GNUnet 0.22.2
crypto_hpke.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2024 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
26#include "platform.h"
27#include "gnunet_common.h"
28#include <sodium.h>
29#include <stdint.h>
30#include "gnunet_util_lib.h"
31#include "sodium/crypto_scalarmult.h"
32#include "sodium/crypto_scalarmult_curve25519.h"
33#include "sodium/utils.h"
34
50static enum GNUNET_GenericReturnValue
51labeled_extract (const char *ctx_str,
52 const void *salt, size_t salt_len,
53 const void *label, size_t label_len,
54 const void *ikm, size_t ikm_len,
55 const uint8_t *suite_id, size_t suite_id_len,
56 struct GNUNET_ShortHashCode *prk)
57{
58 size_t labeled_ikm_len = strlen (ctx_str) + suite_id_len
59 + label_len + ikm_len;
60 uint8_t labeled_ikm[labeled_ikm_len];
61 uint8_t *tmp = labeled_ikm;
62
63 // labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
64 memcpy (tmp, ctx_str, strlen (ctx_str));
65 tmp += strlen (ctx_str);
66 memcpy (tmp, suite_id, suite_id_len);
67 tmp += suite_id_len;
68 memcpy (tmp, label, label_len);
69 tmp += label_len;
70 memcpy (tmp, ikm, ikm_len);
71 // return Extract(salt, labeled_ikm)
72 return GNUNET_CRYPTO_hkdf_extract (prk,
73 salt, salt_len,
74 labeled_ikm, labeled_ikm_len);
75}
76
77
93static enum GNUNET_GenericReturnValue
94labeled_expand (const char *ctx_str,
95 const struct GNUNET_ShortHashCode *prk,
96 const char *label, size_t label_len,
97 const void *info, size_t info_len,
98 const uint8_t *suite_id, size_t suite_id_len,
99 void *out_buf,
100 uint16_t out_len)
101{
102 uint8_t labeled_info[2 + strlen (ctx_str) + suite_id_len + label_len
103 + info_len];
104 uint8_t *tmp = labeled_info;
105 uint16_t out_len_nbo = htons (out_len);
106
107 // labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
108 // label, info)
109 memcpy (tmp, &out_len_nbo, 2);
110 tmp += 2;
111 memcpy (tmp, ctx_str, strlen (ctx_str));
112 tmp += strlen (ctx_str);
113 memcpy (tmp, suite_id, suite_id_len);
114 tmp += suite_id_len;
115 memcpy (tmp, label, label_len);
116 tmp += label_len;
117 memcpy (tmp, info, info_len);
118 return GNUNET_CRYPTO_hkdf_expand (out_buf, out_len, prk,
119 labeled_info, sizeof labeled_info, NULL);
120}
121
122
123static enum GNUNET_GenericReturnValue
124GNUNET_CRYPTO_hpke_labeled_extract_and_expand (const void *dh,
125 size_t dh_len,
126 const char *extract_ctx,
127 const char *expand_ctx,
128 const void*extract_lbl, size_t
129 extract_lbl_len,
130 const void*expand_lbl, size_t
131 expand_lbl_len,
132 const uint8_t *kem_context,
133 size_t kem_context_len,
134 const uint8_t *suite_id, size_t
135 suite_id_len,
136 struct GNUNET_ShortHashCode *
137 shared_secret)
138{
139 struct GNUNET_ShortHashCode prk;
140 // eae_prk = LabeledExtract("", "eae_prk", dh)
141 labeled_extract (extract_ctx,
142 NULL, 0,
143 extract_lbl, extract_lbl_len,
144 dh, dh_len,
145 suite_id, suite_id_len,
146 &prk);
147 return labeled_expand (expand_ctx,
148 &prk,
149 expand_lbl, expand_lbl_len,
150 kem_context, kem_context_len,
151 suite_id, suite_id_len,
152 shared_secret, sizeof *shared_secret);
153}
154
155
156// DHKEM(X25519, HKDF-256): kem_id = 32
157// concat("KEM", I2OSP(kem_id, 2))
158static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[] = { 'K', 'E', 'M',
159 0x00, 0x20 };
160
161// DHKEM(X25519Elligator, HKDF-256): kem_id = 0x0030
162// concat("KEM", I2OSP(kem_id, 2))
163static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[] = { 'K', 'E', 'M',
164 0x00, 0x30 };
165static enum GNUNET_GenericReturnValue
166authkem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
167 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
168 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
169 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
170 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
171 struct GNUNET_ShortHashCode *shared_secret)
172{
173 struct GNUNET_CRYPTO_EcdhePublicKey dh[2];
174 struct GNUNET_CRYPTO_EcdhePublicKey pkS;
175 uint8_t kem_context[sizeof *c + sizeof *pkR + sizeof pkS];
176
177 // skE, pkE = GenerateKeyPair()
178 GNUNET_CRYPTO_ecdhe_key_get_public (skE,
179 (struct GNUNET_CRYPTO_EcdhePublicKey*) c);
180
181 // dh = DH(skE, pkR)
182 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
183 &dh[0]))
184 return GNUNET_SYSERR; // ValidationError
185 // dh = DH(skS, pkR)
186 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skS, pkR,
187 &dh[1]))
188 return GNUNET_SYSERR; // ValidationError
189 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
190 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
191 // pkSm = SerializePublicKey(pk(skS)) is a NOP, see Section 7.1.1
192 GNUNET_CRYPTO_ecdhe_key_get_public (skS,
193 &pkS);
194 // kem_context = concat(enc, pkRm, pkSm)
195 memcpy (kem_context, c, sizeof *c);
196 memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
197 memcpy (kem_context + sizeof *c + sizeof *pkR, &pkS, sizeof pkS);
198 // shared_secret = ExtractAndExpand(dh, kem_context)
199 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
200 dh, sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) * 2,
201 "HPKE-v1",
202 "HPKE-v1",
203 "eae_prk", strlen ("eae_prk"),
204 "shared_secret", strlen ("shared_secret"),
205 kem_context, sizeof kem_context,
206 suite_id, suite_id_len,
207 shared_secret);
208}
209
210
211enum GNUNET_GenericReturnValue
212GNUNET_CRYPTO_hpke_authkem_encaps_norand (
213 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
214 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
215 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
216 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
217 struct GNUNET_ShortHashCode *shared_secret)
218{
219 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
220 GNUNET_CRYPTO_ecdhe_key_get_public (
221 skE,
222 (struct GNUNET_CRYPTO_EcdhePublicKey*) c);
223 return authkem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
224 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
225 pkR, skS, c, skE, shared_secret);
226}
227
228
229enum GNUNET_GenericReturnValue
230GNUNET_CRYPTO_hpke_authkem_encaps (
231 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
232 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
233 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
234 struct GNUNET_ShortHashCode *shared_secret)
235{
236 struct GNUNET_CRYPTO_EcdhePrivateKey skE;
237 // skE, pkE = GenerateKeyPair()
238 GNUNET_CRYPTO_ecdhe_key_create (&skE);
239
240 return GNUNET_CRYPTO_hpke_authkem_encaps_norand (pkR, skS, c, &skE,
241 shared_secret);
242}
243
244
245static enum GNUNET_GenericReturnValue
246kem_encaps_norand (uint8_t *suite_id, size_t suite_id_len,
247 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
248 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
249 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
250 struct GNUNET_ShortHashCode *shared_secret)
251{
252 struct GNUNET_CRYPTO_EcdhePublicKey dh;
253 uint8_t kem_context[sizeof *c + sizeof *pkR];
254
255 // dh = DH(skE, pkR)
256 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skE, pkR,
257 &dh))
258 {
259 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
260 "HPKE KEM encaps: Validation error\n");
261 return GNUNET_SYSERR; // ValidationError
262 }
263 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
264 // pkRm = SerializePublicKey(pkR) is a NOP, see Section 7.1.1
265 // kem_context = concat(enc, pkRm)
266 memcpy (kem_context, c, sizeof *c);
267 memcpy (kem_context + sizeof *c, pkR, sizeof *pkR);
268 // shared_secret = ExtractAndExpand(dh, kem_context)
269 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
270 &dh, sizeof dh,
271 "HPKE-v1",
272 "HPKE-v1",
273 "eae_prk", strlen ("eae_prk"),
274 "shared_secret", strlen ("shared_secret"),
275 kem_context, sizeof kem_context,
276 suite_id, suite_id_len,
277 shared_secret);
278}
279
280
281enum GNUNET_GenericReturnValue
282GNUNET_CRYPTO_hpke_kem_encaps_norand (
283 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
284 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
285 const struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
286 struct GNUNET_ShortHashCode *shared_secret)
287{
288 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
289 GNUNET_CRYPTO_ecdhe_key_get_public (
290 skE,
291 (struct GNUNET_CRYPTO_EcdhePublicKey*) enc);
292 return kem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
293 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
294 pkR, enc, skE, shared_secret);
295}
296
297
298enum GNUNET_GenericReturnValue
299GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
300 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
301 struct GNUNET_ShortHashCode *shared_secret)
302{
303 struct GNUNET_CRYPTO_EcdhePrivateKey skE;
304 // skE, pkE = GenerateKeyPair()
305 GNUNET_CRYPTO_ecdhe_key_create (&skE);
306
307 return GNUNET_CRYPTO_hpke_kem_encaps_norand (pub, c, &skE, shared_secret);
308}
309
310
311enum GNUNET_GenericReturnValue
312GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
313 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
314 struct GNUNET_ShortHashCode *shared_secret)
315{
316 struct GNUNET_CRYPTO_EcdhePublicKey pkR;
317
318 // This maps the ed25519 point to X25519
319 if (0 != crypto_sign_ed25519_pk_to_curve25519 (pkR.q_y, pub->q_y))
320 return GNUNET_SYSERR;
321
322 return GNUNET_CRYPTO_hpke_kem_encaps (&pkR, c, shared_secret);
323}
324
325
326enum GNUNET_GenericReturnValue
327GNUNET_CRYPTO_hpke_authkem_decaps (
328 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
329 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS,
330 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
331 struct GNUNET_ShortHashCode *shared_secret)
332{
333 struct GNUNET_CRYPTO_EcdhePublicKey dh[2];
334 uint8_t pkR[crypto_scalarmult_BYTES];
335 uint8_t kem_context[sizeof *c + sizeof pkR + sizeof *pkS];
336
337 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
338 // dh = DH(skE, pkR)
339 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skR,
340 (struct
341 GNUNET_CRYPTO_EcdhePublicKey*) c,
342 &dh[0]))
343 return GNUNET_SYSERR; // ValidationError
344 // dh = DH(skS, pkR)
345 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skR, pkS,
346 &dh[1]))
347 return GNUNET_SYSERR; // ValidationError
348 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
349 crypto_scalarmult_curve25519_base (pkR, skR->d);
350 // kem_context = concat(enc, pkRm)
351 memcpy (kem_context, c, sizeof *c);
352 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
353 memcpy (kem_context + sizeof *c + sizeof pkR,
354 pkS, sizeof *pkS);
355 // shared_secret = ExtractAndExpand(dh, kem_context)
356 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
357 dh, sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) * 2,
358 "HPKE-v1",
359 "HPKE-v1",
360 "eae_prk", strlen ("eae_prk"),
361 "shared_secret", strlen ("shared_secret"),
362 kem_context, sizeof kem_context,
363 GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
364 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
365 shared_secret);
366}
367
368
369enum GNUNET_GenericReturnValue
370GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
371 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
372 struct GNUNET_ShortHashCode *shared_secret)
373{
374 struct GNUNET_CRYPTO_EcdhePublicKey dh;
375 uint8_t kem_context[sizeof *c + crypto_scalarmult_curve25519_BYTES];
376 uint8_t pkR[crypto_scalarmult_BYTES];
377
378 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
379 // dh = DH(skR, pkE)
380 if (GNUNET_OK !=
381 GNUNET_CRYPTO_x25519_ecdh (skR,
382 (struct GNUNET_CRYPTO_EcdhePublicKey*) c,
383 &dh))
384 return GNUNET_SYSERR; // ValidationError
385
386 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
387 crypto_scalarmult_curve25519_base (pkR, skR->d);
388 // kem_context = concat(enc, pkRm)
389 memcpy (kem_context, c, sizeof *c);
390 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
391 // shared_secret = ExtractAndExpand(dh, kem_context)
392 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
393 &dh, sizeof dh,
394 "HPKE-v1",
395 "HPKE-v1",
396 "eae_prk", strlen ("eae_prk"),
397 "shared_secret", strlen ("shared_secret"),
398 kem_context, sizeof kem_context,
399 GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
400 sizeof GNUNET_CRYPTO_HPKE_KEM_SUITE_ID,
401 shared_secret);
402}
403
404
405// FIXME use Ed -> Curve conversion???
406enum GNUNET_GenericReturnValue
407GNUNET_CRYPTO_eddsa_kem_decaps (const struct
408 GNUNET_CRYPTO_EddsaPrivateKey *priv,
409 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
410 struct GNUNET_ShortHashCode *shared_secret)
411{
412 struct GNUNET_CRYPTO_EcdhePrivateKey skR;
413
414 // This maps the ed25519 point to X25519
415 if (0 != crypto_sign_ed25519_sk_to_curve25519 (skR.d, priv->d))
416 return GNUNET_SYSERR;
417 return GNUNET_CRYPTO_hpke_kem_decaps (&skR, c, shared_secret);
418
419}
420
421
422enum GNUNET_GenericReturnValue
423GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (
424 uint8_t random_tweak,
425 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
426 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
427 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE,
428 struct GNUNET_ShortHashCode *shared_secret)
429{
430 struct GNUNET_CRYPTO_EcdhePublicKey pkE;
431 // skE, pkE = GenerateElligatorKeyPair()
432 // enc = SerializePublicKey(pkE) == c is the elligator representative
433 GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand (random_tweak,
434 skE,
435 &pkE,
436 (struct
437 GNUNET_CRYPTO_ElligatorRepresentative
438 *) c);
439
440 return kem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
441 sizeof GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
442 pkR, c, (const struct
443 GNUNET_CRYPTO_EcdhePrivateKey*) skE,
444 shared_secret);
445}
446
447
448enum GNUNET_GenericReturnValue
449GNUNET_CRYPTO_hpke_elligator_kem_encaps (
450 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
451 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
452 struct GNUNET_ShortHashCode *shared_secret)
453{
454 uint8_t random_tweak;
455 struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey skE;
456
457 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
458 &random_tweak,
459 sizeof(uint8_t));
460
461 // skE, pkE = GenerateElligatorKeyPair()
462 GNUNET_CRYPTO_ecdhe_elligator_key_create (&skE);
463
464 return GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak, pkR, c,
465 &skE, shared_secret);
466}
467
468
469enum GNUNET_GenericReturnValue
470GNUNET_CRYPTO_hpke_elligator_kem_decaps (
471 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
472 const struct GNUNET_CRYPTO_HpkeEncapsulation *c,
473 struct GNUNET_ShortHashCode *shared_secret)
474{
475 struct GNUNET_CRYPTO_EcdhePublicKey pkE;
476 struct GNUNET_CRYPTO_EcdhePublicKey dh;
477 const struct GNUNET_CRYPTO_ElligatorRepresentative *r;
478 uint8_t kem_context[sizeof *r + crypto_scalarmult_curve25519_BYTES];
479 uint8_t pkR[crypto_scalarmult_BYTES];
480
481 r = (struct GNUNET_CRYPTO_ElligatorRepresentative*) c;
482 // pkE = DeserializePublicKey(enc) Elligator deserialize!
483 GNUNET_CRYPTO_ecdhe_elligator_decoding (&pkE, NULL, r);
484 // dh = DH(skR, pkE)
485 GNUNET_assert (GNUNET_OK == GNUNET_CRYPTO_x25519_ecdh (skR, &pkE,
486 &dh));
487 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
488 crypto_scalarmult_curve25519_base (pkR, skR->d);
489 memcpy (kem_context, r, sizeof *r);
490 memcpy (kem_context + sizeof *r, pkR, sizeof pkR);
491 // shared_secret = ExtractAndExpand(dh, kem_context)
492 return GNUNET_CRYPTO_hpke_labeled_extract_and_expand (
493 &dh, sizeof dh,
494 "HPKE-v1",
495 "HPKE-v1",
496 "eae_prk", strlen ("eae_prk"),
497 "shared_secret", strlen ("shared_secret"),
498 kem_context, sizeof kem_context,
499 GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
500 sizeof GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
501 shared_secret);
502}
503
504
505enum GNUNET_GenericReturnValue
506GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand (
507 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
508 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
509 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
510 const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE,
511 struct GNUNET_ShortHashCode *shared_secret)
512{
513 struct GNUNET_CRYPTO_EcdhePublicKey pkE;
514 // skE, pkE = GenerateElligatorKeyPair()
515 // enc = SerializePublicKey(pkE) == c is the elligator representative
516 GNUNET_CRYPTO_ecdhe_elligator_key_get_public (
517 skE, &pkE,
518 (struct GNUNET_CRYPTO_ElligatorRepresentative*) c);
519
520 return authkem_encaps_norand (GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID,
521 sizeof GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID
522 ,
523 pkR, skS, c,
524 (const struct
525 GNUNET_CRYPTO_EcdhePrivateKey*) skE,
526 shared_secret);
527}
528
529
530enum GNUNET_GenericReturnValue
531GNUNET_CRYPTO_hpke_elligator_authkem_encaps (
532 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
533 const struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
534 struct GNUNET_CRYPTO_HpkeEncapsulation *c,
535 struct GNUNET_ShortHashCode *shared_secret)
536{
537 struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey skE;
538 // skE, pkE = GenerateElligatorKeyPair()
539 GNUNET_CRYPTO_ecdhe_elligator_key_create (&skE);
540
541 return GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand (pkR, skS, c, &skE,
542 shared_secret);
543}
544
545
546static enum GNUNET_GenericReturnValue
547verify_psk_inputs (enum GNUNET_CRYPTO_HpkeMode mode,
548 const uint8_t *psk, size_t psk_len,
549 const uint8_t *psk_id, size_t psk_id_len)
550{
551 bool got_psk;
552 bool got_psk_id;
553
554 got_psk = (0 != psk_len);
555 got_psk_id = (0 != psk_id_len);
556
557 if (got_psk != got_psk_id)
558 {
559 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
560 "Inconsistent PSK inputs\n");
561 return GNUNET_SYSERR;
562 }
563
564 if (got_psk &&
565 ((GNUNET_CRYPTO_HPKE_MODE_BASE == mode) ||
566 (GNUNET_CRYPTO_HPKE_MODE_AUTH == mode)))
567 {
568 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
569 "PSK input provided when not needed\n");
570 return GNUNET_SYSERR;
571 }
572 if (! got_psk &&
573 ((GNUNET_CRYPTO_HPKE_MODE_PSK == mode) ||
574 (GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK == mode)))
575 {
576 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
577 "Missing required PSK input\n");
578 return GNUNET_SYSERR;
579 }
580 return GNUNET_OK;
581}
582
583
584static enum GNUNET_GenericReturnValue
585key_schedule (enum GNUNET_CRYPTO_HpkeRole role,
586 enum GNUNET_CRYPTO_HpkeMode mode,
587 const struct GNUNET_ShortHashCode *shared_secret,
588 const uint8_t *info, size_t info_len,
589 const uint8_t *psk, size_t psk_len,
590 const uint8_t *psk_id, size_t psk_id_len,
591 struct GNUNET_CRYPTO_HpkeContext *ctx)
592{
593 struct GNUNET_ShortHashCode psk_id_hash;
594 struct GNUNET_ShortHashCode info_hash;
595 struct GNUNET_ShortHashCode secret;
596 uint8_t key_schedule_context[1 + sizeof info_hash * 2];
597 uint8_t suite_id[strlen ("HPKE") + 6];
598 uint16_t kem_id = htons (32); // FIXME hardcode as constant
599 uint16_t kdf_id = htons (1); // HKDF-256 FIXME hardcode as constant
600 uint16_t aead_id = htons (3); // ChaCha20Poly1305 FIXME hardcode as constant
601
602 // DHKEM(X25519, HKDF-256): kem_id = 32
603 // concat("KEM", I2OSP(kem_id, 2))
604 memcpy (suite_id, "HPKE", 4);
605 memcpy (suite_id + 4, &kem_id, 2);
606 memcpy (suite_id + 6, &kdf_id, 2);
607 memcpy (suite_id + 8, &aead_id, 2);
608
609 if (GNUNET_OK != verify_psk_inputs (mode, psk, psk_len, psk_id, psk_id_len))
610 return GNUNET_SYSERR;
611
612 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
613 "psk_id_hash", strlen ("psk_id_hash"),
614 psk_id, psk_id_len,
615 suite_id, sizeof suite_id, &psk_id_hash))
616 return GNUNET_SYSERR;
617 if (GNUNET_OK != labeled_extract ("HPKE-v1", NULL, 0,
618 "info_hash", strlen ("info_hash"),
619 info, info_len,
620 suite_id, sizeof suite_id, &info_hash))
621 return GNUNET_SYSERR;
622 memcpy (key_schedule_context, &mode, 1);
623 memcpy (key_schedule_context + 1, &psk_id_hash, sizeof psk_id_hash);
624 memcpy (key_schedule_context + 1 + sizeof psk_id_hash,
625 &info_hash, sizeof info_hash);
626 if (GNUNET_OK != labeled_extract ("HPKE-v1",
627 shared_secret, sizeof *shared_secret,
628 "secret", strlen ("secret"),
629 psk, psk_len,
630 suite_id, sizeof suite_id, &secret))
631 return GNUNET_SYSERR;
632 // key = LabeledExpand(secret, "key", key_schedule_context, Nk)
633 // Note: Nk == sizeof ctx->key
634 if (GNUNET_OK != labeled_expand ("HPKE-v1",
635 &secret,
636 "key", strlen ("key"),
637 &key_schedule_context,
638 sizeof key_schedule_context,
639 suite_id, sizeof suite_id,
640 ctx->key, sizeof ctx->key))
641 return GNUNET_SYSERR;
642 // base_nonce = LabeledExpand(secret, "base_nonce",
643 // key_schedule_context, Nn)
644 if (GNUNET_OK != labeled_expand ("HPKE-v1",
645 &secret,
646 "base_nonce", strlen ("base_nonce"),
647 &key_schedule_context,
648 sizeof key_schedule_context,
649 suite_id, sizeof suite_id,
650 ctx->base_nonce, sizeof ctx->base_nonce))
651 return GNUNET_SYSERR;
652 // exporter_secret = LabeledExpand(secret, "exp",
653 // key_schedule_context, Nh)
654 if (GNUNET_OK != labeled_expand ("HPKE-v1",
655 &secret,
656 "exp", strlen ("exp"),
657 &key_schedule_context,
658 sizeof key_schedule_context,
659 suite_id, sizeof suite_id,
660 &ctx->exporter_secret,
661 sizeof ctx->exporter_secret))
662 return GNUNET_SYSERR;
663 ctx->seq = 0;
664 ctx->role = role;
665 return GNUNET_OK;
666}
667
668
669enum GNUNET_GenericReturnValue
670GNUNET_CRYPTO_hpke_sender_setup2 (
671 enum GNUNET_CRYPTO_HpkeKem kem,
672 enum GNUNET_CRYPTO_HpkeMode mode,
673 struct GNUNET_CRYPTO_EcdhePrivateKey *skE,
674 struct GNUNET_CRYPTO_EcdhePrivateKey *skS,
675 const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
676 const uint8_t *info, size_t info_len,
677 const uint8_t *psk, size_t psk_len,
678 const uint8_t *psk_id, size_t psk_id_len,
679 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
680 struct GNUNET_CRYPTO_HpkeContext *ctx)
681{
682 struct GNUNET_ShortHashCode shared_secret;
683
684 switch (mode)
685 {
686 case GNUNET_CRYPTO_HPKE_MODE_BASE:
687 case GNUNET_CRYPTO_HPKE_MODE_PSK:
688 if (kem == GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256)
689 {
690 if (GNUNET_OK != GNUNET_CRYPTO_hpke_kem_encaps_norand (pkR, enc, skE,
691 &shared_secret))
692 return GNUNET_SYSERR;
693 break;
694 }
695 else if (kem ==
696 GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256)
697 {
698 uint8_t random_tweak;
699 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
700 &random_tweak,
701 sizeof(uint8_t));
702 if (GNUNET_OK !=
703 GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak,
704 pkR,
705 enc,
706 (struct
707 GNUNET_CRYPTO_ElligatorEcdhePrivateKey
708 *) skE,
709 &shared_secret))
710 return GNUNET_SYSERR;
711 }
712 break;
713 case GNUNET_CRYPTO_HPKE_MODE_AUTH:
714 case GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK:
715 if (NULL == skS)
716 return GNUNET_SYSERR;
717 if (GNUNET_OK != GNUNET_CRYPTO_hpke_authkem_encaps_norand (pkR, skS,
718 enc, skE,
719 &shared_secret))
720 return GNUNET_SYSERR;
721 break;
722 default:
723 return GNUNET_SYSERR;
724 }
725 if (GNUNET_OK != key_schedule (GNUNET_CRYPTO_HPKE_ROLE_S,
726 mode,
727 &shared_secret,
728 info, info_len,
729 psk, psk_len,
730 psk_id, psk_id_len,
731 ctx))
732 return GNUNET_SYSERR;
733 return GNUNET_OK;
734}
735
736
737enum GNUNET_GenericReturnValue
738GNUNET_CRYPTO_hpke_sender_setup (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
739 const uint8_t *info, size_t info_len,
740 struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
741 struct GNUNET_CRYPTO_HpkeContext *ctx)
742{
743 struct GNUNET_CRYPTO_EcdhePrivateKey sk;
744 // skE, pkE = GenerateKeyPair()
745 GNUNET_CRYPTO_ecdhe_key_create (&sk);
746
747 return GNUNET_CRYPTO_hpke_sender_setup2 (
748 GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256,
749 GNUNET_CRYPTO_HPKE_MODE_BASE,
750 &sk, NULL,
751 pkR, info, info_len,
752 NULL, 0,
753 NULL, 0,
754 enc,
755 ctx);
756}
757
758
759enum GNUNET_GenericReturnValue
760GNUNET_CRYPTO_hpke_receiver_setup2 (
761 enum GNUNET_CRYPTO_HpkeKem kem,
762 enum GNUNET_CRYPTO_HpkeMode mode,
763 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
764 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
765 const struct GNUNET_CRYPTO_EcdhePublicKey *pkS,
766 const uint8_t *info, size_t info_len,
767 const uint8_t *psk, size_t psk_len,
768 const uint8_t *psk_id, size_t psk_id_len,
769 struct GNUNET_CRYPTO_HpkeContext *ctx)
770{
771 struct GNUNET_ShortHashCode shared_secret;
772
773 switch (mode)
774 {
775 case GNUNET_CRYPTO_HPKE_MODE_BASE:
776 case GNUNET_CRYPTO_HPKE_MODE_PSK:
777 if (kem == GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256)
778 {
779 if (GNUNET_OK != GNUNET_CRYPTO_hpke_kem_decaps (skR, enc,
780 &shared_secret))
781 return GNUNET_SYSERR;
782 }
783 else if (kem ==
784 GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256)
785 {
786 if (GNUNET_OK != GNUNET_CRYPTO_hpke_elligator_kem_decaps (skR,
787 enc,
788 &shared_secret))
789 return GNUNET_SYSERR;
790 }
791 break;
792 case GNUNET_CRYPTO_HPKE_MODE_AUTH:
793 case GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK:
794 if (NULL == pkS)
795 return GNUNET_SYSERR;
796 if (GNUNET_OK != GNUNET_CRYPTO_hpke_authkem_decaps (skR, pkS,
797 enc,
798 &shared_secret))
799 return GNUNET_SYSERR;
800 break;
801 default:
802 return GNUNET_SYSERR;
803 }
804 if (GNUNET_OK != key_schedule (GNUNET_CRYPTO_HPKE_ROLE_R,
805 mode,
806 &shared_secret,
807 info, info_len,
808 psk, psk_len,
809 psk_id, psk_id_len,
810 ctx))
811 return GNUNET_SYSERR;
812 return GNUNET_OK;
813}
814
815
816enum GNUNET_GenericReturnValue
817GNUNET_CRYPTO_hpke_receiver_setup (
818 const struct GNUNET_CRYPTO_HpkeEncapsulation *enc,
819 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
820 const uint8_t *info, size_t info_len,
821 struct GNUNET_CRYPTO_HpkeContext *ctx)
822{
823 return GNUNET_CRYPTO_hpke_receiver_setup2 (
824 GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256,
825 GNUNET_CRYPTO_HPKE_MODE_BASE,
826 enc, skR, NULL,
827 info, info_len,
828 NULL, 0, NULL, 0, ctx);
829}
830
831
832static enum GNUNET_GenericReturnValue
833increment_seq (struct GNUNET_CRYPTO_HpkeContext *ctx)
834{
835 if (ctx->seq >= UINT64_MAX)
836 {
837 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "MessageLimitReached\n");
838 return GNUNET_SYSERR;
839 }
840 ctx->seq = GNUNET_htonll (GNUNET_ntohll (ctx->seq) + 1);
841 return GNUNET_OK;
842}
843
844
845static void
846compute_nonce (struct GNUNET_CRYPTO_HpkeContext *ctx,
847 uint8_t *nonce)
848{
849 size_t offset = GNUNET_CRYPTO_HPKE_NONCE_LEN - sizeof ctx->seq;
850 int j = 0;
851 for (int i = 0; i < GNUNET_CRYPTO_HPKE_NONCE_LEN; i++)
852 {
853 // FIXME correct byte order?
854 if (i < offset)
855 memset (&nonce[i], ctx->base_nonce[i], 1);
856 else
857 nonce[i] = ctx->base_nonce[i] ^ ((uint8_t*) &ctx->seq)[j++];
858 }
859}
860
861
862enum GNUNET_GenericReturnValue
863GNUNET_CRYPTO_hpke_seal (struct GNUNET_CRYPTO_HpkeContext *ctx,
864 const uint8_t*aad, size_t aad_len,
865 const uint8_t *pt, size_t pt_len,
866 uint8_t *ct, unsigned long long *ct_len_p)
867{
868 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
869 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_S)
870 {
871 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
872 "HPKE: Wrong role; called as receiver (%d)!\n",
873 ctx->role);
874 return GNUNET_SYSERR;
875 }
876 compute_nonce (ctx, comp_nonce);
877 crypto_aead_chacha20poly1305_ietf_encrypt (ct, ct_len_p,
878 pt, pt_len,
879 aad, aad_len,
880 NULL,
881 comp_nonce,
882 ctx->key);
883 if (GNUNET_OK != increment_seq (ctx))
884 {
885 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
886 "HPKE: Seq increment failed!\n");
887 return GNUNET_SYSERR;
888 }
889 return GNUNET_OK;
890}
891
892
893enum GNUNET_GenericReturnValue
894GNUNET_CRYPTO_hpke_open (struct GNUNET_CRYPTO_HpkeContext *ctx,
895 const uint8_t*aad, size_t aad_len,
896 const uint8_t *ct, size_t ct_len,
897 uint8_t *pt, unsigned long long *pt_len)
898{
899 uint8_t comp_nonce[GNUNET_CRYPTO_HPKE_NONCE_LEN];
900 if (ctx->role != GNUNET_CRYPTO_HPKE_ROLE_R)
901 {
902 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
903 "HPKE: Wrong role; called as sender (%d)!\n",
904 ctx->role);
905 return GNUNET_SYSERR;
906 }
907 compute_nonce (ctx, comp_nonce);
908 if (0 != crypto_aead_chacha20poly1305_ietf_decrypt (pt, pt_len,
909 NULL,
910 ct, ct_len,
911 aad, aad_len,
912 comp_nonce,
913 ctx->key))
914 {
915 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "OpenError\n");
916 return GNUNET_SYSERR;
917 }
918 if (GNUNET_OK != increment_seq (ctx))
919 {
920 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
921 "HPKE: Seq increment failed!\n");
922 return GNUNET_SYSERR;
923 }
924 return GNUNET_OK;
925}
926
927
928enum GNUNET_GenericReturnValue
929GNUNET_CRYPTO_hpke_seal_oneshot (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR,
930 const uint8_t *info, size_t info_len,
931 const uint8_t*aad, size_t aad_len,
932 const uint8_t *pt, size_t pt_len,
933 uint8_t *ct, unsigned long long *ct_len_p)
934{
935 struct GNUNET_CRYPTO_HpkeContext ctx;
936 struct GNUNET_CRYPTO_HpkeEncapsulation *enc;
937 uint8_t *ct_off;
938
939 enc = (struct GNUNET_CRYPTO_HpkeEncapsulation*) ct;
940 ct_off = (uint8_t*) &enc[1];
941 if (GNUNET_OK != GNUNET_CRYPTO_hpke_sender_setup (pkR,
942 info, info_len,
943 enc, &ctx))
944 {
945 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
946 "HPKE: Sender setup failed!\n");
947 return GNUNET_SYSERR;
948 }
949 return GNUNET_CRYPTO_hpke_seal (&ctx,
950 aad, aad_len,
951 pt, pt_len,
952 ct_off,
953 ct_len_p);
954}
955
956
957enum GNUNET_GenericReturnValue
958GNUNET_CRYPTO_hpke_open_oneshot (
959 const struct GNUNET_CRYPTO_EcdhePrivateKey *skR,
960 const uint8_t *info, size_t info_len,
961 const uint8_t*aad, size_t aad_len,
962 const uint8_t *ct, size_t ct_len,
963 uint8_t *pt, unsigned long long *pt_len_p)
964{
965 struct GNUNET_CRYPTO_HpkeContext ctx;
966 struct GNUNET_CRYPTO_HpkeEncapsulation *enc;
967 uint8_t *ct_off;
968
969 enc = (struct GNUNET_CRYPTO_HpkeEncapsulation*) ct;
970 ct_off = (uint8_t*) &enc[1];
971 if (GNUNET_OK != GNUNET_CRYPTO_hpke_receiver_setup (enc, skR,
972 info, info_len,
973 &ctx))
974 {
975 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
976 "HPKE: Receiver setup failed!\n");
977 return GNUNET_SYSERR;
978 }
979 return GNUNET_CRYPTO_hpke_open (&ctx,
980 aad, aad_len,
981 ct_off,
982 ct_len - sizeof *enc,
983 pt,
984 pt_len_p);
985}
986
987
988enum GNUNET_GenericReturnValue
989GNUNET_CRYPTO_hpke_pk_to_x25519 (const struct GNUNET_CRYPTO_PublicKey *pk,
990 struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
991{
992 switch (ntohl (pk->type))
993 {
994 case GNUNET_PUBLIC_KEY_TYPE_ECDSA:
995 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->q_y,
996 pk->ecdsa_key.q_y))
997 return GNUNET_SYSERR;
998 return GNUNET_OK;
999 case GNUNET_PUBLIC_KEY_TYPE_EDDSA:
1000 if (0 != crypto_sign_ed25519_pk_to_curve25519 (x25519->q_y,
1001 pk->eddsa_key.q_y))
1002 return GNUNET_SYSERR;
1003 return GNUNET_OK;
1004 default:
1005 return GNUNET_SYSERR;
1006 }
1007 return GNUNET_SYSERR;
1008
1009}
1010
1011
1012enum GNUNET_GenericReturnValue
1013GNUNET_CRYPTO_hpke_sk_to_x25519 (const struct GNUNET_CRYPTO_PrivateKey *sk,
1014 struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
1015{
1016 switch (ntohl (sk->type))
1017 {
1018 case GNUNET_PUBLIC_KEY_TYPE_ECDSA:
1019 memcpy (x25519->d, sk->ecdsa_key.d,
1020 sizeof sk->ecdsa_key.d);
1021 return GNUNET_OK;
1022 case GNUNET_PUBLIC_KEY_TYPE_EDDSA:
1023 if (0 != crypto_sign_ed25519_sk_to_curve25519 (x25519->d,
1024 sk->eddsa_key.d))
1025 return GNUNET_SYSERR;
1026 return GNUNET_OK;
1027 default:
1028 return GNUNET_SYSERR;
1029 }
1030 return GNUNET_SYSERR;
1031
1032}
authkem_encaps_norand
static enum GNUNET_GenericReturnValue authkem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:166
compute_nonce
static void compute_nonce(struct GNUNET_CRYPTO_HpkeContext *ctx, uint8_t *nonce)
Definition: crypto_hpke.c:846
key_schedule
static enum GNUNET_GenericReturnValue key_schedule(enum GNUNET_CRYPTO_HpkeRole role, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_ShortHashCode *shared_secret, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition: crypto_hpke.c:585
increment_seq
static enum GNUNET_GenericReturnValue increment_seq(struct GNUNET_CRYPTO_HpkeContext *ctx)
Definition: crypto_hpke.c:833
labeled_extract
static enum GNUNET_GenericReturnValue labeled_extract(const char *ctx_str, const void *salt, size_t salt_len, const void *label, size_t label_len, const void *ikm, size_t ikm_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *prk)
A RFC9180 inspired labeled extract.
Definition: crypto_hpke.c:51
kem_encaps_norand
static enum GNUNET_GenericReturnValue kem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:246
verify_psk_inputs
static enum GNUNET_GenericReturnValue verify_psk_inputs(enum GNUNET_CRYPTO_HpkeMode mode, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len)
Definition: crypto_hpke.c:547
GNUNET_CRYPTO_HPKE_KEM_SUITE_ID
static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
Definition: crypto_hpke.c:158
GNUNET_CRYPTO_hpke_labeled_extract_and_expand
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:124
labeled_expand
static enum GNUNET_GenericReturnValue labeled_expand(const char *ctx_str, const struct GNUNET_ShortHashCode *prk, const char *label, size_t label_len, const void *info, size_t info_len, const uint8_t *suite_id, size_t suite_id_len, void *out_buf, uint16_t out_len)
A RFC9180 inspired labeled extract.
Definition: crypto_hpke.c:94
GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
Definition: crypto_hpke.c:163
ctx
static struct GNUNET_FS_Handle * ctx
Definition: gnunet-download.c:40
enc
static OpusEncoder * enc
OPUS encoder.
Definition: gnunet-helper-audio-record.c:206
pk
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
Definition: gnunet-identity.c:126
pub
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47
salt
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition: gnunet-scrypt.c:34
info
#define info
gnunet_common.h
commonly used definitions; globals in this file are exempt from the rule that the module name ("commo...
mode
static enum @44 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
gnunet_util_lib.h
GNUNET_CRYPTO_hpke_kem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
Definition: crypto_hpke.c:282
GNUNET_CRYPTO_ecdhe_key_create
void GNUNET_CRYPTO_ecdhe_key_create(struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
Create a new private key.
Definition: crypto_ecc.c:454
GNUNET_CRYPTO_hpke_authkem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:212
GNUNET_CRYPTO_eddsa_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private EdDSA key.
Definition: crypto_hpke.c:407
GNUNET_CRYPTO_ecdhe_elligator_key_get_public
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public(const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...
Definition: crypto_elligator.c:662
GNUNET_CRYPTO_x25519_ecdh
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh(const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, const struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a ECDH public key and a private X25519 key.
Definition: crypto_ecc.c:767
GNUNET_CRYPTO_ecdhe_elligator_key_create
void GNUNET_CRYPTO_ecdhe_elligator_key_create(struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
Generates a private key for Curve25519.
Definition: crypto_elligator.c:680
GNUNET_CRYPTO_hpke_elligator_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh decapsulation with own private key and the representative of the received public key...
Definition: crypto_hpke.c:470
GNUNET_CRYPTO_hpke_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a X25519 public key.
Definition: crypto_hpke.c:299
GNUNET_CRYPTO_random_block
void GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
Fill block with a random values.
Definition: crypto_random.c:133
GNUNET_CRYPTO_hpke_authkem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private X25519 key.
Definition: crypto_hpke.c:327
GNUNET_CRYPTO_hpke_kem_decaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private X25519 key.
Definition: crypto_hpke.c:370
GNUNET_CRYPTO_ecdhe_elligator_decoding
void GNUNET_CRYPTO_ecdhe_elligator_decoding(struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
Clears the most significant bit and second most significant bit of the serialized representaive befor...
Definition: crypto_elligator.c:508
GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...
Definition: crypto_elligator.c:639
GNUNET_CRYPTO_hpke_elligator_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition: crypto_hpke.c:449
GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition: crypto_hpke.c:423
GNUNET_CRYPTO_ecdh_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition: crypto_ecc.c:783
GNUNET_CRYPTO_eddsa_kem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps(const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a EdDSA public key.
Definition: crypto_hpke.c:312
GNUNET_CRYPTO_hpke_authkem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:230
GNUNET_CRYPTO_ecdhe_key_get_public
void GNUNET_CRYPTO_ecdhe_key_get_public(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:217
GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:506
GNUNET_CRYPTO_hpke_elligator_authkem_encaps
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:531
GNUNET_CRYPTO_QUALITY_NONCE
@ GNUNET_CRYPTO_QUALITY_NONCE
Randomness for IVs etc.
Definition: gnunet_crypto_lib.h:103
GNUNET_CRYPTO_hkdf_extract
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_extract(struct GNUNET_ShortHashCode *prk, const void *salt, size_t salt_len, const void *ikm, size_t ikm_len)
HKDF-Extract using SHA256.
Definition: crypto_hkdf.c:224
GNUNET_CRYPTO_hkdf_expand
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_expand(void *result, size_t out_len, const struct GNUNET_ShortHashCode *prk,...)
HKDF-Expand using SHA256.
Definition: crypto_hkdf.c:156
GNUNET_CRYPTO_hpke_open_oneshot
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open_oneshot(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:958
GNUNET_CRYPTO_hpke_sender_setup2
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_CRYPTO_EcdhePrivateKey *skS, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:670
GNUNET_CRYPTO_HpkeKem
GNUNET_CRYPTO_HpkeKem
Definition: gnunet_crypto_lib.h:2156
GNUNET_log
#define GNUNET_log(kind,...)
Definition: gnunet_common.h:548
GNUNET_CRYPTO_hpke_seal_oneshot
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal_oneshot(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:929
GNUNET_CRYPTO_hpke_seal
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_seal(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *pt, size_t pt_len, uint8_t *ct, unsigned long long *ct_len_p)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:863
GNUNET_ntohll
uint64_t GNUNET_ntohll(uint64_t n)
Convert unsigned 64-bit integer to host byte order.
Definition: common_endian.c:54
GNUNET_CRYPTO_hpke_open
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_open(struct GNUNET_CRYPTO_HpkeContext *ctx, const uint8_t *aad, size_t aad_len, const uint8_t *ct, size_t ct_len, uint8_t *pt, unsigned long long *pt_len)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:894
GNUNET_htonll
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition: common_endian.c:37
GNUNET_CRYPTO_HPKE_NONCE_LEN
#define GNUNET_CRYPTO_HPKE_NONCE_LEN
Definition: gnunet_crypto_lib.h:2124
GNUNET_CRYPTO_hpke_sk_to_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sk_to_x25519(const struct GNUNET_CRYPTO_PrivateKey *sk, struct GNUNET_CRYPTO_EcdhePrivateKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition: crypto_hpke.c:1013
GNUNET_CRYPTO_HpkeMode
GNUNET_CRYPTO_HpkeMode
HPKE RFC 9180.
Definition: gnunet_crypto_lib.h:2113
GNUNET_CRYPTO_hpke_pk_to_x25519
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_pk_to_x25519(const struct GNUNET_CRYPTO_PublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *x25519)
Convert a GNUnet identity key to a key sutiable for HPKE (X25519)
Definition: crypto_hpke.c:989
GNUNET_GenericReturnValue
GNUNET_GenericReturnValue
Named constants for return values.
Definition: gnunet_common.h:108
GNUNET_CRYPTO_hpke_receiver_setup
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup(const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:817
GNUNET_CRYPTO_hpke_receiver_setup2
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_receiver_setup2(enum GNUNET_CRYPTO_HpkeKem kem, enum GNUNET_CRYPTO_HpkeMode mode, const struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const uint8_t *info, size_t info_len, const uint8_t *psk, size_t psk_len, const uint8_t *psk_id, size_t psk_id_len, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:760
GNUNET_CRYPTO_hpke_sender_setup
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_sender_setup(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const uint8_t *info, size_t info_len, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, struct GNUNET_CRYPTO_HpkeContext *ctx)
RFC9180 HPKE encryption.
Definition: crypto_hpke.c:738
GNUNET_CRYPTO_HpkeRole
GNUNET_CRYPTO_HpkeRole
Definition: gnunet_crypto_lib.h:2141
GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519_HKDF256
Definition: gnunet_crypto_lib.h:2157
GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256
@ GNUNET_CRYPTO_HPKE_KEM_DH_X25519ELLIGATOR_HKDF256
Definition: gnunet_crypto_lib.h:2158
GNUNET_PUBLIC_KEY_TYPE_EDDSA
@ GNUNET_PUBLIC_KEY_TYPE_EDDSA
EDDSA identity.
Definition: gnunet_crypto_lib.h:391
GNUNET_PUBLIC_KEY_TYPE_ECDSA
@ GNUNET_PUBLIC_KEY_TYPE_ECDSA
The identity type.
Definition: gnunet_crypto_lib.h:385
GNUNET_CRYPTO_HPKE_MODE_PSK
@ GNUNET_CRYPTO_HPKE_MODE_PSK
Definition: gnunet_crypto_lib.h:2115
GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
@ GNUNET_CRYPTO_HPKE_MODE_AUTH_PSK
Definition: gnunet_crypto_lib.h:2117
GNUNET_CRYPTO_HPKE_MODE_BASE
@ GNUNET_CRYPTO_HPKE_MODE_BASE
Definition: gnunet_crypto_lib.h:2114
GNUNET_CRYPTO_HPKE_MODE_AUTH
@ GNUNET_CRYPTO_HPKE_MODE_AUTH
Definition: gnunet_crypto_lib.h:2116
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:111
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:109
GNUNET_CRYPTO_HPKE_ROLE_R
@ GNUNET_CRYPTO_HPKE_ROLE_R
Definition: gnunet_crypto_lib.h:2142
GNUNET_CRYPTO_HPKE_ROLE_S
@ GNUNET_CRYPTO_HPKE_ROLE_S
Definition: gnunet_crypto_lib.h:2143
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:956
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition: gnunet_common.h:414
GNUNET_CRYPTO_EcdhePrivateKey
Private ECC key encoded for transmission.
Definition: gnunet_crypto_lib.h:254
GNUNET_CRYPTO_EcdhePrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition: gnunet_crypto_lib.h:258
GNUNET_CRYPTO_EcdhePublicKey
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...
Definition: gnunet_crypto_lib.h:240
GNUNET_CRYPTO_EcdhePublicKey::q_y
unsigned char q_y[256/8]
Q consists of an x- and a y-value, each mod p (256 bits), given here in affine coordinates and Ed2551...
Definition: gnunet_crypto_lib.h:245
GNUNET_CRYPTO_EcdsaPrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition: gnunet_crypto_lib.h:270
GNUNET_CRYPTO_EddsaPrivateKey
Private ECC key encoded for transmission.
Definition: gnunet_crypto_lib.h:278
GNUNET_CRYPTO_EddsaPrivateKey::d
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
Definition: gnunet_crypto_lib.h:282
GNUNET_CRYPTO_EddsaPublicKey
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...
Definition: gnunet_crypto_lib.h:201
GNUNET_CRYPTO_EddsaPublicKey::q_y
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
Definition: gnunet_crypto_lib.h:207
GNUNET_CRYPTO_ElligatorEcdhePrivateKey
Special private ECC key generated by GNUNET_CRYPTO_ecdhe_elligator_key_create.
Definition: gnunet_crypto_lib.h:357
GNUNET_CRYPTO_ElligatorRepresentative
Elligator representative (always for Curve25519)
Definition: gnunet_crypto_lib.h:368
GNUNET_CRYPTO_ElligatorRepresentative::r
uint8_t r[256/8]
Represents an element of Curve25519 finite field.
Definition: gnunet_crypto_lib.h:373
GNUNET_CRYPTO_HpkeContext
Definition: gnunet_crypto_lib.h:2147
GNUNET_CRYPTO_HpkeEncapsulation
HPKE DHKEM encapsulation (X25519) See RFC 9180.
Definition: gnunet_crypto_lib.h:2167
GNUNET_CRYPTO_PrivateKey
A private key for an identity as per LSD0001.
Definition: gnunet_crypto_lib.h:400
GNUNET_CRYPTO_PrivateKey::type
uint32_t type
Type of public key.
Definition: gnunet_crypto_lib.h:406
GNUNET_CRYPTO_PrivateKey::eddsa_key
struct GNUNET_CRYPTO_EddsaPrivateKey eddsa_key
AN EdDSA identtiy key.
Definition: gnunet_crypto_lib.h:418
GNUNET_CRYPTO_PrivateKey::ecdsa_key
struct GNUNET_CRYPTO_EcdsaPrivateKey ecdsa_key
An ECDSA identity key.
Definition: gnunet_crypto_lib.h:413
GNUNET_CRYPTO_PublicKey
An identity key as per LSD0001.
Definition: gnunet_crypto_lib.h:427
GNUNET_ShortHashCode
A 256-bit hashcode.
Definition: gnunet_common.h:294