gnunet_crypto_lib.h (147324B)
1 /* 2 This file is part of GNUnet. 3 Copyright (C) 2001-2023 GNUnet e.V. 4 5 GNUnet is free software: you can redistribute it and/or modify it 6 under the terms of the GNU Affero General Public License as published 7 by the Free Software Foundation, either version 3 of the License, 8 or (at your option) any later version. 9 10 GNUnet is distributed in the hope that it will be useful, but 11 WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 Affero General Public License for more details. 14 15 You should have received a copy of the GNU Affero General Public License 16 along with this program. If not, see <http://www.gnu.org/licenses/>. 17 18 SPDX-License-Identifier: AGPL3.0-or-later 19 */ 20 21 /** 22 * @addtogroup libgnunetutil 23 * Multi-function utilities library for GNUnet programs 24 * @{ 25 * 26 * @file include/gnunet_crypto_lib.h 27 * @brief cryptographic primitives for GNUnet 28 * 29 * @author Christian Grothoff 30 * @author Krista Bennett 31 * @author Gerd Knorr <kraxel@bytesex.org> 32 * @author Ioana Patrascu 33 * @author Tzvetan Horozov 34 * @author Jeffrey Burdges <burdges@gnunet.org> 35 * 36 * @defgroup crypto Crypto library: cryptographic operations 37 * Provides cryptographic primitives. 38 * 39 * @see [Documentation](https://gnunet.org/crypto-api) 40 * 41 * @defgroup hash Crypto library: hash operations 42 * Provides hashing and operations on hashes. 43 * 44 * @see [Documentation](https://gnunet.org/crypto-api) 45 */ 46 47 #if ! defined (__GNUNET_UTIL_LIB_H_INSIDE__) 48 #error "Only <gnunet_util_lib.h> can be included directly." 49 #endif 50 51 #ifndef GNUNET_CRYPTO_LIB_H 52 #define GNUNET_CRYPTO_LIB_H 53 54 #ifdef __cplusplus 55 extern "C" { 56 #if 0 /* keep Emacsens' auto-indent happy */ 57 } 58 #endif 59 #endif 60 61 62 #include <stdbool.h> 63 #include <sodium.h> 64 65 /** 66 * The identity of the host (wraps the signing key of the peer). 67 */ 68 struct GNUNET_PeerIdentity; 69 70 #include <gcrypt.h> 71 72 73 /** 74 * Maximum length of an ECC signature. 75 * Note: round up to multiple of 8 minus 2 for alignment. 76 */ 77 #define GNUNET_CRYPTO_ECC_SIGNATURE_DATA_ENCODING_LENGTH 126 78 79 80 /** 81 * Desired quality level for random numbers. 82 * @ingroup crypto 83 */ 84 enum GNUNET_CRYPTO_Quality 85 { 86 /** 87 * No good quality of the operation is needed (i.e., 88 * random numbers can be pseudo-random). 89 * @ingroup crypto 90 */ 91 GNUNET_CRYPTO_QUALITY_WEAK, 92 93 /** 94 * High-quality operations are desired. 95 * @ingroup crypto 96 */ 97 GNUNET_CRYPTO_QUALITY_STRONG, 98 99 /** 100 * Randomness for IVs etc. is required. 101 * @ingroup crypto 102 */ 103 GNUNET_CRYPTO_QUALITY_NONCE 104 }; 105 106 107 /** 108 * @brief length of the sessionkey in bytes (256 BIT sessionkey) 109 */ 110 #define GNUNET_CRYPTO_AES_KEY_LENGTH (256 / 8) 111 112 /** 113 * Length of a hash value 114 */ 115 #define GNUNET_CRYPTO_HASH_LENGTH (512 / 8) 116 117 /** 118 * How many characters (without 0-terminator) are our ASCII-encoded 119 * public keys (ECDSA/EDDSA/ECDHE). 120 */ 121 #define GNUNET_CRYPTO_PKEY_ASCII_LENGTH 52 122 123 /** 124 * @brief 0-terminated ASCII encoding of a struct GNUNET_HashCode. 125 */ 126 struct GNUNET_CRYPTO_HashAsciiEncoded 127 { 128 unsigned char encoding[104]; 129 }; 130 131 132 GNUNET_NETWORK_STRUCT_BEGIN 133 134 135 /** 136 * @brief header of what an ECC signature signs 137 * this must be followed by "size - 8" bytes of 138 * the actual signed data 139 */ 140 struct GNUNET_CRYPTO_EccSignaturePurpose 141 { 142 /** 143 * How many bytes does this signature sign? 144 * (including this purpose header); in network 145 * byte order (!). 146 */ 147 uint32_t size GNUNET_PACKED; 148 149 /** 150 * What does this signature vouch for? This 151 * must contain a GNUNET_SIGNATURE_PURPOSE_XXX 152 * constant (from gnunet_signatures.h). In 153 * network byte order! 154 */ 155 uint32_t purpose GNUNET_PACKED; 156 }; 157 158 159 /** 160 * @brief an ECC signature using EdDSA. 161 * See cr.yp.to/papers.html#ed25519 162 */ 163 struct GNUNET_CRYPTO_EddsaSignature 164 { 165 /** 166 * R value. 167 */ 168 unsigned char r[256 / 8]; 169 170 /** 171 * S value. 172 */ 173 unsigned char s[256 / 8]; 174 }; 175 176 177 /** 178 * @brief an ECC signature using ECDSA 179 */ 180 struct GNUNET_CRYPTO_EcdsaSignature 181 { 182 /** 183 * R value. 184 */ 185 unsigned char r[256 / 8]; 186 187 /** 188 * S value. 189 */ 190 unsigned char s[256 / 8]; 191 }; 192 193 194 /** 195 * Public ECC key (always for curve Ed25519) encoded in a format 196 * suitable for network transmission and EdDSA signatures. Refer 197 * to section 5.1.3 of rfc8032, for a thorough explanation of how 198 * this value maps to the x- and y-coordinates. 199 */ 200 struct GNUNET_CRYPTO_EddsaPublicKey 201 { 202 /** 203 * Point Q consists of a y-value mod p (256 bits); the x-value is 204 * always positive. The point is stored in Ed25519 standard 205 * compact format. 206 */ 207 unsigned char q_y[256 / 8]; 208 }; 209 210 211 /** 212 * Public ECC key (always for Curve25519) encoded in a format suitable 213 * for network transmission and ECDSA signatures. 214 */ 215 struct GNUNET_CRYPTO_EcdsaPublicKey 216 { 217 /** 218 * Q consists of an x- and a y-value, each mod p (256 bits), given 219 * here in affine coordinates and Ed25519 standard compact format. 220 */ 221 unsigned char q_y[256 / 8]; 222 }; 223 224 225 /** 226 * The identity of the host (wraps the signing key of the peer). 227 */ 228 struct GNUNET_PeerIdentity 229 { 230 struct GNUNET_CRYPTO_EddsaPublicKey public_key; 231 }; 232 233 234 /** 235 * Public ECC key (always for Curve25519) encoded in a format suitable 236 * for network transmission and encryption (ECDH), 237 * See http://cr.yp.to/ecdh.html 238 */ 239 struct GNUNET_CRYPTO_EcdhePublicKey 240 { 241 /** 242 * Q consists of an x- and a y-value, each mod p (256 bits), given 243 * here in affine coordinates and Ed25519 standard compact format. 244 */ 245 unsigned char q_y[256 / 8]; 246 }; 247 248 249 /** 250 * Private ECC key encoded for transmission. To be used only for ECDH 251 * key exchange (ECDHE to be precise). 252 */ 253 struct GNUNET_CRYPTO_EcdhePrivateKey 254 { 255 /** 256 * d is a value mod n, where n has at most 256 bits. 257 */ 258 unsigned char d[256 / 8]; 259 }; 260 261 /** 262 * Private ECC key encoded for transmission. To be used only for ECDSA 263 * signatures. 264 */ 265 struct GNUNET_CRYPTO_EcdsaPrivateKey 266 { 267 /** 268 * d is a value mod n, where n has at most 256 bits. 269 */ 270 unsigned char d[256 / 8]; 271 }; 272 273 /** 274 * Private ECC key encoded for transmission. To be used only for EdDSA 275 * signatures. 276 */ 277 struct GNUNET_CRYPTO_EddsaPrivateKey 278 { 279 /** 280 * d is a value mod n, where n has at most 256 bits. 281 */ 282 unsigned char d[256 / 8]; 283 }; 284 285 286 /** 287 * Private ECC scalar encoded for transmission. To be used only for EdDSA 288 * signatures. 289 */ 290 struct GNUNET_CRYPTO_EddsaPrivateScalar 291 { 292 /** 293 * s is the expandedprivate 512-bit scalar of a private key. 294 */ 295 unsigned char s[512 / 8]; 296 }; 297 298 /** 299 * Private ECC key material encoded for transmission. To be used only for 300 * Edx25519 signatures. An initial key corresponds to data from the key 301 * expansion and clamping in the EdDSA key generation. 302 */ 303 struct GNUNET_CRYPTO_Edx25519PrivateKey 304 { 305 /** 306 * a is a value mod n, where n has at most 256 bits. It is the first half of 307 * the seed-expansion of EdDSA and will be clamped. 308 */ 309 unsigned char a[256 / 8]; 310 311 /** 312 * b consists of 32 bytes which where originally the lower 32bytes of the key 313 * expansion. Subsequent calls to derive_private will change this value, too. 314 */ 315 unsigned char b[256 / 8]; 316 }; 317 318 319 /** 320 * Public ECC key (always for curve Ed25519) encoded in a format suitable for 321 * network transmission and Edx25519 (same as EdDSA) signatures. Refer to 322 * section 5.1.3 of rfc8032, for a thorough explanation of how this value maps 323 * to the x- and y-coordinates. 324 */ 325 struct GNUNET_CRYPTO_Edx25519PublicKey 326 { 327 /** 328 * Point Q consists of a y-value mod p (256 bits); the x-value is 329 * always positive. The point is stored in Ed25519 standard 330 * compact format. 331 */ 332 unsigned char q_y[256 / 8]; 333 }; 334 335 /** 336 * @brief an ECC signature using Edx25519 (same as in EdDSA). 337 */ 338 struct GNUNET_CRYPTO_Edx25519Signature 339 { 340 /** 341 * R value. 342 */ 343 unsigned char r[256 / 8]; 344 345 /** 346 * S value. 347 */ 348 unsigned char s[256 / 8]; 349 }; 350 351 /** 352 * Special private ECC key generated by GNUNET_CRYPTO_ecdhe_elligator_key_create. 353 * To be used only for the Elligator KEM. 354 * Encoded for transmission. 355 */ 356 struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey 357 { 358 /** 359 * d is a value mod n, where n has at most 256 bits. 360 */ 361 unsigned char d[256 / 8]; 362 }; 363 364 /** 365 * Elligator representative (always for Curve25519) 366 */ 367 struct GNUNET_CRYPTO_ElligatorRepresentative 368 { 369 /** 370 * Represents an element of Curve25519 finite field. 371 * Always smaller than 2 ^ 254 - 10 -> Needs to be serialized into a random-looking byte stream before transmission. 372 */ 373 uint8_t r[256 / 8]; 374 }; 375 376 /** 377 * Key type for the generic public key union 378 */ 379 enum GNUNET_CRYPTO_KeyType 380 { 381 /** 382 * The identity type. The value is the same as the 383 * PKEY record type. 384 */ 385 GNUNET_PUBLIC_KEY_TYPE_ECDSA = 65536, 386 387 /** 388 * EDDSA identity. The value is the same as the EDKEY 389 * record type. 390 */ 391 GNUNET_PUBLIC_KEY_TYPE_EDDSA = 65556 392 }; 393 394 /** 395 * A private key for an identity as per LSD0001. 396 * Note that these types are NOT packed and MUST NOT be used in RPC 397 * messages. Use the respective serialization functions. 398 */ 399 struct GNUNET_CRYPTO_PrivateKey 400 { 401 /** 402 * Type of public key. 403 * Defined by the GNS zone type value. 404 * In NBO. 405 */ 406 uint32_t type; 407 408 union 409 { 410 /** 411 * An ECDSA identity key. 412 */ 413 struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key; 414 415 /** 416 * AN EdDSA identtiy key 417 */ 418 struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key; 419 }; 420 }; 421 422 423 /** 424 * An identity key as per LSD0001. 425 */ 426 struct GNUNET_CRYPTO_PublicKey 427 { 428 /** 429 * Type of public key. 430 * Defined by the GNS zone type value. 431 * In NBO. 432 */ 433 uint32_t type; 434 435 union 436 { 437 /** 438 * An ECDSA identity key. 439 */ 440 struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_key; 441 442 /** 443 * AN EdDSA identtiy key 444 */ 445 struct GNUNET_CRYPTO_EddsaPublicKey eddsa_key; 446 }; 447 }; 448 449 450 /** 451 * An identity signature as per LSD0001. 452 */ 453 struct GNUNET_CRYPTO_Signature 454 { 455 /** 456 * Type of signature. 457 * Defined by the GNS zone type value. 458 * In NBO. 459 */ 460 uint32_t type; 461 462 union 463 { 464 /** 465 * An ECDSA signature 466 */ 467 struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature; 468 469 /** 470 * AN EdDSA signature 471 */ 472 struct GNUNET_CRYPTO_EddsaSignature eddsa_signature; 473 }; 474 }; 475 476 /** 477 * @brief type for session keys 478 */ 479 struct GNUNET_CRYPTO_SymmetricSessionKey 480 { 481 /** 482 * Actual key for AES. 483 */ 484 unsigned char aes_key[GNUNET_CRYPTO_AES_KEY_LENGTH]; 485 486 /** 487 * Actual key for TwoFish. 488 */ 489 unsigned char twofish_key[GNUNET_CRYPTO_AES_KEY_LENGTH]; 490 }; 491 492 /** 493 * Type of a nonce used for challenges. 494 */ 495 struct GNUNET_CRYPTO_ChallengeNonceP 496 { 497 /** 498 * The value of the nonce. Note that this is NOT a hash. 499 */ 500 struct GNUNET_ShortHashCode value; 501 }; 502 503 GNUNET_NETWORK_STRUCT_END 504 505 /** 506 * @brief IV for sym cipher 507 * 508 * NOTE: must be smaller (!) in size than the 509 * `struct GNUNET_HashCode`. 510 */ 511 struct GNUNET_CRYPTO_SymmetricInitializationVector 512 { 513 unsigned char aes_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2]; 514 515 unsigned char twofish_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2]; 516 }; 517 518 519 /** 520 * @brief type for (message) authentication keys 521 */ 522 struct GNUNET_CRYPTO_AuthKey 523 { 524 unsigned char key[GNUNET_CRYPTO_HASH_LENGTH]; 525 }; 526 527 528 /** 529 * Size of paillier plain texts and public keys. 530 * Private keys and ciphertexts are twice this size. 531 */ 532 #define GNUNET_CRYPTO_PAILLIER_BITS 2048 533 534 535 /** 536 * Paillier public key. 537 */ 538 struct GNUNET_CRYPTO_PaillierPublicKey 539 { 540 /** 541 * N value. 542 */ 543 unsigned char n[GNUNET_CRYPTO_PAILLIER_BITS / 8]; 544 }; 545 546 547 /** 548 * Paillier private key. 549 */ 550 struct GNUNET_CRYPTO_PaillierPrivateKey 551 { 552 /** 553 * Lambda-component of the private key. 554 */ 555 unsigned char lambda[GNUNET_CRYPTO_PAILLIER_BITS / 8]; 556 /** 557 * Mu-component of the private key. 558 */ 559 unsigned char mu[GNUNET_CRYPTO_PAILLIER_BITS / 8]; 560 }; 561 562 563 /** 564 * Paillier ciphertext. 565 */ 566 struct GNUNET_CRYPTO_PaillierCiphertext 567 { 568 /** 569 * Guaranteed minimum number of homomorphic operations with this ciphertext, 570 * in network byte order (NBO). 571 */ 572 int32_t remaining_ops GNUNET_PACKED; 573 574 /** 575 * The bits of the ciphertext. 576 */ 577 unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8]; 578 }; 579 580 581 /** 582 * Curve25519 Scalar 583 */ 584 struct GNUNET_CRYPTO_Cs25519Scalar 585 { 586 /** 587 * 32 byte scalar 588 */ 589 unsigned char d[crypto_core_ed25519_SCALARBYTES]; 590 }; 591 592 593 /** 594 * Curve25519 point 595 */ 596 struct GNUNET_CRYPTO_Cs25519Point 597 { 598 /** 599 * This is a point on the Curve25519. 600 * The x coordinate can be restored using the y coordinate 601 */ 602 unsigned char y[crypto_core_ed25519_BYTES]; 603 }; 604 605 606 /** 607 * The private information of an Schnorr key pair. 608 */ 609 struct GNUNET_CRYPTO_CsPrivateKey 610 { 611 struct GNUNET_CRYPTO_Cs25519Scalar scalar; 612 }; 613 614 615 /** 616 * The public information of an Schnorr key pair. 617 */ 618 struct GNUNET_CRYPTO_CsPublicKey 619 { 620 struct GNUNET_CRYPTO_Cs25519Point point; 621 }; 622 623 624 /** 625 * Secret used for blinding (alpha and beta). 626 */ 627 struct GNUNET_CRYPTO_CsBlindingSecret 628 { 629 struct GNUNET_CRYPTO_Cs25519Scalar alpha; 630 struct GNUNET_CRYPTO_Cs25519Scalar beta; 631 }; 632 633 634 /** 635 * the private r used in the signature 636 */ 637 struct GNUNET_CRYPTO_CsRSecret 638 { 639 struct GNUNET_CRYPTO_Cs25519Scalar scalar; 640 }; 641 642 643 /** 644 * the public R (derived from r) used in c 645 */ 646 struct GNUNET_CRYPTO_CsRPublic 647 { 648 struct GNUNET_CRYPTO_Cs25519Point point; 649 }; 650 651 652 /** 653 * Schnorr c to be signed 654 */ 655 struct GNUNET_CRYPTO_CsC 656 { 657 struct GNUNET_CRYPTO_Cs25519Scalar scalar; 658 }; 659 660 661 /** 662 * s in the signature 663 */ 664 struct GNUNET_CRYPTO_CsS 665 { 666 struct GNUNET_CRYPTO_Cs25519Scalar scalar; 667 }; 668 669 670 /** 671 * blinded s in the signature 672 */ 673 struct GNUNET_CRYPTO_CsBlindS 674 { 675 struct GNUNET_CRYPTO_Cs25519Scalar scalar; 676 }; 677 678 679 /** 680 * CS Signtature containing scalar s and point R 681 */ 682 struct GNUNET_CRYPTO_CsSignature 683 { 684 /** 685 * Schnorr signatures are composed of a scalar s and a curve point 686 */ 687 struct GNUNET_CRYPTO_CsS s_scalar; 688 689 /** 690 * Curve point of the Schnorr signature. 691 */ 692 struct GNUNET_CRYPTO_CsRPublic r_point; 693 }; 694 695 696 /** 697 * Nonce for the session, picked by client, 698 * shared with the signer. 699 */ 700 struct GNUNET_CRYPTO_CsSessionNonce 701 { 702 /*a nonce*/ 703 unsigned char snonce[256 / 8]; 704 }; 705 706 707 /** 708 * Nonce for computing blinding factors. Not 709 * shared with the signer. 710 */ 711 struct GNUNET_CRYPTO_CsBlindingNonce 712 { 713 /*a nonce*/ 714 unsigned char bnonce[256 / 8]; 715 }; 716 717 718 /* **************** Functions and Macros ************* */ 719 720 /** 721 * @ingroup crypto 722 * Seed a weak random generator. Only #GNUNET_CRYPTO_QUALITY_WEAK-mode generator 723 * can be seeded. 724 * 725 * @param seed the seed to use 726 */ 727 void 728 GNUNET_CRYPTO_seed_weak_random (int32_t seed); 729 730 731 /** 732 * @ingroup hash 733 * Calculate the checksum of a buffer in one step. 734 * 735 * @param buf buffer to calculate CRC over 736 * @param len number of bytes in @a buf 737 * @return crc8 value 738 */ 739 uint8_t 740 GNUNET_CRYPTO_crc8_n (const void *buf, size_t len); 741 742 743 /** 744 * Perform an incremental step in a CRC16 (for TCP/IP) calculation. 745 * 746 * @param sum current sum, initially 0 747 * @param buf buffer to calculate CRC over (must be 16-bit aligned) 748 * @param len number of bytes in @a buf, must be multiple of 2 749 * @return updated crc sum (must be subjected to #GNUNET_CRYPTO_crc16_finish to get actual crc16) 750 */ 751 uint32_t 752 GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len); 753 754 755 /** 756 * Convert results from GNUNET_CRYPTO_crc16_step to final crc16. 757 * 758 * @param sum cumulative sum 759 * @return crc16 value 760 */ 761 uint16_t 762 GNUNET_CRYPTO_crc16_finish (uint32_t sum); 763 764 765 /** 766 * @ingroup hash 767 * Calculate the checksum of a buffer in one step. 768 * 769 * @param buf buffer to calculate CRC over (must be 16-bit aligned) 770 * @param len number of bytes in @a buf, must be multiple of 2 771 * @return crc16 value 772 */ 773 uint16_t 774 GNUNET_CRYPTO_crc16_n (const void *buf, size_t len); 775 776 777 /** 778 * @ingroup hash 779 * Compute the CRC32 checksum for the first len 780 * bytes of the buffer. 781 * 782 * @param buf the data over which we're taking the CRC 783 * @param len the length of the buffer @a buf in bytes 784 * @return the resulting CRC32 checksum 785 */ 786 int32_t 787 GNUNET_CRYPTO_crc32_n (const void *buf, size_t len); 788 789 /** 790 * @ingroup crypto 791 * Zero out @a buffer, securely against compiler optimizations. 792 * Used to delete key material. 793 * 794 * @param buffer the buffer to zap 795 * @param length buffer length 796 */ 797 void 798 GNUNET_CRYPTO_zero_keys (void *buffer, size_t length); 799 800 801 /** 802 * @ingroup crypto 803 * Fill block with a random values. 804 * 805 * @param mode desired quality of the random number 806 * @param[out] buffer the buffer to fill 807 * @param length buffer length 808 */ 809 void 810 GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode, 811 void *buffer, 812 size_t length); 813 814 815 /** 816 * @ingroup crypto 817 * Fill UUID with a timeflake pseudo-random value. Note that 818 * timeflakes use only 80 bits of randomness and 48 bits 819 * to encode a timestamp in milliseconds. So what we return 820 * here is not a completely random number. 821 * 822 * @param mode desired quality of the random number 823 * @param[out] uuid the value to fill 824 */ 825 void 826 GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, 827 struct GNUNET_Uuid *uuid); 828 829 830 /** 831 * @ingroup crypto 832 * Produce a random value. 833 * 834 * @param mode desired quality of the random number 835 * @param i the upper limit (exclusive) for the random number 836 * @return a random value in the interval [0,@a i) (exclusive). 837 */ 838 uint32_t 839 GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i); 840 841 842 /** 843 * @ingroup crypto 844 * Generate a random unsigned 64-bit value. 845 * 846 * @param mode desired quality of the random number 847 * @param max value returned will be in range [0,@a max) (exclusive) 848 * @return random 64-bit number 849 */ 850 uint64_t 851 GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode, uint64_t max); 852 853 854 /** 855 * @ingroup crypto 856 * Get an array with a random permutation of the 857 * numbers 0...n-1. 858 * @param mode #GNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used, 859 * #GNUNET_CRYPTO_QUALITY_WEAK or #GNUNET_CRYPTO_QUALITY_NONCE otherwise 860 * @param n the size of the array 861 * @return the permutation array (allocated from heap) 862 */ 863 unsigned int * 864 GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode, unsigned int n); 865 866 867 /** 868 * @ingroup crypto 869 * Create a new random session key. 870 * 871 * @param key key to initialize 872 */ 873 void 874 GNUNET_CRYPTO_symmetric_create_session_key ( 875 struct GNUNET_CRYPTO_SymmetricSessionKey *key); 876 877 878 /** 879 * @ingroup crypto 880 * Encrypt a block using a symmetric sessionkey. 881 * 882 * @param block the block to encrypt 883 * @param size the size of the @a block 884 * @param sessionkey the key used to encrypt 885 * @param iv the initialization vector to use, use INITVALUE 886 * for streams. 887 * @return the size of the encrypted block, -1 for errors 888 */ 889 ssize_t 890 GNUNET_CRYPTO_symmetric_encrypt ( 891 const void *block, 892 size_t size, 893 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, 894 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, 895 void *result); 896 897 898 /** 899 * @ingroup crypto 900 * Decrypt a given block using a symmetric sessionkey. 901 * 902 * @param block the data to decrypt, encoded as returned by encrypt 903 * @param size how big is the block? 904 * @param sessionkey the key used to decrypt 905 * @param iv the initialization vector to use 906 * @param result address to store the result at 907 * @return -1 on failure, size of decrypted block on success 908 */ 909 ssize_t 910 GNUNET_CRYPTO_symmetric_decrypt ( 911 const void *block, 912 size_t size, 913 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, 914 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, 915 void *result); 916 917 918 /** 919 * @ingroup crypto 920 * @brief Derive an IV 921 * @param iv initialization vector 922 * @param skey session key 923 * @param salt salt for the derivation 924 * @param salt_len size of the @a salt 925 * @param ... pairs of void * & size_t for context chunks, terminated by NULL 926 */ 927 void 928 GNUNET_CRYPTO_symmetric_derive_iv ( 929 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, 930 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey, 931 const void *salt, 932 size_t salt_len, 933 ...); 934 935 936 /** 937 * @brief Derive an IV 938 * @param iv initialization vector 939 * @param skey session key 940 * @param salt salt for the derivation 941 * @param salt_len size of the @a salt 942 * @param argp pairs of void * & size_t for context chunks, terminated by NULL 943 */ 944 void 945 GNUNET_CRYPTO_symmetric_derive_iv_v ( 946 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, 947 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey, 948 const void *salt, 949 size_t salt_len, 950 va_list argp); 951 952 953 /** 954 * @ingroup hash 955 * Convert hash to ASCII encoding. 956 * @param block the hash code 957 * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be 958 * safely cast to char*, a '\\0' termination is set). 959 */ 960 void 961 GNUNET_CRYPTO_hash_to_enc (const struct GNUNET_HashCode *block, 962 struct GNUNET_CRYPTO_HashAsciiEncoded *result); 963 964 965 /** 966 * @ingroup hash 967 * Convert ASCII encoding back to a 'struct GNUNET_HashCode' 968 * 969 * @param enc the encoding 970 * @param enclen number of characters in @a enc (without 0-terminator, which can be missing) 971 * @param result where to store the hash code 972 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding 973 */ 974 enum GNUNET_GenericReturnValue 975 GNUNET_CRYPTO_hash_from_string2 (const char *enc, 976 size_t enclen, 977 struct GNUNET_HashCode *result); 978 979 980 /** 981 * @ingroup hash 982 * Convert ASCII encoding back to `struct GNUNET_HashCode` 983 * 984 * @param enc the encoding 985 * @param result where to store the hash code 986 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding 987 */ 988 #define GNUNET_CRYPTO_hash_from_string(enc, result) \ 989 GNUNET_CRYPTO_hash_from_string2 (enc, strlen (enc), result) 990 991 992 /** 993 * @ingroup hash 994 * 995 * Compute the distance between 2 hashcodes. The 996 * computation must be fast, not involve @a a[0] or @a a[4] (they're used 997 * elsewhere), and be somewhat consistent. And of course, the result 998 * should be a positive number. 999 * 1000 * @param a some hash code 1001 * @param b some hash code 1002 * @return number between 0 and UINT32_MAX 1003 */ 1004 uint32_t 1005 GNUNET_CRYPTO_hash_distance_u32 (const struct GNUNET_HashCode *a, 1006 const struct GNUNET_HashCode *b); 1007 1008 1009 /** 1010 * @ingroup hash 1011 * Compute hash of a given block. 1012 * 1013 * @param block the data to hash 1014 * @param size size of the @a block 1015 * @param ret pointer to where to write the hashcode 1016 */ 1017 void 1018 GNUNET_CRYPTO_hash (const void *block, 1019 size_t size, 1020 struct GNUNET_HashCode *ret); 1021 1022 1023 /** 1024 * Value for a salt for #GNUNET_CRYPTO_pow_hash(). 1025 */ 1026 struct GNUNET_CRYPTO_PowSalt 1027 { 1028 char salt[crypto_pwhash_argon2id_SALTBYTES]; 1029 }; 1030 1031 1032 /** 1033 * Calculate the 'proof-of-work' hash (an expensive hash). 1034 * 1035 * @param salt salt for the hash. Must be crypto_pwhash_argon2id_SALTBYTES long. 1036 * @param buf data to hash 1037 * @param buf_len number of bytes in @a buf 1038 * @param result where to write the resulting hash 1039 */ 1040 void 1041 GNUNET_CRYPTO_pow_hash (const struct GNUNET_CRYPTO_PowSalt *salt, 1042 const void *buf, 1043 size_t buf_len, 1044 struct GNUNET_HashCode *result); 1045 1046 1047 /** 1048 * Context for cumulative hashing. 1049 */ 1050 struct GNUNET_HashContext; 1051 1052 1053 /** 1054 * Start incremental hashing operation. 1055 * 1056 * @return context for incremental hash computation 1057 */ 1058 struct GNUNET_HashContext * 1059 GNUNET_CRYPTO_hash_context_start (void); 1060 1061 1062 /** 1063 * Make a copy of the hash computation. 1064 * 1065 * @param hc hash context to use (to continue hashing independently) 1066 * @return copy of @a hc 1067 */ 1068 struct GNUNET_HashContext * 1069 GNUNET_CRYPTO_hash_context_copy (const struct GNUNET_HashContext *hc); 1070 1071 1072 /** 1073 * Add data to be hashed. 1074 * 1075 * @param hc cumulative hash context 1076 * @param buf data to add 1077 * @param size number of bytes in @a buf 1078 */ 1079 void 1080 GNUNET_CRYPTO_hash_context_read (struct GNUNET_HashContext *hc, 1081 const void *buf, 1082 size_t size); 1083 1084 1085 /** 1086 * Finish the hash computation. 1087 * 1088 * @param hc hash context to use, is freed in the process 1089 * @param r_hash where to write the latest / final hash code 1090 */ 1091 void 1092 GNUNET_CRYPTO_hash_context_finish (struct GNUNET_HashContext *hc, 1093 struct GNUNET_HashCode *r_hash); 1094 1095 1096 /** 1097 * Abort hashing, do not bother calculating final result. 1098 * 1099 * @param hc hash context to destroy 1100 */ 1101 void 1102 GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc); 1103 1104 1105 /** 1106 * Calculate HMAC of a message (RFC 2104) 1107 * TODO: Shouldn't this be the standard hmac function and 1108 * the above be renamed? 1109 * 1110 * @param key secret key 1111 * @param key_len secret key length 1112 * @param plaintext input plaintext 1113 * @param plaintext_len length of @a plaintext 1114 * @param hmac where to store the hmac 1115 */ 1116 void 1117 GNUNET_CRYPTO_hmac_raw (const void *key, 1118 size_t key_len, 1119 const void *plaintext, 1120 size_t plaintext_len, 1121 struct GNUNET_HashCode *hmac); 1122 1123 1124 /** 1125 * @ingroup hash 1126 * Calculate HMAC of a message (RFC 2104) 1127 * 1128 * @param key secret key 1129 * @param plaintext input plaintext 1130 * @param plaintext_len length of @a plaintext 1131 * @param hmac where to store the hmac 1132 */ 1133 void 1134 GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, 1135 const void *plaintext, 1136 size_t plaintext_len, 1137 struct GNUNET_HashCode *hmac); 1138 1139 1140 /** 1141 * Function called once the hash computation over the 1142 * specified file has completed. 1143 * 1144 * @param cls closure 1145 * @param res resulting hash, NULL on error 1146 */ 1147 typedef void 1148 (*GNUNET_CRYPTO_HashCompletedCallback) ( 1149 void *cls, 1150 const struct GNUNET_HashCode *res); 1151 1152 1153 /** 1154 * Handle to file hashing operation. 1155 */ 1156 struct GNUNET_CRYPTO_FileHashContext; 1157 1158 1159 /** 1160 * @ingroup hash 1161 * Compute the hash of an entire file. 1162 * 1163 * @param priority scheduling priority to use 1164 * @param filename name of file to hash 1165 * @param blocksize number of bytes to process in one task 1166 * @param callback function to call upon completion 1167 * @param callback_cls closure for @a callback 1168 * @return NULL on (immediate) error 1169 */ 1170 struct GNUNET_CRYPTO_FileHashContext * 1171 GNUNET_CRYPTO_hash_file (enum GNUNET_SCHEDULER_Priority priority, 1172 const char *filename, 1173 size_t blocksize, 1174 GNUNET_CRYPTO_HashCompletedCallback callback, 1175 void *callback_cls); 1176 1177 1178 /** 1179 * Cancel a file hashing operation. 1180 * 1181 * @param fhc operation to cancel (callback must not yet have been invoked) 1182 */ 1183 void 1184 GNUNET_CRYPTO_hash_file_cancel (struct GNUNET_CRYPTO_FileHashContext *fhc); 1185 1186 1187 /** 1188 * @ingroup hash 1189 * Create a random hash code. 1190 * 1191 * @param mode desired quality level 1192 * @param result hash code that is randomized 1193 */ 1194 void 1195 GNUNET_CRYPTO_hash_create_random (enum GNUNET_CRYPTO_Quality mode, 1196 struct GNUNET_HashCode *result); 1197 1198 1199 /** 1200 * @ingroup hash 1201 * compute @a result = @a b - @a a 1202 * 1203 * @param a some hash code 1204 * @param b some hash code 1205 * @param result set to @a b - @a a 1206 */ 1207 void 1208 GNUNET_CRYPTO_hash_difference (const struct GNUNET_HashCode *a, 1209 const struct GNUNET_HashCode *b, 1210 struct GNUNET_HashCode *result); 1211 1212 1213 /** 1214 * @ingroup hash 1215 * compute @a result = @a a + @a delta 1216 * 1217 * @param a some hash code 1218 * @param delta some hash code 1219 * @param result set to @a a + @a delta 1220 */ 1221 void 1222 GNUNET_CRYPTO_hash_sum (const struct GNUNET_HashCode *a, 1223 const struct GNUNET_HashCode *delta, 1224 struct GNUNET_HashCode *result); 1225 1226 1227 /** 1228 * @ingroup hash 1229 * compute result = a ^ b 1230 * 1231 * @param a some hash code 1232 * @param b some hash code 1233 * @param result set to @a a ^ @a b 1234 */ 1235 void 1236 GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a, 1237 const struct GNUNET_HashCode *b, 1238 struct GNUNET_HashCode *result); 1239 1240 1241 /** 1242 * Count the number of leading 0 bits in @a h. 1243 * 1244 * @param h a hash 1245 * @return number of leading 0 bits in @a h 1246 */ 1247 unsigned int 1248 GNUNET_CRYPTO_hash_count_leading_zeros (const struct GNUNET_HashCode *h); 1249 1250 1251 /** 1252 * Count the number of tailing 0 bits in @a h. 1253 * 1254 * @param h a hash 1255 * @return number of tailing 0 bits in @a h 1256 */ 1257 unsigned int 1258 GNUNET_CRYPTO_hash_count_tailing_zeros (const struct GNUNET_HashCode *h); 1259 1260 1261 /** 1262 * @ingroup hash 1263 * Convert a hashcode into a key. 1264 * 1265 * @param hc hash code that serves to generate the key 1266 * @param skey set to a valid session key 1267 * @param iv set to a valid initialization vector 1268 */ 1269 void 1270 GNUNET_CRYPTO_hash_to_aes_key ( 1271 const struct GNUNET_HashCode *hc, 1272 struct GNUNET_CRYPTO_SymmetricSessionKey *skey, 1273 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv); 1274 1275 1276 /** 1277 * @ingroup hash 1278 * Compare function for HashCodes, producing a total ordering 1279 * of all hashcodes. 1280 * 1281 * @param h1 some hash code 1282 * @param h2 some hash code 1283 * @return 1 if @a h1 > @a h2, -1 if @a h1 < @a h2 and 0 if @a h1 == @a h2. 1284 */ 1285 int 1286 GNUNET_CRYPTO_hash_cmp (const struct GNUNET_HashCode *h1, 1287 const struct GNUNET_HashCode *h2); 1288 1289 1290 /** 1291 * @ingroup hash 1292 * Find out which of the two GNUNET_CRYPTO_hash codes is closer to target 1293 * in the XOR metric (Kademlia). 1294 * 1295 * @param h1 some hash code 1296 * @param h2 some hash code 1297 * @param target some hash code 1298 * @return -1 if @a h1 is closer, 1 if @a h2 is closer and 0 if @a h1== @a h2. 1299 */ 1300 int 1301 GNUNET_CRYPTO_hash_xorcmp (const struct GNUNET_HashCode *h1, 1302 const struct GNUNET_HashCode *h2, 1303 const struct GNUNET_HashCode *target); 1304 1305 1306 /** 1307 * @ingroup hash 1308 * @brief Derive an authentication key 1309 * @param key authentication key 1310 * @param rkey root key 1311 * @param salt salt 1312 * @param salt_len size of the salt 1313 * @param argp pair of void * & size_t for context chunks, terminated by NULL 1314 */ 1315 void 1316 GNUNET_CRYPTO_hmac_derive_key_v ( 1317 struct GNUNET_CRYPTO_AuthKey *key, 1318 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey, 1319 const void *salt, 1320 size_t salt_len, 1321 va_list argp); 1322 1323 1324 /** 1325 * @ingroup hash 1326 * @brief Derive an authentication key 1327 * @param key authentication key 1328 * @param rkey root key 1329 * @param salt salt 1330 * @param salt_len size of the salt 1331 * @param ... pair of void * & size_t for context chunks, terminated by NULL 1332 */ 1333 void 1334 GNUNET_CRYPTO_hmac_derive_key ( 1335 struct GNUNET_CRYPTO_AuthKey *key, 1336 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey, 1337 const void *salt, 1338 size_t salt_len, 1339 ...); 1340 1341 1342 /** 1343 * @ingroup hash 1344 * @brief HKDF-Extract using SHA256. RFC 5869 1345 * @param prk the PRK 1346 * @param salt salt 1347 * @param salt_len length of @a xts 1348 * @param ikm source key material 1349 * @param ikm_len length of @a skm 1350 * @return #GNUNET_YES on success 1351 */ 1352 enum GNUNET_GenericReturnValue 1353 GNUNET_CRYPTO_hkdf_extract (struct GNUNET_ShortHashCode *prk, 1354 const void *salt, 1355 size_t salt_len, 1356 const void *ikm, 1357 size_t ikm_len); 1358 1359 /** 1360 * @ingroup hash 1361 * @brief HKDF-Expand using SHA256. RFC 5869 1362 * @param result buffer for the derived key, allocated by caller 1363 * @param out_len desired length of the derived key 1364 * @param ... pair of void * & size_t for context chunks, terminated by NULL 1365 * @return #GNUNET_YES on success 1366 */ 1367 enum GNUNET_GenericReturnValue 1368 GNUNET_CRYPTO_hkdf_expand (void *result, 1369 size_t out_len, 1370 const struct GNUNET_ShortHashCode *prk, 1371 ...); 1372 1373 /** 1374 * @ingroup hash 1375 * @brief HKDF-Expand using SHA256. See #GNUNET_CRYPTO_hkdf_expand 1376 * @param result buffer for the derived key, allocated by caller 1377 * @param out_len desired length of the derived key 1378 * @param argp va_list of void * & size_t pairs for context chunks 1379 * @return #GNUNET_YES on success 1380 */ 1381 enum GNUNET_GenericReturnValue 1382 GNUNET_CRYPTO_hkdf_expand_v (void *result, 1383 size_t out_len, 1384 const struct GNUNET_ShortHashCode *prk, 1385 va_list argp); 1386 1387 1388 /** 1389 * @ingroup hash 1390 * @brief A peculiar HKDF instantiation that tried to mimic Truncated NMAC. 1391 * But, what it actually does is HKDF-Extract with SHA512 and instead of 1392 * truncating the PRK, it uses it as a 64 byte key in the HKDF-Expand 1393 * phase with SHA256. 1394 * (Truncated NMAC would require us to, well, truncate it to 32 byte.) 1395 * ONLY USE FOR COMPATIBILITY WITH OLDER KEY DERIVATIONS. 1396 * Use the more standard #GNUNET_CRYPTO_hkdf_extract and 1397 * #GNUNET_CRYPTO_HKDF_expand instead! 1398 * 1399 * @param result buffer for the derived key, allocated by caller 1400 * @param out_len desired length of the derived key 1401 * @param xts salt 1402 * @param xts_len length of @a xts 1403 * @param skm source key material 1404 * @param skm_len length of @a skm 1405 * @param ... pair of void * & size_t for context chunks, terminated by NULL 1406 * @return #GNUNET_YES on success 1407 */ 1408 enum GNUNET_GenericReturnValue 1409 GNUNET_CRYPTO_hkdf_gnunet (void *result, 1410 size_t out_len, 1411 const void *xts, 1412 size_t xts_len, 1413 const void *skm, 1414 size_t skm_len, 1415 ...); 1416 1417 1418 /** 1419 * @ingroup hash 1420 * @brief Derive key. See #GNUNET_CRYPTO_hkdf_gnunet 1421 * @param result buffer for the derived key, allocated by caller 1422 * @param out_len desired length of the derived key 1423 * @param xts salt 1424 * @param xts_len length of @a xts 1425 * @param skm source key material 1426 * @param skm_len length of @a skm 1427 * @param argp va_list of void * & size_t pairs for context chunks 1428 * @return #GNUNET_YES on success 1429 */ 1430 enum GNUNET_GenericReturnValue 1431 GNUNET_CRYPTO_hkdf_gnunet_v (void *result, 1432 size_t out_len, 1433 const void *xts, 1434 size_t xts_len, 1435 const void *skm, 1436 size_t skm_len, 1437 va_list argp); 1438 1439 1440 /** 1441 * @brief Derive key 1442 * @param result buffer for the derived key, allocated by caller 1443 * @param out_len desired length of the derived key 1444 * @param xts salt 1445 * @param xts_len length of @a xts 1446 * @param skm source key material 1447 * @param skm_len length of @a skm 1448 * @param argp va_list of void * & size_t pairs for context chunks 1449 * @return #GNUNET_YES on success 1450 */ 1451 enum GNUNET_GenericReturnValue 1452 GNUNET_CRYPTO_kdf_v (void *result, 1453 size_t out_len, 1454 const void *xts, 1455 size_t xts_len, 1456 const void *skm, 1457 size_t skm_len, 1458 va_list argp); 1459 1460 1461 /** 1462 * Deterministically generate a pseudo-random number uniformly from the 1463 * integers modulo a libgcrypt mpi. 1464 * 1465 * @param[out] r MPI value set to the FDH 1466 * @param n MPI to work modulo 1467 * @param xts salt 1468 * @param xts_len length of @a xts 1469 * @param skm source key material 1470 * @param skm_len length of @a skm 1471 * @param ctx context string 1472 */ 1473 void 1474 GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r, 1475 gcry_mpi_t n, 1476 const void *xts, 1477 size_t xts_len, 1478 const void *skm, 1479 size_t skm_len, 1480 const char *ctx); 1481 1482 1483 /** 1484 * @ingroup hash 1485 * @brief Derive key 1486 * @param result buffer for the derived key, allocated by caller 1487 * @param out_len desired length of the derived key 1488 * @param xts salt 1489 * @param xts_len length of @a xts 1490 * @param skm source key material 1491 * @param skm_len length of @a skm 1492 * @param ... void * & size_t pairs for context chunks 1493 * @return #GNUNET_YES on success 1494 */ 1495 enum GNUNET_GenericReturnValue 1496 GNUNET_CRYPTO_kdf (void *result, 1497 size_t out_len, 1498 const void *xts, 1499 size_t xts_len, 1500 const void *skm, 1501 size_t skm_len, 1502 ...); 1503 1504 1505 /** 1506 * @ingroup crypto 1507 * Extract the public key for the given private key. 1508 * 1509 * @param priv the special elligator private key 1510 * @param pub where to write the public key 1511 */ 1512 void 1513 GNUNET_CRYPTO_ecdsa_key_get_public ( 1514 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, 1515 struct GNUNET_CRYPTO_EcdsaPublicKey *pub); 1516 1517 /** 1518 * @ingroup crypto 1519 * Extract the public key for the given private key. 1520 * 1521 * @param priv the private key 1522 * @param pub where to write the public key 1523 */ 1524 void 1525 GNUNET_CRYPTO_eddsa_key_get_public ( 1526 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 1527 struct GNUNET_CRYPTO_EddsaPublicKey *pub); 1528 1529 /** 1530 * @ingroup crypto 1531 * Extract the public key for the given private key. 1532 * 1533 * @param priv the private key 1534 * @param pub where to write the public key 1535 */ 1536 void 1537 GNUNET_CRYPTO_edx25519_key_get_public ( 1538 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, 1539 struct GNUNET_CRYPTO_Edx25519PublicKey *pub); 1540 1541 /** 1542 * @ingroup crypto 1543 * Extract the public key for the given private key. 1544 * 1545 * @param priv the private key 1546 * @param pub where to write the public key 1547 */ 1548 void 1549 GNUNET_CRYPTO_ecdhe_key_get_public ( 1550 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, 1551 struct GNUNET_CRYPTO_EcdhePublicKey *pub); 1552 1553 1554 /** 1555 * Convert a public key to a string. 1556 * 1557 * @param pub key to convert 1558 * @return string representing @a pub 1559 */ 1560 char * 1561 GNUNET_CRYPTO_ecdsa_public_key_to_string ( 1562 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub); 1563 1564 /** 1565 * Convert a private key to a string. 1566 * 1567 * @param priv key to convert 1568 * @return string representing @a priv 1569 */ 1570 char * 1571 GNUNET_CRYPTO_ecdsa_private_key_to_string ( 1572 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv); 1573 1574 1575 /** 1576 * Convert a private key to a string. 1577 * 1578 * @param priv key to convert 1579 * @return string representing @a pub 1580 */ 1581 char * 1582 GNUNET_CRYPTO_eddsa_private_key_to_string ( 1583 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv); 1584 1585 1586 /** 1587 * Convert a public key to a string. 1588 * 1589 * @param pub key to convert 1590 * @return string representing @a pub 1591 */ 1592 char * 1593 GNUNET_CRYPTO_eddsa_public_key_to_string ( 1594 const struct GNUNET_CRYPTO_EddsaPublicKey *pub); 1595 1596 1597 /** 1598 * Convert a string representing a public key to a public key. 1599 * 1600 * @param enc encoded public key 1601 * @param enclen number of bytes in @a enc (without 0-terminator) 1602 * @param pub where to store the public key 1603 * @return #GNUNET_OK on success 1604 */ 1605 enum GNUNET_GenericReturnValue 1606 GNUNET_CRYPTO_ecdsa_public_key_from_string ( 1607 const char *enc, 1608 size_t enclen, 1609 struct GNUNET_CRYPTO_EcdsaPublicKey *pub); 1610 1611 1612 /** 1613 * Convert a string representing a private key to a private key. 1614 * 1615 * @param enc encoded public key 1616 * @param enclen number of bytes in @a enc (without 0-terminator) 1617 * @param priv where to store the private key 1618 * @return #GNUNET_OK on success 1619 */ 1620 enum GNUNET_GenericReturnValue 1621 GNUNET_CRYPTO_eddsa_private_key_from_string ( 1622 const char *enc, 1623 size_t enclen, 1624 struct GNUNET_CRYPTO_EddsaPrivateKey *priv); 1625 1626 1627 /** 1628 * Convert a string representing a public key to a public key. 1629 * 1630 * @param enc encoded public key 1631 * @param enclen number of bytes in @a enc (without 0-terminator) 1632 * @param pub where to store the public key 1633 * @return #GNUNET_OK on success 1634 */ 1635 enum GNUNET_GenericReturnValue 1636 GNUNET_CRYPTO_eddsa_public_key_from_string ( 1637 const char *enc, 1638 size_t enclen, 1639 struct GNUNET_CRYPTO_EddsaPublicKey *pub); 1640 1641 1642 /** 1643 * @ingroup crypto 1644 * @brief Create a new private key by reading it from a file. 1645 * 1646 * If the files does not exist and @a do_create is set, creates a new key and 1647 * write it to the file. 1648 * 1649 * If the contents of the file are invalid, an error is returned. 1650 * 1651 * @param filename name of file to use to store the key 1652 * @param do_create should a file be created? 1653 * @param[out] pkey set to the private key from @a filename on success 1654 * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but 1655 * we found an existing file, #GNUNET_SYSERR on failure 1656 */ 1657 enum GNUNET_GenericReturnValue 1658 GNUNET_CRYPTO_ecdsa_key_from_file (const char *filename, 1659 int do_create, 1660 struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey); 1661 1662 1663 /** 1664 * @ingroup crypto 1665 * @brief Create a new private key by reading it from a file. 1666 * 1667 * If the files does not exist and @a do_create is set, creates a new key and 1668 * write it to the file. 1669 * 1670 * If the contents of the file are invalid, an error is returned. 1671 * 1672 * @param filename name of file to use to store the key 1673 * @param do_create should a file be created? 1674 * @param[out] pkey set to the private key from @a filename on success 1675 * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but 1676 * we found an existing file, #GNUNET_SYSERR on failure 1677 */ 1678 enum GNUNET_GenericReturnValue 1679 GNUNET_CRYPTO_eddsa_key_from_file (const char *filename, 1680 int do_create, 1681 struct GNUNET_CRYPTO_EddsaPrivateKey *pkey); 1682 1683 1684 /** 1685 * Forward declaration to simplify #include-structure. 1686 */ 1687 struct GNUNET_CONFIGURATION_Handle; 1688 1689 1690 /** 1691 * @ingroup crypto 1692 * Create a new private key by reading our peer's key from 1693 * the file specified in the configuration. 1694 * 1695 * @param cfg the configuration to use 1696 * @return new private key, NULL on error (for example, 1697 * permission denied); free using #GNUNET_free 1698 */ 1699 struct GNUNET_CRYPTO_EddsaPrivateKey * 1700 GNUNET_CRYPTO_eddsa_key_create_from_configuration ( 1701 const struct GNUNET_CONFIGURATION_Handle *cfg); 1702 1703 1704 /** 1705 * @ingroup crypto 1706 * Create a new private key. 1707 * 1708 * @param[out] pk private key to initialize 1709 */ 1710 void 1711 GNUNET_CRYPTO_ecdsa_key_create (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); 1712 1713 1714 /** 1715 * @ingroup crypto 1716 * Create a new private key. 1717 * 1718 * @param[out] pk private key to initialize 1719 */ 1720 void 1721 GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); 1722 1723 1724 /** 1725 * @ingroup crypto 1726 * Create a new private key. 1727 * 1728 * @param[out] pk private key to initialize 1729 */ 1730 void 1731 GNUNET_CRYPTO_edx25519_key_create (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); 1732 1733 /** 1734 * @ingroup crypto 1735 * Create a new private key for Edx25519 from a given seed. After expanding 1736 * the seed, the first half of the key will be clamped according to EdDSA. 1737 * 1738 * @param seed seed input 1739 * @param seedsize size of the seed in bytes 1740 * @param[out] pk private key to initialize 1741 */ 1742 void 1743 GNUNET_CRYPTO_edx25519_key_create_from_seed ( 1744 const void *seed, 1745 size_t seedsize, 1746 struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); 1747 1748 /** 1749 * @ingroup crypto 1750 * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear(). 1751 * This is X25519 DH (RFC 7748 Section 5) and corresponds to 1752 * X25519(a,9). 1753 * See #GNUNET_CRYPTO_ecc_ecdh for the DH function. 1754 * 1755 * @param[out] pk set to fresh private key; 1756 */ 1757 void 1758 GNUNET_CRYPTO_ecdhe_key_create (struct GNUNET_CRYPTO_EcdhePrivateKey *pk); 1759 1760 1761 /** 1762 * @ingroup crypto 1763 * Clear memory that was used to store a private key. 1764 * 1765 * @param pk location of the key 1766 */ 1767 void 1768 GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk); 1769 1770 1771 /** 1772 * @ingroup crypto 1773 * Clear memory that was used to store a private key. 1774 * 1775 * @param pk location of the key 1776 */ 1777 void 1778 GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk); 1779 1780 /** 1781 * @ingroup crypto 1782 * Clear memory that was used to store a private key. 1783 * 1784 * @param pk location of the key 1785 */ 1786 void 1787 GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk); 1788 1789 /** 1790 * @ingroup crypto 1791 * Clear memory that was used to store a private key. 1792 * 1793 * @param pk location of the key 1794 */ 1795 void 1796 GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk); 1797 1798 /** 1799 * @ingroup crypto 1800 * Clear memory that was used to store a private key. 1801 * 1802 * @param pk location of the key 1803 */ 1804 void 1805 GNUNET_CRYPTO_private_key_clear (struct GNUNET_CRYPTO_PrivateKey *pk); 1806 1807 1808 /** 1809 * @ingroup crypto 1810 * Get the shared private key we use for anonymous users. 1811 * 1812 * @return "anonymous" private key; do not free 1813 */ 1814 const struct GNUNET_CRYPTO_EcdsaPrivateKey * 1815 GNUNET_CRYPTO_ecdsa_key_get_anonymous (void); 1816 1817 1818 /** 1819 * @ingroup crypto 1820 * Setup a hostkey file for a peer given the name of the 1821 * configuration file (!). This function is used so that 1822 * at a later point code can be certain that reading a 1823 * hostkey is fast (for example in time-dependent testcases). 1824 * 1825 * @param cfg_name name of the configuration file to use 1826 */ 1827 void 1828 GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name); 1829 1830 1831 /** 1832 * @ingroup crypto 1833 * Retrieve the identity of the host's peer. 1834 * 1835 * @param cfg configuration to use 1836 * @param dst pointer to where to write the peer identity 1837 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity 1838 * could not be retrieved 1839 */ 1840 enum GNUNET_GenericReturnValue 1841 GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, 1842 struct GNUNET_PeerIdentity *dst); 1843 1844 1845 /** 1846 * @ingroup crypto 1847 * Sign a given block with a specific purpose using the host's peer identity. 1848 * 1849 * @param cfg configuration to use 1850 * @param purpose what to sign (size, purpose) 1851 * @param sig where to write the signature 1852 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity 1853 * could not be retrieved 1854 */ 1855 enum GNUNET_GenericReturnValue 1856 GNUNET_CRYPTO_sign_by_peer_identity (const struct 1857 GNUNET_CONFIGURATION_Handle *cfg, 1858 const struct 1859 GNUNET_CRYPTO_EccSignaturePurpose *purpose, 1860 struct GNUNET_CRYPTO_EddsaSignature *sig); 1861 1862 1863 /** 1864 * @ingroup crypto 1865 * Verify a given signature with a peer's identity. 1866 * 1867 * @param purpose what is the purpose that the signature should have? 1868 * @param validate block to validate (size, purpose, data) 1869 * @param sig signature that is being validated 1870 * @param identity the peer's identity to verify 1871 * @return #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 1872 */ 1873 enum GNUNET_GenericReturnValue 1874 GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose, 1875 const struct 1876 GNUNET_CRYPTO_EccSignaturePurpose *validate, 1877 const struct 1878 GNUNET_CRYPTO_EddsaSignature *sig, 1879 const struct GNUNET_PeerIdentity *identity); 1880 1881 1882 /** 1883 * Internal structure used to cache pre-calculated values for DLOG calculation. 1884 */ 1885 struct GNUNET_CRYPTO_EccDlogContext; 1886 1887 1888 /** 1889 * Point on a curve (always for Curve25519) encoded in a format suitable 1890 * for network transmission (ECDH), see http://cr.yp.to/ecdh.html. 1891 */ 1892 struct GNUNET_CRYPTO_EccPoint 1893 { 1894 /** 1895 * Q consists of an x- and a y-value, each mod p (256 bits), given 1896 * here in affine coordinates and Ed25519 standard compact format. 1897 */ 1898 unsigned char v[256 / 8]; 1899 }; 1900 1901 /** 1902 * A ECC scalar for use in point multiplications 1903 */ 1904 struct GNUNET_CRYPTO_EccScalar 1905 { 1906 unsigned char v[256 / 8]; 1907 }; 1908 1909 /** 1910 * Do pre-calculation for ECC discrete logarithm for small factors. 1911 * 1912 * @param max maximum value the factor can be 1913 * @param mem memory to use (should be smaller than @a max), must not be zero. 1914 * @return NULL on error 1915 */ 1916 struct GNUNET_CRYPTO_EccDlogContext * 1917 GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, 1918 unsigned int mem); 1919 1920 1921 /** 1922 * Calculate ECC discrete logarithm for small factors. 1923 * Opposite of #GNUNET_CRYPTO_ecc_dexp(). 1924 * 1925 * @param edc precalculated values, determine range of factors 1926 * @param input point on the curve to factor 1927 * @return INT_MAX if dlog failed, otherwise the factor 1928 */ 1929 int 1930 GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, 1931 const struct GNUNET_CRYPTO_EccPoint *input); 1932 1933 1934 /** 1935 * Multiply the generator g of the elliptic curve by @a val 1936 * to obtain the point on the curve representing @a val. 1937 * Afterwards, point addition will correspond to integer 1938 * addition. #GNUNET_CRYPTO_ecc_dlog() can be used to 1939 * convert a point back to an integer (as long as the 1940 * integer is smaller than the MAX of the @a edc context). 1941 * 1942 * @param val value to encode into a point 1943 * @param r where to write the point (must be allocated) 1944 */ 1945 void 1946 GNUNET_CRYPTO_ecc_dexp (int val, 1947 struct GNUNET_CRYPTO_EccPoint*r); 1948 1949 1950 /** 1951 * Multiply the generator g of the elliptic curve by @a val 1952 * to obtain the point on the curve representing @a val. 1953 * 1954 * @param val (positive) value to encode into a point 1955 * @param r where to write the point (must be allocated) 1956 * @return #GNUNET_OK on success. 1957 */ 1958 enum GNUNET_GenericReturnValue 1959 GNUNET_CRYPTO_ecc_dexp_mpi (const struct GNUNET_CRYPTO_EccScalar *val, 1960 struct GNUNET_CRYPTO_EccPoint *r); 1961 1962 1963 /** 1964 * Multiply the point @a p on the elliptic curve by @a val. 1965 * 1966 * @param p point to multiply 1967 * @param val (positive) value to encode into a point 1968 * @param r where to write the point (must be allocated) 1969 * @return #GNUNET_OK on success. 1970 */ 1971 enum GNUNET_GenericReturnValue 1972 GNUNET_CRYPTO_ecc_pmul_mpi (const struct GNUNET_CRYPTO_EccPoint *p, 1973 const struct GNUNET_CRYPTO_EccScalar *val, 1974 struct GNUNET_CRYPTO_EccPoint *r); 1975 1976 1977 /** 1978 * Add two points on the elliptic curve. 1979 * 1980 * @param a some value 1981 * @param b some value 1982 * @param r where to write the point (must be allocated) 1983 * @return #GNUNET_OK on success. 1984 */ 1985 enum GNUNET_GenericReturnValue 1986 GNUNET_CRYPTO_ecc_add (const struct GNUNET_CRYPTO_EccPoint *a, 1987 const struct GNUNET_CRYPTO_EccPoint *b, 1988 struct GNUNET_CRYPTO_EccPoint *r); 1989 1990 1991 /** 1992 * Obtain a random point on the curve and its 1993 * additive inverse. 1994 * 1995 * @param[out] r set to a random point on the curve 1996 * @param[out] r_inv set to the additive inverse of @a r 1997 * @return #GNUNET_OK on success. 1998 */ 1999 enum GNUNET_GenericReturnValue 2000 GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccPoint *r, 2001 struct GNUNET_CRYPTO_EccPoint *r_inv); 2002 2003 2004 /** 2005 * Obtain a random scalar for point multiplication on the curve and 2006 * its additive inverse. 2007 * 2008 * @param[out] r set to a random scalar on the curve 2009 * @param[out] r_neg set to the negation of @a 2010 */ 2011 void 2012 GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccScalar *r, 2013 struct GNUNET_CRYPTO_EccScalar *r_neg); 2014 2015 2016 /** 2017 * Generate a random value mod n. 2018 * 2019 * @param[out] r random value mod n. 2020 */ 2021 void 2022 GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccScalar*r); 2023 2024 2025 /** 2026 * Release precalculated values. 2027 * 2028 * @param dlc dlog context 2029 */ 2030 void 2031 GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *dlc); 2032 2033 2034 /** 2035 * Create a scalar from int value. 2036 * 2037 * @param val the int value 2038 * @param[out] r where to write the salar 2039 */ 2040 void 2041 GNUNET_CRYPTO_ecc_scalar_from_int (int64_t val, 2042 struct GNUNET_CRYPTO_EccScalar *r); 2043 2044 2045 /** 2046 * @ingroup crypto 2047 * Derive key material from a public and a private ECC key. 2048 * This is X25519 DH (RFC 7748 Section 5) and corresponds to 2049 * H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9), 2050 * and a := #GNUNET_CRYPTO_ecdhe_key_create(). 2051 * 2052 * @param priv private key to use for the ECDH (x) 2053 * @param pub public key to use for the ECDH (yG) 2054 * @param key_material where to write the key material (xyG) 2055 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2056 */ 2057 enum GNUNET_GenericReturnValue 2058 GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, 2059 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 2060 struct GNUNET_HashCode *key_material); 2061 2062 2063 /** 2064 * @ingroup crypto 2065 * Derive key material from a ECDH public key and a private EdDSA key. 2066 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. 2067 * This uses the Ed25519 private seed as X25519 seed. 2068 * As such, this also is a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). 2069 * NOTE: Whenever you can get away with it, use separate key pairs 2070 * for signing and encryption (DH)! 2071 * 2072 * @param priv private key from EdDSA to use for the ECDH (x) 2073 * @param pub public key to use for the ECDH (yG) 2074 * @param key_material where to write the key material H(h(x)yG) 2075 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2076 */ 2077 enum GNUNET_GenericReturnValue 2078 GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 2079 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 2080 struct GNUNET_HashCode *key_material); 2081 2082 2083 /** 2084 * @ingroup crypto 2085 * Derive key material from a ECDH public key and a private X25519 key. 2086 * Dual to #GNUNET_CRRYPTO_ecdh_x25519. 2087 * NOTE: Whenever you can get away with it, use separate key pairs 2088 * for signing and encryption (DH)! 2089 * 2090 * @param sk private key from X25519 to use for the ECDH (x) 2091 * @param pk public key to use for the ECDH (yG) 2092 * @param additional_data this is fed into HKDF-Extract along with 2093 the ECDH shared secret 2094 * @param ad_len Length of the additional data 2095 * @param dh the DH shared secret (NOTE: Derive key from this before use!) 2096 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2097 */ 2098 enum GNUNET_GenericReturnValue 2099 GNUNET_CRYPTO_x25519_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, 2100 const struct GNUNET_CRYPTO_EcdhePublicKey *pk, 2101 struct GNUNET_CRYPTO_EcdhePublicKey *dh); 2102 2103 2104 /** HPKE RFC 9180 **/ 2105 2106 /** 2107 * The HPKE Mode 2108 * "PSK" stands for "Pre-Shared Key". 2109 * The "AUTH" variants use an authenticating KEM 2110 * construction. 2111 */ 2112 enum GNUNET_CRYPTO_HpkeMode 2113 { 2114 GNUNET_CRYPTO_HPKE_MODE_BASE = 0x00, 2115 GNUNET_CRYPTO_HPKE_MODE_PSK = 0x01, 2116 GNUNET_CRYPTO_HPKE_MODE_AUTH = 0x02, 2117 GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK = 0x03 2118 }; 2119 2120 // Nt 2121 #define GNUNET_CRYPTO_HPKE_AEAD_ID 0x0003 2122 2123 // Nn 2124 #define GNUNET_CRYPTO_HPKE_NONCE_LEN 12 2125 2126 // Nk 2127 #define GNUNET_CRYPTO_HPKE_KEY_LEN 32 2128 2129 // Nt 2130 #define GNUNET_CRYPTO_HPKE_TAG_LEN 16 2131 2132 // Overhead required for ciphertext 2133 #define GNUNET_CRYPTO_HPKE_SEAL_OVERHEAD_BYTES GNUNET_CRYPTO_HPKE_TAG_LEN 2134 2135 // Overhead required for ciphertext 2136 #define GNUNET_CRYPTO_HPKE_SEAL_ONESHOT_OVERHEAD_BYTES \ 2137 GNUNET_CRYPTO_HPKE_SEAL_OVERHEAD_BYTES \ 2138 + sizeof (struct GNUNET_CRYPTO_HpkeEncapsulation) 2139 2140 enum GNUNET_CRYPTO_HpkeRole 2141 { 2142 GNUNET_CRYPTO_HPKE_ROLE_R = 0, 2143 GNUNET_CRYPTO_HPKE_ROLE_S = 1 2144 }; 2145 2146 struct GNUNET_CRYPTO_HpkeContext 2147 { 2148 enum GNUNET_CRYPTO_HpkeRole role; 2149 uint8_t key[GNUNET_CRYPTO_HPKE_KEY_LEN]; 2150 uint8_t base_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN]; 2151 uint64_t seq; 2152 struct GNUNET_ShortHashCode exporter_secret; 2153 }; 2154 2155 enum GNUNET_CRYPTO_HpkeKem 2156 { 2157 GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256 = 0x0020, 2158 GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256 = 0x0030, 2159 }; 2160 2161 2162 /** 2163 * HPKE DHKEM encapsulation (X25519) 2164 * See RFC 9180 2165 */ 2166 struct GNUNET_CRYPTO_HpkeEncapsulation 2167 { 2168 /** 2169 * Q consists of an x- and a y-value, each mod p (256 bits), given 2170 * here in affine coordinates and Ed25519 standard compact format. 2171 */ 2172 unsigned char q_y[256 / 8]; 2173 }; 2174 2175 2176 /** 2177 * Convert a GNUnet identity key to a key sutiable for HPKE (X25519) 2178 * 2179 * @param sk the private key 2180 * @param x25519 the new key 2181 * @return GNUNET_OK on success 2182 */ 2183 enum GNUNET_GenericReturnValue 2184 GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_PrivateKey *sk, 2185 struct GNUNET_CRYPTO_EcdhePrivateKey *x25519); 2186 2187 2188 /** 2189 * Convert a GNUnet identity key to a key sutiable for HPKE (X25519) 2190 * 2191 * @param pk the public key 2192 * @param x25519 the new key 2193 * @return GNUNET_OK on success 2194 */ 2195 enum GNUNET_GenericReturnValue 2196 GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_PublicKey *pk, 2197 struct GNUNET_CRYPTO_EcdhePublicKey *x25519); 2198 2199 /** 2200 * @ingroup crypto 2201 * Decapsulate a key for a private X25519 key. 2202 * Dual to #GNUNET_CRYPTO_hpke_kem_encaps. 2203 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2204 * keys from the key material. 2205 * 2206 * @param priv private key from X25519 to use for the ECDH (x) 2207 * @param c the encapsulated key 2208 * @param prk where to write the key material 2209 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2210 */ 2211 enum GNUNET_GenericReturnValue 2212 GNUNET_CRYPTO_hpke_kem_decaps (const struct 2213 GNUNET_CRYPTO_EcdhePrivateKey *priv, 2214 const struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2215 struct GNUNET_ShortHashCode *prk); 2216 2217 /** 2218 * @ingroup crypto 2219 * Encapsulate key material for a X25519 public key. 2220 * Dual to #GNUNET_CRYPTO_hpke_kem_decaps. 2221 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2222 * keys from the key material. 2223 * 2224 * @param pkR public key of receiver 2225 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2226 * @param prk where to write the key material 2227 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2228 */ 2229 enum GNUNET_GenericReturnValue 2230 GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2231 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2232 struct GNUNET_ShortHashCode *prk); 2233 2234 /** 2235 * @ingroup crypto 2236 * Deterministic variant of #GNUNET_CRYPTO_hpke_kem_encaps. 2237 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2238 * keys from the key material. 2239 * 2240 * @param pkR public key of receiver 2241 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2242 * @param skE ephemeral private key from X25519 to use 2243 * @param prk where to write the key material 2244 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2245 */ 2246 enum GNUNET_GenericReturnValue 2247 GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct 2248 GNUNET_CRYPTO_EcdhePublicKey *pkR, 2249 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2250 const struct 2251 GNUNET_CRYPTO_EcdhePrivateKey *skE, 2252 struct GNUNET_ShortHashCode *prk); 2253 2254 /** 2255 * @ingroup crypto 2256 * Encapsulate authenticated key material for a X25519 public key. 2257 * Deterministic variant of #GNUNET_CRYPTO_hpke_authkem_encaps. 2258 * Dual to #GNUNET_CRYPTO_hpke_authkem_decaps. 2259 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2260 * keys from the key material. 2261 * 2262 * @param pkR public key of receiver 2263 * @param skS secret of the authenticating sender 2264 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2265 * @param shared_secret where to write the key material 2266 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2267 */ 2268 enum GNUNET_GenericReturnValue 2269 GNUNET_CRYPTO_hpke_authkem_encaps_norand ( 2270 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2271 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, 2272 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2273 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, 2274 struct GNUNET_ShortHashCode *shared_secret); 2275 2276 /** 2277 * @ingroup crypto 2278 * Encapsulate authenticated key material for a X25519 public key. 2279 * Dual to #GNUNET_CRYPTO_hpke_kem_encaps. 2280 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2281 * keys from the key material. 2282 * 2283 * @param pkR public key of receiver 2284 * @param skS secret of the authenticating sender 2285 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2286 * @param shared_secret where to write the key material 2287 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2288 */ 2289 enum GNUNET_GenericReturnValue 2290 GNUNET_CRYPTO_hpke_authkem_encaps ( 2291 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2292 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, 2293 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2294 struct GNUNET_ShortHashCode *shared_secret); 2295 2296 2297 /** 2298 * @ingroup crypto 2299 * Decapsulate a key for a private X25519 key. 2300 * Dual to #GNUNET_CRYPTO_hpke_authkem_encaps. 2301 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2302 * keys from the key material. 2303 * 2304 * @param skR secret key of receiver 2305 * @param pkS public key of the authenticating sender 2306 * @param c the encapsulated key 2307 * @param shared_secret where to write the key material 2308 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2309 */ 2310 enum GNUNET_GenericReturnValue 2311 GNUNET_CRYPTO_hpke_authkem_decaps ( 2312 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2313 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, 2314 const struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2315 struct GNUNET_ShortHashCode *shared_secret); 2316 2317 2318 /** 2319 * @ingroup crypto 2320 * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. 2321 * Following the terminology in https://eprint.iacr.org/2021/509.pdf. 2322 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2323 * keys from the key material. 2324 * 2325 * @param random_tweak random 8-bit value used as seed 2326 * @param pkR public key of receiver 2327 * @param c representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG) 2328 * @param skE special elligator ephemeral private key from X25519 to use 2329 * @param shared_secret where to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG)) 2330 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2331 */ 2332 enum GNUNET_GenericReturnValue 2333 GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand ( 2334 uint8_t random_tweak, 2335 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2336 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2337 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, 2338 struct GNUNET_ShortHashCode *shared_secret); 2339 2340 /** 2341 * @ingroup crypto 2342 * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. 2343 * Following the terminology in https://eprint.iacr.org/2021/509.pdf. 2344 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2345 * keys from the key material. 2346 * 2347 * @param pkR Receiver public key (X) 2348 * @param c representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG) 2349 * @param shared_secret where to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG)) 2350 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2351 */ 2352 enum GNUNET_GenericReturnValue 2353 GNUNET_CRYPTO_hpke_elligator_kem_encaps ( 2354 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2355 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2356 struct GNUNET_ShortHashCode *shared_secret); 2357 2358 /** 2359 * @ingroup crypto 2360 * Carries out ecdh decapsulation with own private key and the representative of the received public key. 2361 * Following the terminology in https://eprint.iacr.org/2021/509.pdf. 2362 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2363 * keys from the key material. 2364 * 2365 * @param skR sender private key (x) 2366 * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG) 2367 * @param shared_secret where to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG)) 2368 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2369 */ 2370 enum GNUNET_GenericReturnValue 2371 GNUNET_CRYPTO_hpke_elligator_kem_decaps ( 2372 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2373 const struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2374 struct GNUNET_ShortHashCode *shared_secret); 2375 2376 /** 2377 * @ingroup crypto 2378 * Encapsulate authenticated key material for a X25519 public key. 2379 * Elligator variant. 2380 * Deterministic variant of #GNUNET_CRYPTO_hpke_authkem_encaps. 2381 * Dual to #GNUNET_CRYPTO_hpke_authkem_decaps. 2382 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2383 * keys from the key material. 2384 * 2385 * @param pkR public key of receiver 2386 * @param skS secret of the authenticating sender 2387 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2388 * @param shared_secret where to write the key material 2389 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2390 */ 2391 enum GNUNET_GenericReturnValue 2392 GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand ( 2393 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2394 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, 2395 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2396 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, 2397 struct GNUNET_ShortHashCode *shared_secret); 2398 2399 /** 2400 * @ingroup crypto 2401 * Encapsulate authenticated key material for a X25519 public key. 2402 * Elligator variant. 2403 * Dual to #GNUNET_CRYPTO_hpke_kem_encaps. 2404 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2405 * keys from the key material. 2406 * 2407 * @param pkR public key of receiver 2408 * @param skS secret of the authenticating sender 2409 * @param c public key from X25519 to use for the ECDH (X=h(x)G) 2410 * @param shared_secret where to write the key material 2411 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2412 */ 2413 enum GNUNET_GenericReturnValue 2414 GNUNET_CRYPTO_hpke_elligator_authkem_encaps ( 2415 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2416 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, 2417 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2418 struct GNUNET_ShortHashCode *shared_secret); 2419 2420 2421 /** 2422 * @ingroup crypto 2423 * Decapsulate a key for a private X25519 key. 2424 * Elligator variant. 2425 * Dual to #GNUNET_CRYPTO_hpke_authkem_encaps. 2426 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2427 * keys from the key material. 2428 * 2429 * @param skR private key from X25519 to use for the ECDH (x) 2430 * @param pkS public key of the authenticating sender 2431 * @param c the encapsulated key 2432 * @param shared_secret where to write the key material 2433 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2434 */ 2435 enum GNUNET_GenericReturnValue 2436 GNUNET_CRYPTO_hpke_elligator_authkem_decaps ( 2437 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2438 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, 2439 const struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2440 struct GNUNET_ShortHashCode *shared_secret); 2441 2442 /** 2443 * @ingroup crypto 2444 * Decapsulate a key for a private EdDSA key. 2445 * Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps. 2446 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2447 * keys from the key material. 2448 * 2449 * @param priv private key from EdDSA to use for the ECDH (x) 2450 * @param c the encapsulated key 2451 * @param prk where to write the key material HKDF-Extract(c||aX)=HKDF-Extract(c||x(aG)) 2452 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2453 */ 2454 enum GNUNET_GenericReturnValue 2455 GNUNET_CRYPTO_eddsa_kem_decaps (const struct 2456 GNUNET_CRYPTO_EddsaPrivateKey *priv, 2457 const struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2458 struct GNUNET_ShortHashCode *prk); 2459 2460 /** 2461 * @ingroup crypto 2462 * Encapsulate key material for a EdDSA public key. 2463 * Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps. 2464 * Use #GNUNET_CRYPTO_hkdf_expand to derive further context-specific 2465 * keys from the key material. 2466 * 2467 * @param priv private key to use for the ECDH (y) 2468 * @param c public key from EdDSA to use for the ECDH (X=h(x)G) 2469 * @param prk where to write the key material HKDF-Extract(c||aX)=HKDF-Extract(c||x(aG)) 2470 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2471 */ 2472 enum GNUNET_GenericReturnValue 2473 GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, 2474 struct GNUNET_CRYPTO_HpkeEncapsulation *c, 2475 struct GNUNET_ShortHashCode *prk); 2476 2477 2478 /** 2479 * RFC9180 HPKE encryption. 2480 * This sets the encryption context up for a sender of 2481 * encrypted messages. 2482 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2483 * 2484 * The encapsulation "enc" must be exchanged with the receiver. 2485 * From then on, encrypted messages can be created and sent using "ctx" 2486 * 2487 * @param pkR the X25519 receiver public key 2488 * @param info the info context separator 2489 * @param info_len length of info in bytes 2490 * @param enc the encapsulation to exchange with the other party 2491 * @param ctx the encryption context allocated by caller 2492 * @return GNUNET_OK on success 2493 */ 2494 enum GNUNET_GenericReturnValue 2495 GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2496 const uint8_t *info, size_t info_len, 2497 struct GNUNET_CRYPTO_HpkeEncapsulation *enc, 2498 struct GNUNET_CRYPTO_HpkeContext *ctx); 2499 2500 /** 2501 * RFC9180 HPKE encryption. 2502 * This sets the encryption context up for a sender of 2503 * encrypted messages. 2504 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2505 * 2506 * The encapsulation "enc" must be exchanged with the receiver. 2507 * From then on, encrypted messages can be created and sent using "ctx" 2508 * 2509 * @param kem the HPKE KEM to use 2510 * @param mode the HPKE mode 2511 * @param skE the X25519 ephemeral key to use as encapsulation 2512 * @param skR the X25519 sender private key (may be null for non-Auth modes) 2513 * @param info the info context separator 2514 * @param info_len length of info in bytes 2515 * @param psk the pre-shared key (must not be set non-PSK modes) 2516 * @param psk_len length of psk in bytes 2517 * @param psk_id the ID of the pre-shared key (must be set of psk is set) 2518 * @param psk_id_len length of psk_id in bytes 2519 * @param enc the encapsulation to exchange with the other party 2520 * @param ctx the encryption context allocated by caller 2521 * @return GNUNET_OK on success 2522 */ 2523 enum GNUNET_GenericReturnValue 2524 GNUNET_CRYPTO_hpke_sender_setup2 ( 2525 enum GNUNET_CRYPTO_HpkeKem kem, 2526 enum GNUNET_CRYPTO_HpkeMode mode, 2527 struct GNUNET_CRYPTO_EcdhePrivateKey *skE, 2528 struct GNUNET_CRYPTO_EcdhePrivateKey *skS, 2529 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2530 const uint8_t *info, size_t info_len, 2531 const uint8_t *psk, size_t psk_len, 2532 const uint8_t *psk_id, size_t psk_id_len, 2533 struct GNUNET_CRYPTO_HpkeEncapsulation *enc, 2534 struct GNUNET_CRYPTO_HpkeContext *ctx); 2535 2536 /** 2537 * RFC9180 HPKE encryption. 2538 * This sets the encryption context up for a receiver of 2539 * encrypted messages. 2540 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2541 * 2542 * The encapsulation "enc" must be exchanged with the receiver. 2543 * From then on, encrypted messages can be decrypted using "ctx" 2544 * 2545 * @param kem the HPKE KEM to use 2546 * @param mode the HPKE mode 2547 * @param enc the encapsulation from the sender 2548 * @param skR the X25519 receiver secret key 2549 * @param pkS the X25519 sender public key (may be NULL for non-Auth modes) 2550 * @param info the info context separator 2551 * @param info_len length of info in bytes 2552 * @param psk the pre-shared key (must not be set non-PSK modes) 2553 * @param psk_len length of psk in bytes 2554 * @param psk_id the ID of the pre-shared key (must be set of psk is set) 2555 * @param psk_id_len length of psk_id in bytes 2556 * @param ctx the encryption context allocated by caller 2557 * @return GNUNET_OK on success 2558 */ 2559 enum GNUNET_GenericReturnValue 2560 GNUNET_CRYPTO_hpke_receiver_setup2 ( 2561 enum GNUNET_CRYPTO_HpkeKem kem, 2562 enum GNUNET_CRYPTO_HpkeMode mode, 2563 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, 2564 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2565 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, 2566 const uint8_t *info, size_t info_len, 2567 const uint8_t *psk, size_t psk_len, 2568 const uint8_t *psk_id, size_t psk_id_len, 2569 struct GNUNET_CRYPTO_HpkeContext *ctx); 2570 2571 2572 /** 2573 * RFC9180 HPKE encryption. 2574 * This sets the encryption context up for a receiver of 2575 * encrypted messages. 2576 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2577 * 2578 * The encapsulation "enc" must be exchanged with the receiver. 2579 * From then on, encrypted messages can be decrypted using "ctx" 2580 * 2581 * @param enc the encapsulation from the sender 2582 * @param skR the X25519 receiver secret key 2583 * @param info the info context separator 2584 * @param info_len length of info in bytes 2585 * @param ctx the encryption context allocated by caller 2586 * @return GNUNET_OK on success 2587 */ 2588 enum GNUNET_GenericReturnValue 2589 GNUNET_CRYPTO_hpke_receiver_setup ( 2590 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, 2591 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2592 const uint8_t *info, 2593 size_t info_len, 2594 struct GNUNET_CRYPTO_HpkeContext *ctx); 2595 2596 /** 2597 * RFC9180 HPKE encryption. 2598 * Encrypt messages in a context. 2599 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2600 * 2601 * The encapsulation "enc" must be exchanged with the receiver. 2602 * From then on, encrypted messages can be decrypted using "ctx" 2603 * 2604 * @param ctx the encryption context 2605 * @param aad addition authenticated data to send (not encrypted) 2606 * @param aad_len length of aad in bytes 2607 * @param pt plaintext data to encrypt 2608 * @param pt_len length of pt in bytes 2609 * @param ct ciphertext to send (to be allocated by caller) 2610 * @param ct_len[out] length of written bytes in ct. may be NULL 2611 * @return GNUNET_OK on success 2612 */ 2613 enum GNUNET_GenericReturnValue 2614 GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx, 2615 const uint8_t *aad, 2616 size_t aad_len, 2617 const uint8_t *pt, 2618 size_t pt_len, 2619 uint8_t *ct, 2620 unsigned long long *ct_len); 2621 2622 2623 /** 2624 * RFC9180 HPKE encryption. 2625 * Encrypt messages in a context. 2626 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2627 * 2628 * The encapsulation "enc" must be exchanged with the receiver. 2629 * From then on, encrypted messages can be decrypted using "ctx" 2630 * 2631 * @param pkR the X25519 receiver secret key 2632 * @param info the info context separator 2633 * @param info_len length of info in bytes 2634 * @param aad addition authenticated data to send (not encrypted) 2635 * @param aad_len length of aad in bytes 2636 * @param pt plaintext data to encrypt 2637 * @param pt_len length of pt in bytes 2638 * @param ct ciphertext to send (to be allocated by caller) 2639 * @param ct_len[out] length of written bytes in ct. may be NULL 2640 * @return GNUNET_OK on success 2641 */ 2642 enum GNUNET_GenericReturnValue 2643 GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, 2644 const uint8_t *info, size_t info_len, 2645 const uint8_t*aad, size_t aad_len, 2646 const uint8_t *pt, size_t pt_len, 2647 uint8_t *ct, unsigned long long *ct_len); 2648 2649 2650 /** 2651 * RFC9180 HPKE encryption. 2652 * Decrypt messages in a context. 2653 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2654 * 2655 * The encapsulation "enc" must be exchanged with the receiver. 2656 * From then on, encrypted messages can be decrypted using "ctx" 2657 * 2658 * @param ctx the encryption context 2659 * @param aad addition authenticated data to send (not encrypted) 2660 * @param aad_len length of aad in bytes 2661 * @param ct ciphertext to decrypt 2662 * @param ct_len length of ct in bytes 2663 * @param pt plaintext (to be allocated by caller) 2664 * @param pt_len length of written bytes in pt. May be NULL 2665 * @return GNUNET_OK on success 2666 */ 2667 enum GNUNET_GenericReturnValue 2668 GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx, 2669 const uint8_t*aad, size_t aad_len, 2670 const uint8_t *ct, size_t ct_len, 2671 uint8_t *pt, unsigned long long *pt_len_p); 2672 2673 2674 /** 2675 * RFC9180 HPKE encryption. 2676 * Decrypt messages in a context. 2677 * Algorithm: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 2678 * 2679 * The encapsulation "enc" must be exchanged with the receiver. 2680 * From then on, encrypted messages can be decrypted using "ctx" 2681 * 2682 * @param skR the X25519 receiver secret key 2683 * @param info the info context separator 2684 * @param info_len length of info in bytes 2685 * @param aad addition authenticated data to send (not encrypted) 2686 * @param aad_len length of aad in bytes 2687 * @param ct ciphertext to decrypt 2688 * @param ct_len length of ct in bytes 2689 * @param pt plaintext (to be allocated by caller) 2690 * @param pt_len length of written bytes in pt. May be NULL 2691 * @return GNUNET_OK on success 2692 */ 2693 enum GNUNET_GenericReturnValue 2694 GNUNET_CRYPTO_hpke_open_oneshot ( 2695 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, 2696 const uint8_t *info, size_t info_len, 2697 const uint8_t*aad, size_t aad_len, 2698 const uint8_t *ct, size_t ct_len, 2699 uint8_t *pt, unsigned long long *pt_len); 2700 2701 2702 /** HPKE END **/ 2703 2704 /** 2705 * @ingroup crypto 2706 * Derive key material from a ECDH public key and a private ECDSA key. 2707 * Dual to #GNUNET_CRRYPTO_ecdh_ecdsa. 2708 * 2709 * @param priv private key from ECDSA to use for the ECDH (x) 2710 * @param pub public key to use for the ECDH (yG) 2711 * @param key_material where to write the key material H(h(x)yG) 2712 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2713 */ 2714 enum GNUNET_GenericReturnValue 2715 GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, 2716 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 2717 struct GNUNET_HashCode *key_material); 2718 2719 2720 /** 2721 * @ingroup crypto 2722 * Derive key material from a EdDSA public key and a private ECDH key. 2723 * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. 2724 * This converts the Edwards25519 public key @a pub to a Curve25519 2725 * public key before computing a X25519 DH (see #GNUNET_CRYPTO_ecc_ecdh). 2726 * The resulting X25519 secret is then derived to a key using 2727 * SHA-512. 2728 * NOTE: Whenever you can get away with it, use separate key pairs 2729 * for signing and encryption (DH)! 2730 * 2731 * @param priv private key to use for the ECDH (y) 2732 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) 2733 * @param key_material where to write the key material H(yX)=H(h(x)yG) 2734 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2735 */ 2736 enum GNUNET_GenericReturnValue 2737 GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, 2738 const struct GNUNET_CRYPTO_EddsaPublicKey *pub, 2739 struct GNUNET_HashCode *key_material); 2740 2741 2742 /** 2743 * @ingroup crypto 2744 * Derive key material from a EdDSA public key and a private ECDH key. 2745 * Dual to #GNUNET_CRRYPTO_x25519_ecdh. 2746 * NOTE: Whenever you can get away with it, use separate key pairs 2747 * for signing and encryption (DH)! 2748 * 2749 * @param priv private key to use for the ECDH (y) 2750 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) 2751 * @param dh the DH shared secret (NOTE: Derive key from this before use!) 2752 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2753 */ 2754 enum GNUNET_GenericReturnValue 2755 GNUNET_CRYPTO_ecdh_x25519 (const struct GNUNET_CRYPTO_EcdhePrivateKey * 2756 priv, 2757 const struct GNUNET_CRYPTO_EcdhePublicKey *pub, 2758 struct GNUNET_CRYPTO_EcdhePublicKey *dh); 2759 2760 /** 2761 * @ingroup crypto 2762 * Derive key material from a EcDSA public key and a private ECDH key. 2763 * Dual to #GNUNET_CRRYPTO_ecdsa_ecdh. 2764 * 2765 * @param priv private key to use for the ECDH (y) 2766 * @param pub public key from ECDSA to use for the ECDH (X=h(x)G) 2767 * @param key_material where to write the key material H(yX)=H(h(x)yG) 2768 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2769 */ 2770 enum GNUNET_GenericReturnValue 2771 GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, 2772 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, 2773 struct GNUNET_HashCode *key_material); 2774 2775 2776 /** 2777 * @ingroup crypto 2778 * @brief EdDSA sign a given block. 2779 * 2780 * The @a purpose data is the beginning of the data of which the signature is 2781 * to be created. The `size` field in @a purpose must correctly indicate the 2782 * number of bytes of the data structure, including its header. If possible, 2783 * use #GNUNET_CRYPTO_eddsa_sign() instead of this function (only if @a validate 2784 * is not fixed-size, you must use this function directly). 2785 * 2786 * @param priv private key to use for the signing 2787 * @param purpose what to sign (size, purpose) 2788 * @param[out] sig where to write the signature 2789 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2790 */ 2791 enum GNUNET_GenericReturnValue 2792 GNUNET_CRYPTO_eddsa_sign_ ( 2793 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 2794 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 2795 struct GNUNET_CRYPTO_EddsaSignature *sig); 2796 2797 2798 /** 2799 * @ingroup crypto 2800 * @brief EdDSA sign a given block. 2801 * 2802 * The @a ps data must be a fixed-size struct for which the signature is to be 2803 * created. The `size` field in @a ps->purpose must correctly indicate the 2804 * number of bytes of the data structure, including its header. 2805 * 2806 * @param priv private key to use for the signing 2807 * @param ps packed struct with what to sign, MUST begin with a purpose 2808 * @param[out] sig where to write the signature 2809 */ 2810 #define GNUNET_CRYPTO_eddsa_sign(priv,ps,sig) do { \ 2811 /* check size is set correctly */ \ 2812 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*ps)); \ 2813 /* check 'ps' begins with the purpose */ \ 2814 GNUNET_static_assert (((void*) (ps)) == \ 2815 ((void*) &(ps)->purpose)); \ 2816 GNUNET_assert (GNUNET_OK == \ 2817 GNUNET_CRYPTO_eddsa_sign_ (priv, \ 2818 &(ps)->purpose, \ 2819 sig)); \ 2820 } while (0) 2821 2822 2823 /** 2824 * @ingroup crypto 2825 * @brief ECDSA Sign a given block. 2826 * 2827 * The @a purpose data is the beginning of the data of which the signature is 2828 * to be created. The `size` field in @a purpose must correctly indicate the 2829 * number of bytes of the data structure, including its header. If possible, 2830 * use #GNUNET_CRYPTO_ecdsa_sign() instead of this function (only if @a validate 2831 * is not fixed-size, you must use this function directly). 2832 * 2833 * @param priv private key to use for the signing 2834 * @param purpose what to sign (size, purpose) 2835 * @param[out] sig where to write the signature 2836 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2837 */ 2838 enum GNUNET_GenericReturnValue 2839 GNUNET_CRYPTO_ecdsa_sign_ ( 2840 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, 2841 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 2842 struct GNUNET_CRYPTO_EcdsaSignature *sig); 2843 2844 /** 2845 * @brief 2846 * 2847 * @param priv 2848 * @param data 2849 * @param size 2850 * @param sig 2851 * @return enum GNUNET_GenericReturnValue 2852 */ 2853 enum GNUNET_GenericReturnValue 2854 GNUNET_CRYPTO_eddsa_sign_raw ( 2855 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 2856 void *data, 2857 size_t size, 2858 struct GNUNET_CRYPTO_EddsaSignature *sig); 2859 2860 /** 2861 * @ingroup crypto 2862 * @brief ECDSA sign a given block. 2863 * 2864 * The @a ps data must be a fixed-size struct for which the signature is to be 2865 * created. The `size` field in @a ps->purpose must correctly indicate the 2866 * number of bytes of the data structure, including its header. 2867 * 2868 * @param priv private key to use for the signing 2869 * @param ps packed struct with what to sign, MUST begin with a purpose 2870 * @param[out] sig where to write the signature 2871 */ 2872 #define GNUNET_CRYPTO_ecdsa_sign(priv,ps,sig) do { \ 2873 /* check size is set correctly */ \ 2874 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 2875 /* check 'ps' begins with the purpose */ \ 2876 GNUNET_static_assert (((void*) (ps)) == \ 2877 ((void*) &(ps)->purpose)); \ 2878 GNUNET_assert (GNUNET_OK == \ 2879 GNUNET_CRYPTO_ecdsa_sign_ (priv, \ 2880 &(ps)->purpose, \ 2881 sig)); \ 2882 } while (0) 2883 2884 /** 2885 * @ingroup crypto 2886 * @brief Edx25519 sign a given block. 2887 * 2888 * The @a purpose data is the beginning of the data of which the signature is 2889 * to be created. The `size` field in @a purpose must correctly indicate the 2890 * number of bytes of the data structure, including its header. If possible, 2891 * use #GNUNET_CRYPTO_edx25519_sign() instead of this function (only if @a 2892 * validate is not fixed-size, you must use this function directly). 2893 * 2894 * @param priv private key to use for the signing 2895 * @param purpose what to sign (size, purpose) 2896 * @param[out] sig where to write the signature 2897 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 2898 */ 2899 enum GNUNET_GenericReturnValue 2900 GNUNET_CRYPTO_edx25519_sign_ ( 2901 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, 2902 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 2903 struct GNUNET_CRYPTO_Edx25519Signature *sig); 2904 2905 2906 /** 2907 * @ingroup crypto 2908 * @brief Edx25519 sign a given block. The resulting signature is compatible 2909 * with EdDSA. 2910 * 2911 * The @a ps data must be a fixed-size struct for which the signature is to be 2912 * created. The `size` field in @a ps->purpose must correctly indicate the 2913 * number of bytes of the data structure, including its header. 2914 * 2915 * @param priv private key to use for the signing 2916 * @param ps packed struct with what to sign, MUST begin with a purpose 2917 * @param[out] sig where to write the signature 2918 */ 2919 #define GNUNET_CRYPTO_edx25519_sign(priv,ps,sig) do { \ 2920 /* check size is set correctly */ \ 2921 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 2922 /* check 'ps' begins with the purpose */ \ 2923 GNUNET_static_assert (((void*) (ps)) == \ 2924 ((void*) &(ps)->purpose)); \ 2925 GNUNET_assert (GNUNET_OK == \ 2926 GNUNET_CRYPTO_edx25519_sign_ (priv, \ 2927 &(ps)->purpose, \ 2928 sig)); \ 2929 } while (0) 2930 2931 2932 /** 2933 * @ingroup crypto 2934 * @brief Verify EdDSA signature. 2935 * 2936 * The @a validate data is the beginning of the data of which the signature 2937 * is to be verified. The `size` field in @a validate must correctly indicate 2938 * the number of bytes of the data structure, including its header. If @a 2939 * purpose does not match the purpose given in @a validate (the latter must be 2940 * in big endian), signature verification fails. If possible, 2941 * use #GNUNET_CRYPTO_eddsa_verify() instead of this function (only if @a validate 2942 * is not fixed-size, you must use this function directly). 2943 * 2944 * @param purpose what is the purpose that the signature should have? 2945 * @param validate block to validate (size, purpose, data) 2946 * @param sig signature that is being validated 2947 * @param pub public key of the signer 2948 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 2949 */ 2950 enum GNUNET_GenericReturnValue 2951 GNUNET_CRYPTO_eddsa_verify_ ( 2952 uint32_t purpose, 2953 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, 2954 const struct GNUNET_CRYPTO_EddsaSignature *sig, 2955 const struct GNUNET_CRYPTO_EddsaPublicKey *pub); 2956 2957 2958 /** 2959 * @ingroup crypto 2960 * @brief Verify EdDSA signature. 2961 * 2962 * The @a ps data must be a fixed-size struct for which the signature is to be 2963 * created. The `size` field in @a ps->purpose must correctly indicate the 2964 * number of bytes of the data structure, including its header. 2965 * 2966 * @param purp purpose of the signature, must match 'ps->purpose.purpose' 2967 * (except in host byte order) 2968 * @param priv private key to use for the signing 2969 * @param ps packed struct with what to sign, MUST begin with a purpose 2970 * @param sig where to write the signature 2971 */ 2972 #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \ 2973 /* check size is set correctly */ \ 2974 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 2975 /* check 'ps' begins with the purpose */ \ 2976 GNUNET_static_assert (((void*) (ps)) == \ 2977 ((void*) &(ps)->purpose)); \ 2978 GNUNET_CRYPTO_eddsa_verify_ (purp, \ 2979 &(ps)->purpose, \ 2980 sig, \ 2981 pub); \ 2982 }) 2983 2984 /** 2985 * @ingroup crypto 2986 * @brief Verify ECDSA signature. 2987 * 2988 * The @a validate data is the beginning of the data of which the signature is 2989 * to be verified. The `size` field in @a validate must correctly indicate the 2990 * number of bytes of the data structure, including its header. If @a purpose 2991 * does not match the purpose given in @a validate (the latter must be in big 2992 * endian), signature verification fails. If possible, use 2993 * #GNUNET_CRYPTO_eddsa_verify() instead of this function (only if @a validate 2994 * is not fixed-size, you must use this function directly). 2995 * 2996 * @param purpose what is the purpose that the signature should have? 2997 * @param validate block to validate (size, purpose, data) 2998 * @param sig signature that is being validated 2999 * @param pub public key of the signer 3000 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 3001 */ 3002 enum GNUNET_GenericReturnValue 3003 GNUNET_CRYPTO_ecdsa_verify_ ( 3004 uint32_t purpose, 3005 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, 3006 const struct GNUNET_CRYPTO_EcdsaSignature *sig, 3007 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub); 3008 3009 3010 /** 3011 * @ingroup crypto 3012 * @brief Verify ECDSA signature. 3013 * 3014 * The @a ps data must be a fixed-size struct for which the signature is to be 3015 * created. The `size` field in @a ps->purpose must correctly indicate the 3016 * number of bytes of the data structure, including its header. 3017 * 3018 * @param purp purpose of the signature, must match 'ps->purpose.purpose' 3019 * (except in host byte order) 3020 * @param priv private key to use for the signing 3021 * @param ps packed struct with what to sign, MUST begin with a purpose 3022 * @param sig where to write the signature 3023 */ 3024 #define GNUNET_CRYPTO_ecdsa_verify(purp,ps,sig,pub) ({ \ 3025 /* check size is set correctly */ \ 3026 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 3027 /* check 'ps' begins with the purpose */ \ 3028 GNUNET_static_assert (((void*) (ps)) == \ 3029 ((void*) &(ps)->purpose)); \ 3030 GNUNET_CRYPTO_ecdsa_verify_ (purp, \ 3031 &(ps)->purpose, \ 3032 sig, \ 3033 pub); \ 3034 }) 3035 3036 /** 3037 * @ingroup crypto 3038 * @brief Verify Edx25519 signature. 3039 * 3040 * The @a validate data is the beginning of the data of which the signature 3041 * is to be verified. The `size` field in @a validate must correctly indicate 3042 * the number of bytes of the data structure, including its header. If @a 3043 * purpose does not match the purpose given in @a validate (the latter must be 3044 * in big endian), signature verification fails. If possible, use 3045 * #GNUNET_CRYPTO_edx25519_verify() instead of this function (only if @a 3046 * validate is not fixed-size, you must use this function directly). 3047 * 3048 * @param purpose what is the purpose that the signature should have? 3049 * @param validate block to validate (size, purpose, data) 3050 * @param sig signature that is being validated 3051 * @param pub public key of the signer 3052 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 3053 */ 3054 enum GNUNET_GenericReturnValue 3055 GNUNET_CRYPTO_edx25519_verify_ ( 3056 uint32_t purpose, 3057 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, 3058 const struct GNUNET_CRYPTO_Edx25519Signature *sig, 3059 const struct GNUNET_CRYPTO_Edx25519PublicKey *pub); 3060 3061 3062 /** 3063 * @ingroup crypto 3064 * @brief Verify Edx25519 signature. 3065 * 3066 * The @a ps data must be a fixed-size struct for which the signature is to be 3067 * created. The `size` field in @a ps->purpose must correctly indicate the 3068 * number of bytes of the data structure, including its header. 3069 * 3070 * @param purp purpose of the signature, must match 'ps->purpose.purpose' 3071 * (except in host byte order) 3072 * @param priv private key to use for the signing 3073 * @param ps packed struct with what to sign, MUST begin with a purpose 3074 * @param sig where to write the signature 3075 */ 3076 #define GNUNET_CRYPTO_edx25519_verify(purp,ps,sig,pub) ({ \ 3077 /* check size is set correctly */ \ 3078 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 3079 /* check 'ps' begins with the purpose */ \ 3080 GNUNET_static_assert (((void*) (ps)) == \ 3081 ((void*) &(ps)->purpose)); \ 3082 GNUNET_CRYPTO_edx25519_verify_ (purp, \ 3083 &(ps)->purpose, \ 3084 sig, \ 3085 pub); \ 3086 }) 3087 3088 /** 3089 * @ingroup crypto 3090 * Derive a private key from a given private key and a label. 3091 * Essentially calculates a private key 'h = H(l,P) * d mod n' 3092 * where n is the size of the ECC group and P is the public 3093 * key associated with the private key 'd'. 3094 * 3095 * @param priv original private key 3096 * @param label label to use for key deriviation 3097 * @param context additional context to use for HKDF of 'h'; 3098 * typically the name of the subsystem/application 3099 * @return derived private key 3100 */ 3101 struct GNUNET_CRYPTO_EcdsaPrivateKey * 3102 GNUNET_CRYPTO_ecdsa_private_key_derive ( 3103 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, 3104 const char *label, 3105 const char *context); 3106 3107 3108 /** 3109 * @ingroup crypto 3110 * Derive a public key from a given public key and a label. 3111 * Essentially calculates a public key 'V = H(l,P) * P'. 3112 * 3113 * @param pub original public key 3114 * @param label label to use for key deriviation 3115 * @param context additional context to use for HKDF of 'h'. 3116 * typically the name of the subsystem/application 3117 * @param result where to write the derived public key 3118 */ 3119 void 3120 GNUNET_CRYPTO_ecdsa_public_key_derive ( 3121 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, 3122 const char *label, 3123 const char *context, 3124 struct GNUNET_CRYPTO_EcdsaPublicKey *result); 3125 3126 /** 3127 * This is a signature function for ECDSA which takes a 3128 * private key, derives/blinds it and signs the message. 3129 * 3130 * @param pkey original private key 3131 * @param label label to use for key deriviation 3132 * @param context additional context to use for HKDF of 'h'; 3133 * typically the name of the subsystem/application 3134 * @param purpose the signature purpose 3135 * @param sig the resulting signature 3136 * @return GNUNET_OK on success 3137 */ 3138 enum GNUNET_GenericReturnValue 3139 GNUNET_CRYPTO_ecdsa_sign_derived ( 3140 const struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey, 3141 const char *label, 3142 const char *context, 3143 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 3144 struct GNUNET_CRYPTO_EcdsaSignature *sig); 3145 3146 3147 /** 3148 * @ingroup crypto 3149 * Derive a private scalar from a given private key and a label. 3150 * Essentially calculates a private key 'h = H(l,P) * d mod n' 3151 * where n is the size of the ECC group and P is the public 3152 * key associated with the private key 'd'. 3153 * The result is the derived private _scalar_, not the private 3154 * key as for EdDSA we cannot derive before we hash the 3155 * private key. 3156 * 3157 * @param priv original private key 3158 * @param label label to use for key deriviation 3159 * @param context additional context to use for HKDF of 'h'; 3160 * typically the name of the subsystem/application 3161 * @param result derived private scalar 3162 */ 3163 void 3164 GNUNET_CRYPTO_eddsa_private_key_derive ( 3165 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, 3166 const char *label, 3167 const char *context, 3168 struct GNUNET_CRYPTO_EddsaPrivateScalar *result); 3169 3170 3171 /** 3172 * @ingroup crypto 3173 * Derive a public key from a given public key and a label. 3174 * Essentially calculates a public key 'V = H(l,P) * P'. 3175 * 3176 * @param pub original public key 3177 * @param label label to use for key deriviation 3178 * @param context additional context to use for HKDF of 'h'. 3179 * typically the name of the subsystem/application 3180 * @param result where to write the derived public key 3181 */ 3182 void 3183 GNUNET_CRYPTO_eddsa_public_key_derive ( 3184 const struct GNUNET_CRYPTO_EddsaPublicKey *pub, 3185 const char *label, 3186 const char *context, 3187 struct GNUNET_CRYPTO_EddsaPublicKey *result); 3188 3189 3190 /** 3191 * This is a signature function for EdDSA which takes a 3192 * private key and derives it using the label and context 3193 * before signing. 3194 * 3195 * @param pkey original private key 3196 * @param label label to use for key deriviation 3197 * @param context additional context to use for HKDF of 'h'; 3198 * typically the name of the subsystem/application 3199 * @param purpose the signature purpose 3200 * @param sig the resulting signature 3201 * @return GNUNET_OK on success 3202 */ 3203 enum GNUNET_GenericReturnValue 3204 GNUNET_CRYPTO_eddsa_sign_derived ( 3205 const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey, 3206 const char *label, 3207 const char *context, 3208 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 3209 struct GNUNET_CRYPTO_EddsaSignature *sig); 3210 3211 3212 /** 3213 * Extract the public key of the given private scalar. 3214 * 3215 * @param s the private scalar 3216 * @param pkey the resulting public key 3217 */ 3218 void 3219 GNUNET_CRYPTO_eddsa_key_get_public_from_scalar ( 3220 const struct GNUNET_CRYPTO_EddsaPrivateScalar *s, 3221 struct GNUNET_CRYPTO_EddsaPublicKey *pkey); 3222 3223 /** 3224 * @ingroup crypto 3225 * Derive a private scalar from a given private key and a label. 3226 * Essentially calculates a private key 'h = H(l,P) * d mod n' 3227 * where n is the size of the ECC group and P is the public 3228 * key associated with the private key 'd'. 3229 * 3230 * @param priv original private key 3231 * @param seed input seed 3232 * @param seedsize size of the seed 3233 * @param result derived private key 3234 */ 3235 void 3236 GNUNET_CRYPTO_edx25519_private_key_derive ( 3237 const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, 3238 const void *seed, 3239 size_t seedsize, 3240 struct GNUNET_CRYPTO_Edx25519PrivateKey *result); 3241 3242 3243 /** 3244 * @ingroup crypto 3245 * Derive a public key from a given public key and a label. 3246 * Essentially calculates a public key 'V = H(l,P) * P'. 3247 * 3248 * @param pub original public key 3249 * @param seed input seed 3250 * @param seedsize size of the seed 3251 * @param result where to write the derived public key 3252 */ 3253 void 3254 GNUNET_CRYPTO_edx25519_public_key_derive ( 3255 const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, 3256 const void *seed, 3257 size_t seedsize, 3258 struct GNUNET_CRYPTO_Edx25519PublicKey *result); 3259 3260 3261 /** 3262 * @ingroup crypto 3263 * Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. 3264 * 3265 * @param representative serialized elligator representative of an element of Curves25519's finite field 3266 * @param point destination for the calculated point on the curve 3267 * @param high_y bool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed. 3268 */ 3269 void 3270 GNUNET_CRYPTO_ecdhe_elligator_decoding ( 3271 struct GNUNET_CRYPTO_EcdhePublicKey *point, 3272 bool *high_y, 3273 const struct GNUNET_CRYPTO_ElligatorRepresentative *representative); 3274 3275 3276 /** 3277 * @ingroup crypto 3278 * Encodes a point on Curve25519 to a an element of the underlying finite field. 3279 * This transformation is deterministic. 3280 * 3281 * @param random_tweak random 8-bit value used as seed 3282 * @param r storage for the calculated representative 3283 * @param pub a point on the curve 3284 * @return 'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined 3285 */ 3286 bool 3287 GNUNET_CRYPTO_ecdhe_elligator_encoding ( 3288 uint8_t random_tweak, 3289 struct GNUNET_CRYPTO_ElligatorRepresentative *r, 3290 const struct GNUNET_CRYPTO_EcdhePublicKey *pub); 3291 3292 3293 /** 3294 * @ingroup crypto 3295 * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. 3296 * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key. 3297 * 3298 * @param random_tweak random 8-bit value used as seed 3299 * @param sk private key for generating valid public key 3300 * @param pub valid public key for elligator inverse map 3301 * @param repr storage for a calculated representative 3302 * @return GNUNET_OK on success 3303 */ 3304 enum GNUNET_GenericReturnValue 3305 GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand ( 3306 uint8_t random_tweak, 3307 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, 3308 struct GNUNET_CRYPTO_EcdhePublicKey *pub, 3309 struct GNUNET_CRYPTO_ElligatorRepresentative *repr); 3310 3311 /** 3312 * @ingroup crypto 3313 * Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. 3314 * Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key. 3315 * 3316 * @param sk private key for generating valid public key 3317 * @param pub valid public key for elligator inverse map 3318 * @param repr storage for a calculated representative 3319 * @return GNUNET_OK on success 3320 */ 3321 enum GNUNET_GenericReturnValue 3322 GNUNET_CRYPTO_ecdhe_elligator_key_get_public ( 3323 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, 3324 struct GNUNET_CRYPTO_EcdhePublicKey *pub, 3325 struct GNUNET_CRYPTO_ElligatorRepresentative *repr); 3326 3327 3328 /** 3329 * @ingroup crypto 3330 * Generates a private key for Curve25519. 3331 * 3332 * @param sk Curve25519 private key 3333 */ 3334 void 3335 GNUNET_CRYPTO_ecdhe_elligator_key_create ( 3336 struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk); 3337 3338 3339 /** 3340 * Output the given MPI value to the given buffer in network 3341 * byte order. The MPI @a val may not be negative. 3342 * 3343 * @param buf where to output to 3344 * @param size number of bytes in @a buf 3345 * @param val value to write to @a buf 3346 */ 3347 void 3348 GNUNET_CRYPTO_mpi_print_unsigned (void *buf, 3349 size_t size, 3350 gcry_mpi_t val); 3351 3352 3353 /** 3354 * Convert data buffer into MPI value. 3355 * The buffer is interpreted as network 3356 * byte order, unsigned integer. 3357 * 3358 * @param result where to store MPI value (allocated) 3359 * @param data raw data (GCRYMPI_FMT_USG) 3360 * @param size number of bytes in @a data 3361 */ 3362 void 3363 GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result, 3364 const void *data, 3365 size_t size); 3366 3367 3368 /** 3369 * Create a freshly generated paillier public key. 3370 * 3371 * @param[out] public_key Where to store the public key? 3372 * @param[out] private_key Where to store the private key? 3373 */ 3374 void 3375 GNUNET_CRYPTO_paillier_create ( 3376 struct GNUNET_CRYPTO_PaillierPublicKey *public_key, 3377 struct GNUNET_CRYPTO_PaillierPrivateKey *private_key); 3378 3379 3380 /** 3381 * Encrypt a plaintext with a paillier public key. 3382 * 3383 * @param public_key Public key to use. 3384 * @param m Plaintext to encrypt. 3385 * @param desired_ops How many homomorphic ops the caller intends to use 3386 * @param[out] ciphertext Encryption of @a plaintext with @a public_key. 3387 * @return guaranteed number of supported homomorphic operations >= 1, 3388 * or desired_ops, in case that is lower, 3389 * or -1 if less than one homomorphic operation is possible 3390 */ 3391 int 3392 GNUNET_CRYPTO_paillier_encrypt ( 3393 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key, 3394 const gcry_mpi_t m, 3395 int desired_ops, 3396 struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext); 3397 3398 3399 /** 3400 * Decrypt a paillier ciphertext with a private key. 3401 * 3402 * @param private_key Private key to use for decryption. 3403 * @param public_key Public key to use for decryption. 3404 * @param ciphertext Ciphertext to decrypt. 3405 * @param[out] m Decryption of @a ciphertext with @a private_key. 3406 */ 3407 void 3408 GNUNET_CRYPTO_paillier_decrypt ( 3409 const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key, 3410 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key, 3411 const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext, 3412 gcry_mpi_t m); 3413 3414 3415 /** 3416 * Compute a ciphertext that represents the sum of the plaintext in @a c1 3417 * and @a c2 3418 * 3419 * Note that this operation can only be done a finite number of times 3420 * before an overflow occurs. 3421 * 3422 * @param public_key Public key to use for encryption. 3423 * @param c1 Paillier cipher text. 3424 * @param c2 Paillier cipher text. 3425 * @param[out] result Result of the homomorphic operation. 3426 * @return #GNUNET_OK if the result could be computed, 3427 * #GNUNET_SYSERR if no more homomorphic operations are remaining. 3428 */ 3429 int 3430 GNUNET_CRYPTO_paillier_hom_add ( 3431 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key, 3432 const struct GNUNET_CRYPTO_PaillierCiphertext *c1, 3433 const struct GNUNET_CRYPTO_PaillierCiphertext *c2, 3434 struct GNUNET_CRYPTO_PaillierCiphertext *result); 3435 3436 3437 /** 3438 * Get the number of remaining supported homomorphic operations. 3439 * 3440 * @param c Paillier cipher text. 3441 * @return the number of remaining homomorphic operations 3442 */ 3443 int 3444 GNUNET_CRYPTO_paillier_hom_get_remaining ( 3445 const struct GNUNET_CRYPTO_PaillierCiphertext *c); 3446 3447 3448 /* ********* Chaum-style RSA-based blind signatures ******************* */ 3449 3450 3451 /** 3452 * The private information of an RSA key pair. 3453 */ 3454 struct GNUNET_CRYPTO_RsaPrivateKey; 3455 3456 /** 3457 * The public information of an RSA key pair. 3458 */ 3459 struct GNUNET_CRYPTO_RsaPublicKey; 3460 3461 /** 3462 * Constant-size pre-secret for blinding key generation. 3463 */ 3464 struct GNUNET_CRYPTO_RsaBlindingKeySecret 3465 { 3466 /** 3467 * Bits used to generate the blinding key. 256 bits 3468 * of entropy is enough. 3469 */ 3470 uint32_t pre_secret[8] GNUNET_PACKED; 3471 }; 3472 3473 /** 3474 * @brief an RSA signature 3475 */ 3476 struct GNUNET_CRYPTO_RsaSignature; 3477 3478 3479 /** 3480 * Create a new private key. Caller must free return value. 3481 * 3482 * @param len length of the key in bits (e.g. 2048) 3483 * @return fresh private key 3484 */ 3485 struct GNUNET_CRYPTO_RsaPrivateKey * 3486 GNUNET_CRYPTO_rsa_private_key_create (unsigned int len); 3487 3488 3489 /** 3490 * Free memory occupied by the private key. 3491 * 3492 * @param key pointer to the memory to free 3493 */ 3494 void 3495 GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key); 3496 3497 3498 /** 3499 * Encode the private key in a format suitable for 3500 * storing it into a file. 3501 * 3502 * @param key the private key 3503 * @param[out] buffer set to a buffer with the encoded key 3504 * @return size of memory allocatedin @a buffer 3505 */ 3506 size_t 3507 GNUNET_CRYPTO_rsa_private_key_encode ( 3508 const struct GNUNET_CRYPTO_RsaPrivateKey *key, 3509 void **buffer); 3510 3511 3512 /** 3513 * Decode the private key from the data-format back 3514 * to the "normal", internal format. 3515 * 3516 * @param buf the buffer where the private key data is stored 3517 * @param buf_size the size of the data in @a buf 3518 * @return NULL on error 3519 */ 3520 struct GNUNET_CRYPTO_RsaPrivateKey * 3521 GNUNET_CRYPTO_rsa_private_key_decode (const void *buf, 3522 size_t buf_size); 3523 3524 3525 /** 3526 * Duplicate the given private key 3527 * 3528 * @param key the private key to duplicate 3529 * @return the duplicate key; NULL upon error 3530 */ 3531 struct GNUNET_CRYPTO_RsaPrivateKey * 3532 GNUNET_CRYPTO_rsa_private_key_dup ( 3533 const struct GNUNET_CRYPTO_RsaPrivateKey *key); 3534 3535 3536 /** 3537 * Extract the public key of the given private key. 3538 * 3539 * @param priv the private key 3540 * @return NULL on error, otherwise the public key 3541 */ 3542 struct GNUNET_CRYPTO_RsaPublicKey * 3543 GNUNET_CRYPTO_rsa_private_key_get_public ( 3544 const struct GNUNET_CRYPTO_RsaPrivateKey *priv); 3545 3546 3547 /** 3548 * Compute hash over the public key. 3549 * 3550 * @param key public key to hash 3551 * @param hc where to store the hash code 3552 */ 3553 void 3554 GNUNET_CRYPTO_rsa_public_key_hash ( 3555 const struct GNUNET_CRYPTO_RsaPublicKey *key, 3556 struct GNUNET_HashCode *hc); 3557 3558 3559 /** 3560 * Check if @a key is well-formed. 3561 * 3562 * @return true if @a key is well-formed. 3563 */ 3564 bool 3565 GNUNET_CRYPTO_rsa_public_key_check ( 3566 const struct GNUNET_CRYPTO_RsaPublicKey *key); 3567 3568 /** 3569 * Obtain the length of the RSA key in bits. 3570 * 3571 * @param key the public key to introspect 3572 * @return length of the key in bits 3573 */ 3574 unsigned int 3575 GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key); 3576 3577 3578 /** 3579 * Free memory occupied by the public key. 3580 * 3581 * @param key pointer to the memory to free 3582 */ 3583 void 3584 GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key); 3585 3586 3587 /** 3588 * Encode the public key in a format suitable for 3589 * storing it into a file. 3590 * 3591 * @param key the private key 3592 * @param[out] buffer set to a buffer with the encoded key 3593 * @return size of memory allocated in @a buffer 3594 */ 3595 size_t 3596 GNUNET_CRYPTO_rsa_public_key_encode ( 3597 const struct GNUNET_CRYPTO_RsaPublicKey *key, 3598 void **buffer); 3599 3600 3601 /** 3602 * Decode the public key from the data-format back 3603 * to the "normal", internal format. 3604 * 3605 * @param buf the buffer where the public key data is stored 3606 * @param len the length of the data in @a buf 3607 * @return NULL on error 3608 */ 3609 struct GNUNET_CRYPTO_RsaPublicKey * 3610 GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, 3611 size_t len); 3612 3613 3614 /** 3615 * Duplicate the given public key 3616 * 3617 * @param key the public key to duplicate 3618 * @return the duplicate key; NULL upon error 3619 */ 3620 struct GNUNET_CRYPTO_RsaPublicKey * 3621 GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key); 3622 3623 3624 /** 3625 * Compare the values of two signatures. 3626 * 3627 * @param s1 one signature 3628 * @param s2 the other signature 3629 * @return 0 if the two are equal 3630 */ 3631 int 3632 GNUNET_CRYPTO_rsa_signature_cmp (const struct GNUNET_CRYPTO_RsaSignature *s1, 3633 const struct GNUNET_CRYPTO_RsaSignature *s2); 3634 3635 /** 3636 * Compare the values of two private keys. 3637 * 3638 * @param p1 one private key 3639 * @param p2 the other private key 3640 * @return 0 if the two are equal 3641 */ 3642 int 3643 GNUNET_CRYPTO_rsa_private_key_cmp ( 3644 const struct GNUNET_CRYPTO_RsaPrivateKey *p1, 3645 const struct GNUNET_CRYPTO_RsaPrivateKey *p2); 3646 3647 3648 /** 3649 * Compare the values of two public keys. 3650 * 3651 * @param p1 one public key 3652 * @param p2 the other public key 3653 * @return 0 if the two are equal 3654 */ 3655 int 3656 GNUNET_CRYPTO_rsa_public_key_cmp (const struct GNUNET_CRYPTO_RsaPublicKey *p1, 3657 const struct GNUNET_CRYPTO_RsaPublicKey *p2); 3658 3659 3660 /** 3661 * @brief RSA Parameters to create blinded signature 3662 */ 3663 struct GNUNET_CRYPTO_RsaBlindedMessage 3664 { 3665 /** 3666 * Blinded message to be signed 3667 * Note: is malloc()'ed! 3668 */ 3669 void *blinded_msg; 3670 3671 /** 3672 * Size of the @e blinded_msg to be signed. 3673 */ 3674 size_t blinded_msg_size; 3675 }; 3676 3677 3678 /** 3679 * Blinds the given message with the given blinding key 3680 * 3681 * @param message the message to sign 3682 * @param message_size number of bytes in @a message 3683 * @param bks the blinding key 3684 * @param pkey the public key of the signer 3685 * @param[out] bm set to the blinded message 3686 * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious 3687 */ 3688 enum GNUNET_GenericReturnValue 3689 GNUNET_CRYPTO_rsa_blind (const void *message, 3690 size_t message_size, 3691 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, 3692 struct GNUNET_CRYPTO_RsaPublicKey *pkey, 3693 struct GNUNET_CRYPTO_RsaBlindedMessage *bm); 3694 3695 3696 /** 3697 * Sign a blinded value, which must be a full domain hash of a message. 3698 * 3699 * @param key private key to use for the signing 3700 * @param bm the (blinded) message to sign 3701 * @return NULL on error, signature on success 3702 */ 3703 struct GNUNET_CRYPTO_RsaSignature * 3704 GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key, 3705 const struct 3706 GNUNET_CRYPTO_RsaBlindedMessage *bm); 3707 3708 3709 /** 3710 * Create and sign a full domain hash of a message. 3711 * 3712 * @param key private key to use for the signing 3713 * @param message the message to sign 3714 * @param message_size number of bytes in @a message 3715 * @return NULL on error, including a malicious RSA key, signature on success 3716 */ 3717 struct GNUNET_CRYPTO_RsaSignature * 3718 GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key, 3719 const void *message, 3720 size_t message_size); 3721 3722 3723 /** 3724 * Free memory occupied by blinded message. Only frees contents, not 3725 * @a bm itself. 3726 * 3727 * @param[in] bm memory to free 3728 */ 3729 void 3730 GNUNET_CRYPTO_rsa_blinded_message_free ( 3731 struct GNUNET_CRYPTO_RsaBlindedMessage *bm); 3732 3733 3734 /** 3735 * Free memory occupied by signature. 3736 * 3737 * @param[in] sig memory to free 3738 */ 3739 void 3740 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig); 3741 3742 3743 /** 3744 * Encode the given signature in a format suitable for storing it into a file. 3745 * 3746 * @param sig the signature 3747 * @param[out] buffer set to a buffer with the encoded key 3748 * @return size of memory allocated in @a buffer 3749 */ 3750 size_t 3751 GNUNET_CRYPTO_rsa_signature_encode ( 3752 const struct GNUNET_CRYPTO_RsaSignature *sig, 3753 void **buffer); 3754 3755 3756 /** 3757 * Decode the signature from the data-format back to the "normal", internal 3758 * format. 3759 * 3760 * @param buf the buffer where the public key data is stored 3761 * @param buf_size the number of bytes of the data in @a buf 3762 * @return NULL on error 3763 */ 3764 struct GNUNET_CRYPTO_RsaSignature * 3765 GNUNET_CRYPTO_rsa_signature_decode ( 3766 const void *buf, 3767 size_t buf_size); 3768 3769 3770 /** 3771 * Duplicate the given rsa signature 3772 * 3773 * @param sig the signature to duplicate 3774 * @return the duplicate key; NULL upon error 3775 */ 3776 struct GNUNET_CRYPTO_RsaSignature * 3777 GNUNET_CRYPTO_rsa_signature_dup ( 3778 const struct GNUNET_CRYPTO_RsaSignature *sig); 3779 3780 3781 /** 3782 * Unblind a blind-signed signature. The signature should have been generated 3783 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with 3784 * #GNUNET_CRYPTO_rsa_blind(). 3785 * 3786 * @param sig the signature made on the blinded signature purpose 3787 * @param bks the blinding key secret used to blind the signature purpose 3788 * @param pkey the public key of the signer 3789 * @return unblinded signature on success, NULL if RSA key is bad or malicious. 3790 */ 3791 struct GNUNET_CRYPTO_RsaSignature * 3792 GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig, 3793 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks, 3794 struct GNUNET_CRYPTO_RsaPublicKey *pkey); 3795 3796 3797 /** 3798 * Verify whether the given hash corresponds to the given signature and the 3799 * signature is valid with respect to the given public key. 3800 * 3801 * @param message the message to sign 3802 * @param message_size number of bytes in @a message 3803 * @param sig signature that is being validated 3804 * @param public_key public key of the signer 3805 * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature 3806 */ 3807 enum GNUNET_GenericReturnValue 3808 GNUNET_CRYPTO_rsa_verify (const void *message, 3809 size_t message_size, 3810 const struct GNUNET_CRYPTO_RsaSignature *sig, 3811 const struct GNUNET_CRYPTO_RsaPublicKey *public_key); 3812 3813 3814 /** 3815 * Create a new random private key. 3816 * 3817 * @param[out] priv where to write the fresh private key 3818 */ 3819 void 3820 GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv); 3821 3822 3823 /** 3824 * Extract the public key of the given private key. 3825 * 3826 * @param priv the private key 3827 * @param[out] pub where to write the public key 3828 */ 3829 void 3830 GNUNET_CRYPTO_cs_private_key_get_public ( 3831 const struct GNUNET_CRYPTO_CsPrivateKey *priv, 3832 struct GNUNET_CRYPTO_CsPublicKey *pub); 3833 3834 3835 /** 3836 * Derive a new secret r pair r0 and r1. 3837 * In original papers r is generated randomly 3838 * To provide abort-idempotency, r needs to be derived but still needs to be UNPREDICTABLE 3839 * To ensure unpredictability a new nonce should be used when a new r needs to be derived. 3840 * Uses HKDF internally. 3841 * Comment: Can be done in one HKDF shot and split output. 3842 * 3843 * @param nonce is a random nonce 3844 * @param seed seed to use in derivation 3845 * @param lts is a long-term-secret in form of a private key 3846 * @param[out] r array containing derived secrets r0 and r1 3847 */ 3848 void 3849 GNUNET_CRYPTO_cs_r_derive ( 3850 const struct GNUNET_CRYPTO_CsSessionNonce *nonce, 3851 const char *seed, 3852 const struct GNUNET_CRYPTO_CsPrivateKey *lts, 3853 struct GNUNET_CRYPTO_CsRSecret r[2]); 3854 3855 3856 /** 3857 * Extract the public R of the given secret r. 3858 * 3859 * @param r_priv the private key 3860 * @param[out] r_pub where to write the public key 3861 */ 3862 void 3863 GNUNET_CRYPTO_cs_r_get_public ( 3864 const struct GNUNET_CRYPTO_CsRSecret *r_priv, 3865 struct GNUNET_CRYPTO_CsRPublic *r_pub); 3866 3867 3868 /** 3869 * Derives new random blinding factors. 3870 * In original papers blinding factors are generated randomly 3871 * To provide abort-idempotency, blinding factors need to be derived but still need to be UNPREDICTABLE. 3872 * To ensure unpredictability a new nonce has to be used. 3873 * Uses HKDF internally. 3874 * 3875 * @param blind_seed is the blinding seed to derive blinding factors 3876 * @param[out] bs array containing the two derived blinding secrets 3877 */ 3878 void 3879 GNUNET_CRYPTO_cs_blinding_secrets_derive ( 3880 const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, 3881 struct GNUNET_CRYPTO_CsBlindingSecret bs[2]); 3882 3883 3884 /** 3885 * @brief CS Parameters derived from the message 3886 * during blinding to create blinded signature 3887 */ 3888 struct GNUNET_CRYPTO_CsBlindedMessage 3889 { 3890 /** 3891 * The Clause Schnorr c_0 and c_1 containing the blinded message 3892 */ 3893 struct GNUNET_CRYPTO_CsC c[2]; 3894 3895 /** 3896 * Nonce used in initial request. 3897 */ 3898 struct GNUNET_CRYPTO_CsSessionNonce nonce; 3899 3900 }; 3901 3902 3903 /** 3904 * Pair of Public R values for Cs denominations 3905 */ 3906 struct GNUNET_CRYPTO_CSPublicRPairP 3907 { 3908 struct GNUNET_CRYPTO_CsRPublic r_pub[2]; 3909 }; 3910 3911 3912 /** 3913 * Calculate two blinded c's. 3914 * Comment: One would be insecure due to Wagner's algorithm solving ROS 3915 * 3916 * @param bs array of the two blinding factor structs each containing alpha and beta 3917 * @param r_pub array of the two signer's nonce R 3918 * @param pub the public key of the signer 3919 * @param msg the message to blind in preparation for signing 3920 * @param msg_len length of message msg 3921 * @param[out] blinded_c array of the two blinded c's 3922 * @param[out] r_pub_blind array of the two blinded R 3923 */ 3924 void 3925 GNUNET_CRYPTO_cs_calc_blinded_c ( 3926 const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], 3927 const struct GNUNET_CRYPTO_CsRPublic r_pub[2], 3928 const struct GNUNET_CRYPTO_CsPublicKey *pub, 3929 const void *msg, 3930 size_t msg_len, 3931 struct GNUNET_CRYPTO_CsC blinded_c[2], 3932 struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind); 3933 3934 3935 /** 3936 * The Sign Answer for Clause Blind Schnorr signature. 3937 * The sign operation returns a parameter @param b and the signature 3938 * scalar @param s_scalar. 3939 */ 3940 struct GNUNET_CRYPTO_CsBlindSignature 3941 { 3942 /** 3943 * To make ROS problem harder, the signer chooses an unpredictable b and 3944 * only calculates signature of c_b 3945 */ 3946 unsigned int b; 3947 3948 /** 3949 * The blinded s scalar calculated from c_b 3950 */ 3951 struct GNUNET_CRYPTO_CsBlindS s_scalar; 3952 }; 3953 3954 3955 /** 3956 * Sign a blinded @a c. 3957 * This function derives b from a nonce and a longterm secret. 3958 * In the original papers b is generated randomly. 3959 * To provide abort-idempotency, b needs to be derived but still need to be UNPREDICTABLE. 3960 * To ensure unpredictability a new nonce has to be used for every signature. 3961 * HKDF is used internally for derivation. 3962 * r0 and r1 can be derived prior by using GNUNET_CRYPTO_cs_r_derive. 3963 * 3964 * @param priv private key to use for the signing and as LTS in HKDF 3965 * @param r array of the two secret inputs from the signer 3966 * @param bm blinded message, including array of the two blinded c to sign c_b and the random nonce 3967 * @param[out] cs_blind_sig where to write the blind signature 3968 */ 3969 void 3970 GNUNET_CRYPTO_cs_sign_derive ( 3971 const struct GNUNET_CRYPTO_CsPrivateKey *priv, 3972 const struct GNUNET_CRYPTO_CsRSecret r[2], 3973 const struct GNUNET_CRYPTO_CsBlindedMessage *bm, 3974 struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig); 3975 3976 3977 /** 3978 * Unblind a blind-signed signature using a c that was blinded 3979 * 3980 * @param blinded_signature_scalar the signature made on the blinded c 3981 * @param bs the blinding factors used in the blinding 3982 * @param[out] signature_scalar where to write the unblinded signature 3983 */ 3984 void 3985 GNUNET_CRYPTO_cs_unblind ( 3986 const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, 3987 const struct GNUNET_CRYPTO_CsBlindingSecret *bs, 3988 struct GNUNET_CRYPTO_CsS *signature_scalar); 3989 3990 3991 /** 3992 * Verify whether the given message corresponds to the given signature and the 3993 * signature is valid with respect to the given public key. 3994 * 3995 * @param sig signature that is being validated 3996 * @param pub public key of the signer 3997 * @param msg is the message that should be signed by @a sig (message is used to calculate c) 3998 * @param msg_len is the message length 3999 * @returns #GNUNET_YES on success, #GNUNET_SYSERR if signature invalid 4000 */ 4001 enum GNUNET_GenericReturnValue 4002 GNUNET_CRYPTO_cs_verify ( 4003 const struct GNUNET_CRYPTO_CsSignature *sig, 4004 const struct GNUNET_CRYPTO_CsPublicKey *pub, 4005 const void *msg, 4006 size_t msg_len); 4007 4008 4009 /** 4010 * Types of public keys used for blind signatures. 4011 */ 4012 enum GNUNET_CRYPTO_BlindSignatureAlgorithm 4013 { 4014 4015 /** 4016 * Invalid type of signature. 4017 */ 4018 GNUNET_CRYPTO_BSA_INVALID = 0, 4019 4020 /** 4021 * RSA blind signature. 4022 */ 4023 GNUNET_CRYPTO_BSA_RSA = 1, 4024 4025 /** 4026 * Clause Blind Schnorr signature. 4027 */ 4028 GNUNET_CRYPTO_BSA_CS = 2 4029 }; 4030 4031 4032 /** 4033 * @brief Type of (unblinded) signatures. 4034 */ 4035 struct GNUNET_CRYPTO_UnblindedSignature 4036 { 4037 4038 /** 4039 * Type of the signature. 4040 */ 4041 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4042 4043 /** 4044 * Reference counter. 4045 */ 4046 unsigned int rc; 4047 4048 /** 4049 * Details, depending on @e cipher. 4050 */ 4051 union 4052 { 4053 /** 4054 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4055 */ 4056 struct GNUNET_CRYPTO_CsSignature cs_signature; 4057 4058 /** 4059 * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. 4060 */ 4061 struct GNUNET_CRYPTO_RsaSignature *rsa_signature; 4062 4063 } details; 4064 4065 }; 4066 4067 4068 /** 4069 * @brief Type for *blinded* signatures. 4070 * Must be unblinded before it becomes valid. 4071 */ 4072 struct GNUNET_CRYPTO_BlindedSignature 4073 { 4074 4075 /** 4076 * Type of the signature. 4077 */ 4078 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4079 4080 /** 4081 * Reference counter. 4082 */ 4083 unsigned int rc; 4084 4085 /** 4086 * Details, depending on @e cipher. 4087 */ 4088 union 4089 { 4090 /** 4091 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4092 * At this point only the blinded s scalar is used. 4093 * The final signature consisting of r,s is built after unblinding. 4094 */ 4095 struct GNUNET_CRYPTO_CsBlindSignature blinded_cs_answer; 4096 4097 /** 4098 * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. 4099 */ 4100 struct GNUNET_CRYPTO_RsaSignature *blinded_rsa_signature; 4101 4102 } details; 4103 4104 }; 4105 4106 4107 /** 4108 * @brief Type of public signing keys for blind signatures. 4109 */ 4110 struct GNUNET_CRYPTO_BlindSignPublicKey 4111 { 4112 4113 /** 4114 * Type of the public key. 4115 */ 4116 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4117 4118 /** 4119 * Reference counter. 4120 */ 4121 unsigned int rc; 4122 4123 /** 4124 * Hash of the public key. 4125 */ 4126 struct GNUNET_HashCode pub_key_hash; 4127 4128 /** 4129 * Details, depending on @e cipher. 4130 */ 4131 union 4132 { 4133 /** 4134 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4135 */ 4136 struct GNUNET_CRYPTO_CsPublicKey cs_public_key; 4137 4138 /** 4139 * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. 4140 */ 4141 struct GNUNET_CRYPTO_RsaPublicKey *rsa_public_key; 4142 4143 } details; 4144 }; 4145 4146 4147 /** 4148 * @brief Type of private signing keys for blind signing. 4149 */ 4150 struct GNUNET_CRYPTO_BlindSignPrivateKey 4151 { 4152 4153 /** 4154 * Type of the public key. 4155 */ 4156 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4157 4158 /** 4159 * Reference counter. 4160 */ 4161 unsigned int rc; 4162 4163 /** 4164 * Details, depending on @e cipher. 4165 */ 4166 union 4167 { 4168 /** 4169 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4170 */ 4171 struct GNUNET_CRYPTO_CsPrivateKey cs_private_key; 4172 4173 /** 4174 * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. 4175 */ 4176 struct GNUNET_CRYPTO_RsaPrivateKey *rsa_private_key; 4177 4178 } details; 4179 }; 4180 4181 4182 /** 4183 * @brief Blinded message ready for blind signing. 4184 */ 4185 struct GNUNET_CRYPTO_BlindedMessage 4186 { 4187 /** 4188 * Type of the sign blinded message 4189 */ 4190 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4191 4192 /** 4193 * Reference counter. 4194 */ 4195 unsigned int rc; 4196 4197 /** 4198 * Details, depending on @e cipher. 4199 */ 4200 union 4201 { 4202 /** 4203 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4204 */ 4205 struct GNUNET_CRYPTO_CsBlindedMessage cs_blinded_message; 4206 4207 /** 4208 * If we use #GNUNET_CRYPTO_BSA_RSA in @a cipher. 4209 */ 4210 struct GNUNET_CRYPTO_RsaBlindedMessage rsa_blinded_message; 4211 4212 } details; 4213 }; 4214 4215 4216 /** 4217 * Secret r for Cs denominations 4218 */ 4219 struct GNUNET_CRYPTO_CSPrivateRPairP 4220 { 4221 struct GNUNET_CRYPTO_CsRSecret r[2]; 4222 }; 4223 4224 4225 /** 4226 * @brief Input needed for blinding a message. 4227 */ 4228 struct GNUNET_CRYPTO_BlindingInputValues 4229 { 4230 4231 /** 4232 * Type of the signature. 4233 */ 4234 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher; 4235 4236 /** 4237 * Reference counter. 4238 */ 4239 unsigned int rc; 4240 4241 /** 4242 * Details, depending on @e cipher. 4243 */ 4244 union 4245 { 4246 /** 4247 * If we use #GNUNET_CRYPTO_BSA_CS in @a cipher. 4248 */ 4249 struct GNUNET_CRYPTO_CSPublicRPairP cs_values; 4250 4251 } details; 4252 4253 }; 4254 4255 4256 /** 4257 * Nonce used to deterministiacally derive input values 4258 * used in multi-round blind signature protocols. 4259 */ 4260 union GNUNET_CRYPTO_BlindSessionNonce 4261 { 4262 /** 4263 * Nonce used when signing with CS. 4264 */ 4265 struct GNUNET_CRYPTO_CsSessionNonce cs_nonce; 4266 }; 4267 4268 4269 /** 4270 * Compute blinding input values for a given @a nonce and 4271 * @a salt. 4272 * 4273 * @param bsign_priv private key to compute input values for 4274 * @param nonce session nonce to derive input values from 4275 * @param salt salt to include in derivation logic 4276 * @return blinding input values 4277 */ 4278 struct GNUNET_CRYPTO_BlindingInputValues * 4279 GNUNET_CRYPTO_get_blinding_input_values ( 4280 const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, 4281 const union GNUNET_CRYPTO_BlindSessionNonce *nonce, 4282 const char *salt); 4283 4284 4285 /** 4286 * Decrement reference counter of a @a bsign_pub, and free it if it reaches zero. 4287 * 4288 * @param[in] bsign_pub key to free 4289 */ 4290 void 4291 GNUNET_CRYPTO_blind_sign_pub_decref ( 4292 struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); 4293 4294 4295 /** 4296 * Decrement reference counter of a @a bsign_priv, and free it if it reaches zero. 4297 * 4298 * @param[in] bsign_priv key to free 4299 */ 4300 void 4301 GNUNET_CRYPTO_blind_sign_priv_decref ( 4302 struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); 4303 4304 4305 /** 4306 * Decrement reference counter of a @a ub_sig, and free it if it reaches zero. 4307 * 4308 * @param[in] ub_sig signature to free 4309 */ 4310 void 4311 GNUNET_CRYPTO_unblinded_sig_decref ( 4312 struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); 4313 4314 4315 /** 4316 * Decrement reference counter of a @a blind_sig, and free it if it reaches zero. 4317 * 4318 * @param[in] blind_sig signature to free 4319 */ 4320 void 4321 GNUNET_CRYPTO_blinded_sig_decref ( 4322 struct GNUNET_CRYPTO_BlindedSignature *blind_sig); 4323 4324 4325 /** 4326 * Decrement reference counter of a @a bm, and free it if it reaches zero. 4327 * 4328 * @param[in] bm blinded message to free 4329 */ 4330 void 4331 GNUNET_CRYPTO_blinded_message_decref ( 4332 struct GNUNET_CRYPTO_BlindedMessage *bm); 4333 4334 4335 /** 4336 * Increment reference counter of the given @a bm. 4337 * 4338 * @param[in,out] bm blinded message to increment reference counter for 4339 * @return alias of @a bm with RC incremented 4340 */ 4341 struct GNUNET_CRYPTO_BlindedMessage * 4342 GNUNET_CRYPTO_blinded_message_incref ( 4343 struct GNUNET_CRYPTO_BlindedMessage *bm); 4344 4345 4346 /** 4347 * Increment reference counter of the given @a bi. 4348 * 4349 * @param[in,out] bi blinding input values to increment reference counter for 4350 * @return alias of @a bi with RC incremented 4351 */ 4352 struct GNUNET_CRYPTO_BlindingInputValues * 4353 GNUNET_CRYPTO_blinding_input_values_incref ( 4354 struct GNUNET_CRYPTO_BlindingInputValues *bm); 4355 4356 4357 /** 4358 * Decrement reference counter of the given @a bi, and free it if it reaches 4359 * zero. 4360 * 4361 * @param[in,out] bi blinding input values to decrement reference counter for 4362 */ 4363 void 4364 GNUNET_CRYPTO_blinding_input_values_decref ( 4365 struct GNUNET_CRYPTO_BlindingInputValues *bm); 4366 4367 4368 /** 4369 * Increment reference counter of the given @a bsign_pub. 4370 * 4371 * @param[in,out] bsign_pub public key to increment reference counter for 4372 * @return alias of @a bsign_pub with RC incremented 4373 */ 4374 struct GNUNET_CRYPTO_BlindSignPublicKey * 4375 GNUNET_CRYPTO_bsign_pub_incref ( 4376 struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); 4377 4378 4379 /** 4380 * Increment reference counter of the given @a bsign_priv. 4381 * 4382 * @param[in,out] bsign_priv private key to increment reference counter for 4383 * @return alias of @a bsign_priv with RC incremented 4384 */ 4385 struct GNUNET_CRYPTO_BlindSignPrivateKey * 4386 GNUNET_CRYPTO_bsign_priv_incref ( 4387 struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv); 4388 4389 4390 /** 4391 * Increment reference counter of the given @a ub_sig. 4392 * 4393 * @param[in,out] ub_sig signature to increment reference counter for 4394 * @return alias of @a ub_sig with RC incremented 4395 */ 4396 struct GNUNET_CRYPTO_UnblindedSignature * 4397 GNUNET_CRYPTO_ub_sig_incref (struct GNUNET_CRYPTO_UnblindedSignature *ub_sig); 4398 4399 4400 /** 4401 * Increment reference counter of the given @a blind_sig. 4402 * 4403 * @param[in,out] blind_sig signature to increment reference counter for 4404 * @return alias of @a blind_sig with RC incremented 4405 */ 4406 struct GNUNET_CRYPTO_BlindedSignature * 4407 GNUNET_CRYPTO_blind_sig_incref ( 4408 struct GNUNET_CRYPTO_BlindedSignature *blind_sig); 4409 4410 4411 /** 4412 * Compare two denomination public keys. 4413 * 4414 * @param bp1 first key 4415 * @param bp2 second key 4416 * @return 0 if the keys are equal, otherwise -1 or 1 4417 */ 4418 int 4419 GNUNET_CRYPTO_bsign_pub_cmp ( 4420 const struct GNUNET_CRYPTO_BlindSignPublicKey *bp1, 4421 const struct GNUNET_CRYPTO_BlindSignPublicKey *bp2); 4422 4423 4424 /** 4425 * Compare two denomination signatures. 4426 * 4427 * @param sig1 first signature 4428 * @param sig2 second signature 4429 * @return 0 if the keys are equal, otherwise -1 or 1 4430 */ 4431 int 4432 GNUNET_CRYPTO_ub_sig_cmp (const struct GNUNET_CRYPTO_UnblindedSignature *sig1, 4433 const struct GNUNET_CRYPTO_UnblindedSignature *sig2); 4434 4435 4436 /** 4437 * Compare two blinded denomination signatures. 4438 * 4439 * @param sig1 first signature 4440 * @param sig2 second signature 4441 * @return 0 if the keys are equal, otherwise -1 or 1 4442 */ 4443 int 4444 GNUNET_CRYPTO_blind_sig_cmp ( 4445 const struct GNUNET_CRYPTO_BlindedSignature *sig1, 4446 const struct GNUNET_CRYPTO_BlindedSignature *sig2); 4447 4448 4449 /** 4450 * Compare two blinded messages. 4451 * 4452 * @param bp1 first blinded message 4453 * @param bp2 second blinded message 4454 * @return 0 if the keys are equal, otherwise -1 or 1 4455 */ 4456 int 4457 GNUNET_CRYPTO_blinded_message_cmp ( 4458 const struct GNUNET_CRYPTO_BlindedMessage *bp1, 4459 const struct GNUNET_CRYPTO_BlindedMessage *bp2); 4460 4461 4462 /** 4463 * Initialize public-private key pair for blind signatures. 4464 * 4465 * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" 4466 * argument with the number of bits for 'n' (e.g. 2048) must 4467 * be passed. 4468 * 4469 * @param[out] bsign_priv where to write the private key with RC 1 4470 * @param[out] bsign_pub where to write the public key with RC 1 4471 * @param cipher which type of cipher to use 4472 * @param ... RSA key size (eg. 2048/3072/4096) 4473 * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid 4474 */ 4475 enum GNUNET_GenericReturnValue 4476 GNUNET_CRYPTO_blind_sign_keys_create ( 4477 struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, 4478 struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, 4479 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, 4480 ...); 4481 4482 4483 /** 4484 * Initialize public-private key pair for blind signatures. 4485 * 4486 * For #GNUNET_CRYPTO_BSA_RSA, an additional "unsigned int" 4487 * argument with the number of bits for 'n' (e.g. 2048) must 4488 * be passed. 4489 * 4490 * @param[out] bsign_priv where to write the private key with RC 1 4491 * @param[out] bsign_pub where to write the public key with RC 1 4492 * @param cipher which type of cipher to use 4493 * @param ap RSA key size (eg. 2048/3072/4096) 4494 * @return #GNUNET_OK on success, #GNUNET_NO if parameterst were invalid 4495 */ 4496 enum GNUNET_GenericReturnValue 4497 GNUNET_CRYPTO_blind_sign_keys_create_va ( 4498 struct GNUNET_CRYPTO_BlindSignPrivateKey **bsign_priv, 4499 struct GNUNET_CRYPTO_BlindSignPublicKey **bsign_pub, 4500 enum GNUNET_CRYPTO_BlindSignatureAlgorithm cipher, 4501 va_list ap); 4502 4503 4504 /** 4505 * @brief Type of blinding secrets. Must be exactly 32 bytes (DB). 4506 */ 4507 union GNUNET_CRYPTO_BlindingSecretP 4508 { 4509 /** 4510 * Clause Schnorr nonce. 4511 */ 4512 struct GNUNET_CRYPTO_CsBlindingNonce nonce; 4513 4514 /** 4515 * Variant for RSA for blind signatures. 4516 */ 4517 struct GNUNET_CRYPTO_RsaBlindingKeySecret rsa_bks; 4518 }; 4519 4520 4521 /** 4522 * Blind message for blind signing with @a dk using blinding secret @a coin_bks. 4523 * 4524 * @param bsign_pub public key to blind for 4525 * @param bks blinding secret to use 4526 * @param nonce nonce used to obtain @a alg_values 4527 * can be NULL if input values are not used for the cipher 4528 * @param message message to sign 4529 * @param message_size number of bytes in @a message 4530 * @param alg_values algorithm specific values to blind the @a message 4531 * @return blinded message to give to signer, NULL on error 4532 */ 4533 struct GNUNET_CRYPTO_BlindedMessage * 4534 GNUNET_CRYPTO_message_blind_to_sign ( 4535 const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, 4536 const union GNUNET_CRYPTO_BlindingSecretP *bks, 4537 const union GNUNET_CRYPTO_BlindSessionNonce *nonce, 4538 const void *message, 4539 size_t message_size, 4540 const struct GNUNET_CRYPTO_BlindingInputValues *alg_values); 4541 4542 4543 /** 4544 * Create blind signature. 4545 * 4546 * @param bsign_priv private key to use for signing 4547 * @param salt salt value to use for the HKDF, 4548 * can be NULL if input values are not used for the cipher 4549 * @param blinded_message the already blinded message to sign 4550 * @return blind signature with RC=1, NULL on failure 4551 */ 4552 struct GNUNET_CRYPTO_BlindedSignature * 4553 GNUNET_CRYPTO_blind_sign ( 4554 const struct GNUNET_CRYPTO_BlindSignPrivateKey *bsign_priv, 4555 const char *salt, 4556 const struct GNUNET_CRYPTO_BlindedMessage *blinded_message); 4557 4558 4559 /** 4560 * Unblind blind signature. 4561 * 4562 * @param blinded_sig the blind signature 4563 * @param bks blinding secret to use 4564 * @param message message that was supposedly signed 4565 * @param message_size number of bytes in @a message 4566 * @param alg_values algorithm specific values 4567 * @param bsign_pub public key used for signing 4568 * @return unblinded signature with RC=1, NULL on error 4569 */ 4570 struct GNUNET_CRYPTO_UnblindedSignature * 4571 GNUNET_CRYPTO_blind_sig_unblind ( 4572 const struct GNUNET_CRYPTO_BlindedSignature *blinded_sig, 4573 const union GNUNET_CRYPTO_BlindingSecretP *bks, 4574 const void *message, 4575 size_t message_size, 4576 const struct GNUNET_CRYPTO_BlindingInputValues *alg_values, 4577 const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub); 4578 4579 4580 /** 4581 * Verify signature made blindly. 4582 * 4583 * @param bsign_pub public key 4584 * @param ub_sig signature made blindly with the private key 4585 * @param message message that was supposedly signed 4586 * @param message_size number of bytes in @a message 4587 * @return #GNUNET_OK if the signature is valid 4588 */ 4589 enum GNUNET_GenericReturnValue 4590 GNUNET_CRYPTO_blind_sig_verify ( 4591 const struct GNUNET_CRYPTO_BlindSignPublicKey *bsign_pub, 4592 const struct GNUNET_CRYPTO_UnblindedSignature *ub_sig, 4593 const void *message, 4594 size_t message_size); 4595 4596 4597 /** 4598 * Get the compacted length of a #GNUNET_CRYPTO_PublicKey. 4599 * Compacted means that it returns the minimum number of bytes this 4600 * key is long, as opposed to the union structure inside 4601 * #GNUNET_CRYPTO_PublicKey. 4602 * Useful for compact serializations. 4603 * 4604 * @param key the key. 4605 * @return -1 on error, else the compacted length of the key. 4606 */ 4607 ssize_t 4608 GNUNET_CRYPTO_public_key_get_length (const struct 4609 GNUNET_CRYPTO_PublicKey *key); 4610 4611 /** 4612 * Reads a #GNUNET_CRYPTO_PublicKey from a compact buffer. 4613 * The buffer has to contain at least the compacted length of 4614 * a #GNUNET_CRYPTO_PublicKey in bytes. 4615 * If the buffer is too small, the function returns -1 as error. 4616 * If the buffer does not contain a valid key, it returns -2 as error. 4617 * 4618 * @param buffer the buffer 4619 * @param len the length of buffer 4620 * @param key the key 4621 * @param the amount of bytes read from the buffer 4622 * @return #GNUNET_SYSERR on error 4623 */ 4624 enum GNUNET_GenericReturnValue 4625 GNUNET_CRYPTO_read_public_key_from_buffer ( 4626 const void *buffer, 4627 size_t len, 4628 struct GNUNET_CRYPTO_PublicKey *key, 4629 size_t *read); 4630 4631 /** 4632 * Get the compacted length of a #GNUNET_CRYPTO_PrivateKey. 4633 * Compacted means that it returns the minimum number of bytes this 4634 * key is long, as opposed to the union structure inside 4635 * #GNUNET_CRYPTO_PrivateKey. 4636 * Useful for compact serializations. 4637 * 4638 * @param key the key. 4639 * @return -1 on error, else the compacted length of the key. 4640 */ 4641 ssize_t 4642 GNUNET_CRYPTO_private_key_get_length ( 4643 const struct GNUNET_CRYPTO_PrivateKey *key); 4644 4645 4646 /** 4647 * Writes a #GNUNET_CRYPTO_PublicKey to a compact buffer. 4648 * The buffer requires space for at least the compacted length of 4649 * a #GNUNET_CRYPTO_PublicKey in bytes. 4650 * If the buffer is too small, the function returns -1 as error. 4651 * If the key is not valid, it returns -2 as error. 4652 * 4653 * @param key the key 4654 * @param buffer the buffer 4655 * @param len the length of buffer 4656 * @return -1 or -2 on error, else the amount of bytes written to the buffer 4657 */ 4658 ssize_t 4659 GNUNET_CRYPTO_write_public_key_to_buffer (const struct 4660 GNUNET_CRYPTO_PublicKey *key, 4661 void*buffer, 4662 size_t len); 4663 4664 4665 /** 4666 * Reads a #GNUNET_CRYPTO_PrivateKey from a compact buffer. 4667 * The buffer has to contain at least the compacted length of 4668 * a #GNUNET_CRYPTO_PrivateKey in bytes. 4669 * If the buffer is too small, the function returns GNUNET_SYSERR as error. 4670 * 4671 * @param buffer the buffer 4672 * @param len the length of buffer 4673 * @param key the key 4674 * @param the amount of bytes read from the buffer 4675 * @return #GNUNET_SYSERR on error 4676 */ 4677 enum GNUNET_GenericReturnValue 4678 GNUNET_CRYPTO_read_private_key_from_buffer ( 4679 const void*buffer, 4680 size_t len, 4681 struct GNUNET_CRYPTO_PrivateKey *key, 4682 size_t *read); 4683 4684 4685 /** 4686 * Writes a #GNUNET_CRYPTO_PrivateKey to a compact buffer. 4687 * The buffer requires space for at least the compacted length of 4688 * a #GNUNET_CRYPTO_PrivateKey in bytes. 4689 * If the buffer is too small, the function returns -1 as error. 4690 * If the key is not valid, it returns -2 as error. 4691 * 4692 * @param key the key 4693 * @param buffer the buffer 4694 * @param len the length of buffer 4695 * @return -1 or -2 on error, else the amount of bytes written to the buffer 4696 */ 4697 ssize_t 4698 GNUNET_CRYPTO_write_private_key_to_buffer ( 4699 const struct GNUNET_CRYPTO_PrivateKey *key, 4700 void*buffer, 4701 size_t len); 4702 4703 4704 /** 4705 * Get the compacted length of a #GNUNET_CRYPTO_Signature. 4706 * Compacted means that it returns the minimum number of bytes this 4707 * signature is long, as opposed to the union structure inside 4708 * #GNUNET_CRYPTO_Signature. 4709 * Useful for compact serializations. 4710 * 4711 * @param sig the signature. 4712 * @return -1 on error, else the compacted length of the signature. 4713 */ 4714 ssize_t 4715 GNUNET_CRYPTO_signature_get_length ( 4716 const struct GNUNET_CRYPTO_Signature *sig); 4717 4718 4719 /** 4720 * Get the compacted length of a signature by type. 4721 * Compacted means that it returns the minimum number of bytes this 4722 * signature is long, as opposed to the union structure inside 4723 * #GNUNET_CRYPTO_Signature. 4724 * Useful for compact serializations. 4725 * 4726 * @param sig the signature. 4727 * @return -1 on error, else the compacted length of the signature. 4728 */ 4729 ssize_t 4730 GNUNET_CRYPTO_signature_get_raw_length_by_type (uint32_t type); 4731 4732 4733 /** 4734 * Reads a #GNUNET_CRYPTO_Signature from a compact buffer. 4735 * The buffer has to contain at least the compacted length of 4736 * a #GNUNET_CRYPTO_Signature in bytes. 4737 * If the buffer is too small, the function returns -1 as error. 4738 * If the buffer does not contain a valid key, it returns -2 as error. 4739 * 4740 * @param sig the signature 4741 * @param buffer the buffer 4742 * @param len the length of buffer 4743 * @return -1 or -2 on error, else the amount of bytes read from the buffer 4744 */ 4745 ssize_t 4746 GNUNET_CRYPTO_read_signature_from_buffer ( 4747 struct GNUNET_CRYPTO_Signature *sig, 4748 const void*buffer, 4749 size_t len); 4750 4751 4752 /** 4753 * Writes a #GNUNET_CRYPTO_Signature to a compact buffer. 4754 * The buffer requires space for at least the compacted length of 4755 * a #GNUNET_CRYPTO_Signature in bytes. 4756 * If the buffer is too small, the function returns -1 as error. 4757 * If the key is not valid, it returns -2 as error. 4758 * 4759 * @param sig the signature 4760 * @param buffer the buffer 4761 * @param len the length of buffer 4762 * @return -1 or -2 on error, else the amount of bytes written to the buffer 4763 */ 4764 ssize_t 4765 GNUNET_CRYPTO_write_signature_to_buffer ( 4766 const struct GNUNET_CRYPTO_Signature *sig, 4767 void*buffer, 4768 size_t len); 4769 4770 4771 /** 4772 * @brief Sign a given block. 4773 * 4774 * The @a purpose data is the beginning of the data of which the signature is 4775 * to be created. The `size` field in @a purpose must correctly indicate the 4776 * number of bytes of the data structure, including its header. If possible, 4777 * use #GNUNET_CRYPTO_sign() instead of this function. 4778 * 4779 * @param priv private key to use for the signing 4780 * @param purpose what to sign (size, purpose) 4781 * @param[out] sig where to write the signature 4782 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 4783 */ 4784 enum GNUNET_GenericReturnValue 4785 GNUNET_CRYPTO_sign_ ( 4786 const struct GNUNET_CRYPTO_PrivateKey *priv, 4787 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 4788 struct GNUNET_CRYPTO_Signature *sig); 4789 4790 /** 4791 * @brief Sign a given block. 4792 * 4793 * The @a purpose data is the beginning of the data of which the signature is 4794 * to be created. The `size` field in @a purpose must correctly indicate the 4795 * number of bytes of the data structure, including its header. 4796 * The signature payload and length depends on the key type. 4797 * 4798 * @param priv private key to use for the signing 4799 * @param purpose what to sign (size, purpose) 4800 * @param[out] sig where to write the signature 4801 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success 4802 */ 4803 enum GNUNET_GenericReturnValue 4804 GNUNET_CRYPTO_sign_raw_ ( 4805 const struct GNUNET_CRYPTO_PrivateKey *priv, 4806 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, 4807 unsigned char *sig); 4808 4809 4810 /** 4811 * @brief Sign a given block with #GNUNET_CRYPTO_PrivateKey. 4812 * 4813 * The @a ps data must be a fixed-size struct for which the signature is to be 4814 * created. The `size` field in @a ps->purpose must correctly indicate the 4815 * number of bytes of the data structure, including its header. 4816 * 4817 * @param priv private key to use for the signing 4818 * @param ps packed struct with what to sign, MUST begin with a purpose 4819 * @param[out] sig where to write the signature 4820 */ 4821 #define GNUNET_CRYPTO_sign(priv,ps,sig) do { \ 4822 /* check size is set correctly */ \ 4823 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 4824 /* check 'ps' begins with the purpose */ \ 4825 GNUNET_static_assert (((void*) (ps)) == \ 4826 ((void*) &(ps)->purpose)); \ 4827 GNUNET_assert (GNUNET_OK == \ 4828 GNUNET_CRYPTO_sign_ (priv, \ 4829 &(ps)->purpose, \ 4830 sig)); \ 4831 } while (0) 4832 4833 4834 /** 4835 * @brief Verify a given signature. 4836 * 4837 * The @a validate data is the beginning of the data of which the signature 4838 * is to be verified. The `size` field in @a validate must correctly indicate 4839 * the number of bytes of the data structure, including its header. If @a 4840 * purpose does not match the purpose given in @a validate (the latter must be 4841 * in big endian), signature verification fails. If possible, 4842 * use #GNUNET_CRYPTO_signature_verify() instead of this function (only if @a validate 4843 * is not fixed-size, you must use this function directly). 4844 * 4845 * @param purpose what is the purpose that the signature should have? 4846 * @param validate block to validate (size, purpose, data) 4847 * @param sig signature that is being validated 4848 * @param pub public key of the signer 4849 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 4850 */ 4851 enum GNUNET_GenericReturnValue 4852 GNUNET_CRYPTO_signature_verify_ ( 4853 uint32_t purpose, 4854 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, 4855 const struct GNUNET_CRYPTO_Signature *sig, 4856 const struct GNUNET_CRYPTO_PublicKey *pub); 4857 4858 /** 4859 * @brief Verify a given signature. 4860 * 4861 * The @a validate data is the beginning of the data of which the signature 4862 * is to be verified. The `size` field in @a validate must correctly indicate 4863 * the number of bytes of the data structure, including its header. If @a 4864 * purpose does not match the purpose given in @a validate (the latter must be 4865 * in big endian), signature verification fails. 4866 * 4867 * @param purpose what is the purpose that the signature should have? 4868 * @param validate block to validate (size, purpose, data) 4869 * @param sig signature that is being validated 4870 * @param pub public key of the signer 4871 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid 4872 */ 4873 enum GNUNET_GenericReturnValue 4874 GNUNET_CRYPTO_signature_verify_raw_ ( 4875 uint32_t purpose, 4876 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, 4877 const unsigned char *sig, 4878 const struct GNUNET_CRYPTO_PublicKey *pub); 4879 4880 4881 /** 4882 * @brief Verify a given signature with #GNUNET_CRYPTO_PublicKey. 4883 * 4884 * The @a ps data must be a fixed-size struct for which the signature is to be 4885 * created. The `size` field in @a ps->purpose must correctly indicate the 4886 * number of bytes of the data structure, including its header. 4887 * 4888 * @param purp purpose of the signature, must match 'ps->purpose.purpose' 4889 * (except in host byte order) 4890 * @param ps packed struct with what to sign, MUST begin with a purpose 4891 * @param sig where to read the signature from 4892 * @param pub public key to use for the verifying 4893 */ 4894 #define GNUNET_CRYPTO_signature_verify(purp,ps,sig,pub) ({ \ 4895 /* check size is set correctly */ \ 4896 GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \ 4897 /* check 'ps' begins with the purpose */ \ 4898 GNUNET_static_assert (((void*) (ps)) == \ 4899 ((void*) &(ps)->purpose)); \ 4900 GNUNET_CRYPTO_signature_verify_ (purp, \ 4901 &(ps)->purpose, \ 4902 sig, \ 4903 pub); \ 4904 }) 4905 4906 4907 /** 4908 * Creates a (Base32) string representation of the public key. 4909 * The resulting string encodes a compacted representation of the key. 4910 * See also #GNUNET_CRYPTO_key_get_length. 4911 * 4912 * @param key the key. 4913 * @return the string representation of the key, or NULL on error. 4914 */ 4915 char * 4916 GNUNET_CRYPTO_public_key_to_string ( 4917 const struct GNUNET_CRYPTO_PublicKey *key); 4918 4919 4920 /** 4921 * Creates a (Base32) string representation of the private key. 4922 * The resulting string encodes a compacted representation of the key. 4923 * See also #GNUNET_CRYPTO_key_get_length. 4924 * 4925 * @param key the key. 4926 * @return the string representation of the key, or NULL on error. 4927 */ 4928 char * 4929 GNUNET_CRYPTO_private_key_to_string ( 4930 const struct GNUNET_CRYPTO_PrivateKey *key); 4931 4932 4933 /** 4934 * Parses a (Base32) string representation of the public key. 4935 * See also #GNUNET_CRYPTO_public_key_to_string. 4936 * 4937 * @param str the encoded key. 4938 * @param key where to write the key. 4939 * @return GNUNET_SYSERR on error. 4940 */ 4941 enum GNUNET_GenericReturnValue 4942 GNUNET_CRYPTO_public_key_from_string (const char*str, 4943 struct GNUNET_CRYPTO_PublicKey *key); 4944 4945 4946 /** 4947 * Parses a (Base32) string representation of the private key. 4948 * See also #GNUNET_CRYPTO_private_key_to_string. 4949 * 4950 * @param str the encoded key. 4951 * @param key where to write the key. 4952 * @return GNUNET_SYSERR on error. 4953 */ 4954 enum GNUNET_GenericReturnValue 4955 GNUNET_CRYPTO_private_key_from_string (const char*str, 4956 struct GNUNET_CRYPTO_PrivateKey *key); 4957 4958 4959 /** 4960 * Retrieves the public key representation of a private key. 4961 * 4962 * @param privkey the private key. 4963 * @param key the public key result. 4964 * @return GNUNET_SYSERR on error. 4965 */ 4966 enum GNUNET_GenericReturnValue 4967 GNUNET_CRYPTO_key_get_public (const struct 4968 GNUNET_CRYPTO_PrivateKey *privkey, 4969 struct GNUNET_CRYPTO_PublicKey *key); 4970 4971 #if 0 /* keep Emacsens' auto-indent happy */ 4972 { 4973 #endif 4974 #ifdef __cplusplus 4975 } 4976 #endif 4977 4978 4979 /* ifndef GNUNET_CRYPTO_LIB_H */ 4980 #endif 4981 4982 /** @} */ /* end of group addition */ 4983 4984 /* end of gnunet_crypto_lib.h */