GNUnet debian-0.24.3-29-g453fda2cf
 
Loading...
Searching...
No Matches
Functions | Variables
crypto_hpke.c File Reference

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs) More...

#include "platform.h"
#include "gnunet_common.h"
#include <sodium.h>
#include <stdint.h>
#include "gnunet_util_lib.h"
#include "sodium/crypto_scalarmult.h"
#include "sodium/crypto_scalarmult_curve25519.h"
#include "sodium/utils.h"
Include dependency graph for crypto_hpke.c:

Go to the source code of this file.

Functions

static enum GNUNET_GenericReturnValue labeled_extract (const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue labeled_expand (const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
 A RFC9180 inspired labeled extract.
 
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
 
static enum GNUNET_GenericReturnValue kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a X25519 public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a EdDSA public key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private EdDSA key.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh decapsulation with own private key and the representative of the received public key.
 
static enum GNUNET_GenericReturnValue verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
 
static enum GNUNET_GenericReturnValue key_schedule (enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_CRYPTO_EcdhePrivateKey *skS, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup (const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption.
 
static enum GNUNET_GenericReturnValue increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
 
static void compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
 RFC9180 HPKE encryption.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_PublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_PrivateKey *sk, struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
 Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
 

Variables

static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID []
 
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID []
 

Detailed Description

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs)

Author
Martin Schanzenbach

Definition in file crypto_hpke.c.

Function Documentation

◆ labeled_extract()

static enum GNUNET_GenericReturnValue labeled_extract ( const char *  ctx_str,
const void *  salt,
size_t  salt_len,
const void *  label,
size_t  label_len,
const void *  ikm,
size_t  ikm_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode prk 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
saltthe extract salt
salt_lensalt length in bytes
labelthe label to label with
label_lenlabel length in bytes
ikminitial keying material
ikm_lenikm length in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
prkthe resulting extracted PRK
Returns
GNUNET_OK on success

Definition at line 51 of file crypto_hpke.c.

57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
72 return GNUNET_CRYPTO_hkdf_extract (prk,
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition gnunet-scrypt.c:34
ikm
static unsigned char ikm[256/8]
The initial key material for the peer.
Definition gnunet-service-pils.c:78
GNUNET_CRYPTO_hkdf_extract
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition crypto_hkdf.c:224

References GNUNET_CRYPTO_hkdf_extract(), ikm, and salt.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ labeled_expand()

static enum GNUNET_GenericReturnValue labeled_expand ( const char *  ctx_str,
const struct GNUNET_ShortHashCode prk,
const char *  label,
size_t  label_len,
const void *  info,
size_t  info_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
void *  out_buf,
uint16_t  out_len 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_strthe context to label with (c string)
prkthe extracted PRK
labelthe label to label with
label_lenlabel length in bytes
infocontext info
info_leninfo in bytes
suite_idthe suite ID
suite_id_lensuite_id length in bytes
out_bufoutput buffer, must be allocated
out_lenout_buf length in bytes
Returns
GNUNET_OK on success

Definition at line 94 of file crypto_hpke.c.

101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
119 labeled_info, sizeof labeled_info, NULL);
120}
info
#define info
GNUNET_CRYPTO_hkdf_expand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition crypto_hkdf.c:156

References GNUNET_CRYPTO_hkdf_expand(), and info.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_labeled_extract_and_expand()

static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand ( const void *  dh,
size_t  dh_len,
const char *  extract_ctx,
const char *  expand_ctx,
const void *  extract_lbl,
size_t  extract_lbl_len,
const void *  expand_lbl,
size_t  expand_lbl_len,
const uint8_t *  kem_context,
size_t  kem_context_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 124 of file crypto_hpke.c.

138{
139 struct GNUNET_ShortHashCode prk;
140 // eae_prk = LabeledExtract("", "eae_prk", dh)
141 labeled_extract (extract_ctx,
142 NULL, 0,
143 extract_lbl, extract_lbl_len,
144 dh, dh_len,
145 suite_id, suite_id_len,
146 &prk);
147 return labeled_expand (expand_ctx,
148 &prk,
149 expand_lbl, expand_lbl_len,
150 kem_context, kem_context_len,
151 suite_id, suite_id_len,
152 shared_secret, sizeof *shared_secret);
153}
labeled_extract
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:51
labeled_expand
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:94
GNUNET_ShortHashCode
A 256-bit hashcode.
Definition gnunet_common.h:294

References labeled_expand(), and labeled_extract().

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), GNUNET_CRYPTO_hpke_kem_decaps(), and kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ kem_encaps_norand()

static enum GNUNET_GenericReturnValue kem_encaps_norand ( uint8_t *  suite_id,
size_t  suite_id_len,
const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_EcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 167 of file crypto_hpke.c.

172{
173 struct GNUNET_CRYPTO_EcdhePublicKey dh;
174 uint8_t kem_context[sizeof *c + sizeof *pkR];
175
176 // dh = DH(skE, pkR)
177 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
178 &dh))
179 {
180 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
181 "HPKE KEM encaps: Validation error\n");
182 return GNUNET_SYSERR; // ValidationError
183 }
184 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
185 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
186 // kem_context = concat(enc, pkRm)
187 memcpy (kem_context, c, sizeof *c);
188 memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
189 // shared_secret = ExtractAndExpand(dh, kem_context)
190 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
191 &dh, sizeof dh,
192 "HPKE-v1",
193 "HPKE-v1",
194 "eae_prk", strlen ("eae_prk"),
195 "shared_secret", strlen ("shared_secret"),
196 kem_context, sizeof kem_context,
197 suite_id, suite_id_len,
198 shared_secret);
199}
GNUNET_CRYPTO_hpke_labeled_extract_and_expand
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition crypto_hpke.c:124
GNUNET_CRYPTO_ecdh_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition crypto_ecc.c:783
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:548
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:111
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:109
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:414
GNUNET_CRYPTO_EcdhePublicKey
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...
Definition gnunet_crypto_lib.h:240

References GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ verify_psk_inputs()

static enum GNUNET_GenericReturnValue verify_psk_inputs ( enum GNUNET_CRYPTO_HpkeMode  mode,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len 
)
static

Definition at line 384 of file crypto_hpke.c.

387{
388 bool got_psk;
389 bool got_psk_id;
390
391 got_psk = (0 != psk_len);
392 got_psk_id = (0 != psk_id_len);
393
394 if (got_psk != got_psk_id)
395 {
396 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
397 "Inconsistent PSK inputs\n");
398 return GNUNET_SYSERR;
399 }
400
401 if (got_psk &&
402 ((GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
403 (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode)))
404 {
405 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
406 "PSK input provided when not needed\n");
407 return GNUNET_SYSERR;
408 }
409 if (! got_psk &&
410 ((GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
411 (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode)))
412 {
413 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
414 "Missing required PSK input\n");
415 return GNUNET_SYSERR;
416 }
417 return GNUNET_OK;
418}
mode
static enum @44 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_PSK
Definition gnunet_crypto_lib.h:2115
GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
Definition gnunet_crypto_lib.h:2117
GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_BASE
Definition gnunet_crypto_lib.h:2114
GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
Definition gnunet_crypto_lib.h:2116

References GNUNET_CRYPTO_HPKE_MODE_AUTH, GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK, GNUNET_CRYPTO_HPKE_MODE_BASE, GNUNET_CRYPTO_HPKE_MODE_PSK, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, and mode.

Referenced by key_schedule().

Here is the caller graph for this function:

◆ key_schedule()

static enum GNUNET_GenericReturnValue key_schedule ( enum GNUNET_CRYPTO_HpkeRole  role,
enum GNUNET_CRYPTO_HpkeMode  mode,
const struct GNUNET_ShortHashCode shared_secret,
const uint8_t *  info,
size_t  info_len,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len,
struct GNUNET_CRYPTO_HpkeContext ctx 
)
static

Definition at line 422 of file crypto_hpke.c.

429{
430 struct GNUNET_ShortHashCode psk_id_hash;
431 struct GNUNET_ShortHashCode info_hash;
432 struct GNUNET_ShortHashCode secret;
433 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
434 uint8_t suite_id[strlen ("HPKE") + 6];
435 uint16_t kem_id = htons (32); // FIXME hardcode as constant
436 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
437 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
438
439 // DHKEM(X25519, HKDF-256): kem_id = 32
440 // concat("KEM", I2OSP(kem_id, 2))
441 memcpy (suite_id, "HPKE", 4);
442 memcpy (suite_id + 4, &kem_id, 2);
443 memcpy (suite_id + 6, &kdf_id, 2);
444 memcpy (suite_id + 8, &aead_id, 2);
445
446 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
447 return GNUNET_SYSERR;
448
449 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
450 "psk_id_hash", strlen ("psk_id_hash"),
451 psk_id, psk_id_len,
452 suite_id, sizeof suite_id, &psk_id_hash))
453 return GNUNET_SYSERR;
454 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
455 "info_hash", strlen ("info_hash"),
456 info, info_len,
457 suite_id, sizeof suite_id, &info_hash))
458 return GNUNET_SYSERR;
459 memcpy (key_schedule_context, &mode, 1);
460 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
461 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
462 &info_hash, sizeof info_hash);
463 if (GNUNET_OK != labeled_extract ("HPKE-v1",
464 shared_secret, sizeof *shared_secret,
465 "secret", strlen ("secret"),
466 psk, psk_len,
467 suite_id, sizeof suite_id, &secret))
468 return GNUNET_SYSERR;
469 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
470 // Note: Nk == sizeof ctx->key
471 if (GNUNET_OK != labeled_expand ("HPKE-v1",
472 &secret,
473 "key", strlen ("key"),
474 &key_schedule_context,
475 sizeof key_schedule_context,
476 suite_id, sizeof suite_id,
477 ctx->key, sizeof ctx->key))
478 return GNUNET_SYSERR;
479 // base_nonce = LabeledExpand(secret, "base_nonce",
480 // key_schedule_context, Nn)
481 if (GNUNET_OK != labeled_expand ("HPKE-v1",
482 &secret,
483 "base_nonce", strlen ("base_nonce"),
484 &key_schedule_context,
485 sizeof key_schedule_context,
486 suite_id, sizeof suite_id,
487 ctx->base_nonce, sizeof ctx->base_nonce))
488 return GNUNET_SYSERR;
489 // exporter_secret = LabeledExpand(secret, "exp",
490 // key_schedule_context, Nh)
491 if (GNUNET_OK != labeled_expand ("HPKE-v1",
492 &secret,
493 "exp", strlen ("exp"),
494 &key_schedule_context,
495 sizeof key_schedule_context,
496 suite_id, sizeof suite_id,
497 &ctx->exporter_secret,
498 sizeof ctx->exporter_secret))
499 return GNUNET_SYSERR;
500 ctx->seq = 0;
501 ctx->role = role;
502 return GNUNET_OK;
503}
verify_psk_inputs
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition crypto_hpke.c:384
ctx
static struct GNUNET_FS_Handle * ctx
Definition gnunet-download.c:40

References ctx, GNUNET_OK, GNUNET_SYSERR, info, labeled_expand(), labeled_extract(), mode, and verify_psk_inputs().

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2(), and GNUNET_CRYPTO_hpke_sender_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ increment_seq()

static enum GNUNET_GenericReturnValue increment_seq ( struct GNUNET_CRYPTO_HpkeContext ctx)
static

Definition at line 652 of file crypto_hpke.c.

653{
654 if (ctx->seq >= UINT64_MAX)
655 {
656 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
657 return GNUNET_SYSERR;
658 }
659 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
660 return GNUNET_OK;
661}
GNUNET_ntohll
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition common_endian.c:54
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition common_endian.c:37

References ctx, GNUNET_ERROR_TYPE_ERROR, GNUNET_htonll(), GNUNET_log, GNUNET_ntohll(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_nonce()

static void compute_nonce ( struct GNUNET_CRYPTO_HpkeContext ctx,
uint8_t *  nonce 
)
static

Definition at line 665 of file crypto_hpke.c.

667{
668 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
669 int j = 0;
670 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
671 {
672 // FIXME correct byte order?
673 if (i < offset)
674 memset (&nonce[i], ctx->base_nonce[i], 1);
675 else
676 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
677 }
678}
GNUNET_CRYPTO_HPKE_NONCE_LEN
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
Definition gnunet_crypto_lib.h:2124

References ctx, and GNUNET_CRYPTO_HPKE_NONCE_LEN.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().

Here is the caller graph for this function:

Variable Documentation

◆ GNUNET_CRYPTO_HPKE_KEM_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x20 }

Definition at line 158 of file crypto_hpke.c.

158 { 'K', 'E', 'M',
159 0x00, 0x20 };

Referenced by GNUNET_CRYPTO_hpke_kem_decaps(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().

◆ GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
static
Initial value:
= { 'K', 'E', 'M',
0x00, 0x30 }

Definition at line 163 of file crypto_hpke.c.

163 { 'K', 'E', 'M',
164 0x00, 0x30 };

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), and GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand().