2 This file is part of GNUnet.
3 Copyright (C) 2001-2013 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file include/gnunet_crypto_lib.h
23 * @brief cryptographic primitives for GNUnet
25 * @author Christian Grothoff
26 * @author Krista Bennett
27 * @author Gerd Knorr <kraxel@bytesex.org>
28 * @author Ioana Patrascu
29 * @author Tzvetan Horozov
30 * @author Jeffrey Burdges <burdges@gnunet.org>
32 * @defgroup crypto Crypto library: cryptographic operations
33 * Provides cryptographic primitives.
35 * @see [Documentation](https://gnunet.org/crypto-api)
37 * @defgroup hash Crypto library: hash operations
38 * Provides hashing and operations on hashes.
40 * @see [Documentation](https://gnunet.org/crypto-api)
43 #ifndef GNUNET_CRYPTO_LIB_H
44 #define GNUNET_CRYPTO_LIB_H
48 #if 0 /* keep Emacsens' auto-indent happy */
55 * The identity of the host (wraps the signing key of the peer).
57 struct GNUNET_PeerIdentity;
59 #include "gnunet_common.h"
64 * Maximum length of an ECC signature.
65 * Note: round up to multiple of 8 minus 2 for alignment.
67 #define GNUNET_CRYPTO_ECC_SIGNATURE_DATA_ENCODING_LENGTH 126
71 * Desired quality level for random numbers.
74 enum GNUNET_CRYPTO_Quality
77 * No good quality of the operation is needed (i.e.,
78 * random numbers can be pseudo-random).
81 GNUNET_CRYPTO_QUALITY_WEAK,
84 * High-quality operations are desired.
87 GNUNET_CRYPTO_QUALITY_STRONG,
90 * Randomness for IVs etc. is required.
93 GNUNET_CRYPTO_QUALITY_NONCE
98 * @brief length of the sessionkey in bytes (256 BIT sessionkey)
100 #define GNUNET_CRYPTO_AES_KEY_LENGTH (256 / 8)
103 * Length of a hash value
105 #define GNUNET_CRYPTO_HASH_LENGTH (512 / 8)
108 * How many characters (without 0-terminator) are our ASCII-encoded
109 * public keys (ECDSA/EDDSA/ECDHE).
111 #define GNUNET_CRYPTO_PKEY_ASCII_LENGTH 52
114 * @brief 0-terminated ASCII encoding of a struct GNUNET_HashCode.
116 struct GNUNET_CRYPTO_HashAsciiEncoded
118 unsigned char encoding[104];
122 GNUNET_NETWORK_STRUCT_BEGIN
126 * @brief header of what an ECC signature signs
127 * this must be followed by "size - 8" bytes of
128 * the actual signed data
130 struct GNUNET_CRYPTO_EccSignaturePurpose
133 * How many bytes does this signature sign?
134 * (including this purpose header); in network
137 uint32_t size GNUNET_PACKED;
140 * What does this signature vouch for? This
141 * must contain a GNUNET_SIGNATURE_PURPOSE_XXX
142 * constant (from gnunet_signatures.h). In
143 * network byte order!
145 uint32_t purpose GNUNET_PACKED;
150 * @brief an ECC signature using EdDSA.
151 * See cr.yp.to/papers.html#ed25519
153 struct GNUNET_CRYPTO_EddsaSignature
158 unsigned char r[256 / 8];
163 unsigned char s[256 / 8];
168 * @brief an ECC signature using ECDSA
170 struct GNUNET_CRYPTO_EcdsaSignature
175 unsigned char r[256 / 8];
180 unsigned char s[256 / 8];
185 * Public ECC key (always for curve Ed25519) encoded in a format
186 * suitable for network transmission and EdDSA signatures.
188 struct GNUNET_CRYPTO_EddsaPublicKey
191 * Point Q consists of a y-value mod p (256 bits); the x-value is
192 * always positive. The point is stored in Ed25519 standard
195 unsigned char q_y[256 / 8];
200 * Public ECC key (always for Curve25519) encoded in a format suitable
201 * for network transmission and ECDSA signatures.
203 struct GNUNET_CRYPTO_EcdsaPublicKey
206 * Q consists of an x- and a y-value, each mod p (256 bits), given
207 * here in affine coordinates and Ed25519 standard compact format.
209 unsigned char q_y[256 / 8];
214 * The identity of the host (wraps the signing key of the peer).
216 struct GNUNET_PeerIdentity
218 struct GNUNET_CRYPTO_EddsaPublicKey public_key;
223 * Public ECC key (always for Curve25519) encoded in a format suitable
224 * for network transmission and encryption (ECDH),
225 * See http://cr.yp.to/ecdh.html
227 struct GNUNET_CRYPTO_EcdhePublicKey
230 * Q consists of an x- and a y-value, each mod p (256 bits), given
231 * here in affine coordinates and Ed25519 standard compact format.
233 unsigned char q_y[256 / 8];
238 * Private ECC key encoded for transmission. To be used only for ECDH
239 * key exchange (ECDHE to be precise).
241 struct GNUNET_CRYPTO_EcdhePrivateKey
244 * d is a value mod n, where n has at most 256 bits.
246 unsigned char d[256 / 8];
250 * Private ECC key encoded for transmission. To be used only for ECDSA
253 struct GNUNET_CRYPTO_EcdsaPrivateKey
256 * d is a value mod n, where n has at most 256 bits.
258 unsigned char d[256 / 8];
262 * Private ECC key encoded for transmission. To be used only for EdDSA
265 struct GNUNET_CRYPTO_EddsaPrivateKey
268 * d is a value mod n, where n has at most 256 bits.
270 unsigned char d[256 / 8];
275 * @brief type for session keys
277 struct GNUNET_CRYPTO_SymmetricSessionKey
280 * Actual key for AES.
282 unsigned char aes_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
285 * Actual key for TwoFish.
287 unsigned char twofish_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
290 GNUNET_NETWORK_STRUCT_END
293 * @brief IV for sym cipher
295 * NOTE: must be smaller (!) in size than the
296 * `struct GNUNET_HashCode`.
298 struct GNUNET_CRYPTO_SymmetricInitializationVector
300 unsigned char aes_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
302 unsigned char twofish_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
307 * @brief type for (message) authentication keys
309 struct GNUNET_CRYPTO_AuthKey
311 unsigned char key[GNUNET_CRYPTO_HASH_LENGTH];
316 * Size of paillier plain texts and public keys.
317 * Private keys and ciphertexts are twice this size.
319 #define GNUNET_CRYPTO_PAILLIER_BITS 2048
323 * Paillier public key.
325 struct GNUNET_CRYPTO_PaillierPublicKey
330 unsigned char n[GNUNET_CRYPTO_PAILLIER_BITS / 8];
335 * Paillier private key.
337 struct GNUNET_CRYPTO_PaillierPrivateKey
340 * Lambda-component of the private key.
342 unsigned char lambda[GNUNET_CRYPTO_PAILLIER_BITS / 8];
344 * Mu-component of the private key.
346 unsigned char mu[GNUNET_CRYPTO_PAILLIER_BITS / 8];
351 * Paillier ciphertext.
353 struct GNUNET_CRYPTO_PaillierCiphertext
356 * Guaranteed minimum number of homomorphic operations with this ciphertext,
357 * in network byte order (NBO).
359 int32_t remaining_ops GNUNET_PACKED;
362 * The bits of the ciphertext.
364 unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
368 /* **************** Functions and Macros ************* */
372 * Seed a weak random generator. Only #GNUNET_CRYPTO_QUALITY_WEAK-mode generator
375 * @param seed the seed to use
378 GNUNET_CRYPTO_seed_weak_random (int32_t seed);
383 * Calculate the checksum of a buffer in one step.
385 * @param buf buffer to calculate CRC over
386 * @param len number of bytes in @a buf
390 GNUNET_CRYPTO_crc8_n (const void *buf, size_t len);
394 * Perform an incremental step in a CRC16 (for TCP/IP) calculation.
396 * @param sum current sum, initially 0
397 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
398 * @param len number of bytes in @a buf, must be multiple of 2
399 * @return updated crc sum (must be subjected to #GNUNET_CRYPTO_crc16_finish to get actual crc16)
402 GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len);
406 * Convert results from GNUNET_CRYPTO_crc16_step to final crc16.
408 * @param sum cummulative sum
409 * @return crc16 value
412 GNUNET_CRYPTO_crc16_finish (uint32_t sum);
417 * Calculate the checksum of a buffer in one step.
419 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
420 * @param len number of bytes in @a buf, must be multiple of 2
421 * @return crc16 value
424 GNUNET_CRYPTO_crc16_n (const void *buf, size_t len);
429 * Compute the CRC32 checksum for the first len
430 * bytes of the buffer.
432 * @param buf the data over which we're taking the CRC
433 * @param len the length of the buffer @a buf in bytes
434 * @return the resulting CRC32 checksum
437 GNUNET_CRYPTO_crc32_n (const void *buf, size_t len);
441 * Zero out @a buffer, securely against compiler optimizations.
442 * Used to delete key material.
444 * @param buffer the buffer to zap
445 * @param length buffer length
448 GNUNET_CRYPTO_zero_keys (void *buffer, size_t length);
453 * Fill block with a random values.
455 * @param mode desired quality of the random number
456 * @param buffer the buffer to fill
457 * @param length buffer length
460 GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode,
466 * Produce a random value.
468 * @param mode desired quality of the random number
469 * @param i the upper limit (exclusive) for the random number
470 * @return a random value in the interval [0,@a i) (exclusive).
473 GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i);
478 * Random on unsigned 64-bit values.
480 * @param mode desired quality of the random number
481 * @param max value returned will be in range [0,@a max) (exclusive)
482 * @return random 64-bit number
485 GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode, uint64_t max);
490 * Get an array with a random permutation of the
492 * @param mode #GNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used,
493 * #GNUNET_CRYPTO_QUALITY_WEAK or #GNUNET_CRYPTO_QUALITY_NONCE otherwise
494 * @param n the size of the array
495 * @return the permutation array (allocated from heap)
498 GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode, unsigned int n);
503 * Create a new random session key.
505 * @param key key to initialize
508 GNUNET_CRYPTO_symmetric_create_session_key (
509 struct GNUNET_CRYPTO_SymmetricSessionKey *key);
514 * Encrypt a block using a symmetric sessionkey.
516 * @param block the block to encrypt
517 * @param size the size of the @a block
518 * @param sessionkey the key used to encrypt
519 * @param iv the initialization vector to use, use INITVALUE
521 * @return the size of the encrypted block, -1 for errors
524 GNUNET_CRYPTO_symmetric_encrypt (
527 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
528 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
534 * Decrypt a given block using a symmetric sessionkey.
536 * @param block the data to decrypt, encoded as returned by encrypt
537 * @param size how big is the block?
538 * @param sessionkey the key used to decrypt
539 * @param iv the initialization vector to use
540 * @param result address to store the result at
541 * @return -1 on failure, size of decrypted block on success
544 GNUNET_CRYPTO_symmetric_decrypt (
547 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
548 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
554 * @brief Derive an IV
555 * @param iv initialization vector
556 * @param skey session key
557 * @param salt salt for the derivation
558 * @param salt_len size of the @a salt
559 * @param ... pairs of void * & size_t for context chunks, terminated by NULL
562 GNUNET_CRYPTO_symmetric_derive_iv (
563 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
564 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
571 * @brief Derive an IV
572 * @param iv initialization vector
573 * @param skey session key
574 * @param salt salt for the derivation
575 * @param salt_len size of the @a salt
576 * @param argp pairs of void * & size_t for context chunks, terminated by NULL
579 GNUNET_CRYPTO_symmetric_derive_iv_v (
580 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
581 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
589 * Convert hash to ASCII encoding.
590 * @param block the hash code
591 * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be
592 * safely cast to char*, a '\\0' termination is set).
595 GNUNET_CRYPTO_hash_to_enc (const struct GNUNET_HashCode *block,
596 struct GNUNET_CRYPTO_HashAsciiEncoded *result);
601 * Convert ASCII encoding back to a 'struct GNUNET_HashCode'
603 * @param enc the encoding
604 * @param enclen number of characters in @a enc (without 0-terminator, which can be missing)
605 * @param result where to store the hash code
606 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
609 GNUNET_CRYPTO_hash_from_string2 (const char *enc,
611 struct GNUNET_HashCode *result);
616 * Convert ASCII encoding back to `struct GNUNET_HashCode`
618 * @param enc the encoding
619 * @param result where to store the hash code
620 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
622 #define GNUNET_CRYPTO_hash_from_string(enc, result) \
623 GNUNET_CRYPTO_hash_from_string2 (enc, strlen (enc), result)
629 * Compute the distance between 2 hashcodes. The
630 * computation must be fast, not involve @a a[0] or @a a[4] (they're used
631 * elsewhere), and be somewhat consistent. And of course, the result
632 * should be a positive number.
634 * @param a some hash code
635 * @param b some hash code
636 * @return number between 0 and UINT32_MAX
639 GNUNET_CRYPTO_hash_distance_u32 (const struct GNUNET_HashCode *a,
640 const struct GNUNET_HashCode *b);
645 * Compute hash of a given block.
647 * @param block the data to hash
648 * @param size size of the @a block
649 * @param ret pointer to where to write the hashcode
652 GNUNET_CRYPTO_hash (const void *block,
654 struct GNUNET_HashCode *ret);
658 * Calculate the 'proof-of-work' hash (an expensive hash).
660 * @param buf data to hash
661 * @param buf_len number of bytes in @a buf
662 * @param result where to write the resulting hash
665 GNUNET_CRYPTO_pow_hash (const void *buf,
667 struct GNUNET_HashCode *result);
671 * Context for cummulative hashing.
673 struct GNUNET_HashContext;
677 * Start incremental hashing operation.
679 * @return context for incremental hash computation
681 struct GNUNET_HashContext *
682 GNUNET_CRYPTO_hash_context_start (void);
686 * Add data to be hashed.
688 * @param hc cummulative hash context
689 * @param buf data to add
690 * @param size number of bytes in @a buf
693 GNUNET_CRYPTO_hash_context_read (struct GNUNET_HashContext *hc,
699 * Finish the hash computation.
701 * @param hc hash context to use, is freed in the process
702 * @param r_hash where to write the latest / final hash code
705 GNUNET_CRYPTO_hash_context_finish (struct GNUNET_HashContext *hc,
706 struct GNUNET_HashCode *r_hash);
710 * Abort hashing, do not bother calculating final result.
712 * @param hc hash context to destroy
715 GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc);
719 * Calculate HMAC of a message (RFC 2104)
720 * TODO: Shouldn' this be the standard hmac function and
721 * the above be renamed?
723 * @param key secret key
724 * @param key_len secret key length
725 * @param plaintext input plaintext
726 * @param plaintext_len length of @a plaintext
727 * @param hmac where to store the hmac
730 GNUNET_CRYPTO_hmac_raw (const void *key,
732 const void *plaintext,
733 size_t plaintext_len,
734 struct GNUNET_HashCode *hmac);
739 * Calculate HMAC of a message (RFC 2104)
741 * @param key secret key
742 * @param plaintext input plaintext
743 * @param plaintext_len length of @a plaintext
744 * @param hmac where to store the hmac
747 GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
748 const void *plaintext,
749 size_t plaintext_len,
750 struct GNUNET_HashCode *hmac);
754 * Function called once the hash computation over the
755 * specified file has completed.
758 * @param res resulting hash, NULL on error
760 typedef void (*GNUNET_CRYPTO_HashCompletedCallback) (
762 const struct GNUNET_HashCode *res);
766 * Handle to file hashing operation.
768 struct GNUNET_CRYPTO_FileHashContext;
773 * Compute the hash of an entire file.
775 * @param priority scheduling priority to use
776 * @param filename name of file to hash
777 * @param blocksize number of bytes to process in one task
778 * @param callback function to call upon completion
779 * @param callback_cls closure for @a callback
780 * @return NULL on (immediate) errror
782 struct GNUNET_CRYPTO_FileHashContext *
783 GNUNET_CRYPTO_hash_file (enum GNUNET_SCHEDULER_Priority priority,
784 const char *filename,
786 GNUNET_CRYPTO_HashCompletedCallback callback,
791 * Cancel a file hashing operation.
793 * @param fhc operation to cancel (callback must not yet have been invoked)
796 GNUNET_CRYPTO_hash_file_cancel (struct GNUNET_CRYPTO_FileHashContext *fhc);
801 * Create a random hash code.
803 * @param mode desired quality level
804 * @param result hash code that is randomized
807 GNUNET_CRYPTO_hash_create_random (enum GNUNET_CRYPTO_Quality mode,
808 struct GNUNET_HashCode *result);
813 * compute @a result = @a b - @a a
815 * @param a some hash code
816 * @param b some hash code
817 * @param result set to @a b - @a a
820 GNUNET_CRYPTO_hash_difference (const struct GNUNET_HashCode *a,
821 const struct GNUNET_HashCode *b,
822 struct GNUNET_HashCode *result);
827 * compute @a result = @a a + @a delta
829 * @param a some hash code
830 * @param delta some hash code
831 * @param result set to @a a + @a delta
834 GNUNET_CRYPTO_hash_sum (const struct GNUNET_HashCode *a,
835 const struct GNUNET_HashCode *delta,
836 struct GNUNET_HashCode *result);
841 * compute result = a ^ b
843 * @param a some hash code
844 * @param b some hash code
845 * @param result set to @a a ^ @a b
848 GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a,
849 const struct GNUNET_HashCode *b,
850 struct GNUNET_HashCode *result);
855 * Convert a hashcode into a key.
857 * @param hc hash code that serves to generate the key
858 * @param skey set to a valid session key
859 * @param iv set to a valid initialization vector
862 GNUNET_CRYPTO_hash_to_aes_key (
863 const struct GNUNET_HashCode *hc,
864 struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
865 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
870 * Obtain a bit from a hashcode.
872 * @param code the `struct GNUNET_HashCode` to index bit-wise
873 * @param bit index into the hashcode, [0...159]
874 * @return Bit \a bit from hashcode \a code, -1 for invalid index
877 GNUNET_CRYPTO_hash_get_bit (const struct GNUNET_HashCode *code,
883 * Determine how many low order bits match in two
884 * `struct GNUNET_HashCodes`. i.e. - 010011 and 011111 share
885 * the first two lowest order bits, and therefore the
886 * return value is two (NOT XOR distance, nor how many
887 * bits match absolutely!).
889 * @param first the first hashcode
890 * @param second the hashcode to compare first to
891 * @return the number of bits that match
894 GNUNET_CRYPTO_hash_matching_bits (const struct GNUNET_HashCode *first,
895 const struct GNUNET_HashCode *second);
900 * Compare function for HashCodes, producing a total ordering
903 * @param h1 some hash code
904 * @param h2 some hash code
905 * @return 1 if @a h1 > @a h2, -1 if @a h1 < @a h2 and 0 if @a h1 == @a h2.
908 GNUNET_CRYPTO_hash_cmp (const struct GNUNET_HashCode *h1,
909 const struct GNUNET_HashCode *h2);
914 * Find out which of the two GNUNET_CRYPTO_hash codes is closer to target
915 * in the XOR metric (Kademlia).
917 * @param h1 some hash code
918 * @param h2 some hash code
919 * @param target some hash code
920 * @return -1 if @a h1 is closer, 1 if @a h2 is closer and 0 if @a h1== @a h2.
923 GNUNET_CRYPTO_hash_xorcmp (const struct GNUNET_HashCode *h1,
924 const struct GNUNET_HashCode *h2,
925 const struct GNUNET_HashCode *target);
930 * @brief Derive an authentication key
931 * @param key authentication key
932 * @param rkey root key
934 * @param salt_len size of the salt
935 * @param argp pair of void * & size_t for context chunks, terminated by NULL
938 GNUNET_CRYPTO_hmac_derive_key_v (
939 struct GNUNET_CRYPTO_AuthKey *key,
940 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
948 * @brief Derive an authentication key
949 * @param key authentication key
950 * @param rkey root key
952 * @param salt_len size of the salt
953 * @param ... pair of void * & size_t for context chunks, terminated by NULL
956 GNUNET_CRYPTO_hmac_derive_key (
957 struct GNUNET_CRYPTO_AuthKey *key,
958 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
967 * @param result buffer for the derived key, allocated by caller
968 * @param out_len desired length of the derived key
969 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
970 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
972 * @param xts_len length of @a xts
973 * @param skm source key material
974 * @param skm_len length of @a skm
975 * @param ... pair of void * & size_t for context chunks, terminated by NULL
976 * @return #GNUNET_YES on success
979 GNUNET_CRYPTO_hkdf (void *result,
993 * @param result buffer for the derived key, allocated by caller
994 * @param out_len desired length of the derived key
995 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
996 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
998 * @param xts_len length of @a xts
999 * @param skm source key material
1000 * @param skm_len length of @a skm
1001 * @param argp va_list of void * & size_t pairs for context chunks
1002 * @return #GNUNET_YES on success
1005 GNUNET_CRYPTO_hkdf_v (void *result,
1018 * @param result buffer for the derived key, allocated by caller
1019 * @param out_len desired length of the derived key
1021 * @param xts_len length of @a xts
1022 * @param skm source key material
1023 * @param skm_len length of @a skm
1024 * @param argp va_list of void * & size_t pairs for context chunks
1025 * @return #GNUNET_YES on success
1028 GNUNET_CRYPTO_kdf_v (void *result,
1038 * Deterministically generate a pseudo-random number uniformly from the
1039 * integers modulo a libgcrypt mpi.
1041 * @param[out] r MPI value set to the FDH
1042 * @param n MPI to work modulo
1044 * @param xts_len length of @a xts
1045 * @param skm source key material
1046 * @param skm_len length of @a skm
1047 * @param ctx context string
1050 GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
1062 * @param result buffer for the derived key, allocated by caller
1063 * @param out_len desired length of the derived key
1065 * @param xts_len length of @a xts
1066 * @param skm source key material
1067 * @param skm_len length of @a skm
1068 * @param ... void * & size_t pairs for context chunks
1069 * @return #GNUNET_YES on success
1072 GNUNET_CRYPTO_kdf (void *result,
1083 * Extract the public key for the given private key.
1085 * @param priv the private key
1086 * @param pub where to write the public key
1089 GNUNET_CRYPTO_ecdsa_key_get_public (
1090 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1091 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1095 * Extract the public key for the given private key.
1097 * @param priv the private key
1098 * @param pub where to write the public key
1101 GNUNET_CRYPTO_eddsa_key_get_public (
1102 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1103 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1108 * Extract the public key for the given private key.
1110 * @param priv the private key
1111 * @param pub where to write the public key
1114 GNUNET_CRYPTO_ecdhe_key_get_public (
1115 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1116 struct GNUNET_CRYPTO_EcdhePublicKey *pub);
1120 * Convert a public key to a string.
1122 * @param pub key to convert
1123 * @return string representing @a pub
1126 GNUNET_CRYPTO_ecdsa_public_key_to_string (
1127 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1130 * Convert a private key to a string.
1132 * @param priv key to convert
1133 * @return string representing @a priv
1136 GNUNET_CRYPTO_ecdsa_private_key_to_string (
1137 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv);
1141 * Convert a private key to a string.
1143 * @param priv key to convert
1144 * @return string representing @a pub
1147 GNUNET_CRYPTO_eddsa_private_key_to_string (
1148 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv);
1152 * Convert a public key to a string.
1154 * @param pub key to convert
1155 * @return string representing @a pub
1158 GNUNET_CRYPTO_eddsa_public_key_to_string (
1159 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1163 * Convert a string representing a public key to a public key.
1165 * @param enc encoded public key
1166 * @param enclen number of bytes in @a enc (without 0-terminator)
1167 * @param pub where to store the public key
1168 * @return #GNUNET_OK on success
1171 GNUNET_CRYPTO_ecdsa_public_key_from_string (
1174 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1178 * Convert a string representing a private key to a private key.
1180 * @param enc encoded public key
1181 * @param enclen number of bytes in @a enc (without 0-terminator)
1182 * @param priv where to store the private key
1183 * @return #GNUNET_OK on success
1186 GNUNET_CRYPTO_eddsa_private_key_from_string (
1189 struct GNUNET_CRYPTO_EddsaPrivateKey *pub);
1193 * Convert a string representing a public key to a public key.
1195 * @param enc encoded public key
1196 * @param enclen number of bytes in @a enc (without 0-terminator)
1197 * @param pub where to store the public key
1198 * @return #GNUNET_OK on success
1201 GNUNET_CRYPTO_eddsa_public_key_from_string (
1204 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1209 * Create a new private key by reading it from a file. If the
1210 * files does not exist, create a new key and write it to the
1211 * file. Caller must free return value. Note that this function
1212 * can not guarantee that another process might not be trying
1213 * the same operation on the same file at the same time.
1214 * If the contents of the file
1215 * are invalid the old file is deleted and a fresh key is
1218 * @param filename name of file to use to store the key
1219 * @return new private key, NULL on error (for example,
1220 * permission denied); free using #GNUNET_free
1222 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1223 GNUNET_CRYPTO_ecdsa_key_create_from_file (const char *filename);
1228 * Create a new private key by reading it from a file. If the
1229 * files does not exist, create a new key and write it to the
1230 * file. Caller must free return value. Note that this function
1231 * can not guarantee that another process might not be trying
1232 * the same operation on the same file at the same time.
1233 * If the contents of the file
1234 * are invalid the old file is deleted and a fresh key is
1237 * @param filename name of file to use to store the key
1238 * @return new private key, NULL on error (for example,
1239 * permission denied); free using #GNUNET_free
1241 struct GNUNET_CRYPTO_EddsaPrivateKey *
1242 GNUNET_CRYPTO_eddsa_key_create_from_file (const char *filename);
1246 * Forward declaration to simplify #include-structure.
1248 struct GNUNET_CONFIGURATION_Handle;
1253 * Create a new private key by reading our peer's key from
1254 * the file specified in the configuration.
1256 * @param cfg the configuration to use
1257 * @return new private key, NULL on error (for example,
1258 * permission denied); free using #GNUNET_free
1260 struct GNUNET_CRYPTO_EddsaPrivateKey *
1261 GNUNET_CRYPTO_eddsa_key_create_from_configuration (
1262 const struct GNUNET_CONFIGURATION_Handle *cfg);
1267 * Create a new private key. Caller must free return value.
1269 * @return fresh private key; free using #GNUNET_free
1271 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1272 GNUNET_CRYPTO_ecdsa_key_create (void);
1277 * Create a new private key. Caller must free return value.
1279 * @return fresh private key; free using #GNUNET_free
1281 struct GNUNET_CRYPTO_EddsaPrivateKey *
1282 GNUNET_CRYPTO_eddsa_key_create (void);
1287 * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear().
1289 * @param[out] pk set to fresh private key;
1290 * @return #GNUNET_OK on success, #GNUNET_SYSERR on failure
1293 GNUNET_CRYPTO_ecdhe_key_create2 (struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1298 * Create a new private key. Caller must free return value.
1300 * @return fresh private key; free using #GNUNET_free
1302 struct GNUNET_CRYPTO_EcdhePrivateKey *
1303 GNUNET_CRYPTO_ecdhe_key_create (void);
1308 * Clear memory that was used to store a private key.
1310 * @param pk location of the key
1313 GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
1318 * Clear memory that was used to store a private key.
1320 * @param pk location of the key
1323 GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
1328 * Clear memory that was used to store a private key.
1330 * @param pk location of the key
1333 GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1338 * Get the shared private key we use for anonymous users.
1340 * @return "anonymous" private key; do not free
1342 const struct GNUNET_CRYPTO_EcdsaPrivateKey *
1343 GNUNET_CRYPTO_ecdsa_key_get_anonymous (void);
1348 * Setup a hostkey file for a peer given the name of the
1349 * configuration file (!). This function is used so that
1350 * at a later point code can be certain that reading a
1351 * hostkey is fast (for example in time-dependent testcases).
1353 * @param cfg_name name of the configuration file to use
1356 GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name);
1361 * Retrieve the identity of the host's peer.
1363 * @param cfg configuration to use
1364 * @param dst pointer to where to write the peer identity
1365 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
1366 * could not be retrieved
1369 GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg,
1370 struct GNUNET_PeerIdentity *dst);
1374 * Internal structure used to cache pre-calculated values for DLOG calculation.
1376 struct GNUNET_CRYPTO_EccDlogContext;
1380 * Point on a curve (always for Curve25519) encoded in a format suitable
1381 * for network transmission (ECDH), see http://cr.yp.to/ecdh.html.
1383 struct GNUNET_CRYPTO_EccPoint
1386 * Q consists of an x- and a y-value, each mod p (256 bits), given
1387 * here in affine coordinates and Ed25519 standard compact format.
1389 unsigned char q_y[256 / 8];
1394 * Do pre-calculation for ECC discrete logarithm for small factors.
1396 * @param max maximum value the factor can be
1397 * @param mem memory to use (should be smaller than @a max), must not be zero.
1398 * @return NULL on error
1400 struct GNUNET_CRYPTO_EccDlogContext *
1401 GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, unsigned int mem);
1405 * Calculate ECC discrete logarithm for small factors.
1406 * Opposite of #GNUNET_CRYPTO_ecc_dexp().
1408 * @param dlc precalculated values, determine range of factors
1409 * @param input point on the curve to factor
1410 * @return INT_MAX if dlog failed, otherwise the factor
1413 GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
1414 gcry_mpi_point_t input);
1418 * Multiply the generator g of the elliptic curve by @a val
1419 * to obtain the point on the curve representing @a val.
1420 * Afterwards, point addition will correspond to integer
1421 * addition. #GNUNET_CRYPTO_ecc_dlog() can be used to
1422 * convert a point back to an integer (as long as the
1423 * integer is smaller than the MAX of the @a edc context).
1425 * @param edc calculation context for ECC operations
1426 * @param val value to encode into a point
1427 * @return representation of the value as an ECC point,
1428 * must be freed using #GNUNET_CRYPTO_ecc_free()
1431 GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val);
1435 * Multiply the generator g of the elliptic curve by @a val
1436 * to obtain the point on the curve representing @a val.
1438 * @param edc calculation context for ECC operations
1439 * @param val (positive) value to encode into a point
1440 * @return representation of the value as an ECC point,
1441 * must be freed using #GNUNET_CRYPTO_ecc_free()
1444 GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1449 * Multiply the point @a p on the elliptic curve by @a val.
1451 * @param edc calculation context for ECC operations
1452 * @param p point to multiply
1453 * @param val (positive) value to encode into a point
1454 * @return representation of the value as an ECC point,
1455 * must be freed using #GNUNET_CRYPTO_ecc_free()
1458 GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1464 * Convert point value to binary representation.
1466 * @param edc calculation context for ECC operations
1467 * @param point computational point representation
1468 * @param[out] bin binary point representation
1471 GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,
1472 gcry_mpi_point_t point,
1473 struct GNUNET_CRYPTO_EccPoint *bin);
1477 * Convert binary representation of a point to computational representation.
1479 * @param edc calculation context for ECC operations
1480 * @param bin binary point representation
1481 * @return computational representation
1484 GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,
1485 const struct GNUNET_CRYPTO_EccPoint *bin);
1489 * Add two points on the elliptic curve.
1491 * @param edc calculation context for ECC operations
1492 * @param a some value
1493 * @param b some value
1494 * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()
1497 GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,
1499 gcry_mpi_point_t b);
1503 * Obtain a random point on the curve and its
1504 * additive inverse. Both returned values
1505 * must be freed using #GNUNET_CRYPTO_ecc_free().
1507 * @param edc calculation context for ECC operations
1508 * @param[out] r set to a random point on the curve
1509 * @param[out] r_inv set to the additive inverse of @a r
1512 GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,
1513 gcry_mpi_point_t *r,
1514 gcry_mpi_point_t *r_inv);
1518 * Obtain a random scalar for point multiplication on the curve and
1519 * its multiplicative inverse.
1521 * @param edc calculation context for ECC operations
1522 * @param[out] r set to a random scalar on the curve
1523 * @param[out] r_inv set to the multiplicative inverse of @a r
1526 GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1532 * Generate a random value mod n.
1534 * @param edc ECC context
1535 * @return random value mod n.
1538 GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc);
1542 * Free a point value returned by the API.
1544 * @param p point to free
1547 GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p);
1551 * Release precalculated values.
1553 * @param dlc dlog context
1556 GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *dlc);
1561 * Derive key material from a public and a private ECC key.
1563 * @param priv private key to use for the ECDH (x)
1564 * @param pub public key to use for the ECDH (yG)
1565 * @param key_material where to write the key material (xyG)
1566 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1569 GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1570 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1571 struct GNUNET_HashCode *key_material);
1576 * Derive key material from a ECDH public key and a private EdDSA key.
1577 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
1579 * @param priv private key from EdDSA to use for the ECDH (x)
1580 * @param pub public key to use for the ECDH (yG)
1581 * @param key_material where to write the key material H(h(x)yG)
1582 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1585 GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1586 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1587 struct GNUNET_HashCode *key_material);
1591 * Derive key material from a ECDH public key and a private ECDSA key.
1592 * Dual to #GNUNET_CRRYPTO_ecdh_ecdsa.
1594 * @param priv private key from ECDSA to use for the ECDH (x)
1595 * @param pub public key to use for the ECDH (yG)
1596 * @param key_material where to write the key material H(h(x)yG)
1597 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1600 GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1601 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1602 struct GNUNET_HashCode *key_material);
1607 * Derive key material from a EdDSA public key and a private ECDH key.
1608 * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
1610 * @param priv private key to use for the ECDH (y)
1611 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G)
1612 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1613 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1616 GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1617 const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1618 struct GNUNET_HashCode *key_material);
1622 * Derive key material from a EcDSA public key and a private ECDH key.
1623 * Dual to #GNUNET_CRRYPTO_ecdsa_ecdh.
1625 * @param priv private key to use for the ECDH (y)
1626 * @param pub public key from ECDSA to use for the ECDH (X=h(x)G)
1627 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1628 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1631 GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1632 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1633 struct GNUNET_HashCode *key_material);
1638 * EdDSA sign a given block.
1640 * @param priv private key to use for the signing
1641 * @param purpose what to sign (size, purpose)
1642 * @param sig where to write the signature
1643 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1646 GNUNET_CRYPTO_eddsa_sign (
1647 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1648 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1649 struct GNUNET_CRYPTO_EddsaSignature *sig);
1654 * ECDSA Sign a given block.
1656 * @param priv private key to use for the signing
1657 * @param purpose what to sign (size, purpose)
1658 * @param sig where to write the signature
1659 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1662 GNUNET_CRYPTO_ecdsa_sign (
1663 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1664 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1665 struct GNUNET_CRYPTO_EcdsaSignature *sig);
1669 * Verify EdDSA signature.
1671 * @param purpose what is the purpose that the signature should have?
1672 * @param validate block to validate (size, purpose, data)
1673 * @param sig signature that is being validated
1674 * @param pub public key of the signer
1675 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1678 GNUNET_CRYPTO_eddsa_verify (
1680 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1681 const struct GNUNET_CRYPTO_EddsaSignature *sig,
1682 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1687 * Verify ECDSA signature.
1689 * @param purpose what is the purpose that the signature should have?
1690 * @param validate block to validate (size, purpose, data)
1691 * @param sig signature that is being validated
1692 * @param pub public key of the signer
1693 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1696 GNUNET_CRYPTO_ecdsa_verify (
1698 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1699 const struct GNUNET_CRYPTO_EcdsaSignature *sig,
1700 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1705 * Derive a private key from a given private key and a label.
1706 * Essentially calculates a private key 'h = H(l,P) * d mod n'
1707 * where n is the size of the ECC group and P is the public
1708 * key associated with the private key 'd'.
1710 * @param priv original private key
1711 * @param label label to use for key deriviation
1712 * @param context additional context to use for HKDF of 'h';
1713 * typically the name of the subsystem/application
1714 * @return derived private key
1716 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1717 GNUNET_CRYPTO_ecdsa_private_key_derive (
1718 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1720 const char *context);
1725 * Derive a public key from a given public key and a label.
1726 * Essentially calculates a public key 'V = H(l,P) * P'.
1728 * @param pub original public key
1729 * @param label label to use for key deriviation
1730 * @param context additional context to use for HKDF of 'h'.
1731 * typically the name of the subsystem/application
1732 * @param result where to write the derived public key
1735 GNUNET_CRYPTO_ecdsa_public_key_derive (
1736 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1738 const char *context,
1739 struct GNUNET_CRYPTO_EcdsaPublicKey *result);
1743 * Output the given MPI value to the given buffer in network
1744 * byte order. The MPI @a val may not be negative.
1746 * @param buf where to output to
1747 * @param size number of bytes in @a buf
1748 * @param val value to write to @a buf
1751 GNUNET_CRYPTO_mpi_print_unsigned (void *buf, size_t size, gcry_mpi_t val);
1755 * Convert data buffer into MPI value.
1756 * The buffer is interpreted as network
1757 * byte order, unsigned integer.
1759 * @param result where to store MPI value (allocated)
1760 * @param data raw data (GCRYMPI_FMT_USG)
1761 * @param size number of bytes in @a data
1764 GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result,
1770 * Create a freshly generated paillier public key.
1772 * @param[out] public_key Where to store the public key?
1773 * @param[out] private_key Where to store the private key?
1776 GNUNET_CRYPTO_paillier_create (
1777 struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1778 struct GNUNET_CRYPTO_PaillierPrivateKey *private_key);
1782 * Encrypt a plaintext with a paillier public key.
1784 * @param public_key Public key to use.
1785 * @param m Plaintext to encrypt.
1786 * @param desired_ops How many homomorphic ops the caller intends to use
1787 * @param[out] ciphertext Encrytion of @a plaintext with @a public_key.
1788 * @return guaranteed number of supported homomorphic operations >= 1,
1789 * or desired_ops, in case that is lower,
1790 * or -1 if less than one homomorphic operation is possible
1793 GNUNET_CRYPTO_paillier_encrypt (
1794 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1797 struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext);
1801 * Decrypt a paillier ciphertext with a private key.
1803 * @param private_key Private key to use for decryption.
1804 * @param public_key Public key to use for decryption.
1805 * @param ciphertext Ciphertext to decrypt.
1806 * @param[out] m Decryption of @a ciphertext with @private_key.
1809 GNUNET_CRYPTO_paillier_decrypt (
1810 const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key,
1811 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1812 const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
1817 * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2
1819 * Note that this operation can only be done a finite number of times
1820 * before an overflow occurs.
1822 * @param public_key Public key to use for encryption.
1823 * @param c1 Paillier cipher text.
1824 * @param c2 Paillier cipher text.
1825 * @param[out] result Result of the homomorphic operation.
1826 * @return #GNUNET_OK if the result could be computed,
1827 * #GNUNET_SYSERR if no more homomorphic operations are remaining.
1830 GNUNET_CRYPTO_paillier_hom_add (
1831 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1832 const struct GNUNET_CRYPTO_PaillierCiphertext *c1,
1833 const struct GNUNET_CRYPTO_PaillierCiphertext *c2,
1834 struct GNUNET_CRYPTO_PaillierCiphertext *result);
1838 * Get the number of remaining supported homomorphic operations.
1840 * @param c Paillier cipher text.
1841 * @return the number of remaining homomorphic operations
1844 GNUNET_CRYPTO_paillier_hom_get_remaining (
1845 const struct GNUNET_CRYPTO_PaillierCiphertext *c);
1848 /* ********* Chaum-style RSA-based blind signatures ******************* */
1852 * The private information of an RSA key pair.
1854 struct GNUNET_CRYPTO_RsaPrivateKey;
1857 * The public information of an RSA key pair.
1859 struct GNUNET_CRYPTO_RsaPublicKey;
1862 * Constant-size pre-secret for blinding key generation.
1864 struct GNUNET_CRYPTO_RsaBlindingKeySecret
1867 * Bits used to generate the blinding key. 256 bits
1868 * of entropy is enough.
1870 uint32_t pre_secret[8] GNUNET_PACKED;
1874 * @brief an RSA signature
1876 struct GNUNET_CRYPTO_RsaSignature;
1880 * Create a new private key. Caller must free return value.
1882 * @param len length of the key in bits (i.e. 2048)
1883 * @return fresh private key
1885 struct GNUNET_CRYPTO_RsaPrivateKey *
1886 GNUNET_CRYPTO_rsa_private_key_create (unsigned int len);
1890 * Free memory occupied by the private key.
1892 * @param key pointer to the memory to free
1895 GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key);
1899 * Encode the private key in a format suitable for
1900 * storing it into a file.
1902 * @param key the private key
1903 * @param[out] buffer set to a buffer with the encoded key
1904 * @return size of memory allocatedin @a buffer
1907 GNUNET_CRYPTO_rsa_private_key_encode (
1908 const struct GNUNET_CRYPTO_RsaPrivateKey *key,
1913 * Decode the private key from the data-format back
1914 * to the "normal", internal format.
1916 * @param buf the buffer where the private key data is stored
1917 * @param len the length of the data in @a buf
1918 * @return NULL on error
1920 struct GNUNET_CRYPTO_RsaPrivateKey *
1921 GNUNET_CRYPTO_rsa_private_key_decode (const char *buf, size_t len);
1925 * Duplicate the given private key
1927 * @param key the private key to duplicate
1928 * @return the duplicate key; NULL upon error
1930 struct GNUNET_CRYPTO_RsaPrivateKey *
1931 GNUNET_CRYPTO_rsa_private_key_dup (
1932 const struct GNUNET_CRYPTO_RsaPrivateKey *key);
1936 * Extract the public key of the given private key.
1938 * @param priv the private key
1939 * @retur NULL on error, otherwise the public key
1941 struct GNUNET_CRYPTO_RsaPublicKey *
1942 GNUNET_CRYPTO_rsa_private_key_get_public (
1943 const struct GNUNET_CRYPTO_RsaPrivateKey *priv);
1947 * Compute hash over the public key.
1949 * @param key public key to hash
1950 * @param hc where to store the hash code
1953 GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key,
1954 struct GNUNET_HashCode *hc);
1958 * Obtain the length of the RSA key in bits.
1960 * @param key the public key to introspect
1961 * @return length of the key in bits
1964 GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key);
1968 * Free memory occupied by the public key.
1970 * @param key pointer to the memory to free
1973 GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key);
1977 * Encode the public key in a format suitable for
1978 * storing it into a file.
1980 * @param key the private key
1981 * @param[out] buffer set to a buffer with the encoded key
1982 * @return size of memory allocated in @a buffer
1985 GNUNET_CRYPTO_rsa_public_key_encode (
1986 const struct GNUNET_CRYPTO_RsaPublicKey *key,
1991 * Decode the public key from the data-format back
1992 * to the "normal", internal format.
1994 * @param buf the buffer where the public key data is stored
1995 * @param len the length of the data in @a buf
1996 * @return NULL on error
1998 struct GNUNET_CRYPTO_RsaPublicKey *
1999 GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len);
2003 * Duplicate the given public key
2005 * @param key the public key to duplicate
2006 * @return the duplicate key; NULL upon error
2008 struct GNUNET_CRYPTO_RsaPublicKey *
2009 GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key);
2013 * Compare the values of two signatures.
2015 * @param s1 one signature
2016 * @param s2 the other signature
2017 * @return 0 if the two are equal
2020 GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_RsaSignature *s1,
2021 struct GNUNET_CRYPTO_RsaSignature *s2);
2024 * Compare the values of two private keys.
2026 * @param p1 one private key
2027 * @param p2 the other private key
2028 * @return 0 if the two are equal
2031 GNUNET_CRYPTO_rsa_private_key_cmp (struct GNUNET_CRYPTO_RsaPrivateKey *p1,
2032 struct GNUNET_CRYPTO_RsaPrivateKey *p2);
2036 * Compare the values of two public keys.
2038 * @param p1 one public key
2039 * @param p2 the other public key
2040 * @return 0 if the two are equal
2043 GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_RsaPublicKey *p1,
2044 struct GNUNET_CRYPTO_RsaPublicKey *p2);
2048 * Blinds the given message with the given blinding key
2050 * @param hash hash of the message to sign
2051 * @param bkey the blinding key
2052 * @param pkey the public key of the signer
2053 * @param[out] buf set to a buffer with the blinded message to be signed
2054 * @param[out] buf_size number of bytes stored in @a buf
2055 * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious
2058 GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
2059 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2060 struct GNUNET_CRYPTO_RsaPublicKey *pkey,
2066 * Sign a blinded value, which must be a full domain hash of a message.
2068 * @param key private key to use for the signing
2069 * @param msg the (blinded) message to sign
2070 * @param msg_len number of bytes in @a msg to sign
2071 * @return NULL on error, signature on success
2073 struct GNUNET_CRYPTO_RsaSignature *
2074 GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2080 * Create and sign a full domain hash of a message.
2082 * @param key private key to use for the signing
2083 * @param hash the hash of the message to sign
2084 * @return NULL on error, including a malicious RSA key, signature on success
2086 struct GNUNET_CRYPTO_RsaSignature *
2087 GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2088 const struct GNUNET_HashCode *hash);
2092 * Free memory occupied by signature.
2094 * @param sig memory to free
2097 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig);
2101 * Encode the given signature in a format suitable for storing it into a file.
2103 * @param sig the signature
2104 * @param[out] buffer set to a buffer with the encoded key
2105 * @return size of memory allocated in @a buffer
2108 GNUNET_CRYPTO_rsa_signature_encode (
2109 const struct GNUNET_CRYPTO_RsaSignature *sig,
2114 * Decode the signature from the data-format back to the "normal", internal
2117 * @param buf the buffer where the public key data is stored
2118 * @param len the length of the data in @a buf
2119 * @return NULL on error
2121 struct GNUNET_CRYPTO_RsaSignature *
2122 GNUNET_CRYPTO_rsa_signature_decode (const char *buf, size_t len);
2126 * Duplicate the given rsa signature
2128 * @param sig the signature to duplicate
2129 * @return the duplicate key; NULL upon error
2131 struct GNUNET_CRYPTO_RsaSignature *
2132 GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig);
2136 * Unblind a blind-signed signature. The signature should have been generated
2137 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
2138 * #GNUNET_CRYPTO_rsa_blind().
2140 * @param sig the signature made on the blinded signature purpose
2141 * @param bks the blinding key secret used to blind the signature purpose
2142 * @param pkey the public key of the signer
2143 * @return unblinded signature on success, NULL if RSA key is bad or malicious.
2145 struct GNUNET_CRYPTO_RsaSignature *
2146 GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig,
2147 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2148 struct GNUNET_CRYPTO_RsaPublicKey *pkey);
2152 * Verify whether the given hash corresponds to the given signature and the
2153 * signature is valid with respect to the given public key.
2155 * @param hash the message to verify to match the @a sig
2156 * @param sig signature that is being validated
2157 * @param public_key public key of the signer
2158 * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature
2161 GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
2162 const struct GNUNET_CRYPTO_RsaSignature *sig,
2163 const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
2166 #if 0 /* keep Emacsens' auto-indent happy */
2174 /* ifndef GNUNET_CRYPTO_LIB_H */
2176 /* end of gnunet_crypto_lib.h */