crypto_kdf.c File Reference

Key derivation. More...

#include <gcrypt.h>
#include "platform.h"
#include "gnunet_crypto_lib.h"

Include dependency graph for crypto_kdf.c:

Go to the source code of this file.

Macros
#define	LOG(kind, ...)   GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)

Functions
enum GNUNET_GenericReturnValue	GNUNET_CRYPTO_kdf_v (void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len, va_list argp)
	Derive key. More...
enum GNUNET_GenericReturnValue	GNUNET_CRYPTO_kdf (void *result, size_t out_len, const void *xts, size_t xts_len, const void *skm, size_t skm_len,...)
	Derive key. More...
void	GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
	Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi. More...

Detailed Description

Key derivation.

Author

Nils Durner

Jeffrey Burdges burdg.nosp@m.es@g.nosp@m.nunet.nosp@m..org

Definition in file crypto_kdf.c.

Macro Definition Documentation

LOG

#define LOG	(		kind,
			...
	)		GNUNET_log_from (kind, "util-crypto-kdf", __VA_ARGS__)

Definition at line 33 of file crypto_kdf.c.

Function Documentation

GNUNET_CRYPTO_kdf_v()

enum GNUNET_GenericReturnValue GNUNET_CRYPTO_kdf_v	(	void *	result,
		size_t	out_len,
		const void *	xts,
		size_t	xts_len,
		const void *	skm,
		size_t	skm_len,
		va_list	argp
	)

Derive key.

Parameters

result	buffer for the derived key, allocated by caller
out_len	desired length of the derived key
xts	salt
xts_len	length of xts
skm	source key material
skm_len	length of skm
argp	va_list of void * & size_t pairs for context chunks

Returns

GNUNET_YES on success

Definition at line 1 of file crypto_kdf.c.

{
  /*
   * "Finally, we point out to a particularly advantageous instantiation using
   * HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
   * truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
   * stronger hash function due to the unconventional demand from the hash function in the extraction
   * setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
   * allows to prove the security of HKDF under considerably weaker assumptions on the underlying
   * hash function."
   *
   * http://eprint.iacr.org/2010/264
   */
  return GNUNET_CRYPTO_hkdf_v (result,
                               out_len,
                               GCRY_MD_SHA512,
                               GCRY_MD_SHA256,
                               xts,
                               xts_len,
                               skm,
                               skm_len,
                               argp);
}

Referenced by GNUNET_CRYPTO_hmac_derive_key_v(), and GNUNET_CRYPTO_symmetric_derive_iv_v().

Here is the caller graph for this function:

GNUNET_CRYPTO_kdf_mod_mpi()

void GNUNET_CRYPTO_kdf_mod_mpi	(	gcry_mpi_t *	r,
		gcry_mpi_t	n,
		const void *	xts,
		size_t	xts_len,
		const void *	skm,
		size_t	skm_len,
		const char *	ctx
	)

Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.

Parameters

[out]	r	MPI value set to the FDH
	n	MPI to work modulo
	xts	salt
	xts_len	length of xts
	skm	source key material
	skm_len	length of skm
	ctx	context string

Definition at line 94 of file crypto_kdf.c.

{
  gcry_error_t rc;
  unsigned int nbits;
  size_t rsize;
  uint16_t ctr;
 
  nbits = gcry_mpi_get_nbits (n);
  /* GNUNET_assert (nbits > 512); */
  ctr = 0;
  while (1)
  {
    /* Ain't clear if n is always divisible by 8 */
    size_t bsize = (nbits - 1) / 8 + 1;
    uint8_t buf[bsize];
    uint16_t ctr_nbo = htons (ctr);
 
    rc = GNUNET_CRYPTO_kdf (buf,
                            bsize,
                            xts, xts_len,
                            skm, skm_len,
                            ctx, strlen (ctx),
                            &ctr_nbo, sizeof(ctr_nbo),
                            NULL, 0);
    GNUNET_assert (GNUNET_YES == rc);
    rc = gcry_mpi_scan (r,
                        GCRYMPI_FMT_USG,
                        (const unsigned char *) buf,
                        bsize,
                        &rsize);
    GNUNET_assert (GPG_ERR_NO_ERROR == rc);  /* Allocation error? */
    GNUNET_assert (rsize == bsize);
    gcry_mpi_clear_highbit (*r,
                            nbits);
    GNUNET_assert (0 ==
                   gcry_mpi_test_bit (*r,
                                      nbits));
    ++ctr;
    /* We reject this FDH if either *r > n and retry with another ctr */
    if (0 > gcry_mpi_cmp (*r, n))
      break;
    gcry_mpi_release (*r);
  }
}

References bsize, buf, ctx, GNUNET_assert, GNUNET_CRYPTO_kdf(), and GNUNET_YES.

Referenced by cs_full_domain_hash(), GNUNET_CRYPTO_rsa_blind(), and rsa_blinding_key_derive().

Here is the call graph for this function:

Here is the caller graph for this function: