Diffstat (limited to 'src/util/crypto_kdf.c')
-rw-r--r-- | src/util/crypto_kdf.c | 144 |
1 files changed, 0 insertions, 144 deletions
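diff --git a/src/util/crypto_kdf.c b/src/util/crypto_kdf.c
deleted file mode 100644
index f577e0f7a..000000000
--- a/src/util/crypto_kdf.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
-This file is part of GNUnet.
-Copyright (C) 2010 GNUnet e.V.
-
-GNUnet is free software: you can redistribute it and/or modify it
-under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License,
-or (at your option) any later version.
-
-GNUnet is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-SPDX-License-Identifier: AGPL3.0-or-later
-*/
-
-/**
-* @file src/util/crypto_kdf.c
-* @brief Key derivation
-* @author Nils Durner
-* @author Jeffrey Burdges <burdges@gnunet.org>
-*/
-
-#include <gcrypt.h>
-
-#include "platform.h"
-#include "gnunet_crypto_lib.h"
-
-#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)
-
-
-enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_kdf_v (void *result,
-size_t out_len,
-const void *xts,
-size_t xts_len,
-const void *skm,
-size_t skm_len,
-va_list argp)
-{
-/*
-* "Finally, we point out to a particularly advantageous instantiation using
-* HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
-* truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
-* stronger hash function due to the unconventional demand from the hash function in the extraction
-* setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
-* allows to prove the security of HKDF under considerably weaker assumptions on the underlying
-* hash function."
-*
-* http://eprint.iacr.org/2010/264
-*/
-return GNUNET_CRYPTO_hkdf_v (result,
-out_len,
-GCRY_MD_SHA512,
-GCRY_MD_SHA256,
-xts,
-xts_len,
-skm,
-skm_len,
-argp);
-}
-
-
-enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_kdf (void *result,
-size_t out_len,
-const void *xts,
-size_t xts_len,
-const void *skm,
-size_t skm_len, ...)
-{
-va_list argp;
-int ret;
-
-va_start (argp, skm_len);
-ret = GNUNET_CRYPTO_kdf_v (result,
-out_len,
-xts,
-xts_len,
-skm,
-skm_len,
-argp);
-va_end (argp);
-
-return ret;
-}
-
-
-void
-GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
-gcry_mpi_t n,
-const void *xts, size_t xts_len,
-const void *skm, size_t skm_len,
-const char *ctx)
-{
-gcry_error_t rc;
-unsigned int nbits;
-size_t rsize;
-uint16_t ctr;
-
-nbits = gcry_mpi_get_nbits (n);
-/* GNUNET_assert (nbits > 512); */
-ctr = 0;
-while (1)
-{
-/* Ain't clear if n is always divisible by 8 */
-size_t bsize = (nbits - 1) / 8 + 1;
-uint8_t buf[bsize];
-uint16_t ctr_nbo = htons (ctr);
-
-rc = GNUNET_CRYPTO_kdf (buf,
-bsize,
-xts, xts_len,
-skm, skm_len,
-ctx, strlen (ctx),
-&ctr_nbo, sizeof(ctr_nbo),
-NULL, 0);
-GNUNET_assert (GNUNET_YES == rc);
-rc = gcry_mpi_scan (r,
-GCRYMPI_FMT_USG,
-(const unsigned char *) buf,
-bsize,
-&rsize);
-GNUNET_assert (GPG_ERR_NO_ERROR == rc); /* Allocation error? */
-GNUNET_assert (rsize == bsize);
-gcry_mpi_clear_highbit (*r,
-nbits);
-GNUNET_assert (0 ==
-gcry_mpi_test_bit (*r,
-nbits));
-++ctr;
-/* We reject this FDH if either *r > n and retry with another ctr */
-if (0 > gcry_mpi_cmp (*r, n))
-break;
-gcry_mpi_release (*r);
-}
-}
-
-
-/* end of crypto_kdf.c */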