2 This file is part of GNUnet.
3 (C) 2012, 2013 Christian Grothoff (and other contributing authors)
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA.
22 * @file util/crypto_ecc.c
23 * @brief public key cryptography (ECC) with libgcrypt
24 * @author Christian Grothoff
28 #include "gnunet_common.h"
29 #include "gnunet_util_lib.h"
31 #define EXTRA_CHECKS ALLOW_EXTRA_CHECKS
34 * Name of the curve we are using. Note that we have hard-coded
35 * structs that use 256 bits, so using a bigger curve will require
36 * changes that break stuff badly. The name of the curve given here
37 * must be agreed by all peers and be supported by libgcrypt.
39 #define CURVE "NIST P-256"
41 #define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__)
43 #define LOG_STRERROR(kind,syscall) GNUNET_log_from_strerror (kind, "util", syscall)
45 #define LOG_STRERROR_FILE(kind,syscall,filename) GNUNET_log_from_strerror_file (kind, "util", syscall, filename)
48 * Log an error message at log-level 'level' that indicates
49 * a failure of the command 'cmd' with the message given
50 * by gcry_strerror(rc).
52 #define LOG_GCRY(level, cmd, rc) do { LOG(level, _("`%s' failed at %s:%d with error: %s\n"), cmd, __FILE__, __LINE__, gcry_strerror(rc)); } while(0)
56 * Extract values from an S-expression.
58 * @param array where to store the result(s)
59 * @param sexp S-expression to parse
60 * @param topname top-level name in the S-expression that is of interest
61 * @param elems names of the elements to extract
62 * @return 0 on success
65 key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname,
74 list = gcry_sexp_find_token (sexp, topname, 0);
77 l2 = gcry_sexp_cadr (list);
78 gcry_sexp_release (list);
84 for (s = elems; *s; s++, idx++)
86 l2 = gcry_sexp_find_token (list, s, 1);
89 for (i = 0; i < idx; i++)
94 gcry_sexp_release (list);
95 return 3; /* required parameter not found */
97 array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
98 gcry_sexp_release (l2);
101 for (i = 0; i < idx; i++)
103 gcry_free (array[i]);
106 gcry_sexp_release (list);
107 return 4; /* required parameter is invalid */
110 gcry_sexp_release (list);
116 * If target != size, move target bytes to the end of the size-sized
117 * buffer and zero out the first target-size bytes.
119 * @param buf original buffer
120 * @param size number of bytes in the buffer
121 * @param target target size of the buffer
124 adjust (unsigned char *buf,
130 memmove (&buf[target - size], buf, size);
131 memset (buf, 0, target - size);
137 * Output the given MPI value to the given buffer.
139 * @param buf where to output to
140 * @param size number of bytes in buf
141 * @param val value to write to buf
144 mpi_print (unsigned char *buf,
152 gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize,
154 adjust (buf, rsize, size);
159 * Convert data buffer into MPI value.
161 * @param result where to store MPI value (allocated)
162 * @param data raw data (GCRYMPI_FMT_USG)
163 * @param size number of bytes in data
166 mpi_scan (gcry_mpi_t *result,
167 const unsigned char *data,
172 if (0 != (rc = gcry_mpi_scan (result,
176 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc);
183 * Convert the given private key from the network format to the
184 * S-expression that can be used by libgcrypt.
186 * @param priv private key to decode
187 * @return NULL on error
190 decode_private_key (const struct GNUNET_CRYPTO_EccPrivateKey *priv)
199 rc = gcry_sexp_build (&result, NULL,
200 "(private-key(ecdsa(curve \"" CURVE "\")(d %m)))",
202 gcry_mpi_release (d);
205 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
209 if (0 != (rc = gcry_pk_testkey (result)))
211 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
220 * Initialize public key struct from the respective point
223 * @param q point on curve
224 * @param pub public key struct to initialize
225 * @param ctx context to use for ECC operations
228 point_to_public_key (gcry_mpi_point_t q,
230 struct GNUNET_CRYPTO_EccPublicKey *pub)
235 q_x = gcry_mpi_new (256);
236 q_y = gcry_mpi_new (256);
237 if (gcry_mpi_ec_get_affine (q_x, q_y, q, ctx))
239 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
243 mpi_print (pub->q_x, sizeof (pub->q_x), q_x);
244 mpi_print (pub->q_y, sizeof (pub->q_y), q_y);
245 gcry_mpi_release (q_x);
246 gcry_mpi_release (q_y);
251 * Extract the public key for the given private key.
253 * @param priv the private key
254 * @param pub where to write the public key
257 GNUNET_CRYPTO_ecc_key_get_public (const struct GNUNET_CRYPTO_EccPrivateKey *priv,
258 struct GNUNET_CRYPTO_EccPublicKey *pub)
264 sexp = decode_private_key (priv);
265 GNUNET_assert (NULL != sexp);
266 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL));
267 gcry_sexp_release (sexp);
268 q = gcry_mpi_ec_get_point ("q", ctx, 0);
269 point_to_public_key (q, ctx, pub);
270 gcry_ctx_release (ctx);
271 gcry_mpi_point_release (q);
276 * Convert a public key to a string.
278 * @param pub key to convert
279 * @return string representing 'pub'
282 GNUNET_CRYPTO_ecc_public_key_to_string (const struct GNUNET_CRYPTO_EccPublicKey *pub)
285 size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicKey)) * 8;
289 keylen += 5 - keylen % 5;
291 pubkeybuf = GNUNET_malloc (keylen + 1);
292 end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub,
293 sizeof (struct GNUNET_CRYPTO_EccPublicKey),
298 GNUNET_free (pubkeybuf);
307 * Convert a string representing a public key to a public key.
309 * @param enc encoded public key
310 * @param enclen number of bytes in enc (without 0-terminator)
311 * @param pub where to store the public key
312 * @return GNUNET_OK on success
315 GNUNET_CRYPTO_ecc_public_key_from_string (const char *enc,
317 struct GNUNET_CRYPTO_EccPublicKey *pub)
319 size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicKey)) * 8;
322 keylen += 5 - keylen % 5;
324 if (enclen != keylen)
325 return GNUNET_SYSERR;
327 if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen,
329 sizeof (struct GNUNET_CRYPTO_EccPublicKey)))
330 return GNUNET_SYSERR;
336 * Convert the given public key from the network format to the
337 * S-expression that can be used by libgcrypt.
339 * @param pub public key to decode
340 * @return NULL on error
343 decode_public_key (const struct GNUNET_CRYPTO_EccPublicKey *pub)
345 gcry_sexp_t pub_sexp;
351 mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
352 mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
353 q = gcry_mpi_point_new (256);
354 gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
355 gcry_mpi_release (q_x);
356 gcry_mpi_release (q_y);
358 /* initialize 'ctx' with 'q' */
359 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
360 gcry_mpi_ec_set_point ("q", q, ctx);
361 gcry_mpi_point_release (q);
363 /* convert 'ctx' to 'sexp' */
364 GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx));
365 gcry_ctx_release (ctx);
371 * Create a new private key. Caller must free return value.
373 * @return fresh private key
375 struct GNUNET_CRYPTO_EccPrivateKey *
376 GNUNET_CRYPTO_ecc_key_create ()
378 struct GNUNET_CRYPTO_EccPrivateKey *priv;
379 gcry_sexp_t priv_sexp;
380 gcry_sexp_t s_keyparam;
384 if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL,
385 "(genkey(ecdsa(curve \"" CURVE "\")))")))
387 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
390 if (0 != (rc = gcry_pk_genkey (&priv_sexp, s_keyparam)))
392 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_genkey", rc);
393 gcry_sexp_release (s_keyparam);
396 gcry_sexp_release (s_keyparam);
398 if (0 != (rc = gcry_pk_testkey (priv_sexp)))
400 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc);
401 gcry_sexp_release (priv_sexp);
405 if (0 != (rc = key_from_sexp (&d, priv_sexp, "private-key", "d")))
407 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "key_from_sexp", rc);
408 gcry_sexp_release (priv_sexp);
411 gcry_sexp_release (priv_sexp);
412 priv = GNUNET_new (struct GNUNET_CRYPTO_EccPrivateKey);
413 mpi_print (priv->d, sizeof (priv->d), d);
414 gcry_mpi_release (d);
420 * Get the shared private key we use for anonymous users.
422 * @return "anonymous" private key
424 const struct GNUNET_CRYPTO_EccPrivateKey *
425 GNUNET_CRYPTO_ecc_key_get_anonymous ()
428 * 'anonymous' pseudonym (global static, d=1, public key = G
431 static struct GNUNET_CRYPTO_EccPrivateKey anonymous;
436 mpi_print (anonymous.d,
437 sizeof (anonymous.d),
445 * Wait for a short time (we're trying to lock a file or want
446 * to give another process a shot at finishing a disk write, etc.).
447 * Sleeps for 100ms (as that should be long enough for virtually all
448 * modern systems to context switch and allow another process to do
454 struct GNUNET_TIME_Relative timeout;
456 timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, 100);
457 (void) GNUNET_NETWORK_socket_select (NULL, NULL, NULL, timeout);
462 * Create a new private key by reading it from a file. If the
463 * files does not exist, create a new key and write it to the
464 * file. Caller must free return value. Note that this function
465 * can not guarantee that another process might not be trying
466 * the same operation on the same file at the same time.
467 * If the contents of the file
468 * are invalid the old file is deleted and a fresh key is
471 * @param filename name of file to use to store the key
472 * @return new private key, NULL on error (for example,
475 struct GNUNET_CRYPTO_EccPrivateKey *
476 GNUNET_CRYPTO_ecc_key_create_from_file (const char *filename)
478 struct GNUNET_CRYPTO_EccPrivateKey *priv;
479 struct GNUNET_DISK_FileHandle *fd;
484 if (GNUNET_SYSERR == GNUNET_DISK_directory_create_for_file (filename))
486 while (GNUNET_YES != GNUNET_DISK_file_test (filename))
488 fd = GNUNET_DISK_file_open (filename,
489 GNUNET_DISK_OPEN_WRITE | GNUNET_DISK_OPEN_CREATE
490 | GNUNET_DISK_OPEN_FAILIFEXISTS,
491 GNUNET_DISK_PERM_USER_READ |
492 GNUNET_DISK_PERM_USER_WRITE);
497 if (GNUNET_YES != GNUNET_DISK_file_test (filename))
499 /* must exist but not be accessible, fail for good! */
500 if (0 != ACCESS (filename, R_OK))
501 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "access", filename);
503 GNUNET_break (0); /* what is going on!? */
508 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename);
513 GNUNET_DISK_file_lock (fd, 0,
514 sizeof (struct GNUNET_CRYPTO_EccPrivateKey),
521 LOG (GNUNET_ERROR_TYPE_ERROR,
522 _("Could not acquire lock on file `%s': %s...\n"), filename,
526 LOG (GNUNET_ERROR_TYPE_INFO,
527 _("Creating a new private key. This may take a while.\n"));
528 priv = GNUNET_CRYPTO_ecc_key_create ();
529 GNUNET_assert (NULL != priv);
530 GNUNET_assert (sizeof (*priv) ==
531 GNUNET_DISK_file_write (fd, priv, sizeof (*priv)));
532 GNUNET_DISK_file_sync (fd);
534 GNUNET_DISK_file_unlock (fd, 0,
535 sizeof (struct GNUNET_CRYPTO_EccPrivateKey)))
536 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
537 GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd));
540 /* key file exists already, read it! */
541 fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ,
542 GNUNET_DISK_PERM_NONE);
545 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename);
552 GNUNET_DISK_file_lock (fd, 0,
553 sizeof (struct GNUNET_CRYPTO_EccPrivateKey),
559 LOG (GNUNET_ERROR_TYPE_ERROR,
560 _("Could not acquire lock on file `%s': %s...\n"), filename,
562 LOG (GNUNET_ERROR_TYPE_ERROR,
564 ("This may be ok if someone is currently generating a private key.\n"));
569 if (GNUNET_YES != GNUNET_DISK_file_test (filename))
571 /* eh, what!? File we opened is now gone!? */
572 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "stat", filename);
574 GNUNET_DISK_file_unlock (fd, 0,
575 sizeof (struct GNUNET_CRYPTO_EccPrivateKey)))
576 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
577 GNUNET_assert (GNUNET_OK == GNUNET_DISK_file_close (fd));
581 if (GNUNET_OK != GNUNET_DISK_file_size (filename, &fs, GNUNET_YES, GNUNET_YES))
583 if (fs < sizeof (struct GNUNET_CRYPTO_EccPrivateKey))
585 /* maybe we got the read lock before the key generating
586 * process had a chance to get the write lock; give it up! */
588 GNUNET_DISK_file_unlock (fd, 0,
589 sizeof (struct GNUNET_CRYPTO_EccPrivateKey)))
590 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
593 LOG (GNUNET_ERROR_TYPE_ERROR,
595 ("When trying to read key file `%s' I found %u bytes but I need at least %u.\n"),
596 filename, (unsigned int) fs,
597 (unsigned int) sizeof (struct GNUNET_CRYPTO_EccPrivateKey));
598 LOG (GNUNET_ERROR_TYPE_ERROR,
600 ("This may be ok if someone is currently generating a key.\n"));
602 short_wait (); /* wait a bit longer! */
607 fs = sizeof (struct GNUNET_CRYPTO_EccPrivateKey);
608 priv = GNUNET_malloc (fs);
609 GNUNET_assert (fs == GNUNET_DISK_file_read (fd, priv, fs));
611 GNUNET_DISK_file_unlock (fd, 0,
612 sizeof (struct GNUNET_CRYPTO_EccPrivateKey)))
613 LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename);
614 GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd));
620 * Create a new private key by reading our peer's key from
621 * the file specified in the configuration.
623 * @return new private key, NULL on error (for example,
626 struct GNUNET_CRYPTO_EccPrivateKey *
627 GNUNET_CRYPTO_ecc_key_create_from_configuration (const struct GNUNET_CONFIGURATION_Handle *cfg)
629 struct GNUNET_CRYPTO_EccPrivateKey *priv;
633 GNUNET_CONFIGURATION_get_value_filename (cfg, "PEER", "PRIVATE_KEY", &fn))
635 priv = GNUNET_CRYPTO_ecc_key_create_from_file (fn);
642 * Setup a key file for a peer given the name of the
643 * configuration file (!). This function is used so that
644 * at a later point code can be certain that reading a
645 * key is fast (for example in time-dependent testcases).
647 * @param cfg_name name of the configuration file to use
650 GNUNET_CRYPTO_ecc_setup_key (const char *cfg_name)
652 struct GNUNET_CONFIGURATION_Handle *cfg;
653 struct GNUNET_CRYPTO_EccPrivateKey *priv;
655 cfg = GNUNET_CONFIGURATION_create ();
656 (void) GNUNET_CONFIGURATION_load (cfg, cfg_name);
657 priv = GNUNET_CRYPTO_ecc_key_create_from_configuration (cfg);
660 GNUNET_CONFIGURATION_destroy (cfg);
665 * Retrieve the identity of the host's peer.
667 * @param cfg configuration to use
668 * @param dst pointer to where to write the peer identity
669 * @return GNUNET_OK on success, GNUNET_SYSERR if the identity
670 * could not be retrieved
673 GNUNET_CRYPTO_get_host_identity (const struct GNUNET_CONFIGURATION_Handle *cfg,
674 struct GNUNET_PeerIdentity *dst)
676 struct GNUNET_CRYPTO_EccPrivateKey *priv;
677 struct GNUNET_CRYPTO_EccPublicKey pub;
679 if (NULL == (priv = GNUNET_CRYPTO_ecc_key_create_from_configuration (cfg)))
681 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
682 _("Could not load peer's private key\n"));
683 return GNUNET_SYSERR;
685 GNUNET_CRYPTO_ecc_key_get_public (priv, &pub);
687 GNUNET_CRYPTO_hash (&pub, sizeof (pub), &dst->hashPubKey);
693 * Convert the data specified in the given purpose argument to an
694 * S-expression suitable for signature operations.
696 * @param purpose data to convert
697 * @return converted s-expression
700 data_to_pkcs1 (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose)
702 struct GNUNET_HashCode hc;
706 GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc);
707 if (0 != (rc = gcry_sexp_build (&data, NULL,
708 "(data(flags rfc6979)(hash %s %b))",
713 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
721 * Sign a given block.
723 * @param priv private key to use for the signing
724 * @param purpose what to sign (size, purpose)
725 * @param sig where to write the signature
726 * @return GNUNET_SYSERR on error, GNUNET_OK on success
729 GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *priv,
730 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
731 struct GNUNET_CRYPTO_EccSignature *sig)
733 gcry_sexp_t priv_sexp;
734 gcry_sexp_t sig_sexp;
739 priv_sexp = decode_private_key (priv);
740 data = data_to_pkcs1 (purpose);
741 if (0 != (rc = gcry_pk_sign (&sig_sexp, data, priv_sexp)))
743 LOG (GNUNET_ERROR_TYPE_WARNING,
744 _("ECC signing failed at %s:%d: %s\n"), __FILE__,
745 __LINE__, gcry_strerror (rc));
746 gcry_sexp_release (data);
747 gcry_sexp_release (priv_sexp);
748 return GNUNET_SYSERR;
750 gcry_sexp_release (priv_sexp);
751 gcry_sexp_release (data);
753 /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in
755 if (0 != (rc = key_from_sexp (rs, sig_sexp, "sig-val", "rs")))
758 gcry_sexp_release (sig_sexp);
759 return GNUNET_SYSERR;
761 gcry_sexp_release (sig_sexp);
762 mpi_print (sig->r, sizeof (sig->r), rs[0]);
763 mpi_print (sig->s, sizeof (sig->s), rs[1]);
764 gcry_mpi_release (rs[0]);
765 gcry_mpi_release (rs[1]);
773 * @param purpose what is the purpose that the signature should have?
774 * @param validate block to validate (size, purpose, data)
775 * @param sig signature that is being validated
776 * @param pub public key of the signer
777 * @returns GNUNET_OK if ok, GNUNET_SYSERR if invalid
780 GNUNET_CRYPTO_ecc_verify (uint32_t purpose,
781 const struct GNUNET_CRYPTO_EccSignaturePurpose
783 const struct GNUNET_CRYPTO_EccSignature *sig,
784 const struct GNUNET_CRYPTO_EccPublicKey *pub)
787 gcry_sexp_t sig_sexpr;
788 gcry_sexp_t pub_sexpr;
793 if (purpose != ntohl (validate->purpose))
794 return GNUNET_SYSERR; /* purpose mismatch */
796 /* build s-expression for signature */
797 mpi_scan (&r, sig->r, sizeof (sig->r));
798 mpi_scan (&s, sig->s, sizeof (sig->s));
799 if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL,
800 "(sig-val(ecdsa(r %m)(s %m)))",
803 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
804 gcry_mpi_release (r);
805 gcry_mpi_release (s);
806 return GNUNET_SYSERR;
808 gcry_mpi_release (r);
809 gcry_mpi_release (s);
810 data = data_to_pkcs1 (validate);
811 if (! (pub_sexpr = decode_public_key (pub)))
813 gcry_sexp_release (data);
814 gcry_sexp_release (sig_sexpr);
815 return GNUNET_SYSERR;
817 rc = gcry_pk_verify (sig_sexpr, data, pub_sexpr);
818 gcry_sexp_release (pub_sexpr);
819 gcry_sexp_release (data);
820 gcry_sexp_release (sig_sexpr);
823 LOG (GNUNET_ERROR_TYPE_INFO,
824 _("ECC signature verification failed at %s:%d: %s\n"), __FILE__,
825 __LINE__, gcry_strerror (rc));
826 return GNUNET_SYSERR;
833 * Derive key material from a public and a private ECC key.
835 * @param priv private key to use for the ECDH (x)
836 * @param pub public key to use for the ECDH (yG)
837 * @param key_material where to write the key material (xyG)
838 * @return GNUNET_SYSERR on error, GNUNET_OK on success
841 GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EccPrivateKey *priv,
842 const struct GNUNET_CRYPTO_EccPublicKey *pub,
843 struct GNUNET_HashCode *key_material)
846 unsigned char sdata_buf[2048]; /* big enough to print
849 gcry_mpi_point_t result;
853 gcry_sexp_t pub_sexpr;
854 gcry_sexp_t ecdh_sexp;
859 /* first, extract the q = dP value from the public key */
860 if (! (pub_sexpr = decode_public_key (pub)))
861 return GNUNET_SYSERR;
862 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
863 gcry_sexp_release (pub_sexpr);
864 q = gcry_mpi_ec_get_point ("q", ctx, 0);
866 /* second, extract the d value from our private key */
867 mpi_scan (&d, priv->d, sizeof (priv->d));
869 /* then call the 'multiply' function, to compute the product */
870 result = gcry_mpi_point_new (0);
871 gcry_mpi_ec_mul (result, d, q, ctx);
872 gcry_mpi_point_release (q);
873 gcry_mpi_release (d);
875 /* finally, convert point to string for hashing */
876 result_x = gcry_mpi_new (256);
877 result_y = gcry_mpi_new (256);
878 if (gcry_mpi_ec_get_affine (result_x, result_y, result, ctx))
880 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
881 gcry_mpi_point_release (result);
882 gcry_ctx_release (ctx);
883 return GNUNET_SYSERR;
885 gcry_mpi_point_release (result);
886 gcry_ctx_release (ctx);
887 if (0 != (rc = gcry_sexp_build (&ecdh_sexp, NULL,
888 "(dh-shared-secret (x %m)(y %m))",
892 LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc);
893 gcry_mpi_release (result_x);
894 gcry_mpi_release (result_y);
895 return GNUNET_SYSERR;
897 gcry_mpi_release (result_x);
898 gcry_mpi_release (result_y);
899 slen = gcry_sexp_sprint (ecdh_sexp,
900 GCRYSEXP_FMT_DEFAULT,
901 sdata_buf, sizeof (sdata_buf));
902 GNUNET_assert (0 != slen);
903 gcry_sexp_release (ecdh_sexp);
904 /* finally, get a string of the resulting S-expression and hash it
905 to generate the key material */
906 GNUNET_CRYPTO_hash (sdata_buf, slen, key_material);
912 * Derive the 'h' value for key derivation, where
915 * @param pub public key for deriviation
916 * @param label label for deriviation
917 * @param context additional context to use for HKDF of 'h';
918 * typically the name of the subsystem/application
922 derive_h (const struct GNUNET_CRYPTO_EccPublicKey *pub,
927 struct GNUNET_HashCode hc;
929 GNUNET_CRYPTO_kdf (&hc, sizeof (hc),
930 "key-derivation", strlen ("key-derivation"),
932 label, strlen (label),
933 context, strlen (context),
935 mpi_scan (&h, (unsigned char *) &hc, sizeof (hc));
941 * Derive a private key from a given private key and a label.
942 * Essentially calculates a private key 'd = H(l,P) * x mod n'
943 * where n is the size of the ECC group and P is the public
944 * key associated with the private key 'd'.
946 * @param priv original private key
947 * @param label label to use for key deriviation
948 * @param context additional context to use for HKDF of 'h';
949 * typically the name of the subsystem/application
950 * @return derived private key
952 struct GNUNET_CRYPTO_EccPrivateKey *
953 GNUNET_CRYPTO_ecc_key_derive (const struct GNUNET_CRYPTO_EccPrivateKey *priv,
957 struct GNUNET_CRYPTO_EccPublicKey pub;
958 struct GNUNET_CRYPTO_EccPrivateKey *ret;
965 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
966 n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
967 GNUNET_CRYPTO_ecc_key_get_public (priv, &pub);
968 h = derive_h (&pub, label, context);
969 mpi_scan (&x, priv->d, sizeof (priv->d));
970 d = gcry_mpi_new (256);
971 gcry_mpi_mulm (d, h, x, n);
972 gcry_mpi_release (h);
973 gcry_mpi_release (x);
974 gcry_mpi_release (n);
975 gcry_ctx_release (ctx);
976 ret = GNUNET_new (struct GNUNET_CRYPTO_EccPrivateKey);
977 mpi_print (ret->d, sizeof (ret->d), d);
978 gcry_mpi_release (d);
984 * Derive a public key from a given public key and a label.
985 * Essentially calculates a public key 'V = H(l,P) * P'.
987 * @param pub original public key
988 * @param label label to use for key deriviation
989 * @param context additional context to use for HKDF of 'h';
990 * typically the name of the subsystem/application
991 * @param result where to write the derived public key
994 GNUNET_CRYPTO_ecc_public_key_derive (const struct GNUNET_CRYPTO_EccPublicKey *pub,
997 struct GNUNET_CRYPTO_EccPublicKey *result)
1008 GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
1010 /* obtain point 'q' from original public key */
1011 mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x));
1012 mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y));
1014 q = gcry_mpi_point_new (0);
1015 gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE);
1016 gcry_mpi_release (q_x);
1017 gcry_mpi_release (q_y);
1019 /* calulcate h_mod_n = h % n */
1020 h = derive_h (pub, label, context);
1021 n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
1022 h_mod_n = gcry_mpi_new (256);
1023 gcry_mpi_mod (h_mod_n, h, n);
1024 /* calculate v = h_mod_n * q */
1025 v = gcry_mpi_point_new (0);
1026 gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
1027 gcry_mpi_release (h_mod_n);
1028 gcry_mpi_release (h);
1029 gcry_mpi_release (n);
1030 gcry_mpi_point_release (q);
1031 /* convert point 'v' to public key that we return */
1032 point_to_public_key (v, ctx, result);
1033 gcry_mpi_point_release (v);
1034 gcry_ctx_release (ctx);
1038 /* end of crypto_ecc.c */