crypto_ecc_gnsrecord.c

Go to the documentation of this file.

/*
     This file is part of GNUnet.
     Copyright (C) 2012, 2013, 2015 GNUnet e.V.
 
     GNUnet is free software: you can redistribute it and/or modify it
     under the terms of the GNU Affero General Public License as published
     by the Free Software Foundation, either version 3 of the License,
     or (at your option) any later version.
 
     GNUnet is distributed in the hope that it will be useful, but
     WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     Affero General Public License for more details.
 
     You should have received a copy of the GNU Affero General Public License
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
     SPDX-License-Identifier: AGPL3.0-or-later
 */
 
#include "platform.h"
#include <sodium.h>
#include "gnunet_util_lib.h"
 
#define CURVE "Ed25519"
 
static void
derive_h (const void *pub,
          size_t pubsize,
          const char *label,
          const char *context,
          struct GNUNET_HashCode *hc)
{
  static const char *const salt = "key-derivation";
 
  GNUNET_CRYPTO_hkdf_gnunet (
    hc,
    sizeof(*hc),
    salt,
    strlen (salt),
    pub,
    pubsize,
    GNUNET_CRYPTO_kdf_arg_string (label),
    GNUNET_CRYPTO_kdf_arg_string (context));
}
 
 
enum GNUNET_GenericReturnValue
GNUNET_CRYPTO_eddsa_sign_derived (
  const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey,
  const char *label,
  const char *context,
  const struct GNUNET_CRYPTO_SignaturePurpose *purpose,
  struct GNUNET_CRYPTO_EddsaSignature *sig)
{
  struct GNUNET_CRYPTO_EddsaPrivateScalar priv;
  crypto_hash_sha512_state hs;
  unsigned char sk[64];
  unsigned char r[64];
  unsigned char hram[64];
  unsigned char R[32];
  unsigned char zk[32];
  unsigned char tmp[32];
  unsigned char r_mod[64];
  unsigned char hram_mod[64];
 
  GNUNET_CRYPTO_eddsa_private_key_derive (pkey,
                                          label,
                                          context,
                                          &priv);
 
  crypto_hash_sha512_init (&hs);
 
  memcpy (sk, priv.s, 64);
 
  crypto_scalarmult_ed25519_base_noclamp (zk,
                                          sk);
 
  crypto_hash_sha512_update (&hs, sk + 32, 32);
  crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
  crypto_hash_sha512_final (&hs, r);
 
  memcpy (sig->s, zk, 32);
 
  crypto_core_ed25519_scalar_reduce (r_mod, r);
 
  crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
  memcpy (sig->r, R, sizeof (R));
 
  crypto_hash_sha512_init (&hs);
  crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
  crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
                             ntohl (purpose->size));
  crypto_hash_sha512_final (&hs, hram);
 
  crypto_core_ed25519_scalar_reduce (hram_mod, hram);
 
  crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
  crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
 
  sodium_memzero (sk, sizeof (sk));
  sodium_memzero (r, sizeof (r));
  sodium_memzero (r_mod, sizeof (r_mod));
  return GNUNET_OK;
}
 
 
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
enum GNUNET_GenericReturnValue
GNUNET_CRYPTO_ecdsa_sign_derived (
  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
  const char *label,
  const char *context,
  const struct GNUNET_CRYPTO_SignaturePurpose *purpose,
  struct GNUNET_CRYPTO_EcdsaSignature *sig)
{
  struct GNUNET_CRYPTO_EcdsaPrivateKey *key;
  enum GNUNET_GenericReturnValue res;
  key = GNUNET_CRYPTO_ecdsa_private_key_derive (priv,
                                                label,
                                                context);
  res = GNUNET_CRYPTO_ecdsa_sign_ (key,
                                   purpose,
                                   sig);
  GNUNET_free (key);
  return res;
}
 
 
struct GNUNET_CRYPTO_EcdsaPrivateKey *
GNUNET_CRYPTO_ecdsa_private_key_derive (
  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
  const char *label,
  const char *context)
{
  struct GNUNET_CRYPTO_EcdsaPublicKey pub;
  struct GNUNET_CRYPTO_EcdsaPrivateKey *ret;
  struct GNUNET_HashCode h;
  unsigned char h_mod_L[crypto_core_ed25519_SCALARBYTES];
  unsigned char h_le[64];
 
 
  ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
  GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
 
  derive_h (&pub, sizeof (pub), label, context, &h);
 
  for (size_t i = 0; i < 64; i++)
    h_le[i] = ((unsigned char*) &h)[63 - i];
 
  crypto_core_ed25519_scalar_reduce (h_mod_L,
                                     (unsigned char*) &h_le);
  crypto_core_ed25519_scalar_mul (ret->d, h_mod_L, priv->d);
  return ret;
}
 
 
void
GNUNET_CRYPTO_ecdsa_public_key_derive (
  const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
  const char *label,
  const char *context,
  struct GNUNET_CRYPTO_EcdsaPublicKey *result)
{
  struct GNUNET_HashCode hc;
  unsigned char h_mod_L[crypto_core_ed25519_SCALARBYTES];
  unsigned char h_le[64];
 
  derive_h (pub, sizeof (*pub), label, context, &hc);
  for (size_t i = 0; i < 64; i++)
    h_le[i] = ((unsigned char*) &hc)[63 - i];
 
 
  crypto_core_ed25519_scalar_reduce (h_mod_L,
                                     (unsigned char*) &h_le);
  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (result->q_y,
                                                         h_mod_L,
                                                         pub->q_y));
}
 
 
#pragma GCC diagnostic pop
 
 
void
GNUNET_CRYPTO_eddsa_private_key_derive (
  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
  const char *label,
  const char *context,
  struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
{
  struct GNUNET_CRYPTO_EddsaPublicKey pub;
  struct GNUNET_HashCode h;
  unsigned char h_le[64];
  unsigned char sk[64];
  unsigned char *d;
  unsigned char *nonce;
  unsigned char h_mod_L[crypto_core_ed25519_SCALARBYTES];
 
  d = result->s;
  nonce = result->s + 32;
 
  crypto_hash_sha512 (sk, priv->d, 32);
  sk[0] &= 248;
  sk[31] &= 127;
  sk[31] |= 64;
 
  GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
  derive_h (&pub, sizeof (pub), label, context, &h);
 
  for (size_t i = 0; i < 64; i++)
    h_le[i] = ((unsigned char*) &h)[63 - i];
 
 
  crypto_core_ed25519_scalar_reduce (h_mod_L,
                                     (unsigned char*) &h_le);
  crypto_core_ed25519_scalar_mul (d, h_mod_L, sk);
 
  {
    crypto_hash_sha256_state hs;
    crypto_hash_sha256_init (&hs);
    crypto_hash_sha256_update (&hs, sk + 32, 32);
    crypto_hash_sha256_update (&hs, (unsigned char*) &h, sizeof (h));
    crypto_hash_sha256_final (&hs, nonce);
  }
 
}
 
 
void
GNUNET_CRYPTO_eddsa_public_key_derive (
  const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
  const char *label,
  const char *context,
  struct GNUNET_CRYPTO_EddsaPublicKey *result)
{
  struct GNUNET_HashCode h;
  unsigned char h_le[64];
  unsigned char h_mod_L[crypto_core_ed25519_SCALARBYTES];
 
  /* calculate h_mod_n = h % n */
  derive_h (pub, sizeof (*pub), label, context, &h);
 
  for (size_t i = 0; i < 64; i++)
    h_le[i] = ((unsigned char*) &h)[63 - i];
 
  crypto_core_ed25519_scalar_reduce (h_mod_L,
                                     (unsigned char*) &h_le);
 
  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (result->q_y,
                                                         h_mod_L,
                                                         pub->q_y));
}
 
 
void
GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
  const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
  struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
{
  unsigned char sk[32];
 
  memcpy (sk, priv->s, 32);
 
  crypto_scalarmult_ed25519_base_noclamp (pkey->q_y,
                                          sk);
}