GNUnet 0.22.2
crypto_hpke.c File Reference

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs) More...

#include "platform.h"
#include "gnunet_common.h"
#include <sodium.h>
#include <stdint.h>
#include "gnunet_util_lib.h"
#include "sodium/crypto_scalarmult.h"
#include "sodium/crypto_scalarmult_curve25519.h"
#include "sodium/utils.h"


Functions

static enum GNUNET_GenericReturnValue labeled_extract (const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
 A RFC9180 inspired labeled extract. More...
 
static enum GNUNET_GenericReturnValue labeled_expand (const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
 An RFC 9180 inspired labeled expand. More...
 
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
 
static enum GNUNET_GenericReturnValue authkem_encaps_norand (uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
static enum GNUNET_GenericReturnValue kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate key material for a EdDSA public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private EdDSA key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh decapsulation with own private key and the representative of the received public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
static enum GNUNET_GenericReturnValue verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
 
static enum GNUNET_GenericReturnValue key_schedule (enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_CRYPTO_EcdhePrivateKey *skS, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2 (enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup (const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
 RFC9180 HPKE encryption. More...
 
static enum GNUNET_GenericReturnValue increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
 
static void compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
 RFC9180 HPKE encryption. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_PublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
 Convert a GNUnet identity key to a key suitable for HPKE (X25519) More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_PrivateKey *sk, struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
 Convert a GNUnet identity key to a key suitable for HPKE (X25519) More...
 

Variables

static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID []
 
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID []
 

Detailed Description

Hybrid Public Key Encryption (HPKE) and Key encapsulation mechanisms (KEMs)

Author
Martin Schanzenbach

Definition in file crypto_hpke.c.

Function Documentation

◆ labeled_extract()

static enum GNUNET_GenericReturnValue labeled_extract ( const char *  ctx_str,
const void *  salt,
size_t  salt_len,
const void *  label,
size_t  label_len,
const void *  ikm,
size_t  ikm_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode prk 
)
static

A RFC9180 inspired labeled extract.

Parameters
ctx_str: the context to label with (C string)
salt: the extract salt
salt_len: salt length in bytes
label: the label to label with
label_len: label length in bytes
ikm: initial keying material
ikm_len: ikm length in bytes
suite_id: the suite ID
suite_id_len: suite_id length in bytes
prk: the resulting extracted PRK
Returns
GNUNET_OK on success

Definition at line 51 of file crypto_hpke.c.

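/**
 * RFC 9180 style LabeledExtract:
 * prk = HKDF-Extract (salt, concat (ctx_str, suite_id, label, ikm)).
 *
 * NOTE(review): the rendered listing lacks the signature lines and the line
 * that calls GNUNET_CRYPTO_hkdf_extract(); both are restored here from the
 * prototype and the cross-reference shown on this page. Verify against the
 * source file.
 *
 * @param ctx_str the context to label with (C string, must not be NULL)
 * @param salt the extract salt
 * @param salt_len salt length in bytes
 * @param label the label to label with
 * @param label_len label length in bytes
 * @param ikm initial keying material (may be NULL only if ikm_len is 0)
 * @param ikm_len ikm length in bytes
 * @param suite_id the suite ID
 * @param suite_id_len suite_id length in bytes
 * @param prk the resulting extracted PRK
 * @return GNUNET_SYSERR if the combined length overflows, otherwise the
 *         result of GNUNET_CRYPTO_hkdf_extract()
 */
static enum GNUNET_GenericReturnValue
labeled_extract (const char *ctx_str,
                 const void *salt, size_t salt_len,
                 const void *label, size_t label_len,
                 const void *ikm, size_t ikm_len,
                 const uint8_t *suite_id, size_t suite_id_len,
                 struct GNUNET_ShortHashCode *prk)
{
  const size_t ctx_len = strlen (ctx_str);
  size_t labeled_ikm_len = ctx_len;
  enum GNUNET_GenericReturnValue ret;

  // A wrapped sum would size the buffer too small for the copies below.
  if (suite_id_len > SIZE_MAX - labeled_ikm_len)
    return GNUNET_SYSERR;
  labeled_ikm_len += suite_id_len;
  if (label_len > SIZE_MAX - labeled_ikm_len)
    return GNUNET_SYSERR;
  labeled_ikm_len += label_len;
  if (ikm_len > SIZE_MAX - labeled_ikm_len)
    return GNUNET_SYSERR;
  labeled_ikm_len += ikm_len;
  {
    // NOTE(review): still a stack VLA sized by caller-supplied lengths;
    // callers should bound ikm_len (e.g. the PSK length) before getting here.
    // A total length of 0 is not valid for a VLA; every caller on this page
    // passes a non-empty ctx_str.
    uint8_t labeled_ikm[labeled_ikm_len];
    uint8_t *tmp = labeled_ikm;

    // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
    memcpy (tmp, ctx_str, ctx_len);
    tmp += ctx_len;
    // memcpy() with a NULL source is undefined even for length 0, so
    // empty components are skipped instead of copied.
    if (0 != suite_id_len)
      memcpy (tmp, suite_id, suite_id_len);
    tmp += suite_id_len;
    if (0 != label_len)
      memcpy (tmp, label, label_len);
    tmp += label_len;
    if (0 != ikm_len)
      memcpy (tmp, ikm, ikm_len);
    // return Extract(salt, labeled_ikm)
    ret = GNUNET_CRYPTO_hkdf_extract (prk,
                                      salt, salt_len,
                                      labeled_ikm, labeled_ikm_len);
    // labeled_ikm holds a copy of the keying material (DH output or PSK);
    // do not leave it behind on the stack.
    sodium_memzero (labeled_ikm, labeled_ikm_len);
  }
  return ret;
}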
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition: crypto_hkdf.c:224

References GNUNET_CRYPTO_hkdf_extract(), and salt.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().


◆ labeled_expand()

static enum GNUNET_GenericReturnValue labeled_expand ( const char *  ctx_str,
const struct GNUNET_ShortHashCode prk,
const char *  label,
size_t  label_len,
const void *  info,
size_t  info_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
void *  out_buf,
uint16_t  out_len 
)
static

An RFC 9180 inspired labeled expand.

Parameters
ctx_str: the context to label with (C string)
prk: the extracted PRK
label: the label to label with
label_len: label length in bytes
info: context info
info_len: info length in bytes
suite_id: the suite ID
suite_id_len: suite_id length in bytes
out_buf: output buffer, must be allocated
out_len: out_buf length in bytes
Returns
GNUNET_OK on success

Definition at line 94 of file crypto_hpke.c.

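/**
 * RFC 9180 style LabeledExpand:
 * out = HKDF-Expand (prk,
 *                    concat (I2OSP (out_len, 2), ctx_str, suite_id,
 *                            label, info),
 *                    out_len).
 *
 * NOTE(review): the signature lines are absent from the rendered listing and
 * are restored from the prototype shown on this page.
 *
 * @param ctx_str the context to label with (C string, must not be NULL)
 * @param prk the extracted PRK
 * @param label the label to label with
 * @param label_len label length in bytes
 * @param info context info (may be NULL only if info_len is 0)
 * @param info_len info length in bytes
 * @param suite_id the suite ID
 * @param suite_id_len suite_id length in bytes
 * @param out_buf output buffer, must be allocated
 * @param out_len out_buf length in bytes
 * @return GNUNET_SYSERR if the combined length overflows, otherwise the
 *         result of GNUNET_CRYPTO_hkdf_expand()
 */
static enum GNUNET_GenericReturnValue
labeled_expand (const char *ctx_str,
                const struct GNUNET_ShortHashCode *prk,
                const char *label, size_t label_len,
                const void *info, size_t info_len,
                const uint8_t *suite_id, size_t suite_id_len,
                void *out_buf, uint16_t out_len)
{
  const size_t ctx_len = strlen (ctx_str);
  const uint16_t out_len_nbo = htons (out_len);
  size_t labeled_info_len = sizeof out_len_nbo;

  // A wrapped sum would size the buffer too small for the copies below.
  if (ctx_len > SIZE_MAX - labeled_info_len)
    return GNUNET_SYSERR;
  labeled_info_len += ctx_len;
  if (suite_id_len > SIZE_MAX - labeled_info_len)
    return GNUNET_SYSERR;
  labeled_info_len += suite_id_len;
  if (label_len > SIZE_MAX - labeled_info_len)
    return GNUNET_SYSERR;
  labeled_info_len += label_len;
  if (info_len > SIZE_MAX - labeled_info_len)
    return GNUNET_SYSERR;
  labeled_info_len += info_len;
  {
    // NOTE(review): still a stack VLA sized by caller-supplied lengths;
    // callers should bound info_len before getting here.
    uint8_t labeled_info[labeled_info_len];
    uint8_t *tmp = labeled_info;

    // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
    // label, info)
    memcpy (tmp, &out_len_nbo, sizeof out_len_nbo);
    tmp += sizeof out_len_nbo;
    memcpy (tmp, ctx_str, ctx_len);
    tmp += ctx_len;
    // memcpy() with a NULL source is undefined even for length 0, so
    // empty components are skipped instead of copied.
    if (0 != suite_id_len)
      memcpy (tmp, suite_id, suite_id_len);
    tmp += suite_id_len;
    if (0 != label_len)
      memcpy (tmp, label, label_len);
    tmp += label_len;
    if (0 != info_len)
      memcpy (tmp, info, info_len);
    // The variadic list of (buffer, length) pairs is terminated by NULL.
    return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
                                      labeled_info, labeled_info_len, NULL);
  }
}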
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition: crypto_hkdf.c:156

References GNUNET_CRYPTO_hkdf_expand(), and info.

Referenced by GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), and key_schedule().


◆ GNUNET_CRYPTO_hpke_labeled_extract_and_expand()

static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand ( const void *  dh,
size_t  dh_len,
const char *  extract_ctx,
const char *  expand_ctx,
const void *  extract_lbl,
size_t  extract_lbl_len,
const void *  expand_lbl,
size_t  expand_lbl_len,
const uint8_t *  kem_context,
size_t  kem_context_len,
const uint8_t *  suite_id,
size_t  suite_id_len,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 124 of file crypto_hpke.c.

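/**
 * RFC 9180 ExtractAndExpand: derive the KEM shared secret from the raw
 * Diffie-Hellman output and the KEM context.
 *
 * NOTE(review): the signature lines are absent from the rendered listing and
 * are restored from the prototype shown on this page.
 *
 * @param dh the DH output(s) used as input keying material
 * @param dh_len length of dh in bytes
 * @param extract_ctx context string for the extract step
 * @param expand_ctx context string for the expand step
 * @param extract_lbl label for the extract step
 * @param extract_lbl_len length of extract_lbl in bytes
 * @param expand_lbl label for the expand step
 * @param expand_lbl_len length of expand_lbl in bytes
 * @param kem_context the KEM context bound into the expand step
 * @param kem_context_len length of kem_context in bytes
 * @param suite_id the suite ID
 * @param suite_id_len suite_id length in bytes
 * @param shared_secret where to write the derived shared secret
 * @return GNUNET_OK on success, GNUNET_SYSERR if either step fails
 */
static enum GNUNET_GenericReturnValue
GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
  const void *dh, size_t dh_len,
  const char *extract_ctx,
  const char *expand_ctx,
  const void *extract_lbl, size_t extract_lbl_len,
  const void *expand_lbl, size_t expand_lbl_len,
  const uint8_t *kem_context, size_t kem_context_len,
  const uint8_t *suite_id, size_t suite_id_len,
  struct GNUNET_ShortHashCode *shared_secret)
{
  struct GNUNET_ShortHashCode prk;
  enum GNUNET_GenericReturnValue ret = GNUNET_SYSERR;

  // eae_prk = LabeledExtract("", "eae_prk", dh)
  // The result must be checked: expanding an unset PRK would hand the
  // caller a "shared secret" derived from uninitialised stack memory.
  if (GNUNET_OK != labeled_extract (extract_ctx,
                                    NULL, 0,
                                    extract_lbl, extract_lbl_len,
                                    dh, dh_len,
                                    suite_id, suite_id_len,
                                    &prk))
    goto cleanup;
  // shared_secret = LabeledExpand(eae_prk, "shared_secret", kem_context, Nsecret)
  if (GNUNET_OK != labeled_expand (expand_ctx,
                                   &prk,
                                   expand_lbl, expand_lbl_len,
                                   kem_context, kem_context_len,
                                   suite_id, suite_id_len,
                                   shared_secret, sizeof *shared_secret))
    goto cleanup;
  ret = GNUNET_OK;
cleanup:
  // prk is key material; wipe it on every path.
  sodium_memzero (&prk, sizeof prk);
  return ret;
}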
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition: crypto_hpke.c:51
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
An RFC 9180 inspired labeled expand.
Definition: crypto_hpke.c:94
A 256-bit hashcode.

References labeled_expand(), and labeled_extract().

Referenced by authkem_encaps_norand(), GNUNET_CRYPTO_hpke_authkem_decaps(), GNUNET_CRYPTO_hpke_elligator_kem_decaps(), GNUNET_CRYPTO_hpke_kem_decaps(), and kem_encaps_norand().


◆ authkem_encaps_norand()

static enum GNUNET_GenericReturnValue authkem_encaps_norand ( uint8_t *  suite_id,
size_t  suite_id_len,
const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_EcdhePrivateKey skS,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_EcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 166 of file crypto_hpke.c.

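/**
 * Authenticated DHKEM encapsulation (RFC 9180 AuthEncap) with a
 * caller-supplied ephemeral key, shared by the plain and Elligator variants.
 *
 * NOTE(review): the rendered listing omits the signature and source lines
 * 174, 178, 192 and 199. They are restored here from the prototype, the
 * uses of pkS, and the functions this page lists under "References"
 * (GNUNET_CRYPTO_ecdhe_key_get_public,
 * GNUNET_CRYPTO_hpke_labeled_extract_and_expand). Verify against the source
 * file.
 *
 * @param suite_id the KEM suite ID
 * @param suite_id_len suite_id length in bytes
 * @param pkR the recipient's public key
 * @param skS the sender's static private key
 * @param c the encapsulation; receives the ephemeral public key
 * @param skE the ephemeral private key
 * @param shared_secret where to write the derived shared secret
 * @return GNUNET_OK on success, GNUNET_SYSERR on a DH validation error
 */
static enum GNUNET_GenericReturnValue
authkem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
                       const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
                       const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
                       struct GNUNET_CRYPTO_HpkeEncapsulation *c,
                       const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
                       struct GNUNET_ShortHashCode *shared_secret)
{
  struct GNUNET_CRYPTO_EcdhePublicKey dh[2];
  struct GNUNET_CRYPTO_EcdhePublicKey pkS;
  uint8_t kem_context[sizeof *c + sizeof *pkR + sizeof pkS];
  enum GNUNET_GenericReturnValue ret = GNUNET_SYSERR;

  // skE, pkE = GenerateKeyPair()
  // NOTE(review): the cast presumes the encapsulation starts with (or is)
  // an X25519 public key - confirm against the struct definition.
  GNUNET_CRYPTO_ecdhe_key_get_public (skE,
                                      (struct GNUNET_CRYPTO_EcdhePublicKey*) c);

  // dh = DH(skE, pkR)
  if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
                                              &dh[0]))
    goto cleanup; // ValidationError
  // dh = DH(skS, pkR)
  if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skS, pkR,
                                              &dh[1]))
    goto cleanup; // ValidationError
  // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
  // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
  // pkSm = SerializePublicKey(pk(skS)) is a NOP, see Section 7.1.1
  GNUNET_CRYPTO_ecdhe_key_get_public (skS,
                                      &pkS);
  // kem_context = concat(enc, pkRm, pkSm)
  memcpy (kem_context, c, sizeof *c);
  memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
  memcpy (kem_context + sizeof *c + sizeof *pkR, &pkS, sizeof pkS);
  // shared_secret = ExtractAndExpand(dh, kem_context)
  ret = GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
    dh, sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) * 2,
    "HPKE-v1",
    "HPKE-v1",
    "eae_prk", strlen ("eae_prk"),
    "shared_secret", strlen ("shared_secret"),
    kem_context, sizeof kem_context,
    suite_id, suite_id_len,
    shared_secret);
cleanup:
  // The raw DH outputs are secret; wipe them on success and on failure.
  sodium_memzero (dh, sizeof dh);
  return ret;
}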
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:124
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition: crypto_ecc.c:783
void GNUNET_CRYPTO_ecdhe_key_get_public(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:217
@ GNUNET_OK
@ GNUNET_SYSERR
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...

References GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_ecdhe_key_get_public(), GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_authkem_encaps_norand(), and GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand().


◆ kem_encaps_norand()

static enum GNUNET_GenericReturnValue kem_encaps_norand ( uint8_t *  suite_id,
size_t  suite_id_len,
const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_EcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)
static

Definition at line 246 of file crypto_hpke.c.

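/**
 * DHKEM encapsulation (RFC 9180 Encap) with a caller-supplied ephemeral key,
 * shared by the plain and Elligator variants. The caller has already placed
 * the ephemeral public key in the encapsulation.
 *
 * NOTE(review): the rendered listing omits the signature and source lines
 * 252, 259 and 269. They are restored here from the prototype, the uses of
 * dh, and the symbols this page lists under "References" (GNUNET_log,
 * GNUNET_ERROR_TYPE_ERROR, GNUNET_CRYPTO_hpke_labeled_extract_and_expand).
 * Verify against the source file.
 *
 * @param suite_id the KEM suite ID
 * @param suite_id_len suite_id length in bytes
 * @param pkR the recipient's public key
 * @param c the encapsulation (serialized ephemeral public key)
 * @param skE the ephemeral private key
 * @param shared_secret where to write the derived shared secret
 * @return GNUNET_OK on success, GNUNET_SYSERR on a DH validation error
 */
static enum GNUNET_GenericReturnValue
kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
                   const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
                   const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
                   const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
                   struct GNUNET_ShortHashCode *shared_secret)
{
  struct GNUNET_CRYPTO_EcdhePublicKey dh;
  uint8_t kem_context[sizeof *c + sizeof *pkR];
  enum GNUNET_GenericReturnValue ret = GNUNET_SYSERR;

  // dh = DH(skE, pkR)
  if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
                                              &dh))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                "HPKE KEM encaps: Validation error\n");
    goto cleanup; // ValidationError
  }
  // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
  // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
  // kem_context = concat(enc, pkRm)
  memcpy (kem_context, c, sizeof *c);
  memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
  // shared_secret = ExtractAndExpand(dh, kem_context)
  ret = GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
    &dh, sizeof dh,
    "HPKE-v1",
    "HPKE-v1",
    "eae_prk", strlen ("eae_prk"),
    "shared_secret", strlen ("shared_secret"),
    kem_context, sizeof kem_context,
    suite_id, suite_id_len,
    shared_secret);
cleanup:
  // The raw DH output is secret; wipe it on success and on failure.
  sodium_memzero (&dh, sizeof dh);
  return ret;
}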
#define GNUNET_log(kind,...)
@ GNUNET_ERROR_TYPE_ERROR

References GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), and GNUNET_CRYPTO_hpke_kem_encaps_norand().


◆ verify_psk_inputs()

static enum GNUNET_GenericReturnValue verify_psk_inputs ( enum GNUNET_CRYPTO_HpkeMode  mode,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len 
)
static

Definition at line 547 of file crypto_hpke.c.

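/**
 * RFC 9180 VerifyPSKInputs: the PSK and its identifier must be supplied
 * together, and only in the modes that use a PSK.
 *
 * NOTE(review): the rendered listing omits the signature, the GNUNET_log
 * call lines (559, 568, 576) and the mode conditions (565-566, 573-574).
 * The mode tests below are reconstructed from the log messages, the four
 * mode constants this page lists under "References", and RFC 9180; the
 * exact expressions in the source file may be written differently. Verify
 * against the source file.
 *
 * @param mode the HPKE mode
 * @param psk the pre-shared key, or NULL
 * @param psk_len length of psk in bytes (0 if absent)
 * @param psk_id the PSK identifier, or NULL
 * @param psk_id_len length of psk_id in bytes (0 if absent)
 * @return GNUNET_OK if the inputs are consistent with the mode,
 *         GNUNET_SYSERR otherwise
 */
static enum GNUNET_GenericReturnValue
verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode,
                   const uint8_t *psk, size_t psk_len,
                   const uint8_t *psk_id, size_t psk_id_len)
{
  const bool got_psk = (0 != psk_len);
  const bool got_psk_id = (0 != psk_id_len);

  // A non-zero length with a NULL buffer is rejected as well: the key
  // schedule would otherwise read psk_len bytes from a NULL pointer.
  if ( (got_psk != got_psk_id) ||
       (got_psk && ( (NULL == psk) || (NULL == psk_id) )) )
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                "Inconsistent PSK inputs\n");
    return GNUNET_SYSERR;
  }

  if (got_psk &&
      ( (GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
        (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode) ))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                "PSK input provided when not needed\n");
    return GNUNET_SYSERR;
  }
  if (! got_psk &&
      ( (GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
        (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode) ))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                "Missing required PSK input\n");
    return GNUNET_SYSERR;
  }
  return GNUNET_OK;
}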
@ GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_AUTH

References GNUNET_CRYPTO_HPKE_MODE_AUTH, GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK, GNUNET_CRYPTO_HPKE_MODE_BASE, GNUNET_CRYPTO_HPKE_MODE_PSK, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, and mode.

Referenced by key_schedule().


◆ key_schedule()

static enum GNUNET_GenericReturnValue key_schedule ( enum GNUNET_CRYPTO_HpkeRole  role,
enum GNUNET_CRYPTO_HpkeMode  mode,
const struct GNUNET_ShortHashCode shared_secret,
const uint8_t *  info,
size_t  info_len,
const uint8_t *  psk,
size_t  psk_len,
const uint8_t *  psk_id,
size_t  psk_id_len,
struct GNUNET_CRYPTO_HpkeContext ctx 
)
static

Definition at line 585 of file crypto_hpke.c.

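/**
 * RFC 9180 KeySchedule: derive the AEAD key, base nonce and exporter secret
 * for an HPKE context from the KEM shared secret.
 *
 * NOTE(review): the signature lines are absent from the rendered listing and
 * are restored from the prototype shown on this page.
 *
 * @param role sender or receiver; stored in the context
 * @param mode the HPKE mode
 * @param shared_secret the KEM shared secret
 * @param info application-supplied context info
 * @param info_len length of info in bytes
 * @param psk the pre-shared key (PSK modes only)
 * @param psk_len length of psk in bytes
 * @param psk_id the PSK identifier (PSK modes only)
 * @param psk_id_len length of psk_id in bytes
 * @param ctx the context to initialise
 * @return GNUNET_OK on success, GNUNET_SYSERR on invalid PSK inputs or if a
 *         derivation step fails
 */
static enum GNUNET_GenericReturnValue
key_schedule (enum GNUNET_CRYPTO_HpkeRole role,
              enum GNUNET_CRYPTO_HpkeMode mode,
              const struct GNUNET_ShortHashCode *shared_secret,
              const uint8_t *info, size_t info_len,
              const uint8_t *psk, size_t psk_len,
              const uint8_t *psk_id, size_t psk_id_len,
              struct GNUNET_CRYPTO_HpkeContext *ctx)
{
  struct GNUNET_ShortHashCode psk_id_hash;
  struct GNUNET_ShortHashCode info_hash;
  struct GNUNET_ShortHashCode secret;
  uint8_t key_schedule_context[1 + sizeof info_hash * 2];
  // "HPKE" plus three 2-byte identifiers; a constant size, not a VLA.
  uint8_t suite_id[4 + 3 * sizeof (uint16_t)];
  // NOTE(review): kem_id is fixed and this function takes no KEM parameter,
  // while the setup2 functions that call it do - confirm this is intended
  // for every KEM they accept.
  uint16_t kem_id = htons (32); // DHKEM(X25519, HKDF-256) FIXME hardcode as constant
  uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
  uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
  enum GNUNET_GenericReturnValue ret = GNUNET_SYSERR;

  // suite_id = concat("HPKE", I2OSP(kem_id, 2), I2OSP(kdf_id, 2),
  //                   I2OSP(aead_id, 2))
  memcpy (suite_id, "HPKE", 4);
  memcpy (suite_id + 4, &kem_id, 2);
  memcpy (suite_id + 6, &kdf_id, 2);
  memcpy (suite_id + 8, &aead_id, 2);

  if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
    goto cleanup;

  // psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
  if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
                                    "psk_id_hash", strlen ("psk_id_hash"),
                                    psk_id, psk_id_len,
                                    suite_id, sizeof suite_id, &psk_id_hash))
    goto cleanup;
  // info_hash = LabeledExtract("", "info_hash", info)
  if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
                                    "info_hash", strlen ("info_hash"),
                                    info, info_len,
                                    suite_id, sizeof suite_id, &info_hash))
    goto cleanup;
  // key_schedule_context = concat(mode, psk_id_hash, info_hash)
  // Take the mode by value: copying the first byte of the enum's storage
  // yields the low byte only on little-endian hosts, so a big-endian peer
  // would derive different keys.
  // NOTE(review): assumes the enum values equal the RFC 9180 mode ids.
  key_schedule_context[0] = (uint8_t) mode;
  memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
  memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
          &info_hash, sizeof info_hash);
  // secret = LabeledExtract(shared_secret, "secret", psk)
  if (GNUNET_OK != labeled_extract ("HPKE-v1",
                                    shared_secret, sizeof *shared_secret,
                                    "secret", strlen ("secret"),
                                    psk, psk_len,
                                    suite_id, sizeof suite_id, &secret))
    goto cleanup;
  // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
  // Note: Nk == sizeof ctx->key
  if (GNUNET_OK != labeled_expand ("HPKE-v1",
                                   &secret,
                                   "key", strlen ("key"),
                                   key_schedule_context,
                                   sizeof key_schedule_context,
                                   suite_id, sizeof suite_id,
                                   ctx->key, sizeof ctx->key))
    goto cleanup;
  // base_nonce = LabeledExpand(secret, "base_nonce",
  // key_schedule_context, Nn)
  if (GNUNET_OK != labeled_expand ("HPKE-v1",
                                   &secret,
                                   "base_nonce", strlen ("base_nonce"),
                                   key_schedule_context,
                                   sizeof key_schedule_context,
                                   suite_id, sizeof suite_id,
                                   ctx->base_nonce, sizeof ctx->base_nonce))
    goto cleanup;
  // exporter_secret = LabeledExpand(secret, "exp",
  // key_schedule_context, Nh)
  if (GNUNET_OK != labeled_expand ("HPKE-v1",
                                   &secret,
                                   "exp", strlen ("exp"),
                                   key_schedule_context,
                                   sizeof key_schedule_context,
                                   suite_id, sizeof suite_id,
                                   &ctx->exporter_secret,
                                   sizeof ctx->exporter_secret))
    goto cleanup;
  ctx->seq = 0;
  ctx->role = role;
  ret = GNUNET_OK;
cleanup:
  // `secret` keys everything in the context; wipe it on every path
  // (zeroing it before it was ever written is harmless).
  sodium_memzero (&secret, sizeof secret);
  return ret;
}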
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition: crypto_hpke.c:547

References ctx, GNUNET_OK, GNUNET_SYSERR, info, labeled_expand(), labeled_extract(), mode, and verify_psk_inputs().

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2(), and GNUNET_CRYPTO_hpke_sender_setup2().


◆ increment_seq()

static enum GNUNET_GenericReturnValue increment_seq ( struct GNUNET_CRYPTO_HpkeContext ctx)
static

Definition at line 833 of file crypto_hpke.c.

/**
 * Advance the context's message sequence number by one.
 *
 * ctx->seq is kept in network byte order, so it is converted to host order
 * for the arithmetic and converted back for storage.
 *
 * NOTE(review): the signature line is absent from the rendered listing and
 * is restored from the prototype shown on this page.
 *
 * @param ctx the HPKE context whose sequence number is advanced
 * @return GNUNET_OK on success, GNUNET_SYSERR once the counter is exhausted
 */
static enum GNUNET_GenericReturnValue
increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
{
  const uint64_t seq_host = GNUNET_ntohll (ctx->seq);

  // The all-ones value reads the same in either byte order, so testing the
  // host-order value is equivalent to testing the stored one. Refusing to
  // wrap is what prevents a (key, nonce) pair from ever being reused.
  if (UINT64_MAX == seq_host)
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
    return GNUNET_SYSERR;
  }
  ctx->seq = GNUNET_htonll (seq_host + 1);
  return GNUNET_OK;
}
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition: common_endian.c:54
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition: common_endian.c:37

References ctx, GNUNET_ERROR_TYPE_ERROR, GNUNET_htonll(), GNUNET_log, GNUNET_ntohll(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().


◆ compute_nonce()

static void compute_nonce ( struct GNUNET_CRYPTO_HpkeContext ctx,
uint8_t *  nonce 
)
static

Definition at line 846 of file crypto_hpke.c.

/**
 * Build the per-message AEAD nonce: the base nonce with the sequence number
 * XORed into its trailing sizeof ctx->seq bytes.
 *
 * NOTE(review): the signature lines are absent from the rendered listing and
 * are restored from the prototype shown on this page.
 *
 * @param ctx the HPKE context (base nonce and sequence number are read)
 * @param nonce output buffer of GNUNET_CRYPTO_HPKE_NONCE_LEN bytes
 */
static void
compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx,
               uint8_t *nonce)
{
  // Assumes GNUNET_CRYPTO_HPKE_NONCE_LEN >= sizeof ctx->seq.
  const size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
  const uint8_t *seq_bytes = (const uint8_t *) &ctx->seq;

  // The leading bytes are taken from the base nonce unchanged.
  memcpy (nonce, ctx->base_nonce, offset);
  // The sequence number is XORed in byte by byte, in memory order.
  // NOTE(review): increment_seq() stores ctx->seq with GNUNET_htonll(), so
  // memory order is big-endian here; that is the encoding RFC 9180 XORs
  // into the nonce, provided every writer of ctx->seq keeps that convention.
  for (size_t k = 0; k < sizeof ctx->seq; k++)
    nonce[offset + k] = ctx->base_nonce[offset + k] ^ seq_bytes[k];
}
#define GNUNET_CRYPTO_HPKE_NONCE_LEN

References ctx, and GNUNET_CRYPTO_HPKE_NONCE_LEN.

Referenced by GNUNET_CRYPTO_hpke_open(), and GNUNET_CRYPTO_hpke_seal().


Variable Documentation

◆ GNUNET_CRYPTO_HPKE_KEM_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
static

◆ GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID

uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
static