9 files changed, 660 insertions, 131 deletions
diff --git a/src/util/.gitignore b/src/util/.gitignore
index 01ebcc834..84c13708e 100644
--- a/src/util/.gitignore
+++ b/src/util/.gitignore
@@ -1,6 +1,7 @@
 test_common_logging_dummy
 gnunet-config
 gnunet-config-diff
+gnunet-crypto-tvg
 gnunet-ecc
 gnunet-qr
 gnunet-resolver
@@ -30,6 +31,7 @@ test_container_multihashmap32
 test_container_multipeermap
 test_crypto_crc
 test_crypto_ecc_dlog
+test_crypto_ecdh_ecdsa
 test_crypto_ecdh_eddsa
 test_crypto_ecdhe
 test_crypto_ecdsa
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 0f6251f96..fc8f424dc 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -39,6 +39,7 @@ libgnunetutil_la_SOURCES = \
  bandwidth.c \
  $(BENCHMARK) \
  bio.c \
+  buffer.c \
  client.c \
  common_allocation.c \
  common_endian.c \
@@ -138,41 +139,11 @@ libgnunetutil_la_LDFLAGS = \
  $(GN_LIB_LDFLAGS) \
  -version-info 13:2:0
-libgnunetutil_taler_wallet_la_SOURCES = \
-  common_allocation.c \
-  common_endian.c \
-  common_logging.c \
-  container_heap.c \
-  container_multihashmap.c \
-  container_multihashmap32.c \
-  crypto_symmetric.c \
-  crypto_crc.c \
-  crypto_ecc.c \
-  crypto_hash.c \
-  crypto_hkdf.c \
-  crypto_kdf.c \
-  crypto_mpi.c \
-  crypto_random.c \
-  crypto_rsa.c \
-  strings.c \
-  time.c
-libgnunetutil_taler_wallet_la_LIBADD = \
-  $(LIBGCRYPT_LIBS) \
-  -lunistring
-libgnunetutil_taler_wallet_la_LDFLAGS = \
-  $(GN_LIB_LDFLAGS) \
-  -version-info 0:0:0
 if HAVE_TESTING
  GNUNET_ECC = gnunet-ecc
  GNUNET_SCRYPT = gnunet-scrypt
 endif
-if TALER_ONLY
-lib_LTLIBRARIES = libgnunetutil_taler_wallet.la
-else
 lib_LTLIBRARIES = libgnunetutil.la
 libexec_PROGRAMS = \
@@ -182,6 +153,7 @@ libexec_PROGRAMS = \
 bin_PROGRAMS = \
 gnunet-resolver \
 gnunet-config \
+ gnunet-crypto-tvg \
 $(GNUNET_ECC) \
 $(GNUNET_SCRYPT) \
 gnunet-uri
@@ -199,8 +171,6 @@ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PAT
 TESTS = $(check_PROGRAMS)
 endif
-endif
 gnunet_timeout_SOURCES = \
 gnunet-timeout.c
@@ -220,6 +190,11 @@ gnunet_resolver_LDADD = \
  libgnunetutil.la \
  $(GN_LIBINTL)
+gnunet_crypto_tvg_SOURCES = \
+ gnunet-crypto-tvg.c
+gnunet_crypto_tvg_LDADD = \
+  libgnunetutil.la \
+  $(GN_LIBINTL) -lgcrypt
 gnunet_ecc_SOURCES = \
 gnunet-ecc.c
@@ -298,6 +273,7 @@ check_PROGRAMS = \
 test_crypto_eddsa \
 test_crypto_ecdhe \
 test_crypto_ecdh_eddsa \
+ test_crypto_ecdh_ecdsa \
 test_crypto_ecc_dlog \
 test_crypto_hash \
 test_crypto_hash_context \
@@ -476,6 +452,13 @@ test_crypto_ecdh_eddsa_LDADD = \
 libgnunetutil.la \
 $(LIBGCRYPT_LIBS)
+test_crypto_ecdh_ecdsa_SOURCES = \
+ test_crypto_ecdh_ecdsa.c
+test_crypto_ecdh_ecdsa_LDADD = \
+ libgnunetutil.la \
+ $(LIBGCRYPT_LIBS)
 test_crypto_hash_SOURCES = \
 test_crypto_hash.c
 test_crypto_hash_LDADD = \
diff --git a/src/util/buffer.c b/src/util/buffer.c
new file mode 100644
index 000000000..d89565d68
--- /dev/null
+++ b/src/util/buffer.c
@@ -0,0 +1,226 @@
+/*
+  This file is part of GNUnet
+  Copyright (C) 2020 GNUnet e.V.
+  GNUnet is free software; you can redistribute it and/or modify it under the
+  terms of the GNU Affero General Public License as published by the Free Software
+  Foundation; either version 3, or (at your option) any later version.
+  GNUnet is distributed in the hope that it will be useful, but WITHOUT ANY
+  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+  A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public License along with
+  GNUnet; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file buffer.c
+ * @brief Common buffer management functions.
+ * @author Florian Dold
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_buffer_lib.h"
+/**
+ * Initialize a buffer with the given capacity.
+ *
+ * When a buffer is allocated with this function, a warning is logged
+ * when the buffer exceeds the initial capacity.
+ *
+ * @param buf the buffer to initialize
+ * @param capacity the capacity (in bytes) to allocate for @a buf
+ */
+void
+GNUNET_buffer_prealloc (struct GNUNET_Buffer *buf, size_t capacity)
+{
+  /* Buffer should be zero-initialized */
+  GNUNET_assert (0 == buf->mem);
+  GNUNET_assert (0 == buf->capacity);
+  GNUNET_assert (0 == buf->position);
+  buf->mem = GNUNET_malloc (capacity);
+  buf->capacity = capacity;
+  buf->warn_grow = GNUNET_YES;
+}
+/**
+ * Make sure that at least @a n bytes remaining in the buffer.
+ *
+ * @param buf buffer to potentially grow
+ * @param n number of bytes that should be available to write
+ */
+void
+GNUNET_buffer_ensure_remaining (struct GNUNET_Buffer *buf, size_t n)
+{
+  size_t new_capacity = buf->position + n;
+  if (new_capacity <= buf->capacity)
+    return;
+  /* warn if calculation of expected size was wrong */
+  GNUNET_break (GNUNET_YES != buf->warn_grow);
+  if (new_capacity < buf->capacity * 2)
+    new_capacity = buf->capacity * 2;
+  buf->capacity = new_capacity;
+  if (NULL != buf->mem)
+    buf->mem = GNUNET_realloc (buf->mem, new_capacity);
+  else
+    buf->mem = GNUNET_malloc (new_capacity);
+}
+/**
+ * Write bytes to the buffer.
+ *
+ * Grows the buffer if necessary.
+ *
+ * @param buf buffer to write to
+ * @param data data to read from
+ * @param len number of bytes to copy from @a data to @a buf
+ *
+ */
+void
+GNUNET_buffer_write (struct GNUNET_Buffer *buf, const char *data, size_t len)
+{
+  GNUNET_buffer_ensure_remaining (buf, len);
+  memcpy (buf->mem + buf->position, data, len);
+  buf->position += len;
+}
+/**
+ * Write a 0-terminated string to a buffer, excluding the 0-terminator.
+ *
+ * @param buf the buffer to write to
+ * @param str the string to write to @a buf
+ */
+void
+GNUNET_buffer_write_str (struct GNUNET_Buffer *buf, const char *str)
+{
+  size_t len = strlen (str);
+  GNUNET_buffer_write (buf, str, len);
+}
+/**
+ * Clear the buffer and return the string it contained.
+ * The caller is responsible to eventually #GNUNET_free
+ * the returned string.
+ *
+ * The returned string is always 0-terminated.
+ *
+ * @param buf the buffer to reap the string from
+ * @returns the buffer contained in the string
+ */
+char *
+GNUNET_buffer_reap_str (struct GNUNET_Buffer *buf)
+{
+  char *res;
+  /* ensure 0-termination */
+  if ( (0 == buf->position) || ('\0' != buf->mem[buf->position - 1]))
+  {
+    GNUNET_buffer_ensure_remaining (buf, 1);
+    buf->mem[buf->position++] = '\0';
+  }
+  res = buf->mem;
+  *buf = (struct GNUNET_Buffer) { 0 };
+  return res;
+}
+/**
+ * Free the backing memory of the given buffer.
+ * Does not free the memory of the buffer control structure,
+ * which is typically stack-allocated.
+ */
+void
+GNUNET_buffer_clear (struct GNUNET_Buffer *buf)
+{
+  GNUNET_free_non_null (buf->mem);
+  *buf = (struct GNUNET_Buffer) { 0 };
+}
+/**
+ * Write a path component to a buffer, ensuring that
+ * there is exactly one slash between the previous contents
+ * of the buffer and the new string.
+ *
+ * @param buf buffer to write to
+ * @param str string containing the new path component
+ */
+void
+GNUNET_buffer_write_path (struct GNUNET_Buffer *buf, const char *str)
+{
+  size_t len = strlen (str);
+  while ( (0 != len) && ('/' == str[0]) )
+  {
+    str++;
+    len--;
+  }
+  if ( (0 == buf->position) || ('/' != buf->mem[buf->position - 1]) )
+  {
+    GNUNET_buffer_ensure_remaining (buf, 1);
+    buf->mem[buf->position++] = '/';
+  }
+  GNUNET_buffer_write (buf, str, len);
+}
+/**
+ * Write a 0-terminated formatted string to a buffer, excluding the
+ * 0-terminator.
+ *
+ * Grows the buffer if necessary.
+ *
+ * @param buf the buffer to write to
+ * @param fmt format string
+ * @param ... format arguments
+ */
+void
+GNUNET_buffer_write_fstr (struct GNUNET_Buffer *buf, const char *fmt, ...)
+{
+  va_list args;
+  va_start (args, fmt);
+  GNUNET_buffer_write_vfstr (buf, fmt, args);
+  va_end (args);
+}
+/**
+ * Write a 0-terminated formatted string to a buffer, excluding the
+ * 0-terminator.
+ *
+ * Grows the buffer if necessary.
+ *
+ * @param buf the buffer to write to
+ * @param fmt format string
+ * @param args format argument list
+ */
+void
+GNUNET_buffer_write_vfstr (struct GNUNET_Buffer *buf,
+                          const char *fmt,
+                          va_list args)
+{
+  int res;
+  va_list args2;
+  va_copy (args2, args);
+  res = vsnprintf (NULL, 0, fmt, args2);
+  va_end (args2);
+  GNUNET_assert (res >= 0);
+  GNUNET_buffer_ensure_remaining (buf, res + 1);
+  va_copy (args2, args);
+  res = vsnprintf (buf->mem + buf->position, res + 1, fmt, args2);
+  va_end (args2);
+  GNUNET_assert (res >= 0);
+  buf->position += res;
+  GNUNET_assert (buf->position <= buf->capacity);
+}
diff --git a/src/util/common_logging.c b/src/util/common_logging.c
index 430f75e70..27ac88a05 100644
--- a/src/util/common_logging.c
+++ b/src/util/common_logging.c
@@ -294,7 +294,6 @@ resize_logdefs ()
 }
-#if ! TALER_WALLET_ONLY
 /**
 * Rotate logs, deleting the oldest log.
 *
@@ -403,9 +402,6 @@ setup_log_file (const struct tm *tm)
 }
-#endif
 /**
 * Utility function - adds a parsed definition to logdefs array.
 *
@@ -731,7 +727,7 @@ GNUNET_log_setup (const char *comp, const char *loglevel, const char *logfile)
  log_file_name = GNUNET_STRINGS_filename_expand (logfile);
  if (NULL == log_file_name)
    return GNUNET_SYSERR;
-#if TALER_WALLET_ONLY || defined(GNUNET_CULL_LOGGING)
+#if defined(GNUNET_CULL_LOGGING)
  /* log file option not allowed for wallet logic */
  GNUNET_assert (NULL == logfile);
  return GNUNET_OK;
@@ -1023,7 +1019,7 @@ mylog (enum GNUNET_ErrorType kind,
    }
    vsnprintf (buf, size, message, va);
-#if ! (defined(GNUNET_CULL_LOGGING) || TALER_WALLET_ONLY)
+#if ! defined(GNUNET_CULL_LOGGING)
    if (NULL != tmptr)
      (void) setup_log_file (tmptr);
 #endif
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index bd7c425d4..237062eb7 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -173,22 +173,8 @@ GNUNET_CRYPTO_ecdsa_key_get_public (
  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
  struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
 {
-  gcry_sexp_t sexp;
-  gcry_ctx_t ctx;
-  gcry_mpi_t q;
  BENCHMARK_START (ecdsa_key_get_public);
+  GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (pub->q_y, priv->d);
-  sexp = decode_private_ecdsa_key (priv);
-  GNUNET_assert (NULL != sexp);
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
-  gcry_sexp_release (sexp);
-  q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
-  GNUNET_assert (NULL != q);
-  GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof(pub->q_y), q);
-  gcry_mpi_release (q);
-  gcry_ctx_release (ctx);
  BENCHMARK_END (ecdsa_key_get_public);
 }
@@ -1041,45 +1027,6 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (
 /**
- * Take point from ECDH and convert it to key material.
- *
- * @param result point from ECDH
- * @param ctx ECC context
- * @param key_material[out] set to derived key material
- * @return #GNUNET_OK on success
- */
-static int
-point_to_hash (gcry_mpi_point_t result,
-               gcry_ctx_t ctx,
-               struct GNUNET_HashCode *key_material)
-{
-  gcry_mpi_t result_x;
-  unsigned char xbuf[256 / 8];
-  size_t rsize;
-  /* finally, convert point to string for hashing */
-  result_x = gcry_mpi_new (256);
-  if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
-    return GNUNET_SYSERR;
-  }
-  rsize = sizeof(xbuf);
-  GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
-  /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
-     as that does not include the sign bit; x should be a 255-bit
-     value, so with the sign it should fit snugly into the 256-bit
-     xbuf */
-  GNUNET_assert (
-    0 == gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, result_x));
-  GNUNET_CRYPTO_hash (xbuf, rsize, key_material);
-  gcry_mpi_release (result_x);
-  return GNUNET_OK;
-}
-/**
 * @ingroup crypto
 * Derive key material from a ECDH public key and a private EdDSA key.
 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
@@ -1125,41 +1072,18 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
                          const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
                          struct GNUNET_HashCode *key_material)
 {
-  gcry_mpi_point_t result;
+  uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES];
-  gcry_mpi_point_t q;
+  uint8_t d_rev[GNUNET_TWEETNACL_SCALARMULT_BYTES];
-  gcry_mpi_t d;
-  gcry_ctx_t ctx;
-  gcry_sexp_t pub_sexpr;
-  int ret;
  BENCHMARK_START (ecdsa_ecdh);
+  for (size_t i = 0; i < 32; i++)
-  /* first, extract the q = dP value from the public key */
+    d_rev[i] = priv->d[31 - i];
-  if (0 != gcry_sexp_build (&pub_sexpr,
+  GNUNET_TWEETNACL_scalarmult_curve25519 (p, d_rev, pub->q_y);
-                            NULL,
+  GNUNET_CRYPTO_hash (p,
-                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                      GNUNET_TWEETNACL_SCALARMULT_BYTES,
-                            (int) sizeof(pub->q_y),
+                      key_material);
-                            pub->q_y))
-    return GNUNET_SYSERR;
-  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
-  gcry_sexp_release (pub_sexpr);
-  q = gcry_mpi_ec_get_point ("q", ctx, 0);
-  /* second, extract the d value from our private key */
-  GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof(priv->d));
-  /* then call the 'multiply' function, to compute the product */
-  result = gcry_mpi_point_new (0);
-  gcry_mpi_ec_mul (result, d, q, ctx);
-  gcry_mpi_point_release (q);
-  gcry_mpi_release (d);
-  /* finally, convert point to string for hashing */
-  ret = point_to_hash (result, ctx, key_material);
-  gcry_mpi_point_release (result);
-  gcry_ctx_release (ctx);
  BENCHMARK_END (ecdsa_ecdh);
-  return ret;
+  return GNUNET_OK;
 }
@@ -1191,7 +1115,7 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
 /**
 * @ingroup crypto
 * Derive key material from a ECDSA public key and a private ECDH key.
- * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
+ * Dual to #GNUNET_CRYPTO_ecdsa_ecdh.
 *
 * @param priv private key to use for the ECDH (y)
 * @param pub public key from ECDSA to use for the ECDH (X=h(x)G)
@@ -1203,10 +1127,13 @@ GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
                          const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
                          struct GNUNET_HashCode *key_material)
 {
-  return GNUNET_CRYPTO_ecdh_eddsa (priv,
+  uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES];
-                                   (const struct GNUNET_CRYPTO_EddsaPublicKey *)
+  uint8_t curve25510_pk[GNUNET_TWEETNACL_SIGN_PUBLICBYTES];
-                                   pub,
-                                   key_material);
+  GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y);
+  GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, curve25510_pk);
+  GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material);
+  return GNUNET_OK;
 }
diff --git a/src/util/gnunet-crypto-tvg.c b/src/util/gnunet-crypto-tvg.c
new file mode 100644
index 000000000..7d151c10b
--- /dev/null
+++ b/src/util/gnunet-crypto-tvg.c
@@ -0,0 +1,278 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/gnunet-crypto-tgv.c
+ * @brief Generate test vectors for cryptographic operations.
+ * @author Florian Dold
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_testing_lib.h"
+#include <gcrypt.h>
+GNUNET_NETWORK_STRUCT_BEGIN
+/**
+ * Sample signature struct.
+ *
+ * Purpose is #GNUNET_SIGNATURE_PURPOSE_TEST
+ */
+struct TestSignatureDataPS
+{
+  struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+  uint32_t testval;
+};
+GNUNET_NETWORK_STRUCT_END
+/**
+ * Print data base32-crockford with a preceding label.
+ *
+ * @param label label to print
+ * @param data data to print
+ * @param size size of data
+ */
+static void
+display_data (char *label, void *data, size_t size)
+{
+  char *enc = GNUNET_STRINGS_data_to_string_alloc (data, size);
+  printf ("%s %s\n", label, enc);
+  GNUNET_free (enc);
+}
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  {
+    struct GNUNET_HashCode hc;
+    char *str = "Hello, GNUnet";
+    GNUNET_CRYPTO_hash (str, strlen (str), &hc);
+    printf ("hash code:\n");
+    display_data ("  input", str, strlen (str));
+    display_data ("  output", &hc, sizeof (struct GNUNET_HashCode));
+  }
+  {
+    struct GNUNET_CRYPTO_EcdhePrivateKey *priv1;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub1;
+    struct GNUNET_CRYPTO_EcdhePrivateKey *priv2;
+    struct GNUNET_HashCode skm;
+    priv1 = GNUNET_CRYPTO_ecdhe_key_create ();
+    priv2 = GNUNET_CRYPTO_ecdhe_key_create ();
+    GNUNET_CRYPTO_ecdhe_key_get_public (priv1, &pub1);
+    GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_ecc_ecdh (priv2, &pub1, &skm));
+    printf ("ecdhe key:\n");
+    display_data ("  priv1", priv1, sizeof (struct
+                                            GNUNET_CRYPTO_EcdhePrivateKey));
+    display_data ("  pub1", &pub1, sizeof (struct
+                                           GNUNET_CRYPTO_EcdhePublicKey));
+    display_data ("  priv2", priv2, sizeof (struct
+                                            GNUNET_CRYPTO_EcdhePrivateKey));
+    display_data ("  skm", &skm, sizeof (struct GNUNET_HashCode));
+    GNUNET_free (priv1);
+    GNUNET_free (priv2);
+  }
+  {
+    struct GNUNET_CRYPTO_EddsaPrivateKey *priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+    priv = GNUNET_CRYPTO_eddsa_key_create ();
+    GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
+    printf ("eddsa key:\n");
+    display_data ("  priv", priv, sizeof (struct
+                                          GNUNET_CRYPTO_EddsaPrivateKey));
+    display_data ("  pub", &pub, sizeof (struct GNUNET_CRYPTO_EddsaPublicKey));
+    GNUNET_free (priv);
+  }
+  {
+    struct GNUNET_CRYPTO_EddsaPrivateKey *priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+    struct GNUNET_CRYPTO_EddsaSignature sig;
+    struct TestSignatureDataPS data = { 0 };
+    priv = GNUNET_CRYPTO_eddsa_key_create ();
+    GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
+    data.purpose.size = htonl (sizeof (struct TestSignatureDataPS));
+    data.purpose.size = htonl (GNUNET_SIGNATURE_PURPOSE_TEST);
+    GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_eddsa_sign (priv, &data.purpose,
+                                                          &sig));
+    GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_eddsa_verify (0,
+                                                            &data.purpose,
+                                                            &sig,
+                                                            &pub));
+    printf ("eddsa sig:\n");
+    display_data ("  priv", priv, sizeof (struct
+                                          GNUNET_CRYPTO_EddsaPrivateKey));
+    display_data ("  pub", &pub, sizeof (struct GNUNET_CRYPTO_EddsaPublicKey));
+    display_data ("  data", &data, sizeof (struct TestSignatureDataPS));
+    display_data ("  sig", &sig, sizeof (struct GNUNET_CRYPTO_EddsaSignature));
+    GNUNET_free (priv);
+  }
+  {
+    size_t out_len = 64;
+    char out[out_len];
+    char *ikm = "I'm the secret input key material";
+    char *salt = "I'm very salty";
+    char *ctx = "I'm a context chunk, also known as 'info' in the RFC";
+    GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_kdf (&out,
+                                                   out_len,
+                                                   salt,
+                                                   strlen (salt),
+                                                   ikm,
+                                                   strlen (ikm),
+                                                   ctx,
+                                                   strlen (ctx),
+                                                   NULL));
+    printf ("kdf:\n");
+    display_data ("  salt", salt, strlen (salt));
+    display_data ("  ikm", ikm, strlen (ikm));
+    display_data ("  ctx", ctx, strlen (ctx));
+    printf ("  out_len %u\n", (unsigned int) out_len);
+    display_data ("  out", out, out_len);
+  }
+  {
+    struct GNUNET_CRYPTO_EcdhePrivateKey *priv_ecdhe;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub_ecdhe;
+    struct GNUNET_CRYPTO_EddsaPrivateKey *priv_eddsa;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub_eddsa;
+    struct GNUNET_HashCode key_material;
+    priv_ecdhe = GNUNET_CRYPTO_ecdhe_key_create ();
+    GNUNET_CRYPTO_ecdhe_key_get_public (priv_ecdhe, &pub_ecdhe);
+    priv_eddsa = GNUNET_CRYPTO_eddsa_key_create ();
+    GNUNET_CRYPTO_eddsa_key_get_public (priv_eddsa, &pub_eddsa);
+    GNUNET_CRYPTO_ecdh_eddsa (priv_ecdhe, &pub_eddsa, &key_material);
+    printf ("eddsa_ecdh:\n");
+    display_data ("  priv_ecdhe", priv_ecdhe, sizeof (struct
+                                                      GNUNET_CRYPTO_EcdhePrivateKey));
+    display_data ("  pub_ecdhe", &pub_ecdhe, sizeof (struct
+                                                     GNUNET_CRYPTO_EcdhePublicKey));
+    display_data ("  priv_eddsa", priv_eddsa, sizeof (struct
+                                                      GNUNET_CRYPTO_EddsaPrivateKey));
+    display_data ("  pub_eddsa", &pub_eddsa, sizeof (struct
+                                                     GNUNET_CRYPTO_EddsaPublicKey));
+    display_data ("  key_material", &key_material, sizeof (struct
+                                                           GNUNET_HashCode));
+  }
+  {
+    struct GNUNET_CRYPTO_RsaPrivateKey *skey;
+    struct GNUNET_CRYPTO_RsaPublicKey *pkey;
+    struct GNUNET_HashCode message_hash;
+    struct GNUNET_CRYPTO_RsaBlindingKeySecret bks;
+    struct GNUNET_CRYPTO_RsaSignature *blinded_sig;
+    struct GNUNET_CRYPTO_RsaSignature *sig;
+    char *blinded_data;
+    size_t blinded_len;
+    char *public_enc_data;
+    size_t public_enc_len;
+    char *blinded_sig_enc_data;
+    size_t blinded_sig_enc_length;
+    char *sig_enc_data;
+    size_t sig_enc_length;
+    skey = GNUNET_CRYPTO_rsa_private_key_create (2048);
+    pkey = GNUNET_CRYPTO_rsa_private_key_get_public (skey);
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, &message_hash,
+                                sizeof (struct GNUNET_HashCode));
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK, &bks, sizeof (struct
+                                                                          GNUNET_CRYPTO_RsaBlindingKeySecret));
+    GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_rsa_blind (&message_hash, &bks,
+                                                          pkey, &blinded_data,
+                                                          &blinded_len));
+    blinded_sig = GNUNET_CRYPTO_rsa_sign_blinded (skey, blinded_data,
+                                                  blinded_len);
+    sig = GNUNET_CRYPTO_rsa_unblind (blinded_sig, &bks, pkey);
+    GNUNET_assert (GNUNET_YES == GNUNET_CRYPTO_rsa_verify (&message_hash, sig,
+                                                           pkey));
+    public_enc_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey,
+                                                          &public_enc_data);
+    blinded_sig_enc_length = GNUNET_CRYPTO_rsa_signature_encode (blinded_sig,
+                                                                 &
+                                                                 blinded_sig_enc_data);
+    sig_enc_length = GNUNET_CRYPTO_rsa_signature_encode (sig, &sig_enc_data);
+    printf ("blind signing:\n");
+    display_data ("  message_hash", &message_hash, sizeof (struct
+                                                           GNUNET_HashCode));
+    display_data ("  rsa_public_key", public_enc_data, public_enc_len);
+    display_data ("  blinding_key_secret", &bks, sizeof (struct
+                                                         GNUNET_CRYPTO_RsaBlindingKeySecret));
+    display_data ("  blinded_message", blinded_data, blinded_len);
+    display_data ("  blinded_sig", blinded_sig_enc_data,
+                  blinded_sig_enc_length);
+    display_data ("  sig", sig_enc_data, sig_enc_length);
+    GNUNET_CRYPTO_rsa_private_key_free (skey);
+    GNUNET_CRYPTO_rsa_public_key_free (pkey);
+    GNUNET_CRYPTO_rsa_signature_free (sig);
+    GNUNET_CRYPTO_rsa_signature_free (blinded_sig);
+  }
+}
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-crypto-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-crypto-tvg",
+                          "Generate test vectors for cryptographic operations",
+                          options,
+                          &run, NULL))
+    return 1;
+  return 0;
+}
+/* end of gnunet-crypto-tvg.c */
diff --git a/src/util/test_crypto_ecdh_ecdsa.c b/src/util/test_crypto_ecdh_ecdsa.c
new file mode 100644
index 000000000..8a581ef73
--- /dev/null
+++ b/src/util/test_crypto_ecdh_ecdsa.c
@@ -0,0 +1,97 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2002-2015 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/test_crypto_ecdh_ecdsa.c
+ * @brief testcase for ECC DH key exchange with ECDSA private keys.
+ * @author Christian Grothoff
+ * @author Bart Polot
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <gcrypt.h>
+static int
+test_ecdh ()
+{
+  struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_dsa;
+  struct GNUNET_CRYPTO_EcdhePrivateKey *priv_ecdh;
+  struct GNUNET_CRYPTO_EcdsaPublicKey id1;
+  struct GNUNET_CRYPTO_EcdhePublicKey id2;
+  struct GNUNET_HashCode dh[2];
+  /* Generate keys */
+  priv_dsa = GNUNET_CRYPTO_ecdsa_key_create ();
+  GNUNET_CRYPTO_ecdsa_key_get_public (priv_dsa,
+                                      &id1);
+  for (unsigned int j = 0; j < 4; j++)
+  {
+    fprintf (stderr, ",");
+    priv_ecdh = GNUNET_CRYPTO_ecdhe_key_create ();
+    /* Extract public keys */
+    GNUNET_CRYPTO_ecdhe_key_get_public (priv_ecdh,
+                                        &id2);
+    /* Do ECDH */
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_ecdsa_ecdh (priv_dsa,
+                                             &id2,
+                                             &dh[0]));
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_ecdh_ecdsa (priv_ecdh,
+                                             &id1,
+                                             &dh[1]));
+    /* Check that both DH results are equal. */
+    GNUNET_assert (0 == memcmp (&dh[0],
+                                &dh[1],
+                                sizeof(struct GNUNET_HashCode)));
+    GNUNET_free (priv_ecdh);
+  }
+  GNUNET_free (priv_dsa);
+  return 0;
+}
+int
+main (int argc, char *argv[])
+{
+  if (! gcry_check_version ("1.6.0"))
+  {
+    fprintf (stderr,
+             _ (
+               "libgcrypt has not the expected version (version %s is required).\n"),
+             "1.6.0");
+    return 0;
+  }
+  if (getenv ("GNUNET_GCRYPT_DEBUG"))
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+  GNUNET_log_setup ("test-crypto-ecdh-ecdsa", "WARNING", NULL);
+  for (unsigned int i = 0; i < 4; i++)
+  {
+    fprintf (stderr,
+             ".");
+    if (0 != test_ecdh ())
+      return 1;
+  }
+  return 0;
+}
+/* end of test_crypto_ecdh_ecdsa.c */
diff --git a/src/util/tweetnacl-gnunet.c b/src/util/tweetnacl-gnunet.c
index 1c27730a4..f01667adb 100644
--- a/src/util/tweetnacl-gnunet.c
+++ b/src/util/tweetnacl-gnunet.c
@@ -424,8 +424,24 @@ GNUNET_TWEETNACL_sign_pk_from_seed (u8 *pk, const u8 *seed)
  d[31] &= 127;
  d[31] |= 64;
-  scalarbase (p,d);
+  scalarbase (p, d);
-  pack (pk,p);
+  pack (pk, p);
+}
+void
+GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (u8 *pk, const u8 *s)
+{
+  u8 d[64];
+  gf p[4];
+  // Treat s as little endian.
+  for (u32 i = 0; i < 32; i++)
+    d[i] = s[31 - i];
+  // For GNUnet, we don't normalize d
+  scalarbase (p, d);
+  pack (pk, p);
 }
 void
diff --git a/src/util/tweetnacl-gnunet.h b/src/util/tweetnacl-gnunet.h
index 239166ffc..d052d8824 100644
--- a/src/util/tweetnacl-gnunet.h
+++ b/src/util/tweetnacl-gnunet.h
@@ -47,4 +47,8 @@ GNUNET_TWEETNACL_sign_detached (uint8_t *sig,
                                const uint8_t *m,
                                uint64_t n,
                                const uint8_t *sk);
+void
+GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (uint8_t *pk, const uint8_t *s);
 #endif