GNUnet 0.21.1
crypto_kdf.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet.
3 Copyright (C) 2010 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
28#include "platform.h"
29#include <gcrypt.h>
30
31
32#include "gnunet_util_lib.h"
33
34#define LOG(kind, ...) GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)
35
36
37enum GNUNET_GenericReturnValue
38GNUNET_CRYPTO_kdf_v (void *result,
39 size_t out_len,
40 const void *xts,
41 size_t xts_len,
42 const void *skm,
43 size_t skm_len,
44 va_list argp)
45{
46 /*
47 * "Finally, we point out to a particularly advantageous instantiation using
48 * HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
49 * truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
50 * stronger hash function due to the unconventional demand from the hash function in the extraction
51 * setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
52 * allows to prove the security of HKDF under considerably weaker assumptions on the underlying
53 * hash function."
54 *
55 * http://eprint.iacr.org/2010/264
56 */
57 return GNUNET_CRYPTO_hkdf_v (result,
58 out_len,
59 GCRY_MD_SHA512,
60 GCRY_MD_SHA256,
61 xts,
62 xts_len,
63 skm,
64 skm_len,
65 argp);
66}
67
68
69enum GNUNET_GenericReturnValue
70GNUNET_CRYPTO_kdf (void *result,
71 size_t out_len,
72 const void *xts,
73 size_t xts_len,
74 const void *skm,
75 size_t skm_len, ...)
76{
77 va_list argp;
78 int ret;
79
80 va_start (argp, skm_len);
81 ret = GNUNET_CRYPTO_kdf_v (result,
82 out_len,
83 xts,
84 xts_len,
85 skm,
86 skm_len,
87 argp);
88 va_end (argp);
89
90 return ret;
91}
92
93
94void
95GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
96 gcry_mpi_t n,
97 const void *xts, size_t xts_len,
98 const void *skm, size_t skm_len,
99 const char *ctx)
100{
101 gcry_error_t rc;
102 unsigned int nbits;
103 size_t rsize;
104 uint16_t ctr;
105
106 nbits = gcry_mpi_get_nbits (n);
107 /* GNUNET_assert (nbits > 512); */
108 ctr = 0;
109 while (1)
110 {
111 /* Ain't clear if n is always divisible by 8 */
112 size_t bsize = (nbits - 1) / 8 + 1;
113 uint8_t buf[bsize];
114 uint16_t ctr_nbo = htons (ctr);
115
116 rc = GNUNET_CRYPTO_kdf (buf,
117 bsize,
118 xts, xts_len,
119 skm, skm_len,
120 ctx, strlen (ctx),
121 &ctr_nbo, sizeof(ctr_nbo),
122 NULL, 0);
123 GNUNET_assert (GNUNET_YES == rc);
124 rc = gcry_mpi_scan (r,
125 GCRYMPI_FMT_USG,
126 (const unsigned char *) buf,
127 bsize,
128 &rsize);
129 GNUNET_assert (GPG_ERR_NO_ERROR == rc); /* Allocation error? */
130 GNUNET_assert (rsize == bsize);
131 gcry_mpi_clear_highbit (*r,
132 nbits);
133 GNUNET_assert (0 ==
134 gcry_mpi_test_bit (*r,
135 nbits));
136 ++ctr;
137 /* We reject this FDH if either *r > n and retry with another ctr */
138 if (0 > gcry_mpi_cmp (*r, n))
139 break;
140 gcry_mpi_release (*r);
141 }
142}
143
144
145/* end of crypto_kdf.c */
ret
static int ret
Final status code.
Definition: gnunet-arm.c:94
ctx
static struct GNUNET_FS_Handle * ctx
Definition: gnunet-download.c:40
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240
bsize
static unsigned int bsize
Definition: gnunet-set-ibf-profiler.c:33
gnunet_util_lib.h
GNUNET_CRYPTO_hkdf_v
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_hkdf_v(void *result, size_t out_len, int xtr_algo, int prf_algo, const void *xts, size_t xts_len, const void *skm, size_t skm_len, va_list argp)
Derive key.
Definition: crypto_hkdf.c:166
GNUNET_CRYPTO_kdf
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_kdf(void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len,...)
Derive key.
Definition: crypto_kdf.c:70
GNUNET_CRYPTO_kdf_mod_mpi
void GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.
Definition: crypto_kdf.c:95
GNUNET_CRYPTO_kdf_v
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_kdf_v(void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len, va_list argp)
Derive key.
Definition: crypto_kdf.c:38
GNUNET_GenericReturnValue
GNUNET_GenericReturnValue
Named constants for return values.
Definition: gnunet_common.h:106
GNUNET_YES
@ GNUNET_YES
Definition: gnunet_common.h:111
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:937