10 files changed, 918 insertions, 135 deletions

diff --git a/src/util/.gitignore b/src/util/.gitignore
index 51eab71db..0e3449fed 100644
--- a/src/util/.gitignore
+++ b/src/util/.gitignore
@@ -36,6 +36,7 @@ test_crypto_ecdh_eddsa
 test_crypto_ecdhe
 test_crypto_ecdsa
 test_crypto_eddsa
+test_crypto_edx25519
 test_crypto_hash
 test_crypto_hash_context
 test_crypto_hkdf
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 406d42b1e..9cb7da15b 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -66,6 +66,7 @@ libgnunetutil_la_SOURCES = \
   crypto_ecc_gnsrecord.c \
   $(DLOG) \
   crypto_ecc_setup.c \
+  crypto_edx25519.c \
   crypto_hash.c \
   crypto_hash_file.c \
   crypto_hkdf.c \
@@ -297,6 +298,7 @@ check_PROGRAMS = \
  test_crypto_ecdhe \
  test_crypto_ecdh_eddsa \
  test_crypto_ecdh_ecdsa \
+ test_crypto_edx25519 \
  $(DLOG_TEST) \
  test_crypto_hash \
  test_crypto_hash_context \
@@ -470,6 +472,12 @@ test_crypto_eddsa_LDADD = \
  libgnunetutil.la \
  $(LIBGCRYPT_LIBS)
 
+test_crypto_edx25519_SOURCES = \
+ test_crypto_edx25519.c
+test_crypto_edx25519_LDADD = \
+ libgnunetutil.la \
+ $(LIBGCRYPT_LIBS)
+
 test_crypto_ecc_dlog_SOURCES = \
  test_crypto_ecc_dlog.c
 test_crypto_ecc_dlog_LDADD = \
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index ce41a4699..0ee0570c0 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -68,28 +68,15 @@ derive_h (const void *pub,
 }
 
 
-/**
- * This is a signature function for EdDSA which takes the
- * secret scalar sk instead of the private seed which is
- * usually the case for crypto APIs. We require this functionality
- * in order to use derived private keys for signatures we
- * cannot calculate the inverse of a sk to find the seed
- * efficiently.
- *
- * The resulting signature is a standard EdDSA signature
- * which can be verified using the usual APIs.
- *
- * @param sk the secret scalar
- * @param purp the signature purpose
- * @param sig the resulting signature
- */
-void
-GNUNET_CRYPTO_eddsa_sign_with_scalar (
-  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_sign_derived (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey,
+  const char *label,
+  const char *context,
   const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
   struct GNUNET_CRYPTO_EddsaSignature *sig)
 {
-
+  struct GNUNET_CRYPTO_EddsaPrivateScalar priv;
   crypto_hash_sha512_state hs;
   unsigned char sk[64];
   unsigned char r[64];
@@ -98,6 +85,14 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar (
   unsigned char zk[32];
   unsigned char tmp[32];
 
+  /**
+   * Derive the private key
+   */
+  GNUNET_CRYPTO_eddsa_private_key_derive (pkey,
+                                          label,
+                                          context,
+                                          &priv);
+
   crypto_hash_sha512_init (&hs);
 
   /**
@@ -108,7 +103,7 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar (
    * sk[0..31] = h * SHA512 (d)[0..31]
    * sk[32..63] = SHA512 (d)[32..63]
    */
-  memcpy (sk, priv->s, 64);
+  memcpy (sk, priv.s, 64);
 
   /**
    * Calculate the derived zone key zk' from the
@@ -172,8 +167,28 @@ GNUNET_CRYPTO_eddsa_sign_with_scalar (
   sodium_memzero (sk, sizeof (sk));
   sodium_memzero (r, sizeof (r));
   sodium_memzero (r_mod, sizeof (r_mod));
+  return GNUNET_OK;
 }
 
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_sign_derived (
+  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+  const char *label,
+  const char *context,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  struct GNUNET_CRYPTO_EcdsaSignature *sig)
+{
+  struct GNUNET_CRYPTO_EcdsaPrivateKey *key;
+  enum GNUNET_GenericReturnValue res;
+  key = GNUNET_CRYPTO_ecdsa_private_key_derive (priv,
+                                                label,
+                                                context);
+  res = GNUNET_CRYPTO_ecdsa_sign_ (key,
+                                   purpose,
+                                   sig);
+  GNUNET_free (key);
+  return res;
+}
 
 struct GNUNET_CRYPTO_EcdsaPrivateKey *
 GNUNET_CRYPTO_ecdsa_private_key_derive (
diff --git a/src/util/crypto_edx25519.c b/src/util/crypto_edx25519.c
new file mode 100644
index 000000000..26b45407e
--- /dev/null
+++ b/src/util/crypto_edx25519.c
@@ -0,0 +1,418 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/crypto_edx25519.c
+ * @brief An variant of EdDSA which allows for iterative derivation of key pairs.
+ * @author Özgür Kesim
+ * @author Christian Grothoff
+ * @author Florian Dold
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include <gcrypt.h>
+#include <sodium.h>
+#include "gnunet_crypto_lib.h"
+#include "gnunet_strings_lib.h"
+
+#define CURVE "Ed25519"
+
+void
+GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
+{
+  memset (pk, 0, sizeof(struct GNUNET_CRYPTO_Edx25519PrivateKey));
+}
+
+
+void
+GNUNET_CRYPTO_edx25519_key_create_from_seed (
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
+{
+
+  GNUNET_static_assert (sizeof(*pk) == sizeof(struct GNUNET_HashCode));
+  GNUNET_CRYPTO_hash (seed,
+                      seedsize,
+                      (struct GNUNET_HashCode *) pk);
+
+  /* Clamp the first half of the key. The second half is used in the signature
+   * process. */
+  pk->a[0] &= 248;
+  pk->a[31] &= 127;
+  pk->a[31] |= 64;
+}
+
+
+void
+GNUNET_CRYPTO_edx25519_key_create (
+  struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
+{
+  char seed[256 / 8];
+  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
+                              seed,
+                              sizeof (seed));
+  GNUNET_CRYPTO_edx25519_key_create_from_seed (seed,
+                                               sizeof(seed),
+                                               pk);
+}
+
+
+void
+GNUNET_CRYPTO_edx25519_key_get_public (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
+{
+  crypto_scalarmult_ed25519_base_noclamp (pub->q_y,
+                                          priv->a);
+}
+
+
+/**
+ * This function operates the basically same way as the signature function for
+ * EdDSA. But instead of expanding a private seed (which is usually the case
+ * for crypto APIs) and using the resulting scalars, it takes the scalars
+ * directly from Edx25519PrivateKey.  We require this functionality in order to
+ * use derived private keys for signatures.
+ *
+ * The resulting signature is a standard EdDSA signature
+ * which can be verified using the usual APIs.
+ *
+ * @param priv the private key (containing two scalars .a and .b)
+ * @param purp the signature purpose
+ * @param sig the resulting signature
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_edx25519_sign_ (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+  struct GNUNET_CRYPTO_Edx25519Signature *sig)
+{
+
+  crypto_hash_sha512_state hs;
+  unsigned char r[64];
+  unsigned char hram[64];
+  unsigned char P[32];
+  unsigned char r_mod[64];
+  unsigned char R[32];
+  unsigned char tmp[32];
+
+  crypto_hash_sha512_init (&hs);
+
+  /**
+   * Calculate the public key P from the private scalar in the key.
+   */
+  crypto_scalarmult_ed25519_base_noclamp (P,
+                                          priv->a);
+
+  /**
+   * Calculate r:
+   * r = SHA512 (b ∥ M)
+   * where M is our message (purpose).
+   */
+  crypto_hash_sha512_update (&hs,
+                             priv->b,
+                             sizeof(priv->b));
+  crypto_hash_sha512_update (&hs,
+                             (uint8_t*) purpose,
+                             ntohl (purpose->size));
+  crypto_hash_sha512_final (&hs,
+                            r);
+
+  /**
+   * Temporarily put P into S
+   */
+  memcpy (sig->s, P, 32);
+
+  /**
+   * Reduce the scalar value r
+   */
+  crypto_core_ed25519_scalar_reduce (r_mod, r);
+
+  /**
+   * Calculate R := r * G of the signature
+   */
+  crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
+  memcpy (sig->r, R, sizeof (R));
+
+  /**
+   * Calculate
+   * hram := SHA512 (R ∥ P ∥ M)
+   */
+  crypto_hash_sha512_init (&hs);
+  crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
+  crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
+                             ntohl (purpose->size));
+  crypto_hash_sha512_final (&hs, hram);
+
+  /**
+   * Reduce the resulting scalar value
+   */
+  unsigned char hram_mod[64];
+  crypto_core_ed25519_scalar_reduce (hram_mod, hram);
+
+  /**
+   * Calculate
+   * S := r + hram * s mod L
+   */
+  crypto_core_ed25519_scalar_mul (tmp, hram_mod, priv->a);
+  crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
+
+  sodium_memzero (r, sizeof (r));
+  sodium_memzero (r_mod, sizeof (r_mod));
+
+  return GNUNET_OK;
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_edx25519_verify_ (
+  uint32_t purpose,
+  const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
+  const struct GNUNET_CRYPTO_Edx25519Signature *sig,
+  const struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
+{
+  const unsigned char *m = (const void *) validate;
+  size_t mlen = ntohl (validate->size);
+  const unsigned char *s = (const void *) sig;
+
+  int res;
+
+  if (purpose != ntohl (validate->purpose))
+    return GNUNET_SYSERR; /* purpose mismatch */
+
+  res = crypto_sign_verify_detached (s, m, mlen, pub->q_y);
+  return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
+}
+
+
+/**
+ * Derive the 'h' value for key derivation, where
+ * 'h = H(P ∥ seed) mod n' and 'n' is the size of the cyclic subroup.
+ *
+ * @param pub public key for deriviation
+ * @param seed seed for key the deriviation
+ * @param seedsize the size of the seed
+ * @param n The value for the modulus 'n'
+ * @param[out] phc if not NULL, the output of H() will be written into
+ * return h_mod_n (allocated by this function)
+ */
+static gcry_mpi_t
+derive_h_mod_n (
+  const struct GNUNET_CRYPTO_Edx25519PublicKey *pub,
+  const void *seed,
+  size_t seedsize,
+  const gcry_mpi_t n,
+  struct GNUNET_HashCode *phc)
+{
+  static const char *const salt = "edx2559-derivation";
+  struct GNUNET_HashCode hc;
+  gcry_mpi_t h;
+  gcry_mpi_t h_mod_n;
+
+  if (NULL == phc)
+    phc = &hc;
+
+  GNUNET_CRYPTO_kdf (phc, sizeof(*phc),
+                     salt, strlen (salt),
+                     pub, sizeof(*pub),
+                     seed, seedsize,
+                     NULL, 0);
+
+  /* calculate h_mod_n = h % n */
+  GNUNET_CRYPTO_mpi_scan_unsigned (&h,
+                                   (unsigned char *) phc,
+                                   sizeof(*phc));
+  h_mod_n = gcry_mpi_new (256);
+  gcry_mpi_mod (h_mod_n, h, n);
+
+#ifdef CHECK_RARE_CASES
+  /**
+   * Note that the following cases would be problematic:
+   *    1.) h == 0 mod n
+   *    2.) h == 1 mod n
+   *    3.) [h] * P == E
+   * We assume that the probalities for these cases to occur are neglegible.
+   */
+  GNUNET_assert (! gcry_mpi_cmp_ui (h_mod_n, 0));
+  GNUNET_assert (! gcry_mpi_cmp_ui (h_mod_n, 1));
+#endif
+
+  gcry_mpi_release(h);
+  return h_mod_n;
+}
+
+
+void
+GNUNET_CRYPTO_edx25519_private_key_derive (
+  const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv,
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PrivateKey *result)
+{
+  struct GNUNET_CRYPTO_Edx25519PublicKey pub;
+  struct GNUNET_HashCode hc;
+  uint8_t a[32];
+  gcry_ctx_t ctx;
+  gcry_mpi_t h_mod_n;
+  gcry_mpi_t x;
+  gcry_mpi_t n;
+  gcry_mpi_t a1;
+  gcry_mpi_t a2;
+  gcry_mpi_t ap; // a'
+
+  GNUNET_CRYPTO_edx25519_key_get_public (priv, &pub);
+
+  /**
+   * Libsodium does not offer an API with arbitrary arithmetic.
+   * Hence we have to use libgcrypt here.
+   */
+  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
+
+  /**
+   * Get our modulo
+   */
+  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+  GNUNET_assert (NULL != n);
+
+  /**
+   * Get h mod n
+   */
+  h_mod_n = derive_h_mod_n (&pub,
+                            seed,
+                            seedsize,
+                            n,
+                            &hc);
+
+  /* Convert priv->a scalar to big endian for libgcrypt */
+  for (size_t i = 0; i < 32; i++)
+    a[i] = priv->a[31 - i];
+
+  /**
+   * dc now contains the private scalar "a".
+   * We carefully remove the clamping and derive a'.
+   * Calculate:
+   * a1 := a / 8
+   * a2 := h * a1 mod n
+   * a' := a2 * 8 mod n
+   */
+  GNUNET_CRYPTO_mpi_scan_unsigned (&x, a, sizeof(a)); // a
+  a1 = gcry_mpi_new (256);
+  gcry_mpi_t eight = gcry_mpi_set_ui (NULL, 8);
+  gcry_mpi_div (a1, NULL, x, eight, 0); // a1 := a / 8
+  a2 = gcry_mpi_new (256);
+  gcry_mpi_mulm (a2, h_mod_n, a1, n); // a2 := h * a1 mod n
+  ap = gcry_mpi_new (256);
+  gcry_mpi_mul (ap, a2, eight); // a' := a2 * 8
+
+#ifdef CHECK_RARE_CASES
+  /* The likelihood for a' == 0 or a' == 1 is neglegible */
+  GNUNET_assert (! gcry_mpi_cmp_ui (ap, 0));
+  GNUNET_assert (! gcry_mpi_cmp_ui (ap, 1));
+#endif
+
+  gcry_mpi_release (h_mod_n);
+  gcry_mpi_release (eight);
+  gcry_mpi_release (x);
+  gcry_mpi_release (n);
+  gcry_mpi_release (a1);
+  gcry_mpi_release (a2);
+  gcry_ctx_release (ctx);
+  GNUNET_CRYPTO_mpi_print_unsigned (a, sizeof(a), ap);
+  gcry_mpi_release (ap);
+
+  /**
+   * We hash the derived "h" parameter with the other half of the expanded
+   * private key (that is: priv->b). This ensures that for signature
+   * generation, the "R" is derived from the same derivation path as "h" and is
+   * not reused.
+   */
+  {
+    crypto_hash_sha256_state hs;
+    crypto_hash_sha256_init (&hs);
+    crypto_hash_sha256_update (&hs, priv->b, sizeof(priv->b));
+    crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
+    crypto_hash_sha256_final (&hs, result->b);
+  }
+
+  /* Convert to little endian for libsodium */
+  for (size_t i = 0; i < 32; i++)
+    result->a[i] = a[31 - i];
+
+  sodium_memzero (a, sizeof(a));
+}
+
+
+void
+GNUNET_CRYPTO_edx25519_public_key_derive (
+  const struct GNUNET_CRYPTO_Edx25519PublicKey *pub,
+  const void *seed,
+  size_t seedsize,
+  struct GNUNET_CRYPTO_Edx25519PublicKey *result)
+{
+  gcry_ctx_t ctx;
+  gcry_mpi_t q_y;
+  gcry_mpi_t n;
+  gcry_mpi_t h_mod_n;
+  gcry_mpi_point_t q;
+  gcry_mpi_point_t v;
+
+  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
+
+  /* obtain point 'q' from original public key.  The provided 'q' is
+     compressed thus we first store it in the context and then get it
+     back as a (decompresssed) point.  */
+  q_y = gcry_mpi_set_opaque_copy (NULL,
+                                  pub->q_y,
+                                  8 * sizeof(pub->q_y));
+  GNUNET_assert (NULL != q_y);
+  GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
+  gcry_mpi_release (q_y);
+  q = gcry_mpi_ec_get_point ("q", ctx, 0);
+  GNUNET_assert (q);
+
+  /**
+   * Get h mod n
+   */
+  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+  GNUNET_assert (NULL != n);
+  GNUNET_assert (NULL != pub);
+  h_mod_n = derive_h_mod_n (pub,
+                            seed,
+                            seedsize,
+                            n,
+                            NULL /* We don't need hc here */);
+
+  /* calculate v = h_mod_n * q */
+  v = gcry_mpi_point_new (0);
+  gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
+  gcry_mpi_release (h_mod_n);
+  gcry_mpi_release (n);
+  gcry_mpi_point_release (q);
+
+  /* convert point 'v' to public key that we return */
+  GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
+  gcry_mpi_point_release (v);
+  q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+  GNUNET_assert (q_y);
+  GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
+  gcry_mpi_release (q_y);
+  gcry_ctx_release (ctx);
+}
diff --git a/src/util/crypto_hkdf.c b/src/util/crypto_hkdf.c
index 4e4496819..838e37d8d 100644
--- a/src/util/crypto_hkdf.c
+++ b/src/util/crypto_hkdf.c
@@ -74,16 +74,21 @@
  * @return HMAC, freed by caller via gcry_md_close/_reset
  */
 static const void *
-doHMAC (gcry_md_hd_t mac, const void *key, size_t key_len, const void *buf,
+doHMAC (gcry_md_hd_t mac,
+        const void *key,
+        size_t key_len,
+        const void *buf,
         size_t buf_len)
 {
-  if (GPG_ERR_NO_ERROR != gcry_md_setkey (mac, key, key_len))
+  if (GPG_ERR_NO_ERROR !=
+      gcry_md_setkey (mac, key, key_len))
   {
     GNUNET_break (0);
     return NULL;
   }
-  gcry_md_write (mac, buf, buf_len);
-
+  gcry_md_write (mac,
+                 buf,
+                 buf_len);
   return (const void *) gcry_md_read (mac, 0);
 }
 
@@ -98,9 +103,13 @@ doHMAC (gcry_md_hd_t mac, const void *key, size_t key_len, const void *buf,
  * @param prk result buffer (allocated by caller; at least gcry_md_dlen() bytes)
  * @return #GNUNET_YES on success
  */
-static int
-getPRK (gcry_md_hd_t mac, const void *xts, size_t xts_len, const void *skm,
-        size_t skm_len, void *prk)
+static enum GNUNET_GenericReturnValue
+getPRK (gcry_md_hd_t mac,
+        const void *xts,
+        size_t xts_len,
+        const void *skm,
+        size_t skm_len,
+        void *prk)
 {
   const void *ret;
   size_t dlen;
@@ -114,9 +123,10 @@ getPRK (gcry_md_hd_t mac, const void *xts, size_t xts_len, const void *skm,
    * salt - optional salt value (a non-secret random value);
    * if not provided, it is set to a string of HashLen zeros. */
 
-  if (xts_len == 0)
+  if (0 == xts_len)
   {
     char zero_salt[dlen];
+    
     memset (zero_salt, 0, dlen);
     ret = doHMAC (mac, zero_salt, dlen, skm, skm_len);
   }
@@ -124,22 +134,23 @@ getPRK (gcry_md_hd_t mac, const void *xts, size_t xts_len, const void *skm,
   {
     ret = doHMAC (mac, xts, xts_len, skm, skm_len);
   }
-  if (ret == NULL)
+  if (NULL == ret)
     return GNUNET_SYSERR;
-  GNUNET_memcpy (prk, ret, dlen);
-
+  GNUNET_memcpy (prk,
+                 ret,
+                 dlen);
   return GNUNET_YES;
 }
 
 
 #if DEBUG_HKDF
 static void
-dump (const char *src, const void *p, unsigned int l)
+dump (const char *src,
+      const void *p,
+      unsigned int l)
 {
-  unsigned int i;
-
   printf ("\n%s: ", src);
-  for (i = 0; i < l; i++)
+  for (unsigned int i = 0; i < l; i++)
   {
     printf ("%2x", (int) ((const unsigned char *) p)[i]);
   }
@@ -150,23 +161,16 @@ dump (const char *src, const void *p, unsigned int l)
 #endif
 
 
-/**
- * @brief Derive key
- * @param result buffer for the derived key, allocated by caller
- * @param out_len desired length of the derived key
- * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
- * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
- * @param xts salt
- * @param xts_len length of @a xts
- * @param skm source key material
- * @param skm_len length of @a skm
- * @param argp va_list of void * & size_t pairs for context chunks
- * @return #GNUNET_YES on success
- */
-int
-GNUNET_CRYPTO_hkdf_v (void *result, size_t out_len, int xtr_algo, int prf_algo,
-                      const void *xts, size_t xts_len, const void *skm,
-                      size_t skm_len, va_list argp)
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_hkdf_v (void *result,
+                      size_t out_len,
+                      int xtr_algo,
+                      int prf_algo,
+                      const void *xts,
+                      size_t xts_len,
+                      const void *skm,
+                      size_t skm_len,
+                      va_list argp)
 {
   gcry_md_hd_t xtr;
   gcry_md_hd_t prf;
@@ -186,10 +190,14 @@ GNUNET_CRYPTO_hkdf_v (void *result, size_t out_len, int xtr_algo, int prf_algo,
   if (0 == k)
     return GNUNET_SYSERR;
   if (GPG_ERR_NO_ERROR !=
-      gcry_md_open (&xtr, xtr_algo, GCRY_MD_FLAG_HMAC))
+      gcry_md_open (&xtr,
+                    xtr_algo,
+                    GCRY_MD_FLAG_HMAC))
     return GNUNET_SYSERR;
   if (GPG_ERR_NO_ERROR !=
-      gcry_md_open (&prf, prf_algo, GCRY_MD_FLAG_HMAC))
+      gcry_md_open (&prf,
+                    prf_algo,
+                    GCRY_MD_FLAG_HMAC))
   {
     gcry_md_close (xtr);
     return GNUNET_SYSERR;
@@ -221,7 +229,8 @@ GNUNET_CRYPTO_hkdf_v (void *result, size_t out_len, int xtr_algo, int prf_algo,
   }
 
   memset (result, 0, out_len);
-  if (getPRK (xtr, xts, xts_len, skm, skm_len, prk) != GNUNET_YES)
+  if (GNUNET_YES !=
+      getPRK (xtr, xts, xts_len, skm, skm_len, prk))
     goto hkdf_error;
 #if DEBUG_HKDF
   dump ("PRK", prk, xtr_len);
@@ -276,7 +285,7 @@ GNUNET_CRYPTO_hkdf_v (void *result, size_t out_len, int xtr_algo, int prf_algo,
       dump ("K(i+1)", plain, plain_len);
 #endif
       hc = doHMAC (prf, prk, xtr_len, plain, plain_len);
-      if (hc == NULL)
+      if (NULL == hc)
       {
         GNUNET_free (plain);
         goto hkdf_error;
@@ -327,32 +336,31 @@ hkdf_ok:
 }
 
 
-/**
- * @brief Derive key
- * @param result buffer for the derived key, allocated by caller
- * @param out_len desired length of the derived key
- * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
- * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
- * @param xts salt
- * @param xts_len length of @a xts
- * @param skm source key material
- * @param skm_len length of @a skm
- * @return #GNUNET_YES on success
- */
-int
-GNUNET_CRYPTO_hkdf (void *result, size_t out_len, int xtr_algo, int prf_algo,
-                    const void *xts, size_t xts_len, const void *skm,
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_hkdf (void *result,
+                    size_t out_len,
+                    int xtr_algo,
+                    int prf_algo,
+                    const void *xts,
+                    size_t xts_len,
+                    const void *skm,
                     size_t skm_len, ...)
 {
   va_list argp;
-  int ret;
+  enum GNUNET_GenericReturnValue ret;
 
   va_start (argp, skm_len);
   ret =
-    GNUNET_CRYPTO_hkdf_v (result, out_len, xtr_algo, prf_algo, xts, xts_len,
-                          skm, skm_len, argp);
+    GNUNET_CRYPTO_hkdf_v (result,
+                          out_len,
+                          xtr_algo,
+                          prf_algo,
+                          xts,
+                          xts_len,
+                          skm,
+                          skm_len,
+                          argp);
   va_end (argp);
-
   return ret;
 }
 
diff --git a/src/util/crypto_kdf.c b/src/util/crypto_kdf.c
index 0dc734549..f577e0f7a 100644
--- a/src/util/crypto_kdf.c
+++ b/src/util/crypto_kdf.c
@@ -32,18 +32,8 @@
 
 #define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)
 
-/**
- * @brief Derive key
- * @param result buffer for the derived key, allocated by caller
- * @param out_len desired length of the derived key
- * @param xts salt
- * @param xts_len length of @a xts
- * @param skm source key material
- * @param skm_len length of @a skm
- * @param argp va_list of void * & size_t pairs for context chunks
- * @return #GNUNET_YES on success
- */
-int
+
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_kdf_v (void *result,
                      size_t out_len,
                      const void *xts,
@@ -62,7 +52,7 @@ GNUNET_CRYPTO_kdf_v (void *result,
    * hash function."
    *
    * http://eprint.iacr.org/2010/264
-   *///
+   */
   return GNUNET_CRYPTO_hkdf_v (result,
                                out_len,
                                GCRY_MD_SHA512,
@@ -75,18 +65,7 @@ GNUNET_CRYPTO_kdf_v (void *result,
 }
 
 
-/**
- * @brief Derive key
- * @param result buffer for the derived key, allocated by caller
- * @param out_len desired length of the derived key
- * @param xts salt
- * @param xts_len length of @a xts
- * @param skm source key material
- * @param skm_len length of @a skm
- * @param ... void * & size_t pairs for context chunks
- * @return #GNUNET_YES on success
- */
-int
+enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_kdf (void *result,
                    size_t out_len,
                    const void *xts,
@@ -111,18 +90,6 @@ GNUNET_CRYPTO_kdf (void *result,
 }
 
 
-/**
- * Deterministically generate a pseudo-random number uniformly from the
- * integers modulo a libgcrypt mpi.
- *
- * @param[out] r MPI value set to the FDH
- * @param n MPI to work modulo
- * @param xts salt
- * @param xts_len length of @a xts
- * @param skm source key material
- * @param skm_len length of @a skm
- * @param ctx context string
- */
 void
 GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
                            gcry_mpi_t n,
@@ -137,32 +104,34 @@ GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
 
   nbits = gcry_mpi_get_nbits (n);
   /* GNUNET_assert (nbits > 512); */
-
   ctr = 0;
   while (1)
   {
     /* Ain't clear if n is always divisible by 8 */
-    uint8_t buf[ (nbits - 1) / 8 + 1 ];
+    size_t bsize = (nbits - 1) / 8 + 1;
+    uint8_t buf[bsize];
     uint16_t ctr_nbo = htons (ctr);
 
     rc = GNUNET_CRYPTO_kdf (buf,
-                            sizeof(buf),
+                            bsize,
                             xts, xts_len,
                             skm, skm_len,
                             ctx, strlen (ctx),
                             &ctr_nbo, sizeof(ctr_nbo),
                             NULL, 0);
     GNUNET_assert (GNUNET_YES == rc);
-
     rc = gcry_mpi_scan (r,
                         GCRYMPI_FMT_USG,
                         (const unsigned char *) buf,
-                        sizeof(buf),
+                        bsize,
                         &rsize);
-    GNUNET_assert (0 == rc);  /* Allocation error? */
-
-    gcry_mpi_clear_highbit (*r, nbits);
-    GNUNET_assert (0 == gcry_mpi_test_bit (*r, nbits));
+    GNUNET_assert (GPG_ERR_NO_ERROR == rc);  /* Allocation error? */
+    GNUNET_assert (rsize == bsize);
+    gcry_mpi_clear_highbit (*r,
+                            nbits);
+    GNUNET_assert (0 ==
+                   gcry_mpi_test_bit (*r,
+                                      nbits));
     ++ctr;
     /* We reject this FDH if either *r > n and retry with another ctr */
     if (0 > gcry_mpi_cmp (*r, n))
diff --git a/src/util/crypto_rsa.c b/src/util/crypto_rsa.c
index 43e6eedac..4b8e5a5ce 100644
--- a/src/util/crypto_rsa.c
+++ b/src/util/crypto_rsa.c
@@ -497,7 +497,8 @@ GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
  * @return True if gcd(r,n) = 1, False means RSA key is malicious
  */
 static int
-rsa_gcd_validate (gcry_mpi_t r, gcry_mpi_t n)
+rsa_gcd_validate (gcry_mpi_t r,
+                  gcry_mpi_t n)
 {
   gcry_mpi_t g;
   int t;
@@ -520,29 +521,34 @@ static struct RsaBlindingKey *
 rsa_blinding_key_derive (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
                          const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks)
 {
-  char *xts = "Blinding KDF extractor HMAC key";  /* Trusts bks' randomness more */
+  const char *xts = "Blinding KDF extractor HMAC key";  /* Trusts bks' randomness more */
   struct RsaBlindingKey *blind;
   gcry_mpi_t n;
 
   blind = GNUNET_new (struct RsaBlindingKey);
-  GNUNET_assert (NULL != blind);
 
   /* Extract the composite n from the RSA public key */
-  GNUNET_assert (0 == key_from_sexp (&n, pkey->sexp, "rsa", "n"));
+  GNUNET_assert (0 ==
+                 key_from_sexp (&n,
+                                pkey->sexp,
+                                "rsa",
+                                "n"));
   /* Assert that it at least looks like an RSA key */
-  GNUNET_assert (0 == gcry_mpi_get_flag (n, GCRYMPI_FLAG_OPAQUE));
-
+  GNUNET_assert (0 ==
+                 gcry_mpi_get_flag (n,
+                                    GCRYMPI_FLAG_OPAQUE));
   GNUNET_CRYPTO_kdf_mod_mpi (&blind->r,
                              n,
                              xts, strlen (xts),
                              bks, sizeof(*bks),
                              "Blinding KDF");
-  if (0 == rsa_gcd_validate (blind->r, n))
+  if (0 == rsa_gcd_validate (blind->r,
+                             n))
   {
+    gcry_mpi_release (blind->r);
     GNUNET_free (blind);
     blind = NULL;
   }
-
   gcry_mpi_release (n);
   return blind;
 }
@@ -760,8 +766,9 @@ rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
   /* We key with the public denomination key as a homage to RSA-PSS by  *
   * Mihir Bellare and Phillip Rogaway.  Doing this lowers the degree   *
   * of the hypothetical polyomial-time attack on RSA-KTI created by a  *
-  * polynomial-time one-more forgary attack.  Yey seeding!             */
-  xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey, &xts);
+  * polynomial-time one-more forgary attack.  Yey seeding!       */
+  xts_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey,
+                                                 &xts);
 
   GNUNET_CRYPTO_kdf_mod_mpi (&r,
                              n,
@@ -769,7 +776,6 @@ rsa_full_domain_hash (const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
                              hash, sizeof(*hash),
                              "RSA-FDA FTpsW!");
   GNUNET_free (xts);
-
   ok = rsa_gcd_validate (r, n);
   gcry_mpi_release (n);
   if (ok)
diff --git a/src/util/test_crypto_eddsa.c b/src/util/test_crypto_eddsa.c
index 459619ff2..e9573a307 100644
--- a/src/util/test_crypto_eddsa.c
+++ b/src/util/test_crypto_eddsa.c
@@ -130,9 +130,11 @@ testDeriveSignVerify (void)
     return GNUNET_SYSERR;
   }
 
-  GNUNET_CRYPTO_eddsa_sign_with_scalar (&dpriv,
-                                        &purp,
-                                        &sig);
+  GNUNET_CRYPTO_eddsa_sign_derived (&key,
+                                    "test-derive",
+                                    "test-CTX",
+                                    &purp,
+                                    &sig);
   if (GNUNET_SYSERR ==
       GNUNET_CRYPTO_eddsa_verify_ (GNUNET_SIGNATURE_PURPOSE_TEST,
                                    &purp,
diff --git a/src/util/test_crypto_edx25519.c b/src/util/test_crypto_edx25519.c
new file mode 100644
index 000000000..ead6f0bb9
--- /dev/null
+++ b/src/util/test_crypto_edx25519.c
@@ -0,0 +1,326 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+
+ */
+/**
+ * @file util/test_crypto_edx25519.c
+ * @brief testcase for ECC public key crypto for edx25519
+ * @author Özgür Kesim
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include <gcrypt.h>
+
+#define ITER 25
+
+#define KEYFILE "/tmp/test-gnunet-crypto-edx25519.key"
+
+#define PERF GNUNET_YES
+
+
+static struct GNUNET_CRYPTO_Edx25519PrivateKey key;
+
+
+static int
+testSignVerify (void)
+{
+  struct GNUNET_CRYPTO_Edx25519Signature sig;
+  struct GNUNET_CRYPTO_EccSignaturePurpose purp;
+  struct GNUNET_CRYPTO_Edx25519PublicKey pkey;
+  struct GNUNET_TIME_Absolute start;
+  int ok = GNUNET_OK;
+
+  fprintf (stderr, "%s", "W");
+  GNUNET_CRYPTO_edx25519_key_get_public (&key,
+                                         &pkey);
+  start = GNUNET_TIME_absolute_get ();
+  purp.size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose));
+  purp.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_TEST);
+
+  for (unsigned int i = 0; i < ITER; i++)
+  {
+    fprintf (stderr, "%s", "."); fflush (stderr);
+    if (GNUNET_SYSERR == GNUNET_CRYPTO_edx25519_sign_ (&key,
+                                                       &purp,
+                                                       &sig))
+    {
+      fprintf (stderr,
+               "GNUNET_CRYPTO_edx25519_sign returned SYSERR\n");
+      ok = GNUNET_SYSERR;
+      continue;
+    }
+    if (GNUNET_SYSERR ==
+        GNUNET_CRYPTO_edx25519_verify_ (GNUNET_SIGNATURE_PURPOSE_TEST,
+                                        &purp,
+                                        &sig,
+                                        &pkey))
+    {
+      fprintf (stderr,
+               "GNUNET_CRYPTO_edx25519_verify failed!\n");
+      ok = GNUNET_SYSERR;
+      continue;
+    }
+    if (GNUNET_SYSERR !=
+        GNUNET_CRYPTO_edx25519_verify_ (
+          GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN,
+          &purp,
+          &sig,
+          &pkey))
+    {
+      fprintf (stderr,
+               "GNUNET_CRYPTO_edx25519_verify failed to fail!\n");
+      ok = GNUNET_SYSERR;
+      continue;
+    }
+  }
+  fprintf (stderr, "\n");
+  printf ("%d EdDSA sign/verify operations %s\n",
+          ITER,
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+  return ok;
+}
+
+
+static int
+testDeriveSignVerify (void)
+{
+  struct GNUNET_CRYPTO_EccSignaturePurpose purp;
+  struct GNUNET_CRYPTO_Edx25519Signature sig;
+  struct GNUNET_CRYPTO_Edx25519PrivateKey dkey;
+  struct GNUNET_CRYPTO_Edx25519PublicKey pub;
+  struct GNUNET_CRYPTO_Edx25519PublicKey dpub;
+  struct GNUNET_CRYPTO_Edx25519PublicKey dpub2;
+
+  GNUNET_CRYPTO_edx25519_key_get_public (&key, &pub);
+  GNUNET_CRYPTO_edx25519_private_key_derive (&key,
+                                             "test-derive",
+                                             sizeof("test-derive"),
+                                             &dkey);
+  GNUNET_CRYPTO_edx25519_public_key_derive (&pub,
+                                            "test-derive",
+                                            sizeof("test-derive"),
+                                            &dpub);
+  GNUNET_CRYPTO_edx25519_key_get_public (&dkey, &dpub2);
+
+  if (0 != GNUNET_memcmp (&dpub.q_y, &dpub2.q_y))
+  {
+    fprintf (stderr, "key deriviation failed\n");
+    return GNUNET_SYSERR;
+  }
+
+  purp.size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose));
+  purp.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_TEST);
+
+  GNUNET_CRYPTO_edx25519_sign_ (&dkey,
+                                &purp,
+                                &sig);
+
+  if (GNUNET_SYSERR ==
+      GNUNET_CRYPTO_edx25519_verify_ (GNUNET_SIGNATURE_PURPOSE_TEST,
+                                      &purp,
+                                      &sig,
+                                      &dpub))
+  {
+    fprintf (stderr,
+             "GNUNET_CRYPTO_edx25519_verify failed after derivation!\n");
+    return GNUNET_SYSERR;
+  }
+
+  if (GNUNET_SYSERR !=
+      GNUNET_CRYPTO_edx25519_verify_ (GNUNET_SIGNATURE_PURPOSE_TEST,
+                                      &purp,
+                                      &sig,
+                                      &pub))
+  {
+    fprintf (stderr,
+             "GNUNET_CRYPTO_edx25519_verify failed to fail after derivation!\n");
+    return GNUNET_SYSERR;
+  }
+
+  if (GNUNET_SYSERR !=
+      GNUNET_CRYPTO_edx25519_verify_ (
+        GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN,
+        &purp,
+        &sig,
+        &dpub))
+  {
+    fprintf (stderr,
+             "GNUNET_CRYPTO_edx25519_verify failed to fail after derivation!\n");
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
+
+
+#if PERF
+static int
+testSignPerformance ()
+{
+  struct GNUNET_CRYPTO_EccSignaturePurpose purp;
+  struct GNUNET_CRYPTO_Edx25519Signature sig;
+  struct GNUNET_CRYPTO_Edx25519PublicKey pkey;
+  struct GNUNET_TIME_Absolute start;
+  int ok = GNUNET_OK;
+
+  purp.size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose));
+  purp.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_TEST);
+  fprintf (stderr, "%s", "W");
+  GNUNET_CRYPTO_edx25519_key_get_public (&key,
+                                         &pkey);
+  start = GNUNET_TIME_absolute_get ();
+  for (unsigned int i = 0; i < ITER; i++)
+  {
+    fprintf (stderr, "%s", ".");
+    fflush (stderr);
+    if (GNUNET_SYSERR ==
+        GNUNET_CRYPTO_edx25519_sign_ (&key,
+                                      &purp,
+                                      &sig))
+    {
+      fprintf (stderr, "%s", "GNUNET_CRYPTO_edx25519_sign returned SYSERR\n");
+      ok = GNUNET_SYSERR;
+      continue;
+    }
+  }
+  fprintf (stderr, "\n");
+  printf ("%d EdDSA sign operations %s\n",
+          ITER,
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start),
+            GNUNET_YES));
+  return ok;
+}
+
+
+#endif
+
+
+#if 0 /* not implemented */
+static int
+testCreateFromFile (void)
+{
+  struct GNUNET_CRYPTO_Edx25519PublicKey p1;
+  struct GNUNET_CRYPTO_Edx25519PublicKey p2;
+
+  /* do_create == GNUNET_YES and non-existing file MUST return GNUNET_YES */
+  GNUNET_assert (0 == unlink (KEYFILE) || ENOENT == errno);
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CRYPTO_edx25519_key_from_file (KEYFILE,
+                                                       GNUNET_YES,
+                                                       &key));
+  GNUNET_CRYPTO_edx25519_key_get_public (&key,
+                                         &p1);
+
+  /* do_create == GNUNET_YES and _existing_ file MUST return GNUNET_NO */
+  GNUNET_assert (GNUNET_NO ==
+                 GNUNET_CRYPTO_edx25519_key_from_file (KEYFILE,
+                                                       GNUNET_YES,
+                                                       &key));
+  GNUNET_CRYPTO_edx25519_key_get_public (&key,
+                                         &p2);
+  GNUNET_assert (0 ==
+                 GNUNET_memcmp (&p1,
+                                &p2));
+
+  /* do_create == GNUNET_NO and non-existing file MUST return GNUNET_SYSERR */
+  GNUNET_assert (0 == unlink (KEYFILE));
+  GNUNET_assert (GNUNET_SYSERR ==
+                 GNUNET_CRYPTO_edx25519_key_from_file (KEYFILE,
+                                                       GNUNET_NO,
+                                                       &key));
+  return GNUNET_OK;
+}
+
+
+#endif
+
+
+static void
+perf_keygen (void)
+{
+  struct GNUNET_TIME_Absolute start;
+  struct GNUNET_CRYPTO_Edx25519PrivateKey pk;
+
+  fprintf (stderr, "%s", "W");
+  start = GNUNET_TIME_absolute_get ();
+  for (unsigned int i = 0; i < 10; i++)
+  {
+    fprintf (stderr, ".");
+    fflush (stderr);
+    GNUNET_CRYPTO_edx25519_key_create (&pk);
+  }
+  fprintf (stderr, "\n");
+  printf ("10 EdDSA keys created in %s\n",
+          GNUNET_STRINGS_relative_time_to_string (
+            GNUNET_TIME_absolute_get_duration (start), GNUNET_YES));
+}
+
+
+int
+main (int argc, char *argv[])
+{
+  int failure_count = 0;
+
+  if (! gcry_check_version ("1.6.0"))
+  {
+    fprintf (stderr,
+             "libgcrypt has not the expected version (version %s is required).\n",
+             "1.6.0");
+    return 0;
+  }
+  if (getenv ("GNUNET_GCRYPT_DEBUG"))
+    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1u, 0);
+  GNUNET_log_setup ("test-crypto-edx25519",
+                    "WARNING",
+                    NULL);
+  GNUNET_CRYPTO_edx25519_key_create (&key);
+  if (GNUNET_OK != testDeriveSignVerify ())
+  {
+    failure_count++;
+    fprintf (stderr,
+             "\n\n%d TESTS FAILED!\n\n", failure_count);
+    return -1;
+  }
+#if PERF
+  if (GNUNET_OK != testSignPerformance ())
+    failure_count++;
+#endif
+  if (GNUNET_OK != testSignVerify ())
+    failure_count++;
+#if 0 /* not implemented */
+  if (GNUNET_OK != testCreateFromFile ())
+    failure_count++;
+#endif
+  perf_keygen ();
+
+  if (0 != failure_count)
+  {
+    fprintf (stderr,
+             "\n\n%d TESTS FAILED!\n\n",
+             failure_count);
+    return -1;
+  }
+  return 0;
+}
+
+
+/* end of test_crypto_edx25519.c */
diff --git a/src/util/time.c b/src/util/time.c
index 68a6937a0..cf072aebf 100644
--- a/src/util/time.c
+++ b/src/util/time.c
@@ -58,6 +58,22 @@ GNUNET_TIME_get_offset ()
 }
 
 
+bool
+GNUNET_TIME_absolute_approx_eq (struct GNUNET_TIME_Absolute a1,
+                                struct GNUNET_TIME_Absolute a2,
+                                struct GNUNET_TIME_Relative t)
+{
+  struct GNUNET_TIME_Relative delta;
+
+  delta = GNUNET_TIME_relative_min (
+    GNUNET_TIME_absolute_get_difference (a1, a2),
+    GNUNET_TIME_absolute_get_difference (a2, a1));
+  return GNUNET_TIME_relative_cmp (delta,
+                                   <=,
+                                   t);
+}
+
+
 struct GNUNET_TIME_Timestamp
 GNUNET_TIME_absolute_to_timestamp (struct GNUNET_TIME_Absolute at)
 {
@@ -370,6 +386,20 @@ GNUNET_TIME_timestamp_min (struct GNUNET_TIME_Timestamp t1,
 }
 
 
+struct GNUNET_TIME_Absolute
+GNUNET_TIME_absolute_round_down (struct GNUNET_TIME_Absolute at,
+                                 struct GNUNET_TIME_Relative rt)
+{
+  struct GNUNET_TIME_Absolute ret;
+
+  GNUNET_assert (! GNUNET_TIME_relative_is_zero (rt));
+  ret.abs_value_us
+    = at.abs_value_us
+    - at.abs_value_us % rt.rel_value_us;
+  return ret;
+}
+
+
 struct GNUNET_TIME_Relative
 GNUNET_TIME_absolute_get_remaining (struct GNUNET_TIME_Absolute future)
 {