2 This file is part of GNUnet.
3 Copyright (C) 2001-2013 Christian Grothoff (and other contributing authors)
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA.
22 * @file include/gnunet_crypto_lib.h
23 * @brief cryptographic primitives for GNUnet
25 * @author Christian Grothoff
26 * @author Krista Bennett
27 * @author Gerd Knorr <kraxel@bytesex.org>
28 * @author Ioana Patrascu
29 * @author Tzvetan Horozov
31 * @defgroup crypto Cryptographic operations
32 * @defgroup hash Hashing and operations on hashes
35 #ifndef GNUNET_CRYPTO_LIB_H
36 #define GNUNET_CRYPTO_LIB_H
41 #if 0 /* keep Emacsens' auto-indent happy */
47 * @brief A 512-bit hashcode
49 struct GNUNET_HashCode;
52 * The identity of the host (wraps the signing key of the peer).
54 struct GNUNET_PeerIdentity;
56 #include "gnunet_common.h"
57 #include "gnunet_scheduler_lib.h"
62 * @brief A 512-bit hashcode
64 struct GNUNET_HashCode
66 uint32_t bits[512 / 8 / sizeof (uint32_t)]; /* = 16 */
71 * Maximum length of an ECC signature.
72 * Note: round up to multiple of 8 minus 2 for alignment.
74 #define GNUNET_CRYPTO_ECC_SIGNATURE_DATA_ENCODING_LENGTH 126
78 * Desired quality level for random numbers.
81 enum GNUNET_CRYPTO_Quality
84 * No good quality of the operation is needed (i.e.,
85 * random numbers can be pseudo-random).
88 GNUNET_CRYPTO_QUALITY_WEAK,
91 * High-quality operations are desired.
94 GNUNET_CRYPTO_QUALITY_STRONG,
97 * Randomness for IVs etc. is required.
100 GNUNET_CRYPTO_QUALITY_NONCE
105 * @brief length of the sessionkey in bytes (256 BIT sessionkey)
107 #define GNUNET_CRYPTO_AES_KEY_LENGTH (256/8)
110 * Length of a hash value
112 #define GNUNET_CRYPTO_HASH_LENGTH (512/8)
115 * How many characters (without 0-terminator) are our ASCII-encoded
116 * public keys (ECDSA/EDDSA/ECDHE).
118 #define GNUNET_CRYPTO_PKEY_ASCII_LENGTH 52
121 * @brief 0-terminated ASCII encoding of a struct GNUNET_HashCode.
123 struct GNUNET_CRYPTO_HashAsciiEncoded
125 unsigned char encoding[104];
129 GNUNET_NETWORK_STRUCT_BEGIN
133 * @brief header of what an ECC signature signs
134 * this must be followed by "size - 8" bytes of
135 * the actual signed data
137 struct GNUNET_CRYPTO_EccSignaturePurpose
140 * How many bytes does this signature sign?
141 * (including this purpose header); in network
144 uint32_t size GNUNET_PACKED;
147 * What does this signature vouch for? This
148 * must contain a GNUNET_SIGNATURE_PURPOSE_XXX
149 * constant (from gnunet_signatures.h). In
150 * network byte order!
152 uint32_t purpose GNUNET_PACKED;
158 * @brief an ECC signature using EdDSA.
159 * See https://gnunet.org/ed25519
161 struct GNUNET_CRYPTO_EddsaSignature
167 unsigned char r[256 / 8];
172 unsigned char s[256 / 8];
179 * @brief an ECC signature using ECDSA
181 struct GNUNET_CRYPTO_EcdsaSignature
187 unsigned char r[256 / 8];
192 unsigned char s[256 / 8];
198 * Public ECC key (always for Curve25519) encoded in a format suitable
199 * for network transmission and EdDSA signatures.
201 struct GNUNET_CRYPTO_EddsaPublicKey
204 * Q consists of an x- and a y-value, each mod p (256 bits), given
205 * here in affine coordinates and Ed25519 standard compact format.
207 unsigned char q_y[256 / 8];
213 * Public ECC key (always for Curve25519) encoded in a format suitable
214 * for network transmission and ECDSA signatures.
216 struct GNUNET_CRYPTO_EcdsaPublicKey
219 * Q consists of an x- and a y-value, each mod p (256 bits), given
220 * here in affine coordinates and Ed25519 standard compact format.
222 unsigned char q_y[256 / 8];
228 * The identity of the host (wraps the signing key of the peer).
230 struct GNUNET_PeerIdentity
232 struct GNUNET_CRYPTO_EddsaPublicKey public_key;
237 * Public ECC key (always for Curve25519) encoded in a format suitable
238 * for network transmission and encryption (ECDH),
239 * See http://cr.yp.to/ecdh.html
241 struct GNUNET_CRYPTO_EcdhePublicKey
244 * Q consists of an x- and a y-value, each mod p (256 bits), given
245 * here in affine coordinates and Ed25519 standard compact format.
247 unsigned char q_y[256 / 8];
252 * Private ECC key encoded for transmission. To be used only for ECDH
253 * key exchange (ECDHE to be precise).
255 struct GNUNET_CRYPTO_EcdhePrivateKey
258 * d is a value mod n, where n has at most 256 bits.
260 unsigned char d[256 / 8];
265 * Private ECC key encoded for transmission. To be used only for ECDSA
268 struct GNUNET_CRYPTO_EcdsaPrivateKey
271 * d is a value mod n, where n has at most 256 bits.
273 unsigned char d[256 / 8];
278 * Private ECC key encoded for transmission. To be used only for EdDSA
281 struct GNUNET_CRYPTO_EddsaPrivateKey
284 * d is a value mod n, where n has at most 256 bits.
286 unsigned char d[256 / 8];
292 * @brief type for session keys
294 struct GNUNET_CRYPTO_SymmetricSessionKey
297 * Actual key for AES.
299 unsigned char aes_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
302 * Actual key for TwoFish.
304 unsigned char twofish_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
308 GNUNET_NETWORK_STRUCT_END
311 * @brief IV for sym cipher
313 * NOTE: must be smaller (!) in size than the
314 * `struct GNUNET_HashCode`.
316 struct GNUNET_CRYPTO_SymmetricInitializationVector
318 unsigned char aes_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
320 unsigned char twofish_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
325 * @brief type for (message) authentication keys
327 struct GNUNET_CRYPTO_AuthKey
329 unsigned char key[GNUNET_CRYPTO_HASH_LENGTH];
334 * Size of paillier plain texts and public keys.
335 * Private keys and ciphertexts are twice this size.
337 #define GNUNET_CRYPTO_PAILLIER_BITS 2048
341 * Paillier public key.
343 struct GNUNET_CRYPTO_PaillierPublicKey
348 unsigned char n[GNUNET_CRYPTO_PAILLIER_BITS / 8];
353 * Paillier public key.
355 struct GNUNET_CRYPTO_PaillierPrivateKey
358 * Lambda-component of the private key.
360 unsigned char lambda[GNUNET_CRYPTO_PAILLIER_BITS / 8];
362 * Mu-component of the private key.
364 unsigned char mu[GNUNET_CRYPTO_PAILLIER_BITS / 8];
369 * Paillier ciphertext.
371 struct GNUNET_CRYPTO_PaillierCiphertext
374 * Guaranteed minimum number of homomorphic operations with this ciphertext,
375 * in network byte order (NBO).
377 int32_t remaining_ops GNUNET_PACKED;
380 * The bits of the ciphertext.
382 unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
386 /* **************** Functions and Macros ************* */
390 * Seed a weak random generator. Only #GNUNET_CRYPTO_QUALITY_WEAK-mode generator
393 * @param seed the seed to use
396 GNUNET_CRYPTO_seed_weak_random (int32_t seed);
400 * Perform an incremental step in a CRC16 (for TCP/IP) calculation.
402 * @param sum current sum, initially 0
403 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
404 * @param len number of bytes in @a buf, must be multiple of 2
405 * @return updated crc sum (must be subjected to #GNUNET_CRYPTO_crc16_finish to get actual crc16)
408 GNUNET_CRYPTO_crc16_step (uint32_t sum,
414 * Convert results from GNUNET_CRYPTO_crc16_step to final crc16.
416 * @param sum cummulative sum
417 * @return crc16 value
420 GNUNET_CRYPTO_crc16_finish (uint32_t sum);
425 * Calculate the checksum of a buffer in one step.
427 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
428 * @param len number of bytes in @a buf, must be multiple of 2
429 * @return crc16 value
432 GNUNET_CRYPTO_crc16_n (const void *buf,
438 * Compute the CRC32 checksum for the first len
439 * bytes of the buffer.
441 * @param buf the data over which we're taking the CRC
442 * @param len the length of the buffer @a buf in bytes
443 * @return the resulting CRC32 checksum
446 GNUNET_CRYPTO_crc32_n (const void *buf,
452 * Fill block with a random values.
454 * @param mode desired quality of the random number
455 * @param buffer the buffer to fill
456 * @param length buffer length
459 GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode,
465 * Produce a random value.
467 * @param mode desired quality of the random number
468 * @param i the upper limit (exclusive) for the random number
469 * @return a random value in the interval [0,@a i) (exclusive).
472 GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode,
478 * Random on unsigned 64-bit values.
480 * @param mode desired quality of the random number
481 * @param max value returned will be in range [0,@a max) (exclusive)
482 * @return random 64-bit number
485 GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode,
491 * Get an array with a random permutation of the
493 * @param mode #GNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used,
494 * #GNUNET_CRYPTO_QUALITY_WEAK or #GNUNET_CRYPTO_QUALITY_NONCE otherwise
495 * @param n the size of the array
496 * @return the permutation array (allocated from heap)
499 GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode,
505 * Create a new random session key.
507 * @param key key to initialize
510 GNUNET_CRYPTO_symmetric_create_session_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key);
515 * Encrypt a block using a symmetric sessionkey.
517 * @param block the block to encrypt
518 * @param size the size of the @a block
519 * @param sessionkey the key used to encrypt
520 * @param iv the initialization vector to use, use INITVALUE
522 * @return the size of the encrypted block, -1 for errors
525 GNUNET_CRYPTO_symmetric_encrypt (const void *block,
527 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
528 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
534 * Decrypt a given block using a symmetric sessionkey.
536 * @param block the data to decrypt, encoded as returned by encrypt
537 * @param size how big is the block?
538 * @param sessionkey the key used to decrypt
539 * @param iv the initialization vector to use
540 * @param result address to store the result at
541 * @return -1 on failure, size of decrypted block on success
544 GNUNET_CRYPTO_symmetric_decrypt (const void *block,
546 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
547 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
553 * @brief Derive an IV
554 * @param iv initialization vector
555 * @param skey session key
556 * @param salt salt for the derivation
557 * @param salt_len size of the @a salt
558 * @param ... pairs of void * & size_t for context chunks, terminated by NULL
561 GNUNET_CRYPTO_symmetric_derive_iv (struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
562 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
564 size_t salt_len, ...);
568 * @brief Derive an IV
569 * @param iv initialization vector
570 * @param skey session key
571 * @param salt salt for the derivation
572 * @param salt_len size of the @a salt
573 * @param argp pairs of void * & size_t for context chunks, terminated by NULL
576 GNUNET_CRYPTO_symmetric_derive_iv_v (struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
577 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
585 * Convert hash to ASCII encoding.
586 * @param block the hash code
587 * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be
588 * safely cast to char*, a '\\0' termination is set).
591 GNUNET_CRYPTO_hash_to_enc (const struct GNUNET_HashCode *block,
592 struct GNUNET_CRYPTO_HashAsciiEncoded *result);
597 * Convert ASCII encoding back to a 'struct GNUNET_HashCode'
599 * @param enc the encoding
600 * @param enclen number of characters in @a enc (without 0-terminator, which can be missing)
601 * @param result where to store the hash code
602 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
605 GNUNET_CRYPTO_hash_from_string2 (const char *enc,
607 struct GNUNET_HashCode *result);
612 * Convert ASCII encoding back to `struct GNUNET_HashCode`
614 * @param enc the encoding
615 * @param result where to store the hash code
616 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
618 #define GNUNET_CRYPTO_hash_from_string(enc, result) \
619 GNUNET_CRYPTO_hash_from_string2 (enc, strlen(enc), result)
625 * Compute the distance between 2 hashcodes. The
626 * computation must be fast, not involve @a a[0] or @a a[4] (they're used
627 * elsewhere), and be somewhat consistent. And of course, the result
628 * should be a positive number.
630 * @param a some hash code
631 * @param b some hash code
632 * @return number between 0 and UINT32_MAX
635 GNUNET_CRYPTO_hash_distance_u32 (const struct GNUNET_HashCode *a,
636 const struct GNUNET_HashCode *b);
641 * Compute hash of a given block.
643 * @param block the data to hash
644 * @param size size of the @a block
645 * @param ret pointer to where to write the hashcode
648 GNUNET_CRYPTO_hash (const void *block,
650 struct GNUNET_HashCode *ret);
654 * Context for cummulative hashing.
656 struct GNUNET_HashContext;
660 * Start incremental hashing operation.
662 * @return context for incremental hash computation
664 struct GNUNET_HashContext *
665 GNUNET_CRYPTO_hash_context_start (void);
669 * Add data to be hashed.
671 * @param hc cummulative hash context
672 * @param buf data to add
673 * @param size number of bytes in @a buf
676 GNUNET_CRYPTO_hash_context_read (struct GNUNET_HashContext *hc,
682 * Finish the hash computation.
684 * @param hc hash context to use, is freed in the process
685 * @param r_hash where to write the latest / final hash code
688 GNUNET_CRYPTO_hash_context_finish (struct GNUNET_HashContext *hc,
689 struct GNUNET_HashCode *r_hash);
693 * Abort hashing, do not bother calculating final result.
695 * @param hc hash context to destroy
698 GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc);
703 * Calculate HMAC of a message (RFC 2104)
705 * @param key secret key
706 * @param plaintext input plaintext
707 * @param plaintext_len length of @a plaintext
708 * @param hmac where to store the hmac
711 GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
712 const void *plaintext,
713 size_t plaintext_len,
714 struct GNUNET_HashCode *hmac);
718 * Function called once the hash computation over the
719 * specified file has completed.
722 * @param res resulting hash, NULL on error
725 (*GNUNET_CRYPTO_HashCompletedCallback) (void *cls,
726 const struct GNUNET_HashCode *res);
730 * Handle to file hashing operation.
732 struct GNUNET_CRYPTO_FileHashContext;
737 * Compute the hash of an entire file.
739 * @param priority scheduling priority to use
740 * @param filename name of file to hash
741 * @param blocksize number of bytes to process in one task
742 * @param callback function to call upon completion
743 * @param callback_cls closure for @a callback
744 * @return NULL on (immediate) errror
746 struct GNUNET_CRYPTO_FileHashContext *
747 GNUNET_CRYPTO_hash_file (enum GNUNET_SCHEDULER_Priority priority,
748 const char *filename,
750 GNUNET_CRYPTO_HashCompletedCallback callback,
755 * Cancel a file hashing operation.
757 * @param fhc operation to cancel (callback must not yet have been invoked)
760 GNUNET_CRYPTO_hash_file_cancel (struct GNUNET_CRYPTO_FileHashContext *fhc);
765 * Create a random hash code.
767 * @param mode desired quality level
768 * @param result hash code that is randomized
771 GNUNET_CRYPTO_hash_create_random (enum GNUNET_CRYPTO_Quality mode,
772 struct GNUNET_HashCode *result);
777 * compute @a result = @a b - @a a
779 * @param a some hash code
780 * @param b some hash code
781 * @param result set to @a b - @a a
784 GNUNET_CRYPTO_hash_difference (const struct GNUNET_HashCode *a,
785 const struct GNUNET_HashCode *b,
786 struct GNUNET_HashCode *result);
791 * compute @a result = @a a + @a delta
793 * @param a some hash code
794 * @param delta some hash code
795 * @param result set to @a a + @a delta
798 GNUNET_CRYPTO_hash_sum (const struct GNUNET_HashCode *a,
799 const struct GNUNET_HashCode *delta,
800 struct GNUNET_HashCode *result);
805 * compute result = a ^ b
807 * @param a some hash code
808 * @param b some hash code
809 * @param result set to @a a ^ @a b
812 GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a,
813 const struct GNUNET_HashCode *b,
814 struct GNUNET_HashCode *result);
819 * Convert a hashcode into a key.
821 * @param hc hash code that serves to generate the key
822 * @param skey set to a valid session key
823 * @param iv set to a valid initialization vector
826 GNUNET_CRYPTO_hash_to_aes_key (const struct GNUNET_HashCode * hc,
827 struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
828 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
833 * Obtain a bit from a hashcode.
835 * @param code the `struct GNUNET_HashCode` to index bit-wise
836 * @param bit index into the hashcode, [0...159]
837 * @return Bit \a bit from hashcode \a code, -1 for invalid index
840 GNUNET_CRYPTO_hash_get_bit (const struct GNUNET_HashCode *code,
846 * Determine how many low order bits match in two
847 * `struct GNUNET_HashCodes`. i.e. - 010011 and 011111 share
848 * the first two lowest order bits, and therefore the
849 * return value is two (NOT XOR distance, nor how many
850 * bits match absolutely!).
852 * @param first the first hashcode
853 * @param second the hashcode to compare first to
854 * @return the number of bits that match
857 GNUNET_CRYPTO_hash_matching_bits (const struct GNUNET_HashCode *first,
858 const struct GNUNET_HashCode *second);
863 * Compare function for HashCodes, producing a total ordering
866 * @param h1 some hash code
867 * @param h2 some hash code
868 * @return 1 if @a h1 > @a h2, -1 if @a h1 < @a h2 and 0 if @a h1 == @a h2.
871 GNUNET_CRYPTO_hash_cmp (const struct GNUNET_HashCode *h1,
872 const struct GNUNET_HashCode *h2);
877 * Find out which of the two GNUNET_CRYPTO_hash codes is closer to target
878 * in the XOR metric (Kademlia).
880 * @param h1 some hash code
881 * @param h2 some hash code
882 * @param target some hash code
883 * @return -1 if @a h1 is closer, 1 if @a h2 is closer and 0 if @a h1== @a h2.
886 GNUNET_CRYPTO_hash_xorcmp (const struct GNUNET_HashCode *h1,
887 const struct GNUNET_HashCode *h2,
888 const struct GNUNET_HashCode *target);
893 * @brief Derive an authentication key
894 * @param key authentication key
895 * @param rkey root key
897 * @param salt_len size of the salt
898 * @param argp pair of void * & size_t for context chunks, terminated by NULL
901 GNUNET_CRYPTO_hmac_derive_key_v (struct GNUNET_CRYPTO_AuthKey *key,
902 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
903 const void *salt, size_t salt_len,
909 * @brief Derive an authentication key
910 * @param key authentication key
911 * @param rkey root key
913 * @param salt_len size of the salt
914 * @param ... pair of void * & size_t for context chunks, terminated by NULL
917 GNUNET_CRYPTO_hmac_derive_key (struct GNUNET_CRYPTO_AuthKey *key,
918 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
919 const void *salt, size_t salt_len,
926 * @param result buffer for the derived key, allocated by caller
927 * @param out_len desired length of the derived key
928 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
929 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
931 * @param xts_len length of @a xts
932 * @param skm source key material
933 * @param skm_len length of @a skm
934 * @param ... pair of void * & size_t for context chunks, terminated by NULL
935 * @return #GNUNET_YES on success
938 GNUNET_CRYPTO_hkdf (void *result,
952 * @param result buffer for the derived key, allocated by caller
953 * @param out_len desired length of the derived key
954 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
955 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
957 * @param xts_len length of @a xts
958 * @param skm source key material
959 * @param skm_len length of @a skm
960 * @param argp va_list of void * & size_t pairs for context chunks
961 * @return #GNUNET_YES on success
964 GNUNET_CRYPTO_hkdf_v (void *result,
977 * @param result buffer for the derived key, allocated by caller
978 * @param out_len desired length of the derived key
980 * @param xts_len length of @a xts
981 * @param skm source key material
982 * @param skm_len length of @a skm
983 * @param argp va_list of void * & size_t pairs for context chunks
984 * @return #GNUNET_YES on success
987 GNUNET_CRYPTO_kdf_v (void *result,
999 * @param result buffer for the derived key, allocated by caller
1000 * @param out_len desired length of the derived key
1002 * @param xts_len length of @a xts
1003 * @param skm source key material
1004 * @param skm_len length of @a skm
1005 * @param ... void * & size_t pairs for context chunks
1006 * @return #GNUNET_YES on success
1009 GNUNET_CRYPTO_kdf (void *result,
1020 * Extract the public key for the given private key.
1022 * @param priv the private key
1023 * @param pub where to write the public key
1026 GNUNET_CRYPTO_ecdsa_key_get_public (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1027 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1031 * Extract the public key for the given private key.
1033 * @param priv the private key
1034 * @param pub where to write the public key
1037 GNUNET_CRYPTO_eddsa_key_get_public (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1038 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1044 * Extract the public key for the given private key.
1046 * @param priv the private key
1047 * @param pub where to write the public key
1050 GNUNET_CRYPTO_ecdhe_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1051 struct GNUNET_CRYPTO_EcdhePublicKey *pub);
1055 * Convert a public key to a string.
1057 * @param pub key to convert
1058 * @return string representing @a pub
1061 GNUNET_CRYPTO_ecdsa_public_key_to_string (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1065 * Convert a public key to a string.
1067 * @param pub key to convert
1068 * @return string representing @a pub
1071 GNUNET_CRYPTO_eddsa_public_key_to_string (const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1075 * Convert a string representing a public key to a public key.
1077 * @param enc encoded public key
1078 * @param enclen number of bytes in @a enc (without 0-terminator)
1079 * @param pub where to store the public key
1080 * @return #GNUNET_OK on success
1083 GNUNET_CRYPTO_ecdsa_public_key_from_string (const char *enc,
1085 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1089 * Convert a string representing a private key to a private key.
1091 * @param enc encoded public key
1092 * @param enclen number of bytes in @a enc (without 0-terminator)
1093 * @param priv where to store the private key
1094 * @return #GNUNET_OK on success
1097 GNUNET_CRYPTO_eddsa_private_key_from_string (const char *enc,
1099 struct GNUNET_CRYPTO_EddsaPrivateKey *pub);
1103 * Convert a string representing a public key to a public key.
1105 * @param enc encoded public key
1106 * @param enclen number of bytes in @a enc (without 0-terminator)
1107 * @param pub where to store the public key
1108 * @return #GNUNET_OK on success
1111 GNUNET_CRYPTO_eddsa_public_key_from_string (const char *enc,
1113 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1118 * Create a new private key by reading it from a file. If the
1119 * files does not exist, create a new key and write it to the
1120 * file. Caller must free return value. Note that this function
1121 * can not guarantee that another process might not be trying
1122 * the same operation on the same file at the same time.
1123 * If the contents of the file
1124 * are invalid the old file is deleted and a fresh key is
1127 * @param filename name of file to use to store the key
1128 * @return new private key, NULL on error (for example,
1129 * permission denied); free using #GNUNET_free
1131 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1132 GNUNET_CRYPTO_ecdsa_key_create_from_file (const char *filename);
1137 * Create a new private key by reading it from a file. If the
1138 * files does not exist, create a new key and write it to the
1139 * file. Caller must free return value. Note that this function
1140 * can not guarantee that another process might not be trying
1141 * the same operation on the same file at the same time.
1142 * If the contents of the file
1143 * are invalid the old file is deleted and a fresh key is
1146 * @param filename name of file to use to store the key
1147 * @return new private key, NULL on error (for example,
1148 * permission denied); free using #GNUNET_free
1150 struct GNUNET_CRYPTO_EddsaPrivateKey *
1151 GNUNET_CRYPTO_eddsa_key_create_from_file (const char *filename);
1155 * Forward declaration to simplify #include-structure.
1157 struct GNUNET_CONFIGURATION_Handle;
1162 * Create a new private key by reading our peer's key from
1163 * the file specified in the configuration.
1165 * @param cfg the configuration to use
1166 * @return new private key, NULL on error (for example,
1167 * permission denied); free using #GNUNET_free
1169 struct GNUNET_CRYPTO_EddsaPrivateKey *
1170 GNUNET_CRYPTO_eddsa_key_create_from_configuration (const struct GNUNET_CONFIGURATION_Handle *cfg);
1175 * Create a new private key. Caller must free return value.
1177 * @return fresh private key; free using #GNUNET_free
1179 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1180 GNUNET_CRYPTO_ecdsa_key_create (void);
1185 * Create a new private key. Caller must free return value.
1187 * @return fresh private key; free using #GNUNET_free
1189 struct GNUNET_CRYPTO_EddsaPrivateKey *
1190 GNUNET_CRYPTO_eddsa_key_create (void);
1195 * Create a new private key. Caller must free return value.
1197 * @return fresh private key; free using #GNUNET_free
1199 struct GNUNET_CRYPTO_EcdhePrivateKey *
1200 GNUNET_CRYPTO_ecdhe_key_create (void);
1205 * Clear memory that was used to store a private key.
1207 * @param pk location of the key
1210 GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
1215 * Clear memory that was used to store a private key.
1217 * @param pk location of the key
1220 GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
1225 * Clear memory that was used to store a private key.
1227 * @param pk location of the key
1230 GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1235 * Get the shared private key we use for anonymous users.
1237 * @return "anonymous" private key; do not free
1239 const struct GNUNET_CRYPTO_EcdsaPrivateKey *
1240 GNUNET_CRYPTO_ecdsa_key_get_anonymous (void);
1245 * Setup a hostkey file for a peer given the name of the
1246 * configuration file (!). This function is used so that
1247 * at a later point code can be certain that reading a
1248 * hostkey is fast (for example in time-dependent testcases).
1250 * @param cfg_name name of the configuration file to use
1253 GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name);
1258 * Retrieve the identity of the host's peer.
1260 * @param cfg configuration to use
1261 * @param dst pointer to where to write the peer identity
1262 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
1263 * could not be retrieved
1266 GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg,
1267 struct GNUNET_PeerIdentity *dst);
1271 * Compare two Peer Identities.
1273 * @param first first peer identity
1274 * @param second second peer identity
1275 * @return bigger than 0 if first > second,
1276 * 0 if they are the same
1277 * smaller than 0 if second > first
1280 GNUNET_CRYPTO_cmp_peer_identity (const struct GNUNET_PeerIdentity *first,
1281 const struct GNUNET_PeerIdentity *second);
1286 * Derive key material from a public and a private ECC key.
1288 * @param priv private key to use for the ECDH (x)
1289 * @param pub public key to use for the ECDH (yG)
1290 * @param key_material where to write the key material (xyG)
1291 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1294 GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1295 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1296 struct GNUNET_HashCode *key_material);
1301 * Derive key material from a ECDH public key and a private EdDSA key.
1302 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
1304 * @param priv private key from EdDSA to use for the ECDH (x)
1305 * @param pub public key to use for the ECDH (yG)
1306 * @param key_material where to write the key material H(h(x)yG)
1307 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1310 GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1311 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1312 struct GNUNET_HashCode *key_material);
1317 * Derive key material from a EdDSA public key and a private ECDH key.
1318 * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
1320 * @param priv private key to use for the ECDH (y)
1321 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G)
1322 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1323 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1326 GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1327 const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1328 struct GNUNET_HashCode *key_material);
1333 * EdDSA sign a given block.
1335 * @param priv private key to use for the signing
1336 * @param purpose what to sign (size, purpose)
1337 * @param sig where to write the signature
1338 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1341 GNUNET_CRYPTO_eddsa_sign (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1342 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1343 struct GNUNET_CRYPTO_EddsaSignature *sig);
1348 * ECDSA Sign a given block.
1350 * @param priv private key to use for the signing
1351 * @param purpose what to sign (size, purpose)
1352 * @param sig where to write the signature
1353 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1356 GNUNET_CRYPTO_ecdsa_sign (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1357 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1358 struct GNUNET_CRYPTO_EcdsaSignature *sig);
1362 * Verify EdDSA signature.
1364 * @param purpose what is the purpose that the signature should have?
1365 * @param validate block to validate (size, purpose, data)
1366 * @param sig signature that is being validated
1367 * @param pub public key of the signer
1368 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1371 GNUNET_CRYPTO_eddsa_verify (uint32_t purpose,
1372 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1373 const struct GNUNET_CRYPTO_EddsaSignature *sig,
1374 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1380 * Verify ECDSA signature.
1382 * @param purpose what is the purpose that the signature should have?
1383 * @param validate block to validate (size, purpose, data)
1384 * @param sig signature that is being validated
1385 * @param pub public key of the signer
1386 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1389 GNUNET_CRYPTO_ecdsa_verify (uint32_t purpose,
1390 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1391 const struct GNUNET_CRYPTO_EcdsaSignature *sig,
1392 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1397 * Derive a private key from a given private key and a label.
1398 * Essentially calculates a private key 'h = H(l,P) * d mod n'
1399 * where n is the size of the ECC group and P is the public
1400 * key associated with the private key 'd'.
1402 * @param priv original private key
1403 * @param label label to use for key deriviation
1404 * @param context additional context to use for HKDF of 'h';
1405 * typically the name of the subsystem/application
1406 * @return derived private key
1408 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1409 GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1411 const char *context);
1416 * Derive a public key from a given public key and a label.
1417 * Essentially calculates a public key 'V = H(l,P) * P'.
1419 * @param pub original public key
1420 * @param label label to use for key deriviation
1421 * @param context additional context to use for HKDF of 'h'.
1422 * typically the name of the subsystem/application
1423 * @param result where to write the derived public key
1426 GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1428 const char *context,
1429 struct GNUNET_CRYPTO_EcdsaPublicKey *result);
1433 * Output the given MPI value to the given buffer in network
1434 * byte order. The MPI @a val may not be negative.
1436 * @param buf where to output to
1437 * @param size number of bytes in @a buf
1438 * @param val value to write to @a buf
1441 GNUNET_CRYPTO_mpi_print_unsigned (void *buf,
1447 * Convert data buffer into MPI value.
1448 * The buffer is interpreted as network
1449 * byte order, unsigned integer.
1451 * @param result where to store MPI value (allocated)
1452 * @param data raw data (GCRYMPI_FMT_USG)
1453 * @param size number of bytes in @a data
1456 GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result,
1462 * Create a freshly generated paillier public key.
1464 * @param[out] public_key Where to store the public key?
1465 * @param[out] private_key Where to store the private key?
1468 GNUNET_CRYPTO_paillier_create (struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1469 struct GNUNET_CRYPTO_PaillierPrivateKey *private_key);
1473 * Encrypt a plaintext with a paillier public key.
1475 * @param public_key Public key to use.
1476 * @param m Plaintext to encrypt.
1477 * @param desired_ops How many homomorphic ops the caller intends to use
1478 * @param[out] ciphertext Encrytion of @a plaintext with @a public_key.
1479 * @return guaranteed number of supported homomorphic operations >= 1,
1480 * or desired_ops, in case that is lower,
1481 * or -1 if less than one homomorphic operation is possible
1484 GNUNET_CRYPTO_paillier_encrypt (const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1487 struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext);
1491 * Decrypt a paillier ciphertext with a private key.
1493 * @param private_key Private key to use for decryption.
1494 * @param public_key Public key to use for decryption.
1495 * @param ciphertext Ciphertext to decrypt.
1496 * @param[out] m Decryption of @a ciphertext with @private_key.
1499 GNUNET_CRYPTO_paillier_decrypt (const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key,
1500 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1501 const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
1506 * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2
1508 * Note that this operation can only be done a finite number of times
1509 * before an overflow occurs.
1511 * @param public_key Public key to use for encryption.
1512 * @param c1 Paillier cipher text.
1513 * @param c2 Paillier cipher text.
1514 * @param[out] result Result of the homomorphic operation.
1515 * @return #GNUNET_OK if the result could be computed,
1516 * #GNUNET_SYSERR if no more homomorphic operations are remaining.
1519 GNUNET_CRYPTO_paillier_hom_add (const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1520 const struct GNUNET_CRYPTO_PaillierCiphertext *c1,
1521 const struct GNUNET_CRYPTO_PaillierCiphertext *c2,
1522 struct GNUNET_CRYPTO_PaillierCiphertext *result);
1526 * Get the number of remaining supported homomorphic operations.
1528 * @param c Paillier cipher text.
1529 * @return the number of remaining homomorphic operations
1532 GNUNET_CRYPTO_paillier_hom_get_remaining (const struct GNUNET_CRYPTO_PaillierCiphertext *c);
1535 /* ********* Chaum-style RSA-based blind signatures ******************* */
1541 * The private information of an RSA key pair.
1543 struct GNUNET_CRYPTO_rsa_PrivateKey;
1546 * The public information of an RSA key pair.
1548 struct GNUNET_CRYPTO_rsa_PublicKey;
1551 * Key used to blind a message
1553 struct GNUNET_CRYPTO_rsa_BlindingKey;
1556 * @brief an RSA signature
1558 struct GNUNET_CRYPTO_rsa_Signature;
1562 * Create a new private key. Caller must free return value.
1564 * @param len length of the key in bits (i.e. 2048)
1565 * @return fresh private key
1567 struct GNUNET_CRYPTO_rsa_PrivateKey *
1568 GNUNET_CRYPTO_rsa_private_key_create (unsigned int len);
1572 * Free memory occupied by the private key.
1574 * @param key pointer to the memory to free
1577 GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_rsa_PrivateKey *key);
1581 * Encode the private key in a format suitable for
1582 * storing it into a file.
1584 * @param key the private key
1585 * @param[out] buffer set to a buffer with the encoded key
1586 * @return size of memory allocatedin @a buffer
1589 GNUNET_CRYPTO_rsa_private_key_encode (const struct GNUNET_CRYPTO_rsa_PrivateKey *key,
1594 * Decode the private key from the data-format back
1595 * to the "normal", internal format.
1597 * @param buf the buffer where the private key data is stored
1598 * @param len the length of the data in @a buf
1599 * @return NULL on error
1601 struct GNUNET_CRYPTO_rsa_PrivateKey *
1602 GNUNET_CRYPTO_rsa_private_key_decode (const char *buf,
1607 * Extract the public key of the given private key.
1609 * @param priv the private key
1610 * @retur NULL on error, otherwise the public key
1612 struct GNUNET_CRYPTO_rsa_PublicKey *
1613 GNUNET_CRYPTO_rsa_private_key_get_public (const struct GNUNET_CRYPTO_rsa_PrivateKey *priv);
1617 * Compute hash over the public key.
1619 * @param key public key to hash
1620 * @param hc where to store the hash code
1623 GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_rsa_PublicKey *key,
1624 struct GNUNET_HashCode *hc);
1628 * Free memory occupied by the public key.
1630 * @param key pointer to the memory to free
1633 GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_rsa_PublicKey *key);
1637 * Encode the public key in a format suitable for
1638 * storing it into a file.
1640 * @param key the private key
1641 * @param[out] buffer set to a buffer with the encoded key
1642 * @return size of memory allocated in @a buffer
1645 GNUNET_CRYPTO_rsa_public_key_encode (const struct GNUNET_CRYPTO_rsa_PublicKey *key,
1650 * Decode the public key from the data-format back
1651 * to the "normal", internal format.
1653 * @param buf the buffer where the public key data is stored
1654 * @param len the length of the data in @a buf
1655 * @return NULL on error
1657 struct GNUNET_CRYPTO_rsa_PublicKey *
1658 GNUNET_CRYPTO_rsa_public_key_decode (const char *buf,
1663 * Duplicate the given public key
1665 * @param key the public key to duplicate
1666 * @return the duplicate key; NULL upon error
1668 struct GNUNET_CRYPTO_rsa_PublicKey *
1669 GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_rsa_PublicKey *key);
1673 * Create a blinding key
1675 * @param len length of the key in bits (i.e. 2048)
1676 * @return the newly created blinding key
1678 struct GNUNET_CRYPTO_rsa_BlindingKey *
1679 GNUNET_CRYPTO_rsa_blinding_key_create (unsigned int len);
1683 * Compare the values of two blinding keys.
1686 * @param b2 the other key
1687 * @return 0 if the two are equal
1690 GNUNET_CRYPTO_rsa_blinding_key_cmp (struct GNUNET_CRYPTO_rsa_BlindingKey *b1,
1691 struct GNUNET_CRYPTO_rsa_BlindingKey *b2);
1695 * Compare the values of two signatures.
1697 * @param s1 one signature
1698 * @param s2 the other signature
1699 * @return 0 if the two are equal
1702 GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_rsa_Signature *s1,
1703 struct GNUNET_CRYPTO_rsa_Signature *s2);
1707 * Compare the values of two public keys.
1709 * @param p1 one public key
1710 * @param p2 the other public key
1711 * @return 0 if the two are equal
1714 GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_rsa_PublicKey *p1,
1715 struct GNUNET_CRYPTO_rsa_PublicKey *p2);
1719 * Destroy a blinding key
1721 * @param bkey the blinding key to destroy
1724 GNUNET_CRYPTO_rsa_blinding_key_free (struct GNUNET_CRYPTO_rsa_BlindingKey *bkey);
1728 * Encode the blinding key in a format suitable for
1729 * storing it into a file.
1731 * @param bkey the blinding key
1732 * @param[out] buffer set to a buffer with the encoded key
1733 * @return size of memory allocated in @a buffer
1736 GNUNET_CRYPTO_rsa_blinding_key_encode (const struct GNUNET_CRYPTO_rsa_BlindingKey *bkey,
1741 * Decode the blinding key from the data-format back
1742 * to the "normal", internal format.
1744 * @param buf the buffer where the public key data is stored
1745 * @param len the length of the data in @a buf
1746 * @return NULL on error
1748 struct GNUNET_CRYPTO_rsa_BlindingKey *
1749 GNUNET_CRYPTO_rsa_blinding_key_decode (const char *buf,
1754 * Blinds the given message with the given blinding key
1756 * @param hash hash of the message to sign
1757 * @param bkey the blinding key
1758 * @param pkey the public key of the signer
1759 * @param[out] buffer set to a buffer with the blinded message to be signed
1760 * @return number of bytes stored in @a buffer
1763 GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
1764 struct GNUNET_CRYPTO_rsa_BlindingKey *bkey,
1765 struct GNUNET_CRYPTO_rsa_PublicKey *pkey,
1770 * Sign the given message.
1772 * @param key private key to use for the signing
1773 * @param msg the (blinded) message to sign
1774 * @param msg_len number of bytes in @a msg to sign
1775 * @return NULL on error, signature on success
1777 struct GNUNET_CRYPTO_rsa_Signature *
1778 GNUNET_CRYPTO_rsa_sign (const struct GNUNET_CRYPTO_rsa_PrivateKey *key,
1784 * Free memory occupied by signature.
1786 * @param sig memory to freee
1789 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_rsa_Signature *sig);
1793 * Encode the given signature in a format suitable for storing it into a file.
1795 * @param sig the signature
1796 * @param[out] buffer set to a buffer with the encoded key
1797 * @return size of memory allocated in @a buffer
1800 GNUNET_CRYPTO_rsa_signature_encode (const struct GNUNET_CRYPTO_rsa_Signature *sig,
1805 * Decode the signature from the data-format back to the "normal", internal
1808 * @param buf the buffer where the public key data is stored
1809 * @param len the length of the data in @a buf
1810 * @return NULL on error
1812 struct GNUNET_CRYPTO_rsa_Signature *
1813 GNUNET_CRYPTO_rsa_signature_decode (const char *buf,
1818 * Unblind a blind-signed signature. The signature should have been generated
1819 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
1820 * #GNUNET_CRYPTO_rsa_blind().
1822 * @param sig the signature made on the blinded signature purpose
1823 * @param bkey the blinding key used to blind the signature purpose
1824 * @param pkey the public key of the signer
1825 * @return unblinded signature on success, NULL on error
1827 struct GNUNET_CRYPTO_rsa_Signature *
1828 GNUNET_CRYPTO_rsa_unblind (struct GNUNET_CRYPTO_rsa_Signature *sig,
1829 struct GNUNET_CRYPTO_rsa_BlindingKey *bkey,
1830 struct GNUNET_CRYPTO_rsa_PublicKey *pkey);
1834 * Verify whether the given hash corresponds to the given signature and the
1835 * signature is valid with respect to the given public key.
1837 * @param hash the message to verify to match the @a sig
1838 * @param sig signature that is being validated
1839 * @param public_key public key of the signer
1840 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1843 GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
1844 const struct GNUNET_CRYPTO_rsa_Signature *sig,
1845 const struct GNUNET_CRYPTO_rsa_PublicKey *public_key);
1848 #if 0 /* keep Emacsens' auto-indent happy */
1856 /* ifndef GNUNET_CRYPTO_LIB_H */
1858 /* end of gnunet_crypto_lib.h */