2 This file is part of GNUnet.
3 Copyright (C) 2001-2013 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file include/gnunet_crypto_lib.h
23 * @brief cryptographic primitives for GNUnet
25 * @author Christian Grothoff
26 * @author Krista Bennett
27 * @author Gerd Knorr <kraxel@bytesex.org>
28 * @author Ioana Patrascu
29 * @author Tzvetan Horozov
30 * @author Jeffrey Burdges <burdges@gnunet.org>
32 * @defgroup crypto Crypto library: cryptographic operations
33 * Provides cryptographic primitives.
35 * @see [Documentation](https://gnunet.org/crypto-api)
37 * @defgroup hash Crypto library: hash operations
38 * Provides hashing and operations on hashes.
40 * @see [Documentation](https://gnunet.org/crypto-api)
43 #ifndef GNUNET_CRYPTO_LIB_H
44 #define GNUNET_CRYPTO_LIB_H
48 #if 0 /* keep Emacsens' auto-indent happy */
55 * The identity of the host (wraps the signing key of the peer).
57 struct GNUNET_PeerIdentity;
59 #include "gnunet_common.h"
64 * Maximum length of an ECC signature.
65 * Note: round up to multiple of 8 minus 2 for alignment.
67 #define GNUNET_CRYPTO_ECC_SIGNATURE_DATA_ENCODING_LENGTH 126
71 * Desired quality level for random numbers.
74 enum GNUNET_CRYPTO_Quality {
76 * No good quality of the operation is needed (i.e.,
77 * random numbers can be pseudo-random).
80 GNUNET_CRYPTO_QUALITY_WEAK,
83 * High-quality operations are desired.
86 GNUNET_CRYPTO_QUALITY_STRONG,
89 * Randomness for IVs etc. is required.
92 GNUNET_CRYPTO_QUALITY_NONCE
97 * @brief length of the sessionkey in bytes (256 BIT sessionkey)
99 #define GNUNET_CRYPTO_AES_KEY_LENGTH (256 / 8)
102 * Length of a hash value
104 #define GNUNET_CRYPTO_HASH_LENGTH (512 / 8)
107 * How many characters (without 0-terminator) are our ASCII-encoded
108 * public keys (ECDSA/EDDSA/ECDHE).
110 #define GNUNET_CRYPTO_PKEY_ASCII_LENGTH 52
113 * @brief 0-terminated ASCII encoding of a struct GNUNET_HashCode.
115 struct GNUNET_CRYPTO_HashAsciiEncoded {
116 unsigned char encoding[104];
120 GNUNET_NETWORK_STRUCT_BEGIN
124 * @brief header of what an ECC signature signs
125 * this must be followed by "size - 8" bytes of
126 * the actual signed data
128 struct GNUNET_CRYPTO_EccSignaturePurpose {
130 * How many bytes does this signature sign?
131 * (including this purpose header); in network
134 uint32_t size GNUNET_PACKED;
137 * What does this signature vouch for? This
138 * must contain a GNUNET_SIGNATURE_PURPOSE_XXX
139 * constant (from gnunet_signatures.h). In
140 * network byte order!
142 uint32_t purpose GNUNET_PACKED;
147 * @brief an ECC signature using EdDSA.
148 * See cr.yp.to/papers.html#ed25519
150 struct GNUNET_CRYPTO_EddsaSignature {
154 unsigned char r[256 / 8];
159 unsigned char s[256 / 8];
164 * @brief an ECC signature using ECDSA
166 struct GNUNET_CRYPTO_EcdsaSignature {
170 unsigned char r[256 / 8];
175 unsigned char s[256 / 8];
180 * Public ECC key (always for curve Ed25519) encoded in a format
181 * suitable for network transmission and EdDSA signatures.
183 struct GNUNET_CRYPTO_EddsaPublicKey {
185 * Point Q consists of a y-value mod p (256 bits); the x-value is
186 * always positive. The point is stored in Ed25519 standard
189 unsigned char q_y[256 / 8];
194 * Public ECC key (always for Curve25519) encoded in a format suitable
195 * for network transmission and ECDSA signatures.
197 struct GNUNET_CRYPTO_EcdsaPublicKey {
199 * Q consists of an x- and a y-value, each mod p (256 bits), given
200 * here in affine coordinates and Ed25519 standard compact format.
202 unsigned char q_y[256 / 8];
207 * The identity of the host (wraps the signing key of the peer).
209 struct GNUNET_PeerIdentity {
210 struct GNUNET_CRYPTO_EddsaPublicKey public_key;
215 * Public ECC key (always for Curve25519) encoded in a format suitable
216 * for network transmission and encryption (ECDH),
217 * See http://cr.yp.to/ecdh.html
219 struct GNUNET_CRYPTO_EcdhePublicKey {
221 * Q consists of an x- and a y-value, each mod p (256 bits), given
222 * here in affine coordinates and Ed25519 standard compact format.
224 unsigned char q_y[256 / 8];
229 * Private ECC key encoded for transmission. To be used only for ECDH
230 * key exchange (ECDHE to be precise).
232 struct GNUNET_CRYPTO_EcdhePrivateKey {
234 * d is a value mod n, where n has at most 256 bits.
236 unsigned char d[256 / 8];
240 * Private ECC key encoded for transmission. To be used only for ECDSA
243 struct GNUNET_CRYPTO_EcdsaPrivateKey {
245 * d is a value mod n, where n has at most 256 bits.
247 unsigned char d[256 / 8];
251 * Private ECC key encoded for transmission. To be used only for EdDSA
254 struct GNUNET_CRYPTO_EddsaPrivateKey {
256 * d is a value mod n, where n has at most 256 bits.
258 unsigned char d[256 / 8];
263 * @brief type for session keys
265 struct GNUNET_CRYPTO_SymmetricSessionKey {
267 * Actual key for AES.
269 unsigned char aes_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
272 * Actual key for TwoFish.
274 unsigned char twofish_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
277 GNUNET_NETWORK_STRUCT_END
280 * @brief IV for sym cipher
282 * NOTE: must be smaller (!) in size than the
283 * `struct GNUNET_HashCode`.
285 struct GNUNET_CRYPTO_SymmetricInitializationVector {
286 unsigned char aes_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
288 unsigned char twofish_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
293 * @brief type for (message) authentication keys
295 struct GNUNET_CRYPTO_AuthKey {
296 unsigned char key[GNUNET_CRYPTO_HASH_LENGTH];
301 * Size of paillier plain texts and public keys.
302 * Private keys and ciphertexts are twice this size.
304 #define GNUNET_CRYPTO_PAILLIER_BITS 2048
308 * Paillier public key.
310 struct GNUNET_CRYPTO_PaillierPublicKey {
314 unsigned char n[GNUNET_CRYPTO_PAILLIER_BITS / 8];
319 * Paillier private key.
321 struct GNUNET_CRYPTO_PaillierPrivateKey {
323 * Lambda-component of the private key.
325 unsigned char lambda[GNUNET_CRYPTO_PAILLIER_BITS / 8];
327 * Mu-component of the private key.
329 unsigned char mu[GNUNET_CRYPTO_PAILLIER_BITS / 8];
334 * Paillier ciphertext.
336 struct GNUNET_CRYPTO_PaillierCiphertext {
338 * Guaranteed minimum number of homomorphic operations with this ciphertext,
339 * in network byte order (NBO).
341 int32_t remaining_ops GNUNET_PACKED;
344 * The bits of the ciphertext.
346 unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
350 /* **************** Functions and Macros ************* */
354 * Seed a weak random generator. Only #GNUNET_CRYPTO_QUALITY_WEAK-mode generator
357 * @param seed the seed to use
360 GNUNET_CRYPTO_seed_weak_random(int32_t seed);
365 * Calculate the checksum of a buffer in one step.
367 * @param buf buffer to calculate CRC over
368 * @param len number of bytes in @a buf
372 GNUNET_CRYPTO_crc8_n(const void *buf, size_t len);
376 * Perform an incremental step in a CRC16 (for TCP/IP) calculation.
378 * @param sum current sum, initially 0
379 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
380 * @param len number of bytes in @a buf, must be multiple of 2
381 * @return updated crc sum (must be subjected to #GNUNET_CRYPTO_crc16_finish to get actual crc16)
384 GNUNET_CRYPTO_crc16_step(uint32_t sum, const void *buf, size_t len);
388 * Convert results from GNUNET_CRYPTO_crc16_step to final crc16.
390 * @param sum cummulative sum
391 * @return crc16 value
394 GNUNET_CRYPTO_crc16_finish(uint32_t sum);
399 * Calculate the checksum of a buffer in one step.
401 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
402 * @param len number of bytes in @a buf, must be multiple of 2
403 * @return crc16 value
406 GNUNET_CRYPTO_crc16_n(const void *buf, size_t len);
411 * Compute the CRC32 checksum for the first len
412 * bytes of the buffer.
414 * @param buf the data over which we're taking the CRC
415 * @param len the length of the buffer @a buf in bytes
416 * @return the resulting CRC32 checksum
419 GNUNET_CRYPTO_crc32_n(const void *buf, size_t len);
423 * Zero out @a buffer, securely against compiler optimizations.
424 * Used to delete key material.
426 * @param buffer the buffer to zap
427 * @param length buffer length
430 GNUNET_CRYPTO_zero_keys(void *buffer, size_t length);
435 * Fill block with a random values.
437 * @param mode desired quality of the random number
438 * @param buffer the buffer to fill
439 * @param length buffer length
442 GNUNET_CRYPTO_random_block(enum GNUNET_CRYPTO_Quality mode,
448 * Produce a random value.
450 * @param mode desired quality of the random number
451 * @param i the upper limit (exclusive) for the random number
452 * @return a random value in the interval [0,@a i) (exclusive).
455 GNUNET_CRYPTO_random_u32(enum GNUNET_CRYPTO_Quality mode, uint32_t i);
460 * Random on unsigned 64-bit values.
462 * @param mode desired quality of the random number
463 * @param max value returned will be in range [0,@a max) (exclusive)
464 * @return random 64-bit number
467 GNUNET_CRYPTO_random_u64(enum GNUNET_CRYPTO_Quality mode, uint64_t max);
472 * Get an array with a random permutation of the
474 * @param mode #GNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used,
475 * #GNUNET_CRYPTO_QUALITY_WEAK or #GNUNET_CRYPTO_QUALITY_NONCE otherwise
476 * @param n the size of the array
477 * @return the permutation array (allocated from heap)
480 GNUNET_CRYPTO_random_permute(enum GNUNET_CRYPTO_Quality mode, unsigned int n);
485 * Create a new random session key.
487 * @param key key to initialize
490 GNUNET_CRYPTO_symmetric_create_session_key(
491 struct GNUNET_CRYPTO_SymmetricSessionKey *key);
496 * Encrypt a block using a symmetric sessionkey.
498 * @param block the block to encrypt
499 * @param size the size of the @a block
500 * @param sessionkey the key used to encrypt
501 * @param iv the initialization vector to use, use INITVALUE
503 * @return the size of the encrypted block, -1 for errors
506 GNUNET_CRYPTO_symmetric_encrypt(
509 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
510 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
516 * Decrypt a given block using a symmetric sessionkey.
518 * @param block the data to decrypt, encoded as returned by encrypt
519 * @param size how big is the block?
520 * @param sessionkey the key used to decrypt
521 * @param iv the initialization vector to use
522 * @param result address to store the result at
523 * @return -1 on failure, size of decrypted block on success
526 GNUNET_CRYPTO_symmetric_decrypt(
529 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
530 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
536 * @brief Derive an IV
537 * @param iv initialization vector
538 * @param skey session key
539 * @param salt salt for the derivation
540 * @param salt_len size of the @a salt
541 * @param ... pairs of void * & size_t for context chunks, terminated by NULL
544 GNUNET_CRYPTO_symmetric_derive_iv(
545 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
546 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
553 * @brief Derive an IV
554 * @param iv initialization vector
555 * @param skey session key
556 * @param salt salt for the derivation
557 * @param salt_len size of the @a salt
558 * @param argp pairs of void * & size_t for context chunks, terminated by NULL
561 GNUNET_CRYPTO_symmetric_derive_iv_v(
562 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
563 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
571 * Convert hash to ASCII encoding.
572 * @param block the hash code
573 * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be
574 * safely cast to char*, a '\\0' termination is set).
577 GNUNET_CRYPTO_hash_to_enc(const struct GNUNET_HashCode *block,
578 struct GNUNET_CRYPTO_HashAsciiEncoded *result);
583 * Convert ASCII encoding back to a 'struct GNUNET_HashCode'
585 * @param enc the encoding
586 * @param enclen number of characters in @a enc (without 0-terminator, which can be missing)
587 * @param result where to store the hash code
588 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
591 GNUNET_CRYPTO_hash_from_string2(const char *enc,
593 struct GNUNET_HashCode *result);
598 * Convert ASCII encoding back to `struct GNUNET_HashCode`
600 * @param enc the encoding
601 * @param result where to store the hash code
602 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
604 #define GNUNET_CRYPTO_hash_from_string(enc, result) \
605 GNUNET_CRYPTO_hash_from_string2(enc, strlen(enc), result)
611 * Compute the distance between 2 hashcodes. The
612 * computation must be fast, not involve @a a[0] or @a a[4] (they're used
613 * elsewhere), and be somewhat consistent. And of course, the result
614 * should be a positive number.
616 * @param a some hash code
617 * @param b some hash code
618 * @return number between 0 and UINT32_MAX
621 GNUNET_CRYPTO_hash_distance_u32(const struct GNUNET_HashCode *a,
622 const struct GNUNET_HashCode *b);
627 * Compute hash of a given block.
629 * @param block the data to hash
630 * @param size size of the @a block
631 * @param ret pointer to where to write the hashcode
634 GNUNET_CRYPTO_hash(const void *block,
636 struct GNUNET_HashCode *ret);
640 * Context for cummulative hashing.
642 struct GNUNET_HashContext;
646 * Start incremental hashing operation.
648 * @return context for incremental hash computation
650 struct GNUNET_HashContext *
651 GNUNET_CRYPTO_hash_context_start(void);
655 * Add data to be hashed.
657 * @param hc cummulative hash context
658 * @param buf data to add
659 * @param size number of bytes in @a buf
662 GNUNET_CRYPTO_hash_context_read(struct GNUNET_HashContext *hc,
668 * Finish the hash computation.
670 * @param hc hash context to use, is freed in the process
671 * @param r_hash where to write the latest / final hash code
674 GNUNET_CRYPTO_hash_context_finish(struct GNUNET_HashContext *hc,
675 struct GNUNET_HashCode *r_hash);
679 * Abort hashing, do not bother calculating final result.
681 * @param hc hash context to destroy
684 GNUNET_CRYPTO_hash_context_abort(struct GNUNET_HashContext *hc);
688 * Calculate HMAC of a message (RFC 2104)
689 * TODO: Shouldn' this be the standard hmac function and
690 * the above be renamed?
692 * @param key secret key
693 * @param key_len secret key length
694 * @param plaintext input plaintext
695 * @param plaintext_len length of @a plaintext
696 * @param hmac where to store the hmac
699 GNUNET_CRYPTO_hmac_raw(const void *key,
701 const void *plaintext,
702 size_t plaintext_len,
703 struct GNUNET_HashCode *hmac);
708 * Calculate HMAC of a message (RFC 2104)
710 * @param key secret key
711 * @param plaintext input plaintext
712 * @param plaintext_len length of @a plaintext
713 * @param hmac where to store the hmac
716 GNUNET_CRYPTO_hmac(const struct GNUNET_CRYPTO_AuthKey *key,
717 const void *plaintext,
718 size_t plaintext_len,
719 struct GNUNET_HashCode *hmac);
723 * Function called once the hash computation over the
724 * specified file has completed.
727 * @param res resulting hash, NULL on error
729 typedef void (*GNUNET_CRYPTO_HashCompletedCallback) (
731 const struct GNUNET_HashCode *res);
735 * Handle to file hashing operation.
737 struct GNUNET_CRYPTO_FileHashContext;
742 * Compute the hash of an entire file.
744 * @param priority scheduling priority to use
745 * @param filename name of file to hash
746 * @param blocksize number of bytes to process in one task
747 * @param callback function to call upon completion
748 * @param callback_cls closure for @a callback
749 * @return NULL on (immediate) errror
751 struct GNUNET_CRYPTO_FileHashContext *
752 GNUNET_CRYPTO_hash_file(enum GNUNET_SCHEDULER_Priority priority,
753 const char *filename,
755 GNUNET_CRYPTO_HashCompletedCallback callback,
760 * Cancel a file hashing operation.
762 * @param fhc operation to cancel (callback must not yet have been invoked)
765 GNUNET_CRYPTO_hash_file_cancel(struct GNUNET_CRYPTO_FileHashContext *fhc);
770 * Create a random hash code.
772 * @param mode desired quality level
773 * @param result hash code that is randomized
776 GNUNET_CRYPTO_hash_create_random(enum GNUNET_CRYPTO_Quality mode,
777 struct GNUNET_HashCode *result);
782 * compute @a result = @a b - @a a
784 * @param a some hash code
785 * @param b some hash code
786 * @param result set to @a b - @a a
789 GNUNET_CRYPTO_hash_difference(const struct GNUNET_HashCode *a,
790 const struct GNUNET_HashCode *b,
791 struct GNUNET_HashCode *result);
796 * compute @a result = @a a + @a delta
798 * @param a some hash code
799 * @param delta some hash code
800 * @param result set to @a a + @a delta
803 GNUNET_CRYPTO_hash_sum(const struct GNUNET_HashCode *a,
804 const struct GNUNET_HashCode *delta,
805 struct GNUNET_HashCode *result);
810 * compute result = a ^ b
812 * @param a some hash code
813 * @param b some hash code
814 * @param result set to @a a ^ @a b
817 GNUNET_CRYPTO_hash_xor(const struct GNUNET_HashCode *a,
818 const struct GNUNET_HashCode *b,
819 struct GNUNET_HashCode *result);
824 * Convert a hashcode into a key.
826 * @param hc hash code that serves to generate the key
827 * @param skey set to a valid session key
828 * @param iv set to a valid initialization vector
831 GNUNET_CRYPTO_hash_to_aes_key(
832 const struct GNUNET_HashCode *hc,
833 struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
834 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
839 * Obtain a bit from a hashcode.
841 * @param code the `struct GNUNET_HashCode` to index bit-wise
842 * @param bit index into the hashcode, [0...159]
843 * @return Bit \a bit from hashcode \a code, -1 for invalid index
846 GNUNET_CRYPTO_hash_get_bit(const struct GNUNET_HashCode *code,
852 * Determine how many low order bits match in two
853 * `struct GNUNET_HashCodes`. i.e. - 010011 and 011111 share
854 * the first two lowest order bits, and therefore the
855 * return value is two (NOT XOR distance, nor how many
856 * bits match absolutely!).
858 * @param first the first hashcode
859 * @param second the hashcode to compare first to
860 * @return the number of bits that match
863 GNUNET_CRYPTO_hash_matching_bits(const struct GNUNET_HashCode *first,
864 const struct GNUNET_HashCode *second);
869 * Compare function for HashCodes, producing a total ordering
872 * @param h1 some hash code
873 * @param h2 some hash code
874 * @return 1 if @a h1 > @a h2, -1 if @a h1 < @a h2 and 0 if @a h1 == @a h2.
877 GNUNET_CRYPTO_hash_cmp(const struct GNUNET_HashCode *h1,
878 const struct GNUNET_HashCode *h2);
883 * Find out which of the two GNUNET_CRYPTO_hash codes is closer to target
884 * in the XOR metric (Kademlia).
886 * @param h1 some hash code
887 * @param h2 some hash code
888 * @param target some hash code
889 * @return -1 if @a h1 is closer, 1 if @a h2 is closer and 0 if @a h1== @a h2.
892 GNUNET_CRYPTO_hash_xorcmp(const struct GNUNET_HashCode *h1,
893 const struct GNUNET_HashCode *h2,
894 const struct GNUNET_HashCode *target);
899 * @brief Derive an authentication key
900 * @param key authentication key
901 * @param rkey root key
903 * @param salt_len size of the salt
904 * @param argp pair of void * & size_t for context chunks, terminated by NULL
907 GNUNET_CRYPTO_hmac_derive_key_v(
908 struct GNUNET_CRYPTO_AuthKey *key,
909 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
917 * @brief Derive an authentication key
918 * @param key authentication key
919 * @param rkey root key
921 * @param salt_len size of the salt
922 * @param ... pair of void * & size_t for context chunks, terminated by NULL
925 GNUNET_CRYPTO_hmac_derive_key(
926 struct GNUNET_CRYPTO_AuthKey *key,
927 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
936 * @param result buffer for the derived key, allocated by caller
937 * @param out_len desired length of the derived key
938 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
939 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
941 * @param xts_len length of @a xts
942 * @param skm source key material
943 * @param skm_len length of @a skm
944 * @param ... pair of void * & size_t for context chunks, terminated by NULL
945 * @return #GNUNET_YES on success
948 GNUNET_CRYPTO_hkdf(void *result,
962 * @param result buffer for the derived key, allocated by caller
963 * @param out_len desired length of the derived key
964 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
965 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
967 * @param xts_len length of @a xts
968 * @param skm source key material
969 * @param skm_len length of @a skm
970 * @param argp va_list of void * & size_t pairs for context chunks
971 * @return #GNUNET_YES on success
974 GNUNET_CRYPTO_hkdf_v(void *result,
987 * @param result buffer for the derived key, allocated by caller
988 * @param out_len desired length of the derived key
990 * @param xts_len length of @a xts
991 * @param skm source key material
992 * @param skm_len length of @a skm
993 * @param argp va_list of void * & size_t pairs for context chunks
994 * @return #GNUNET_YES on success
997 GNUNET_CRYPTO_kdf_v(void *result,
1007 * Deterministically generate a pseudo-random number uniformly from the
1008 * integers modulo a libgcrypt mpi.
1010 * @param[out] r MPI value set to the FDH
1011 * @param n MPI to work modulo
1013 * @param xts_len length of @a xts
1014 * @param skm source key material
1015 * @param skm_len length of @a skm
1016 * @param ctx context string
1019 GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r,
1031 * @param result buffer for the derived key, allocated by caller
1032 * @param out_len desired length of the derived key
1034 * @param xts_len length of @a xts
1035 * @param skm source key material
1036 * @param skm_len length of @a skm
1037 * @param ... void * & size_t pairs for context chunks
1038 * @return #GNUNET_YES on success
1041 GNUNET_CRYPTO_kdf(void *result,
1052 * Extract the public key for the given private key.
1054 * @param priv the private key
1055 * @param pub where to write the public key
1058 GNUNET_CRYPTO_ecdsa_key_get_public(
1059 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1060 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1064 * Extract the public key for the given private key.
1066 * @param priv the private key
1067 * @param pub where to write the public key
1070 GNUNET_CRYPTO_eddsa_key_get_public(
1071 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1072 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1077 * Extract the public key for the given private key.
1079 * @param priv the private key
1080 * @param pub where to write the public key
1083 GNUNET_CRYPTO_ecdhe_key_get_public(
1084 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1085 struct GNUNET_CRYPTO_EcdhePublicKey *pub);
1089 * Convert a public key to a string.
1091 * @param pub key to convert
1092 * @return string representing @a pub
1095 GNUNET_CRYPTO_ecdsa_public_key_to_string(
1096 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1099 * Convert a private key to a string.
1101 * @param priv key to convert
1102 * @return string representing @a priv
1105 GNUNET_CRYPTO_ecdsa_private_key_to_string(
1106 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv);
1110 * Convert a private key to a string.
1112 * @param priv key to convert
1113 * @return string representing @a pub
1116 GNUNET_CRYPTO_eddsa_private_key_to_string(
1117 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv);
1121 * Convert a public key to a string.
1123 * @param pub key to convert
1124 * @return string representing @a pub
1127 GNUNET_CRYPTO_eddsa_public_key_to_string(
1128 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1132 * Convert a string representing a public key to a public key.
1134 * @param enc encoded public key
1135 * @param enclen number of bytes in @a enc (without 0-terminator)
1136 * @param pub where to store the public key
1137 * @return #GNUNET_OK on success
1140 GNUNET_CRYPTO_ecdsa_public_key_from_string(
1143 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1147 * Convert a string representing a private key to a private key.
1149 * @param enc encoded public key
1150 * @param enclen number of bytes in @a enc (without 0-terminator)
1151 * @param priv where to store the private key
1152 * @return #GNUNET_OK on success
1155 GNUNET_CRYPTO_eddsa_private_key_from_string(
1158 struct GNUNET_CRYPTO_EddsaPrivateKey *pub);
1162 * Convert a string representing a public key to a public key.
1164 * @param enc encoded public key
1165 * @param enclen number of bytes in @a enc (without 0-terminator)
1166 * @param pub where to store the public key
1167 * @return #GNUNET_OK on success
1170 GNUNET_CRYPTO_eddsa_public_key_from_string(
1173 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1178 * Create a new private key by reading it from a file. If the
1179 * files does not exist, create a new key and write it to the
1180 * file. Caller must free return value. Note that this function
1181 * can not guarantee that another process might not be trying
1182 * the same operation on the same file at the same time.
1183 * If the contents of the file
1184 * are invalid the old file is deleted and a fresh key is
1187 * @param filename name of file to use to store the key
1188 * @return new private key, NULL on error (for example,
1189 * permission denied); free using #GNUNET_free
1191 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1192 GNUNET_CRYPTO_ecdsa_key_create_from_file(const char *filename);
1197 * Create a new private key by reading it from a file. If the
1198 * files does not exist, create a new key and write it to the
1199 * file. Caller must free return value. Note that this function
1200 * can not guarantee that another process might not be trying
1201 * the same operation on the same file at the same time.
1202 * If the contents of the file
1203 * are invalid the old file is deleted and a fresh key is
1206 * @param filename name of file to use to store the key
1207 * @return new private key, NULL on error (for example,
1208 * permission denied); free using #GNUNET_free
1210 struct GNUNET_CRYPTO_EddsaPrivateKey *
1211 GNUNET_CRYPTO_eddsa_key_create_from_file(const char *filename);
1215 * Forward declaration to simplify #include-structure.
1217 struct GNUNET_CONFIGURATION_Handle;
1222 * Create a new private key by reading our peer's key from
1223 * the file specified in the configuration.
1225 * @param cfg the configuration to use
1226 * @return new private key, NULL on error (for example,
1227 * permission denied); free using #GNUNET_free
1229 struct GNUNET_CRYPTO_EddsaPrivateKey *
1230 GNUNET_CRYPTO_eddsa_key_create_from_configuration(
1231 const struct GNUNET_CONFIGURATION_Handle *cfg);
1236 * Create a new private key. Caller must free return value.
1238 * @return fresh private key; free using #GNUNET_free
1240 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1241 GNUNET_CRYPTO_ecdsa_key_create(void);
1246 * Create a new private key. Caller must free return value.
1248 * @return fresh private key; free using #GNUNET_free
1250 struct GNUNET_CRYPTO_EddsaPrivateKey *
1251 GNUNET_CRYPTO_eddsa_key_create(void);
1256 * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear().
1258 * @param[out] pk set to fresh private key;
1259 * @return #GNUNET_OK on success, #GNUNET_SYSERR on failure
1262 GNUNET_CRYPTO_ecdhe_key_create2(struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1267 * Create a new private key. Caller must free return value.
1269 * @return fresh private key; free using #GNUNET_free
1271 struct GNUNET_CRYPTO_EcdhePrivateKey *
1272 GNUNET_CRYPTO_ecdhe_key_create(void);
1277 * Clear memory that was used to store a private key.
1279 * @param pk location of the key
1282 GNUNET_CRYPTO_eddsa_key_clear(struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
1287 * Clear memory that was used to store a private key.
1289 * @param pk location of the key
1292 GNUNET_CRYPTO_ecdsa_key_clear(struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
1297 * Clear memory that was used to store a private key.
1299 * @param pk location of the key
1302 GNUNET_CRYPTO_ecdhe_key_clear(struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1307 * Get the shared private key we use for anonymous users.
1309 * @return "anonymous" private key; do not free
1311 const struct GNUNET_CRYPTO_EcdsaPrivateKey *
1312 GNUNET_CRYPTO_ecdsa_key_get_anonymous(void);
1317 * Setup a hostkey file for a peer given the name of the
1318 * configuration file (!). This function is used so that
1319 * at a later point code can be certain that reading a
1320 * hostkey is fast (for example in time-dependent testcases).
1322 * @param cfg_name name of the configuration file to use
1325 GNUNET_CRYPTO_eddsa_setup_hostkey(const char *cfg_name);
1330 * Retrieve the identity of the host's peer.
1332 * @param cfg configuration to use
1333 * @param dst pointer to where to write the peer identity
1334 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
1335 * could not be retrieved
1338 GNUNET_CRYPTO_get_peer_identity(const struct GNUNET_CONFIGURATION_Handle *cfg,
1339 struct GNUNET_PeerIdentity *dst);
1343 * Internal structure used to cache pre-calculated values for DLOG calculation.
1345 struct GNUNET_CRYPTO_EccDlogContext;
1349 * Point on a curve (always for Curve25519) encoded in a format suitable
1350 * for network transmission (ECDH), see http://cr.yp.to/ecdh.html.
1352 struct GNUNET_CRYPTO_EccPoint {
1354 * Q consists of an x- and a y-value, each mod p (256 bits), given
1355 * here in affine coordinates and Ed25519 standard compact format.
1357 unsigned char q_y[256 / 8];
1362 * Do pre-calculation for ECC discrete logarithm for small factors.
1364 * @param max maximum value the factor can be
1365 * @param mem memory to use (should be smaller than @a max), must not be zero.
1366 * @return NULL on error
1368 struct GNUNET_CRYPTO_EccDlogContext *
1369 GNUNET_CRYPTO_ecc_dlog_prepare(unsigned int max, unsigned int mem);
1373 * Calculate ECC discrete logarithm for small factors.
1374 * Opposite of #GNUNET_CRYPTO_ecc_dexp().
1376 * @param dlc precalculated values, determine range of factors
1377 * @param input point on the curve to factor
1378 * @return INT_MAX if dlog failed, otherwise the factor
1381 GNUNET_CRYPTO_ecc_dlog(struct GNUNET_CRYPTO_EccDlogContext *edc,
1382 gcry_mpi_point_t input);
1386 * Multiply the generator g of the elliptic curve by @a val
1387 * to obtain the point on the curve representing @a val.
1388 * Afterwards, point addition will correspond to integer
1389 * addition. #GNUNET_CRYPTO_ecc_dlog() can be used to
1390 * convert a point back to an integer (as long as the
1391 * integer is smaller than the MAX of the @a edc context).
1393 * @param edc calculation context for ECC operations
1394 * @param val value to encode into a point
1395 * @return representation of the value as an ECC point,
1396 * must be freed using #GNUNET_CRYPTO_ecc_free()
1399 GNUNET_CRYPTO_ecc_dexp(struct GNUNET_CRYPTO_EccDlogContext *edc, int val);
1403 * Multiply the generator g of the elliptic curve by @a val
1404 * to obtain the point on the curve representing @a val.
1406 * @param edc calculation context for ECC operations
1407 * @param val (positive) value to encode into a point
1408 * @return representation of the value as an ECC point,
1409 * must be freed using #GNUNET_CRYPTO_ecc_free()
1412 GNUNET_CRYPTO_ecc_dexp_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
1417 * Multiply the point @a p on the elliptic curve by @a val.
1419 * @param edc calculation context for ECC operations
1420 * @param p point to multiply
1421 * @param val (positive) value to encode into a point
1422 * @return representation of the value as an ECC point,
1423 * must be freed using #GNUNET_CRYPTO_ecc_free()
1426 GNUNET_CRYPTO_ecc_pmul_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
1432 * Convert point value to binary representation.
1434 * @param edc calculation context for ECC operations
1435 * @param point computational point representation
1436 * @param[out] bin binary point representation
1439 GNUNET_CRYPTO_ecc_point_to_bin(struct GNUNET_CRYPTO_EccDlogContext *edc,
1440 gcry_mpi_point_t point,
1441 struct GNUNET_CRYPTO_EccPoint *bin);
1445 * Convert binary representation of a point to computational representation.
1447 * @param edc calculation context for ECC operations
1448 * @param bin binary point representation
1449 * @return computational representation
1452 GNUNET_CRYPTO_ecc_bin_to_point(struct GNUNET_CRYPTO_EccDlogContext *edc,
1453 const struct GNUNET_CRYPTO_EccPoint *bin);
1457 * Add two points on the elliptic curve.
1459 * @param edc calculation context for ECC operations
1460 * @param a some value
1461 * @param b some value
1462 * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()
1465 GNUNET_CRYPTO_ecc_add(struct GNUNET_CRYPTO_EccDlogContext *edc,
1467 gcry_mpi_point_t b);
1471 * Obtain a random point on the curve and its
1472 * additive inverse. Both returned values
1473 * must be freed using #GNUNET_CRYPTO_ecc_free().
1475 * @param edc calculation context for ECC operations
1476 * @param[out] r set to a random point on the curve
1477 * @param[out] r_inv set to the additive inverse of @a r
1480 GNUNET_CRYPTO_ecc_rnd(struct GNUNET_CRYPTO_EccDlogContext *edc,
1481 gcry_mpi_point_t *r,
1482 gcry_mpi_point_t *r_inv);
1486 * Obtain a random scalar for point multiplication on the curve and
1487 * its multiplicative inverse.
1489 * @param edc calculation context for ECC operations
1490 * @param[out] r set to a random scalar on the curve
1491 * @param[out] r_inv set to the multiplicative inverse of @a r
1494 GNUNET_CRYPTO_ecc_rnd_mpi(struct GNUNET_CRYPTO_EccDlogContext *edc,
1500 * Generate a random value mod n.
1502 * @param edc ECC context
1503 * @return random value mod n.
1506 GNUNET_CRYPTO_ecc_random_mod_n(struct GNUNET_CRYPTO_EccDlogContext *edc);
1510 * Free a point value returned by the API.
1512 * @param p point to free
1515 GNUNET_CRYPTO_ecc_free(gcry_mpi_point_t p);
1519 * Release precalculated values.
1521 * @param dlc dlog context
1524 GNUNET_CRYPTO_ecc_dlog_release(struct GNUNET_CRYPTO_EccDlogContext *dlc);
1529 * Derive key material from a public and a private ECC key.
1531 * @param priv private key to use for the ECDH (x)
1532 * @param pub public key to use for the ECDH (yG)
1533 * @param key_material where to write the key material (xyG)
1534 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1537 GNUNET_CRYPTO_ecc_ecdh(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1538 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1539 struct GNUNET_HashCode *key_material);
1544 * Derive key material from a ECDH public key and a private EdDSA key.
1545 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
1547 * @param priv private key from EdDSA to use for the ECDH (x)
1548 * @param pub public key to use for the ECDH (yG)
1549 * @param key_material where to write the key material H(h(x)yG)
1550 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1553 GNUNET_CRYPTO_eddsa_ecdh(const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1554 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1555 struct GNUNET_HashCode *key_material);
1559 * Derive key material from a ECDH public key and a private ECDSA key.
1560 * Dual to #GNUNET_CRRYPTO_ecdh_ecdsa.
1562 * @param priv private key from ECDSA to use for the ECDH (x)
1563 * @param pub public key to use for the ECDH (yG)
1564 * @param key_material where to write the key material H(h(x)yG)
1565 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1568 GNUNET_CRYPTO_ecdsa_ecdh(const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1569 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1570 struct GNUNET_HashCode *key_material);
1575 * Derive key material from a EdDSA public key and a private ECDH key.
1576 * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
1578 * @param priv private key to use for the ECDH (y)
1579 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G)
1580 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1581 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1584 GNUNET_CRYPTO_ecdh_eddsa(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1585 const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1586 struct GNUNET_HashCode *key_material);
1590 * Derive key material from a EcDSA public key and a private ECDH key.
1591 * Dual to #GNUNET_CRRYPTO_ecdsa_ecdh.
1593 * @param priv private key to use for the ECDH (y)
1594 * @param pub public key from ECDSA to use for the ECDH (X=h(x)G)
1595 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1596 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1599 GNUNET_CRYPTO_ecdh_ecdsa(const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1600 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1601 struct GNUNET_HashCode *key_material);
1606 * EdDSA sign a given block.
1608 * @param priv private key to use for the signing
1609 * @param purpose what to sign (size, purpose)
1610 * @param sig where to write the signature
1611 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1614 GNUNET_CRYPTO_eddsa_sign(
1615 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1616 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1617 struct GNUNET_CRYPTO_EddsaSignature *sig);
1622 * ECDSA Sign a given block.
1624 * @param priv private key to use for the signing
1625 * @param purpose what to sign (size, purpose)
1626 * @param sig where to write the signature
1627 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1630 GNUNET_CRYPTO_ecdsa_sign(
1631 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1632 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1633 struct GNUNET_CRYPTO_EcdsaSignature *sig);
1637 * Verify EdDSA signature.
1639 * @param purpose what is the purpose that the signature should have?
1640 * @param validate block to validate (size, purpose, data)
1641 * @param sig signature that is being validated
1642 * @param pub public key of the signer
1643 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1646 GNUNET_CRYPTO_eddsa_verify(
1648 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1649 const struct GNUNET_CRYPTO_EddsaSignature *sig,
1650 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1655 * Verify ECDSA signature.
1657 * @param purpose what is the purpose that the signature should have?
1658 * @param validate block to validate (size, purpose, data)
1659 * @param sig signature that is being validated
1660 * @param pub public key of the signer
1661 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1664 GNUNET_CRYPTO_ecdsa_verify(
1666 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1667 const struct GNUNET_CRYPTO_EcdsaSignature *sig,
1668 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1673 * Derive a private key from a given private key and a label.
1674 * Essentially calculates a private key 'h = H(l,P) * d mod n'
1675 * where n is the size of the ECC group and P is the public
1676 * key associated with the private key 'd'.
1678 * @param priv original private key
1679 * @param label label to use for key deriviation
1680 * @param context additional context to use for HKDF of 'h';
1681 * typically the name of the subsystem/application
1682 * @return derived private key
1684 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1685 GNUNET_CRYPTO_ecdsa_private_key_derive(
1686 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1688 const char *context);
1693 * Derive a public key from a given public key and a label.
1694 * Essentially calculates a public key 'V = H(l,P) * P'.
1696 * @param pub original public key
1697 * @param label label to use for key deriviation
1698 * @param context additional context to use for HKDF of 'h'.
1699 * typically the name of the subsystem/application
1700 * @param result where to write the derived public key
1703 GNUNET_CRYPTO_ecdsa_public_key_derive(
1704 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1706 const char *context,
1707 struct GNUNET_CRYPTO_EcdsaPublicKey *result);
1711 * Output the given MPI value to the given buffer in network
1712 * byte order. The MPI @a val may not be negative.
1714 * @param buf where to output to
1715 * @param size number of bytes in @a buf
1716 * @param val value to write to @a buf
1719 GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val);
1723 * Convert data buffer into MPI value.
1724 * The buffer is interpreted as network
1725 * byte order, unsigned integer.
1727 * @param result where to store MPI value (allocated)
1728 * @param data raw data (GCRYMPI_FMT_USG)
1729 * @param size number of bytes in @a data
1732 GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result,
1738 * Create a freshly generated paillier public key.
1740 * @param[out] public_key Where to store the public key?
1741 * @param[out] private_key Where to store the private key?
1744 GNUNET_CRYPTO_paillier_create(
1745 struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1746 struct GNUNET_CRYPTO_PaillierPrivateKey *private_key);
1750 * Encrypt a plaintext with a paillier public key.
1752 * @param public_key Public key to use.
1753 * @param m Plaintext to encrypt.
1754 * @param desired_ops How many homomorphic ops the caller intends to use
1755 * @param[out] ciphertext Encrytion of @a plaintext with @a public_key.
1756 * @return guaranteed number of supported homomorphic operations >= 1,
1757 * or desired_ops, in case that is lower,
1758 * or -1 if less than one homomorphic operation is possible
1761 GNUNET_CRYPTO_paillier_encrypt(
1762 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1765 struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext);
1769 * Decrypt a paillier ciphertext with a private key.
1771 * @param private_key Private key to use for decryption.
1772 * @param public_key Public key to use for decryption.
1773 * @param ciphertext Ciphertext to decrypt.
1774 * @param[out] m Decryption of @a ciphertext with @private_key.
1777 GNUNET_CRYPTO_paillier_decrypt(
1778 const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key,
1779 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1780 const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
1785 * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2
1787 * Note that this operation can only be done a finite number of times
1788 * before an overflow occurs.
1790 * @param public_key Public key to use for encryption.
1791 * @param c1 Paillier cipher text.
1792 * @param c2 Paillier cipher text.
1793 * @param[out] result Result of the homomorphic operation.
1794 * @return #GNUNET_OK if the result could be computed,
1795 * #GNUNET_SYSERR if no more homomorphic operations are remaining.
1798 GNUNET_CRYPTO_paillier_hom_add(
1799 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1800 const struct GNUNET_CRYPTO_PaillierCiphertext *c1,
1801 const struct GNUNET_CRYPTO_PaillierCiphertext *c2,
1802 struct GNUNET_CRYPTO_PaillierCiphertext *result);
1806 * Get the number of remaining supported homomorphic operations.
1808 * @param c Paillier cipher text.
1809 * @return the number of remaining homomorphic operations
1812 GNUNET_CRYPTO_paillier_hom_get_remaining(
1813 const struct GNUNET_CRYPTO_PaillierCiphertext *c);
1816 /* ********* Chaum-style RSA-based blind signatures ******************* */
1820 * The private information of an RSA key pair.
1822 struct GNUNET_CRYPTO_RsaPrivateKey;
1825 * The public information of an RSA key pair.
1827 struct GNUNET_CRYPTO_RsaPublicKey;
1830 * Constant-size pre-secret for blinding key generation.
1832 struct GNUNET_CRYPTO_RsaBlindingKeySecret {
1834 * Bits used to generate the blinding key. 256 bits
1835 * of entropy is enough.
1837 uint32_t pre_secret[8] GNUNET_PACKED;
1841 * @brief an RSA signature
1843 struct GNUNET_CRYPTO_RsaSignature;
1847 * Create a new private key. Caller must free return value.
1849 * @param len length of the key in bits (i.e. 2048)
1850 * @return fresh private key
1852 struct GNUNET_CRYPTO_RsaPrivateKey *
1853 GNUNET_CRYPTO_rsa_private_key_create(unsigned int len);
1857 * Free memory occupied by the private key.
1859 * @param key pointer to the memory to free
1862 GNUNET_CRYPTO_rsa_private_key_free(struct GNUNET_CRYPTO_RsaPrivateKey *key);
1866 * Encode the private key in a format suitable for
1867 * storing it into a file.
1869 * @param key the private key
1870 * @param[out] buffer set to a buffer with the encoded key
1871 * @return size of memory allocatedin @a buffer
1874 GNUNET_CRYPTO_rsa_private_key_encode(
1875 const struct GNUNET_CRYPTO_RsaPrivateKey *key,
1880 * Decode the private key from the data-format back
1881 * to the "normal", internal format.
1883 * @param buf the buffer where the private key data is stored
1884 * @param len the length of the data in @a buf
1885 * @return NULL on error
1887 struct GNUNET_CRYPTO_RsaPrivateKey *
1888 GNUNET_CRYPTO_rsa_private_key_decode(const char *buf, size_t len);
1892 * Duplicate the given private key
1894 * @param key the private key to duplicate
1895 * @return the duplicate key; NULL upon error
1897 struct GNUNET_CRYPTO_RsaPrivateKey *
1898 GNUNET_CRYPTO_rsa_private_key_dup(
1899 const struct GNUNET_CRYPTO_RsaPrivateKey *key);
1903 * Extract the public key of the given private key.
1905 * @param priv the private key
1906 * @retur NULL on error, otherwise the public key
1908 struct GNUNET_CRYPTO_RsaPublicKey *
1909 GNUNET_CRYPTO_rsa_private_key_get_public(
1910 const struct GNUNET_CRYPTO_RsaPrivateKey *priv);
1914 * Compute hash over the public key.
1916 * @param key public key to hash
1917 * @param hc where to store the hash code
1920 GNUNET_CRYPTO_rsa_public_key_hash(const struct GNUNET_CRYPTO_RsaPublicKey *key,
1921 struct GNUNET_HashCode *hc);
1925 * Obtain the length of the RSA key in bits.
1927 * @param key the public key to introspect
1928 * @return length of the key in bits
1931 GNUNET_CRYPTO_rsa_public_key_len(const struct GNUNET_CRYPTO_RsaPublicKey *key);
1935 * Free memory occupied by the public key.
1937 * @param key pointer to the memory to free
1940 GNUNET_CRYPTO_rsa_public_key_free(struct GNUNET_CRYPTO_RsaPublicKey *key);
1944 * Encode the public key in a format suitable for
1945 * storing it into a file.
1947 * @param key the private key
1948 * @param[out] buffer set to a buffer with the encoded key
1949 * @return size of memory allocated in @a buffer
1952 GNUNET_CRYPTO_rsa_public_key_encode(
1953 const struct GNUNET_CRYPTO_RsaPublicKey *key,
1958 * Decode the public key from the data-format back
1959 * to the "normal", internal format.
1961 * @param buf the buffer where the public key data is stored
1962 * @param len the length of the data in @a buf
1963 * @return NULL on error
1965 struct GNUNET_CRYPTO_RsaPublicKey *
1966 GNUNET_CRYPTO_rsa_public_key_decode(const char *buf, size_t len);
1970 * Duplicate the given public key
1972 * @param key the public key to duplicate
1973 * @return the duplicate key; NULL upon error
1975 struct GNUNET_CRYPTO_RsaPublicKey *
1976 GNUNET_CRYPTO_rsa_public_key_dup(const struct GNUNET_CRYPTO_RsaPublicKey *key);
1980 * Compare the values of two signatures.
1982 * @param s1 one signature
1983 * @param s2 the other signature
1984 * @return 0 if the two are equal
1987 GNUNET_CRYPTO_rsa_signature_cmp(struct GNUNET_CRYPTO_RsaSignature *s1,
1988 struct GNUNET_CRYPTO_RsaSignature *s2);
1991 * Compare the values of two private keys.
1993 * @param p1 one private key
1994 * @param p2 the other private key
1995 * @return 0 if the two are equal
1998 GNUNET_CRYPTO_rsa_private_key_cmp(struct GNUNET_CRYPTO_RsaPrivateKey *p1,
1999 struct GNUNET_CRYPTO_RsaPrivateKey *p2);
2003 * Compare the values of two public keys.
2005 * @param p1 one public key
2006 * @param p2 the other public key
2007 * @return 0 if the two are equal
2010 GNUNET_CRYPTO_rsa_public_key_cmp(struct GNUNET_CRYPTO_RsaPublicKey *p1,
2011 struct GNUNET_CRYPTO_RsaPublicKey *p2);
2015 * Blinds the given message with the given blinding key
2017 * @param hash hash of the message to sign
2018 * @param bkey the blinding key
2019 * @param pkey the public key of the signer
2020 * @param[out] buf set to a buffer with the blinded message to be signed
2021 * @param[out] buf_size number of bytes stored in @a buf
2022 * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious
2025 GNUNET_CRYPTO_rsa_blind(const struct GNUNET_HashCode *hash,
2026 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2027 struct GNUNET_CRYPTO_RsaPublicKey *pkey,
2033 * Sign a blinded value, which must be a full domain hash of a message.
2035 * @param key private key to use for the signing
2036 * @param msg the (blinded) message to sign
2037 * @param msg_len number of bytes in @a msg to sign
2038 * @return NULL on error, signature on success
2040 struct GNUNET_CRYPTO_RsaSignature *
2041 GNUNET_CRYPTO_rsa_sign_blinded(const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2047 * Create and sign a full domain hash of a message.
2049 * @param key private key to use for the signing
2050 * @param hash the hash of the message to sign
2051 * @return NULL on error, including a malicious RSA key, signature on success
2053 struct GNUNET_CRYPTO_RsaSignature *
2054 GNUNET_CRYPTO_rsa_sign_fdh(const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2055 const struct GNUNET_HashCode *hash);
2059 * Free memory occupied by signature.
2061 * @param sig memory to free
2064 GNUNET_CRYPTO_rsa_signature_free(struct GNUNET_CRYPTO_RsaSignature *sig);
2068 * Encode the given signature in a format suitable for storing it into a file.
2070 * @param sig the signature
2071 * @param[out] buffer set to a buffer with the encoded key
2072 * @return size of memory allocated in @a buffer
2075 GNUNET_CRYPTO_rsa_signature_encode(
2076 const struct GNUNET_CRYPTO_RsaSignature *sig,
2081 * Decode the signature from the data-format back to the "normal", internal
2084 * @param buf the buffer where the public key data is stored
2085 * @param len the length of the data in @a buf
2086 * @return NULL on error
2088 struct GNUNET_CRYPTO_RsaSignature *
2089 GNUNET_CRYPTO_rsa_signature_decode(const char *buf, size_t len);
2093 * Duplicate the given rsa signature
2095 * @param sig the signature to duplicate
2096 * @return the duplicate key; NULL upon error
2098 struct GNUNET_CRYPTO_RsaSignature *
2099 GNUNET_CRYPTO_rsa_signature_dup(const struct GNUNET_CRYPTO_RsaSignature *sig);
2103 * Unblind a blind-signed signature. The signature should have been generated
2104 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
2105 * #GNUNET_CRYPTO_rsa_blind().
2107 * @param sig the signature made on the blinded signature purpose
2108 * @param bks the blinding key secret used to blind the signature purpose
2109 * @param pkey the public key of the signer
2110 * @return unblinded signature on success, NULL if RSA key is bad or malicious.
2112 struct GNUNET_CRYPTO_RsaSignature *
2113 GNUNET_CRYPTO_rsa_unblind(const struct GNUNET_CRYPTO_RsaSignature *sig,
2114 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2115 struct GNUNET_CRYPTO_RsaPublicKey *pkey);
2119 * Verify whether the given hash corresponds to the given signature and the
2120 * signature is valid with respect to the given public key.
2122 * @param hash the message to verify to match the @a sig
2123 * @param sig signature that is being validated
2124 * @param public_key public key of the signer
2125 * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature
2128 GNUNET_CRYPTO_rsa_verify(const struct GNUNET_HashCode *hash,
2129 const struct GNUNET_CRYPTO_RsaSignature *sig,
2130 const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
2133 #if 0 /* keep Emacsens' auto-indent happy */
2141 /* ifndef GNUNET_CRYPTO_LIB_H */
2143 /* end of gnunet_crypto_lib.h */