Diffstat (limited to 'src/util/crypto_kdf.c')
-rw-r--r-- | src/util/crypto_kdf.c | 175 |
1 files changed, 0 insertions, 175 deletions
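--- a/src/util/crypto_kdf.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
-This file is part of GNUnet.
-Copyright (C) 2010 GNUnet e.V.
-
-GNUnet is free software: you can redistribute it and/or modify it
-under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License,
-or (at your option) any later version.
-
-GNUnet is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-SPDX-License-Identifier: AGPL3.0-or-later
-*/
-
-/**
-* @file src/util/crypto_kdf.c
-* @brief Key derivation
-* @author Nils Durner
-* @author Jeffrey Burdges <burdges@gnunet.org>
-*/
-
-#include <gcrypt.h>
-
-#include "platform.h"
-#include "gnunet_crypto_lib.h"
-
-#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)
-
-/**
-* @brief Derive key
-* @param result buffer for the derived key, allocated by caller
-* @param out_len desired length of the derived key
-* @param xts salt
-* @param xts_len length of @a xts
-* @param skm source key material
-* @param skm_len length of @a skm
-* @param argp va_list of void * & size_t pairs for context chunks
-* @return #GNUNET_YES on success
-*/
-int
-GNUNET_CRYPTO_kdf_v (void *result,
-size_t out_len,
-const void *xts,
-size_t xts_len,
-const void *skm,
-size_t skm_len,
-va_list argp)
-{
-/*
-* "Finally, we point out to a particularly advantageous instantiation using
-* HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
-* truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
-* stronger hash function due to the unconventional demand from the hash function in the extraction
-* setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
-* allows to prove the security of HKDF under considerably weaker assumptions on the underlying
-* hash function."
-*
-* http://eprint.iacr.org/2010/264
-*///
-return GNUNET_CRYPTO_hkdf_v (result,
-out_len,
-GCRY_MD_SHA512,
-GCRY_MD_SHA256,
-xts,
-xts_len,
-skm,
-skm_len,
-argp);
-}
-
-
-/**
-* @brief Derive key
-* @param result buffer for the derived key, allocated by caller
-* @param out_len desired length of the derived key
-* @param xts salt
-* @param xts_len length of @a xts
-* @param skm source key material
-* @param skm_len length of @a skm
-* @param ... void * & size_t pairs for context chunks
-* @return #GNUNET_YES on success
-*/
-int
-GNUNET_CRYPTO_kdf (void *result,
-size_t out_len,
-const void *xts,
-size_t xts_len,
-const void *skm,
-size_t skm_len, ...)
-{
-va_list argp;
-int ret;
-
-va_start (argp, skm_len);
-ret = GNUNET_CRYPTO_kdf_v (result,
-out_len,
-xts,
-xts_len,
-skm,
-skm_len,
-argp);
-va_end (argp);
-
-return ret;
-}
-
-
-/**
-* Deterministically generate a pseudo-random number uniformly from the
-* integers modulo a libgcrypt mpi.
-*
-* @param[out] r MPI value set to the FDH
-* @param n MPI to work modulo
-* @param xts salt
-* @param xts_len length of @a xts
-* @param skm source key material
-* @param skm_len length of @a skm
-* @param ctx context string
-*/
-void
-GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
-gcry_mpi_t n,
-const void *xts, size_t xts_len,
-const void *skm, size_t skm_len,
-const char *ctx)
-{
-gcry_error_t rc;
-unsigned int nbits;
-size_t rsize;
-uint16_t ctr;
-
-nbits = gcry_mpi_get_nbits (n);
-/* GNUNET_assert (nbits > 512); */
-
-ctr = 0;
-while (1)
-{
-/* Ain't clear if n is always divisible by 8 */
-uint8_t buf[ (nbits - 1) / 8 + 1 ];
-uint16_t ctr_nbo = htons (ctr);
-
-rc = GNUNET_CRYPTO_kdf (buf,
-sizeof(buf),
-xts, xts_len,
-skm, skm_len,
-ctx, strlen (ctx),
-&ctr_nbo, sizeof(ctr_nbo),
-NULL, 0);
-GNUNET_assert (GNUNET_YES == rc);
-
-rc = gcry_mpi_scan (r,
-GCRYMPI_FMT_USG,
-(const unsigned char *) buf,
-sizeof(buf),
-&rsize);
-GNUNET_assert (0 == rc); /* Allocation error? */
-
-gcry_mpi_clear_highbit (*r, nbits);
-GNUNET_assert (0 == gcry_mpi_test_bit (*r, nbits));
-++ctr;
-/* We reject this FDH if either *r > n and retry with another ctr */
-if (0 > gcry_mpi_cmp (*r, n))
-break;
-gcry_mpi_release (*r);
-}
-}
-
-
-/* end of crypto_kdf.c */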