GNUnet 0.25.2-11-g84e94e98c
 
Loading...
Searching...
No Matches
crypto_hpke.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2024 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
26#include "platform.h"
27#include "gnunet_common.h"
28#include <sodium.h>
29#include <stdint.h>
30#include "gnunet_util_lib.h"
31#include "sodium/crypto_scalarmult.h"
32#include "sodium/crypto_scalarmult_curve25519.h"
33#include "sodium/utils.h"
34
50static enum GNUNET_GenericReturnValue
51labeled_extract (const char *ctx_str,
52 const void *salt, size_t salt_len,
53 const void *label, size_t label_len,
54 const void *ikm, size_t ikm_len,
55 const uint8_t *suite_id, size_t suite_id_len,
56 struct GNUNET_ShortHashCode *prk)
57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
72 return GNUNET_CRYPTO_hkdf_extract (prk,
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
76
77
93static enum GNUNET_GenericReturnValue
94labeled_expand (const char *ctx_str,
95 const struct GNUNET_ShortHashCode *prk,
96 const char *label, size_t label_len,
97 const void *info, size_t info_len,
98 const uint8_t *suite_id, size_t suite_id_len,
99 void *out_buf,
100 uint16_t out_len)
101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
119 labeled_info, sizeof labeled_info, NULL);
120}
121
122
123static enum GNUNET_GenericReturnValue
124GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh,
125 size_t dh_len,
126 const char *extract_ctx,
127 const char *expand_ctx,
128 const void*extract_lbl, size_t
129 extract_lbl_len,
130 const void*expand_lbl, size_t
131 expand_lbl_len,
132 const uint8_t *kem_context,
133 size_t kem_context_len,
134 const uint8_t *suite_id, size_t
135 suite_id_len,
136 struct GNUNET_ShortHashCode *
137 shared_secret)
138{
139 struct GNUNET_ShortHashCode prk;
140 // eae_prk = LabeledExtract("", "eae_prk", dh)
141 labeled_extract (extract_ctx,
142 NULL, 0,
143 extract_lbl, extract_lbl_len,
144 dh, dh_len,
145 suite_id, suite_id_len,
146 &prk);
147 return labeled_expand (expand_ctx,
148 &prk,
149 expand_lbl, expand_lbl_len,
150 kem_context, kem_context_len,
151 suite_id, suite_id_len,
152 shared_secret, sizeof *shared_secret);
153}
154
155
156// DHKEM(X25519, HKDF-256): kem_id = 32
157// concat("KEM", I2OSP(kem_id, 2))
158static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[] = { 'K', 'E', 'M',
159 0x00, 0x20 };
160
161// DHKEM(X25519Elligator, HKDF-256): kem_id = 0x0022
162// concat("KEM", I2OSP(kem_id, 2))
163static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[] = { 'K', 'E', 'M',
164 0x00, 0x22 };
165
166static enum GNUNET_GenericReturnValue
167kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
168 const struct GNUNET_CRYPTO_HpkePublicKey *pkR,
169 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
170 const struct GNUNET_CRYPTO_HpkePrivateKey *skE,
171 struct GNUNET_ShortHashCode *shared_secret)
172{
173 struct GNUNET_CRYPTO_HpkePublicKey dh;
174 uint8_t kem_context[sizeof *c + sizeof pkR->ecdhe_key];
175
176 // dh = DH(skE, pkR)
177 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (
178 &skE->ecdhe_key,
179 &pkR->ecdhe_key,
180 &dh.ecdhe_key))
181 {
182 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
183 "HPKE KEM encaps: Validation error\n");
184 return GNUNET_SYSERR; // ValidationError
185 }
186 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
187 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
188 // kem_context = concat(enc, pkRm)
189 memcpy (kem_context, c, sizeof *c);
190 memcpy (kem_context + sizeof *c,
191 &pkR->ecdhe_key,
192 sizeof pkR->ecdhe_key);
193 // shared_secret = ExtractAndExpand(dh, kem_context)
194 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
195 &dh.ecdhe_key, sizeof dh.ecdhe_key,
196 "HPKE-v1",
197 "HPKE-v1",
198 "eae_prk", strlen ("eae_prk"),
199 "shared_secret", strlen ("shared_secret"),
200 kem_context, sizeof kem_context,
201 suite_id, suite_id_len,
202 shared_secret);
203}
204
205
206enum GNUNET_GenericReturnValue
207GNUNET_CRYPTO_hpke_kem_encaps_norand (
208 const struct GNUNET_CRYPTO_HpkePublicKey *pkR,
209 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
210 const struct GNUNET_CRYPTO_HpkePrivateKey *skE,
211 struct GNUNET_ShortHashCode *shared_secret)
212{
213 struct GNUNET_CRYPTO_EcdhePublicKey ecdh_pk;
214 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
215 GNUNET_CRYPTO_ecdhe_key_get_public (
216 &skE->ecdhe_key,
217 &ecdh_pk);
218 GNUNET_memcpy (enc,
219 ecdh_pk.q_y,
220 sizeof ecdh_pk.q_y);
221 return kem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
222 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
223 pkR, enc, skE, shared_secret);
224}
225
226
227enum GNUNET_GenericReturnValue
228GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_HpkePublicKey *
229 pub,
230 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
231 struct GNUNET_ShortHashCode *shared_secret)
232{
233 struct GNUNET_CRYPTO_HpkePrivateKey skE;
234 // skE, pkE = GenerateKeyPair()
235 GNUNET_CRYPTO_ecdhe_key_create (&skE.ecdhe_key);
236
237 return GNUNET_CRYPTO_hpke_kem_encaps_norand (pub, c, &skE, shared_secret);
238}
239
240
241enum GNUNET_GenericReturnValue
242GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
243 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
244 struct GNUNET_ShortHashCode *shared_secret)
245{
246 struct GNUNET_CRYPTO_HpkePublicKey pkR;
247
248 // This maps the ed25519 point to X25519
249 if (0 != crypto_sign_ed25519_pk_to_curve25519 (pkR.ecdhe_key.q_y,
250 pub->q_y))
251 return GNUNET_SYSERR;
252
253 return GNUNET_CRYPTO_hpke_kem_encaps (&pkR, c, shared_secret);
254}
255
256
257enum GNUNET_GenericReturnValue
258GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_HpkePrivateKey *
259 skR,
260 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
261 struct GNUNET_ShortHashCode *shared_secret)
262{
263 struct GNUNET_CRYPTO_HpkePublicKey dh;
264 uint8_t kem_context[sizeof *c + crypto_scalarmult_curve25519_BYTES];
265 uint8_t pkR[crypto_scalarmult_BYTES];
266
267 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
268 // dh = DH(skR, pkE)
269 if (GNUNET_OK !=
270 GNUNET_CRYPTO_x25519_ecdh (&skR->ecdhe_key,
271 (struct GNUNET_CRYPTO_EcdhePublicKey*) c,
272 &dh.ecdhe_key))
273 return GNUNET_SYSERR; // ValidationError
274
275 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
276 crypto_scalarmult_curve25519_base (pkR,
277 skR->ecdhe_key.d);
278 // kem_context = concat(enc, pkRm)
279 memcpy (kem_context, c, sizeof *c);
280 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
281 // shared_secret = ExtractAndExpand(dh, kem_context)
282 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
283 &dh.ecdhe_key, sizeof dh.ecdhe_key,
284 "HPKE-v1",
285 "HPKE-v1",
286 "eae_prk", strlen ("eae_prk"),
287 "shared_secret", strlen ("shared_secret"),
288 kem_context, sizeof kem_context,
289 GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
290 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
291 shared_secret);
292}
293
294
295// FIXME use Ed -> Curve conversion???
296enum GNUNET_GenericReturnValue
297GNUNET_CRYPTO_eddsa_kem_decaps (const struct
298 GNUNET_CRYPTO_EddsaPrivateKey *priv,
299 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
300 struct GNUNET_ShortHashCode *shared_secret)
301{
302 struct GNUNET_CRYPTO_HpkePrivateKey skR;
303
304 // This maps the ed25519 point to X25519
305 if (0 != crypto_sign_ed25519_sk_to_curve25519 (skR.ecdhe_key.d,
306 priv->d))
307 return GNUNET_SYSERR;
308 return GNUNET_CRYPTO_hpke_kem_decaps (&skR, c, shared_secret);
309
310}
311
312
313enum GNUNET_GenericReturnValue
314GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (
315 uint8_t random_tweak,
316 const struct GNUNET_CRYPTO_HpkePublicKey *pkR,
317 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
318 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE,
319 struct GNUNET_ShortHashCode *shared_secret)
320{
321 struct GNUNET_CRYPTO_HpkePublicKey pkE;
322 struct GNUNET_CRYPTO_HpkePrivateKey skE_hpke;
323 // skE, pkE = GenerateElligatorKeyPair()
324 // enc = SerializePublicKey(pkE) == c is the elligator representative
325 GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand (
326 random_tweak,
327 skE,
328 &pkE.ecdhe_key,
329 (struct GNUNET_CRYPTO_ElligatorRepresentative*) c);
330
331 GNUNET_memcpy (&skE_hpke.ecdhe_key,
332 skE,
333 sizeof *skE);
334 return kem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
335 sizeof GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
336 pkR,
337 c,
338 &skE_hpke,
339 shared_secret);
340}
341
342
343enum GNUNET_GenericReturnValue
344GNUNET_CRYPTO_hpke_elligator_kem_encaps (
345 const struct GNUNET_CRYPTO_HpkePublicKey *pkR,
346 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
347 struct GNUNET_ShortHashCode *shared_secret)
348{
349 uint8_t random_tweak;
350 struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey skE;
351
352 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
353 &random_tweak,
354 sizeof(uint8_t));
355
356 // skE, pkE = GenerateElligatorKeyPair()
357 GNUNET_CRYPTO_ecdhe_elligator_key_create (&skE);
358
359 return GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak, pkR, c,
360 &skE, shared_secret);
361}
362
363
364enum GNUNET_GenericReturnValue
365GNUNET_CRYPTO_hpke_elligator_kem_decaps (
366 const struct GNUNET_CRYPTO_HpkePrivateKey *skR,
367 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
368 struct GNUNET_ShortHashCode *shared_secret)
369{
370 struct GNUNET_CRYPTO_HpkePublicKey pkE;
371 struct GNUNET_CRYPTO_HpkePublicKey dh;
372 const struct GNUNET_CRYPTO_ElligatorRepresentative *r;
373 uint8_t kem_context[sizeof *r + crypto_scalarmult_curve25519_BYTES];
374 uint8_t pkR[crypto_scalarmult_BYTES];
375
376 r = (struct GNUNET_CRYPTO_ElligatorRepresentative*) c;
377 // pkE = DeserializePublicKey(enc) Elligator deserialize!
378 GNUNET_CRYPTO_ecdhe_elligator_decoding (
379 &pkE.ecdhe_key,
380 NULL,
381 r);
382 // dh = DH(skR, pkE)
383 GNUNET_assert (GNUNET_OK ==
384 GNUNET_CRYPTO_x25519_ecdh (
385 &skR->ecdhe_key,
386 &pkE.ecdhe_key,
387 &dh.ecdhe_key));
388 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
389 crypto_scalarmult_curve25519_base (pkR,
390 skR->ecdhe_key.d);
391 memcpy (kem_context, r, sizeof *r);
392 memcpy (kem_context + sizeof *r, pkR, sizeof pkR);
393 // shared_secret = ExtractAndExpand(dh, kem_context)
394 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
395 &dh.ecdhe_key, sizeof dh.ecdhe_key,
396 "HPKE-v1",
397 "HPKE-v1",
398 "eae_prk", strlen ("eae_prk"),
399 "shared_secret", strlen ("shared_secret"),
400 kem_context, sizeof kem_context,
401 GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
402 sizeof GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
403 shared_secret);
404}
405
406
407static enum GNUNET_GenericReturnValue
408verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode,
409 const uint8_t *psk, size_t psk_len,
410 const uint8_t *psk_id, size_t psk_id_len)
411{
412 bool got_psk;
413 bool got_psk_id;
414
415 got_psk = (0 != psk_len);
416 got_psk_id = (0 != psk_id_len);
417
418 if (got_psk != got_psk_id)
419 {
420 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
421 "Inconsistent PSK inputs\n");
422 return GNUNET_SYSERR;
423 }
424
425 if (got_psk &&
426 ((GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
427 (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode)))
428 {
429 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
430 "PSK input provided when not needed\n");
431 return GNUNET_SYSERR;
432 }
433 if (! got_psk &&
434 ((GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
435 (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode)))
436 {
437 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
438 "Missing required PSK input\n");
439 return GNUNET_SYSERR;
440 }
441 return GNUNET_OK;
442}
443
444
445static enum GNUNET_GenericReturnValue
446key_schedule (enum GNUNET_CRYPTO_HpkeRole role,
447 enum GNUNET_CRYPTO_HpkeMode mode,
448 const struct GNUNET_ShortHashCode *shared_secret,
449 const uint8_t *info, size_t info_len,
450 const uint8_t *psk, size_t psk_len,
451 const uint8_t *psk_id, size_t psk_id_len,
452 struct GNUNET_CRYPTO_HpkeContext *ctx)
453{
454 struct GNUNET_ShortHashCode psk_id_hash;
455 struct GNUNET_ShortHashCode info_hash;
456 struct GNUNET_ShortHashCode secret;
457 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
458 uint8_t suite_id[4 + 3 * 2];
459 uint16_t kem_id = htons (32); // FIXME hardcode as constant
460 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
461 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
462
463 // DHKEM(X25519, HKDF-256): kem_id = 32
464 // concat("KEM", I2OSP(kem_id, 2))
465 memcpy (suite_id, "HPKE", 4);
466 memcpy (suite_id + 4, &kem_id, 2);
467 memcpy (suite_id + 6, &kdf_id, 2);
468 memcpy (suite_id + 8, &aead_id, 2);
469
470 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
471 return GNUNET_SYSERR;
472
473 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
474 "psk_id_hash", strlen ("psk_id_hash"),
475 psk_id, psk_id_len,
476 suite_id, sizeof suite_id, &psk_id_hash))
477 return GNUNET_SYSERR;
478 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
479 "info_hash", strlen ("info_hash"),
480 info, info_len,
481 suite_id, sizeof suite_id, &info_hash))
482 return GNUNET_SYSERR;
483 memcpy (key_schedule_context, &mode, 1);
484 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
485 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
486 &info_hash, sizeof info_hash);
487 if (GNUNET_OK != labeled_extract ("HPKE-v1",
488 shared_secret, sizeof *shared_secret,
489 "secret", strlen ("secret"),
490 psk, psk_len,
491 suite_id, sizeof suite_id, &secret))
492 return GNUNET_SYSERR;
493 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
494 // Note: Nk == sizeof ctx->key
495 if (GNUNET_OK != labeled_expand ("HPKE-v1",
496 &secret,
497 "key", strlen ("key"),
498 &key_schedule_context,
499 sizeof key_schedule_context,
500 suite_id, sizeof suite_id,
501 ctx->key, sizeof ctx->key))
502 return GNUNET_SYSERR;
503 // base_nonce = LabeledExpand(secret, "base_nonce",
504 // key_schedule_context, Nn)
505 if (GNUNET_OK != labeled_expand ("HPKE-v1",
506 &secret,
507 "base_nonce", strlen ("base_nonce"),
508 &key_schedule_context,
509 sizeof key_schedule_context,
510 suite_id, sizeof suite_id,
511 ctx->base_nonce, sizeof ctx->base_nonce))
512 return GNUNET_SYSERR;
513 // exporter_secret = LabeledExpand(secret, "exp",
514 // key_schedule_context, Nh)
515 if (GNUNET_OK != labeled_expand ("HPKE-v1",
516 &secret,
517 "exp", strlen ("exp"),
518 &key_schedule_context,
519 sizeof key_schedule_context,
520 suite_id, sizeof suite_id,
521 &ctx->exporter_secret,
522 sizeof ctx->exporter_secret))
523 return GNUNET_SYSERR;
524 ctx->seq = 0;
525 ctx->role = role;
526 return GNUNET_OK;
527}
528
529
530enum GNUNET_GenericReturnValue
531GNUNET_CRYPTO_hpke_sender_setup2 (
532 enum GNUNET_CRYPTO_HpkeKem kem,
533 enum GNUNET_CRYPTO_HpkeMode mode,
534 struct GNUNET_CRYPTO_HpkePrivateKey *skE,
535 struct GNUNET_CRYPTO_HpkePrivateKey *skS,
536 const struct GNUNET_CRYPTO_HpkePublicKey *pkR,
537 const uint8_t *info, size_t info_len,
538 const uint8_t *psk, size_t psk_len,
539 const uint8_t *psk_id, size_t psk_id_len,
540 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
541 struct GNUNET_CRYPTO_HpkeContext *ctx)
542{
543 struct GNUNET_ShortHashCode shared_secret;
544
545 switch (mode)
546 {
547 case GNUNET_CRYPTO_HPKE_MODE_BASE:
548 case GNUNET_CRYPTO_HPKE_MODE_PSK:
549 if (kem == GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256)
550 {
551 if (GNUNET_OK != GNUNET_CRYPTO_hpke_kem_encaps_norand (pkR, enc, skE,
552 &shared_secret))
553 return GNUNET_SYSERR;
554 break;
555 }
556 else if (kem ==
557 GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256)
558 {
559 uint8_t random_tweak;
560 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
561 &random_tweak,
562 sizeof(uint8_t));
563 if (GNUNET_OK !=
564 GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak,
565 pkR,
566 enc,
567 (struct
568 GNUNET_CRYPTO_ElligatorEcdhePrivateKey
569 *) skE,
570 &shared_secret))
571 return GNUNET_SYSERR;
572 }
573 break;
574 default:
575 return GNUNET_SYSERR;
576 }
577 if (GNUNET_OK != key_schedule (GNUNET_CRYPTO_HPKE_ROLE_S,
578 mode,
579 &shared_secret,
580 info, info_len,
581 psk, psk_len,
582 psk_id, psk_id_len,
583 ctx))
584 return GNUNET_SYSERR;
585 return GNUNET_OK;
586}
587
588
589enum GNUNET_GenericReturnValue
590GNUNET_CRYPTO_hpke_sender_setup (const struct
591 GNUNET_CRYPTO_HpkePublicKey *pkR,
592 const uint8_t *info, size_t info_len,
593 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
594 struct GNUNET_CRYPTO_HpkeContext *ctx)
595{
596 struct GNUNET_CRYPTO_HpkePrivateKey sk;
597 // skE, pkE = GenerateKeyPair()
598 GNUNET_CRYPTO_ecdhe_key_create (&sk.ecdhe_key);
599
600 return GNUNET_CRYPTO_hpke_sender_setup2 (
601 GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256,
602 GNUNET_CRYPTO_HPKE_MODE_BASE,
603 &sk, NULL,
604 pkR, info, info_len,
605 NULL, 0,
606 NULL, 0,
607 enc,
608 ctx);
609}
610
611
612enum GNUNET_GenericReturnValue
613GNUNET_CRYPTO_hpke_receiver_setup2 (
614 enum GNUNET_CRYPTO_HpkeKem kem,
615 enum GNUNET_CRYPTO_HpkeMode mode,
616 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
617 const struct GNUNET_CRYPTO_HpkePrivateKey *skR,
618 const struct GNUNET_CRYPTO_HpkePublicKey *pkS,
619 const uint8_t *info, size_t info_len,
620 const uint8_t *psk, size_t psk_len,
621 const uint8_t *psk_id, size_t psk_id_len,
622 struct GNUNET_CRYPTO_HpkeContext *ctx)
623{
624 struct GNUNET_ShortHashCode shared_secret;
625
626 switch (mode)
627 {
628 case GNUNET_CRYPTO_HPKE_MODE_BASE:
629 case GNUNET_CRYPTO_HPKE_MODE_PSK:
630 if (kem == GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256)
631 {
632 if (GNUNET_OK != GNUNET_CRYPTO_hpke_kem_decaps (skR, enc,
633 &shared_secret))
634 return GNUNET_SYSERR;
635 }
636 else if (kem ==
637 GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256)
638 {
639 if (GNUNET_OK != GNUNET_CRYPTO_hpke_elligator_kem_decaps (skR,
640 enc,
641 &shared_secret))
642 return GNUNET_SYSERR;
643 }
644 break;
645 default:
646 return GNUNET_SYSERR;
647 }
648 if (GNUNET_OK != key_schedule (GNUNET_CRYPTO_HPKE_ROLE_R,
649 mode,
650 &shared_secret,
651 info, info_len,
652 psk, psk_len,
653 psk_id, psk_id_len,
654 ctx))
655 return GNUNET_SYSERR;
656 return GNUNET_OK;
657}
658
659
660enum GNUNET_GenericReturnValue
661GNUNET_CRYPTO_hpke_receiver_setup (
662 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
663 const struct GNUNET_CRYPTO_HpkePrivateKey *skR,
664 const uint8_t *info, size_t info_len,
665 struct GNUNET_CRYPTO_HpkeContext *ctx)
666{
667 return GNUNET_CRYPTO_hpke_receiver_setup2 (
668 GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256,
669 GNUNET_CRYPTO_HPKE_MODE_BASE,
670 enc, skR, NULL,
671 info, info_len,
672 NULL, 0, NULL, 0, ctx);
673}
674
675
676static enum GNUNET_GenericReturnValue
677increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
678{
679 if (ctx->seq >= UINT64_MAX)
680 {
681 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
682 return GNUNET_SYSERR;
683 }
684 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
685 return GNUNET_OK;
686}
687
688
689static void
690compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx,
691 uint8_t *nonce)
692{
693 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
694 int j = 0;
695 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
696 {
697 // FIXME correct byte order?
698 if (i < offset)
699 memset (&nonce[i], ctx->base_nonce[i], 1);
700 else
701 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
702 }
703}
704
705
706enum GNUNET_GenericReturnValue
707GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx,
708 const uint8_t*aad, size_t aad_len,
709 const uint8_t *pt, size_t pt_len,
710 uint8_t *ct, unsigned long long *ct_len_p)
711{
712 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
713 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_S)
714 {
715 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
716 "HPKE: Wrong role; called as receiver (%d)!\n",
717 ctx->role);
718 return GNUNET_SYSERR;
719 }
720 compute_nonce (ctx, comp_nonce);
721 crypto_aead_chacha20poly1305_ietf_encrypt (ct, ct_len_p,
722 pt, pt_len,
723 aad, aad_len,
724 NULL,
725 comp_nonce,
726 ctx->key);
727 if (GNUNET_OK != increment_seq (ctx))
728 {
729 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
730 "HPKE: Seq increment failed!\n");
731 return GNUNET_SYSERR;
732 }
733 return GNUNET_OK;
734}
735
736
737enum GNUNET_GenericReturnValue
738GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx,
739 const uint8_t*aad, size_t aad_len,
740 const uint8_t *ct, size_t ct_len,
741 uint8_t *pt, unsigned long long *pt_len)
742{
743 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
744 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_R)
745 {
746 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
747 "HPKE: Wrong role; called as sender (%d)!\n",
748 ctx->role);
749 return GNUNET_SYSERR;
750 }
751 compute_nonce (ctx, comp_nonce);
752 if (0 != crypto_aead_chacha20poly1305_ietf_decrypt (pt, pt_len,
753 NULL,
754 ct, ct_len,
755 aad, aad_len,
756 comp_nonce,
757 ctx->key))
758 {
759 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "OpenError\n");
760 return GNUNET_SYSERR;
761 }
762 if (GNUNET_OK != increment_seq (ctx))
763 {
764 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
765 "HPKE: Seq increment failed!\n");
766 return GNUNET_SYSERR;
767 }
768 return GNUNET_OK;
769}
770
771
772enum GNUNET_GenericReturnValue
773GNUNET_CRYPTO_hpke_seal_oneshot (const struct
774 GNUNET_CRYPTO_HpkePublicKey *pkR,
775 const uint8_t *info, size_t info_len,
776 const uint8_t*aad, size_t aad_len,
777 const uint8_t *pt, size_t pt_len,
778 uint8_t *ct, unsigned long long *ct_len_p)
779{
780 struct GNUNET_CRYPTO_HpkeContext ctx;
781 struct GNUNET_CRYPTO_HpkeEncapsulation *enc;
782 uint8_t *ct_off;
783
784 enc = (struct GNUNET_CRYPTO_HpkeEncapsulation*) ct;
785 ct_off = (uint8_t*) &enc[1];
786 if (GNUNET_OK != GNUNET_CRYPTO_hpke_sender_setup (pkR,
787 info, info_len,
788 enc, &ctx))
789 {
790 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
791 "HPKE: Sender setup failed!\n");
792 return GNUNET_SYSERR;
793 }
794 return GNUNET_CRYPTO_hpke_seal (&ctx,
795 aad, aad_len,
796 pt, pt_len,
797 ct_off,
798 ct_len_p);
799}
800
801
802enum GNUNET_GenericReturnValue
803GNUNET_CRYPTO_hpke_open_oneshot (
804 const struct GNUNET_CRYPTO_HpkePrivateKey *skR,
805 const uint8_t *info, size_t info_len,
806 const uint8_t*aad, size_t aad_len,
807 const uint8_t *ct, size_t ct_len,
808 uint8_t *pt, unsigned long long *pt_len_p)
809{
810 struct GNUNET_CRYPTO_HpkeContext ctx;
811 struct GNUNET_CRYPTO_HpkeEncapsulation *enc;
812 uint8_t *ct_off;
813
814 enc = (struct GNUNET_CRYPTO_HpkeEncapsulation*) ct;
815 ct_off = (uint8_t*) &enc[1];
816 if (GNUNET_OK != GNUNET_CRYPTO_hpke_receiver_setup (enc, skR,
817 info, info_len,
818 &ctx))
819 {
820 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
821 "HPKE: Receiver setup failed!\n");
822 return GNUNET_SYSERR;
823 }
824 return GNUNET_CRYPTO_hpke_open (&ctx,
825 aad, aad_len,
826 ct_off,
827 ct_len - sizeof *enc,
828 pt,
829 pt_len_p);
830}
831
832
833enum GNUNET_GenericReturnValue
834GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_BlindablePublicKey *
835 pk,
836 struct GNUNET_CRYPTO_HpkePublicKey *
837 x25519)
838{
839 switch (ntohl (pk->type))
840 {
841 case GNUNET_PUBLIC_KEY_TYPE_ECDSA:
842 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->ecdhe_key.q_y,
843 pk->ecdsa_key.q_y))
844 return GNUNET_SYSERR;
845 return GNUNET_OK;
846 case GNUNET_PUBLIC_KEY_TYPE_EDDSA:
847 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->ecdhe_key.q_y,
848 pk->eddsa_key.q_y))
849 return GNUNET_SYSERR;
850 return GNUNET_OK;
851 default:
852 return GNUNET_SYSERR;
853 }
854 return GNUNET_SYSERR;
855
856}
857
858
859enum GNUNET_GenericReturnValue
860GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct
861 GNUNET_CRYPTO_BlindablePrivateKey *sk,
862 struct GNUNET_CRYPTO_HpkePrivateKey *
863 x25519)
864{
865 switch (ntohl (sk->type))
866 {
867 case GNUNET_PUBLIC_KEY_TYPE_ECDSA:
868 memcpy (x25519->ecdhe_key.d,
869 sk->ecdsa_key.d,
870 sizeof sk->ecdsa_key.d);
871 return GNUNET_OK;
872 case GNUNET_PUBLIC_KEY_TYPE_EDDSA:
873 if (0 != crypto_sign_ed25519_sk_to_curve25519 (x25519->ecdhe_key.d,
874 sk->eddsa_key.d))
875 return GNUNET_SYSERR;
876 return GNUNET_OK;
877 default:
878 return GNUNET_SYSERR;
879 }
880 return GNUNET_SYSERR;
881
882}
compute_nonce
static void compute_nonce(struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
Definition crypto_hpke.c:690
key_schedule
static enum GNUNET_GenericReturnValue key_schedule(enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition crypto_hpke.c:446
increment_seq
static enum GNUNET_GenericReturnValue increment_seq(struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition crypto_hpke.c:677
labeled_extract
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:51
verify_psk_inputs
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition crypto_hpke.c:408
GNUNET_CRYPTO_HPKE_KEM_SUITE_ID
static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
Definition crypto_hpke.c:158
GNUNET_CRYPTO_hpke_labeled_extract_and_expand
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition crypto_hpke.c:124
labeled_expand
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition crypto_hpke.c:94
kem_encaps_norand
static enum GNUNET_GenericReturnValue kem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition crypto_hpke.c:167
GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
Definition crypto_hpke.c:163
ctx
static struct GNUNET_FS_Handle * ctx
Definition gnunet-download.c:40
enc
static OpusEncoder * enc
OPUS encoder.
Definition gnunet-helper-audio-record.c:206
pk
struct GNUNET_CRYPTO_BlindablePrivateKey pk
Private key from command line option, or NULL.
Definition gnunet-identity.c:126
pub
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition gnunet-scrypt.c:47
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition gnunet-scrypt.c:34
info
#define info
ikm
static unsigned char ikm[256/8]
The initial key material for the peer.
Definition gnunet-service-pils.c:78
gnunet_common.h
commonly used definitions; globals in this file are exempt from the rule that the module name ("commo...
mode
static enum @49 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
gnunet_util_lib.h
GNUNET_CRYPTO_ecdhe_key_create
void GNUNET_CRYPTO_ecdhe_key_create(struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
Create a new private key.
Definition crypto_ecc.c:454
GNUNET_CRYPTO_eddsa_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private EdDSA key.
Definition crypto_hpke.c:297
GNUNET_CRYPTO_x25519_ecdh
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh(const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, const struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a ECDH public key and a private X25519 key.
Definition crypto_ecc.c:767
GNUNET_CRYPTO_ecdhe_elligator_key_create
void GNUNET_CRYPTO_ecdhe_elligator_key_create(struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
Generates a private key for Curve25519.
Definition crypto_elligator.c:680
GNUNET_CRYPTO_hpke_elligator_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps(const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition crypto_hpke.c:344
GNUNET_CRYPTO_hpke_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps(const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private X25519 key.
Definition crypto_hpke.c:258
GNUNET_CRYPTO_random_block
void GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
Fill block with a random values.
Definition crypto_random.c:133
GNUNET_CRYPTO_hpke_kem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand(const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
Definition crypto_hpke.c:207
GNUNET_CRYPTO_hpke_elligator_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps(const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh decapsulation with own private key and the representative of the received public key...
Definition crypto_hpke.c:365
GNUNET_CRYPTO_ecdhe_elligator_decoding
void GNUNET_CRYPTO_ecdhe_elligator_decoding(struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
Clears the most significant bit and second most significant bit of the serialized representaive befor...
Definition crypto_elligator.c:508
GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...
Definition crypto_elligator.c:639
GNUNET_CRYPTO_hpke_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps(const struct GNUNET_CRYPTO_HpkePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a X25519 public key.
Definition crypto_hpke.c:228
GNUNET_CRYPTO_ecdh_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition crypto_ecc.c:783
GNUNET_CRYPTO_eddsa_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps(const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a EdDSA public key.
Definition crypto_hpke.c:242
GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition crypto_hpke.c:314
GNUNET_CRYPTO_ecdhe_key_get_public
void GNUNET_CRYPTO_ecdhe_key_get_public(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Extract the public key for the given private key.
Definition crypto_ecc.c:217
GNUNET_CRYPTO_QUALITY_NONCE
@ GNUNET_CRYPTO_QUALITY_NONCE
Randomness for IVs etc.
Definition gnunet_crypto_lib.h:104
GNUNET_CRYPTO_hkdf_extract
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition crypto_hkdf.c:224
GNUNET_CRYPTO_hkdf_expand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition crypto_hkdf.c:156
GNUNET_CRYPTO_HpkeKem
GNUNET_CRYPTO_HpkeKem
HPKE KEM identifier TODO: Elligator KEM was requested at IANA; Number is currently a placeholder.
Definition gnunet_crypto_lib.h:2227
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_CRYPTO_hpke_seal
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:707
GNUNET_CRYPTO_hpke_sender_setup
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup(const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:590
GNUNET_CRYPTO_hpke_seal_oneshot
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot(const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:773
GNUNET_ntohll
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition common_endian.c:54
GNUNET_CRYPTO_hpke_sk_to_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519(const struct GNUNET_CRYPTO_BlindablePrivateKey *sk, struct GNUNET_CRYPTO_HpkePrivateKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition crypto_hpke.c:860
GNUNET_CRYPTO_hpke_open_oneshot
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot(const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:803
GNUNET_CRYPTO_hpke_open
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:738
GNUNET_CRYPTO_hpke_sender_setup2
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_HpkePrivateKey *skE, struct GNUNET_CRYPTO_HpkePrivateKey *skS, const struct GNUNET_CRYPTO_HpkePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:531
GNUNET_CRYPTO_hpke_receiver_setup2
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const struct GNUNET_CRYPTO_HpkePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:613
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition common_endian.c:37
GNUNET_CRYPTO_HPKE_NONCE_LEN
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
Definition gnunet_crypto_lib.h:2173
GNUNET_memcpy
#define GNUNET_memcpy(dst, src, n)
Call memcpy() but check for n being 0 first.
Definition gnunet_common.h:1320
GNUNET_CRYPTO_hpke_receiver_setup
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup(const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_HpkePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition crypto_hpke.c:661
GNUNET_CRYPTO_HpkeMode
GNUNET_CRYPTO_HpkeMode
HPKE RFC 9180.
Definition gnunet_crypto_lib.h:2162
GNUNET_GenericReturnValue
GNUNET_GenericReturnValue
Named constants for return values.
Definition gnunet_common.h:111
GNUNET_CRYPTO_hpke_pk_to_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519(const struct GNUNET_CRYPTO_BlindablePublicKey *pk, struct GNUNET_CRYPTO_HpkePublicKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition crypto_hpke.c:834
GNUNET_CRYPTO_HpkeRole
GNUNET_CRYPTO_HpkeRole
Role of the HPKE participant.
Definition gnunet_crypto_lib.h:2193
GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256
Definition gnunet_crypto_lib.h:2229
GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256
Definition gnunet_crypto_lib.h:2231
GNUNET_PUBLIC_KEY_TYPE_EDDSA
@ GNUNET_PUBLIC_KEY_TYPE_EDDSA
EDDSA identity.
Definition gnunet_crypto_lib.h:391
GNUNET_PUBLIC_KEY_TYPE_ECDSA
@ GNUNET_PUBLIC_KEY_TYPE_ECDSA
The identity type.
Definition gnunet_crypto_lib.h:385
GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_PSK
Definition gnunet_crypto_lib.h:2164
GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
Definition gnunet_crypto_lib.h:2166
GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_BASE
Definition gnunet_crypto_lib.h:2163
GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
Definition gnunet_crypto_lib.h:2165
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_CRYPTO_HPKE_ROLE_R
@ GNUNET_CRYPTO_HPKE_ROLE_R
Definition gnunet_crypto_lib.h:2195
GNUNET_CRYPTO_HPKE_ROLE_S
@ GNUNET_CRYPTO_HPKE_ROLE_S
Definition gnunet_crypto_lib.h:2197
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:960
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
GNUNET_CRYPTO_BlindablePrivateKey
A private key for an identity as per LSD0001.
Definition gnunet_crypto_lib.h:400
GNUNET_CRYPTO_BlindablePrivateKey::ecdsa_key
struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key
An ECDSA identity key.
Definition gnunet_crypto_lib.h:413
GNUNET_CRYPTO_BlindablePrivateKey::type
uint32_t type
Type of public key.
Definition gnunet_crypto_lib.h:406
GNUNET_CRYPTO_BlindablePrivateKey::eddsa_key
struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key
AN EdDSA identtiy key.
Definition gnunet_crypto_lib.h:418
GNUNET_CRYPTO_BlindablePublicKey
An identity key as per LSD0001.
Definition gnunet_crypto_lib.h:427
GNUNET_CRYPTO_EcdhePrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition gnunet_crypto_lib.h:258
GNUNET_CRYPTO_EcdhePublicKey
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...
Definition gnunet_crypto_lib.h:240
GNUNET_CRYPTO_EcdhePublicKey::q_y
unsigned char q_y[256/8]
Q consists of an x- and a y-value, each mod p (256 bits), given here in affine coordinates and Ed2551...
Definition gnunet_crypto_lib.h:245
GNUNET_CRYPTO_EcdsaPrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition gnunet_crypto_lib.h:270
GNUNET_CRYPTO_EddsaPrivateKey
Private ECC key encoded for transmission.
Definition gnunet_crypto_lib.h:278
GNUNET_CRYPTO_EddsaPrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition gnunet_crypto_lib.h:282
GNUNET_CRYPTO_EddsaPublicKey
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...
Definition gnunet_crypto_lib.h:202
GNUNET_CRYPTO_EddsaPublicKey::q_y
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
Definition gnunet_crypto_lib.h:208
GNUNET_CRYPTO_ElligatorEcdhePrivateKey
Special private ECC key generated by GNUNET_CRYPTO_ecdhe_elligator_key_create.
Definition gnunet_crypto_lib.h:357
GNUNET_CRYPTO_ElligatorRepresentative
Elligator representative (always for Curve25519)
Definition gnunet_crypto_lib.h:368
GNUNET_CRYPTO_ElligatorRepresentative::r
uint8_t r[256/8]
Represents an element of Curve25519 finite field.
Definition gnunet_crypto_lib.h:373
GNUNET_CRYPTO_HpkeContext
HPKE crypto context.
Definition gnunet_crypto_lib.h:2205
GNUNET_CRYPTO_HpkeEncapsulation
HPKE DHKEM encapsulation (X25519) See RFC 9180.
Definition gnunet_crypto_lib.h:2240
GNUNET_CRYPTO_HpkePrivateKey
A public key used for decryption.
Definition gnunet_crypto_lib.h:454
GNUNET_CRYPTO_HpkePrivateKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePrivateKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:466
GNUNET_CRYPTO_HpkePublicKey
A public key used for encryption.
Definition gnunet_crypto_lib.h:477
GNUNET_CRYPTO_HpkePublicKey::ecdhe_key
struct GNUNET_CRYPTO_EcdhePublicKey ecdhe_key
An ECDHE/X25519 key.
Definition gnunet_crypto_lib.h:489
GNUNET_ShortHashCode
A 256-bit hashcode.
Definition gnunet_common.h:297