GNUnet 0.26.2-45-gb0324da85
 
Loading...
Searching...
No Matches
Functions | Variables
crypto_hpke.c File Reference

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs) More...

#include "platform.h"
#include "gnunet_common.h"
#include <sodium.h>
#include <stdint.h>
#include "gnunet_util_lib.h"
#include "sodium/crypto_scalarmult.h"
#include "sodium/crypto_scalarmult_curve25519.h"
#include "sodium/utils.h"
Include dependency graph for crypto_hpke.c:

Go to the source code of this file.

Functions

static enum GNUNET_GenericReturnValue labeled_extract (const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue labeled_expand (const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
 
static enum GNUNET_GenericReturnValue kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_HpkePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a X25519 public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a EdDSA public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private EdDSA key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh decapsulation with own private key and the representative of the received public key.
 
static enum GNUNET_GenericReturnValue verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
 
static enum GNUNET_GenericReturnValue key_schedule (enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_CRYPTO_HpkePrivateKey *skS, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup (const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
static enum GNUNET_GenericReturnValue increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
 
static void compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot (const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_BlindablePublicKey *pk, struct GNUNET_CRYPTO_HpkePublicKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_BlindablePrivateKey *sk, struct GNUNET_CRYPTO_HpkePrivateKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 
ssize_t GNUNET_CRYPTO_hpke_pk_get_length (const struct GNUNET_CRYPTO_HpkePublicKey *key)
 Get the compacted length of a GNUNET_CRYPTO_HpkePublicKey.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_read_hpke_pk_from_buffer (const void *buffer, size_t len, struct GNUNET_CRYPTO_HpkePublicKey *key, size_t *read)
 Reads a GNUNET_CRYPTO_HpkePublicKey from a compact buffer.
 
ssize_t GNUNET_CRYPTO_write_hpke_pk_to_buffer (const struct GNUNET_CRYPTO_HpkePublicKey *key, void *buffer, size_t len)
 Writes a GNUNET_CRYPTO_HpkePublicKey to a compact buffer.
 
void GNUNET_CRYPTO_hpke_sk_clear (struct GNUNET_CRYPTO_HpkePrivateKey *key)
 Clear memory that was used to store a GNUNET_CRYPTO_HpkePrivateKey.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_create2 (enum GNUNET_CRYPTO_HpkeKeyType type, const char *ikm, size_t ikm_len, struct GNUNET_CRYPTO_HpkePrivateKey *sk)
 Create a new GNUNET_CRYPTO_HpkePrivateKey of specific type.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_create (enum GNUNET_CRYPTO_HpkeKeyType type, struct GNUNET_CRYPTO_HpkePrivateKey *pk)
 Create a new GNUNET_CRYPTO_HpkePrivateKey of specific type.
 
ssize_t GNUNET_CRYPTO_hpke_sk_get_length (const struct GNUNET_CRYPTO_HpkePrivateKey *key)
 Get the compacted length of a GNUNET_CRYPTO_HpkePrivateKey.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_read_hpke_sk_from_buffer (const void *buffer, size_t len, struct GNUNET_CRYPTO_HpkePrivateKey *key, size_t *read)
 Reads a GNUNET_CRYPTO_HpkePrivateKey from a compact buffer.
 
ssize_t GNUNET_CRYPTO_write_hpke_sk_to_buffer (const struct GNUNET_CRYPTO_HpkePrivateKey *key, void *buffer, size_t len)
 Writes a GNUNET_CRYPTO_HpkePrivateKey to a compact buffer.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_get_public (const struct GNUNET_CRYPTO_HpkePrivateKey *privkey, struct GNUNET_CRYPTO_HpkePublicKey *key)
 Retrieves the GNUNET_CRYPTO_HpkePublicKey representation of a GNUNET_CRYPTO_HpkePrivateKey.
 

Variables

static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID []
 
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID []
 

Detailed Description

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs)

Author
Martin Schanzenbach

Definition in file crypto_hpke.c.

Function Documentation

◆ labeled_extract()

static enum GNUNET_GenericReturnValue labeled_extract ( const char *  ctx_str,
const void *  salt,
size_t  salt_len,
const void *  label,
size_t  label_len,
const void *  ikm,
size_t  ikm_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode prk 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
saltthe extract salt
salt_lensalt length in bytes
labelthe label to label with
label_lenlabel length in bytes
ikminitial keying material
ikm_lenikm length in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
prkthe resulting extracted PRK
Returns
GNUNET_OK on success

Definition at line 51 of file crypto_hpke.c.

57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
72 return GNUNET_CRYPTO_hkdf_extract (prk,
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition gnunet-scrypt.c:34
ikm
static unsigned char ikm[256/8]
The initial key material for the peer.
Definition gnunet-service-pils.c:78
GNUNET_CRYPTO_hkdf_extract
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition crypto_hkdf.c:182

References GNUNET_CRYPTO_hkdf_extract(), ikm, and salt.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_CRYPTO_hpke_sk_create2(), and key_schedule().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ labeled_expand()

static enum GNUNET_GenericReturnValue labeled_expand ( const char *  ctx_str,
const struct GNUNET_ShortHashCode prk,
const char *  label,
size_t  label_len,
const void *  info,
size_t  info_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
void *  out_buf,
uint16_t  out_len 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
prkthe extracted PRK
labelthe label to label with
label_lenlabel length in bytes
infocontext info
info_leninfo in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
out_bufoutput buffer, must be allocated
out_lenout_buf length in bytes
Returns
GNUNET_OK on success

Definition at line 94 of file crypto_hpke.c.

101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (
119 out_buf,
120 out_len,
121 prk,
122 GNUNET_CRYPTO_kdf_arg (labeled_info,
123 sizeof labeled_info));
124}
info
#define info
GNUNET_CRYPTO_hkdf_expand
#define GNUNET_CRYPTO_hkdf_expand(result, out_len, prk,...)
HKDF-Expand using SHA256.
Definition gnunet_crypto_lib.h:1490
GNUNET_CRYPTO_kdf_arg
#define GNUNET_CRYPTO_kdf_arg(d, s)
Definition gnunet_crypto_lib.h:1376

References GNUNET_CRYPTO_hkdf_expand, GNUNET_CRYPTO_kdf_arg, and info.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_CRYPTO_hpke_sk_create2(), and key_schedule().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_labeled_extract_and_expand()

static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand ( const void *  dh,
size_t  dh_len,
const char *  extract_ctx,
const char *  expand_ctx,
const void *  extract_lbl,
size_t  extract_lbl_len,
const void *  expand_lbl,
size_t  expand_lbl_len,
const uint8_t *  kem_context,
size_t  kem_context_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 128 of file crypto_hpke.c.

142{
143 struct GNUNET_ShortHashCode prk;
144 // eae_prk = LabeledExtract("", "eae_prk", dh)
145 labeled_extract (extract_ctx,
146 NULL, 0,
147 extract_lbl, extract_lbl_len,
148 dh, dh_len,
149 suite_id, suite_id_len,
150 &prk);
151 return labeled_expand (expand_ctx,
152 &prk,
153 expand_lbl, expand_lbl_len,
154 kem_context, kem_context_len,
155 suite_id, suite_id_len,
156 shared_secret, sizeof *shared_secret);
157}
labeled_extract
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:51
labeled_expand
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:94
GNUNET_ShortHashCode
A 256-bit hashcode.
Definition gnunet_common.h:297

References labeled_expand(), and labeled_extract().

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), GNUNET_CRYPTO_hpke_kem_decaps(), and kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ kem_encaps_norand()

static enum GNUNET_GenericReturnValue kem_encaps_norand ( uint8_t *  suite_id,
size_t  suite_id_len,
const struct GNUNET_CRYPTO_HpkePublicKey pkR,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_HpkePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 171 of file crypto_hpke.c.

176{
177 struct GNUNET_CRYPTO_HpkePublicKey dh;
178 uint8_t kem_context[sizeof *c + sizeof pkR->ecdhe_key];
179
180 // dh = DH(skE, pkR)
181 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (
182 &skE->ecdhe_key,
183 &pkR->ecdhe_key,
184 &dh.ecdhe_key))
185 {
186 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
187 "HPKE KEM encaps: Validation error\n");
188 return GNUNET_SYSERR; // ValidationError
189 }
190 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
191 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
192 // kem_context = concat(enc, pkRm)
193 memcpy (kem_context, c, sizeof *c);
194 memcpy (kem_context + sizeof *c,
195 &pkR->ecdhe_key,
196 sizeof pkR->ecdhe_key);
197 // shared_secret = ExtractAndExpand(dh, kem_context)
198 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
199 &dh.ecdhe_key, sizeof dh.ecdhe_key,
200 "HPKE-v1",
201 "HPKE-v1",
202 "eae_prk", strlen ("eae_prk"),
203 "shared_secret", strlen ("shared_secret"),
204 kem_context, sizeof kem_context,
205 suite_id, suite_id_len,
206 shared_secret);
207}
GNUNET_CRYPTO_hpke_labeled_extract_and_expand
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition crypto_hpke.c:128
GNUNET_CRYPTO_ecdh_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition crypto_ecc.c:783
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
GNUNET_CRYPTO_HpkePrivateKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePrivateKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:477
GNUNET_CRYPTO_HpkePublicKey
A public key used for encryption.
Definition gnunet_crypto_lib.h:488
GNUNET_CRYPTO_HpkePublicKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePublicKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:500

References GNUNET_CRYPTO_HpkePrivateKey::ecdhe_key, GNUNET_CRYPTO_HpkePublicKey::ecdhe_key, GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ verify_psk_inputs()

static enum GNUNET_GenericReturnValue verify_psk_inputs ( enum GNUNET_CRYPTO_HpkeMode  mode,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len 
)
static

Definition at line 412 of file crypto_hpke.c.

415{
416 bool got_psk;
417 bool got_psk_id;
418
419 got_psk = (0 != psk_len);
420 got_psk_id = (0 != psk_id_len);
421
422 if (got_psk != got_psk_id)
423 {
424 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
425 "Inconsistent PSK inputs\n");
426 return GNUNET_SYSERR;
427 }
428
429 if (got_psk &&
430 ((GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
431 (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode)))
432 {
433 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
434 "PSK input provided when not needed\n");
435 return GNUNET_SYSERR;
436 }
437 if (! got_psk &&
438 ((GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
439 (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode)))
440 {
441 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
442 "Missing required PSK input\n");
443 return GNUNET_SYSERR;
444 }
445 return GNUNET_OK;
446}
mode
static enum @52 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_PSK
Definition gnunet_crypto_lib.h:2152
GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
Definition gnunet_crypto_lib.h:2154
GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_BASE
Definition gnunet_crypto_lib.h:2151
GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
Definition gnunet_crypto_lib.h:2153

References GNUNET_CRYPTO_HPKE_MODE_AUTH, GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK, GNUNET_CRYPTO_HPKE_MODE_BASE, GNUNET_CRYPTO_HPKE_MODE_PSK, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, and mode.

Referenced by key_schedule().

Here is the caller graph for this function:

◆ key_schedule()

static enum GNUNET_GenericReturnValue key_schedule ( enum GNUNET_CRYPTO_HpkeRole  role,
enum GNUNET_CRYPTO_HpkeMode  mode,
const struct GNUNET_ShortHashCode shared_secret,
const uint8_t *  info,
size_t  info_len,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len,
struct GNUNET_CRYPTO_HpkeContext ctx 
)
static

Definition at line 450 of file crypto_hpke.c.

457{
458 struct GNUNET_ShortHashCode psk_id_hash;
459 struct GNUNET_ShortHashCode info_hash;
460 struct GNUNET_ShortHashCode secret;
461 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
462 uint8_t suite_id[4 + 3 * 2];
463 uint16_t kem_id = htons (32); // FIXME hardcode as constant
464 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
465 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
466
467 // DHKEM(X25519, HKDF-256): kem_id = 32
468 // concat("KEM", I2OSP(kem_id, 2))
469 memcpy (suite_id, "HPKE", 4);
470 memcpy (suite_id + 4, &kem_id, 2);
471 memcpy (suite_id + 6, &kdf_id, 2);
472 memcpy (suite_id + 8, &aead_id, 2);
473
474 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
475 return GNUNET_SYSERR;
476
477 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
478 "psk_id_hash", strlen ("psk_id_hash"),
479 psk_id, psk_id_len,
480 suite_id, sizeof suite_id, &psk_id_hash))
481 return GNUNET_SYSERR;
482 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
483 "info_hash", strlen ("info_hash"),
484 info, info_len,
485 suite_id, sizeof suite_id, &info_hash))
486 return GNUNET_SYSERR;
487 memcpy (key_schedule_context, &mode, 1);
488 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
489 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
490 &info_hash, sizeof info_hash);
491 if (GNUNET_OK != labeled_extract ("HPKE-v1",
492 shared_secret, sizeof *shared_secret,
493 "secret", strlen ("secret"),
494 psk, psk_len,
495 suite_id, sizeof suite_id, &secret))
496 return GNUNET_SYSERR;
497 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
498 // Note: Nk == sizeof ctx->key
499 if (GNUNET_OK != labeled_expand ("HPKE-v1",
500 &secret,
501 "key", strlen ("key"),
502 &key_schedule_context,
503 sizeof key_schedule_context,
504 suite_id, sizeof suite_id,
505 ctx->key, sizeof ctx->key))
506 return GNUNET_SYSERR;
507 // base_nonce = LabeledExpand(secret, "base_nonce",
508 // key_schedule_context, Nn)
509 if (GNUNET_OK != labeled_expand ("HPKE-v1",
510 &secret,
511 "base_nonce", strlen ("base_nonce"),
512 &key_schedule_context,
513 sizeof key_schedule_context,
514 suite_id, sizeof suite_id,
515 ctx->base_nonce, sizeof ctx->base_nonce))
516 return GNUNET_SYSERR;
517 // exporter_secret = LabeledExpand(secret, "exp",
518 // key_schedule_context, Nh)
519 if (GNUNET_OK != labeled_expand ("HPKE-v1",
520 &secret,
521 "exp", strlen ("exp"),
522 &key_schedule_context,
523 sizeof key_schedule_context,
524 suite_id, sizeof suite_id,
525 &ctx->exporter_secret,
526 sizeof ctx->exporter_secret))
527 return GNUNET_SYSERR;
528 ctx->seq = 0;
529 ctx->role = role;
530 return GNUNET_OK;
531}
verify_psk_inputs
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition crypto_hpke.c:412
ctx
static struct GNUNET_FS_Handle * ctx
Definition gnunet-download.c:40

References ctx, GNUNET_OK, GNUNET_SYSERR, info, labeled_expand(), labeled_extract(), mode, and verify_psk_inputs().

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2(), and GNUNET_CRYPTO_hpke_sender_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ increment_seq()

static enum GNUNET_GenericReturnValue increment_seq ( struct GNUNET_CRYPTO_HpkeContext ctx)
static

Definition at line 681 of file crypto_hpke.c.

682{
683 if (ctx->seq >= UINT64_MAX)
684 {
685 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
686 return GNUNET_SYSERR;
687 }
688 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
689 return GNUNET_OK;
690}
GNUNET_ntohll
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition common_endian.c:54
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition common_endian.c:37

References ctx, GNUNET_ERROR_TYPE_ERROR, GNUNET_htonll(), GNUNET_log, GNUNET_ntohll(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_nonce()

static void compute_nonce ( struct GNUNET_CRYPTO_HpkeContext ctx,
uint8_t *  nonce 
)
static

Definition at line 694 of file crypto_hpke.c.

696{
697 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
698 int j = 0;
699 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
700 {
701 // FIXME correct byte order?
702 if (i < offset)
703 memset (&nonce[i], ctx->base_nonce[i], 1);
704 else
705 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
706 }
707}
GNUNET_CRYPTO_HPKE_NONCE_LEN
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
Definition gnunet_crypto_lib.h:2161

References ctx, and GNUNET_CRYPTO_HPKE_NONCE_LEN.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the caller graph for this function:

Variable Documentation

◆ GNUNET_CRYPTO_HPKE_KEM_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x20 }

Definition at line 162 of file crypto_hpke.c.

162 { 'K', 'E', 'M',
163 0x00, 0x20 };

Referenced by GNUNET_CRYPTO_hpke_kem_decaps(), GNUNET_CRYPTO_hpke_kem_encaps_norand(), and GNUNET_CRYPTO_hpke_sk_create2().

◆ GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x22 }

Definition at line 167 of file crypto_hpke.c.

167 { 'K', 'E', 'M',
168 0x00, 0x22 };

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), and GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand().