2 This file is part of GNUnet.
3 Copyright (C) 2001-2013 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file include/gnunet_crypto_lib.h
23 * @brief cryptographic primitives for GNUnet
25 * @author Christian Grothoff
26 * @author Krista Bennett
27 * @author Gerd Knorr <kraxel@bytesex.org>
28 * @author Ioana Patrascu
29 * @author Tzvetan Horozov
30 * @author Jeffrey Burdges <burdges@gnunet.org>
32 * @defgroup crypto Crypto library: cryptographic operations
33 * Provides cryptographic primitives.
35 * @see [Documentation](https://gnunet.org/crypto-api)
37 * @defgroup hash Crypto library: hash operations
38 * Provides hashing and operations on hashes.
40 * @see [Documentation](https://gnunet.org/crypto-api)
43 #ifndef GNUNET_CRYPTO_LIB_H
44 #define GNUNET_CRYPTO_LIB_H
48 #if 0 /* keep Emacsens' auto-indent happy */
55 * The identity of the host (wraps the signing key of the peer).
57 struct GNUNET_PeerIdentity;
59 #include "gnunet_common.h"
64 * Maximum length of an ECC signature.
65 * Note: round up to multiple of 8 minus 2 for alignment.
67 #define GNUNET_CRYPTO_ECC_SIGNATURE_DATA_ENCODING_LENGTH 126
71 * Desired quality level for random numbers.
74 enum GNUNET_CRYPTO_Quality
77 * No good quality of the operation is needed (i.e.,
78 * random numbers can be pseudo-random).
81 GNUNET_CRYPTO_QUALITY_WEAK,
84 * High-quality operations are desired.
87 GNUNET_CRYPTO_QUALITY_STRONG,
90 * Randomness for IVs etc. is required.
93 GNUNET_CRYPTO_QUALITY_NONCE
98 * @brief length of the sessionkey in bytes (256 BIT sessionkey)
100 #define GNUNET_CRYPTO_AES_KEY_LENGTH (256 / 8)
103 * Length of a hash value
105 #define GNUNET_CRYPTO_HASH_LENGTH (512 / 8)
108 * How many characters (without 0-terminator) are our ASCII-encoded
109 * public keys (ECDSA/EDDSA/ECDHE).
111 #define GNUNET_CRYPTO_PKEY_ASCII_LENGTH 52
114 * @brief 0-terminated ASCII encoding of a struct GNUNET_HashCode.
116 struct GNUNET_CRYPTO_HashAsciiEncoded
118 unsigned char encoding[104];
122 GNUNET_NETWORK_STRUCT_BEGIN
126 * @brief header of what an ECC signature signs
127 * this must be followed by "size - 8" bytes of
128 * the actual signed data
130 struct GNUNET_CRYPTO_EccSignaturePurpose
133 * How many bytes does this signature sign?
134 * (including this purpose header); in network
137 uint32_t size GNUNET_PACKED;
140 * What does this signature vouch for? This
141 * must contain a GNUNET_SIGNATURE_PURPOSE_XXX
142 * constant (from gnunet_signatures.h). In
143 * network byte order!
145 uint32_t purpose GNUNET_PACKED;
150 * @brief an ECC signature using EdDSA.
151 * See cr.yp.to/papers.html#ed25519
153 struct GNUNET_CRYPTO_EddsaSignature
158 unsigned char r[256 / 8];
163 unsigned char s[256 / 8];
168 * @brief an ECC signature using ECDSA
170 struct GNUNET_CRYPTO_EcdsaSignature
175 unsigned char r[256 / 8];
180 unsigned char s[256 / 8];
185 * Public ECC key (always for curve Ed25519) encoded in a format
186 * suitable for network transmission and EdDSA signatures. Refer
187 * to section 5.1.3 of rfc8032, for a thorough explanation of how
188 * this value maps to the x- and y-coordinates.
190 struct GNUNET_CRYPTO_EddsaPublicKey
193 * Point Q consists of a y-value mod p (256 bits); the x-value is
194 * always positive. The point is stored in Ed25519 standard
197 unsigned char q_y[256 / 8];
202 * Public ECC key (always for Curve25519) encoded in a format suitable
203 * for network transmission and ECDSA signatures.
205 struct GNUNET_CRYPTO_EcdsaPublicKey
208 * Q consists of an x- and a y-value, each mod p (256 bits), given
209 * here in affine coordinates and Ed25519 standard compact format.
211 unsigned char q_y[256 / 8];
216 * The identity of the host (wraps the signing key of the peer).
218 struct GNUNET_PeerIdentity
220 struct GNUNET_CRYPTO_EddsaPublicKey public_key;
225 * Public ECC key (always for Curve25519) encoded in a format suitable
226 * for network transmission and encryption (ECDH),
227 * See http://cr.yp.to/ecdh.html
229 struct GNUNET_CRYPTO_EcdhePublicKey
232 * Q consists of an x- and a y-value, each mod p (256 bits), given
233 * here in affine coordinates and Ed25519 standard compact format.
235 unsigned char q_y[256 / 8];
240 * Private ECC key encoded for transmission. To be used only for ECDH
241 * key exchange (ECDHE to be precise).
243 struct GNUNET_CRYPTO_EcdhePrivateKey
246 * d is a value mod n, where n has at most 256 bits.
248 unsigned char d[256 / 8];
252 * Private ECC key encoded for transmission. To be used only for ECDSA
255 struct GNUNET_CRYPTO_EcdsaPrivateKey
258 * d is a value mod n, where n has at most 256 bits.
260 unsigned char d[256 / 8];
264 * Private ECC key encoded for transmission. To be used only for EdDSA
267 struct GNUNET_CRYPTO_EddsaPrivateKey
270 * d is a value mod n, where n has at most 256 bits.
272 unsigned char d[256 / 8];
277 * @brief type for session keys
279 struct GNUNET_CRYPTO_SymmetricSessionKey
282 * Actual key for AES.
284 unsigned char aes_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
287 * Actual key for TwoFish.
289 unsigned char twofish_key[GNUNET_CRYPTO_AES_KEY_LENGTH];
292 GNUNET_NETWORK_STRUCT_END
295 * @brief IV for sym cipher
297 * NOTE: must be smaller (!) in size than the
298 * `struct GNUNET_HashCode`.
300 struct GNUNET_CRYPTO_SymmetricInitializationVector
302 unsigned char aes_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
304 unsigned char twofish_iv[GNUNET_CRYPTO_AES_KEY_LENGTH / 2];
309 * @brief type for (message) authentication keys
311 struct GNUNET_CRYPTO_AuthKey
313 unsigned char key[GNUNET_CRYPTO_HASH_LENGTH];
318 * Size of paillier plain texts and public keys.
319 * Private keys and ciphertexts are twice this size.
321 #define GNUNET_CRYPTO_PAILLIER_BITS 2048
325 * Paillier public key.
327 struct GNUNET_CRYPTO_PaillierPublicKey
332 unsigned char n[GNUNET_CRYPTO_PAILLIER_BITS / 8];
337 * Paillier private key.
339 struct GNUNET_CRYPTO_PaillierPrivateKey
342 * Lambda-component of the private key.
344 unsigned char lambda[GNUNET_CRYPTO_PAILLIER_BITS / 8];
346 * Mu-component of the private key.
348 unsigned char mu[GNUNET_CRYPTO_PAILLIER_BITS / 8];
353 * Paillier ciphertext.
355 struct GNUNET_CRYPTO_PaillierCiphertext
358 * Guaranteed minimum number of homomorphic operations with this ciphertext,
359 * in network byte order (NBO).
361 int32_t remaining_ops GNUNET_PACKED;
364 * The bits of the ciphertext.
366 unsigned char bits[GNUNET_CRYPTO_PAILLIER_BITS * 2 / 8];
370 /* **************** Functions and Macros ************* */
374 * Seed a weak random generator. Only #GNUNET_CRYPTO_QUALITY_WEAK-mode generator
377 * @param seed the seed to use
380 GNUNET_CRYPTO_seed_weak_random (int32_t seed);
385 * Calculate the checksum of a buffer in one step.
387 * @param buf buffer to calculate CRC over
388 * @param len number of bytes in @a buf
392 GNUNET_CRYPTO_crc8_n (const void *buf, size_t len);
396 * Perform an incremental step in a CRC16 (for TCP/IP) calculation.
398 * @param sum current sum, initially 0
399 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
400 * @param len number of bytes in @a buf, must be multiple of 2
401 * @return updated crc sum (must be subjected to #GNUNET_CRYPTO_crc16_finish to get actual crc16)
404 GNUNET_CRYPTO_crc16_step (uint32_t sum, const void *buf, size_t len);
408 * Convert results from GNUNET_CRYPTO_crc16_step to final crc16.
410 * @param sum cummulative sum
411 * @return crc16 value
414 GNUNET_CRYPTO_crc16_finish (uint32_t sum);
419 * Calculate the checksum of a buffer in one step.
421 * @param buf buffer to calculate CRC over (must be 16-bit aligned)
422 * @param len number of bytes in @a buf, must be multiple of 2
423 * @return crc16 value
426 GNUNET_CRYPTO_crc16_n (const void *buf, size_t len);
431 * Compute the CRC32 checksum for the first len
432 * bytes of the buffer.
434 * @param buf the data over which we're taking the CRC
435 * @param len the length of the buffer @a buf in bytes
436 * @return the resulting CRC32 checksum
439 GNUNET_CRYPTO_crc32_n (const void *buf, size_t len);
443 * Zero out @a buffer, securely against compiler optimizations.
444 * Used to delete key material.
446 * @param buffer the buffer to zap
447 * @param length buffer length
450 GNUNET_CRYPTO_zero_keys (void *buffer, size_t length);
455 * Fill block with a random values.
457 * @param mode desired quality of the random number
458 * @param buffer the buffer to fill
459 * @param length buffer length
462 GNUNET_CRYPTO_random_block (enum GNUNET_CRYPTO_Quality mode,
468 * Produce a random value.
470 * @param mode desired quality of the random number
471 * @param i the upper limit (exclusive) for the random number
472 * @return a random value in the interval [0,@a i) (exclusive).
475 GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i);
480 * Random on unsigned 64-bit values.
482 * @param mode desired quality of the random number
483 * @param max value returned will be in range [0,@a max) (exclusive)
484 * @return random 64-bit number
487 GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode, uint64_t max);
492 * Get an array with a random permutation of the
494 * @param mode #GNUNET_CRYPTO_QUALITY_STRONG if the strong (but expensive) PRNG should be used,
495 * #GNUNET_CRYPTO_QUALITY_WEAK or #GNUNET_CRYPTO_QUALITY_NONCE otherwise
496 * @param n the size of the array
497 * @return the permutation array (allocated from heap)
500 GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode, unsigned int n);
505 * Create a new random session key.
507 * @param key key to initialize
510 GNUNET_CRYPTO_symmetric_create_session_key (
511 struct GNUNET_CRYPTO_SymmetricSessionKey *key);
516 * Encrypt a block using a symmetric sessionkey.
518 * @param block the block to encrypt
519 * @param size the size of the @a block
520 * @param sessionkey the key used to encrypt
521 * @param iv the initialization vector to use, use INITVALUE
523 * @return the size of the encrypted block, -1 for errors
526 GNUNET_CRYPTO_symmetric_encrypt (
529 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
530 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
536 * Decrypt a given block using a symmetric sessionkey.
538 * @param block the data to decrypt, encoded as returned by encrypt
539 * @param size how big is the block?
540 * @param sessionkey the key used to decrypt
541 * @param iv the initialization vector to use
542 * @param result address to store the result at
543 * @return -1 on failure, size of decrypted block on success
546 GNUNET_CRYPTO_symmetric_decrypt (
549 const struct GNUNET_CRYPTO_SymmetricSessionKey *sessionkey,
550 const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
556 * @brief Derive an IV
557 * @param iv initialization vector
558 * @param skey session key
559 * @param salt salt for the derivation
560 * @param salt_len size of the @a salt
561 * @param ... pairs of void * & size_t for context chunks, terminated by NULL
564 GNUNET_CRYPTO_symmetric_derive_iv (
565 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
566 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
573 * @brief Derive an IV
574 * @param iv initialization vector
575 * @param skey session key
576 * @param salt salt for the derivation
577 * @param salt_len size of the @a salt
578 * @param argp pairs of void * & size_t for context chunks, terminated by NULL
581 GNUNET_CRYPTO_symmetric_derive_iv_v (
582 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
583 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
591 * Convert hash to ASCII encoding.
592 * @param block the hash code
593 * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be
594 * safely cast to char*, a '\\0' termination is set).
597 GNUNET_CRYPTO_hash_to_enc (const struct GNUNET_HashCode *block,
598 struct GNUNET_CRYPTO_HashAsciiEncoded *result);
603 * Convert ASCII encoding back to a 'struct GNUNET_HashCode'
605 * @param enc the encoding
606 * @param enclen number of characters in @a enc (without 0-terminator, which can be missing)
607 * @param result where to store the hash code
608 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
611 GNUNET_CRYPTO_hash_from_string2 (const char *enc,
613 struct GNUNET_HashCode *result);
618 * Convert ASCII encoding back to `struct GNUNET_HashCode`
620 * @param enc the encoding
621 * @param result where to store the hash code
622 * @return #GNUNET_OK on success, #GNUNET_SYSERR if result has the wrong encoding
624 #define GNUNET_CRYPTO_hash_from_string(enc, result) \
625 GNUNET_CRYPTO_hash_from_string2 (enc, strlen (enc), result)
631 * Compute the distance between 2 hashcodes. The
632 * computation must be fast, not involve @a a[0] or @a a[4] (they're used
633 * elsewhere), and be somewhat consistent. And of course, the result
634 * should be a positive number.
636 * @param a some hash code
637 * @param b some hash code
638 * @return number between 0 and UINT32_MAX
641 GNUNET_CRYPTO_hash_distance_u32 (const struct GNUNET_HashCode *a,
642 const struct GNUNET_HashCode *b);
647 * Compute hash of a given block.
649 * @param block the data to hash
650 * @param size size of the @a block
651 * @param ret pointer to where to write the hashcode
654 GNUNET_CRYPTO_hash (const void *block,
656 struct GNUNET_HashCode *ret);
660 * Calculate the 'proof-of-work' hash (an expensive hash).
662 * @param salt salt to use in pow calculation
663 * @param buf data to hash
664 * @param buf_len number of bytes in @a buf
665 * @param result where to write the resulting hash
668 GNUNET_CRYPTO_pow_hash (const char *salt,
671 struct GNUNET_HashCode *result);
675 * Context for cummulative hashing.
677 struct GNUNET_HashContext;
681 * Start incremental hashing operation.
683 * @return context for incremental hash computation
685 struct GNUNET_HashContext *
686 GNUNET_CRYPTO_hash_context_start (void);
690 * Add data to be hashed.
692 * @param hc cummulative hash context
693 * @param buf data to add
694 * @param size number of bytes in @a buf
697 GNUNET_CRYPTO_hash_context_read (struct GNUNET_HashContext *hc,
703 * Finish the hash computation.
705 * @param hc hash context to use, is freed in the process
706 * @param r_hash where to write the latest / final hash code
709 GNUNET_CRYPTO_hash_context_finish (struct GNUNET_HashContext *hc,
710 struct GNUNET_HashCode *r_hash);
714 * Abort hashing, do not bother calculating final result.
716 * @param hc hash context to destroy
719 GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc);
723 * Calculate HMAC of a message (RFC 2104)
724 * TODO: Shouldn' this be the standard hmac function and
725 * the above be renamed?
727 * @param key secret key
728 * @param key_len secret key length
729 * @param plaintext input plaintext
730 * @param plaintext_len length of @a plaintext
731 * @param hmac where to store the hmac
734 GNUNET_CRYPTO_hmac_raw (const void *key,
736 const void *plaintext,
737 size_t plaintext_len,
738 struct GNUNET_HashCode *hmac);
743 * Calculate HMAC of a message (RFC 2104)
745 * @param key secret key
746 * @param plaintext input plaintext
747 * @param plaintext_len length of @a plaintext
748 * @param hmac where to store the hmac
751 GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
752 const void *plaintext,
753 size_t plaintext_len,
754 struct GNUNET_HashCode *hmac);
758 * Function called once the hash computation over the
759 * specified file has completed.
762 * @param res resulting hash, NULL on error
764 typedef void (*GNUNET_CRYPTO_HashCompletedCallback) (
766 const struct GNUNET_HashCode *res);
770 * Handle to file hashing operation.
772 struct GNUNET_CRYPTO_FileHashContext;
777 * Compute the hash of an entire file.
779 * @param priority scheduling priority to use
780 * @param filename name of file to hash
781 * @param blocksize number of bytes to process in one task
782 * @param callback function to call upon completion
783 * @param callback_cls closure for @a callback
784 * @return NULL on (immediate) errror
786 struct GNUNET_CRYPTO_FileHashContext *
787 GNUNET_CRYPTO_hash_file (enum GNUNET_SCHEDULER_Priority priority,
788 const char *filename,
790 GNUNET_CRYPTO_HashCompletedCallback callback,
795 * Cancel a file hashing operation.
797 * @param fhc operation to cancel (callback must not yet have been invoked)
800 GNUNET_CRYPTO_hash_file_cancel (struct GNUNET_CRYPTO_FileHashContext *fhc);
805 * Create a random hash code.
807 * @param mode desired quality level
808 * @param result hash code that is randomized
811 GNUNET_CRYPTO_hash_create_random (enum GNUNET_CRYPTO_Quality mode,
812 struct GNUNET_HashCode *result);
817 * compute @a result = @a b - @a a
819 * @param a some hash code
820 * @param b some hash code
821 * @param result set to @a b - @a a
824 GNUNET_CRYPTO_hash_difference (const struct GNUNET_HashCode *a,
825 const struct GNUNET_HashCode *b,
826 struct GNUNET_HashCode *result);
831 * compute @a result = @a a + @a delta
833 * @param a some hash code
834 * @param delta some hash code
835 * @param result set to @a a + @a delta
838 GNUNET_CRYPTO_hash_sum (const struct GNUNET_HashCode *a,
839 const struct GNUNET_HashCode *delta,
840 struct GNUNET_HashCode *result);
845 * compute result = a ^ b
847 * @param a some hash code
848 * @param b some hash code
849 * @param result set to @a a ^ @a b
852 GNUNET_CRYPTO_hash_xor (const struct GNUNET_HashCode *a,
853 const struct GNUNET_HashCode *b,
854 struct GNUNET_HashCode *result);
859 * Convert a hashcode into a key.
861 * @param hc hash code that serves to generate the key
862 * @param skey set to a valid session key
863 * @param iv set to a valid initialization vector
866 GNUNET_CRYPTO_hash_to_aes_key (
867 const struct GNUNET_HashCode *hc,
868 struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
869 struct GNUNET_CRYPTO_SymmetricInitializationVector *iv);
874 * Obtain a bit from a hashcode.
876 * @param code the `struct GNUNET_HashCode` to index bit-wise
877 * @param bit index into the hashcode, [0...159] where 0 is the leftmost bit
878 * (bytes in code interpreted big endian)
879 * @return Bit \a bit from hashcode \a code, -1 for invalid index
882 GNUNET_CRYPTO_hash_get_bit_ltr (const struct GNUNET_HashCode *code,
887 * Obtain a bit from a hashcode.
888 * @param code the GNUNET_CRYPTO_hash to index bit-wise
889 * @param bit index into the hashcode, [0...511] where 0 is the rightmost bit
890 * (bytes in code interpreted little endian)
891 * @return Bit \a bit from hashcode \a code, -1 for invalid index
894 GNUNET_CRYPTO_hash_get_bit_rtl (const struct GNUNET_HashCode *code,
900 * Determine how many low order bits match in two
901 * `struct GNUNET_HashCodes`. i.e. - 010011 and 011111 share
902 * the first two lowest order bits, and therefore the
903 * return value is two (NOT XOR distance, nor how many
904 * bits match absolutely!).
906 * @param first the first hashcode
907 * @param second the hashcode to compare first to
908 * @return the number of bits that match
911 GNUNET_CRYPTO_hash_matching_bits (const struct GNUNET_HashCode *first,
912 const struct GNUNET_HashCode *second);
917 * Compare function for HashCodes, producing a total ordering
920 * @param h1 some hash code
921 * @param h2 some hash code
922 * @return 1 if @a h1 > @a h2, -1 if @a h1 < @a h2 and 0 if @a h1 == @a h2.
925 GNUNET_CRYPTO_hash_cmp (const struct GNUNET_HashCode *h1,
926 const struct GNUNET_HashCode *h2);
931 * Find out which of the two GNUNET_CRYPTO_hash codes is closer to target
932 * in the XOR metric (Kademlia).
934 * @param h1 some hash code
935 * @param h2 some hash code
936 * @param target some hash code
937 * @return -1 if @a h1 is closer, 1 if @a h2 is closer and 0 if @a h1== @a h2.
940 GNUNET_CRYPTO_hash_xorcmp (const struct GNUNET_HashCode *h1,
941 const struct GNUNET_HashCode *h2,
942 const struct GNUNET_HashCode *target);
947 * @brief Derive an authentication key
948 * @param key authentication key
949 * @param rkey root key
951 * @param salt_len size of the salt
952 * @param argp pair of void * & size_t for context chunks, terminated by NULL
955 GNUNET_CRYPTO_hmac_derive_key_v (
956 struct GNUNET_CRYPTO_AuthKey *key,
957 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
965 * @brief Derive an authentication key
966 * @param key authentication key
967 * @param rkey root key
969 * @param salt_len size of the salt
970 * @param ... pair of void * & size_t for context chunks, terminated by NULL
973 GNUNET_CRYPTO_hmac_derive_key (
974 struct GNUNET_CRYPTO_AuthKey *key,
975 const struct GNUNET_CRYPTO_SymmetricSessionKey *rkey,
984 * @param result buffer for the derived key, allocated by caller
985 * @param out_len desired length of the derived key
986 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
987 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
989 * @param xts_len length of @a xts
990 * @param skm source key material
991 * @param skm_len length of @a skm
992 * @param ... pair of void * & size_t for context chunks, terminated by NULL
993 * @return #GNUNET_YES on success
996 GNUNET_CRYPTO_hkdf (void *result,
1010 * @param result buffer for the derived key, allocated by caller
1011 * @param out_len desired length of the derived key
1012 * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
1013 * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
1015 * @param xts_len length of @a xts
1016 * @param skm source key material
1017 * @param skm_len length of @a skm
1018 * @param argp va_list of void * & size_t pairs for context chunks
1019 * @return #GNUNET_YES on success
1022 GNUNET_CRYPTO_hkdf_v (void *result,
1035 * @param result buffer for the derived key, allocated by caller
1036 * @param out_len desired length of the derived key
1038 * @param xts_len length of @a xts
1039 * @param skm source key material
1040 * @param skm_len length of @a skm
1041 * @param argp va_list of void * & size_t pairs for context chunks
1042 * @return #GNUNET_YES on success
1045 GNUNET_CRYPTO_kdf_v (void *result,
1055 * Deterministically generate a pseudo-random number uniformly from the
1056 * integers modulo a libgcrypt mpi.
1058 * @param[out] r MPI value set to the FDH
1059 * @param n MPI to work modulo
1061 * @param xts_len length of @a xts
1062 * @param skm source key material
1063 * @param skm_len length of @a skm
1064 * @param ctx context string
1067 GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
1079 * @param result buffer for the derived key, allocated by caller
1080 * @param out_len desired length of the derived key
1082 * @param xts_len length of @a xts
1083 * @param skm source key material
1084 * @param skm_len length of @a skm
1085 * @param ... void * & size_t pairs for context chunks
1086 * @return #GNUNET_YES on success
1089 GNUNET_CRYPTO_kdf (void *result,
1100 * Extract the public key for the given private key.
1102 * @param priv the private key
1103 * @param pub where to write the public key
1106 GNUNET_CRYPTO_ecdsa_key_get_public (
1107 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1108 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1112 * Extract the public key for the given private key.
1114 * @param priv the private key
1115 * @param pub where to write the public key
1118 GNUNET_CRYPTO_eddsa_key_get_public (
1119 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1120 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1125 * Extract the public key for the given private key.
1127 * @param priv the private key
1128 * @param pub where to write the public key
1131 GNUNET_CRYPTO_ecdhe_key_get_public (
1132 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1133 struct GNUNET_CRYPTO_EcdhePublicKey *pub);
1137 * Convert a public key to a string.
1139 * @param pub key to convert
1140 * @return string representing @a pub
1143 GNUNET_CRYPTO_ecdsa_public_key_to_string (
1144 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1147 * Convert a private key to a string.
1149 * @param priv key to convert
1150 * @return string representing @a priv
1153 GNUNET_CRYPTO_ecdsa_private_key_to_string (
1154 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv);
1158 * Convert a private key to a string.
1160 * @param priv key to convert
1161 * @return string representing @a pub
1164 GNUNET_CRYPTO_eddsa_private_key_to_string (
1165 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv);
1169 * Convert a public key to a string.
1171 * @param pub key to convert
1172 * @return string representing @a pub
1175 GNUNET_CRYPTO_eddsa_public_key_to_string (
1176 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1180 * Convert a string representing a public key to a public key.
1182 * @param enc encoded public key
1183 * @param enclen number of bytes in @a enc (without 0-terminator)
1184 * @param pub where to store the public key
1185 * @return #GNUNET_OK on success
1188 GNUNET_CRYPTO_ecdsa_public_key_from_string (
1191 struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1195 * Convert a string representing a private key to a private key.
1197 * @param enc encoded public key
1198 * @param enclen number of bytes in @a enc (without 0-terminator)
1199 * @param priv where to store the private key
1200 * @return #GNUNET_OK on success
1203 GNUNET_CRYPTO_eddsa_private_key_from_string (
1206 struct GNUNET_CRYPTO_EddsaPrivateKey *pub);
1210 * Convert a string representing a public key to a public key.
1212 * @param enc encoded public key
1213 * @param enclen number of bytes in @a enc (without 0-terminator)
1214 * @param pub where to store the public key
1215 * @return #GNUNET_OK on success
1218 GNUNET_CRYPTO_eddsa_public_key_from_string (
1221 struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1226 * @brief Create a new private key by reading it from a file.
1228 * If the files does not exist and @a do_create is set, creates a new key and
1229 * write it to the file.
1231 * If the contents of the file are invalid, an error is returned.
1233 * @param filename name of file to use to store the key
1234 * @param do_create should a file be created?
1235 * @param[out] pkey set to the private key from @a filename on success
1236 * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but
1237 * we found an existing file, #GNUNET_SYSERR on failure
1240 GNUNET_CRYPTO_ecdsa_key_from_file (const char *filename,
1242 struct GNUNET_CRYPTO_EcdsaPrivateKey *pkey);
1247 * @brief Create a new private key by reading it from a file.
1249 * If the files does not exist and @a do_create is set, creates a new key and
1250 * write it to the file.
1252 * If the contents of the file are invalid, an error is returned.
1254 * @param filename name of file to use to store the key
1255 * @param do_create should a file be created?
1256 * @param[out] pkey set to the private key from @a filename on success
1257 * @return #GNUNET_OK on success, #GNUNET_NO if @a do_create was set but
1258 * we found an existing file, #GNUNET_SYSERR on failure
1261 GNUNET_CRYPTO_eddsa_key_from_file (const char *filename,
1263 struct GNUNET_CRYPTO_EddsaPrivateKey *pkey);
1267 * Forward declaration to simplify #include-structure.
1269 struct GNUNET_CONFIGURATION_Handle;
1274 * Create a new private key by reading our peer's key from
1275 * the file specified in the configuration.
1277 * @param cfg the configuration to use
1278 * @return new private key, NULL on error (for example,
1279 * permission denied); free using #GNUNET_free
1281 struct GNUNET_CRYPTO_EddsaPrivateKey *
1282 GNUNET_CRYPTO_eddsa_key_create_from_configuration (
1283 const struct GNUNET_CONFIGURATION_Handle *cfg);
1288 * Create a new private key.
1290 * @param[out] pk private key to initialize
1293 GNUNET_CRYPTO_ecdsa_key_create (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
1298 * Create a new private key.
1300 * @param[out] pk private key to initialize
1303 GNUNET_CRYPTO_eddsa_key_create (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
1308 * Create a new private key. Clear with #GNUNET_CRYPTO_ecdhe_key_clear().
1310 * @param[out] pk set to fresh private key;
1313 GNUNET_CRYPTO_ecdhe_key_create (struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1318 * Clear memory that was used to store a private key.
1320 * @param pk location of the key
1323 GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk);
1328 * Clear memory that was used to store a private key.
1330 * @param pk location of the key
1333 GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk);
1338 * Clear memory that was used to store a private key.
1340 * @param pk location of the key
1343 GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
1348 * Get the shared private key we use for anonymous users.
1350 * @return "anonymous" private key; do not free
1352 const struct GNUNET_CRYPTO_EcdsaPrivateKey *
1353 GNUNET_CRYPTO_ecdsa_key_get_anonymous (void);
1358 * Setup a hostkey file for a peer given the name of the
1359 * configuration file (!). This function is used so that
1360 * at a later point code can be certain that reading a
1361 * hostkey is fast (for example in time-dependent testcases).
1363 * @param cfg_name name of the configuration file to use
1366 GNUNET_CRYPTO_eddsa_setup_hostkey (const char *cfg_name);
1371 * Retrieve the identity of the host's peer.
1373 * @param cfg configuration to use
1374 * @param dst pointer to where to write the peer identity
1375 * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity
1376 * could not be retrieved
1379 GNUNET_CRYPTO_get_peer_identity (const struct GNUNET_CONFIGURATION_Handle *cfg,
1380 struct GNUNET_PeerIdentity *dst);
1384 * Internal structure used to cache pre-calculated values for DLOG calculation.
1386 struct GNUNET_CRYPTO_EccDlogContext;
1390 * Point on a curve (always for Curve25519) encoded in a format suitable
1391 * for network transmission (ECDH), see http://cr.yp.to/ecdh.html.
1393 struct GNUNET_CRYPTO_EccPoint
1396 * Q consists of an x- and a y-value, each mod p (256 bits), given
1397 * here in affine coordinates and Ed25519 standard compact format.
1399 unsigned char q_y[256 / 8];
1404 * Do pre-calculation for ECC discrete logarithm for small factors.
1406 * @param max maximum value the factor can be
1407 * @param mem memory to use (should be smaller than @a max), must not be zero.
1408 * @return NULL on error
1410 struct GNUNET_CRYPTO_EccDlogContext *
1411 GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, unsigned int mem);
1415 * Calculate ECC discrete logarithm for small factors.
1416 * Opposite of #GNUNET_CRYPTO_ecc_dexp().
1418 * @param dlc precalculated values, determine range of factors
1419 * @param input point on the curve to factor
1420 * @return INT_MAX if dlog failed, otherwise the factor
1423 GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc,
1424 gcry_mpi_point_t input);
1428 * Multiply the generator g of the elliptic curve by @a val
1429 * to obtain the point on the curve representing @a val.
1430 * Afterwards, point addition will correspond to integer
1431 * addition. #GNUNET_CRYPTO_ecc_dlog() can be used to
1432 * convert a point back to an integer (as long as the
1433 * integer is smaller than the MAX of the @a edc context).
1435 * @param edc calculation context for ECC operations
1436 * @param val value to encode into a point
1437 * @return representation of the value as an ECC point,
1438 * must be freed using #GNUNET_CRYPTO_ecc_free()
1441 GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val);
1445 * Multiply the generator g of the elliptic curve by @a val
1446 * to obtain the point on the curve representing @a val.
1448 * @param edc calculation context for ECC operations
1449 * @param val (positive) value to encode into a point
1450 * @return representation of the value as an ECC point,
1451 * must be freed using #GNUNET_CRYPTO_ecc_free()
1454 GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1459 * Multiply the point @a p on the elliptic curve by @a val.
1461 * @param edc calculation context for ECC operations
1462 * @param p point to multiply
1463 * @param val (positive) value to encode into a point
1464 * @return representation of the value as an ECC point,
1465 * must be freed using #GNUNET_CRYPTO_ecc_free()
1468 GNUNET_CRYPTO_ecc_pmul_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1474 * Convert point value to binary representation.
1476 * @param edc calculation context for ECC operations
1477 * @param point computational point representation
1478 * @param[out] bin binary point representation
1481 GNUNET_CRYPTO_ecc_point_to_bin (struct GNUNET_CRYPTO_EccDlogContext *edc,
1482 gcry_mpi_point_t point,
1483 struct GNUNET_CRYPTO_EccPoint *bin);
1487 * Convert binary representation of a point to computational representation.
1489 * @param edc calculation context for ECC operations
1490 * @param bin binary point representation
1491 * @return computational representation
1494 GNUNET_CRYPTO_ecc_bin_to_point (struct GNUNET_CRYPTO_EccDlogContext *edc,
1495 const struct GNUNET_CRYPTO_EccPoint *bin);
1499 * Add two points on the elliptic curve.
1501 * @param edc calculation context for ECC operations
1502 * @param a some value
1503 * @param b some value
1504 * @return @a a + @a b, must be freed using #GNUNET_CRYPTO_ecc_free()
1507 GNUNET_CRYPTO_ecc_add (struct GNUNET_CRYPTO_EccDlogContext *edc,
1509 gcry_mpi_point_t b);
1513 * Obtain a random point on the curve and its
1514 * additive inverse. Both returned values
1515 * must be freed using #GNUNET_CRYPTO_ecc_free().
1517 * @param edc calculation context for ECC operations
1518 * @param[out] r set to a random point on the curve
1519 * @param[out] r_inv set to the additive inverse of @a r
1522 GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc,
1523 gcry_mpi_point_t *r,
1524 gcry_mpi_point_t *r_inv);
1528 * Obtain a random scalar for point multiplication on the curve and
1529 * its multiplicative inverse.
1531 * @param edc calculation context for ECC operations
1532 * @param[out] r set to a random scalar on the curve
1533 * @param[out] r_inv set to the multiplicative inverse of @a r
1536 GNUNET_CRYPTO_ecc_rnd_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc,
1542 * Generate a random value mod n.
1544 * @param edc ECC context
1545 * @return random value mod n.
1548 GNUNET_CRYPTO_ecc_random_mod_n (struct GNUNET_CRYPTO_EccDlogContext *edc);
1552 * Free a point value returned by the API.
1554 * @param p point to free
1557 GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p);
1561 * Release precalculated values.
1563 * @param dlc dlog context
1566 GNUNET_CRYPTO_ecc_dlog_release (struct GNUNET_CRYPTO_EccDlogContext *dlc);
1571 * Derive key material from a public and a private ECC key.
1573 * @param priv private key to use for the ECDH (x)
1574 * @param pub public key to use for the ECDH (yG)
1575 * @param key_material where to write the key material (xyG)
1576 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1579 GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1580 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1581 struct GNUNET_HashCode *key_material);
1586 * Derive key material from a ECDH public key and a private EdDSA key.
1587 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
1589 * @param priv private key from EdDSA to use for the ECDH (x)
1590 * @param pub public key to use for the ECDH (yG)
1591 * @param key_material where to write the key material H(h(x)yG)
1592 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1595 GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1596 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1597 struct GNUNET_HashCode *key_material);
1601 * Derive key material from a ECDH public key and a private ECDSA key.
1602 * Dual to #GNUNET_CRRYPTO_ecdh_ecdsa.
1604 * @param priv private key from ECDSA to use for the ECDH (x)
1605 * @param pub public key to use for the ECDH (yG)
1606 * @param key_material where to write the key material H(h(x)yG)
1607 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1610 GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1611 const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1612 struct GNUNET_HashCode *key_material);
1617 * Derive key material from a EdDSA public key and a private ECDH key.
1618 * Dual to #GNUNET_CRRYPTO_eddsa_ecdh.
1620 * @param priv private key to use for the ECDH (y)
1621 * @param pub public key from EdDSA to use for the ECDH (X=h(x)G)
1622 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1623 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1626 GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1627 const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1628 struct GNUNET_HashCode *key_material);
1632 * Derive key material from a EcDSA public key and a private ECDH key.
1633 * Dual to #GNUNET_CRRYPTO_ecdsa_ecdh.
1635 * @param priv private key to use for the ECDH (y)
1636 * @param pub public key from ECDSA to use for the ECDH (X=h(x)G)
1637 * @param key_material where to write the key material H(yX)=H(h(x)yG)
1638 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1641 GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1642 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1643 struct GNUNET_HashCode *key_material);
1648 * @brief EdDSA sign a given block.
1650 * The @a purpose data is the beginning of the data of which the signature is
1651 * to be created. The `size` field in @a purpose must correctly indicate the
1652 * number of bytes of the data structure, including its header. If possible,
1653 * use #GNUNET_CRYPTO_eddsa_sign() instead of this function (only if @a validate
1654 * is not fixed-size, you must use this function directly).
1656 * @param priv private key to use for the signing
1657 * @param purpose what to sign (size, purpose)
1658 * @param[out] sig where to write the signature
1659 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1662 GNUNET_CRYPTO_eddsa_sign_ (
1663 const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1664 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1665 struct GNUNET_CRYPTO_EddsaSignature *sig);
1670 * @brief EdDSA sign a given block.
1672 * The @a ps data must be a fixed-size struct for which the signature is to be
1673 * created. The `size` field in @a ps->purpose must correctly indicate the
1674 * number of bytes of the data structure, including its header.
1676 * @param priv private key to use for the signing
1677 * @param ps packed struct with what to sign, MUST begin with a purpose
1678 * @param[out] sig where to write the signature
1680 #define GNUNET_CRYPTO_eddsa_sign(priv,ps,sig) do { \
1681 /* check size is set correctly */ \
1682 GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*ps)); \
1683 /* check 'ps' begins with the purpose */ \
1684 GNUNET_static_assert (((void*) (ps)) == \
1685 ((void*) &(ps)->purpose)); \
1686 GNUNET_assert (GNUNET_OK == \
1687 GNUNET_CRYPTO_eddsa_sign_ (priv, \
1695 * @brief ECDSA Sign a given block.
1697 * The @a purpose data is the beginning of the data of which the signature is
1698 * to be created. The `size` field in @a purpose must correctly indicate the
1699 * number of bytes of the data structure, including its header. If possible,
1700 * use #GNUNET_CRYPTO_ecdsa_sign() instead of this function (only if @a validate
1701 * is not fixed-size, you must use this function directly).
1703 * @param priv private key to use for the signing
1704 * @param purpose what to sign (size, purpose)
1705 * @param[out] sig where to write the signature
1706 * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
1709 GNUNET_CRYPTO_ecdsa_sign_ (
1710 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1711 const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
1712 struct GNUNET_CRYPTO_EcdsaSignature *sig);
1717 * @brief ECDSA sign a given block.
1719 * The @a ps data must be a fixed-size struct for which the signature is to be
1720 * created. The `size` field in @a ps->purpose must correctly indicate the
1721 * number of bytes of the data structure, including its header.
1723 * @param priv private key to use for the signing
1724 * @param ps packed struct with what to sign, MUST begin with a purpose
1725 * @param[out] sig where to write the signature
1727 #define GNUNET_CRYPTO_ecdsa_sign(priv,ps,sig) do { \
1728 /* check size is set correctly */ \
1729 GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*(ps))); \
1730 /* check 'ps' begins with the purpose */ \
1731 GNUNET_static_assert (((void*) (ps)) == \
1732 ((void*) &(ps)->purpose)); \
1733 GNUNET_assert (GNUNET_OK == \
1734 GNUNET_CRYPTO_ecdsa_sign_ (priv, \
1742 * @brief Verify EdDSA signature.
1744 * The @a validate data is the beginning of the data of which the signature
1745 * is to be verified. The `size` field in @a validate must correctly indicate
1746 * the number of bytes of the data structure, including its header. If @a
1747 * purpose does not match the purpose given in @a validate (the latter must be
1748 * in big endian), signature verification fails. If possible,
1749 * use #GNUNET_CRYPTO_eddsa_verify() instead of this function (only if @a validate
1750 * is not fixed-size, you must use this function directly).
1752 * @param purpose what is the purpose that the signature should have?
1753 * @param validate block to validate (size, purpose, data)
1754 * @param sig signature that is being validated
1755 * @param pub public key of the signer
1756 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1759 GNUNET_CRYPTO_eddsa_verify_ (
1761 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1762 const struct GNUNET_CRYPTO_EddsaSignature *sig,
1763 const struct GNUNET_CRYPTO_EddsaPublicKey *pub);
1768 * @brief Verify EdDSA signature.
1770 * The @a ps data must be a fixed-size struct for which the signature is to be
1771 * created. The `size` field in @a ps->purpose must correctly indicate the
1772 * number of bytes of the data structure, including its header.
1774 * @param purp purpose of the signature, must match 'ps->purpose.purpose'
1775 * (except in host byte order)
1776 * @param priv private key to use for the signing
1777 * @param ps packed struct with what to sign, MUST begin with a purpose
1778 * @param sig where to write the signature
1780 #define GNUNET_CRYPTO_eddsa_verify(purp,ps,sig,pub) ({ \
1781 /* check size is set correctly */ \
1782 GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*(ps))); \
1783 /* check 'ps' begins with the purpose */ \
1784 GNUNET_static_assert (((void*) (ps)) == \
1785 ((void*) &(ps)->purpose)); \
1786 GNUNET_CRYPTO_eddsa_verify_ (purp, \
1795 * @brief Verify ECDSA signature.
1797 * The @a validate data is the beginning of the data of which the signature is
1798 * to be verified. The `size` field in @a validate must correctly indicate the
1799 * number of bytes of the data structure, including its header. If @a purpose
1800 * does not match the purpose given in @a validate (the latter must be in big
1801 * endian), signature verification fails. If possible, use
1802 * #GNUNET_CRYPTO_eddsa_verify() instead of this function (only if @a validate
1803 * is not fixed-size, you must use this function directly).
1805 * @param purpose what is the purpose that the signature should have?
1806 * @param validate block to validate (size, purpose, data)
1807 * @param sig signature that is being validated
1808 * @param pub public key of the signer
1809 * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
1812 GNUNET_CRYPTO_ecdsa_verify_ (
1814 const struct GNUNET_CRYPTO_EccSignaturePurpose *validate,
1815 const struct GNUNET_CRYPTO_EcdsaSignature *sig,
1816 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub);
1821 * @brief Verify ECDSA signature.
1823 * The @a ps data must be a fixed-size struct for which the signature is to be
1824 * created. The `size` field in @a ps->purpose must correctly indicate the
1825 * number of bytes of the data structure, including its header.
1827 * @param purp purpose of the signature, must match 'ps->purpose.purpose'
1828 * (except in host byte order)
1829 * @param priv private key to use for the signing
1830 * @param ps packed struct with what to sign, MUST begin with a purpose
1831 * @param sig where to write the signature
1833 #define GNUNET_CRYPTO_ecdsa_verify(purp,ps,sig,pub) ({ \
1834 /* check size is set correctly */ \
1835 GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*(ps))); \
1836 /* check 'ps' begins with the purpose */ \
1837 GNUNET_static_assert (((void*) (ps)) == \
1838 ((void*) &(ps)->purpose)); \
1839 GNUNET_CRYPTO_ecdsa_verify_ (purp, \
1847 * Derive a private key from a given private key and a label.
1848 * Essentially calculates a private key 'h = H(l,P) * d mod n'
1849 * where n is the size of the ECC group and P is the public
1850 * key associated with the private key 'd'.
1852 * @param priv original private key
1853 * @param label label to use for key deriviation
1854 * @param context additional context to use for HKDF of 'h';
1855 * typically the name of the subsystem/application
1856 * @return derived private key
1858 struct GNUNET_CRYPTO_EcdsaPrivateKey *
1859 GNUNET_CRYPTO_ecdsa_private_key_derive (
1860 const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
1862 const char *context);
1867 * Derive a public key from a given public key and a label.
1868 * Essentially calculates a public key 'V = H(l,P) * P'.
1870 * @param pub original public key
1871 * @param label label to use for key deriviation
1872 * @param context additional context to use for HKDF of 'h'.
1873 * typically the name of the subsystem/application
1874 * @param result where to write the derived public key
1877 GNUNET_CRYPTO_ecdsa_public_key_derive (
1878 const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1880 const char *context,
1881 struct GNUNET_CRYPTO_EcdsaPublicKey *result);
1885 * Output the given MPI value to the given buffer in network
1886 * byte order. The MPI @a val may not be negative.
1888 * @param buf where to output to
1889 * @param size number of bytes in @a buf
1890 * @param val value to write to @a buf
1893 GNUNET_CRYPTO_mpi_print_unsigned (void *buf, size_t size, gcry_mpi_t val);
1897 * Convert data buffer into MPI value.
1898 * The buffer is interpreted as network
1899 * byte order, unsigned integer.
1901 * @param result where to store MPI value (allocated)
1902 * @param data raw data (GCRYMPI_FMT_USG)
1903 * @param size number of bytes in @a data
1906 GNUNET_CRYPTO_mpi_scan_unsigned (gcry_mpi_t *result,
1912 * Create a freshly generated paillier public key.
1914 * @param[out] public_key Where to store the public key?
1915 * @param[out] private_key Where to store the private key?
1918 GNUNET_CRYPTO_paillier_create (
1919 struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1920 struct GNUNET_CRYPTO_PaillierPrivateKey *private_key);
1924 * Encrypt a plaintext with a paillier public key.
1926 * @param public_key Public key to use.
1927 * @param m Plaintext to encrypt.
1928 * @param desired_ops How many homomorphic ops the caller intends to use
1929 * @param[out] ciphertext Encrytion of @a plaintext with @a public_key.
1930 * @return guaranteed number of supported homomorphic operations >= 1,
1931 * or desired_ops, in case that is lower,
1932 * or -1 if less than one homomorphic operation is possible
1935 GNUNET_CRYPTO_paillier_encrypt (
1936 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1939 struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext);
1943 * Decrypt a paillier ciphertext with a private key.
1945 * @param private_key Private key to use for decryption.
1946 * @param public_key Public key to use for decryption.
1947 * @param ciphertext Ciphertext to decrypt.
1948 * @param[out] m Decryption of @a ciphertext with @private_key.
1951 GNUNET_CRYPTO_paillier_decrypt (
1952 const struct GNUNET_CRYPTO_PaillierPrivateKey *private_key,
1953 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1954 const struct GNUNET_CRYPTO_PaillierCiphertext *ciphertext,
1959 * Compute a ciphertext that represents the sum of the plaintext in @a x1 and @a x2
1961 * Note that this operation can only be done a finite number of times
1962 * before an overflow occurs.
1964 * @param public_key Public key to use for encryption.
1965 * @param c1 Paillier cipher text.
1966 * @param c2 Paillier cipher text.
1967 * @param[out] result Result of the homomorphic operation.
1968 * @return #GNUNET_OK if the result could be computed,
1969 * #GNUNET_SYSERR if no more homomorphic operations are remaining.
1972 GNUNET_CRYPTO_paillier_hom_add (
1973 const struct GNUNET_CRYPTO_PaillierPublicKey *public_key,
1974 const struct GNUNET_CRYPTO_PaillierCiphertext *c1,
1975 const struct GNUNET_CRYPTO_PaillierCiphertext *c2,
1976 struct GNUNET_CRYPTO_PaillierCiphertext *result);
1980 * Get the number of remaining supported homomorphic operations.
1982 * @param c Paillier cipher text.
1983 * @return the number of remaining homomorphic operations
1986 GNUNET_CRYPTO_paillier_hom_get_remaining (
1987 const struct GNUNET_CRYPTO_PaillierCiphertext *c);
1990 /* ********* Chaum-style RSA-based blind signatures ******************* */
1994 * The private information of an RSA key pair.
1996 struct GNUNET_CRYPTO_RsaPrivateKey;
1999 * The public information of an RSA key pair.
2001 struct GNUNET_CRYPTO_RsaPublicKey;
2004 * Constant-size pre-secret for blinding key generation.
2006 struct GNUNET_CRYPTO_RsaBlindingKeySecret
2009 * Bits used to generate the blinding key. 256 bits
2010 * of entropy is enough.
2012 uint32_t pre_secret[8] GNUNET_PACKED;
2016 * @brief an RSA signature
2018 struct GNUNET_CRYPTO_RsaSignature;
2022 * Create a new private key. Caller must free return value.
2024 * @param len length of the key in bits (i.e. 2048)
2025 * @return fresh private key
2027 struct GNUNET_CRYPTO_RsaPrivateKey *
2028 GNUNET_CRYPTO_rsa_private_key_create (unsigned int len);
2032 * Free memory occupied by the private key.
2034 * @param key pointer to the memory to free
2037 GNUNET_CRYPTO_rsa_private_key_free (struct GNUNET_CRYPTO_RsaPrivateKey *key);
2041 * Encode the private key in a format suitable for
2042 * storing it into a file.
2044 * @param key the private key
2045 * @param[out] buffer set to a buffer with the encoded key
2046 * @return size of memory allocatedin @a buffer
2049 GNUNET_CRYPTO_rsa_private_key_encode (
2050 const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2055 * Decode the private key from the data-format back
2056 * to the "normal", internal format.
2058 * @param buf the buffer where the private key data is stored
2059 * @param buf_size the size of the data in @a buf
2060 * @return NULL on error
2062 struct GNUNET_CRYPTO_RsaPrivateKey *
2063 GNUNET_CRYPTO_rsa_private_key_decode (const void *buf,
2068 * Duplicate the given private key
2070 * @param key the private key to duplicate
2071 * @return the duplicate key; NULL upon error
2073 struct GNUNET_CRYPTO_RsaPrivateKey *
2074 GNUNET_CRYPTO_rsa_private_key_dup (
2075 const struct GNUNET_CRYPTO_RsaPrivateKey *key);
2079 * Extract the public key of the given private key.
2081 * @param priv the private key
2082 * @retur NULL on error, otherwise the public key
2084 struct GNUNET_CRYPTO_RsaPublicKey *
2085 GNUNET_CRYPTO_rsa_private_key_get_public (
2086 const struct GNUNET_CRYPTO_RsaPrivateKey *priv);
2090 * Compute hash over the public key.
2092 * @param key public key to hash
2093 * @param hc where to store the hash code
2096 GNUNET_CRYPTO_rsa_public_key_hash (const struct GNUNET_CRYPTO_RsaPublicKey *key,
2097 struct GNUNET_HashCode *hc);
2101 * Obtain the length of the RSA key in bits.
2103 * @param key the public key to introspect
2104 * @return length of the key in bits
2107 GNUNET_CRYPTO_rsa_public_key_len (const struct GNUNET_CRYPTO_RsaPublicKey *key);
2111 * Free memory occupied by the public key.
2113 * @param key pointer to the memory to free
2116 GNUNET_CRYPTO_rsa_public_key_free (struct GNUNET_CRYPTO_RsaPublicKey *key);
2120 * Encode the public key in a format suitable for
2121 * storing it into a file.
2123 * @param key the private key
2124 * @param[out] buffer set to a buffer with the encoded key
2125 * @return size of memory allocated in @a buffer
2128 GNUNET_CRYPTO_rsa_public_key_encode (
2129 const struct GNUNET_CRYPTO_RsaPublicKey *key,
2134 * Decode the public key from the data-format back
2135 * to the "normal", internal format.
2137 * @param buf the buffer where the public key data is stored
2138 * @param len the length of the data in @a buf
2139 * @return NULL on error
2141 struct GNUNET_CRYPTO_RsaPublicKey *
2142 GNUNET_CRYPTO_rsa_public_key_decode (const char *buf, size_t len);
2146 * Duplicate the given public key
2148 * @param key the public key to duplicate
2149 * @return the duplicate key; NULL upon error
2151 struct GNUNET_CRYPTO_RsaPublicKey *
2152 GNUNET_CRYPTO_rsa_public_key_dup (const struct GNUNET_CRYPTO_RsaPublicKey *key);
2156 * Compare the values of two signatures.
2158 * @param s1 one signature
2159 * @param s2 the other signature
2160 * @return 0 if the two are equal
2163 GNUNET_CRYPTO_rsa_signature_cmp (struct GNUNET_CRYPTO_RsaSignature *s1,
2164 struct GNUNET_CRYPTO_RsaSignature *s2);
2167 * Compare the values of two private keys.
2169 * @param p1 one private key
2170 * @param p2 the other private key
2171 * @return 0 if the two are equal
2174 GNUNET_CRYPTO_rsa_private_key_cmp (struct GNUNET_CRYPTO_RsaPrivateKey *p1,
2175 struct GNUNET_CRYPTO_RsaPrivateKey *p2);
2179 * Compare the values of two public keys.
2181 * @param p1 one public key
2182 * @param p2 the other public key
2183 * @return 0 if the two are equal
2186 GNUNET_CRYPTO_rsa_public_key_cmp (struct GNUNET_CRYPTO_RsaPublicKey *p1,
2187 struct GNUNET_CRYPTO_RsaPublicKey *p2);
2191 * Blinds the given message with the given blinding key
2193 * @param hash hash of the message to sign
2194 * @param bkey the blinding key
2195 * @param pkey the public key of the signer
2196 * @param[out] buf set to a buffer with the blinded message to be signed
2197 * @param[out] buf_size number of bytes stored in @a buf
2198 * @return #GNUNET_YES if successful, #GNUNET_NO if RSA key is malicious
2201 GNUNET_CRYPTO_rsa_blind (const struct GNUNET_HashCode *hash,
2202 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2203 struct GNUNET_CRYPTO_RsaPublicKey *pkey,
2209 * Sign a blinded value, which must be a full domain hash of a message.
2211 * @param key private key to use for the signing
2212 * @param msg the (blinded) message to sign
2213 * @param msg_len number of bytes in @a msg to sign
2214 * @return NULL on error, signature on success
2216 struct GNUNET_CRYPTO_RsaSignature *
2217 GNUNET_CRYPTO_rsa_sign_blinded (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2223 * Create and sign a full domain hash of a message.
2225 * @param key private key to use for the signing
2226 * @param hash the hash of the message to sign
2227 * @return NULL on error, including a malicious RSA key, signature on success
2229 struct GNUNET_CRYPTO_RsaSignature *
2230 GNUNET_CRYPTO_rsa_sign_fdh (const struct GNUNET_CRYPTO_RsaPrivateKey *key,
2231 const struct GNUNET_HashCode *hash);
2235 * Free memory occupied by signature.
2237 * @param sig memory to free
2240 GNUNET_CRYPTO_rsa_signature_free (struct GNUNET_CRYPTO_RsaSignature *sig);
2244 * Encode the given signature in a format suitable for storing it into a file.
2246 * @param sig the signature
2247 * @param[out] buffer set to a buffer with the encoded key
2248 * @return size of memory allocated in @a buffer
2251 GNUNET_CRYPTO_rsa_signature_encode (
2252 const struct GNUNET_CRYPTO_RsaSignature *sig,
2257 * Decode the signature from the data-format back to the "normal", internal
2260 * @param buf the buffer where the public key data is stored
2261 * @param buf_size the number of bytes of the data in @a buf
2262 * @return NULL on error
2264 struct GNUNET_CRYPTO_RsaSignature *
2265 GNUNET_CRYPTO_rsa_signature_decode (const void *buf,
2270 * Duplicate the given rsa signature
2272 * @param sig the signature to duplicate
2273 * @return the duplicate key; NULL upon error
2275 struct GNUNET_CRYPTO_RsaSignature *
2276 GNUNET_CRYPTO_rsa_signature_dup (const struct GNUNET_CRYPTO_RsaSignature *sig);
2280 * Unblind a blind-signed signature. The signature should have been generated
2281 * with #GNUNET_CRYPTO_rsa_sign() using a hash that was blinded with
2282 * #GNUNET_CRYPTO_rsa_blind().
2284 * @param sig the signature made on the blinded signature purpose
2285 * @param bks the blinding key secret used to blind the signature purpose
2286 * @param pkey the public key of the signer
2287 * @return unblinded signature on success, NULL if RSA key is bad or malicious.
2289 struct GNUNET_CRYPTO_RsaSignature *
2290 GNUNET_CRYPTO_rsa_unblind (const struct GNUNET_CRYPTO_RsaSignature *sig,
2291 const struct GNUNET_CRYPTO_RsaBlindingKeySecret *bks,
2292 struct GNUNET_CRYPTO_RsaPublicKey *pkey);
2296 * Verify whether the given hash corresponds to the given signature and the
2297 * signature is valid with respect to the given public key.
2299 * @param hash the message to verify to match the @a sig
2300 * @param sig signature that is being validated
2301 * @param public_key public key of the signer
2302 * @returns #GNUNET_YES if ok, #GNUNET_NO if RSA key is malicious, #GNUNET_SYSERR if signature
2305 GNUNET_CRYPTO_rsa_verify (const struct GNUNET_HashCode *hash,
2306 const struct GNUNET_CRYPTO_RsaSignature *sig,
2307 const struct GNUNET_CRYPTO_RsaPublicKey *public_key);
2310 #if 0 /* keep Emacsens' auto-indent happy */
2318 /* ifndef GNUNET_CRYPTO_LIB_H */
2320 /* end of gnunet_crypto_lib.h */