2013-01-26 15:30:46 +01:00
|
|
|
|
/**
|
|
|
|
|
|
* \file ecdh.h
|
|
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \brief This file contains ECDH definitions and functions.
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*
|
2018-03-13 16:22:58 +01:00
|
|
|
|
* The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* key agreement protocol allowing two parties to establish a shared
|
|
|
|
|
|
* secret over an insecure channel. Each party must have an
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* elliptic-curve public–private key pair.
|
|
|
|
|
|
*
|
|
|
|
|
|
* For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
|
|
|
|
|
|
* Pair-Wise Key Establishment Schemes Using Discrete Logarithm
|
|
|
|
|
|
* Cryptography</em>.
|
2018-01-05 16:33:17 +01:00
|
|
|
|
*/
|
|
|
|
|
|
/*
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
2015-09-04 14:21:07 +02:00
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*
|
2015-09-04 14:21:07 +02:00
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
|
* not use this file except in compliance with the License.
|
|
|
|
|
|
* You may obtain a copy of the License at
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*
|
2015-09-04 14:21:07 +02:00
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*
|
2015-09-04 14:21:07 +02:00
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
|
* limitations under the License.
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* This file is part of Mbed TLS (https://tls.mbed.org)
|
2013-01-26 15:30:46 +01:00
|
|
|
|
*/
|
2018-01-25 22:57:43 +01:00
|
|
|
|
|
2015-04-08 12:49:31 +02:00
|
|
|
|
#ifndef MBEDTLS_ECDH_H
|
|
|
|
|
|
#define MBEDTLS_ECDH_H
|
2013-01-26 15:30:46 +01:00
|
|
|
|
|
2018-12-16 11:14:37 +01:00
|
|
|
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
2019-07-04 21:01:14 +02:00
|
|
|
|
#include "mbedtls/config.h"
|
2018-12-16 11:14:37 +01:00
|
|
|
|
#else
|
|
|
|
|
|
#include MBEDTLS_CONFIG_FILE
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2019-07-04 21:01:14 +02:00
|
|
|
|
#include "mbedtls/ecp.h"
|
2013-01-26 15:30:46 +01:00
|
|
|
|
|
2018-10-25 13:41:04 +02:00
|
|
|
|
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
2018-12-14 12:03:02 +01:00
|
|
|
|
#undef MBEDTLS_ECDH_LEGACY_CONTEXT
|
2018-10-25 13:41:04 +02:00
|
|
|
|
#include "everest/everest.h"
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2013-06-27 14:29:21 +02:00
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
|
extern "C" {
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2013-12-12 09:55:52 +01:00
|
|
|
|
/**
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* Defines the source of the imported EC key.
|
2013-12-12 09:55:52 +01:00
|
|
|
|
*/
|
|
|
|
|
|
typedef enum
|
|
|
|
|
|
{
|
2018-04-16 17:04:57 +02:00
|
|
|
|
MBEDTLS_ECDH_OURS, /**< Our key. */
|
2018-03-27 12:12:25 +02:00
|
|
|
|
MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
|
2015-04-08 12:49:31 +02:00
|
|
|
|
} mbedtls_ecdh_side;
|
2013-12-12 09:55:52 +01:00
|
|
|
|
|
ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.
Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.
The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.
We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.
Other alternatives considered:
- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.
In retrospect:
- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-08-13 16:52:45 +02:00
|
|
|
|
#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Defines the ECDH implementation used.
|
|
|
|
|
|
*
|
|
|
|
|
|
* Later versions of the library may add new variants, therefore users should
|
|
|
|
|
|
* not make any assumptions about them.
|
|
|
|
|
|
*/
|
|
|
|
|
|
typedef enum
|
|
|
|
|
|
{
|
|
|
|
|
|
MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */
|
|
|
|
|
|
MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
|
2018-10-25 13:41:04 +02:00
|
|
|
|
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
|
|
|
|
|
MBEDTLS_ECDH_VARIANT_EVEREST /*!< Everest implementation */
|
|
|
|
|
|
#endif
|
ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.
Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.
The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.
We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.
Other alternatives considered:
- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.
In retrospect:
- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-08-13 16:52:45 +02:00
|
|
|
|
} mbedtls_ecdh_variant;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* The context used by the default ECDH implementation.
|
|
|
|
|
|
*
|
|
|
|
|
|
* Later versions might change the structure of this context, therefore users
|
|
|
|
|
|
* should not make any assumptions about the structure of
|
|
|
|
|
|
* mbedtls_ecdh_context_mbed.
|
|
|
|
|
|
*/
|
|
|
|
|
|
typedef struct mbedtls_ecdh_context_mbed
|
|
|
|
|
|
{
|
|
|
|
|
|
mbedtls_ecp_group grp; /*!< The elliptic curve used. */
|
|
|
|
|
|
mbedtls_mpi d; /*!< The private key. */
|
|
|
|
|
|
mbedtls_ecp_point Q; /*!< The public key. */
|
|
|
|
|
|
mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */
|
|
|
|
|
|
mbedtls_mpi z; /*!< The shared secret. */
|
|
|
|
|
|
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
|
|
|
|
|
mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
|
|
|
|
|
|
#endif
|
|
|
|
|
|
} mbedtls_ecdh_context_mbed;
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2013-02-10 14:21:04 +01:00
|
|
|
|
/**
|
2017-08-23 14:40:21 +02:00
|
|
|
|
*
|
|
|
|
|
|
* \warning Performing multiple operations concurrently on the same
|
|
|
|
|
|
* ECDSA context is not supported; objects of this type
|
|
|
|
|
|
* should not be shared between multiple threads.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief The ECDH context structure.
|
2013-02-10 14:21:04 +01:00
|
|
|
|
*/
|
2018-07-24 10:02:47 +02:00
|
|
|
|
typedef struct mbedtls_ecdh_context
|
2013-02-10 14:21:04 +01:00
|
|
|
|
{
|
ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.
Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.
The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.
We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.
Other alternatives considered:
- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.
In retrospect:
- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-08-13 16:52:45 +02:00
|
|
|
|
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
2018-01-25 22:57:43 +01:00
|
|
|
|
mbedtls_ecp_group grp; /*!< The elliptic curve used. */
|
|
|
|
|
|
mbedtls_mpi d; /*!< The private key. */
|
|
|
|
|
|
mbedtls_ecp_point Q; /*!< The public key. */
|
|
|
|
|
|
mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */
|
|
|
|
|
|
mbedtls_mpi z; /*!< The shared secret. */
|
|
|
|
|
|
int point_format; /*!< The format of point export in TLS messages. */
|
|
|
|
|
|
mbedtls_ecp_point Vi; /*!< The blinding value. */
|
|
|
|
|
|
mbedtls_ecp_point Vf; /*!< The unblinding value. */
|
|
|
|
|
|
mbedtls_mpi _d; /*!< The previous \p d. */
|
2017-04-27 11:38:26 +02:00
|
|
|
|
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
2018-06-12 12:40:54 +02:00
|
|
|
|
int restart_enabled; /*!< The flag for restartable mode. */
|
|
|
|
|
|
mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
|
ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.
Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.
The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.
We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.
Other alternatives considered:
- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.
In retrospect:
- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-08-13 16:52:45 +02:00
|
|
|
|
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
|
|
|
|
|
#else
|
|
|
|
|
|
uint8_t point_format; /*!< The format of point export in TLS messages
|
|
|
|
|
|
as defined in RFC 4492. */
|
|
|
|
|
|
mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
|
|
|
|
|
|
mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */
|
|
|
|
|
|
union
|
|
|
|
|
|
{
|
|
|
|
|
|
mbedtls_ecdh_context_mbed mbed_ecdh;
|
2018-10-25 13:41:04 +02:00
|
|
|
|
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
|
|
|
|
|
mbedtls_ecdh_context_everest everest_ecdh;
|
|
|
|
|
|
#endif
|
ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.
Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.
The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.
We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.
Other alternatives considered:
- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.
In retrospect:
- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-08-13 16:52:45 +02:00
|
|
|
|
} ctx; /*!< Implementation-specific context. The
|
|
|
|
|
|
context in use is specified by the \c var
|
|
|
|
|
|
field. */
|
|
|
|
|
|
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
|
|
|
|
|
uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of
|
|
|
|
|
|
an alternative implementation not supporting
|
|
|
|
|
|
restartable mode must return
|
|
|
|
|
|
MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
|
|
|
|
|
|
if this flag is set. */
|
|
|
|
|
|
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
|
|
|
|
|
#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
|
2013-02-10 14:21:04 +01:00
|
|
|
|
}
|
2015-04-08 12:49:31 +02:00
|
|
|
|
mbedtls_ecdh_context;
|
2013-02-10 14:21:04 +01:00
|
|
|
|
|
2019-02-11 18:41:27 +01:00
|
|
|
|
/**
|
|
|
|
|
|
* \brief Check whether a given group can be used for ECDH.
|
|
|
|
|
|
*
|
|
|
|
|
|
* \param gid The ECP group ID to check.
|
|
|
|
|
|
*
|
|
|
|
|
|
* \return \c 1 if the group can be used, \c 0 otherwise
|
|
|
|
|
|
*/
|
|
|
|
|
|
int mbedtls_ecdh_can_do( mbedtls_ecp_group_id gid );
|
|
|
|
|
|
|
2013-01-26 16:05:22 +01:00
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function generates an ECDH keypair on an elliptic
|
|
|
|
|
|
* curve.
|
2013-01-26 16:05:22 +01:00
|
|
|
|
*
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* This function performs the first of two core computations
|
|
|
|
|
|
* implemented during the ECDH key exchange. The second core
|
|
|
|
|
|
* computation is performed by mbedtls_ecdh_compute_shared().
|
2013-01-26 16:05:22 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param grp The ECP group to use. This must be initialized and have
|
|
|
|
|
|
* domain parameters loaded, for example through
|
|
|
|
|
|
* mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \param d The destination MPI (private key).
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* This must be initialized.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \param Q The destination point (public key).
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* This must be initialized.
|
|
|
|
|
|
* \param f_rng The RNG function to use. This must not be \c NULL.
|
|
|
|
|
|
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
|
|
|
|
|
* \c NULL in case \p f_rng doesn't need a context argument.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX or
|
|
|
|
|
|
* \c MBEDTLS_MPI_XXX error code on failure.
|
2013-01-26 16:05:22 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
|
2013-01-26 16:05:22 +01:00
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
|
void *p_rng );
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function computes the shared secret.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This function performs the second of two core computations
|
|
|
|
|
|
* implemented during the ECDH key exchange. The first core
|
|
|
|
|
|
* computation is performed by mbedtls_ecdh_gen_public().
|
2013-09-02 14:29:09 +02:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
|
|
|
|
|
*
|
|
|
|
|
|
* \note If \p f_rng is not NULL, it is used to implement
|
2018-04-16 17:04:57 +02:00
|
|
|
|
* countermeasures against side-channel attacks.
|
|
|
|
|
|
* For more information, see mbedtls_ecp_mul().
|
2018-03-27 12:12:25 +02:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param grp The ECP group to use. This must be initialized and have
|
|
|
|
|
|
* domain parameters loaded, for example through
|
|
|
|
|
|
* mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \param z The destination MPI (shared secret).
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* This must be initialized.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \param Q The public key from another party.
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* This must be initialized.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \param d Our secret exponent (private key).
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* This must be initialized.
|
|
|
|
|
|
* \param f_rng The RNG function. This may be \c NULL if randomization
|
|
|
|
|
|
* of intermediate results during the ECP computations is
|
|
|
|
|
|
* not needed (discouraged). See the documentation of
|
|
|
|
|
|
* mbedtls_ecp_mul() for more.
|
|
|
|
|
|
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
|
|
|
|
|
* \c NULL if \p f_rng is \c NULL or doesn't need a
|
|
|
|
|
|
* context argument.
|
2013-01-26 16:05:22 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX or
|
|
|
|
|
|
* \c MBEDTLS_MPI_XXX error code on failure.
|
2013-01-26 16:05:22 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
|
|
|
|
|
|
const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
|
2013-09-02 14:29:09 +02:00
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
|
void *p_rng );
|
2013-01-26 15:30:46 +01:00
|
|
|
|
|
2013-02-10 14:21:04 +01:00
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function initializes an ECDH context.
|
2013-02-10 14:21:04 +01:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to initialize. This must not be \c NULL.
|
2013-02-10 14:21:04 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
|
2013-02-10 14:21:04 +01:00
|
|
|
|
|
2018-10-30 12:53:25 +01:00
|
|
|
|
/**
|
|
|
|
|
|
* \brief This function sets up the ECDH context with the information
|
|
|
|
|
|
* given.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This function should be called after mbedtls_ecdh_init() but
|
|
|
|
|
|
* before mbedtls_ecdh_make_params(). There is no need to call
|
|
|
|
|
|
* this function before mbedtls_ecdh_read_params().
|
|
|
|
|
|
*
|
|
|
|
|
|
* This is the first function used by a TLS server for ECDHE
|
|
|
|
|
|
* ciphersuites.
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to set up. This must be initialized.
|
2018-10-30 12:53:25 +01:00
|
|
|
|
* \param grp_id The group id of the group to set up the context for.
|
|
|
|
|
|
*
|
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
|
*/
|
2018-12-17 19:10:43 +01:00
|
|
|
|
int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
|
|
|
|
|
|
mbedtls_ecp_group_id grp_id );
|
2018-10-30 12:53:25 +01:00
|
|
|
|
|
2013-02-10 14:21:04 +01:00
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function frees a context.
|
2013-02-10 14:21:04 +01:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The context to free. This may be \c NULL, in which
|
|
|
|
|
|
* case this function does nothing. If it is not \c NULL,
|
|
|
|
|
|
* it must point to an initialized ECDH context.
|
2013-02-10 14:21:04 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
|
2013-02-10 14:21:04 +01:00
|
|
|
|
|
2013-02-10 15:01:54 +01:00
|
|
|
|
/**
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \brief This function generates an EC key pair and exports its
|
|
|
|
|
|
* in the format used in a TLS ServerKeyExchange handshake
|
|
|
|
|
|
* message.
|
2013-02-10 15:01:54 +01:00
|
|
|
|
*
|
2018-10-30 12:53:25 +01:00
|
|
|
|
* This is the second function used by a TLS server for ECDHE
|
|
|
|
|
|
* ciphersuites. (It is called after mbedtls_ecdh_setup().)
|
2013-02-10 15:01:54 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to use. This must be initialized
|
|
|
|
|
|
* and bound to a group, for example via mbedtls_ecdh_setup().
|
|
|
|
|
|
* \param olen The address at which to store the number of Bytes written.
|
|
|
|
|
|
* \param buf The destination buffer. This must be a writable buffer of
|
|
|
|
|
|
* length \p blen Bytes.
|
|
|
|
|
|
* \param blen The length of the destination buffer \p buf in Bytes.
|
|
|
|
|
|
* \param f_rng The RNG function to use. This must not be \c NULL.
|
|
|
|
|
|
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
|
|
|
|
|
* \c NULL in case \p f_rng doesn't need a context argument.
|
2013-02-10 15:01:54 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-06-12 12:40:54 +02:00
|
|
|
|
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
2017-04-27 10:48:29 +02:00
|
|
|
|
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-02-10 15:01:54 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
|
2013-02-11 20:28:55 +01:00
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
|
void *p_rng );
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \brief This function parses the ECDHE parameters in a
|
|
|
|
|
|
* TLS ServerKeyExchange handshake message.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \note In a TLS handshake, this is the how the client
|
|
|
|
|
|
* sets up its ECDHE context from the server's public
|
|
|
|
|
|
* ECDHE key material.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
2013-02-11 20:28:55 +01:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDHE context to use. This must be initialized.
|
2018-12-17 23:59:13 +01:00
|
|
|
|
* \param buf On input, \c *buf must be the start of the input buffer.
|
|
|
|
|
|
* On output, \c *buf is updated to point to the end of the
|
|
|
|
|
|
* data that has been read. On success, this is the first byte
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* past the end of the ServerKeyExchange parameters.
|
|
|
|
|
|
* On error, this is the point at which an error has been
|
|
|
|
|
|
* detected, which is usually not useful except to debug
|
|
|
|
|
|
* failures.
|
|
|
|
|
|
* \param end The end of the input buffer.
|
2013-02-11 20:28:55 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-02-11 20:28:55 +01:00
|
|
|
|
*
|
|
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
|
2018-12-17 19:10:43 +01:00
|
|
|
|
const unsigned char **buf,
|
|
|
|
|
|
const unsigned char *end );
|
2013-02-10 15:01:54 +01:00
|
|
|
|
|
2013-12-12 09:55:52 +01:00
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function sets up an ECDH context from an EC key.
|
2013-12-12 09:55:52 +01:00
|
|
|
|
*
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* It is used by clients and servers in place of the
|
|
|
|
|
|
* ServerKeyEchange for static ECDH, and imports ECDH
|
|
|
|
|
|
* parameters from the EC key information of a certificate.
|
2013-12-12 09:55:52 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to set up. This must be initialized.
|
|
|
|
|
|
* \param key The EC key to use. This must be initialized.
|
|
|
|
|
|
* \param side Defines the source of the key. Possible values are:
|
2018-12-19 00:32:42 +01:00
|
|
|
|
* - #MBEDTLS_ECDH_OURS: The key is ours.
|
|
|
|
|
|
* - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
|
2013-12-12 09:55:52 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-12-12 09:55:52 +01:00
|
|
|
|
*
|
|
|
|
|
|
*/
|
2018-12-17 19:10:43 +01:00
|
|
|
|
int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
|
|
|
|
|
|
const mbedtls_ecp_keypair *key,
|
|
|
|
|
|
mbedtls_ecdh_side side );
|
2013-12-12 09:55:52 +01:00
|
|
|
|
|
2013-02-11 21:51:45 +01:00
|
|
|
|
/**
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \brief This function generates a public key and exports it
|
|
|
|
|
|
* as a TLS ClientKeyExchange payload.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
*
|
|
|
|
|
|
* This is the second function used by a TLS client for ECDH(E)
|
|
|
|
|
|
* ciphersuites.
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to use. This must be initialized
|
|
|
|
|
|
* and bound to a group, the latter usually by
|
|
|
|
|
|
* mbedtls_ecdh_read_params().
|
|
|
|
|
|
* \param olen The address at which to store the number of Bytes written.
|
|
|
|
|
|
* This must not be \c NULL.
|
|
|
|
|
|
* \param buf The destination buffer. This must be a writable buffer
|
2018-12-19 00:32:42 +01:00
|
|
|
|
* of length \p blen Bytes.
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param blen The size of the destination buffer \p buf in Bytes.
|
|
|
|
|
|
* \param f_rng The RNG function to use. This must not be \c NULL.
|
|
|
|
|
|
* \param p_rng The RNG context to be passed to \p f_rng. This may be
|
|
|
|
|
|
* \c NULL in case \p f_rng doesn't need a context argument.
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-06-12 12:40:54 +02:00
|
|
|
|
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
2017-04-27 10:48:29 +02:00
|
|
|
|
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
|
2013-02-11 21:51:45 +01:00
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
|
void *p_rng );
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \brief This function parses and processes the ECDHE payload of a
|
|
|
|
|
|
* TLS ClientKeyExchange message.
|
2018-01-25 22:57:43 +01:00
|
|
|
|
*
|
2018-10-30 12:53:25 +01:00
|
|
|
|
* This is the third function used by a TLS server for ECDH(E)
|
|
|
|
|
|
* ciphersuites. (It is called after mbedtls_ecdh_setup() and
|
|
|
|
|
|
* mbedtls_ecdh_make_params().)
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \see ecp.h
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to use. This must be initialized
|
|
|
|
|
|
* and bound to a group, for example via mbedtls_ecdh_setup().
|
|
|
|
|
|
* \param buf The pointer to the ClientKeyExchange payload. This must
|
|
|
|
|
|
* be a readable buffer of length \p blen Bytes.
|
|
|
|
|
|
* \param blen The length of the input buffer \p buf in Bytes.
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-02-11 21:51:45 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
|
2018-12-17 19:10:43 +01:00
|
|
|
|
const unsigned char *buf, size_t blen );
|
2013-02-11 21:51:45 +01:00
|
|
|
|
|
2013-02-11 22:05:42 +01:00
|
|
|
|
/**
|
2018-01-25 22:57:43 +01:00
|
|
|
|
* \brief This function derives and exports the shared secret.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This is the last function used by both TLS client
|
|
|
|
|
|
* and servers.
|
|
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \note If \p f_rng is not NULL, it is used to implement
|
2018-04-16 17:04:57 +02:00
|
|
|
|
* countermeasures against side-channel attacks.
|
|
|
|
|
|
* For more information, see mbedtls_ecp_mul().
|
2018-03-27 12:12:25 +02:00
|
|
|
|
*
|
|
|
|
|
|
* \see ecp.h
|
2018-12-17 19:10:43 +01:00
|
|
|
|
|
|
|
|
|
|
* \param ctx The ECDH context to use. This must be initialized
|
|
|
|
|
|
* and have its own private key generated and the peer's
|
|
|
|
|
|
* public key imported.
|
|
|
|
|
|
* \param olen The address at which to store the total number of
|
|
|
|
|
|
* Bytes written on success. This must not be \c NULL.
|
|
|
|
|
|
* \param buf The buffer to write the generated shared key to. This
|
|
|
|
|
|
* must be a writable buffer of size \p blen Bytes.
|
|
|
|
|
|
* \param blen The length of the destination buffer \p buf in Bytes.
|
|
|
|
|
|
* \param f_rng The RNG function, for blinding purposes. This may
|
|
|
|
|
|
* b \c NULL if blinding isn't needed.
|
|
|
|
|
|
* \param p_rng The RNG context. This may be \c NULL if \p f_rng
|
|
|
|
|
|
* doesn't need a context argument.
|
2013-02-11 22:05:42 +01:00
|
|
|
|
*
|
2018-03-27 12:12:25 +02:00
|
|
|
|
* \return \c 0 on success.
|
2018-06-12 12:40:54 +02:00
|
|
|
|
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
2017-04-27 10:48:29 +02:00
|
|
|
|
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
2018-10-15 13:22:41 +02:00
|
|
|
|
* \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
2013-02-11 22:05:42 +01:00
|
|
|
|
*/
|
2015-04-08 12:49:31 +02:00
|
|
|
|
int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
|
2013-09-02 14:29:09 +02:00
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
|
void *p_rng );
|
2013-02-11 22:05:42 +01:00
|
|
|
|
|
2017-05-18 12:35:37 +02:00
|
|
|
|
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
|
|
|
|
|
/**
|
2018-06-12 12:40:54 +02:00
|
|
|
|
* \brief This function enables restartable EC computations for this
|
|
|
|
|
|
* context. (Default: disabled.)
|
2017-05-18 12:35:37 +02:00
|
|
|
|
*
|
2018-06-12 12:40:54 +02:00
|
|
|
|
* \see \c mbedtls_ecp_set_max_ops()
|
2017-05-18 12:35:37 +02:00
|
|
|
|
*
|
|
|
|
|
|
* \note It is not possible to safely disable restartable
|
|
|
|
|
|
* computations once enabled, except by free-ing the context,
|
|
|
|
|
|
* which cancels possible in-progress operations.
|
|
|
|
|
|
*
|
2018-12-17 19:10:43 +01:00
|
|
|
|
* \param ctx The ECDH context to use. This must be initialized.
|
2017-05-18 12:35:37 +02:00
|
|
|
|
*/
|
|
|
|
|
|
void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
|
|
|
|
|
|
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
|
|
|
|
|
|
2013-01-26 16:05:22 +01:00
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
|
}
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2014-05-01 13:03:14 +02:00
|
|
|
|
#endif /* ecdh.h */
|