GNUnet 0.22.2
Crypto library: cryptographic operations

Provides cryptographic primitives. More...

Collaboration diagram for Crypto library: cryptographic operations:

Macros

#define GNUNET_CRYPTO_eddsa_sign(priv, ps, sig)
 EdDSA sign a given block. More...
 
#define GNUNET_CRYPTO_ecdsa_sign(priv, ps, sig)
 ECDSA sign a given block. More...
 
#define GNUNET_CRYPTO_edx25519_sign(priv, ps, sig)
 Edx25519 sign a given block. More...
 
#define GNUNET_CRYPTO_eddsa_verify(purp, ps, sig, pub)
 Verify EdDSA signature. More...
 
#define GNUNET_CRYPTO_ecdsa_verify(purp, ps, sig, pub)
 Verify ECDSA signature. More...
 
#define GNUNET_CRYPTO_edx25519_verify(purp, ps, sig, pub)
 Verify Edx25519 signature. More...
 

Enumerations

enum  GNUNET_CRYPTO_Quality { GNUNET_CRYPTO_QUALITY_WEAK , GNUNET_CRYPTO_QUALITY_STRONG , GNUNET_CRYPTO_QUALITY_NONCE }
 Desired quality level for random numbers. More...
 

Functions

void GNUNET_CRYPTO_seed_weak_random (int32_t seed)
 Seed a weak random generator. More...
 
void GNUNET_CRYPTO_zero_keys (void *buffer, size_t length)
 Zero out buffer, securely against compiler optimizations. More...
 
void GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
 Fill block with a random values. More...
 
void GNUNET_CRYPTO_random_timeflake (enum GNUNET_CRYPTO_Quality mode, struct GNUNET_Uuid *uuid)
 Fill UUID with a timeflake pseudo-random value. More...
 
uint32_t GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i)
 Produce a random value. More...
 
uint64_t GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode, uint64_t max)
 Generate a random unsigned 64-bit value. More...
 
unsigned int * GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode, unsigned int n)
 Get an array with a random permutation of the numbers 0...n-1. More...
 
void GNUNET_CRYPTO_symmetric_create_session_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key)
 Create a new random session key. More...
 
ssize_t GNUNET_CRYPTO_symmetric_encrypt (const void *block, size_t size, const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, void *result)
 Encrypt a block using a symmetric sessionkey. More...
 
ssize_t GNUNET_CRYPTO_symmetric_decrypt (const void *block, size_t size, const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, void *result)
 Decrypt a given block using a symmetric sessionkey. More...
 
void GNUNET_CRYPTO_symmetric_derive_iv (struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, const struct GNUNET_CRYPTO_SymmetricSessionKey *skey, const void *salt, size_t salt_len,...)
 Derive an IV. More...
 
void GNUNET_CRYPTO_ecdsa_key_get_public (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
 Extract the public key for the given private key. More...
 
void GNUNET_CRYPTO_eddsa_key_get_public (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, struct GNUNET_CRYPTO_EddsaPublicKey *pub)
 Extract the public key for the given private key. More...
 
void GNUNET_CRYPTO_edx25519_key_get_public (const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
 Extract the public key for the given private key. More...
 
void GNUNET_CRYPTO_ecdhe_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 Extract the public key for the given private key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_key_from_file (const char *filename, int do_create, struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey)
 Create a new private key by reading it from a file. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_key_from_file (const char *filename, int do_create, struct GNUNET_CRYPTO_EddsaPrivateKey *pkey)
 Create a new private key by reading it from a file. More...
 
struct GNUNET_CRYPTO_EddsaPrivateKeyGNUNET_CRYPTO_eddsa_key_create_from_configuration (const struct GNUNET_CONFIGURATION_Handle *cfg)
 Create a new private key by reading our peer's key from the file specified in the configuration. More...
 
void GNUNET_CRYPTO_ecdsa_key_create (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk)
 Create a new private key. More...
 
void GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
 Create a new private key. More...
 
void GNUNET_CRYPTO_edx25519_key_create (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
 Create a new private key. More...
 
void GNUNET_CRYPTO_edx25519_key_create_from_seed (const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
 Create a new private key for Edx25519 from a given seed. More...
 
void GNUNET_CRYPTO_ecdhe_key_create (struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
 Create a new private key. More...
 
void GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
 Clear memory that was used to store a private key. More...
 
void GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk)
 Clear memory that was used to store a private key. More...
 
void GNUNET_CRYPTO_edx25519_key_clear (struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
 Clear memory that was used to store a private key. More...
 
void GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
 Clear memory that was used to store a private key. More...
 
void GNUNET_CRYPTO_private_key_clear (struct GNUNET_CRYPTO_PrivateKey *pk)
 Clear memory that was used to store a private key. More...
 
const struct GNUNET_CRYPTO_EcdsaPrivateKeyGNUNET_CRYPTO_ecdsa_key_get_anonymous (void)
 Get the shared private key we use for anonymous users. More...
 
void GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name)
 Setup a hostkey file for a peer given the name of the configuration file (!). More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, struct GNUNET_PeerIdentity *dst)
 Retrieve the identity of the host's peer. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_sign_by_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
 Sign a given block with a specific purpose using the host's peer identity. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_verify_peer_identity (uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EddsaSignature *sig, const struct GNUNET_PeerIdentity *identity)
 Verify a given signature with a peer's identity. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material)
 Derive key material from a public and a private ECC key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material)
 Derive key material from a ECDH public key and a private EdDSA key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, const struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
 Derive key material from a ECDH public key and a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *prk)
 Decapsulate a key for a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *prk)
 Encapsulate key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *prk)
 Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Carries out ecdh decapsulation with own private key and the representative of the received public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps (const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Encapsulate authenticated key material for a X25519 public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_decaps (const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_EcdhePublicKey *pkS, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
 Decapsulate a key for a private X25519 key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *prk)
 Decapsulate a key for a private EdDSA key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *prk)
 Encapsulate key material for a EdDSA public key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material)
 HPKE END. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_HashCode *key_material)
 Derive key material from a EdDSA public key and a private ECDH key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519 (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
 Derive key material from a EdDSA public key and a private ECDH key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, struct GNUNET_HashCode *key_material)
 Derive key material from a EcDSA public key and a private ECDH key. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_sign_ (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
 EdDSA sign a given block. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_sign_ (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EcdsaSignature *sig)
 ECDSA Sign a given block. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_sign_ (const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Edx25519Signature *sig)
 Edx25519 sign a given block. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_verify_ (uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EddsaSignature *sig, const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
 Verify EdDSA signature. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_verify_ (uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EcdsaSignature *sig, const struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
 Verify ECDSA signature. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_verify_ (uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_Edx25519Signature *sig, const struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
 Verify Edx25519 signature. More...
 
struct GNUNET_CRYPTO_EcdsaPrivateKeyGNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const char *label, const char *context)
 Derive a private key from a given private key and a label. More...
 
void GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, const char *label, const char *context, struct GNUNET_CRYPTO_EcdsaPublicKey *result)
 Derive a public key from a given public key and a label. More...
 
void GNUNET_CRYPTO_eddsa_private_key_derive (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const char *label, const char *context, struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
 Derive a private scalar from a given private key and a label. More...
 
void GNUNET_CRYPTO_eddsa_public_key_derive (const struct GNUNET_CRYPTO_EddsaPublicKey *pub, const char *label, const char *context, struct GNUNET_CRYPTO_EddsaPublicKey *result)
 Derive a public key from a given public key and a label. More...
 
void GNUNET_CRYPTO_edx25519_private_key_derive (const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PrivateKey *result)
 Derive a private scalar from a given private key and a label. More...
 
void GNUNET_CRYPTO_edx25519_public_key_derive (const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PublicKey *result)
 Derive a public key from a given public key and a label. More...
 
void GNUNET_CRYPTO_ecdhe_elligator_decoding (struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
 Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. More...
 
bool GNUNET_CRYPTO_ecdhe_elligator_encoding (uint8_t random_tweak, struct GNUNET_CRYPTO_ElligatorRepresentative *r, const struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 Encodes a point on Curve25519 to a an element of the underlying finite field. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public (const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. More...
 
void GNUNET_CRYPTO_ecdhe_elligator_key_create (struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
 Generates a private key for Curve25519. More...
 

Detailed Description

Provides cryptographic primitives.

See also
Documentation

Macro Definition Documentation

◆ GNUNET_CRYPTO_eddsa_sign

#define GNUNET_CRYPTO_eddsa_sign (   priv,
  ps,
  sig 
)
Value:
do { \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*ps)); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_assert (GNUNET_OK == \
&(ps)->purpose, \
sig)); \
} while (0)
static struct GNUNET_PEERSTORE_Handle * ps
Handle to the PEERSTORE service.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_sign_(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EddsaSignature *sig)
EdDSA sign a given block.
Definition: crypto_ecc.c:625
@ GNUNET_OK

EdDSA sign a given block.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
[out]sigwhere to write the signature

Definition at line 2810 of file gnunet_crypto_lib.h.

◆ GNUNET_CRYPTO_ecdsa_sign

#define GNUNET_CRYPTO_ecdsa_sign (   priv,
  ps,
  sig 
)
Value:
do { \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_assert (GNUNET_OK == \
&(ps)->purpose, \
sig)); \
} while (0)
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_sign_(const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EcdsaSignature *sig)
ECDSA Sign a given block.
Definition: crypto_ecc.c:554

ECDSA sign a given block.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
[out]sigwhere to write the signature

Definition at line 2872 of file gnunet_crypto_lib.h.

◆ GNUNET_CRYPTO_edx25519_sign

#define GNUNET_CRYPTO_edx25519_sign (   priv,
  ps,
  sig 
)
Value:
do { \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_assert (GNUNET_OK == \
&(ps)->purpose, \
sig)); \
} while (0)
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_sign_(const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Edx25519Signature *sig)
Edx25519 sign a given block.

Edx25519 sign a given block.

The resulting signature is compatible with EdDSA.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
[out]sigwhere to write the signature

Definition at line 2919 of file gnunet_crypto_lib.h.

◆ GNUNET_CRYPTO_eddsa_verify

#define GNUNET_CRYPTO_eddsa_verify (   purp,
  ps,
  sig,
  pub 
)
Value:
({ \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_CRYPTO_eddsa_verify_ (purp, \
&(ps)->purpose, \
sig, \
pub); \
})
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47

Verify EdDSA signature.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
purppurpose of the signature, must match 'ps->purpose.purpose' (except in host byte order)
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
sigwhere to write the signature

Definition at line 2972 of file gnunet_crypto_lib.h.

◆ GNUNET_CRYPTO_ecdsa_verify

#define GNUNET_CRYPTO_ecdsa_verify (   purp,
  ps,
  sig,
  pub 
)
Value:
({ \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_CRYPTO_ecdsa_verify_ (purp, \
&(ps)->purpose, \
sig, \
pub); \
})

Verify ECDSA signature.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
purppurpose of the signature, must match 'ps->purpose.purpose' (except in host byte order)
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
sigwhere to write the signature

Definition at line 3024 of file gnunet_crypto_lib.h.

◆ GNUNET_CRYPTO_edx25519_verify

#define GNUNET_CRYPTO_edx25519_verify (   purp,
  ps,
  sig,
  pub 
)
Value:
({ \
/* check size is set correctly */ \
GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps))); \
/* check 'ps' begins with the purpose */ \
GNUNET_static_assert (((void*) (ps)) == \
((void*) &(ps)->purpose)); \
GNUNET_CRYPTO_edx25519_verify_ (purp, \
&(ps)->purpose, \
sig, \
pub); \
})

Verify Edx25519 signature.

The ps data must be a fixed-size struct for which the signature is to be created. The size field in ps->purpose must correctly indicate the number of bytes of the data structure, including its header.

Parameters
purppurpose of the signature, must match 'ps->purpose.purpose' (except in host byte order)
privprivate key to use for the signing
pspacked struct with what to sign, MUST begin with a purpose
sigwhere to write the signature

Definition at line 3076 of file gnunet_crypto_lib.h.

Enumeration Type Documentation

◆ GNUNET_CRYPTO_Quality

Desired quality level for random numbers.

Enumerator
GNUNET_CRYPTO_QUALITY_WEAK 

No good quality of the operation is needed (i.e., random numbers can be pseudo-random).

GNUNET_CRYPTO_QUALITY_STRONG 

High-quality operations are desired.

GNUNET_CRYPTO_QUALITY_NONCE 

Randomness for IVs etc.

is required.

Definition at line 84 of file gnunet_crypto_lib.h.

85{
92
98
104};
@ GNUNET_CRYPTO_QUALITY_STRONG
High-quality operations are desired.
@ GNUNET_CRYPTO_QUALITY_WEAK
No good quality of the operation is needed (i.e., random numbers can be pseudo-random).
@ GNUNET_CRYPTO_QUALITY_NONCE
Randomness for IVs etc.

Function Documentation

◆ GNUNET_CRYPTO_seed_weak_random()

void GNUNET_CRYPTO_seed_weak_random ( int32_t  seed)

Seed a weak random generator.

Only GNUNET_CRYPTO_QUALITY_WEAK-mode generator can be seeded.

Parameters
seedthe seed to use

Definition at line 91 of file crypto_random.c.

92{
93#ifdef OPENBSD
94 srandom_deterministic (seed);
95#else
96 srandom (seed);
97#endif
98}
static uint8_t seed

References seed.

Referenced by __attribute__().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_zero_keys()

void GNUNET_CRYPTO_zero_keys ( void *  buffer,
size_t  length 
)

Zero out buffer, securely against compiler optimizations.

Used to delete key material.

Parameters
bufferthe buffer to zap
lengthbuffer length

Definition at line 110 of file crypto_random.c.

111{
112#if HAVE_MEMSET_S
113 memset_s (buffer, length, 0, length);
114#elif HAVE_EXPLICIT_BZERO
115 explicit_bzero (buffer, length);
116#else
117 volatile unsigned char *p = buffer;
118 while (length--)
119 *p++ = 0;
120#endif
121}
static struct GNUNET_OS_Process * p
Helper process we started.
Definition: gnunet-uri.c:38

References p.

Referenced by delete_store_message(), and dv_key_clean().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_random_block()

void GNUNET_CRYPTO_random_block ( enum GNUNET_CRYPTO_Quality  mode,
void *  buffer,
size_t  length 
)

Fill block with a random values.

Parameters
modedesired quality of the random number
[out]bufferthe buffer to fill
lengthbuffer length
modedesired quality of the random number
bufferthe buffer to fill
lengthbuffer length

Definition at line 133 of file crypto_random.c.

136{
137#ifdef gcry_fast_random_poll
138 static unsigned int invokeCount;
139#endif
140 switch (mode)
141 {
143 /* see http://lists.gnupg.org/pipermail/gcrypt-devel/2004-May/000613.html */
144#ifdef gcry_fast_random_poll
145 if ((invokeCount++ % 256) == 0)
146 gcry_fast_random_poll ();
147#endif
148 gcry_randomize (buffer, length, GCRY_STRONG_RANDOM);
149 return;
150
152 gcry_create_nonce (buffer, length);
153 return;
154
156 /* see http://lists.gnupg.org/pipermail/gcrypt-devel/2004-May/000613.html */
157#ifdef gcry_fast_random_poll
158 if ((invokeCount++ % 256) == 0)
159 gcry_fast_random_poll ();
160#endif
161 gcry_randomize (buffer, length, GCRY_WEAK_RANDOM);
162 return;
163
164 default:
165 GNUNET_assert (0);
166 }
167}
static enum @44 mode
Should we do a PUT (mode = 0) or GET (mode = 1);.
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.

References GNUNET_assert, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_QUALITY_STRONG, GNUNET_CRYPTO_QUALITY_WEAK, and mode.

Referenced by client_quic_init(), connection_init(), delayed_put(), do_pad(), encapsulate_for_dv(), encode_message_body(), GCC_create(), generate_free_member_id(), get_new_connection_id_cb(), GNUNET_async_scope_fresh(), GNUNET_CRYPTO_ecdhe_elligator_key_create(), GNUNET_CRYPTO_ecdhe_elligator_key_get_public(), GNUNET_CRYPTO_ecdhe_key_create(), GNUNET_CRYPTO_ecdsa_key_create(), GNUNET_CRYPTO_eddsa_key_create(), GNUNET_CRYPTO_edx25519_key_create(), GNUNET_CRYPTO_hash_create_random(), GNUNET_CRYPTO_hpke_elligator_kem_encaps(), GNUNET_CRYPTO_hpke_sender_setup2(), GNUNET_CRYPTO_random_timeflake(), handle_validation_response(), mq_init(), output_vectors(), prepare_pending_acknowledgement(), rand_cb(), RPS_sampler_elem_reinit(), sock_read(), start_address_validation(), start_dv_learn(), and transmit_kx().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_random_timeflake()

void GNUNET_CRYPTO_random_timeflake ( enum GNUNET_CRYPTO_Quality  mode,
struct GNUNET_Uuid uuid 
)

Fill UUID with a timeflake pseudo-random value.

Note that timeflakes use only 80 bits of randomness and 48 bits to encode a timestamp in milliseconds. So what we return here is not a completely random number.

Parameters
modedesired quality of the random number
[out]uuidthe value to fill

Note that timeflakes use only 80 bits of randomness and 48 bits to encode a timestamp in milliseconds. So what we return here is not a completely random number.

Parameters
modedesired quality of the random number
uuidthe value to fill

Definition at line 316 of file crypto_random.c.

318{
319 struct GNUNET_TIME_Absolute now;
320 uint64_t ms;
321 uint64_t be;
322 char *base;
323
325 uuid,
326 sizeof (struct GNUNET_Uuid));
328 ms = now.abs_value_us / GNUNET_TIME_UNIT_MILLISECONDS.rel_value_us;
329 be = GNUNET_htonll (ms);
330 base = (char *) &be;
331 memcpy (uuid,
332 base + 2,
333 sizeof (be) - 2);
334}
void GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode, void *buffer, size_t length)
Fill block with a random values.
uint64_t GNUNET_htonll(uint64_t n)
Convert unsigned 64-bit integer to network byte order.
Definition: common_endian.c:37
#define GNUNET_TIME_UNIT_MILLISECONDS
One millisecond.
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_get(void)
Get the current time.
Definition: time.c:111
Time for absolute times used by GNUnet, in microseconds.
A UUID, a 128 bit "random" value.

References GNUNET_TIME_Absolute::abs_value_us, GNUNET_CRYPTO_random_block(), GNUNET_htonll(), GNUNET_TIME_absolute_get(), GNUNET_TIME_UNIT_MILLISECONDS, and mode.

Here is the call graph for this function:

◆ GNUNET_CRYPTO_random_u32()

uint32_t GNUNET_CRYPTO_random_u32 ( enum GNUNET_CRYPTO_Quality  mode,
uint32_t  i 
)

Produce a random value.

Parameters
modedesired quality of the random number
ithe upper limit (exclusive) for the random number
Returns
a random value in the interval [0,i) (exclusive).

Produce a random value.

Parameters
modedesired quality of the random number
ithe upper limit (exclusive) for the random number
Returns
a random value in the interval [0,i[.

Definition at line 178 of file crypto_random.c.

180{
181#ifdef gcry_fast_random_poll
182 static unsigned int invokeCount;
183#endif
184 uint32_t ret;
185 uint32_t ul;
186
187 GNUNET_assert (i > 0);
188
189 switch (mode)
190 {
192 /* see http://lists.gnupg.org/pipermail/gcrypt-devel/2004-May/000613.html */
193#ifdef gcry_fast_random_poll
194 if ((invokeCount++ % 256) == 0)
195 gcry_fast_random_poll ();
196#endif
197 ul = UINT32_MAX - (UINT32_MAX % i);
198 do
199 {
200 gcry_randomize ((unsigned char *) &ret,
201 sizeof(uint32_t),
202 GCRY_STRONG_RANDOM);
203 }
204 while (ret >= ul);
205 return ret % i;
206
208 ul = UINT32_MAX - (UINT32_MAX % i);
209 do
210 {
211 gcry_create_nonce (&ret, sizeof(ret));
212 }
213 while (ret >= ul);
214 return ret % i;
215
217 ret = i * get_weak_random ();
218 if (ret >= i)
219 ret = i - 1;
220 return ret;
221
222 default:
223 GNUNET_assert (0);
224 }
225 return 0;
226}
static double get_weak_random(void)
Create a cryptographically weak pseudo-random number in the interval of 0 to 1.
Definition: crypto_random.c:84
static int ret
Final status code.
Definition: gnunet-arm.c:93

References get_weak_random(), GNUNET_assert, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_QUALITY_STRONG, GNUNET_CRYPTO_QUALITY_WEAK, mode, and ret.

Referenced by __attribute__(), allocate_v4_address(), allocate_v6_address(), calculate_seed(), channel_new_cb(), compute_rand_delay(), compute_service_response(), daemon_started(), delayed_get(), delayed_put(), download_get_url(), generate_request_id(), get_any(), get_bootstrap_server(), get_delay_randomization(), get_forward_count(), get_random_literal(), get_random_peer_from_peermap(), get_randomized_delay(), get_request_socket(), get_typed(), GNUNET_BLOCK_GROUP_bf_create(), GNUNET_CONTAINER_heap_walk_get_next(), GNUNET_CONTAINER_multihashmap_get_random(), GNUNET_CONTAINER_multipeermap_get_random(), GNUNET_CONTAINER_multishortmap_get_random(), GNUNET_CONTAINER_multiuuidmap_get_random(), GNUNET_CRYPTO_random_permute(), GNUNET_FS_search_start_probe_(), GNUNET_TUN_initialize_ipv4_header(), GSC_CLIENTS_deliver_message(), GSF_pending_request_get_message_(), handle_client_evaluate(), handle_dns_request(), handle_dv_learn(), handle_flow_control(), handle_p2p_get(), handle_p2p_put(), handle_resolve_result(), join_room_run(), ogg_init(), plan(), queue(), reannounce_regex(), recursive_dns_resolution(), REGEX_TEST_generate_random_regex(), REGEX_TEST_generate_random_string(), resolve_and_cache(), route_control_message_without_fc(), route_via_neighbour(), select_peer(), send_bloomfilter(), setup_fresh_address(), setup_fresh_ping(), should_I_drop(), shuffle_answers(), start_dv_learn(), test_run(), transmit_typemap_task(), and try_open_exit().

Here is the call graph for this function:

◆ GNUNET_CRYPTO_random_u64()

uint64_t GNUNET_CRYPTO_random_u64 ( enum GNUNET_CRYPTO_Quality  mode,
uint64_t  max 
)

Generate a random unsigned 64-bit value.

Parameters
modedesired quality of the random number
maxvalue returned will be in range [0,max) (exclusive)
Returns
random 64-bit number

Definition at line 262 of file crypto_random.c.

264{
265 uint64_t ret;
266 uint64_t ul;
267
268 GNUNET_assert (max > 0);
269 switch (mode)
270 {
272 ul = UINT64_MAX - (UINT64_MAX % max);
273 do
274 {
275 gcry_randomize ((unsigned char *) &ret,
276 sizeof(uint64_t),
277 GCRY_STRONG_RANDOM);
278 }
279 while (ret >= ul);
280 return ret % max;
281
283 ul = UINT64_MAX - (UINT64_MAX % max);
284 do
285 {
286 gcry_create_nonce (&ret, sizeof(ret));
287 }
288 while (ret >= ul);
289
290 return ret % max;
291
293 ret = max * get_weak_random ();
294 if (ret >= max)
295 ret = max - 1;
296 return ret;
297
298 default:
299 GNUNET_assert (0);
300 }
301 return 0;
302}
#define max(x, y)

References get_weak_random(), GNUNET_assert, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_QUALITY_STRONG, GNUNET_CRYPTO_QUALITY_WEAK, max, mode, and ret.

Referenced by activate_core_visible_dv_path(), calculate_fork_degree(), choose_exit(), dht_connected(), get_transmit_delay(), GNUNET_DHT_connect(), GNUNET_GNSRECORD_pow_start(), handle_dht_p2p_put(), handle_flow_control(), handle_validation_response(), ifc_broadcast(), namestore_flat_store_records(), namestore_postgres_store_records(), namestore_sqlite_store_records(), pick_random_dv_hops(), postgres_plugin_get_key(), postgres_plugin_put(), put_migration_continuation(), run(), sampler_get_rand_peer(), send_find_peer_message(), send_full_set(), setup_out_cipher(), sqlite_plugin_get_key(), sqlite_plugin_get_replication(), sqlite_plugin_put(), and update_next_challenge_time().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_random_permute()

unsigned int * GNUNET_CRYPTO_random_permute ( enum GNUNET_CRYPTO_Quality  mode,
unsigned int  n 
)

Get an array with a random permutation of the numbers 0...n-1.

Parameters
modeGNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used, GNUNET_CRYPTO_QUALITY_WEAK or GNUNET_CRYPTO_QUALITY_NONCE otherwise
nthe size of the array
Returns
the permutation array (allocated from heap)
Parameters
mode#GNUNET_RANDOM_QUALITY_STRONG if the strong (but expensive) PRNG should be used, #GNUNET_RANDOM_QUALITY_WEAK otherwise
nthe size of the array
Returns
the permutation array (allocated from heap)

Definition at line 238 of file crypto_random.c.

240{
241 unsigned int *ret;
242 unsigned int i;
243 unsigned int tmp;
244 uint32_t x;
245
246 GNUNET_assert (n > 0);
247 ret = GNUNET_malloc (n * sizeof(unsigned int));
248 for (i = 0; i < n; i++)
249 ret[i] = i;
250 for (i = n - 1; i > 0; i--)
251 {
252 x = GNUNET_CRYPTO_random_u32 (mode, i + 1);
253 tmp = ret[x];
254 ret[x] = ret[i];
255 ret[i] = tmp;
256 }
257 return ret;
258}
uint32_t GNUNET_CRYPTO_random_u32(enum GNUNET_CRYPTO_Quality mode, uint32_t i)
Produce a random unsigned 32-bit number modulo i.
#define GNUNET_malloc(size)
Wrapper around malloc.

References GNUNET_assert, GNUNET_CRYPTO_random_u32(), GNUNET_malloc, mode, and ret.

Referenced by compute_service_response(), and do_round().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_symmetric_create_session_key()

void GNUNET_CRYPTO_symmetric_create_session_key ( struct GNUNET_CRYPTO_SymmetricSessionKey key)

Create a new random session key.

Parameters
keykey to initialize

Create a new random session key.

Parameters
keysession key to initialize

Definition at line 42 of file crypto_symmetric.c.

45{
46 gcry_randomize (key->aes_key,
48 GCRY_STRONG_RANDOM);
49 gcry_randomize (key->twofish_key,
51 GCRY_STRONG_RANDOM);
52}
struct GNUNET_HashCode key
The key used in the DHT.
#define GNUNET_CRYPTO_AES_KEY_LENGTH
length of the sessionkey in bytes (256 BIT sessionkey)

References GNUNET_CRYPTO_AES_KEY_LENGTH, and key.

◆ GNUNET_CRYPTO_symmetric_encrypt()

ssize_t GNUNET_CRYPTO_symmetric_encrypt ( const void *  block,
size_t  size,
const struct GNUNET_CRYPTO_SymmetricSessionKey sessionkey,
const struct GNUNET_CRYPTO_SymmetricInitializationVector iv,
void *  result 
)

Encrypt a block using a symmetric sessionkey.

Parameters
blockthe block to encrypt
sizethe size of the block
sessionkeythe key used to encrypt
ivthe initialization vector to use, use INITVALUE for streams.
Returns
the size of the encrypted block, -1 for errors

Encrypt a block using a symmetric sessionkey.

Parameters
blockthe block to encrypt
sizethe size of the block
sessionkeythe key used to encrypt
ivthe initialization vector to use, use INITVALUE for streams
resultthe output parameter in which to store the encrypted result can be the same or overlap with block
Returns
the size of the encrypted block, -1 for errors. Due to the use of CFB and therefore an effective stream cipher, this size should be the same as len.

Definition at line 131 of file crypto_symmetric.c.

138{
139 gcry_cipher_hd_t handle;
140 char tmp[GNUNET_NZL(size)];
141
142 if (GNUNET_OK != setup_cipher_aes (&handle, sessionkey, iv))
143 return -1;
144 GNUNET_assert (0 == gcry_cipher_encrypt (handle, tmp, size, block, size));
145 gcry_cipher_close (handle);
146 if (GNUNET_OK != setup_cipher_twofish (&handle, sessionkey, iv))
147 return -1;
148 GNUNET_assert (0 == gcry_cipher_encrypt (handle, result, size, tmp, size));
149 gcry_cipher_close (handle);
150 memset (tmp, 0, sizeof(tmp));
151 return size;
152}
static int setup_cipher_aes(gcry_cipher_hd_t *handle, const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv)
Initialize AES cipher.
static int setup_cipher_twofish(gcry_cipher_hd_t *handle, const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey, const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv)
Initialize TWOFISH cipher.
static int result
Global testing status.
static struct GNUNET_VPN_Handle * handle
Handle to vpn service.
Definition: gnunet-vpn.c:35
#define GNUNET_NZL(l)
Macro used to avoid using 0 for the length of a variable-size array (Non-Zero-Length).
static unsigned int size
Size of the "table".
Definition: peer.c:68

References GNUNET_assert, GNUNET_NZL, GNUNET_OK, handle, result, setup_cipher_aes(), setup_cipher_twofish(), and size.

Referenced by do_encrypt(), encrypt_existing_match(), GNUNET_FS_handle_on_demand_block(), GNUNET_FS_publish_ublock_(), GNUNET_FS_tree_encoder_next(), t_ax_encrypt(), t_h_encrypt(), and try_match_block().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_symmetric_decrypt()

ssize_t GNUNET_CRYPTO_symmetric_decrypt ( const void *  block,
size_t  size,
const struct GNUNET_CRYPTO_SymmetricSessionKey sessionkey,
const struct GNUNET_CRYPTO_SymmetricInitializationVector iv,
void *  result 
)

Decrypt a given block using a symmetric sessionkey.

Parameters
blockthe data to decrypt, encoded as returned by encrypt
sizehow big is the block?
sessionkeythe key used to decrypt
ivthe initialization vector to use
resultaddress to store the result at
Returns
-1 on failure, size of decrypted block on success

Decrypt a given block using a symmetric sessionkey.

Parameters
blockthe data to decrypt, encoded as returned by encrypt
sizethe size of the block to decrypt
sessionkeythe key used to decrypt
ivthe initialization vector to use, use INITVALUE for streams
resultaddress to store the result at can be the same or overlap with block
Returns
-1 on failure, size of decrypted block on success. Due to the use of CFB and therefore an effective stream cipher, this size should be the same as size.

Definition at line 169 of file crypto_symmetric.c.

176{
177 gcry_cipher_hd_t handle;
178 char tmp[size];
179
180 if (GNUNET_OK != setup_cipher_twofish (&handle, sessionkey, iv))
181 return -1;
182 GNUNET_assert (0 == gcry_cipher_decrypt (handle, tmp, size, block, size));
183 gcry_cipher_close (handle);
184 if (GNUNET_OK != setup_cipher_aes (&handle, sessionkey, iv))
185 return -1;
186 GNUNET_assert (0 == gcry_cipher_decrypt (handle, result, size, tmp, size));
187 gcry_cipher_close (handle);
188 memset (tmp, 0, sizeof(tmp));
189 return size;
190}

References GNUNET_assert, GNUNET_OK, handle, result, setup_cipher_aes(), setup_cipher_twofish(), and size.

Referenced by do_decrypt(), GNUNET_FS_ublock_decrypt_(), process_result_with_request(), t_ax_decrypt(), t_h_decrypt(), and try_old_ax_keys().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_symmetric_derive_iv()

void GNUNET_CRYPTO_symmetric_derive_iv ( struct GNUNET_CRYPTO_SymmetricInitializationVector iv,
const struct GNUNET_CRYPTO_SymmetricSessionKey skey,
const void *  salt,
size_t  salt_len,
  ... 
)

Derive an IV.

Parameters
ivinitialization vector
skeysession key
saltsalt for the derivation
salt_lensize of the salt
...pairs of void * & size_t for context chunks, terminated by NULL

Definition at line 203 of file crypto_symmetric.c.

211{
212 va_list argp;
213
214 va_start (argp, salt_len);
215 GNUNET_CRYPTO_symmetric_derive_iv_v (iv, skey, salt, salt_len, argp);
216 va_end (argp);
217}
static struct GNUNET_CRYPTO_PowSalt salt
Salt for PoW calculations.
Definition: gnunet-scrypt.c:34
void GNUNET_CRYPTO_symmetric_derive_iv_v(struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, const struct GNUNET_CRYPTO_SymmetricSessionKey *skey, const void *salt, size_t salt_len, va_list argp)
Derive an IV.

References GNUNET_CRYPTO_symmetric_derive_iv_v(), and salt.

Referenced by derive_iv(), derive_pong_iv(), t_ax_decrypt(), t_ax_encrypt(), t_h_decrypt(), t_h_encrypt(), and try_old_ax_keys().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_key_get_public()

void GNUNET_CRYPTO_ecdsa_key_get_public ( const struct GNUNET_CRYPTO_EcdsaPrivateKey priv,
struct GNUNET_CRYPTO_EcdsaPublicKey pub 
)

Extract the public key for the given private key.

Parameters
privthe special elligator private key
pubwhere to write the public key

Definition at line 190 of file crypto_ecc.c.

193{
194 BENCHMARK_START (ecdsa_key_get_public);
195 crypto_scalarmult_ed25519_base_noclamp (pub->q_y, priv->d);
196 BENCHMARK_END (ecdsa_key_get_public);
197}
#define BENCHMARK_START(opname)
Definition: benchmark.h:57
#define BENCHMARK_END(opname)
Definition: benchmark.h:58
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_EcdsaPrivateKey::d, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by block_create2(), decrypt_block_with_keyword(), get_update_information_directory(), GNUNET_CRYPTO_ecdsa_private_key_derive(), GNUNET_CRYPTO_key_get_public(), GNUNET_FS_publish_sks(), GNUNET_FS_publish_ublock_(), GNUNET_FS_search_start_searching_(), GNUNET_FS_unindex_do_remove_kblocks_(), and process_kblock_for_unindex().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_key_get_public()

void GNUNET_CRYPTO_eddsa_key_get_public ( const struct GNUNET_CRYPTO_EddsaPrivateKey priv,
struct GNUNET_CRYPTO_EddsaPublicKey pub 
)

Extract the public key for the given private key.

Parameters
privthe private key
pubwhere to write the public key

Definition at line 201 of file crypto_ecc.c.

204{
205 unsigned char pk[crypto_sign_PUBLICKEYBYTES];
206 unsigned char sk[crypto_sign_SECRETKEYBYTES];
207
208 BENCHMARK_START (eddsa_key_get_public);
209 GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d));
210 GNUNET_memcpy (pub->q_y, pk, crypto_sign_PUBLICKEYBYTES);
211 sodium_memzero (sk, crypto_sign_SECRETKEYBYTES);
212 BENCHMARK_END (eddsa_key_get_public);
213}
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
#define GNUNET_memcpy(dst, src, n)
Call memcpy() but check for n being 0 first.
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_EddsaPrivateKey::d, GNUNET_assert, GNUNET_memcpy, pk, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by advertise_dns_exit(), block_create2(), checkvec(), create_keys(), GNUNET_CRYPTO_eddsa_private_key_derive(), GNUNET_CRYPTO_get_peer_identity(), GNUNET_CRYPTO_key_get_public(), GNUNET_FS_uri_loc_create(), GSC_KX_init(), init_socket(), main_init(), output_vectors(), print_key(), regex_iterator(), and run().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_key_get_public()

void GNUNET_CRYPTO_edx25519_key_get_public ( const struct GNUNET_CRYPTO_Edx25519PrivateKey priv,
struct GNUNET_CRYPTO_Edx25519PublicKey pub 
)

Extract the public key for the given private key.

Parameters
privthe private key
pubwhere to write the public key

Definition at line 79 of file crypto_edx25519.c.

82{
83 crypto_scalarmult_ed25519_base_noclamp (pub->q_y,
84 priv->a);
85}
unsigned char a[256/8]
a is a value mod n, where n has at most 256 bits.

References GNUNET_CRYPTO_Edx25519PrivateKey::a, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by GNUNET_CRYPTO_edx25519_private_key_derive(), and output_vectors().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_key_get_public()

void GNUNET_CRYPTO_ecdhe_key_get_public ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
struct GNUNET_CRYPTO_EcdhePublicKey pub 
)

Extract the public key for the given private key.

Parameters
privthe private key
pubwhere to write the public key

Definition at line 217 of file crypto_ecc.c.

220{
221 BENCHMARK_START (ecdhe_key_get_public);
222 GNUNET_assert (0 == crypto_scalarmult_base (pub->q_y, priv->d));
223 BENCHMARK_END (ecdhe_key_get_public);
224}
unsigned char d[256/8]
d is a value mod n, where n has at most 256 bits.

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_assert, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by authkem_encaps_norand(), GCT_handle_kx_auth(), GCT_send(), GNUNET_CRYPTO_hpke_authkem_encaps_norand(), GNUNET_CRYPTO_hpke_kem_encaps_norand(), output_vectors(), print_examples_ecdh(), send_kx(), send_kx_auth(), and sign_ephemeral_key().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_key_from_file()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_key_from_file ( const char *  filename,
int  do_create,
struct GNUNET_CRYPTO_EcdsaPrivateKey pkey 
)

Create a new private key by reading it from a file.

If the files does not exist and do_create is set, creates a new key and write it to the file.

If the contents of the file are invalid, an error is returned.

Parameters
filenamename of file to use to store the key
do_createshould a file be created?
[out]pkeyset to the private key from filename on success
Returns
GNUNET_OK on success, GNUNET_NO if do_create was set but we found an existing file, GNUNET_SYSERR on failure

Definition at line 201 of file crypto_ecc_setup.c.

204{
205 if (GNUNET_OK ==
207 pkey,
208 sizeof (*pkey)))
209 {
210 /* file existed, report that we didn't create it... */
211 return (do_create) ? GNUNET_NO : GNUNET_OK;
212 }
213 else if (! do_create)
214 {
215 return GNUNET_SYSERR;
216 }
218 if (GNUNET_OK ==
220 pkey,
221 sizeof (*pkey),
223 return GNUNET_OK;
224 /* maybe another process succeeded in the meantime, try reading one more time */
225 if (GNUNET_OK ==
227 pkey,
228 sizeof (*pkey)))
229 {
230 /* file existed, report that *we* didn't create it... */
231 return GNUNET_NO;
232 }
233 /* give up */
234 return GNUNET_SYSERR;
235}
static enum GNUNET_GenericReturnValue read_from_file(const char *filename, void *buf, size_t buf_size)
Read file to buf.
static char * filename
static char * pkey
Public key of the zone to look in, in ASCII.
void GNUNET_CRYPTO_ecdsa_key_create(struct GNUNET_CRYPTO_EcdsaPrivateKey *pk)
Create a new private key.
Definition: crypto_ecc.c:465
enum GNUNET_GenericReturnValue GNUNET_DISK_fn_write(const char *fn, const void *buf, size_t buf_size, enum GNUNET_DISK_AccessPermissions mode)
Write a buffer to a file atomically.
Definition: disk.c:737
@ GNUNET_DISK_PERM_USER_READ
Owner can read.
@ GNUNET_NO
@ GNUNET_SYSERR

References filename, GNUNET_CRYPTO_ecdsa_key_create(), GNUNET_DISK_fn_write(), GNUNET_DISK_PERM_USER_READ, GNUNET_NO, GNUNET_OK, GNUNET_SYSERR, pkey, and read_from_file().

Here is the call graph for this function:

◆ GNUNET_CRYPTO_eddsa_key_from_file()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_key_from_file ( const char *  filename,
int  do_create,
struct GNUNET_CRYPTO_EddsaPrivateKey pkey 
)

Create a new private key by reading it from a file.

If the files does not exist and do_create is set, creates a new key and write it to the file.

If the contents of the file are invalid, an error is returned.

Parameters
filenamename of file to use to store the key
do_createshould a file be created?
[out]pkeyset to the private key from filename on success
Returns
GNUNET_OK on success, GNUNET_NO if do_create was set but we found an existing file, GNUNET_SYSERR on failure

If the files does not exist and do_create is set, creates a new key and write it to the file.

If the contents of the file are invalid, an error is returned.

Parameters
filenamename of file to use to store the key
do_createshould a file be created?
[out]pkeyset to the private key from filename on success
Returns
- GNUNET_OK on success,
  • GNUNET_NO if do_create was set but we found an existing file,
  • GNUNET_SYSERR on failure or if the file didn't exist and do_create was not set

Definition at line 144 of file crypto_ecc_setup.c.

147{
149
150 if (GNUNET_OK ==
152 pkey,
153 sizeof (*pkey)))
154 {
155 /* file existed, report that we didn't create it... */
156 return (do_create) ? GNUNET_NO : GNUNET_OK;
157 }
158 else if (! do_create)
159 {
160 return GNUNET_SYSERR;
161 }
162
165 pkey,
166 sizeof (*pkey),
168 if ( (GNUNET_OK == ret) ||
169 (GNUNET_SYSERR == ret) )
170 return ret;
171 /* maybe another process succeeded in the meantime, try reading one more time */
172 if (GNUNET_OK ==
174 pkey,
175 sizeof (*pkey)))
176 {
177 /* file existed, report that *we* didn't create it... */
178 return GNUNET_NO;
179 }
180 /* give up */
181 return GNUNET_SYSERR;
182}
void GNUNET_CRYPTO_eddsa_key_create(struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
Create a new private key.
Definition: crypto_ecc.c:480
GNUNET_GenericReturnValue
Named constants for return values.

References filename, GNUNET_CRYPTO_eddsa_key_create(), GNUNET_DISK_fn_write(), GNUNET_DISK_PERM_USER_READ, GNUNET_NO, GNUNET_OK, GNUNET_SYSERR, pkey, read_from_file(), and ret.

Referenced by GNUNET_CRYPTO_eddsa_key_create_from_configuration(), main_init(), and run().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_key_create_from_configuration()

struct GNUNET_CRYPTO_EddsaPrivateKey * GNUNET_CRYPTO_eddsa_key_create_from_configuration ( const struct GNUNET_CONFIGURATION_Handle cfg)

Create a new private key by reading our peer's key from the file specified in the configuration.

Parameters
cfgthe configuration to use
Returns
new private key, NULL on error (for example, permission denied); free using GNUNET_free
Parameters
cfgthe configuration to use
Returns
new private key, NULL on error (for example, permission denied)

Definition at line 247 of file crypto_ecc_setup.c.

249{
251 char *fn;
252
253 if (GNUNET_OK !=
255 "PEER",
256 "PRIVATE_KEY",
257 &fn))
258 return NULL;
262 priv))
263 {
264 GNUNET_free (fn);
265 GNUNET_free (priv);
266 return NULL;
267 }
268 GNUNET_free (fn);
269 return priv;
270}
static struct GNUNET_CONFIGURATION_Handle * cfg
Our configuration.
Definition: gnunet-arm.c:108
enum GNUNET_GenericReturnValue GNUNET_CONFIGURATION_get_value_filename(const struct GNUNET_CONFIGURATION_Handle *cfg, const char *section, const char *option, char **value)
Get a configuration value that should be the name of a file or directory.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_key_from_file(const char *filename, int do_create, struct GNUNET_CRYPTO_EddsaPrivateKey *pkey)
Create a new private key by reading it from a file.
@ GNUNET_YES
#define GNUNET_new(type)
Allocate a struct or union of the given type.
#define GNUNET_free(ptr)
Wrapper around free.
Private ECC key encoded for transmission.

References cfg, GNUNET_CONFIGURATION_get_value_filename(), GNUNET_CRYPTO_eddsa_key_from_file(), GNUNET_free, GNUNET_new, GNUNET_OK, GNUNET_SYSERR, and GNUNET_YES.

Referenced by advertise_dns_exit(), DHTU_gnunet_init(), GNUNET_CRYPTO_get_peer_identity(), GNUNET_CRYPTO_sign_by_peer_identity(), init_socket(), and run().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_key_create()

void GNUNET_CRYPTO_ecdsa_key_create ( struct GNUNET_CRYPTO_EcdsaPrivateKey pk)

Create a new private key.

Parameters
[out]pkprivate key to initialize

Definition at line 465 of file crypto_ecc.c.

466{
467 BENCHMARK_START (ecdsa_key_create);
469 pk,
470 sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey));
471 pk->d[0] &= 248;
472 pk->d[31] &= 127;
473 pk->d[31] |= 64;
474
475 BENCHMARK_END (ecdsa_key_create);
476}
Private ECC key encoded for transmission.

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), and pk.

Referenced by GNUNET_CRYPTO_ecdsa_key_from_file(), private_key_create(), run_edkey(), and run_pkey().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_key_create()

void GNUNET_CRYPTO_eddsa_key_create ( struct GNUNET_CRYPTO_EddsaPrivateKey pk)

Create a new private key.

Parameters
[out]pkprivate key to initialize

Definition at line 480 of file crypto_ecc.c.

481{
482 BENCHMARK_START (eddsa_key_create);
483 /*
484 * We do not clamp for EdDSA, since all functions that use the private key do
485 * their own clamping (just like in libsodium). What we call "private key"
486 * here, actually corresponds to the seed in libsodium.
487 *
488 * (Contrast this to ECDSA, where functions using the private key can't clamp
489 * due to properties needed for GNS. That is a worse/unsafer API, but
490 * required for the GNS constructions to work.)
491 */
493 pk,
494 sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey));
495 BENCHMARK_END (eddsa_key_create);
496}

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), and pk.

Referenced by create_keys(), GNUNET_CRYPTO_eddsa_key_from_file(), output_vectors(), private_key_create(), and run_edkey().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_key_create()

void GNUNET_CRYPTO_edx25519_key_create ( struct GNUNET_CRYPTO_Edx25519PrivateKey pk)

Create a new private key.

Parameters
[out]pkprivate key to initialize

Definition at line 65 of file crypto_edx25519.c.

67{
68 char seed[256 / 8];
70 seed,
71 sizeof (seed));
73 sizeof(seed),
74 pk);
75}
void GNUNET_CRYPTO_edx25519_key_create_from_seed(const void *seed, size_t seedsize, struct GNUNET_CRYPTO_Edx25519PrivateKey *pk)
Create a new private key for Edx25519 from a given seed.

References GNUNET_CRYPTO_edx25519_key_create_from_seed(), GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), pk, and seed.

Referenced by output_vectors().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_key_create_from_seed()

void GNUNET_CRYPTO_edx25519_key_create_from_seed ( const void *  seed,
size_t  seedsize,
struct GNUNET_CRYPTO_Edx25519PrivateKey pk 
)

Create a new private key for Edx25519 from a given seed.

After expanding the seed, the first half of the key will be clamped according to EdDSA.

Parameters
seedseed input
seedsizesize of the seed in bytes
[out]pkprivate key to initialize

Definition at line 45 of file crypto_edx25519.c.

49{
50
51 GNUNET_static_assert (sizeof(*pk) == sizeof(struct GNUNET_HashCode));
53 seedsize,
54 (struct GNUNET_HashCode *) pk);
55
56 /* Clamp the first half of the key. The second half is used in the signature
57 * process. */
58 pk->a[0] &= 248;
59 pk->a[31] &= 127;
60 pk->a[31] |= 64;
61}
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:41
#define GNUNET_static_assert(cond)
Assertion to be checked (if supported by C compiler) at compile time, otherwise checked at runtime an...
A 512-bit hashcode.

References GNUNET_CRYPTO_hash(), GNUNET_static_assert, pk, and seed.

Referenced by GNUNET_CRYPTO_edx25519_key_create().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_key_create()

void GNUNET_CRYPTO_ecdhe_key_create ( struct GNUNET_CRYPTO_EcdhePrivateKey pk)

Create a new private key.

Clear with GNUNET_CRYPTO_ecdhe_key_clear(). This is X25519 DH (RFC 7748 Section 5) and corresponds to X25519(a,9). See GNUNET_CRYPTO_ecc_ecdh for the DH function.

Parameters
[out]pkset to fresh private key;

Definition at line 454 of file crypto_ecc.c.

455{
456 BENCHMARK_START (ecdhe_key_create);
458 pk,
459 sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
460 BENCHMARK_END (ecdhe_key_create);
461}
Private ECC key encoded for transmission.

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), and pk.

Referenced by do_rekey(), GCT_create_tunnel(), GNUNET_CRYPTO_hpke_authkem_encaps(), GNUNET_CRYPTO_hpke_kem_encaps(), GNUNET_CRYPTO_hpke_sender_setup(), GSC_KX_init(), new_ephemeral(), output_vectors(), and print_examples_ecdh().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_key_clear()

void GNUNET_CRYPTO_eddsa_key_clear ( struct GNUNET_CRYPTO_EddsaPrivateKey pk)

Clear memory that was used to store a private key.

Parameters
pklocation of the key

Definition at line 447 of file crypto_ecc.c.

448{
450}
static void buffer_clear(void *buf, size_t len)
Definition: crypto_ecc.c:418

References buffer_clear(), and pk.

Referenced by GNUNET_CRYPTO_private_key_clear(), and GNUNET_CRYPTO_sign_by_peer_identity().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_key_clear()

void GNUNET_CRYPTO_ecdsa_key_clear ( struct GNUNET_CRYPTO_EcdsaPrivateKey pk)

Clear memory that was used to store a private key.

Parameters
pklocation of the key

Definition at line 440 of file crypto_ecc.c.

441{
443}

References buffer_clear(), and pk.

Referenced by GNUNET_CRYPTO_private_key_clear().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_key_clear()

void GNUNET_CRYPTO_edx25519_key_clear ( struct GNUNET_CRYPTO_Edx25519PrivateKey pk)

Clear memory that was used to store a private key.

Parameters
pklocation of the key

Definition at line 38 of file crypto_edx25519.c.

39{
40 memset (pk, 0, sizeof(struct GNUNET_CRYPTO_Edx25519PrivateKey));
41}
Private ECC key material encoded for transmission.

References pk.

◆ GNUNET_CRYPTO_ecdhe_key_clear()

void GNUNET_CRYPTO_ecdhe_key_clear ( struct GNUNET_CRYPTO_EcdhePrivateKey pk)

Clear memory that was used to store a private key.

Parameters
pklocation of the key

Definition at line 433 of file crypto_ecc.c.

434{
436}

References buffer_clear(), and pk.

Referenced by cleanup_ax().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_private_key_clear()

void GNUNET_CRYPTO_private_key_clear ( struct GNUNET_CRYPTO_PrivateKey pk)

Clear memory that was used to store a private key.

Parameters
pklocation of the key

Definition at line 47 of file crypto_pkey.c.

48{
49 switch (ntohl (key->type))
50 {
53 break;
56 break;
57 default:
58 GNUNET_break (0);
59 }
60}
void GNUNET_CRYPTO_eddsa_key_clear(struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
Clear memory that was used to store a private key.
Definition: crypto_ecc.c:447
void GNUNET_CRYPTO_ecdsa_key_clear(struct GNUNET_CRYPTO_EcdsaPrivateKey *pk)
Clear memory that was used to store a private key.
Definition: crypto_ecc.c:440
@ GNUNET_PUBLIC_KEY_TYPE_EDDSA
EDDSA identity.
@ GNUNET_PUBLIC_KEY_TYPE_ECDSA
The identity type.
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.

References GNUNET_break, GNUNET_CRYPTO_ecdsa_key_clear(), GNUNET_CRYPTO_eddsa_key_clear(), GNUNET_PUBLIC_KEY_TYPE_ECDSA, GNUNET_PUBLIC_KEY_TYPE_EDDSA, and key.

Referenced by dequeue_message_from_room(), and GNUNET_MESSENGER_set_key().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_key_get_anonymous()

const struct GNUNET_CRYPTO_EcdsaPrivateKey * GNUNET_CRYPTO_ecdsa_key_get_anonymous ( void  )

Get the shared private key we use for anonymous users.

Returns
"anonymous" private key; do not free

'anonymous' pseudonym (global static, d=1, public key = G (generator).

Definition at line 500 of file crypto_ecc.c.

501{
506 static struct GNUNET_CRYPTO_EcdsaPrivateKey anonymous;
507 static int once;
508
509 if (once)
510 return &anonymous;
512 sizeof(anonymous.d),
513 GCRYMPI_CONST_ONE);
514 anonymous.d[0] &= 248;
515 anonymous.d[31] &= 127;
516 anonymous.d[31] |= 64;
517
518 once = 1;
519 return &anonymous;
520}
static int once
Global to mark if we've run the initialization.
Definition: gnsrecord.c:65
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition: crypto_mpi.c:79

References GNUNET_CRYPTO_EcdsaPrivateKey::d, GNUNET_CRYPTO_mpi_print_unsigned(), and once.

Referenced by decrypt_block_with_keyword(), GNUNET_FS_search_start_searching_(), GNUNET_FS_unindex_do_remove_kblocks_(), GNUNET_IDENTITY_ego_get_anonymous(), process_kblock_for_unindex(), and publish_ksk_cont().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_setup_hostkey()

void GNUNET_CRYPTO_eddsa_setup_hostkey ( const char *  cfg_name)

Setup a hostkey file for a peer given the name of the configuration file (!).

This function is used so that at a later point code can be certain that reading a hostkey is fast (for example in time-dependent testcases).

Parameters
cfg_namename of the configuration file to use

◆ GNUNET_CRYPTO_get_peer_identity()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_get_peer_identity ( const struct GNUNET_CONFIGURATION_Handle cfg,
struct GNUNET_PeerIdentity dst 
)

Retrieve the identity of the host's peer.

Parameters
cfgconfiguration to use
dstpointer to where to write the peer identity
Returns
GNUNET_OK on success, GNUNET_SYSERR if the identity could not be retrieved

Definition at line 274 of file crypto_ecc_setup.c.

276{
278
280 {
282 _ ("Could not load peer's private key\n"));
283 return GNUNET_SYSERR;
284 }
286 &dst->public_key);
287 GNUNET_free (priv);
288 return GNUNET_OK;
289}
void GNUNET_CRYPTO_eddsa_key_get_public(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, struct GNUNET_CRYPTO_EddsaPublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:201
struct GNUNET_CRYPTO_EddsaPrivateKey * GNUNET_CRYPTO_eddsa_key_create_from_configuration(const struct GNUNET_CONFIGURATION_Handle *cfg)
Create a new private key by reading our peer's key from the file specified in the configuration.
#define GNUNET_log(kind,...)
@ GNUNET_ERROR_TYPE_ERROR
#define _(String)
GNU gettext support macro.
Definition: platform.h:179
struct GNUNET_CRYPTO_EddsaPublicKey public_key

References _, cfg, GNUNET_CRYPTO_eddsa_key_create_from_configuration(), GNUNET_CRYPTO_eddsa_key_get_public(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, and GNUNET_PeerIdentity::public_key.

Referenced by DHTU_ip_init(), get_result_iterator(), get_service_peer_identity(), GNUNET_CONVERSATION_phone_create(), and run().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_sign_by_peer_identity()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_sign_by_peer_identity ( const struct GNUNET_CONFIGURATION_Handle cfg,
const struct GNUNET_CRYPTO_EccSignaturePurpose purpose,
struct GNUNET_CRYPTO_EddsaSignature sig 
)

Sign a given block with a specific purpose using the host's peer identity.

Parameters
cfgconfiguration to use
purposewhat to sign (size, purpose)
sigwhere to write the signature
Returns
GNUNET_OK on success, GNUNET_SYSERR if the identity could not be retrieved

Definition at line 293 of file crypto_ecc_setup.c.

298{
301
303 {
305 _ ("Could not load peer's private key\n"));
306 return GNUNET_SYSERR;
307 }
308
309 result = GNUNET_CRYPTO_eddsa_sign_ (priv, purpose, sig);
311 return result;
312}

References _, cfg, GNUNET_CRYPTO_eddsa_key_clear(), GNUNET_CRYPTO_eddsa_key_create_from_configuration(), GNUNET_CRYPTO_eddsa_sign_(), GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_SYSERR, and result.

Referenced by sign_message_by_peer().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_verify_peer_identity()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_verify_peer_identity ( uint32_t  purpose,
const struct GNUNET_CRYPTO_EccSignaturePurpose validate,
const struct GNUNET_CRYPTO_EddsaSignature sig,
const struct GNUNET_PeerIdentity identity 
)

Verify a given signature with a peer's identity.

Parameters
purposewhat is the purpose that the signature should have?
validateblock to validate (size, purpose, data)
sigsignature that is being validated
identitythe peer's identity to verify
Returns
GNUNET_OK if ok, GNUNET_SYSERR if invalid

Definition at line 316 of file crypto_ecc_setup.c.

322{
323 return GNUNET_CRYPTO_eddsa_verify_ (purpose, validate, sig,
324 &identity->public_key);
325}
static struct GNUNET_IDENTITY_Handle * identity
Which namespace do we publish to? NULL if we do not publish to a namespace.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EddsaSignature *sig, const struct GNUNET_CRYPTO_EddsaPublicKey *pub)
Verify EdDSA signature.
Definition: crypto_ecc.c:708

References GNUNET_CRYPTO_eddsa_verify_(), and identity.

Referenced by verify_message_by_peer().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecc_ecdh()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecc_ecdh ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
const struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_HashCode key_material 
)

Derive key material from a public and a private ECC key.

This is X25519 DH (RFC 7748 Section 5) and corresponds to H(X25519(b,X25519(a,9))) where b := priv, pub := X25519(a,9), and a := GNUNET_CRYPTO_ecdhe_key_create().

Parameters
privprivate key to use for the ECDH (x)
pubpublic key to use for the ECDH (yG)
key_materialwhere to write the key material (xyG)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 732 of file crypto_ecc.c.

735{
736 uint8_t p[crypto_scalarmult_BYTES];
737 if (0 != crypto_scalarmult (p, priv->d, pub->q_y))
738 return GNUNET_SYSERR;
739 GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material);
740 return GNUNET_OK;
741}

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_hash(), GNUNET_OK, GNUNET_SYSERR, p, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by checkvec(), derive_session_keys(), output_vectors(), print_examples_ecdh(), t_ax_decrypt_and_validate(), t_ax_encrypt(), and update_ax_by_kx().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_ecdh()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_ecdh ( const struct GNUNET_CRYPTO_EddsaPrivateKey priv,
const struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_HashCode key_material 
)

Derive key material from a ECDH public key and a private EdDSA key.

Dual to #GNUNET_CRRYPTO_ecdh_eddsa. This uses the Ed25519 private seed as X25519 seed. As such, this also is a X25519 DH (see GNUNET_CRYPTO_ecc_ecdh). NOTE: Whenever you can get away with it, use separate key pairs for signing and encryption (DH)!

Parameters
privprivate key from EdDSA to use for the ECDH (x)
pubpublic key to use for the ECDH (yG)
key_materialwhere to write the key material H(h(x)yG)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 745 of file crypto_ecc.c.

748{
749 struct GNUNET_HashCode hc;
750 uint8_t a[crypto_scalarmult_SCALARBYTES];
751 uint8_t p[crypto_scalarmult_BYTES];
752
753 GNUNET_CRYPTO_hash (priv,
754 sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
755 &hc);
756 memcpy (a, &hc, sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
757 if (0 != crypto_scalarmult (p, a, pub->q_y))
758 return GNUNET_SYSERR;
760 crypto_scalarmult_BYTES,
761 key_material);
762 return GNUNET_OK;
763}

References GNUNET_CRYPTO_hash(), GNUNET_OK, GNUNET_SYSERR, p, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by update_ax_by_kx().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_x25519_ecdh()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh ( const struct GNUNET_CRYPTO_EcdhePrivateKey sk,
const struct GNUNET_CRYPTO_EcdhePublicKey pk,
struct GNUNET_CRYPTO_EcdhePublicKey dh 
)

Derive key material from a ECDH public key and a private X25519 key.

Dual to #GNUNET_CRRYPTO_ecdh_x25519. NOTE: Whenever you can get away with it, use separate key pairs for signing and encryption (DH)!

Parameters
skprivate key from X25519 to use for the ECDH (x)
pkpublic key to use for the ECDH (yG)
additional_datathis is fed into HKDF-Extract along with the ECDH shared secret
ad_lenLength of the additional data
dhthe DH shared secret (NOTE: Derive key from this before use!)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 767 of file crypto_ecc.c.

770{
771 uint64_t checkbyte = 0;
772 size_t num_words = sizeof *dh / sizeof (uint64_t);
773 if (0 != crypto_scalarmult_curve25519 (dh->q_y, sk->d, pub->q_y))
774 return GNUNET_SYSERR;
775 // We need to check if this is the all-zero value
776 for (int i = 0; i < num_words; i++)
777 checkbyte |= ((uint64_t*)dh)[i];
778 return (0 == checkbyte) ? GNUNET_SYSERR : GNUNET_OK;
779}
unsigned char q_y[256/8]
Q consists of an x- and a y-value, each mod p (256 bits), given here in affine coordinates and Ed2551...

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_OK, GNUNET_SYSERR, pub, GNUNET_CRYPTO_EddsaPublicKey::q_y, and GNUNET_CRYPTO_EcdhePublicKey::q_y.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps(), and GNUNET_CRYPTO_hpke_kem_decaps().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_kem_decaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode prk 
)

Decapsulate a key for a private X25519 key.

Dual to GNUNET_CRYPTO_hpke_kem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
privprivate key from X25519 to use for the ECDH (x)
cthe encapsulated key
prkwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 370 of file crypto_hpke.c.

373{
375 uint8_t kem_context[sizeof *c + crypto_scalarmult_curve25519_BYTES];
376 uint8_t pkR[crypto_scalarmult_BYTES];
377
378 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
379 // dh = DH(skR, pkE)
380 if (GNUNET_OK !=
383 &dh))
384 return GNUNET_SYSERR; // ValidationError
385
386 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
387 crypto_scalarmult_curve25519_base (pkR, skR->d);
388 // kem_context = concat(enc, pkRm)
389 memcpy (kem_context, c, sizeof *c);
390 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
391 // shared_secret = ExtractAndExpand(dh, kem_context)
393 &dh, sizeof dh,
394 "HPKE-v1",
395 "HPKE-v1",
396 "eae_prk", strlen ("eae_prk"),
397 "shared_secret", strlen ("shared_secret"),
398 kem_context, sizeof kem_context,
401 shared_secret);
402}
static uint8_t GNUNET_CRYPTO_HPKE_KEM_SUITE_ID[]
Definition: crypto_hpke.c:158
static enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_labeled_extract_and_expand(const void *dh, size_t dh_len, const char *extract_ctx, const char *expand_ctx, const void *extract_lbl, size_t extract_lbl_len, const void *expand_lbl, size_t expand_lbl_len, const uint8_t *kem_context, size_t kem_context_len, const uint8_t *suite_id, size_t suite_id_len, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:124
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_x25519_ecdh(const struct GNUNET_CRYPTO_EcdhePrivateKey *sk, const struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a ECDH public key and a private X25519 key.
Definition: crypto_ecc.c:767
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and encr...

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_HPKE_KEM_SUITE_ID, GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_CRYPTO_x25519_ecdh(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_eddsa_kem_decaps(), and GNUNET_CRYPTO_hpke_receiver_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_kem_encaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode prk 
)

Encapsulate key material for a X25519 public key.

Dual to GNUNET_CRYPTO_hpke_kem_decaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
cpublic key from X25519 to use for the ECDH (X=h(x)G)
prkwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 299 of file crypto_hpke.c.

302{
304 // skE, pkE = GenerateKeyPair()
306
307 return GNUNET_CRYPTO_hpke_kem_encaps_norand (pub, c, &skE, shared_secret);
308}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *enc, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.
Definition: crypto_hpke.c:282
void GNUNET_CRYPTO_ecdhe_key_create(struct GNUNET_CRYPTO_EcdhePrivateKey *pk)
Create a new private key.
Definition: crypto_ecc.c:454

References GNUNET_CRYPTO_ecdhe_key_create(), GNUNET_CRYPTO_hpke_kem_encaps_norand(), and pub.

Referenced by GNUNET_CRYPTO_eddsa_kem_encaps().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_kem_encaps_norand()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps_norand ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_EcdhePrivateKey skE,
struct GNUNET_ShortHashCode prk 
)

Deterministic variant of GNUNET_CRYPTO_hpke_kem_encaps.

Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
cpublic key from X25519 to use for the ECDH (X=h(x)G)
skEephemeral private key from X25519 to use
prkwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 282 of file crypto_hpke.c.

287{
288 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
290 skE,
294 pkR, enc, skE, shared_secret);
295}
static enum GNUNET_GenericReturnValue kem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:246
static OpusEncoder * enc
OPUS encoder.
void GNUNET_CRYPTO_ecdhe_key_get_public(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:217

References enc, GNUNET_CRYPTO_ecdhe_key_get_public(), GNUNET_CRYPTO_HPKE_KEM_SUITE_ID, and kem_encaps_norand().

Referenced by GNUNET_CRYPTO_hpke_kem_encaps(), and GNUNET_CRYPTO_hpke_sender_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_authkem_encaps_norand()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps_norand ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_EcdhePrivateKey skS,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_EcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)

Encapsulate authenticated key material for a X25519 public key.

Deterministic variant of GNUNET_CRYPTO_hpke_authkem_encaps. Dual to GNUNET_CRYPTO_hpke_authkem_decaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
skSsecret of the authenticating sender
cpublic key from X25519 to use for the ECDH (X=h(x)G)
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 212 of file crypto_hpke.c.

218{
219 // enc = SerializePublicKey(pkE) is a NOP, see Section 7.1.1
221 skE,
222 (struct GNUNET_CRYPTO_EcdhePublicKey*) c);
225 pkR, skS, c, skE, shared_secret);
226}
static enum GNUNET_GenericReturnValue authkem_encaps_norand(uint8_t *suite_id, size_t suite_id_len, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Definition: crypto_hpke.c:166

References authkem_encaps_norand(), GNUNET_CRYPTO_ecdhe_key_get_public(), and GNUNET_CRYPTO_HPKE_KEM_SUITE_ID.

Referenced by GNUNET_CRYPTO_hpke_authkem_encaps(), and GNUNET_CRYPTO_hpke_sender_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_authkem_encaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_EcdhePrivateKey skS,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Encapsulate authenticated key material for a X25519 public key.

Dual to GNUNET_CRYPTO_hpke_kem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
skSsecret of the authenticating sender
cpublic key from X25519 to use for the ECDH (X=h(x)G)
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 230 of file crypto_hpke.c.

235{
237 // skE, pkE = GenerateKeyPair()
239
240 return GNUNET_CRYPTO_hpke_authkem_encaps_norand (pkR, skS, c, &skE,
241 shared_secret);
242}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_EcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:212

References GNUNET_CRYPTO_ecdhe_key_create(), and GNUNET_CRYPTO_hpke_authkem_encaps_norand().

Here is the call graph for this function:

◆ GNUNET_CRYPTO_hpke_authkem_decaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_authkem_decaps ( const struct GNUNET_CRYPTO_EcdhePrivateKey skR,
const struct GNUNET_CRYPTO_EcdhePublicKey pkS,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Decapsulate a key for a private X25519 key.

Dual to GNUNET_CRYPTO_hpke_authkem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
skRsecret key of receiver
pkSpublic key of the authenticating sender
cthe encapsulated key
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 327 of file crypto_hpke.c.

332{
333 struct GNUNET_CRYPTO_EcdhePublicKey dh[2];
334 uint8_t pkR[crypto_scalarmult_BYTES];
335 uint8_t kem_context[sizeof *c + sizeof pkR + sizeof *pkS];
336
337 // pkE = DeserializePublicKey(enc) is a NOP, see Section 7.1.1
338 // dh = DH(skE, pkR)
340 (struct
342 &dh[0]))
343 return GNUNET_SYSERR; // ValidationError
344 // dh = DH(skS, pkR)
345 if (GNUNET_OK != GNUNET_CRYPTO_ecdh_x25519 (skR, pkS,
346 &dh[1]))
347 return GNUNET_SYSERR; // ValidationError
348 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
349 crypto_scalarmult_curve25519_base (pkR, skR->d);
350 // kem_context = concat(enc, pkRm)
351 memcpy (kem_context, c, sizeof *c);
352 memcpy (kem_context + sizeof *c, pkR, sizeof pkR);
353 memcpy (kem_context + sizeof *c + sizeof pkR,
354 pkS, sizeof *pkS);
355 // shared_secret = ExtractAndExpand(dh, kem_context)
357 dh, sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) * 2,
358 "HPKE-v1",
359 "HPKE-v1",
360 "eae_prk", strlen ("eae_prk"),
361 "shared_secret", strlen ("shared_secret"),
362 kem_context, sizeof kem_context,
365 shared_secret);
366}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_EcdhePublicKey *dh)
Derive key material from a EdDSA public key and a private ECDH key.
Definition: crypto_ecc.c:783

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_ecdh_x25519(), GNUNET_CRYPTO_HPKE_KEM_SUITE_ID, GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_OK, and GNUNET_SYSERR.

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand ( uint8_t  random_tweak,
const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)

Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.

Following the terminology in https://eprint.iacr.org/2021/509.pdf. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
random_tweakrandom 8-bit value used as seed
pkRpublic key of receiver
crepresentative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
skEspecial elligator ephemeral private key from X25519 to use
shared_secretwhere to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG))
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 423 of file crypto_hpke.c.

429{
431 // skE, pkE = GenerateElligatorKeyPair()
432 // enc = SerializePublicKey(pkE) == c is the elligator representative
434 skE,
435 &pkE,
436 (struct
438 *) c);
439
442 pkR, c, (const struct
444 shared_secret);
445}
static uint8_t GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID[]
Definition: crypto_hpke.c:163
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...
Elligator representative (always for Curve25519)

References GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(), GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID, and kem_encaps_norand().

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_encaps(), GNUNET_CRYPTO_hpke_sender_setup2(), and main().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_kem_encaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.

Following the terminology in https://eprint.iacr.org/2021/509.pdf. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRReceiver public key (X)
crepresentative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
shared_secretwhere to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG))
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 449 of file crypto_hpke.c.

453{
454 uint8_t random_tweak;
456
458 &random_tweak,
459 sizeof(uint8_t));
460
461 // skE, pkE = GenerateElligatorKeyPair()
463
464 return GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand (random_tweak, pkR, c,
465 &skE, shared_secret);
466}
void GNUNET_CRYPTO_ecdhe_elligator_key_create(struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
Generates a private key for Curve25519.
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(uint8_t random_tweak, const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Carries out ecdh encapsulation with given public key and the private key from a freshly created ephem...
Definition: crypto_hpke.c:423
Special private ECC key generated by GNUNET_CRYPTO_ecdhe_elligator_key_create.

References GNUNET_CRYPTO_ecdhe_elligator_key_create(), GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), GNUNET_CRYPTO_QUALITY_NONCE, and GNUNET_CRYPTO_random_block().

Referenced by setup_initial_shared_secret_ephemeral(), and start_initial_kx_out().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_kem_decaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_kem_decaps ( const struct GNUNET_CRYPTO_EcdhePrivateKey skR,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Carries out ecdh decapsulation with own private key and the representative of the received public key.

Following the terminology in https://eprint.iacr.org/2021/509.pdf. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
skRsender private key (x)
rreceived representative r, from which we can obtain the public key A (direct_map(r)=A=aG)
shared_secretwhere to write the key material HKDF-Extract(r||aX)=HKDF-Extract(r||x(aG))
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 470 of file crypto_hpke.c.

474{
478 uint8_t kem_context[sizeof *r + crypto_scalarmult_curve25519_BYTES];
479 uint8_t pkR[crypto_scalarmult_BYTES];
480
482 // pkE = DeserializePublicKey(enc) Elligator deserialize!
484 // dh = DH(skR, pkE)
486 &dh));
487 // pkRm = DeserializePublicKey(pk(skR)) is a NOP, see Section 7.1.1
488 crypto_scalarmult_curve25519_base (pkR, skR->d);
489 memcpy (kem_context, r, sizeof *r);
490 memcpy (kem_context + sizeof *r, pkR, sizeof pkR);
491 // shared_secret = ExtractAndExpand(dh, kem_context)
493 &dh, sizeof dh,
494 "HPKE-v1",
495 "HPKE-v1",
496 "eae_prk", strlen ("eae_prk"),
497 "shared_secret", strlen ("shared_secret"),
498 kem_context, sizeof kem_context,
501 shared_secret);
502}
void GNUNET_CRYPTO_ecdhe_elligator_decoding(struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
Clears the most significant bit and second most significant bit of the serialized representaive befor...
uint8_t r[256/8]
Represents an element of Curve25519 finite field.

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_assert, GNUNET_CRYPTO_ecdhe_elligator_decoding(), GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID, GNUNET_CRYPTO_hpke_labeled_extract_and_expand(), GNUNET_CRYPTO_x25519_ecdh(), GNUNET_OK, and GNUNET_CRYPTO_ElligatorRepresentative::r.

Referenced by GNUNET_CRYPTO_hpke_receiver_setup2(), setup_in_cipher_elligator(), and setup_initial_shared_secret_dec().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_EcdhePrivateKey skS,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey skE,
struct GNUNET_ShortHashCode shared_secret 
)

Encapsulate authenticated key material for a X25519 public key.

Elligator variant. Deterministic variant of GNUNET_CRYPTO_hpke_authkem_encaps. Dual to GNUNET_CRYPTO_hpke_authkem_decaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
skSsecret of the authenticating sender
cpublic key from X25519 to use for the ECDH (X=h(x)G)
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 506 of file crypto_hpke.c.

512{
514 // skE, pkE = GenerateElligatorKeyPair()
515 // enc = SerializePublicKey(pkE) == c is the elligator representative
517 skE, &pkE,
519
522 ,
523 pkR, skS, c,
524 (const struct
526 shared_secret);
527}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public(const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
Generates a valid public key for elligator's inverse map by adding a lower order point to a prime ord...

References authkem_encaps_norand(), GNUNET_CRYPTO_ecdhe_elligator_key_get_public(), and GNUNET_CRYPTO_HPKE_KEM_ELLIGATOR_SUITE_ID.

Referenced by GNUNET_CRYPTO_hpke_elligator_authkem_encaps().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_authkem_encaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps ( const struct GNUNET_CRYPTO_EcdhePublicKey pkR,
const struct GNUNET_CRYPTO_EcdhePrivateKey skS,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Encapsulate authenticated key material for a X25519 public key.

Elligator variant. Dual to GNUNET_CRYPTO_hpke_kem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
pkRpublic key of receiver
skSsecret of the authenticating sender
cpublic key from X25519 to use for the ECDH (X=h(x)G)
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 531 of file crypto_hpke.c.

536{
538 // skE, pkE = GenerateElligatorKeyPair()
540
542 shared_secret);
543}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand(const struct GNUNET_CRYPTO_EcdhePublicKey *pkR, const struct GNUNET_CRYPTO_EcdhePrivateKey *skS, struct GNUNET_CRYPTO_HpkeEncapsulation *c, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *skE, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate authenticated key material for a X25519 public key.
Definition: crypto_hpke.c:506

References GNUNET_CRYPTO_ecdhe_elligator_key_create(), and GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand().

Here is the call graph for this function:

◆ GNUNET_CRYPTO_hpke_elligator_authkem_decaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_elligator_authkem_decaps ( const struct GNUNET_CRYPTO_EcdhePrivateKey skR,
const struct GNUNET_CRYPTO_EcdhePublicKey pkS,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode shared_secret 
)

Decapsulate a key for a private X25519 key.

Elligator variant. Dual to GNUNET_CRYPTO_hpke_authkem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
skRprivate key from X25519 to use for the ECDH (x)
pkSpublic key of the authenticating sender
cthe encapsulated key
shared_secretwhere to write the key material
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

◆ GNUNET_CRYPTO_eddsa_kem_decaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_decaps ( const struct GNUNET_CRYPTO_EddsaPrivateKey priv,
const struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode prk 
)

Decapsulate a key for a private EdDSA key.

Dual to #GNUNET_CRRYPTO_eddsa_kem_encaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
privprivate key from EdDSA to use for the ECDH (x)
cthe encapsulated key
prkwhere to write the key material HKDF-Extract(c||aX)=HKDF-Extract(c||x(aG))
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 407 of file crypto_hpke.c.

411{
413
414 // This maps the ed25519 point to X25519
415 if (0 != crypto_sign_ed25519_sk_to_curve25519 (skR.d, priv->d))
416 return GNUNET_SYSERR;
417 return GNUNET_CRYPTO_hpke_kem_decaps (&skR, c, shared_secret);
418
419}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_decaps(const struct GNUNET_CRYPTO_EcdhePrivateKey *skR, const struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Decapsulate a key for a private X25519 key.
Definition: crypto_hpke.c:370

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_EddsaPrivateKey::d, GNUNET_CRYPTO_hpke_kem_decaps(), and GNUNET_SYSERR.

Referenced by handle_dv_box(), setup_in_cipher(), and setup_shared_secret_dec().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_kem_encaps()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_kem_encaps ( const struct GNUNET_CRYPTO_EddsaPublicKey pub,
struct GNUNET_CRYPTO_HpkeEncapsulation c,
struct GNUNET_ShortHashCode prk 
)

Encapsulate key material for a EdDSA public key.

Dual to #GNUNET_CRRYPTO_eddsa_kem_decaps. Use GNUNET_CRYPTO_hkdf_expand to derive further context-specific keys from the key material.

Parameters
privprivate key to use for the ECDH (y)
cpublic key from EdDSA to use for the ECDH (X=h(x)G)
prkwhere to write the key material HKDF-Extract(c||aX)=HKDF-Extract(c||x(aG))
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 312 of file crypto_hpke.c.

315{
317
318 // This maps the ed25519 point to X25519
319 if (0 != crypto_sign_ed25519_pk_to_curve25519 (pkR.q_y, pub->q_y))
320 return GNUNET_SYSERR;
321
322 return GNUNET_CRYPTO_hpke_kem_encaps (&pkR, c, shared_secret);
323}
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hpke_kem_encaps(const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_CRYPTO_HpkeEncapsulation *c, struct GNUNET_ShortHashCode *shared_secret)
Encapsulate key material for a X25519 public key.
Definition: crypto_hpke.c:299

References GNUNET_CRYPTO_hpke_kem_encaps(), GNUNET_SYSERR, pub, GNUNET_CRYPTO_EddsaPublicKey::q_y, and GNUNET_CRYPTO_EcdhePublicKey::q_y.

Referenced by encapsulate_for_dv(), inject_rekey(), and setup_shared_secret_ephemeral().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_ecdh()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_ecdh ( const struct GNUNET_CRYPTO_EcdsaPrivateKey priv,
const struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_HashCode key_material 
)

HPKE END.

Derive key material from a ECDH public key and a private ECDSA key. Dual to #GNUNET_CRRYPTO_ecdh_ecdsa.

Parameters
privprivate key from ECDSA to use for the ECDH (x)
pubpublic key to use for the ECDH (yG)
key_materialwhere to write the key material H(h(x)yG)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 805 of file crypto_ecc.c.

808{
809 uint8_t p[crypto_scalarmult_BYTES];
810
811 BENCHMARK_START (ecdsa_ecdh);
812 if (0 != crypto_scalarmult (p, priv->d, pub->q_y))
813 return GNUNET_SYSERR;
815 crypto_scalarmult_BYTES,
816 key_material);
817 BENCHMARK_END (ecdsa_ecdh);
818 return GNUNET_OK;
819}

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_EcdsaPrivateKey::d, GNUNET_CRYPTO_hash(), GNUNET_OK, GNUNET_SYSERR, p, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Here is the call graph for this function:

◆ GNUNET_CRYPTO_ecdh_eddsa()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_eddsa ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
const struct GNUNET_CRYPTO_EddsaPublicKey pub,
struct GNUNET_HashCode key_material 
)

Derive key material from a EdDSA public key and a private ECDH key.

Dual to #GNUNET_CRRYPTO_eddsa_ecdh. This converts the Edwards25519 public key pub to a Curve25519 public key before computing a X25519 DH (see GNUNET_CRYPTO_ecc_ecdh). The resulting X25519 secret is then derived to a key using SHA-512. NOTE: Whenever you can get away with it, use separate key pairs for signing and encryption (DH)!

Parameters
privprivate key to use for the ECDH (y)
pubpublic key from EdDSA to use for the ECDH (X=h(x)G)
key_materialwhere to write the key material H(yX)=H(h(x)yG)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 823 of file crypto_ecc.c.

826{
827 uint8_t p[crypto_scalarmult_BYTES];
828 uint8_t curve25510_pk[crypto_scalarmult_BYTES];
829
830 if (0 != crypto_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y))
831 return GNUNET_SYSERR;
832 if (0 != crypto_scalarmult (p, priv->d, curve25510_pk))
833 return GNUNET_SYSERR;
834 GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material);
835 return GNUNET_OK;
836}

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_hash(), GNUNET_OK, GNUNET_SYSERR, p, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by checkvec(), output_vectors(), and update_ax_by_kx().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdh_x25519()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_x25519 ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
const struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_CRYPTO_EcdhePublicKey dh 
)

Derive key material from a EdDSA public key and a private ECDH key.

Dual to #GNUNET_CRRYPTO_x25519_ecdh. NOTE: Whenever you can get away with it, use separate key pairs for signing and encryption (DH)!

Parameters
privprivate key to use for the ECDH (y)
pubpublic key from EdDSA to use for the ECDH (X=h(x)G)
dhthe DH shared secret (NOTE: Derive key from this before use!)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 783 of file crypto_ecc.c.

786{
787 uint64_t checkbyte = 0;
788 size_t num_words = sizeof *dh / sizeof (uint64_t);
789 if (0 != crypto_scalarmult_curve25519 (dh->q_y, sk->d, pk->q_y))
790 return GNUNET_SYSERR;
791 // We need to check if this is the all-zero value
792 for (int i = 0; i < num_words; i++)
793 checkbyte |= ((uint64_t*)dh)[i];
794 if (0 == checkbyte)
795 {
797 "HPKE ECDH: X25519 all zero value!\n");
798 return GNUNET_SYSERR;
799 }
800 return GNUNET_OK;
801}

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_ERROR_TYPE_ERROR, GNUNET_log, GNUNET_OK, GNUNET_SYSERR, pk, and GNUNET_CRYPTO_EcdhePublicKey::q_y.

Referenced by authkem_encaps_norand(), GNUNET_CRYPTO_hpke_authkem_decaps(), and kem_encaps_norand().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdh_ecdsa()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdh_ecdsa ( const struct GNUNET_CRYPTO_EcdhePrivateKey priv,
const struct GNUNET_CRYPTO_EcdsaPublicKey pub,
struct GNUNET_HashCode key_material 
)

Derive key material from a EcDSA public key and a private ECDH key.

Dual to #GNUNET_CRRYPTO_ecdsa_ecdh.

Parameters
privprivate key to use for the ECDH (y)
pubpublic key from ECDSA to use for the ECDH (X=h(x)G)
key_materialwhere to write the key material H(yX)=H(h(x)yG)
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 841 of file crypto_ecc.c.

844{
845 uint8_t p[crypto_scalarmult_BYTES];
846 uint8_t curve25510_pk[crypto_scalarmult_BYTES];
847
848 if (0 != crypto_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y))
849 return GNUNET_SYSERR;
850 if (0 != crypto_scalarmult (p, priv->d, curve25510_pk))
851 return GNUNET_SYSERR;
852 GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material);
853 return GNUNET_OK;
854}

References GNUNET_CRYPTO_EcdhePrivateKey::d, GNUNET_CRYPTO_hash(), GNUNET_OK, GNUNET_SYSERR, p, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Here is the call graph for this function:

◆ GNUNET_CRYPTO_eddsa_sign_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_sign_ ( const struct GNUNET_CRYPTO_EddsaPrivateKey priv,
const struct GNUNET_CRYPTO_EccSignaturePurpose purpose,
struct GNUNET_CRYPTO_EddsaSignature sig 
)

EdDSA sign a given block.

The purpose data is the beginning of the data of which the signature is to be created. The size field in purpose must correctly indicate the number of bytes of the data structure, including its header. If possible, use GNUNET_CRYPTO_eddsa_sign() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
privprivate key to use for the signing
purposewhat to sign (size, purpose)
[out]sigwhere to write the signature
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 625 of file crypto_ecc.c.

629{
630
631 size_t mlen = ntohl (purpose->size);
632 unsigned char sk[crypto_sign_SECRETKEYBYTES];
633 unsigned char pk[crypto_sign_PUBLICKEYBYTES];
634 int res;
635
636 BENCHMARK_START (eddsa_sign);
637 GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d));
638 res = crypto_sign_detached ((uint8_t *) sig,
639 NULL,
640 (uint8_t *) purpose,
641 mlen,
642 sk);
643 BENCHMARK_END (eddsa_sign);
644 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
645}
static char * res
Currently read line or NULL on EOF.
uint32_t size
How many bytes does this signature sign? (including this purpose header); in network byte order (!...

References BENCHMARK_END, BENCHMARK_START, GNUNET_CRYPTO_EddsaPrivateKey::d, GNUNET_assert, GNUNET_OK, GNUNET_SYSERR, pk, res, and GNUNET_CRYPTO_EccSignaturePurpose::size.

Referenced by do_dht_put(), GNUNET_CRYPTO_sign_(), GNUNET_CRYPTO_sign_by_peer_identity(), GNUNET_CRYPTO_sign_raw_(), insert_decrypt_element(), insert_round1_element(), insert_round2_element(), regex_iterator(), setup_flood_message(), and sign_ephemeral_key().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_sign_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_sign_ ( const struct GNUNET_CRYPTO_EcdsaPrivateKey priv,
const struct GNUNET_CRYPTO_EccSignaturePurpose purpose,
struct GNUNET_CRYPTO_EcdsaSignature sig 
)

ECDSA Sign a given block.

The purpose data is the beginning of the data of which the signature is to be created. The size field in purpose must correctly indicate the number of bytes of the data structure, including its header. If possible, use GNUNET_CRYPTO_ecdsa_sign() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
privprivate key to use for the signing
purposewhat to sign (size, purpose)
[out]sigwhere to write the signature
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Definition at line 554 of file crypto_ecc.c.

558{
559 gcry_sexp_t priv_sexp;
560 gcry_sexp_t sig_sexp;
561 gcry_sexp_t data;
562 int rc;
563 gcry_mpi_t rs[2];
564
565 BENCHMARK_START (ecdsa_sign);
566
567 priv_sexp = decode_private_ecdsa_key (priv);
568 data = data_to_ecdsa_value (purpose);
569 if (0 != (rc = gcry_pk_sign (&sig_sexp, data, priv_sexp)))
570 {
572 _ ("ECC signing failed at %s:%d: %s\n"),
573 __FILE__,
574 __LINE__,
575 gcry_strerror (rc));
576 gcry_sexp_release (data);
577 gcry_sexp_release (priv_sexp);
578 return GNUNET_SYSERR;
579 }
580 gcry_sexp_release (priv_sexp);
581 gcry_sexp_release (data);
582
583 /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in
584 'signature' */
585 if (0 != (rc = key_from_sexp (rs, sig_sexp, "sig-val", "rs")))
586 {
587 GNUNET_break (0);
588 gcry_sexp_release (sig_sexp);
589 return GNUNET_SYSERR;
590 }
591 gcry_sexp_release (sig_sexp);
592 GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof(sig->r), rs[0]);
593 GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof(sig->s), rs[1]);
594 gcry_mpi_release (rs[0]);
595 gcry_mpi_release (rs[1]);
596
597 BENCHMARK_END (ecdsa_sign);
598
599 return GNUNET_OK;
600}
static int key_from_sexp(gcry_mpi_t *array, gcry_sexp_t sexp, const char *topname, const char *elems)
Extract values from an S-expression.
Definition: crypto_ecc.c:100
static gcry_sexp_t data_to_ecdsa_value(const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
Convert the data specified in the given purpose argument to an S-expression suitable for signature op...
Definition: crypto_ecc.c:531
#define LOG(kind,...)
Definition: crypto_ecc.c:64
static gcry_sexp_t decode_private_ecdsa_key(const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv)
Convert the given private key from the network format to the S-expression that can be used by libgcry...
Definition: crypto_ecc.c:158
static char * data
The data to insert into the dht.
@ GNUNET_ERROR_TYPE_WARNING
unsigned char s[256/8]
S value.
unsigned char r[256/8]
R value.

References _, BENCHMARK_END, BENCHMARK_START, data, data_to_ecdsa_value(), decode_private_ecdsa_key(), GNUNET_break, GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_ERROR_TYPE_WARNING, GNUNET_OK, GNUNET_SYSERR, key_from_sexp(), LOG, GNUNET_CRYPTO_EcdsaSignature::r, and GNUNET_CRYPTO_EcdsaSignature::s.

Referenced by GNUNET_CRYPTO_ecdsa_sign_derived(), GNUNET_CRYPTO_sign_(), GNUNET_CRYPTO_sign_raw_(), and GNUNET_FS_publish_ublock_().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_sign_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_sign_ ( const struct GNUNET_CRYPTO_Edx25519PrivateKey priv,
const struct GNUNET_CRYPTO_EccSignaturePurpose purpose,
struct GNUNET_CRYPTO_Edx25519Signature sig 
)

Edx25519 sign a given block.

The purpose data is the beginning of the data of which the signature is to be created. The size field in purpose must correctly indicate the number of bytes of the data structure, including its header. If possible, use GNUNET_CRYPTO_edx25519_sign() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
privprivate key to use for the signing
purposewhat to sign (size, purpose)
[out]sigwhere to write the signature
Returns
GNUNET_SYSERR on error, GNUNET_OK on success

Edx25519 sign a given block.

But instead of expanding a private seed (which is usually the case for crypto APIs) and using the resulting scalars, it takes the scalars directly from Edx25519PrivateKey. We require this functionality in order to use derived private keys for signatures.

The resulting signature is a standard EdDSA signature which can be verified using the usual APIs.

Parameters
privthe private key (containing two scalars .a and .b)
purpthe signature purpose
sigthe resulting signature

Calculate the public key P from the private scalar in the key.

Calculate r: r = SHA512 (b ∥ M) where M is our message (purpose).

Temporarily put P into S

Reduce the scalar value r

Calculate R := r * G of the signature

Calculate hram := SHA512 (R ∥ P ∥ M)

Reduce the resulting scalar value

Calculate S := r + hram * s mod L

Definition at line 103 of file crypto_edx25519.c.

107{
108
109 crypto_hash_sha512_state hs;
110 unsigned char r[64];
111 unsigned char hram[64];
112 unsigned char P[32];
113 unsigned char r_mod[64];
114 unsigned char R[32];
115 unsigned char tmp[32];
116 unsigned char hram_mod[64];
117
118 crypto_hash_sha512_init (&hs);
119
123 crypto_scalarmult_ed25519_base_noclamp (P,
124 priv->a);
125
131 crypto_hash_sha512_update (&hs,
132 priv->b,
133 sizeof(priv->b));
134 crypto_hash_sha512_update (&hs,
135 (uint8_t*) purpose,
136 ntohl (purpose->size));
137 crypto_hash_sha512_final (&hs,
138 r);
139
143 memcpy (sig->s, P, 32);
144
148 crypto_core_ed25519_scalar_reduce (r_mod, r);
149
153 crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
154 memcpy (sig->r, R, sizeof (R));
155
160 crypto_hash_sha512_init (&hs);
161 crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
162 crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
163 ntohl (purpose->size));
164 crypto_hash_sha512_final (&hs, hram);
165
169 crypto_core_ed25519_scalar_reduce (hram_mod, hram);
170
175 crypto_core_ed25519_scalar_mul (tmp, hram_mod, priv->a);
176 crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
177
178 sodium_memzero (r, sizeof (r));
179 sodium_memzero (r_mod, sizeof (r_mod));
180
181 return GNUNET_OK;
182}
unsigned char b[256/8]
b consists of 32 bytes which where originally the lower 32bytes of the key expansion.
unsigned char s[256/8]
S value.
unsigned char r[256/8]
R value.

References GNUNET_CRYPTO_Edx25519PrivateKey::a, GNUNET_CRYPTO_Edx25519PrivateKey::b, GNUNET_OK, GNUNET_CRYPTO_Edx25519Signature::r, GNUNET_CRYPTO_Edx25519Signature::s, and GNUNET_CRYPTO_EccSignaturePurpose::size.

◆ GNUNET_CRYPTO_eddsa_verify_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_eddsa_verify_ ( uint32_t  purpose,
const struct GNUNET_CRYPTO_EccSignaturePurpose validate,
const struct GNUNET_CRYPTO_EddsaSignature sig,
const struct GNUNET_CRYPTO_EddsaPublicKey pub 
)

Verify EdDSA signature.

The validate data is the beginning of the data of which the signature is to be verified. The size field in validate must correctly indicate the number of bytes of the data structure, including its header. If purpose does not match the purpose given in validate (the latter must be in big endian), signature verification fails. If possible, use GNUNET_CRYPTO_eddsa_verify() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
purposewhat is the purpose that the signature should have?
validateblock to validate (size, purpose, data)
sigsignature that is being validated
pubpublic key of the signer
Returns
GNUNET_OK if ok, GNUNET_SYSERR if invalid

Definition at line 708 of file crypto_ecc.c.

713{
714 const unsigned char *m = (const void *) validate;
715 size_t mlen = ntohl (validate->size);
716 const unsigned char *s = (const void *) sig;
717
718 int res;
719
720 if (purpose != ntohl (validate->purpose))
721 return GNUNET_SYSERR; /* purpose mismatch */
722
723 BENCHMARK_START (eddsa_verify);
724
725 res = crypto_sign_verify_detached (s, m, mlen, pub->q_y);
726 BENCHMARK_END (eddsa_verify);
727 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
728}
static struct GNUNET_ARM_MonitorHandle * m
Monitor connection with ARM.
Definition: gnunet-arm.c:103
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...

References BENCHMARK_END, BENCHMARK_START, GNUNET_OK, GNUNET_SYSERR, m, pub, GNUNET_CRYPTO_EccSignaturePurpose::purpose, GNUNET_CRYPTO_EddsaPublicKey::q_y, res, and GNUNET_CRYPTO_EccSignaturePurpose::size.

Referenced by block_plugin_dns_check_block(), block_plugin_regex_check_block(), GNUNET_CRYPTO_signature_verify_(), GNUNET_CRYPTO_signature_verify_raw_(), GNUNET_CRYPTO_verify_peer_identity(), GNUNET_GNSRECORD_block_verify(), handle_ephemeral_key(), keygen_round1_new_element(), keygen_round2_new_element(), and verify_message_crypto().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_verify_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdsa_verify_ ( uint32_t  purpose,
const struct GNUNET_CRYPTO_EccSignaturePurpose validate,
const struct GNUNET_CRYPTO_EcdsaSignature sig,
const struct GNUNET_CRYPTO_EcdsaPublicKey pub 
)

Verify ECDSA signature.

The validate data is the beginning of the data of which the signature is to be verified. The size field in validate must correctly indicate the number of bytes of the data structure, including its header. If purpose does not match the purpose given in validate (the latter must be in big endian), signature verification fails. If possible, use GNUNET_CRYPTO_eddsa_verify() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
purposewhat is the purpose that the signature should have?
validateblock to validate (size, purpose, data)
sigsignature that is being validated
pubpublic key of the signer
Returns
GNUNET_OK if ok, GNUNET_SYSERR if invalid

Definition at line 649 of file crypto_ecc.c.

654{
655 gcry_sexp_t data;
656 gcry_sexp_t sig_sexpr;
657 gcry_sexp_t pub_sexpr;
658 int rc;
659
660 BENCHMARK_START (ecdsa_verify);
661
662 if (purpose != ntohl (validate->purpose))
663 return GNUNET_SYSERR; /* purpose mismatch */
664
665 /* build s-expression for signature */
666 if (0 != (rc = gcry_sexp_build (&sig_sexpr,
667 NULL,
668 "(sig-val(ecdsa(r %b)(s %b)))",
669 (int) sizeof(sig->r),
670 sig->r,
671 (int) sizeof(sig->s),
672 sig->s)))
673 {
674 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
675 return GNUNET_SYSERR;
676 }
677 data = data_to_ecdsa_value (validate);
678 if (0 != (rc = gcry_sexp_build (&pub_sexpr,
679 NULL,
680 "(public-key(ecc(curve " CURVE ")(q %b)))",
681 (int) sizeof(pub->q_y),
682 pub->q_y)))
683 {
684 gcry_sexp_release (data);
685 gcry_sexp_release (sig_sexpr);
686 return GNUNET_SYSERR;
687 }
688 rc = gcry_pk_verify (sig_sexpr, data, pub_sexpr);
689 gcry_sexp_release (pub_sexpr);
690 gcry_sexp_release (data);
691 gcry_sexp_release (sig_sexpr);
692 if (0 != rc)
693 {
695 _ ("ECDSA signature verification failed at %s:%d: %s\n"),
696 __FILE__,
697 __LINE__,
698 gcry_strerror (rc));
699 BENCHMARK_END (ecdsa_verify);
700 return GNUNET_SYSERR;
701 }
702 BENCHMARK_END (ecdsa_verify);
703 return GNUNET_OK;
704}
#define CURVE
IMPLEMENTATION NOTICE:
Definition: crypto_ecc.c:62
#define LOG_GCRY(level, cmd, rc)
Log an error message at log-level 'level' that indicates a failure of the command 'cmd' with the mess...
Definition: crypto_ecc.c:78
@ GNUNET_ERROR_TYPE_INFO

References _, BENCHMARK_END, BENCHMARK_START, CURVE, data, data_to_ecdsa_value(), GNUNET_ERROR_TYPE_ERROR, GNUNET_ERROR_TYPE_INFO, GNUNET_OK, GNUNET_SYSERR, LOG, LOG_GCRY, pub, GNUNET_CRYPTO_EccSignaturePurpose::purpose, GNUNET_CRYPTO_EddsaPublicKey::q_y, GNUNET_CRYPTO_EcdsaSignature::r, and GNUNET_CRYPTO_EcdsaSignature::s.

Referenced by block_plugin_fs_check_block(), GNUNET_CRYPTO_signature_verify_(), GNUNET_CRYPTO_signature_verify_raw_(), and GNUNET_GNSRECORD_block_verify().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_verify_()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_edx25519_verify_ ( uint32_t  purpose,
const struct GNUNET_CRYPTO_EccSignaturePurpose validate,
const struct GNUNET_CRYPTO_Edx25519Signature sig,
const struct GNUNET_CRYPTO_Edx25519PublicKey pub 
)

Verify Edx25519 signature.

The validate data is the beginning of the data of which the signature is to be verified. The size field in validate must correctly indicate the number of bytes of the data structure, including its header. If purpose does not match the purpose given in validate (the latter must be in big endian), signature verification fails. If possible, use GNUNET_CRYPTO_edx25519_verify() instead of this function (only if validate is not fixed-size, you must use this function directly).

Parameters
purposewhat is the purpose that the signature should have?
validateblock to validate (size, purpose, data)
sigsignature that is being validated
pubpublic key of the signer
Returns
GNUNET_OK if ok, GNUNET_SYSERR if invalid

Definition at line 186 of file crypto_edx25519.c.

191{
192 const unsigned char *m = (const void *) validate;
193 size_t mlen = ntohl (validate->size);
194 const unsigned char *s = (const void *) sig;
195
196 int res;
197
198 if (purpose != ntohl (validate->purpose))
199 return GNUNET_SYSERR; /* purpose mismatch */
200
201 res = crypto_sign_verify_detached (s, m, mlen, pub->q_y);
202 return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
203}

References GNUNET_OK, GNUNET_SYSERR, m, pub, GNUNET_CRYPTO_EccSignaturePurpose::purpose, GNUNET_CRYPTO_EddsaPublicKey::q_y, res, and GNUNET_CRYPTO_EccSignaturePurpose::size.

◆ GNUNET_CRYPTO_ecdsa_private_key_derive()

struct GNUNET_CRYPTO_EcdsaPrivateKey * GNUNET_CRYPTO_ecdsa_private_key_derive ( const struct GNUNET_CRYPTO_EcdsaPrivateKey priv,
const char *  label,
const char *  context 
)

Derive a private key from a given private key and a label.

Essentially calculates a private key 'h = H(l,P) * d mod n' where n is the size of the ECC group and P is the public key associated with the private key 'd'.

Parameters
privoriginal private key
labellabel to use for key deriviation
contextadditional context to use for HKDF of 'h'; typically the name of the subsystem/application
Returns
derived private key

Definition at line 202 of file crypto_ecc_gnsrecord.c.

206{
209 struct GNUNET_HashCode hc;
210 uint8_t dc[32];
211 gcry_mpi_t h;
212 gcry_mpi_t x;
213 gcry_mpi_t d;
214 gcry_mpi_t n;
215 gcry_ctx_t ctx;
216
217 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
218
219 n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
221
222 derive_h (&pub, sizeof (pub), label, context, &hc);
223 GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
224
225 /* Convert to big endian for libgcrypt */
226 for (size_t i = 0; i < 32; i++)
227 dc[i] = priv->d[31 - i];
229 d = gcry_mpi_new (256);
230 gcry_mpi_mulm (d, h, x, n);
231 gcry_mpi_release (h);
232 gcry_mpi_release (x);
233 gcry_mpi_release (n);
234 gcry_ctx_release (ctx);
237 /* Convert to big endian for libgcrypt */
238 for (size_t i = 0; i < 32; i++)
239 ret->d[i] = dc[31 - i];
240 sodium_memzero (dc, sizeof(dc));
241 gcry_mpi_release (d);
242 return ret;
243}
static void derive_h(const void *pub, size_t pubsize, const char *label, const char *context, struct GNUNET_HashCode *hc)
Derive the 'h' value for key derivation, where 'h = H(l,P)'.
#define CURVE
static mp_limb_t d[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static struct GNUNET_ARM_Handle * h
Connection with ARM.
Definition: gnunet-arm.c:98
static struct GNUNET_FS_Handle * ctx
static struct GNUNET_FS_DownloadContext * dc
static pa_context * context
Pulseaudio context.
void GNUNET_CRYPTO_ecdsa_key_get_public(const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, struct GNUNET_CRYPTO_EcdsaPublicKey *pub)
Extract the public key for the given private key.
Definition: crypto_ecc.c:190
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition: crypto_mpi.c:132
Public ECC key (always for Curve25519) encoded in a format suitable for network transmission and ECDS...

References context, ctx, CURVE, d, GNUNET_CRYPTO_EcdsaPrivateKey::d, dc, derive_h(), GNUNET_assert, GNUNET_CRYPTO_ecdsa_key_get_public(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), GNUNET_new, h, pub, and ret.

Referenced by GNUNET_CRYPTO_ecdsa_sign_derived(), GNUNET_FS_publish_ublock_(), and run_pkey().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdsa_public_key_derive()

void GNUNET_CRYPTO_ecdsa_public_key_derive ( const struct GNUNET_CRYPTO_EcdsaPublicKey pub,
const char *  label,
const char *  context,
struct GNUNET_CRYPTO_EcdsaPublicKey result 
)

Derive a public key from a given public key and a label.

Essentially calculates a public key 'V = H(l,P) * P'.

Parameters
puboriginal public key
labellabel to use for key deriviation
contextadditional context to use for HKDF of 'h'. typically the name of the subsystem/application
resultwhere to write the derived public key

Definition at line 247 of file crypto_ecc_gnsrecord.c.

252{
253 struct GNUNET_HashCode hc;
254 gcry_ctx_t ctx;
255 gcry_mpi_t q_y;
256 gcry_mpi_t h;
257 gcry_mpi_t n;
258 gcry_mpi_t h_mod_n;
259 gcry_mpi_point_t q;
260 gcry_mpi_point_t v;
261
262 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
263
264 /* obtain point 'q' from original public key. The provided 'q' is
265 compressed thus we first store it in the context and then get it
266 back as a (decompresssed) point. */
267 q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
268 GNUNET_assert (NULL != q_y);
269 GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
270 gcry_mpi_release (q_y);
271 q = gcry_mpi_ec_get_point ("q", ctx, 0);
273
274 /* calculate h_mod_n = h % n */
275 derive_h (pub, sizeof (*pub), label, context, &hc);
276 GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
277 n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
278 h_mod_n = gcry_mpi_new (256);
279 gcry_mpi_mod (h_mod_n, h, n);
280 /* calculate v = h_mod_n * q */
281 v = gcry_mpi_point_new (0);
282 gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
283 gcry_mpi_release (h_mod_n);
284 gcry_mpi_release (h);
285 gcry_mpi_release (n);
286 gcry_mpi_point_release (q);
287
288 /* convert point 'v' to public key that we return */
289 GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
290 gcry_mpi_point_release (v);
291 q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
292 GNUNET_assert (q_y);
293 GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
294 gcry_mpi_release (q_y);
295 gcry_ctx_release (ctx);
296}
static struct GNUNET_REVOCATION_Query * q
Handle for revocation query.

References context, ctx, CURVE, derive_h(), GNUNET_assert, GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), h, pub, q, GNUNET_CRYPTO_EddsaPublicKey::q_y, and result.

Referenced by block_sign_ecdsa(), GNUNET_FS_search_start_searching_(), GNUNET_FS_unindex_do_remove_kblocks_(), GNUNET_GNSRECORD_query_from_public_key(), run_pkey(), and schedule_transmit_search_request().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_private_key_derive()

void GNUNET_CRYPTO_eddsa_private_key_derive ( const struct GNUNET_CRYPTO_EddsaPrivateKey priv,
const char *  label,
const char *  context,
struct GNUNET_CRYPTO_EddsaPrivateScalar result 
)

Derive a private scalar from a given private key and a label.

Essentially calculates a private key 'h = H(l,P) * d mod n' where n is the size of the ECC group and P is the public key associated with the private key 'd'. The result is the derived private scalar, not the private key as for EdDSA we cannot derive before we hash the private key.

Parameters
privoriginal private key
labellabel to use for key deriviation
contextadditional context to use for HKDF of 'h'; typically the name of the subsystem/application
resultderived private scalar

Libsodium does not offer an API with arbitrary arithmetic. Hence we have to use libgcrypt here.

Get our modulo L

This is the standard private key expansion in Ed25519. The first 32 octets are used as a little-endian private scalar. We derive this scalar using our "h".

Get h mod L

dc now contains the private scalar "a". We calculate: d' := h * a mod L

We hash the derived "h" parameter with the other half of the expanded private key. This ensures that for signature generation, the "R" is derived from the same derivation path as "h" and is not reused.

Definition at line 300 of file crypto_ecc_gnsrecord.c.

305{
307 struct GNUNET_HashCode hc;
308 uint8_t dc[32];
309 unsigned char sk[64];
310 gcry_mpi_t h;
311 gcry_mpi_t h_mod_L;
312 gcry_mpi_t a;
313 gcry_mpi_t d;
314 gcry_mpi_t L;
315 gcry_ctx_t ctx;
316
321 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
322
326 L = gcry_mpi_ec_get_mpi ("n", ctx, 1);
328
335 crypto_hash_sha512 (sk, priv->d, 32);
336 sk[0] &= 248;
337 sk[31] &= 127;
338 sk[31] |= 64;
339
343 derive_h (&pub, sizeof (pub), label, context, &hc);
344 GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
345 h_mod_L = gcry_mpi_new (256);
346 gcry_mpi_mod (h_mod_L, h, L);
347 /* Convert scalar to big endian for libgcrypt */
348 for (size_t i = 0; i < 32; i++)
349 dc[i] = sk[31 - i];
350
356 GNUNET_CRYPTO_mpi_scan_unsigned (&a, dc, sizeof(dc)); // a
357 d = gcry_mpi_new (256);
358 gcry_mpi_mulm (d, h_mod_L, a, L); // d := h * a mod L
359 gcry_mpi_release (h);
360 gcry_mpi_release (a);
361 gcry_mpi_release (L);
362 gcry_mpi_release (h_mod_L);
363 gcry_ctx_release (ctx);
365 {
372 crypto_hash_sha256_state hs;
373 crypto_hash_sha256_init (&hs);
374 crypto_hash_sha256_update (&hs, sk + 32, 32);
375 crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
376 crypto_hash_sha256_final (&hs, result->s + 32);
377 }
378 /* Convert to little endian for libsodium */
379 for (size_t i = 0; i < 32; i++)
380 result->s[i] = dc[31 - i];
381
382 sodium_memzero (dc, sizeof(dc));
383 gcry_mpi_release (d);
384}
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...

References context, ctx, d, GNUNET_CRYPTO_EddsaPrivateKey::d, dc, derive_h(), GNUNET_assert, GNUNET_CRYPTO_eddsa_key_get_public(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), h, pub, and result.

Referenced by GNUNET_CRYPTO_eddsa_sign_derived(), and run_edkey().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_eddsa_public_key_derive()

void GNUNET_CRYPTO_eddsa_public_key_derive ( const struct GNUNET_CRYPTO_EddsaPublicKey pub,
const char *  label,
const char *  context,
struct GNUNET_CRYPTO_EddsaPublicKey result 
)

Derive a public key from a given public key and a label.

Essentially calculates a public key 'V = H(l,P) * P'.

Parameters
puboriginal public key
labellabel to use for key deriviation
contextadditional context to use for HKDF of 'h'. typically the name of the subsystem/application
resultwhere to write the derived public key

Definition at line 388 of file crypto_ecc_gnsrecord.c.

393{
394 struct GNUNET_HashCode hc;
395 gcry_ctx_t ctx;
396 gcry_mpi_t q_y;
397 gcry_mpi_t h;
398 gcry_mpi_t n;
399 gcry_mpi_t h_mod_n;
400 gcry_mpi_point_t q;
401 gcry_mpi_point_t v;
402
403 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
404
405 /* obtain point 'q' from original public key. The provided 'q' is
406 compressed thus we first store it in the context and then get it
407 back as a (decompresssed) point. */
408 q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
409 GNUNET_assert (NULL != q_y);
410 GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
411 gcry_mpi_release (q_y);
412 q = gcry_mpi_ec_get_point ("q", ctx, 0);
414
415 /* calculate h_mod_n = h % n */
416 derive_h (pub, sizeof (*pub), label, context, &hc);
417 GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
418
419 n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
420 h_mod_n = gcry_mpi_new (256);
421 gcry_mpi_mod (h_mod_n, h, n);
422
423 /* calculate v = h_mod_n * q */
424 v = gcry_mpi_point_new (0);
425 gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
426 gcry_mpi_release (h_mod_n);
427 gcry_mpi_release (h);
428 gcry_mpi_release (n);
429 gcry_mpi_point_release (q);
430
431 /* convert point 'v' to public key that we return */
432 GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
433 gcry_mpi_point_release (v);
434 q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
435 GNUNET_assert (q_y);
436 GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
437 gcry_mpi_release (q_y);
438 gcry_ctx_release (ctx);
439
440}

References context, ctx, derive_h(), GNUNET_assert, GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), h, pub, q, GNUNET_CRYPTO_EddsaPublicKey::q_y, and result.

Referenced by block_sign_eddsa(), GNUNET_GNSRECORD_query_from_public_key(), and run_edkey().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_private_key_derive()

void GNUNET_CRYPTO_edx25519_private_key_derive ( const struct GNUNET_CRYPTO_Edx25519PrivateKey priv,
const void *  seed,
size_t  seedsize,
struct GNUNET_CRYPTO_Edx25519PrivateKey result 
)

Derive a private scalar from a given private key and a label.

Essentially calculates a private key 'h = H(l,P) * d mod n' where n is the size of the ECC group and P is the public key associated with the private key 'd'.

Parameters
privoriginal private key
seedinput seed
seedsizesize of the seed
resultderived private key

dc now contains the private scalar "a". We carefully remove the clamping and derive a'. Calculate: a1 := a / 8 a2 := h * a1 mod n a' := a2 * 8 mod n

Definition at line 245 of file crypto_edx25519.c.

250{
252 struct GNUNET_HashCode hc;
253 uint8_t a[32];
254 uint8_t eight[32] = { 8 };
255 uint8_t eight_inv[32];
256 uint8_t h[64] = { 0 };
257
259
260 /* Get h mod n */
261 derive_h (&pub,
262 seed,
263 seedsize,
264 &hc);
265
266 memcpy (h, &hc, 64);
267 crypto_core_ed25519_scalar_reduce (h,
268 h);
269#ifdef CHECK_RARE_CASES
277 {
278 char zero[32] = { 0 };
279 char one[32] = { 1 };
280
281 GNUNET_assert (0 != memcmp (zero, h, 32));
282 GNUNET_assert (0 != memcmp (one, h, 32));
283 }
284#endif
285
295 GNUNET_assert (0 == crypto_core_ed25519_scalar_invert (eight_inv,
296 eight));
297
298 crypto_core_ed25519_scalar_mul (a, priv->a, eight_inv);
299 crypto_core_ed25519_scalar_mul (a, a, h);
300 crypto_core_ed25519_scalar_mul (a, a, eight);
301
302#ifdef CHECK_RARE_CASES
303 /* The likelihood for a' == 0 or a' == 1 is neglegible */
304 {
305 char zero[32] = { 0 };
306 char one[32] = { 1 };
307
308 GNUNET_assert (0 != memcmp (zero, a, 32));
309 GNUNET_assert (0 != memcmp (one, a, 32));
310 }
311#endif
312
313 /* We hash the derived "h" parameter with the other half of the expanded
314 * private key (that is: priv->b). This ensures that for signature
315 * generation, the "R" is derived from the same derivation path as "h" and is
316 * not reused. */
317 {
318 struct GNUNET_HashCode hcb;
319 struct GNUNET_HashContext *hctx;
320
322 GNUNET_CRYPTO_hash_context_read (hctx, priv->b, sizeof(priv->b));
323 GNUNET_CRYPTO_hash_context_read (hctx, (unsigned char*) &hc, sizeof (hc));
325
326 /* Truncate result, effectively doing SHA512/256 */
327 for (size_t i = 0; i < 32; i++)
328 result->b[i] = ((unsigned char *) &hcb)[i];
329 }
330
331 for (size_t i = 0; i < 32; i++)
332 result->a[i] = a[i];
333
334 sodium_memzero (a, sizeof(a));
335}
static void derive_h(const struct GNUNET_CRYPTO_Edx25519PublicKey *pub, const void *seed, size_t seedsize, struct GNUNET_HashCode *phc)
Derive the 'h' value for key derivation, where 'h = H(P ∥ seed) mod n' and 'n' is the size of the cyc...
static const struct GNUNET_CRYPTO_PrivateKey zero
Public key of all zeros.
void GNUNET_CRYPTO_edx25519_key_get_public(const struct GNUNET_CRYPTO_Edx25519PrivateKey *priv, struct GNUNET_CRYPTO_Edx25519PublicKey *pub)
Extract the public key for the given private key.
void GNUNET_CRYPTO_hash_context_read(struct GNUNET_HashContext *hc, const void *buf, size_t size)
Add data to be hashed.
Definition: crypto_hash.c:363
void GNUNET_CRYPTO_hash_context_finish(struct GNUNET_HashContext *hc, struct GNUNET_HashCode *r_hash)
Finish the hash computation.
Definition: crypto_hash.c:387
struct GNUNET_HashContext * GNUNET_CRYPTO_hash_context_start(void)
Start incremental hashing operation.
Definition: crypto_hash.c:347
Public ECC key (always for curve Ed25519) encoded in a format suitable for network transmission and E...

References GNUNET_CRYPTO_Edx25519PrivateKey::a, GNUNET_CRYPTO_Edx25519PrivateKey::b, derive_h(), GNUNET_assert, GNUNET_CRYPTO_edx25519_key_get_public(), GNUNET_CRYPTO_hash_context_finish(), GNUNET_CRYPTO_hash_context_read(), GNUNET_CRYPTO_hash_context_start(), h, pub, result, seed, and zero.

Referenced by output_vectors().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_edx25519_public_key_derive()

void GNUNET_CRYPTO_edx25519_public_key_derive ( const struct GNUNET_CRYPTO_Edx25519PublicKey pub,
const void *  seed,
size_t  seedsize,
struct GNUNET_CRYPTO_Edx25519PublicKey result 
)

Derive a public key from a given public key and a label.

Essentially calculates a public key 'V = H(l,P) * P'.

Parameters
puboriginal public key
seedinput seed
seedsizesize of the seed
resultwhere to write the derived public key

Definition at line 339 of file crypto_edx25519.c.

344{
345 struct GNUNET_HashCode hc;
346 uint8_t h[64] = { 0 };
347
348 derive_h (pub,
349 seed,
350 seedsize,
351 &hc);
352 memcpy (h,
353 &hc,
354 64);
355 crypto_core_ed25519_scalar_reduce (h,
356 h);
357 GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (result->q_y,
358 h,
359 pub->q_y));
360}

References derive_h(), GNUNET_assert, h, pub, GNUNET_CRYPTO_EddsaPublicKey::q_y, result, and seed.

Referenced by output_vectors().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_decoding()

void GNUNET_CRYPTO_ecdhe_elligator_decoding ( struct GNUNET_CRYPTO_EcdhePublicKey point,
bool *  high_y,
const struct GNUNET_CRYPTO_ElligatorRepresentative representative 
)

Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map.

Parameters
representativeserialized elligator representative of an element of Curves25519's finite field
pointdestination for the calculated point on the curve
high_ybool pointed to will be set to 'true' if corresponding y-coordinate is > 2 ^ 254 - 10, otherwise 0. Can be set to NULL if not needed.

Definition at line 508 of file crypto_elligator.c.

512{
513 // if sign of direct map transformation not needed throw it away
515 bool high_y_local;
516 bool *high_y_ptr;
517 if (NULL == high_y)
518 high_y_ptr = &high_y_local;
519 else
520 high_y_ptr = high_y;
521
522 memcpy (&r_tmp.r, &representative->r, sizeof(r_tmp.r));
523 r_tmp.r[31] &= 63;
524 // GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,"Print high_y\n");
525 elligator_direct_map ((uint8_t *) point->q_y,
526 high_y_ptr,
527 (uint8_t *) r_tmp.r);
528}
static bool elligator_direct_map(uint8_t *point, bool *high_y, uint8_t *representative)
Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on tha...

References elligator_direct_map(), GNUNET_CRYPTO_EcdhePublicKey::q_y, and GNUNET_CRYPTO_ElligatorRepresentative::r.

Referenced by GNUNET_CRYPTO_hpke_elligator_kem_decaps().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_encoding()

bool GNUNET_CRYPTO_ecdhe_elligator_encoding ( uint8_t  random_tweak,
struct GNUNET_CRYPTO_ElligatorRepresentative r,
const struct GNUNET_CRYPTO_EcdhePublicKey pub 
)

Encodes a point on Curve25519 to a an element of the underlying finite field.

This transformation is deterministic.

Parameters
random_tweakrandom 8-bit value used as seed
rstorage for the calculated representative
puba point on the curve
Returns
'true' if the given point can be encoded into a representative. Otherwise 'false' is returned and the content of the representative storage is undefined

Definition at line 359 of file crypto_elligator.c.

363{
364 bool high_y;
365 bool msb_set;
366 bool smsb_set;
367
368
369 uint8_t *representative = r->r;
370 uint8_t *point = (uint8_t *) pub->q_y;
371
372 mp_limb_t scratch_space[scratch_space_length];
373
374 mp_limb_t a[P_LIMBS + P_LIMBS];
375 mp_limb_t b[P_LIMBS + P_LIMBS];
376 mp_limb_t c[P_LIMBS + P_LIMBS];
377
378 high_y = random_tweak & 1;
379
380 // a := point
381
382 decode_bytes (a, point);
383
384 // b := -a / (a + A), or b := p if a = 0
385
386 mpn_add_n (b, a, A, P_LIMBS);
387 mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
388 scratch_space);
389 mpn_sec_mul (b, c, P_LIMBS, a, P_LIMBS, scratch_space);
390 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
391 mpn_sub_n (b, p, b, P_LIMBS);
392
393 // If high_y = true, b := 1 / b or b := 0 if it was = p
394
395 mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
396 scratch_space);
397 mpn_cnd_swap (high_y, b, c, P_LIMBS);
398
399 // c := b / u
400
401 mpn_sec_mul (c, b, P_LIMBS, inverted_u, P_LIMBS, scratch_space);
402 mpn_sec_div_r (c, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
403
404 // If c is a square modulo p, b := least_square_root(c)
405
406 least_square_root (b, c, scratch_space);
407
408 // Determine, whether b ^ 2 = c
409
410 mpn_sec_sqr (a, b, P_LIMBS, scratch_space);
411 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
412 mpn_sub_n (a, a, c, P_LIMBS);
413
414 {
415 bool result = mpn_sec_sub_1 (a, a, P_LIMBS, 1, scratch_space);
416
417 encode_bytes (representative, b);
418
419 // Setting most significant bit and second most significant bit randomly
420 msb_set = (random_tweak >> 1) & 1;
421 smsb_set = (random_tweak >> 2) & 1;
422 if (msb_set)
423 {
424 r->r[31] |= 128;
425 }
426 if (smsb_set)
427 {
428 r->r[31] |= 64;
429 }
430 return result;
431 }
432}
static void decode_bytes(mp_limb_t *number, const uint8_t *bytes)
This function decodes the byte buffer into the MPI limb.
static void encode_bytes(uint8_t *bytes, mp_limb_t *number)
This function encodes the MPI limb into a byte buffer.
static mp_limb_t negative_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
#define P_BITS
static mp_limb_t p[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
#define P_LIMBS
static void least_square_root(mp_limb_t *root, const mp_limb_t *number, mp_limb_t *scratch_space)
Calculates the root of a given number.
static mp_size_t scratch_space_length
static mp_limb_t A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t inverted_u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

References A, decode_bytes(), encode_bytes(), inverted_u, least_square_root(), negative_2, p, P_BITS, P_LIMBS, pub, GNUNET_CRYPTO_EddsaPublicKey::q_y, GNUNET_CRYPTO_ElligatorRepresentative::r, result, and scratch_space_length.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand ( uint8_t  random_tweak,
const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey sk,
struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_CRYPTO_ElligatorRepresentative repr 
)

Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point.

Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key.

Parameters
random_tweakrandom 8-bit value used as seed
skprivate key for generating valid public key
pubvalid public key for elligator inverse map
reprstorage for a calculated representative
Returns
GNUNET_OK on success

Definition at line 639 of file crypto_elligator.c.

644{
646 if (GNUNET_SYSERR ==
648 return GNUNET_SYSERR;
649
650 if (NULL == repr)
651 return GNUNET_OK;
652 if (! GNUNET_CRYPTO_ecdhe_elligator_encoding (random_tweak,
653 repr,
654 &pub))
655 return GNUNET_SYSERR;
656 memcpy (pk->q_y, pub.q_y, sizeof(pk->q_y));
657 return GNUNET_OK;
658}
static enum GNUNET_GenericReturnValue elligator_generate_public_key(const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
bool GNUNET_CRYPTO_ecdhe_elligator_encoding(uint8_t random_tweak, struct GNUNET_CRYPTO_ElligatorRepresentative *r, const struct GNUNET_CRYPTO_EcdhePublicKey *pub)
Encodes a point on Curve25519 to a an element of the underlying finite field.

References elligator_generate_public_key(), GNUNET_CRYPTO_ecdhe_elligator_encoding(), GNUNET_OK, GNUNET_SYSERR, pk, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_get_public(), GNUNET_CRYPTO_hpke_elligator_kem_encaps_norand(), and main().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_key_get_public()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public ( const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey sk,
struct GNUNET_CRYPTO_EcdhePublicKey pub,
struct GNUNET_CRYPTO_ElligatorRepresentative repr 
)

Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point.

Following Method 1 in description https://elligator.org/key-exchange section Step 2: Generate a “special” public key.

Parameters
skprivate key for generating valid public key
pubvalid public key for elligator inverse map
reprstorage for a calculated representative
Returns
GNUNET_OK on success

Definition at line 662 of file crypto_elligator.c.

666{
667 uint8_t random_tweak;
669 &random_tweak,
670 sizeof(uint8_t));
671
673 sk,
674 pk,
675 repr);
676}

References GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand(), GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), and pk.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_create(), and GNUNET_CRYPTO_hpke_elligator_authkem_encaps_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_key_create()

void GNUNET_CRYPTO_ecdhe_elligator_key_create ( struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey sk)

Generates a private key for Curve25519.

Parameters
skCurve25519 private key

Definition at line 680 of file crypto_elligator.c.

682{
685 // inverse map can fail for some public keys generated by GNUNET_CRYPTO_ecdhe_elligator_generate_public_key
686 while (true)
687 {
689 sk,
690 sizeof (struct
692 ;
694 &repr))
695 break;
696 }
697
698}

References GNUNET_CRYPTO_ecdhe_elligator_key_get_public(), GNUNET_CRYPTO_QUALITY_NONCE, GNUNET_CRYPTO_random_block(), GNUNET_OK, and pk.

Referenced by GNUNET_CRYPTO_hpke_elligator_authkem_encaps(), and GNUNET_CRYPTO_hpke_elligator_kem_encaps().

Here is the call graph for this function:
Here is the caller graph for this function: