GNUnet debian-0.24.3-23-g589b01d60
crypto_hpke.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2024 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
26#include "platform.h"
27#include "gnunet_common.h"
28#include <sodium.h>
29#include <stdint.h>
30#include "gnunet_util_lib.h"
31#include "sodium/crypto_scalarmult.h"
32#include "sodium/crypto_scalarmult_curve25519.h"
33#include "sodium/utils.h"
34
51labeled_extract (const char *ctx_str,
52 const void *salt, size_t salt_len,
53 const void *label, size_t label_len,
54 const void *ikm, size_t ikm_len,
55 const uint8_t *suite_id, size_t suite_id_len,
56 struct GNUNET_ShortHashCode *prk)
57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
76
77
94labeled_expand (const char *ctx_str,
95 const struct GNUNET_ShortHashCode *prk,
96 const char *label, size_t label_len,
97 const void *info, size_t info_len,
98 const uint8_t *suite_id, size_t suite_id_len,
99 void *out_buf,
100 uint16_t out_len)
101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
119 labeled_info, sizeof labeled_info, NULL);
120}
121
122
125 size_t dh_len,
126 const char *extract_ctx,
127 const char *expand_ctx,
128 const void*extract_lbl, size_t
129 extract_lbl_len,
130 const void*expand_lbl, size_t
131 expand_lbl_len,
132 const uint8_t *kem_context,
133 size_t kem_context_len,
134 const uint8_t *suite_id, size_t
135 suite_id_len,
136 struct GNUNET_ShortHashCode *
137 shared_secret)
138{
139 struct GNUNET_ShortHashCode prk;
140 // eae_prk = LabeledExtract("", "eae_prk", dh)
141 labeled_extract (extract_ctx,
142 NULL, 0,
143 extract_lbl, extract_lbl_len,
144 dh, dh_len,
145 suite_id, suite_id_len,
146 &prk);
147 return labeled_expand (expand_ctx,
148 &prk,
149 expand_lbl, expand_lbl_len,
150 kem_context, kem_context_len,
151 suite_id, suite_id_len,
152 shared_secret, sizeof *shared_secret);
153}
154
155
156// DHKEM(X25519, HKDF-256): kem_id = 32
157// concat("KEM", I2OSP(kem_id, 2))
158static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[] = { 'K', 'E', 'M',
159 0x00, 0x20 };
160
161// DHKEM(X25519Elligator, HKDF-256): kem_id = 0x0030
162// concat("KEM", I2OSP(kem_id, 2))
163static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[] = { 'K', 'E', 'M',
164 0x00, 0x30 };
165
167kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
168 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
169 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
170 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
171 struct GNUNET_ShortHashCode *shared_secret)
172{
174 uint8_t kem_context[sizeof *c + sizeof *pkR];
175
176 // dh = DH(skE, pkR)
177 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
178 &dh))
179 {
181 "HPKE KEM encaps: Validation error\n");
182 return GNUNET_SYSERR; // ValidationError
183 }
184 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
185 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
186 // kem_context = concat(enc, pkRm)
187 memcpy (kem_context, c, sizeof *c);
188 memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
189 // shared_secret = ExtractAndExpand(dh, kem_context)
191 &dh, sizeof dh,
192 "HPKE-v1",
193 "HPKE-v1",
194 "eae_prk", strlen ("eae_prk"),
195 "shared_secret", strlen ("shared_secret"),
196 kem_context, sizeof kem_context,
197 suite_id, suite_id_len,
198 shared_secret);
199}
200
201
204 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
206 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
207 struct GNUNET_ShortHashCode *shared_secret)
208{
209 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
211 skE,
215 pkR, enc, skE, shared_secret);
216}
217
218
222 struct GNUNET_ShortHashCode *shared_secret)
223{
225 // skE, pkE = GenerateKeyPair()
227
228 return GNUNET_CRYPTO_hpke_kem_encaps_norand (pub, c, &skE, shared_secret);
229}
230
231
235 struct GNUNET_ShortHashCode *shared_secret)
236{
238
239 // This maps the ed25519 point to X25519
240 if (0 != crypto_sign_ed25519_pk_to_curve25519 (pkR.q_y, pub->q_y))
241 return GNUNET_SYSERR;
242
243 return GNUNET_CRYPTO_hpke_kem_encaps (&pkR, c, shared_secret);
244}
245
246
249 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
250 struct GNUNET_ShortHashCode *shared_secret)
251{
253 uint8_t kem_context[sizeof *c + crypto_scalarmult_curve25519_BYTES];
254 uint8_t pkR[crypto_scalarmult_BYTES];
255
256 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
257 // dh = DH(skR, pkE)
258 if (GNUNET_OK !=
261 &dh))
262 return GNUNET_SYSERR; // ValidationError
263
264 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
265 crypto_scalarmult_curve25519_base (pkR, skR->d);
266 // kem_context = concat(enc, pkRm)
267 memcpy (kem_context, c, sizeof *c);
268 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
269 // shared_secret = ExtractAndExpand(dh, kem_context)
271 &dh, sizeof dh,
272 "HPKE-v1",
273 "HPKE-v1",
274 "eae_prk", strlen ("eae_prk"),
275 "shared_secret", strlen ("shared_secret"),
276 kem_context, sizeof kem_context,
279 shared_secret);
280}
281
282
283// FIXME use Ed -> Curve conversion???
287 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
288 struct GNUNET_ShortHashCode *shared_secret)
289{
291
292 // This maps the ed25519 point to X25519
293 if (0 != crypto_sign_ed25519_sk_to_curve25519 (skR.d, priv->d))
294 return GNUNET_SYSERR;
295 return GNUNET_CRYPTO_hpke_kem_decaps (&skR, c, shared_secret);
296
297}
298
299
302 uint8_t random_tweak,
303 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
306 struct GNUNET_ShortHashCode *shared_secret)
307{
309 // skE, pkE = GenerateElligatorKeyPair()
310 // enc = SerializePublicKey(pkE) == c is the elligator representative
312 skE,
313 &pkE,
314 (struct
316 *) c);
317
320 pkR, c, (const struct
322 shared_secret);
323}
324
325
328 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
330 struct GNUNET_ShortHashCode *shared_secret)
331{
332 uint8_t random_tweak;
334
336 &random_tweak,
337 sizeof(uint8_t));
338
339 // skE, pkE = GenerateElligatorKeyPair()
341
342 return GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak, pkR, c,
343 &skE, shared_secret);
344}
345
346
349 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
350 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
351 struct GNUNET_ShortHashCode *shared_secret)
352{
356 uint8_t kem_context[sizeof *r + crypto_scalarmult_curve25519_BYTES];
357 uint8_t pkR[crypto_scalarmult_BYTES];
358
360 // pkE = DeserializePublicKey(enc) Elligator deserialize!
362 // dh = DH(skR, pkE)
364 &dh));
365 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
366 crypto_scalarmult_curve25519_base (pkR, skR->d);
367 memcpy (kem_context, r, sizeof *r);
368 memcpy (kem_context + sizeof *r, pkR, sizeof pkR);
369 // shared_secret = ExtractAndExpand(dh, kem_context)
371 &dh, sizeof dh,
372 "HPKE-v1",
373 "HPKE-v1",
374 "eae_prk", strlen ("eae_prk"),
375 "shared_secret", strlen ("shared_secret"),
376 kem_context, sizeof kem_context,
379 shared_secret);
380}
381
382
385 const uint8_t *psk, size_t psk_len,
386 const uint8_t *psk_id, size_t psk_id_len)
387{
388 bool got_psk;
389 bool got_psk_id;
390
391 got_psk = (0 != psk_len);
392 got_psk_id = (0 != psk_id_len);
393
394 if (got_psk != got_psk_id)
395 {
397 "Inconsistent PSK inputs\n");
398 return GNUNET_SYSERR;
399 }
400
401 if (got_psk &&
404 {
406 "PSK input provided when not needed\n");
407 return GNUNET_SYSERR;
408 }
409 if (! got_psk &&
412 {
414 "Missing required PSK input\n");
415 return GNUNET_SYSERR;
416 }
417 return GNUNET_OK;
418}
419
420
424 const struct GNUNET_ShortHashCode *shared_secret,
425 const uint8_t *info, size_t info_len,
426 const uint8_t *psk, size_t psk_len,
427 const uint8_t *psk_id, size_t psk_id_len,
429{
430 struct GNUNET_ShortHashCode psk_id_hash;
431 struct GNUNET_ShortHashCode info_hash;
432 struct GNUNET_ShortHashCode secret;
433 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
434 uint8_t suite_id[strlen ("HPKE") + 6];
435 uint16_t kem_id = htons (32); // FIXME hardcode as constant
436 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
437 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
438
439 // DHKEM(X25519, HKDF-256): kem_id = 32
440 // concat("KEM", I2OSP(kem_id, 2))
441 memcpy (suite_id, "HPKE", 4);
442 memcpy (suite_id + 4, &kem_id, 2);
443 memcpy (suite_id + 6, &kdf_id, 2);
444 memcpy (suite_id + 8, &aead_id, 2);
445
446 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
447 return GNUNET_SYSERR;
448
449 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
450 "psk_id_hash", strlen ("psk_id_hash"),
451 psk_id, psk_id_len,
452 suite_id, sizeof suite_id, &psk_id_hash))
453 return GNUNET_SYSERR;
454 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
455 "info_hash", strlen ("info_hash"),
456 info, info_len,
457 suite_id, sizeof suite_id, &info_hash))
458 return GNUNET_SYSERR;
459 memcpy (key_schedule_context, &mode, 1);
460 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
461 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
462 &info_hash, sizeof info_hash);
463 if (GNUNET_OK != labeled_extract ("HPKE-v1",
464 shared_secret, sizeof *shared_secret,
465 "secret", strlen ("secret"),
466 psk, psk_len,
467 suite_id, sizeof suite_id, &secret))
468 return GNUNET_SYSERR;
469 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
470 // Note: Nk == sizeof ctx->key
471 if (GNUNET_OK != labeled_expand ("HPKE-v1",
472 &secret,
473 "key", strlen ("key"),
474 &key_schedule_context,
475 sizeof key_schedule_context,
476 suite_id, sizeof suite_id,
477 ctx->key, sizeof ctx->key))
478 return GNUNET_SYSERR;
479 // base_nonce = LabeledExpand(secret, "base_nonce",
480 // key_schedule_context, Nn)
481 if (GNUNET_OK != labeled_expand ("HPKE-v1",
482 &secret,
483 "base_nonce", strlen ("base_nonce"),
484 &key_schedule_context,
485 sizeof key_schedule_context,
486 suite_id, sizeof suite_id,
487 ctx->base_nonce, sizeof ctx->base_nonce))
488 return GNUNET_SYSERR;
489 // exporter_secret = LabeledExpand(secret, "exp",
490 // key_schedule_context, Nh)
491 if (GNUNET_OK != labeled_expand ("HPKE-v1",
492 &secret,
493 "exp", strlen ("exp"),
494 &key_schedule_context,
495 sizeof key_schedule_context,
496 suite_id, sizeof suite_id,
497 &ctx->exporter_secret,
498 sizeof ctx->exporter_secret))
499 return GNUNET_SYSERR;
500 ctx->seq = 0;
501 ctx->role = role;
502 return GNUNET_OK;
503}
504
505
508 enum GNUNET_CRYPTO_HpkeKem kem,
512 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
513 const uint8_t *info, size_t info_len,
514 const uint8_t *psk, size_t psk_len,
515 const uint8_t *psk_id, size_t psk_id_len,
518{
519 struct GNUNET_ShortHashCode shared_secret;
520
521 switch (mode)
522 {
526 {
528 &shared_secret))
529 return GNUNET_SYSERR;
530 break;
531 }
532 else if (kem ==
534 {
535 uint8_t random_tweak;
537 &random_tweak,
538 sizeof(uint8_t));
539 if (GNUNET_OK !=
541 pkR,
542 enc,
543 (struct
545 *) skE,
546 &shared_secret))
547 return GNUNET_SYSERR;
548 }
549 break;
550 default:
551 return GNUNET_SYSERR;
552 }
554 mode,
555 &shared_secret,
556 info, info_len,
557 psk, psk_len,
558 psk_id, psk_id_len,
559 ctx))
560 return GNUNET_SYSERR;
561 return GNUNET_OK;
562}
563
564
567 const uint8_t *info, size_t info_len,
570{
572 // skE, pkE = GenerateKeyPair()
574
578 &sk, NULL,
579 pkR, info, info_len,
580 NULL, 0,
581 NULL, 0,
582 enc,
583 ctx);
584}
585
586
589 enum GNUNET_CRYPTO_HpkeKem kem,
592 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
593 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS,
594 const uint8_t *info, size_t info_len,
595 const uint8_t *psk, size_t psk_len,
596 const uint8_t *psk_id, size_t psk_id_len,
598{
599 struct GNUNET_ShortHashCode shared_secret;
600
601 switch (mode)
602 {
606 {
608 &shared_secret))
609 return GNUNET_SYSERR;
610 }
611 else if (kem ==
613 {
615 enc,
616 &shared_secret))
617 return GNUNET_SYSERR;
618 }
619 break;
620 default:
621 return GNUNET_SYSERR;
622 }
624 mode,
625 &shared_secret,
626 info, info_len,
627 psk, psk_len,
628 psk_id, psk_id_len,
629 ctx))
630 return GNUNET_SYSERR;
631 return GNUNET_OK;
632}
633
634
638 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
639 const uint8_t *info, size_t info_len,
641{
645 enc, skR, NULL,
646 info, info_len,
647 NULL, 0, NULL, 0, ctx);
648}
649
650
653{
654 if (ctx->seq >= UINT64_MAX)
655 {
656 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
657 return GNUNET_SYSERR;
658 }
659 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
660 return GNUNET_OK;
661}
662
663
664static void
666 uint8_t *nonce)
667{
668 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
669 int j = 0;
670 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
671 {
672 // FIXME correct byte order?
673 if (i < offset)
674 memset (&nonce[i], ctx->base_nonce[i], 1);
675 else
676 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
677 }
678}
679
680
683 const uint8_t*aad, size_t aad_len,
684 const uint8_t *pt, size_t pt_len,
685 uint8_t *ct, unsigned long long *ct_len_p)
686{
687 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
688 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_S)
689 {
691 "HPKE: Wrong role; called as receiver (%d)!\n",
692 ctx->role);
693 return GNUNET_SYSERR;
694 }
695 compute_nonce (ctx, comp_nonce);
696 crypto_aead_chacha20poly1305_ietf_encrypt (ct, ct_len_p,
697 pt, pt_len,
698 aad, aad_len,
699 NULL,
700 comp_nonce,
701 ctx->key);
702 if (GNUNET_OK != increment_seq (ctx))
703 {
705 "HPKE: Seq increment failed!\n");
706 return GNUNET_SYSERR;
707 }
708 return GNUNET_OK;
709}
710
711
714 const uint8_t*aad, size_t aad_len,
715 const uint8_t *ct, size_t ct_len,
716 uint8_t *pt, unsigned long long *pt_len)
717{
718 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
719 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_R)
720 {
722 "HPKE: Wrong role; called as sender (%d)!\n",
723 ctx->role);
724 return GNUNET_SYSERR;
725 }
726 compute_nonce (ctx, comp_nonce);
727 if (0 != crypto_aead_chacha20poly1305_ietf_decrypt (pt, pt_len,
728 NULL,
729 ct, ct_len,
730 aad, aad_len,
731 comp_nonce,
732 ctx->key))
733 {
734 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "OpenError\n");
735 return GNUNET_SYSERR;
736 }
737 if (GNUNET_OK != increment_seq (ctx))
738 {
740 "HPKE: Seq increment failed!\n");
741 return GNUNET_SYSERR;
742 }
743 return GNUNET_OK;
744}
745
746
749 const uint8_t *info, size_t info_len,
750 const uint8_t*aad, size_t aad_len,
751 const uint8_t *pt, size_t pt_len,
752 uint8_t *ct, unsigned long long *ct_len_p)
753{
756 uint8_t *ct_off;
757
759 ct_off = (uint8_t*) &enc[1];
761 info, info_len,
762 enc, &ctx))
763 {
765 "HPKE: Sender setup failed!\n");
766 return GNUNET_SYSERR;
767 }
769 aad, aad_len,
770 pt, pt_len,
771 ct_off,
772 ct_len_p);
773}
774
775
778 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
779 const uint8_t *info, size_t info_len,
780 const uint8_t*aad, size_t aad_len,
781 const uint8_t *ct, size_t ct_len,
782 uint8_t *pt, unsigned long long *pt_len_p)
783{
786 uint8_t *ct_off;
787
789 ct_off = (uint8_t*) &enc[1];
791 info, info_len,
792 &ctx))
793 {
795 "HPKE: Receiver setup failed!\n");
796 return GNUNET_SYSERR;
797 }
799 aad, aad_len,
800 ct_off,
801 ct_len - sizeof *enc,
802 pt,
803 pt_len_p);
804}
805
806
809 struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
810{
811 switch (ntohl (pk->type))
812 {
814 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->q_y,
815 pk->ecdsa_key.q_y))
816 return GNUNET_SYSERR;
817 return GNUNET_OK;
819 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->q_y,
820 pk->eddsa_key.q_y))
821 return GNUNET_SYSERR;
822 return GNUNET_OK;
823 default:
824 return GNUNET_SYSERR;
825 }
826 return GNUNET_SYSERR;
827
828}
829
830
833 struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
834{
835 switch (ntohl (sk->type))
836 {
838 memcpy (x25519->d, sk->ecdsa_key.d,
839 sizeof sk->ecdsa_key.d);
840 return GNUNET_OK;
842 if (0 != crypto_sign_ed25519_sk_to_curve25519 (x25519->d,
843 sk->eddsa_key.d))
844 return GNUNET_SYSERR;
845 return GNUNET_OK;
846 default:
847 return GNUNET_SYSERR;
848 }
849 return GNUNET_SYSERR;
850
851}
static void compute_nonce(struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
Definition: crypto_hpke.c:665
static enum GNUNET_GenericReturnValue key_schedule(enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition: crypto_hpke.c:422
static enum GNUNET_GenericReturnValue increment_seq(struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition: crypto_hpke.c:652
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition: crypto_hpke.c:51
static enum GNUNET_GenericReturnValue kem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:167
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition: crypto_hpke.c:384
static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
Definition: crypto_hpke.c:158
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:124
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition: crypto_hpke.c:94
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
Definition: crypto_hpke.c:163
static struct GNUNET_FS_Handle * ctx
static OpusEncoder * enc
OPUS encoder.
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition: gnunet-scrypt.c:34
#define info
static unsigned char ikm[256/8]
The initial key material for the peer.
commonly used definitions; globals in this file are exempt from the rule that the module name ("commo...
static enum @44 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
Definition: crypto_hpke.c:203
void GNUNET_CRYPTO_ecdhe_key_create(struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
Create a new private key.
Definition: crypto_ecc.c:454
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private EdDSA key.
Definition: crypto_hpke.c:285
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh(const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, const struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a ECDH public key and a private X25519 key.
Definition: crypto_ecc.c:767
void GNUNET_CRYPTO_ecdhe_elligator_key_create(struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
Generates a private key for Curve25519.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh decapsulation with own private key and the representative of the received public key...
Definition: crypto_hpke.c:348
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a X25519 public key.
Definition: crypto_hpke.c:220
void GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
Fill block with a random values.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private X25519 key.
Definition: crypto_hpke.c:248
void GNUNET_CRYPTO_ecdhe_elligator_decoding(struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
Clears the most significant bit and second most significant bit of the serialized representaive befor...
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition: crypto_hpke.c:327
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition: crypto_hpke.c:301
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition: crypto_ecc.c:783
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps(const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a EdDSA public key.
Definition: crypto_hpke.c:233
void GNUNET_CRYPTO_ecdhe_key_get_public(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:217
@ GNUNET_CRYPTO_QUALITY_NONCE
Randomness for IVs etc.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition: crypto_hkdf.c:224
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition: crypto_hkdf.c:156
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:777
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_CRYPTO_EcdhePrivateKey *skS, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:507
GNUNET_CRYPTO_HpkeKem
HPKE KEM identifier TODO: Elligator KEM was requested at IANA; Number is currently a placeholder.
#define GNUNET_log(kind,...)
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:748
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:682
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition: common_endian.c:54
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:713
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition: common_endian.c:37
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519(const struct GNUNET_CRYPTO_PrivateKey *sk, struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition: crypto_hpke.c:832
GNUNET_CRYPTO_HpkeMode
HPKE RFC 9180.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519(const struct GNUNET_CRYPTO_PublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition: crypto_hpke.c:808
GNUNET_GenericReturnValue
Named constants for return values.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup(const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:636
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:588
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:566
GNUNET_CRYPTO_HpkeRole
Role of the HPKE participant.
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256
@ GNUNET_PUBLIC_KEY_TYPE_EDDSA
EDDSA identity.
@ GNUNET_PUBLIC_KEY_TYPE_ECDSA
The identity type.
@ GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_OK
@ GNUNET_SYSERR
@ GNUNET_CRYPTO_HPKE_ROLE_R
@ GNUNET_CRYPTO_HPKE_ROLE_S
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
@ GNUNET_ERROR_TYPE_ERROR
Private ECC key encoded for transmission.
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...
unsigned char q_y[256/8]
Q consists of an x- and a y-value, each mod p (256 bits), given here in affine coordinates and Ed2551...
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Private ECC key encoded for transmission.
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
Special private ECC key generated by GNUNET_CRYPTO_ecdhe_elligator_key_create.
Elligator representative (always for Curve25519)
uint8_t r[256/8]
Represents an element of Curve25519 finite field.
HPKE DHKEM encapsulation (X25519) See RFC 9180.
A private key for an identity as per LSD0001.
uint32_t type
Type of public key.
struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key
AN EdDSA identtiy key.
struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key
An ECDSA identity key.
An identity key as per LSD0001.
A 256-bit hashcode.