GNUnet 0.25.2-11-g84e94e98c
 
Loading...
Searching...
No Matches
Functions | Variables
crypto_hpke.c File Reference

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs) More...

#include "platform.h"
#include "gnunet_common.h"
#include <sodium.h>
#include <stdint.h>
#include "gnunet_util_lib.h"
#include "sodium/crypto_scalarmult.h"
#include "sodium/crypto_scalarmult_curve25519.h"
#include "sodium/utils.h"
Include dependency graph for crypto_hpke.c:

Go to the source code of this file.

Functions

static enum GNUNET_GenericReturnValue labeled_extract (const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue labeled_expand (const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
 
static enum GNUNET_GenericReturnValue kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_HpkePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a X25519 public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a EdDSA public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private EdDSA key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh decapsulation with own private key and the representative of the received public key.
 
static enum GNUNET_GenericReturnValue verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
 
static enum GNUNET_GenericReturnValue key_schedule (enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_CRYPTO_HpkePrivateKey *skS, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup (const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
static enum GNUNET_GenericReturnValue increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
 
static void compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_BlindablePublicKey *pk, struct GNUNET_CRYPTO_HpkePublicKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_BlindablePrivateKey *sk, struct GNUNET_CRYPTO_HpkePrivateKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 

Variables

static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID []
 
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID []
 

Detailed Description

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs)

Author
Martin Schanzenbach

Definition in file crypto_hpke.c.

Function Documentation

◆ labeled_extract()

static enum GNUNET_GenericReturnValue labeled_extract ( const char *  ctx_str,
const void *  salt,
size_t  salt_len,
const void *  label,
size_t  label_len,
const void *  ikm,
size_t  ikm_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode prk 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
saltthe extract salt
salt_lensalt length in bytes
labelthe label to label with
label_lenlabel length in bytes
ikminitial keying material
ikm_lenikm length in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
prkthe resulting extracted PRK
Returns
GNUNET_OK on success

Definition at line 51 of file crypto_hpke.c.

57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
72 return GNUNET_CRYPTO_hkdf_extract (prk,
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition gnunet-scrypt.c:34
ikm
static unsigned char ikm[256/8]
The initial key material for the peer.
Definition gnunet-service-pils.c:78
GNUNET_CRYPTO_hkdf_extract
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition crypto_hkdf.c:224

References GNUNET_CRYPTO_hkdf_extract(), ikm, and salt.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ labeled_expand()

static enum GNUNET_GenericReturnValue labeled_expand ( const char *  ctx_str,
const struct GNUNET_ShortHashCode prk,
const char *  label,
size_t  label_len,
const void *  info,
size_t  info_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
void *  out_buf,
uint16_t  out_len 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
prkthe extracted PRK
labelthe label to label with
label_lenlabel length in bytes
infocontext info
info_leninfo in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
out_bufoutput buffer, must be allocated
out_lenout_buf length in bytes
Returns
GNUNET_OK on success

Definition at line 94 of file crypto_hpke.c.

101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
119 labeled_info, sizeof labeled_info, NULL);
120}
info
#define info
GNUNET_CRYPTO_hkdf_expand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition crypto_hkdf.c:156

References GNUNET_CRYPTO_hkdf_expand(), and info.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_labeled_extract_and_expand()

static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand ( const void *  dh,
size_t  dh_len,
const char *  extract_ctx,
const char *  expand_ctx,
const void *  extract_lbl,
size_t  extract_lbl_len,
const void *  expand_lbl,
size_t  expand_lbl_len,
const uint8_t *  kem_context,
size_t  kem_context_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 124 of file crypto_hpke.c.

138{
139 struct GNUNET_ShortHashCode prk;
140 // eae_prk = LabeledExtract("", "eae_prk", dh)
141 labeled_extract (extract_ctx,
142 NULL, 0,
143 extract_lbl, extract_lbl_len,
144 dh, dh_len,
145 suite_id, suite_id_len,
146 &prk);
147 return labeled_expand (expand_ctx,
148 &prk,
149 expand_lbl, expand_lbl_len,
150 kem_context, kem_context_len,
151 suite_id, suite_id_len,
152 shared_secret, sizeof *shared_secret);
153}
labeled_extract
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:51
labeled_expand
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:94
GNUNET_ShortHashCode
A 256-bit hashcode.
Definition gnunet_common.h:297

References labeled_expand(), and labeled_extract().

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), GNUNET_CRYPTO_hpke_kem_decaps(), and kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ kem_encaps_norand()

static enum GNUNET_GenericReturnValue kem_encaps_norand ( uint8_t *  suite_id,
size_t  suite_id_len,
const struct GNUNET_CRYPTO_HpkePublicKey pkR,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_HpkePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 167 of file crypto_hpke.c.

172{
173 struct GNUNET_CRYPTO_HpkePublicKey dh;
174 uint8_t kem_context[sizeof *c + sizeof pkR->ecdhe_key];
175
176 // dh = DH(skE, pkR)
177 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (
178 &skE->ecdhe_key,
179 &pkR->ecdhe_key,
180 &dh.ecdhe_key))
181 {
182 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
183 "HPKE KEM encaps: Validation error\n");
184 return GNUNET_SYSERR; // ValidationError
185 }
186 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
187 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
188 // kem_context = concat(enc, pkRm)
189 memcpy (kem_context, c, sizeof *c);
190 memcpy (kem_context + sizeof *c,
191 &pkR->ecdhe_key,
192 sizeof pkR->ecdhe_key);
193 // shared_secret = ExtractAndExpand(dh, kem_context)
194 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
195 &dh.ecdhe_key, sizeof dh.ecdhe_key,
196 "HPKE-v1",
197 "HPKE-v1",
198 "eae_prk", strlen ("eae_prk"),
199 "shared_secret", strlen ("shared_secret"),
200 kem_context, sizeof kem_context,
201 suite_id, suite_id_len,
202 shared_secret);
203}
GNUNET_CRYPTO_hpke_labeled_extract_and_expand
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition crypto_hpke.c:124
GNUNET_CRYPTO_ecdh_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition crypto_ecc.c:783
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
GNUNET_CRYPTO_HpkePrivateKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePrivateKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:466
GNUNET_CRYPTO_HpkePublicKey
A public key used for encryption.
Definition gnunet_crypto_lib.h:477
GNUNET_CRYPTO_HpkePublicKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePublicKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:489

References GNUNET_CRYPTO_HpkePrivateKey::ecdhe_key, GNUNET_CRYPTO_HpkePublicKey::ecdhe_key, GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ verify_psk_inputs()

static enum GNUNET_GenericReturnValue verify_psk_inputs ( enum GNUNET_CRYPTO_HpkeMode  mode,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len 
)
static

Definition at line 408 of file crypto_hpke.c.

411{
412 bool got_psk;
413 bool got_psk_id;
414
415 got_psk = (0 != psk_len);
416 got_psk_id = (0 != psk_id_len);
417
418 if (got_psk != got_psk_id)
419 {
420 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
421 "Inconsistent PSK inputs\n");
422 return GNUNET_SYSERR;
423 }
424
425 if (got_psk &&
426 ((GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
427 (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode)))
428 {
429 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
430 "PSK input provided when not needed\n");
431 return GNUNET_SYSERR;
432 }
433 if (! got_psk &&
434 ((GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
435 (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode)))
436 {
437 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
438 "Missing required PSK input\n");
439 return GNUNET_SYSERR;
440 }
441 return GNUNET_OK;
442}
mode
static enum @49 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_PSK
Definition gnunet_crypto_lib.h:2164
GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
Definition gnunet_crypto_lib.h:2166
GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_BASE
Definition gnunet_crypto_lib.h:2163
GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
Definition gnunet_crypto_lib.h:2165

References GNUNET_CRYPTO_HPKE_MODE_AUTH, GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK, GNUNET_CRYPTO_HPKE_MODE_BASE, GNUNET_CRYPTO_HPKE_MODE_PSK, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, and mode.

Referenced by key_schedule().

Here is the caller graph for this function:

◆ key_schedule()

static enum GNUNET_GenericReturnValue key_schedule ( enum GNUNET_CRYPTO_HpkeRole  role,
enum GNUNET_CRYPTO_HpkeMode  mode,
const struct GNUNET_ShortHashCode shared_secret,
const uint8_t *  info,
size_t  info_len,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len,
struct GNUNET_CRYPTO_HpkeContext ctx 
)
static

Definition at line 446 of file crypto_hpke.c.

453{
454 struct GNUNET_ShortHashCode psk_id_hash;
455 struct GNUNET_ShortHashCode info_hash;
456 struct GNUNET_ShortHashCode secret;
457 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
458 uint8_t suite_id[4 + 3 * 2];
459 uint16_t kem_id = htons (32); // FIXME hardcode as constant
460 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
461 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
462
463 // DHKEM(X25519, HKDF-256): kem_id = 32
464 // concat("KEM", I2OSP(kem_id, 2))
465 memcpy (suite_id, "HPKE", 4);
466 memcpy (suite_id + 4, &kem_id, 2);
467 memcpy (suite_id + 6, &kdf_id, 2);
468 memcpy (suite_id + 8, &aead_id, 2);
469
470 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
471 return GNUNET_SYSERR;
472
473 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
474 "psk_id_hash", strlen ("psk_id_hash"),
475 psk_id, psk_id_len,
476 suite_id, sizeof suite_id, &psk_id_hash))
477 return GNUNET_SYSERR;
478 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
479 "info_hash", strlen ("info_hash"),
480 info, info_len,
481 suite_id, sizeof suite_id, &info_hash))
482 return GNUNET_SYSERR;
483 memcpy (key_schedule_context, &mode, 1);
484 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
485 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
486 &info_hash, sizeof info_hash);
487 if (GNUNET_OK != labeled_extract ("HPKE-v1",
488 shared_secret, sizeof *shared_secret,
489 "secret", strlen ("secret"),
490 psk, psk_len,
491 suite_id, sizeof suite_id, &secret))
492 return GNUNET_SYSERR;
493 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
494 // Note: Nk == sizeof ctx->key
495 if (GNUNET_OK != labeled_expand ("HPKE-v1",
496 &secret,
497 "key", strlen ("key"),
498 &key_schedule_context,
499 sizeof key_schedule_context,
500 suite_id, sizeof suite_id,
501 ctx->key, sizeof ctx->key))
502 return GNUNET_SYSERR;
503 // base_nonce = LabeledExpand(secret, "base_nonce",
504 // key_schedule_context, Nn)
505 if (GNUNET_OK != labeled_expand ("HPKE-v1",
506 &secret,
507 "base_nonce", strlen ("base_nonce"),
508 &key_schedule_context,
509 sizeof key_schedule_context,
510 suite_id, sizeof suite_id,
511 ctx->base_nonce, sizeof ctx->base_nonce))
512 return GNUNET_SYSERR;
513 // exporter_secret = LabeledExpand(secret, "exp",
514 // key_schedule_context, Nh)
515 if (GNUNET_OK != labeled_expand ("HPKE-v1",
516 &secret,
517 "exp", strlen ("exp"),
518 &key_schedule_context,
519 sizeof key_schedule_context,
520 suite_id, sizeof suite_id,
521 &ctx->exporter_secret,
522 sizeof ctx->exporter_secret))
523 return GNUNET_SYSERR;
524 ctx->seq = 0;
525 ctx->role = role;
526 return GNUNET_OK;
527}
verify_psk_inputs
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition crypto_hpke.c:408
ctx
static struct GNUNET_FS_Handle * ctx
Definition gnunet-download.c:40

References ctx, GNUNET_OK, GNUNET_SYSERR, info, labeled_expand(), labeled_extract(), mode, and verify_psk_inputs().

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2(), and GNUNET_CRYPTO_hpke_sender_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ increment_seq()

static enum GNUNET_GenericReturnValue increment_seq ( struct GNUNET_CRYPTO_HpkeContext ctx)
static

Definition at line 677 of file crypto_hpke.c.

678{
679 if (ctx->seq >= UINT64_MAX)
680 {
681 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
682 return GNUNET_SYSERR;
683 }
684 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
685 return GNUNET_OK;
686}
GNUNET_ntohll
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition common_endian.c:54
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition common_endian.c:37

References ctx, GNUNET_ERROR_TYPE_ERROR, GNUNET_htonll(), GNUNET_log, GNUNET_ntohll(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_nonce()

static void compute_nonce ( struct GNUNET_CRYPTO_HpkeContext ctx,
uint8_t *  nonce 
)
static

Definition at line 690 of file crypto_hpke.c.

692{
693 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
694 int j = 0;
695 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
696 {
697 // FIXME correct byte order?
698 if (i < offset)
699 memset (&nonce[i], ctx->base_nonce[i], 1);
700 else
701 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
702 }
703}
GNUNET_CRYPTO_HPKE_NONCE_LEN
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
Definition gnunet_crypto_lib.h:2173

References ctx, and GNUNET_CRYPTO_HPKE_NONCE_LEN.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the caller graph for this function:

Variable Documentation

◆ GNUNET_CRYPTO_HPKE_KEM_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x20 }

Definition at line 158 of file crypto_hpke.c.

158 { 'K', 'E', 'M',
159 0x00, 0x20 };

Referenced by GNUNET_CRYPTO_hpke_kem_decaps(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().

◆ GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x22 }

Definition at line 163 of file crypto_hpke.c.

163 { 'K', 'E', 'M',
164 0x00, 0x22 };

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), and GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand().