**
22	* @file util/crypto_ecc_gnsrecord.c
23	* @brief public key cryptography (ECC) for GNS records (LSD0001)
24	* @author Christian Grothoff
25	* @author Florian Dold
26	* @author Martin Schanzenbach
27	*/
28	#include "platform.h"
29	#include <gcrypt.h>
30	#include <sodium.h>
31	#include "gnunet_crypto_lib.h"
32	#include "gnunet_strings_lib.h"
33
34	#define CURVE "Ed25519"
35
36	/**
37	* Derive the 'h' value for key derivation, where
38	* 'h = H(l,P)'.
39	*
40	* @param pub public key for deriviation
41	* @param pubsize the size of the public key
42	* @param label label for deriviation
43	* @param context additional context to use for HKDF of 'h';
44	* typically the name of the subsystem/application
45	* @param hc where to write the result
46	*/
47	void
48	derive_h (const void *pub,
49	size_t pubsize,
50	const char *label,
51	const char *context,
52	struct GNUNET_HashCode *hc)
53	{
54	static const char *const salt = "key-derivation";
55
56	GNUNET_CRYPTO_kdf (hc,
57	sizeof(*hc),
58	salt,
59	strlen (salt),
60	pub,
61	pubsize,
62	label,
63	strlen (label),
64	context,
65	strlen (context),
66	NULL,
67	0);
68	}
69
70
71	/**
72	* This is a signature function for EdDSA which takes the
73	* secret scalar sk instead of the private seed which is
74	* usually the case for crypto APIs. We require this functionality
75	* in order to use derived private keys for signatures we
76	* cannot calculate the inverse of a sk to find the seed
77	* efficiently.
78	*
79	* The resulting signature is a standard EdDSA signature
80	* which can be verified using the usual APIs.
81	*
82	* @param sk the secret scalar
83	* @param purp the signature purpose
84	* @param sig the resulting signature
85	*/
86	void
87	GNUNET_CRYPTO_eddsa_sign_with_scalar (
88	const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
89	const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
90	struct GNUNET_CRYPTO_EddsaSignature *sig)
91	{
92
93	crypto_hash_sha512_state hs;
94	unsigned char sk[64];
95	unsigned char r[64];
96	unsigned char hram[64];
97	unsigned char R[32];
98	unsigned char zk[32];
99	unsigned char tmp[32];
100
101	crypto_hash_sha512_init (&hs);
102
103	/**
104	* Instead of expanding the private here, we already
105	* have the secret scalar as input. Use it.
106	* Note that sk is not plain SHA512 (d).
107	* sk[0..31] contains the derived private scalar
108	* sk[0..31] = h * SHA512 (d)[0..31]
109	* sk[32..63] = SHA512 (d)[32..63]
110	*/
111	memcpy (sk, priv->s, 64);
112
113	/**
114	* Calculate the derived zone key zk' from the
115	* derived private scalar.
116	*/
117	crypto_scalarmult_ed25519_base_noclamp (zk,
118	sk);
119
120	/**
121	* Calculate r:
122	* r = SHA512 (sk[32..63] \| M)
123	* where M is our message (purpose).
124	* Note that sk[32..63] is the other half of the
125	* expansion from the original, non-derived private key
126	* "d".
127	*/
128	crypto_hash_sha512_update (&hs, sk + 32, 32);
129	crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
130	crypto_hash_sha512_final (&hs, r);
131
132	/**
133	* Temporarily put zk into S
134	*/
135	memcpy (sig->s, zk, 32);
136
137	/**
138	* Reduce the scalar value r
139	*/
140	unsigned char r_mod[64];
141	crypto_core_ed25519_scalar_reduce (r_mod, r);
142
143	/**
144	* Calculate R := r * G of the signature
145	*/
146	crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
147	memcpy (sig->r, R, sizeof (R));
148
149	/**
150	* Calculate
151	* hram := SHA512 (R \| zk' \| M)
152	*/
153	crypto_hash_sha512_init (&hs);
154	crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
155	crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
156	ntohl (purpose->size));
157	crypto_hash_sha512_final (&hs, hram);
158
159	/**
160	* Reduce the resulting scalar value
161	*/
162	unsigned char hram_mod[64];
163	crypto_core_ed25519_scalar_reduce (hram_mod, hram);
164
165	/**
166	* Calculate
167	* S := r + hram * s mod L
168	*/
169	crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
170	crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
171
172	sodium_memzero (sk, sizeof (sk));
173	sodium_memzero (r, sizeof (r));
174	sodium_memzero (r_mod, sizeof (r_mod));
175	}
176
177
178	struct GNUNET_CRYPTO_EcdsaPrivateKey *
179	GNUNET_CRYPTO_ecdsa_private_key_derive (
180	const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
181	const char *label,
182	const char *context)
183	{
184	struct GNUNET_CRYPTO_EcdsaPublicKey pub;
185	struct GNUNET_CRYPTO_EcdsaPrivateKey *ret;
186	struct GNUNET_HashCode hc;
187	uint8_t dc[32];
188	gcry_mpi_t h;
189	gcry_mpi_t x;
190	gcry_mpi_t d;
191	gcry_mpi_t n;
192	gcry_ctx_t ctx;
193
194	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
195
196	n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
197	GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
198
199	derive_h (&pub, sizeof (pub), label, context, &hc);
200	GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
201
202	/* Convert to big endian for libgcrypt */
203	for (size_t i = 0; i < 32; i++)
204	dc[i] = priv->d[31 - i];
205	GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc));
206	d = gcry_mpi_new (256);
207	gcry_mpi_mulm (d, h, x, n);
208	gcry_mpi_release (h);
209	gcry_mpi_release (x);
210	gcry_mpi_release (n);
211	gcry_ctx_release (ctx);
212	ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
213	GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
214	/* Convert to big endian for libgcrypt */
215	for (size_t i = 0; i < 32; i++)
216	ret->d[i] = dc[31 - i];
217	sodium_memzero (dc, sizeof(dc));
218	gcry_mpi_release (d);
219	return ret;
220	}
221
222
223	void
224	GNUNET_CRYPTO_ecdsa_public_key_derive (
225	const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
226	const char *label,
227	const char *context,
228	struct GNUNET_CRYPTO_EcdsaPublicKey *result)
229	{
230	struct GNUNET_HashCode hc;
231	gcry_ctx_t ctx;
232	gcry_mpi_t q_y;
233	gcry_mpi_t h;
234	gcry_mpi_t n;
235	gcry_mpi_t h_mod_n;
236	gcry_mpi_point_t q;
237	gcry_mpi_point_t v;
238
239	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
240
241	/* obtain point 'q' from original public key. The provided 'q' is
242	compressed thus we first store it in the context and then get it
243	back as a (decompresssed) point. */
244	q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
245	GNUNET_assert (NULL != q_y);
246	GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
247	gcry_mpi_release (q_y);
248	q = gcry_mpi_ec_get_point ("q", ctx, 0);
249	GNUNET_assert (q);
250
251	/* calculate h_mod_n = h % n */
252	derive_h (pub, sizeof (*pub), label, context, &hc);
253	GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
254	n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
255	h_mod_n = gcry_mpi_new (256);
256	gcry_mpi_mod (h_mod_n, h, n);
257	/* calculate v = h_mod_n * q */
258	v = gcry_mpi_point_new (0);
259	gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
260	gcry_mpi_release (h_mod_n);
261	gcry_mpi_release (h);
262	gcry_mpi_release (n);
263	gcry_mpi_point_release (q);
264
265	/* convert point 'v' to public key that we return */
266	GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
267	gcry_mpi_point_release (v);
268	q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
269	GNUNET_assert (q_y);
270	GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
271	gcry_mpi_release (q_y);
272	gcry_ctx_release (ctx);
273	}
274
275
276	void
277	GNUNET_CRYPTO_eddsa_private_key_derive (
278	const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
279	const char *label,
280	const char *context,
281	struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
282	{
283	struct GNUNET_CRYPTO_EddsaPublicKey pub;
284	struct GNUNET_HashCode hc;
285	uint8_t dc[32];
286	unsigned char sk[64];
287	gcry_mpi_t h;
288	gcry_mpi_t h_mod_n;
289	gcry_mpi_t x;
290	gcry_mpi_t d;
291	gcry_mpi_t n;
292	gcry_mpi_t a1;
293	gcry_mpi_t a2;
294	gcry_ctx_t ctx;
295
296	/**
297	* Libsodium does not offer an API with arbitrary arithmetic.
298	* Hence we have to use libgcrypt here.
299	*/
300	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
301
302	/**
303	* Get our modulo
304	*/
305	n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
306	GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
307
308	/**
309	* This is the standard private key expansion in Ed25519.
310	* The first 32 octets are used as a little-endian private
311	* scalar.
312	* We derive this scalar using our "h".
313	*/
314	crypto_hash_sha512 (sk, priv->d, 32);
315	sk[0] &= 248;
316	sk[31] &= 127;
317	sk[31] \|= 64;
318
319	/**
320	* Get h mod n
321	*/
322	derive_h (&pub, sizeof (pub), label, context, &hc);
323	GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
324	h_mod_n = gcry_mpi_new (256);
325	gcry_mpi_mod (h_mod_n, h, n);
326	/* Convert scalar to big endian for libgcrypt */
327	for (size_t i = 0; i < 32; i++)
328	dc[i] = sk[31 - i];
329
330	/**
331	* dc now contains the private scalar "a".
332	* We carefully remove the clamping and derive a'.
333	* Calculate:
334	* a1 := a / 8
335	* a2 := h * a1 mod n
336	* a' := a2 * 8 mod n
337	*/
338	GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc)); // a
339	a1 = gcry_mpi_new (256);
340	gcry_mpi_t eight = gcry_mpi_set_ui (NULL, 8);
341	gcry_mpi_div (a1, NULL, x, eight, 0); // a1 := a / 8
342	a2 = gcry_mpi_new (256);
343	gcry_mpi_mulm (a2, h_mod_n, a1, n); // a2 := h * a1 mod n
344	d = gcry_mpi_new (256);
345	gcry_mpi_mul (d, a2, eight); // a' := a2 * 8
346	gcry_mpi_release (h);
347	gcry_mpi_release (x);
348	gcry_mpi_release (n);
349	gcry_mpi_release (a1);
350	gcry_mpi_release (a2);
351	gcry_ctx_release (ctx);
352	GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
353	/**
354	* We hash the derived "h" parameter with the
355	* other half of the expanded private key. This ensures
356	* that for signature generation, the "R" is derived from
357	* the same derivation path as "h" and is not reused.
358	*/
359	crypto_hash_sha256_state hs;
360	crypto_hash_sha256_init (&hs);
361	crypto_hash_sha256_update (&hs, sk + 32, 32);
362	crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
363	crypto_hash_sha256_final (&hs, result->s + 32);
364	//memcpy (result->s, sk, sizeof (sk));
365	/* Convert to little endian for libsodium */
366	for (size_t i = 0; i < 32; i++)
367	result->s[i] = dc[31 - i];
368
369	sodium_memzero (dc, sizeof(dc));
370	gcry_mpi_release (d);
371	}
372
373
374	void
375	GNUNET_CRYPTO_eddsa_public_key_derive (
376	const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
377	const char *label,
378	const char *context,
379	struct GNUNET_CRYPTO_EddsaPublicKey *result)
380	{
381	struct GNUNET_HashCode hc;
382	gcry_ctx_t ctx;
383	gcry_mpi_t q_y;
384	gcry_mpi_t h;
385	gcry_mpi_t n;
386	gcry_mpi_t h_mod_n;
387	gcry_mpi_point_t q;
388	gcry_mpi_point_t v;
389
390	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
391
392	/* obtain point 'q' from original public key. The provided 'q' is
393	compressed thus we first store it in the context and then get it
394	back as a (decompresssed) point. */
395	q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
396	GNUNET_assert (NULL != q_y);
397	GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
398	gcry_mpi_release (q_y);
399	q = gcry_mpi_ec_get_point ("q", ctx, 0);
400	GNUNET_assert (q);
401
402	/* calculate h_mod_n = h % n */
403	derive_h (pub, sizeof (*pub), label, context, &hc);
404	GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
405
406	n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
407	h_mod_n = gcry_mpi_new (256);
408	gcry_mpi_mod (h_mod_n, h, n);
409
410	/* calculate v = h_mod_n * q */
411	v = gcry_mpi_point_new (0);
412	gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
413	gcry_mpi_release (h_mod_n);
414	gcry_mpi_release (h);
415	gcry_mpi_release (n);
416	gcry_mpi_point_release (q);
417
418	/* convert point 'v' to public key that we return */
419	GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
420	gcry_mpi_point_release (v);
421	q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
422	GNUNET_assert (q_y);
423	GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
424	gcry_mpi_release (q_y);
425	gcry_ctx_release (ctx);
426
427	}
428
429
430	void
431	GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
432	const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
433	struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
434	{
435	unsigned char sk[32];
436
437	memcpy (sk, priv->s, 32);
438
439	/**
440	* Calculate the derived zone key zk' from the
441	* derived private scalar.
442	*/
443	crypto_scalarmult_ed25519_base_noclamp (pkey->q_y,
444	sk);
445	}